CYBERSECURITY NEWS, November: November Android patches, Atlassian patches critical flaws, Dropbox data leak

News FYI

Pharmaceutical company AstraZeneca faced with the personal data leakage of its patients

The management of the pharmaceutical company AstraZeneca has confirmed that, because of a developer's carelessness, a set of credentials for the organization's internal systems was publicly accessible, exposing confidential personal data of patients.

In 2021, the developer left credentials for an internal AstraZeneca server on GitHub. These credentials allowed anyone to access a Salesforce test cloud environment, of the kind many companies use to manage customer databases; AstraZeneca's test environment, however, contained some patient data, part of it related to the AZ&ME apps, which offer discounts to patients who need medicines.

Dropbox data leak

Cloud service Dropbox suffered a data leak after employees fell for phishing emails. The attackers gained access to one of the company's GitHub organizations and copied data from 130 repositories.

The incident occurred on October 14, 2022, and was linked to a large-scale phishing campaign that GitHub had warned about earlier. Let me remind you that in this scheme the attackers sent emails with fake notifications impersonating CircleCI, a service used for continuous integration and deployment.

Immediately after the suspicious activity was detected, the attackers' access to GitHub was revoked. Dropbox's security team rotated all compromised developer credentials and determined which customer data had been exposed or stolen.

"To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers," Dropbox revealed on Tuesday.

Google releases November Android patches, fixing high-severity privilege escalation vulnerabilities


Google has released the November Android security update for its Pixel smartphones. It fixes a set of vulnerabilities ranging from moderate to critical severity.

In addition, the update contains a number of bug fixes for the Pixel 6 and 7 series:

- a fix for an issue that caused increased power consumption when installing certain applications (Pixel 6/6 Pro/6a);

- a fix for an issue that caused the screen to flicker green under certain conditions (Pixel 7/7 Pro);

- optimization of display power consumption to improve thermal performance in certain conditions (Pixel 7/7 Pro);

- a fix for an issue where the Photos app would sometimes crash when using certain features of the photo editor.

The update is available on Pixel 4a and 4a 5G, Pixel 5, Pixel 5a, Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro smartphones. Notably, the Pixel 4 and Pixel 4 XL are off this month's list.

The first part of the update, the '2022-11-01 patch level', includes fixes for 17 security defects: 12 could lead to escalation of privilege (EoP), three to denial of service (DoS), and two to information disclosure. All of these are high-severity vulnerabilities affecting Android 10 and later releases.

The internet giant also mentions two additional vulnerabilities addressed as part of the Google Play system updates: CVE-2022-2209 (Media Framework components) and CVE-2022-20463 (Wi-Fi).

The second part of this month's Android security update, the '2022-11-05 patch level', resolves 26 additional issues (one critical- and 25 high-severity flaws) in Imagination Technologies, MediaTek, Unisoc, and Qualcomm components.

Android devices running a security patch level of 2022-11-05 or later have been patched against all these vulnerabilities.

Apple Rolls Out Xcode Update Patching Git Vulnerabilities

On November 1, 2022, Apple released Xcode 14.1, a new version of its application development environment, for macOS Monterey 12.5 and later.

The new version fixes four vulnerabilities that could allow an attacker to disclose sensitive information, elevate privileges, cause unexpected application termination, or execute arbitrary code.

Deezer streaming data leak

A full database dump of the major European music streaming service Deezer.com was offered for sale on an underground forum.

The dump contains 257,829,454 user records with the following fields:

- first and last name

- login

- email address

- gender

- date of birth

- city and country

- registration date

The dump dates from fall 2019.

Atlassian patches critical flaws in Bitbucket and Crowd Server

Atlassian has fixed critical vulnerabilities in Crowd Server and Data Center and in Bitbucket Server and Data Center. According to the company, both issues have a CVSS score of 9 out of 10.

The vulnerability in Crowd Server and Data Center, CVE-2022-43782, is a security misconfiguration. It was introduced in version 3.0 and affects only new installations; upgrades from earlier versions such as 2.9.1 are not affected.

The second vulnerability, CVE-2022-43781 in Bitbucket Server and Data Center, was introduced in version 7.0. It is a command injection bug that allows an attacker with permission to control their own username to execute code on the target system under certain conditions.

It affects all versions from 7.0 to 7.21 regardless of configuration, and versions 8.0 to 8.4 only when mesh.enabled=false is set in bitbucket.properties.
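Because the affected range for CVE-2022-43781 depends on both the version and a configuration key, it is easy to misjudge an inventory by hand. The following Python is an added example (not Atlassian's code and not from the original digest) that encodes exactly the two rules stated above and reads `mesh.enabled` out of a `bitbucket.properties` file. The property-file contents are constructed sample input; treating an absent `mesh.enabled` key as "not disabled" is an assumption, since the advisory summary only names installs that explicitly set it to false.

```python
"""Added example: decide whether a Bitbucket Server / Data Center install falls
in the affected range of CVE-2022-43781, using only the rules quoted above:
  * 7.0 <= version <= 7.21.x -> affected regardless of configuration
  * 8.0 <= version <= 8.4.x  -> affected only if mesh.enabled=false is set
  * anything else            -> not in the affected range for this CVE
"""
import re


def parse_version(version: str) -> tuple:
    """Turn '7.21.3' into (7, 21, 3); a trailing non-numeric suffix is dropped."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def mesh_disabled(properties_text: str) -> bool:
    """Return True only if bitbucket.properties explicitly sets mesh.enabled to false.

    Handles Java .properties syntax: 'key=value' or 'key: value', with '#' or '!'
    comment lines. An absent key is treated as NOT disabled (assumption).
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^mesh\.enabled\s*[=:]\s*(\S+)", line)
        if m:
            return m.group(1).lower() == "false"
    return False


def is_affected_cve_2022_43781(version: str, properties_text: str = "") -> bool:
    """Apply the two version/config rules from the advisory summary."""
    v = parse_version(version)
    major_minor = v[:2] if len(v) >= 2 else (v[0], 0)
    if (7, 0) <= major_minor <= (7, 21):
        return True                      # 7.0 - 7.21: affected regardless of config
    if (8, 0) <= major_minor <= (8, 4):
        return mesh_disabled(properties_text)  # 8.0 - 8.4: only with mesh disabled
    return False


def summarize(installs: dict) -> dict:
    """Map {name: (version, properties_text)} to {name: affected?}."""
    return {name: is_affected_cve_2022_43781(ver, props)
            for name, (ver, props) in installs.items()}


# Constructed sample inventory (hypothetical hostnames and property files).
SAMPLE_INSTALLS = {
    "git-legacy": ("7.21.5", "server.port=7990\nmesh.enabled=true\n"),
    "git-main":   ("8.4.2", "# constructed sample\nserver.port=7990\nmesh.enabled=false\n"),
    "git-new":    ("8.4.2", "server.port=7990\n"),
    "git-next":   ("8.5.0", "mesh.enabled=false\n"),
}

if __name__ == "__main__":
    for name, affected in summarize(SAMPLE_INSTALLS).items():
        print(f"{name:12s} affected={affected}")
```

The check is deliberately conservative in one direction only: a 7.x install is flagged even when Mesh is enabled, because the advisory summary says configuration does not matter there. It does not attempt to determine "new install vs. upgrade" for the Crowd issue, which cannot be read from a version string.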

WhatsApp data leak

WhatsApp has suffered a major data breach: hackers put up-to-date phone numbers of 500 million users of the messenger up for sale.

WhatsApp puts its user base at about 2 billion, so the leak covers roughly a quarter of the messenger's users. The database includes users from 84 countries and, according to the seller, the data is current.
