At a glance.
- Oracle Access Management systems exposed to vulnerability.
- California gun owners data breach found to be purely accidental.
- Hive Social taken offline due to security concerns.
- Customer data dumped after attack on Thames…erm, South Staffs Water.
Oracle Access Management systems exposed to vulnerability.
Security research firm Censys has found exposed Oracle Access Management systems that are vulnerable to CVE-2021-35587, a bug that Oracle patched in January and that the Cybersecurity and Infrastructure Security Agency (CISA) warned this week is being actively exploited. The vulnerability affects Oracle Fusion Middleware Access Management, an enterprise Single Sign-On (SSO) tool used by over one hundred and fifty Oracle systems, and Censys researcher Jill Cagliostro said it allows “for full take over of Oracle Access Manager.” The Record by Recorded Future explains that attackers have a variety of options for exploiting the bug: the first proof-of-concept exploit was published in March 2022, and several others have followed. Security research company GreyNoise has seen an uptick in exploitation attempts, with at least ten attacks using the vulnerability recorded since November 29. CISA’s addition of the bug to its Known Exploited Vulnerabilities catalog marks it as a critical risk to federal civilian agencies, which have been given until December 19 to patch it.
California gun owners data breach found to be purely accidental.
Back in June, California’s Department of Justice inadvertently posted the names, addresses and birthdays of nearly 200,000 gun owners online. According to an investigation report released Wednesday, the accidental breach occurred because officials failed to follow existing policies and did not understand how the Justice Department’s website worked. As the Guardian reports, the investigation also found that the data, which belonged to people who had applied for a permit to carry a concealed gun, were downloaded 2,734 times by 507 unique IP addresses during a 12-hour period. The timing of the breach, just days after a US Supreme Court ruling giving individuals the right to carry firearms in public, had experts concerned the leak could be politically motivated, but investigators say they “did not uncover any evidence that the timing of the (data breach) was driven by a nefarious intent or was personally or politically motivated in any way.”
Hive Social taken offline due to security concerns.
The company behind social media platform Hive Social, a newly popular alternative to Twitter, has decided to take the microblogging app offline amid security concerns. As Gizmodo explains, Hive reportedly saw its user base grow by a million users over the course of several weeks as social media users fled the Elon Musk-fueled chaos at Twitter. However, Hive wasn’t ready for the huge increase in its user base, and according to the German security collective Zerforschung, the platform was plagued with software vulnerabilities that left copious amounts of its users’ personal data unprotected. Zerforschung’s blog reads, “The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages. This also includes private email addresses and phone numbers entered during login. Attackers can also overwrite data such as posts owned by other users…” The researchers decided not to share technical details about the bugs publicly for fear that cybercriminals would exploit them, but contacted Hive and gave the company a couple of days to patch them. When it became clear Hive was unable to do so, Zerforschung went public with their research in a blog post titled “Warning: do not use Hive Social.” It was then that Hive decided to temporarily shut down its servers to address the issues. Hive posted (on Twitter, as it happens): “The Hive team has become aware of security issues that affect the stability of our application and the safety of our users. Fixing these issues will require temporarily turning off our servers for a couple of days while we fix this for a better and safer experience.” TechCrunch notes that it’s unusual for a platform to shut down completely this way, since there is typically a development environment where code is fixed and then staged for release, and the move has raised questions about Hive’s workflow and the severity of the bugs.
Customer data dumped after attack on Thames…erm, South Staffs Water.
As we noted last week, UK water supply company South Staffordshire Water (SSW) disclosed that parent company South Staffordshire Plc suffered a cyberattack over the summer that compromised customer data. Now, in an apology to customers, the water company has confirmed that customer data have been leaked on the dark web. The Cl0p ransomware group is responsible for the attack, although, as Computing reports, the group appears to have believed it was extorting Thames Water. When publishing the data, Cl0p said Thames Water had ignored its ransom demands, which is unsurprising given that Thames Water had not actually been attacked. Distressed customers took to social media to ask why SSW took so long to inform them about the breach. SSW explained, “Investigations like this are very complex and it takes time to understand what happened and then to analyse the data that could have been impacted. As soon as we were aware that we needed to notify our customers in compliance with our legal obligations we began to do so.”