Cathay Pacific has been hacked

In what appears to be the world’s biggest airline data breach, Cathay Pacific announced on October 24, 2018 on Twitter that it has been hacked. Hackers accessed personal information of 9.4 million customers, including:

  • Names, nationalities, dates of birth, telephone numbers, emails, physical addresses, passport numbers, identity cards and frequent-flier programs, and historical travel information.
  • 403 expired credit card numbers
  • 27 non-expired credit card numbers with no CVV (Card Verification Value printed on the card)
  • About 860,000 passport numbers
  • About 245,000 Hong Kong IDs.

The breach took place in March 2018 and was confirmed by investigators in May; however, it was disclosed only in October. Some local lawmakers criticized Cathay for taking so long to reveal the breach. Cathay responded that it wanted to have an accurate grasp of the situation, and that it took immediate steps once the breach was discovered.

Read more about it here.

Millions of Xiongmai video surveillance devices can be easily hacked

Over 9 million security cameras, digital video recorders (DVRs), and network video recorders (NVRs) manufactured by Hangzhou Xiongmai Technology Co., Ltd. contain vulnerabilities that can allow a remote attacker to easily take over devices, security researchers at EU-based SEC Consult revealed on October 10, 2018. But end users won’t be able to tell whether they are using a hackable device, because the company doesn’t sell any product with its name on it. Rather, it ships all equipment as white label for other companies to put their name on it. Over 100 companies using Xiongmai devices have been identified so far.

The vulnerability stems from the devices creating a secure tunnel with a cloud account. These cloud accounts haven’t been sufficiently protected: the accounts and their passwords can be easily guessed.

Read more about it here.

DHS issued an alert on attacks against Managed Service Providers

The United States Department of Homeland Security (DHS) has issued an alert about ongoing activity from an advanced persistent threat (APT) actor targeting global managed service providers (MSPs).

Managed services is the practice of outsourcing, on a proactive basis, certain processes and functions in order to improve operations and cut expenses. It is an alternative to the outsourcing model.

The alert says: “The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).” The alert provides some mitigation steps.

Read more about it here.

China planted a tiny chip on US computers for cyber espionage

According to a report published by Bloomberg News, China implanted a tiny chip, the size of a grain of rice, on computer equipment manufactured for US companies and government agencies. The attack reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain. The microchip was inserted on equipment manufactured in China for US-based Super Micro Computer Inc., one of the world’s biggest suppliers of server motherboards.

Amazon discovered the tiny chips in 2015, when it was about to acquire software firm Elemental and conducted a security assessment of equipment made for Elemental by Supermicro. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.

Read more about it here.

Facebook has been hacked – 50 million users’ data exposed

Facebook notified users on Sep. 28, 2018 that it discovered a security issue affecting almost 50 million accounts. A vulnerability in the “View As” feature, a feature allowing Facebook users to see how their profile looks to someone else, allowed cyber thieves to steal access tokens.

Facebook has logged the affected users out of their accounts, forcing them to generate a new access token upon their next login. Users who use Facebook to log in to other accounts and services may also be impacted. Facebook has temporarily disabled the “View As” function while it completes a thorough security investigation.

Read more about it here.

Akamai report: Credential stuffing attacks are rising

According to Akamai’s latest State of the Internet report on credential stuffing, this kind of attack continues to be a growing threat, with financial services companies being the major target.

Credential stuffing attacks occur when botnets try login credentials that were usually obtained through phishing attacks and data breaches. The bots attempt the same credentials on banks’ and retailers’ web sites. This kind of attack is efficient because of users’ bad habit of reusing the same username and password across multiple services and accounts.

8.3 billion malicious login attempts were detected from bots in May and June 2018, up from 6.3 billion in March and April 2018.

Read more about it here.

Newegg has been hacked

Electronic retailer Newegg has been hacked by Magecart, the same cybercrime group that hacked into British Airways.

Security companies Volexity and RiskIQ have conducted a joint investigation on the hack.

The Magecart group managed to hack into the Newegg web site and steal credit card information of all customers who made purchases between August 14 and September 18, 2018.

The hackers were able to inject 15 lines of malicious JavaScript code into the checkout process at Newegg. The code collected data and sent it back to the hackers. They used a domain called neweggstats.com, which they registered just the day before the attack started.
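A site owner can audit a checkout page for script hosts and endpoints outside an approved list, which would surface a lookalike domain such as the one named above. This is an added example, not code from the Volexity/RiskIQ investigation: the allowlist, the sample page and the URL path are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED = {"newegg.com"}  # assumption: the only first-party domain on the allowlist
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed checkout page; the path on neweggstats.com is a placeholder.
SAMPLE_PAGE = """
<html><body>
<script src="https://www.newegg.com/js/checkout.js"></script>
<script src="/js/local.js"></script>
<script src="https://analytics.example.org/t.js"></script>
<script>var endpoint = "https://neweggstats.com/constructed-path";</script>
</body></html>
"""

class ScriptCollector(HTMLParser):
    """Collect script src attributes and absolute URLs found in inline scripts."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            src = dict(attrs).get("src")
            if src:
                self.urls.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.urls += URL_RE.findall(data)

def is_allowed(host):
    # Exact match or a true subdomain; "neweggstats.com" is neither.
    return any(host == d or host.endswith("." + d) for d in ALLOWED)

def audit(html, brand="newegg"):
    collector = ScriptCollector()
    collector.feed(html)
    findings = set()
    for url in collector.urls:
        host = (urlparse(url).hostname or "").lower()  # relative URLs have no host
        if host and not is_allowed(host):
            findings.add((host, "lookalike" if brand in host else "unlisted"))
    return sorted(findings)
```

A static scan like this misses URLs that a script assembles at run time, so it complements a Content-Security-Policy that restricts where the checkout page may load scripts from and send data to.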

Read more about it here.

British Airways has been hacked

According to an announcement made on its web site, personal and payment card information of 380,000 British Airways customers was stolen from users making bookings on its website and app from 22:58 BST August 21, 2018 until 21:45 BST September 5, 2018.

The stolen information included name, address, email address and credit card information; it did not include travel or passport details.

The airline confirmed that the breach has been resolved, and its services are now operating normally.

In March 2015, British Airways Executive Club member accounts were hacked; however, that wasn’t considered a data breach, because hackers used information available in the underground.

Read more about it here.

Google discloses a Man-in-the-Disk attack on the Fortnite Android app

A Man-in-the-Disk attack can occur when an Android app stores files on the mobile device’s external storage, which is shared by all apps. A malicious app could tamper with files stored on the external storage.

In this case, the Fortnite app installer stored the install file on external storage and then ran that install file. Another app already installed on the device could observe that, replace the file with its own, and cause any code to run.

Epic Games has released a fix.

Read more about it here.

T-Mobile data breach exposed personal information of 2 million customers

T-Mobile announced on August 24 that on August 20, 2018, hackers gained unauthorized access to certain information on its servers. The information included customers’ name, billing zip code, phone number, email address, account number, and account type (prepaid or postpaid). The incident affected more than 2 million customers, or 3 percent of its 77 million customers.

The hackers were able to exploit an internal API (application programming interface) on T-Mobile’s servers that handled personal information. Luckily, the API doesn’t provide financial data or sensitive information.

Affected customers have been contacted by T-Mobile.

Read more about it here and here.