Polyverse Weekly Breach Report


A snapshot of last week’s reported breaches and vulnerabilities

Instagram
Instagram recently patched a security flaw that may have accidentally exposed some of its users’ passwords in plain text. The bug was found in a newly implemented feature called “Download Your Data” that enables users to download a copy of what they shared on the social platform. To read more: https://thehackernews.com/2018/11/instagram-password-hack.html

Google Android
Researchers found 13 driving-simulation apps in the Google Play Store that have no legitimate function. These apps have been downloaded over half a million times. Once installed, the apps hide themselves and their shortcut icons, then request that the user download and install an additional .APK. If the user grants consent, the app displays ads without permission. To read more: https://www.zdnet.com/article/fake-google-android-driving-apps-claim-half-a-million-victims/

United States Postal Service
USPS fixed a security issue that had enabled anyone with an account at usps.com to view the account details of some 60 million other users. The problem was caused by an authentication weakness in an API. A researcher discovered the flaw more than a year ago and informed USPS of his finding, but didn’t receive a response. To read more: https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/
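The USPS item describes an API that would hand any logged-in user the details of any other account. The following is an added illustration of that flaw class and is not USPS code; the account store, session table and handler names are constructed for the example. The vulnerable handler only checks that the caller is logged in; the hardened one also checks that the requested account belongs to the caller, and logs cross-account requests so that enumeration attempts show up in monitoring.

```python
"""Missing object-level authorization in an account-details API (toy example)."""
import logging
from dataclasses import dataclass
from typing import Callable, Optional

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("account-api")

# Constructed sample account store: account_id -> details.
ACCOUNTS = {
    101: {"name": "Alice Example", "email": "alice@example.test", "phone": "555-0101"},
    202: {"name": "Bob Example", "email": "bob@example.test", "phone": "555-0202"},
}

# Constructed session table: session token -> account_id of the logged-in user.
SESSIONS = {"tok-alice": 101, "tok-bob": 202}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(session_token: str) -> Optional[int]:
    """Return the account id bound to a session token, or None if not logged in."""
    return SESSIONS.get(session_token)


def get_account_vulnerable(session_token: str, account_id: int) -> Response:
    """Checks only that *some* user is logged in. Any authenticated caller can
    read any account simply by changing account_id: authentication is enforced,
    authorization is not."""
    if authenticate(session_token) is None:
        return Response(401)
    details = ACCOUNTS.get(account_id)
    if details is None:
        return Response(404)
    return Response(200, details)


def get_account_hardened(session_token: str, account_id: int) -> Response:
    """Authenticates the caller, then enforces that the requested record belongs
    to that caller. Foreign ids get 404 rather than 403 so the endpoint does not
    confirm which account ids exist, and the attempt is logged for detection."""
    caller_id = authenticate(session_token)
    if caller_id is None:
        return Response(401)
    if account_id != caller_id:
        log.warning("session for account %d requested foreign account %d", caller_id, account_id)
        return Response(404)
    details = ACCOUNTS.get(account_id)
    if details is None:
        return Response(404)
    return Response(200, details)


def count_readable(handler: Callable[[str, int], Response], session_token: str) -> int:
    """Defensive self-check for a test suite: how many of the known accounts can
    one session read through the given handler? A correct handler yields at most 1."""
    return sum(1 for aid in ACCOUNTS if handler(session_token, aid).status == 200)


if __name__ == "__main__":
    print("vulnerable handler, accounts readable by one session:", count_readable(get_account_vulnerable, "tok-alice"))
    print("hardened handler, accounts readable by one session:  ", count_readable(get_account_hardened, "tok-alice"))
```

The `count_readable` check is the kind of assertion worth keeping in an API test suite: for every endpoint that takes a record id, a single session should never be able to read more records than it owns.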

Vision Direct
Vision Direct, a UK-based contact-lens supplier, revealed a data breach that led to widespread theft of customer data. The stolen information included names, addresses, emails, passwords and phone numbers. To read more: https://www.zdnet.com/article/vision-direct-reveals-customer-credit-card-leak/

Make-A-Wish
Hackers took advantage of an unpatched Drupal vulnerability to install a cryptocurrency-mining script on the Make-A-Wish website. The cryptominer, which has been active since May, was discovered on the international version of the non-profit’s site. To read more: https://threatpost.com/cryptojacking-attack-targets-make-a-wish-foundation-website/139194/

Altus Baytown Hospital
A Texas-based hospital revealed a ransomware outbreak that may have led to a leak of patient data. Altus Baytown Hospital found that hackers had installed malicious code that infected the hospital’s systems with Dharma ransomware. To read more: https://www.zdnet.com/article/texas-hospital-becomes-victim-of-ransomware-patient-data-potentially-leaked/

Dark Web hosting
Daniel’s Hosting, one of the larger Dark Web hosting providers, was hacked and forced offline. The server’s root account was deleted and all 6,500 Dark Web services hosted on the platform no longer appear. To read more: https://www.zdnet.com/article/popular-dark-web-hosting-provider-got-hacked-6500-sites-down/

Spectre variant 2
Major slowdowns in the new Linux 4.20 kernel can be traced to a patch for Spectre variant 2. The newly implemented mitigation is built into the kernel for all Intel systems. Linus Torvalds, the founder of Linux, has requested that the patch not be enabled by default. The fix uses Single Thread Indirect Branch Predictors (STIBP) to specifically address attacks against hyper-threading. To read more: https://www.zdnet.com/article/linus-torvalds-after-big-linux-performance-hit-spectre-v2-patch-needs-curbs/

Italian email accounts
Hackers gained access to thousands of certified Italian email accounts, including those of magistrates and security officials. The attack was launched on November 12th and targeted a server located near Rome. The hackers potentially accessed data from 500,000 accounts. To read more: https://www.reuters.com/article/us-italy-cyber/big-foreign-cyber-attack-targets-italian-certified-email-accounts-idUSKCN1NO2I6

MySpace and Dropbox hacker
Recorded Future, a cybersecurity company, claims to have uncovered the real world identity of Tessa88, a pseudonym for the hacker that sold databases from MySpace, Badoo, Dropbox, LinkedIn and Twitter, among others. Maksim Vladimirovich Donakov is known for perpetrating many major hacks in 2016. To read more: https://www.zdnet.com/article/cyber-security-firm-doxxes-hacker-who-sold-myspace-and-dropbox-databases-in-2016/

HealthEquity
A hack of two employee email accounts potentially exposed the personal data of 190,000 customers of HealthEquity, a healthcare-savings company — the second breach reported by the firm this year. The first occurred in June, when an unauthorized user hacked into an employee’s email account and breached the data of 16,000 customers. To read more: https://healthitsecurity.com/news/healthequity-email-hack-breaches-data-of-190k-patients

Amazon
Amazon shared a message with some customers about the possible exposure of their personal information. The company attributed the problem to a technical error rather than a data breach. Customers were informed that they did not need to change their passwords. To read more: https://news.alphastreet.com/data-security-slip-up-casts-shadow-over-amazons-holiday-sales/

High Tail Hotel
An “erotic furry” game called High Tail Hotel was hacked last August, but developers only recently found the attack after Troy Hunt, founder of the breach-notification website Have I Been Pwned, alerted the studio to the breach. User emails, names, IP addresses and orders on the site were exposed. To read more: https://techraptor.net/content/erotic-furry-game-data-breach-compromises-data-for-400k-users

Japan’s cybersecurity minister
The Japanese minister of cybersecurity who recently made headlines for not using computers has now told a Diet committee that he is not very familiar with cybersecurity issues. According to Minister Sakurada, his job is to “read out written replies (prepared by bureaucrats) without making any mistakes.” This is not exactly encouraging for Japan’s digital domain. To read more: https://www.japantimes.co.jp/news/2018/11/23/national/politics-diplomacy/japan-cybersecurity-minister-doesnt-use-computers-says-hes-not-familiar-cybersecurity/

Reported Vulnerabilities

Drupal
Hackers are launching new attacks against Drupal website owners. The hackers aim to gain a foothold on servers to install a legitimate SSH client so they can log in to the hijacked systems. Attackers are using the Drupalgeddon 2 and Dirty COW vulnerabilities to pull off the hack. To read more: https://www.zdnet.com/article/hackers-use-drupalgeddon-2-and-dirty-cow-exploits-to-take-over-web-servers/

Adobe
Adobe has issued a patch for a vulnerability in Flash Player that could lead to arbitrary code execution. The vulnerability affects versions of Flash Player running on Windows, MacOS, Linux and Chrome OS. To read more: https://threatpost.com/critical-adobe-flash-bug-impacts-windows-macos-linux-and-chrome-os/139264/

Electronic Arts Origin
A bug in Electronic Arts’ (EA’s) Origin online-gaming platform enables a hacker to gain access to account data. According to the researcher who found the vulnerability, “the issue occurs when you use the EA Origin client but request to edit your account on EA.com; the EA client will spit out an auto-login URL, which is basically the equivalent of your active username and password.” To read more: https://www.zdnet.com/article/a-bug-in-ea-origin-client-exposes-gamers-data/

Atlantis word processor
Researchers at Cisco Talos discovered multiple critical vulnerabilities in the Atlantis Word Processor. The flaws enable remote attackers to execute arbitrary code and ultimately take over computers. To read more: https://thehackernews.com/2018/11/word-processor-vulnerability.html

Kitten of Doom
A denial-of-service vulnerability was discovered in the Skype for Business unified-communications platform. The bug can be triggered by sending large numbers of emojis to the instant messaging client. The attack was named “Kitten of Doom” because researchers initially used the kitten emoji to demonstrate the attack. To read more: https://threatpost.com/emoji-attack-can-kill-skype-for-business-chat/139186/

Pterodo malware
The Computer Emergency Response Team and Foreign Intelligence Service of Ukraine have detected a new strain of the Pterodo malware targeting computers at various Ukrainian government agencies. Pterodo is a backdoor used to insert malware and collect information. To read more: https://arstechnica.com/information-technology/2018/11/ukraine-detects-new-pterado-backdoor-malware-warns-of-russian-cyberattack/


The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis.