Polyverse Weekly Breach Report


A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

Round 4
A fourth batch of stolen account records went up for sale on the dark web. This round contains 27m new users’ records originating from six more websites: Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual, and Coubic. The seller is asking 1.2431 Bitcoin, roughly $5,000, for the lot. To read more: https://thehackernews.com/2019/03/data-breach-security.html

Fabian Wosar
A man named Fabian Wosar works with ransomware victims around the world to recover their files without paying the attackers. Ransomware authors hate him so much that they bury angry threats aimed at him in the code of their own malware. To read more: https://www.bbc.co.uk/news/resources/idt-sh/hated_and_hunted_the_computer_virus_malware_ransomware_cracker

Chinese online recruitment sites
A database containing the personal details of 33m job candidates from Chinese online recruitment sites including 51Job, Lagou, and Zhilian was found exposed online. The unprotected, unencrypted database was discovered by a security researcher; its owner has not been identified. To read more: http://theindependent.sg/china-data-breaches-33-mil-unprotected-job-applicant-profiles-leaked/

London attractions
Kew Gardens, the Natural History Museum, the Tate galleries and the Imperial War Museum were hit by a combined 109m cyber attacks over the last few years. Spyware was the most prevalent type of attack. To read more: https://www.itpro.co.uk/security/33243/londons-top-attractions-besieged-by-more-than-100-million-cyber-attacks

Elsevier
Elsevier, the company behind scientific journals like The Lancet, left a server open to the internet exposing user email addresses and passwords, reportedly in plaintext. It is not clear how long the server was exposed or how many accounts were affected. To read more: https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online

Magecart
Researchers identified two new Magecart attacks targeting the websites of MyPillow and Amerisleep. Magecart became well known after attacks on British Airways, Ticketmaster, and Newegg. The technique is a digital payment card skimmer: malicious JavaScript injected into checkout pages copies card details as customers type them and sends the data to an attacker-controlled server. To read more: https://thehackernews.com/2019/03/magecart-ecommerce-hackers.html

Norsk Hydro
Norsk Hydro, one of the world’s largest aluminum producers, was forced to shut down several plants across Europe and the US after a cyber attack left the company’s IT systems unusable. The affected plants were halted or switched to manual operation where possible. Norsk Hydro is still investigating the full extent of the attack, but the company was hit with a new strain of ransomware called LockerGoga. To read more: https://thehackernews.com/2019/03/norsk-hydro-ransomware-attack.html

Used laptops and phones
A security consultant collected used desktops, hard disks, cell phones, and other technology from pawn shops near his home and found that their former owners had left large amounts of personal information on the devices, including 41 Social Security numbers, 50 dates of birth, 611 email accounts, and 19 credit card numbers. To read more: https://gizmodo.com/its-scary-how-much-personal-data-people-leave-on-used-l-1833383903

Tornado sirens
A hacker triggered tornado emergency sirens in two North Texas towns overnight. The cities then shut down their emergency warning systems a day before major storms were due to hit the area. To read more: https://www.zdnet.com/article/hacked-tornado-sirens-taken-offline-in-two-texas-cities-ahead-of-major-storm/

UK Police
The UK Police Federation, which represents 119,000 police officers across England and Wales, confirmed that it was hit by a cyberattack. The ransomware attack hit the federation’s Surrey headquarters and encrypted several databases and email systems. To read more: https://techcrunch.com/2019/03/21/police-federation-ransomware

GitHub Repos
A scan by a team from North Carolina State University found that, over the last six months, more than 100,000 GitHub repos leaked API tokens and cryptographic keys. The results were shared with GitHub, which has since accelerated its work on a new security feature called Token Scanning, currently in beta. A key that has been pushed to a public repo should be treated as compromised and rotated: deleting the commit does not remove it from the repository history or from the scrapers that have already copied it. To read more: https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/
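The detection side of this story is simple enough to show. The following is an added example written for this report, not the NCSU team’s tooling or GitHub’s Token Scanning: a small scanner that flags well-known credential formats (an AWS access key ID, a Google API key, a PEM private key header, a Slack token) and falls back to a Shannon-entropy check on any long value assigned to a secret-looking variable name. The sample file contents are constructed; the AWS key in it is the documented example key from AWS’s own docs, not a live credential.

```python
import math
import re
import sys
from collections import Counter

# Well-known credential formats (a small subset; production scanners carry hundreds).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z\-]{10,}\b"),
}

# Fallback: a 16+ character token assigned to a variable whose name suggests a secret.
# No leading \b on purpose, so AWS_SECRET_ACCESS_KEY still matches on "SECRET".
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key|private[_-]?key)\w*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; English words and placeholders sit below this


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random base64 is ~5, 'placeholder-placeholder' is ~3.2."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never print the secret itself in a finding; the report may itself be logged."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str) -> list:
    """Return findings as dicts {line, kind, match} in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                seen.add(m.group(0))
                findings.append({"line": lineno, "kind": kind, "match": redact(m.group(0))})
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value in seen:
                continue  # already reported by a specific pattern
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "high_entropy_secret", "match": redact(value)})
    return findings


# Constructed sample config; every credential below is fake or an official example value.
SAMPLE = """\
# config.py -- constructed sample for the scanner
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEBUG = True
password = "placeholder-placeholder"
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
"""


if __name__ == "__main__":
    # Usage as a pre-commit style check: python scanner.py file1 file2 ...  (exit 1 on any hit)
    paths = sys.argv[1:]
    hits = 0
    if not paths:
        for f in scan_text(SAMPLE):
            print("sample:%d %s %s" % (f["line"], f["kind"], f["match"]))
            hits += 1
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                print("%s:%d %s %s" % (path, f["line"], f["kind"], f["match"]))
                hits += 1
    sys.exit(1 if hits else 0)
```

Run without arguments it scans the embedded sample and reports the access key ID on line 2, the high-entropy secret key on line 3 and the private key header on line 6, while the low-entropy placeholder password on line 5 is left alone. Findings are redacted before printing so the scanner’s own output cannot become the next leak.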

Oregon Department of Human Services
The Oregon Department of Human Services announced that a data breach may have exposed the personal information of 1.6m residents. The breach occurred in January after nine employees opened a phishing link. To read more: https://www.ktvz.com/news/oregon-dept-of-human-services-confirms-data-breach/1061408539

FEMA
The Federal Emergency Management Agency acknowledged that it shared the home addresses and banking information of more than 2m disaster survivors with a contractor. The personally identifiable information belonged to survivors of the California wildfires and Hurricanes Harvey, Irma and Maria. To read more: https://www.washingtonpost.com/national/health-science/fema-data-breach-hits-25-million-disaster-survivors/2019/03/22/3e2c6232-4cec-11e9-93d0-64dbcf38ba41_story.html?utm_term=.6482eea38650

Voova
A fired employee used a colleague’s stolen login to go on a rampage through his former employer’s AWS accounts, deleting 23 servers. Steffan Needham worked for Voova for a month before he was let go. With the colleague’s AWS credentials he destroyed £500,000 worth of business-critical data, and was sentenced to two years in prison. To read more: https://www.theregister.co.uk/2019/03/20/steffan_needham_aws_rampage_prison_sentence_voova

Check out Have I Been Pwned to see if any of your accounts have been exposed by the above breaches.

Reported Vulnerabilities

Libssh2
libssh2, a popular open source client-side C library implementing the SSHv2 protocol, released version 1.8.1 to patch nine security vulnerabilities. The library ships with all major Linux distributions. The vulnerabilities are memory corruption issues (integer overflows and out-of-bounds reads and writes) that a malicious or compromised SSH server could use to execute arbitrary code on a connecting client, so any application that links against libssh2 needs the update, not just the library itself. To read more: https://thehackernews.com/2019/03/libssh2-vulnerabilities.html

Windows
A security researcher at Google’s Project Zero found a new class of vulnerabilities in Windows, rooted in how Windows performs permission checks when opening files and other securable objects. Google and Microsoft worked together for about a year on a fix for the underlying issue rather than patching individual instances. To read more: https://arstechnica.com/gadgets/2019/03/google-project-zero-microsoft-collaborate-for-12-months-to-find-new-kind-of-windows-bug/

Mirai variant
Researchers found a new Mirai variant targeting embedded devices, among them WePresent WiPG-1000 wireless presentation systems and LG Supersign TVs, to build a botnet for DDoS attacks. To read more: https://thehackernews.com/2019/03/mirai-botnet-enterprise-security.html

SQLRat malware
The threat actor group FIN7 was found using a new piece of malware. The group has previously stolen at least 15 million payment card records from over 6,500 PoS terminals. The new malware, called SQLRat, drops files and executes SQL scripts on a compromised system. To read more: https://www.zdnet.com/article/global-cybergang-fin7-returns-with-new-sqlrat-malware/

PuTTY
PuTTY, a popular SSH client, released version 0.71 with patches for eight high-severity security bugs. PuTTY is a widely used open-source client-side program that allows users to remotely access a computer over the SSH, Telnet and Rlogin network protocols. To read more: https://thehackernews.com/2019/03/putty-software-hacking.html

Ethereum Classic Blockchain
The security team at Coinbase found that an attacker had gained control of more than half of the Ethereum Classic network’s hashing power and was using it to rewrite the blockchain’s transaction history. This is called a 51% attack, and it made it possible to spend the same cryptocurrency more than once. Coinbase says that no currency was stolen from any of its accounts. To read more: https://www.technologyreview.com/s/612974/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/?utm_source=share&utm_medium=ios_app

Facebook
Facebook confirmed that for years it stored “hundreds of millions” of account passwords in plaintext on internal servers. None of the passwords were visible to anyone outside Facebook, but the logs were still accessible to some 2,000 engineers. KrebsOnSecurity broke the story. To read more: https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/
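Plaintext passwords usually reach internal logs through ordinary debug logging rather than by design. The following is an added example written for this report, not Facebook’s code, showing the vulnerable pattern beside the hardened one: per-user salted scrypt hashing with a constant-time comparison, a login path that never hands the raw password to the logger, and a logging filter that scrubs password-looking fields so a stray debug line cannot recreate the bug. All names, the in-memory user store and the cost parameters are assumptions.

```python
import hashlib
import hmac
import logging
import os
import re

log = logging.getLogger("auth")


# --- Vulnerable pattern (kept only to show what the bug looks like) ---
def login_vulnerable(store: dict, username: str, password: str) -> bool:
    # BUG: the raw password is interpolated into a log line, so every debug log
    # becomes a plaintext password store. The user store here holds plaintext too.
    log.debug("login attempt: user=%s password=%s", username, password)
    return store.get(username) == password


# --- Hardened pattern ---
# scrypt cost parameters (assumed values; 128 * n * r = 16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str) -> dict:
    """Return a record with a fresh 16-byte salt and the scrypt digest, plus the
    parameters used, so they can be raised later without invalidating old records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"salt": salt, "digest": digest, "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                               n=record["n"], r=record["r"], p=record["p"], dklen=DKLEN)
    # Constant-time comparison: a plain == would leak how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


# A throwaway record so unknown users cost the same time as known ones
# (otherwise response time reveals which usernames exist).
_DUMMY = hash_password("dummy-password-not-a-secret")


def login_hardened(store: dict, username: str, password: str) -> bool:
    log.info("login attempt: user=%s", username)  # the password is never logged
    record = store.get(username)
    if record is None:
        verify_password(_DUMMY, password)
        return False
    return verify_password(record, password)


# --- Belt and braces: scrub password fields from anything that reaches the log ---
_SECRET_FIELD = re.compile(r"(?i)(password|passwd|pwd)(=|: ?)\S+")


def redact_message(message: str) -> str:
    return _SECRET_FIELD.sub(r"\1\2[REDACTED]", message)


class RedactSecrets(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_message(record.getMessage())  # format first, then scrub
        record.args = ()
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for handler in logging.getLogger().handlers:
        handler.addFilter(RedactSecrets())
    users = {"alice": hash_password("correct horse battery staple")}
    print("hardened, right password:", login_hardened(users, "alice", "correct horse battery staple"))
    print("hardened, wrong password:", login_hardened(users, "alice", "hunter2"))
    print("hardened, unknown user:  ", login_hardened(users, "mallory", "hunter2"))
    # Even the vulnerable function's log line is scrubbed once the filter is installed:
    login_vulnerable({"bob": "hunter2"}, "bob", "hunter2")
```

The filter is a safety net, not the fix: the fix is that the hardened login path never passes the password to the logger at all, and the stored record is a salted hash that cannot be turned back into the password by the 2,000 engineers with log access.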

PewDiePie
PewDiePie fans released at least two PewDiePie themed ransomware strains under the guise of supporting the YouTube channel’s quest to remain the top channel. The two ransomware strains are destroying user data or encrypting files without a method to recover the data. To read more: https://www.zdnet.com/article/pewdiepie-fans-keep-making-junk-ransomware/

Medtronic defibrillators
750,000 heart devices made by Medtronic PLC contain a cybersecurity vulnerability that could enable an attacker within wireless range to alter the programming on an implanted defibrillator. The US Homeland Security Department issued an alert describing the vulnerability, which affects 16 models of the devices sold around the world; the devices’ Conexus wireless telemetry protocol provides no authentication or encryption. To read more: http://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/

Nokia
Some Nokia 7 Plus phones sent data to servers in China without users’ consent. Finland’s data protection authority will investigate whether the phones breached data protection rules. To read more: https://bgr.com/2019/03/21/nokia-data-breach-nokia-7-plus-sent-data-to-chinese-servers/

Want to learn more?

Sign up below and receive these reports and more, directly in your inbox.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.