Polyverse Weekly Breach Report

A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

ASUS software updates
Researchers at Kaspersky Lab found that update software from ASUS, a large Taiwanese computer maker, was hijacked and used to install a malicious backdoor — known as ShadowHammer — on numerous customers’ computers. The malicious file was signed with legitimate ASUS digital certificates to make it seem harmless. Half a million Windows machines received the backdoor via an update server. To read more: https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

Update:
ASUS released a new version of its Live Update software to address the ShadowHammer attack. The company is also working on new security mechanisms to secure its systems in future. To read more: https://www.engadget.com/amp/2019/03/26/asus-releases-fix-for-update-tool-malware-attack/

DragonEx and CoinBene
Two cryptocurrency-exchange portals disclosed hacks and have “gone into maintenance mode” to investigate the issues. DragonEx estimated that it lost more than $1m of cryptocurrency, while CoinBene’s losses are greater than $45m. To read more: https://www.zdnet.com/article/cryptocurrency-platforms-dragonex-and-coinbene-disclose-hacks/

Office Depot and Support.com
America’s Federal Trade Commission ordered Office Depot and Support.com to pay $35m after they were accused of duping customers into paying “cleanup fees” to rid their PCs of non-existent malware. To read more: https://www.theregister.co.uk/2019/03/27/office_depot_support_com_fine_ftc/

Total
Hackers stole more than 26,400 gallons of fuel from Total gas stations around Paris by unlocking pumps with a remote device. The hack was possible because some gas stations had not changed the pump’s lock code from its default of “0000”. To read more: https://www.zdnet.com/article/french-gas-stations-robbed-after-forgetting-to-change-gas-pump-pins/

Voting machines
Senators are asking the largest U.S. voting-machine makers to explain why they sell devices with known vulnerabilities. A letter was sent to ES&S, Dominion Voting and Hart InterCivic asking that they explain why they sell decades-old machines that could be easily exploited. To read more: https://techcrunch.com/2019/03/27/senators-security-voting-machines/

Toyota
Toyota announced the second of two data breaches in the past five weeks. The first took place at an Australian subsidiary, the second at its Tokyo headquarters. Hackers accessed servers with stored sales information on 3.1m customers. To read more: https://www.zdnet.com/article/toyota-announces-second-security-breach-in-the-last-five-weeks/

Zammis Clark aka Slipstream
A security researcher named Zammis Clark — but also known as Slipstream — admitted to hacking into Microsoft and Nintendo servers and stealing confidential information. Using an internal username and password, he uploaded a web shell to remotely access Microsoft’s network freely for at least three weeks. In total, 43,000 files were stolen. To read more: https://www.theverge.com/2019/3/28/18286027/microsoft-nintendo-vtech-security-hack-breach-researcher-guilty

Verifications.io
More than 980m users’ personal information was exposed in a data breach of Verifications.io last month. The leaked data included names, birthdays, social-media accounts and places of employment. Verifications.io is used to check whether marketing emails sent to group emails will bounce back. To read more: https://nypost.com/2019/03/29/emails-of-nearly-1-billion-people-leaked-in-massive-data-breach/

Earl Enterprises
This parent company of Buca di Beppo, a chain of Italian restaurants, announced that it had remediated a ten-month data breach of its payment systems at numerous restaurants. KrebsOnSecurity contacted Buca di Beppo after finding two million freshly stolen credit and debit cards on the dark web. To read more: https://krebsonsecurity.com/2019/03/a-month-after-2-million-customer-cards-sold-online-buca-di-beppo-parent-admits-breach/

Atrient
Two security researchers confronted executives from Atrient, a casino-technology firm, at a conference about a bug bounty, but the ensuing conversation quickly went off the rails… To read more: https://arstechnica.com/information-technology/2019/03/50-shades-of-greyhat-a-study-in-how-not-to-handle-security-disclosures/

Check out Have I Been Pwned to see if any of your accounts have been exposed by the above breaches.

Reported Vulnerabilities

Tesla in-car browser
Security researchers took home a Tesla Model 3 as a reward for successfully exposing a vulnerability in the car’s infotainment system. The pair used a JIT bug to bypass the memory randomization that keeps information in memory protected. To read more: https://techcrunch.com/2019/03/23/hackers-conquer-tesla-and-win-a-model-3

Pegasus malware
Researchers found evidence that Pegasus malware was deployed against victims in 45 countries — a number greater than that of known operators, suggesting that some are conducting illegal cross-border surveillance. The malware was created by cybersecurity firm NSO Group. To read more: https://www.zdnet.com/article/lawful-intercept-pegasus-spyware-found-deployed-in-45-countries/

UC Browser
China-made UC Browser contains a feature that could be exploited by remote attackers to automatically download and execute code on Android devices. UC Browser is one of the world’s most popular mobile browsers, with 500 million users. To read more: https://thehackernews.com/2019/03/uc-browser-android-hacking.html

Programming languages
A report from WhiteSource found that the top three most insecure programming languages are C, PHP and Java. WhiteSource aggregates information on open-source vulnerabilities from the National Vulnerability Database, GitHub issue trackers, and more. The language C has the highest number of vulnerabilities, accounting for nearly 50% of breaches over the past ten years. To read more: https://www.techrepublic.com/article/the-3-least-secure-programming-languages/

Apple
Apple patched 51 security vulnerabilities in its mobile operating system. Most of the weaknesses were found in its web-rendering engine WebKit. To read more: https://thehackernews.com/2019/03/ios-update-iphone-security.html

Huawei
Microsoft researchers found a severe privilege-escalation flaw in the Huawei PCManager driver software for Windows 10 laptops. Third-party kernel drivers are more attractive to attackers than expensive zero-day kernel exploits. To read more: https://www.zdnet.com/article/microsoft-windows-10-devices-open-to-full-compromise-from-huawei-pc-driver/

Magento
Magento released a new version of its software to fix 37 new security vulnerabilities. Magento is used across 28% of websites on the Internet. One of the flaws is a SQL injection vulnerability, which can be exploited remotely. To read more: https://thehackernews.com/2019/03/magento-website-security.html

LTE protocol
A group of researchers identified 36 new vulnerabilities in the Long Term Evolution (LTE) standard used by mobile networks. The vulnerabilities enable attackers to disrupt mobile base stations, block incoming calls, disconnect users from a network, and more. To read more: https://www.zdnet.com/article/researchers-find-36-new-security-flaws-in-lte-protocol/

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis.