Weekly update: Data breach, Incognito, Linux malware, a new course on red teaming LLMs, phishing without a login page.
01/04/2024 - 07/04/2024
This week I am experimenting with a new newsletter format: the top cyber news of the week, a learning resource, and one deep-dive article. If you enjoy it, please share and subscribe to follow along. Feel free to drop any feedback below.
Top news of this week.
AT&T data breach: the personal information of 73 million customers, including full name, email address, mailing address, phone number, SSN, date of birth, AT&T account number and account passcode, was leaked two weeks ago. Of those, 7.6 million are current account holders and 65.4 million are former account holders. AT&T does not yet know whether the data originated from AT&T itself or from one of its vendors, and has not identified any evidence of unauthorized access to AT&T systems that led to exfiltration of the data set. Because account passcodes were in the dump, affected customers should treat them as compromised and watch for SIM-swap or number port-out attempts, which is exactly what such passcodes are meant to prevent. (Source)
Google will destroy billions of data records collected from users in Incognito mode, to settle a class action filed in 2020 on behalf of millions of Google users going back to June 1, 2016. (Source) Google is also working on a new security feature called Device Bound Session Credentials (DBSC), intended to stop attackers from using a stolen session cookie to gain access to user accounts. DBSC binds the authenticated session to the device: the browser generates a key pair, keeps the private key on the machine (in the TPM where one is available), and periodically proves possession of that key to the server. A stolen cookie is therefore worthless off the device, because the attacker holds the cookie but cannot produce the proof. (Source)
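The mechanism in one runnable sketch, as an added example (this is not Chrome's or Google's code, and it collapses DBSC's real registration and refresh endpoints into two function calls): the server stores only the public key registered at login; every refresh requires a signature over a fresh, single-use challenge; and an attacker who exfiltrated the cookie with an infostealer, but not the TPM-held key, fails both with a key of their own and by replaying a signature captured earlier. The `Server`, `Device` and `RunScenario` names are assumptions for this example, not a real API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server keeps, per session cookie, only the public half of the key the
// browser bound to that session, plus at most one outstanding challenge.
type Server struct {
	bound      map[string]*ecdsa.PublicKey // cookie -> device public key
	challenges map[string]string           // cookie -> unused challenge nonce
}

func NewServer() *Server {
	return &Server{bound: map[string]*ecdsa.PublicKey{}, challenges: map[string]string{}}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a broken CSPRNG is not something to continue past
	}
	return hex.EncodeToString(b)
}

// Login issues a session cookie and records the device key registered with it.
func (s *Server) Login(pub *ecdsa.PublicKey) string {
	cookie := randomHex(16)
	s.bound[cookie] = pub
	return cookie
}

// Challenge hands out a fresh, single-use nonce for the given cookie.
func (s *Server) Challenge(cookie string) (string, error) {
	if _, ok := s.bound[cookie]; !ok {
		return "", errors.New("unknown session")
	}
	c := randomHex(16)
	s.challenges[cookie] = c
	return c, nil
}

// Refresh is the DBSC-style check: the presenter must sign the outstanding
// challenge with the private key bound at login. Holding the cookie is not enough.
func (s *Server) Refresh(cookie, challenge string, sig []byte) error {
	pub, ok := s.bound[cookie]
	if !ok {
		return errors.New("unknown session")
	}
	if s.challenges[cookie] == "" || s.challenges[cookie] != challenge {
		return errors.New("challenge missing, stale or already used")
	}
	delete(s.challenges, cookie) // consume the nonce so a captured signature cannot be replayed
	h := sha256.Sum256([]byte(cookie + "|" + challenge))
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("proof of possession failed: cookie is not on its bound device")
	}
	return nil
}

// Device models the browser side. In Chrome's design the private key lives in
// the TPM and never leaves the machine; here it is just an in-memory key.
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() *Device {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: k}
}

// Sign binds the signature to both the cookie and the challenge.
func (d *Device) Sign(cookie, challenge string) []byte {
	h := sha256.Sum256([]byte(cookie + "|" + challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// RunScenario reports whether (1) the legitimate device, (2) an attacker who
// stole the cookie but not the key, and (3) a replay of an old signature succeed.
func RunScenario() (legit, stolen, replay bool) {
	srv := NewServer()
	victim := NewDevice()
	cookie := srv.Login(&victim.priv.PublicKey)

	c1, _ := srv.Challenge(cookie)
	sig1 := victim.Sign(cookie, c1)
	legit = srv.Refresh(cookie, c1, sig1) == nil

	// An infostealer copied the cookie to the attacker's machine. It cannot copy
	// the device-held key, so the attacker can only sign with a key of their own.
	attacker := NewDevice()
	c2, _ := srv.Challenge(cookie)
	stolen = srv.Refresh(cookie, c2, attacker.Sign(cookie, c2)) == nil

	// The attacker also captured sig1 off the wire; its nonce is already consumed.
	replay = srv.Refresh(cookie, c1, sig1) == nil
	return
}

func main() {
	legit, stolen, replay := RunScenario()
	fmt.Printf("legitimate device: %v, stolen cookie: %v, replayed signature: %v\n", legit, stolen, replay)
}
```

The design point is that the server never sees the private key, so a database or cookie leak on either side gives an attacker nothing they can use from another machine; what remains attackable is the device itself, which is why malware running on the victim's own computer is still the threat to worry about.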
Details of the xz backdoor, the first known case of malware being planted in a core Linux component by one of its own open-source maintainers. It affects Debian- and RPM-based systems worldwide that picked up the xz utility and liblzma library at versions 5.6.0 and 5.6.1 (released in late February and early March '24); in practice that was mainly rolling and testing branches such as Debian unstable and Fedora Rawhide, because the backdoor was caught before those versions reached most stable releases. Through this backdoor an attacker holding the right private key can execute commands on the system remotely via sshd: the malicious liblzma hooks sshd's RSA signature check on distributions that link OpenSSH against libsystemd. It scores 10.0/10.0 in CVSS (CVE-2024-3094). The advisory is to revert the
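The two checks a practitioner would run on each host, as an added example that is not part of the original post or of any distribution's advisory: is the installed xz/liblzma one of the two bad releases, and does sshd on this box load liblzma at all (the transitive link through libsystemd that the backdoor relies on). The `BackdooredXZ`, `ParseXZVersions`, `SSHDLinksLiblzma` and `Assess` names are assumptions for this example, and the sample `xz --version` and `ldd` outputs are constructed; `main` additionally runs the live commands on the host it is executed on.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// BackdooredXZ lists the xz-utils / liblzma releases that carry the backdoor.
var BackdooredXZ = map[string]bool{"5.6.0": true, "5.6.1": true}

var versionRe = regexp.MustCompile(`(\d+\.\d+\.\d+)`)

// Constructed sample outputs, shaped like a real `xz --version` and `ldd sshd`.
const SampleXZOutput = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
const SampleLddOutput = "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f00)\n" +
	"\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f01)\n"

// ParseXZVersions reads `xz --version` output, whose lines look like
// "xz (XZ Utils) 5.6.1" and "liblzma 5.6.1", and returns component -> version.
func ParseXZVersions(output string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(output, "\n") {
		fields := strings.Fields(line)
		m := versionRe.FindStringSubmatch(line)
		if len(fields) == 0 || m == nil {
			continue
		}
		out[fields[0]] = m[1]
	}
	return out
}

// IsBackdooredXZ reports whether a version string is one of the known-bad releases.
func IsBackdooredXZ(version string) bool { return BackdooredXZ[version] }

// SSHDLinksLiblzma reports whether ldd output for sshd mentions liblzma. sshd does
// not use xz itself; on distros that patch OpenSSH to link libsystemd, liblzma is
// pulled in transitively, which is the path the backdoor exploits.
func SSHDLinksLiblzma(lddOutput string) bool {
	for _, line := range strings.Split(lddOutput, "\n") {
		if strings.Contains(line, "liblzma") {
			return true
		}
	}
	return false
}

// Assess combines the two signals into a verdict for one host. A bad version
// alone is reason to downgrade; bad version plus liblzma in sshd means the
// remote-code-execution path was live and the host should be treated as compromised.
func Assess(xzOutput, lddOutput string) (verdict string, atRisk bool) {
	v := ParseXZVersions(xzOutput)
	bad := IsBackdooredXZ(v["xz"]) || IsBackdooredXZ(v["liblzma"])
	links := SSHDLinksLiblzma(lddOutput)
	switch {
	case bad && links:
		return "backdoored xz installed AND sshd loads liblzma: treat host as compromised", true
	case bad:
		return "backdoored xz installed; sshd does not load liblzma here, but downgrade now", true
	default:
		return "xz version not in the known-bad set", false
	}
}

func main() {
	v, _ := Assess(SampleXZOutput, SampleLddOutput)
	fmt.Println("constructed sample:", v)

	// Live check on this host; errors are ignored so missing xz/sshd just reads as "not bad".
	xzOut, _ := exec.Command("xz", "--version").Output()
	lddOut, _ := exec.Command("sh", "-c", `ldd "$(command -v sshd || echo /usr/sbin/sshd)"`).Output()
	v, _ = Assess(string(xzOut), string(lddOut))
	fmt.Println("this host:", v)
}
```

A version match says the bad release is installed, not that the backdoor ever fired; it only activates under specific build and runtime conditions. Downgrading to a pre-5.6 release and rotating SSH host and user keys on any host where sshd loaded the bad liblzma is the conservative response.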
Learning resources
DeepLearning.AI is launching a brand new course, Red Teaming LLM Applications (Source). In it you learn to identify and evaluate vulnerabilities in LLM applications, and how to apply red-teaming techniques from cyber security to LLM safety and reliability. The course is built with Giskard, a startup, on top of their open source library.
Review: Phishing email without a login page
This week I dig into the news of several Vietnamese YouTubers whose accounts were compromised, with details similar to mine. One of them is a tech-savvy streamer, well known on the internet, with nearly eight million followers. Below is a brief translation of his account as told to an entertainment magazine.
“According to him, after ending his livestream session at 4 a.m. on April 2, while checking his email, he inadvertently downloaded malicious software, resulting in his channel being hacked.
Specifically, he received a collaboration email regarding the promotion of the upcoming game Black Myth: Wukong from the game's producer, Game Science. The hacker was very cunning in using an email domain similar to the name of the game's producer, which confused the victim.
"The email contained a link to download the demo game installation file, but when I opened the file, I didn't see anything. Just a moment later, Google sent me a series of emails notifying me that my password had been changed, two-step verification was disabled... At that moment, I knew I had lost my channel," he said.
Shortly after, he had to reinstall the operating system immediately and contact YouTube's support team. By 5 p.m. on the same day, the streamer from Cao Bang officially regained control of his channel. However, for personal reasons, he did not change the channel name, cover photo, or stream key (a personalized code provided by the platform that lets users livestream from anywhere, on any device). Taking advantage of this, the hacker continued livestreaming cryptocurrency content on the channel, while still being able to change the account password.”
Despite the extra protection of reinstalling the operating system and changing passwords, the hackers still gained access to his account a second time, and he also lost a Steam account holding assets worth up to 800,000 USD. Reinstalling the OS removes the malware but does nothing about what it had already exfiltrated: the session tokens and the stream key stay valid until every active session is signed out and the key is reset, which is why no login page was ever needed and why the password change alone did not lock the attacker out. In the end the victim was lucky to get both accounts back by paying the hacker $5,000 in cryptocurrency, while the offer in the phishing email had been worth $2,500. On top of that he lost some very valuable game assets and a fair number of subscribers on his channels. (Source)
According to Vietnam's 2023 data (13,900 incidents), the top three reasons you get hacked are:
1. Social engineering. Mostly phishing that directs users to a fake login page to steal an account, or tricks them into installing software that gives remote control of the computer. (32.6%)
2. Exposed services: mail servers, content management systems, data-sharing platforms. (27.4%)
3. Vulnerabilities introduced by the organization's own web development, for example SQL injection, weak admin passwords, or vulnerable third-party libraries. Beyond collecting, changing or stealing data, hackers even insert backlinks to illegal content. (25.3%)
It seems Vietnam has become a testing ground for several foreign hacker groups trying new techniques against the finance industry and online businesses. Most of the people who lost money are experts in their own field. This week a financial expert asked the media for help with his case after losing around $20,000 through a banking app on his iPhone; he only learned of the incident after visiting a bank branch. Such attacks are hard for anti-virus software to detect, and the bank's notification system alerted him late or not at all.