Cyware Weekly Threat Intelligence, November 25 - 29, 2019

Share Blog post

The Good

Yet another week has passed by, and it was bustling with activity in cyberspace — both ethical and otherwise. Let’s begin the weekly review of cybersecurity happenings with the positive ones. The Finnish Transport and Communication Agency Traficom announced that cybersecurity labels for IoT devices would be issued. SoniTalk, a new method for near-field communication focused on security, has been made freely available. In other news, researchers from the National Tsing Hua University (NTHU) have developed a new cryptographic technique to transmit encrypted messages.

  • Traficom, the Finnish Transport and Communications Agency, has announced that the country would issue cybersecurity labels for IoT devices. This initiative aims to raise awareness about information security and the safe use of IoT devices among customers. Labels are said to be awarded to connected devices that meet the criteria specified by EN 303 645, a document that outlines IoT security specifications.
  • SoniTalk, a new method for near-field communication with a focus on data protection and security, has been made freely available as an open-source technology. This method lets users decide in which cases which apps and devices are allowed to communicate through ultrasound.
  • The European Union Agency for Cybersecurity (ENISA) has published a report detailing good cybersecurity practices for the maritime sector. The agency has also published another report on cybersecurity for connected and (semi-)automated cars.
  • Researchers from the National Tsing Hua University (NTHU) have developed a new cryptographic technique using quantum technology to transmit encrypted messages. This technique is said to be much harder to decrypt than the currently available cryptography. Pulsed laser light was used to produce photons, on which researchers encoded binary code.

The Bad

Cyber incidents were reported in plenty this week. In a massive breach this week, an open database exposed the data of over 1.2 billion people. Facebook and Twitter disclosed that the data of hundreds of Android users may have been improperly accessed after their accounts were used to log in to Google Play Store apps. Meanwhile, Adobe disclosed that its Magento Marketplace suffered a security breach impacting the account details of registered users.

  • An open Elasticsearch database was found to be leaking more than 4 terabytes of data associated with People Data Labs and OxyData, two data enrichment companies. Personal and social information of over 1.2 billion people, is said to be impacted by this leak. Researchers have not been able to attribute the database to a specific company.
  • Facebook and Twitter announced that hundreds of Android users may have had their data improperly accessed after the accounts were used to log in to Google Play Store apps. This reportedly happened because One Audience, a software development kit, allowed third-party developers to access users’ personal data. Twitter said that it had notified Apple and Google of the vulnerability.
  • Adobe disclosed the details of a security breach that impacted the company's Magento Marketplace. An unauthorized third-party is said to have accessed the account information of registered users. Plugin and theme developers as well as users registered to buy the theme and plugins have been reportedly impacted.
  • Smartphone vendor OnePlus suffered a data breach that involved the order information of certain customers. The company said that payment information, passwords, and accounts were not impacted. The incident has been reported to relevant authorities and an investigation is said to be in progress.
  • The New York City Police Department’s fingerprint database was hit by a ransomware attack in October 2018, and the incident was reported this week. This incident is said to have occurred when an infected third-party vendor’s machine was connected to the police network. Officials said that the system was shut down for hours while the software was reinstalled on all the systems.
  • The Online Registration System (ORS) website, a health portal run by the Indian government, was discovered to be risking the data of about 2 million people. A security flaw in the website potentially allowed access to patient names, age, mobile numbers, addresses, and partial Aadhar numbers among other details. This vulnerability is said to have been fixed in October last year.
  • Mexican food chain On the Border has issued notice of data breach in a payment processing system. The company said that some credit card information used between April 10 and August 10, 2019, could have been potentially compromised. Investigation of the incident was said to be ongoing.
  • Hackers were reported to have stolen 342,000 Ethereum coins from the South Korean cryptocurrency exchange Upbit. The stolen cryptocurrency is said to be worth $48.7 million. The company has suspended withdrawals and deposits for the time being.
  • Spanish security company Prosegur was hit by a ransomware attack that impacted the company’s telecommunication platform. In order to avoid malware propagation, the company has limited its customer communications. Prosegur was said to be analyzing this security incident and working on restoring services as soon as possible.

New Threats

This week witnessed the emergence of several new malware strains and vulnerabilities. Thousands of Android applications were reported to be impacted by a GIF processing vulnerability that was recently disclosed. The Common Weakness Enumeration (CWE) list of the 25 most dangerous software vulnerabilities has been updated for the first time in eight years. In other news, security experts have reported that the new Dexphot malware has infected more than 80,000 computers.

  • Thousands of Android applications were said to be impacted because of a recently disclosed GIF processing vulnerability. Tracked as CVE-2019-11932 this flaw is a stack buffer overflow that could be exploited using MP4 video files. This flaw was initially discovered in Whatsapp and has been patched by its parent company Facebook.
  • The Common Weakness Enumeration (CWE) list outlining the 25 most dangerous software vulnerabilities has been updated for the first time in eight years. The updates were made using a data-driven approach based on reported real-world vulnerabilities. The list has been compiled from the publicly reported vulnerabilities available in the National Vulnerabilities Database (NVD).
  • According to security experts at Microsoft, the new Dexphot malware has infected more than 80,000 computers. This malware is a second-stage payload, that is dropped on infected systems by other malware. It hijacks the resources of the infected system and mines cryptocurrency.
  • Researchers have spotted a new ransomware variant called PureLocker that is used in targeted attacks against company servers. It is known to encrypt the victim’s server and demand a ransom. The ransomware is said to be named PureLocker because it has been written in the programming language PureBasic.
  • The U.S. National Security Agency (NSA) has warned against the dangers of Transport Layer Security Inspection (TLSI). The advisory released by the NSA outlines the associated risks and provides mitigation measures for organizations using the TLSI.
  • Security experts reported the discovery of a new version of the Tushu SDK, that was found infecting apps in Google Play earlier this year. This new version, dubbed Twoshu SDK, is said to contain several evasive techniques. This newly discovered SDK collects several details including International Mobile Equipment Identity (IMEI) numbers, GPS coordinates, and the Wi-Fi SSIDs from devices.
  • According to Google’s Threat Analysis Group (TAG), the company had warned 12,000 users across 149 nations about phishing attacks by state-backed hackers. These warnings were said to be sent between July and September this year. The number of warnings sent to users is said to be consistent with the numbers in the years of 2017 and 2018.
  • National Cyber Security Centre (NCSC) in the Netherlands has published a confidential report that states that at least 1,800 companies across the world are affected by ransomware. The victims are said to be from several industries including construction, chemical, food, health, entertainment, and the automotive industry. The report also names LockerGoga, MegaCortex, and Ryuk as the common forms of ransomware.


common weakness enumeration
magento marketplace

Posted on: November 29, 2019

Get the Weekly Threat Briefing delivered to your email!

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

Join Thousands of Other Cyware Followers!