MOAB: Mother of all Breaches

Security researchers have discovered a vast trove of leaked data containing roughly 26 billion exposed records. They aptly named the find MOAB, the "Mother of all Breaches". Unlike a typical isolated data breach, this dataset is a compilation of thousands of earlier breaches.

The discovered database is 12 TB in size and is organized into more than 3,800 folders, each holding the records of an individual breach. Among the affected brands and entities are Twitter/X (281 million records), LinkedIn (251 million records), Evite (179 million records), and Adobe (153 million records). Tencent leads the list with 1.5 billion exposed records. Data belonging to government organizations around the world was also found.

Although many records are duplicates, the dataset contains far more than login credentials: it also holds highly sensitive personal data of considerable value to attackers. In a related incident, a threat actor using the handle "emo" offered 15 million unique Trello account records for sale on a dark-web forum. That has worried many companies that use Trello, although Atlassian, the company behind Trello, denies that it suffered a breach.

The latest reporting indicates that the likely source of this huge dataset was a misconfigured data server belonging to the Leak-Lookup breach-search engine, which was accessed in December. After correcting the misconfiguration, Leak-Lookup stated that no information about its registered users had been exposed.

Ukrainian hackers wipe 2 PB of Russian research data

Ukrainian hacktivists targeted the Russian Center for Space Hydrometeorology, known as "Planet", which is affiliated with the Russian space agency Roskosmos. The attack succeeded in wiping 2 petabytes (2,000 TB) of data.

In its announcement, the Main Intelligence Directorate of the Ministry of Defense of Ukraine highlighted the destruction of 280 servers in the Far Eastern branch of the research center. The destroyed data, which included meteorological and satellite information relied on by various industries, represented an estimated $10 million in damage. The attack not only disrupted the operation of the supercomputer clusters but also crippled the HVAC and power systems in Planet's main building, leaving the research center with a huge recovery challenge.

The incident follows a series of likely state-sponsored Ukrainian cyber operations against Russian agencies, including attacks on the Federal Aviation Agency and the Federal Tax Service in previous months. While the Ukrainian government has not explicitly confirmed its involvement in this attack, the announcement points out how difficult it will be for Russia to restore such sophisticated computer systems under the existing sanctions.

NSA buys user data

The U.S. National Security Agency (NSA) is buying Americans' web browsing data from commercial data brokers without a court order. The agency's director disclosed this in a letter to Democratic Senator Ron Wyden, who had pressed him for the information.

Wyden also released a letter urging US intelligence agencies to stop using Americans' personal information obtained without their explicit knowledge and consent, calling the practice illegal. Such browsing records can identify individual Americans and reveal what they do online.

The NSA responded that the information has significant national security value, is critical to the agency’s missions in cyberspace, and is used with great care.

Wyden, who has long championed citizens' privacy and freedoms on the Internet, had blocked the appointment of the new NSA director, Timothy Haugh, until the agency answered his questions about its collection of Americans' Internet browsing data and geolocation data.

Critical vulnerabilities in Jenkins

Developers of the open-source continuous integration/continuous delivery (CI/CD) automation server Jenkins have fixed a total of nine security flaws, including one critical vulnerability that could lead to remote code execution (RCE).

These fixes come nearly a year after Jenkins addressed two serious security flaws known as CorePlague (CVE-2023-27898 and CVE-2023-27905) that also allowed RCE on affected systems.

The new vulnerability, CVE-2024-23897, is credited to security researcher Yaniv Nizry (report dated November 13, 2023). It is an arbitrary file read through the built-in command line interface (CLI). Jenkins uses the Java library args4j to parse the commands and arguments that a user passes to the CLI.

This command parsing library has a feature (expandAtFiles) that replaces an argument consisting of an @ character followed by a file path with the contents of that file. Unfortunately, this feature is enabled by default in Jenkins 2.441 and earlier and in LTS 2.426.2 and earlier.

An attacker with no permissions at all can read the first few lines of a file (up to about three, depending on which CLI command reflects the arguments), while an attacker with "Overall/Read" permission can read entire files. The bug can therefore be used to read files containing sensitive information or cryptographic keys, with some limitations, which is what makes it a path to RCE.

Until the patch in Jenkins 2.442 or LTS 2.426.3 can be applied, the recommended temporary workaround is to disable access to the Jenkins CLI.
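To make the mechanism concrete, here is an added Python model of the @-file expansion; it is not Jenkins' or args4j's code. The in-memory file system, the two commands (`connect-node`, `echo-args`) and their error strings are constructed for the example and only approximate how real CLI commands reflect their arguments. It shows why an unauthenticated caller sees only the first line of a file (the error message quotes one argument), why a caller with read permission can get the whole file (every expanded line is reflected), and why turning the expansion off, as the fixed releases do by default, neutralizes the `@path` argument.

```python
"""Toy model of the args4j "@file" argument expansion behind CVE-2024-23897.

Added illustration, not Jenkins' or args4j's own code. The in-memory file
system, the command set and the error strings are constructed for the
example; a real controller's CLI differs in detail.
"""
from __future__ import annotations

# Constructed sample files (not real data) standing in for the controller's disk.
FAKE_FS = {
    "/var/jenkins_home/secrets/master.key": "0123456789abcdef0123456789abcdef\n",
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "jenkins:x:1000:1000::/var/jenkins_home:/bin/bash\n"
        "nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin\n"
    ),
}


def read_file(path: str) -> str:
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


def expand_at_files(args: list[str], allow_at_syntax: bool) -> list[str]:
    """Mimic args4j's expandAtFiles.

    With the feature on, an argument '@/path' is replaced by the lines of that
    file, one argument per line. With it off (the post-fix default), the
    argument is passed through untouched.
    """
    expanded: list[str] = []
    for arg in args:
        if allow_at_syntax and arg.startswith("@"):
            expanded.extend(read_file(arg[1:]).splitlines())
        else:
            expanded.append(arg)
    return expanded


KNOWN_NODES = ("builder-1",)


def connect_node(args: list[str]) -> str:
    """Hypothetical command reachable without permissions: it quotes the
    first unknown name back in its error, which is all the caller sees."""
    for name in args:
        if name not in KNOWN_NODES:
            return f'ERROR: No such agent "{name}" exists.'
    return "OK"


def echo_args(args: list[str], authenticated: bool) -> str:
    """Hypothetical stand-in for behaviour available with Overall/Read:
    every argument is reflected, so the whole expanded file leaks."""
    if not authenticated:
        return "ERROR: anonymous is missing the Overall/Read permission"
    return "\n".join(args)


def run_cli(argv: list[str], *, allow_at_syntax: bool, authenticated: bool = False) -> str:
    """Dispatch one CLI invocation. Only the arguments after the command name
    go through the parser, as they do with args4j in Jenkins."""
    command, *rest = argv
    rest = expand_at_files(rest, allow_at_syntax)
    if command == "connect-node":
        return connect_node(rest)
    if command == "echo-args":
        return echo_args(rest, authenticated)
    return f"ERROR: No such command {command}"


if __name__ == "__main__":
    # Unauthenticated: the secret's only line comes back inside the error.
    print(run_cli(["connect-node", "@/var/jenkins_home/secrets/master.key"], allow_at_syntax=True))
    # Unauthenticated on a multi-line file: only the first line is reflected.
    print(run_cli(["connect-node", "@/etc/passwd"], allow_at_syntax=True))
    # With read permission and a command that reflects everything: full file.
    print(run_cli(["echo-args", "@/etc/passwd"], allow_at_syntax=True, authenticated=True))
    # Hardened (expansion off): the literal string "@/etc/passwd" is all that is echoed.
    print(run_cli(["connect-node", "@/etc/passwd"], allow_at_syntax=False))
```

The `allow_at_syntax` switch plays the role of the opt-in that the fixed releases require before the expansion is active again; leaving it off is the safe default, and disabling the CLI entirely removes the reflection path as well.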

$1.3 Million Car Hack Bounties Given Out

The first edition of Pwn2Own Automotive ended as a great success for the participating teams, who received a total of $1,323,750 in prize money. Competitors demonstrated 49 zero-day vulnerabilities across the targets, and several teams succeeded in compromising Tesla systems. The competition was held by Trend Micro's Zero Day Initiative in Tokyo during the Automotive World conference and focused on the security of EV chargers, infotainment systems and in-vehicle operating systems.

The winning team, Synacktiv, earned $450,000, including for hacking Tesla twice: gaining root and breaking out of the sandbox of the Tesla infotainment system. With rewards exceeding $1.3 million, it is fair to say that vulnerabilities in modern automotive systems remain common, and Pwn2Own demonstrates the need for continued security improvement across the industry.

