Yes, this is one of those end-of-year summaries. And it's a long one, since 2019 has been a disaster in terms of cyber-security news, with one or more major stories breaking on a weekly basis.
Below is a summary for the past 10 months of security disasters, organized by month.
Severe vulnerability in Apple FaceTime
- A bug in Apple's FaceTime app let attackers call and self-answer a FaceTime call without any user interaction from the callee, opening the door for secret surveillance.
Someone hacked the PHP PEAR website
- We still don't know what happened there, but some hacker breached the PHP PEAR repo and backdoored a version of the PHP PEAR package manager.
SCP implementations impacted by 36-years-old security flaws
- All SCP (Secure Copy Protocol) implementations from the last 36 years, since 1983, were found to be vulnerable to four security bugs that allowed a malicious SCP server to make unauthorized changes to a client's (user's) system and hide malicious operations in the terminal.
Yearly LTE security flaws
- Two sets of new LTE security flaws were discovered this year: one that impacted 3G, 4G, and 5G, and a second set of 36 vulnerabilities found after a fuzzing project carried out by South Korean security researchers.
- The security flaw impacts how Windows, Mac, and Linux handle Thunderbolt peripherals. It allows the creation of highly dangerous malicious peripherals that can steal data from OS memory.
New Intel CPU bug
- Researchers find new Intel VISA (Visualization of Internal Signals Architecture) debugging technology.
Hacks at French gas stations
- Criminal group steals 120,000 litres of fuel from Total gas stations around Paris after gas stations forgot to change gas station pump PINs.
Citrix data breach
- Citrix learned of the hack from the FBI. Hackers stole business documents. A lot of Citrix customers are government agencies and Fortune 500 companies.
Smartphone unlocking issues
- We've had a few this year, but the first case was reported in March when a user found that Samsung Galaxy S10 facial recognition can be fooled by a video of the phone owner. A month later, a user found that he could unlock a Nokia 9 smartphone's fingerprint scanner with a pack of gum. Then in October, users found that you could unlock a Pixel 4's facial unlock technology while you had your eyes closed, and a couple found that they could unlock Samsung S10 devices using fingerprint protection with any user's finger if the device was protected by a silicone case. In fact, the issue with bypassing facial recognition is quite widespread. A study by a Dutch non-profit last year found that attackers could bypass face unlock-type features on 42 out of the 110 smartphones tested.
United Airlines covers up seat cameras
- The airline insists that the cameras have not been in active use; however, customers were still very disturbed and annoyed by the cameras' presence in the first place.
- A hacker known as Gnosticplayers has dumped over one billion user records online in the span of a few months.
New MDS attacks on modern CPUs
- Researchers, academics detail new Microarchitectural Data Sampling (MDS) attacks, such as Zombieload, Fallout, and RIDL.
- Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear. Most Cisco gear is believed to be impacted. No attacks detected in the wild.
- In mid-May, Microsoft warned about a new "wormable" RDP vulnerability that later became known as BlueKeep. Two new wormable BlueKeep-like vulnerabilities (DejaBlue) were later disclosed in August. After months of waiting for attacks, a proof-of-concept exploit was publicly published in September.
- One of Gnosticplayers' victims. Company was hacked for 139 million user records.
- Extent of the hack is unknown, but Flipboard said hackers had access to its systems for almost nine months.
Major Safe Browsing bug
- Mobile Chrome, Safari, and Firefox failed to show phishing warnings for more than a year.
Hackers breached 10 telecom providers
- Researchers at Cybereason said a nation-state-backed intelligence operation has compromised at least 10 global telco companies - to such an extent the attackers run a "de facto shadow IT department".
Two Firefox zero-days
- Mozilla fixed two Firefox zero-days that were used to attack Coinbase employees.
AMCA data breach
- Healthcare billing vendor got hacked last year and hackers put patient data for sale online. The breach impacted multiple healthcare providers, and eventually went over the 20 million mark.
Hackers breach FSB contractor
- Hackers have breached SyTech, a contractor for FSB, Russia's national intelligence service, from where they stole information about internal projects the company was working on behalf of the agency -- including one for deanonymizing Tor traffic.
Urgent/11 security flaws
- Major bugs in TCP library impacted routers, printers, SCADA, medical devices, and many IoT devices.
Vulnerabilities found in GE anesthesia machines
- GE recommended that device owners not connect vulnerable anesthesia machines to a hospital's main networks. The company also denied the bugs could lead to patient harm, but later recanted and admitted that the issues could be dangerous to human life.
Los Angeles police caught up in data breach
- Personal records of 2,500+ LA cops were stolen in the hack. The hacker emailed the department directly and included a sample of the allegedly stolen information to back up their claims.
SWAPGSAttack CPU flaw
- Researchers detail hardware vulnerability that bypasses mitigations against Spectre and Meltdown CPU vulnerabilities on Windows systems - and impacts all systems using Intel processors manufactured since 2012.
14 iOS zero-days
- Google finds exploits for 14 iOS vulnerabilities, grouped in five exploit chains, deployed in the wild since September 2016. Attacks aimed at Chinese Uyghur users.
Windows CTF flaw
- Vulnerability in Microsoft CTF protocol goes back to Windows XP. Bug allows hackers to hijack any Windows app, escape sandboxes, get admin rights.
Hy-Vee card breach
- Supermarket chain Hy-Vee admitted to a security breach on some of its point-of-sale (PoS) systems. The data was eventually put up for sale on hacking forums.
- Hackers could use packet delivery services to ship hacking devices right to your company's doorstep.
- Security researchers detailed an SMS-based attack that can allow malicious actors to track users' devices by abusing little-known apps that are running on SIM cards. SIM cards in 29 countries were found to be impacted. A second attack named WIBAttack was also discovered.
Smart TV spying
- Two academic papers found that smart TVs were collecting data on users' TV-viewing habits.
Checkm8 iOS jailbreak
- New Checkm8 jailbreak released for all iOS devices running A5 to A11 chips, from the iPhone 4S up to the iPhone 8 and iPhone X. The first jailbreak exploit to work at the hardware level in the past nine years.
Lumin PDF breach
- The details of over 24.3 million Lumin PDF users were shared on a hacking forum in mid-September. The company acknowledged the breach a day later.
Exim vulnerability (CVE-2019-15846)
- Millions of Exim servers are vulnerable to a security bug that, when exploited, can grant attackers the ability to run malicious code with root privileges.
- Czech antivirus maker discloses a second attack aimed at compromising CCleaner releases, after the one suffered in 2017. The company said the hacker gained access via a compromised VPN profile.
- CloudFront, Cloudflare, Fastly, Akamai, and others impacted by new CPDoS web cache poisoning attack.
PHP7 RCE exploited in the wild
- New PHP7 bug CVE-2019-11043 can allow even non-technical attackers to take over Nginx servers running the PHP-FPM module.