Sunday, October 2, 2016

Issue 84 - Week of Sep 26th


1.      Zerodium offers $1.5 Million bounty for iOS Zero-day exploits: Exploit vendor Zerodium has tripled its bug bounty for an Apple iOS 10 zero-day exploit, offering a maximum payout of US$1.5 Million. That is seven times more than Apple's $200k bug bounty program. Last year (Issue 31), the same vendor offered $1 Million for an iOS 9 exploit, and a few weeks later a team of hackers won that money. The company has also doubled its bug bounty for Android 7.x (Nougat) remote jailbreaks to $200,000. The price hike is in line with demand and the tougher security of the latest iOS and Android operating systems, and is meant to attract more researchers, hackers and bug hunters to seek complex exploit chains in iOS 10.

2.      World's largest 1 Tbps DDoS attack launched from 152,000 hacked Smart devices: France-based hosting provider OVH was the victim of record-breaking Distributed Denial of Service (DDoS) attacks that reached over one terabit per second (1 Tbps) over the past week. As the Internet of Things (IoT) or connected devices (like televisions, cars, refrigerators or thermostats) grow at a great pace, they continue to widen the attack surface at the same time, giving attackers a large number of entry points. The worst part: there are no security updates in line for these insecure IoT or internet-connected devices. In Issue 54, we discussed a 400 Gbps attack that could be rented.

3.      Jive resets passwords after August data breach: US-based Jive Software is a provider of communication and collaboration solutions for business. After the company discovered a data breach, it reset customers' passwords. The breach was discovered in its Producteev task management software, as its logins were held in a file outside the normal encryption procedures of the company. No other Jive products were impacted by the breach.

4.      'Syrian Electronic Army (SEA)' Hacker pleads guilty in US court: One of the FBI's Most Wanted Hackers who was arrested in Germany earlier this year has pleaded guilty to federal charges for his role in a scheme that hacked computers and targeted the US government, foreign governments, and multiple US media outlets. SEA hackers were allegedly engaged in a long-running cyber-propaganda campaign and used "spear-phishing" tactics to target computer systems. The hacker faces up to 5 years in prison and is scheduled to be sentenced on 21st October.

5.      Yahoo data breach may have hit over 1 Billion users: Last issue, Yahoo confirmed 'state-sponsored' hackers stole personal data from 500m accounts. Now a report indicates that the number of affected Yahoo accounts may be between 1 Billion and 3 Billion. Yahoo's back-end system architecture is designed in such a way that all of its products use one main user database (UDB) to authenticate users; this central database is what got compromised.

6.      Multiple backdoors found in D-Link Router: D-Link DWR-932B LTE router is allegedly vulnerable to over 20 issues, including backdoor accounts, default credentials, leaky credentials, firmware upgrade vulnerabilities and insecure UPnP (Universal Plug-and-Play) configuration. If successfully exploited, these vulnerabilities could allow attackers to remotely hijack and control any router, as well as the network, leaving all connected devices vulnerable to man-in-the-middle and DNS poisoning attacks. The hacked router can be easily abused by cybercriminals to launch massive Distributed Denial of Service (DDoS) attacks. One of the vulnerabilities involves sending the "HELODBG" string as a secret hard-coded command to UDP port 39889, which in return launches Telnet with root privileges without any authentication.

7.      First-ever Ransomware for smart Thermostat: Ransomware is known for its attacks on Computers, Smartphones and TVs; now two white hat hackers have shown the first proof-of-concept (PoC) ransomware that infects a smart thermostat. The hackers hacked a US thermostat that runs a modified version of Linux, and used the SD card slot meant to load custom settings. The downside of the PoC was that it required physical access to the IoT device, but since the Internet of Things is currently being deployed in a large variety of uses throughout homes, businesses, hospitals, and even entire cities that are called Smart Cities, it gives attackers a large number of entry points to attack in one way or another.

8.      Majority of enterprises admit they are vulnerable to insider threats: The majority of enterprise players admit they are vulnerable to insider threats to their networks and a third have already become victims, according to new research. Insider threats are not always due to malicious, unprincipled employees. While it is possible that such staff members could access corporate data for sale or trade illegally, it is often accidental insider threats which are the source of data breaches, such as in the case of Snapchat this year, when a cybercriminal posed as the firm's CEO in order to dupe HR into handing over staff payroll data. In the majority of organizations, employee training, identity management solutions, data leakage prevention solutions and insider threat solutions were seen as effective tools to combat insider threats.

9.      Clinton, Trump debate 'Twenty-First Century War' of Cyberattacks: Both Clinton and Trump stressed the importance of cybersecurity for the next administration. Both candidates to date have had some very public cybersecurity woes of their own: Trump with his Trump International Hotels data breach, and Clinton with the Democratic National Committee (DNC) breach. She blamed Russia for the DNC hack while he disputed that conclusion and said nobody knows who the actual hackers are. Most experts welcome this political discussion on cybersecurity but would like to hear more in terms of policies for mitigating cybersecurity threats and preventing data leakage that affect governments and private businesses.

Ransomware attack on Kerala Govt.: The Kerala state forest department has suffered a Ransomware attack. Computers containing crucial data pertaining to accounts and finance were locked out. The IT team and CERT tried in vain to retrieve the data. They have now decided to forgo the data. Meanwhile in Mumbai, someone hacked Bollywood actress Kareena Kapoor's Income Tax account and filed a false return claim. A police complaint has been filed and an investigation is on.


Source: Zerodium website

