Polyverse Weekly Breach Report


A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

DarkHydrus APT
Researchers discovered a new malware campaign linked to the DarkHydrus APT group that uses Google Drive as its command-and-control channel. Attackers infect victims’ computers by tricking them into opening a Microsoft Excel document containing malicious VBA macros. DarkHydrus first appeared last August, when it used the open-source Phishery tool in attacks against targets in the Middle East. To read more: https://thehackernews.com/2019/01/macro-malware-microsoft-office.html

Mountberg
An online casino owned by the Cyprus-based Mountberg casino group leaked information on more than 108 million bets, including customers’ personal information, deposits and withdrawals. The data leaked from an Elasticsearch server that was exposed online without any authentication. To read more: https://www.zdnet.com/article/online-casino-group-leaks-information-on-108-million-bets-including-user-details/

Google
France’s National Data Protection Commission (CNIL) fined Google €50 million for violating the European Union’s General Data Protection Regulation, or GDPR. The fine was for Google’s “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” To read more: https://thehackernews.com/2019/01/google-privacy-gdpr-fine.html

Shodan
Shodan was the first search engine aimed at Internet-of-Things devices: any internet-connected device that answers a scan gets indexed and tagged, so users can find anything from open ports on routers to exposed databases, hospital CT scanners and airport explosive-detector units. Hackers are now playing “Shodan Safari”, tweeting and sharing the worst exposed devices and databases they find. To read more: https://techcrunch.com/2019/01/21/shodan-safari/

Cebuana Lhuillier
The Bangko Sentral ng Pilipinas, the central bank of the Philippines, is monitoring a reported breach of the personal information of 900,000 clients of Cebuana Lhuillier, a pawnshop chain. The exposed personal information includes customers’ names, birthdates, email addresses, mobile numbers and income information. To read more: https://www.gmanetwork.com/news/money/companies/682243/bsp-investigating-cebuana-lhuillier-data-breach/story/

Brazilian government hack
Brazil’s Ministry of Defense and National Intelligence Agency (ABIN) were victims of a data breach after a hacker gained access to the IT firm Sepro, Brazil’s largest provider of IT services to government agencies. To read more: https://roguemedialabs.com/2019/01/19/officials-belonging-to-brasilian-ministerio-da-defesa-inteligencia-abin-it-firm-sepro-exposed-by-data-breach/

GoDaddy.com
An authentication weakness at GoDaddy.com, which let anyone with a GoDaddy account add a domain they did not own to their account (and so control its DNS) without proving ownership, made possible two of the most widespread recent spam email campaigns. Spammers used the same weakness to hijack dormant domains belonging to many other major Internet service providers and well-known brands. To read more: https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/

PC Trends Report 2019
Avast found that a majority of PC users are not installing security patches and keep outdated versions of popular apps on their machines. According to the report, 55% of all installed software is outdated. The most frequently neglected apps include Adobe Shockwave, VLC Media Player and Skype. To read more: https://blog.polyverse.com/wp-content/uploads/2019/01/Avast_PC_Trends_Report_2019.pdf

Ascension
A security researcher found an exposed server running an Elasticsearch database that held more than a decade’s worth of loan and mortgage agreements and other highly sensitive financial documents. The database contained more than 24 million financial and banking records. The leak was traced back to Ascension, a data and analytics company used by the financial industry. To read more: https://techcrunch.com/2019/01/23/financial-files/

Ascension, redux
The Ascension leak that exposed 24 million financial documents just got worse. Investigators unearthed a separate unprotected server that provided anyone online with access to yet more documents, including mortgage applications and W-9 forms. To read more: https://www.housingwire.com/articles/48007-massive-data-breach-involving-millions-of-mortgage-documents-just-got-much-worse

Distributed Denial of Secrets
A new leak site called Distributed Denial of Secrets released hundreds of thousands of hacked emails and gigabytes of documents from Russian oligarchs and the Kremlin. Distributed Denial of Secrets is a volunteer effort to provide researchers and journalists with a repository for hacked documents. To read more: https://www.thedailybeast.com/this-time-its-russias-emails-getting-leaked

City of Akron
Authorities are investigating a financially motivated cyberattack on Akron city servers. The attack does not seem to have compromised any personal information — yet. To read more: https://www.news5cleveland.com/news/local-news/akron-canton-news/multiple-local-and-state-agencies-investigating-cyber-attack-on-akrons-city-servers

Check out Have I Been Pwned to see if any of your accounts have been exposed by the above breaches.

Reported Vulnerabilities

iPhone X Jailbreak
A Chinese cybersecurity researcher unveiled details of critical vulnerabilities in the Safari web browser and iOS that could enable a remote attacker to jailbreak and compromise an iPhone X running iOS 12.1.2 by luring the user to a malicious web page. To read more: https://thehackernews.com/2019/01/ios12-jailbreak-exploit.html

DNS hijacking
The Department of Homeland Security published an emergency directive in response to a wave of DNS-hijacking attacks that security firms have linked to Iran. It ordered federal agencies to audit their public DNS records for unauthorized changes, change the passwords of every account that can modify DNS records, enable multi-factor authentication on those accounts, and monitor Certificate Transparency logs for certificates issued for their domains that they did not request. To read more: https://www.zdnet.com/article/dhs-issues-security-alert-about-recent-dns-hijacking-attacks/
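The first item in the directive, auditing DNS records for unauthorized edits, comes down to comparing a trusted snapshot of each zone against what the world currently resolves. The script below is an added example (not from the page, DHS or ZDNet): it parses answer lines in the shape `dig +noall +answer` prints, diffs them against a constructed baseline, and ranks each change by record type, since a changed NS or MX record silently redirects delegation or mail. The zone, addresses and the simulated hijack are all constructed for the example.

```python
"""Offline DNS record audit: baseline snapshot vs. freshly resolved answers."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

RecordKey = Tuple[str, str]            # (owner name, record type)
RecordSet = Dict[RecordKey, Set[str]]  # -> set of rdata strings

# Constructed baseline: the zone's records as recorded at the last audit.
BASELINE: RecordSet = {
    ("agency.example.gov.", "NS"): {"ns1.agency.example.gov.", "ns2.agency.example.gov."},
    ("agency.example.gov.", "A"): {"203.0.113.10"},
    ("agency.example.gov.", "MX"): {"10 mail.agency.example.gov."},
    ("mail.agency.example.gov.", "A"): {"203.0.113.25"},
    ("www.agency.example.gov.", "A"): {"203.0.113.10"},
}

# Constructed `dig +noall +answer`-style output simulating a hijack: one NS
# was swapped for an attacker's server, the mail host now resolves to an
# attacker address, and a new "vpn" host has appeared out of nowhere.
OBSERVED_DIG_OUTPUT = """\
agency.example.gov.       300 IN NS ns1.agency.example.gov.
agency.example.gov.       300 IN NS ns1.attacker.example.
agency.example.gov.       300 IN A  203.0.113.10
agency.example.gov.       300 IN MX 10 mail.agency.example.gov.
mail.agency.example.gov.  300 IN A  198.51.100.7
www.agency.example.gov.   300 IN A  203.0.113.10
vpn.agency.example.gov.   300 IN A  198.51.100.8
"""

# Record types that redirect delegation, traffic or mail get the highest severity.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "CNAME": "high", "MX": "high"}


@dataclass
class Finding:
    name: str
    rtype: str
    severity: str
    added: Set[str]    # values present now but absent from the baseline
    removed: Set[str]  # baseline values that have disappeared


def parse_dig_answers(lines: Iterable[str]) -> RecordSet:
    """Parse '<name> <ttl> IN <type> <rdata>' lines into a RecordSet."""
    records: RecordSet = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # rdata itself may contain spaces (MX, TXT, SOA)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = parts
        records.setdefault((name, rtype), set()).add(rdata)
    return records


def audit(baseline: RecordSet, observed: RecordSet) -> List[Finding]:
    """Return one Finding per (name, type) whose value set differs from the baseline."""
    findings: List[Finding] = []
    for key in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(key, set()), observed.get(key, set())
        if before == after:
            continue
        name, rtype = key
        findings.append(Finding(name, rtype, SEVERITY.get(rtype, "medium"),
                                after - before, before - after))
    return findings


def run_audit() -> List[Finding]:
    return audit(BASELINE, parse_dig_answers(OBSERVED_DIG_OUTPUT.splitlines()))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity}] {f.name} {f.rtype}: +{sorted(f.added)} -{sorted(f.removed)}")
```

In practice the baseline should come from the registrar's or DNS provider's export taken before the incident window, and the observed side should be queried from several external resolvers rather than the organisation's own, since the hijacks in question were carried out by changing records at the provider rather than on the agencies' hosts.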

PHP PEAR
Anyone who downloaded the PHP PEAR package manager installer (go-pear.phar) from the official website in the past six months may have a compromised copy. The maintainers took down the official site after discovering that someone had replaced the original installer with a modified version. PEAR is a framework and distribution system for reusable PHP components. To read more: https://thehackernews.com/2019/01/php-pear-hacked.html

apt/apt-get
A security researcher found a content-injection vulnerability (CVE-2019-3462) in the HTTP transport of apt, the package manager used by Debian, Ubuntu and their derivatives, that enables a man-in-the-middle to execute arbitrary code as root on a machine running apt update or apt install. The bug has since been fixed; because the fix itself is fetched over apt, the researcher recommends updating with HTTP redirects disabled (apt -o Acquire::http::AllowRedirect=false update). To read more: https://justi.cz/security/2019/01/22/apt-rce.html
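The flaw is a classic injection across a trust boundary: apt talks to its transport methods over a line-based text protocol, and the http method copied the server-supplied Location header into a "103 Redirect" message without validation. The toy model below is an added example written for this report, not apt's code and not the exploit from the writeup; the message names ("103 Redirect", "201 URI Done", the New-URI and SHA256-Hash fields) are the real protocol's, while the builder, the parser, the hardening check, the package URI and the hash value are simplified stand-ins. It shows how a newline in the redirect target lets an attacker append a forged message of their own, and how rejecting control characters in the target closes that path.

```python
"""Toy model of the redirect-injection flaw class in apt's method protocol."""
from typing import Callable, Dict, List, Tuple

Message = Tuple[str, Dict[str, str]]  # (status line, headers)


def build_redirect_vulnerable(orig_uri: str, location: str) -> str:
    # Interpolates the attacker-controlled Location value verbatim.
    return f"103 Redirect\nURI: {orig_uri}\nNew-URI: {location}\n\n"


def build_redirect_hardened(orig_uri: str, location: str) -> str:
    # Illustrative check (not the upstream patch): a URL never legitimately
    # contains control characters or whitespace, so refuse them outright.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in location):
        raise ValueError("redirect target contains control characters")
    return f"103 Redirect\nURI: {orig_uri}\nNew-URI: {location}\n\n"


def parse_messages(stream: str) -> List[Message]:
    """Split a method-protocol stream into (status, headers) messages."""
    messages: List[Message] = []
    for block in stream.split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln]
        if not lines:
            continue
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            key, _, value = line.partition(": ")
            headers[key] = value
        messages.append((lines[0], headers))
    return messages


# Constructed values: the package the client asked for and the hash it
# expects for it (placeholder; in reality it comes from the signed index).
REAL_URI = "http://deb.example.org/pool/main/c/cowsay/cowsay_3.03-9_all.deb"
EXPECTED_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# A malicious Location header: a harmless-looking target, then a forged
# "201 URI Done" claiming an attacker-controlled file on disk is the real
# package and carries exactly the checksum apt is waiting for.
MALICIOUS_LOCATION = (
    "http://deb.example.org/pool/harmless\n\n"
    "201 URI Done\n"
    f"URI: {REAL_URI}\n"
    "Filename: /var/lib/apt/lists/partial/attacker-controlled\n"
    f"SHA256-Hash: {EXPECTED_SHA256}\n"
    "Size: 1234"
)


def messages_seen_by_apt(builder: Callable[[str, str], str]) -> List[Message]:
    """What the apt parent process would parse after one redirect."""
    try:
        return parse_messages(builder(REAL_URI, MALICIOUS_LOCATION))
    except ValueError:
        return []  # the hardened method drops the redirect entirely


if __name__ == "__main__":
    for status, headers in messages_seen_by_apt(build_redirect_vulnerable):
        print(status, headers)
    print("hardened:", messages_seen_by_apt(build_redirect_hardened))
```

The second message in the vulnerable case is the dangerous one: apt trusts the hashes its own method reports, so a forged "201 URI Done" with the right SHA256-Hash makes a file the attacker already delivered pass signature-backed verification. The general lesson is that any value taken from the network and written into an internal line-oriented protocol needs the same escaping or rejection discipline as HTTP header injection or log injection.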

hAnt
A new ransomware strain called hAnt is targeting Bitcoin mining rigs in China. Most of the infected rigs are Antminer S9 and T9 devices. To read more: https://www.zdnet.com/article/new-ransomware-strain-is-locking-up-bitcoin-mining-rigs-in-china/

MS Word macros
Researchers found two different malware campaigns spreading the Ursnif trojan and GandCrab ransomware in the wild. Both begin with phishing emails carrying a Microsoft Word document embedded with malicious macros, which fetch and run the payload once the user enables content. Ursnif is a banking and information-stealing trojan; GandCrab is ransomware. To read more: https://thehackernews.com/2019/01/microsoft-gandcrab-ursnif.html
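Both this campaign and the DarkHydrus campaign above ride on macro-enabled Office documents, so a cheap first triage step at the mail gateway is to ask whether an attachment carries a VBA project at all. The script below is an added example (not from the page or any vendor): modern OOXML files (.docx, .docm, .xlsx, .xlsm and so on) are ZIP containers in which a VBA project lives in a well-known part such as word/vbaProject.bin and is declared in the [Content_Types].xml manifest, so the check is a ZIP listing rather than a document parse. Legacy OLE files (.doc, .xls) are flagged by magic number only; reading their macro streams needs an OLE parser such as oletools, which this example does not attempt. The sample documents are constructed inline.

```python
"""Triage Office attachments for embedded VBA projects by inspecting the container."""
import io
import zipfile
from typing import Dict, Union

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls/.ppt header
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_office_file(data: bytes) -> str:
    """Return one of: ooxml-macro, ooxml-clean, ole-legacy, not-office."""
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"  # may contain macros; needs an OLE parser to tell
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if not any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
                return "not-office"
            if names & VBA_PARTS:
                return "ooxml-macro"
            # A VBA part stored under a non-standard name is still declared
            # in the content-types manifest, so check that as well.
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def _build_ooxml(parts: Dict[str, Union[str, bytes]]) -> bytes:
    """Construct a minimal OOXML-shaped ZIP for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean Word file, a macro-enabled workbook (note the
# check does not depend on the extension), a legacy binary document, and noise.
SAMPLES: Dict[str, bytes] = {
    "invoice.docx": _build_ooxml({"[Content_Types].xml": "<Types/>",
                                  "word/document.xml": "<w:document/>"}),
    "invoice.xlsm": _build_ooxml({"[Content_Types].xml": "<Types/>",
                                  "xl/workbook.xml": "<workbook/>",
                                  "xl/vbaProject.bin": OLE_MAGIC + b"\x00" * 16}),
    "report.doc": OLE_MAGIC + b"\x00" * 64,
    "notes.txt": b"just text",
}


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    return {name: classify_office_file(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

A verdict of ooxml-macro does not by itself mean malicious, and ooxml-clean does not rule out other delivery tricks such as embedded OLE objects or external template references, but the check is cheap enough to run on every attachment and gives a reliable signal for the macro-based lures described in both campaigns.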

Chrome, Firefox, Opera
Researchers published a report showing that many Chrome, Firefox and Opera extensions expose privileged capabilities to ordinary web pages, which a malicious site can abuse to steal sensitive browser data, download arbitrary files and/or plant files on the user’s system. To read more: https://threatpost.com/web-apps-browser-extensions-backdoors/141061/

Want to learn more?

Sign up below and receive these reports and more, directly in your inbox.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.