Major Data Breaches Everywhere
Data breaches are now a constant occurrence. Often, all it takes is a misconfigured Elasticsearch instance for millions of people’s information to become publicly accessible. Both large companies and organizations, including industry leaders, are frequently affected by such attacks and mistakes. November 2018 was a prime example of this trend.
Amazon
Amazon notified users about a data breach but provided almost no details. On November 21, 2018, some users received strange emails stating that a “technical error” on Amazon’s website had exposed their email addresses. The message did not specify when the breach occurred, how many users were affected, who might have accessed the leaked addresses, or what the “technical error” was. Due to the lack of details, many recipients suspected the emails were fake, but Amazon confirmed the incident was real and that the bug had been fixed. Amazon declined to provide further comments but assured users that internal systems and the website itself were not compromised, and there was no need to change passwords.
Instagram
Instagram developers fixed a bug in the “Download Your Data” feature, which allows users to export their photos, videos, comments, profile information, and other account data. As a security measure, the service required users to re-enter their password before downloading. However, due to a coding error, in some cases the password was included in the browser’s URL and stored on Facebook’s servers in plain text. Instagram claims only a small number of users were affected and that the mistakenly stored data has been deleted. The bug has been fixed, and affected users are being notified and advised to change their passwords, enable two-factor authentication, and clear their browser history.
Facebook
An Imperva specialist disclosed a now-fixed Facebook bug that allowed attackers to access personal data of users and their friends. Researcher Ron Masas found the vulnerability in Facebook’s search function, where each search result contained an iframe element used for internal tracking. By analyzing these iframes, Masas could determine whether a search query returned a positive or negative result, allowing him to infer if a user liked a page, took photos at certain locations, or had friends with specific attributes. He also created a malicious proof-of-concept page that could automate these searches via the Facebook Graph API. The vulnerability affected multiple browsers and was especially problematic for mobile users. Facebook fixed the issue quickly after being notified in May 2018 and found no evidence of exploitation.
Dell
Dell reported that on November 9, 2018, it detected unauthorized access to its network. Attackers attempted to extract user information from Dell.com, including names, email addresses, and hashed passwords (the hashing algorithm was not specified). Dell stated that financial information was not compromised and that there is no evidence any data was actually stolen, but as a precaution, all passwords for Dell.com, Premier, Global Portal, and support.dell.com were reset.
U.S. Postal Service (USPS)
Security journalist Brian Krebs reported that due to an API issue on the USPS website, any registered user could view data on 60 million people. The vulnerability, discovered by an anonymous security specialist, allowed logged-in users to access other users’ names, user IDs, email addresses, account numbers, phone numbers, and mailing addresses. The API also allowed users to request changes to other accounts, such as changing email or phone numbers. USPS fixed the vulnerability after it was publicized and stated there was no evidence of malicious exploitation.
Voxox
Voxox, a U.S. company providing VoIP and SMS gateway services, left a database containing tens of millions of text messages publicly accessible. German security specialist Sébastien Kaul found the database, which included password reset links, two-factor authentication codes, and verification messages. The database, running on Amazon Elasticsearch with a Kibana frontend, contained about 26 million SMS messages, but the real number could be higher due to the platform’s processing rate. Examples included Badoo app passwords, Booking.com 2FA codes, Google account codes, temporary bank passwords, Amazon tracking links, and medical appointment reminders. The breach was closed after TechCrunch and Kaul notified Voxox.
Firefox Monitor
In September 2018, Mozilla launched Firefox Monitor in partnership with Have I Been Pwned (HIBP), allowing users to check if their email addresses and accounts have been compromised. Mozilla announced plans to expand Firefox Monitor’s functionality: soon, desktop Firefox versions will warn users when they visit sites that have suffered data breaches. Users will be prompted to check their credentials with Firefox Monitor. Notifications will appear at least once for sites breached in the past 12 months, and for new breaches within two months. Notifications can be disabled.
GandCrab Ransomware Operators Lose $1 Million
Romanian police, Europol, and Bitdefender released a new decryptor for files affected by GandCrab ransomware (versions v1, v4, and v5). Over 1,700 victims have used the free tool, resulting in nearly $1 million in unpaid ransoms. The tool was especially helpful for users in South Korea, China, India, and the U.S.
MageCart Attacks Continue
MageCart attacks, where hackers steal users’ credit card data by injecting malicious JavaScript into e-commerce sites (often Magento-based), have been active since at least 2015. Multiple hacker groups use similar tactics, sometimes compromising third-party services like chat widgets. Recent reports from RiskIQ and Flashpoint identified at least seven groups responsible for attacks on 110,000 stores. Competition among these groups is increasing, with some sabotaging rivals by corrupting stolen card data. Sites hit by MageCart often suffer repeated infections, with 21.3% being reinfected, sometimes within days. Reasons include backdoors, admin accounts left by attackers, periodic reinfection tasks, obfuscation, and exploitation of zero-day vulnerabilities.
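The two injection routes described above (an inline script added to the page, or a modified third-party script such as a chat widget) are exactly what Subresource Integrity and a strict Content-Security-Policy are meant to catch. The following audit script is an added example, not code from the article or from RiskIQ or Flashpoint; the HTML and hostnames it scans are constructed placeholders.

```python
"""Audit a checkout page for script tags that would let a skimmer load unnoticed.

Added example, not from the original article. Two findings are reported:
  third-party-no-sri : an external script without an `integrity` attribute, so a
                       copy modified on the vendor's server would still execute;
  inline-script      : an inline <script> block, which a CSP without 'unsafe-inline'
                       would block and which is where injected skimmers often live.
SAMPLE_HTML and all hostnames below are constructed sample data.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-cart.test/checkout.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://chat.example-widget.test/widget.js"></script>
<script>console.log('checkout page loaded');</script>
</head><body></body></html>"""


class ScriptAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host   # first-party host; same-origin scripts are not flagged
        self.findings = []
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src:
            host = urlparse(src).hostname   # None for relative URLs such as /static/app.js
            if host and host != self.site_host and "integrity" not in a:
                self.findings.append(("third-party-no-sri", src))
        else:
            self._in_script = True
            self._inline = []

    def handle_data(self, data):
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._inline).strip()
            if body:
                self.findings.append(("inline-script", body[:60]))


def audit_page(html, site_host):
    """Return a list of (finding_kind, detail) tuples for the given page HTML."""
    parser = ScriptAuditor(site_host)
    parser.feed(html)
    return parser.findings
```

Run this against the rendered checkout page on every deploy and diff the findings; a new third-party script or inline block appearing between releases is the signal MageCart victims were missing.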
Russian Government Proposes Phone Number Verification
The Russian government wants to require mobile operators and messenger app developers to jointly verify the authenticity of users’ phone numbers. Messenger owners would need to confirm that a user’s phone number actually belongs to them, with operators required to respond within 20 minutes. The goal is to reduce anonymous communication, which complicates law enforcement investigations and enables spam, misinformation, and fraud.
BGP Issues and Internet Outages
November 2018 saw two major BGP routing incidents affecting Google services and Russian internet users. BGP, developed in the 1980s, lacks modern security mechanisms, making such incidents common.
Google Outage
On November 12, 2018, a BGP routing error caused outages for Google services, including G Suite, search, analytics, and third-party services like Spotify. The issue originated with Nigerian provider MainOne Cable Company, which incorrectly announced Google IP prefixes. The error spread to other providers, including Russia’s TransTeleCom and China Telecom, resulting in a DoS-like effect. MainOne apologized, attributing the incident to misconfigured BGP filters during a network upgrade.
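The “misconfigured BGP filters” MainOne cited are the check that should have stopped a customer route for someone else’s prefix from propagating. The script below is an added example, not from the article or from any of the providers involved: a simplified origin-validation pass in the spirit of RPKI route origin validation, run over constructed announcements. The prefixes are documentation ranges and the ASNs are private-range placeholders, not the real values from the incident.

```python
"""Origin-ASN check for incoming BGP announcements (added example, not from the article).

Model of the incident: a downstream re-announces prefixes whose authorised origin
is another network, and the upstream has no prefix filter to reject them.
EXPECTED_ORIGIN plays the role of an ROA/IRR-derived prefix list; UPDATES are
constructed sample announcements. All prefixes and ASNs are placeholders.
Simplification: a prefix is authorised only at its exact length (maxLength == length).
"""
import ipaddress

EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64500,    # placeholder: content provider's prefix
    "198.51.100.0/24": 64500,
    "192.0.2.0/24": 64496,      # placeholder: the customer's own prefix
}

# (prefix, AS path); the origin AS is the last element of the path.
UPDATES = [
    ("192.0.2.0/24", [64511, 64496]),        # customer's own route: fine
    ("203.0.113.0/24", [64511, 64496]),      # customer originating someone else's prefix
    ("203.0.113.128/25", [64511, 64496]),    # more-specific of that prefix: would win longest-match
    ("198.51.100.0/24", [64511, 64500]),     # correct origin
]


def covering_prefix(prefix):
    """Return the most specific EXPECTED_ORIGIN entry covering `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for known in EXPECTED_ORIGIN:
        k = ipaddress.ip_network(known)
        if net.subnet_of(k) and (best is None or k.prefixlen > best.prefixlen):
            best = k
    return str(best) if best is not None else None


def validate(prefix, as_path):
    """Classify one announcement as 'valid', 'invalid', or 'unknown' (no covering entry)."""
    covering = covering_prefix(prefix)
    if covering is None:
        return "unknown"
    if as_path[-1] != EXPECTED_ORIGIN[covering]:
        return "invalid"          # wrong origin AS: the MainOne-style leak
    if covering != prefix:
        return "invalid"          # unauthorised more-specific, even from the right origin
    return "valid"


def audit(updates):
    """Return (prefix, origin_as, verdict) for every announcement; drop the invalid ones."""
    return [(p, path[-1], validate(p, path)) for p, path in updates]
```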
Russian Internet Outage
On November 25, 2018, a configuration error by Russian provider Krek Ltd caused significant outages for Rostelecom users, affecting services like Amazon, YouTube, VKontakte, and IVI. The issue redirected a large portion of Rostelecom’s traffic to Krek’s network, which could not handle the load. The anomaly lasted over an hour and affected 10–20% of Russian users, with over 5,000 networks impacted globally.
6,500 Darknet Sites Deleted After Hosting Attack
In mid-November 2018, Daniel’s Hosting (DH), a major darknet hosting provider, was hacked. Attackers gained access to the database and deleted all accounts, including the root account, wiping out over 6,500 darknet sites. The operator admitted there were no backups. A similar attack on Freedom Hosting II in 2017 reduced the number of darknet sites by 85%.
New Meltdown and Spectre Variants
Researchers who discovered the original Meltdown and Spectre vulnerabilities published a report detailing seven new attack variations: two new Meltdown types and five new Spectre types. These affect various AMD, ARM, and Intel processors. Some previously released mitigations do not fully protect against the new variants. Intel claims existing protections are sufficient, but researchers found otherwise in their tests.
Meltdown
- Meltdown-BR: Bypasses Memory Protection Extensions (MPX) in Intel and AMD x86 CPUs, enabling speculative attacks.
- Meltdown-PK: Affects only Intel CPUs, bypassing Protection Keys for Userspace (PKU).
Spectre
- Spectre-PHT: Exploits the Pattern History Table.
- Spectre-BTB: Exploits the Branch Target Buffer.
- Spectre-RSB: Exploits the Return Stack Buffer.
- Spectre-BHB: Exploits the Branch History Buffer.
Five new Spectre issues were found, three related to the Pattern History Table and two to the Branch Target Buffer. All affected vendors have been notified.
Researchers Hack 85% of ATMs
Positive Technologies examined 26 ATM models from major manufacturers (NCR, Diebold Nixdorf, GRGBanking) and found that nearly all were vulnerable to local or network attacks. 85% could be compromised within 15 minutes. Key findings:
- 15 out of 26 ATMs still run Windows XP.
- 22 machines are vulnerable to network spoofing, allowing fraudulent transactions via LAN in just 15 minutes.
- 18 devices are susceptible to “black box” attacks, where a device like a Raspberry Pi, Teensy, or BeagleBone can control the dispenser and withdraw cash in about 10 minutes.
- 20 ATMs can be taken out of kiosk mode via USB or PS/2, giving attackers OS access.
- 24 out of 26 do not encrypt hard drive data, allowing attackers with physical access to extract all stored data and configurations.