Search This Blog

Showing posts with label AT&T. Show all posts

Database of 70 Million AT&T Users Being Sold on a Hacker Forum

 

The same threat actor is selling 70 million AT&T customers' records just days after the T-Mobile data leak. The data leak claim was refuted by the mobile service provider, who stated that the data did not emanate from any of their systems. ShinyHunters, the same threat actors that just days ago sold T-Mobile subscribers' data, is now selling 70 million records reportedly belonging to another mobile service provider – AT&T. AT&T consumers' full names, social security numbers, email addresses, and dates of birth are among the data for sale. 

ShinyHunters is a well-known organisation that has been linked to a number of high-profile data breaches. Mashable, 123RF, Minted, Couchsurfing, Animal Jam, and other companies have been targeted, according to HackRead. 

The revelation was first reported by Restore Privacy. According to them, the hacker is seeking $1 million for the full database (direct sell) and has given them exclusive information for this report.

"In the original post that we discovered on a hacker forum, the user posted a small sample of the data. We examined the sample and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits," said Restore Privacy. "While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid." 

AT&T denied that the data had been leaked, claiming that it was either forged or obtained through other sources. “Based on our investigation today, information that appeared in an internet chat room does not appear to have come from our systems,” MarketWatch quoted the cell phone carrier. 

 AT&T has previously experienced a data breach. For an insider breach in 2015, the company agreed to pay a $25 million fine. In fact, a threat actor was looking to hire a T-Mobile and/or AT&T employee in May, presumably to assist them in staging an insider attack on their employer. 

T-Mobile was notified late last week about accusations in an online forum that a threat actor had compromised T-Mobile systems. The company announced that it had discovered and shut down the access point that might have been utilised to obtain unauthorised access to the company's servers.

Ezuri Crypter Being Used to Evade Antivirus Detection

 

As per a report delivered by AT&T Alien Labs, various cyber criminals are utilizing Ezuri crypter to pack their malware and dodge antivirus detection. Although Windows malware has been known to deploy similar tactics, cybercriminals are currently utilizing Ezuri for penetrating Linux systems too. Written in Golang, Ezuri acts both as a crypter and loader for ELF (Linux) binaries. Utilizing AES, it encrypts the malware code and, on decoding, executes the noxious payload directly inside memory without producing any records on the disk. 

Systems engineer and Ezuri's maker, Guilherme Thomazi Bonicontro ('guitmz'), had open-sourced the ELF loader on GitHub in 2019 and debuted the tool in his blog entry. In an email interview with, Bonicontro otherwise known as TMZ shared that he is a malware researcher and makes research apparatuses for spreading awareness and aiding defenders. 

“I'm an independent malware researcher, I do this as one of my leisure activities. The objective of my work is just to learn and bring awareness on assorted PoC assault and defense techniques, yet never bring on any harm. As a general guideline, I generally share samples of my ventures with antivirus organizations and I never discharge code with ruinous payload or anything with refined replication capabilities. I believe knowledge ought to be available to everybody and every individual ought to be answerable for their own activities to rest soundly at night,” said Bonicontro. 

Researchers Ofer Caspi and Fernando Martinez of AT&T Alien Labs noted in the wake of decrypting the AES-encrypted payload, Ezuri quickly passes the subsequent code to the runFromMemory work as a contention without dropping malware files anyplace on the tainted system. During the last few months, Caspi and Martinez distinguished a few malware creators that pack their samples with Ezuri. These incorporate the cybercrime group, TeamTnT, active since at least April 2020. 

TeamTnT is known to assault misconfigured Docker instances and exposed APIs to transform weak systems into DDoS bots and crypto miners. Later variations of TeamTnT's malware, for example, "Black-T" that install network scanners on tainted systems and extract AWS credentials from memory were likewise discovered to be bound with Ezuri. As indicated by the AT&T researchers, "the last Black-T sample distinguished by Palo Alto Networks Unit42 is really an Ezuri loader." The researchers additionally saw the presence of the 'ezuri' string in numerous Ezuri-packed binaries. 

Malware samples which were commonly distinguished by about 50% of antivirus engines on VirusTotal, yielded 0 detections when encoded with Ezuri, at the time of AT&T's research. Even today, the Ezuri-stuffed sample has less than a 5% detection rate on VirusTotal.