Application Security

Shopify, Intezer, & Weaponized Vuln. – Hack Naked News #215

April 23, 2019

This week, a weather channel that was knocked off air by a malicious attack, how bad bots make up 20 percent of web traffic, ransomware ravages municipalities nationwide, a flaw in Shopify API exposed revenue and traffic data of thousands of stores, and how attackers are weaponizing more vulnerabilities than ever before! In the expert commentary, we welcome Itai Tevet, CEO of Intezer, to talk about Linux threats, recent Mirai variants, and general code reuse in the cyber space!

Security News

  1. Weather Channel Knocked Off-Air in Dangerous Precedent - On Thursday, The Weather Channel – a trusted cable network source of meteorological data across the U.S. – was knocked off the air by what it said was a “malicious software attack” on its network. The Weather Channel hack – not to be confused with the Weather Channel’s own hacks – affected its live broadcast for about 90 minutes between 6 and 7:30 a.m., during which canned content was aired. The network resumed broadcasting from backup locations at that point. Joseph Carson, chief security scientist at Thycotic, said via email: “It will be interesting to see if this attack is related to the most recent string of malicious malware impacting other global organizations such as the LockerGoga ransomware that impacted Norsk Hydro several weeks ago, causing more than over $40 million in damages so far. And still several systems are under manual control, a week following the incident.”
  2. Bad bots now make up 20 percent of web traffic - Bots, in general, are estimated to make up roughly 37.9 percent of all Internet traffic. In 2018, one in five website requests -- 20.4 percent -- of traffic was generated by bad bots alone. According to Distil Networks' latest bot report, "Bad Bot Report 2019: The Bot Arms Race Continues," the financial sector is the main target for such activity, followed by ticketing, the education sector, government websites, and gambling. The most interesting part is how the attackers are attempting to use, albeit lame, AI: A total of 73.6 percent of bad bots are classified as Advanced Persistent Bots (APBs), which are able to cycle through random IP addresses, switch their digital identities, and mimic human behavior. An example of this is mouse mimicry, in which the bot is able to simulate mouse events a genuine visitor may perform on a website domain. These tactics are used to try and appear as a legitimate user for the purposes of ad fraud, as well as brute-force attacks against online accounts, competitive data mining, transaction fraud, spam, and phishing campaigns.
  3. Internet Explorer zero-day lets hackers steal files from Windows PCs - Internet Explorer is dying, just like Flash: A security researcher has published today details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems. The vulnerability resides in the way Internet Explorer processes MHT files. MHT stands for MHTML Web Archive and is the default standard in which all IE browsers save web pages when a user hits the CTRL+S (Save web page) command.
  4. Two-Year-Old DNS Hijacking Campaign Targeted 40 Firms Globally - Not hijacked on the network, but using phishing to gain access to your registrar: The phishing emails were aimed at registrants and used to gain their credentials. From there, the bad actors could access an organization’s DNS records with the registrant’s credentials or by exploiting known vulnerabilities – including a PHP code injection flaw in phpMyAdmin (CVE-2009-1151), a remote code exploit for Cisco integrated service router 2811 (CVE-2017-6736) and the infamous “Drupalgeddon” remote code execution Drupal glitch (CVE-2018-7600).
  5. Ransomware ravages municipalities nationwide this week - Augusta, Maine; Imperial County, Calif.; Stuart, Fla.; and Greenville, N.C. were all in different stages of recovering from ransomware attacks over the last seven days. Augusta City Center operations were shuttered after being hit with malware on April 18, according to the Sun-Journal. The city’s IT department did not say ransomware was to blame, but the description of what took place has all the hallmarks of a ransomware attack. The city said the malware gained entry into its network in an unknown fashion and then methodically locked up endpoints and servers. The attack has affected the police dispatch system, the municipal financial systems, billing, automobile excise tax records, assessor’s records and general assistance.
  6. A flaw in Shopify API exposed revenue and traffic data of thousands of stores - API security is very poor in so many applications: The white hat hacker analyzed the APIs published over the past year by Shopify that allow users to fetch sales data for graph presentations. He noticed that the system was leaking the revenue data of two unnamed Shopify stores, one of which had been removed from the platform. The researcher carried out a mass check on all the existing stores to determine if the platform was affected by an Insecure Direct Object Reference (IDOR) issue by iterating over $storeName.
  7. jQuery JavaScript library flaw opens the doors for attacks on hundreds of millions of websites - The vulnerability in the jQuery library (CVE-2019-11358) was discovered by researchers at Snyk, who also published proof-of-concept code for a prototype pollution attack. “This security vulnerability referred to and manifests as prototype pollution, enables attackers to overwrite a JavaScript application object prototype,” reads the analysis published by Snyk. “When that happens, properties that are controlled by the attacker can be injected into objects and then either lead to denial of service by triggering JavaScript exceptions, or tamper with the application source code to force the code path that the attacker injects.”
  8. Attackers are weaponizing more vulnerabilities than ever before - Some actionable results to review: Over the research period, the Acrobat Reader family of products contained the most vulnerabilities (1,338). In 2015, the year the Acrobat DC product was introduced, 137 vulnerabilities were reported. I recommend removing this software from all of your systems, there are plenty of alternatives. Also: Despite a 31% decrease in vulnerabilities compared to the high reached in 2016, last year had the most weaponized vulnerabilities ever (177), which represents a 139% increase compared to 2017 (74). This means, get patching faster! Easier said than done as we know.
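
To make the prototype pollution described in item 7 concrete, here is an added example (not jQuery's source and not Snyk's proof of concept) that puts a recursive merge next to a hardened form. The function names and the JSON payload are constructed for illustration.

```javascript
// Added illustration: hypothetical helper names, not jQuery's own code.

// Vulnerable pattern: copies every key, so an own "__proto__" key in parsed
// JSON makes target["__proto__"] resolve to Object.prototype and recurse into it.
function unsafeDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip keys that reach a prototype, and only descend into
// properties the target owns itself rather than inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge a constructed untrusted payload, then check whether an unrelated,
// freshly created object has inherited the injected property.
function demo(mergeFn) {
  const payload = JSON.parse(
    '{"theme":{"color":"red"},"__proto__":{"isAdmin":true}}');
  const merged = mergeFn({}, payload);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // clean up so each run is independent
  return { polluted, color: merged.theme.color };
}

console.log('unsafe:', demo(unsafeDeepMerge), 'safe:', demo(safeDeepMerge));
```

Both versions merge the legitimate `theme` data; only the unsafe one lets the payload change what every other object in the process inherits.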

Expert Commentary: Itai Tevet, Intezer

Itai Tevet is the CEO of Intezer.

Itai carries out Intezer’s vision of improving organizations’ security operations and accelerating their incident response. Tevet previously served as the Head of the Israeli Defense Force’s cyber incident response team (IDF CERT), combining technical expertise and leadership experience to mitigate state-sponsored cyber threats. During this time, Itai led an elite group of cybersecurity professionals in digital forensics, malware analysis, incident response, and reverse engineering.
