Twitter Flaw Exposes 17 Million Users

Here's the latest on emerging cyber threats.

A recently revealed Twitter software flaw and a malicious new type of ransomware are two emerging threats being monitored by cyber security experts.

The Twitter vulnerability allowed hackers to match 17 million user accounts with their phone numbers. And the new ransomware strain – known as Maze – is targeting law firms and other private companies in the US.

Below are two blog posts, one on each threat, from cybersecurity expert Craig Petronella.

If you have professional liability coverage through Alta Pro Insurance, you’re invited to attend a free CLE webinar on social engineering and phishing scams coming in March. Stay tuned for more details. This is just one of the many benefits of being a part of the Alta Pro family. Here’s how to join.

FBI Warns Business Owners: Beware of Increasing Maze Attacks
By Craig Petronella, CEO Petronella Technology Group

Directly on the heels of LockerGoga and MegaCortex, a different strain of ransomware, Maze, first discovered nearly a year ago, began targeting private companies in the US in November, and the FBI wants to make sure you know about it.

Just two days after issuing an alert for LockerGoga and MegaCortex, the FBI issued a “TLP: Green” alert for Maze, meaning it can release only limited details; anything more might aid the attackers. That said, the FBI strongly urges victims to share the details of their attack with it as soon as possible, because any detail may help its agents trace the attackers and bring them to justice.

What is Maze?
After a successful breach, Maze copies the data it can reach before it encrypts it. Once the data is encrypted, Maze sends its victims a ransom demand. Where Maze is a little more insidious, however, is that the data thieves threaten not only to destroy the files if they don’t receive payment, but also to publish them, which is what the City of Pensacola and a Georgia-based wire and cabling firm, Southwire, discovered when they did not pay up.

How does Maze infiltrate its victims?
Maze has successfully breached its victims using:

  • Fraudulent cryptocurrency websites
  • Malspam
  • Phishing scams impersonating government agencies and security vendors
  • Exploit kits (e.g. Fallout)

What if I am attacked?
The FBI recommends NOT paying the ransom because there is no way to know whether the hackers will actually decrypt your data. Even if you pay, they might still leak and/or destroy your files. The FBI does strongly urge victims to contact it.

Twitter Vulnerability Exposed in a Big Way
By Craig Petronella, CEO Petronella Technology Group 

Ibrahim Balic, a security researcher, recently disclosed a flaw in Twitter’s app that, months ago, allowed him to match 17 million phone numbers to their unique Twitter user accounts. He accomplished this by uploading large lists of phone numbers through Twitter’s “Contact Upload” feature in the social media giant’s Android app.

It is interesting to note, too, that the “Contact Upload” feature won’t accept lists whose numbers are in sequential order. He had to generate the numbers by hand and randomize their order before feeding them into the app. So it appears that while Twitter possibly anticipated this could happen, it didn’t go far enough in protecting its users.

Fortunately, though, this bug only existed in the Android app; it doesn’t exist in the web-based “Contact Upload.” He also discovered that if you upload your phone number, Twitter will provide you with user data. The researcher was able to match these records over the course of two months. The data flow was stopped when Twitter finally blocked him on December 20.
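As an added illustration (not Twitter's code or the researcher's), here is the order-dependent "reject sequential lists" rule the post describes beside an order-independent check that catches the same batch once it has been shuffled; the thresholds and the 555-exchange sample numbers are assumptions constructed for the example.

```python
import random
from collections import Counter

# Assumed thresholds for this example; not Twitter's real limits.
MAX_CONTACTS_PER_UPLOAD = 1000   # per-request quota, enforced regardless of content
MAX_SORTED_RUN = 25              # longest run of consecutive numbers after sorting
MAX_PREFIX_SHARE = 0.25          # max fraction of a batch sharing one 7-digit prefix


def weak_accepts(numbers):
    """The check the post describes: reject only a list whose numbers
    arrive in ascending consecutive order. Shuffling the list defeats it."""
    if len(numbers) < 2:
        return True
    return any(b != a + 1 for a, b in zip(numbers, numbers[1:]))


def longest_consecutive_run(numbers):
    """Length of the longest run of consecutive integers, independent of order."""
    best = run = 1
    ordered = sorted(set(numbers))
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def hardened_accepts(numbers):
    """Order-independent checks: quota, sorted runs, prefix clustering.
    Returns (accepted, reason)."""
    if len(numbers) > MAX_CONTACTS_PER_UPLOAD:
        return False, "over per-upload quota"
    if longest_consecutive_run(numbers) > MAX_SORTED_RUN:
        return False, "consecutive block after sorting"
    if len(numbers) >= 20:  # prefix share is only meaningful for larger batches
        prefixes = Counter(str(n)[:7] for n in numbers)
        if max(prefixes.values()) / len(numbers) > MAX_PREFIX_SHARE:
            return False, "too many numbers from one prefix"
    return True, "ok"


# Constructed inputs: a shuffled block of consecutive numbers, and a plausible address book.
ENUMERATION_BATCH = list(range(9195550000, 9195550300))
random.Random(7).shuffle(ENUMERATION_BATCH)   # the ordering the post says slipped past the check
REAL_CONTACTS = [9195550123, 3125550198, 6125550042, 2145550077, 6145550311]

if __name__ == "__main__":
    print("shuffled block  weak:", weak_accepts(ENUMERATION_BATCH), " hardened:", hardened_accepts(ENUMERATION_BATCH))
    print("address book    weak:", weak_accepts(REAL_CONTACTS), " hardened:", hardened_accepts(REAL_CONTACTS))
```

The point for defenders is that the sequential test inspects the order numbers arrive in, which the uploader controls; sorting, run-length and quota checks inspect properties of the set itself.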

Balic has yet to report this finding to Twitter, but he did contact many of the high-profile users he uncovered via a WhatsApp group text in order to notify them directly.

But Twitter is apparently aware of the problem and has publicly stated that it is working hard to fix the bug. Let’s hope the fix comes sooner rather than later.

If you practice in Wisconsin, Texas, Minnesota, Ohio, Illinois, Indiana or Michigan, you can stay a step ahead of the competition by being a member of Alta Pro Lawyers RPG. You’ll get access to free webinars, the Pro Practice Playbook, Reminger ProLink, Ask the Risk Pro and more. Here’s how to join.

About the Author
Craig A. Petronella is the CEO of Petronella Technology Group Inc, a cybersecurity group that specializes in helping law firms with security and compliance. With 30 years of experience, he is the author of “How Hackers can Crush your Law Firm,” “Peace of Mind Computer Support” and other titles. MIT Certified: AI, Blockchain & Hyperledger. Phone: 919-601-1601; Helpdesk Support: 919-422-2607. For more information about a cyber-crime risk assessment call: 1-877-468-2721
