Polyverse Weekly Breach Report

A snapshot of last week’s reported breaches and vulnerabilities

Instagram

Instagram, the popular social media site, was hacked and hundreds of its users were locked out of their accounts. When users attempted to reset their passwords, they could not, because the email address linked to their accounts had been changed to a .ru domain. To read more: https://www.zdnet.com/article/instagram-hack-is-locking-hundreds-of-users-out-of-their-accounts/

Cosmos Bank

Hackers put malware on an ATM server belonging to India’s Cosmos Bank, in a coordinated attack across 28 countries. The malware stole customer information from the bank server, which was then used to clone thousands of Visa and RuPay debit cards. Using the cloned debit cards, the hackers stole 805 million rupees (US $11.5 million) from ATMs in various countries. To read more: https://www.tripwire.com/state-of-security/security-data-protection/hackers-indian-bank-attack/

SuperProf

SuperProf, a website that helps people to find private tutors, made its newest members’ accounts easily hackable by giving them temporary passwords that simply put the word “super” in front of each user’s first name. To read more: https://www.grahamcluley.com/superprof-private-tutor-site-massively-fails-password-test-makes-accounts-super-easy-to-hack/

Reported Vulnerabilities

Man-in-the-Disk

A new attack technique known as “Man-in-the-Disk” tries to crash Android devices by taking advantage of storage protocols in third-party applications. To read more: https://www.zdnet.com/article/man-in-the-disk-attacks-take-advantage-of-android-storage-systems/

Microsoft

Microsoft’s Patch Tuesday resolved 60 vulnerabilities including two zero-day security flaws currently being used in attacks. The flaws affected the Windows operating system, Internet Explorer, Microsoft Edge, Microsoft Office, ChakraCore, the .NET Framework, Microsoft Exchange and SQL Servers, and Visual Studio. To read more: https://www.zdnet.com/article/microsoft-patch-tuesday-60-vulnerabilities-resolved-including-two-active-exploits/

Oracle

Oracle is urging users to update their database software following the discovery of a critical remote-code-execution vulnerability. The flaw, CVE-2018-3110, has a CVSS base score of 9.9 out of 10. If exploited, the bug can “result in complete compromise of the Oracle Database and shell access to the underlying server.” To read more: https://www.theregister.co.uk/2018/08/14/oracle_database_flaw/

Intel

Another chip-security issue, known as Foreshadow, has hit Intel. Researchers who discovered it noted that “Foreshadow is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third party clouds.” The original attack was “designed to extract data from Software Guard Extensions enclaves,” while a second version “affects VMs, hypervisors, operating system kernel memory and System Management Mode memory.” To read more: https://www.zdnet.com/article/beyond-spectre-foreshadow-a-new-intel-security-problem/

Smart homes

Almost 50,000 unprotected IoT servers have been found on the internet. These Message Queuing Telemetry Transport (MQTT) servers enable home automation and unify the control of various connected devices. To read more: https://threatpost.com/open-mqtt-servers-raise-physical-threats-in-smart-homes/136586/

Google Chrome

A bug in Chrome allows hackers to uncover private data stored on Facebook, Google sites and other platforms by using video and audio HTML tags. The bug exists in the Blink engine, which is used to power Chrome. To read more: https://threatpost.com/google-chrome-bug-opens-access-to-private-facebook-information/136573/

Android spy app

An app called Couple Vow left 1.7 million user passwords unprotected and in plain text. Anyone who had access to an account could have all the location, text and call data of whoever was being tracked. A separate vulnerability in the app’s database then enabled hackers to grab all of the users’ data — some of which included nude photos. To read more: https://www.forbes.com/sites/thomasbrewster/2018/08/11/an-android-spy-app-left-17-million-passwords-and-nude-photos-exposed-to-hackers/

Necurs botnet

The Necurs botnet has been linked to new campaigns targeting financial institutions. The attacks begin with weaponized Microsoft Publisher files, which are attached to fraudulent phishing emails. The hackers then deliver a FlawedAmmyy RAT malware payload. This malware is based on the leaked source code of the legitimate Ammyy Admin remote-desktop control software. To read more: https://www.zdnet.com/article/necurs-botnet-launches-fresh-assault-against-banks/

Apple

A 16-year-old student hacked into Apple’s servers and downloaded 90GB of secure files. These files included secure authorized keys used to grant login access to users. The teen hacked the servers numerous times over the course of more than a year. To read more: https://thehackernews.com/2018/08/apple-hack-servers.html

Medical equipment

By taking advantage of a weak communications protocol used by some patient-monitoring equipment to send data to central monitoring stations, hackers are able to change sensitive patient medical data. To read more: https://www.bleepingcomputer.com/news/security/hackers-can-falsify-patient-vitals/
