Site Logo

AppSec News Roundup: Docker, WordPress, bruteforce attacks, and more

Thèmes:
9 mai 2019
|
Tushar Richabadas

These are the biggest #AppSec headlines of April 2019.  I love the analogy of the developer getting mugged in this first example.  And we have more incidents of credential stuffing here.  

Dockerhub breach results in 190,000 credentials stolen


Docker has announced a large breach that has resulted in over 190000 credentials being stolen. The impact is best explained by Kenn White:
Kenn White, a security researcher, explained the potential impact of the breach with an analogy.

“Think of it like this: developer gets mugged, and gets his keychain and wallet stolen. If the only keys were to his house and cars, that’s not great but it’s not a problem for the company,” White told Motherboard in an online chat. “In this case, potentially 190,000 keychains were pilfered, but with keys to company’s front doors too. Now it’s everybody’s problem.”


More Wordpress Plugin Woes


Active exploits for the Wordpress Social Warfare plugin snowballed, putting over 40000 websites at risk.

Another WooCommerce vulnerability is impacting over 60000 sites.

An inside look at how Credential Stuffing operations work


Catalin Cimpanu talks about how Data breaches, custom security, proxies, IoT botnets and hacking forums all play a role.  This is a very thorough writeup with some great images.


Monthly API, Credential Stuffing and Supply Chain attack roundup


How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in

A hacker used brute forcing to break in the API of GPS tracking apps and found that he could remotely kill car engines. The Hamburglar’s online version struck McDonalds Canada’s app and made away with 1000’s of dollars in fraudulent orders.

A mysterious group seems to have drastically increased their attack rates. Victims now attributed to supply chain attacks include video games. Meanwhile, the victims of Magecart now include the NBA’s Atlanta Hawks. The skimmer itself was found to be hosted on GitHub and taken down.

Meanwhile, Willem De Groot has discovered a polymorphic version that uses over 50 payment gateways.

Now for some fun


 

If you'd like to learn more about the Barracuda solutions I'm working on, see the Barracuda Web Application Firewall and the Barracuda WAF-as-a-Service.

 

Tushar Richabadas

Tushar Richabadas is Senior Product Marketing Manager, Applications and Cloud Security, Barracuda.  Prior to this role, Tushar was a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC, with a focus on cloud and automation.  Tushar has a wide range of experience, from leading networking product testing teams and technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.

Connect with him on LinkedIn here.

Billets associés :
AppSec News Roundup: Docker, WordPress, bruteforce attacks, and more
AppSec News Roundup: Docker, WordPress, bruteforce attacks, and more
Établir la confiance avec Zero Trust
Établir la confiance avec Zero Trust
 The third pillar to well-architected AWS cloud security - NetSec (Network Security)
The third pillar to well-architected AWS cloud security - NetSec (Network Security)
L'ABCdaire de la protection du cloud
L'ABCdaire de la protection du cloud