Polyverse Weekly Breach Report

A snapshot of last week’s reported breaches and vulnerabilities

Nintendo Switch
Nintendo Switch “pirates” are releasing widely anticipated games prior to their intended release dates. To read more: https://motherboard.vice.com/en_us/article/mbyegx/inside-messy-dark-side-nintendo-switch-hacking-piracy-pirates

Mobile VPNs
Sixty percent of the top free mobile VPN apps on Google’s Play Store and Apple’s App Store were developed in China or by firms under Chinese ownership. This fact is raising concerns about data privacy. To read more: https://www.top10vpn.com/free-vpn-app-investigation/

Kars4Kids
A New Jersey charity, Kars4Kids, experienced a security issue where the company’s MongoDB database was left open on the web without a password. The server contained 21,612 records. To read more: https://techcrunch.com/2018/11/13/kars4kids-data-breach/

Infowars
Malware that recorded payment card information was removed from the Infowars online store. The malware was a generic Magecart infection that was spotted by a security researcher. To read more: https://www.zdnet.com/article/card-skimming-malware-removed-from-infowars-online-store/

City of Bakersfield
The city of Bakersfield reported a data breach that may have compromised the personal information of anyone who used its Click2Gov online-payment service. To read more: https://www.bakersfield.com/news/city-of-bakersfield-announces-data-breach-from-hacked-click-gov/article_753d61ba-e6d3-11e8-a527-8316ecef574f.html

Cathay Pacific
This Hong Kong-based airline last month revealed that it had uncovered “unauthorized access” to data on 9.4 million passengers back in March, but had taken “immediate action to investigate and contain the event.” Now Cathay has admitted that the attack continued for several months after it was spotted, and still seems to have no real idea what happened. To read more: https://www.infosecurity-magazine.com/news/cathay-pacific-admits-cyberattack/

Venezuela and ZTE
Venezuela’s government hired Chinese telecoms giant ZTE to build a “fatherland database” that many citizens and human rights groups believe is a tool to monitor the public. The system monitors citizen behavior through an identification card. The card has already been used by the government to track voting. To read more: https://www.reuters.com/investigates/special-report/venezuela-zte/

Voxox
A security snafu at Voxox, a communications company, exposed a massive database containing tens of millions of text messages. The server wasn’t protected with a password, enabling anyone to view the stream of text messages. To read more: https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/

Reported Vulnerabilities

Ruby
The Ruby programming language is affected by a deserialization issue that caused major problems in the Java ecosystem in 2016. The serialization and deserialization process can be targeted to trick applications into running malicious commands. To read more: https://www.zdnet.com/article/deserialization-issues-also-affect-ruby-not-just-java-php-and-net/

New Spectre and Meltdown vulnerabilities
Seven new variants of speculative-execution attacks were discovered that affect Intel, AMD and ARM chips. Some of the vulnerabilities are mitigated by existing techniques but others are not. To read more: https://thehackernews.com/2018/11/meltdown-spectre-vulnerabilities.html

Siemens
Siemens patched eight vulnerabilities spanning its industrial product lines. The most serious flaw is a cross-site scripting vulnerability in its SCALANCE firewall product. To read more: https://threatpost.com/siemens-patches-firewall-flaw-that-put-operations-at-risk/139082/

Windows
Windows users should patch their systems immediately to rectify 63 security vulnerabilities, twelve of which are rated critical. One of the vulnerabilities is the zero-day CVE-2018-8589. To read more: https://thehackernews.com/2018/11/microsoft-patch-tuesday-updates.html

Nigerian ISP
MainOne Cable, a small Nigerian ISP, hijacked internet traffic meant for Google’s data centers. The incident was detected by BGPmon, an online server that monitors the routes taken by the traffic. To read more: https://www.zdnet.com/article/google-traffic-hijacked-via-tiny-nigerian-isp/

Zero-days
Apple’s iPhone X, Samsung’s Galaxy S9 and Xiaomi’s Mi6 were among devices that were successfully hacked in the annual mobile-hacking contest Pwn2Own. To read more: https://thehackernews.com/2018/11/mobile-hacking-exploits.html

Magecart
Researchers found that online stores infected with Magecart malware will often get reinfected after clean-up. Some 21% of cleaned stores were found to be reinfected within 11 days. To read more: https://www.zdnet.com/article/one-in-five-magecart-infected-stores-get-reinfected-within-days/

AMP plugin
A critical vulnerability was just disclosed in one of the popular plugins for WordPress. It could enable a low-privileged attacker to inject malicious code on Accelerated Mobile Pages, an open-source technology designed by Google. To read more: https://thehackernews.com/2018/11/amp-plugin-for-WordPress.html
