Craig Pepper
April 15, 2024
5 Min Read

Threat Report 15.04.24

Taxi App Data Leak

iCabbi, a Dublin-based software company, experienced a significant data exposure impacting approximately 287,961 individuals in the UK and Ireland. This incident exposed sensitive personal information including names, email addresses, phone numbers, and user IDs. High-profile individuals such as former UK Members of Parliament, a senior policy advisor, and an EU ambassador were among those affected. The leak also included 2,000 academic email addresses from domains. 

The vulnerability was identified in an unprotected database that was part of a content management storage repository utilised by iCabbi's customer-facing apps.

Cybersecurity researcher Jeremiah Fowler, working with vpnMentor, discovered an unprotected database that contained personal information of nearly 300,000 individuals, revealing a significant breach in data security. The data included sensitive details which could potentially be leveraged in phishing scams to impersonate the taxi company convincingly.

The exposure included personal details of individuals in senior positions across various sectors including media outlets like the BBC, and government departments such as His Majesty's Treasury, the UK Home Office, and the Ministry of Justice.

The breach was attributed to an unprotected database accessible via an IoT search engine's API. The database was used by iCabbi for storing various documents including terms and conditions, alongside customer data, making the exposed information easily accessible to unauthorised individuals.

Upon being notified, iCabbi quickly secured the database, preventing potential misuse by cybercriminals. It was noted that the company was fortunate to have been alerted by an ethical researcher rather than facing a ransomware attack.


Phishing Awareness Training: Given the potential for phishing attacks, organisations should invest in ongoing cybersecurity training for their employees to recognise and respond to fraudulent attempts.

This incident highlights the critical need for stringent cybersecurity measures and proactive risk management strategies, particularly for companies handling large volumes of personal data. Companies must prioritise the security of their digital assets to protect against both the immediate and reputational risks associated with data breaches.

Microsoft Two-Step Phishing Campaign

The Microsoft Two-Step Phishing Campaign is an advanced attack targeting LinkedIn users, designed to steal Microsoft 365 credentials. It employs a sophisticated technique where victims are initially tricked into clicking a URL that appears to be a legitimate OneDrive document link. This leads them to a genuine OneDrive page hosting a malware-infected Word document. Subsequently, the victims are redirected through a fake Cloudflare verification prompt to phishing webpages. This campaign demonstrates the vulnerability of social media platforms like LinkedIn, which provide publicly accessible information that can be exploited for phishing attacks. Notably, this method has successfully compromised accounts with multi-factor authentication (MFA) enabled.

The Microsoft Two-Step Phishing Campaign leverages social engineering to exploit LinkedIn's platform, directing users to malicious sites under the guise of legitimate Microsoft OneDrive documents. This campaign is particularly concerning because it demonstrates the ability to bypass enhanced security measures like MFA.

Initial Contact: Victims receive a LinkedIn message containing a malicious link, which masquerades as a link to a OneDrive document.

Malware Deployment: Clicking the link redirects to a real OneDrive page where a compromised Word document awaits. This document contains embedded URLs leading to further malicious sites.

Credential Theft: Victims are then redirected to a fake Cloudflare page, which serves as a front for phishing sites designed to harvest Microsoft 365 credentials.

The attackers capitalise on the trust users place in familiar interfaces (like LinkedIn and OneDrive) and the effectiveness of MFA bypass techniques. This approach indicates a high level of sophistication and planning.

Recommendations and Risk:

Enhanced User Training: Organisations should educate their employees about the risks of phishing attacks via social media and the importance of scrutinising links and email attachments, regardless of the apparent source.

Improved Detection Tools: Deploy advanced phishing detection tools that can identify and block fake authentication prompts and links embedded within documents.

Regular Security Audits: Conduct regular audits of security measures and update them as necessary to address new and evolving threats.

Strengthen MFA Implementation: Where possible, implement additional layers of security beyond standard MFA to include biometric verification or behavioural analytics.

The Microsoft Two-Step Phishing Campaign shows us the need for continuous vigilance and enhanced cybersecurity practices, especially concerning social media interactions. As attackers continue to refine their strategies to exploit both technological and human vulnerabilities, proactive defence strategies become increasingly crucial in safeguarding sensitive information and access credentials.

Threat Actors Deliver Malware Via YouTube Video

A recent malware campaign leverages YouTube videos to distribute information-stealing malware such as Vidar, StealC, and Lumma Stealer. These videos, masquerading as guides for acquiring free software or game upgrades, contain links to cracked video games and pirated software, which, when executed, compromise the user's system. The campaign primarily targets younger users who are more likely to trust content related to popular computer games on YouTube. Additionally, the use of bots to enhance the perceived authenticity of these videos and the distribution of Lumma Stealer via Discord servers disguised as game cheats further highlights the sophisticated methods employed by threat actors.

Hackers have initiated a malware campaign using YouTube as a vector to target particularly younger audiences. The campaign involves videos that appear to offer legitimate guides for obtaining free software or gaming content but instead lead to malware installation.

Deceptive Videos: The attackers upload YouTube videos that claim to provide free access to software or game upgrades. These videos link to malicious sites offering cracked video games and pirated software.

Malware Installation: Upon downloading and executing these programs, users inadvertently install malware such as Vidar, StealC, and Lumma Stealer on their systems.

Exploitation of Trust: The campaign specifically targets younger individuals who are less cautious and more trusting of YouTube content related to gaming.

Bot Manipulation: The credibility of these YouTube videos is artificially enhanced using bots, making them appear more legitimate and popular.

Extension to Discord: Some instances of malware, particularly Lumma Stealer, are also spread through Discord servers, where they are disguised as beneficial game cheats.

Vulnerabilities Exploited:

The attackers exploit the high level of trust that younger users place in YouTube content and gaming communities, along with their likely unfamiliarity with the risks associated with downloading pirated or cracked software.

Recommendations and Risk:

Educational Initiatives: Parents and educators should inform younger users about the risks associated with downloading software from unverified sources.

Use of Security Software: Users should install comprehensive antivirus and anti-malware solutions that can detect and quarantine malicious downloads.

Content Verification: Users should be encouraged to verify the authenticity of the content they wish to download and avoid clicking on suspicious links.

Community Awareness: Gaming communities and platforms like Discord should actively monitor and remove malicious content and raise awareness about these threats.

This malware distribution campaign via YouTube highlights the need for increased cybersecurity awareness among younger internet users and the importance of protective measures to combat sophisticated cyber threats. It also underscores the necessity for platforms like YouTube and Discord to enhance their monitoring and security practices to prevent the abuse of their services by malicious actors.

Credential Stuffing Strikes Roku: Over Half a Million Accounts Compromised

Roku, the popular streaming video platform, has disclosed a significant data breach impacting 576,000 accounts, a dramatic increase from a previous incident involving 15,000 accounts. This breach, discovered during an investigation into the earlier incident, was not caused by a direct hack but through "credential stuffing"—a method where hackers use previously breached login credentials to gain unauthorised access. Although fewer than 400 accounts saw unauthorised transactions, Roku has moved quickly to reset passwords and plans to introduce two-factor authentication to bolster security for its 80 million global users.

Roku has reported a substantial breach affecting 576,000 accounts, far exceeding the impact of an earlier breach. This breach was identified while Roku was concluding its probe into a smaller, initial security incident.

Credential Stuffing: Hackers utilised existing credentials stolen from other breaches to gain unauthorised access to Roku accounts. This type of attack exploits users who reuse passwords across multiple services.

Impact and Response:

Unauthorised Transactions: The attackers managed to carry out fewer than 400 unauthorised transactions involving purchases of streaming services and Roku hardware.

No Sensitive Financial Data Accessed: The attackers did not obtain sensitive financial information like full credit card details.

Security Enhancements: In response, Roku has reset the passwords of affected accounts and begun notifying impacted users. Additionally, Roku has announced plans to implement two-factor authentication to provide an extra layer of security.

Recommendations and Risk:

Strong, Unique Passwords: Users should create strong, unique passwords for each online account to reduce the risk of credential stuffing.

Enable Two-Factor Authentication (2FA): Roku users, in particular, should activate 2FA as soon as it becomes available to add an additional security layer.

Regular Monitoring: Users should regularly monitor their account activities for any unauthorised actions to respond quickly to potential security breaches.

Public Awareness: Roku should continue to educate its users about the importance of cybersecurity best practices, including the dangers of password reuse.

The recent Roku breaches underscore the persistent challenges companies face in safeguarding consumer data against sophisticated cyber threats. For Roku and its users, enhancing security measures, including the adoption of two-factor authentication and the education on password management, are crucial steps towards mitigating future risks and maintaining trust in an increasingly vulnerable digital landscape.

LG Smart TV Vulnerabilities Allowing Root Access

A series of critical security vulnerabilities in LG smart TVs running webOS were recently disclosed, potentially allowing unauthorised root access. The vulnerabilities, identified by Romanian cybersecurity firm Bitdefender, range from CVE-2023-6317 to CVE-2023-6320, affecting various webOS versions. These flaws could enable attackers to bypass PIN verification, escalate privileges, inject operating system commands, and execute arbitrary commands. Although LG has released patches as of March 22, 2024, over 91,000 devices previously exposed online are at risk, particularly in countries like South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia.

Multiple vulnerabilities in LG webOS used in smart TVs have been reported, which could allow an attacker to gain unauthorised root access to the affected devices. These vulnerabilities were disclosed by Bitdefender and have since been patched by LG.

Vulnerabilities Details:

CVE-2023-6317: Allows bypassing PIN verification to add a privileged user without user interaction.

CVE-2023-6318: Permits privilege escalation to gain root access.

CVE-2023-6319: Enables operating system command injection through a vulnerable music lyrics display library.

CVE-2023-6320: Facilitates the injection of authenticated commands via a specific API endpoint.

Affected Versions:

webOS 4.9.7 - 5.30.40 on LG43UM7000PLA

webOS 5.5.0 - 04.50.51 on OLED55CXPUA

webOS 6.3.3-442 - 03.36.50 on OLED48C1PUB

webOS 7.3.1-43 - 03.33.85 on OLED55A23LA

Successful exploitation of these vulnerabilities could allow a threat actor to gain elevated permissions, leading to full control over the device. The discovery that over 91,000 devices exposed these services to the internet exacerbates the risk, with significant exposures noted in several countries.

Recommendations and Risk:

Immediate Patching: Users should immediately install the latest firmware updates provided by LG to mitigate these vulnerabilities.

Enhanced Network Security: Disable remote access to the TV’s network services and ensure that devices are protected by proper firewall configurations.

Regular Security Audits: Regularly review and update security settings on smart devices to protect against new vulnerabilities.

Public Awareness: LG and cybersecurity communities should continue to educate the public on the importance of securing internet-connected devices.

This disclosure serves as a critical reminder of the vulnerabilities associated with smart devices and the importance of maintaining them with the latest security patches. For LG and other smart device manufacturers, it underscores the necessity of continuous vigilance and rapid response to security vulnerabilities to protect users from potential cyber threats.

Read similar blogs