This Week in CyberSec, 01 Sept 2017

Doxagram, US government site hosts Cerber ransomware, 33,000 IoT device credentials published


Instagram API flaw may affect up to 6 million users. A website called Doxagram purportedly lets anyone search, for $10 per query, the Instagram usernames, email addresses and phone numbers exposed through Instagram's recently disclosed API flaw. User passwords were reportedly not affected. Instagram announced on 30 AUG 2017 that the API vulnerability had been patched.

NYDailyNews, Instagram hacked, personal information from ‘high-profile user accounts’ stolen “We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information – specifically email address and phone number — by exploiting a bug in an Instagram API,” a rep told the Daily News in a statement. A source told The News that one person found the bug in the API and used it to access information.

The source may be referring to the singer Selena Gomez's hijacked Instagram account, which was used to post private photos of Justin Bieber.

Cyberscoop, Instagram investigating larger breach; hacker claims 6 million accounts for sale “Earlier in the week, Instagram said it had found and fixed a “bug” in its API…We fixed the bug swiftly and are running a thorough investigation,” Instagram told CyberScoop Friday. The company said that the hackers initially appeared to have targeted high-profile accounts and that “out of an abundance of caution,” it had notified all verified users.

“After additional analysis,” the statement continued, “we have determined that this issue potentially impacted some non-verified accounts as well. Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.” The Facebook-owned social-media platform has a reported 700 million users.

Ars Technica, Site sells Instagram users’ phone and e-mail details, $10 a search

“At first glance, the Instagram security bug that was exploited to obtain celebrities’ phone numbers and e-mail addresses appeared to be limited, possibly to a small number of celebrity accounts. Now a database of 10,000 credentials published online Thursday night suggests the breach is much bigger…The [database] sender said he was able to scrape personal data belonging to 6 million users and was selling the data in a searchable website for $10 per query. The person provided a sample of 10,000 of those records.”

DailyBeast, Hackers Make Searchable Database to Dox Instagram Celebs “As for why the database contains high profile users, the hackers claimed they set up their scraper to initially target all users with over 1 million followers, and then recursively harvest other users.”

The HackerNews, Instagram Hacker Puts 6 Million Celebrities Personal Data Up For Sale On DoxaGram “A security researcher from Kaspersky Labs, who also found the same vulnerability and reported it to Instagram, told The Hacker News that the issue actually resided in the Instagram’s mobile API, specifically in the password reset option, which apparently exposed mobile numbers and email addresses of the users—but not passwords.”
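The reports above describe the bug class rather than the code: a password-reset endpoint that hands a caller the account's contact details, which a scraper iterating over usernames can harvest at scale. The following is an added illustration, not Instagram's code (the actual defect has not been published), showing a hypothetical vulnerable reset handler next to a hardened one that answers identically whether or not the username exists and never places contact channels in the response body. All accounts, usernames and functions are constructed for the example.

```python
"""Hypothetical password-reset contact-info leak and its hardened form.

Added example: NOT Instagram's code and not the actual defect. It shows the
generic bug class reported above: a reset endpoint that echoes an account's
full e-mail address and phone number to anyone who supplies a username.
"""
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    phone: str


# Constructed sample data (not real accounts).
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com", "+15551234567"),
    "bob": Account("bob", "bob@example.net", "+15559876543"),
}

OUTBOX = []  # stand-in for the mail/SMS gateway used by the hardened handler


def reset_insecure(username: str) -> dict:
    """Vulnerable: reveals account existence and full contact details."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"status": "error", "message": "no such user"}
    # Delivery of the reset link is omitted; the leak is the response itself.
    return {"status": "ok", "email": acct.email, "phone": acct.phone}


def mask_email(email: str) -> str:
    """'alice@example.com' -> 'a****@e******.com' (first chars and TLD kept)."""
    local, _, domain = email.partition("@")
    name, _, tld = domain.rpartition(".")
    return (f"{local[0]}{'*' * (len(local) - 1)}@"
            f"{name[0]}{'*' * (len(name) - 1)}.{tld}")


def mask_phone(phone: str) -> str:
    """Keep only the last two digits: '+15551234567' -> '**********67'."""
    return "*" * (len(phone) - 2) + phone[-2:]


def reset_hardened(username: str) -> dict:
    """Constant response regardless of existence; contact hints go out of band."""
    acct = ACCOUNTS.get(username)
    if acct is not None:
        # The masked hint is delivered to the owner, never to the caller.
        OUTBOX.append({"to": acct.email, "hint": mask_phone(acct.phone)})
    return {"status": "ok",
            "message": "If an account matches, a reset link has been sent."}


def harvest(usernames, endpoint) -> dict:
    """What a scraper iterating usernames collects from a given endpoint."""
    leaked = {}
    for name in usernames:
        resp = endpoint(name)
        if "email" in resp or "phone" in resp:
            leaked[name] = (resp.get("email"), resp.get("phone"))
    return leaked


if __name__ == "__main__":
    probe = ["alice", "bob", "carol"]
    print("insecure:", harvest(probe, reset_insecure))  # two accounts leaked
    print("hardened:", harvest(probe, reset_hardened))  # {}
```

The hardened handler closes the disclosure and the username-enumeration oracle in the response body; in practice it also needs per-client rate limiting on the reset endpoint, since the article's scraper worked by volume, and a check that the branch for existing accounts does not leak through timing.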

US Government Site Hosting Cerber Ransomware

An unnamed US government site was recently found to be hosting a zipped JavaScript downloader that ultimately installed the Cerber ransomware.

Threatpost, US Government Site Was Hosting Ransomware “As recently as Wednesday afternoon, a U.S. government website was hosting a malicious JavaScript downloader that led victims to installations of Cerber ransomware.” “[NewSky Security researcher] Anubhav said the site was hosting a .zip archive that contained JavaScript that included obfuscated PowerShell. The PowerShell downloads a gif file which is in reality a Cerber executable.”

NewSky Security, US Government Site Unwittingly Hosting Malware “On 30th August, we revealed the presence of malware on the US Government site via Twitter, notifying US-CERT simultaneously. We observed that within few hours of this tweet, the malware link was taken down.”
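The chain described above has two cheap tells that a proxy, mail gateway or download scanner can check without any signatures: a .zip whose members are scripts rather than documents, and a payload served under an image name whose bytes are a Windows executable. The following is an added example, not code from the article or from NewSky Security; it checks both by inspecting content rather than trusting the file extension. The in-memory zip and the minimal PE-shaped byte string are constructed for the example.

```python
"""Content-based checks for the two stages of the downloader chain above.

Added example, not from the article. Stage 1: a zip archive carrying a
script. Stage 2: a "gif" whose bytes are really a PE executable.
"""
import io
import zipfile

IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}


def classify(data: bytes) -> str:
    """Identify content by magic bytes, ignoring whatever name it was served as."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        off = int.from_bytes(data[0x3C:0x40], "little")
        return "pe" if data[off:off + 4] == b"PE\0\0" else "mz-dos"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def _ext(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def masquerading_executable(filename: str, data: bytes) -> bool:
    """True when an image extension is carrying a PE executable."""
    return _ext(filename) in IMAGE_EXT and classify(data) == "pe"


def archived_scripts(data: bytes) -> list:
    """Names of script members inside a zip; empty if not a zip or none found."""
    if classify(data) != "zip":
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if _ext(n) in SCRIPT_EXT]


# --- constructed test artefacts (not real malware) ---

def fake_pe() -> bytes:
    """Smallest byte string that classify() accepts as a PE image."""
    hdr = bytearray(b"MZ" + b"\0" * 62)            # 64-byte DOS header
    hdr[0x3C:0x40] = (64).to_bytes(4, "little")    # e_lfanew -> offset 64
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def fake_zip(members: dict) -> bytes:
    """Build an in-memory zip with the given {name: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    stage1 = fake_zip({"invoice.js": b"// would hold obfuscated PowerShell",
                       "readme.txt": b"harmless"})
    print("scripts in archive:", archived_scripts(stage1))      # ['invoice.js']
    print("logo.gif is PE:", masquerading_executable("logo.gif", fake_pe()))  # True
    print("real gif is PE:", masquerading_executable("logo.gif", b"GIF89a\0"))  # False
```

These checks flag the shape of the delivery, not the family; they would also catch a benign tool shipped this way, so treat a hit as grounds to detonate or block the download, not as a Cerber attribution. The PowerShell stage itself is easier to see on the endpoint (script block logging and a download-to-executable write from a `powershell.exe` child of `wscript.exe`) than on the wire.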

List of over 33,000 IoT Device Credentials Published to Pastebin

Thousands of working Telnet credentials for IoT devices have been exposed on Pastebin since June 2017. The list contains 8,233 unique IP addresses, over 2,000 of which still allowed Telnet access as of 26 AUG 2017.

Bleeping Computer, Someone Published a List of Telnet Credentials for Thousands of IoT Devices “The list…includes an IP address, device username, and a password, and is mainly made up of default device credentials in the form of “admin:admin”, “root:root”, and other formats. The Pastebin list includes 143 credential combos, including the 60 admin-password combos from the Mirai Telnet scanner.”
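The numbers in this story (33,000 lines, 8,233 unique hosts, 143 credential combinations) are the kind a defender would want to reproduce before deciding whether any of their own address space is on the list. The following is an added example, not code from the article or from the researchers who analysed the paste, that parses such a list and tallies unique hosts and credential pairs, and marks the pairs that come from the Mirai Telnet scanner's default list. The line format `<ip>:<port> <user>:<pass>` is an assumption (the paste's exact layout is not reproduced in the article), the sample uses RFC 5737 documentation addresses, and the Mirai set is a small illustrative subset of that scanner's full dictionary.

```python
"""Parse and tally a leaked IP/credential list of the kind described above.

Added example, not from the article. Line format assumed:
"<ip>[:<port>] <user>:<pass>". Sample data is constructed.
"""
from collections import Counter
import ipaddress

SAMPLE = """\
192.0.2.10:23 admin:admin
192.0.2.10:23 admin:admin
192.0.2.11:23 root:root
192.0.2.12:2323 root:xc3511
198.51.100.7:23 root:vizxv
198.51.100.7:23 admin:1234
not a credential line
203.0.113.5 support:support
"""

# Small subset of the default credentials in the Mirai Telnet scanner.
MIRAI_DEFAULTS = {("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
                  ("root", "root"), ("admin", "1234"), ("root", "12345")}


def parse(text: str) -> list:
    """Return (ip, port, user, password) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        host, cred = parts
        ip, sep, port = host.rpartition(":")
        if not sep:                       # no port given: assume Telnet
            ip, port = host, "23"
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        user, sep, pw = cred.partition(":")
        if not sep:
            continue
        records.append((ip, int(port) if port.isdigit() else 23, user, pw))
    return records


def summarize(records: list) -> dict:
    """Counts a responder needs: hosts, combos, and share of known defaults."""
    combos = Counter((u, p) for _, _, u, p in records)
    defaults = sum(1 for _, _, u, p in records if (u, p) in MIRAI_DEFAULTS)
    return {
        "entries": len(records),
        "unique_ips": len({ip for ip, *_ in records}),
        "combos": combos,
        "default_share": defaults / len(records) if records else 0.0,
    }


def my_hosts(records: list, networks: list) -> list:
    """Entries whose IP falls inside any of the given CIDR blocks."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [r for r in records
            if any(ipaddress.ip_address(r[0]) in n for n in nets)]


if __name__ == "__main__":
    recs = parse(SAMPLE)
    s = summarize(recs)
    print(s["entries"], "entries,", s["unique_ips"], "unique IPs")
    print("top combos:", s["combos"].most_common(3))
    print(f"known Mirai defaults: {s['default_share']:.0%}")
    print("in my space:", my_hosts(recs, ["198.51.100.0/24"]))
```

The figure the article reports for hosts that still accepted Telnet requires a live connection attempt per address and is deliberately not shown here; run that only against space you own or are authorised to test. The `my_hosts` filter is the part to run first, since an address of yours on such a list means the device is already being logged into by whoever else has the paste.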