Nightfall Weekly InfoSec Roundup: July 16 to July 22

Cyber Attacks & Breaches

• In systemic breach, hackers steal millions of Bulgarians' financial data
  (Reuters) July 16th
  Bulgaria’s finance minister apologized to the country after admitting hackers had stolen millions of taxpayers’ financial data in an attack that one researcher said may have compromised nearly every adult’s personal records.
• Data dump suggests that Evite data breach affected 100M accounts
  (SC Magazine) July 17th
  A new addition to the data breach reference website “Have I Been Pwned?” seemingly reveals that more than 100 million accounts were compromised in this year’s data breach of the event-planning service Evite.
• Telecoms Giant Sprint Suffers Data Breach via Samsung Website
  (isBuzz News) July 17th
  It has been reported that American telecommunications provider Sprint has suffered a data breach, telling customers that hackers broke into their accounts through a Samsung website. The company said it re-secured all compromised accounts by resetting PIN codes.
• Ministry of Civil Service of Taiwan suffered from data breach
  (SPAMfighter) July 18th
  The civil service system of Taiwan reported an incident of an information security breach where personal information of more than 240,000 civil servants was compromised. The data from the information breached has been made available on foreign websites.
• Clinical Pathology Laboratories alerts 2.2 million patients of data breach
  (Beckers Hospital Review) July 18th
  Clinical Pathology Laboratories began notifying 2.2 million patients that their personal health information may have been exposed in a vendor data breach. The information affected included names, addresses, phone numbers, dates of birth, dates of service, balance information, credit card or banking information and treatment provider information.
• Slack resets user passwords after 2015 data breach
  (Tech Crunch) July 18th
  In 2015, Slack said it was hit by hackers who gained access to its user profile database, including their scrambled passwords. But the hackers inserted code that scraped the user’s plaintext password as it was entered by users at the time.
• QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack
  (Krebs on Security) July 19th
  Cloud hosting provider iNSYNQ says it is trying to recover from a ransomware attack that shut down its network and has left customers unable to access their accounting data. Unfortunately, the company appears to be turning a deaf ear to the increasingly anxious cries from its users.
• Russia's Secret Intelligence Agency Hacked: 'Largest Data Breach In Its History'
  (Forbes) July 20th
  The hackers managed to steal 7.5 terabytes of data from a major contractor, exposing secret FSB projects to de-anonymize Tor browsing, scrape social media, and help the state split its internet off from the rest of the world. The data was passed to mainstream media outlets for publishing.
• Exchange QuickBit Confirms Data Breach May Impact 300K Users
  (coindesk) July 22nd
  QuickBit, a Swedish cryptocurrency exchange listed on the NGM Nordic MTF market, allegedly leaked 300,000 customer records via an unprotected MongoDB database. The exchange confirmed the event in a series of updates on their investor relations board.

Vulnerabilities & Exploits

• Critical WordPress plugin flaw leaves 200,000 sites at risk
  (SC Magazine) July 16th
  A critical security flaw in a WordPress plugin allows threat actors to remotely execute PHP code. The vulnerability is found in the Ad Inserter plugin, a plugin that is currently installed in more than 200,000 sites, and stems from the use of the check_admin_referer() for authorization.
• Bluetooth Bug Enables Tracking on Windows 10, iOS & macOS Devices
  (Dark Reading) July 17th
  A team of Boston University researchers discovered a vulnerability in several Bluetooth devices that can make location and other sensitive data available to third parties. The vulnerability exists in devices running Windows 10, iOS, and MacOS, as well as Fitbit and Apple Watch.

• Cisco releases updates, one ‘Critical,’ two ‘High’ severity ratings
  (SC Magazine) July 18th
  Cisco released security updates for multiple products, some of which contain vulnerabilities that if exploited would allow an attacker to take control of an affected system.
• BlackBerry Cylance to rush out a fix for anti-virus bypass exploit
  (Computing) July 19th
  BlackBerry Cylance has acknowledged the threat posed by an exploit to its anti-virus software, and has pledged to rush-out a fix. However, users will have to wait a week before the hot-fix is available.
• Flaw allows attackers to alter media files sent via WhatsApp, Telegram, say researchers
  (SC Magazine) July 19th
  Researchers have reported a vulnerability in the Android versions of WhatsApp and Telegram that could allow malicious actors to manipulate media files sent via the apps. This flaw could allow attackers to alter photographs, modify invoices, swap out files, or potentially manipulate audio messages.
• ProFTPD Remote Code Execution Bug Exposes Over 1 Million Servers
  (BleepingComputer) July 22nd
  More than one million ProFTPD servers are vulnerable to remote code execution and information disclosure attacks that could be triggered after successful exploitation of an arbitrary file copy vulnerability.

Risks & Warnings

• EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users
  (The Hacker News) July 16th
  Security researchers have discovered a rare piece of Linux spyware that's currently fully undetected across all major antivirus security software products, and includes rarely seen functionalities with regards to most Linux malware.
• New Attack Lets Android Apps Capture Loudspeaker Data Without Any Permission
  (The Hacker News) July 10th
  Dubbed Spearphone, the newly demonstrated attack takes advantage of a hardware-based motion sensor, called an accelerometer, which comes built into most Android devices and can be unrestrictedly accessed by any app installed on a device even with zero permissions.
• Malware framework generates 1B fake ad impressions in 3 months
  (SC Magazine) July 17th
  Researchers have sniffed out a malware framework that targets major browsers installed on Windows machines and has generated more than 1 billion false Google AdSense impressions in the past three months alone.
• This strange new phishing attack uses a surprise bill to trick you into clicking
  (ZDNet) July 18th
  Banks and financial institutions around the world are being targeted by a new email phishing campaign which uses an unusual technique as part of its attacks. If users open the attachments, they're immediately redirected to a malicious site requesting sensitive information.
• Mirai malware sets sights on enterprise IoT devices ripe for picking
  (SC Magazine) July 18th
  In 2016, Mirari took down a major DNS provider and since has branched out into more than 60 known variants and taken aim at enterprises. New variants have the potential to impact cloud servers and heavily compromise information and insurance services and more.

Join us next week for the next edition of Watchtower’s Weekly InfoSec Roundup!