The Month in Hacks: July 2017

Cryptocurrency has a bad month, a popular WordPress plugin compromises sites, and 6 million Verizon customers have their data released. It's all this and more in The Month in Hacks.

IoT security devices hacked thanks to “Devil's Ivy” flaw

A critical vulnerability was found in an open-source software development library that left millions of IoT devices vulnerable to hacking. The software in question is used in many physical security products, including security cameras, sensors, and access card readers. The flaw, dubbed “Devil's Ivy,” could be exploited by hackers to run any code on vulnerable devices.

The flaw was discovered in an IoT security camera manufactured by Axis Communications, but the library is used by major IoT device manufacturers, including Canon, Siemens, Cisco, Hitachi, Axis Communications, and more. While a patch has been released, any devices that haven't been updated are still at risk.

75% of Memcached vulnerabilities remain exposed after months

Memcached, a popular open-source distributed caching system, was discovered to have three critical vulnerabilities late last year. Exposed websites included Facebook, Reddit, and YouTube. Developers released patches for the flaws shortly afterward, but researchers discovered this month that almost three-quarters of affected servers are still vulnerable.

The servers remain vulnerable because organizations have not applied the patches. Leaving the flaws unpatched makes the servers easy targets for ransomware attacks. Network engineers are advised to apply the patches as soon as possible to reduce risk.

CoinDash loses $7 million in Ethereum in Initial Coin Offering hack

A hacker recently targeted CoinDash, a blockchain technology startup for the trading of Ethereum, stealing over $7 million worth of the online currency. The hacker accessed CoinDash's website during the initial coin offering (ICO), changing the address where investors were instructed to send money to a fraudulent address owned by the hacker.

While CoinDash discovered the flaw within minutes, the hacker was still able to steal millions of dollars meant to be an investment in the startup. The company currently does not know who was behind the attack, and the sale of Ethereum through the site has been terminated.

Verizon vendor leaves 6 million customers' data on unprotected servers

Over 6 million Verizon customers had their data exposed after NICE Systems, a third-party vendor, left sensitive user details on an unprotected cloud server. Since the server was completely unprotected, anyone could access and download users' data. Information available included names, phone numbers, and account PINs.

The data available means that hackers can easily access user accounts, as the PIN can be used to fool customer service into giving them access to the subscriber's account. Verizon has not provided a way for customers to see if their data was exposed, so all Verizon customers are encouraged to change their PIN.

Smartphone WiFi chipset flaw allows hackers to execute malicious code

A set of WiFi chipsets used in most Android devices and some iPhone models has been found to have a serious bug that allows hackers to execute malicious code on devices. The hacker simply needs to be within WiFi range of a vulnerable phone to access it.

The hack, dubbed BroadPwn, affects a broad range of devices from companies including Apple, HTC, LG, Nexus, and Samsung. Patches have been released by Google for Pixel and Nexus devices, but the rest of Android devices are vulnerable until the original equipment manufacturers provide their own patches. All users of affected models should install the newest security update.

14 million Android devices affected by malware posing as popular apps

In another attack on Android smartphones, a malware strain infected more than 14 million Android devices globally, earning hackers over $1.5 million in fake ad revenues over two months. Called CopyCat, the malware rooted devices and injected malicious code that gave hackers full access to the devices. The malware was distributed by pretending to be popular apps with a high number of downloads.

It's estimated that there have been nearly 4.9 million fake apps installed on phones, displaying up to 100 million ads. Interestingly, the malware is coded to not attack users in China, which makes researchers believe that the creators of the app live in China and want to avoid police investigation.

Bithumb customers lose $1 million after employee PC compromised

A South Korean cryptocurrency exchange for Ethereum and Bitcoin was targeted by hackers, losing more than $1 million when user accounts were compromised. Hackers also stole the personal information of over 31,000 users, including their names, email addresses, and mobile phone numbers. Hackers used phishing scams to get the login details of victims; some people stated that they received phone calls from people pretending to work for Bithumb.

Bithumb believes that the hackers did not access the information through the company's core servers. Instead, it's likely that an employee's home PC was compromised.

300,000 WordPress websites at risk due to WP Statistics vulnerability

A popular WordPress plugin, WP Statistics, was found to have a SQL injection vulnerability, which hackers could exploit to steal databases or gain control of sites remotely. WP Statistics, which provides detailed statistics on a site's users and demographics, is used by over 300,000 WordPress websites.

Hackers were able to access vulnerable sites by creating a subscriber account through the plugin. Since the current code in the plugin did not check for additional privileges, hackers were able to inject malicious code into its attributes. WP Statistics released a patch shortly after the flaw was discovered.

Italy's number one bank discovers data breach

UniCredit SpA announced this month that hackers took biographic and loan data from 400,000 client accounts in “one of the biggest breaches of European banking security this year,” according to Bloomberg. The attacks were said to have occurred towards the end of 2016 and in June and July of this year. The bank continues to monitor the situation and is updating clients over email.

3 million WWE accounts exposed

Names, addresses, and other personal information of 3 million wrestling fans sat on an unprotected Amazon cloud server in plain text, as recently discovered by a security expert. WWE confirmed the breach and has said the databases have been removed. The company is currently working with a cybersecurity firm to find the cause of the leak.
