Polyverse Weekly Breach Report


A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

Apple synthetic clicks

An Apple security expert revealed a zero-day vulnerability impacting MacOS, including the new version that was launched at the company’s Worldwide Developers Conference. The issue surrounds “synthetic events,” a MacOS mechanism that enables applications to automate mouse clicks and keyboard input. These events can load kernel extensions, dump keychain passwords, get geo-location data and more, and can be a problem because of the level of access they have. To read more: https://www.zdnet.com/article/apple-still-has-problems-with-stopping-synthetic-clicks/

Google Cloud

Google experienced a cloud outage that took down its services for three hours. The outage took out a large portion of Google services as well as those of companies such as Shopify, Snap and Vimeo. The issue has since been resolved. To read more: https://techcrunch.com/2019/06/02/googles-cloud-outage-is-resolved-but-it-reveals-the-holes-in-cloud-computings-atmosphere/

BlackSquid

A new malware known as BlackSquid is targeting web servers and network drives using various exploits. The malware uses anti-debugging and anti-sandboxing methods to determine whether to continue with installation. It also has worm-like behavior to accelerate propagation. To read more: https://blog.trendmicro.com/trendlabs-security-intelligence/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner/

GandCrab ransomware

The operators of the GandCrab Ransomware are shutting down their operation and telling affiliates to stop distributing the ransomware. The operators make the unlikely claim to have made more than $2bn in ransom payments. They also informed current victims that they have to pay for decryption now, as all keys will be deleted at the end of this month. To read more: https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/

LandMark White

This Australian commercial and residential property-valuation company said that a “small number” of its clients stopped using its services because of two data breaches within the past six months. LandMark White revealed that someone posted internal documents to the document-sharing service Scribd. To read more: https://www.computerworld.com.au/article/662400/landmark-white-faces-fallout-over-second-data-breach/

Quest Diagnostics

One of the largest blood-testing providers in the country just warned customers that nearly 12m individuals’ personal, medical and financial information was breached. A hacker gained access to a billing-collections vendor used by Quest. To read more: https://www.nbcnewyork.com/news/local/Quest-Diagnostics-12-Million-People-Data-Breach-510754611.html

Tinder

Russian authorities are requiring the dating app Tinder to hand over user data, including messages. Tinder has not yet complied. The dating app is among 175 online services that the Russian government has targeted; many have not complied and were blocked. To read more: https://www.apnews.com/103dc01ce19e48fd89cd32e083ca1e50

JCrush

User records and private messages were exposed on JCrush, a Jewish dating app, after a database was left open without a password. The database had around 200,000 user records, none of which were encrypted. To read more: https://techcrunch.com/2019/06/04/jcrush-exposed-data-messages/

Baltimore

Baltimore’s computer systems, which have been held hostage by ransomware for the past month or so, do not seem to contain the NSA hacking tool Eternal Blue, as was thought. New analysis suggests that although Eternal Blue may have been used to spread the ransomware, known as RobbinHood, the latter contains no traces of Eternal Blue itself. The NSA has maintained throughout the whole affair that Eternal Blue was not used in the Baltimore attack. To read more: https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/

Windows

A bug in Windows’ RDP Network-Level Authentication enables an attacker to bypass the lock screen on remote sessions. To read more: https://kb.cert.org/vuls/id/576688/

Australian National University

The Australian National University announced a significant data breach that exposed the personal information of 200,000 staff and students. The university believes that the accessed data goes back 19 years. To read more: https://www.theguardian.com/australia-news/2019/jun/04/australian-national-university-hit-by-huge-data-breach

Check out Have I Been Pwned to see if any of your accounts have been exposed by the above breaches.

Microsoft Exchange

A tool to hack Microsoft Exchange email accounts was leaked online. The leaker released the tool and said that it was used by the Iranian government. The attack involved brute force against online Exchange services. To read more: https://www.bleepingcomputer.com/news/security/new-email-hacking-tool-from-oilrig-apt-group-leaked-online/

Rkt container flaws

Some unpatched vulnerabilities in the rkt container runtime can enable an attacker to escape the container and gain root access to the host. To exploit the flaw, a user must execute “rkt enter” in an attacker-controlled pod. To read more: https://www.securityweek.com/rkt-container-runtime-flaws-give-root-access-host

LabCorp

Medical testing company LabCorp announced that the personal and financial data of 7.7m consumers were exposed by a breach at a third-party billing-collections company. This is part of the same breach that also impacted Quest Diagnostics. To read more: https://krebsonsecurity.com/2019/06/labcorp-7-7m-consumers-hit-in-collections-firm-breach/

Exim

A critical remote-command-execution flaw was found that impacts more than half of the internet’s email servers. The vulnerability impacts Exim, a mail-transfer agent, which is the software that relays email from senders to recipients. Currently, 57% of all email servers run Exim. To read more: https://www.zdnet.com/article/new-rce-vulnerability-impacts-nearly-half-of-the-internets-email-servers/

Android smartphones

Four low-end German Android smartphone models have a backdoor embedded in the firmware. The flaw impacts the Doogee BL7000, M-Horse Pure 1, Keecoo P11 and VKworld Mix Plus smartphones. The malware was embedded inside an app called Sound Recorder that was included by default. To read more: https://www.zdnet.com/article/germany-backdoor-found-in-four-smartphone-models-20000-users-infected/

SandboxEscaper

The anonymous security researcher known as SandboxEscaper, who released the unpatched Windows vulnerabilities from last week, just released another zero-day exploit. This time it can be used to bypass the patch for an elevation-of-privilege vulnerability in Windows. To read more: https://thehackernews.com/2019/06/windows-eop-exploit.html

GoldBrute

Security researchers discovered a botnet campaign known as GoldBrute that is brute-forcing 1.5m Windows RDP servers on the internet. To remain undetected, the attackers command each infected machine to target millions of servers with a unique set of username/password combinations so that the server is brute-forced from different IP addresses. To read more: https://thehackernews.com/2019/06/windows-rdp-brute-force.html
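The evasion described above (each infected host sends only a handful of guesses, so no single source IP ever trips a per-IP lockout or alert) is the reason a classic "N failures from one IP" rule misses a campaign like GoldBrute. The following is an added example, not code from the article or from The Hacker News, showing the difference between that per-IP rule and a detection that aggregates failed logons across all sources in a sliding window. The log format (one flattened line per Windows Security Event ID 4625 / 4624 record), the IP addresses (TEST-NET ranges) and the thresholds are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: Windows Security events flattened to one line each.
# 4625 = failed logon, 4624 = successful logon. All values are made up.
# Lines 10:00-10:05 mimic a distributed campaign: ten sources, 1-2 tries each.
# Lines at 10:31 mimic one user fat-fingering a password six times from one host.
SAMPLE_LOG = """\
2019-06-06T10:00:01Z EventID=4625 TargetUser=administrator SourceIP=198.51.100.11
2019-06-06T10:00:19Z EventID=4625 TargetUser=admin SourceIP=198.51.100.23
2019-06-06T10:00:44Z EventID=4625 TargetUser=administrator SourceIP=198.51.100.37
2019-06-06T10:01:02Z EventID=4624 TargetUser=jsmith SourceIP=203.0.113.5
2019-06-06T10:01:15Z EventID=4625 TargetUser=backup SourceIP=198.51.100.41
2019-06-06T10:01:58Z EventID=4625 TargetUser=admin SourceIP=198.51.100.11
2019-06-06T10:02:30Z EventID=4625 TargetUser=administrator SourceIP=198.51.100.52
2019-06-06T10:02:47Z EventID=4625 TargetUser=scanner SourceIP=198.51.100.66
2019-06-06T10:03:05Z EventID=4625 TargetUser=admin SourceIP=198.51.100.70
2019-06-06T10:03:33Z EventID=4625 TargetUser=administrator SourceIP=198.51.100.84
2019-06-06T10:04:10Z EventID=4625 TargetUser=backup SourceIP=198.51.100.23
2019-06-06T10:04:26Z EventID=4625 TargetUser=admin SourceIP=198.51.100.99
2019-06-06T10:04:51Z EventID=4625 TargetUser=administrator SourceIP=198.51.100.103
2019-06-06T10:31:00Z EventID=4625 TargetUser=jsmith SourceIP=203.0.113.5
2019-06-06T10:31:12Z EventID=4625 TargetUser=jsmith SourceIP=203.0.113.5
2019-06-06T10:31:25Z EventID=4625 TargetUser=jsmith SourceIP=203.0.113.5
2019-06-06T10:31:40Z EventID=4625 TargetUser=jsmith SourceIP=203.0.113.5
2019-06-06T10:31:55Z EventID=4625 TargetUser=jsmith SourceIP=203.0.113.5
2019-06-06T10:32:10Z EventID=4625 TargetUser=jsmith SourceIP=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_failures(log_text):
    """Return (timestamp, user, source_ip) for every failed-logon (4625) line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("eid") != "4625":
            continue  # skip malformed lines and successful logons
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def per_ip_alerts(events, threshold=5):
    """Classic rule: alert on any single source IP with >= threshold failures.
    Catches the fat-fingered user, misses the distributed campaign entirely."""
    counts = Counter(ip for _, _, ip in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def distributed_alert(events, window=timedelta(minutes=10), min_ips=8, max_per_ip=2.0):
    """Aggregate failures across all sources inside a sliding window.
    Fires when many distinct IPs each contribute only a few failures, which is
    the low-per-source, high-in-aggregate shape of a distributed brute force.
    Thresholds are illustrative assumptions; tune them to the host's baseline."""
    events = sorted(events)
    for i, (start, _, _) in enumerate(events):
        in_window = [e for e in events[i:] if e[0] - start <= window]
        ips = Counter(e[2] for e in in_window)
        if len(ips) >= min_ips and len(in_window) / len(ips) <= max_per_ip:
            return {
                "start": start,
                "failures": len(in_window),
                "distinct_ips": len(ips),
                "users": sorted({e[1] for e in in_window}),
            }
    return None


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print("per-IP rule flags:", per_ip_alerts(evts))
    print("distributed rule:", distributed_alert(evts))
```

Running it shows the per-IP rule flagging only the single noisy host, while the windowed rule reports the ten-source campaign against administrator, admin, backup and scanner. In a real deployment the same aggregation is usually done in the SIEM per target host, with the window and the distinct-IP floor set from observed normal failure rates.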

Opko Health

This medical testing company was notified by its former billing-collections vendor that it had been breached and information on 422,600 customers was impacted. The vendor, American Medical Collection Agency, informed Opko Health that the information included credit-card and banking information, email addresses and more. This is the same breach that impacted Quest Diagnostics and LabCorp. To read more: https://www.reuters.com/article/us-opko-health-cyber/opko-health-says-over-400000-customers-likely-affected-by-data-breach-idUSKCN1T71UL

Komodo Platform

A cryptocurrency startup called Komodo learned that there was a backdoor in one of its older wallet apps called Agama. Before hackers could use the flaw, Komodo used the backdoor to extract customers’ funds from all impacted wallets and move them to a safe location. The backdoor was discovered in the npm JavaScript package repository. To read more: https://www.zdnet.com/article/cryptocurrency-startup-hacks-itself-before-hacker-gets-a-chance-to-steal-users-funds/

Bing

A new malware strain intercepts and tampers with internet traffic on infected Apple Macs to inject Bing results into Google searches. The malware is disguised as an installer for an Adobe Flash plugin that users are tricked into running. When a user then runs a Google search, the request is routed through a local proxy, which injects Bing results into the results page. To read more: https://www.theregister.co.uk/2019/06/04/macos_infection_hijack/
