Polyverse Weekly Breach Report


A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

OkCupid
Several OkCupid users contacted TechCrunch because they believed their accounts had been hacked. OkCupid issued a statement saying there had been no security breach. The attacks appear to be credential stuffing, which can be stopped with two-factor authentication, something OkCupid and many other dating sites do not offer. To read more: https://techcrunch.com/2019/02/10/okcupid-account-hacks/

Australian Parliament
The Australian parliament announced that it had found an unknown intruder attempting to break into its computer systems. Officials said there were no indications of data theft as yet. To read more: https://www.cisomag.com/parliament-of-australia-hit-by-cyber-attack/

VFEmail
Email provider VFEmail suffered what it’s calling “catastrophic destruction” after a hacker trashed all of the company’s primary and backup data located in the United States. VFEmail believes that 18 years’ worth of data is completely gone. After two hours, VFEmail managed to stop the hacker, who was formatting one of the company’s mail servers in the Netherlands. The attacker managed to format all the disks on every server in the US, meaning that every VM, every file server and every backup was lost. To read more: https://krebsonsecurity.com/2019/02/email-provider-vfemail-suffers-catastrophic-hack/

Dunkin Donuts
Dunkin Donuts announced that it was hit with a second credential stuffing attack. Hackers gained entry to Dunkin Donuts Perks rewards accounts using credentials leaked from other sites. To read more: https://latesthackingnews.com/2019/02/13/dunkin-donuts-victim-of-second-cyber-attack-in-three-months/

Coffee Meets Bagel
On Valentine’s Day, the dating app Coffee Meets Bagel announced that user account information had been stolen by a third party who gained unauthorized access to the company’s systems. The breach was discovered as part of a larger data dump that went up for sale on the dark web. The 673MB of stolen data dates from late 2017 and mid-2018. To read more: https://techcrunch.com/2019/02/14/happy-valentines-day-your-dating-app-account-was-hacked-says-coffee-meets-bagel

500px
500px, a Toronto-based photo-sharing service, announced that it was the victim of a hack in 2018 that exposed 14.8M accounts. The unauthorized access occurred in July 2018. The company reset all account passwords. To read more: https://petapixel.com/2019/02/13/500px-hacked-personal-data-stolen-from-all-14-8-million-users/

Package 2
A hacker who previously sold 620M stolen account credentials has put up a second batch of 127M records from eight new sites on the dark web. The sites include Houzz, YouNow, Ixigo, Stronghold Kingdoms, Roll20.net, Ge.tt, Petflow, Vbulletin forum, and Coinmama (a cryptocurrency exchange). To read more: https://thehackernews.com/2019/02/data-breach-website.html

Coinmama
The Coinmama team notified users that it suffered a data breach that resulted in customer data going up for sale on a dark web marketplace. The data includes 450,000 email addresses and hashed passwords. The breach was part of the larger Package 2 dump. To read more: https://ethereumworldnews.com/coinmama-suffers-data-breach-affecting-450000-emails-and-hashed-passwords/

Taco Bueno
The owner of the Taco Bueno restaurant chain said malware infected point-of-sale devices at 150 restaurants last year. Taco Bueno had started deploying end-to-end encryption at some locations, but the affected locations did not have it. To read more: https://www.nrn.com/quick-service/taco-bueno-outlines-data-breach-incident

BlankMediaGames
Back in January, hackers broke into the servers of game maker BlankMediaGames and stole 7.6M account records of people who had signed up to play Town of Salem. One of the site’s users was a hacker who had called in multiple bomb threats to schools and launched DDoS attacks. The Department of Justice arrested Timothy Dalton Vaughn after one of his online aliases was found among the leaked Town of Salem credentials. To read more: https://krebsonsecurity.com/2019/02/bomb-threat-hoaxer-exposed-by-hacked-gaming-site/

Bank of Valletta
A major Maltese bank shut down all of its operations after detecting a cyber attack. An attacker broke into its systems and tried to move funds overseas. To minimize the risk, the bank closed ATMs and disabled its website. To read more: https://www.reuters.com/article/us-bank-valetta-cyber/cyber-attack-on-malta-bank-tried-to-transfer-cash-abroad-idUSKCN1Q21KZ

Check out Have I Been Pwned to see if any of your accounts have been exposed by the above breaches.

Reported Vulnerabilities

Docker
A security vulnerability was found in runC that enables container breakout. According to a SUSE engineer, security researchers discovered the vulnerability, which “allows a malicious container to (with minimal user interaction) overwrite the host RunC binary and thus gain root-level code execution on the host.” To read more: https://www.zdnet.com/article/doomsday-docker-security-hole-uncovered/

.exe malware
Security researchers at Trend Micro discovered a new way attackers are bypassing macOS security: deploying malicious .exe files. The researchers could not get the same EXE files to run on Windows machines, as this malware specifically targets macOS users. To read more: https://thehackernews.com/2019/02/macos-windows-exe-malware.html

Microsoft
According to a new study, 70% of all vulnerabilities in Microsoft products that are addressed in security updates are memory safety issues. Memory safety bugs occur when software reads or writes memory outside the bounds it was allocated (think buffer overflows). To read more: https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues/

Xiaomi electric scooters
Researchers from a mobile security firm discovered a severe vulnerability in Xiaomi’s M365 Folding Electric Scooter. Because the scooter does not properly validate the password on its end, a remote attacker could send unauthenticated commands to a target vehicle over Bluetooth. To read more: https://thehackernews.com/2019/02/xiaomi-electric-scooter-hack.html

Adobe Reader DC
A temporary patch was released for a zero-day vulnerability in Adobe Reader that could enable attackers to steal hashed password values. The vulnerability allows a PDF document to automatically send an SMB (server message block) request to an attacker’s server as soon as the document is opened. To read more: https://threatpost.com/temporary-patch-released-for-adobe-reader-zero-day/141701/

Snapd flaw
Ubuntu and several other Linux distributions are vulnerable to a severe privilege escalation flaw. The flaw, called “Dirty_Sock”, is in the REST API of the snapd service, a universal Linux packaging system. Snapd comes installed by default on all versions of Ubuntu, Debian, OpenSUSE, Arch Linux, Solus, and Fedora. To read more: https://thehackernews.com/2019/02/snapd-linux-privilege-escalation.html

Shlayer malware
A new variant of Shlayer malware is targeting macOS users and can disable Gatekeeper protections to run unsigned payloads. The malware is disguised as a fake Adobe Flash Player installer. To read more: https://www.bleepingcomputer.com/news/security/shlayer-malware-disables-macos-gatekeeper-to-run-unsigned-payloads/

Intel SGX Enclaves
Researchers discovered a way to hide malware in Intel SGX enclaves. The enclaves are a hardware-based memory encryption feature that isolates sensitive code and data to protect them from modification. The same team that discovered the Spectre flaws was able to bypass the protections using return-oriented programming (ROP). To read more: https://thehackernews.com/2019/02/intel-sgx-malware-hacking.html

Twitter
A security researcher found that Twitter keeps direct messages, including ones you have deleted, for years. The researcher said this is a “functional bug” rather than a security flaw, but it allows anyone to bypass the mechanisms meant to prevent access to data from suspended or deactivated accounts. To read more: https://techcrunch.com/2019/02/15/twitter-direct-messages/

Facebook login phishing campaign
Researchers found a new phishing campaign that tricks users with fake prompts to log in to Facebook to read exclusive content. The fake pop-up is built with HTML and JavaScript to reproduce the look and feel of a legitimate browser window. The only way to check the authenticity of the pop-up is to drag it away from the window it is displayed in: if part of the pop-up disappears, it’s a fake. To read more: https://thehackernews.com/2019/02/advance-phishing-login-page.html

WordPress
Hackers are exploiting a vulnerability in the “WP Cost Estimation & Payment Forms Builder” plugin. They abused an AJAX-related flaw in the plugin’s upload functionality to save files with arbitrary extensions, then uploaded a file that associated that extension with the site’s PHP interpreter, giving them a backdoor. To read more: https://www.zdnet.com/article/another-wordpress-commercial-plugin-gets-exploited-in-the-wild/
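One way to catch this pattern from the defending side, as an added example that is not from the article or from the plugin: audit the uploads tree for files with extensions the plugin has no reason to store and for server config files that remap an extension to PHP. It assumes an Apache host honouring .htaccess overrides inside the uploads directory; the sample files are constructed.

```python
import os
import re
import tempfile

# Extensions a cost-estimation / payment-form plugin has any reason to store.
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".jpeg", ".gif", ".csv", ".txt"}

# Assumption: an Apache host that honours .htaccess overrides inside wp-content/uploads.
# These directives can hand a file of any extension to the PHP interpreter.
HANDLER_RE = re.compile(r"^\s*(AddHandler|AddType|SetHandler)\b.*php", re.I | re.M)
CONFIG_FILES = {".htaccess", ".user.ini"}

def audit_uploads(root: str) -> list:
    """Return (relative path, reason) pairs for files that do not belong in an uploads tree."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower in CONFIG_FILES:
                with open(path, errors="replace") as fh:
                    body = fh.read()
                if HANDLER_RE.search(body) or "auto_prepend_file" in body:
                    findings.append((rel, "handler override maps uploaded files to PHP"))
                else:
                    findings.append((rel, "server config file inside uploads"))
                continue
            ext = os.path.splitext(lower)[1]
            if ext not in ALLOWED_EXT:
                findings.append((rel, "unexpected extension %r" % (ext or "")))
    return sorted(findings)

def audit_sample() -> dict:
    """Build a constructed uploads tree (not real site data) and audit it."""
    root = tempfile.mkdtemp()
    samples = {
        "quote.pdf": b"%PDF-1.4 constructed sample",
        "shell.zzz": b"<?php /* constructed sample: inert placeholder */ ?>",
        ".htaccess": b"AddHandler application/x-httpd-php .zzz\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return dict(audit_uploads(root))

if __name__ == "__main__":
    for rel, reason in audit_sample().items():
        print(f"{rel}: {reason}")
```

Running the audit on a schedule (or from a file-integrity monitor) flags both halves of the technique: the oddly named file and the config file that makes it executable.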

Learn more about Polyscripting and how to stop this WordPress attack.

Windows NTLM password
An open-source password recovery tool called hashcat can crack an eight-character Windows NTLM password hash in under 2.5 hours. NTLM is an old Microsoft authentication protocol that was replaced by Kerberos, but it’s still used for storing Windows passwords locally and in the NTDS.dit file on Active Directory domain controllers. To read more: https://www.theregister.co.uk/2019/02/14/password_length/

