Weekly Breach Report – September 28

Sep 28, 2020, by Shaina Raskin

A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

Microsoft Bing

A researcher discovered a data leak in a back-end server belonging to Microsoft Bing. The Hacker News: https://thehackernews.com/2020/09/bing-search-hacking.html
Shopify

Shopify confirmed a data breach in which two “rogue members” of its support team stole customer data. Tech Crunch: https://techcrunch.com/2020/09/23/shopify-data-merchant-breach/
Town Sports International

This parent company of several New York sports clubs was alerted to an unprotected server containing terabytes of internal corporate data. Tech Crunch: https://techcrunch.com/2020/09/23/new-york-sports-clubs-owner-breach/
Luxottica

The world’s largest eyewear company, based in Italy, experienced a cyberattack that shut down operations in both its home country and China. Bleeping Computer: https://www.bleepingcomputer.com/news/security/ray-ban-owner-luxottica-confirms-ransomware-attack-work-disrupted/
University of Tasmania

The personal information of 20,000 students at this Australian island-state university was exposed online due to misconfigured security settings on its email system. Yahoo News Australia: https://au.news.yahoo.com/data-leak-hits-20k-tasmania-uni-students-050044237–spt.html
Instagram

Researchers disclosed details of a vulnerability in Instagram’s Android app that enables remote attackers to control a targeted device by sending victims specially crafted images. The Hacker News: https://thehackernews.com/2020/09/instagram-android-hack.html
Fortigate VPN

A vulnerability in Fortinet’s FortiGate VPN solution exposed more than 200,000 businesses to man-in-the-middle attacks in which criminals present a valid SSL certificate and take over a connection. The Hacker News: https://thehackernews.com/2020/09/fortigate-vpn-security.html
Video game industry

A new study claims that the gaming industry suffered 152 million web-application attacks and 10 billion credential-stuffing attacks during the past two years. Computer Weekly: https://www.computerweekly.com/news/252489465/Video-gamers-barraged-with-cyber-attacks
Hungarian banking and telecoms

A DDoS attack hit several Hungarian banking and telecommunication companies. Yahoo News: https://news.yahoo.com/hungary-hit-large-cyber-attack-081853251.html
FinSpy

Researchers discovered FinSpy spyware targeting Linux and macOS systems in Egypt. The Hacker News: https://thehackernews.com/2020/09/finspy-malware-macos-linux.html
ZeroLogon

A researcher set up a honeypot vulnerable to CVE-2020-1472, also known as ZeroLogon, and detailed an “in the wild” exploitation of the vulnerability. Double Pulsar: https://doublepulsar.com/in-the-wild-exploitation-of-zerologon-detected-over-the-internet-on-honeypot-f61e2700215b