Data from 533M Facebook Profiles Leaked 🌐, The State of Ransomware 💵, Fake Linkedin Job Offers 💼

CyberLite Apr 13, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!

📰 News

Catching you up on everything important that happened this week…

🌐 Personal Data from 533 million Facebook Users Leaked Online

Cybercriminals posted the stolen data to a public hacker forum over the weekend which has done nothing good for Facebook's public image (although I think you'd struggle to find anyone who thinks about Facebook in a good light recently). The data was gathered by exploiting a bug in the Add Friend feature that was fixed back in 2019.

“Effectively, the attacker created an address book with every phone number on the planet and then asked Facebook if his ’friends’ are on Facebook,” - security expert Mikko Hypponen

Facebook has said that this wasn’t a data breach, instead they’ve claimed it was an example of scraping where public information is siphoned from the internet using bots. Although if this was scraping it would require the data to be publically accessible, and without the Add Friend bug the data would have been private. I think it’s fair to say people are far from convinced by Facebook’s statement on this one.

The data is only up to date as of September 2019 but it’s still worth checking if you're phone number or email has been made public - haveibeenpwned is a great resource for this! Link.

📧 Wait… Linkedin too?

The Facebook leak wasn't the only story about "leaked" social media data this week. Scraped phone numbers and emails from 500M Linkedin profiles were posted online.

When compared to the Facebook leak this story garnered very little media attention despite the end result being the same, it certainly shows how unwilling we are to believe anything coming out of Facebook’s PR department. Link.

💰 The State of Ransomware

I've mentioned ransomware in 11 out of the 13 issues of CyberLite so it's fair to say it's a threat we're getting quite used to living with. This week we’re going to have a quick zoom out and look at some analysis on popular ransomware tactics.
According to a study from Bitdefender ransomware attacks grew 485% in 2020 when compared to 2019, so it's hardly unsurprising we're talking about it all the time.

A study from F-secure has been looking at what they’ve dubbed ransomware 2.0. A type of attack we've got used to seeing which use a tactic known as "double extortion". This is where in addition to attackers encrypting an organization’s data the threaten to leak the data online if a ransom isn't paid. The study had some interesting takeaways about how these attacks are carried out, here were my highlights:

  • Over half of the attacks used email to infect their victims in 2020.
  • Attackers used Excel formulas to obfuscate malicious code. This became three times more common in the second half of 2020.
  • Phishing emails sent to try and infect users often impersonated well-known brands, the most popular being Outlook, Office365 and Facebook.

The ransomware 2.0 toolkit certainly isn’t complete yet though, KrebsonSecurity reported this week that a number of top ransomware gangs have started emailing customers and employees of breached organizations telling them to pressure organizations to pay the ransom. An example letter’s pictured below for some light bedtime reading.

💼 Fake Job Offers on Linkedin used to Spread Malware

A threat group known as Golden Chickens has been browsing people's Linkedin profiles and sending malicious .zip files disguised as job offers. The files are named by adding "position" to the end of the user's current job title on Linkedin. If a user opens the file it installs malware called "more_eggs" which can install additional malware and provide access to the victim's system. Link.

🤖 Android Malware Spreads By Replying to Incoming Whatsapp Messages

Android malware disguised as a Netflix app has been found trying to spread itself to new devices by sending an automated reply to any incoming Whatsapp messages the victim receives. Link.

📱 Gigaset's Android Update Server Hacked

The German phone company Gigaset had a rough week when users of their older smartphone models found their phones installing malicious apps after a software update. Attackers had successfully taken over a server responsible for issuing software updates to these older smartphones. They then used their newfound access to automatically install these malicious apps onto users' devices.

Gigaset has been able to regain control of the server and reverse the update, but it shows just how critical securing your update and patching infrastructure is. Link.

🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

🍎 Details of a vulnerability in Apple Mail from February have now been released. The vulnerability would’ve allowed attackers to modify a victim’s mail settings. Attackers could then redirect incoming mail to intercept password resets and take over a victim’s online accounts. To exploit the vulnerability an attacker would’ve needed to send an email containing a specially crafted .zip file.

CVSS Score: 🟠 Medium 6.5 Link.

☁ A critical vulnerability in VMware's Carbon Black Cloud Workload platform (a bit of a mouthful...) would allow attackers to escalate their privileges and gain administrative rights. The platform provides cybersecurity defense to virtual machines hosted on VMware's cloud-computing platform.

CVSS Score: 🔴 Critical 9.1 Link.

💯 What’s a CVSS score? A CVSS (Common Vulnerability Scoring System) score gives an indication of how severe a vulnerability is. The score takes into account lots of different metrics such as the complexity, impact, and whether or not a fix is available. A full list of the metrics used can be found here.

💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

💳 An analysis from CyberInsights Weekly on Mobikwik's data breach from last week’s issue. What they should've done and how you can do better. Link.

🐛 Last year security researcher Robert Chen earned a £35,000 bug bounty for finding an authentication flaw on Github. He's now been allowed to publish a blog post explaining the flaw and how he found it. Link.

🦟 An in-depth malware analysis from security researcher John Hammond on Threatpost. This gives you a great look at what the malware we hear about each week really looks like. Link.

🔎 Apple is letting third parties add their devices to Apple's Find My tracking network. A world where all of your devices can be located from an iPhone is an exciting prospect if you're anything like as scatterbrained as me! Link.

📞 How Elliot in Mr. Robot hacked the FBI cellphones. Link.

❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!

🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!


Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.