At a glance.

  • Entrust security incident included data exfiltration.
  • Update on Twitter breach investigation. 
  • Remembering Ashley Madison. 
  • Attempted spyware attack on Greek MEP.

Entrust security incident included data exfiltration.

US security solutions firm Entrust has confirmed that data was stolen after an intruder gained unauthorized access to their systems used for internal operations. The company, which is based out of the state of Minnesota, sent a notification letter to customers earlier this month reading, “While our investigation is ongoing, we have found no indication to date that the issue has affected the operation or security of our products and services, which are run in separate environments from our internal systems and are fully operational.” CEO at threat intelligence firm AdvIntel Vitali Kremez says the incident involved ransomware and that the threat actor used stolen Entrust credentials to access the company’s network. Security Week notes that it’s unclear exactly which ransomware group could be behind the attack. 

Update on Twitter breach investigation. 

As we noted earlier this week, a hacker with the spot-on username “devil” is attempting to sell data on hacking marketplace BreachForums that he claims is connected to 5.4 million Twitter user accounts. The incident follows the January discovery of a vulnerability on Twitter’s platform that could allow even the most basic hacker to search for a Twitter account by phone number or email, even if the user has the necessary privacy settings. Twitter was informed of the bug and announced they’d fixed it just days later, awarding the researcher who detected it with a $5,040 bounty. A Twitter spokesperson told Fortune that they had indeed resolved the issue months ago and said the company is “reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.” A security expert shared his take with Information Security Buzz: “While bug bounties are great for finding vulnerabilities, it is still down to the company to ensure they have sufficiently closed the gap as well as the ability to hunt through historic activity to find evidence of exploration, otherwise they risk being publicly embarrassed just like Twitter over the last few days.” He added that because the stolen data includes email and phone numbers, an additional attack could already have been launched on Twitter users employing multi factor authentication. 

We heard from Ian McShane, VP Strategy at Arctic Wolf, who commented, “The linking of a private email address and phone number associated with a Twitter account has the potential to add an extra dimension to this data breach. From what we know so far, it seems likely that an additional attack could be or could already have been launched on high profile users with MFA enabled. We’ve seen what can happen when accounts are compromised on Twitter – usually some kind of cryptocurrency scam efforts – and while there’s been no evidence of such an attack recently, users should be vigilant for unexpected login attempts or unsolicited messages and calls.” The incident, of course, brings with it an increased chance of spoofing. “Outside of Twitter, there’s the potential for attackers using the phone number to spoof MFA requests from other services (such as those linked to an @icloud or @gmail account). For what’s it’s worth, and with no evidence to link it to this breach, I’ve noticed a significant uptick in my own cell number being abused from all manner of countries since around February of this year, and I do not give that number to any one or any non-essential services.”

Remembering Ashley Madison. 

KrebsOnSecurity takes a walk down memory lane with a look back at the Ashley Madison data breach. In 2015 a threat group called the “Impact Team” published the data of millions of users, along with internal company information like employee network account details, company bank info, and salaries. The attack followed claims from Ashley Madison parent company Avid Life Media (ALM) that users could completely erase their profile information by simply paying for a $19 service. The Impact Team said the service was a sham, as users’ purchase details, including real names and street addresses, were not actually deleted, and said the hack was a way of punishing ALM for profiting “on the pain of others.” The hackers gave ALM one month to take Ashley Madison offline, and when the platform refused, the Impact Team published links to the 60 gigabytes of stolen data. Some experts questioned the hackers’ motives, as it was highly unlikely ALM would actually shut down its cash cow. Robert Graham, CEO of Errata Security, wrote in a blog post, “They appear to be motivated by the immorality of adultery, but in all probability, their motivation is that #1 it’s fun and #2 because they can.” The stolen data also included more than three years’ worth of emails stolen from Ashley Madison’s then-CEO Noel Biderman, who had been verbally attacked on Neo-Nazi websites several times in the months leading up to the attack. Though Biderman stated on July 19, 2015 that the company believed the attacker was an insider and that the platform was “on the doorstep of [confirming] who we believe is the culprit,” no one was ever charged. 

Attempted spyware attack on Greek MEP.

A malicious link was found in an SMS message sent to Nikos Androulakis, a member of the European Parliament (MEP) for the Panhellenic Socialist Movement, and the link was found to be connected to Predator, a spyware created by Israeli-made offensive cyber company Cytrox. Androulakis fortunately did not click the link, Haaretz reports, and therefore avoided infection, but the discovery is still worthy of investigation. After filing a complaint with prosecutors, Androulakis told reports, “There was an attempt to bug my mobile phone with the Predator surveillance malware. The revelation of those hiding behind such sick practices…is not a personal issue but my democratic duty.” The link was found when phones belonging to Androulakis as well as other MEPs were examined in the wake of the recent discoveries made by the Pegasus Project. Unlike Pegasus, Predator requires the target to click on the link in order for infection to take place. Cytrox’s parent company Intellexa is currently based in Greece but is run by former Israeli military intelligence official Tal Dilian, and sources say many of its workers are Israelis. It’s unclear whether Cytrox is under Israeli defense oversight.