Polyverse Weekly Breach Report

A snapshot of last week’s reported cybersecurity breaches and vulnerabilities

Ellucian systems

Hackers exploited a security flaw in the Banner platform, which is made by the software company Ellucian and used by universities to manage student and administrative data. The attack compromised information systems at 62 universities, generating fake data and potentially accessing sensitive information. To read more: https://edscoop.com/ellucian-banner-cyberattacks-62-universities/

WordPress plugin

A malvertising campaign hit WordPress sites using the plugin Coming Soon & Page Maintenance Mode. Compromised sites displayed unwanted popup ads due to a stored cross-site scripting vulnerability. To read more: https://www.bleepingcomputer.com/news/security/hackers-exploit-recent-wordpress-plugin-bugs-for-malvertising/

Facebook

A design flaw in Facebook’s Messenger Kids app enabled users to get around protections and allowed children to enter group chats with unapproved strangers. Facebook has been closing down group chats and alerting parents. To read more: https://www.theverge.com/2019/7/22/20706250/facebook-messenger-kids-bug-chat-app-unauthorized-adults

Siemens

A former Siemens contractor secretly planted logic bombs in automated spreadsheets that he created for the company, setting them up to malfunction after an expiration date. Upon returning to fix problems, the contractor would temporarily remedy issues by resetting the expiration dates, thereby securing repeat contract assignments. To read more: https://thehackernews.com/2019/07/siemens-logic-bomb.html

ProFTPD

A security researcher disclosed the details of a vulnerability in ProFTPD, an open source FTP server that comes pre-installed on many Linux distributions. The vulnerability is in the mod_copy module of the application, which allows users to copy files from one place to another. To read more: https://thehackernews.com/2019/07/linux-ftp-server-security.html

Cost of a data breach

IBM released its annual study on the financial impact of data breaches on organizations. The cost of a data breach has increased 12% over the past five years and now averages $3.92m. To read more: https://newsroom.ibm.com/2019-07-23-IBM-Study-Shows-Data-Breach-Costs-on-the-Rise-Financial-Impact-Felt-for-Years

Lancaster University

Hackers stole the personal data of prospective and current students of Lancaster University. While the university has over 13,000 students, how many were impacted is currently unclear. To read more: https://www.zdnet.com/article/phishing-attack-students-personal-information-stolen-in-university-data-breach/

American Medical Collections Agency

Arizona Dermatopathology, a medical laboratory, reported that 7,000 of its patients may have been impacted by a data breach at American Medical Collections Agency (AMCA) in March 2019. The breach occurred on the patient payments section of the AMCA website but did not affect Arizona Dermatopathology’s own website. To read more: https://www.bizjournals.com/phoenix/news/2019/07/21/medical-lab-data-breach-could-affect-7-000-arizona.html

Asian Art Museum of San Francisco

A ransomware attack targeted the Asian Art Museum in San Francisco. The museum regained control of its computer network and did not pay the ransom. To read more: https://news.artnet.com/market/hackers-attack-asian-art-museum-san-francisco-1604188

LinkedIn

Hacker group APT34 is running a phishing campaign to deliver malicious documents via LinkedIn invitations. The campaign uses a keylogger, backdoor access and a credential-stealing tool to exploit victims. To read more: https://www.scmagazine.com/home/security-news/apts-cyberespionage/fireeye-researchers-identified-a-phishing-campaign-conducted-by-apt34-masquerading-as-a-member-of-cambridge-university-to-gain-their-victims-trust-to-open-malicious-documents/

Citrix

Citrix finished an investigation into a data breach that the software company suffered earlier this year. Hackers stole business documents and files from a network drive, but apparently no products or services were compromised. To read more: https://threatpost.com/citrix-confirms-password-spraying-heist/146641/

Process Doppelganging

Numerous malware programs are deploying a fileless code-injection technique called Process Doppelganging. The technique uses a built-in Windows function to escape detection and works on every modern version of Windows. To read more: https://thehackernews.com/2019/07/process-doppelganging-malware.html

WatchBog

Researchers found a new variant of a Linux-based cryptomining botnet, which has a module to scan the internet for Windows RDP servers that are vulnerable to the so-called BlueKeep flaw. Microsoft released patches for the flaw, which allows remote code execution, but over 800,000 Windows machines are still vulnerable. To read more: https://thehackernews.com/2019/07/linux-malware-windows-bluekeep.html

Check out Have I Been Pwned to see if any of your accounts have been exposed by the above breaches.

Monokle

Researchers discovered new Android spyware believed to be developed by a Russian defense contractor. The spyware, a remote-access trojan called Monokle, has actively targeted Android phones since March 2016. To read more: https://thehackernews.com/2019/07/russian-android-spying-apps.html

Robinhood

The investment and stock-trading app Robinhood stored user credentials, including passwords, in plaintext. The company behind the app said that no data was improperly accessed but urges customers to change their passwords. To read more: https://techcrunch.com/2019/07/24/robinhood-stored-passwords-in-plaintext-so-change-yours-now/

APT17

Anonymous cybersecurity analysts exposed three people behind the hacking group APT17, identifying one who is believed to be an officer of the Chinese Ministry of State Security. The hackers are located in Jinan, China, and all three are likely linked to the Chinese government. To read more: https://www.zdnet.com/article/apt-doxing-group-expose-apt17-as-jinan-bureau-of-chinas-security-ministry/

Airbus A350

Some models of Airbus A350 planes require a hard reboot every 149 hours due to a software bug. A directive requiring personnel to reboot as needed was originally issued in 2017. As of July 26, 2019, specific models — ones with modified software — are exempt. For all other models, failure to reboot could cause loss of avionics systems and functions. To read more: https://www.theregister.co.uk/2019/07/25/a350_power_cycle_software_bug_149_hours/

City Power

Residents in Johannesburg, South Africa, were left without electricity after City Power was hit with a ransomware attack. The ransomware encrypted the company’s network, databases and applications. To read more: https://thehackernews.com/2019/07/cyberattack-power-outage.html

LibreOffice

The open-source office suite LibreOffice contains an unpatched code-execution vulnerability that could be used to plant malware on a system. LibreOffice released an update that addressed two vulnerabilities earlier this month, but attackers have since bypassed the patch for one of these vulnerabilities. To read more: https://thehackernews.com/2019/07/libreoffice-vulnerability.html

Louisiana

The governor of Louisiana has declared a state of emergency in response to ransomware attacks that hit multiple school districts. In three districts, IT networks went down and attackers encrypted files. To read more: https://www.zdnet.com/article/louisiana-governor-declares-state-emergency-after-local-ransomware-outbreak/

Roche

The pharmaceutical company Roche acknowledged that it was hit by a cyberattack using malware known as Winnti. Roche is not alone, as Bayer previously confirmed that it was targeted by the same malware. To read more: https://www.europeanpharmaceuticalreview.com/news/95107/roche-confirms-cyber-attack-from-winnti-malware/

ProtonMail

A sophisticated cyberattack targeted ProtonMail, a Swiss provider of encrypted email services. ProtonMail became aware of attempts to trick its clients via phishing last week and worked with authorities to shut down web domains that the hackers used in the attack. Backend systems and servers were not compromised. To read more: https://www.ft.com/content/876fb2d8-af92-11e9-8030-530adfa879c2

NAB

The National Australia Bank (NAB) announced that personal information on 13,000 customers was accidentally uploaded to the servers of two data-service companies. NAB said that all information was deleted within two hours. While not a cyberattack specifically, this incident calls into question businesses’ data-sharing practices, whether deliberate or accidental. To read more: https://www.zdnet.com/article/nab-admits-it-shared-personal-info-on-13000-customers-with-two-external-parties/

Want to learn more?

Sign up below and receive these reports and more, directly in your inbox.

https://upscri.be/9816bc

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.