Silobreaker Daily Cyber Digest – 13 May 2019
Multiple actors exploiting flaw in Microsoft SharePoint
- According to AT&T Alien Labs researchers, multiple attackers are actively exploiting the Microsoft SharePoint flaw tracked as CVE-2019-0604. One exploitation attempt, reported by a Twitter user, originated from an IP address used as a C2 server for malware linked to the FIN7 group.
Thousands of websites compromised after Picreel and Alpaca Forms breached
- Sanguine Security founder Willem de Groot discovered that analytics service Picreel and open-source project Alpaca Forms have been breached. The attacks are believed to have been carried out by the same threat actor.
- The malicious code logs any content entered into form fields and sends it to a server in Panama. Data includes checkout/payment information, as well as filled contact forms and login sections.
Indonesian cybercrime group plaNETWORK uncovered
- Check Point researchers reported on an Indonesian threat actor, dubbed plaNETWORK, believed to have been active for the past seven years.
- In January 2019, the researchers observed a spike in attacks utilizing a unique PHP WebShell and attempting to exploit the Drupalgeddon flaw. Through their investigation, the researchers were led to an Indonesian IT services company named ‘plaNETWORK’.
- Further investigation of the ‘company’ revealed that its members shifted from originally providing IT consultancy services to offering hacking tutorials and announcing their successful website defacements.
Leaks and Breaches
Patient information compromised at Texas-based clinic
- UMC Southwest Gastroenterology, part of the UMC Health System group, reported that patients’ protected health information has been compromised due to storage on an unsecured network.
- A Google shared drive, created by two employed providers, contained files that listed patient names, addresses, phone numbers, medical records and more. It is unknown whether this information was accessed or copied by other parties.
Scottish National Party faces fines over data breach
- The Information Commissioner’s Office is investigating the Scottish National Party, following a data breach which resulted in campaign material being distributed to incorrect addresses.
- The breach is being investigated under GDPR compliance directives. 400,000 election letters have been sent out, but the number of voters affected is at present unclear.
Facebook fined $280,000 by Turkish watchdog over data breach
- Turkey’s Personal Data Protection Authority has issued Facebook with a fine of 1.65 million Turkish lira ($280,000) following a data breach in December 2018 that exposed the non-public photos of 6.8 million users to 1,500 apps and 876 developers.
- 300,000 Turkish Facebook users were potentially affected by the leak, made possible through a bug in the Facebook API.
- The watchdog continues to investigate Facebook over another incident in September 2018, where hackers were able to steal the personal details of 30 million users.
Personal alert systems open to compromise
- Researchers at Fidus have observed that over 10,000 emergency devices used by vulnerable people in the UK are at risk of being breached.
- Using a phone number, attackers can alter numbers, power settings and alarm settings, and are able to access the GPS and live recording features of the devices to track users’ conversations and movements.
Southeastern patient information potentially affected by ransomware incident
- The Southeastern Council on Alcoholism and Drug Dependence discovered in February 2019 that they had been the target of a ransomware attack.
- The attack has potentially led to the compromise of patient information, including names, addresses, social security numbers, medical history and treatment information.
- At present it is unclear whether this information was accessed or copied.
Data breach investigated in Philippine midterms
- The National Privacy Commission (NPC) is investigating claims that candidates in the midterm election are accessing voter information without consent.
- Voters have received cards from candidates that contain protected details, such as their name, residential address, date of birth, and more.
Indiana Pacers notifies customers of security breach
- A press release by Pacers Sports & Entertainment (PSE) has notified its customers of a phishing campaign that allowed hackers to gain access to PSE employee accounts between October 15th 2018 and December 4th 2018. PSE had learned of the attack on or shortly before November 16th 2018.
- The number of people affected is said to be limited. Information contained in the accounts includes names, addresses, passport numbers, medical information, and more. In a small number of cases, social security numbers may also have been exposed.
Charnwood Borough Council informs its residents of data breach
- Charnwood Borough Council accidentally uploaded the personal data of 134 people who had responded to a survey to its website. The information was digitally blanked out, rather than completely removed, which means the data could still be accessed.
- The personal information included names, addresses, phone numbers and email addresses. The council has since removed the document from its website.
NVIDIA patches high and medium severity flaws in GPU Display Driver
- The three vulnerabilities, tracked as CVE-2019-5675, CVE-2019-5676 and CVE-2019-5677, could lead to denial of service, privilege escalation or information disclosure.
French security researcher bricks Samsung mobile phones
- French security researcher Elliot Alderson has found an unprotected receiver in the ContainerAgent application of a Samsung mobile phone.
- This vulnerability can be exploited by creating a “Locker application”, which can result in the Secure Folder being continuously locked and the user being redirected to the first page of the launcher with every use.
- The Samsung Security Team reportedly considers this issue as having no or little security impact.
Attacks on SHA-1 hashing algorithm could become more dangerous
- Academics from France and Singapore have discovered a “chosen-prefix collision attack” on the SHA-1 hashing algorithm. Although outdated, SHA-1 is still used for digital signatures by many users.
- The previous collision attack carried out by Google and CWI in 2017 had little control over the data that collides. This new type of attack can be carried out with custom inputs, allowing attackers to carry out targeted attacks.
Building systems exposed to hackers
- Researcher Gjoko Krstic discovered over 100 vulnerabilities in building management, building automation and access control products from Nortek, Prima Systems, Optergy, and Computrols.
- The flaws could allow hackers access to alarms, entrance systems, elevator controllers, video feeds, and more. Moreover, attackers would also have access to personal details.
- Krstic stated that his research indicated that the flaws could impact up to 10 million people across 200 facilities.
US DOJ charges nine individuals connected to ‘The Community’ hacking group
- The US Department of Justice (DOJ) indicted nine individuals connected to a hacking group known as ‘The Community’ for their participation in identity theft and cryptocurrency theft via SIM hijacking. The perpetrators allegedly stole around $2.4 million in cryptocurrency.
Crypto investor wins $75.8 million in SIM swapping case
- Michael Terpin, a cryptocurrency investor, has been awarded $75.8 million in a civil case brought against Nicholas Truglia.
- Truglia hacked Terpin’s phone and stole $24 million of virtual currencies before resetting passwords to Terpin’s online accounts.
- The case follows fifteen indictment counts brought by the US Department of Justice against hacking groups who have utilised similar SIM swapping techniques.
BEC attack targets Sri Lanka Cricket
- Following a six-month investigation, auditors at Ernst and Young (EY) have concluded that Sri Lanka Cricket was a victim of a business email compromise (BEC).
- Attackers sent emails purporting to come from Sri Lanka Cricket to Sony Pictures, requesting that $187,000 and $5.5 million be paid into Hong Kong-based bank accounts. The money was not transferred.
- EY’s findings showed that the emails were sent from fake IP addresses and attached invoices were modified using PDF altering tools.
Hackers steal $574,250 from Bulgarian company
- Yavor Kolev, the head of the Bulgarian Cyber Crime Department, announced that hackers have transferred 1 million leva ($574,250) from the account of an unnamed Bulgarian company.
- Kolev stated that this was the biggest damage suffered by a Bulgarian company in a compromised business communication incident.
OAIC report finds over 10 million Australians affected by data breaches
- The Office of the Australian Information Commissioner (OAIC) has published its latest data breach report, revealing that over 10 million Australians have been affected by data breaches in the first quarter of 2019.
- The number of data breach notifications was down to 215, compared to 262 in the previous quarter. Of these breaches, 61% were due to malicious attacks, whilst other breaches occurred due to human error and system faults.
- The most affected information was contact information, followed by financial information and identity information. The report also showed that the most hit sector remains private health providers.
DVLA data breaches affect over 2,000 people
- The UK Driver and Vehicle Licensing Agency (DVLA) reported 439 data breaches that affected over 2,000 people in the last year. Breaches were allegedly the result of human error, where documents had been mislaid or sent to the wrong address.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.