Polyverse Weekly Breach Report

A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

Package 3
Another batch of stolen account databases went up for sale on the Dream Market dark-web marketplace, this time belonging to users of Pizap, Jobandtalent, Gfycat, Storybird, Legendas.tv, Onebip, Classpass, Streeteasy, and Btcurk. The seller is asking 2.6249 Bitcoin (about $9,700 at the time) for the data. To read more: https://thehackernews.com/2019/02/data-breach-sale-darkweb.html

Austrian IPs
A researcher downloaded the complete list of IP address ranges allocated to Austria, scanned them, and found 1,273 Windows machines exposed to the internet. He also found exposed web servers, printers, webcams, and various industrial systems. To read more: https://blog.haschek.at/2019/i-scanned-austria.html

Indane
Baptiste Robert, a French security researcher, working together with an anonymous researcher, found that the official website of Indane, an Indian state-owned LPG supplier, was leaking the personal details of millions of customers. A flaw in the Indane online dealer portal let anyone retrieve customer records, hundreds of thousands of them, without authenticating. To read more: https://thehackernews.com/2019/02/indane-aadhaar-leak.html

Containing state-sponsored threats
Governments and businesses have roughly 20 minutes to detect and contain an intrusion by Russian nation-state groups before the attackers move laterally from the first compromised host (their "breakout time"). North Korean groups were the next fastest, needing about two hours and 20 minutes to break out. To read more: https://www.zdnet.com/article/you-have-around-20-minutes-to-contain-a-russian-apt-attack/

LandMark White
Westpac Group, an Australian bank and financial services company, warned customers who had a property valuation carried out that they may be affected by a data breach at LandMark White, a valuation firm Westpac uses. The breach exposed property valuations and the contact information of borrowers, lenders, homeowners, residents and others. To read more: https://www.zdnet.com/article/landmark-white-data-breach-could-impact-westpac-customers/

Bugcrowd
A security researcher was removed from Bugcrowd, a vulnerability-reporting platform, for violating the company's rules on "unauthorized disclosure" after he told a reporter about a weakness in LastPass, a well-known password manager. The weakness is an old one, but it still had not been fixed at the time of disclosure. To read more: https://www.cyberscoop.com/bugcrowd-adrian-bednarek-lastpass/

Transerve Technologies
A security researcher found an unsecured MongoDB instance exposing the personal details of roughly half a million Indian citizens. The database, named "GNCTD", held records on 458,388 people located in Delhi. It belongs to Transerve Technologies, a Goa-based company that specializes in smart-city solutions and data-collection technology. To read more: https://thehackernews.com/2019/02/mongodb-delhi-database-leaked.html

Password Managers
Independent Security Evaluators published a paper evaluating several popular password managers on Windows and found that "each password manager fails in implementing proper secrets sanitization for various reasons": master passwords and stored credentials could remain recoverable from process memory even after the manager had been locked. To read the full paper: https://www.securityevaluators.com/casestudies/password-manager-hacking/

Toyota Australia
Toyota Australia announced that it experienced an “attempted cyber attack.” The company does not believe that any employee or customer data was accessed. To read more: https://www.zdnet.com/article/toyota-australia-confirms-attempted-cyber-attack/

UW Medicine
A "data error" left the records of about 974,000 University of Washington (UW) Medicine patients accessible on the internet. The exposed files included patient names, medical record numbers, and a description of which medical information had been shared and with whom. To read more: https://patch.com/washington/seattle/data-974-00-uw-medicine-patients-exposed-internet

Facebook’s Onavo Project
Facebook pulled its Onavo VPN app from the Google Play store after the backlash that followed the investigation into its data collection published a few weeks earlier. The app will be shut down and will stop collecting users' traffic data for market research. To read more: https://techcrunch.com/2019/02/21/facebook-removes-onavo/

Swiss Post
Switzerland launched a public penetration test and bug bounty program for Swiss Post's online voting system. The test runs from February 25 to March 24, and anyone who reports a valid vulnerability is paid a bounty. To read more: https://www.evoting-blog.ch/en/pages/2019/public-hacker-test-on-swiss-post-s-e-voting-system

Stanford University
A vulnerability in NolijWeb, a third-party content management system used by Stanford, exposed the sensitive admission files of a small number of students. The bug allowed logged-in students to view other students' admission records, including essays, personal information and Social Security numbers. 93 students were affected and have been notified by the school. To read more: https://www.2-spyware.com/stanford-data-breach-students-access-each-others-personal-details

UConn (University of Connecticut) Health
A data breach at UConn Health may have exposed the data of roughly 300,000 patients and employees after an unauthorized third party gained access to employee email accounts containing personal information. To read more: https://www.wtnh.com/news/connecticut/hartford/uconn-health-data-breach-could-impact-300-000-/1802299304

Intuit
Intuit notified users that a credential stuffing attack resulted in a data breach: attackers reused username and password pairs leaked from other sites to log into TurboTax accounts and view the tax return information stored there. To read more: https://www.technadu.com/intuit-turbotax-stuffing-attack-data-breach/59121/
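Credential stuffing leaves a recognisable trace in authentication logs: one source address fanning out across many distinct usernames with a high failure ratio in a short window, with the occasional success marking an account whose password was reused. The detector below is an added example and not Intuit's code or anything from the cited report; the log format, the field names and the thresholds are assumptions, and the log lines are constructed for the demonstration.

```python
"""Credential-stuffing detection over constructed login logs.

Added example, not Intuit's code. Log format ("timestamp source_ip user
result"), field names and thresholds are assumptions; the heuristic is the
point: one source trying many distinct usernames with mostly failures.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sprays ten usernames in nine seconds
# and lands two logins; 198.51.100.9 is a normal user mistyping a password.
SAMPLE_LOG = """\
2019-02-20T10:00:01Z 203.0.113.7 alice FAIL
2019-02-20T10:00:02Z 203.0.113.7 bob FAIL
2019-02-20T10:00:02Z 203.0.113.7 carol FAIL
2019-02-20T10:00:03Z 203.0.113.7 dave SUCCESS
2019-02-20T10:00:04Z 203.0.113.7 erin FAIL
2019-02-20T10:00:05Z 203.0.113.7 frank FAIL
2019-02-20T10:00:06Z 203.0.113.7 grace FAIL
2019-02-20T10:00:07Z 203.0.113.7 heidi FAIL
2019-02-20T10:00:08Z 203.0.113.7 ivan FAIL
2019-02-20T10:00:09Z 203.0.113.7 judy SUCCESS
2019-02-20T10:01:00Z 198.51.100.9 alice FAIL
2019-02-20T10:01:30Z 198.51.100.9 alice FAIL
2019-02-20T10:02:00Z 198.51.100.9 alice SUCCESS
2019-02-20T11:00:00Z 192.0.2.44 mallory FAIL
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for source IPs that look like credential stuffing.

    For each IP, slide a time window over its attempts and flag the IP when
    the window holds at least `min_users` distinct usernames and at least
    `min_fail_ratio` of the attempts failed. Successful logins inside a flagged
    window are the accounts to treat as compromised (their password was reused).
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until the window is narrow enough
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "compromised": sorted({e[2] for e in win if e[3] == "SUCCESS"}),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds are deliberately conservative: a single user retrying a password never trips the rule because the distinct-username count stays at one. In production the same logic is usually run per source network rather than per address, since stuffing tools rotate through proxy pools, and the `compromised` list is what feeds the forced password reset.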

Check out Have I Been Pwned (https://haveibeenpwned.com) to see if any of your accounts have been exposed by the above breaches.

Reported Vulnerabilities

CracksNow
A popular torrent uploader known as CracksNow has been banned from several torrent sites after being caught bundling malware with its uploads. Many downloaders complained that the files they downloaded contained GandCrab ransomware. To read more: https://thehackernews.com/2019/02/malware-torrent-download.html

Nest Security System
Google's Nest Secure system is in the hot seat after news came out that it shipped with an undisclosed microphone. Google says the microphone was never switched on before the recent software update that added Google Assistant support, but the device sat in users' homes for up to a year with an unlisted microphone that could in principle have been used as a listening device. Google stated that the microphone was never meant to be a secret and should have been listed in the tech specs. To read more: https://arstechnica.com/gadgets/2019/02/googles-nest-security-system-shipped-with-a-secret-microphone/

WordPress 5.0.3
A security researcher disclosed a critical remote code execution vulnerability that has been present in WordPress core for the past six years. An attacker holding an "author"-level account can exploit it by chaining a path traversal bug with a local file inclusion bug. To read more: https://thehackernews.com/2019/02/wordpress-remote-code-execution.html

O.MG Cable
The O.MG cable hides a WiFi-enabled implant inside the shell of an ordinary-looking USB connector. Once a user plugs the cable into a computer, an attacker can connect to the implant over WiFi and run payloads on the host remotely. To read more: https://hackaday.com/2019/02/18/wifi-hides-inside-a-usb-cable/

Microsoft Edge
Microsoft's Edge browser ships with a hidden whitelist that lets Facebook run Adobe Flash content. Because of the whitelist, Facebook's Flash content bypasses the click-to-run control that normally requires the user's approval before a site may run Flash. To read more: https://www.zdnet.com/article/microsoft-edge-lets-facebook-run-flash-code-behind-users-backs/

Bigscreen
Researchers at the University of New Haven discovered critical vulnerabilities in the VR app Bigscreen. They were able to turn on users' microphones and listen in on conversations, join private VR rooms, and more. To read more: http://www.newhaven.edu/news/releases/2019/discover-vulnerabilities-virtual-reality-app.php

Drupal
Drupal developers released a patch for a critical vulnerability that lets remote attackers compromise a site. The flaw is a remote code execution issue in Drupal core that could "lead to arbitrary PHP code execution." To read more: https://thehackernews.com/2019/02/hacking-drupal-vulnerability.html

Chrome Extensions
A recent survey of Chrome extensions found that more than a third request permission to read and change data on every website the user visits. Attackers are known to buy extensions from developers who no longer want to maintain them and then push malicious code to the existing install base through updates. To read more: https://www.zdnet.com/article/a-third-of-all-chrome-extensions-request-access-to-user-data-on-any-site/
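The "access on any site" figure comes from the extension manifest: either the `permissions` list or a content script's `matches` list contains a host pattern that covers every URL. The audit script below is an added example, not the survey's code; the manifests it reads are constructed, and the set of all-host patterns it matches is an assumption that covers the common spellings rather than every pattern Chrome would accept.

```python
"""Flag Chrome extensions whose manifest grants access to every site.

Added example, not code from the ZDNet survey. The manifests are constructed
and ALL_HOST_PATTERNS is an assumed list of the usual all-site spellings.
"""
import json

# Host patterns that match every http(s) site (assumption: the common spellings).
ALL_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect host patterns from both places that grant page access:
    the permissions list and each content script's match patterns."""
    patterns = set()
    for perm in manifest.get("permissions", []):
        # API permissions ("tabs", "storage") have no scheme; host patterns do
        if isinstance(perm, str) and ("://" in perm or perm == "<all_urls>"):
            patterns.add(perm)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def requests_all_sites(manifest):
    """True when any host pattern covers every site."""
    return any(p in ALL_HOST_PATTERNS for p in host_patterns(manifest))


def audit(manifests):
    """manifests: {extension name: manifest.json text}. Returns flagged names, sorted."""
    return sorted(name for name, text in manifests.items()
                  if requests_all_sites(json.loads(text)))


# Constructed manifests. "translator" asks for nothing suspicious in
# permissions but its content script still runs on every page.
SAMPLE_MANIFESTS = {
    "ad-blocker": json.dumps({
        "manifest_version": 2,
        "permissions": ["<all_urls>", "webRequest", "webRequestBlocking"],
    }),
    "github-helper": json.dumps({
        "manifest_version": 2,
        "permissions": ["tabs"],
        "content_scripts": [{"matches": ["https://github.com/*"], "js": ["gh.js"]}],
    }),
    "translator": json.dumps({
        "manifest_version": 2,
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    }),
    "notes": json.dumps({"manifest_version": 2, "permissions": ["storage"]}),
}


if __name__ == "__main__":
    print("all-site access:", audit(SAMPLE_MANIFESTS))
```

The content-script check matters in practice: an extension can keep its `permissions` list looking harmless while a content script matched on `*://*/*` still reads every page the user opens, which is exactly the access a buyer of an abandoned extension wants.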

WinRAR
Researchers at Check Point disclosed technical details of a critical vulnerability in WinRAR, the Windows file-compression application. The flaw has been present in every version released over the last 19 years. It lies in a third-party library, UNACEV2.DLL, that WinRAR uses to extract archives in the ACE compression format. To read more: https://thehackernews.com/2019/02/winrar-malware-exploit.html
