Mass router hack exposes millions of devices to potent NSA exploit

More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday. The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable from the Internet on those ports. While Internet scans don’t reveal precisely what happens to the connected devices once they’re exposed, Akamai said the ports—which are instrumental for the spread of EternalBlue and its Linux cousin EternalRed—provide a strong hint of the attackers’ intentions. The attacks are a new instance of a mass exploit the same researchers documented in April. They called it UPnProxy because it exploits Universal Plug and Play—often abbreviated as UPnP—to turn vulnerable routers into proxies that disguise the origins of spam, DDoSes, and botnets. The new instance, which Akamai researchers have dubbed EternalSilence, injects commands into vulnerable routers that open ports on connected devices. Legitimate injections often include a description such as "Skype." EternalSilence injections use the description "galleta silenciosa"—"silent cookie/cracker" in Spanish.
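As an added defensive example (not code from Akamai or the original article), the following Python audits a router's UPnP port-mapping table for the pattern described above: entries that expose 139/445, carry the "galleta silenciosa" description, or forward to a host outside the LAN (the UPnProxy relay pattern). The SOAP responses are constructed samples in the shape the IGD WANIPConnection GetGenericPortMappingEntry action returns; actually querying a router is assumed to happen separately.

```python
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}                   # NetBIOS/SMB: the internal ports EternalSilence exposes
INJECTION_MARKER = "galleta silenciosa"  # mapping description Akamai observed in EternalSilence entries
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def soap_entry(ext_port, proto, int_port, client, desc):
    # Shape of a GetGenericPortMappingEntry response from an IGD WANIPConnection service.
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f'<NewExternalPort>{ext_port}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )

# Constructed sample table (not from a real router): a legitimate Skype mapping,
# an EternalSilence-style SMB exposure and a UPnProxy-style relay to an Internet host.
SAMPLE_TABLE = [
    soap_entry(50123, "UDP", 50123, "192.168.1.10", "Skype"),
    soap_entry(53022, "TCP", 445, "192.168.1.23", "galleta silenciosa"),
    soap_entry(8080, "TCP", 80, "203.0.113.5", "proxy"),
]

def parse_entry(xml_text):
    """Return the New* fields of one response as a dict keyed without the 'New' prefix."""
    tags = ((el.tag.split("}")[-1], (el.text or "").strip()) for el in ET.fromstring(xml_text).iter())
    return {tag[3:]: text for tag, text in tags if tag.startswith("New")}

def suspicious_reasons(entry):
    """List why a mapping looks injected; an empty list means nothing was flagged."""
    reasons = []
    if int(entry["InternalPort"]) in SMB_PORTS:
        reasons.append(f"exposes SMB/NetBIOS port {entry['InternalPort']} to the Internet")
    if entry["PortMappingDescription"].lower() == INJECTION_MARKER:
        reasons.append("description is the EternalSilence injection marker")
    if not any(ipaddress.ip_address(entry["InternalClient"]) in net for net in LAN_NETS):
        reasons.append("forwards to a host outside RFC 1918 space (UPnProxy-style relay)")
    return reasons

def audit_port_mappings(responses):
    """Return {external_port: reasons} for every flagged entry in the mapping table."""
    findings = {}
    for entry in map(parse_entry, responses):
        if reasons := suspicious_reasons(entry):
            findings[int(entry["ExternalPort"])] = reasons
    return findings
```

Any flagged entry should be deleted with DeletePortMapping and, more importantly, UPnP should be disabled on the WAN side of the router, since the injection itself is only possible while the service is reachable from the Internet.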

Hackers Breach Dunkin’ Donuts Accounts in Credential Stuffing Attack

A credential stuffing attack has allowed hackers to take a big bite out of Dunkin’ Donuts customer data. The donut giant announced Tuesday evening that a data breach in October may have led to customers’ personal information being compromised. Dunkin’ Brands Inc., in an advisory posted to its website, said that on Oct. 31 a malicious actor attempted to access customers’ first and last names, email addresses, and account information for DD Perks, Dunkin’ Donuts’ rewards program. That account info includes customers’ 16-digit DD Perks account number and DD Perks QR code. Dunkin’ Donuts has forced a password reset that required all of the potentially impacted DD Perks account holders to log out and log back in to their accounts using a new password. The company said that it believes the hacker obtained usernames and passwords from security breaches of other companies, and then used those usernames and passwords to try to break in to various online accounts via widespread automated login requests – a method also known as credential stuffing. “Although Dunkin’ did not experience a data security breach involving its internal systems, we’ve been informed that third-parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts,” the company said in its statement. Dunkin’ Donuts said its security vendor was successful in stopping most of these attempts, but it is still possible that the hacker succeeded in logging in to some DD Perks accounts.

Dell says hackers may have stolen customer info

Dell has released a customer update on its website acknowledging that it warded off a possible hack on November 9th, earlier this month. In the update, Dell says it noticed and took action to intervene in “unauthorized activity” on its network. The hackers tried to extract customer names, email addresses, and hashed passwords, although it’s not clear how successful the effort was. (Credit card information was not impacted.) The customer update says Dell found no proof that any information was compromised, but a separate press release by Dell on its website about the incident words it a little differently, saying, “Though it is possible some of this information was removed from Dell’s network, our investigations found no conclusive evidence that any was extracted.” After noticing the activity, Dell hired a digital forensics firm, involved the authorities, and took the precautionary measure of resetting all customer passwords. It is also recommending that if your Dell password is the same as or similar to one you use on other websites, you should change it with those services as well. Dell would not say how many accounts were affected, telling CNET, “Since this is a voluntary disclosure, and there is no conclusive evidence that customer account information was extracted, it would be imprudent to publish potential numbers when there may be none.”

Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins

A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributors went rogue and infected it with malicious code programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is "Event-Stream," a toolkit that makes it easy for developers to create and work with streams, a collection of data in Node.js — just like arrays or strings. The malicious code, detected earlier this week, was added to Event-Stream version 3.3.6, published on September 9 via the NPM repository, and has since been downloaded by nearly 8 million application programmers. After gaining access to the library, the new maintainer "Right9ctrl" released Event-Stream version 3.3.6 with a new library, called Flatmap-Stream, as a dependency; that library was specifically crafted for the purposes of this attack and includes the malicious code. Since the flatmap-stream module was encrypted, the malicious code remained undetected for more than 2 months until Ayrton Sparling (FallingSnow), a computer science student at California State University, flagged the issue Tuesday on GitHub. After analyzing the obfuscated code and encrypted payload, NPM, the open source package manager which hosted event-stream, found that the malicious module had been designed to target people using BitPay's open-source bitcoin wallet app, Copay, which incorporated event-stream into its app. The malicious code attempted to steal digital coins stored in the Dash Copay Bitcoin wallets—distributed through the Node Package Manager (NPM)—and transfer them to a server located in Kuala Lumpur.

Sennheiser's high-end headphones have a bizarre and potentially dangerous bug

Sennheiser's HeadSetup headphone software for PCs and Macs contains a vulnerability that could allow hackers to show users fake websites that look perfectly legitimate. Sennheiser has issued an update which every HeadSetup user should download and install now. If you currently use — or have ever used — Sennheiser's HeadSetup software, which is designed to complement some of the company's headphones on a PC or Mac, you may be vulnerable to hackers, according to a report from the Secorvo Security Consulting firm. The report was first spotted by Ars Technica. Essentially, the vulnerability in the HeadSetup software allows hackers to show a "spoofed" website in such a way that the fake site looks real, including the "https:" at the beginning of the website's URL, as well as the lock icon. Normally, the lack of those things is a good marker that a site is a fraud; the flaw could help fool even savvy users. Any information you typed into a spoofed website could be obtained by the hackers who put it up, including login information, passwords, credit card information, personal information, and anything else you'd type into a legitimate website for whatever reason. Sennheiser has issued an update containing a fix for the vulnerability on its website. Anyone who's ever used the software should download the update and install it. Even those who have uninstalled the software for whatever reason should download and install the update, as the vulnerability lingers even after uninstalling the version of the software that contained it. If installing the update isn't an option for whatever reason, Sennheiser has also provided manual remediation steps for both PC and Mac.

Uber fined by ICO over 2016 data breach

The Information Commissioner’s Office (ICO) has fined ride-sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack. A series of avoidable data security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. This included full names, email addresses and phone numbers. The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016. The ICO investigation found ‘credential stuffing’, a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber’s data storage. However, the customers and drivers affected were not told about the incident for more than a year. Instead, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded. ICO Director of Investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
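An added detection example (not from Dunkin', Uber or the ICO) covering the credential-stuffing pattern described in this item and in the Dunkin' Donuts item above: it scans a constructed login log for source addresses that fail against many distinct accounts inside a short window, which is the signature of replaying leaked username/password pairs, and reports which accounts those sources then logged into successfully. The log format, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system): a stuffing burst from 198.51.100.7
# that eventually hits one valid credential pair, plus a user mistyping their own password.
SAMPLE_LOG = """\
2018-10-31T02:14:01Z src=198.51.100.7 user=alice@example.com result=fail
2018-10-31T02:14:02Z src=198.51.100.7 user=bob@example.com result=fail
2018-10-31T02:14:02Z src=198.51.100.7 user=carol@example.com result=fail
2018-10-31T02:14:03Z src=198.51.100.7 user=dave@example.com result=fail
2018-10-31T02:14:03Z src=198.51.100.7 user=erin@example.com result=fail
2018-10-31T02:14:04Z src=198.51.100.7 user=frank@example.com result=success
2018-10-31T02:14:05Z src=198.51.100.7 user=grace@example.com result=fail
2018-10-31T02:20:00Z src=192.0.2.10 user=heidi@example.com result=fail
2018-10-31T02:20:09Z src=192.0.2.10 user=heidi@example.com result=fail
2018-10-31T02:20:20Z src=192.0.2.10 user=heidi@example.com result=success
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(fail|success)$")

def parse_log(text):
    """Yield (timestamp, src_ip, user, result) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_stuffing(text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: {"distinct_users": n, "hits": [accounts logged into]}} for sources
    that failed against at least min_users different accounts inside one window."""
    events = defaultdict(list)
    for ts, src, user, result in parse_log(text):
        events[src].append((ts, user, result))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed_users = {u for _, u, r in in_window if r == "fail"}
            if len(failed_users) >= min_users:
                hits = sorted({u for _, u, r in in_window if r == "success"})
                findings[src] = {"distinct_users": len(failed_users), "hits": hits}
                break
    return findings
```

The many-users-per-source test is what separates stuffing from an ordinary user who forgets a password; the reported "hits" are the accounts that should be force-reset, which is the response both Dunkin' and Uber's regulator describe.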

