Another week, another unsecured S3 bucket. It's practically boring, I know. It's a big one though: it contains addresses, mortgage statuses, financial histories and even whether or not you own a cat, and that for practically every household in the US, 123 million in total. The bucket belongs to Alteryx, a US data analytics provider, which bought the data from credit reporting company Experian.
It was discovered by FireEye and dubbed 'Triton'. The malware can cause physical damage to industrial systems by overriding safety shutdowns, thereby potentially endangering lives. It joins a small family of malware written to cause physical damage, like the Stuxnet of old. A detailed write-up can be found here.
It doesn't happen often that a government officially points the finger at another nation for a cyber attack. The US government condemns North Korea and its Lazarus Group for the damage done, and calls on private industry to work together with the government to fight these attacks. There's a video in the article that shows the White House briefing.
To boil down all the fuss around this: it's really not that bad. A beta version of Windows 10 came with Keeper, a password manager, pre-installed. Researcher Tavis Ormandy noticed that the bundled version was vulnerable to password theft by any malicious site, very similar to a bug he had found in Keeper before. Keeper fixed it within 24 hours of being notified.
F5 researchers discovered the campaign. It exploits the Apache Struts vulnerability in combination with EternalBlue, EternalSynergy and a DotNetNuke bug, and infects both Linux and Windows environments. It could run any code, but currently uses its foothold to mine Monero cryptocurrency.
A web application used for secure document exchange was breached by manipulating its DNS records. The attacker obtained the credentials for the company's DNS provider account, which had no 2FA enabled. They handled it very well and shared what happened in a detailed blog post.
The plugin, which has 300,000 installs, was bought a few months ago from the original developer and was then shipped with a backdoor that creates an authenticated admin account. It's apparently used to plant backlinks from the compromised sites to a set of payday loan companies owned by a single person, boosting their search engine rankings.
Unrelated to the previous item, a massive wave of WordPress brute force attacks was launched this week. It originates from over 10,000 unique IP addresses and at its peak targeted 190,000 WordPress sites per hour. If a site is breached, the attack either turns the site into yet another brute force scanner or installs a Monero miner. The attackers have made at least $100,000 so far.
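As an added example (not code from the newsletter or from any WordPress project), here is the detection side of the item above: a sliding-window check over web server access logs that flags a source IP once it POSTs to wp-login.php too often in a short period. The log lines are constructed for the demo (RFC 5737 documentation addresses), and the threshold and window are assumptions you would tune for your own site.

```python
"""Sliding-window detector for WordPress login brute forcing.

Added example, not from the newsletter or from WordPress. It parses combined
log format lines, keeps the timestamps of recent POSTs to wp-login.php per
source IP, and flags an IP once `threshold` attempts fall inside `window_seconds`.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample traffic, not real logs. 203.0.113.5 hammers the login
# form; 198.51.100.7 logs in normally; 192.0.2.9 is slow enough to stay under
# a 60 second window but not a 10 minute one.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Dec/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Dec/2017:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Dec/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Dec/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Dec/2017:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Dec/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Dec/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Dec/2017:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Dec/2017:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Dec/2017:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Dec/2017:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Dec/2017:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Dec/2017:10:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak attempts seen inside one window} for every IP that
    reached `threshold` POSTs to /wp-login.php within `window_seconds`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    events.sort(key=lambda e: e[1])  # access logs are not always in time order
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of attempts inside the window
    flagged = {}
    for ip, ts, method, path in events:
        if method != "POST" or path.split("?", 1)[0] != "/wp-login.php":
            continue
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:  # drop attempts that aged out of the window
            attempts.popleft()
        if len(attempts) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(attempts))
    return flagged


if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

Per-IP counting is the easy half. A campaign spread over 10,000 addresses, as in the item above, can keep each address under any per-IP threshold, so a second view keyed on the target username (or on the site as a whole) across all sources is what catches the distributed case.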
The DDE mechanism, normally used to share data between Office applications, has recently gained popularity with malware authors. Microsoft's latest updates disable DDE by default to put a stop to this.
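Disabling DDE client-side is the fix; on the detection side, a document that carries a DDE field at all is worth a look. As an added example (not code from the newsletter or from Microsoft), the scanner below opens a .docx, joins the field-code runs of each paragraph and reports any field that starts with DDE or DDEAUTO. The sample document is constructed in memory with placeholder field arguments; the joining step matters because a field code can be split across several `w:instrText` runs, which defeats a plain string search on the raw XML.

```python
"""Report DDE field codes inside a .docx.

Added example, not from the newsletter or from Microsoft. Word stores complex
field codes as <w:instrText> runs between fldChar begin/end markers and simple
fields as <w:fldSimple w:instr="...">; both are checked, in every word/*.xml part.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# DDE and DDEAUTO are the field keywords that start a DDE link.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def build_sample_docx(instr_parts):
    """Construct a minimal .docx whose one paragraph holds one complex field,
    with its code spread over len(instr_parts) instrText runs (demo input only)."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{part}</w:instrText></w:r>'
        for part in instr_parts
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'{runs}'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>field result</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stub; the scanner ignores it
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def find_dde_fields(docx_bytes):
    """Return [(part name, normalised field code)] for every DDE field found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Headers, footers and footnotes live in their own parts, so scan all of word/.
        parts = [n for n in zf.namelist() if n.startswith("word/") and n.endswith(".xml")]
        for name in parts:
            root = ET.fromstring(zf.read(name))
            # Complex fields: join the instrText runs of a paragraph so a code that
            # was split into " DD" + "EAUTO" is seen whole. One join per paragraph
            # is enough for flagging, even if a paragraph holds several fields.
            for para in root.iter(W + "p"):
                code = "".join(t.text or "" for t in para.iter(W + "instrText"))
                code = " ".join(code.split())
                if DDE_RE.search(code):
                    hits.append((name, code))
            # Simple fields keep the whole code in an attribute.
            for fld in root.iter(W + "fldSimple"):
                code = " ".join(fld.get(W + "instr", "").split())
                if DDE_RE.search(code):
                    hits.append((name, code))
    return hits


if __name__ == "__main__":
    split_field = build_sample_docx([" DD", "EAUTO", ' "placeholder-app" "placeholder-arg" '])
    print(find_dde_fields(split_field))
    print(find_dde_fields(build_sample_docx([" PAGE "])))  # []
```

This only inspects .docx; the same field mechanism exists in other Office formats, and a field can also reach DDE through other routes than these two keywords, so treat a clean result as one signal rather than a verdict.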
Interesting read on the security problem that affected all Estonian e-IDs and how they fixed it. Warning: it includes math, but you can skim over that. In short, their RSA-based crypto was broken, so they had to switch every card to elliptic curve crypto in one mass update. Kudos, they seem to have handled it very well.
Called Tripwire, it was developed at the University of California, San Diego. It creates thousands of accounts with unique e-mail addresses on more than 2,000 websites, using the same password for the e-mail account and the website account. If someone logs in to the e-mail account, the website must have been breached. They detected 19 breaches, none of which had been disclosed at the time.
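The attribution logic behind that approach, as an added example that is not the UC San Diego Tripwire code: every monitored site gets a mailbox of its own plus a password shared between the mailbox and the site account, so a login to that mailbox by anyone other than your own monitor can only come from someone who obtained the site's credentials. The mail domain, the monitor addresses and the login events below are constructed for the demo.

```python
"""Honey-account tripwire: attribute a mailbox login to the site that leaked it.

Added example, not the Tripwire project's code. A registry hands out one
random, unique mailbox per site; later, mailbox login events are matched back
to the site whose account shares that mailbox and password.
"""
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class HoneyAccount:
    site: str
    email: str
    password: str  # used for both the mailbox and the account on `site`


class TripwireRegistry:
    def __init__(self, mail_domain, monitor_ips):
        self.mail_domain = mail_domain        # assumed: a domain whose mailboxes you control
        self.monitor_ips = set(monitor_ips)   # assumed: addresses your own checks log in from
        self._by_email = {}

    def register(self, site):
        """Create one honey account for a site. The mailbox is random and never
        shared between sites; that uniqueness is what makes a login attributable."""
        alphabet = string.ascii_lowercase + string.digits
        local = "".join(secrets.choice(alphabet) for _ in range(12))
        email = f"{local}@{self.mail_domain}"
        if email in self._by_email:  # vanishingly unlikely, but never reuse a mailbox
            return self.register(site)
        acct = HoneyAccount(site=site, email=email, password=secrets.token_urlsafe(16))
        self._by_email[email] = acct
        return acct

    def detect_breaches(self, mail_logins):
        """mail_logins: iterable of {"email", "src_ip", "when"} dicts from the
        mail server's login log. Returns {site: [events]} for every site whose
        honey mailbox saw a login that was not our own monitoring check."""
        breached = {}
        for ev in mail_logins:
            acct = self._by_email.get(ev["email"])
            if acct is None:                      # not a honey mailbox
                continue
            if ev["src_ip"] in self.monitor_ips:  # our own health check
                continue
            breached.setdefault(acct.site, []).append(ev)
        return breached


def demo():
    reg = TripwireRegistry("honey.example", monitor_ips={"192.0.2.10"})
    shop = reg.register("shop.example")
    forum = reg.register("forum.example")
    # Constructed mailbox login events: one monitor check, one foreign login,
    # and one login to a mailbox that is not a honey account at all.
    events = [
        {"email": shop.email, "src_ip": "192.0.2.10", "when": "2017-12-18T09:00:00Z"},
        {"email": forum.email, "src_ip": "198.51.100.23", "when": "2017-12-18T11:42:00Z"},
        {"email": "someone@honey.example", "src_ip": "198.51.100.23", "when": "2017-12-18T11:43:00Z"},
    ]
    return sorted(reg.detect_breaches(events))


if __name__ == "__main__":
    print(demo())  # ['forum.example']
```

Two things follow from the design. The mailbox must be used for nothing else, or a login stops being evidence. And if the site stores passwords hashed, the attacker has to crack the hash before the tripwire fires, so the breaches it reports are a lower bound.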
Fantastic blog post on the fundamentals of the Windows API and how it can be used to detect malware. If you're like me and know diddly squat about Windows internals, DLLs, etc., you might enjoy this technical yet readable write-up.
WAFs are a good security measure, but the security of your web applications should not depend on them alone. Watch this demo on Paul's Security Weekly in which a researcher from Netsparker explains and demonstrates how modern web application firewalls can be bypassed.