Polyverse Weekly Breach Report

Oct 30, 2018
By Shaina Raskin

A snapshot of last week’s reported breaches and vulnerabilities

Windows Zero-Day
A security researcher disclosed a proof-of-concept exploit for a new Windows zero-day vulnerability. The exploit appears to target a privilege escalation flaw in Microsoft Data Sharing. To read more: https://thehackernews.com/2018/10/windows-zero-day-exploit.html

Cathay Pacific
This Hong Kong airline announced that it had suffered a major data leak affecting up to 9.4 million passengers. Personal information including passport numbers, identity-card numbers, email addresses, and credit-card details was accessed. To read more: https://www.theguardian.com/technology/2018/oct/24/cathay-pacific-hit-by-data-leak-affecting-up-to-94m-passengers

British Airways
British Airways has added 185,000 more victims to the tally of those impacted by a data breach in September. Some 429,000 people are now believed to have been affected. To read more: https://threatpost.com/british-airways-data-breach-takes-off-again-with-185k-more-victims/138600/

Missouri Department of Health and Senior Services
The Missouri Department of Health and Senior Services has notified 10,400 people that their personal information was compromised by a security breach. To read more: http://www.stlamerican.com/news/local_news/state-warns-of-data-breach-has-mailed-letters-to-those/article_a672c38a-d975-11e8-b6f9-7f5e9452188e.html

Adult websites
A recent hack of eight poorly secured adult websites exposed megabytes of personal data. Included in the leak are IP addresses, user passwords protected by weak, four-decade-old cryptography, usernames, and 1.2 million email addresses. To read more: https://arstechnica.com/information-technology/2018/10/hack-on-8-adult-websites-exposes-oodles-of-intimate-user-data/

Wolf Intelligence
This German spyware startup left 20 gigabytes of data—including recordings of customer meetings, scans of the founder’s credit cards, and surveillance data—exposed on the internet. Security researchers discovered the data in a public Google Drive folder. To read more: https://motherboard.vice.com/en_us/article/vbka8b/wolf-intelligence-leak-customer-victim-data-online

Pocket iNet
This US-based ISP left 73 gigabytes of essential operational data publicly exposed in a misconfigured Amazon S3 storage bucket for months. The bucket contained internal network diagramming, network hardware configuration photos, and other data. To read more: https://motherboard.vice.com/en_us/article/zm9dmj/an-isp-left-corporate-passwords-keys-and-all-its-data-exposed-on-the-internet

China ISP intelligence-gathering
According to an academic paper published this week, state-owned China Telecom has been “hijacking the vital internet backbone of western countries.” The company is China’s third-largest telco and internet service provider, and has had a presence inside North American networks since the early 2000s. To read more: https://www.zdnet.com/article/china-has-been-hijacking-the-vital-internet-backbone-of-western-countries/

Cisco Webex
An exploitable security bug was found in the Cisco Webex Meetings Desktop App for Windows. The bug is a privilege-escalation issue rated “high”. To read more: https://www.theregister.co.uk/2018/10/25/white_hats_pop_webex/

Reported Vulnerabilities

SystemD
A security bug in open-source software suite Systemd can be exploited over the network to crash vulnerable Linux machines. The vulnerability sits within the written-from-scratch DHCPv6 client of the Systemd management suite, which is built into various types of Linux. To read more: https://www.theregister.co.uk/2018/10/26/systemd_dhcpv6_rce/

Python
A security engineer identified 12 Python libraries uploaded to the official Python Package Index that contained malicious code. They have since been removed from PyPI. To read more: https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/

X.org
A vulnerability that is trivial to exploit was found on Linux and BSD distributions using the open-source X.Org Server. The flaw has been present for two years. To read more: https://www.bleepingcomputer.com/news/security/trivial-bug-in-xorg-gives-root-permission-on-linux-and-bsd-systems/

Windows zero-day
Proof-of-concept code for a zero-day vulnerability in Windows was released by a security researcher before Microsoft released a fix. The code exploits a vulnerability that enables any files on a machine (including system files) to be deleted without permission, and can potentially lead to privilege escalation. To read more: https://www.bleepingcomputer.com/news/security/new-windows-zero-day-bug-helps-delete-any-file-exploit-available/
