Specsavers suffered data breach compromising clients’ medical details

Eye wear giant Specsavers suffered a data breach compromising clients’ medical details after a password-protected computer server went missing. On June 03, 2019, Specsavers became aware that a shipping container containing the business' belongings including a computer server has been stolen between May 25 and 26, 2019. “During the fit-out works, a range of building materials and IT equipment, including a password-protected computer server, went missing from an onsite storage facility,” Specsavers said. The stolen computer server contained the personal information of clients including names, dates of birth, addresses, phone numbers, email addresses, clinical records of optometry tests, and Medicare details. However, no financial information or credit card details were involved in the incident. Specsavers confirmed that there has been no evidence that the information on the server has been accessed. The Eyewear giant has warned its customers to be cautious about telephone calls, emails, and messages that purport to come from Specsavers. The optical company is also working with the Commonwealth Department of Human Services to monitor the records for any suspicious activity and implement additional security to the impacted customers' Medicare records. It has also notified the Office of the Australian Information Commissioner about the incident. “We are committed to the privacy and security of our customers' personal data and we are doing everything we can to ensure that this cannot happen again in the future,” Specsavers said in a statement to ABC.

 

Attackers distribute new JavaScript-based trojan MonsterInstall in form of Game Cheats

Researchers uncovered a new JavaScript-based trojan dubbed ‘MonsterInstall’ which is distributed in the form of game cheats via websites owned by the attackers. Researchers from Yandex discovered the MonsterInstall downloader trojan, who then reported it to Doctor Web's research team for further analysis. Doctor Web researchers analyzed the trojan sample and revealed the following insights. When users download the game cheat, they end up downloading a password-protected zip archive that contains an executable file. Once launched, the executable file downloads the game cheat along with the MonsterInstall trojan components. Once the trojan gets launched, it will gain persistence by adding itself to the infected system’s autorun, in order to get automatically launched after the machine is rebooted. MonsterInstall then starts gathering system info and sends it to the C&C server controlled by the attacker. The downloader trojan then downloads the crypto mining module ‘xmrig.dll’ onto the infected system. The cryptomining module loads the malicious executable ‘xmrig.exe’. The executable sends system information to its C&C server and gets back the miner configuration in the form of a JSON file. Once the miner configuration file is loaded, it will automatically execute and start mining the TurtleCoin cryptocurrency. “Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month,” Doctor Web researchers said.

 

New cryptomining malware uses cron commands to infect systems

A cryptomining malware was spotted by security researchers that leveraged cron scheduler. Researchers from the security firm Sucuri analyzed a Bash script linked with the malware, which downloaded its payload and configuration files into the system. It was found that this script terminated other cryptomining processes in the infected system before running its own and used cron commands for evading detection, and reinfection. The malware infects web server and starts running cryptomining processes that maximize the CPU usage. The malicious payload is downloaded by a Bash script named 'cr2.sh'. This script killed any process associated with cryptomining including those of xmrig, cryptonight among others. It also performs many operations such as identifying the OS environment (32/64 bit) to download the appropriate payload. The script downloads a configuration file and a cryptominer payload. In the case of detection, cron commands are executed for killing the script and for redownloading it again. This way, the malware establishes persistence in the system without being detected easily. Sucuri researchers suggest that the malware affects desktop installations on top of web servers, and advise users to stay aware of malicious cron processes. “If you overlook a malicious cronjob, it can reinfect your environment until it’s mitigated. It’s also important to remember that it’s not just web servers that are targeted — it can also infect desktop installations of 32/64bit Linux systems and other variants, which are used to infect Windows installations,” the researchers explained.

 

Mermaids UK apologizes for data breach that disclosed private details of transgender children

Mermaids UK has sent out an ‘apology’ letter for inadvertently exposing private details of transgender children and young people. The data breach occurred after the organization had published part of its email database on the internet. In an official statement, Mermaids UK disclosed that over 1,000 pages of confidential emails were exposed online. This included sensitive details of vulnerable youngsters. The letters exposed in the breach were sent between 2016 and 2017. They included the names, addresses and telephone numbers of those reaching out for help. “The material mainly consisted of internal information involving full and frank discussion of matters relevant to Mermaids, but unfortunately included some information identifying a small number of service users. Mermaids has contacted these people. The information, seen in its actual and proper context, is normal internal information for a group such as Mermaids,” said the firm in its notification. Meanwhile, Mermaids has maintained that there is no evidence of data being misused or stolen by threat actors. The charity and advocacy organization has reported the matter to the Information Commissioners Office (ICO). It has also contacted the affected families as well as the stakeholders and notified them about the data breach. Mermaids UK is investigating the situation so as to ascertain the extent of the data breach. It is also working on improving the security conditions of its infrastructures.

 

Latest sample of Echobot found using 26 exploits to target IoT devices

Earlier this June, security researchers at Palo Alto Networks had discovered a new variant of Mirai botnet named Echobot using a total of 18 exploits to target IoT devices. However, the latest research cites that Echobot has evolved to include 26 exploits in its arsenal. The targets of the latest Echobot variant include network-attached storage devices (NAS), routers, network video recorders (NVR), IP cameras, IP phones, and wireless presentation systems. Most of the exploitation code included in the Echobot variant is for unpatched IoT devices. Apart from these the botnet also exploits well-known vulnerabilities in Oracle WebLogic and VMware SD-Wan. "I counted 26 different exploits that were being used in the spread of this botnet. Most were well-known command execution vulnerabilities in various networked devices," said Larry Cashdollar from Akamai Technologies in a blog post. The new variant of Echobot includes 8 extra exploits along with the previously available exploit. Cashdollar’s latest research reveals that Echobot uses the same attack code derived from Mirai. But the only difference seems to be the addition of exploits that help the Echobot variant to spread.

 

Researchers disclose two zero-day vulnerabilities impacting two Facebook WordPress plugins

A cybersecurity firm has published the details about two zero-days impacting two Facebook WordPress plugins. The disclosed vulnerabilities are cross-site request forgery (CSRF) flaws that impact ‘Messenger Customer Chat’ and ‘Facebook for WooCommerce’ WordPress plugins. The ‘Messenger Customer Chat’ plugin that shows a custom Messenger chat window on WordPress sites has been installed by over 20,000 sites. The ‘Facebook for WooCommerce’ plugin that allows WordPress site owners to upload their WooCommerce-based stores on their Facebook pages has been installed by over 200,000 users. These vulnerabilities could allow authenticated users to alter WordPress site options. The security firm, White Fir Design LLC aka Plugin Vulnerabilities, also published the Proof-of-Concept code allowing attackers to create exploits and target the sites using the two plugins. The WordPress.org forums banned security researchers from disclosing vulnerabilities through the forums and instead asked them to email the WordPress team about the vulnerability. However, the Plugin Vulnerabilities team decided to not follow the policy change and continued to disclose security flaws on the WordPress forums, this resulted in its forum accounts being banned. Now, the Plugin Vulnerabilities team has gone a step further by publishing in-depth details and PoC code about the vulnerabilities on their blogs.

 

Job searching platform exposes personal information of 1.6 million employers and job seekers

Researchers from SafetyDetective have uncovered an unprotected database belonging to Talanton, a new job posting and searching platform based in India. The leaky database has been exposed between May 17, 2019, and June 15, 2019. The leaky database has exposed the personal information of almost 1.6 million employers and job seekers from the USA, India, Israel, UK, France, multiple additional European countries, Australia, UAE, Singapore, and Hong Kong. The database included phone numbers and emails of CISOs, CEOs, and government officials including the CTO of the Australian government and the FBI Domestic Security Alliance Council member. The database also included the job seekers’ personal details such as phone numbers, email addresses, gender, nationality, residential addresses, designations, current employers, salary expectations, and job seeking status. The database also included encrypted passwords of over 50,000 user records. The leaky database also included the details of Tommy Hilfiger Japan CEO, Tom Chu. Safety Detective notified the leaky database to the owner of the database, however, received no response. The researchers then contacted the hosting server company Tata Communications who took the database offline.

 

Remote code execution vulnerability affect Oracle WebLogic Server spotted in the wild

Oracle has released emergency patches for another critical remote code execution vulnerability affecting its WebLogic Server. The newly discovered RCE flaw has been tracked as CVE-2019-2729. It was only a month ago that a deserialization vulnerability tracked as CVE-2019-2725 was discovered in the WebLogic Server. The flaw was widely abused by attackers to deliver a variety of malware in different attack campaigns. The RCE flaw, tracked as CVE-2019-2729, affects WebLogic versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. It has received a severity score of 9.8 on CVSS and can be exploited by a remote attacker without authentication. “This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” reads the security advisory of Oracle. According to KnownSec404 team, the new RCE flaw has arisen because of an incomplete patch for CVE-2019-2729. The researchers have confirmed that threat actors are already exploiting the CVE-2019-2729 in the wild. KnownSec team notes that the current vulnerability is being abused currently to target JDK 1.6.x compatible systems. Just like CVE-2019-2725, the CVE-2019-2729 can allow attackers to exploit the process and run code on vulnerable systems.

 

Edited and compiled by cyber security specialist James Aguilan.