Weekly Cyber Security News 05/04/2019

A selection of this week’s more interesting vulnerability disclosures and cyber security news. It’s been a while since we had reports of a Node.Js module repo tainting, this time though, it appears that its Ruby’s turn to suffer along with Google scoring an own goal. Trust in the code library supply chain shows once again that mistakes can have a wide ranging impact. I don’t have any solutions. Does anyone?

• JavaScript Library Introduced XSS Flaw in Google Search

• Backdoor code found in popular Bootstrap-Sass Ruby library

We’ve seen regular exposure of S3, Elastic Search and MongoDB instances. In some ways it can be understandable (though not defensible) as to why they might be exposed. What I am utterly amazed at is the discovery of iSCSI exposure! What were they thinking – if they were at all?:

• Over 13K iSCSI storage clusters left exposed online without a password

Could this be a new angle for the future?

• Undocumented Intel VISA Tech Can Be Abused, Researchers Allege Researchers at Black Hat Asia said that Intel VISA, an undocumented testing tool, can be abused using previously-disclosed vulnerabilities.

 

In other news…

• Attackers Store Malware in Hidden Directories of Compromised HTTPS Sites

• Apache Bug Lets Normal Users Gain Root Access Via Scripts

• Buca di Beppo, Planet Hollywood Restaurants Hit by Card Breach

• Toyota announces second security breach in the last five weeks (ZDNet)

• 26k+ Kibana Instances exposed Elasticsearch databases online

• A Third of Brits Suffered Cybercrime Last Year

• Bithumb cryptocurrency exchange hacked a third time in two years

• Boeing delays 737 MAX software fix delivery

• Boston Dynamic’s latest robot is a mechanical ostrich that loads pallets

• Canadian Authorities Raid RAT Developer

• Cisco Botches Fix for RV320, RV325 Routers, Just Blocks “curl” User Agent

• Cryptocurrency exchange loses millions in heist

• Dell encryption console breaks after installing March 2019 Windows Update

• DLA Piper Set to Sue Insurer Over NotPetya Claim: Report

• DragonEx Exchange Suffers Security Breach, Amount of Crypto Stolen Still Unknown

• FireEye debuts Windows Commando VM as Linux Kali rival

• Firefox to run experiment to reduce push notification permission spam (ZDNet)

• Google’s constant product shutdowns are damaging its brand

• Hacker group has been hijacking DNS traffic on D-Link routers for three months (ZDNet)

• Hackers don”t just want to pwn networks, they literally want to OWN your network and no one knows they”re there (The Register)

• Head of Money Mule Operation Extradited to the United States

• Home DNA kit company asks you to upload your family tree for the FBI (ZDNet)

• ICO Invites Applicants to GDPR Sandbox

• Lazarus Group Widens Tactics in Cryptocurrency Attacks MacOS users, as well as Windows, are in the cross-hairs, especially those based in South Korea.

• Look who’s stalking

• Magento Patches Critical Vulnerabilities

• Magento”s Latest Patches Should Be Applied Immediately (InfoRiskToday)

• Man Behind Fatal ‘Swatting’ Gets 20 Years

• Michigan practice folds after cyberattackers wipe out all their files

• Microsoft Fixing Azure Service Failures Impacting Western Europe

• New Shodan Service Keeps Track of Internet-Exposed Systems

• Pharmaceutical giant Bayer targeted by cyberattack, threat “contained” (ZDNet)

• Popup enlarges at the last second so users click on ads instead of “Close” button

• Recovering Smartphone Typing from Microphone Sounds

• Researchers discover and abuse new undocumented feature in Intel chipsets

• Researchers publish list of MAC addresses targeted in ASUS hack

• Researchers trick Tesla Autopilot into steering into oncoming traffic

• Serious Magento bug will likely be exploited in the wild by card skimmers

• Top 550+ Funny Passwords Ever Encountered

• VPN providers pull Russian servers as Putin”s ban threatens to bite (ZDNet)

• Why women still make up only 24% of cybersecurity pros

• Windows 10 News App Blunder Made Users Think They”re Infected

• You don”t need a PhD to phish a Brit university: Nonprofit claims 100% hit rate is easy peasy

• 0-Day in TP-Link SR20 Routers Allows Command Execution

• How financial institutions are risking customer data through insecure mobile apps

• Zero-Day Bug Lays Open TP-Link Smart Home Router However, an attacker would need to already be on the local network to be successful.

• Zero-Day TP-Link SR20 Router Vulnerability Disclosed by Google Dev

• A dozen US web servers are spreading 10 malware families, Necurs link suspected (ZDNet)

• UNNAM3D Ransomware Locks Files in Protected Archives, Demands Gift Cards

• BEC Scam Gang London Blue Evolves Tactics, Targets Business email compromise group London Blue is back with evolved email domain spoofing tactics and a newfound interest in targets in Asia.

• Ironically, Phishing Kit Hosted on Nigerian Government Site

• AWS S3 Buckets Exposed Millions of Facebook Records

• Facebook and Amazon are Locked in a Blame Game Over Leaked Data: Who’s Really To Blame? After two databases were discovered leaking Facebook data, Facebook and Amazon are both pointing fingers but researchers say the onus lies on all parties involved as data collection continues to grow.

• Gustuff Android banking trojan targets 125+ banking, IM, and cryptocurrency apps

• Microsoft fixing Skype Android app bug that automatically answers calls (ZDNet)

• Security researcher pleads guilty to hacking into Microsoft and Nintendo

• WordPress iOS app leaked authentication tokens

• Serious Path Traversal Flaw Found in Kubernetes

• Two Zero-Day Flaws in Edge and Internet Explorer Remain Unpatched