Hackers Steal Dropbox Credentials, Infect IoT Devices and Exploit Apple OS

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:

Apple Releases OS Fix to Block Spyware

The same zero days that allowed sophisticated spyware to take over iPhones also existed in Apple OS X and the Safari web browser.

Citizen Lab and Lookout last week reported three exploits called Trident that could remotely jailbreak an iOS device and install spyware. Trident was used in the wild: A human rights activist received text messages that lead to the exploits’ discovery.

Apple released a security update Aug. 25 for its mobile operating system. The company released urgent security updates for El Capitan and Yosemite on Sept. 1.

“The same vulnerabilities showed up in OS X because the desktop and mobile versions of the Safari browser share much of the same code base,” according to a CNET report.

Malware Infects 1M Internet of Things Devices

A family of malware has infected more than 1 million internet-enabled devices for potential use as a botnet for hire.

According a Level 3 Threat Research and Flashpoint report, hacker groups like Lizard Squad and Poodle Corp harness the devices to provide “distributed denial of service attacks as a service” to individuals—or for their own plans.

The malware goes by many names—Lizkebab, BASHLITE, Torlus and gafgyt—and has spawned many variants since its source code popped up in early 2015, the report said. Security cameras and DVRs make up the bulk of the bots.

Researchers identified more than 200 command and control servers that communicate with a varying number of bots with the largest talking to 120,000.

The report warned IoT manufacturers need to take security more seriously and that hackers will continue to target devices with weak security.

“Before spending more energy on traditional bot hosts, they’ll take advantage of the abundance of insecure IoT devices. Until IoT device manufacturers start attending to security and device owners stop connecting them insecurely to the internet, we can expect this trend to continue,” the report said.

68M Dropbox Credentials Stolen

Emails and passwords for 68 million online cloud storage accounts emerged this week, years after the initial breach.

Dropbox announced Aug. 26 users would have to reset their passwords if their accounts were made before mid-2012 and haven’t updated their credentials.

“We learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time,” the Dropbox site said.

The data, however, popped up in database trading community but doesn’t appear to be in the “major dark web marketplaces,” according to Motherboard.

Dropbox also used two hashing algorithms, one of which, bcrypt, Motherboard said hackers were “unlikely” to crack to access users’ passwords.

“We don’t believe that any accounts have been improperly accessed,” said the Dropbox announcement. To improve security, the company suggested using unique passwords across multiple services, only use accounts with secure devices and enable two-step verification.