Polyverse Weekly Breach Report

A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

Facebook
Users are complaining that the phone number they used for two-factor authentication is publicly associated with their user profile, so anyone can look it up. Facebook’s default setting allows everyone with or without an account to look up a user based on the phone number added to their account. There is no apparent way to disable the feature. To read more: https://techcrunch.com/2019/03/03/facebook-phone-number-look-up/

GitHub accounts
A security researcher found a ring of malicious GitHub accounts promoting over 300 backdoored Windows, Mac and Linux applications. The malicious apps download a Java-based malware called Supreme NYC Blaze Bot. The malware is a “sneaker bot” that infects a system in order to participate in online auctions for limited-edition sneakers. To read more: https://www.zdnet.com/article/researchers-uncover-ring-of-github-accounts-promoting-300-backdoored-apps/

Sharpshooter cyberattack
Security researchers linked a global cyber-espionage campaign to a North Korean Advanced Persistent Threat (APT) hacking group. The campaign targets government, defense, nuclear, energy and financial organizations around the world. To read more: https://thehackernews.com/2019/03/north-korea-hacking.html

Zerodium
Zerodium is willing to pay up to half a million dollars for zero-days in popular cloud technologies like Hyper-V and VMware’s vSphere. These are hypervisors that let a single host server create and run virtual guest operating systems. To read more: https://www.zdnet.com/article/hide-yo-kids-hide-yo-clouds-zerodium-offering-big-bucks-for-cloud-zero-days/

Chinese surveillance data
A security researcher found 18 accessible MongoDB databases filled with personal information generated by accounts from several online social services in China. The data appears to belong to a countrywide surveillance program. The researcher could not identify all the messaging services by their commercial names, but published a list that others are connecting to companies. To read more: https://www.bleepingcomputer.com/news/security/open-mongodb-databases-expose-chinese-surveillance-data/

Rush System for Health
Rush System for Health, a network for healthcare providers, said that personal information for 45,000 patients was compromised in a data breach. The breach exposed names, addresses, birthdays, social security numbers and health-insurance information. The company claims that none of the data has been misused. To read more: https://www.sfchronicle.com/news/article/Rush-health-system-reports-data-breach-affecting-13661696.php

GHIDRA
The NSA released GHIDRA version 9.0 for free during the RSA conference. GHIDRA is a classified reverse-engineering tool that the agency uses to find security bugs in software and applications. WikiLeaks first confirmed the existence of the toolset in one of its data releases. To read more: https://thehackernews.com/2019/03/ghidra-reverse-engineering-tool.html

QuadrigaCX
Millions of dollars went missing when the CEO of QuadrigaCX, a cryptocurrency exchange, died late last year. The CEO was thought to have sole access to the $137M in cryptocurrency, but investigators have since discovered that the money is gone. By examining the public blockchain, investigators determined that the money was actually emptied in April of 2018, eight months before his death. To read more: https://markets.businessinsider.com/currencies/news/crypto-ceo-died-with-passwords-to-137-million-but-the-money-is-gone-2019-3-1028009684

800 million emails
A security researcher found a 150GB MongoDB instance open on the internet. The database contained 808 million records, split across four separate collections. This is an entirely unique data set that was not part of the “Package 1–3” breaches. To read more: https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/

Citrix
On Friday Citrix disclosed that hackers had accessed the company’s internal network and downloaded business documents. Citrix was unable to identify which specific documents were stolen at the time of the breach announcement. To read more: https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/

Oberlin College
Hackers targeted a database controlled by the Office of Admissions and Financial Aid at Ohio’s Oberlin College. The attackers collected information about prospective, current and former students who enrolled after fall 2014. They exploited a flaw in the “reset your password” function on OCPass, which was run by a third-party software-management company. The breach appears to be part of a coordinated set of attacks targeting colleges across the United States. To read more: https://oberlinreview.org/18231/news/cyber-attackers-breach-admissions-database/

MyEquifax.com
After the Equifax hack, many people froze their credit files and were given a PIN that is required to lift the freeze. However, unless you have an account at the new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze and bypass the PIN using only your name, Social Security number and birthday. Read Brian Krebs’s in-depth account of how he set up his myEquifax.com account and the security holes he found in the system. To read more: https://krebsonsecurity.com/2019/03/myequifax-com-bypasses-credit-freeze-pin/

Check out Have I Been Pwned to see if any of your accounts have been exposed by the above breaches.

Reported Vulnerabilities

MacOS Kernel
A security researcher at Google publicly disclosed a proof-of-concept exploit for a vulnerability in the macOS operating system that Apple did not patch within 90 days of being notified. The vulnerability lies in how the XNU kernel handles filesystem images: an attacker can modify a mounted filesystem image without the operating system being informed of the change. To read more: https://thehackernews.com/2019/03/cybersecurity-macos-hacking.html

Intel Spoiler attack
Researchers discovered a new flaw impacting all Intel chips that abuses speculative execution. Unlike Spectre and Meltdown, Spoiler targets the Memory Order Buffer, which is used to manage memory operations. To read more: https://www.zdnet.com/article/all-intel-chips-open-to-new-spoiler-non-spectre-attack-dont-expect-a-quick-fix/

Google Chrome
A security researcher discovered a high-severity vulnerability in Chrome that could enable an attacker to execute arbitrary code and take full control of the affected computer. The vulnerability is a zero-day that is being actively exploited in the wild. It affects all major operating systems, including Windows, macOS and Linux. To read more: https://thehackernews.com/2019/03/update-google-chrome-hack.html

Pandora Car Alarm System
Cybersecurity researchers published a report detailing the security drawbacks of smart car alarms. The team could unlock the car, disable the alarm, and steal the owner’s details. In some cases, a cyberattack could result in the engine being turned off during use. Pandora’s marketing materials claimed that the smart alarm systems were unhackable. To read more: https://www.zdnet.com/article/smart-car-alarms-opened-the-doors-of-3-million-vehicles-to-hackers/

Hard Disk Drives
Researchers found that hard disk drives can be turned into listening devices using malicious firmware and signal-processing calculations. An acoustic side-channel can be accessed by measuring how sound waves make hard disk parts vibrate. The research will be presented at the 2019 IEEE Symposium on Security and Privacy. To read more: https://www.theregister.co.uk/2019/03/07/hard_drive_eavesdropping/

Android VPNs
John Mason from TheBestVPN.com analyzed 81 Android VPN apps available on the Google Play Store. He determined that 50 of the 81 apps request access to “dangerous” user permissions that a standard VPN app would have no use for. These include read/write permission for external device storage, precise location data, and access to call logs. To read more: https://www.zdnet.com/article/some-android-vpn-apps-request-access-to-sensitive-permissions-they-dont-need/
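As an added illustration (not code from the article or from TheBestVPN.com’s analysis), the following Python check reads an app’s AndroidManifest.xml and flags requested permissions that a VPN client has no reason to hold. The set of permissions a VPN app is expected to need, the sample manifest and its package name are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a VPN client legitimately needs (assumption made for this check).
EXPECTED_VPN_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

# Runtime ("dangerous") permissions named in the report; a VPN tunnel has no use for them.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
}

# Constructed manifest for a hypothetical VPN app, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.vpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return every permission name declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # android:name in ElementTree's namespace syntax
    return {e.get(name_attr) for e in root.iter("uses-permission") if e.get(name_attr)}


def flag_unneeded_permissions(manifest_xml: str) -> dict:
    """Split unexpected permissions into the report's 'dangerous' ones and any other extras."""
    unexpected = requested_permissions(manifest_xml) - EXPECTED_VPN_PERMISSIONS
    return {
        "dangerous": sorted(unexpected & DANGEROUS_PERMISSIONS),
        "other": sorted(unexpected - DANGEROUS_PERMISSIONS),
    }
```

On a real APK, the binary manifest must first be decoded (for example with apktool) before this parser can read it.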
