The Register

TeleMessage security SNAFU worsens as 60 government staffers exposed

Infosec In Brief: Secrets of the Trump administration may have been exposed after a successful attack on messaging service TeleMessage, which has been used by some officials.

Evidence of an attack on administration officials appeared last week on leak site Distributed Denial of Secrets, which hosted an archive of messages that included details of over 60 government workers, a White House staffer, and members of the Secret.

The leak, first reported by Reuters, isn’t as serious as Signalgate – no one was discussing air strikes and possible war crimes – but it’s still suboptimal.

The White House said that it was “aware of the cyber security incident” but didn’t comment further.

TeleMessage servers are reportedly closed while an investigation is carried out.

Operation Endgame II takes out malware

Europol had already detailed attempts to take down the Qakbot and Danabot malware groups, and last Friday it announced the disruption of the following five malware crews:

  • Bumblebee
  • Latrodectus
  • Hijackloader
  • Trickbot
  • Warmcookie

Operation Endgame II, a combined operation involving police from the EU, UK, US, and Canada, has now led to 20 arrests, and 18 suspects have been added to the EU’s most wanted list. In addition, a total of €21.2 million has been seized.

“This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cybercriminals retool and reorganise,” said Catherine De Bolle, Europol executive director. “By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source.”

Infosec boffins propose predictive patching formula

Two government boffins have proposed a method for predicting which security vulnerabilities criminals are likely to exploit, and think it could be used to improve patching choices.

In a recent paper [PDF], cybersecurity specialist Jono Spring of CISA and Peter Mell, a senior computer scientist who retired from Uncle Sam’s NIST this month, suggest a new system that addresses a blind spot in current flaw-fixing methodologies.

Don’t patch crits, get hit

Here’s the current list of vulnerabilities under active attack, courtesy of US government security guards at CISA.

CVSS 9.8 – CVE-2025-4632 is a path traversal vulnerability in Samsung MagicINFO 9 Server that allows an attacker to write arbitrary files as system authority.

CVSS 7.2 – CVE-2025-4428 is a vulnerability in Ivanti Endpoint Manager Mobile 12.5.0.0 and earlier builds. It allows full remote code execution using a specially crafted API request.

One current tool to help users prioritize the fixes to deploy is the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) known exploited vulnerabilities (KEV) database, which lists which CVEs are under active attack. Regulations require US federal government agencies to patch bugs on the list within six months. Private sector admins also use the list.

Further help comes from an industry group known as the Forum of Incident Response and Security Teams (FIRST), which feeds CVE data into a separate Exploit Prediction Scoring System (EPSS). This machine-learning system predicts which vulnerabilities criminals are likely to attack in the next 30 days.

Spring and Mell’s proposed system, which they call a likely exploited vulnerabilities (LEV) list, combines KEV and EPSS data to help admins; they assert that it offers helpfully accurate indicators for focusing patching priorities.

GoDaddy settles with FTC

Hosting biz GoDaddy has agreed a settlement with the US FTC after the regulator took action over the lamentable state of its security.

In 2023 GoDaddy was forced to admit that it didn’t notice its systems had been under attack for three years. The biz hadn’t bothered with multi-factor authentication for key accounts, was lax about patching its applications, didn’t keep good logs of security events, and didn’t secure its network connections.

As a result thousands of GoDaddy customers suffered outages and had their websites infected with malware. The furor caused the FTC to step in, but the settlement is so mild as to make the phrase “slap on the wrist” sound violent.

Under the settlement, GoDaddy has agreed to be “prohibited from making misrepresentations about its security,” to revamp its security systems – something it should have been doing anyway – and to hire independent infosec consultants to check on GoDaddy’s work.

184 million logins and passwords dangling online

A security researcher has found something really rather disturbing – an unsecured database containing 47.42GB of data.

Jeremiah Fowler, a security specialist at vpnMentor, found the database and claims it contained 184,162,718 unique logins and passwords. He tested 10,000 of the credentials and found 479 Facebook accounts, 475 Google accounts, 240 Instagram accounts, 227 Roblox accounts, 209 Discord accounts, and more than 100 Microsoft, Netflix, and PayPal accounts, Wired reports.

“To confirm the authenticity of the data, I messaged multiple email addresses listed in the database and explained that I was investigating a data exposure that may have involved their information,” he said. “I was able to validate several records as these individuals confirmed that the records contained their accurate and valid passwords.”

Fowler suspects the database was compiled by users of infostealer malware. He contacted the hosting company on whose services he found the trove, but it declined to identify the customer whose instance hosted the database. ®
