Collection #1 dump, 773 million emails, 21 million passwords

Posted: 17 Jan 2019 10:56 AM PST

The popular cyber security expert Troy Hunt has uncovered a massive data leak he called ‘Collection #1’ that included 773 million records.

The name ‘Collection #1’ comes from the name of the root folder.

Collection #1

Someone has collected a huge trove of data through credential stuffing: the ‘Collection #1’ archive is a set of email addresses and passwords totalling 2,692,818,238 rows drawn from thousands of different sources.

According to Hunt, there are 1,160,253,228 unique combinations of email addresses and passwords, while the unique email addresses totalled 772,904,991.

The data was posted on the file-sharing service MEGA and also on an unnamed popular hacking forum; it includes more than 12,000 files for a total size of 87 gigabytes.

Hunt pointed out that approximately 140 million email accounts and some 10.6 million passwords are not part of known past data breaches.

“The unique email addresses totalled 772,904,991. This is the headline you’re seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). It’s after as much clean-up as I could reasonably do and per the previous paragraph, the source data was presented in a variety of different formats and levels of “cleanliness”. This number makes it the single largest breach ever to be loaded into HIBP.” wrote Troy Hunt.

The post on the hacking forum referenced “a collection of 2000+ dehashed databases and Combos stored by topic” and included a directory listing of 2,890 of the files, which Hunt reproduced in his write-up.

Users can check if their credentials are included in the Collection #1 dump by visiting the HIBP website.

“As of now, all 21,222,975 passwords from Collection #1 have been added to Pwned Passwords bringing the total number of unique values in the list to 551,509,767.” concludes Hunt.
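The check Hunt's Pwned Passwords service offers can also be scripted without the password ever leaving the client: the client hashes the password with SHA-1, sends only the first five hex characters to the range endpoint, and matches the remaining 35 characters locally. The following Python is an added example, not code from Security Affairs or from HIBP; the endpoint and the "SUFFIX:COUNT" response format are those of the public Pwned Passwords range API, while the sample response body and its counts are constructed so the example runs offline.

```python
"""Pwned Passwords k-anonymity lookup (added example, not HIBP's own code).

The client never sends the password or its full hash: only the first five
hex characters of the SHA-1 go to https://api.pwnedpasswords.com/range/<prefix>,
and the returned "SUFFIX:COUNT" lines are matched locally.
"""
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5
SUFFIX_LEN = 40 - PREFIX_LEN


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 split into the prefix sent to HIBP and the
    suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict. CRLF endings, blank lines and
    malformed lines are tolerated; padded entries (count 0) are kept."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.strip().upper()
        if not sep or len(suffix) != SUFFIX_LEN or not count.strip().isdigit():
            continue  # ignore rather than trust a malformed line
        counts[suffix] = int(count.strip())
    return counts


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup against the public API (not used in the offline demo).
    Add-Padding asks HIBP to pad the response so its size does not reveal
    how many real suffixes share the prefix."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be five upper-case hex characters")
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in Pwned Passwords (0 = not seen).
    Only the prefix reaches `fetch`; the suffix comparison is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample of a range response for prefix 5BAA6. The first suffix
# is the real one for SHA-1("password"); the other suffixes and every count
# are made up for the example.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    + "0" * SUFFIX_LEN + ":0\r\n"                     # padding entry
    + "1E2B4D8A5F9C7E3A1B6D8F0C2E4A6B8D0F2:12\r\n"
    + "not a valid line\r\n"
)


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(sha1_prefix_suffix("password"))
    print(pwned_count("password", offline_fetch))                      # 3730471
    print(pwned_count("correct horse battery staple", offline_fetch))  # 0
```

Passing the fetcher as a parameter keeps the hashing and matching logic testable offline; swapping `offline_fetch` for `fetch_range` performs the live query, and only the five-character prefix is ever sent.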

Pierluigi Paganini

(SecurityAffairs – Collection #1, data leak)

The post Collection #1 dump, 773 million emails, 21 million passwords appeared first on Security Affairs.

Drupal fixes 2 critical code execution flaws in Drupal 7, 8.5 and 8.6

Posted: 17 Jan 2019 04:39 AM PST

Drupal released security updates for Drupal 7, 8.5 and 8.6 that address two “critical” security vulnerabilities that could be exploited for arbitrary code execution.

The first vulnerability could be exploited by a remote attacker to execute arbitrary PHP code. The flaw resides in the phar stream wrapper implemented in PHP and is related to the way it handles untrusted phar:// URIs.

“A remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.” reads the security advisory.

“Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.”

The development team marked .phar as a potentially dangerous extension; this means that .phar files uploaded to a website running on the popular CMS will be automatically converted to .txt to prevent malicious execution. Note that the replacement stream wrapper is not compatible with PHP versions lower than 5.3.3.

The development team has disabled the phar:// wrapper for Drupal 7 sites running a version of PHP earlier than 5.3.3.

“Drupal 7 sites using PHP 5.2 (or PHP 5.3.0-5.3.2) that require phar support will need to re-enable the stream wrapper for it; however, note that re-enabling the stream wrapper will re-enable the insecure PHP behavior on those PHP versions.” continues the advisory.
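The two defensive moves the advisory describes, refusing stream-wrapper URIs where a plain path is expected and neutralising uploads with a dangerous extension, come down to input validation that any code path performing file operations on user input should apply. The Python below is an added illustration of those checks, not Drupal's own code; the list of dangerous extensions, the base directory and the underscore/.txt munging rule are assumptions made for the example.

```python
"""Validating user-controlled file names before file operations (added
example in Python; not Drupal's code). Two checks from the advisory above:
reject stream-wrapper URIs such as phar:// where a plain path is expected,
and store uploads with a dangerous extension as .txt."""
import posixpath
import re

# Assumed list for the example; a real deployment takes this from the
# application's configuration.
DANGEROUS_EXTENSIONS = {"phar", "php", "phtml", "php3", "php4", "php5",
                        "pl", "py", "cgi", "asp", "aspx", "js"}

# Anything that looks like a URI scheme: "phar://", "PHAR:", "data:", ...
# Leading whitespace is skipped because many file APIs tolerate it.
_SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


class UnsafePathError(ValueError):
    """Raised when user input must not reach a file operation."""


def reject_stream_wrapper(user_path: str) -> str:
    """Return user_path unchanged, or raise if it carries a scheme. Allowing
    only plain paths is safer than deny-listing known wrappers."""
    m = _SCHEME_RE.match(user_path)
    if m:
        raise UnsafePathError(f"URI scheme not allowed here: {m.group(1).lower()}:")
    return user_path


def safe_local_path(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir, refusing NUL bytes, stream wrappers
    and traversal outside base_dir. POSIX paths only."""
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    reject_stream_wrapper(user_path)
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if full != base and not full.startswith(base + "/"):
        raise UnsafePathError("path escapes the base directory")
    return full


def munge_filename(filename: str) -> str:
    """Neutralise dangerous extensions in an upload name. A dangerous final
    extension gets '.txt' appended; a dangerous inner extension (as in
    'shell.phar.jpg', which some web servers still hand to an interpreter)
    gets an underscore. The rule is an assumption modelled on common CMS
    practice, not Drupal's exact algorithm."""
    parts = filename.strip().split(".")
    if len(parts) < 2:
        return parts[0]
    head, *inner, last = parts
    inner = [e + "_" if e.lower() in DANGEROUS_EXTENSIONS else e for e in inner]
    name = ".".join([head, *inner, last])
    if last.lower() in DANGEROUS_EXTENSIONS:
        name += ".txt"
    return name


if __name__ == "__main__":
    print(safe_local_path("/var/www/files", "reports/2019.pdf"))
    for bad in ("phar://uploads/x.jpg", "  PHAR:///tmp/a.phar", "../../etc/passwd"):
        try:
            safe_local_path("/var/www/files", bad)
        except UnsafePathError as e:
            print("rejected", repr(bad), "->", e)
    for name in ("evil.phar", "evil.phar.jpg", "photo.JPG"):
        print(name, "->", munge_filename(name))
```

The scheme check is deliberately an allow-list of plain paths rather than a deny-list of wrapper names, so a case variant such as `PHAR:` or a wrapper the list never mentioned is rejected the same way.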

The second flaw affects the PEAR Archive_Tar, a third-party library that handles .tar files in PHP. An attacker could use a specially crafted .tar file to delete arbitrary files on the system and possibly even execute remote code.

“Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.” reads the security advisory.

The development team behind Archive_Tar has patched the flaw, and the updated library has been shipped in the core of the CMS.

Drupal 8.6.6, 8.5.9 and 7.62 patch both flaws. Experts highlighted that Drupal 8 versions prior to 8.5.x will no longer receive security updates because they have reached end of life.

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)


South Korea: hackers compromised Defense Acquisition Program Administration PCs

Posted: 17 Jan 2019 02:17 AM PST

South Korea – Alleged state-sponsored hackers compromised 10 PCs at the ministry’s Defense Acquisition Program Administration.

Unknown hackers compromised 10 PCs at the Defense Acquisition Program Administration, the ministry’s office that manages military procurement.

The news was confirmed by the South Korea Ministry of National Defense.

“It has been turned out that 30 computers installed on the internal system of the Defense Acquisition Program Administration, in charge of arms procurement such as next-generation fighter jets, have come under simultaneous virtual attacks and 10 out of them saw internal data leaked.” reports Korea’s Dong-A Ilbo.

“As cyberattacks have continued on major Korean foreign affairs facilities including the Korean presidential office Cheong Wa Dae, the National Assembly and the Defense Acquisition Program Administration, concerns are ever increasing regarding the government's cyber security capabilities.”

The systems targeted by the hackers contain sensitive data on purchases of military equipment and weapons, including “next-generation fighter jets.”

The security breach was disclosed this week in a report from a South Korean politician.

The National Assembly and the Defense Acquisition Program Administration confirmed that no confidential information was accessed or exfiltrated by hackers.

The security breach occurred on October 4, 2018: the attack targeted 30 computers, but only 10 of them were compromised. The intrusion was spotted on October 26, when the National Intelligence Service noticed suspicious traffic on an IP address associated with the agency.

The intrusion coincides with another attack on the email account of Liberty Korea Party Rep. Baek Seung-joo. Experts believe that a politically motivated threat actor targeted the systems of Korea’s major organizations simultaneously.

“It is dubious whether the agency issued a conclusion to conceal damage and minimize the scope of penetration,” Rep. Lee pointed out. “Further investigation to find out if the source of attacks is North Korea or any other party.”

The Dong-A Ilbo added that an intelligence agent said a further review will be conducted of the defense measures implemented to protect the Defense Acquisition Program Administration’s systems.

Pierluigi Paganini

(SecurityAffairs – South Korea, Defense Acquisition Program Administration)


Unprotected server of Oklahoma Department of Securities exposes millions of government files

Posted: 17 Jan 2019 12:47 AM PST

A huge trove of data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a server for at least a week.

Another data leak made the headlines: a huge trove of data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a server for at least a week.
It is not clear how long the data was left exposed online; according to the Shodan search engine, the server had been publicly reachable since at least November 30, 2018.

The unsecured storage server was discovered by security expert Greg Pollock from UpGuard. It contained 3 terabytes of data, including millions of sensitive government files and years’ worth of sensitive FBI investigations.

Other documents included social security numbers, names, and addresses for over a hundred thousand brokers, credentials for remote access to ODS workstations, and communications meant for the Oklahoma Securities Commission.

The server also included email backups from 1999 to 2016, the largest and most recent reaching 16GB in size.

The exposed information includes passwords that could have been used by an attacker to remotely access the state agency’s workstations, and credentials to access several internet services.

Digging into the archive, it is also possible to find information related to people with AIDS, including patient names and T-cell counts.


“By the best available measures of the files’ contents and metadata, the data was generated over decades, with the oldest data originating in 1986 and the most recent modified in 2016,” reads a blog post published by UpGuard.

“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server.”
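The exposure UpGuard describes, an rsync daemon module that any source address could read without authentication, is the kind of condition that a review of rsyncd.conf can catch before the service is reachable from the internet. The Python below is an added example, not UpGuard's or the agency's code; the configuration text is constructed, and the option names it inspects (path, auth users, secrets file, hosts allow, read only, list) are standard rsync daemon options.

```python
"""Audit an rsyncd.conf for modules that the network can read without
authentication (added example, not UpGuard's or the State of Oklahoma's code).
Option names are standard rsync daemon options; the sample configuration
below is constructed for the example."""
import re
from typing import Dict, List, Tuple

Section = Dict[str, str]


def parse_rsyncd_conf(text: str) -> Tuple[Section, Dict[str, Section]]:
    """Minimal rsyncd.conf parser: '[name]' opens a module, 'key = value'
    sets an option, lines starting with '#' or ';' are comments. Options
    before the first module are global defaults."""
    global_opts: Section = {}
    modules: Dict[str, Section] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = modules.setdefault(m.group(1).strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
    return global_opts, modules


def _opt(name: str, module: Section, global_opts: Section, default: str = "") -> str:
    """Module value, falling back to the global default."""
    return module.get(name, global_opts.get(name, default))


def _is_no(value: str) -> bool:
    return value.strip().lower() in ("no", "false", "0")


def audit_rsyncd(text: str) -> Dict[str, List[str]]:
    """Return module name -> list of findings (empty list = nothing flagged)."""
    g, modules = parse_rsyncd_conf(text)
    findings: Dict[str, List[str]] = {}
    for name, mod in modules.items():
        issues: List[str] = []
        if not _opt("auth users", mod, g):
            issues.append("no 'auth users': the module is usable without authentication")
        elif not _opt("secrets file", mod, g):
            issues.append("'auth users' set but no 'secrets file': logins cannot be checked")
        hosts_allow = _opt("hosts allow", mod, g).strip()
        if hosts_allow in ("", "*", "0.0.0.0/0"):
            issues.append("no 'hosts allow' restriction: any source address is accepted")
        if _is_no(_opt("read only", mod, g, "yes")):
            issues.append("'read only = no': remote clients may write to the path")
        if not _is_no(_opt("list", mod, g, "yes")):
            issues.append("module is listed: its name appears in the daemon's module listing")
        findings[name] = issues
    return findings


def wide_open_modules(text: str) -> List[str]:
    """Modules matching the UpGuard description: no authentication and no
    source-address restriction, i.e. readable by anyone who can reach the port."""
    g, modules = parse_rsyncd_conf(text)
    return [
        name for name, mod in modules.items()
        if not _opt("auth users", mod, g)
        and _opt("hosts allow", mod, g).strip() in ("", "*", "0.0.0.0/0")
    ]


# Constructed sample: one module shared the way the UpGuard post describes,
# one module restricted as it should be.
SAMPLE_RSYNCD_CONF = """\
# constructed example, not a real configuration
uid = nobody
gid = nogroup
use chroot = yes
read only = yes

[archive]
    path = /srv/archive
    comment = departmental archive, 1986-2016 (constructed)

[backups]
    path = /srv/backups
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.20.0.0/16
    list = no
"""

if __name__ == "__main__":
    for module, issues in audit_rsyncd(SAMPLE_RSYNCD_CONF).items():
        print(module, "->", issues or "ok")
    print("wide open:", wide_open_modules(SAMPLE_RSYNCD_CONF))
```

Run against the constructed file, the `archive` module is flagged on all three counts that matter here (no authentication, no address restriction, listed), while `backups` passes; a firewall rule in front of port 873 is a second, independent control, and the press release below suggests it was exactly that control that was missing during the installation window.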

UpGuard immediately notified the ODS of the discovery, and the agency secured the storage server.

The Oklahoma Securities Commission published a press release to disclose the data leak; it announced that a forensic team is still investigating the case.

“The Oklahoma Department of Securities (ODS) has initiated a comprehensive review of the circumstances surrounding an incident involving the inadvertent exposure of information during installation of a firewall.” reads the press release.

“An accidental vulnerability of limited duration to a server containing archived data was discovered and immediately secured. The ODS has notified law enforcement and OMES regarding the incident. A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them.”

Pierluigi Paganini

(SecurityAffairs – Oklahoma Department, data leak)
