Cyber Insurance News January 2019
In the January edition of Cyber Insurance related news we look at:
Stay up to date with useful information to reduce your risks.
Any comments and opinions on this blog is NOT ADVICE. They are the personal opinions of the author only. They may not be shared by any company or organisations associated with the author or INDAGARD.
WordPress Multilingual Plugin Site hacked by Ex-Employee
WPML is one of the most popular plugins used in WordPress which is used for translating the sites into different languages and has more than 600,000 paying clients. It is also compatible with other themes and plugins.
The attack was performed by a former employee of the company who claims to be a security researcher. He also stated that he had found several issues in the plugin which he had already reported to the WPML team, but were neglected.
The hack was not done due to any exploit in WordPress or other plugins.
The hacker accessed the website by using an old password and a vulnerability which he has inserted into the website before quitting the job to gain access to the site at a later time.
The attacker posted a message on the website as a blog post and also sent the same message to all the WPML clients as mass-mail on behalf of WPML.
He wanted to warn the users regarding the security issues in the plugin which could be exploited.
The message says that the plugin has several security vulnerabilities and the users must take preventive measures to ensure security and if possible, to remove the plugin.
The company however disagree with the hackers claim, that there were security loopholes in the plugin.
Besides, spamming the users and contacts of the plugin, the hacker included the feature “Security Holes” for the product in its purchase page. As a result of the attack, client data has been lost.
A WPML developer, Amir Helzer stated that the website has been restored and the server was reconstructed from scratch.
He claims that the plugin is safe, back to working state and is not vulnerable anymore.
The access to the admin account has been secured using 2-factor authentications.
He assured that even though the attacker stole keys from the WPML website, they are used only to get updates from the site. So, it is not possible to use them on other websites that uses the WPML plugin.
The hacker had access to all the customer’s account information including their names and email addresses, but none of the payment details are compromised, as such details were not stored in the website. The users are advised to reset their accounts and to change their password as a precautionary step.
WPML was launched in 2007 and this is the first major breach against it since then. The company has decided to take legal action against the attacker.
Collection #1 Mega Data Breach exposes 773 Million Records!
Collection #1 includes 772,904,991 unique emails and 21,222,975 unique passwords and was found posted online.
The breach was discovered by security researcher Troy Hunt and he claims that Collection #1 data breach comprises of all the data stolen from various other data breaches.
The data was uploaded in the cloud storage site Mega and it consists of a large file with 12,000 separate files and had a data size of 87 GB.
The data was also posted in a popular hacking forum as well, which is a collection of more than 2000 databases. It consists of dehashed passwords which means they have been cracked and converted into human readable form.
The combination of compromised email and passwords are more dangerous as the users are easily vulnerable to credential stuffing.
Credential stuffing is using the breached username or password pair to obtain access to other user account and this affects those who have used the same username/password for multiple sites.
Another security expert, Brian Krebs on further investigation about the breach, found that Collection #1 was part of more than 4 TB of data.
He claims that he had contacted the hacker selling the Collection #1 data who stated they were at least 2 to 3 years old.
The hacker known by the name Sanixer said that he had more database collection for sale.
If you wish to know if your email address has been compromised, you can check out Troy hunt’s website “HaveIBeenPwned” which runs a service to check if your email address has been compromised.
If you also want to know whether your password has been exposed, there is a password search feature in the same site which lets you know if your password has appeared in the breach.
The main reason for data getting stolen is negligence from the users who make use of poor passwords or reusing old passwords.
It is highly recommended that all users must follow some password security tips.
It’s time to think about using a password manager and authenticate your emails by using strong, unique passphrase and enable 2 factor authentications.
Also make sure to not use same username/password across different accounts.
Popular Web Hosting Providers found with Multiple Vulnerabilities
This vulnerability was discovered by the Cyber security researcher Paulos Yibelo.
All the web hosting sites mentioned here are favored and largely used by millions of users and these client-side flaws could have risked these customers and also their site visitors of being hacked.
More than dozens of bugs were collectively discovered in these web hosting sites that comes to around seven million domains.
Certain flaws are too simple, that by just making a click it was possible for an attacker to take control over the accounts of those using any of these hosting providers.
Each of these hosting providers have at least one serious vulnerability out of which, the one that has been given the severity status “High” is the information leak through Cross-Origin-Resource-Sharing (CORS) that makes the website share information across their domains, thereby allowing a hacker to steal sensitive information such as payment details.
The researcher claims that the reason for these flaws are mainly due to the old infrastructure, complex back-end systems and companies having enormous user databases.
However, it is not yet known whether anybody has taken advantage of these vulnerabilities and have it exploited or not.
The critical flaws reported in each of the 5 Web Hosting Providers are given here
The information leakage occurred due to the misconfiguration in Cross-Origin-Resource-Sharing (CORS).
This flaw lets the attackers steal personal identifiable information, partial payment details and token that lets access to a user’s hosted endpoints.
Account takeover due to improper JSON request validation CSRF, the attacker can change the email address of any user and set the address of their choice and are able to gain complete control by changing their email password.
A medium severity flaw is man-in-the-middle due to the issue of misconfiguration of CORS.
Cross-site scripting permits the attacker to execute commands as a client.
The vulnerabilities are found across the user’s account section in the site.
The HostGator hosting service usually use anti-CSRF tokens while submitting the forms. But the server can be fooled to bypass anti-CSRF tokens. The attacker can gain complete control over the website.
There are multiple CORS misconfigurations that could let the attacker to gain control over the account and perform information leak, man-in-the-middle attack and CRLF injection in Microsoft Edge and Internet Explorer users.
The vulnerability which has severity “Moderately High” is the account takeover using cross-site scripting where the attacker can change the users email ID or password.
The vulnerabilities in this provider includes CSRF protection bypass that exist throughout the website.
It can also be exploited on browsers with Adobe Flash Player. The next flaw is the misconfigurations of the API.
The vulnerabilities include account takeover of any iPage user remotely while they simply click on any link. The next flaw is multiple Content Security Policy (CSP) bypasses.
The security researcher has reported his findings to all the web hosting providers that have been affected.
However, OVH has not responded to the findings, whereas all the remaining hosting providers have already patched these vulnerabilities before it was notified to the public.
Ethereum Classic Trading suspended by Coinbase
This led the company to freeze all Ethereum Classic (ETC) transactions on their platform.
During crypto mining, the transactions are added to a universal shared transaction database called as blockchain consisting of blocks which are packets of transactions.
Coinbase claims that Ethereum Classic blockchain had been reorganized which means rewriting the transaction history.
This is called a 51% attack because one who has control over more than 50% of the mining power can rewrite the transaction history. When this occurs, the attacker can interfere with the blockchain records and perform illicit activities like double spend.
Remember – every system has vulnerabilities.
Having cyber insurance protects you when a vulnerability is exploited to breach your network.
Double spending permits an attacker to recover already spent coins from the deserved recipients and then spending it again by transferring to a new entity of their choice.
Initially the exchange found eight reorganizations worth 88,500 ETC and then 12 more reorganizations including double spends were detected which totals to 219,500 ETC.
The attack involved a loss of more than $1.1 million worth of Ethereum Classic cryptocurrency.
It is however not clear who the exact target of the attackers was. Coinbase had confirmed that their customers funds were not affected due to this attack.
Ethereum Classic was created in June 2016 and is currently a top-20 cryptocurrency having a market cap of $500 million. The value of Ethereum Classic has declined since the news came out.
Many believed that it is almost impossible to perform attacks on large-cap cryptocurrencies like Bitcoin and Ethereum, the hackers chose to attack cryptocurrencies like Ethereum Classic and Bitcoin Gold.
Gate.io was the first exchange to verify the Coinbase findings. Last week Gate.io states that the attacker has returned Ethereum Classic tokens worth $100,000 to them.
They received the refund on 10th Jan but the attacker has not given any explanation regarding the attack.
Gate.io explained in their statement that the attacker might be a white hat hacker who wants to make the people aware of the risks involved with blockchain.
Data Breach in Singapore Airlines
The issue occurred on 4th January 2019, when certain changes were made in the carrier’s website.
The members of the KrisFlyer program were able to view the details of other customers including their flight information, name, address, travel miles etc.
Out of the affected customers, passport details of 7 customers were also exposed.
However, the company claimed that no alterations were made in any of the account details and that the credit card details of none of the customers were compromised.
It is confirmed that the data breach occurred only due to the one-off software glitch and that no external parties were included.
During the glitch, when a frequent flyer customer logged into her account, she was able to view the email ID and travel details of some other customer.
In fact, the account contained mixed up information of both the customers data. She contacted the Airlines and reported the issue to which they replied about the upgrading of their software and advised her to login at a later time.
The bug had acted in such a way that when two frequent flyer members logged in at the same time, they would be able to see the details of each other.
However, the issue has been resolved and the affected customers has been informed regarding the incident.
The airlines also informed the Personal Data Protection Commission of Singapore to ensure that incidents like this will not happen in future.
The bug in software existed due to the poor software testing practices by the company and this is not expected in a large company like Singapore Airlines. So, software must always be given a priority in the security program of any airline companies globally.
Microsoft Patch Tuesday 2019 – Security Updates
The update addressed vulnerabilities including seven critical vulnerabilities, forty important vulnerabilities and 2 vulnerabilities of moderate severity.
Microsoft patches any security issues in their monthly Patch Tuesday updates. In the recent patches issued by Microsoft, there were fixes for 4 zero-day bugs, but this time there weren’t any actively exploited zero-day bug present.
The vulnerabilities were present in the software including Windows OS, Internet Explorer, Microsoft Edge, ChakraCore, .NET Framework, ASP.NET, Microsoft Visual Studio, Microsoft Exchange Server, Adobe Flash Player, Microsoft Office and Microsoft Office Services and Web Apps, Skype for business and Team Foundation Server.
Out of the 7 critical vulnerabilities, the two remote code execution flaws that resides in Windows Hyper-V are CVE-2019-0550 and CVE-2019-0551.
The remaining five are memory corruption vulnerabilities of which three flaws namely CVE-2019-0539, CVE-2019-0567, and CVE-2019-0568 infected the Chakra Scripting Engine, one flaw called CVE-2019-0565 was found in the Microsoft Edge browser and the last one dubbed CVE-2019-0547 affected Windows Dynamic Host Configuration Protocol (DHCP) client.
The remote code execution vulnerabilities on successful exploitation could have let the hackers to implement remote code execution.
However, Microsoft confirmed that none of the vulnerabilities existed were exploited in the wild.
Along with the security updates for the vulnerabilities, all the updates include defense updates to improve the security.
An important patch which was given moderate severity was a vulnerability in Skype for Android, dubbed as CVE-2019-0622 that could have permitted the attackers to unlock the screen and access sensitive data on an Android mobile if you simply answer a Skype call to the affected device.
Adware Apps removed from Google Play Store
These apps were reported by the cyber security researchers at Trend Micro who stated that these apps were showing full screen advertisements to the users at regular intervals, even while they were not using the infected apps.
The removed apps were disguised as utility apps like online television, remote-control apps and games. All these apps were already downloaded and installed by more than 9 million times.
The most downloaded app was named Easy Universal TV Remote which is a remote-control app and this alone has been downloaded by more than 5 million users.
These adware apps come from different developers and uses different APK public key certificates but shares similar source code.
Some of the other adware apps include Moto Racing, Garage Door Remote Control, TV World, to name a few.
These apps hide their icon themselves but can run in the background and then shows a full screen ad every few minutes.
The ads also appear every time the user unlocks the phone.
Adware is mainly done to get some revenue by showing the users some ads and is different from a malware which steals sensitive data from the victim device.
One of the main risks that is associated with the adware apps are that they can show the ads of a malware infected app as a promotion which might persuade the user to download the app.
Google removed all the reported apps from the Play Store and those who have already installed these must uninstall it manually.
Users must be very cautious while downloading and installing any apps.
Make sure to take a look at the reviews of the customers who have already installed the apps and accept the permission requests only that is suitable for its functionality.