Weekly Breach Report – November 16th

Nov 16, 2020, by Shaina Raskin

iOS

Apple released security updates patching three actively exploited zero-day vulnerabilities in iOS, affecting the FontParser component and the kernel. The Hacker News: https://thehackernews.com/2020/11/update-your-ios-devices-now-3-actively.html

Mashable

Tech news website Mashable confirmed that its users’ personal information had appeared in a leaked database. PortSwigger: https://portswigger.net/daily-swig/data-breach-at-mashable-leaks-users-nbsp-personal-information-online

Prestige Software

Prestige Software’s platform, used by hotels to integrate their reservation systems with online booking websites, left more than 10m files on hotel guests worldwide exposed for seven years in a misconfigured, publicly readable AWS S3 bucket. ThreatPost: https://threatpost.com/millions-hotel-guests-worldwide-data-leak/161044/
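The exposure above is the classic S3 failure mode: a bucket that anyone on the internet can list or read. The following is an added example (not code from Prestige Software or from the linked article) of the check a practitioner would run over a bucket’s ACL grants and bucket policy to flag exactly that condition. It assumes inputs in the shape boto3 returns from get_bucket_acl()["Grants"] and json.loads(get_bucket_policy()["Policy"]); the bucket name, account ID, VPC endpoint ID and grant data are constructed sample values, not real ones.

```python
"""
Flag public-access grants in an S3 bucket's ACL and bucket policy.

Added example, not code from Prestige Software or the linked report.
The two inputs mirror the shape of boto3's get_bucket_acl()["Grants"] and
json.loads(get_bucket_policy()["Policy"]); the sample values at the bottom
are constructed for illustration only.
"""
import json

# Predefined ACL groups that mean "anyone on the internet" / "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_public_grants(grants):
    """Return (group_name, permission) for every ACL grant to a public group."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group":
            name = PUBLIC_GRANTEE_URIS.get(grantee.get("URI", ""))
            if name:
                findings.append((name, grant.get("Permission")))
    return findings


def _principal_is_public(principal):
    """A Principal of "*" or {"AWS": "*"} matches every caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            return True
    return False


def policy_public_statements(policy):
    """Return (Sid-or-index, actions) for each Allow statement open to everyone.

    Statements that carry a Condition block are skipped: a wildcard principal
    scoped by aws:SourceVpce, aws:SourceIp and similar keys is not public by
    itself, and deciding whether a condition is effectively unrestricted needs
    per-key analysis this example does not attempt.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement object
        statements = [statements]
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_public(statement.get("Principal")):
            continue
        if statement.get("Condition"):
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((statement.get("Sid", f"statement[{index}]"), tuple(actions)))
    return findings


def bucket_is_public(grants, policy):
    """True if either the ACL or the bucket policy grants access to everyone."""
    return bool(acl_public_grants(grants)) or bool(policy_public_statements(policy))


# Constructed sample data: an owner grant plus a world-readable ACL grant, and a
# policy with one genuinely public statement and one scoped to a VPC endpoint.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "a1b2c3d4e5f6", "DisplayName": "owner"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-hotel-exports", "arn:aws:s3:::example-hotel-exports/*"]},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-hotel-exports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")

if __name__ == "__main__":
    for group, permission in acl_public_grants(SAMPLE_GRANTS):
        print(f"ACL grants {permission} to {group}")
    for sid, actions in policy_public_statements(SAMPLE_POLICY):
        print(f"Policy statement {sid} allows {', '.join(actions)} to everyone")
    print("bucket public:", bucket_is_public(SAMPLE_GRANTS, SAMPLE_POLICY))
```

Run against a live account, the two inputs come from s3.get_bucket_acl and s3.get_bucket_policy for each bucket (get_bucket_policy raises NoSuchBucketPolicy when none is attached, which simply means an empty statement list). Any finding is a bucket to lock down; the durable fix is to turn on S3 Block Public Access at the account level so that neither ACLs nor policies like the PublicRead statement above can take effect in the first place.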

BigBasket

Indian online grocery BigBasket suffered a data breach in which details of 20m users ended up on the dark web. Economic Times: https://economictimes.indiatimes.com/tech/startups/bigbasket-faces-potential-data-breach-details-of-2-crore-users-put-on-sale-on-dark-web/articleshow/79109124.cms

University of Vermont Medical Center

The University of Vermont Medical Center is working to restore systems disabled in a cyberattack that prevented the hospital from providing some cancer treatments. The Wilton Bulletin: https://www.wiltonbulletin.com/news/article/Hospital-network-hit-by-cyber-attack-restoring-15709619.php

Brazilian Superior Court of Justice

The Brazilian court was hit by a cyberattack that brought all of its operations to a halt for an entire week. ZDNet: https://www.zdnet.com/article/brazilian-superior-electoral-court-hit-by-major-cyberattack/

Luxottica

A data breach exposed the personal and health information of patients of LensCrafters, Target Optical, EyeMed and several other eye-care practices. Bleeping Computer: https://www.bleepingcomputer.com/news/security/luxottica-data-breach-exposes-lenscrafters-eyemed-patient-info/

SonarQube

The FBI issued a security alert warning that attackers are abusing misconfigured, internet-exposed SonarQube instances to steal source-code repositories from U.S. government agencies and businesses. SonarQube is a code-quality and static-analysis platform used to scan code for bugs and security flaws before applications are released. ZDNet: https://www.zdnet.com/article/fbi-hackers-stole-source-code-from-us-government-agencies-and-private-companies/

Magento

Hackers are attacking businesses running Magento’s 1.x e-commerce platform; this obsolete version of the platform has been unsupported by Magento since June 2020, but is still widely used. The Hacker News: https://thehackernews.com/2020/11/over-2800-e-shops-running-outdated.html

ModPipe

A newly documented backdoor targets Oracle’s MICROS point-of-sale restaurant-management software to steal payment information stored on the devices. The Hacker News: https://thehackernews.com/2020/11/new-modpipe-point-of-sale-pos-malware.html

WildWorks

WildWorks, the company behind the children’s online virtual world Animal Jam, suffered a data breach affecting 46m accounts. Bleeping Computer: https://www.bleepingcomputer.com/news/security/animal-jam-kids-virtual-world-hit-by-data-breach-impacts-46m-accounts/

Vertafore

This insurance-software provider disclosed a data breach in which a third party accessed the details of 27.7m Texas drivers. ZDNet: https://www.zdnet.com/article/info-of-27-7-million-texas-drivers-exposed-in-vertafore-data-breach/

Facebook ads

A ransomware group is using hijacked Facebook advertising accounts to run ads that publicly pressure its victims into paying the ransom. Krebs on Security: https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/

Akropolis

Attackers used a flash-loan attack against the cryptocurrency borrowing and lending service Akropolis to steal roughly $2m worth of the Dai stablecoin. ZDNet: https://www.zdnet.com/article/hacker-steals-2-million-from-cryptocurrency-service-akropolis/
