Week in review 19 January 2020 – hacker leaks IoT passwords, WordPress plugin vulns, Oracle record patch haul, 25% of users fall for phishing, quarter of PCs vulnerable now Windows 7 unsupported
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices
A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices.
The list, which was published on a popular hacking forum, includes each device's IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.
According to experts, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.
Read more here: https://www.zdnet.com/article/hacker-leaks-passwords-for-more-than-500000-servers-routers-and-iot-devices/
Equifax Breach Settlement Could Cost Firm Billions
Equifax could end up paying as much as $9.5bn following a data breach settlement branded one of the largest in history by its presiding judge.
The credit reporting giant suffered a major cyber-attack in 2017 after hackers exploited an unpatched Apache Struts vulnerability, compromising highly sensitive personal and financial information on around 148 million customers.
Over two-fifths (44%) of the population of the US are thought to have been affected.
This week, a court in Georgia finally approved a settlement in the long-running class action case that followed the breach, which will require Equifax to pay $380.5m, plus potentially an extra $125m, to satisfy claims of out-of-pocket losses.
Read more here: https://www.infosecurity-magazine.com/news/equifax-breach-settlement-could/
WordPress plugin vulnerability can be exploited for total website takeover
A WordPress plugin has been found to contain "easily exploitable" security issues that can be exploited to completely take over vulnerable websites.
The plugin at the heart of the matter, WP Database Reset, is used to reset databases -- either fully or based on specific tables -- without the need to go through the standard WordPress installation process.
According to the WordPress library, the plugin is active on over 80,000 websites.
The two severe vulnerabilities were found on January 7, and either of them can be used to force a full website reset or takeover.
Tracked as CVE-2020-7048, the first critical security flaw has been issued a CVSS score of 9.1. As none of the database reset functions were secured through any checks or security nonces, any user was able to reset any database tables they wished without authentication.
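The root cause described above, a privileged reset action reachable with no capability check and no nonce, is shown here as an added illustration in WordPress-style PHP; it is not the WP Database Reset plugin's own code, and the function and nonce names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Shows the class of defect behind
// CVE-2020-7048 (a destructive action with no authorisation or nonce check)
// next to a hardened handler. All names below are hypothetical.

// Vulnerable pattern: the handler trusts the request outright.
function hypothetical_reset_tables_unsafe() {
    global $wpdb;
    $tables = isset( $_POST['tables'] ) ? (array) $_POST['tables'] : array();
    foreach ( $tables as $table ) {
        // No capability check, no nonce, no validation of the table name.
        $wpdb->query( "TRUNCATE TABLE {$table}" );
    }
}

// Hardened pattern: capability check, nonce check, server-side allow-list.
function hypothetical_reset_tables_safe() {
    global $wpdb;

    // 1. Only administrators may perform a destructive reset.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. The request must carry a nonce tied to this action (CSRF protection).
    check_admin_referer( 'hypothetical_reset_tables', 'hypothetical_reset_nonce' );

    // 3. Only tables this plugin is meant to manage, resolved server-side,
    //    so user input never reaches the SQL statement.
    $allowed = array(
        'posts'    => $wpdb->posts,
        'comments' => $wpdb->comments,
        'options'  => $wpdb->options,
    );
    $requested = isset( $_POST['tables'] ) ? (array) wp_unslash( $_POST['tables'] ) : array();
    foreach ( $requested as $key ) {
        $key = sanitize_key( $key );
        if ( ! isset( $allowed[ $key ] ) ) {
            continue; // drop anything outside the allow-list
        }
        $wpdb->query( 'TRUNCATE TABLE `' . $allowed[ $key ] . '`' );
    }
}

// Register only the hardened handler; admin_post_ hooks require a logged-in user,
// but the capability check above is still what restricts it to administrators.
add_action( 'admin_post_hypothetical_reset_tables', 'hypothetical_reset_tables_safe' );

// The submitting form must embed the matching nonce:
// wp_nonce_field( 'hypothetical_reset_tables', 'hypothetical_reset_nonce' );
```

When auditing a plugin, the two things to look for in any handler that writes to the database are a `current_user_can()` call and a `check_admin_referer()` or `wp_verify_nonce()` call before the write.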
Oracle Issues Record Critical Patch Update cycle with 334 Patches
Oracle has hit an all-time record for number of security fixes issued in a critical patch update (CPU), providing sysadmins with over 330 in its first quarterly release of the decade.
The enterprise software giant issued 334 patches in total across more than 90 products this week. As such, January 2020 easily beats the previous largest CPU, consisting of 308 fixes in July 2017.
Oracle strongly urged firms to apply the patches as soon as possible, claiming that attacks have had success in compromising customers that failed to update their systems promptly.
Among the products affected by this quarter’s CPU are popular platforms including: Oracle Database Server, which featured 12 new patches including three remotely exploitable; Oracle Communications Applications (25 patches, 23 of which are remotely exploitable); Oracle E-Business Suite (23, 21); Oracle Enterprise Manager (50, 10); Fusion Middleware (38, 30); Java SE (12); JD Edwards (9); MySQL (19, 6); Siebel CRM (5); Oracle Virtualization (22, 3); and PeopleSoft (15, 12).
It’s a busy time of the year for IT administrators. Earlier this week, Microsoft released fixes for scores of vulnerabilities in the last regular Patch Tuesday for Windows 7 and Server 2008.
Read the original article here: https://www.infosecurity-magazine.com/news/oracle-issues-record-cpu-with-334/
Giant botnet has just sprung back to life pushing a big phishing campaign
One of the world's most prolific botnets has returned and is once again attempting to deliver malware to victims via phishing attacks.
Emotet started life as a banking trojan before evolving into a botnet, which its criminal operators leased out to other hackers as a means of delivering their own malware to previously compromised machines.
Such was the power of the botnet that at one point last year it accounted for almost two-thirds of malicious payloads delivered in phishing attacks.
But after seemingly disappearing towards the end of 2019, Emotet has now returned with a giant email-spamming campaign, as detailed by researchers at cybersecurity company Proofpoint.
Read more here: https://www.zdnet.com/article/this-giant-botnet-has-just-sprung-back-into-life-pushing-a-big-phishing-campaign/
A quarter of users will fall for basic phishing attacks
Slightly more than a quarter of people will fall for a phishing scam that claims to be an urgent message prompting them to change a password, according to statistics gathered by a cyber security testing and training firm.
The security firm studied tens of thousands of email subject lines both from simulated phishing tests and those found in the wild, and found many of the most-clicked emails related either to security or urgent work-related matters.
It revealed its top 10 most effective simulated subject lines to be: Change of Password Required Immediately (26% opened); Microsoft/Office 365: De-activation of Email in Process (14% opened); Password Check Required Immediately (13% opened); HR: Employees Raises (8% opened); Dropbox: Document Shared With You (8% opened); IT: Scheduled Server Maintenance – No Internet Access (7% opened); Office 365: Change Your Password Immediately (6% opened); Avertissement des RH au sujet de l’usage des ordinateurs personnels (6% opened); Airbnb: New device login (6% opened); and Slack: Password Reset for Account (6% opened).
In the wild, subject lines often tended to relate to Microsoft, with emails about SharePoint and Office 365 particularly likely to be opened, as well as notifications about Google and Twitter accounts. People were also likely to fall for emails pretending to be related to problems with a shipping company, with FedEx the most widely impersonated, as well as the US Postal Service.
Read the full article here: https://www.computerweekly.com/news/252476845/A-quarter-of-users-will-fall-for-basic-phishing-attacks
Business Disruption Attacks Most Prevalent in Last 12 Months
Business disruption was the main objective of attackers in the last year, with ransomware, DDoS and malware commonly used.
According to the CrowdStrike Services Cyber Front Lines Report, which offers observations from its incident response and proactive services, a third (36%) of incidents involved ransomware, destructive malware or denial of service attacks. CrowdStrike classed these three as focused on “business disruption,” and while an adversary’s main goal in a ransomware attack is financial gain, the impact of disruption to a business can often outweigh the loss incurred by paying the ransom.
Also observed in 25% of the investigated incidents was data theft, including the theft of intellectual property, personally identifiable information and personal health information. IP theft has been linked to numerous nation state adversaries that specialize in targeted intrusion attacks, while PII and PHI data theft can enable both espionage and criminally-motivated operations.
Read more here: https://www.infosecurity-magazine.com/news/business-disruption-attacks/
Quarter of PCs could now be more at risk from ransomware
Last week saw the day when Windows 7 reached end of life. That means that Microsoft will no longer issue regular patches or updates for the famed operating system. From now on, any flaw or vulnerability discovered will remain unpatched, and the machines running the old system will remain at risk.
Any businesses or individuals running legacy and unsupported operating systems will be at a greater risk of ransomware than before.
WannaCry, one of the most devastating ransomware strains of all time, was successful mostly because of unpatched systems. Roughly 200,000 devices in 150 countries around the world will be vulnerable to similar malware, now that Windows 7 is no longer receiving security updates from Microsoft.
From this month, a quarter of all PCs are going to fall into this unsupported category so it is vital that any organisations that rely on Windows 7 are aware of the risks and what they need to mitigate them.
Read the original article here: https://www.itproportal.com/news/quarter-of-pcs-could-now-be-more-at-risk-from-ransomware/
5 tips to avoid spear-phishing attacks
Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself.
The good news is that most of us have learned to spot obvious phishing attacks these days.
The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name.
You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company.
Spear-phishing, where the fake emails really are believable, isn’t just an issue for high-profile victims such as the Burismas of the world.
Acquiring the specific data needed to come up with personalised phishing emails is easier than you might think, and much of the data gathering can be automated.
So here are Sophos’ 5 tips for dealing with phishing attacks, especially if you’re facing a crook who’s willing to put in the time and effort to win your trust instead of just hammering you with those “Dear Customer” emails:
1. Don’t be swayed just because a correspondent seems to know a lot about you
2. Don’t rush to send out data just because the other person tells you it’s urgent
3. Don’t rely on details provided by the sender when you check up on them
4. Don’t follow instructions on how to view an email that appear inside the email itself
5. Don’t be afraid to get a second opinion
Read the full article here: https://nakedsecurity.sophos.com/2020/01/17/5-tips-to-avoid-spear-phishing-attacks/
Organized cybercrime -- not your average mafia
Does the common stereotype for "organised crime" hold up for organisations of hackers? Research from a university in the US is one of the first to identify common attributes of cybercrime networks, revealing how these groups function and work together to cause an estimated $445-600 billion of harm globally per year.
"It's not the 'Tony Soprano mob boss type' who's ordering cybercrime against financial institutions," said Thomas Holt, MSU professor of criminal justice and co-author of the study. "Certainly, there are different nation states and groups engaging in cybercrime, but the ones causing the most damage are loose groups of individuals who come together to do one thing, do it really well - and even for a period of time - then disappear."
In cases like New York City's "Five Families," organised crime networks have historic validity, and are documented and traceable. In the online space, however, it's a very difficult trail to follow, Holt said.
Read more here: https://eurekalert.org/pub_releases/2020-01/msu-oc-011620.php
Cybercrime Statistics in 2019
It doesn’t make for cheery reading, but a researcher has compiled a list of statistics for cybercrime; here are a few choice headlines:
Cybercrime will cost as much as $6 trillion annually by 2021
Financial losses reached $2.7 billion in 2018
The total cost of cybercrime for each company in 2019 reached US$13M
The total annual cost of all types of cyberattacks is increasing
Read the full article here: https://securityaffairs.co/wordpress/96531/cyber-crime/cybercrime-statistics-in-2019.html