Polyverse Weekly Breach Report


A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

Sri Lanka
The Sri Lanka Computer Emergency Readiness Team said that at least ten of its country’s websites were hacked. To read more: https://menafn.com/1098541574/Sri-Lanka-comes-under-a-cyber-attack

LeakedSource
Defiant Tech pleaded guilty to trafficking identity information in Canada last week. Defiant Tech is the company behind the LeakedSource website, which launched in 2015 and provided access to illegally obtained information to anyone willing to pay a fee. To read more: https://www.zdnet.com/article/company-behind-leakedsource-pleads-guilty-in-canada/

OGusers.com
An online forum called OGusers.com, which is used by people who steal online accounts, was itself hacked. Nearly 113,000 users’ email addresses, hashed passwords and IP addresses were breached. A rival hacking community uploaded the OGusers database for anyone to download. To read more: https://krebsonsecurity.com/2019/05/account-hijacking-forum-ogusers-hacked/

Instagram influencers
A database hosted by AWS that belonged to a Mumbai-based social-media marketing company called Chtrbox was left open online without a password. The database contained 49m records belonging to Instagram influencers, celebrities, and brand accounts. To read more: https://techcrunch.com/2019/05/20/instagram-influencer-celebrity-accounts-scraped/

Winnti Linux
Security researchers discovered a Linux variant of Winnti malware after Bayer, a German pharmaceutical company, was hit by a cyberattack, and Winnti was found on its systems. There are code similarities between the new Linux version and the Windows version. To read more: https://www.zdnet.com/article/security-researchers-discover-linux-version-of-winnti-malware/

Google
Google announced that a number of enterprise customers had their passwords stored on its system in plain text. The company discovered that the way it had implemented password setting and recovery for enterprises was faulty, and had been since 2005. No consumer Gmail accounts were affected by the security lapse. To read more: https://techcrunch.com/2019/05/21/google-g-suite-passwords-plaintext/

Game Golf
A security researcher found an Elastic database that was open on the internet. The database belonged to Game Golf, an app with coaching tools and GPS data for specific golf shots. The database exposed 134m rounds of golf, 4.9m user notifications and 19.2m records in the activity feed. To read more: https://threatpost.com/golfers-privacy-hazard-game-golf/144918/

Windows 10
An anonymous hacker released PoC exploit code for a zero-day vulnerability in Windows 10. The code, published on GitHub, exploits a privilege-escalation bug. To read more: https://thehackernews.com/2019/05/windows-zero-day-vulnerability.html

The same hacker posted two more vulnerabilities that impact Microsoft’s Windows Error Reporting service and Internet Explorer 11. To read more: https://thehackernews.com/2019/05/microsoft-zero-day-vulnerability.html

APT28 malware
A malware sample that U.S. Cyber Command uploaded to VirusTotal last week is still involved in active attacks. The malware was linked with APT28, the group that breached the Democratic National Committee. To read more: https://www.cyberscoop.com/cyber-command-virustotal-apt28-kaspersky-zonealarm/

Abusing code-signing
Hackers are abusing code-signing to distribute malware by purchasing legitimate certificates. Researchers recently used the VirusTotal malware scanner to see how many signed Windows executable files were actually malware, and found 3,815 malware samples that met the criteria and carried a legitimate signature. To read more: https://medium.com/@chroniclesec/abusing-code-signing-for-profit-ef80a37b50f4

Check out Have I Been Pwned to see if any of your accounts have been exposed by the above breaches.

Khan Academy
Khan Academy, a non-profit learning company, fixed two cross-site request forgery (CSRF) flaws that could enable attackers to take over accounts. The flaws came from a lack of CSRF tokens, the per-session secrets that let the server confirm a log-in request was submitted from its own pages rather than from a page under an attacker's control. To read more: https://threatpost.com/critical-flaws-in-khan-academy-opened-door-to-account-takeovers/144973/
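To make the missing control concrete, here is an added example of a synchronizer-token CSRF check on a log-in handler. It is constructed for this report and is not Khan Academy's code; the server secret, the allowed origin `https://example.test` and the simplified request dictionary are assumptions. The token is derived from the session id with an HMAC, embedded in the site's own form, and must be echoed back on the POST; a page on another origin cannot read it, so a forged request fails. An Origin header check is layered on as a second, independent control.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Per-deployment secret (assumption: in practice loaded from a secrets store, not generated at import).
SERVER_SECRET = secrets.token_bytes(32)

# Origins allowed to submit state-changing requests (assumed value).
ALLOWED_ORIGINS = {"https://example.test"}


def issue_token(session_id: str) -> str:
    """Derive the CSRF token for a session as HMAC-SHA256(secret, session_id).

    Deriving instead of storing means no extra server state; the token is
    stable for the life of the session and unknowable without the secret.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison so a wrong token cannot be probed byte by byte."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_token(session_id), submitted)


def handle_login(request: Dict) -> str:
    """Simulated log-in handler.

    request = {"method": str, "headers": {...}, "cookies": {...}, "form": {...}}
    Returns a short status string instead of an HTTP response object.
    """
    if request["method"] != "POST":
        return "405 method not allowed"

    # Defence in depth: if the browser sent an Origin header, it must be ours.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return "403 origin mismatch"

    # The (pre-login) session cookie ties the token to this browser session.
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return "403 no session"

    # The core check this report's item is about: the token from the form
    # must match the one issued for this session.
    if not verify_token(session_id, request.get("form", {}).get("csrf_token")):
        return "403 csrf check failed"

    return "200 login accepted"


if __name__ == "__main__":
    sid = "sess-123"  # constructed session id
    good = {"method": "POST", "headers": {"Origin": "https://example.test"},
            "cookies": {"session": sid}, "form": {"csrf_token": issue_token(sid)}}
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.test"},
              "cookies": {"session": sid}, "form": {}}
    print(handle_login(good))
    print(handle_login(forged))
```

The forged request fails on the Origin check first; drop the header (as a non-browser client could) and it still fails on the missing token, which is the property that matters: neither control alone is load-bearing.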

Deutsche Bank
A German bank, Deutsche Bank, announced that the software it used to screen customer transactions for suspicious activity had a bug. The bank maintains that no suspicious transactions were executed due to the flaw. To read more: https://www.nytimes.com/2019/05/22/business/deutsche-bank-money-laundering.html

WannaCry-infected laptop
A Windows laptop infected with various malware, from WannaCry to BlackEnergy, is up for auction as a work of art. Called “The Persistence of Chaos,” it runs six pieces of malware that were responsible for $95 billion in financial losses. It is for sale at about $1m. To read more: https://threatpost.com/wannacry-infested-laptop-art-auction/144992/

First American Financial Corp
First American Financial Corp’s website leaked hundreds of millions of mortgage documents dating back to 2003. The records included wire-transaction receipts, bank-account numbers and statements, driver-license images, and more. The California-based company is a leading provider of title insurance and settlement services to the real-estate and mortgage industries. To read more: https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/

TicketTrick
A security researcher discovered a flaw that hackers can use to access companies’ internal communications. The bug has not been fixed, but the researcher has contacted companies and affected vendors as part of their bug-bounty programs. To read more: https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

Stolen NSA tools
The NSA’s stolen exploit, called EternalBlue, was used in cyberattacks throughout the United States. Hackers are targeting vulnerable American towns and cities with ageing digital infrastructure, including Baltimore, San Antonio and Allentown. The attack on Allentown cost $1m to remedy plus another $500,000 for new cyber-defenses. The agency still has not acknowledged the loss of the cyberweapon that is wreaking havoc. To read more: https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html

Elastic
Elastic announced that it was making core security features of the Elastic Stack free and accessible to everyone. Elastic Stack is a collection of open-source projects that companies use to format and visualize large amounts of data in real time. Recently, due to misconfiguration, thousands of Elasticsearch and Kibana servers left millions of users’ data exposed online. To read more: https://thehackernews.com/2019/05/elastic-stack-security.html
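The exposures behind this item and the Game Golf one above come from the same configuration pattern: a node bound to a routable address with authentication switched off. The following added example (written for this report, not Elastic's own tooling) audits flat `elasticsearch.yml`-style settings for that pattern. The three configuration texts are constructed samples. It assumes the pre-8.x behaviour where `xpack.security.enabled` is treated as off when absent, and that `network.host` defaults to loopback when unset; adjust those assumptions for your version.

```python
from typing import Dict, List

# Constructed sample configs (not taken from any real server).
EXPOSED_CONFIG = """
cluster.name: analytics
network.host: 0.0.0.0        # reachable from any interface
http.port: 9200
xpack.security.enabled: false
"""

NO_TLS_CONFIG = """
cluster.name: analytics
network.host: 0.0.0.0
xpack.security.enabled: true
# xpack.security.http.ssl.enabled left unset
"""

HARDENED_CONFIG = """
cluster.name: analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK_ONLY_CONFIG = """
cluster.name: dev
network.host: 127.0.0.1
xpack.security.enabled: false
"""

# Values of network.host that keep the node off the network.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_settings(text: str) -> Dict[str, str]:
    """Parse the flat 'dotted.key: value' form of elasticsearch.yml.

    Strips comments and blank lines. Nested YAML blocks are not handled
    (assumption: the config uses the dotted flat form shown above).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def audit_elasticsearch(text: str) -> List[str]:
    """Return a list of findings; an empty list means no exposure pattern matched."""
    s = parse_flat_settings(text)
    host = s.get("network.host", "_local_")                    # assumed default: loopback
    security_on = s.get("xpack.security.enabled", "false") == "true"   # assumed default: off (pre-8.x)
    http_tls_on = s.get("xpack.security.http.ssl.enabled", "false") == "true"
    reachable = host not in LOOPBACK_HOSTS

    findings: List[str] = []
    if reachable and not security_on:
        findings.append(
            f"network.host={host} with xpack.security.enabled=false: "
            "unauthenticated read and write of every index over HTTP"
        )
    if reachable and security_on and not http_tls_on:
        findings.append(
            "authentication enabled but xpack.security.http.ssl.enabled is not true: "
            "credentials and data cross the network in clear text"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG), ("no-tls", NO_TLS_CONFIG),
                      ("hardened", HARDENED_CONFIG), ("loopback", LOOPBACK_ONLY_CONFIG)]:
        print(name, audit_elasticsearch(cfg) or "ok")
```

The check is deliberately about the combination, not either setting alone: a development node bound to loopback with security off is not the exposure this report describes, while the same security setting on a routable address is.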

U.S. companies and Huawei
U.S. President Donald Trump signed an executive order declaring a national emergency to ban foreign companies from doing business with Huawei, a Chinese telecommunications company, over surveillance fears. Google appears to have suspended all activities with Huawei and revoked its Android license. Besides Google, Intel, Qualcomm and Broadcom are also cutting ties with Huawei. To read more: https://thehackernews.com/2019/05/google-intel-huawei.html
