Round Up of Major Breaches and Scams
The Department of Veterans Affairs (VA) has disclosed today a security breach during which the personal information of around 46,000 veterans was obtained by a malicious third party. Officials said the breach took place after “unauthorized users” accessed an online application managed by the VA Financial Services Center (FSC). The VA said the hackers used “social engineering techniques” and exploited the “authentication protocol” to gain access to the FSC app and then divert VA payments.
The FBI sent a private security alert to the US financial sector last week warning organizations about the increasing number of credential stuffing attacks that have targeted their networks and led to breaches and considerable financial losses. Credential stuffing is a relatively new term in the cyber-security industry. It refers to a type of automated attack in which attackers take collections of usernames and passwords leaked online through data breaches at other companies and try them against accounts at other online services.
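Because credential stuffing replays leaked pairs across many accounts, its footprint on the defender's side is one client source trying a large number of distinct usernames in a short window with a very low success rate, which distinguishes it from a brute-force attack (one user, many passwords) and from a legitimate user (one user, a few failures, then success). The following is an added example, not part of the FBI alert or the roundup: a small sliding-window detector run over constructed authentication log lines in a hypothetical "timestamp ip user result" format; the thresholds, IPs and usernames are all assumed values.

```python
"""Added example (not from the roundup): flag credential-stuffing patterns
in constructed web-application authentication logs."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in a hypothetical "ts ip user result" format.
# 203.0.113.7 sprays six different usernames in four seconds (stuffing);
# 198.51.100.9 is one user mistyping a password; 192.0.2.44 is two
# unrelated failures fifteen minutes apart.
SAMPLE_LOG = """\
2020-09-14T10:00:01 203.0.113.7 alice FAIL
2020-09-14T10:00:02 203.0.113.7 bob FAIL
2020-09-14T10:00:02 203.0.113.7 carol FAIL
2020-09-14T10:00:03 203.0.113.7 dave FAIL
2020-09-14T10:00:03 203.0.113.7 erin SUCCESS
2020-09-14T10:00:04 203.0.113.7 frank FAIL
2020-09-14T10:00:10 198.51.100.9 alice FAIL
2020-09-14T10:00:15 198.51.100.9 alice FAIL
2020-09-14T10:00:20 198.51.100.9 alice SUCCESS
2020-09-14T10:05:00 192.0.2.44 grace FAIL
2020-09-14T10:20:00 192.0.2.44 heidi FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def detect_credential_stuffing(log_text, window_seconds=60,
                               min_distinct_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for every source
    that tried at least min_distinct_users different usernames inside some
    window of window_seconds with a success rate <= max_success_rate.
    Thresholds are assumed values; tune them to the application's traffic."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        window = deque()
        for ev in evs:
            window.append(ev)
            # Drop events that fell out of the trailing time window.
            while (ev[0] - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            users = {u for _, u, _ in window}
            successes = sum(1 for _, _, ok in window if ok)
            if (len(users) >= min_distinct_users
                    and successes / len(window) <= max_success_rate):
                prev = flagged.get(ip)
                # Report the widest spread of usernames seen for this source.
                if prev is None or len(users) > prev[0]:
                    flagged[ip] = (len(users), len(window), successes)
    return flagged


if __name__ == "__main__":
    for ip, (users, attempts, ok) in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} distinct users, {attempts} attempts, {ok} successes")
```

The one SUCCESS inside a flagged burst is the account the attacker actually gained, so the response action belongs there: revoke its sessions and force a credential reset, rather than only blocking the source IP, which stuffing tools rotate freely.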
More than 2,000 Magento online stores were hacked over the weekend in what security researchers have described as the “largest campaign ever.” The attacks were a typical Magecart scheme: hackers breached the sites and planted malicious scripts inside the stores’ source code, scripts that logged the payment card details shoppers entered into checkout forms. “On Friday, 10 stores got infected, then 1,058 on Saturday, 603 on Sunday and 233 today,” said Willem de Groot, founder of Sanguine Security (SanSec).
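A skimmer planted in a store's templates is, from the store operator's side, a script the page has never served before: either an inline block that is not in the known-good build, or a tag loading from a host the store never approved. The following is an added example, not SanSec's scanner or anything from the roundup: a script-inventory audit that parses a checkout page and reports every `<script>` outside a baseline of approved hosts and inline-script hashes. The page, hosts and the stand-in "injected" scripts are constructed; the baseline format is assumed.

```python
"""Added example (not from the roundup): audit the <script> inventory of a
checkout page against a known-good baseline to surface Magecart-style
injections."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None  # src of the open <script>, "" for inline
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = dict(attrs).get("src") or ""
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so this captures
        # the inline source verbatim.
        if self._current is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append((self._current, "".join(self._buf)))
            self._current = None


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_scripts(html, allowed_hosts, allowed_inline_hashes):
    """Return a list of (finding, detail) tuples, in page order, for every
    external script whose host is not in allowed_hosts and every inline
    script whose SHA-256 is not in allowed_inline_hashes."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src:
            host = urlparse(src).netloc
            if host not in allowed_hosts:
                findings.append(("external-script-unknown-host", src))
        else:
            digest = sha256_hex(body.strip())
            if digest not in allowed_inline_hashes:
                findings.append(("inline-script-not-in-baseline", digest))
    return findings


# Constructed baseline: what a clean deployment of the hypothetical store serves.
KNOWN_GOOD_INLINE = "window.storeConfig = {currency: 'USD'};"
BASELINE_HOSTS = {"www.example-store.invalid", "cdn.example-store.invalid"}
BASELINE_INLINE_HASHES = {sha256_hex(KNOWN_GOOD_INLINE)}

# Constructed page: the first two scripts match the baseline; the last two
# are harmless stand-ins for an injected skimmer and its loader.
SAMPLE_PAGE = f"""<html><head>
<script src="https://cdn.example-store.invalid/checkout.js"></script>
<script>{KNOWN_GOOD_INLINE}</script>
<script>/* injected */ document.title = document.title;</script>
<script src="https://stats.unrelated-host.invalid/loader.js"></script>
</head><body><form id="checkout"></form></body></html>"""


if __name__ == "__main__":
    for finding, detail in audit_scripts(SAMPLE_PAGE, BASELINE_HOSTS,
                                         BASELINE_INLINE_HASHES):
        print(finding, detail)
```

The baseline should be generated from the build artefact, not from the live site, so that a compromise already present in production does not get enrolled as "known good"; running the audit after every deployment and on a schedule turns it into a simple integrity monitor. A `Content-Security-Policy` `script-src` allowlist and `integrity` attributes on external scripts complement it by blocking, rather than merely reporting, unexpected script sources.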
A court hearing on election security in America failed in its own security efforts – when it was zoombombed with porn, swastikas and images of the World Trade Center attacks. The public hearing in an Atlanta federal district court on Friday had approximately 100 people on a Zoom conference call before it was taken over by a participant named Osama who shared his screen and showed offensive images complete with music. At least one other person did the same. The images were particularly offensive as the hearing itself was being held on the anniversary of the September 11, 2001 attacks.
A National Health Service (NHS) Trust revealed that it had mistakenly uploaded the personal information of over 18,000 people who had previously tested positive for coronavirus disease 2019 (COVID-19). On September 14, Public Health Wales announced in a web statement that the data breach had occurred back on the afternoon of August 30, 2020. This notice explained that the personal information of 18,105 Welsh residents who had tested positive for COVID-19 had ended up on a public server as the result of human error.
Giant office retail company Staples informed some of its customers that data related to their orders had been accessed without authorization. Few details are available at the moment. The company has not disclosed the incident publicly and alerted affected customers individually over email. It is important to note that Staples’ main business is selling office supplies and related products through retail channels and business-to-business engagements.
Personal data on 24 million South Africans, wrongfully sold by Experian to a person it claimed had “pretended” to represent a “legitimate client”, is now not only circulating on the dark web – it’s also on clearweb file-sharing sites, according to reports. Despite assurances from Experian in August that it had obtained an Anton Piller court order to seize and destroy the data it haplessly passed on, 40 per cent of South Africa’s population is now living in the knowledge that any random bod browsing Swiss file-sharing site WeSendIt could have freely downloaded their personal data.
A US academic has revealed the existence of a 2.4-million-person database he says is compiled by a Chinese company known to supply intelligence, military, and security agencies. The academic alleges the purpose of the database is enabling overseas influence operations to be conducted against prominent or influential people outside China. That company is Shenzhen Zhenhua and the academic is Chris Balding, an associate professor at the Fulbright University Vietnam.
Round Up of Major Malware and Ransomware Incidents
On September 8, 2020 pro-Islamic State (ISIS) Telegram bots warned users not to click on a link if it is sent to them, saying it contained malware which, if clicked on, will reveal the user’s IP address and location. The URL of the link was shortened using an Iran-based site.
Round Up of Major Vulnerabilities and Patches
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available exploit code for CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors. Attackers could exploit this vulnerability to obtain domain administrator access.
Monday’s CISA advisory is a staunch reminder for federal government and private sector entities to apply patches for flaws in F5 BIG-IP devices, Citrix VPNs, Pulse Secure VPNs and Microsoft Exchange servers. The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.
About 70 members of the computer security community on Monday challenged US voting app maker Voatz’s effort to dictate the terms under which bug hunters can look for code flaws. Earlier this month, Massachusetts-based Voatz filed an amicus brief in Van Buren v. United States, a case being heard by the US Supreme Court that will determine the scope of the US Computer Fraud and Abuse Act (CFAA), a cybersecurity law long criticized for its ambiguity.
The National Cyber Security Centre (NCSC) in the U.K. has released a guideline to help companies implement a vulnerability disclosure process or improve it if one is already set up. Named “The Vulnerability Disclosure Toolkit,” the document underlines the need for organizations of all sizes to pave the road for an open posture toward responsible bug reporting and encourage it.
Researchers have disclosed four high-severity flaws in the Android version of TikTok that could have easily been exploited by a seemingly benign third-party Android app. If successful, an attacker could fully compromise the target’s TikTok account. The vulnerabilities were publicly disclosed on Friday, and all of the bugs have been patched in version 17.4.4 of the app. The flaws were disclosed as Oracle reportedly partners with TikTok while concerns in the U.S. over spying continue.