Nicholas Fabrizio says
Title: Office Depot Configuration Error Exposes One Million Records
URL: https://www.infosecurity-magazine.com/news/office-depot-configuration-error/
Office Depot is a popular office supplies store that conducts business internationally and one of their Elasticsearch servers had a misconfiguration that was exposing 974,000 database records. This exposed database was determined to be from Office Depot Europe and it did not have any password protection. The discovery was made by a research team called Website Planet who disclosed the issue to Office Depot on March 3rd. The database may have been exposed for up to 10 days, but Office Depot corrected the issue within a few hours of notification. The database contained customer names, phone numbers, home/office addresses, order history, and hashed passwords. The article mentioned this information is valuable for an attacker because they could contact the customer and be able to provide information that only Office Depot would know such as order history and then try to obtain their credit card information.
Jonathan Mettus says
FBI arrests man for plan to kill “70% of Internet” in AWS bomb attack
A 28-year-old man from Texas was recently arrested for an alleged plot to bomb an Amazon Web Services data center in Ashburn, Virginia. According to text messages obtained by the FBI, Seth Aaron Pendley was planning to “kill off about 70% of the internet.” The FBI found out about the plot after the man made posts on the MyMilitia website and another source shared private messages about the plot with the FBI.
He was planning to use C-4 plastic explosives and “drive a bomb into these servers lol.” Pendley had a handmade map of the AWS data center. He was arrested after buying fake explosives from an undercover FBI agent.
https://www.bleepingcomputer.com/news/security/fbi-arrests-man-for-plan-to-kill-70-percent-of-internet-in-aws-bomb-attack/
Christopher Clayton says
Fresh Cyberattack Waves and Latest Statistics on COVID-19
Cybercriminals are using malicious tactics to lure people into a COVID-19 vaccination scheme. Reported attacks include one in the form of a Microsoft Excel document that carries a malicious link encouraging recipients to run a Visual Basic for Applications (VBA) command, which allows hackers to attempt a hijacking attack. Another is a spear-phishing attack that goes after businesses that deliver vaccines for the pandemic. With these attacks starting to come out, the public should be cautious in determining what is fact and what is inaccurate information.
https://cyware.com/news/fresh-cyberattack-waves-and-latest-statistics-on-covid-19-64cdfab7
To-Yin Cheng says
Data from 500M LinkedIn Users Posted for Sale Online
https://threatpost.com/data-500m-linkedin-users-online/165329/
The hackers posted a profile on a popular hacker forum that they said contained data including LinkedIn ID, full name, professional title, email address, phone number, and other personally identifiable information (PII). The report said the data set also includes links to LinkedIn profiles and other social media profiles. It has not suffered a data leak in which hackers hacked into the company’s internal database to steal information. The bad actors grabbed data from LinkedIn’s public-facing services. Scraping is a common strategy used by threat actors to steal public information from the Internet, which can then be sold online for profit and reused for malicious activities. The collected data is often reused to create social network phishing attacks, carry out identity theft, violent credential or spam victims’ accounts, and other evil activities.
Lakshmi Surujnauth says
“623M Payment Cards Stolen from Cybercrime Forum”
Hackers have hacked rival “card shop” Swarmshop, stealing its entire database of stolen payment card data and leaking it online. It is reported that 623,036 payment records from card issuers in Brazil, Canada, China, Mexico, France, Saudi Arabia, Singapore, and the UK were stolen, with the US representing 63% of the stolen data. While the root cause of the incident has not yet been fully determined, records indicate that two card shop users injected a malicious script searching for website vulnerabilities. This incident further underscores the importance of cybersecurity, be it for corporations, individuals, or hackers themselves.
https://threatpost.com/623m-payment-cards-stolen-from-cybercrime-forum/165336/
Mitchell Dulaney says
“Zero-Day Bug Impacts Problem-Plagued Cisco SOHO Routers”
Three wireless routers and a VPN firewall device, produced by Cisco and targeted at small businesses, are vulnerable to a newly discovered buffer overflow attack that can be used to gain root access to the devices. The vulnerability is a result of insecure validation of input to the administrative web interfaces of the routers and firewall, and can be exploited via bad HTTP requests sent to the devices.
Since the devices have already been deemed end-of-life by Cisco, they have not received any security patches for some time and this particular vulnerability will not be patched. Since the vulnerability is rated at a severity of 9.8 out of 10, it is imperative that the hardware be replaced as soon as possible by any small businesses that rely on these devices.
https://threatpost.com/zero-day-bug-soho-routers/165321/
Megan Hall says
Hunting the Hunters: How Russian Hackers Targeted US Cyber First Responders in SolarWinds Breach.
https://www.google.com/amp/s/amp.cnn.com/cnn/2021/04/02/politics/russian-hackers-target-us-cyber-hunters-solarwinds/index.html
This article talks about Russian hackers going after specific email accounts of Department of Homeland Security employees as part of the SolarWinds breach. The article explains that the hackers’ attempt to access the email of very specific employees who were expected to work on the SolarWinds breach once it was discovered shows sophistication. It also shows they had some way to prioritize who they attempted to go after, rather than just a blanket attempt at any DHS users’ emails. They were apparently unsuccessful at these specific targets but did infiltrate 30 email accounts, including those of former acting secretary Chad Wolf and former DHS CIO Karen Evans. The hackers did not impact any operations or do anything particularly disruptive with the access. It’s unknown if that is because they were detected and stopped in time or whether the infiltration was part of a bigger plan we have not seen unveiled yet.
Elias Harake says
According to NPR, Facebook suffered a cyber attack in August 2019 and has decided not to notify over 530 million of its users whose personal data were exposed during the data breach. The article below states that personally identifiable information (PII) of about 530 million users (phone numbers, names, email addresses, and locations) was exposed. Facebook has stated that the company found the coding error and fixed the issue that same month, in August 2019. However, in the past few weeks the social media company has stated, “We don’t currently have plans to notify users individually.” The reason given for not notifying victimized users: “He also said that in deciding whether to notify users, Facebook weighed the fact that the information was publicly available and that it was not an issue that users could fix themselves.” Luckily, the hacked information did not include financial information, health information, passwords, or social security numbers.
https://www.npr.org/2021/04/09/986005820/after-data-breach-exposes-530-million-facebook-says-it-will-not-notify-users
Quynh Nguyen says
Popular collaboration and chat apps Discord and Slack have been attacked and used to deliver remote-access trojans (RATs) and other malware to users. This malware is delivered to steal users’ information by getting them to click on and download malicious attachments. The researchers explained that Slack, Discord, and other collaboration app platforms use content delivery networks (CDNs) to store the files shared back and forth within channels. As an example, Talos uses the Discord CDN, which is accessible by a hardcoded CDN URL from anywhere, by anyone on the internet. Files can be uploaded to Slack, and users can create external links that allow the files to be accessed, regardless of whether the recipient even has Slack installed. Hackers get users to click on a malicious link; then, once it gets past security detection, users think it’s a legitimate business tool.
https://threatpost.com/attackers-discord-slack-malware/165295/
Wei Liu says
SAP Bugs Under Active Cyberattack, Causing Widespread Compromise
This article states that active cyberattacks on known vulnerabilities in SAP systems could lead to full control of unsecured SAP applications. The consequences of the attack include theft of sensitive data, financial fraud, disruption of mission-critical business processes and other operational disruptions, and delivery of ransomware and other malware. The article also recommends that the main way to thwart these kinds of attacks is to patch the vulnerabilities and create unique passwords to disallow automated brute-force attempts to break in.
https://threatpost.com/sap-bugs-cyberattack-compromise/165265/
Panayiotis Laskaridis says
Federal watchdog investigating State Department cybersecurity practices
https://www.cnn.com/2021/04/08/politics/watchdog-state-department-cybersecurity/index.html
The article talks about how a federal watchdog has sounded the alarm on cyber practices that happen in dozens of US agencies. The news comes in light of the SolarWinds cyber attack. The Government Accountability Office has an ongoing audit of the State Department, but it has been taking longer for the department to provide the GAO with the necessary information. The article then goes on to talk about the steps the Biden administration has taken in an attempt to take a more serious approach to cybersecurity in government agencies.
Xiduo Liu says
An article published on ZDNet on April 7th reported on a Facebook data breach due to scraping. The article reported that about 553 million Facebook users’ data has been posted online. This data includes Facebook IDs, names, date of birth, gender, location, and relationship status.
The scraping was made possible by Facebook’s own contact importer functionality. Prior to September 2019, it allowed users to upload a large set of phone numbers to see which ones matched Facebook users. This also allowed users to query a set of user profiles and obtain some level of information about those users included in their public profiles. This option has been updated since then and future scraping possibilities are eliminated. However, any data scraped prior to this change is now available. You can always check and see if your email or phone number is involved in any data breaches here: https://haveibeenpwned.com/ You can read more here: https://www.zdnet.com/article/facebook-scraping-led-to-data-of-553m-users-leaked-online-how-to-see-if-you-are-impacted/
Christa Giordano says
Azure Functions Weakness Allows Privilege Escalation
A bug known as the “royal flush” allows attackers to write files in Microsoft’s Azure Functions cloud container. Intezer researchers discovered that the containers run with the “privileged Docker flag, which means that device files in the /dev directory can be shared between the Docker host and the container guest” and these files have elevated read/write permissions for “others.” This could be an issue if an attacker that already has access as a low-privilege user exploits the vulnerability to escalate privileges, potentially all the way to root. It is important to note that the bug is not a direct Docker escape vulnerability; however, the attacker could escape to the Docker host using various Docker escape techniques, and per Ari Eitan, the Vice President of research, “merging those two together is a great power for attackers.” Upon learning of this vulnerability from Intezer, the Microsoft Security Response Center (MSRC) performed their own analysis and concluded that there is no security impact to users and thus there will be no patch issued. Intezer believes otherwise, which is why it released the information, including the proof-of-concept exploit code. Microsoft did not respond to a request for comment on the article.
https://threatpost.com/azure-functions-privilege-escalation/165307/
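An added defender-side audit for the two conditions the summary above describes (a container started with the privileged flag, and device nodes under /dev that are writable by “others”). This is my example, not Intezer’s proof of concept or any Microsoft code; the `docker inspect` field, the CapEff parsing, the allowlist of pseudo-devices that are world-writable by design, and the sample listings are my assumptions, not details from the article.

```python
import json
import os
import stat
from dataclasses import dataclass

CAP_SYS_ADMIN = 21  # bit number from <linux/capability.h>

# Pseudo-devices that are 0666 on every Linux system by design; excluding them
# keeps the report to unexpected nodes. (Assumption: allowlist is mine.)
EXPECTED_WORLD_WRITABLE = {"null", "zero", "full", "random", "urandom", "tty", "ptmx"}


@dataclass(frozen=True)
class DevEntry:
    path: str
    mode: int  # st_mode bits as returned by os.lstat()


def is_device(mode: int) -> bool:
    """True for character or block device nodes."""
    return stat.S_ISCHR(mode) or stat.S_ISBLK(mode)


def world_writable_devices(entries):
    """Device nodes whose 'others' permission bits include write, i.e. the
    /dev condition quoted in the article. Returns sorted paths."""
    hits = []
    for e in entries:
        if not is_device(e.mode):
            continue  # regular files and symlinks are out of scope
        if os.path.basename(e.path) in EXPECTED_WORLD_WRITABLE:
            continue
        if e.mode & stat.S_IWOTH:
            hits.append(e.path)
    return sorted(hits)


def scan_dev(root="/dev"):
    """Walk a real /dev tree and collect (path, mode) pairs for auditing."""
    found = []
    for dirpath, _dirs, files in os.walk(root):  # device nodes appear in `files`
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                found.append(DevEntry(p, os.lstat(p).st_mode))
            except OSError:
                continue  # node vanished or unreadable; skip it
    return found


def privileged_containers(inspect_json: str):
    """Names of containers whose HostConfig.Privileged is true, read from the
    JSON list that `docker inspect` prints."""
    return [c.get("Name", "<unnamed>") for c in json.loads(inspect_json)
            if c.get("HostConfig", {}).get("Privileged") is True]


def has_cap_sys_admin(proc_status: str) -> bool:
    """Parse the CapEff line of /proc/<pid>/status. A privileged container gets
    the full capability set, so CAP_SYS_ADMIN being effective is a quick
    in-container hint that the privileged flag was used."""
    for line in proc_status.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return bool((mask >> CAP_SYS_ADMIN) & 1)
    return False


# Constructed sample inputs (not data from the article) for offline use.
SAMPLE_DEV = [
    DevEntry("/dev/null", stat.S_IFCHR | 0o666),       # allowlisted by design
    DevEntry("/dev/sda", stat.S_IFBLK | 0o660),        # device, not other-writable
    DevEntry("/dev/sdb", stat.S_IFBLK | 0o666),        # host disk, rw for others
    DevEntry("/dev/mem", stat.S_IFCHR | 0o666),        # physical memory, rw for others
    DevEntry("/dev/shm/cache", stat.S_IFREG | 0o666),  # regular file, ignored
]
SAMPLE_INSPECT = json.dumps([
    {"Name": "/func-app", "HostConfig": {"Privileged": True}},
    {"Name": "/sidecar", "HostConfig": {"Privileged": False}},
])
SAMPLE_STATUS_PRIV = "Name:\tpython3\nCapEff:\t0000003fffffffff\n"
SAMPLE_STATUS_DEFAULT = "Name:\tpython3\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    print("privileged (sample):", privileged_containers(SAMPLE_INSPECT))
    print("world-writable devices (sample):", world_writable_devices(SAMPLE_DEV))
    print("world-writable devices (live):", world_writable_devices(scan_dev()))
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as f:
            print("CAP_SYS_ADMIN effective:", has_cap_sys_admin(f.read()))
```

Run it inside the container you want to audit for the live checks; feed it `docker inspect` output from the host for the privileged-flag check.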
Ashleigh Williams says
1.3M Clubhouse Users’ Data Dumped in Hacker Forum for Free
This article talks about how a new start-up social media app was breached. A SQL file containing the personal data of 1.3 million Clubhouse users has been posted in a hacker forum for free. The article states the file included names, user IDs, photo URLs, number of followers, Twitter and Instagram handles, dates that accounts were created, and even the profile information of who invited them to the app. The article states this gives threat actors key information which can be used against victims in phishing and other socially engineered scams. The interesting thing is the app is denying a breach ever occurred, as are similar social media platforms where this has occurred. I’d be interested to see how this unfolds.
https://threatpost.com/clubhouse-users-data-hacker-forum/165354/
Charlie Corrao says
61 percent of employees fail basic cybersecurity quiz
A recent survey was completed assessing how prepared employees from different industries are for cyber attacks. Of the respondents who work in IT, only 17% passed a basic quiz on cybersecurity preparedness, with (surprisingly) the 18-24 demographic performing the worst. Healthcare workers did much better, with 67% passing the quiz. These numbers are shocking, as I would have expected IT employees to perform much better. This was only a sample of 1200 employees, but it shows why cybersecurity training is so important. Employees need to be exposed to engaging training that shows why cybersecurity is such a serious issue.
https://www.scmagazine.com/home/security-news/61-percent-of-employees-fail-basic-cybersecurity-quiz/
Michael Doherty says
A new invite-only chat app, Clubhouse, has denied that it has been hacked. The article states:
“Names, user IDs, photo URL, number of followers, Twitter and Instagram handles, dates that accounts were created and even the profile information of who invited them to the app are among the information contained in the database, according to CyberNews, giving threat actors key information which can be used against victims in phishing and other socially engineered scams.”
Clubhouse stated on Twitter in response to CyberThreat:
“This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API.”
I found it surprising that Clubhouse would say that the information cited is public information. It seems to be a lot of data that could be used for social engineering.
The article continues and suggests that social media companies should use better APIs to protect the information.
https://threatpost.com/clubhouse-users-data-hacker-forum/165354/