Polyverse Weekly Breach Report


A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

QuadrigaCX
One of the largest Canadian bitcoin exchanges claims to have lost 190 million CAD (145 million USD) worth of cryptocurrency. The last person who had access to the offline secure wallet unexpectedly died, leaving the exchange without access to its funds. To read more: https://thehackernews.com/2019/02/cryptocurrency-exchange-exit-scam.html

Pentagon cybersecurity
Three high-profile DoD systems still exhibit cybersecurity flaws. In its report, the office of the Director of Operational Test & Evaluation (DOT&E) found that the F-35 Joint Strike Fighter, the Defense Healthcare Management System and the Joint Regional Security Stack operated inadequately. One of the biggest takeaways is that the DoD should stop any operation of the Joint Regional Security Stack until “the system demonstrates that it is capable of helping network defenders detect and respond to cyberattacks.” To read more: https://www.fedscoop.com/cybersecurity-dod-operational-test-evaluation-2018-report/

Visma
Hackers believed to be working on behalf of China breached the network of a Norwegian software firm called Visma. Visma provides business software products to companies across Scandinavia and parts of Europe. The company is confident that no client networks were accessed. To read more: https://www.reuters.com/article/us-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUSKCN1PV141

Huaxia Bank ATMs
A Chinese software manager was found guilty of stealing $1M from Huaxia Bank ATMs through security weaknesses. When the bank uncovered the scheme, the manager tried to use internal security testing as an excuse for his actions. To read more: https://www.zdnet.com/article/software-exec-jailed-after-exploiting-atm-loophole-to-steal-1-million/

Eskom Group
South African energy company Eskom Group was hit with a security breach that exposed an unsecured database containing customer information. The breach exposed network credentials, customer details, redacted credit card information and more. To read more: https://www.bleepingcomputer.com/news/security/power-company-has-security-breach-due-to-downloaded-game/

Huddle House
Huddle House restaurant chain reported a point-of-sale data breach that began in August of 2017 due to one of its third-party vendors. The exposed information includes cardholder name, credit card number, expiration date and more. To read more: https://www.scmagazine.com/home/security-news/data-breach/huddle-house-hit-with-point-of-sale-data-breach/

Mumsnet
Mumsnet, an online forum for parents, reported a data breach that happened during a “software change.” Mumsnet does not know how many accounts were accessed, but approximately 4,000 users logged into their accounts during the time of the breach. To read more: https://www.theregister.co.uk/2019/02/07/mumsnet_breach/

Trakt
Trakt, a service for tracking the movies and TV shows users watch, announced a data breach that took place in 2014. The company only recently discovered the breach but believes that “a PHP exploit was used to capture data.” To read more: https://betanews.com/2019/02/07/trakt-data-breach/

Apple
Apple released an iPhone update that fixes the FaceTime bug that allowed users to eavesdrop on each other. The vulnerability was discovered by a teen while playing Fortnite back in January. To read more: https://www.cnet.com/news/apple-releases-iphone-update-to-fix-group-facetime-eavesdropping-bug/

Apple redux
Researchers at Google’s Project Zero group identified an in-the-wild zero-day exploit that chained two vulnerabilities in Apple’s iOS. While Apple’s 12.1.4 patch was mainly designed to fix the FaceTime bug from last week, it also patched these two vulnerabilities. To read more: https://www.macrumors.com/2019/02/08/hackers-exploited-two-vulnerabilities-ios-12-1-4/

Jack’d
Gay dating app Jack’d stored users’ private images on an unsecured AWS server. The app, which has more than 1M downloads from the Google Play store, was alerted to the vulnerability a year ago. Ars Technica reported that the most recent February update patched the issue. To read more: https://arstechnica.com/information-technology/2019/02/indecent-disclosure-gay-dating-app-left-private-exposed-to-web/

Check out Have I Been Pwned to see if any of your accounts have been exposed by the above breaches.

Reported Vulnerabilities

SpeakUp
A new backdoor trojan called SpeakUp is running on Linux systems in China and South America. Hackers are using an exploit for the ThinkPHP framework to infect servers with the malware. If the trojan gets a foothold, it can run shell commands and execute files downloaded from a remote command and control server. SpeakUp currently runs on six different Linux distributions. To read more: https://www.zdnet.com/article/security-researchers-discover-new-linux-backdoor-named-speakup/

Take a look at Polyscripting and see how we eliminate script injection attacks in PHP.

OpenOffice and LibreOffice
A security researcher discovered remote code execution vulnerabilities in OpenOffice and LibreOffice, two open source office suites. The attack executes a specific Python library bundled within the software. The researcher reported the vulnerability to both open source projects in October of 2018. LibreOffice has released a fix for the vulnerability, but OpenOffice remains unpatched. To read more: https://thehackernews.com/2019/02/hacking-libreoffice-openoffice.html

Glassbox
Mobile apps from companies like Abercrombie & Fitch, Hotels.com, Singapore Airlines and more use a customer experience analytics firm called Glassbox. Glassbox enables developers to embed “session replay” technology into their apps. A mobile expert, The App Analyst, who analyzes popular apps, found that Air Canada’s iPhone app wasn’t properly masking the session replays. This leak exposed passport numbers and credit card data. While not every app leaked unmasked data, it is unclear how many companies’ data was exposed. To read more: https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/

Android smartphones
Android smartphones are vulnerable to being hacked merely by opening a PNG file. Three specific vulnerabilities were discovered that impact millions of devices running recent versions of Android. The bugs appear to be a heap buffer overflow flaw, errors in “SkPngCodec” and issues in components that render PNG images. Not every manufacturer rolls out security patches at the same time, so it’s difficult to know when all devices will receive patches. To read more: https://thehackernews.com/2019/02/hack-android-with-image.html

FireOS
Amazon patched a vulnerability in the Amazon Fire Tablet operating system. The flaw could enable a hacker to inject malicious content into the Settings, Legal and Compliance, Terms of Use and Privacy sections on the device. These sections of FireOS lack HTTPS for some content, which can enable a man-in-the-middle attack. To read more: https://threatpost.com/fireos-flaw-allowed-limited-content-injection-in-amazon-tablets/141607/

Zcash Bug
Developers of the Zcash cryptocurrency recently patched a critical vulnerability that could have enabled an attacker to create an unlimited number of Zcash coins. Zcash is a privacy-oriented cryptocurrency that claims to be more anonymous than Bitcoin. The flaw was discovered in March of 2018 and kept secret until October of 2018, when developers released a patch. To read more: https://thehackernews.com/2019/02/zcash-cryptocurrency-hack.html

Apple keychain flaw
A security researcher revealed an exploit that can expose the passwords stored in the Mac keychain. The exploit grabs everything in the keychain with a single press of a “show me your secrets” button. Watch the exploit in action. To read more: https://venturebeat.com/2019/02/06/researcher-reveals-huge-mac-password-flaw-to-protest-apple-bug-bounty/

Want to learn more?

Sign up below and receive these reports and more, directly in your inbox.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.