Infosec in brief Hogwarts doesn’t teach an incantation that could have saved Harry Potter publisher Scholastic from feeling the power of an online magician who made off with millions of customer records – except perhaps the wizardry of multifactor authentication.
Scholastic, publisher of the US editions of the Harry Potter series and The Hunger Games, along with other children’s book series like The Magic School Bus and Goosebumps, was added to the Have I Been Pwned database last week after it emerged that a self-described “furry” hacker – not associated with the other furry hackers, they claim – had breached an employee portal and exfiltrated about eight million items of data.
The Daily Dot, which spoke to the hacker who identified themselves by the handle “Parasocial,” said they gained access to the employee portal after stealing login credentials from a Scholastic employee whose system was infected with malware.
The data Parasocial stole, which was reviewed by the Daily Dot, contained 4,247,768 unique email addresses and a mix of names, phone numbers and home addresses for US-based customers. More than one million of the compromised records belonged to educational contacts (i.e., teachers and administrators), while the rest reportedly belonged to parents. The Daily Dot reported that parents are prompted to enter the names of their children when they register with the publisher.
Luckily for those whose data was Accio’ed out of the Scholastic database, Parasocial isn’t a Death Eater: They reportedly have no plans to make the data public, claiming to have breached the database out of boredom.
“This is a lesson to be learned the hard way. Don’t let your customers take the hit for your security failures, use MFA,” the hacker said.
Scholastic hasn’t publicly acknowledged the breach.
“Immediately upon learning of this claim, our internal security teams began an investigation with leading third-party cybersecurity experts to identify any potential unauthorized access to Scholastic systems,” a company spokesperson said. “At this time, our investigation is ongoing.”
Critical vulnerabilities of the week: Patch those industrial switches
A trio of security vulnerabilities in Planet Technology’s WGS-804HPT industrial Ethernet switches, disclosed last week by IoT infosec outfit Claroty, should have anyone operating one of the devices headed for the patch download page.
Two of the vulnerabilities (CVE-2024-52320 and CVE-2024-48871) have been tagged with a CVSS score of 9.8 and can be chained to gain remote code execution powers on affected devices.
The other critical flaw we spotted last week (other than those noted in our Patch Tuesday coverage) was CVE-2023-48365, rated CVSS 9.9, which affects Qlik Sense Enterprise for Windows prior to August 2023 Patch 2 and allows RCE. Unpatched systems are being actively exploited.
Android app secrets easy to steal, say researchers
Android apps are surprisingly bad at keeping secrets, a quartet of researchers from Canada and Hong Kong determined in a recently-published paper.
According to their work, which examined 23,041 Android apps available on Google Play and looked for 575 secrets – like API and encryption keys or tokens – 4,020 of them contained at least one exploitable secret. It wasn’t hard to nab the data, either.
“We devised a text mining strategy using regular expressions and demonstrated that numerous app secrets can be easily stolen, even from … highly popular Android apps,” the team wrote.
Twenty-five encryption keys, for example, were found embedded in apps in plain text, and 24 app-private back-end service credentials were also detected. As the apps surveyed were popular ones with large user bases, the team believes this presents a problem for the Android app ecosystem.
“Even developers of well-maintained apps can neglect the importance of protecting app secrets,” the group said. “This highlights the need to raise awareness of the issue among all Android developers.”
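The text-mining approach the researchers describe is, at its core, regular expressions run over the strings shipped inside an APK. The following is an added example (written for this brief, not code from the paper or from any app it studied) showing how a developer can apply the same idea to their own build artifacts before release: well-known provider key formats are matched by prefix, and anything assigned to a secret-looking name is flagged when it is long and high-entropy enough to be a real credential rather than a placeholder. The file contents and every key value below are constructed and fake.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample of text extracted from a decompiled app. These are
# hypothetical file contents with made-up values, not real credentials.
SAMPLE_FILES = {
    "res/values/strings.xml": """
<resources>
    <string name="app_name">DemoReader</string>
    <string name="maps_key">AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE01234</string>
    <string name="support_email">help@example.invalid</string>
</resources>
""",
    "assets/config.properties": """
# constructed config; values are fake
aws_access_key_id=AKIAEXAMPLEEXAMPLE12
backend_token=x7Kq9pLm2vRs4tWz8yBn
api_key=${API_KEY}
debug_password=password
""",
}

# Provider-specific formats: a fixed prefix plus a fixed-length body.
PROVIDER_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}

# Generic "name = value" / name="value" assignment whose name suggests a secret.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b([a-z_]*(?:secret|token|password|api_key)[a-z_]*)\s*[=:]\s*\"?([^\s\"<]+)\"?"
)

MIN_GENERIC_LENGTH = 16   # shorter values are usually placeholders or words
MIN_ENTROPY_BITS = 3.5    # bits per character; English words sit well below this


@dataclass
class Finding:
    path: str
    kind: str
    name: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return secret-like findings in one file's text, deduplicated by value."""
    findings, seen = [], set()
    # 1. Known provider formats: high confidence regardless of context.
    for kind, pattern in PROVIDER_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if value not in seen:
                seen.add(value)
                findings.append(Finding(path, kind, kind, value))
    # 2. Generic assignments: only report long, high-entropy values so that
    #    "${API_KEY}" placeholders and dictionary words are not flagged.
    for match in GENERIC_ASSIGNMENT.finditer(text):
        name, value = match.group(1), match.group(2)
        if value in seen or len(value) < MIN_GENERIC_LENGTH:
            continue
        if shannon_entropy(value) >= MIN_ENTROPY_BITS:
            seen.add(value)
            findings.append(Finding(path, "generic_high_entropy", name, value))
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: text} mapping and collect findings across all files."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}: {f.kind} ({f.name}) = {f.value[:6]}...")
```

Run against a real build, the input would be the output of a decompiler or the strings in `res/` and `assets/`, and the point of the entropy gate is to keep the report short enough that developers actually read it; the expected result on the sample above is three findings (the AWS key, the Google key and the high-entropy `backend_token`), with the placeholder and the word "password" correctly ignored.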
DDoS attacks whack Dutch universities
Universities in The Netherlands were hit by a second day of distributed denial of service attacks, causing significant disruptions to their networks and delaying some classes, Dutch media reported Friday.
The attacks, which education IT services provider SURF said had been ongoing since Wednesday, resumed on Friday. SURF noted that the attacks began at 0820 local time and were hopping between targets in its network. Mitigations stopped the attack by 1140 the same morning, but the provider made similar claims to have taken measures to stop future attacks on Wednesday and Thursday, too.
It’s not clear who is behind the attacks, but it’s not only the country’s universities that have been hit this week. DigiD, the Dutch government login service, was also hit by a DDoS attack last week, knocking it offline for most of Tuesday, January 14, the government said.
It’s unknown if the attacks are related, and the culprit behind the DigiD DDoS wasn’t named, either.
North Korea’s latest fake job campaign is more dangerous than ever
Every time we turn around, there’s another fake job malware campaign in the news, but the North Korean-linked Lazarus Group’s latest campaign is “a masterclass,” wrote the researchers from SecurityScorecard who found it.
Unlike the previous campaign from Lazarus called Operation Dream Job that tricked developers into downloading malicious files, this one, called Operation 99, appears to be a long, sophisticated con.
Lazarus Group appears to have created fake recruiter profiles on LinkedIn to target developers in the Web3 and crypto space. The crypto-stealing malware infection that’s the end game for the campaign is hidden in a GitLab repository the “recruiter” asks their victim to clone after first performing other tasks that appear designed to test candidates’ skills and suitability for a job.
By all accounts, this appears to be another financially motivated campaign in keeping with North Korea’s modus operandi of cryptocurrency heists.
Texas sues Allstate for collecting and selling customer data
Texas Attorney General Ken Paxton announced a lawsuit against auto insurance firm Allstate and its data analytics subsidiary Arity, alleging the unlawful collection and use of driver data to create what it claims is the “world’s largest driving behavior database” without customer consent.
Data on drivers was collected by paying developers of third-party apps to embed routines in their apps, the AG alleged, resulting in the gathering of “trillions of miles worth of location data from over 45 million consumers nationwide.”
That data, in turn, was purportedly used to inform underwriting decisions, potentially affecting insurance premiums and coverage – all without customers having given consent for their data to be collected, used or sold for that purpose, according to the filing.
The lawsuit follows General Motors settling with the Federal Trade Commission over allegations it engaged in a similar scheme using OnStar services available in its vehicles. ®