AppSec News Roundup: Docker, WordPress, bruteforce attacks, and more
May. 9, 2019|
These are the biggest #AppSec headlines of April 2019. I love the analogy of the developer getting mugged in this first example. And we have more incidents of credential stuffing here.
Dockerhub breach results in 190,000 credentials stolen
Docker has announced a large breach that has resulted in over 190000 credentials being stolen. The impact is best explained by Kenn White:
Kenn White, a security researcher, explained the potential impact of the breach with an analogy.
“Think of it like this: developer gets mugged, and gets his keychain and wallet stolen. If the only keys were to his house and cars, that’s not great but it’s not a problem for the company,” White told Motherboard in an online chat. “In this case, potentially 190,000 keychains were pilfered, but with keys to company’s front doors too. Now it’s everybody’s problem.”
More Wordpress Plugin Woes
Active exploits for the Wordpress Social Warfare plugin snowballed, putting over 40000 websites at risk.
Another WooCommerce vulnerability is impacting over 60000 sites.
An inside look at how Credential Stuffing operations work
Catalin Cimpanu talks about how Data breaches, custom security, proxies, IoT botnets and hacking forums all play a role. This is a very thorough writeup with some great images.
Monthly API, Credential Stuffing and Supply Chain attack roundup
How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in
A hacker used brute forcing to break in the API of GPS tracking apps and found that he could remotely kill car engines. The Hamburglar’s online version struck McDonalds Canada’s app and made away with 1000’s of dollars in fraudulent orders.
A mysterious group seems to have drastically increased their attack rates. Victims now attributed to supply chain attacks include video games. Meanwhile, the victims of Magecart now include the NBA’s Atlanta Hawks. The skimmer itself was found to be hosted on GitHub and taken down.
Meanwhile, Willem De Groot has discovered a polymorphic version that uses over 50 payment gateways.
Now for some fun
If you'd like to learn more about the Barracuda solutions I'm working on, see the Barracuda Web Application Firewall and the Barracuda WAF-as-a-Service.