Orbitz Breached, Compromising Core Cisco Routers, and More

20 Mar 2018 - Around the Web

Orbitz Announces Breach Spilling 800k Credit Card Numbers

Orbitz announced today that cybercriminals breached its systems and made off with the credit card details, names, phone numbers, and email and billing addresses of some 880,000 of its customers. The breach, according to a Reuters report, seems to have been twofold, compromising one system that maintained consumer billing and another involved with partner billing. The partner platform breach is believed to have occurred sometime between January 1, 2016 and December 22, 2017, while the consumer platform is thought to have been breached between January 1, 2016 and June 22, 2016.

Suspected Russian State Sponsored Hackers Compromise Core Cisco Router

Cylance researchers say that a Russian state-sponsored hacking unit—known variously as DragonFly, Energetic Bear, Crouching Yeti, DYMALLOY, and Group 24—compromised a core router at a major Vietnamese oil rig manufacturing company. The hackers leveraged the compromised core router, which is said to be “considerably harder to detect, analyze, patch, and remediate than compromises of PCs,” to steal credentials that the attackers would then use to access energy companies elsewhere, specifically in the U.K. The group was at the center of a joint DHS-FBI report made public by US-CERT last week.

Mozilla Firefox “Master Password” Protected by Weak Crypto

For nine years, a Mozilla Firefox feature—called “Master Password”—that protects stored passwords has employed weak cryptography, according to a new BleepingComputer report. Firefox has been encrypting the master password, the password that protects all other passwords that users choose to store in their Firefox browser, with a problematic SHA-1 function. The problem stems from the function’s iteration count. While best practice stipulates that SHA-1 must have an iteration count of at least 10,000 to be considered secure, Mozilla uses just one iteration when processing its master passwords, exposing them to brute-force attacks. Mozilla says that it will resolve the problem when it releases its new password management component, called “Lockbox,” at some unspecified future date. In the meantime, setting a strong and complicated master password would largely mitigate the weakness.
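To make the iteration-count point concrete, here is an added example (not Firefox's code, and not from the BleepingComputer report) that uses PBKDF2-HMAC-SHA1 as a stand-in for Firefox's own scheme; the sample password and salt are constructed. It shows that at one iteration the derivation collapses to a single HMAC-SHA1 per guess, while 10,000 iterations multiply the per-guess cost accordingly.

```python
import hashlib
import hmac
import time

# Constructed sample values: not Firefox's real salt, key-database format,
# or anyone's master password. Only the iteration counts come from the page.
SAMPLE_MASTER_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes(range(16))
RECOMMENDED_ITERATIONS = 10_000   # the floor the page cites as best practice
WEAK_ITERATIONS = 1               # what the page says Firefox used


def derive_key(master_password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 key derivation (an assumed stand-in for Firefox's own
    scheme, chosen because it isolates the iteration-count parameter)."""
    return hashlib.pbkdf2_hmac("sha1", master_password, salt, iterations, dklen=20)


def single_hmac_sha1(master_password: bytes, salt: bytes) -> bytes:
    """What one PBKDF2 iteration reduces to: HMAC-SHA1 over salt || block index 1."""
    return hmac.new(master_password, salt + b"\x00\x00\x00\x01", hashlib.sha1).digest()


def iteration_count_is_degenerate(master_password: bytes, salt: bytes, iterations: int) -> bool:
    """True when the derivation costs exactly one HMAC-SHA1 per guess,
    i.e. the iteration count adds no work factor at all."""
    return derive_key(master_password, salt, iterations) == single_hmac_sha1(master_password, salt)


def relative_cost(iterations_weak: int, iterations_strong: int, rounds: int = 200) -> float:
    """Wall-clock ratio of per-guess cost between two iteration settings:
    the multiplier a higher count puts on every guess an attacker must make."""
    def timed(n: int) -> float:
        t0 = time.perf_counter()
        for _ in range(rounds):
            derive_key(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, n)
        return time.perf_counter() - t0
    return timed(iterations_strong) / timed(iterations_weak)


if __name__ == "__main__":
    print("1 iteration collapses to a single HMAC-SHA1:",
          iteration_count_is_degenerate(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, WEAK_ITERATIONS))
    print("10,000 iterations collapse to a single HMAC-SHA1:",
          iteration_count_is_degenerate(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, RECOMMENDED_ITERATIONS))
    print(f"per-guess cost multiplier, 10,000 vs 1 iteration: ~{relative_cost(1, 10_000):.0f}x")
```

The iteration count only multiplies the cost of each guess; the number of guesses is set by the master password's strength, which is why the page's interim advice of a strong master password still helps.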

FakeBank Android Trojan Redirects Bank Calls in Real Time

According to Symantec, a popular banking trojan for Android has a new feature: it can redirect phone calls, effectively allowing criminals to reroute legitimate support calls from the users of infected handsets to malicious call centers (as opposed to their banks). Numbers for these malicious call centers are stored in FakeBank’s configuration file, and staff at the fake call centers are trained to collect banking information from victims. Beyond the call redirect feature, FakeBank uses web injects to steal banking logins, and it has also whitelisted its own processes to evade detection and used TeamViewer to remotely control infected devices. At present, Symantec says that FakeBank, which is embedded in 22 apps that spread through third-party application markets, is exclusively targeting users in South Korea.

MKACyber publishes this intelligence brief regularly in an effort to keep cybersecurity professionals up-to-date on the news and research that matters.
