Cyber Risk News
A huge MongoDB database containing detailed CVs for over 202 million individuals has been found exposed online.
The unprotected MongoDB instance was found via a simple BinaryEdge or Shodan search and was left without any password protection, according to Bob Diachenko, director of cyber risk research at Hacken.io and HackenProof.
The 854GB trove contained data on 202.7m Chinese job-seekers including “personal info, such as mobile phone number, email, marriage, children, politics, height, weight, driver license, literacy level, salary expectations and more.” Such information could be used to good effect in follow-on phishing attacks.
The source of the data is unknown, although it is believed it may have been scraped from third-party CV sites.
“The origin of the data remained unknown until one of my Twitter followers pointed to a GitHub repository which contained a web app source code with identical structural patterns as those used in the exposed resumes,” explained Diachenko.
“The tool named ‘data-import’ (created three years ago) seems to have been created to scrape data (resumes) from different Chinese classifieds, like bj.58.com and others. It is unknown whether it was an official application or an illegal one used to collect all the applicants’ details, even those labelled as ‘private’.”
The database was secured “shortly after” Diachenko publicized his discovery on Twitter, although it’s unclear for how long it was exposed online before he first spotted it on December 28 last year.
He claimed that “at least a dozen” IPs may have accessed the database before it was taken offline, according to the MongoDB log.
Misconfigured security settings are likely to continue exposing organizations to preventable risk in 2019, especially as more of them migrate data and systems to the cloud, Trend Micro said in its 2019 predictions report recently.
Using a new penetration testing tool to automate phishing attacks, hackers can potentially bypass two-factor authentication (2FA), according to a new post published by security researcher Piotr Duszynski. The tool was written to intentionally make phishing campaigns as easy and effective as possible, said Duszynski.
Dubbed Modlishka, a Polish word that means "mantis," the tool can reportedly bypass login operations for accounts protected by 2FA and enable an attacker to have full control of "cross" origin TLS traffic flow from the victims' browsers, Duszynski wrote.
A GitHub user inquired whether 2FA is broken, to which Duszynski explained, “2FA isn't broken. At the end it is all about 'social engineering' that you will have to stay alert about. Which can be e-mail, phone, post or face2face based.
“If you don't want to always verify if the domain name in the URL address bar of your browser isn't somehow malicious or worry if there's yet another URL spoofing bug, then consider switching to U2F [universal second factor] protocol."
"While cyber-criminals can get past 2FA, this should only be one piece in the authentication stack and not the only one,” said Don Duncan, security engineer for NuData Security, a Mastercard company.
“This is why companies are using multilayered authentication tools that can verify the legitimacy of a transaction from different angles," Duncan continued. "This way, if one of the layers is fooled by a bad actor, the other layers or tools can flag that activity. It is this in-depth defense that allows companies to provide an exceptional experience for customers while cutting out cyber-criminals.”
Still, Duszynski said that in his experience as a penetration tester, he has had the greatest success infiltrating customer networks by using social engineering. “One definitely does not need to burn a 0day exploit/s for all of those sophisticated top-notch security defenses that are protecting the perimeter, when often just a few e-mails or phone calls will do just perfectly fine to compromise internal infrastructure and company's sensitive data.”
Award-winning cooking tools company OXO revealed that it has suffered data breaches over the last two years that may have compromised customer and credit card information.
In a breach disclosure letter filed with the State of California, OXO said that the data security incident involved “sophisticated criminal activity that may have exposed some of your personal information.” The attacker is believed to have accessed credit card information, along with names and billing and shipping addresses, though the letter does not state the scope of impact.
“On December 17, 2018, OXO confirmed through our forensic investigators that the security of certain personal information that you entered into our e-commerce website (https://www.oxo.com) may have been compromised. We currently believe that information entered in the customer order form between June 9, 2017 – November 28, 2017, June 8, 2018 – June 9, 2018, July 20, 2018 – October 16, 2018 may have been compromised. While we believe the attempt to compromise your payment information may have been ineffective, we are notifying you out of an abundance of caution.”
OXO is currently working with security consultants and forensic investigators, who are looking at past vulnerabilities in the website as part of an ongoing investigation of the incident. Additionally, the company has taken measures to secure its site to prevent future incidents.
“This latest breach underscores the importance of 24/7 security monitoring,” said Matan Or-El, CEO of Panorays. “With the new year upon us, companies should perform an in-depth review of all their digital assets to ensure that they and their third parties have not been compromised. We expect that future hacks will be targeted towards entire industries so as to maximize the payout for cyber-criminals.”
OXO has also secured the services of risk mitigation and response firm Kroll in order to extend identity monitoring services to its customers.
In the wake of the massive data breach suffered by Marriott, Hyatt has announced that it will launch a bug bounty program in partnership with HackerOne, making it the first major hotel chain in the world to have a public bug bounty program.
“By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers,” Hyatt stated in its program policy.
With the goal of better protecting its millions of global guests from cyber threats, the Hyatt program will engage with researchers around the globe, offering them the chance to earn cash rewards for reporting valid security flaws on Hyatt.com, m.hyatt.com, world.hyatt.com, and the iOS and Android versions of the Hyatt mobile app.
“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” said Hyatt chief information security officer Benjamin Vaughn in a press release. “As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information.”
Security researchers can earn $4,000 for critical vulnerabilities and $1,200 for each high vulnerability reported, while those deemed medium will be awarded $600 and low vulnerabilities will be paid $300. To date, Hyatt has paid a total of $5,650 in bounties, with the average bounty worth between $150–300.
Hyatt only accepts disclosures from HackerOne researchers, and the vulnerability reports must meet all of the established requirements and contain “original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.”
Security researchers have spotted a new series of DNS hijacking attacks successfully targeting organizations globally on a large scale and traced back to Iran.
The attacks have managed to compromise “dozens” of domains run by government, telecommunications and internet infrastructure in the Middle East and North Africa, Europe and North America. In so doing, they change DNS records to direct users to malicious but legitimate-looking, Let’s Encrypt certified domains where email credentials are harvested.
FireEye observed three attack methods, with activity first spotted in January 2017.
The first uses previously compromised credentials to log in to a DNS provider’s administration panel with the aim of changing DNS A records.
The second exploits a previously compromised registrar or ccTLD to change DNS nameserver (NS) records. A third technique is used in combination with the previous two, to return legitimate IP addresses for users outside the targeted domains.
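All three methods described above end in a changed A or NS record, and the third is only visible as a disagreement between resolvers in different places. The following added example (not FireEye's tooling, and not code from the original article) shows how a defender who keeps a signed-off baseline of their own zones and resolves them from more than one vantage point can flag both kinds of drift. Domains, addresses and nameserver names are constructed placeholders, and the resolver answers are embedded as constructed data rather than fetched live.

```python
"""DNS record drift check against a known-good baseline (added example).

Two distinct findings are produced: "changed" when every vantage point sees
answers that differ from the baseline (methods one and two on the page), and
"split" when only some vantage points do (method three, where users outside
the targeted population still receive the legitimate records).
All domains, addresses and nameserver names below are constructed placeholders.
"""

# Constructed baseline: the records the zone owner expects to be published.
BASELINE = {
    "mail.example.gov": {"A": {"192.0.2.10"}, "NS": {"ns1.example.gov", "ns2.example.gov"}},
    "www.example.net": {"A": {"198.51.100.20"}, "NS": {"ns1.example.net", "ns2.example.net"}},
    "vpn.example.org": {"A": {"203.0.113.30"}, "NS": {"ns1.example.org", "ns2.example.org"}},
}

# Constructed answers from two resolvers; "inside" sits within the targeted region.
# In practice these would come from live lookups (for example with dnspython).
OBSERVED = {
    "inside": {
        "mail.example.gov": {"A": {"203.0.113.99"}, "NS": {"ns1.example.gov", "ns2.example.gov"}},
        "www.example.net": {"A": {"198.51.100.20"}, "NS": {"ns.hijack-placeholder.example"}},
        "vpn.example.org": {"A": {"203.0.113.30"}, "NS": {"ns1.example.org", "ns2.example.org"}},
    },
    "outside": {
        "mail.example.gov": {"A": {"192.0.2.10"}, "NS": {"ns1.example.gov", "ns2.example.gov"}},
        "www.example.net": {"A": {"198.51.100.20"}, "NS": {"ns.hijack-placeholder.example"}},
        "vpn.example.org": {"A": {"203.0.113.30"}, "NS": {"ns1.example.org", "ns2.example.org"}},
    },
}


def compare_records(baseline, observed):
    """Return one finding per (domain, record type) whose answers drift from baseline."""
    findings = []
    for domain, expected in baseline.items():
        for rtype in ("A", "NS"):
            want = frozenset(expected[rtype])
            # Answers for this domain/type from every vantage point that resolved it.
            seen = {vp: frozenset(ans[domain][rtype]) for vp, ans in observed.items() if domain in ans}
            drifted = {vp: got for vp, got in seen.items() if got != want}
            if not drifted:
                continue
            unexpected = set().union(*drifted.values()) - want
            findings.append({
                "domain": domain,
                "rtype": rtype,
                # "changed": every vantage point disagrees with the baseline.
                # "split": only some do, which is the page's third technique.
                "kind": "changed" if len(drifted) == len(seen) else "split",
                "vantage_points": sorted(drifted),
                "unexpected": sorted(unexpected),
            })
    return findings


if __name__ == "__main__":
    for finding in compare_records(BASELINE, OBSERVED):
        print(finding)
```

An NS drift is the more serious of the two findings because it implies the registrar or parent zone was changed, which is exactly the case where every vantage point agrees on the wrong answer; a "split" A-record finding is the one a single in-house monitor would miss entirely.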
FireEye warned that a “large number” of DNS/SSL cert firms had been affected by these attacks, including telcos, ISPs, infrastructure providers and governments.
“It is difficult to identify a single intrusion vector for each record change, and it is possible that the actor, or actors are using multiple techniques to gain an initial foothold into each of the targets described above,” the vendor explained.
“FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation. Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account.”
Less information was forthcoming on the type of organizations and users targeted by the cyber-espionage itself, although FireEye claimed they include “Middle Eastern governments whose confidential information would be of interest to the Iranian government and have relatively little financial value.”
This, along with the fact that the attackers used IP addresses previously associated with Iranian raids, has led the vendor to attribute the campaign to Tehran with “moderate confidence.”
The trial of a suspected Mexican drugs baron took an unexpected turn this week after it emerged that the FBI managed to persuade the accused’s IT consultant to hand over access to his secure comms infrastructure.
IT specialist Christian Rodriguez had worked for drug lords before, and was apparently recommended by one, Colombian Jorge Cifuentes, to Mexican "El Chapo" Joaquin Guzman.
Once on board, he’s said to have built a bespoke encrypted communications network for El Chapo as well as installing spyware on others’ phones so the kingpin could listen in to their conversations.
In total, it’s reported that Guzman was tracking 50 devices including those of his wife, mistress and members of the cartel, with malware known as FlexiSPY installed on brand new handsets by Rodriguez before being gifted to the individuals.
The Feds’ big break came in 2010 when, posing as a Russian mobster, an undercover agent is said to have arranged a meeting with Rodriguez where he requested a similar system.
It’s unclear how, but the FBI eventually managed to persuade the IT guy to turn informant. In 2011 he apparently moved the network servers from Canada to the Netherlands in what he claimed was a routine upgrade, whilst handing over the all-important encryption keys to the authorities.
That allowed the FBI to tap 200 VoIP phone calls in which Guzman apparently discussed major drug deals, beating up the police, and even bribing a corrupt federal police commander.
However, it’s believed the IT consultant suffered a nervous breakdown in 2013 from the stress of working for, and colluding against, his employer.
Although the story at times reads like the script of a film, it highlights the vital role technology now plays in law enforcement investigations.
However, ultimately the breakthrough was achieved via old-fashioned undercover work.
A large number of Reddit users have been locked out of their accounts as a precaution while the site’s admins investigate potential unauthorized access.
Staffer “Sporkicide” would not disclose exactly how many users were affected by the move, but claimed in a post yesterday that “a large group of accounts were locked down due to a security concern.”
“By ‘security concern,’ we mean unusual activity that did not correspond to the account’s normal behavior that may indicate unauthorized access,” the admin continued.
“The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services. If another site is compromised and those lists of usernames and passwords become available, it’s very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk.”
These credential stuffing attacks, facilitated by automated software which injects breached credentials into other sites to crack accounts, are set to become ever more popular in 2019, according to one security vendor.
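The pattern the Reddit admin describes, one source trying many different usernames in quick succession with most attempts failing, is detectable in ordinary authentication logs. The following added example (not Reddit's code and not from the original article) parses constructed log lines, flags source IPs matching that pattern, and lists the accounts a flagged source nevertheless logged into, which is the set a site would lock as a precaution. The log format, the five-minute window and the thresholds are assumptions.

```python
"""Credential-stuffing detector over constructed authentication log lines (added example).

Log format (assumed): "<ISO timestamp> auth <ok|fail> user=<name> ip=<addr>".
A source is flagged when, inside a sliding time window, it has tried at least
`min_users` distinct usernames and at least `min_fail_ratio` of those attempts failed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: 203.0.113.7 cycles through eight accounts in six seconds
# (one succeeds); 198.51.100.5 is a person mistyping their own password.
SAMPLE_LOG = """\
2019-01-09T10:00:01 auth fail user=alice ip=203.0.113.7
2019-01-09T10:00:02 auth fail user=bob ip=203.0.113.7
2019-01-09T10:00:02 auth fail user=carol ip=203.0.113.7
2019-01-09T10:00:03 auth fail user=dave ip=203.0.113.7
2019-01-09T10:00:04 auth ok user=erin ip=203.0.113.7
2019-01-09T10:00:05 auth fail user=frank ip=203.0.113.7
2019-01-09T10:00:05 auth fail user=grace ip=203.0.113.7
2019-01-09T10:00:06 auth fail user=heidi ip=203.0.113.7
2019-01-09T10:01:00 auth fail user=carol ip=198.51.100.5
2019-01-09T10:01:20 auth fail user=carol ip=198.51.100.5
2019-01-09T10:01:45 auth ok user=carol ip=198.51.100.5
2019-01-09T10:02:00 auth ok user=dave ip=198.51.100.9
"""


def parse_log(text):
    """Turn matching log lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for sources whose behaviour matches credential stuffing."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if e["result"] == "fail")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # Keep the window with the most distinct usernames for this source.
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "failures": fails,
                        # Accounts the source did get into: lock and force a reset.
                        "accounts_to_lock": sorted({e["user"] for e in span if e["result"] == "ok"}),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The distinct-username count is what separates stuffing from a legitimate user retrying a forgotten password: carol fails twice from one address but is never flagged because the window contains only one username.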
“Breached credentials will be actively and heavily used in fraudulent transactions as cyber-criminals take the next logical step after amassing data breach info dumps in past years: using these stolen credentials,” Trend Micro predicted in a recent report.
However, some of those commenting on the security notice claimed they used strong, site-specific credentials for Reddit. One even suggested the incident could be the result of a session hijacking attack of the same kind that led to the theft of access tokens for 30 million Facebook accounts last year.
Reddit is no stranger to security incidents: last year it suffered a major breach of user data after hackers first cracked staff accounts by intercepting SMS-based two-factor authentication codes.
Sporkicide claimed yesterday that over “the next few hours” affected account holders will be able to reset their passwords.
Jarrod Overson, director of engineering at Shape Security, claimed Reddit accounts are prized as they can be used to push malicious content, exploit other users and make content go viral.
“Reddit is notoriously easy for attackers to manipulate — they don’t require an email to open an account; the signup form only uses basic reCAPTCHA, which has been ineffective for years; and the login form does not appear to use any automation prevention techniques to protect against credential stuffing attacks,” he added.
“Sites like Reddit are a dream for attackers, there are virtually no barriers to entry and the value of trusted accounts on social networks is so high.”
IcePick-3PC has impacted a range of businesses, from publishers to e-commerce, across a variety of industries, including retail and healthcare, according to researchers from The Media Trust’s digital security and operations (DSO) team. The malware strain was first identified in spring 2018 and is able to steal device IPs en masse.
When it was initially detected, IcePick-3PC was used to spam device owners using phishing in a campaign that fraudulently offered gift cards from big-name retailers, such as Amazon and Walmart, in return for users sharing their personal information.
In a January 9, 2019, blog post, researchers explained that a website’s third-party tools are designed to incorporate interactive web content, such as animation via HTML5, and are loaded onto client platforms by self-service agencies. In the attack, which has affected more than 100 clients, IcePick-3PC executes after malware writers successfully hijack a website’s third-party tools.
“The malware conducts the usual checks on user agent, device type, whether the device is an Android device, battery level, device motion and orientation, and referrer,” the blog stated.
Additionally, before it downloads, the malware is able to examine the devices of those users who visit a website with a compromised third-party library. “The extraction and collection of IPs represents the largest scale of IP theft the DSO has observed to date and marks a significant advancement in malware authoring, as stealing IP en masse with such efficiency demands rarefied coding skills,” researchers wrote.
“But now that this malware has overcome such hurdles and even breaks through VPNs in order to intercept IPs, it enables bad actors to identify users’ device vulnerabilities, and leaves the devices wide open for exploit targeting and potential future attacks.”
“In order to protect sites from this malware, publishers and e-commerce businesses should thoroughly vet the self-service agencies they work with for security weaknesses and avoid repeat offenders. They can also detect such offenders by scanning interactive ads and site pages for unauthorized code,” researchers said.
A Python network tool, Scapy, is vulnerable to denial-of-service (DoS) attacks, according to research published by Imperva. The company also released its 2018 State of Web Application Vulnerabilities report, which found that injections represented 19% of the total vulnerabilities in 2018, while plugins were the root cause of 98% of the vulnerabilities in WordPress.
In the latest version of Scapy, the algorithm used to determine the type of network packet relies on port numbers, but the packet type can easily be spoofed.
According to researchers, “The vulnerability occurs when Scapy is tricked into thinking a network packet is a RADIUS packet. The vulnerability is due to a lack of input validation when reading the length field in the RADIUS packet’s Attribute Value Pairs (AVP). This can cause an infinite loop in the following code section if a certain byte is set to zero.”
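The defect class the researchers describe, a length-prefixed record walker that trusts its own length byte, is easy to see in a few lines. The following added example is a standalone illustration, not Scapy's code and not from the Imperva report: it walks a RADIUS attribute section (type byte, length byte counting type and length themselves, then the value, so the minimum legal length is 2) first as a parser that trusts the length field and then as a hardened version that rejects lengths below 2 and lengths that overrun the packet. The attribute bytes are constructed; the 20-byte RADIUS header is assumed to have been consumed already.

```python
"""Vulnerable versus hardened RADIUS attribute (AVP) walker (added example).

Wire layout of one attribute: type (1 byte) | length (1 byte, counts type,
length and value, so legal values are 2..255) | value (length - 2 bytes).
This is a standalone illustration, not Scapy's implementation.
"""

# Constructed attribute bytes: User-Name (type 1) "bob", then NAS-IP-Address (type 4).
GOOD_ATTRS = b"\x01\x05bob" + b"\x04\x06\xc0\x00\x02\x01"
# Same, but the second attribute carries a zero length byte, then two padding bytes.
BAD_ATTRS = b"\x01\x05bob" + b"\x04\x00" + b"\x00\x00"


def walk_avps_unchecked(attrs, max_steps=1000):
    """Trusts the length byte. A zero length never advances `offset`, so the loop
    would spin forever; `max_steps` is a harness guard so this demo terminates."""
    out, offset, steps = [], 0, 0
    while offset < len(attrs):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("parser stuck: offset did not advance")
        avp_type = attrs[offset]
        avp_len = attrs[offset + 1]
        out.append((avp_type, attrs[offset + 2:offset + avp_len]))
        offset += avp_len  # adds 0 when avp_len == 0
    return out


def walk_avps(attrs):
    """Hardened walker: every length is validated before it is used to advance."""
    out, offset = [], 0
    while offset < len(attrs):
        if len(attrs) - offset < 2:
            raise ValueError(f"truncated attribute header at offset {offset}")
        avp_type, avp_len = attrs[offset], attrs[offset + 1]
        if avp_len < 2:
            raise ValueError(f"illegal attribute length {avp_len} at offset {offset}")
        if offset + avp_len > len(attrs):
            raise ValueError(f"attribute length {avp_len} overruns packet at offset {offset}")
        out.append((avp_type, bytes(attrs[offset + 2:offset + avp_len])))
        offset += avp_len  # guaranteed >= 2, so the loop always makes progress
    return out


def demo():
    """Run both walkers over both inputs and report the outcome of each."""
    results = {"good": walk_avps(GOOD_ATTRS)}
    try:
        walk_avps_unchecked(BAD_ATTRS)
        results["bad_unchecked"] = "parsed"
    except RuntimeError:
        results["bad_unchecked"] = "stuck"
    try:
        walk_avps(BAD_ATTRS)
        results["bad_checked"] = "parsed"
    except ValueError:
        results["bad_checked"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The general rule the hardened version applies holds for any length-prefixed format: check that the length is at least the header size and does not exceed the remaining buffer before using it, so that every iteration provably moves the cursor forward.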
In addition to the vulnerability in this tool, web application vulnerabilities are trending upward and WordPress vulnerabilities have tripled since 2017. Still, Drupal vulnerabilities were exploited en masse, targeting hundreds of thousands of sites throughout 2018.
There was, however, some good news in regard to other web app vulnerabilities. Last year saw a decline in both the number of the internet of things (IoT) and PHP vulnerabilities, as well as in vulnerabilities related to weak authentication. Still, API vulnerabilities did show some growth. In fact, 2018 saw a total of 264 API vulnerabilities, up 23% from the 214 reported in 2017.
“The overall number of new vulnerabilities in 2018 (17,142) increased by 21% compared to 2017 (14,082) and by 159% compared to 2016 (6,615). According to our data, more than half of web application vulnerabilities (54%) have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don’t have an available solution, such as a software upgrade workaround or software patch,” the report stated.
When looking at content management systems (CMSs), attackers spent much of their time targeting WordPress, which is used by 59% of all websites using a known CMS, according to the report. “Although Drupal is the third-most popular CMS, two of its vulnerabilities, CVE-2018-7600 and CVE-2018-7602, were the root cause of many security breaches in hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations.”
A researcher reportedly paid $300 to a bounty hunter who was then able to geolocate a phone down to a location in a specific neighborhood only blocks away from the actual location of the targeted phone. According to a blog post from Motherboard’s Joseph Cox, these surveillance capabilities are available to individuals and businesses and sometimes sold through word of mouth.
“At least one company, called Microbilt, is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard,” Cox wrote.
In addition to telecoms selling cell phone location data to companies, the researcher said that there is a trickle-down effect with the information, which could land in the wrong hands.
“Your mobile phone is constantly communicating with nearby cell phone towers, so your telecom provider knows where to route calls and texts. From this, telecom companies also work out the phone’s approximate location based on its proximity to those towers,” Cox said.
As we rely more on connected devices, our data is everywhere and becoming accessible to parties often unknown to us, and we may not have given consent for our data to be shared. “With each data transaction, the potential for the new party to either leak data, fall victim to compromise, or further share the data means that very quickly there's no control or governance,” said Ben Johnson, co-founder and CTO, Obsidian Security.
“Sadly, most of us assume not only that what we deliberately put on the Internet will fall into unauthorized hands but that data generated by our devices, services and even our human networks will be utilized in various ways we haven't authorized. Every copy of data is a liability, and until those who collect or generate this data have better guiding principles and scrutiny, we must assume that our data and data about us is everywhere.”
NHS Digital’s first chief information security officer (CISO) has resigned just three months into the job, dealing a blow to efforts to improve cybersecurity across the UK’s health service.
In a memo to staff seen by HSJ, NHS Digital deputy CEO, Rob Shaw, said that Robert Coles’ departure was due to personal reasons and that a search for a replacement would begin immediately.
“We have enjoyed working with Robert, and his resignation is accepted with great regret,” he’s reported to have said. “I would like to personally thank him for the passion he brought to the role and the early progress he has made in developing the system-wide cyber-strategy.”
Coles only started his job as NHS Digital’s first CISO on October 1 with a daunting task ahead of him, given scarce funds and well-documented systemic cybersecurity challenges.
In fact, his role was only created after recommendations by NHS England CIO, Will Smart, following the infamous WannaCry ransomware attack of May 2017.
That attack is said to have cost the NHS £92m: £19m as a result of access to information and systems being unavailable, leading to cancelled appointments, and £72m spent on extra IT support.
An estimated 19,000 operations and appointments were cancelled as a result of the ransomware-related outages, which caused disruption at a third of NHS England’s trusts and infected a total of 603 primary care and other NHS organizations, including 595 GP practices.
Despite his resignation, Coles is reportedly set to return to work as an independent consultant in the coming months.
“I am very sorry not to be able to continue in my role at NHS Digital,” he explained in the memo. “I have enjoyed working with the very talented and passionate cybersecurity team at NHS Digital and seeing the commitment to improving cyber-resilience across the health and care system.”
Coles is no stranger to high-profile jobs, having held similar positions at pharma giant GlaxoSmithKline, the National Grid and Merrill Lynch.
Controversial exploit broker Zerodium has upped its bug bounties for the majority of desktop/server and mobile exploits, offering security researchers millions of dollars for their work.
At the lower end, a Windows local privilege escalation or sandbox escape will now pay out $80,000, up from $50,000, while at the top of the server/desktop category are “zero click” Windows remote code execution exploits, which have doubled in value to $1m.
However, the biggest bucks go to researchers looking for flaws in mobile platforms.
A local PIN/passcode or Touch ID bypass for Android or iOS will net you $100,000, up from $15,000, while a zero click Apple iOS remote jailbreak with persistence is now worth $2m, up from $1.5m.
“Zerodium payouts for eligible zero-day exploits range from $2000 to $2m per submission,” the firm’s website explained.
“The amounts paid by Zerodium to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc).”
The firm claims it was founded to “build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”
However, unlike Trend Micro’s Zero Day Initiative, for example, exploits submitted to the firm are usually sold on privately rather than shared with the white hat community and vendors.
Law enforcement and intelligence services around the world are keen to get their hands on the latest security research, to monitor terrorists and criminals but also dissidents, journalists and others.
Microsoft started the new year yesterday by issuing fixes for almost 50 vulnerabilities, although only seven were rated critical.
Many of these were remote code execution (RCE) bugs, with experts agreeing that CVE-2019-0547 should be top of the priority list. This RCE vulnerability in the Windows DHCP Client was given Microsoft’s highest exploit index rating.
“DHCP is a network management protocol often used to dynamically configure things like IP addresses for systems when they connect to a router,” explained Rapid7 senior security researcher, Greg Wiseman. “Any untrusted network, such as a random Wi-Fi hotspot in a coffee shop, is a potential vector for this attack.”
Other critical flaws to look at first include three Chakra scripting engine memory corruption vulnerabilities (CVE-2019-0539, CVE-2019-0567, CVE-2019-0568); two Hyper-V RCEs (CVE-2019-0550, CVE-2019-0551); and CVE-2019-0565, a Microsoft Edge memory corruption vulnerability.
Unlike the past few months, there were no zero-day flaws for admins to tackle, but there was one which had been publicly disclosed although not actively exploited in the wild.
CVE-2019-0579 is an RCE in the Jet Database Engine: one of 11 CVEs which could lead to RCE in the product.
Also on the list is Exchange memory corruption vulnerability CVE-2019-0586, which could allow an attacker to take control of a victim machine by sending a specially crafted email.
System administrators are also spared the regular task of patching Adobe Flash this month, although the vendor released fixes for two critical vulnerabilities in Reader and Acrobat last Thursday.
Qualys director of product management, Jimmy Graham, also reminded IT teams not to forget the out-of-band patch Microsoft released on December 17 for CVE-2018-8653, fixing a bug affecting Internet Explorer 9-11 which has been actively exploited in the wild.
“This patch should also be prioritized to all workstation-type devices,” he said.
The Zero Day Initiative has a full list of CVEs for January 2019 here.
Network and endpoint security company, Sophos, announced today that it has acquired Avid Secure, a cloud infrastructure security company that uses artificial intelligence to deliver cloud security analytics, according to a press release.
No further details about the acquisition have been released, though a spokesperson for the company said in an email that Sophos will be holding meetings during RSAC 19 to discuss the company’s recent acquisition and overarching cloud business strategy.
“The accelerated adoption of public cloud environments is presenting new data security challenges to organizations. With the cloud workload protection and the cloud security posture management software from Avid Secure, Sophos will expand its current capabilities in cloud security and drive leadership in this growing space,” said Dan Schiappa, senior vice president and general manager of products at Sophos.
“We welcome the Avid Secure team to Sophos and are excited to bring their transformational technology into our portfolio, strengthening our ability to offer the best protection for our customers’ data on endpoints and networks, wherever their services are hosted.”
Since 2017, Avid Secure, a privately owned company headquartered in San Francisco, California, has offered its AI-based platform that provides public cloud protection for services such as AWS, Azure and Google.
“We built the Avid Secure platform to revolutionize the security of public cloud environments in a process-efficient way,” said Nikhil Gupta, CEO and co-founder at Avid Secure in the press release.
“We are proud of our innovative AI-powered technology that provides enterprises with end-to-end continuous security analytics, visibility, and compliance to protect their data and maximize their investments in public cloud services. The opportunity to join Sophos in their mission to evolve cybersecurity into an intelligent, integrated system presented a perfect fit for our engineering vision. I, and the whole team at Avid Secure, look forward to what we can achieve together.”