Posted June 12, 2018
This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.
Information Security Risk
“MyHeritage, an online genealogy platform, announced that more than 90 million of their users had email addresses and hashed passwords compromised, after a researcher discovered a file being hosted on a private server. In addition, based on the wording of the disclosure, the company determined that the compromised data included email addresses and hashed passwords for everyone who signed up for the service from 2003 until October 26, 2017. While the other systems, such as those that manage payments, genealogy, and DNA were not compromised, the company has hired an outside firm to determine the full scope of the breach. It isn’t clear how MyHeritage hashed the user passwords, but the company recommended that everyone change their passwords on the website. They’ve also promised to implement two-factor authentication as soon as possible.”
“Security updates released by Adobe on Thursday for Flash Player patch four vulnerabilities, including a critical flaw that has been exploited in targeted attacks. The vulnerability that has been exploited in the wild is tracked as CVE-2018-5002, and it has been described by Adobe as a stack-based buffer overflow that can be leveraged for arbitrary code execution. The security hole was independently reported to Adobe by researchers. The researchers have yet to share any details, but Adobe did mention that CVE-2018-5002 has been exploited in limited, targeted attacks against Windows users. Hackers deliver the exploit via malicious Office documents that include specially crafted Flash content. The documents are distributed via email. The latest version of Flash Player, 18.104.22.168, also patches a critical type confusion vulnerability that can lead to code execution (CVE-2018-4945), an “important” severity integer overflow that can result in information disclosure (CVE-2018-5000), and an “important” out-of-bounds read issue that can also lead to information disclosure (CVE-2018-5001). espite Adobe’s plans to kill Flash Player by 2020, threat actors apparently still find zero-day vulnerabilities highly useful. This is the second zero-day discovered in 2018. The first was patched in February after North Korean hackers exploited it for several months in attacks aimed at South Korea.”
Legal, Lititgation, and Regulatory Risk
“Australia’s largest bank has agreed to pay an almost $530 million fine to settle a civil lawsuit that revealed numerous breaches of the country’s Anti-Money Laundering and Counter-Terrorism Act. The proposed agreement with the federal government’s financial-intelligence agency, which remains subject to approval by a federal court, includes further admissions by the bank that it contravened the law, including breaches of risk procedures, reporting and monitoring. Australia’s biggest bank by assets and with a market value of almost $92 billion, said it would pay a penalty of 700 million Australian dollars ($529.8 million) plus the regulator’s legal costs of A$2.5 million to resolve the civil suit.”
“A city official said at a public meeting on Wednesday, as she proposed an additional $9.5 million to help pay for recovery costs, that the Atlanta cyber-attack has had a more serious impact on the city’s ability to deliver basic services than previously understood. Atlanta’s administration has disclosed little about the financial impact or scope of the March 22 ransomware hack, but information released at the budget briefings confirms concerns that it may be the worst cyber assault on any US city. Atlanta Information Management head Daphne Rackley said that more than a third of the 424 software programs used by the city have been thrown offline or partially disabled in the incident. Nearly 30 per cent of the affected applications are considered “mission critical,” affecting core city services, including police and courts.”