Top 15 Hacker News In February 2019

1. New Attacks Against 4G, 5G Mobile Networks Re-Enable IMSI Catchers

At NDSS Symposium 2019, a group of university researchers revealed newly discovered cellular network vulnerabilities that impact both 4G and 5G LTE protocols.

According to a paper published by the researchers, “Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information,” the new attacks could allow remote attackers to bypass security protections implemented in 4G and 5G, re-enabling IMSI catching devices like “Stingrays” to intercept users’ phone calls and track their location.

2. Hackers’ Favorite CoinHive Cryptocurrency Mining Service Shutting Down

Coinhive, a notorious in-browser cryptocurrency mining service popular among cybercriminals, has announced that it will discontinue its services on March 8, 2019.

For a brief recap: In recent years, cybercriminals leveraged every possible web vulnerability [in Drupal, WordPress, and others] to hack thousands of websites and wireless routers, and then modified them to secretly inject Coinhive’s JavaScript-based Monero (XMR) cryptocurrency mining script into web pages to financially benefit themselves.

Millions of online users who visited those hacked websites immediately had their computers’ processing power hijacked, also known as cryptojacking, to mine cryptocurrency without users’ knowledge, potentially generating profits for cybercriminals in the background.

A few months after that, Apple also banned all cryptocurrency mining apps from its official app store.

3. Critical Flaw Uncovered In WordPress That Remained Unpatched for 6 Years

Exclusive — If you have not updated your website to the latest WordPress version 5.0.3, it’s a brilliant idea to upgrade the content management software of your site now. By now, I mean immediately.

Cybersecurity researchers shared their latest research revealing the existence of a critical remote code execution vulnerability that affects all previous versions of WordPress content management software released in the past 6 years.

The remote code execution attack, discovered and reported to the WordPress security team late last year, can be exploited by a low privileged attacker with at least an “author” account using a combination of two separate vulnerabilities—Path Traversal and Local File Inclusion—that reside in the WordPress core.

4. Latest WinRAR Flaw Being Exploited in the Wild to Hack Windows Computers

It’s not just the critical Drupal vulnerability that is being exploited in the wild by cybercriminals to attack vulnerable websites that have not yet applied the patches already made available by its developers; hackers are also exploiting a critical WinRAR vulnerability that was also revealed last week.

They reported on a 19-year-old remote code execution vulnerability disclosed by Check Point in the UNACEV2.dll library of WinRAR that could allow a maliciously crafted ACE archive file to execute arbitrary code on a targeted system.

WinRAR is a popular Windows file compression application with 500 million users worldwide, but a critical “Absolute Path Traversal” bug (CVE-2018-20250) in its old third-party library, called UNACEV2.DLL, could allow attackers to extract a compressed executable file from the ACE archive to one of the Windows Startup folders, where the file would automatically run on the next reboot.

5. Hackers Actively Exploiting Latest Drupal RCE Flaw Published Last Week

Cybercriminals have actively started exploiting an already patched security vulnerability in the wild to install cryptocurrency miners on Drupal websites that have not yet applied the patches and are still vulnerable.

Developers of the popular open-source content management system Drupal patched a critical remote code execution (RCE) vulnerability (CVE-2019-6340) in Drupal Core that could allow attackers to hack affected websites.

Although no technical details of the security vulnerability were released, proof-of-concept (PoC) exploit code for the vulnerability was made publicly available on the Internet just days after the Drupal security team rolled out the patched version of its software.

6. Almost Half A Million Delhi Citizens’ Personal Data Exposed Online

Exclusive — A security researcher has identified an unsecured server that was leaking detailed personal information of nearly half a million Indian citizens… thanks to another MongoDB database instance that the company left unprotected on the Internet, accessible to anyone without a password.

In a shared report, Bob Diachenko disclosed that two days ago he found a 4.1 GB-sized highly sensitive database online, named “GNCTD,” containing information collected on 458,388 individuals located in Delhi, including their Aadhaar numbers and voter ID numbers.

Though it’s not clear if the exposed database is linked to the Government of National Capital Territory of Delhi (GNCTD), Diachenko found that the database contains references and email addresses with “transerve.com” domain for users registered with “senior supervisor,” and “super admin” designations.

7. Critical WinRAR Flaw Affects All Versions Released In Last 19 Years

Beware Windows users… a new dangerous remote code execution vulnerability has been discovered in the WinRAR software, affecting hundreds of millions of users worldwide.

Cybersecurity researchers at Check Point have disclosed technical details of a critical vulnerability in WinRAR—a popular Windows file compression application with 500 million users worldwide—that affects all versions of the software released in the last 19 years.

The flaw resides in the way an old third-party library, called UNACEV2.DLL, used by the software handles the extraction of files compressed in the ACE data compression archive file format.

8. LPG Gas Company Leaked Details, Aadhaar Numbers of 6.7 Million Indian Customers

Why would someone bother to hack a so-called “ultra-secure encrypted database that is being protected behind 13 feet high and 5 feet thick walls,” when one can simply fetch a copy of the same data from other sources?

French security researcher Baptiste Robert, who goes by the pseudonym “Elliot Alderson” on Twitter, with the help of an Indian researcher, who wants to remain anonymous, discovered that the official website of popular state-owned LPG gas company Indane is leaking personal details of its millions of customers, including their Aadhaar numbers.

This is not the first time an unprotected third-party database has leaked the Aadhaar details of Indian citizens. Aadhaar is a unique number assigned to each citizen as part of India’s biometric identity programme maintained by the government’s Unique Identification Authority of India (UIDAI).

9. Hacker Breaches Dozens of Sites, Puts 127 Million New Records Up for Sale

A hacker who was selling details of nearly 620 million online accounts stolen from 16 popular websites has now put up a second batch of 127 million records originating from 8 other sites for sale on the dark web.

The Hacker News received an email from a Pakistani hacker who claims to have hacked dozens of popular websites (listed below) and to be selling their stolen databases online.

During an interview, the hacker also claimed that many targeted companies probably have no idea that they have been compromised and that their customers’ data have already been sold to multiple cybercriminal groups and individuals.

10. Android Phones Can Get Hacked Just by Looking at a PNG Image

Beware! You have to be more cautious while opening an image file on your smartphone—downloaded from anywhere on the Internet or received through messaging or email apps.

Yes, just viewing an innocuous-looking image could hack your Android smartphone—thanks to three newly-discovered critical vulnerabilities that affect millions of devices running recent versions of Google’s mobile operating system, ranging from Android 7.0 Nougat to its current Android 9.0 Pie.

The vulnerabilities, identified as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, have been patched in Android Open Source Project (AOSP) by Google as part of its February Android Security Updates.

However, since not every handset manufacturer rolls out security patches every month, it’s difficult to determine if your Android device will get these security patches anytime soon.

Although Google engineers have not yet revealed any technical details explaining the vulnerabilities, the updates mention fixing “heap buffer overflow flaw,” “errors in SkPngCodec,” and bugs in some components that render PNG images.

11. Xiaomi Electric Scooters Vulnerable to Life-Threatening Remote Hacks

Smart devices definitely make our lives easier, faster, and more efficient, but unfortunately, an insecure smart device can also ruin your day, or sometimes could even turn into the worst nightmare of your life.

If you are an electric scooter rider, you should be concerned about yourself.

In a shared report, researchers from mobile security firm Zimperium said they have discovered an easy-to-execute but serious vulnerability in the M365 Folding Electric Scooter by Xiaomi that could potentially put riders’ lives at risk.

12. First Hacker Convicted of ‘SIM Swapping’ Attack Gets 10 Years in Prison

A 20-year-old college student who stole cryptocurrency worth more than $5 million by hijacking victims’ phone numbers has pleaded guilty and accepted a sentence of 10 years in prison.

Ortiz was arrested last year on charges of siphoning millions of dollars in cryptocurrency from around 40 victims using a method commonly known as “SIM swapping,” which typically involves fraudulently porting the same number to a new SIM card belonging to the attacker.

In SIM swapping, attackers social engineer a victim’s mobile phone provider by making a phony call posing as their target and claiming that their SIM card has been lost and that they would like to request a SIM swap.

The attackers attempt to convince the target’s telecommunications company that they are the actual owner of the phone number they want to swap by providing required personal information on the target, like their SSNs and addresses, eventually tricking the telecom into porting the target’s phone number over to a SIM card belonging to the attackers.

13. Airbus Suffers Data Breach, Some Employees’ Data Exposed

European airplane maker Airbus admitted yesterday a data breach of its “Commercial Aircraft business” information systems that allowed intruders to gain access to some of its employees’ personal information.

Though the company did not elaborate on the nature of the hack, it claimed that the security breach did not affect its commercial operations. So, there’s no impact on aircraft production.

Airbus confirmed that the attackers gained unauthorized access to some data earlier this month, which the plane manufacturer claimed was “mostly professional contact and IT identification details of some Airbus employees in Europe.”

“Investigations are ongoing to understand if any specific data was targeted; however we do know some personal data was accessed,” Airbus said in its press release published on Wednesday.

14. New Unpatched macOS Flaw Lets Apps Spy On Your Safari Browsing History

A new security vulnerability has been discovered in the latest version of Apple’s macOS Mojave that could allow a malicious application to access data stored in restricted folders which are otherwise not accessible to every app.

Discovered by application developer Jeff Johnson on February 8, the vulnerability is unpatched at the time of writing and impacts all versions of macOS Mojave, including the macOS Mojave 10.14.3 Supplemental Update released on February 7.

Certain folders in macOS Mojave have restricted access that is forbidden by default, like ~/Library/Safari, which can be accessed by only a few applications, such as Finder.

15. Microsoft Patch Tuesday — February 2019 Update Fixes 77 Flaws

Microsoft has issued its second Patch Tuesday for this year to address a total of 77 CVE-listed security vulnerabilities in its Windows operating systems and other products, 20 of which are rated critical, 54 important and 3 moderate in severity.

The February security update addresses flaws in Adobe Flash Player, Internet Explorer, Edge, Windows, MS Office, and Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Visual Studio, Azure IoT SDK, Dynamics, Team Foundation Server, and Visual Studio Code.

Four of the security vulnerabilities patched by the tech giant this month have been reported as being publicly known at the time of release, and one is being actively exploited in the wild.

Source: The Hacker News
