Security incidents and vulnerabilities of 2019: a review

Posted by deaguero at 2020-04-09

Introduction

In 2019, data breaches, DDoS attacks and security vulnerabilities were frequent:

Large-scale data breaches have become a major problem, making stronger regulation and legislation urgent. Alongside the rapid development of cloud security, and with the growth of Internet bandwidth, the Internet of Things and IPv6, the peak traffic of DDoS attacks keeps rising. And high-risk vulnerabilities, as the most commonly used means of attack, deserve particular attention. This article looks back at some of the major data breaches, DDoS attacks and security vulnerabilities of 2019.

Data breaches

Data management company Rubrik exposes customer data

On January 29, Rubrik, an IT security and cloud data management company, suffered a large-scale data leak. The exposed database was hosted on an Amazon Elasticsearch server and held gigabytes of data. The leaked information included sensitive details such as the customer name, contact information and job information of each enterprise customer. Rubrik did not say whether it would notify its customers or national regulators, but it could face a GDPR-related fine because the breach involved European companies. According to the timestamps, the data dates back to October 2018. After an investigation, Rubrik said the incident was caused by human error.

809 million user records exposed

On February 25, security researchers found a publicly accessible MongoDB database, whose owner is not named here, containing standard information such as names, email addresses, phone numbers and residential addresses. It also included gender, date of birth, personal mortgage amounts, interest rates, Facebook, LinkedIn and Instagram accounts linked to email addresses, and people's credit rating (e.g. average, above average, etc.). Other records in the database appeared to relate to corporate sales practices, including company names, annual revenues, fax numbers, company websites, and industry identifiers such as "SIC" and "NAIC" used to classify companies. The website has taken the content completely offline, and it has not returned since.

Disclosure of 540 million Facebook user records

On April 3, a research team found that two Amazon S3 buckets used by third-party applications were publicly accessible. One belonged to the Mexican media company Cultura Colectiva: the database, named "CC datalake", was 146 GB in size and contained about 540 million user records, including email addresses and login information, even passwords, account names, identification codes, user comments and interactions. The other belonged to the third-party application At the Pool and contained only 22,000 user records. What the Cultura Colectiva and At the Pool databases had in common is that both stored data related to Facebook users, from their interests and relationships to their interactions. Facebook, under heavy external scrutiny, is tightening the user data that third-party programs can access.

Justdial divulges 156 million Indian users' information

On April 17, researchers found an API vulnerability at Justdial, a local search engine company in India, that allowed attackers to log in to the accounts of its 156 million users. The exposed data included Justdial users' names, email addresses, mobile numbers, addresses, gender, dates of birth, photos and occupations. The API flaw had existed since at least 2015, but it is not clear whether anyone abused it to collect personal information about Justdial users. Reportedly, the flaw gave access not only to users' names, telephone numbers, email addresses and other details, but also to their account payment information.

Evite divulges 101 million account records

On May 14, Evite issued a data breach notice saying that its servers had been subject to unauthorized access since February 22 and that information on about 10 million users had been leaked. According to data collected by the Have I Been Pwned website, however, the number is much larger: 101 million users' information was exposed. The data dates back to 2013. The leaked information includes names, telephone numbers, physical addresses, dates of birth, gender, cleartext passwords and email addresses. The original leaked database was sold on Dream Market, but that site has since been shut down by the police, so it is unclear whether the larger database is also being sold.

FAFC divulges 885 million mortgage records

On May 24, according to the New York Times, a flaw on the website of First American Financial Corporation exposed 885 million mortgage-related records spanning 16 years. The records included bank accounts and statements, mortgage and tax records, Social Security numbers, wire transfer receipts, and driver's license images. The company said it was assessing the impact of the incident on customer information security and would not comment until its internal audit was complete. The Securities and Exchange Commission and New York State are currently conducting investigations. The SEC declined to comment on the matter.

Orvibo leaks more than 2 billion user records

On June 16, a research team found an openly accessible database related to Orvibo smart home products. The database contained more than 2 billion logs recording user names, e-mail addresses, passwords and precise location information; the passwords were stored as unsalted MD5 hashes. The volume of data was still growing daily. The database also included family IDs, family names, associated smart device information, scheduled tasks, and so on. Users from Japan, Thailand, the United States, the United Kingdom, Mexico, France, Australia, Brazil and other countries and regions were found among the 2 billion leaked logs.

Capital One divulges 106 million user records

1.2 billion social media records leaked, more than 4 TB of data

Hackers publish 2.21 TB of Cayman bank data

On November 15, hackers stole 2.21 TB of data from the Cayman bank and posted it on the Internet; the theft is attributed to the hacker Phineas Fisher. The data includes detailed financial information on more than 3,800 corporate, trust and personal accounts, covering more than 1,400 customer account locations: 780 in the Isle of Man, 272 in Cyprus, 153 in the UK, 107 in the Cayman Islands, 51 in the British Virgin Islands, 12 in the Seychelles, 11 in the United States, 7 in Belize, 7 in Ireland, and others in jurisdictions involved in offshore banking, including Gibraltar, Jersey, Saint Kitts and Nevis, Barbados, Guernsey, Malta and Mauritius. In response to the serious breach, the Cayman bank issued a public statement confirming the intrusion.

TrueDialog divulges 1 billion records

On November 26, a security research team found an unauthenticated-access issue in an Elasticsearch database of TrueDialog, a US SMS operator, exposing 604 GB of data, including 1 billion highly sensitive records relating to many aspects of TrueDialog's business and potentially enabling phishing attacks. Millions of the account records were stored in plaintext or merely Base64-encoded. According to public information, the company currently works with more than 990 mobile operators, reaching more than 5 billion users.

Elasticsearch server leaks 2.7 billion records

On December 10, researchers found 2.7 billion email addresses, 1 billion email account passwords and nearly 800,000 copies of birth certificates in cloud storage buckets. Most of the email domains belong to Chinese email providers such as Tencent, Sina, Sohu and NetEase; Yahoo, Gmail and some Russian email domains were also affected. The stolen emails and passwords were also linked to a 2017 data breach, when hackers sold them directly on the dark web. The Elasticsearch server belonged to a hosting service in the United States, which took it down on December 9 after Diachenko published a report on the database's storage security. Even so, it had been exposed for at least a week, allowing anyone to access it without a password.

DDoS attacks

NUJP in the Philippines hit by a DDoS attack

University of Albany hit by DDoS attacks

Since February 19, the University of Albany's (UA) systems have been subjected to 17 DDoS attacks, which have affected the availability and functionality of multiple UA IT systems (especially Blackboard). Computers on the UA network are not affected by the DDoS attacks, but students and teachers using their own devices cannot access Blackboard.

Ecuador hit by 40 million cyber attacks

Since the arrest of WikiLeaks founder Julian Assange on April 11, Ecuador has claimed to have suffered 40 million large-scale cyber attacks from many countries, mainly the United States, Brazil, the Netherlands, Germany, Romania, France, Austria, the United Kingdom and Ecuador itself. The most heavily attacked were the Ministry of Foreign Affairs, the central bank, the office of the president, the tax authority, and some ministries and universities. Ecuador stated that the information of these institutions had not been stolen or deleted.

Ubisoft hit by DDoS attack

On June 18, Ubisoft said it had resolved the problems caused by that day's DDoS attacks and that all services had been restored. The flood of traffic had made its web servers unstable and unusable. Although it is not clear who was responsible, Ubisoft was also hit by DDoS attacks last year, and it took the company about 10 hours to recover.

Mirai DDoS attack on a streaming service lasts up to 13 days

Reported on July 26, the attack was launched by a Mirai botnet; Mirai was the first IoT malware, discovered in 2016, and its source code was released in October 2016. Since then there have been many variants, including Echobot, Wicked, Satori, Okiru, Masuta and others. The botnet used 402,000 different IP addresses, most of them apparently located in Brazil. It relied on Internet of Things (IoT) devices with ports 2000 and 7547 open, ports traditionally associated with Mirai-infected devices. To mask the attack, the attackers used a legitimate user agent resembling the one used by the service's own applications.

Wikipedia hit by DDoS attack, recovers within hours

Around 2:00 a.m. on September 8, Wikipedia suffered a malicious network attack that took its sites in many countries offline, mainly affecting users in Europe and the Middle East. The Wikimedia Foundation confirmed the attack and told users its experts were working to restore service. Wikipedia did not attribute the attack to a specific actor, and said it could not be ruled out that this was a demonstration attack testing the firepower of a DDoS-for-hire botnet. According to users in different countries, normal service was largely restored after several hours, but Wikipedia has not officially confirmed that the problem is fully resolved, and the incident appears to be still under investigation.

AWS DNS suffers DDoS attack, disrupted for 15 hours

On October 23, Amazon AWS DNS servers were hit by a DDoS attack, in which the attacker tried to overwhelm the system with junk network traffic so that the service could not be reached. Amazon's DNS system was flooded with packets, and some legitimate domain name requests were dropped by the mitigation put in place to ease the problem. As a result, websites and applications could fail to reach systems hosted on Amazon's back end, such as S3 buckets, leaving users with error messages or blank pages. The DDoS attack lasted 15 hours.

Large-scale DDoS attacks on Internet service providers in South Africa

On November 23, Afrihost and other Internet service providers in South Africa were hit by large-scale DDoS attacks. RSAWEB was the first provider attacked; Cool Ideas was hit on November 23 and said the attack exceeded 300 Gbps. The attack traffic came in via Cogent Communications and Hurricane Electric in London, of which about 40 Gbps was legitimate. On the night of the 23rd, Afrihost, Axxess and WebAfrica were also hit by DDoS attacks, and Afrihost warned customers on Sunday that its network was experiencing intermittent connectivity problems. South African banks have also recently become DDoS targets: on October 23, the online and mobile services of local banks such as Standard Bank were attacked, though most have since returned to normal.

DDoS extortion of financial institutions by attackers posing as Fancy Bear

As of October 24, over the preceding week, cyber criminals posing as the Russian APT group Fancy Bear had been launching large-scale DDoS attacks on international companies in the financial sector and demanding ransom, mainly targeting financial firms in Singapore and South Africa. Three security companies, Link11, Radware and Group-IB, confirmed the attacks.

Massive DDoS attacks in Georgia

On October 28, Georgia suffered the largest cyber attack in its history: more than 15,000 websites were attacked and taken offline, affecting websites of government agencies, banks, courts, local newspapers and television stations. The incident is linked to an intrusion at Pro-Service, a local web hosting provider. The attack occurred in the local morning, and by 8 p.m. staff had restored more than half of the affected sites. The hackers posted photos of the exiled former President Mikheil Saakashvili on the defaced websites along with the message "I will come back!". Local law enforcement agencies are investigating the incident.

Security vulnerabilities

Linux apt Remote Code Execution Vulnerability (CVE-2019-3462)

Windows RDP Remote Code Execution Vulnerability (CVE-2019-0708)

On May 14, Microsoft released the May Windows security update, fixing 79 vulnerabilities. Among them was a remote code execution vulnerability (CVE-2019-0708) in the RDP service. Because the flaw lies in the pre-authentication stage of the RDP protocol, exploitation requires no user interaction. An attacker who successfully exploits it can execute arbitrary code on the target system. The vulnerability affects Windows XP, Windows 2003, Windows 2008, Windows 2008 R2 and Windows 7; users of Windows 8, Windows 10 and later are not affected.

Oracle WebLogic Server Remote Code Execution Vulnerability (CNNVD-201906-596)

On June 17, CNNVD issued a notice about a remote code execution vulnerability in Oracle WebLogic Server (CNNVD-201906-596). An attacker can exploit it by sending crafted data without authentication to execute arbitrary code. The flaw exists because an earlier Oracle vulnerability (CNNVD-201904-961, CVE-2019-2725) was not fully patched: although Oracle released a patch on April 26, the vulnerability could still be exploited through new attack methods. Several versions of Oracle WebLogic Server are affected. Oracle has not yet released a patch for this vulnerability, but the damage can be mitigated with temporary measures.

ProFTPD Remote Code Execution Vulnerability (CVE-2019-12815)

On July 23, ProFTPD released version 1.3.6 to fix a vulnerability that could lead to RCE. The flaw (CVE-2019-12815) lies in ProFTPD's mod_copy module, whose custom SITE CPFR and SITE CPTO commands do not behave as intended. Administrators can mitigate the vulnerability by disabling the mod_copy module. According to Shodan search results, more than 1 million ProFTPD servers have not yet been patched. Germany's CERT-Bund also notified users of the vulnerability.

Multiple Remote Code Execution Vulnerabilities in VxWorks (URGENT/11)

On July 30, VxWorks officially released a security update fixing 11 vulnerabilities in VxWorks, six of which could lead to remote code execution, while the rest could lead to denial of service, information disclosure or logic flaws. VxWorks is one of the most widely used real-time operating systems (RTOS) in embedded devices, deployed in aerospace, defense, industry, medicine, automotive and other fields; at least 2 billion devices worldwide run VxWorks. The URGENT/11 vulnerabilities affect all VxWorks versions from 6.5 onward, meaning every VxWorks release of the past 13 years is vulnerable. An attacker can exploit them remotely without user interaction or authentication and ultimately take full control of the affected devices.

IE Browser Remote Code Execution Vulnerability (CVE-2019-1367)

On September 23, Microsoft released a security update to fix a remote code execution vulnerability (CVE-2019-1367) in Internet Explorer. The flaw lies in the way the IE scripting engine handles objects in memory; it corrupts memory in a way that lets an attacker execute arbitrary code in the context of the current user. An attacker who successfully exploits it gains the same privileges as the current user; if the current user is logged in with administrative privileges, the attacker can take control of the affected system and then install programs; view, change or delete data; or create new accounts with full user rights. According to foreign media reports, the vulnerability has been exploited in the wild, but Microsoft did not release further details about the attacks.

PHP Remote Code Execution Vulnerability (CVE-2019-11043)

On September 26, PHP officially issued a vulnerability notice stating that servers running Nginx with PHP-FPM contain, in some configurations, a remote code execution vulnerability (CVE-2019-11043); the setup is widely used and the flaw is dangerous. A PoC for the vulnerability was released on October 22. The affected PHP versions include 7.0, 7.1, 7.2, 7.3 and 5.6. PHP released a fix on October 12.

Windows UAC Privilege Escalation Vulnerability (CVE-2019-1388)

On November 12, researchers disclosed details of a privilege escalation vulnerability in Windows originating in the User Account Control (UAC) feature. By interacting with the UAC user interface, an unprivileged attacker can launch a highly privileged web browser on the normal desktop and then install malicious code or carry out other malicious activity. Researchers say the attacker must first have a low-privileged user account on the target system and access to the interactive desktop. The vulnerability (CVE-2019-1388) has a CVSS score of 7.8, and Microsoft has released a patch for it.

VMware OpenSLP Remote Code Execution Vulnerability (CVE-2019-5544)

On December 6, VMware released a security advisory fixing an OpenSLP remote code execution vulnerability (CVE-2019-5544). VMware rated it a critical remote vulnerability with a CVSS score of 9.8. VMware has released a security patch and advises users to upgrade as soon as possible. The vulnerability is a heap overwrite in the OpenSLP used in ESXi and Horizon DaaS appliances. By exploiting it, an attacker can break out of the virtual machine's permission isolation and obtain system privileges on the host, compromising the confidentiality, integrity and availability of user data; in other words, an attacker can process user information arbitrarily without authorization. Such a vulnerability allows arbitrary code execution on other virtual machines and on the host, and could be used to spread network worms.

Win32k Privilege Escalation Vulnerability (CVE-2019-1458)

On December 10, Microsoft released two advisories and updates for 36 CVE vulnerabilities: 7 rated critical, 27 important, 1 moderate and 1 low. The CVE-2019-1458 vulnerability has been exploited in the wild: in recent attacks, Kaspersky detected that Operation WizardOpium used the Windows vulnerability (CVE-2019-1458) together with a Google Chrome vulnerability (CVE-2019-13720) to download and install malware on Windows computers visiting a Korean news portal. Microsoft has released a patch and advises users to update to the latest version to reduce the risk of attack.