Just how did this all happen, and what could T-Mobile have done differently? The answer is a surprisingly simple one – as we’ll see in this blog, very basic security practices should have been in place to prevent this breach from ever occurring. In this blog, we’ll review how this all took place and what they could have done differently to stop this attack. We’ll start by drawing out a timeline of the events as they took place and see how a 21-year-old American in Turkey took down a multibillion-dollar company by not following basic security practices.

The news of a potentially massive data breach was first reported by Motherboard on August 15. A user on a Tor underground forum was attempting to sell 30 million SSNs and driver’s licenses for six bitcoins. When Motherboard private messaged the user directly, they confirmed this data came from “T-Mobile USA.” While we don’t know how long they had access to the T-Mobile data, the seller confirmed their access was already blocked: “I think they already found out because we lost access to the backdoored servers.”

On August 16, Jeremy Kirk on Twitter provided proof from the attacker that a misconfigured GPRS gateway allowed them to compromise the internal system. Apparently, the gateway was used for testing but left exposed to the public internet. From there, the attacker was easily able to pivot to the internal network by brute-forcing and credential stuffing SSH servers. Eventually, he made his way into an Oracle database server that stored the customer data. Once inside the Oracle server, the attacker was able to exfiltrate large amounts of data until it was eventually noticed by T-Mobile and access shut down. In total, over 106 GB of customer data was exfiltrated by the attacker.

The same day, on August 16, T-Mobile issued a public statement stating that they were working “around the clock to investigate claims being made that T-Mobile data may have been illegally accessed.” The following day, T-Mobile confirmed that nearly 50 million current and former users might have been impacted by the breach, and the data may have included customers’ first and last names, date of birth, SSN, and driver’s license/ID information. They also advised that any current T-Mobile customer should proactively change their account PIN. The days that would follow would not bode well for T-Mobile.

T-Mobile is no stranger to high-profile breaches, but this paints a bleak picture even for them. Not only did they leave a public-facing gateway misconfigured and open for intrusion, but once inside, they appeared to not have basic security measures in place like rate limits on SSH attempts. Limiting failed SSH attempts, which is considered a basic security practice, would have stopped this breach in its tracks, and proper logging would have notified the security team of the failed attempts.
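As an added example that is not part of the original post, here is the kind of detection logic a security team could run over sshd auth-log lines to surface the failed-login bursts described above, both classic brute force against one account and credential stuffing across many usernames, and to flag a successful login from a source that was already guessing. The host name, IP addresses and log lines are constructed, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH auth-log lines, e.g. "Aug 16 03:12:01 gw sshd[2001]: Failed password for
# invalid user admin from 203.0.113.7 port 50122 ssh2" (syslog timestamps carry no year).
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \S+ for "
                       r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port")

# Constructed sample log: one source sprays five usernames in ten seconds and then
# gets in; another source is a real user mistyping a password twice, 15 minutes apart.
SAMPLE_LOG = """\
Aug 16 03:12:01 gw sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Aug 16 03:12:03 gw sshd[2002]: Failed password for invalid user oracle from 203.0.113.7 port 50123 ssh2
Aug 16 03:12:05 gw sshd[2003]: Failed password for root from 203.0.113.7 port 50124 ssh2
Aug 16 03:12:08 gw sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 50125 ssh2
Aug 16 03:12:10 gw sshd[2005]: Failed password for deploy from 203.0.113.7 port 50126 ssh2
Aug 16 03:12:12 gw sshd[2006]: Accepted password for deploy from 203.0.113.7 port 50127 ssh2
Aug 16 03:40:00 gw sshd[2100]: Failed password for alice from 198.51.100.4 port 41000 ssh2
Aug 16 03:55:00 gw sshd[2101]: Failed password for alice from 198.51.100.4 port 41001 ssh2
""".splitlines()

def parse_failures(lines, year=2021):
    """Yield (timestamp, user, ip) for every failed-login line."""
    for m in filter(None, map(FAILED_RE.match, lines)):
        yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def find_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failures inside any `window` (sliding). Many distinct
    users from one IP is the credential-stuffing pattern; many failures for one user is
    classic brute force. Returns {ip: {"failures": peak_in_window, "distinct_users": n}}."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"failures": peak, "distinct_users": len({u for _, u in events})}
    return alerts

def successes_after_burst(lines, alerts):
    """A successful login from an already-flagged source: the guessing likely worked."""
    return {(m["ip"], m["user"]) for m in map(ACCEPTED_RE.search, lines) if m and m["ip"] in alerts}
```

The same counters are what a rate limiter (or a tool such as fail2ban) acts on; the difference here is that the alert also carries the distinct-user count, which separates a spray across accounts from a single mistyped password.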