Toyota has been hacked for the second time in 5 weeks

On March 29, 2019, Toyota Motor Company (TMC) announced in Japan that its Tokyo Sales Holdings Inc., a TMC sales subsidiary, and its affiliated enterprises, as well as 3 other dealers in Japan, had been hacked. Unauthorized access had been detected on March 21, 2019 on a server containing data belonging to 3.1 million customers. Customer names and dates of birth were hacked, but no credit card information.

On February 21, 2019, Toyota Australia reported a security breach. Although no user or customer data was hacked at that time, the attack caused disruptions to its IT systems.

Read more about it here.

Over 2 billion records exposed by e-mail validation website Verifications.io

Security experts found an unprotected server operated by e-mail validation company Verifications.io, exposing 4 MongoDB databases. Initially, only one database was reported as being leaked. In total, 2,069,145,043 records (made up of both individual consumers and businesses) have been leaked.

Leaked information included first name, last name, e-mail, phone, city, state, date of birth, and more.

The good news is that the leaked data didn’t include financial data, medical records or other personal or confidential information.

The image below shows Verifications.io’s four MongoDB databases exposed to the internet.

The breached server and the web site have been down since.

Read more about it here.

Citrix has been hacked, notified by FBI

American software giant Citrix was notified by the FBI on March 6, 2019 that it has been hacked.

The FBI believes attackers used the “password spraying” technique to access the Citrix network. In this technique, a large number of accounts (usernames) are tried against a small number of commonly used passwords, such as “Password1” or “Summer2018”, so that no single account accumulates enough failures to trigger a lockout.
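Because spraying spreads a few guesses across many accounts, per-account lockout counters do not catch it; the signature is one source hitting many distinct usernames with few failures each. The following is an added detector over constructed sample auth log lines (not code from the article or from Citrix); the log format, IPs and usernames are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source_ip> <username> <result>".
# 203.0.113.7 sprays six accounts once each; 198.51.100.9 brute-forces one
# account; 192.0.2.5 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2019-03-01T08:00:01Z 203.0.113.7 alice FAIL
2019-03-01T08:00:02Z 203.0.113.7 bob FAIL
2019-03-01T08:00:03Z 203.0.113.7 carol FAIL
2019-03-01T08:00:04Z 203.0.113.7 dave FAIL
2019-03-01T08:00:05Z 203.0.113.7 erin FAIL
2019-03-01T08:00:06Z 203.0.113.7 frank FAIL
2019-03-01T08:01:00Z 198.51.100.9 alice FAIL
2019-03-01T08:01:01Z 198.51.100.9 alice FAIL
2019-03-01T08:01:02Z 198.51.100.9 alice FAIL
2019-03-01T08:01:03Z 198.51.100.9 alice FAIL
2019-03-01T08:02:00Z 192.0.2.5 alice FAIL
2019-03-01T08:02:10Z 192.0.2.5 alice OK
"""

def parse_line(line):
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result

def detect_spraying(lines, window=timedelta(minutes=10), min_users=5, max_fails_per_user=2):
    """Return {source_ip: distinct_users} for sources whose failures within
    `window` touch at least `min_users` accounts while no single account
    fails more than `max_fails_per_user` times: many users, few guesses
    each, which distinguishes spraying from brute-forcing one account."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        for i, (start, _) in enumerate(fails):  # slide a window over this source's failures
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_fails_per_user:
                flagged[src] = len(per_user)
                break
    return flagged
```

Real deployments would group by source network or user agent as well, since sprayers rotate IPs; the window and thresholds are tuning knobs, not fixed values.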

Once inside, the attackers worked to obtain more privileges. According to one source, 6TB of e-mails, documents and corporate secrets were stolen.

So far, there aren’t any indications that personal information was stolen.

Read more about it here.

Teen is first to earn $1M in bug bounties on HackerOne platform

Here are some of the highlights from the 2019 Hacker Report:

  • $19 million in customer bounties earned in 2018, nearly equal to the bounty totals for all preceding years combined.
  • By the end of 2018, hackers had earned over $42 million.
  • Some hackers earned $100K for one vulnerability.
  • A 19-year-old who goes by the handle “@try_to_hack” became the first white hat hacker to surpass $1 million in bounty awards.
  • The community has over 300,000 registered hackers.
  • Over 100,000 valid vulnerabilities have been submitted.

Read more about it here.

XSS flaw in Yahoo! Mail nets researcher $10,000 bounty

According to a recent report, Finnish researcher Jouko Pynnönen discovered a cross-site scripting (XSS) vulnerability affecting Yahoo! Mail. This was the third XSS flaw Pynnönen has reported to Yahoo!. He discovered the flaw in December 2018 and reported it to Yahoo!. In January, Yahoo! fixed the flaw and acknowledged Pynnönen’s efforts with a bug bounty of $10,000.

Read more about it here.

ICANN warns of large-scale attacks on Internet infrastructure

The Internet Corporation for Assigned Names and Numbers (ICANN) declared “an ongoing and significant risk” to key parts of the Domain Name System (DNS) infrastructure. “There have been targeted attacks in the past, but nothing like this”. The attacks go back to 2017. “There isn’t a single tool to address this”, ICANN said, calling for an overall hardening of web defenses. ICANN urged broader implementation of DNSSEC to prevent traffic hijacking and to prevent internet users from being misdirected from intended websites.

Read more about it here.

Android devices are still exposed to viewing a malicious PNG image

Google recently began the rollout of the February 2019 Android security update, which addresses 42 issues. One of the vulnerabilities fixed could enable a remote attacker using a specially crafted PNG file to execute arbitrary code, meaning access to the device the image is viewed on.

The vulnerability affects Android 7.0 and above. While Google has released a fix, it is currently available only for Pixel smartphones, the Pixel C tablet, and the Essential Phone.

What can you do in the meantime? Don’t open an image, especially a PNG file, received from an untrusted source. And apply the security update as soon as it becomes available.

Read more about it here.

ENISA publishes Threat Landscape Report 2018

According to the European Union Agency for Network and Information Security (ENISA) 2018 Threat Landscape Report, published on January 28, 2019, the cyber threat landscape changed significantly. The most important threat agent groups were cyber-criminals and state-sponsored actors. Monetization motives have contributed to the appearance of crypto-miners in the top 15 threats.

The main trends in the 2018 cyberthreat landscape are:

  • Mail and phishing messages have become the primary malware infection vector.
  • Exploit Kits have lost their importance in the cyberthreat landscape.
  • Cryptominers have become an important monetization vector for cyber-criminals.
  • State-sponsored agents increasingly target banks by using attack-vectors utilised in cyber-crime.
  • Skill and capability building are the main focus of defenders. Public organisations struggle with staff retention due to strong competition with industry in attracting cybersecurity talents.
  • The emergence of IoT environments remains a concern, due to missing protection mechanisms in low-end IoT devices and services. The need for generic IoT protection architectures/good practices remains pressing.

Read more about it here.

Researchers discover major cybersecurity flaws in Fortnite

Security experts at Check Point Research discovered several cybersecurity flaws in the popular online battle game Fortnite. One of the flaws is an OAuth account takeover vulnerability that could allow a remote attacker to take over gamer accounts by tricking players into clicking a specially crafted link.

Using three vulnerabilities found in Epic Games’ web infrastructure, researchers demonstrated how the token-based authentication process used in conjunction with Single Sign-On (SSO) systems at Facebook, Google+, Xbox Live and Sony PlayStation Network could be abused to steal the user’s access token and take over their account.

Once the token has been obtained, the attacker could access personal information, buy in-game currency at the user’s expense, eavesdrop on and record players’ in-game chatter and background home conversations.

One way to minimize the threat of falling victim to such an attack is to use two-factor authentication.

Check Point published a demo video of the attack:

Read more about it here.

Hot tub users are vulnerable to cyber attacks

Security experts at Pen Test Partners have discovered thousands of connected hot tubs are vulnerable to remote cyber attacks. Pen Test Partners, the UK security company that carried out the research, wrote: “Like most internet of things devices, the Wi-Fi module acts initially as in AP mode. The mobile app can connect as a client and control the tub locally. However, it can also configure the tub controller to be a client on your home network, so remote control from anywhere is possible through an API. The AP is open, no PSK, so anyone can stand near your house, connect their smart phone to your hot tub and control it. Your friendly neighbourhood hacker could control your tub.”

Pen Test Partners e-mailed the manufacturer, Balboa Water Group, in November 2018. The manufacturer promised a fix by the end of February 2019.

Read more about it here.