Cyber-threat weekly (24 Jan 2021)


Here is this week's watch report, covering the most interesting news items. Some of them will be developed in upcoming articles. Happy reading, and thank you for the coffee!

Data theft / loss

Hacker leaks full database of 77 million Nitro PDF user records

A stolen database containing the email addresses, names, and passwords of more than 77 million records of Nitro PDF service users was leaked today for free. The 14GB leaked database contains 77,159,696 records with users’ email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and other system-related information.

1.4 million Pixlr user records shared on hacker forum

1.4 million Pixlr user records have been leaked online to a hacker forum. The user records contain information that can be used by malicious actors to carry out credential stuffing and targeted phishing attacks. The hacker known as ShinyHunters shared the user record database for free on the hacker forum, claiming that the data was stolen from 123rf, whose parent company Inmagine also owns Pixlr.

Malwarebytes says SolarWinds hackers accessed its internal emails

Cybersecurity firm Malwarebytes today confirmed that the threat actor behind the SolarWinds supply-chain attack was able to gain access to some company emails. “While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor,” Malwarebytes CEO and co-founder Marcin Kleczynski said.

Bonobos clothing store suffers a data breach, hacker leaks 70GB database

Bonobos men’s clothing store has suffered a massive data breach exposing millions of customers’ personal information after a cloud backup of their database was downloaded by a threat actor. Bonobos states that the corporate systems were not breached during the attack.

Phishing: thousands of credentials were exposed, findable through a simple Google search

Security: A large phishing campaign allowed cyberattackers to seize thousands of employee credentials. But the stolen data was indexed by Google and was publicly visible through a simple search. The operators of a phishing campaign targeting the construction and energy sectors exposed the credentials stolen during their attacks.

Massive privacy risk as hacker sold 2 million MyFreeCams user records

Stolen data of around 2 million users of an adult streaming website MyFreeCams (MFC) was up for sale on an online hacker forum for $1,500 worth of bitcoin per 10,000 records. The threat actor selling the data claimed that a single batch would rake in at least $10,000 for the buyer on the black market.

Cyberattacks / fraud

FBI warns of voice phishing attacks | WeLiveSecurity

Criminals get employees to hand over their credentials and use this data to infiltrate corporate networks. The US Federal Bureau of Investigation (FBI) has issued a warning about campaigns in which threat actors target employees around the world with voice phishing (also called vishing) attacks in order to steal their network credentials and escalate user privileges.

Flaws / vulnerabilities

Bugs in Signal, Facebook, Google chat apps let attackers spy on users

Vulnerabilities found in multiple video conferencing mobile applications allowed attackers to listen to users’ surroundings without permission before the person on the other end picked up the calls. The logic bugs were found by Google Project Zero security researcher Natalie Silvanovich in the Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps and are now all fixed.

Bugs Allowed Hackers to Hijack Kindle Accounts With Malicious Ebooks


UK govt gives malware infected laptops to vulnerable students

Some of the laptops distributed by the UK Department for Education (DfE) to vulnerable students have been found to be infected with malware as reported by the BBC.

Justice / police / regulation

Rogue CCTV technician spied on hundreds of customers during intimate moments | ZDNet

A Texas-based CCTV technician pleaded guilty this week to illegally accessing the security cameras of hundreds of families to watch people in their homes get naked and engage in sexual activities. According to a criminal complaint, Telesforo Aviles, a 35-year-old, committed his crimes between November 2015 and March 2020 while working as a support technician for ADT, a provider of home security services.
