AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 10/18/2019

1 – California adds biometric specs to data breach law

California is changing its Information Practices Act of 1977 to expand the definition of personal information with additional identifiers, including biometric data of those affected. The amendment comes with new instructions on how to notify affected parties by a breach. The legislation is old and uses a definition too broad to describe personal information in all the shapes and forms found today. As such, amendment AB 1130, approved by California Governor Gavin Newsom last week, seeks to expand the definition of personal information to add “specified unique biometric data and tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document in addition to those for driver’s licenses and California identification cards to these provisions.”


2 – Cisco: These Wi-Fi access points are easily owned by remote hackers, so patch now

Hackers from afar can mess around with Cisco’s Aironet industrial and business Wi-Fi access points because the devices have flawed URL access controls, Cisco has warned customers. The critical Aironet flaw has been assigned the identifier CVE-2019-15260 and has a CVSS v3 score of 9.8 out of 10. The bug affects several Aironet product lines, including access points for industrial customers. It can be exploited by a remote attacker without valid credentials, who could then tamper with device settings with elevated privileges or view sensitive corporate information.


3 – Graboid Cryptojacking Worm Has Struck Over 2K Unsecured Docker Hosts

Researchers discovered a new cryptojacking worm called “Graboid” that has spread to more than 2,000 unsecured Docker hosts. Unit 42 researchers found that an infection begins when malicious actors establish an initial foothold through unsecured Docker daemons. A quick search on Shodan uncovered over 2,000 unsecured Docker engines lacking any authentication or authorization measures. These weaknesses enabled the threat actors to compromise the daemon, run a malicious Docker container pulled from Docker Hub, download several scripts from its command-and-control (C&C) server and pick its next target. To do so, Graboid selected three targets at a time. It then installed the worm on the first target, stopped its Monero miner on the second target and started the miner on the third target.
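The precondition for the whole Graboid chain is a Docker daemon that listens on TCP with no authentication. The following is an added example, not code from the article or from Unit 42: a small audit of a `daemon.json` document (the file the Docker daemon reads from `/etc/docker/daemon.json`) that flags exactly that condition. The two sample configurations are constructed for the example; the keys `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are real Docker daemon options.

```python
import json
from typing import List

# Constructed sample configurations (not taken from the article).
# The weak one exposes the API on all interfaces with no authentication at all:
# anyone who can reach port 2375 can start containers, which means root on the host.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# The hardened one requires a client certificate signed by the configured CA.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(config_text: str) -> List[str]:
    """Return a list of findings for a daemon.json document (empty list = nothing to report)."""
    cfg = json.loads(config_text)
    findings: List[str] = []

    # Only tcp:// listeners are reachable from the network; unix:// and fd:// are local.
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings

    tls_verify = bool(cfg.get("tlsverify", False))
    for host in tcp_hosts:
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated remote root)")
            if "0.0.0.0" in host or "[::]" in host:
                findings.append(f"{host}: unauthenticated listener bound to all interfaces")

    # tlsverify without the certificate material will not start, but flag it anyway
    # so a half-finished hardening job is visible in the audit output.
    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} is missing")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or "OK")
```

Run it against the real `/etc/docker/daemon.json` on each host (or feed it the file collected by your configuration-management tool); a daemon that was started with `-H tcp://...` on the command line rather than via `daemon.json` will not show up here, so pair the check with a look at the daemon's actual listening sockets.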


4 – Cybercrime Tool Prices Bump Up in Dark Web Markets

Prices have been rising in the last two years for longstanding tools available on the Dark Web to help bad actors commit cyber attacks and fraud, alongside newer innovations that are emerging to bolster crimes like ransomware and SIM swapping, new research has found. Keeping track of these trends in dark-web markets for the tools and data cybercriminals depend on to commit nefarious acts can be a key indicator of where the next attacks will occur, according to a new Flashpoint report, “Pricing Analysis from Goods in the Cybercrime Communities.”


5 – This sophisticated Russian hacking group is back in action again

The newly uncovered campaign – dubbed Operation Ghost by researchers – started in 2013 and continued into 2019, meaning the group never stopped its espionage activity. In attacks using four new families of malware, Cozy Bear has targeted ministries of foreign affairs in at least three different countries in Europe, as well as the Washington DC embassy of a European Union country. Researchers have attributed Operation Ghost to Cozy Bear because the attacks use backdoor malware associated with previous activity by the group – MiniDuke – although this version appears to have been updated. The group also appears to be mostly active during working hours in Russia, with occasional activity at night-time.
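The "active during working hours in Russia" observation is a standard attribution check: take the UTC timestamps you have for an actor (C2 log entries, sample compile times, commit times in tooling) and see which candidate timezone puts most of them into a Monday-to-Friday, nine-to-six window. The code below is an added example, not part of the article or the researchers' analysis. The ten timestamps are constructed for illustration, and the candidate zones use fixed UTC offsets (Moscow has had no daylight-saving time since 2014, so UTC+3 is exact; the US Eastern entry is pinned to standard time, UTC-5, for simplicity).

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample of activity timestamps in UTC (not real campaign data).
SAMPLE_UTC: List[str] = [
    "2019-03-04T06:15:00Z",  # Mon 09:15 MSK
    "2019-03-04T10:40:00Z",  # Mon 13:40 MSK
    "2019-03-05T07:05:00Z",  # Tue 10:05 MSK
    "2019-03-05T14:30:00Z",  # Tue 17:30 MSK
    "2019-03-06T08:00:00Z",  # Wed 11:00 MSK
    "2019-03-06T22:30:00Z",  # Thu 01:30 MSK (night-time outlier)
    "2019-03-07T12:20:00Z",  # Thu 15:20 MSK
    "2019-03-08T06:00:00Z",  # Fri 09:00 MSK
    "2019-03-08T13:45:00Z",  # Fri 16:45 MSK
    "2019-03-09T09:00:00Z",  # Sat 12:00 MSK (weekend outlier)
]

# Candidate zones as fixed offsets so the example has no tzdata dependency.
CANDIDATE_ZONES: Dict[str, timezone] = {
    "Europe/Moscow (UTC+3)": timezone(timedelta(hours=3)),
    "UTC": timezone.utc,
    "US Eastern, standard time (UTC-5)": timezone(timedelta(hours=-5)),
}


def working_hours_fraction(timestamps: List[str], tz: timezone,
                           start_hour: int = 9, end_hour: int = 18) -> float:
    """Fraction of timestamps that fall on a weekday between start_hour and end_hour local time."""
    hits = 0
    for ts in timestamps:
        utc_dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        local = utc_dt.astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(timestamps)


def rank_timezones(timestamps: List[str],
                   candidates: Dict[str, timezone]) -> List[Tuple[str, float]]:
    """Rank candidate zones by how much of the activity lands in their working hours."""
    scored = [(name, working_hours_fraction(timestamps, tz)) for name, tz in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, fraction in rank_timezones(SAMPLE_UTC, CANDIDATE_ZONES):
        print(f"{fraction:.0%}  {name}")
```

The result is a ranking, not proof: timestamps can be forged, operators can work shifts, and a small sample is noisy, which is why the researchers lean on the MiniDuke code overlap first and use the working-hours pattern as supporting evidence.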


6 – Class action lawsuit filed against Hy-Vee over data breach

A class action has been filed in Illinois against Hy-Vee, Inc., following a massive data breach that impacted its gas stations, coffee shops and restaurants. The company said malware accessed cards at fuel pumps for Hy-Vee gas stations between December 14, 2018, and July 29, 2019, and card payments at restaurants and drive-thru coffee shops between January 15, 2019, and July 29, 2019. Hy-Vee announced the breach in August 2019 after it noticed unauthorized activity on some of its payment processing systems. On Oct. 3, Hy-Vee shared additional details with customers about which locations and services were impacted.


7 – ASIO discloses LinkedIn foreign intelligence threat

The Australian Security and Intelligence Organisation (ASIO) tabled its annual report to Parliament Wednesday afternoon, providing an overview of its security performance and Australia’s security environment and outlook. In the report [PDF], ASIO disclosed it had issued advice to stakeholders across “government, business, and industry” about social media platforms being used to recruit people into hostile intelligence services. Specifically, the intelligence agency provided advice describing how LinkedIn and other social media platforms were being used to target people in positions of interest for foreign intelligence purposes.


8 – Stripe Users Targeted in Phishing Attack That Steals Banking Info

A phishing campaign using fake “invalid account” Stripe support alerts as lures has been spotted attempting to harvest customers’ bank account info and user credentials using booby-trapped Stripe customer login pages. Stripe is one of the top online payment processors, a company that provides the payment logistics internet businesses need to accept payments over the Internet from their e-commerce customers. This makes Stripe users the perfect target for threat actors looking to get their hands on banking info, seeing that the company handles billions of dollars in payments every year.


9 – Millions of Amazon Echo and Kindle Devices Affected by WiFi Bug

Millions of Amazon Echo 1st generation and Amazon Kindle 8th generation devices are susceptible to an old WiFi vulnerability called KRACK that allows an attacker to perform a man-in-the-middle attack against a WPA2-protected network. KRACK, or Key Reinstallation Attack, is a vulnerability in the 4-way handshake of the WPA2 protocol that was disclosed in October 2017 by security researchers Mathy Vanhoef and Frank Piessens. Using this attack, bad actors can decrypt packets sent by clients in order to steal sensitive information that is sent in plain text.
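What makes a reinstalled key dangerous is not the key itself but the packet counter that gets reset alongside it: WPA2's CCMP is a counter-mode cipher, so encrypting two frames under the same key and the same packet number reuses the keystream, and the fix (in the 802.11 supplicant and in the vendor patches Amazon shipped) is simply to refuse to reinstall a key that is already in use. The example below is added here and is not code from the article, from the researchers or from Amazon. It models a supplicant in its unpatched and patched forms, a receiver-side replay-counter check of the kind an access point already performs, and uses a SHA-256-based keystream as a stand-in for AES counter mode (the session key and frame contents are constructed).

```python
import hashlib
from typing import Optional, Tuple

# Constructed session key and two equal-length frames (not real traffic).
SESSION_KEY = b"constructed-session-key-for-demo"
FRAME_1 = b"GET /account HTTP/1.1"
FRAME_2 = b"POST /login HTTP/1.1 "


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in for the CCMP counter-mode keystream: SHA-256(key || PN || block index).

    The property that matters is shared with AES-CTR: same key and same packet
    number produce the same keystream, so the exact construction is irrelevant here.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the handshake. `patched` selects the post-KRACK behaviour."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.ptk: Optional[bytes] = None
        self.packet_number = 0

    def install_ptk(self, ptk: bytes) -> bool:
        # Patched supplicants ignore a retransmitted message 3 once the key is in use;
        # unpatched ones reinstall it and reset the packet number, which is the bug.
        if self.patched and self.ptk == ptk:
            return False
        self.ptk = ptk
        self.packet_number = 0
        return True

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        assert self.ptk is not None, "no key installed"
        self.packet_number += 1
        ct = xor(plaintext, keystream(self.ptk, self.packet_number, len(plaintext)))
        return self.packet_number, ct


class ReplayCheck:
    """Receiver-side replay counter: CCMP requires packet numbers to strictly increase per key."""

    def __init__(self) -> None:
        self.last_packet_number = 0

    def accept(self, packet_number: int) -> bool:
        # A packet number that goes backwards after the handshake is the observable
        # symptom of a reinstallation (or a replay) and is worth alerting on.
        if packet_number <= self.last_packet_number:
            return False
        self.last_packet_number = packet_number
        return True


def simulate(patched: bool) -> Tuple[int, int, bytes, bytes]:
    """Install the key, send a frame, receive a replayed message 3, send another frame."""
    client = Supplicant(patched)
    client.install_ptk(SESSION_KEY)
    pn1, ct1 = client.send(FRAME_1)
    client.install_ptk(SESSION_KEY)  # retransmitted handshake message 3
    pn2, ct2 = client.send(FRAME_2)
    return pn1, pn2, ct1, ct2


def keystream_was_reused(ct1: bytes, ct2: bytes) -> bool:
    """With the same keystream, ct1 XOR ct2 collapses to plaintext1 XOR plaintext2."""
    return xor(ct1, ct2) == xor(FRAME_1, FRAME_2)


if __name__ == "__main__":
    for label in ("unpatched", "patched"):
        pn1, pn2, ct1, ct2 = simulate(patched=(label == "patched"))
        print(f"{label}: packet numbers {pn1}, {pn2}; keystream reused: {keystream_was_reused(ct1, ct2)}")
```

For devices that cannot be patched, the receiver-side check is the practical mitigation point: an access point or wireless IDS that sees a client's packet number regress right after a handshake retransmission has observed the attack, and the affected session can be torn down and re-keyed.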


10 – Cashback Sites Leak Unencrypted Passwords, Bank & Other Sensitive User Data

The security research team at Safety Detectives has uncovered yet another data leak, 2 terabytes of data hosted on an exposed Elastic server. Affecting savvy shoppers in both India and the U.K., sister sites Pouringpounds.com and Cashkaro.com – both of which belong to Pouring Pounds Ltd. – have provided the dark web with yet another source of full PII and account access for up to 3.5 million individuals.
