
Security News: WannaCry Surfaces in Taiwan, as Reddit Breach Puts 2FA in the Spotlight

WannaCry rears its ugly head again. Reddit gets hacked, despite using two-factor authentication. A cryptojacking campaign targets carrier-grade routers. Here are some recent security industry news items that caught our attention.

WannaCry hits Taiwan Semi

The notorious WannaCry ransomware re-appeared recently, when Taiwan Semiconductor Manufacturing, a chip supplier to Apple and other smartphone makers, suffered an infection that dented its operations.

Specifically, the ransomware disrupted chip production to a point that will delay shipments and cut revenue in the third quarter, although no confidential data was compromised, the company said.

According to Sophos’ Naked Security blog, the chip maker, which is Taiwan’s largest company, blamed the incident on a careless supplier that installed software infected with a WannaCry variant on its network. “When the virus hit, it spread quickly, affecting production at semiconductor plants in Tainan, Hsinchu and Taichung,” Naked Security’s Lisa Vaas wrote.

Of course, WannaCry can be avoided altogether by patching vulnerable systems, as Ben Lovejoy reminds us in 9to5Mac.

That’s the major lesson from last year’s WannaCry global rampage, which infected 300,000-plus systems, disrupting critical operations globally. Long before WannaCry erupted in May of last year, organizations should have patched the vulnerability that the ransomware exploited. Now they’ve had more than a year to fix it.

As a reminder, Qualys has a full set of QIDs and capabilities for dealing with WannaCry. Learn more about how we can help:

How to Rapidly Identify Assets at Risk to WannaCry Ransomware and ETERNALBLUE Exploit

Qualys response for Global Ransomware Attack (WannaCry)

Detect MS17-010 with Qualys Vulnerability Management

Report on MS17-010 with Qualys Vulnerability Management

Another major organization that fell victim to ransomware recently was the PGA of America, which found itself scrambling to deal with the attack while getting ready to host major golf tournaments in the coming weeks.

More information about the TSMC infection:

Top iPhone Supplier Battles WannaCry Infection

iPhone Chipmaker Races to Recover After Crippling Computer Virus

TSMC says variant of WannaCry virus brought down its plants

TSMC Blames WannaCry for Manufacturing Disruption

2FA a factor in Reddit hack

An alarming hack of Reddit, the uber-popular news aggregator and discussion forum, has put the spotlight on a type of two-factor authentication (2FA).

Hackers accessed confidential information after breaking into several Reddit employee accounts that were protected by SMS-based authentication. This means that after employees logged into their work accounts, they had to enter a numeric code that Reddit texted to their phones.

Well, hackers were able to not only snatch the employee passwords, but also intercept that code. “SMS-based 2FA has been frowned upon in recent years, as attacks have become more common,” wrote independent security analyst Graham Cluley.

While other 2FA methods have proven more secure, people should still use the SMS method if it’s the only one available, because it’s better than using only a password, according to Cluley.

During the June breach, hackers accessed Reddit databases, logs, usernames and their related email addresses, encrypted passwords, source code, and employee files.

The company is also catching flak from a number of security and privacy experts who say it hasn’t done enough to notify and assist potentially affected members, especially those whose anonymity might have been compromised.

More information:

Reddit Got Hacked Thanks To A Woefully Insecure Two-factor Setup

Reddit’s serious “security incident” – what you need to know

Reddit Breach Stems from SMS Two-Factor Authentication Breakdown

Reddit discloses hack, says SMS intercept allowed attackers to skirt 2FA protections

MikroTik routers compromised for cryptomining

Yet another reminder to patch critical vulnerabilities in a timely fashion: A large-scale cryptojacking campaign exploited a known vulnerability in MikroTik routers, potentially compromising hundreds of thousands of the networking devices. MikroTik had issued a patch for the bug back in April.

The exploit targets the routers’ Winbox utility and lets the attacker read files from the device, explained Trustwave security researcher Simon Kenin. “The bottom line is that using this exploit you can get unauthenticated remote admin access to any vulnerable MikroTik router,” he wrote.

The attacker then used compromised devices to inject the CoinHive cryptominer script into every web page users visited. Large ISPs and enterprises use hundreds of thousands of these routers globally, according to Kenin.
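The injection described above leaves a recognizable trace in the HTML that reaches the browser. The following detector is an added example, not code from the original post or from Qualys’ CoinBlocker extension: it scans constructed sample page bodies for a CoinHive script include or miner instantiation, which is the kind of signal a defender can check for in proxy logs or page captures. The indicator patterns and sample pages are assumptions made for illustration.

```python
import re

# Constructed sample page bodies (not real captures): one page carrying an
# injected CoinHive loader, one clean page.
SAMPLE_PAGES = {
    "clean.html": "<html><head><title>Home</title></head><body><p>Welcome</p></body></html>",
    "injected.html": (
        "<html><head><title>Home</title>"
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER');"
        "miner.start();</script></head><body><p>Welcome</p></body></html>"
    ),
}

# Indicators for the CoinHive script family mentioned in the post; the exact
# patterns are assumptions for this example, not an official signature set.
MINER_PATTERNS = [
    # a <script> tag whose src points at the CoinHive library
    re.compile(r'<script[^>]+src=["\'][^"\']*coinhive\.(?:com|min\.js)', re.I),
    # inline instantiation of the miner object
    re.compile(r'\bCoinHive\.(?:Anonymous|User)\s*\(', re.I),
]


def find_miner_indicators(html: str) -> list:
    """Return the indicator snippets matched in one HTML body (empty if clean)."""
    hits = []
    for pattern in MINER_PATTERNS:
        for match in pattern.finditer(html):
            hits.append(match.group(0))
    return hits


def scan_pages(pages: dict) -> dict:
    """Map each page name to its list of indicators; an empty list means clean."""
    return {name: find_miner_indicators(body) for name, body in pages.items()}


if __name__ == "__main__":
    for name, hits in scan_pages(SAMPLE_PAGES).items():
        status = "MINER" if hits else "clean"
        print(f"{name}: {status} {hits}")
```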

“The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices,” Kenin wrote.

As we’ve reported before, cryptomining has become all the rage among hackers, who are aggressively breaching networks and infecting devices — PCs, IoT systems, smartphones, servers — to steal computing power for mining virtual currencies. Between September and January, the number of websites hosting cryptomining scripts — knowingly or not — spiked 725%, Cyren Security Lab said recently.

Meanwhile, over on Twitter, researchers from Duo Security recently discovered thousands of bots spreading cryptocurrency spam.

Recognizing how critical this problem has become, Qualys’ Malware Research Labs recently released Qualys BrowserCheck CoinBlocker, a Chrome extension to detect and block browser-based cryptocurrency mining.

More information:

Routers turned into zombie cryptojackers – is yours one of them?

Huge Cryptomining Attack on ISP-Grade Routers Spreads Globally

Staying Safe in the Era of Browser-based Cryptocurrency Mining

Qualys BrowserCheck CoinBlocker Protects Users From Active Cryptojacking Campaigns

Comcast hardens website after warning

Comcast fixed two website flaws that could expose customers’ personal data, specifically parts of their home address and of their social security numbers.

The flaws, discovered by security researcher Ryan Stevenson, affected the Xfinity customer portal and a signup page for authorized dealers. After being notified, Comcast fixed the issues and said it has yet to find evidence that any data was improperly accessed.

A detailed description on Buzzfeed indicates the issues involved weak website configurations and account verification processes that could be exploited by knowledgeable data thieves.

“An attacker having partial address information and combining it with partial Social Security numbers information is a recipe for disaster,” Jessy Irwin, head of security at Tendermint, told Buzzfeed. “We really need to move away from using those kinds of information.”

More information:

Comcast Xfinity web flaws exposed customer data

Flaw exposed Comcast Xfinity customers’ partial home addresses and SSNs

Black Hat / DefCon research findings

With Black Hat and DefCon happening last week, here’s a quick roundup of security alerts issued at the events:
