Table of Contents

  1. Leaks
    1. Photo App Exposes 100,000s of Users in Massive Data Leak
    2. Details of 10.6 million MGM hotel guests posted on a hacking forum
    3. Canadian Government Breaches Exposed Citizens' Data
  2. Crime
    1. Credit Card Skimmer Found on Nine Sites, Researchers Ignored
    2. Hackers Were Inside Citrix for Five Months
    3. DRBControl Espionage Operation Hits Gambling, Betting Companies
    4. Over 20,000 WordPress Sites Run Trojanized Premium Themes
    5. How Saudi Arabia Infiltrated Twitter
  3. Vulnerabilities
    1. Microsoft Has a Subdomain Hijacking Problem
    2. Zero-Day in WordPress Plugin Exploited to Create Admin Accounts
    3. Exploiting Jira for Host Discovery
  4. Privacy
    1. Wearable Microphone Jamming
    2. Leaked Document Shows How Big Companies Buy Credit Card Data on Millions of Americans
    3. Telecoms Say They Have a First Amendment Right to Sell Your Private Data
  5. Microsoft
    1. Microsoft Defender ATP for Linux Now In Public Preview


Photo App Exposes 100,000s of Users in Massive Data Leak

Led by Noam Rotem and Ran Locar, vpnMentor's research team recently discovered a data breach belonging to photography app PhotoSquared. The exposed database potentially compromised the privacy and security of 100,000s of PhotoSquared users by revealing a massive amount of sensitive photos and personal information. PhotoSquared could have easily avoided this leak, but instead, it represents a lack of basic security protocols by the company.

Details of 10.6 million MGM hotel guests posted on a hacking forum

The personal details of more than 10.6 million users who stayed at MGM Resorts hotels have been published on a hacking forum this week. ZDNet verified the authenticity of the data today, together with a security researcher from Under the Breach, a soon-to-be-launched data breach monitoring service. A spokesperson for MGM Resorts confirmed the incident via email. According to the analysis, the MGM data dump that was shared contains personal details for 10,683,188 former hotel guests. Within hours, the MGM Resorts team was able to verify the data and track it to a past security incident. "Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts," MGM told ZDNet. In addition, MGM Resorts told us it retained two cybersecurity forensics firms to conduct an internal investigation into last year's server exposure.

Canadian Government Breaches Exposed Citizens' Data

Data breaches at Canadian government agencies exposed the personal information of approximately 144,000 citizens over a two-year period, according to a report from the Canadian Broadcasting Corp. The breaches, which had gone unreported, only came to light in January when Conservative MP Dean Allison demanded that the country's federal government produce a report for the Canadian House of Commons, according to the CBC. The 800-page report contained details about agency breaches in 2018 and 2019.


Credit Card Skimmer Found on Nine Sites, Researchers Ignored

Security researchers discovered a new batch of nine websites infected with malicious JavaScript that steals payment card info from online shoppers. Some of them were infected a second time and the script persisted, despite efforts from the researchers to contact the website owners. The two researchers noticed that the skimmer is hosted on ',' which resolves to multiple IP addresses, mostly in Russia. "The used obfuscation is similar to the previous skimmer script, where the first stage functions as a loader, whereas the second stage contains the original script with added garbage code and string obfuscation." The two researchers found nine websites infected by this particular code and tried to contact all owners about the threat. None of them replied, and the latest check showed that the malicious script was still active on all but one.

Hackers Were Inside Citrix for Five Months

Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords. Citrix provides software used by hundreds of thousands of clients worldwide, including most of the Fortune 100 companies. It is perhaps best known for selling virtual private networking (VPN) software that lets users remotely access networks and computers over an encrypted connection. In March 2019, the Federal Bureau of Investigation (FBI) alerted Citrix that it had reason to believe cybercriminals had gained access to the company's internal network. The FBI told Citrix the hackers likely got in using a technique called "password spraying," a relatively crude but remarkably effective attack that attempts to access a large number of employee accounts (usernames/email addresses) using just a handful of common passwords.
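Because password spraying stays below per-account lockout thresholds, counting failures per account misses it; the distinctive signal is one source failing against many distinct accounts with very few attempts each. The detector below, an added example that is not part of the original article or Citrix's tooling, runs that logic over constructed authentication log lines (the log format, account names and IP addresses are all made up for the example).

```python
from collections import defaultdict

# Constructed sample log (not from the page): "<timestamp> <RESULT> <user> <source-ip>".
# 203.0.113.7 sprays one guess across six accounts; 198.51.100.9 brute-forces one
# account; 192.0.2.5 is an ordinary user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2019-03-01T08:00:01 FAIL alice 203.0.113.7
2019-03-01T08:00:02 FAIL bob 203.0.113.7
2019-03-01T08:00:03 FAIL carol 203.0.113.7
2019-03-01T08:00:04 FAIL dave 203.0.113.7
2019-03-01T08:00:05 FAIL erin 203.0.113.7
2019-03-01T08:00:06 FAIL frank 203.0.113.7
2019-03-01T08:01:00 FAIL admin 198.51.100.9
2019-03-01T08:01:01 FAIL admin 198.51.100.9
2019-03-01T08:01:02 FAIL admin 198.51.100.9
2019-03-01T08:01:03 FAIL admin 198.51.100.9
2019-03-01T08:01:04 FAIL admin 198.51.100.9
2019-03-01T08:02:00 FAIL grace 192.0.2.5
2019-03-01T08:02:05 OK grace 192.0.2.5
"""


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, result, user, source) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        events.append(tuple(parts))
    return events


def detect_password_spray(events, min_users=5, max_attempts_per_user=2):
    """Return {source_ip: sorted list of targeted accounts} for sources that failed
    against at least min_users distinct accounts while never exceeding
    max_attempts_per_user on any single account (the spray pattern)."""
    failures = defaultdict(lambda: defaultdict(int))  # source -> user -> fail count
    for _ts, result, user, src in events:
        if result == "FAIL":
            failures[src][user] += 1
    suspects = {}
    for src, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
            suspects[src] = sorted(per_user)
    return suspects
```

In production you would bucket by time window as well, since a patient sprayer spreads the same pattern over hours or days, and a high-volume source such as a shared corporate egress IP needs a higher threshold than an unknown external address.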

DRBControl Espionage Operation Hits Gambling, Betting Companies

An advanced threat actor has been targeting gambling and betting companies in multiple regions of the globe with malware that links to two Chinese hacker groups. Named "DRBControl" by security researchers, the group uses malware not publicly reported before. The mission appears to be cyberespionage, stealing databases and source code from the targets being part of the operation. The actor seems to focus on companies in Southeast Asia but unconfirmed reports say that it also attacks targets in Europe and the Middle East.

Over 20,000 WordPress Sites Run Trojanized Premium Themes

A threat actor has infected more than 20,000 WordPress sites by running the same trick for at least three years: distributing trojanized versions of premium WordPress themes and plugins. The operation counts tens of unofficial marketplaces, likely managed by the same actor, specifically set up to provide nulled (pirated) WordPress components. The distribution network has at least 30 websites, listed at the end of the article, that are actively promoted. The network of compromised websites is significant, 20,000 being a conservative estimate since some of the tainted plugins and themes have well upwards of 125,000 views. The cookie is set to expire in 1,000 days and includes the referrer website and the compromised domain visited. This side of the campaign aims at increasing the visibility of the sites the attacker controls in order to ensnare more victims. The attacker makes money from showing ads on compromised websites. According to Prevailion, the ads displayed by the threat actor were benign and earned them half a cent per click. Malicious use was also observed, though, prompting users to download adware that was likely pushing malicious software.

How Saudi Arabia Infiltrated Twitter

From May 2015 until he was exposed that December, Alzabarah spied for the Saudi Arabian government inside Twitter, a criminal complaint from the FBI alleges. After the initial exchange, a representative from a US Saudi Arabian business council in Virginia asked Abouammo to set up a tour at Twitter headquarters. "Nobody told us that we would be approached, that we would be - I don't know if 'seduced' is the right word - that we would be intimidated into giving any kind of Twitter information." Twitter has not responded to questions regarding this issue. In February 2015, a few months after accepting the watch, he made an introduction, putting his handlers in contact with Alzabarah, a Saudi citizen living in San Bruno and a Twitter SRE. Unlike Abouammo, Alzabarah blended into the background at Twitter. In May 2015, Alzabarah "began to access without authorization private data of Twitter users en masse," according to the FBI complaint. On Feb. 17, 2016, Omar Abdulaziz, a Saudi dissident with a popular YouTube channel and Twitter page who applied for asylum in Canada in 2014 and received it, got an email. Although the alleged spying put Abdulaziz at risk, the deeper damage was done to those Twitter users in Saudi Arabia, he said.


Microsoft Has a Subdomain Hijacking Problem

A security researcher has pointed out that Microsoft has a problem in managing its thousands of subdomains, many of which can be hijacked and used for attacks against users, its employees, or for showing spammy content. The issue has been brought up by Michel Gaschet, a security researcher and a developer for In an interview with ZDNet, Gaschet said that during the past three years, he's been reporting subdomains with misconfigured DNS records to Microsoft, but the company has either been ignoring reports or silently securing some subdomains, but not all.

Zero-Day in WordPress Plugin Exploited to Create Admin Accounts

A zero-day vulnerability in ThemeREX Add-ons, a WordPress plugin installed on thousands of sites, is being actively exploited by attackers to create user accounts with admin permissions and potentially take full control of the vulnerable website. Based on the estimates of WordPress site security firm Wordfence, the company that reported the ongoing attacks targeting the ThemeREX Add-ons zero-day bug, the plugin is currently installed on at least 44,000 websites. ThemeREX, the company behind this WordPress plugin, has over 466 commercial WordPress themes and templates for sale in its shop, which also install the ThemeREX Add-ons plugin to help customers configure and manage them more easily. "At the time of writing, this vulnerability is being actively exploited, therefore we urge users to temporarily remove the ThemeREX Add-ons plugin if you are running a version greater than 1.6.50 until a patch has been released. We have intentionally provided minimal details in this post in an attempt to keep exploitation to a bare minimum while also informing WordPress site owners of this active campaign," Chamberland said.

Exploiting Jira for Host Discovery

The CSRF vulnerability found in Jira's POP3 test connection component was leveraged to perform a host discovery scan from the Jira server: a CSRF script caused Jira to initiate test connections to a range of IP addresses, and the time taken to complete each request was measured to determine whether a host was present at the corresponding address. The results proved to be consistent with those from an Nmap host discovery scan.


Wearable Microphone Jamming

Researchers have created a device that is capable of disabling microphones in its user's surroundings, including hidden microphones. The device is based on a recent exploit that leverages the fact that, when exposed to ultrasonic noise, commodity microphones leak the noise into the audible range. Moreover, the device exploits a synergy between ultrasonic jamming and the naturally occurring movements that users induce on their wearable devices (e.g., bracelets) as they gesture or walk. The researchers demonstrate that these movements can blur jamming blind spots and increase jamming coverage.

Leaked Document Shows How Big Companies Buy Credit Card Data on Millions of Americans

Yodlee, America's largest financial data broker, says the data it sells is anonymous. A confidential document obtained by Motherboard shows people could be unmasked in the data. Yodlee sells data pulled from the bank and credit card transactions of tens of millions of Americans to investment and research firms, detailing where and when people shopped and how much they spent. The company claims that the data is anonymous, but a confidential Yodlee document obtained by Motherboard indicates individual users could be unmasked. The findings come as multiple Senators have urged the Federal Trade Commission (FTC) to investigate Envestnet, which owns Yodlee, for selling Americans' transaction information without their knowledge or consent, potentially violating the law.

Telecoms Say They Have a First Amendment Right to Sell Your Private Data

After lobbying to kill consumer privacy rules at the federal level, big telecom is now taking aim at individual state efforts to protect your privacy online. Maine's law demands that ISPs clearly disclose what data is collected and who it is sold to, and requires that users opt in to the sale of sensitive location or financial data. But this week the broadband industry sued the state of Maine, claiming that the law violates the industry's free speech rights. Telecom experts say the industry is grasping at straws as it attempts to dodge accountability for a decade rife with telecom-related privacy abuses. "Big broadband is clearly trying untested First Amendment arguments in the hope that something sticks," former FCC lawyer Gigi Sohn told Motherboard. "Since when does giving consumers a right to control their personal information become an unconstitutional limitation on broadband companies' speech?" Sohn asked.


Microsoft Defender ATP for Linux Now In Public Preview

Finally! Now you can install Microsoft Snake Oil software on your Linux machine! In conjunction with next week's RSA conference, Microsoft has announced that Microsoft Defender ATP for Linux has now entered public preview and is available for six different Linux distributions. In addition to making Microsoft Defender ATP available for Linux, Microsoft is working on iOS and Android versions as well.