Last Week In Blockchain and CyberSecurity News - March 12, 2019

Hundreds of Vulnerable Docker Hosts Exploited by Cryptocurrency Miners  

Thousands of Docker containers were found to be exposed online and susceptible to illegal cryptocurrency mining attacks. Docker technology provides operating-system-level virtualization, and many businesses use it to develop and run applications inside containers. A Docker container can be controlled through a terminal or an API; if that ability falls into a malicious user's control, the container and possibly the applications contained within may be at risk.

A newly discovered vulnerability, CVE-2019-5736, allows one to gain host root access from a Docker container. An exposed remote Docker API combined with this vulnerability can lead to a fully compromised host. According to Imperva’s research, several thousand Docker hosts have already been exposed and are currently being attacked. At the time the research was published, “3,822 Docker hosts [had their] remote API exposed publicly,” and “400 IPs out of 3,822 were accessible.” In many of the Docker images, illicit cryptocurrency mining activity was taking place. The majority of the cryptojacking scenarios detected by Imperva were set to mine Monero. Because cryptojacking is only one type of attack that can be carried out against vulnerable Docker hosts, it is essential to keep patches up to date and apply other security practices.
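A configuration check for the exposed remote API described above, as an added example that is not part of the original article. It audits a daemon.json file and a dockerd command line for TCP listeners that do not require client certificates; the sample configurations, certificate path and function names are constructed for illustration.

```python
import json
import shlex

# Added example. Sample configurations below are constructed for illustration.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CMDLINE = ("dockerd -H fd:// --host=tcp://0.0.0.0:2376 "
                  "--tlsverify --tlscacert=/etc/docker/ca.pem")
LOOPBACK = ("127.0.0.1", "localhost", "[::1]")

def tcp_findings(hosts, tlsverify):
    """Classify every tcp:// listener by reachability and TLS client auth."""
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local sockets
        bind = h[len("tcp://"):].rsplit(":", 1)[0]
        local = bind in LOOPBACK
        if not tlsverify:
            severity = "medium" if local else "critical"
            findings.append((severity, h, "API reachable without client certificates"))
        elif not local:
            findings.append(("info", h, "remote API requires client certificates"))
    return findings

def audit_daemon_json(text):
    """Audit the contents of a daemon.json file."""
    cfg = json.loads(text)
    return tcp_findings(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))

def audit_cmdline(cmdline):
    """Audit a dockerd command line (for example from a systemd unit)."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    return tcp_findings(hosts, tlsverify)

if __name__ == "__main__":
    for finding in audit_daemon_json(SAMPLE_DAEMON_JSON) + audit_cmdline(SAMPLE_CMDLINE):
        print(finding)
```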

Read more here.

Marriott CEO Shares Investigation Results On Last Year's Hack 

Marriott CEO Arne Sorenson testified in front of a U.S. Senate subcommittee yesterday regarding the massive security breach the hotel chain experienced last year. Sorenson explained the events surrounding the incident, stating that a database monitoring system called “IBM Guardium” detected an anomaly in the Starwood guest reservation database (a hotel chain reservation system they were attempting to combine with their own) a day before the breach occurred. “The Guardium alert was triggered by a query from an administrator's account to return the count of rows from a table in the database,” Sorenson said. The alert was of high importance because that specific type of query is only run by a human operator, not by the automated software.
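The kind of rule behind such an alert, sketched as an added example that is not Guardium's logic or output and not part of the original article. It learns the statement shapes an account normally issues and flags anything new, labelling row-count queries specifically; this generalizes the single case in the testimony to any unseen statement shape. The account name, table names and audit records are constructed.

```python
import re

# Constructed audit records as (db_account, sql); not real Guardium output.
BASELINE = [
    ("app_admin", "SELECT * FROM reservations WHERE guest_id = 1042"),
    ("app_admin", "UPDATE reservations SET room = '12B' WHERE id = 77"),
    ("app_admin", "SELECT * FROM reservations WHERE guest_id = 9"),
]
NEW_ACTIVITY = [
    ("app_admin", "SELECT * FROM reservations WHERE guest_id = 5531"),
    ("app_admin", "select count(*) from reservations"),
    ("app_admin", "SELECT  COUNT(1)  FROM guest_profiles;"),
]

ROW_COUNT = re.compile(r"^select count\((\*|\?)\) from (\w+)$")

def fingerprint(sql):
    """Normalize a statement so that literal values do not create new shapes."""
    s = sql.strip().rstrip(";").lower()
    s = re.sub(r"'[^']*'", "?", s)   # string literals
    s = re.sub(r"\b\d+\b", "?", s)   # numeric literals
    return re.sub(r"\s+", " ", s)    # collapse whitespace

def learn(records):
    """Build the set of (account, statement shape) pairs seen in normal operation."""
    return {(acct, fingerprint(sql)) for acct, sql in records}

def detect(records, known):
    """Alert on statement shapes the account has never issued before."""
    alerts = []
    for acct, sql in records:
        fp = fingerprint(sql)
        if (acct, fp) in known:
            continue  # the automated software already issues this shape
        m = ROW_COUNT.match(fp)
        alerts.append({
            "account": acct,
            "kind": "row-count" if m else "new-shape",
            "table": m.group(2) if m else None,
            "sql": sql,
        })
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_ACTIVITY, learn(BASELINE)):
        print(alert)
```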

Further investigation into this incident by third-party forensic investigators uncovered a Remote Access Trojan (‘RAT’) on the system’s devices, a type of malware that allows a malicious actor to surveil, and even gain control over, a computer. The investigators also discovered Mimikatz, a tool that searches a device’s memory for usernames and passwords. Further investigation revealed that hackers had operated on Starwood’s IT network for more than two years without being detected, and that two compressed, encrypted files had been deleted.

The latest statistics surrounding the Marriott breach are shown below: 

  • 383 million guest records 

  • 18.5 million encrypted passport numbers 

  • 5.25 million unencrypted passport numbers (663,000 from the US) 

  • 9.1 million encrypted payment card numbers 

  • 385,000 card numbers that were still valid at the time of the breach  

(ZDNet)

Read more about Marriott here.

Vulnerabilities In Car Alarm Systems Exposed 3 Million Cars To Hack 

Last week, security experts at Pen Test Partners discovered numerous vulnerabilities in two smart car alarm systems that put three million vehicles globally at risk of being hacked. The companies, Viper and Pandora Car Alarm Systems, advertised and sold “smart” alarms. Pandora also proudly stated its systems were “unhackable”, a claim that has since been wiped off the vendor’s website. The vulnerabilities can be exploited to disable the alarm, track or unlock the vehicle, or even start and stop the engine while the car is moving. According to a report published by Pen Test Partners, the researchers stated:

“After purchasing and fitting several high-end ‘smart’ alarms to [their] cars, costing [them] ~$5,000, [they] discovered that two of the largest aftermarket alarm systems have critical security flaws that allow: 

  • The car to be geo-located in real time 

  • The car type and owner’s details to be identified 

  • The alarm to be disabled 

  • The car to be unlocked 

  • The immobiliser to be enabled and disabled 

  • In some cases, the car engine could be ‘killed’ whilst it was driving 

  • One alarm brand allowed drivers to be ‘snooped’ on through a microphone 

  • Depending on the alarm, it may also be possible to steal vehicles”

The flawed car alarm systems are manufactured by the Russian firm Pandora and the US-based company Viper.

The vulnerabilities exist because the APIs for both applications failed to authenticate requests, giving an attacker the opportunity to take over customer accounts through insecure direct object reference (IDOR) issues. More than $150 billion worth of vehicles may have been exposed. Because systems like these can cause incredible harm if misconfigured or flawed, more testing needs to be conducted to ensure safety for consumers.
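The flaw class described above, shown as an added example that is not the vendors' code and not taken from the Pen Test Partners report: a handler that trusts the object ID in the request beside one that authenticates the session and checks that it owns the target account. All handler names, fields, tokens and records are hypothetical.

```python
# Constructed data; handler and field names are hypothetical.
USERS = {
    101: {"email": "alice@example.test", "vehicle": "car-A"},
    102: {"email": "bob@example.test", "vehicle": "car-B"},
}
SESSIONS = {"tok-alice": 101, "tok-bob": 102}  # session token -> user id
EDITABLE = ("email",)                          # fields a user may change

class Forbidden(Exception):
    pass

def update_profile_vulnerable(users, token, user_id, changes):
    """Trusts the user_id in the request: any caller can edit any account."""
    users[user_id].update(changes)
    return users[user_id]

def update_profile_hardened(users, sessions, token, user_id, changes):
    """Authenticates the session, then checks that it owns the target object."""
    caller = sessions.get(token)
    if caller is None:
        raise Forbidden("unauthenticated request")
    if caller != user_id:
        raise Forbidden("session does not own this account")
    users[user_id].update({k: v for k, v in changes.items() if k in EDITABLE})
    return users[user_id]

def demo():
    """Run both handlers on fresh copies of the constructed data."""
    users = {uid: dict(rec) for uid, rec in USERS.items()}
    # Bob's session edits Alice's account through the vulnerable handler.
    update_profile_vulnerable(users, "tok-bob", 101, {"email": "bob@example.test"})
    taken_over = users[101]["email"] == "bob@example.test"

    users = {uid: dict(rec) for uid, rec in USERS.items()}
    outcomes = []
    change = {"email": "new@example.test", "vehicle": "car-B"}
    for token in ("tok-bob", "no-such-token", "tok-alice"):
        try:
            update_profile_hardened(users, SESSIONS, token, 101, change)
            outcomes.append("ok")
        except Forbidden as exc:
            outcomes.append(str(exc))
    return taken_over, outcomes, users[101]

if __name__ == "__main__":
    print(demo())
```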

Read more about the vulnerability here.

An Email Marketing Company Left 809 Million Records Exposed Online 

Last week, an unprotected and publicly accessible MongoDB database containing 150 gigabytes of detailed, plaintext marketing data was discovered by security researchers Bob Diachenko and Vinny Troia. The database contains over 763 million unique email addresses, IP addresses, zip codes, and “business intelligence data” such as employee and revenue figures from different companies. The database is owned by the email validation firm Verifications.io, which took the database offline the same day Diachenko reported it to the company. Firms like Verifications.io are used by companies to audit mailing lists and ensure that the included email addresses are valid and will not bounce back.

Diachenko and Troia found 808,539,939 records. The largest collection was named "mailEmailDatabase," and its contents are listed below:

  • Emailrecords (798,171,891 records) 

  • emailWithPhone (4,150,600 records) 

  • businessLeads (6,217,358 records) 

Companies must become more involved and implement proper security precautions to prevent incidents such as the one Verifications.io has experienced. We have seen numerous companies leave millions of consumer records exposed online due to a simple error such as not applying a password. In a world where personally identifiable information is so valuable, it is vital to protect consumer data.

Get more information here.

The US Arrests Alleged Leader Of $3.7 Billion Cryptocurrency Pyramid Scheme 

The U.S. District Attorney has arrested the leaders behind “OneCoin” for allegedly promoting a fraudulent cryptocurrency-related pyramid scheme. The prosecutors allege the cryptocurrency was, in fact, a pyramid scheme rather than a functional currency. According to the notice, Mark Scott and Konstantin Ignatov are suspected of being involved in “wire fraud, securities fraud, and money laundering offenses,” through which they lured unsuspecting investors into contributing “billions of dollars in the fraudulent cryptocurrency.” According to the indictment, the company mimicked a multi-level marketing scheme by paying individuals a commission if they convinced others to buy the OneCoin cryptocurrency. OneCoin also claimed to have over 3 million members worldwide; however, the cryptocurrency did not have a functional blockchain or public ledger. Other false claims regarding OneCoin include several OneCoin members stating “the OneCoin cryptocurrency is mined using mining servers maintained and operated by the company,” when in reality the OneCoin cryptocurrency is not mined using computing resources and OneCoin lacks a true blockchain.

Further investigation uncovered plans in which the leaders lied to investors to inflate the value of OneCoin from half a euro ($0.56) to almost 30 euros ($33.65), and to “take the money and run and blame someone else for this.” It will surely be interesting to read upcoming developments regarding the OneCoin case.

Read more here.