AppSec News Roundup: WordPress, Equifax, Oracle, and more


There's never any shortage of credential stuffing attacks. WordPress is in our roundup again, and we've got some configuration errors in this one as well.

Large breaches, big investigations

Some (impressively?) large data breaches were disclosed in May and June. Significant among them:

10 Million people from a single Australian breach

While the report did not detail the origin of the breach that affected over 10 million individuals, it did show that the largest number of individuals affected by a single finance-related breach was under 500,000, and that the health sector's three most damaging breaches affected fewer than 5,000 individuals each.

'... over 10 million individuals had their information compromised in one single incident. The current population of Australia is around 25.4 million.' via @zdnet

Hackers had access to the sensitive information of Flipboard users for over 9 months

“Flipboard, which has more than 145 million monthly active users, said it was in the process of determining how many accounts were affected. It said the compromised databases contained users’ names, Flipboard usernames, and cryptographically protected password and email addresses.”

UK’s Parliament chiefs investigate claims its website was hacked amid fears of a confidential data breach

One Twitter user said they had found passwords had leaked online too. A Parliamentary spokesman said it was looking into the reports but said it had not found any evidence that confidential parliamentary data had been breached.

EatStreet was hit by a GnosticPlayers hack

Accessed information included names, phone numbers, email addresses, bank accounts, and routing numbers for restaurants and delivery services. For customers who ordered food through the EatStreet app and website, information the hacker might have accessed or stolen included names, credit card numbers, expiration dates, card verification codes, billing addresses, email addresses, and phone numbers.

More WordPress woes

Zero-days disclosed in “Facebook for WooCommerce” and “Messenger Customer Chat” by disgruntled security firm

The security of all users who installed these extensions was put at risk because of a stupid grudge between a Denver-based company called White Fir Design LLC (dba Plugin Vulnerabilities), and the WordPress forum moderation team.

A web spam campaign that targets Koreans is creating problems for site administrators all around the world. Hackers are compromising vulnerable Korean-language WordPress websites, but are also polluting search engine results for non-hacked sites globally.

“Although the result page says that “nothing was found”, it contains the full search query with the relevant spam keywords, along with the domain name of the site the attackers want to promote. … This adds an impressive amount of search visibility for the promoted domains.”

SlickPopup and WP Database Backup plugins have serious problems. WP Database Backup has fixed its vulnerability, though.

Plugin flaws continue to plague WordPress websites. According to an Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog.

Equifax and Cathay Pacific got told off for not patching old vulnerabilities

A little-known breach caused Equifax to get told off recently by the US Congress. Cathay Pacific got told off as well, for, among other things, “failing to catch an unspecified but ‘commonly known exploitable vulnerability’ on the server”.

In a statement, Apache Struts wrote, “This vulnerability was patched on 7 March 2017, the same day it was announced … In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.” This week, the financial rating service Moody’s downgraded Equifax from a “stable” to a “negative” outlook due to the high level of cybersecurity spending and litigation that comes as a direct result of the 2017 breach. It’s the first time cybersecurity was cited as the reason for an outlook change, CNBC reported. Hong Kong’s privacy commissioner has concluded that two groups led to the data breaches at Cathay Pacific Airways that exposed the personal information of 9.4 million passengers: one installed a keylogger on a server, the other exploited a vulnerability on an unsecured Internet-facing server.

CNBC reports that Equifax is the first company to have its financial outlook downgraded from “stable” to “negative” due to a #cybersecurity incident.

Our regular API, credential stuffing and supply chain attack roundup

Magecart continues to run rampant. Forbes is among those hit recently. Another supply chain attack group has also been discovered, going after login and payment details. Another skimmer is going around as well, using iframes to capture payment data.

As revealed by Bad Packets Report's co-founder Troy Mursch, the script collects card numbers, expiration dates, and credit card CVV/CVC verification codes, as well as customers' names, addresses, phone numbers and emails. … Magecart groups have been active since at least 2015 and represent an ever-evolving threat capable of launching attacks against high profile international companies like Ticketmaster, British Airways, OXO, and Newegg, as well as targeting small retailers like Amerisleep and MyPillow.

Hackers are now going after your loyalty points, and it’s credential stuffing that is helping them get to those points.

One hacked Southwest Airlines rewards account with at least 50,000 miles was advertised for $98.88, according to the cloud security company Armor.

Instagram has had a number of API-based problems in the past, and this time around, it seems to have allowed the scraping of contact data for millions of influencers.

At the time of writing, the database had over 49 million records — but was growing by the hour. From a brief review of the data, each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they’re verified and their location by city and country, but also contained their personal contact information, such as the Instagram account owner’s email address and phone number.

Infected Cryptocurrency-Mining Containers Target Docker Hosts With Exposed APIs, Use Shodan to Find Additional Victims

Once an exposed Docker host is located, it is added to a list (iplist.txt file), which is further sorted for unique IPs. It also checks if the target host already has an existing cryptocurrency-mining container running, which is deleted if found. It then reaches out to its C&C servers to deploy additional containers to other exposed hosts based on the IP list. It then loops to the beginning of the routine stated earlier with a new host.
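The campaign above only works against Docker hosts whose daemon API is reachable over plain TCP. As an added defensive example (not code from the article or from the researchers it cites), the following audits a daemon.json document for such a listener; it uses the real daemon configuration keys `hosts`, `tlsverify` and `tlscacert`, and the sample configurations are constructed.

```python
"""Audit a Docker daemon.json for an API socket exposed over unauthenticated TCP.

Added example, not from the original article. Docker only authenticates TCP
clients when "tlsverify" is enabled together with a CA certificate ("tlscacert");
a tcp:// listener without that is remotely controllable by anyone who can reach it.
"""
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
ALL_INTERFACES = {"0.0.0.0", "::"}


def audit_docker_daemon_config(config_json: str) -> list[str]:
    """Return a list of findings; an empty list means no exposed listener."""
    cfg = json.loads(config_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local to the host
        # "tcp://:2375" has no hostname and binds every interface
        addr = parts.hostname or "0.0.0.0"
        if addr in LOOPBACK:
            continue
        if not tls_verify:
            findings.append(f"{host}: TCP API listener without tlsverify "
                            "(unauthenticated remote control of the daemon)")
        elif addr in ALL_INTERFACES:
            findings.append(f"{host}: TLS-authenticated listener bound to all "
                            "interfaces; restrict reachability with a firewall")
    return findings


# Constructed sample configurations (not taken from the article).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], '
            '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
            '"tlscert": "/etc/docker/server-cert.pem", '
            '"tlskey": "/etc/docker/server-key.pem"}')

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_docker_daemon_config(cfg) or ["ok"])
```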

Oracle patches two serious WebLogic flaws in two months

Both are Deserialization attacks

Oracle released an out-of-band patch for a WebLogic Server deserialisation vulnerability which could allow an unauthenticated attacker to remotely exploit and gain remote code execution (RCE) ability on vulnerable systems. Oracle said in a blog post that, while both exploits are deserialisation flaws, CVE-2019-2729 is “a distinct vulnerability.”

Top 5 configuration mistakes that create a field day for hackers, and a related example

Some things that never change, and should change, from Threatpost. A configuration mistake exposed a lot of HCL’s customer and personal data.

“Many of the pages that allowed public access had been indexed by search engines. One subdomain was dedicated to human resources and included new employee names, email addresses, phone numbers, and passwords.” In addition to HCL employees, the company was also accidentally exposing thousands of records for customers.

Configuration mistakes that hackers like: same password on multiple sites, default or unused open ports, delayed patching, poor credential management.
