Hackers Breach a Billion Yahoo Accounts

This week we hear about how Hackers Breached a Billion Yahoo Accounts and how a Nagios Exploit Leads to Root Privilege Escalation and Remote Code Execution.

Breach

Hackers Breached a Billion Yahoo Accounts

On Wednesday, the Internet service company Yahoo! reported another major breach of user account data, saying that data from more than 1 billion user accounts was compromised in August 2013. The first announced breach, reported in September 2016, had occurred sometime in late 2014 and affected over 500 million Yahoo! user accounts. The separate breach, which occurred around August 2013 and was reported in December 2016, affected over 1 billion user accounts.

Both breaches are considered the largest discovered in the history of the Internet. The stolen material includes names, email addresses, telephone numbers, security questions and answers (some encrypted, some not), dates of birth, and encrypted passwords. Further, Yahoo! reported that the late 2014 breach likely used forged web cookies to falsify login credentials, allowing the attackers to access any account without a password.

References: Yahoo Hack Billion of Users | How Does the Latest Yahoo Data Breach Impact The Company’s Reputation? | Yahoo Exposed to The Largest Data Breach in History (Again)

Mitigation Strategies:

  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • NetFlow traffic may also reveal large data transfers and potential data leakage.
  • Threat intelligence scanning and mining the internet to identify lost/stolen data.
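The NetFlow bullet above is the kind of check that catches a mass exfiltration like the one described, because account-dump traffic leaves as an unusually large outbound volume from a single host. The following is an added example, not code from the newsletter or from any vendor: it aggregates outbound bytes per internal host from NetFlow-style records (the sample records, the comma-separated field layout, the 10.0.0.0/8 internal range and the "ten times the median" threshold are all assumptions for illustration) and flags the hosts whose egress volume is far above their peers.

```python
"""Flag internal hosts whose outbound byte volume is anomalously high.

Added example, not from the newsletter. Field layout (src,dst,dst_port,bytes),
the internal range and the outlier factor are assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed NetFlow-style records: src,dst,dst_port,bytes
SAMPLE_FLOWS = [
    "10.0.1.10,52.10.4.4,443,48200",
    "10.0.1.10,52.10.4.4,443,51000",
    "10.0.1.11,13.33.2.2,443,22000",
    "10.0.1.12,203.0.113.9,443,812000000",   # large outbound transfer
    "10.0.1.12,203.0.113.9,443,790000000",   # from the same host
    "10.0.1.13,10.0.1.10,445,400000000",     # internal-to-internal, not egress
    "10.0.1.14,198.51.100.7,22,15000",
]


def parse_flow(line):
    """Split one record into typed fields; raises on malformed input."""
    src, dst, port, nbytes = line.strip().split(",")
    return ip_address(src), ip_address(dst), int(port), int(nbytes)


def egress_bytes_per_host(lines):
    """Sum bytes sent from internal hosts to external destinations only."""
    totals = defaultdict(int)
    for line in lines:
        src, dst, _port, nbytes = parse_flow(line)
        if src in INTERNAL and dst not in INTERNAL:
            totals[str(src)] += nbytes
    return dict(totals)


def flag_outliers(totals, factor=10):
    """Hosts whose egress exceeds `factor` times the median host's egress.

    The median is a crude baseline; a real deployment would compare each host
    against its own history, but the peer-median keeps the example self-contained.
    """
    if not totals:
        return []
    threshold = median(totals.values()) * factor
    return sorted(h for h, b in totals.items() if b > threshold)


def detect_exfiltration(lines, factor=10):
    """Convenience wrapper: parse, aggregate, and flag in one call."""
    return flag_outliers(egress_bytes_per_host(lines), factor)


if __name__ == "__main__":
    totals = egress_bytes_per_host(SAMPLE_FLOWS)
    for host, nbytes in sorted(totals.items()):
        print(f"{host:12} {nbytes:>14,} bytes out")
    print("flagged:", detect_exfiltration(SAMPLE_FLOWS))
```

In the sample data only 10.0.1.12 is flagged; the 400 MB transfer from 10.0.1.13 is ignored because its destination is internal, which is exactly why the aggregation must be restricted to egress rather than total bytes.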

Malware

Nagios Exploit Leads to Root Privilege Escalation and Remote Code Execution

“High” severity-rated vulnerabilities in the Nagios Core platform were spotted by researcher Dawid Golunski of Legal Hackers that could allow root privilege escalation and remote code execution. Nagios is an open source application that monitors systems, networks, and IT infrastructure.

One of the vulnerabilities, a command injection, could enable remote unauthenticated attackers who manage to impersonate the feed server (via DNS poisoning, domain hijacking, ARP spoofing, etc.) to return a malicious response that injects parameters into the curl command used by the affected RSS client class, and thereby read or write arbitrary files on the vulnerable Nagios server. The other critical vulnerability could enable malicious local attackers to escalate their privileges from the 'nagios' system user, or from a user belonging to the 'nagios' group, to root. Chained together, the two could let attackers fully compromise the system on which a vulnerable Nagios version was installed.
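The command-injection bug above belongs to a familiar class: a value that a remote server controls (a feed URL, or something handed back in its response) ends up spliced into a curl command line, so the server can smuggle in curl options. The following is an added example, not code from Nagios, the RSS client class or the newsletter; it shows the defensive pattern for that class in Python with illustrative names (validate_feed_url, build_curl_argv, is_safe_feed_url) and assumed policy choices (http/https only, a 2048-character cap): the value is validated, curl is invoked through an argument list rather than a shell string, and "--" ends option parsing so nothing after it can be read as an option.

```python
"""Build a curl argument vector for a feed URL without a shell.

Added example, not code from Nagios. Function names, the allowed schemes and
the length cap are assumptions made for illustration.
"""
import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumed policy
MAX_URL_LEN = 2048                    # assumed policy
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def validate_feed_url(url):
    """Return url if it is a plain http(s) URL; raise ValueError otherwise."""
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LEN:
        raise ValueError("feed URL missing or too long")
    if url.startswith("-"):
        # An option-shaped value is the signature of option injection.
        raise ValueError("feed URL must not look like a command option")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        # Whitespace is what lets one string become several argv words in a shell.
        raise ValueError("feed URL contains whitespace or control characters")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("feed URL scheme must be http or https")
    if not parts.hostname or not _HOST_RE.match(parts.hostname):
        raise ValueError("feed URL has no valid host")
    return url


def is_safe_feed_url(url):
    """Boolean form of validate_feed_url for callers that just want a verdict."""
    try:
        validate_feed_url(url)
        return True
    except ValueError:
        return False


def build_curl_argv(url, timeout=10):
    """Argument list for subprocess.run: no shell, no string splicing.

    "--" terminates option parsing, "--proto" pins the protocols curl may use,
    and redirects are not followed (no -L), so the server cannot steer the
    request anywhere the validated URL did not name.
    """
    return ["curl", "--silent", "--show-error", "--fail",
            "--max-time", str(timeout), "--proto", "=https,http",
            "--", validate_feed_url(url)]


def fetch_feed(url, timeout=10):
    """Run the hardened invocation; never shell=True, never string concatenation."""
    argv = build_curl_argv(url, timeout)
    return subprocess.run(argv, capture_output=True, check=True).stdout


if __name__ == "__main__":
    for candidate in ["https://feeds.example.net/status.xml",
                      "-o/tmp/out",
                      "file:///etc/hosts",
                      "http://"]:
        print(f"{candidate!r:45} safe={is_safe_feed_url(candidate)}")
```

The validation and the argument-list invocation are two independent layers: even if the validator were bypassed, a list passed to subprocess.run cannot be re-split by a shell, and "--" stops curl itself from treating the final word as an option.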

Nagios has recently patched the two critical vulnerabilities. To mitigate the issue, users are advised to upgrade to Nagios Core 4.2.4, as previous versions are vulnerable.

References: Nagios Core 4.2.4 Closes Serious Root Privilege Escalation Bug | Nagios Core Bug Allows Root Privilege Escalation | Nagios Core Patches Root, RCE Vulnerabilities

Mitigation Strategies:

This Week's Malicious IP Addresses

181.183.56.217 118.170.130.207
46.109.168.179 188.118.2.26
183.60.48.25 208.78.70.5

*IP addresses provided by Recorded Future.