Nightfall InfoSec Round-up: November 8 to November 18
Cyber Attacks & Breaches
- Retailer Orvis.com Leaked Hundreds of Internal Passwords
(Krebs on Security) November 11th
Orvis, a Vermont-based retailer that specializes in high-end fly fishing equipment and other sporting goods, leaked hundreds of internal passwords on Pastebin.com for several weeks last month, exposing credentials the company used to manage everything from firewalls and routers to administrator accounts and database servers.
- Twitter spy scandal a wake-up call for companies to clean up their data access acts
(CSO Online) November 12th
Two Twitter employees accessed user data on behalf of the Saudi government. Neither should have had access, and this is a sign of a bigger problem at all companies.
- Google’s secret cache of medical data includes names and full details of millions – whistleblower
(The Guardian) November 12th
Project Nightingale is understood to be by far the largest data transfer of its kind so far in the healthcare field. It will cover the entire spread of Ascension, a Catholic network of 2,600 hospitals, clinics and other medical outlets.
- Thousands of hacked Disney+ accounts are already for sale on hacking forums
(ZDNet) November 16th
The Disney+ launch was marred by technical issues. Many users reported being unable to stream their favorite movies and shows. But hidden in the flood of complaints about technical issues was a smaller stream of users reporting losing access to their accounts.
Vulnerabilities & Exploits
- Multiple Security Flaws Detected (and fixed) in Cisco Small Business Routers
(CISO Mag) November 11th
Three major security bugs were discovered in the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers firmware named as CSCvq34465, CSCvq34469, and CSCvq34472.
- Magento Urges Users to Apply Security Update for RCE Bug
(Bleeping Computer) November 11th
Magento’s Security Team urged users to install the latest released security update to protect their stores from exploitation attempts trying to abuse a recently reported remote code execution (RCE) vulnerability.
- Intel Failed to Fix a Hackable Chip Flaw Despite a Year of Warnings
(Wired) November 12th
Researchers revealed new versions of a hacking technique that takes advantage of a deep-seated vulnerability in Intel chips. They’re spins on something known as ZombieLoad or RIDL, an acronym for Rogue In-Flight Data Load; Intel refers to it instead as microarchitectural data sampling, or MDS.
- Tech Support Scammers Exploiting Unpatched Firefox Bug
(Security Week) November 12th
Mozilla is working on addressing a Firefox bug that has been exploited by tech support scammers to lock the browser when users visit specially crafted websites.
- Manual code review finds 35 vulnerabilities in 8 enclave SDKs
(ZDNet) November 12th
A team of British and Belgium academics looked at eight open-source enclave SDKs and found 35 vulnerabilities that can be exploited to run malicious code inside a computer’s most secure area.
- VMware patches five security vulnerabilities
(SC Magazine) November 13th
VMware pushed out security updates covering five vulnerabilities that if exploited could lead to information disclosure or a denial of service situation.
- McAfee antivirus software impacted by code execution vulnerability
(ZDNet) November 13th
On Tuesday, the SafeBreach Labs cybersecurity team said that CVE-2019-3648 can be used to bypass McAfee’s self-defense mechanisms, potentially leading to further attacks on a compromised system. The vulnerability exists due to a failure to validate whether or not loading DLLs have been signed.
- Code Execution Vulnerability Found In Symantec Endpoint Protection
(Symantec) November 18th
The Symantec Endpoint Protection Local Privilege Escalation (LPE) bug now tracked as CVE-2019-12758 requires potential attackers to have Administrator privileges to successfully exploit the issue. While the threat level of this vulnerability is not immediately apparent, such bugs are commonly rated with medium and high severity CVSS 3.x base scores.
Risks & Warnings
- Researchers Find New Approach to Attacking Cloud Infrastructure
(Dark Reading) November 11th
A new attack vector exists in cloud providers’ application programming interfaces (API), which are accessible through the Internet and give adversaries an opportunity to take advantage and gain highly privileged access to critical assets in the cloud.
- Don’t Rush Quantum-Proof Encryption, Warns NSA Research Director
(Nextgov) November 11th
Quantum computers could crack the codes that secure the world’s digital information but racing to a solution could create more threats, according to Dr. Deborah Frincke.
- New Buran ransomware-as-a-service tempts criminals with discount licenses
(ZDNet) November 12th
A new RaaS offering is attempting to undercut competitors to become established in the lucrative criminal space.
- 5G has security flaws that could let hackers track your location
(MIT Technology Review) November 13th
Security researchers have identified 11 design vulnerabilities with 5G protocols that could expose a user’s location, spoof emergency alerts, track phone activity (calls, texts, or web browsing), or silently disconnect the phone from the network altogether.
- New Threat Actor Impersonates Govt Agencies to Deliver Malware
(Bleeping Computer) November 14th
A new threat actor is using email to impersonate government agencies in the United States, Germany, and Italy to deliver ransomware, backdoors, and banking Trojans through malicious attachments.
- Design flaw could open Bluetooth devices to hacking
(Science Daily) November 14th
Mobile apps that work with Bluetooth devices have an inherent design flaw that makes them vulnerable to hacking, new research has found.
- 146 security flaws uncovered in pre-installed Android apps
(The Next Web) November 15th
Researchers at Kryptowire have uncovered 146 security vulnerabilities in pre-installed apps across 29 Android OEMs (aka original equipment manufacturers), underscoring the vast scope of the problem.
- Passwords should become a thing of the past. Here’s why
(World Economic Forum) November 18th
Over the past decade, the average person’s digital footprint has been exposed to increasing numbers of third parties. Now the average consumer manages over 191 pairs of usernames and passwords.