New Cryptojacking Tactic May Be Stealing Your CPU Power
What if cybercriminals could generate money from victims without ever delivering malware to their systems? That’s exactly what a new phenomenon called “cryptojacking” entails, and it’s been gaining momentum since CoinHive first debuted the mining JavaScript a few months ago.
The intended purpose: whenever a user visits a site that is running this script, the user’s CPU will mine the cryptocurrency Monero for the site owner. This isn’t money out of thin air, though. Users are still on the hook for CPU usage, the cost of which shows up in their electric bill. While it might not be a noticeable amount on your bill (consumer CPU mining is very inefficient), the cryptocurrency adds up fast for site owners who have a lot of visitors. CoinHive’s website claims this is an ad-free way for website owners to generate enough income to pay for the servers. All altruistic excuses aside, it’s clear threat actors are abusing the tactic at the victims’ expense.
In the image above, we can see that visiting this Portuguese clothing website causes my CPU to spike up to 100%, and the browser process will use as much CPU power as it can. If you’re on a brand new computer and not doing anything beyond browsing the web, a spike like this might not even be noticeable. But if you’re using a slower computer, just navigating the site will become very sluggish.
Cybercriminals using vulnerable websites to host malware isn’t new, but injecting sites with JavaScript to mine Monero is. In case you’re wondering why this script uses Monero instead of Bitcoin, it’s because Monero has the best hash rate on consumer CPUs and has a private blockchain ledger that prevents you from tracking transactions. It’s completely anonymous. Criminals will likely trade their Monero for Bitcoin regularly to make the most of this scam.
CoinHive’s JavaScript can be seen in this website’s HTML:
CoinHive maintains that there is no need block their scripts because of “mandatory” opt-ins:
“This miner will only ever run after an explicit opt-in from the user. The miner never starts without this opt-in. We implemented a secure token to enforce this opt-in on our servers. It is not circumventable by any means and we pledge that it will stay this way. The opt-in token is only valid for the current browser session (at max 24 hours) and the current domain. The user will need to opt-in again in the next session or on a different domain. The opt-in notice is hosted on our servers and cannot be changed by website owners. There is no sneaky way to force users into accepting this opt-in.”
For reference, here’s what an opt-in looks like (assuming you ever do see one):
Why Webroot blocks cryptojacking sites
Unfortunately, criminals seem to have found methods to suppress or circumvent the opt-in—the compromised sites we’ve evaluated have never prompted us to accept these terms. Since CoinHive receives a 30% cut of all mining profits, they may not be too concerned with how their scripts are being used (or abused). This is very similar to the pay-per-install wrappers we saw a few years ago that were allegedly intended for legitimate use with user consent, but were easily abused by cybercriminals. Meanwhile, the authors who originated the wrapper code made money according to the number of installs, so the nature of usage—benign or malicious—wasn’t too important to them.
To protect our users from being exploited without their consent, we at Webroot have chosen to block websites that run these scripts. Webroot will also block pages that use scripts from any CoinHive copycats, such as the nearly identical Crypto-Loot service.
There are a few other ways to block these sites. You can use browser extensions like Adblock Plus and add your own filters (see the complete walkthrough here.) If you’re looking for more advanced control, extensions like uMatrix will allow you to pick and choose which scripts, iframes, and ads you want to block.
Update 12/13/17:
CoinHive scripts running rampant
If there was ever any doubt around the severity of this emerging threat and the overall nefarious use of CoinHive’s scripts, it can be put to rest. CoinHive engineers have now essentially admitted that they’ve “invented a whole new breed of malware,” according to a report in the German newspaper Süddeutsche Zeitung.
With the continued price surges in Monero, and the cryptocurrecy market as a whole, it seems cryptojacking becomes a more lucrative opportunity for cybercriminals with each passing day. And recent revelations have shown even more surreptitious methods being used by cryptojacking sites to evade user detection. One website was seen hiding a popup window underneath the Window’s task bar in order to continue mining after users believe they have closed their web browser, according to Bleeping Computer.
CoinHive’s cryptojacking script was even spotted on public WiFi at a Starbucks in Buenos Aires, according to BBC News.
Cyber News Rundown: Edition 12/01/17
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any questions? Just ask.
US Military Files Found on Publicly Available Server
In the past week, researchers have discovered several publicly available Amazon S3 servers belonging to the US Army and the NSA. Of the numerous sensitive files that were exposed, one was a virtual machine that contained thousands of files, many of which were labeled “Top Secret”, though these were inaccessible without the aid of other internal resources. Along with the virtual machine, researchers also discovered a portion of an outdated cloud computing service used to access the aggregate information on an Army intelligence network, though the program has been out of use since 2014.
Latest MacOS Leaves Root Access Exposed
With the latest iteration of MacOS, dubbed High Sierra, comes an unusual problem: it allows anyone with local access to a machine to log in as a “root” user (which has powerful system permissions) without entering a password. Fortunately for many users, simply adding a root password was a quick method to solve the security issue, though Apple promptly released a patch which provided the fix.
Healthcare Industry Takes Firmer Stance on Security
A new report revealed that most healthcare domains do little to protect their email users, as a staggering 57% of all emails that come from the healthcare industry have been found to be fraudulent. In addition, at least 92% of all healthcare domains have been victims of phishing or scam emails within the past 6 months. Hopefully, with the implementation of stricter security measures, customers can begin to have more trust in the emails they receive from healthcare providers.
Facebook Flaw Allows Polls to Delete Other Users’ Data
Recently, a researcher found a flaw in Facebook’s polling feature that would have allowed him to connect this poll with any other user’s images and subsequently delete the images when he deleted the poll. By finding a workaround to user authentication, he could attach the image ID of any picture that was posted to the site to a Facebook poll he created. Luckily, the researcher quickly contacted Facebook, who have since fixed the flaw and paid a tidy bounty for the find.
Uber Waits Entire Year to Reveal Data Breach
Last week, Uber announced they suffered a data breach in late 2016 that could affect 2.7 million users in the UK. Reportedly, Uber knew of the breach and paid the hackers $100,000 to delete the stolen data and keep quiet. While the breach appears to only contain names, email addresses, and phone numbers, the National Cyber Security Centre (NCSC) encourages all Uber users to change their login credentials immediately, as the full extent of the breach remains unclear. This breach and its handling are yet another strike against the ride-sharing service, after a long year of controversies that have majorly affected their business.
Why You Should Use a VPN on Public WiFi
Working remotely? It only takes a moment on a free WiFi connection for a hacker to access your personal accounts. While complimentary WiFi is convenient, protecting your connection with a VPN is the best way to stay safe on public networks, keeping your data and browsing history secure.
Are you prepared for today’s attacks? Discover the year’s biggest cyber threats with the annual Webroot Threat Report.
What is a VPN?
VPN stands for “virtual private network” and is a technology that can be used to add privacy and security while online. It’s specifically recommended when using public WiFi which is often less secure and is often not password protected.
VPN’s act as a bulletproof vest for your internet connection. In addition to encrypting the data exchanged through that connection, they help safeguard your data and can enable private and anonymous web browsing. However, even if you’re using a VPN, you must still be careful about clicking on suspicious links and downloading files that may infect your computer with a virus. Protecting yourself with antivirus software is still necessary.
When and why should you use a VPN?
When checking into your hotel, connecting to the WiFi is often one of the first things you do once settling in. While it may sound like a tempting offer, logging in to an unsecured connection without a VPN is a very bad idea. In July, ZDNet reported the return of hacker group DarkHotel which aims to target hotel guest’s computers after they have logged on to the building’s WiFi. Once compromising a guest’s WiFi, the hacker group can then leverage a series of phishing and social engineering techniques to infect targeted computers.
Traveling and lodging is just one example of when you can use a VPN to help stay secure and avoid potential attacks, however anyone can benefit from using a VPN.
From checking Facebook on an airport hotspot, accessing your company files while working remotely or using an open network at your local coffee shop, regardless of the scenario, using a public WiFi can potentially put the data you’re sending over the internet at risk. For business looking to secure their guest WiFi, click to learn more about our DNS protection solution.
Ready to take back control of your privacy? Webroot WiFi Security is compatible with devices running iOS®, Android™, macOS® and Windows® operating systems, and is now available to download on the Apple App Store, Google Play™ store, and Webroot.com.
Cyber News Rundown: Edition 11/16/17
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Brothers Printers Vulnerable to Major Exploit
Researchers have discovered an exploit in several Brothers printer models that would allow attackers to issue a continuing DDoS attack against the printer, rendering it unusable. By sending a fraudulent HTTP request to the device, the attackers could then use the printer against itself by forcing a cycle of printer errors, followed swiftly by another phony HTTP request. Although this exploit only affects printer models with a web interface, its discovery sheds light on much more basic security flaws, such as not changing the default password or allowing unrestricted remote access.
Password Hackers Have Reached New Heights
As cybercriminals and their tools get more and more advanced, it’s no surprise that the use of traditional passwords may have finally met its end. Password cracking software has gone from taking years to days to hours to complete, so human-created passwords may now leave many institutions less secure than they could be, and have contributed to numerous data breaches in the last few years.
Ride-Hailing Service Leaves Servers Unsecured
In the least week or so, a server belonging to Fasten, a Boston-based ride-hailing service, was found to be publicly accessible for at least 48 hours; the timeframe may have been longer. The server in question contained personal data for both passengers and drivers, along with data about customer devices and the vehicles used. Fortunately for many users, the company worked quickly to secure the server and improve their data security policies.
Pro-ISIS Hacking Group Targets U.S. School Websites
Recently, the primary websites for at least 800 schools across the U.S. were hacked by a Pro-ISIS group to redirect site visitors to an Arabic YouTube propaganda video. The hacked sites were all linked through an academic website building service called SchoolDesk. SchoolDesk claims no personal information was exposed during the breach, though this news is difficult to confirm. This attack isn’t the worst one perpetrated by the hacking group, but it is the most recent, and the hackers have stated each of their victims has had limited security protocols.
IcedID Banking Trojan Spreads to US
Over the last several days, researchers have been tracking a new banking Trojan that has swiftly spread across the US. IcedID employs both redirection attacks and browser injection, which is fairly unusual. Previously, these tactics have only been combined by Dridex, a highly advanced banking Trojan. By using the botnet built by the Emotet Trojan, IcedID can deploy onto previously infected systems, causing even more damage.
Cyber News Rundown: Edition 11/10/17
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
UK-Based Cryptocurrency Hit By Cyberattack
Prior to the official launch of Electroneum, a UK-based cryptocurrency that uses smartphones for its mining process, was targeted by a DDoS attack that shut down both the website and the app for several days. The attack effectively blocked all users from accessing their accounts, as the entire network was forced offline, to ensure the safety of investors’ funds.
Canadian University Held for Ransom
In the past week, officials have been working with affected students to secure their personal information after hackers breached the university’s systems and gained access to student records. The university has since taken its email system offline, as the hackers were spreading the leaked information throughout the email lists. Along with the data circulation, the hackers also demanded the university pay a large ransom of roughly 23,000 USD within 48 hours, though officials are still uncertain when the breach itself occurred.
WaterMiner Cryptocurrency Mod for GTA 5
As more cryptocurrency miners are embedded in software, one Russian hacker has gone a step further by exploiting a mod for the popular game Grand Theft Auto 5. The exploit silently uses a computer’s power to mine digital currency and, with the help of a modified version of the XMRig miner, can hide itself if it suspects monitoring software is active.
Paradise Papers Expose Latest Offshore Dealings
A sizable data dump from offshore law firm Appleby was released and quickly distributed across the globe in the last week. Initial reports reveal that nearly 1.4TB of data was included in the dump, which contained private investment figures belonging to large corporations and prominent political figures. While the perpetrator of the leak has not yet been identified, this event brings to light the unconscionable lack of security that such firms employ, even when dealing with the most sensitive of client data.
Parity Bug Freezes $300 Million in Cryptocurrency
Although the full impact has not yet been quantified, a user bug caused at least 70 Ethereum accounts to completely deactivate, leaving approximately $300 million worth of cryptocurrency completely inaccessible. The bug stems from a recent patch that Parity developers implemented after a previous breach led to the theft of over $30 million in cryptocurrency. At this time, the future of the locked funds is still undecided. Developers are considering a radical change (termed a “hard fork”) to the currency to unlock affected accounts, but this solution isn’t appealing to many investors.
Two-Factor Authentication: Why & How You Should Use it
Conventional wisdom about passwords is shifting, as they are increasingly seen as a less-than-ideal security measure for securing digital accounts. Even the recommended rules for creating strong passwords were recently thrown out the window. Average users are just too unreliable to regularly create secure passwords that are different across all accounts, so using technology to augment this traditional security is imperative.
From online banking to email to cloud-based file storage, much of our high-value information is in danger if a hacker gains access to our most frequently visited sites and accounts. That’s where two-factor authentication comes in.
Two-factor authentication (2FA) adds an extra layer of security to your basic login procedure. When logging into an account, the password is a single factor of authentication, and requiring a second factor to prove you are who you say you are is an added layer of security. Each layer of security that you add, exponentially increases protection from unauthorized access.
Three categories of two-factor authentication:
- Something you know, such as a password.
- Something you have, such as an ID card, or a mobile phone.
- Something you are, a biometric factor such as a fingerprint.
The two factors required should come from two different categories. Often, the second factor after entering a password is a requirement to enter an auto-generated PIN code that has been texted to your mobile phone. This combines two different types of knowledge: something you know (your password) and something you have (your mobile phone to receive a code in SMS text or code from a 2FA app).
Protect accounts with an extra layer of security
Popular social media sites, including Twitter, Facebook, Instagram and Pinterest, have added 2FA to help protect users. In addition, you may have noticed that services from companies such as Apple, Google and Amazon will notify you via email each time you log in from a different device or location.
While 2FA from an SMS text message is popular and much more secure than a password alone, it is one of the weaker types of 2FA. This is because it’s relatively easy for an attacker to gain access to your SMS texts. When you log in to your account and it prompts for a SMS code, the website then sends the code to a service provider and then that goes to your phone.
This is not as secure as everyone thinks, because the phone number is the weakest link in the process. If a criminal wanted to steal your phone number and transfer it to a different SIM card, they would only need to provide an address, the last four digits of your social security number, and maybe a credit card number.
This is exactly the type of data that is leaked in large database breaches, a tactic to which most Americans have fallen victim at some point or another. Once the attacker has changed your phone number to their SIM card, they essentially have your number and receive all your texts, thus compromising the SMS 2FA.
Ready to protect your home setup? Explore and compare Webroot’s home cybersecurity solutions here.
Many people are guilty of using weak passwords or the same login information across several accounts, and if this sounds like you, we recommend that you use authenticator apps such as Google Authenticator and Authy. These apps are widely supported and easy to setup.
Simply go to the “account settings” section on the site you want to enable. There should be an option for 2FA if it is supported. Use the app on your phone to scan the QR code and, just like that, it’s configured to give you easy six-digit encrypted passwords that expire every 30 seconds.
What happens when you’re not using sites that have 2FA enabled? Quite simply, security is not as tight and there’s a higher risk of a hacker gaining access to your accounts. Depending on what is stored, your credit card information, home address, or other sensitive data could be stolen and used to commit fraud or sold on the DarkWeb.
Learn how to enable 2FA on your Webroot SecureAnywhere in our Community Knowledge Base.
Cyber News Rundown: Edition 11/03/17
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
DoubleLocker Takes Android Ransomware to Next Level
While the concept of ransomware is nothing new, DoubleLocker takes encryption a step further by not only locking down the device’s files, but also locking the device itself. Once installed, DoubleLocker takes control of the Home button functionality, implementing a randomly generated PIN for the device the first time the user taps Home. This makes it extremely difficult to unlock the device without performing a complete factory reset.
Heathrow Security Documents Found on Lost USB Drive
In the last week, officials at Heathrow Airport in London have been working to determine how a USB drive containing a large quantity of security details about the airport was found on an inconspicuous London street. The USB contained information on the airport’s security measures, as well as details on how the Queen is ushered through the facility. Fortunately, the man who found the drive turned it in to the proper authorities after discovering the data it contained.
Firefox Fights Canvas Fingerprinting
The newest Firefox browser version will take a sterner approach to canvas fingerprinting, a nearly silent method of tracking users’ browsing activity. Canvas fingerprinting tracks the browser instead of storing cookies on the system. Although it has legitimate uses, the canvas element allows companies to track users without their consent. Unlike cookies, fingerprints cannot be deleted by the user. While canvas fingerprinting won’t be going away, Firefox is taking a step in the right direction: their new browser version will give users the choice of opting in, rather than being unwitting subjects.
Mobile Facebook Users Targeted By Phishing Scheme
Recently, Facebook users from continental Europe have seen a sizeable increase in phishing campaigns focused on mobile users. The campaigns start with an already-hacked Facebook account that posts fake “YouTube” links. These links direct anyone who clicks to a fake login page that attempts to steal their credentials. The phished credentials are then used to continue propagating the campaign from the compromised user accounts.
ONI Ransomware Favors Japanese Systems
For the last several months, researchers have been tracking the ONI ransomware variant as it works its way through Japan’s corporate sector. Focusing solely on Japanese companies, ONI and MBR-ONI have been spotted encrypting numerous computers and also wiping others clean, likely in an attempt to cover up other hacking operations. Researchers report the attackers may have used the EternalBlue exploit to move through networks more easily, as the computers involved had not yet received the Microsoft update that would have patched that vulnerability.
Top 10 Nastiest Ransomware Attacks of 2017
We’re revealing the top 10 nastiest ransomware attacks from the past year. NotPetya came in on our list as the most destructive ransomware attack of 2017, followed closely by WannaCry and Locky in the number two and three spots, respectively. NotPetya took number one because of its intent to damage a country’s infrastructure. Unlike most ransomware attacks, NotPetya’s code wasn’t designed to extort money from its victims, but to destroy everything in its path.
While NotPetya and WannaCry were first uncovered in 2017, the other ransomware attacks on our top 10 list made their debuts last year. These attacks either continued into 2017 or returned with a vengeance.
This top 10 list underscores the reality of our increasingly connected world—cybercriminals will continue to develop new infections and will capitalize on reliable, successful attack methods.
To view our Top 10 Nastiest Ransomware infographic, click here.
Not sure how to protect yourself online? Read our safety tips.
Cyber News Rundown: Edition 10/27/17
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Fake Crypto Exchange Apps Found on Google Play Store
After being available on the Google Play store for nearly a month, several phishing apps that were spoofing cryptocurrency exchanges have been removed. Unfortunately, they had been installed up to 5000 unique times by unwitting users. While this isn’t the first time we’ve seen phony crypto exchange apps in an app store, they are becoming more regular, and increasingly difficult to identify.
Reaper Botnet on Track to Be Largest in History
A new botnet called Reaper has been spotted controlling nearly two million unique IoT devices, and is continuing to grow. The infection spreads relatively quietly, like a worm, and uses known vulnerabilities within internet-connected devices to increase its reach. The botnet has yet to be used for any known DDoS attacks, and it appears to be more concerned with growth than high-profile attacks.
Microsoft Office Vulnerability Leaves Users Defenseless
As more and more attention is focused on infections from malicious email attachments, an exploit has been found in a decades-old data exchange system used in all Microsoft Office programs that could allow similar attacks to remain unnoticed. The exploit is based on the data exchange protocols used to send data between Office apps and could be used to trigger malware without user interaction. Unfortunately, Microsoft is unlikely to perform any major patches to resolve the issue, since they could break the data protocols needed by each app.
Customer Info Breach at Major Cosmetics Company
Recently, a security firm found two publicly accessible databases containing sensitive information for nearly 2 million Tarte Cosmetics customers. The data consisted mostly of payment and other sensitive information for any online customers from the last decade, and may have also fallen victim to a ransomware attack during the period that it was unsecured. Fortunately, Tarte was quick to take both databases offline after being informed of the indiscretion.
Bad Rabbit Ransomware Invades Media Outlets
Over the past week, multiple media outlets from Eastern Europe to Japan have been experiencing a ransomware attack, dubbed Bad Rabbit by researchers. The variant shares some of its code with Petya, the ransomware that caused widespread damage earlier this year. Bad Rabbit seems to propagate through fake Flash updates and uses Mimikatz to obtain credentials from infected devices.
Public Safety in a Connected World
The U.S. electrical grid is in “imminent danger” from cyberattacks according to a report from the U.S. Energy Department released earlier this year. Such an attack would put much of the infrastructure that we rely on for public safety and basic services in jeopardy—electricity, water, healthcare, and communications systems, among others.
Just last week, an email was sent to energy and industrial firms by the DHS and FBI warning of hacking groups targeting critical infrastructure in the “energy, nuclear, water, aviation, and critical manufacturing sectors.”
Great power, great responsibilty
While the networked technology behind this infrastructure empowers our society, it also exposes us to new risks. Most people are aware of the cyber threats facing our personal mobile devices, home computers, and smart appliances. But the risks to public safety on a larger scale are less well known. Commitment to securing this brave new world is critical if we are to avoid serious public safety problems.
Cyberattacks targeting our critical infrastructure reveal our shared responsibility in securing the networks we depend on each and every day in our connected world.
Ransomware attacks—when cybercriminals hack a computer, encrypt the files and hold them hostage—pose a particularly dangerous threat for public infrastructure. It is estimated that ransomware has resulted in billions of dollars of losses in the last year alone, according to our June 2017 Quarterly Threat Trend Report.
Already this year, we’ve seen several major ransomware attacks on government entities, including counties, cities and multiple police departments leading to major disruptions in services like emergency response times, video surveillance and emergency radio transmissions.
In June, an infamous cyberattack dubbed NotPetya hit Europe, affecting workplaces and public domains. This attack mirrored its predecessor named Petya (a type of ransomware), except this new incarnation used “EternalBlue to target Windows systems—the same exploit behind the infamous WannaCry attack.” It also differed from other popular ransomware attacks by denying user access and attacking low-level structures on the disk. This Petya-based attack targeted employees at one of the world’s largest advertising agencies, as well as oil companies, shipping companies and banks. A new ransomware attack that emerged this week named Bad Rabbit also appears to be linked to the NotPetya attack.
As advanced threats such as ransomware continue to evolve in sophistication, they present a more imminent threat to the systems and services we rely on for public safety. Cyberattacks targeting our critical infrastructure reveal our shared responsibility in securing the networks we depend on each and every day in our connected world.
Get tips on becoming a more proactive and prepared citizen with our “One Wrong Click” infographic.
Cyber News Rundown: Edition 10/20/17
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Swedish Trains Schedule Gets Derailed by Cyber Attack
In the last week, several computer systems belonging to the Sweden Transportation Administration were subjected to multiple DDoS attacks that forced the agency to halt some trains and delay others. While they were able to bring the services back online within a few hours, the delays affected transportation schedules for the remainder of the days. Unfortunately, the effects of the attacks were still noticeable within the transportation systems for several days, as the schedules all needed readjustment to accommodate their customers.
Adobe Flash Affected by Zero-Day Exploit
Researchers this week discovered a zero-day exploit within Adobe Flash Player that was used to install FinSpy, a malicious software used to steal user information. The software was hidden in an infected Word document, which the user received via email. FinSpy surveillance software is sold worldwide, but is often used maliciously to gain financial or political power through information gathering and extortion. Fortunately for Adobe Flash users, the latest update patches the exploit and is readily available from Adobe’s site.
Adult Themes Infest Roblox Computer Game
The open-source nature of games like Roblox can enable users to make custom additions to the game and make their experience their own. However, some users choose to take advantage of the system and abuse it. Unfortunately, many of the game’s younger user-base has recently been subjected to Nazi propaganda and other adult content. The vendors of such mods are usually banned from the servers, only to return a short while later.
IoT Takes Major Hit with Krack Attacks
Recently, a vulnerability was found within the WiFi encryption currently in use by hundreds of millions of IoT devices around the world. Fortunately, the vulnerability has been patched by dozens of vendors for quite some time now. However, there are still some devices that won’t likely receive an update in the near future: security cameras, routers, and other household wirelessly connected “things”.
Oracle Updates Large Number of Critical Patches
In their latest update, Oracle pushed out more than 250 different patches for bugs across hundreds of products. Some of the most critical patches involve SQL injection vulnerabilities in their E-Business Suite, which could be used maliciously to steal or alter sensitive financial data. Another area that received multiple patches was the Java Platform, which had 20 unique exploits that were available remotely without any user authentication.
Cyber News Rundown: Edition 10/13/17
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Rigzone Founder Caught Stealing Data
Over the last few months, officials have been piecing together the case against Rigzone founder, David Kent. After selling the Rigzone domain several years ago, Kent used several backdoors he’d implemented to access account information for over 700,000 customers, which he then attempted to sell back to Rigzone. By setting up several dummy accounts, Rigzone staff determined the specific IP address Kent used and apprehend him.
Criminals Hack Eastern Europe Bank for Millions
In the last year, banks in several Eastern European countries have seen a drastic rise in fraudulent charges at ATMs that have allowed hackers to make off with nearly $40 million dollars. Attackers start by manipulating the banks overdraft protection and setting up proxies to allow accomplices in other countries withdraw massive quantities of money from separate accounts. In addition to spoofing the overdraft system, the attackers also installed remote access software on bank computers to enable further intrusion to the institution’s systems.
Multiple Accenture Servers Left Exposed Online
A security researcher recently discovered four servers belonging to Accenture that were left publicly accessible on the internet for an undisclosed length of time. These servers contained data on thousands of Accenture’s clients, though the company’s statement on the issue assured customers that all data was from a retired system that contained no current data. Fortunately, server logs show that the researcher was the only unauthorized user to access them, which should help Accenture’s IT staff sleep a little better.
Latest Apple OS Gives Actual Password instead of Password Hint
A bug within Apple’s latest macOS, High Sierra, could allow a local attacker to request a password hint but receive the actual password. This bug occurred due to an issue with Apple’s file management system, which would have asked users to input a password hint in case they forgot their credentials. Unfortunately, the bug caused the hint request to display the legitimate password instead. Luckily for High Sierra users, Apple was quick to release a patch that fixed the issue.
Healthcare Service Records Found Online
Kromtech researchers discovered an unsecured Amazon S3 bucket belonging to a US healthcare services company that contained information on at least 150,000 patients. Although the company secured the server as soon as they were notified of this security oversight, it’s unclear how long the bucket was freely accessible.