Polyverse Weekly Breach Report


A snapshot of last week’s reported breaches and vulnerabilities

Windows Zero-Day
A security researcher disclosed a proof-of-concept exploit for a new Windows zero-day vulnerability. The vulnerability appears to be a privilege escalation flaw in Microsoft Data Sharing. To read more: https://thehackernews.com/2018/10/windows-zero-day-exploit.html

Cathay Pacific
This Hong Kong airline announced that it had suffered a major data leak affecting up to 9.4 million passengers. Personal information including passport numbers, identity-card numbers, email addresses, and credit-card details was accessed. To read more: https://www.theguardian.com/technology/2018/oct/24/cathay-pacific-hit-by-data-leak-affecting-up-to-94m-passengers

British Airways
British Airways has added 185,000 more victims to the tally of those impacted by a data breach in September. Some 429,000 people are now believed to have been affected. To read more: https://threatpost.com/british-airways-data-breach-takes-off-again-with-185k-more-victims/138600/

Missouri Department of Health and Senior Services
The Missouri Department of Health and Senior Services has notified 10,400 people that their personal information was compromised by a security breach. To read more: http://www.stlamerican.com/news/local_news/state-warns-of-data-breach-has-mailed-letters-to-those/article_a672c38a-d975-11e8-b6f9-7f5e9452188e.html

Adult websites
A recent hack of eight poorly secured adult websites exposed megabytes of personal data. Included in the leak are IP addresses, user passwords protected by weak, four-decade-old cryptography, usernames, and 1.2 million email addresses. To read more: https://arstechnica.com/information-technology/2018/10/hack-on-8-adult-websites-exposes-oodles-of-intimate-user-data/

Wolf Intelligence
This German spyware startup left 20 gigabytes of data — including recordings of customer meetings, scans of the founder’s credit cards, and surveillance data — exposed on the internet. Security researchers discovered the data in a public Google Drive folder. To read more: https://motherboard.vice.com/en_us/article/vbka8b/wolf-intelligence-leak-customer-victim-data-online

Pocket iNet
This US-based ISP left 73 gigabytes of essential operational data publicly exposed in a misconfigured Amazon S3 storage bucket for months. The bucket contained internal network diagramming, network hardware configuration photos, and other data. To read more: https://motherboard.vice.com/en_us/article/zm9dmj/an-isp-left-corporate-passwords-keys-and-all-its-data-exposed-on-the-internet

China ISP intelligence-gathering
According to an academic paper published this week, state-owned China Telecom has been “hijacking the vital internet backbone of western countries.” The company is China’s third-largest telco and internet service provider, and has had a presence inside North American networks since the early 2000s. To read more: https://www.zdnet.com/article/china-has-been-hijacking-the-vital-internet-backbone-of-western-countries/

Cisco Webex
An exploitable security bug was found in the Cisco Webex Meetings Desktop App for Windows. The bug is a privilege-escalation issue rated “high”. To read more: https://www.theregister.co.uk/2018/10/25/white_hats_pop_webex/

Reported Vulnerabilities

A security bug in open-source software suite Systemd can be exploited over the network to crash vulnerable Linux machines. The vulnerability sits within the written-from-scratch DHCPv6 client of the Systemd management suite, which is built into various types of Linux. To read more: https://www.theregister.co.uk/2018/10/26/systemd_dhcpv6_rce/

A security engineer identified 12 Python libraries uploaded to the official Python Package Index (PyPI) that contained malicious code. They have since been removed from PyPI. To read more: https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/

A vulnerability that is trivial to exploit was found on Linux and BSD distributions using the open-source X.Org Server. The flaw has been present for two years. To read more: https://www.bleepingcomputer.com/news/security/trivial-bug-in-xorg-gives-root-permission-on-linux-and-bsd-systems/

Windows zero-day
Proof-of-concept code for a zero-day vulnerability in Windows was released by a security researcher before Microsoft released a fix. The code exploits a vulnerability that enables any files on a machine (including system files) to be deleted without permission, and can potentially lead to privilege escalation. To read more: https://www.bleepingcomputer.com/news/security/new-windows-zero-day-bug-helps-delete-any-file-exploit-available/

