Polyverse Weekly Breach Report

A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

Chinese surveillance malware

At certain entry points into China, border guards are seizing travelers’ phones and installing malware on the devices that gives the authorities access to text messages and other data. The malware also scans for files containing Islamic content as well as other material that China’s government deems sensitive. To read more: https://www.vice.com/en_us/article/7xgame/at-chinese-border-tourists-forced-to-install-a-text-stealing-piece-of-malware

Lake City, Florida

Officials from Lake City, Florida, fired an IT employee after the city was forced to make a ransomware payment. The city’s IT network was infected with malware in June after an employee opened a document that contained the Emotet trojan. To read more: https://www.zdnet.com/article/florida-city-fires-it-employee-after-paying-ransom-demand-last-week/

D-Link

Taiwanese networking equipment manufacturer D-Link agreed to 10 years of security audits to settle a Federal Trade Commission lawsuit. The lawsuit alleged that the company did not take necessary steps to protect consumers from hackers. To read more: https://thehackernews.com/2019/07/ftc-d-link-router-security.html

Zipato smart hubs

Security flaws in Zipato smart hubs could be exploited to unlock a front door equipped with a smart lock. Researchers found that they could extract a hub’s private SSH key, which grants root access, from the memory card on the device. To read more: https://techcrunch.com/2019/07/02/smart-home-hub-flaws-unlock-doors/

Outlook

US Cyber Command issued an alert that bad actors could use a vulnerability in Outlook to plant malware on government networks. The bug is one that Microsoft patched in Outlook in October 2017. To read more: https://www.zdnet.com/article/us-cyber-command-issues-alert-about-hackers-exploiting-outlook-vulnerability/

Orvibo

A publicly accessible ElasticSearch cluster owned by Orvibo, a Chinese smart-home-solutions company, leaked 2 billion user logs. The exposed database contained usernames, email addresses, passwords, precise locations and other records that could potentially allow hackers to take control of customers’ smart devices. To read more: https://www.bleepingcomputer.com/news/security/billions-of-records-including-passwords-leaked-by-smart-home-vendor/

Cirque du Soleil app

A mobile app developed for a Cirque du Soleil show that ended this year put the device of every user at risk. Because the app, which has over 100,000 installations, performed no authentication, anyone connected to the show’s network during a performance had the same admin permissions as the show operators. To read more: https://www.zdnet.com/article/cirque-du-soleil-app-gives-users-same-admin-rights-as-operators/

Facebook

Facebook shut down more than 30 accounts that were spreading malware through malicious links. The campaign started in 2014 and infected thousands of victims with remote access trojans. To read more: https://threatpost.com/facebook-malware-laced-links/146149/

IBM

IBM disclosed multiple high-severity vulnerabilities in Spectrum Protect, one of the company’s security tools. The most severe flaw could enable a remote attacker to execute arbitrary code on impacted systems. To read more: https://threatpost.com/ibm-patches-critical-high-severity-flaws-in-spectrum-protect/146201/

Amazon Alexa

Amazon acknowledged that it retains voice recordings and transcripts of customer interactions with Alexa indefinitely. The fact that Amazon retains such information even after a user may have deleted it raises questions about how long companies should be allowed to keep collected personal data. To read more: https://threatpost.com/amazon-admits-alexa-voice-recordings-saved-indefinitely/146225/

4shared

The 4shared file-storage app displays invisible ads and subscribes users to paid services without their knowledge or permission. The app is able to automate clicks by means of third-party code. To read more: https://techcrunch.com/2019/07/02/4shared-invisible-ads-fraudulent-purchases-consent/

Check out Have I Been Pwned to see if any of your accounts have been exposed by the above breaches.

Firefox

An application-security researcher developed an attack against Firefox to demonstrate the risk of a known, 17-year-old issue in the browser. The attack takes advantage of Firefox’s inadequate same-origin policy, which could give an attacker access to folders and subfolders by tricking a victim into downloading a malicious HTML file. To read more: https://thehackernews.com/2019/07/firefox-same-origin-policy-hacking.html

VPNs

Nearly one-third of the world’s top virtual private network (VPN) providers are ultimately owned by six parent companies based in China, which raises concern given China’s lack of adequate privacy laws. Information on the parent companies is often hidden from consumers, with ownership of different VPNs split among seemingly unconnected subsidiaries. To read more: https://www.computerweekly.com/news/252466203/Top-VPNs-secretly-owned-by-Chinese-firms

Football Association of Ireland

The Football Association of Ireland released a statement regarding an external hacking attempt that impacted email services. After working with law enforcement, the association concluded that no evidence exists that employee data was extracted from the hacked server. To read more: https://www.rte.ie/sport/soccer/2019/0703/1060043-no-employee-data-taken-in-attempted-cyber-attack-fai/

YouTube

YouTube added hacking and phishing tutorials to its list of banned video content. Many white hat hackers are protesting this ban because, even though it could stop some illegal behavior, it also impacts people studying computer security. Many legitimate researchers and computer-system testers employ the techniques filmed in the videos and use YouTube as a knowledge-sharing platform. To read more: https://www.theverge.com/2019/7/3/20681586/youtube-ban-instructional-hacking-phishing-videos-cyber-weapons-lab-strike

Perceptics LLC

Perceptics LLC, which is at the center of a Customs and Border Patrol data breach, was found “preliminarily ineligible” to conduct business with the federal government. The company provides vehicle identification and license plate recognition technology. The findings prohibit federal agencies from extending existing contracts with the company or soliciting new offers. To read more: https://www.nbc-2.com/story/40738270/customs-and-border-protection-attempts-to-end-business-with-contractor-involved-in-data-breach

Maryland Department of Labor

Hackers accessed names and social security numbers of 78,000 people from two Maryland state databases. The breach involved relatively old data, collected from people who received unemployment benefits in 2012 or who participated in an adult literacy program in 2009, 2010 or 2014. The scope of this breach was much smaller than other recent cyberattacks affecting Maryland, such as the ransomware attack that hit Baltimore earlier this year. To read more: https://www.washingtonpost.com/local/md-politics/maryland-data-breach-accessed-up-to-78000-names-and-social-security-numbers/

Want to learn more?

Sign up below and receive these reports and more, directly in your inbox.

https://upscri.be/9816bc