On August 15th, Vice broke the news that bad actors were selling T-Mobile customer data on the Dark Web. At the time, the hackers claimed to have stolen the data of more than 100 million T-Mobile customers.
On August 20th, T-Mobile updated its advisory to a total of 54.6 million prospective and existing customers affected by the attack. While the numbers continue to increase, the big questions are what happened and how we ensure it doesn’t happen to us.
How Did the Cyberattack Happen?
According to most reports, a leaky or improperly secured API tied to a part of T-Mobile’s website allowed the hackers access to their network. As a security practitioner, you know that securing APIs is challenging but a necessity in your enterprise network.
API security protects your APIs from malicious attacks and misuse, and it is as critical for the third-party APIs you consume as for the internal APIs you expose.
An API, or Application Program Interface, helps to streamline software development and innovation. APIs let apps exchange functionality and information securely and quickly. Still, when not protected they can be a gateway into your network and data.
Some vulnerabilities are common to APIs, and every year the Open Web Application Security Project (OWASP) provides an updated list. Currently the list includes:
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross Site Scripting
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
While these are the most critical vulnerabilities, there are others that are less critical.
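Two items on that list, Broken Authentication and Broken Access Control, are easiest to see side by side on a small customer-lookup endpoint. The following is an added example written for this article, not code from T-Mobile or from any real API; the token store, the customer records and the function names are constructed for the demonstration and do not describe what happened in the breach. The "before" handler trusts whatever id it is given; the "after" handler authenticates the caller and then checks that the caller owns the requested object.

```python
"""Illustration of Broken Authentication and Broken Access Control on a
toy customer-lookup API (added example; all data below is constructed)."""
import hmac

# Constructed sample data: bearer tokens mapped to the account they belong to.
TOKENS = {
    "tok-alice-1": "cust-1001",
    "tok-bob-2": "cust-1002",
}

# Constructed sample records, one per customer account id.
CUSTOMERS = {
    "cust-1001": {"name": "Alice Example", "ssn_last4": "1234"},
    "cust-1002": {"name": "Bob Example", "ssn_last4": "5678"},
}


def lookup_customer_vulnerable(customer_id, token=None):
    """Before: returns any record for any id and never looks at the token.
    An unauthenticated caller can walk through every account id."""
    return CUSTOMERS.get(customer_id)


def _authenticate(token):
    """Resolve a bearer token to an account id using a constant-time compare,
    so token validity is not leaked through response timing."""
    for known, account in TOKENS.items():
        if hmac.compare_digest(known, token or ""):
            return account
    return None


def lookup_customer_secure(customer_id, token=None):
    """After: authenticate the caller, then authorize the specific object.
    Returns (status, body) the way an HTTP handler would."""
    account = _authenticate(token)
    if account is None:
        return 401, {"error": "authentication required"}
    # Object-level authorization: a caller may only read its own record.
    if account != customer_id:
        # 404 rather than 403 so the endpoint does not confirm which ids exist.
        return 404, {"error": "not found"}
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    print(lookup_customer_vulnerable("cust-1002"))            # leaks Bob's record
    print(lookup_customer_secure("cust-1002", "tok-alice-1"))  # (404, ...)
    print(lookup_customer_secure("cust-1001", "tok-alice-1"))  # (200, ...)
```

The point of the hardened handler is that the two checks are separate: a valid token proves who is calling, and a second, per-object check proves that the caller is allowed to read this particular record. An API that performs only the first check still exposes every customer to every logged-in user.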
Brute Force Attacks
Another possible scenario recently shared by T-Mobile is a brute force attack. This type of entry relies on trial and error until the attacker successfully guesses login credentials, finds a hidden web page, or recovers an encryption key.
It is an old technique that remains popular with attackers because it still works.
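Because brute force is trial and error, it is also loud: the same source produces a burst of failed logins in a short time. The script below is an added example, not from the article or from T-Mobile, that flags such bursts in authentication logs. The log format (`timestamp status user src`), the field names, the sample lines and the threshold of 5 failures within 60 seconds are all assumptions made for the demonstration; the addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24. It tracks failures per source address with a sliding window, so a source that spreads guesses across many accounts (as in the sample) is caught just as well as one hammering a single account.

```python
"""Flag brute-force login bursts in constructed sample auth logs
(added example; log format, threshold and window are assumptions)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in an assumed "timestamp status user src" format.
SAMPLE_LOG = """\
2021-08-15T10:00:01 FAIL alice 203.0.113.7
2021-08-15T10:00:03 FAIL alice 203.0.113.7
2021-08-15T10:00:05 FAIL bob 203.0.113.7
2021-08-15T10:00:06 FAIL carol 203.0.113.7
2021-08-15T10:00:08 FAIL dave 203.0.113.7
2021-08-15T10:00:09 FAIL erin 203.0.113.7
2021-08-15T10:00:30 OK alice 198.51.100.20
2021-08-15T10:05:00 FAIL bob 198.51.100.20
2021-08-15T10:09:00 FAIL bob 198.51.100.20
"""

THRESHOLD = 5        # failed logins from one source ... (assumed value)
WINDOW_SECONDS = 60  # ... within this many seconds triggers an alert


def parse_line(line):
    """Split one log line into (timestamp, status, user, source address)."""
    ts, status, user, src = line.split()
    return datetime.fromisoformat(ts), status, user, src


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: timestamp_first_flagged} for every source address that
    produced `threshold` failed logins within any `window`-second span.
    Lines are assumed to be in chronological order, as a log file would be."""
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    flagged = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, status, user, src = parse_line(raw)
        if status != "FAIL":
            continue  # successful logins do not count toward the burst
        q = recent[src]
        q.append(ts)
        # Slide the window: drop failures older than `window` seconds.
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT brute force from {src} at {when.isoformat()}")
```

Run against the sample, only 203.0.113.7 is reported: its fifth failure lands seven seconds after the first. The two failures from 198.51.100.20 are four minutes apart and stay under the threshold, which is the behaviour you want so that a user who mistypes a password twice does not page the on-call engineer. The same counter, keyed by account instead of source, is the basis for the temporary lockout that MFA and PAM deployments should sit behind.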
A few areas are critical to securing your network, for example the privileges assigned to user accounts and the method used to authenticate them. That is why we say administrators should ensure the following:
- PAM – Deploy privileged access management for all admin accounts, service accounts, routers and switches: anywhere escalated privileges are used in the environment.
- MFA – Multi-factor authentication should be required for all user authentication across the organization.
The Wall Street Journal report says a 21-year-old American, John Binns, claimed responsibility for the attack. He says he did it to get attention, citing that T-Mobile’s “security is awful.”
He claims he used an unprotected router and a publicly available tool to look for vulnerabilities. It’s unknown if he was working alone or had partners.
Defending Against Cyberattacks
Staying secure means staying on top of how cyberattacks are occurring. One thing you can always focus on is the attack vector used in each attack.
Ask the question, “how did they get in?” Then put a plan of action into effect to make sure those areas are solid.
Here are a few well-known attack vectors:
- Unpatched software
- Social Engineering
- Password Attacks
- Physical Attacks
- User Errors
- Denial of Service
If the T-Mobile cyberattack shows us anything, it’s that we must stay vigilant so that would-be attackers find no vulnerabilities to exploit.
Keeping Your Network Secure
As a security practitioner, ensuring your clients are secure and your network safe is a priority. Every endpoint, every API and every possible attack vector must be protected.