Polyverse Weekly Breach Report


A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

NASA
NASA confirmed a data breach that may have compromised the personal information of past and current employees. The hackers gained access to a server that stored personally identifiable information. To read more: https://thehackernews.com/2018/12/nasa-hack-data-breach.html

Facebook
The New York Times obtained various documents from Facebook that detailed the company’s system for tracking partnerships and data sharing. The report revealed 150 different deals with companies and their data sharing agreements. Facebook allowed Bing to see the names of all users’ friends without consent and gave Netflix and Spotify the ability to read users’ private messages. Facebook has said that none of its partners abused the data. To read more: https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html

Ballistic Missile Systems
In an audit of the Department of Defense ballistic missile defense systems, the inspector general found that many network vulnerabilities existed. These vulnerabilities could allow hackers to access technical information in the systems. One such example was that network administrators failed to use basic security controls in the systems. To read more: https://www.fedscoop.com/cybersecurity-flaws-missile-defense-systems-dod/

Twitter
Twitter was hit with a data breach that it believes is linked to a state-sponsored attack. While investigating a vulnerability in one of its support forms, the company found a bug being misused to access and steal users’ information. To read more: https://thehackernews.com/2018/12/twitter-data-breach.html

Click2Gov
Security researchers from Gemini Advisory released a report examining the effects of the Click2Gov cyber attack that compromised 294,929 payment records. The hackers have earned at least $1.7 million by selling the information on the Dark Web. To read more: https://www.zdnet.com/article/hackers-have-earned-1-7-million-from-trading-stolen-us-gov-payment-portal-data/

Caribou Coffee
Caribou Coffee sent a letter notifying customers that their personal information may have been exposed in a data breach that occurred between August and December 2018. The breach exploited the company’s point of sale systems. To read more: https://blog.polyverse.com/wp-content/uploads/2018/12/Data-Security-Notice.pdf

DDoS for hire
The US Justice Department seized 15 domains of “DDoS-for-hire” websites. These services rent access to a network of infected devices to launch DDoS attacks against other websites. In the last few years, hackers have taken down the networks of PlayStation, Xbox, and other gaming sites on Christmas Day. To read more: https://thehackernews.com/2018/12/fbi-christmas-ddos-for-hire.html

HPE & IBM
Hackers from China’s Ministry of State Security breached HPE and IBM’s networks to access their clients’ computers. The attacks were part of a campaign called Cloudhopper and were executed to steal secrets. To read more: https://www.reuters.com/article/us-china-cyber-hpe-ibm-exclusive-idUSKCN1OJ2OY

Blind
Blind, an app-based “anonymous social network,” accidentally left one of its database servers exposed online without a password. The app is used as a safe way to reveal wrongdoing and improper conduct at companies. The exposed server held users’ account information and identified would-be whistleblowers. To read more: https://techcrunch.com/2018/12/20/blind-anonymous-app-data-exposure

Reported Vulnerabilities

Twitter memes
Security researchers discovered a new way that hackers are disguising malware as regular traffic. The new malware retrieves commands from memes posted on a hacker-controlled Twitter account. This way the hackers can circumvent any security tools that detect malicious IP addresses since the image is on a legitimate website. To read more: https://thehackernews.com/2018/12/malware-twitter-meme.html

Windows Zero-Day
A security researcher released on Twitter a proof-of-concept exploit for a zero-day vulnerability in the Windows operating system. The exploit is an arbitrary file read issue that could allow a malicious program to read the content of any file on Windows, something that would otherwise be possible only at the administrator level. To read more: https://thehackernews.com/2018/12/windows-zero-day-exploit.html

KILSWITCH & APASS
Two Android apps used by US military troops in live combat scenarios contained severe vulnerabilities. These apps show satellite imagery of surroundings and act as a modern replacement for radios and paper maps to allow troops to coordinate with other military branches. To read more: https://www.zdnet.com/article/two-android-apps-used-in-combat-by-us-troops-contained-severe-vulnerabilities/

Microsoft
Microsoft released an emergency patch to secure a critical zero-day vulnerability in Internet Explorer. The vulnerability is a remote code execution flaw found in the browser’s scripting engine. To read more: https://thehackernews.com/2018/12/internet-explorer-zero-day.html
