27 Security breaches Worldwide – Week 16, 2019
Be informed about the latest 27 Security breaches Worldwide, identified and reported publicly during Week 16, 2019. As these security-related breaches have a severe negative impact on any business, consider a security AUDIT to prevent any similar cases.
- More targeted ransomware called BitPaymer is described in this post.
- It came into a manufacturing company via a compromised admin account in February. Here is the event timeline. The analysis suggests that an IDS would help to identify the incursion. Account With Admin Privileges Abused to Install BitPaymer Ransomware via PsExec
- Lawyers are bringing various suits.
- Insurers are more frequently citing the “war exclusion” clause in their cyber insurance contracts, denying claims for events such as NotPetya under the justification that they were state-sponsored acts. Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.
- OneLogin suffered two breaches within a year.
- Here is the tale of how it owned up to its problems and recovered its customers’ trust. The company revealed the breach quickly, described the details of the attack and kept customers informed along the way. This could be used as a template for your own breach response playbook. How OneLogin responded to its breach and regained customer trust
- A growing concern for a new malware product called Scranos is described in this detailed report.
- It is a rootkit with spyware features that can steal a variety of browser credentials, online payment accounts, send phishing messages and a variety of other nasty things. Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation
- Russians have been spoofing nearby GPS locations to major shipping lanes, military installations, VIP residences and intelligence offices.
- In this encyclopedic 60-page report, the Center for Advanced Defense examines a variety of events that show their efforts are larger in scope and longer in duration than was previously suspected. Thousands of ship navigation systems have been affected. Exposing GPS Spoofing in Russia and Syria (pdf)
- Researchers have found a new variant of Netwire.
- It uses a time-tested ploy of fake DHL delivery notifications. It contains a whitelisted origin email address and stores its malware on OneDrive, which is usually allowed by anti-spam filters. Fake DHL Shipment Notification delivers Netwire Trojan
- If you are looking for a London flat on AirBnB, beware you might be looking at phishing pages that mimic the real website.
- Krebs has the details about several customers who ended up sending funds to criminals. He found more than 500 rental places listed on the site that were phony. ‘Land Lordz’ Service Powers Airbnb Scams
- There is a new type of polymorphic malware targeting premium publishers.
- It has many different components, but begins with an infected pop-up warning to update your AV software. The malware is being labeled AfterShock-3PC AfterShock-3PC: Polymorphic malware attack on 200+ premium publishers
- Asian targets are being hit with a potent new malware based on the NSA’s EternalBlue exploit.
- The code creates a hidden Monero cryptominer, installs Mimikatz and other Trojans on the affected PCs. Its operation is dissected further in this post. Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse
- For the past nine years, three Romanian hackers ran a botnet that drove a massive online fraud enterprise netting more than $10M.
- The group, called Bayrob, was arrested in 2016 and are finally going to prison this summer over dozens of charges. You can see the relationship among the trio in this infographic here, and read more about their exploits and how they were caught in this post. The Bayrob malware gang’s rise and fall
- Microsoft confirmed that for the first three months this year, a hacker compromised one of their support agent’s accounts.
- This means user account data could have been accessed and compromised. Microsoft: Hackers compromised support agent’s credentials to access customer email accounts
- This means user account data could have been accessed and compromised. Microsoft: Hackers compromised support agent’s credentials to access customer email accounts
- Major VPN vendors have been found to be at risk leaking private data.
- The issue is how they store session cookies in log files or memory locations. Palo Alto Networks Global Protect, Cisco AnyConnect and Pulse Secure Connect are at list. Only Palo Alto has fixed their code and users should upgrade to v.4.1.1 asap. VPN applications insecurely store session cookies
Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
Discover trending and viral stories about Security breaches Worldwide. The remaining Security breaches made news headlines. All these happened just in last week.
- This vendor has pulled some interesting endpoint security trends from its own network telemetry of millions of monitored devices around the world.
- The average endpoint is running ten different security agents, but still, about a third of them are unprotected due to outdated or absent protection software. Key insights on data security threats from a global study of six million devices.
- A new variant of the CryptoMix ransomware has been detected.
- It looks for unprotected remote desktop servers and uses a .DLL extension for its encrypted files. DLL Cryptomix Ransomware Variant Installed Via Remote Desktop
- The source who calls itself Lab Dookhtegan used a Telegram channel to dump information about the OilRig hacking group.
- Included were details on the group’s infrastructure, hacking tools, personal details about its members, and account details of some of its victims. The information could be used to discredit their activities. Source code of Iranian cyber-espionage tools leaked on Telegram
- The latest quarterly threat report from Proofpoint’s network telemetry is available now.
- Both fake social media tech support scams (see item #8 below) and web-based attacks using social engineering saw a huge jump from last year. PROTECTING PEOPLE – A Quarterly Analysis of Highly Targeted Cyber Attacks
- Facebook has revealed that it collected another 1.5M users’ contact details this week.
- This was a correction in the number of Instagram users’ data that was previously announced to be in the thousands. The actual number of private data could be at least an order of magnitude higher, since each user’s complete contacts were collected. Facebook said the collection was unintentional and it will delete the data. Facebook says it ‘unintentionally uploaded’ 1.5 million people’s email contacts without their consent
- MITM attacks are hard to detect when they leverage embedded browsers in apps.
- The result is that bad actors can intercept your login credentials, which is typical the start of a phishing ploy. Google has announced they will block this path to prevent these kinds of compromises beginning in June. It recommends that app developers switch to browser-based OAuth authentication methods in the near future. Better protection against Man in the Middle phishing attacks
- The Weather Channel was hit by a ransomware attack that took its live broadcast offline for more than an hour yesterday.
- The company confirmed the attack but fortunately was able to restore systems from backups and resume live broadcasts. The FBI is investigating, and details are still scarce. Ransomware attack knocks Weather Channel off the Air
- Security firm Verint was hit with a ransomware attack in its Israel offices.
- The company provides managed security services to many of the world’s largest corporations. FireEye’s Mandiant incident response team is working on finding the origins. Cyber-security firm Verint hit by ransomware
- A new malware-based advertising campaign is targeting iOS users and called eGobbler.
- It uses the .WORLD domains for their landing pages and hijacks user sessions via Jscript. It can get around sandboxing techniques. Massive eGobbler Malvertising Campaign Leverages Chrome Vulnerability To Target iOS Users
- Here is a new ransomware attack method called MegaLocker or NamPoHyu.
- It uses cloud servers to remotely encrypt Samba file shares, leaving no residue on locally compromised PCs. It is using brute force password stuffing. There are more than half a million publicly available Samba servers, so they have a rich target surface. ‘NamPoHyu Virus’ Ransomware Targets Remote Samba Servers
- Based on their own network telemetry, bad bots accounted for one-fifth of all internet traffic in 2018.
- Finserv and ticketing sectors were the most often targeted, and half of the bot traffic is from the US. While bot traffic is slightly down, they continue to be a threat in numerous areas. Bad Bot Report 2019: The Bot Arms Race Continues (pdf)
- The OilRig hacking group uses DNS tunneling to communicate with its command servers.
- They rely on hard-coded IP addresses for data transfer and add data to the various DNS A and TXT records. It is a useful analysis that every security analyst should study carefully to prevent these attacks in the future. DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
- State-sponsored attacks are hijacking root DNS servers with increasing frequency, according to researchers.
- A total of 40 different entities, mainly Middle Eastern government security agencies and energy producers, were compromised by what is being called the “Sea Turtle” campaign. DNS Hijacking Abuses Trust In Core Internet Service
- Breach is at Chipotle, which hasn’t yet been fully acknowledged by the company.
- Customers have posted on Reddit and Twitter, figuring it out thanks to some of them reporting password reuse. Chipotle says it could be the result of password stuffing, but that is questionable. It has no plans to roll out MFA requirements, however. Chipotle customers are saying their accounts have been hacked
- The latest spear phishing attacks targeting the Ukraine government are analyzed here.
- The contents of the messages are about mining equipment and has been linked to five years of previous attacks. The latest round is using infected .LNK files. Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People’s Republic
Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!
