Weekly Cyber Security News 10/05/2019

A selection of this week’s more interesting vulnerability disclosures and cyber security news. After last week’s news about a part of Docker Hub being exposed, things have got just a little bit worse. One of the most popular images has a root account vulnerability. Now, with someone knowing what people have, and that there is a potential hole, a target list becomes massively reduced…

• Bug in Alpine Linux Docker Image Leaves Root Account Unlocked

We trust our malware and AV companies as their code is in the most trusted part of the OS. What do we do now?

• Hackers breached 3 US antivirus companies, researchers reveal

Whenever there is the claim of ‘unhackable’, you just know this will end badly…

• ‘Unhackable’ Biometric USB Offers Up Passwords in Plain Text A simple Wireshark analysis was enough to subvert the gadget, which uses iris identification to protect the drive.

 

The rest of this week’s news:

• Airbnb Superhost Secretly Recorded Guests with Hidden Bedroom Camera The incident is only the latest in a string of disturbing horror stories of guests finding live, recording cameras hidden in their Airbnb flats.

• Airbnb users complain of accounts being ‘hacked’ saying they’ve been charged thousands and had bookings cancelled

• Amazon to Disable S3 Path-Style Access Used to Bypass Censorship

• Avengers: Endgame Sites Promise Digital Downloads, Deliver Info-Harvesting Web scammers are going after Marvel fans as the movie passes the $2.2 billion box-office mark, making it the second-highest grossing film of all time, behind only Avatar.

• Canadian Telco Exposes Unencrypted Card Details

• CIA camps out in anonymized Tor network (ZDNet)

• Credit Union Sues Fintech Giant Fiserv Over Security Claims

• Database With Millions of Indian Personal Records Exposed and Hijacked

• Drug Lab Cyberattack Puts Spotlight on IP Theft Threat (InfoRiskToday)

• Evil Clippy Makes Malicious Office Docs that Dodge Detection

• FBI Shutters DeepDotWeb Portal – Suspected Admins Arrested (InfoRiskToday)

• Finder of patient details accused by HSE of data breach

• Google Chrome to support same-site cookies, get anti-fingerprinting protection

• Google”s Web Packaging standard arises as a new tool for privacy enthusiasts

• Hacker takes over 29 IoT botnets

• Hackers attack Confluence Servers, hijack power for cryptocurrency mining (ZDNet)

• Hackers Steal $41 Million worth of Bitcoin from Binance Exchange

• Japanese government to create and maintain defensive malware

• Key to success: Tenants finally get physical keys after suing landlords for fitting Bluetooth smart-lock to front door (The Register)

• Locked Computers

• Microsoft to Ship a True Linux Kernel With Windows 10 WSL

• Mozilla Bans Firefox Extensions Containing Obfuscated Code

• Mozilla to Delete Usage Data Collected From Firefox Addon Fix

• Mozilla to track infrastructure time-bombs in wake of recent Firefox armagadd-on (ZDNet)

• OneCoin CryptoQueen sued over alleged $4bn cryptocurrency Ponzi scheme (ZDNet)

• Ongoing Attack Stealing Credit Cards From Over A Hundred Shopping Sites

• Online Tutoring Program Reveals Customer Data Breach

• Open source bug poses threat to sites running multiple CMSes

• Orange acquires SecureLink in European enterprise security push

• Over 275 Million Records Exposed by Unsecured MongoDB Database

• Singapore, Canada complete blockchain trial for cross-border payments (ZDNet)

• Site Promoting KeePass Password Manager Pushes Malware

• Turla Backdoor Deployed in Attacks Against Worldwide Targets

• Vulnerabilities Found in Over 100 Jenkins Plugins

• Want rootkit-level access without the hassle? Enter, LightNeuron for Exchange Server

• What do tech giants know about you –  A new tool shows you just how much (ZDNet)

• WordPress 5.2 to Come with Supply-Chain Attack Protection

• Airbnb host thrown in the clink after guest finds hidden camera inside Wi-Fi router (The Register)

• Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

• Jenkins Vulnerability Exploited to Deliver ‘Kerberods’ Malware

• Mystery Git ransomware appears to blank commits, demands Bitcoin to rescue code (The Register)

• Surge of MegaCortex ransomware attacks detected

• Amazon employees charged with theft of $100,000 in Apple Watch products

• Russian cyberspies are using one hell of a clever Microsoft Exchange backdoor

• UC Browser for Android Vulnerable to URL Spoofing Attacks