Marketing video firm Promo has massive breach, nation state attacks turn towards credential theft, Business ID theft sores OkCupid flaw allows attackers to read private messages and undetectable malware targeting docker.
Promo Data Breach Hits 14.6 Million User Accounts
- An Israeli marketing video firm this week announced a major breach of user data which appears to have impacted over 14 million accounts.
- Promo, which describes itself as “the world’s #1 marketing video maker,” revealed in an online notice that a vulnerability in a third-party service was to blame for the incident.
- “The exposed data includes first name, last name, email address, IP address, approximated user location based on the IP address, gender, as well as encrypted, hashed and salted password to the Promo or Slidely account,” said Promo.
- “Although your account password was hashed and salted (a method used to secure passwords with a key), it’s possible that it was decoded.”
- Although Promo failed to quantify the scale of the breach, HaveIBeenPwned has claimed the incident exposed 22 million records containing over 14.6 million unique email addresses.
- Promo has informed all affected customers and will force a password reset as a precaution.
- “To add insult to injury, the data was posted on a forum before Promo even knew about the breach and was able to alert customers.”
Nation State Attackers Shift to Credential Theft
- A greater focus is being placed on credential theft by nation state actors rather than stealing money.
- Speaking on a virtual briefing, Jens Monrad, head of Mandiant Threat Intelligence for EMEA at FireEye, focused on attacks from Russia, Iran and China and said attacks are easily done because of the user’s common digital footprint, which can allow an attacker to pick up on items about the victim.
- He said that financial attacks are still happening, and there are more standard cyber-attacks taking place where the attacker tries “to gain large financial sums in one cyber-attack,” but the “longer game” with credential theft is now common, and from a cyber-criminal perspective, the value in purely financial attacks is diminishing, with more money made from “selling access to desktop machines.
Identity thieves who specialize in running up unauthorized lines of credit in the names of small businesses are having a field day with all of the closures and economic uncertainty wrought by the COVID-19 pandemic.
- In 2019, Dun & Bradstreet saw more than a 100 percent increase in business identity theft.
- For 2020, the company estimates an overall 258 percent spike in the crime.
- To prove ownership over the hijacked firms, they hire low-wage image editors online to help fabricate and/or modify a number of official documents tied to the business — including tax records and utility bills.
- Usually, the first indication a victim has that they’ve been targeted is when the debt collection companies start calling.
- Cybersecurity researchers today disclosed several security issues in the ating platform OkCupid that could potentially let attackers remotely spy on users' private information or perform malicious actions on behalf of the targeted accounts.
- the flaws in OkCupid's Android and web applications could allow the theft of users' authentication tokens, users IDs, and other sensitive information such as email addresses, preferences, sexual orientation, and other private data.
After Check Point researchers responsibly shared their findings with OkCupid, the Match Group-owned company fixed the issues, stating, "not a single user was impacted by the potential vulnerability."
- The flaws were identified as part of reverse engineering of OkCupid's Android app version 40.3.1, which was released on April 29 earlier this year.
- Cybersecurity researchers today uncovered a completely undetectable Linux malware that exploits undocumented techniques to stay under the radar.
- The malware targets publicly accessible Docker servers hosted with popular cloud platforms, including AWS, Azure, and Alibaba Cloud.
- According to the latest research Intezer shared an ongoing Ngrok mining botnet campaign scanning the Internet for misconfigured Docker API endpoints and has already infected many vulnerable servers with new malware.
Dubbed 'Doki,' the new multi-threaded malware leverages "an undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address despite samples being publicly available in VirusTotal."
- The malware has been designed to execute commands received from its operators.
- Uses a Dogecoin cryptocurrency block explorer to generate its C2 domain in real-time dynamically.
- Uses the embedTLS library for cryptographic functions and network communication.
- Crafts unique URLs with a short lifetime and uses them to download payloads during the attack.