Silensec Newsletter

CoinHive Cryptocurrency mining service will shut down on March 8, 2019

CoinHive Cryptocurrency mining service will shut down on March 8, 2019

The popular in-browser cryptocurrency mining service Coinhive has announced that it will shut down on March 8, 2019.

This has made headlines across the years because it was used by crooks to abuse computational resources of the victims that were visiting compromised websites hosting the Coinhive script.

It was initially launched as a legitimate service for site administrators to generate revenue from the traffic visiting their websites, when unaware, users visit compromised websites, the script starts using their computers' processing power to mine cryptocurrency

Read more...

Facebook apps secretly sending sensitive data back to the mothership

Facebook apps secretly sending sensitive data back to the mothership

A trio of privacy earthquakes shook Facebooklandia on recently: 11 3rd-party apps seem to be sharing consumer sensitive data with Facebook, New York’s governor called on two state agencies to investigate this “secret” sharing of health and financial data.

60 pages of un-redacted legal documents from a lawsuit between Facebook and app developer Six4Three were anonymously posted on GitHub.

Read more...

Cisco addresses flaws in HyperFlex and Prime Infrastructure

Cisco addresses flaws in HyperFlex and Prime Infrastructure

Cisco released security patches that address more than a dozen issues in its products, including high severity vulnerabilities affecting HyperFlex, Prime Infrastructure, and Prime Collaboration Assurance. Security updates fix two High risk security flaws in HyperFlex software.

The first one is a command injection vulnerability (CVE-2018-15380) in the cluster service manager of the application caused by insufficient input validation, it could be exploited by an attacker to run commands as the root user.

Read more...

Researcher earns $10,000 for another XSS flaw in Yahoo mail

Researcher earns $10,000 for another XSS flaw in Yahoo mail

A researcher says he has discovered yet another critical cross-site scripting XSS vulnerability in Yahoo Mail. The recently patched flaw could have been exploited to steal the targeted user’s emails and attach malicious code to their outgoing messages.

A malicious actor could have exploited the security hole to silently forward the victim’s emails to an external website, change the compromised Yahoo account’s settings, and create an email virus that would attach itself to the signature of all outgoing emails.

The bug existed due to failure to properly filter potentially malicious code in HTML emails.

Read more...

Cyber Attack on Malta's Bank of Valletta

Cyber Attack on Malta's Bank of Valletta

The Bank of Valletta, in which the government is the largest shareholder, shut down its systems, closing branches and ATMs, and suspending mobile and Internet banking and internal email. Its website also went offline.

Customer accounts were "in no way impacted or compromised" and normal services would resume as soon as possible, the bank said. Hackers attempted to transfer funds to banks in the Czech Republic, Hong Kong, Britain, and the US, Muscat told parliament.

Read more...

127 million user records from 8 companies put up for sale on the dark web

127 million user records from 8 companies put up for sale on the dark web

An online cybercriminal recently sold 620M user records stolen from 16 companies and has put up a second batch of hacked data totalling 127M, originating from eight companies. The data is currently being sold on Dream Market, a dark web marketplace where crooks sell an assortment of illegal products, such as user data, drugs, weapons, malware, and others.

Read more...