Table of Contents

  1. Breaches
    1. Woman’s shock after getting two medical files with other people’s STD results and mental health diagnosis
    2. Catho - 1,173,012 breached accounts
    3. Sonicbids - 751,700 breached accounts
    4. Gym app management platform exposed info of thousands of users
    5. DopplePaymer Ransomware Operators Allegedly Struck Royal Military College of Canada
  2. Vulnerabilities
    1. Some email clients are vulnerable to attacks via 'mailto' links
    2. CVE-2020-10029: Buffer overflow in GNU libc trigonometry functions?!?
  3. Privacy
    1. New Toyotas Will Upload Data To AWS To Help Create Custom Insurance Premiums Based On Driver Behavior
    2. Clear Channel’s billboards will start tracking consumers in Europe
  4. Misc
    1. Zoom web client outage prevents users from joining meetings
    2. Kali Linux 2020.3 begins journey of replacing Bash with ZSH
    3. Microsoft is killing off insecure Cloud App Security cipher suites
    4. Using Disinformation to Cause a Blackout
    5. Breaking Samsung firmware, or turning your S8/S9/S10 into a DIY “Proxmark”
  5. Malware
    1. Cryptojacking worm steals AWS credentials from Docker systems
  6. Crime
    1. Ukraine arrests gang who ran 20 crypto-exchanges and laundered money for ransomware gangs

Breaches

Woman’s shock after getting two medical files with other people’s STD results and mental health diagnosis

A woman told of her shock after receiving two different medical files containing separate patients' STI results and a mental health diagnosis. Rachel Healy, 38, from Co Cork, said she received a medical file via email on August 5 from Union Quay Medical Centre in Co Cork which was not hers. The file contained the patient's personal details including occupation and address but also detailed the woman's mental health history. Nine days later on August 14, Ms Healy received STI results not belonging to her via email from myclinic.ie, a Dublin GP practice.

Catho - 1,173,012 breached accounts

In approximately March 2020, the Brazilian recruitment website Catho was compromised and subsequently appeared alongside 20 other breached websites listed for sale on a dark web marketplace. The breach included almost 11 million records with 1.2 million unique email addresses. Names, usernames and plain text passwords were also exposed.

Sonicbids - 751,700 breached accounts

In December 2019, the booking website Sonicbids suffered a data breach which they attributed to "a data privacy event involving our third-party cloud hosting services". The breach contained 752k user records including names and usernames, email addresses and passwords stored as PBKDF2 hashes. The data was provided to HIBP by breachbase.pw.

Gym app management platform exposed info of thousands of users

Hackers could hijack user accounts in dozens of fitness and gym mobile applications, even where the two-factor authentication (2FA) mechanism was active. The common ground for all the apps is Fizikal, a management platform from Israel for gyms and sports clubs that allows customers to handle their subscription and class registration. Several vulnerabilities affecting the Fizikal platform could be chained to bypass security checks, enumerate users, brute-force the one-time password (OTP) used for logging in, and gain access to a user's account.

DopplePaymer Ransomware Operators Allegedly Struck Royal Military College of Canada

Recently, CybleInc researchers identified a leak post in which DopplePaymer ransomware operators claimed to have breached the Royal Military College of Canada (RMC). Established in 1876, RMC is the only federal institution in Canada with degree-granting powers; its campus mixes historic buildings with more modern academic, athletic, and dormitory facilities.

Vulnerabilities

Some email clients are vulnerable to attacks via 'mailto' links

A lesser-known technology known as "mailto" links can be abused to launch attacks on the users of email desktop clients. The new attacks can be used to secretly steal local files and have them emailed as attachments to attackers, according to a research paper published last week by academics from two German universities. In a research paper named "Mailto: Me Your Secrets", academics from Ruhr University Bochum and the Münster University of Applied Sciences said they found email client apps that support the mailto standard with some of its most exotic parameters that allow for attacks on their users. In particular, researchers looked at the mailto "attach" or "attachment" parameters that allow mailto links to open new email compose/reply windows with a file already attached. Academics argue that attackers can send emails containing boobytrapped mailto links or place boobytrapped mailto links on websites that, when clicked, could surreptitiously append sensitive files to the email window.
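As an added illustration (not code from the paper or the original article), the following Python flags mailto links in HTML whose query string carries the "attach"/"attachment" parameters described above, which is the check a mail gateway or content filter would want. The parameter-name set and the sample HTML are constructed for this example.

```python
# Added example: detect mailto links that pre-attach local files.
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote

# Parameter names highlighted by the research (assumed set for this example).
ATTACH_PARAMS = {"attach", "attachment"}


def parse_mailto(uri):
    """Return (recipient, [(param, value), ...]) for a mailto: URI, else None."""
    if not uri.lower().startswith("mailto:"):
        return None
    addr, _, query = uri[len("mailto:"):].partition("?")
    # parse_qsl percent-decodes values, so encoded paths are normalised too.
    params = parse_qsl(query, keep_blank_values=True)
    return unquote(addr), [(k.lower(), v) for k, v in params]


def attachment_paths(uri):
    """Paths a client honouring attach/attachment would silently add."""
    parsed = parse_mailto(uri)
    if parsed is None:
        return []
    return [v for k, v in parsed[1] if k in ATTACH_PARAMS]


class MailtoCollector(HTMLParser):
    """Collect every href of an <a> tag; attribute values are HTML-unescaped."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def find_suspicious_mailto(html):
    """Return (href, [paths]) for each mailto link carrying attachment params."""
    collector = MailtoCollector()
    collector.feed(html)
    return [(h, attachment_paths(h)) for h in collector.links if attachment_paths(h)]


# Constructed sample: one benign link, two that would pre-attach files.
SAMPLE_HTML = """
<a href="mailto:support@example.com?subject=Hello">contact</a>
<a href="mailto:drop@example.com?subject=Report&amp;attach=%2Fhome%2Fuser%2Fnotes.txt">offer</a>
<a href="MAILTO:other@example.com?attachment=/etc/hosts&amp;attachment=/home/user/notes.txt">info</a>
"""

if __name__ == "__main__":
    for href, paths in find_suspicious_mailto(SAMPLE_HTML):
        print("suspicious:", href, "->", paths)
```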

CVE-2020-10029: Buffer overflow in GNU libc trigonometry functions?!?

ForAllSecure has discovered bugs in the glibc functions cosl, sinl, sincosl, and tanl, caused by assumptions in an underlying common function, leading to CVE-2020-10029. These bugs, after being dormant for 8 years, are now fixed in glibc 2.32. Researchers reported the bug to the glibc private security address, then reported it to the public tracker at the maintainers' request. You can follow the public thread from January 31, 2020 on the glibc developers mailing list. The developers have put in a bug fix, and the CVE (CVE-2020-10029) is now public. The CVSS score is 5.5.

Privacy

New Toyotas Will Upload Data To AWS To Help Create Custom Insurance Premiums Based On Driver Behavior

Toyota has expanded its collaboration with Amazon Web Services in ways that will see many of its models upload performance data into the Amazonian cloud to expand the services the auto-maker offers to drivers and fleet owners. Toyota reckons the data could turn into "new contextual services such as car share, rideshare, full-service lease, and new corporate and consumer services such as proactive vehicle maintenance notifications and driving behavior-based insurance." Neither party has specified just which bits of the AWS cloud Toyota will take for a spin but it seems sensible to suggest the auto-maker is going to need lots of storage and analytics capabilities, making AWS S3 and Kinesis likely candidates for a test drive. Whatever Toyota uses, prepare for privacy ponderings because while cheaper car insurance sounds lovely, having an insurer source driving data from a manufacturer has plenty of potential pitfalls.

Clear Channel’s billboards will start tracking consumers in Europe

Clear Channel Outdoor Holdings' Radar tracking technology, which gives advertisers access to anonymized mobile phone data about people who pass by billboards, is launching in Europe next month, the Financial Times reported. The outdoor ad-tracking program has been in the US for four years, but Clear Channel waited to launch in Europe so it could meet the EU's stricter privacy regulations. William Eccleshare, CEO of Clear Channel's international division, told the FT that Radar, which he stressed relied on data that was "very well anonymized," can see and follow people's movements into a store, follow what they purchase, and look at viewing habits if someone, say, passed by an outdoor ad for a Netflix show.

Misc

Zoom web client outage prevents users from joining meetings

Zoom users were unable to join meetings and webinars through the Zoom web client and WebSDK during the outage, which did not affect users joining through the Zoom application. An incident entry posted on Zoom's status page says that the company has "identified the issue causing users to be unable to join Meetings and Webinars through our web client and WebSDK." According to some reports, users are seeing errors when trying to join Zoom meetings saying that "Your connection has timed out and you cannot join the meeting. Verify your network connectivity and try again."

Kali Linux 2020.3 begins journey of replacing Bash with ZSH

Kali Linux 2020.3 was released by Offensive Security, and it begins the first steps of switching from Bash as the default shell to ZSH. Kali Linux is a distribution built for security professionals and comes with numerous software packages and tools that can be used by ethical hackers to perform penetration testing. With this release, the Kali Linux Team begins their plan to switch from a default Bash shell to ZSH. In the next version, Kali Linux 2020.4, the default shell will automatically be switched to ZSH so that users can benefit from the many plugins, themes, and extra features such as path expansions, auto directory changing, and auto-suggestions.

Microsoft is killing off insecure Cloud App Security cipher suites

Microsoft announced that some insecure cipher suites currently supported by Microsoft Cloud App Security (MCAS) will be removed later this year. After that happens, Redmond will no longer provide support for connections using these non-secure cipher suites and they will no longer work as expected. To prepare for this incoming change, "[c]ustomers should ensure that all client-server and browser-server combinations are using supported suites in order to maintain the connection to Microsoft Cloud App Security," Joanna Harding, Product Marketing Manager at Microsoft, said.

Using Disinformation to Cause a Blackout

Social media has made it possible to manipulate the masses via disinformation and fake news at an unprecedented scale. This is particularly alarming from a security perspective, as humans have proven to be one of the weakest links when protecting critical infrastructure in general, and the power grid in particular. [[https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0236517][Here, researchers consider an attack in which an adversary attempts to manipulate the behavior]] of energy consumers by sending fake discount notifications encouraging them to shift their consumption into the peak-demand period. Using Greater London as a case study, they show that such disinformation can indeed lead to unwitting consumers synchronizing their energy-usage patterns, and result in blackouts on a city-scale if the grid is heavily loaded.

Breaking Samsung firmware, or turning your S8/S9/S10 into a DIY “Proxmark”

PentestPartners have managed to reverse engineer and repurpose the firmware of Samsung phones so that the handset can talk NFC at a raw level, making it usable as an alternative to the Proxmark device.

Malware

Cryptojacking worm steals AWS credentials from Docker systems

A cybercrime group known as TeamTNT is using a crypto-mining worm to steal plaintext AWS credentials and config files from compromised Docker and Kubernetes systems. TeamTNT's cryptocurrency mining botnet was first reported in May by MalwareHunterTeam and further analyzed by Trend Micro researchers who discovered its affinity for misconfigured Docker containers. According to researchers at Cado Security this is the first-ever worm that comes with AWS credential theft functionality on top of run-of-the-mill cryptomining modules. This botnet uses already infected servers to execute an open-source masscan IP port scanner instance that scans for exposed Docker APIs (and Kubernetes systems as later discovered), installing itself in new containers on any misconfigured servers it finds.

Crime

Ukraine arrests gang who ran 20 crypto-exchanges and laundered money for ransomware gangs

Law enforcement in Ukraine has announced the arrest of a cybercrime gang who ran 20 cryptocurrency exchanges where they laundered more than $42 million in funds for criminal groups. The group, which authorities said had three members, has been operating from Ukraine's Poltava region since 2018. According to Ukrainian officials, the group has advertised its services on underground criminal forums, where they offered to convert cryptocurrency from criminal activities into fiat (real-world) currency for other groups, helping criminals launder their ill-gotten profits. The arrests took place in late June, earlier this year, but new details have been released in joint press releases by Binance and Ukraine Cyber Police. Binance, who collaborated in the investigation, said the group collaborated with ransomware gangs, and also spread ransomware themselves.