Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

The beginning of the end for .io websites

21 October 2024
BREACHAWARE HQ

A total of 15 breaches were found and analysed resulting in 25,581,512 leaked accounts containing a total of 22 different data types. The breaches found publicly and freely available included TEG, OpenSea, Stealer log 0489, Maksavit and SPIM. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

Not many people have noticed that the British government is in the process of handing over the Chagos Islands, a group of seven atolls comprising more than 60 islands located about 500 kilometres south of the Maldives archipelago. While this might not sound like a big deal (it’s just a tiny island in the Indian Ocean), it has wider implications. Once the transfer is finalised, the British Indian Ocean Territory will cease to exist. So, what happens to one of the most popular top-level domains (TLDs) used by tech companies worldwide, .io? The long and short of it is that, once the international standard for country codes is updated, the Internet Assigned Numbers Authority (IANA), which manages TLDs, will no longer allow new registrations for .io domains. This could signal the beginning of the end for .io websites.

Meanwhile, the world seems to be becoming more dystopian by the day. Two Harvard students have developed an app called I SPY, designed for Meta’s new Ray-Ban smart glasses. The app uses public databases, Facebook, Instagram, and a large language model (LLM) to search for a person’s details based on their face. Point the glasses at a stranger, and the app pulls information about them from these sources, eroding what little privacy we thought we had left. What happens when this app becomes widely available? And worse, what if it makes a mistake?

In the UK, Facewatch, a facial recognition software, is being deployed in major high street stores to combat a rise in shoplifting. However, the software has an accuracy rate of just 73%. Big Brother Watch, a UK civil liberties group dedicated to reducing government surveillance, has raised concerns. They’ve published stories from individuals who were wrongly identified and banned from shops as a result of the software. The same concerns apply to I SPY. What if it misidentifies someone, and you think you're dealing with an entirely different person? As we increasingly rely on centralised databases, what happens when they get compromised by a government agency that can alter identities at will? Perhaps avoiding social media, living off the grid, and only going out with a Faraday bag on your head will turn out to have been wise all along.

In other news, a large mailing list from a popular NFT and crypto company has surfaced after a data breach earlier this summer. The compromised data is now circulating on dubious platforms, available for free. This information is gold for crypto scammers and phishing attacks—after all, if you’re on that mailing list, there’s a good chance you own cryptocurrency.

VULNERABILITY CHAT

This week, Cyble sensors detected an alarming 411,000 attacks on a single vulnerability, highlighting the dramatic increase in its exploitation. The vulnerability, which is now four years old, resides in the Treck TCP/IP stack, initially developed as an IPv6 implementation for embedded devices with limited space. This means the flaw could potentially be present in a wide range of systems, including medical, industrial, and critical infrastructure devices that support IPv6, along with some consumer devices.

Bitdefender Total Security has been found vulnerable to Man-in-the-Middle (MITM) attacks due to improper certificate validation in its HTTPS scanning feature. According to Sophos, one such attack led to the deployment of Fog ransomware, while another attempted to install Akira ransomware. Indicators of compromise in all four observed cases align with previous attacks involving these ransomware strains.

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that ransomware groups are exploiting a vulnerability found last month in Veeam products. CISA had introduced the “Known To Be Used in Ransomware Campaigns” tab in the Known Exploited Vulnerabilities (KEV) Catalog nearly a year ago, though it has only used this designation sparingly.

Microsoft Threat Intelligence has uncovered a macOS vulnerability dubbed "HM Surf" that could allow attackers to bypass the operating system's Transparency, Consent, and Control (TCC) technology. The vulnerability involves removing TCC protection for the Safari browser directory and modifying its configuration file, granting unauthorised access to user data such as browsing history, camera, microphone, and location information—all without user consent.

Meanwhile, unknown threat actors have been spotted attempting to exploit a now-patched vulnerability in the open-source Roundcube webmail software. According to Positive Technologies, the attack uses a stored cross-site scripting (XSS) flaw via SVG animate attributes to execute arbitrary JavaScript in the victim’s web browser. The attack is part of a phishing campaign aimed at stealing user credentials.
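The Roundcube item above turns on SVG animation elements rewriting an attribute at render time, which a sanitiser that only inspects static attributes can miss. The following added example (not code from the newsletter, Roundcube or Positive Technologies) is a defender-side audit of HTML e-mail bodies that flags animation elements retargeting `href` and any attribute value carrying a `javascript:` scheme; the sample messages are constructed.

```python
"""Audit HTML e-mail markup for SVG animation elements that retarget href.

Added example, not from the original article. SVG <animate>/<set> elements
may rewrite another attribute (via attributeName) while the document is
rendered, so a filter that only checks static href values is insufficient.
"""
from html.parser import HTMLParser

ANIMATION_TAGS = {"animate", "set", "animatemotion", "animatetransform"}
TARGET_ATTRS = {"href", "xlink:href"}
SCRIPT_SCHEME = "javascript:"


class SvgAnimateAuditor(HTMLParser):
    """Collects findings; html.parser lowercases tag and attribute names."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ANIMATION_TAGS:
            target = attrs.get("attributename", "").lower()
            if target in TARGET_ATTRS:
                self.findings.append(f"<{tag}> retargets {target}")
        # A script scheme is suspicious wherever it appears: in a static
        # href or in the animated values/to/from of an animation element.
        for name, value in attrs.items():
            if SCRIPT_SCHEME in "".join(value.split()).lower():
                self.findings.append(f"<{tag} {name}> carries {SCRIPT_SCHEME}")


def audit_html(markup: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    parser = SvgAnimateAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed samples: a harmless animated icon and a message whose animation
# retargets href to a script URL (benign void(0) stands in for a payload).
BENIGN_SAMPLE = ('<p>Hi</p><svg width="10" height="10"><circle r="4">'
                 '<animate attributeName="r" values="4;6;4" dur="2s"/></circle></svg>')
SUSPICIOUS_SAMPLE = ('<svg><a href="#"><text x="0" y="10">Invoice</text>'
                     '<animate attributeName="href" values="javascript:void(0)"/></a></svg>')

if __name__ == "__main__":
    print("benign:", audit_html(BENIGN_SAMPLE))
    print("suspicious:", audit_html(SUSPICIOUS_SAMPLE))
```

In a mail pipeline this check would sit alongside, not instead of, a proper allow-list sanitiser; its value is catching the animated case that static attribute checks overlook.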

A sophisticated cyberattack, suspected to be backed by a nation-state, has exploited critical vulnerabilities in Ivanti's Cloud Service Appliance (CSA), enabling unauthorised access to sensitive systems. Lastly, CISA has issued a warning about a critical vulnerability in SolarWinds Web Help Desk (WHD) software that is actively being exploited by malicious actors.

Four Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog last week, including one in Mozilla Firefox. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 773 vulnerabilities last week, bringing the 2024 total to 31,025. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

After X (formerly Twitter) announced a controversial change to its privacy policy, many users are migrating to Bluesky. Previously, blocking someone on X meant they were entirely blocked from seeing your posts. However, with the new policy, blocked users can no longer interact directly with you but can still view, screenshot, and repost your content. Shortly after the policy change, the official Bluesky account reported that 500,000 new users had signed up in the past 24 hours. A similar surge of 2,000,000 new signups occurred last month when the Brazilian government banned X due to political issues, and when X announced that certain features would be moved behind a paywall.

Meanwhile, OpenAI CEO Sam Altman’s controversial crypto project Worldcoin has announced a major rebrand, now simply known as “World.” The rebrand reflects a shift in focus as the project continues its mission to scan every human’s iris, signalling a possible move away from its strong crypto association in an effort to broaden its appeal and market its broader vision.

A recent study has raised concerns about genetic databases, which are increasingly popular among researchers but could be exploited to reveal the identities of participants or link private health information to their public genetic profiles. The findings highlight the challenge of balancing research benefits with donor privacy. “Our genomes are highly identifying. They reveal a lot about us—our traits, our disease predispositions,” says study co-author Gamze Gürsoy, a bioinformatics researcher at Columbia University. “If your credit card number gets leaked, you can change it, but you can't change your genome.”

The Secretariat of the Committee of Convention 108 participated in the G7 Privacy Roundtable in Rome, Italy, delivering a presentation titled ‘Privacy in the Age of Data’. The event, organised by the Italian Data Protection Authority, brought together privacy and data protection regulators from the Group of Seven, the European Data Protection Board (EDPB), and the European Data Protection Supervisor (EDPS). Key topics discussed included Data Free Flow with Trust (DFFT), emerging technologies, enforcement cooperation, and artificial intelligence.


DATA CATEGORIES DISCOVERED

Contact Data, Technical Data, Socio-Demographic Data, Financial Data, Transactional Data, Usage Data, Documentary Data, Locational Data.
