Cyware Weekly Threat Intelligence, August 05 - 09, 2019

Weekly Threat Briefing • Aug 9, 2019
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Aug 9, 2019
The Good
With the weekend around the corner, let’s quickly glance through all that happened in cyberspace over the week. Before delving into the security incidents and new threats, let’s first take a look at all the positive events. Microsoft has launched the Azure Security Lab and doubled its Azure bug-bounty reward to $40,000. Slack has added several new security features to its Enterprise grid product. Meanwhile, a design firm named OpenIDEO is hosting a contest for visual creators to create attractive and informative images on cybersecurity.
Microsoft has launched the Azure Security Lab and doubled its Azure bug-bounty reward to $40,000 in an effort to further strengthen cloud security. The newly-launched Azure Security lab is isolated from the main Azure framework in order to prevent hacking attempts and tests from disrupting the normal functionality.
Slack has added several new security features to its Enterprise grid product to enable admins with more control over how their organization's data can be accessed and shared in Slack. The features include security authentication controls, session management tools, domain whitelisting tools, among others.
A design firm named OpenIDEO is hosting a contest for visual creators to create attractive and informative images on cybersecurity. The contest will award $7000 for up to five winners. Contestants can submit their cyber-security related images until August 16, 2019, and the organization will announce the shortlisters on September 4, 2019.
The Bad
Several data breaches and security incidents were witnessed in this week. E-commerce platform CafePress suffered a data breach compromising over 23 million customer accounts. Several misconfigured Jira servers were found exposing information about internal projects belonging to large organizations including Google, NASA, and Yahoo. Last, but not least, a misconfigured Amazon S3 storage bucket belonging to the Democratic Senatorial Campaign Committee exposed around 6.2 million email addresses of Democrats.
CafePress suffered a data breach compromising over 23 million customer accounts, email addresses, and other records containing personal information. According to HaveIBeenPwned, CafePress was hacked in February 2019 and almost 493,000 accounts are being sold on hacker forums.
Hackers found an unprotected MongoDB instance which was publicly accessible without any authentication. They took advantage of the open database, erased 2.1 million records of customer data, and replaced them with a ransom note. The ransom note stated that the contents of the database are backed up on the attacker's servers and demanded a ransom payment of 0.05 BTC worth $500 to recover the data.
Researchers have found several misconfigured Jira servers that have been leaking information about internal projects and users belonging to large organizations such as Google, NASA, Yahoo, and Lenovo, among others. The leaked data includes names, roles, and email addresses of employees who are involved in various projects of an organization, along with the current state and development of those projects.
Monzo requested around 480,000 customers to change their PINs as their PINs were stored in encrypted log files of their internal systems that were accessible by engineers. Upon discovering the security glitch, Monzo made immediate changes to close the exposure and disable access to the engineers. The bank officials also deleted all the information that was stored incorrectly.
The City of Naples in Florida fell victim to a spear-phishing attack compromising $700,000. The scammers purported to be a representative from the Wright Construction Group targeted a specific department through a phishing email. This caused the department to transfer the amount to a fake bank account provided by the hackers.
A fraudster bribed AT&T employees over $1 million to unlock mobile phones and install unauthorized devices on the company's internal network for over five years between 2012 and 2017. This resulted in millions of mobile phones being removed from AT&T’s service or payment plans. However, the fraudster has been arrested and extradited to the U.S.
An unprotected Amazon S3 storage bucket named “toclinton” belonging to the Democratic Senatorial Campaign Committee has exposed approximately 6.2 million email addresses of Democrats. The list contained email addresses from major email providers, along with universities, government agencies, and the military.
A vulnerability in the image upload function of SuperINN plus web application allowed attackers to extract customers’ personal information from the database. The compromised information includes customers’ names, addresses, phone numbers, email addresses, encrypted card numbers, and encrypted cardholder data. The incident impacted almost 43,250 across the globe, including 2,882 residents of California.
Attackers hacked the website for the National Baseball Hall of Fame and injected a malicious Magecart script on the checkout page of its online store. This resulted in the attackers stealing the personal information of customers who made purchases via the online store between November 15, 2018, and May 14, 2019.
Insurance company State Farm notified its customers that it suffered a credential stuffing attack during which attackers were able to confirm valid usernames and passwords for some customer accounts. State Farm has reset passwords for all impacted customer accounts in order to avoid further access attempts by the attackers.
An unprotected server belonging to Boeing had exposed full code designed to run on the Boeing 737 and Boeing 787 passenger jets. The leaked code for a component of the Boeing 787 passenger jet has security flaws in it. These vulnerabilities can be abused by an attacker to send malicious commands to far more sensitive components that control the plane’s safety-critical systems, including its engines, brakes, and sensors.
An attacker who claims to have stolen KYC data of 10,000 Binance users, threatened Binance cryptocurrency exchange to release the data if the company did not pay 300 Bitcoins (~ $3.5 million). In response to the exchange not co-operating with the attacker’s demand, he began distributing the data online and to media outlets. The exchange is offering a reward of 25 bitcoins which is worth over $290,000 to anyone who provides information related to the identity of the attacker.
Air New Zealand suffered a data breach compromising Airpoints members’ personal information after two staffs had their accounts breached in a phishing attack. The compromised staff accounts exposed the personal information of customers' membership profiles to those attackers. This incident has affected nearly 3.5 percent (around 112,000) customers out of the 3.2 million Air New Zealand Airpoints customers.
New Threats
This week also witnessed the occurrence of several new malware strains and vulnerabilities. Researchers have spotted a new variant of the Trickbot trojan that propagates via JavaScript files. A new variant of LokiBot info-stealer malware that uses steganography technique to hide its code required for unpacking routine has been detected. Meanwhile, security researchers have uncovered a new speculative-execution vulnerability dubbed ‘SWAPGS’ that impacts CPUs in Windows and Linux based machines.