AppSec News Roundup: WordPress, Equifax, Oracle, and more
22 July 2019
There's never any shortage of credential stuffing attacks. WordPress is in our roundup again, and we've got some configuration errors in this one as well.
Large breaches, big investigations
Some (impressively?) large data breaches were disclosed in May and June. Significant among them:
While the report did not detail the origin of the breach that affected over 10 million individuals, it did show that the largest finance-related breach affected fewer than 500,000 individuals, and that each of the health sector's three most damaging breaches affected fewer than 5,000.
'... over 10 million individuals had their information compromised in one single incident. The current population of Australia is around 25.4 million.' via @zdnet
Hackers had access to the sensitive information of Flipboard users for over 9 months
"Flipboard, which has more than 145 million monthly active users, said it was in the process of determining how many accounts were affected. It said the compromised databases contained users’ names, Flipboard usernames, and cryptographically protected password and email addresses."
UK’s Parliament chiefs investigate claims its website was hacked amid fears of a confidential data breach
One Twitter user said they had found passwords leaked online as well. A Parliamentary spokesman said it was looking into the reports but had not found any evidence that confidential parliamentary data had been breached.
EatStreet was hit by a GnosticPlayers hack
Accessed information included names, phone numbers, email addresses, bank accounts, and routing numbers for restaurants and delivery services. For customers who ordered food through the EatStreet app and website, information the hacker might have accessed or stolen included names, credit card numbers, expiration dates, card verification codes, billing addresses, email addresses, and phone numbers.
The security of all users who installed these extensions was put at risk because of a stupid grudge between a Denver-based company called White Fir Design LLC (dba Plugin Vulnerabilities), and the WordPress forum moderation team.
A web spam campaign that targets Koreans is creating problems for site administrators all around the world. Hackers are compromising vulnerable Korean-language WordPress websites, but are also polluting search engine results for non-hacked sites globally.
"Although the result page says that “nothing was found”, it contains the full search query with the relevant spam keywords, along with the domain name of the site the attackers want to promote. ... This adds an impressive amount of search visibility for the promoted domains.”
SlickPopup and WP Database Backup plugins have serious problems. WP Database Backup has fixed its vulnerability, though.
Plugin flaws continue to plague WordPress websites. According to an Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog.
Equifax and Cathay Pacific got told off for not patching old vulnerabilities
A little-known breach caused Equifax to get told off recently by the US Congress. Cathay Pacific got told off as well, for, among other things, “failing to catch an unspecified but ‘commonly known exploitable vulnerability’ on the server”.
In a statement, the Apache Struts project wrote: “This vulnerability was patched on 7 March 2017, the same day it was announced ... In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.”
This week, the financial rating service Moody’s downgraded Equifax from a “stable” to a “negative” outlook, citing the high level of cybersecurity spending and litigation that followed directly from the 2017 breach. It is the first time cybersecurity has been cited as the reason for an outlook change, CNBC reported.
Hong Kong’s privacy commissioner has concluded that two groups were behind the data breaches at Cathay Pacific that exposed the personal information of 9.4 million passengers: one installed a keylogger on a server, the other exploited a vulnerability on an unsecured Internet-facing server.
CNBC reports that Equifax is the first company to have its financial outlook downgraded from “stable” to a “negative” outlook due to a #cybersecurity incident.
Our regular API, credential stuffing and supply chain attack roundup
As revealed by Bad Packets Report's co-founder Troy Mursch, the script collects card numbers, expiration dates, and credit card CVV/CVC verification codes, as well as customers' names, addresses, phone numbers and emails. ... Magecart groups have been active since at least 2015 and represent an ever-evolving threat capable of launching attacks against high profile international companies like Ticketmaster, British Airways, OXO, and Newegg, as well as to target small retailers like Amerisleep and MyPillow.
Hackers are now going after your loyalty points, and it’s credential stuffing that is getting them to those points
One hacked Southwest Airlines rewards account with at least 50,000 miles was advertised for $98.88, according to the cloud security company Armor.
Instagram’s had a number of API-based problems in the past, and this time around it seems to have allowed the scraping of contact data for millions of influencers.
At the time of writing, the database had over 49 million records — but was growing by the hour. From a brief review of the data, each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they’re verified and their location by city and country, but also contained their personal contact information, such as the Instagram account owner’s email address and phone number.
Once an exposed Docker host is located, it is added to a list (iplist.txt file), which is further sorted for unique IPs. It also checks if the target host already has an existing cryptocurrency-mining container running, which is deleted if found. It then reaches out to its C&C servers to deploy additional containers to other exposed hosts based on the IP list. It then loops to the beginning of the routine stated earlier with a new host.
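The worm described above only works because the Docker daemon on the victim host is listening on TCP with no client authentication; anyone who can reach that port can start containers, mount the host filesystem and, in practice, own the machine. As an added example (not code from the article or from the report it summarises), the following Python audits a daemon.json for that misconfiguration, flagging tcp:// listeners unless tlsverify and a CA, server certificate and key are all configured. The two configurations are constructed for illustration, and the file paths in the hardened one are placeholders.

```python
"""Audit a Docker daemon.json for an API endpoint reachable without TLS."""
import json
from urllib.parse import urlparse

# Constructed examples (not taken from the article): a daemon.json that
# exposes the Docker API on every interface with no TLS, and a hardened one.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Assumed certificate paths; substitute your own.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK_ONLY = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(daemon_json: str) -> list:
    """Return (endpoint, severity, reason) for every TCP listener that does
    not require client-certificate TLS. An empty list means no finding."""
    cfg = json.loads(daemon_json)
    # dockerd authenticates clients only when tlsverify is set and a CA,
    # server certificate and key are all present.
    tls_ok = bool(cfg.get("tlsverify")) and all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for endpoint in cfg.get("hosts", []):
        parsed = urlparse(endpoint)
        if parsed.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local to the host
        if tls_ok:
            continue
        # "tcp://:2375" has no hostname and means all interfaces.
        host = parsed.hostname or "0.0.0.0"
        if host in LOOPBACK_ONLY:
            findings.append((endpoint, "medium",
                             "unauthenticated API on loopback; any local user can reach it"))
        else:
            findings.append((endpoint, "high",
                             "unauthenticated API reachable from the network"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(cfg) or "no findings")
```

Run it against /etc/docker/daemon.json on each host; a "high" finding is exactly the state the scanner in the article is looking for. Note that dockerd also accepts -H on the command line, so a systemd unit that passes the listener there will not show up in daemon.json and needs the same check.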
Oracle released an out-of-band patch for a WebLogic Server deserialisation vulnerability which could allow an unauthenticated attacker to remotely exploit vulnerable systems and gain remote code execution (RCE). ... Oracle said in a blog post that, while both exploits are deserialisation flaws, CVE-2019-2729 is "a distinct vulnerability."
Many of the pages that allowed public access had been indexed by search engines. One subdomain was dedicated to human resources and included new employee names, email addresses, phone numbers, and passwords.” ... In addition to HCL employees, the company was also accidentally exposing thousands of records for customers.
Configuration mistakes that hackers like: same password on multiple sites, default or unused open ports, delayed patching, poor credential management.