
PATREON SECURITY NEWSLETTER - Week of August 26, 2019

Support me on alternative platforms! https://snubsie.com/support

https://www.youtube.com/shannonmorse --  subscribe to my new channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire 

Hy-Vee:

Compromised gas pumps, coffee shops, and restaurants operated by Hy-Vee allowed an attacker to steal 5.3 million cardholder accounts from 35 US states. Hy-Vee announced the data breach August 14 and said their grocery stores and pharmacies weren’t affected. The account data was being sold on an online black market called Joker’s Stash for prices ranging from $17 to $35 per record. Hy-Vee has not disclosed how long the attacker had access.

https://krebsonsecurity.com/2019/08/breach-at-hy-vee-supermarket-chain-tied-to-sale-of-5m-stolen-credit-debit-cards/

https://www.zdnet.com/article/data-stolen-from-hy-vee-customers-offered-for-sale-on-jokers-stash-dark-web-trading-post/

Via Johnny on Discord!

Lenovo bug found:

Lenovo’s Solution Centre software has another flaw allowing for privilege escalation attacks, which could give an attacker admin privileges. Pen Test Partners found the flaw and a CVE was assigned. Lenovo recommends users upgrade to Lenovo Vantage, a newer version of the software. Affected computers were likely manufactured from 2011 to 2018, though recently sold machines could be affected as well if they were 2018 models.

https://threatpost.com/bug-found-in-pre-installed-software/147657/

https://www.laptopmag.com/articles/lenovo-solution-center-vulnerability

Silence APT targets banking sites:

Russian cybercriminal group Silence APT is targeting banks in America, Europe, Africa, and Asia - 30 countries worldwide in total. They recently succeeded in targeting a bank in Bangladesh, where they stole $3 million using ATM cash withdrawals. The group has changed their tactics, techniques, and procedures, allowing them to target a much wider set of banks, with total losses being closer to $4.2 million.

https://thehackernews.com/2019/08/silence-apt-russian-hackers.html

Google and more block Kazakhstan Cert:

Google, Apple, and Mozilla have joined forces to try to protect Kazakhstan users from government surveillance by blocking the government’s root CA certificate. Local ISPs in the country have been forcing users to install the government root certificate on their devices to access the internet, but this cert allows the ISPs to intercept, monitor, and decrypt HTTPS and TLS traffic - thereby allowing the government to spy on citizens or censor content.

https://thehackernews.com/2019/08/kazakhstan-root-certificate.html

https://arstechnica.com/tech-policy/2019/08/chrome-firefox-and-safari-updated-to-block-kazakhstan-government-spying/

Privacy Sandbox:

Privacy Sandbox is a new Google initiative that they’re hoping can enhance privacy on the web by offering a consistent standard that users could expect with regards to privacy in browsers. They propose that instead of using personally identifiable information for ads, browsers should track by category, target interests without targeting specific users, and detect fraudulent activity.

https://thehackernews.com/2019/08/google-privacy-sandbox-ads.html

https://threatpost.com/google-launches-open-source-browser-extension-for-ad-transparency/147634/

VPNs targeted in attacks:

Attackers are actively trying to steal encryption keys, passwords, and other data from servers that have not been updated to fix bugs in two VPN products: Fortigate SSL VPN, running on 480,000 servers, and Pulse Secure SSL VPN, running on 50,000 servers. Updates for both were available in the spring of this year, but many servers were never updated. Endpoints for these VPNs belong to government agencies, public universities, hospitals, banks and more.

https://arstechnica.com/information-technology/2019/08/hackers-are-actively-trying-to-steal-passwords-from-two-widely-used-vpns/

Crown Sterling:

Crown Sterling, the company behind a new cryptocurrency and encryption technique, is suing Black Hat because, they allege, the convention didn’t do enough to uphold their sponsorship agreement. During a talk given by Crown Sterling’s CEO at Black Hat, the CEO was booed and heckled by audience members who considered the cryptography technique to be snake oil and disputed the claims made by the CEO.

https://arstechnica.com/information-technology/2019/08/company-accused-of-crypto-snake-oil-sues-black-hat-anonymous-detractors/

https://www.cyberscoop.com/crown-sterling-black-hat-lawsuit/

Badgelife:

Just plain cool. This is the story behind the DEF CON 27 badge. Personally, I love this badge because I’m a crystal collector (no seriously, I have a rock collection). 

https://arstechnica.com/information-technology/2019/08/badge-life-the-story-behind-defcons-hackable-crystal-electronic-badge/

Microsoft listens to Xbox:

According to a Vice report, Microsoft’s contractors listened to recordings from the Cortana voice control features on Xbox. Microsoft specifically noted that the voice recordings were “short snippets,” including Skype and virtual assistant Cortana recordings. This voice data collection ended several months ago.

https://www.cnet.com/news/microsofts-contractors-listened-in-on-xbox-users-report-says/

Moviepass CCs exposed:

Moviepass left customers’ card numbers and credit card details exposed in a database. 160 million records were affected, and according to Moviepass, the server was secured as soon as it found the vulnerability. According to TechCrunch, the data was left unsecured until journalists reached out to the company about the exposure.

https://www.cnet.com/news/moviepass-reportedly-left-customers-credit-cards-exposed-online/

Ring and Police:

Ring’s partnership with police has been kept fairly secret from the public. Ring declines to share data about how many partnerships it has and where those partnerships are located, but advocates have created a map detailing this data (linked in the article). Other details, like the Neighbors Portal back-end features, heat map, etc., are also not to be shared with the public. Freedom of Information Act requests have made some of this information available.

https://www.cnet.com/news/amazon-ring-wants-police-to-keep-these-surveillance-details-from-you/

Linux / Unix backdoors:

A zero-day vulnerability in a Unix administration tool called Webmin actually seems to have been planted there on purpose as a backdoor. It was available for attackers’ use for at least a year before being discovered during DEF CON.

https://threatpost.com/backdoor-found-in-utility-for-linux/147581/

WordPress:

WordPress has started to notify some users of an ongoing campaign that exploits vulnerabilities in a few WordPress plugins. These include Simple 301 Redirects - Addon - Bulk Uploader and others developed by NicDark aka Endreww. All of the plugins have been updated to resolve the issues.

https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/

China hackers target healthcare:

FireEye has identified numerous hacks orchestrated by Chinese hackers against the healthcare industry.

https://www.wired.co.uk/article/china-hackers-medical-data-cancer

Cambridge Analytica:

According to newly released emails, Facebook employees knew about Cambridge Analytica more than two years before the news broke about its data collection. The employees at the time, dating back to September of 2015, debated whether or not data collection by Cambridge Analytica violated Facebook’s rules. About an hour after NBC broke this news, Facebook came forward and publicized it as well.

https://www.businessinsider.com/facebook-emails-show-workers-knew-cambridge-analytica-2015-2019-8

https://www.theverge.com/2019/8/23/20829603/facebook-cambridge-analytica-email-complaints-months-earlier-claim-september-2015

Voting systems left online:

Several key swing states, including Wisconsin, Michigan, and Florida, have kept their voting machines connected to the internet, making them vulnerable to hacking.

https://www.vice.com/en_us/article/ywadeb/american-voting-systems-were-left-online

Hostinger:

Hostinger, a major hosting provider on the web, disclosed a security incident affecting 14 million customers. Data included usernames, IP addresses, first and last names, and contact info including phone numbers, email addresses, and home addresses. All of this was stored on an internal server. User passwords were also stored on this server, but those were encrypted and hashed. Hostinger is forcing password resets for its users.

https://www.zdnet.com/article/hostinger-resets-customer-passwords-after-security-incident/

Capital One:

The Capital One hacker has been denied release and will remain in jail. The hacker has a history of mental health problems and as such, her lawyer hoped to have her moved to a halfway house with GPS monitoring. The prosecutor denied this, stating that she was a threat to herself and others.

https://www.zdnet.com/article/capital-one-hacker-denied-release-will-remain-in-jail/

Hong Kong & Telegram:

Software engineers in Hong Kong have warned users who are active in the protests not to use Telegram, since the app could allow a third party, such as the Chinese government or intelligence agencies, to obtain phone numbers and track down the protesters’ real-world identities. The app plays a major role in the protests, as it allows gatherings to be organized using encrypted, anonymous group chats. Unfortunately, even when Telegram’s phone number sharing is set to “nobody,” a bug still exposes that data. Users are advised to use burner SIMs. According to Telegram, this works the way it should, as users who already have your number can still see it on Telegram.

https://www.zdnet.com/article/hong-kong-protesters-warn-of-telegram-feature-that-can-disclose-their-identities/

Bug bounty for Chromium Edge:

Microsoft’s Chromium-based Edge browser now has a top bug bounty reward of $30,000, reserved for the most critical bugs. These include privilege escalation flaws and container escapes.

https://www.zdnet.com/article/microsoft-launches-bug-bounty-for-new-chromium-edge-browser-with-30000-top-reward/

BEC email scam takedown:

80 individuals have been charged with multiple counts in relation to a massive Business Email Compromise (BEC) scam along with a “romance scam network.” The indictment, unsealed on Thursday last week, lists 252 counts against the defendants. The defendants had conspired to steal millions of dollars through fraud schemes and money laundering. Several arrests have already happened in the US, with many more to come. The group is Nigeria-based, so several suspects are overseas.

https://www.zdnet.com/article/80-suspects-arrested-in-massive-business-email-scam-takedown/

https://www.cyberscoop.com/blockbuster-indictment-80-fraud-suspects-details-complex-global-scam-operation/

G Cal spam:

Google Calendar spam has seen a massive spike. If you’ve noticed spam on your calendar, you can combat it with the steps listed in this article.

https://www.theverge.com/2019/8/23/20829615/google-calendar-spam-events-sharing-email-how-to-stop
