This Week In Security - 01/27/2020
Global Cybersecurity Effort Seizes Site Selling Stolen Data
A few days ago, the FBI seized the domain WeLeakInfo.com where users could get unlimited access to breached data records for as little as $2 for 24 hours of access.
Marketing itself as a place where individuals could check to see if they had been the victims of identity theft or a data breach, WeLeakInfo.com “harvested over 12 billion records from over 10,000 data breaches… including Chegg.com, StockX, Dubsmash, and MyFitnessPal”.
The WeLeakInfo.com “seizure is part of a comprehensive law enforcement action” taken by US state and federal agencies alongside other law enforcement representatives from the UK, Netherlands, Germany, and Northern Ireland.
This type of collaboration suggests that a unified global cybersecurity effort is not a pipe dream after all but a feasible reality, and an effective one at that: two individuals believed to have profited from the WeLeakInfo.com site have already been arrested.
Cyberattack Hits Mitsubishi Electric Where It Hurts
Mitsubishi Electric, a multinational electronic equipment manufacturer, is warning government agencies and businesses that sensitive information may have been compromised after a Chinese cybercrime group allegedly accessed the company’s servers and computers.
The Japan-based company told the government that there was no “leak of sensitive information regarding defense equipment and electricity” while admitting that other sensitive information may have been compromised.
After detecting irregular activity on its servers back in June last year, Mitsubishi Electric “conducted an internal probe that found unauthorized access to management sections at its head office and elsewhere”.
The company took immediate action against the unauthorized access, but fears that “personal data on over 8,000 people, including employees, retirees, and job seekers, had been endangered”.
Mitsubishi Electric apologized to those whose data may have been breached and said it “will continue to bolster its information security and monitoring measures”.
Phishing Attack Exposes US Taxpayers’ Credentials
Tax season isn’t quite here yet, but for some taxpayers, the nightmare has already begun. Some companies using the private payroll processing company, Automatic Data Processing (ADP), recently received emails informing them that their W-2 forms were ready. Unfortunately, the emails contained links that redirected users to a phishing website that looked remarkably like the ADP landing page but wasn’t.
Those who clicked on the links exposed their employees’ ADP credentials, giving cybercriminals access to bank account numbers and the ability to redirect salary payments. The phishing attacks left other personal data exposed, including names, home addresses, and social security numbers, making victims vulnerable to identity theft.
In light of this recent phishing attack, the manager of Security Research at AppRiver, Troy Gill, recommended that taxpayers activate 2FA on their IRS accounts and “remember that the IRS will never require you to take action via an email”.
Windows 10 in New Year Cyberthreat Nightmare
Following hot on the heels of the critical Windows 10 vulnerability we reported last week, Microsoft is in the grip of another serious cyberattack, this time a ransomware threat known as Snake.
Nothing like the innocent game that helped Nokia sell over “10 million retro-revival handsets”, this dangerous and slippery piece of malware is designed to “lock-up your apps and files … and charge you exorbitant fees to reverse the viper-tight encryption”.
Snake goes one step further by disabling any remote management tools or software, so your remote IT technicians won’t even be able to get in, let alone look around long enough to resolve the ransomware infection. Snake uses the latest encryption and makes recovery difficult by also deleting Shadow Volume Copies, which are backup snapshots of certain files that can be used to restore lost data.
Despite the severity of the threat posed by Snake, cybersecurity experts have reiterated the FBI’s stance on ransomware and are urging victims not to cough up. Research indicates that less than 20% of ransomware victims who pay up regain access to their files, while over 80% managed to get their content back using their own data backups.
Flawed Plug-ins Endanger 400k WordPress Sites
Researchers have discovered serious flaws in three popular WordPress plug-ins that could leave sites exposed to authentication bypass vulnerabilities. The worst offender is the InfiniteWP Client plug-in, which “allows users to manage an unlimited number of WordPress sites from their own server”, although WP Database Reset and WP Time Capsule are hot on its heels.
The flaw in the InfiniteWP plug-in “lets anyone log in to an administrative account with no credentials at all”. Marc-Alexandre Montpas of the web security firm, Sucuri, says “logistical vulnerabilities like the ones seen in this recent disclosure can result in severe issues for Web applications and components”.
WP Time Capsule’s critical flaw similarly allows unauthenticated users to log in to an administrative account, while the WP Database Reset vulnerability gives unauthenticated attackers access to the database and the ability to reset any table within it to its original state.
All three vulnerabilities are dangerous, and although there is no sign of them being exploited yet, if they are, it could “result in the complete loss of data or a site reset to the default WordPress settings”.
Wordfence, the WordPress security tool, is advising all users to back up their sites and update to WordPress version 3.15.