Last Week In Blockchain and CyberSecurity News - September 3, 2019

Google Uncovers Massive iPhone Attack Campaign

Researchers from Google’s Project Zero are reporting that a small collection of hacked websites has been breaching iPhones for the last two years. By utilizing unknown vulnerabilities, the malicious websites conduct “watering hole” attacks on victims who visit them. Ian Beer, a researcher at Project Zero, describes the attack, stating:

There was no target discrimination; simply visiting the hacked website was enough for the exploit server to attack your device, and if it was successful, install a monitoring plant.

Google’s Threat Analysis Group (TAG) discovered five “exploit chains covering nearly every operating system release from iOS 10 to the latest version of iOS 12.” These flaws provide attackers the ability to bypass several layers of protection. The unknown hackers were able to exploit 14 vulnerabilities: 

  • 7 affecting Safari 

  • 5 affecting the kernel 

  • 2 sandbox escapes 

The malware is able to access all of a victim’s database files, and files used by apps such as Facebook Messenger, iMessage, Telegram, and WhatsApp could be breached. Ian demonstrated how attackers could “upload private files, copy a victim's contacts, steal photos, and track real-time location every minute.”

Google discovered the vulnerabilities in February, reported them to Apple, and they were patched in iOS 12.1.4, released on February 7, 2019.  

According to TechCrunch, "sources familiar with the matter have said that the websites were part of a state-backed attack—likely China—designed to target the Uighur community in the country’s Xinjiang state."

Foxit Software Discloses Data Breach Exposing User Passwords

Foxit, a PDF software provider, recently disclosed a security breach that allowed a third party to access sensitive information, such as customer and company names, emails, phone numbers, passwords, and IP addresses. The company currently has over 525 million users around the world and has sold its software in over 200 countries.

Foxit has not provided details on how many customers have been affected by this breach. However, as a security precaution, Foxit has alerted those affected by the breach with password reset forms.

Capital One Hacker Took Data from More Than 30 Organizations

As of last week, new court documents have shed more light on the criminal activity of accused Capital One hacker Paige A. Thompson. Documents published by US officials state:

The servers seized from Thompson’s bedroom during the search of Thompson’s residence, include not only data stolen from Capital One, but also multiple terabytes of data stolen by Thompson from more than 30 other companies, educational institutions, and other entities.

An additional charge against Thompson is likely based upon their latest discovery. Various media reports state that organizations such as Unicredit, Vodafone, Ford, Michigan State University, and the Ohio Department of Transportation were affected by Thompson’s criminal activity. She has also been accused of hacking into the servers of her employer’s cloud services customers for the purpose of cryptojacking, CoinTelegraph reports.   

Google Play Store Bug Bounty Program Expands to All Apps with 100 Million+ Downloads

Google has expanded its already extensive bug bounty program to include all apps with 100 million downloads or more. The new policy also introduced privacy-focused rewards for researchers that identify data abuse in various phone applications. Google will work with researchers and the app developers to fix the discovered bugs.  

Before this addition, the only bug bounties available were those through app developers’ own programs. Therefore, white hat hackers had no incentive to search for bugs in apps without programs. Thankfully, the Google Play Security Reward Program now offers a far superior bug bounty process. The collaboration with HackerOne will also help identify data abuse issues in OAuth projects as well as Chrome extensions.

Whoever submits verifiable evidence of data abuse is eligible for a reward. A single reward could be as large as $50,000. 

Cybersecurity Firm Imperva Discloses Breach

Imperva, a provider of firewall services that help websites block cyberattacks, was a victim of a data breach that exposed the email addresses, scrambled passwords, API keys, and SSL certificates of many of its firewall users. Its WAF product, Incapsula, was breached by a third party, and the incident impacts customers who had accounts through September 15, 2017.

A cybercriminal in possession of a customer’s API keys and SSL certificates can significantly undermine the security of traffic going in and out of a customer's websites. An attacker could theoretically intercept, view, modify, or divert all traffic from the breached site through a site the attacker owns. The cause of the incident is unknown as the breach is still under investigation.
