ZoneAlarm, an Israeli-owned cybersecurity firm, suffered a data breach exposing the data of its discussion forum users.
ZoneAlarm is an Internet Security software company that provides consumer antivirus and firewall products with nearly 100 million downloads.
The company sent an email notification to ZoneAlarm forum users advising them to change their forum account passwords, informing them that hackers had gained unauthorised access to forum members' data, including names, email addresses, hashed passwords and dates of birth. It is unclear when the attackers compromised the ZoneAlarm forum.
The security incident only affects users registered with the “forums.zonealarm.com” domain, which has nearly 4,500 subscribers. This website is separate from any other website and is used by a small number of subscribers who registered for this specific forum. “The website became inactive to fix the problem and will resume as soon as it is fixed. You will be requested to reset your password once joining the forum,” reads the data breach notification message.
It is embarrassing that the incident was caused by a lack of patch management for the affected forum. A spokesperson confirmed to The Hacker News that attackers exploited a known critical RCE vulnerability, CVE-2019-16759 in the vBulletin forum software, to compromise ZoneAlarm’s website and gain unauthorised access.
The hot wallet of Upbit was ransacked by hackers who stole 342,000 Ethereum (ETH), worth $48.5 million in cryptocurrency.
Upbit is a South Korean cryptocurrency exchange initially launched as a partnership between Bittrex and the South Korean app maker Dunamu. Upbit ranked third globally and first in Korea in the April Market Surveillance report published by the Blockchain Transparency Institute on April 12, 2019.
“At 1:06 PM on 27 November 2019, 342,000 ETH (approximately 58 billion won) were transferred from the Upbit Ethereum Hot Wallet to an unknown wallet. Unknown wallet address is 0xa09871AEadF4994Ca12f5c0b6056BBd1d343c029,” reads the data breach notification published by the company.
The attackers made a total of 40 transactions moving the 342,000 ETH that had been stored in the exchange's main hot wallet.
Data records of 1.2 billion users were found openly exposed, without password protection or authentication, on an Elasticsearch server.
Bob Diachenko and Vinny Troia discovered the Elasticsearch server, containing 4 billion user accounts spanning more than four terabytes of data, on October 16, 2019.
“This is the first time I’ve seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers and associated account URLs. That’s a lot of information in one place to get you started,” Troia said.
The exposed records
The leaked data contained names, email addresses, phone numbers, LinkedIn and Facebook profile information.
The company discovered the breach on April 23, 2019, when its engineering staff noticed suspicious activity that had occurred on April 21-22, 2019.
The databases contained users’ account information such as name, Flipboard username, cryptographically protected password and email address.
Additionally, the database contained the digital tokens used for connecting a Flipboard account to third-party accounts.
‘High-valued’ Social Media Accounts Targeted by SIM-Swappers for Cryptocurrency.
Two Massachusetts men have been charged in connection with a two-year scheme of alleged SIM swapping attacks targeting ‘high-value’ social media accounts and stealing cryptocurrency.
According to the announcement on November 14, the two Massachusetts men, Eric Meiggs, 21, and Declan Harrington, 20, were arrested on Thursday and charged in U.S. district court in Boston in an 11-count indictment: one count of conspiracy, eight counts of wire fraud, one count of computer fraud and abuse, and one count of aggravated identity theft.
How did the two Massachusetts men attack?
According to the indictment, the pair allegedly stole or attempted to steal over $550,000 in cryptocurrency from at least 10 victims throughout the U.S. since November 2017.
Meiggs and Harrington allegedly targeted executives of cryptocurrency companies thought to own significant amounts of cryptocurrency, as well as owners of “high-value” social media accounts, which were hijacked. The pair used the illegal SIM swapping technique to take control of the victims’ social media and other sensitive accounts.
ZombieLoad v2, or TSX Asynchronous Abort (TAA), a vulnerability affecting Intel CPUs that support the TSX feature, has been disclosed.
ZombieLoad was discovered and reported by Michael Schwarz, Moritz Lipp and Daniel Gruss.
ZombieLoad is one of the Microarchitectural Data Sampling (MDS) speculative execution vulnerabilities that affect Intel processor generations released from 2011 onwards.
The vulnerabilities affecting Intel CPUs known as Microarchitectural Data Sampling (MDS) attacks are security flaws in the same family as Meltdown, Spectre and Foreshadow. Because MDS attacks target different parts of the CPU’s speculative execution process, they differ from the original Meltdown, Spectre and Foreshadow bugs. The microarchitectural data structures involved include the load, store and line fill buffers, which the CPU uses for fast reads and writes.
Transactional Synchronization Extensions (TSX)
Intel’s Transactional Synchronization Extensions add hardware transactional memory support, speeding up the execution of multi-threaded software through lock elision.
What is ZombieLoad v2 and how does it work?
ZombieLoad v2 resides in Intel’s Transactional Synchronization Extensions (TSX). It is referred to as “Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA)” and has been assigned CVE-2019-11135. The flaw arises when data currently being stored or executed on the CPU becomes readable to foreign entities by creating a conflict between read operations inside the CPU. This leaks data about what is being processed inside an Intel CPU.
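A defender's first question after reading the above is whether a given Linux host still exposes TSX and whether the kernel reports TAA as mitigated. The script below is an added example, not code from the article or from the ZombieLoad researchers. It assumes a Linux kernel that publishes the TAA status in the sysfs vulnerabilities directory (the tsx_async_abort file added with the CVE-2019-11135 mitigations) and that /proc/cpuinfo lists the rtm flag when the CPU exposes TSX; when neither is readable it falls back to constructed sample lines in the kernel's format so it still runs.

```shell
#!/bin/sh
# Added example (not from the original article): read and classify the Linux
# kernel's TSX Asynchronous Abort (TAA) mitigation report for CVE-2019-11135.
# Assumption: the kernel exposes the sysfs file below (kernels with the TAA fix).
TAA_SYSFS="/sys/devices/system/cpu/vulnerabilities/tsx_async_abort"

# taa_status LINE: map one kernel report line to a short verdict.
# Kernel wording: "Not affected", "Vulnerable[: ...]", "Mitigation: ..."
taa_status() {
  case "$1" in
    "Not affected"*) echo "not-affected" ;;
    "Mitigation:"*)  echo "mitigated" ;;
    "Vulnerable"*)   echo "vulnerable" ;;
    *)               echo "unknown" ;;
  esac
}

# smt_status LINE: the same report line also says whether a sibling hyperthread
# can still sample leaked data ("SMT vulnerable") or SMT is off ("SMT disabled").
smt_status() {
  case "$1" in
    *"SMT vulnerable"*) echo "smt-vulnerable" ;;
    *"SMT disabled"*)   echo "smt-disabled" ;;
    *)                  echo "smt-unspecified" ;;
  esac
}

# has_tsx FLAGS_LINE: succeed (0) if a /proc/cpuinfo flags line lists "rtm",
# i.e. the CPU exposes the TSX feature that TAA depends on.
has_tsx() {
  case " $1 " in
    *" rtm "*) return 0 ;;
    *)         return 1 ;;
  esac
}

# read_taa_report: the live report when readable, otherwise a constructed
# sample in the kernel's format so the script runs on any host.
read_taa_report() {
  if [ -r "$TAA_SYSFS" ]; then
    cat "$TAA_SYSFS"
  else
    echo "Mitigation: Clear CPU buffers; SMT vulnerable"   # constructed sample
  fi
}

report=$(read_taa_report)
echo "TAA report : $report"
echo "verdict    : $(taa_status "$report") / $(smt_status "$report")"

if grep -q '^flags' /proc/cpuinfo 2>/dev/null; then
  flags=$(grep -m1 '^flags' /proc/cpuinfo)
else
  flags="flags : fpu vme sse2 rtm hle"                     # constructed sample
fi
if has_tsx "$flags"; then
  echo "TSX (RTM)  : present - TAA mitigation status above matters on this CPU"
else
  echo "TSX (RTM)  : absent"
fi
```

Run it as `sh taa_check.sh`. A result of `mitigated / smt-vulnerable` means the kernel clears CPU buffers on context switches but a sibling hyperthread can still sample leaked data, so the remaining decision is whether to disable SMT or TSX (via the kernel's tsx= boot parameter) on hosts that run untrusted code alongside sensitive workloads.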
More than 50% of Workstations at a European Airport Infected with Cryptocurrency Miners
A new cryptocurrency mining campaign has infected about 50% of the workstations at a European international airport.
Can you guess how many more airports may have malware in their systems?
The suspected malware
According to Cyberbit researchers, the malware was discovered while installing Cyberbit’s Endpoint Detection and Response (EDR). Cyberbit EDR is an advanced behavioural detection and threat hunting platform.
“While rolling out Cyberbit’s Endpoint Detection and Response (EDR) in an International Airport in Europe, our researchers identified an interesting crypto mining infection, where cryptocurrency mining software was installed on more than 50% of the airport’s workstations,” Cyberbit wrote.
New Malware named Agent Smith Infected 25 Million Android Devices
Security researchers have discovered a new variant of mobile malware named Agent Smith which has already infected around 25 million Android devices.
Disguised as a Google-related application, the malware exploits known vulnerabilities in Android and automatically replaces installed applications with malicious versions.
Three Phases of Malware Infection
In the first phase, the attacker lures the users to download a dropper application disguised as free games, utility applications or adult entertainment applications.
The initial dropper has a weaponized Feng Shui Bundle as encrypted asset files.
In the second phase, the dropper automatically decrypts and installs its core malware by abusing several known system vulnerabilities without any user interaction.
In the third phase, the core malware targets each application on its target list by quietly extracting the application's APK file and patching it with extra malicious modules.
The malware then replaces the original application with the malicious one as if it were an update.