October 29, Securityweek – (International) 13 million passwords leaked from free hosting service. A security expert reported October 28 that 13 million personal user records, including names, emails, and plaintext passwords, from the free web hosting service 000webhost.com were compromised after its main server was exploited via a flaw in the old version of PHP it was running. To mitigate future breaches, 000webhost updated its systems, increased its encryption, and changed all passwords. Source
October 29, Securityweek – (International) Several flaws patched in Xen Hypervisor. The Xen Project released a total of nine advisories addressing recently patched Xen hypervisor vulnerabilities, including hypercall issues that could be leveraged to cause a denial-of-service (DoS) condition via repeated logging to the hypervisor console, a privilege escalation vulnerability, and a multicall issue that a malicious guest could exploit to crash the host, among other patched security holes. The vulnerabilities were discovered by experts from Citrix, Alibaba, and SUSE. Source
October 28, Securityweek – (International) “Chikdos” Malware abuses MySQL Servers for DDoS attacks. Researchers from Symantec reported that the Chikdos trojan, malware designed to hijack both Linux and Windows systems, recently targeted MySQL servers via a malicious user-defined function (UDF) that works as a downloader trojan (Downloader.Chikdos) and allows actors to conduct distributed denial-of-service (DDoS) attacks, delivered via SQL injection attacks. Symantec data confirms that the most infected MySQL servers were located in India, China, Brazil, Holland, and the U.S. Source
October 28, Securityweek – (International) Infinite Automation patches flaws in SCADA/HMI product. Infinite Automation Systems released an updated version of its Mango Automation product patching a series of vulnerabilities after researchers working with ICS-CERT discovered unrestricted file upload, information exposure, SQL injection, and cross-site scripting vulnerabilities. The updated version fixes all of the flaws except an OS command injection and a cross-site request forgery (CSRF) vulnerability. Source