Wikipedia goes partly offline after massive DDoS attack

Attackers launched a massive DDoS attack against Wikipedia and succeeded in taking its website down in several countries. Wikipedia, the global online encyclopedia, experienced intermittent service outages between September 6 and September 7, 2019. “Wikipedia has been experiencing intermittent outages today as a result of a malicious attack. We're continuing to work on restoring access. #wikipediadown,” Wikipedia tweeted. Meanwhile, the official Twitter account for Wikipedia in Germany tweeted that “the Wikimedia server of Wikimedia Foundation, which also hosts Wikipedia, is currently being paralyzed by a massive and very broad DDoS attack. #Wikipedia and her sister projects are therefore temporarily unavailable. Sorry!” The attack began on Friday, September 6, 2019, and affected users in several countries, including the U.K., France, Germany, Italy, the Netherlands, Poland and parts of the Middle East. The Wikimedia Foundation said that Wikipedia sometimes attracts malicious actors because it is one of the world’s most popular sites, and that the Wikimedia communities and the Foundation maintain dedicated systems and staff to monitor and address such risks. “As one of the world’s most popular sites, Wikipedia sometimes attracts ‘bad faith’ actors. Along with the rest of the web, we operate in an increasingly sophisticated and complex environment where threats are continuously evolving. Because of this, the Wikimedia communities and Wikimedia Foundation have created dedicated systems and staff to regularly monitor and address risks. If a problem occurs, we learn, we improve, and we prepare to be better for next time,” said the Wikimedia Foundation.


Monster job applicants information exposed due to unprotected server

The personal information of job applicants from the job recruitment site Monster was exposed by a misconfigured server that was publicly accessible without any authentication. According to a statement from Monster, the server was operated by one of its customers. The exposed server contained hundreds of resumes, CVs, and other files from job applicants who applied for jobs between 2014 and 2017. The resumes included applicants’ personal information, including phone numbers, email addresses, home addresses, and work history. Other files on the exposed server included immigration documentation for work, which Monster does not collect. Monster said that the unprotected server belonged to a recruitment company that was a customer of Monster.com and other recruitment sites, and added that it no longer works with that customer. A security researcher who discovered the leaky server alerted Monster’s security team to the data leak in August 2019. Upon learning of the incident, Monster notified the recruitment company of the issue and the server was secured. Monster said that it is unable to determine which users were affected because the exposure occurred on a customer system. Furthermore, the job recruitment site did not notify its users about the exposure, stating that customers are the owners of this database and are responsible for notifying the affected users. “Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security. Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database,” Monster said, TechCrunch reported.


Uber patches vulnerability that could allow attackers to compromise users’ accounts

A vulnerability discovered in Uber could have allowed attackers to take control of any user account. The flaw affected both riders and drivers. Anand Prakash, the founder of AppSecure, found that the issue could be exploited via an application programming interface (API). The first step was to obtain the universally unique identifier (UUID) of any user by sending an API request that included either their telephone number or email address. “Once you have the leaked Uber UUID from the API request, you can replay the request using the victim’s Uber UUID and get access to private information like access token (mobile apps), location and address,” explained Prakash. With the mobile app’s access token, Prakash was able to completely compromise an account, request a ride, retrieve payment information, and more. Uber was quick to fix the issue once it was reported. "Uber was very quick in rectifying the vulnerability after my report," said Prakash, Forbes reported. The ride-hailing company had a fix in place by April 26, 2019.
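The Uber flaw above is a missing object-level authorization check: the API authenticated the caller but never verified that the caller owned the UUID being requested. The following Python is an added example written for this digest, not Uber's code; every account, UUID and token in it is a constructed placeholder. It places the flawed handler beside a hardened one and also shows a lookup that never resolves an email address to another user's UUID, which removes the first link of the chain described above.

```python
"""Object-level authorization check for a user-profile API.

Added example, not Uber's code: all names, records and tokens below are
constructed placeholders. It contrasts an endpoint that authenticates the
caller but never checks ownership of the requested UUID (the class of flaw
described above) with one that does.
"""
import hmac
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Profile:
    user_id: str
    email: str
    phone: str
    home_address: str
    access_token: str  # mobile-app token; must never be served to another user


# Constructed sample accounts (random UUIDs, fake contact details).
ALICE_ID = str(uuid.uuid4())
BOB_ID = str(uuid.uuid4())
PROFILES: Dict[str, Profile] = {
    ALICE_ID: Profile(ALICE_ID, "alice@example.com", "+1-555-0100",
                      "1 Example Street", "app-token-alice"),
    BOB_ID: Profile(BOB_ID, "bob@example.com", "+1-555-0101",
                    "2 Example Avenue", "app-token-bob"),
}
# Session store: bearer token presented by the caller -> authenticated user id.
SESSIONS: Dict[str, str] = {"sess-alice": ALICE_ID, "sess-bob": BOB_ID}


class Forbidden(Exception):
    """Raised when a request is not authenticated or not authorized."""


def authenticate(session_token: str) -> str:
    """Return the user id bound to a valid session token, else raise Forbidden."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise Forbidden("invalid session token") from None


def vulnerable_get_profile(session_token: str, user_id: str) -> Profile:
    """Flawed handler: any authenticated caller can read any user's record.

    Authentication succeeds, but nothing ties the requested user_id to the
    caller, so a leaked UUID is enough to fetch someone else's token and address.
    """
    authenticate(session_token)
    return PROFILES[user_id]


def get_profile(session_token: str, user_id: str) -> Profile:
    """Hardened handler: the authenticated caller may read only their own record."""
    caller = authenticate(session_token)
    # Compare identities in constant time and deny unless the caller owns the record.
    if not hmac.compare_digest(caller.encode(), user_id.encode()):
        raise Forbidden("caller does not own the requested record")
    return PROFILES[user_id]


def lookup_user_id(session_token: str, email: str) -> Optional[str]:
    """Hardened lookup: an email resolves to a UUID only for the account the
    caller is signed in as; other users' identifiers are never returned."""
    caller = authenticate(session_token)
    profile = PROFILES.get(caller)
    if profile is not None and profile.email == email:
        return profile.user_id
    return None


def is_forbidden(handler: Callable[..., object], *args: str) -> bool:
    """Helper: True when the handler rejects the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Bob's valid session is enough to read Alice's token through the flawed handler...
    print("vulnerable handler leaks:", vulnerable_get_profile("sess-bob", ALICE_ID).access_token)
    # ...but the hardened handler denies the same request.
    print("hardened handler denies:", is_forbidden(get_profile, "sess-bob", ALICE_ID))
```

The same pattern applies to any endpoint keyed by a client-supplied identifier: authenticate first, then check that the resulting principal is entitled to that specific object, and log denials so that enumeration of identifiers becomes visible in monitoring.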


Discovery of unsecured database reveals ticket fraud scheme

Noam Rotem and Ran Locar, researchers at vpnMentor, found an unsecured database containing 17 million records and 1.2 terabytes of data. The exposed data included personal details of users purchasing tickets from any website that uses the Neuroticket software, which affected popular ticket vendors such as Groupon, Ticketmaster, and Tickpick as well as various small independent venues. The researchers observed that many email addresses in the database did not seem authentic; to test this, they contacted ten addresses at random and heard back from only one. Most of the records in the database involve Groupon, a popular website for coupons and discounts. After further investigation and contact with Groupon, the researchers determined that the database belonged to a group of criminals. The criminals created accounts with fake information on the ticketing sites, purchased tickets using stolen credit card information, and then sold those tickets to fans. To do this, the fraudsters filtered the relevant emails from their email account into the Elasticsearch database and extracted the tickets. Groupon associated the database with a criminal network it has been pursuing since 2016. Nearly 2 million fake Groupon accounts were reportedly created in 2016 and used to buy tickets with stolen information and resell them. Although Groupon has worked on closing as many such accounts as possible, the operation has persisted. Working with the vpnMentor research team, Groupon has made progress in dealing with this breach.


New Exim vulnerability opens up millions of email servers to root-granting exploitation

Exim is an open-source mail transfer agent (MTA) for Unix-like operating systems, and a popular one: a large number of organizations’ servers run Exim to receive and deliver email. A security vulnerability, tracked as CVE-2019-15846, has been discovered that allows attackers to gain root-level access to affected systems, leaving millions of Exim-based email servers exposed. When an Exim server is configured to accept TLS connections, an attacker can send a backslash-null sequence appended to the end of the Server Name Indication (SNI) value during the initial TLS handshake; this can lead to execution of attacker-supplied code with root privileges. The vulnerability is exploitable only on Exim servers up to and including version 4.92.1 that accept TLS connections. Exim does not enable TLS by default, but some operating systems ship Exim with TLS enabled.

Although no active attacks have been reported yet, a surge in scanning for Exim servers has been observed. The Exim team learned of the vulnerability in July from a security researcher who goes by the pseudonym Zerons. The issue was patched privately, owing to the ease of exploitation and the large number of affected servers. An early warning was issued last week, and version 4.92.2, which contains the fix, was released recently. As always, keep up to date with the latest security flaws and the fixes available for them. If your organization uses Exim, ensure that your email servers are running the latest Exim version (4.92.2). If updating is not possible, configure the Exim server not to accept any TLS connections.
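The two conditions in the advisory, an Exim version at or below 4.92.1 and TLS being offered, can be checked from the host's own output. The Python below is an added example written for this digest, not Exim project code. It parses the first line of `exim -bV` (which begins with "Exim version X.YY") and the line printed by `exim -bP tls_advertise_hosts`, the option that controls whether STARTTLS is offered (an empty value means it is never offered). The sample outputs in the block are constructed, not captured from a real host.

```python
"""Classify an Exim host's exposure to CVE-2019-15846 from its reported settings.

Added example, not Exim project code. Inputs are the text of `exim -bV` and
`exim -bP tls_advertise_hosts`; the sample outputs at the bottom are constructed.
"""
import re
from typing import Optional, Tuple

# First release carrying the fix, as stated in the advisory text above.
PATCHED_VERSION = (4, 92, 2)

# `exim -bV` prints "Exim version 4.92.1 #3 built ..." as its first line.
VERSION_RE = re.compile(r"^Exim version (\d+(?:\.\d+)+)", re.MULTILINE)


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract the version from `exim -bV` output as a 3-tuple, e.g. (4, 92, 1)."""
    match = VERSION_RE.search(bv_output)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "4.92" -> (4, 92, 0) so tuples compare cleanly
    return tuple(parts[:3])


def tls_advertised(bp_output: str) -> bool:
    """True if tls_advertise_hosts is non-empty, i.e. STARTTLS is offered to some hosts."""
    value = bp_output.split("=", 1)[1] if "=" in bp_output else bp_output
    return value.strip() != ""


def assess(bv_output: str, bp_output: str) -> str:
    """Return 'unknown', 'patched', 'unpatched-tls-off' or 'vulnerable'."""
    version = parse_exim_version(bv_output)
    if version is None:
        return "unknown"
    if version >= PATCHED_VERSION:
        return "patched"
    if not tls_advertised(bp_output):
        # The bug needs a TLS handshake; with TLS off the host is not reachable
        # through it, but it still needs the update.
        return "unpatched-tls-off"
    return "vulnerable"


# Constructed sample outputs in the shape Exim prints them.
SAMPLE_BV_OLD = (
    "Exim version 4.92.1 #3 built 01-Sep-2019 12:00:00\n"
    "Support for: crypteq iconv() IPv6 OpenSSL\n"
)
SAMPLE_BV_NEW = "Exim version 4.92.2 #1 built 07-Sep-2019 09:00:00\n"
SAMPLE_BP_TLS_ON = "tls_advertise_hosts = *\n"
SAMPLE_BP_TLS_OFF = "tls_advertise_hosts = \n"

if __name__ == "__main__":
    for bv, bp in [(SAMPLE_BV_OLD, SAMPLE_BP_TLS_ON),
                   (SAMPLE_BV_OLD, SAMPLE_BP_TLS_OFF),
                   (SAMPLE_BV_NEW, SAMPLE_BP_TLS_ON)]:
        print(parse_exim_version(bv), "->", assess(bv, bp))
```

On a real host, capture the two commands' output (for example with `subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout`) and pass the strings to `assess`; a result of `vulnerable` means the host matches both conditions in the advisory and should be updated or have TLS turned off until it can be.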


Phishers leverage Captcha code to bypass email security gateway

Phishing threat actors have found a new technique to bypass secure email gateways (SEGs). This time, they use a CAPTCHA to prove that a human is present while avoiding any red flags from the email security gateway. Discovered by researchers at Cofense, the attack begins with a phishing email sent from a compromised account at ‘@avis.ne.jp’. The email is disguised as a notification for a voicemail message, and the victim is asked to preview the alleged message by clicking a button included in the email. This button, when clicked, takes the victim to a page with a CAPTCHA. “This button is in fact an embedded hyperlink that will redirect the recipient to a page that contains a Captcha code to prove the victim is a human and not an automated analysis tool or, as Google puts it, ‘a robot.’ It’s at this point that the SEG validation would fail,” the researchers added. The researchers note that both the CAPTCHA and phishing pages are hosted on Microsoft infrastructure; as a result, they carry legitimate top-level domains, so the SEGs’ URL analysis does not flag them. “The SEG cannot proceed to and scan the malicious page, only the Captcha code site. This webpage doesn’t contain any malicious items, thus leading the SEG to mark it as safe and allow the user through,” the researchers explained. Once the human verification is complete, the recipient is redirected to the actual phishing page, which in this case imitates the Microsoft account selector and login page and captures the credentials the victim enters. This is not the first time cybercriminals have devised an innovative way to bypass security controls; in past campaigns, fraudsters have used QR codes, fake 2FA codes and Google Docs to redirect victims to phishing pages.


Intel server-grade CPUs plagued by new NetCAT vulnerability

Researchers at Vrije Universiteit Amsterdam have published details of NetCAT, a vulnerability affecting Intel server-grade CPUs. It abuses Intel Data Direct I/O (DDIO) to leak data from a remote server over the network. DDIO was introduced to make Intel CPUs faster: it allows peripherals to read and write data directly in the CPU’s cache. NetCAT can compromise an SSH session just by sending network packets to the server; it does not require any malicious code to run on the target. The vulnerability is a side-channel leak: by sending crafted network packets, an attacker can observe what a DDIO-enabled CPU is processing, but this requires direct network access to the vulnerable system from the attacker’s machine. The research describes a technique called Prime+Probe, in which attackers look for variations in the latency of the connection and, depending on the variation, infer what data was processed. An interactive SSH session sends a network packet every time a key is pressed, so from the packets’ arrival times NetCAT can leak the timing of each keystroke. By analyzing human typing patterns, the attack can then recover what users type in their private SSH sessions. If Remote Direct Memory Access (RDMA) is also enabled, the remote server’s memory can be accessed to control where network packets land. Intel was notified of the vulnerability in June, but no security patch is available yet, as Intel classifies it as a low-severity issue. An Intel spokesperson told ZDNet, “Intel received notice of this research and determined it to be low severity primarily due to complexity, user interaction, and the uncommon level of access that would be required in scenarios where DDIO and RDMA are typically used.” Intel has released mitigation advice, which includes limiting direct access from untrusted networks where DDIO and RDMA are enabled.


Edited and compiled by cyber security specialist James Aguilan.