Security News

Data breach chaos and a new spooky Spectre

Avast Security News Team, 1 March 2019

In this week’s cybernews, TurboTax responds to breach claims, your WebEx meeting could be at risk, and a new threat haunts processing chips.

All-in-one bots perform credential stuffing

Cybersecurity experts reported this week that for an eight-month period in 2018, retail websites were hit with 10 billion credential stuffing attacks. Credential stuffing is an automated attack that bombards accounts with login attempts, using the vast number of stolen credentials now in circulation. With the millions of stolen or leaked credentials in today’s unending data breaches, cybercriminals can choose, instead of breaking into an account, to use the proper credentials and walk in the virtual front door.

Software can be programmed to run these kinds of attacks with ease, and the use of “all-in-one” (AIO) bots allows cyberattackers not only to launch the credential stuffing attack, but also to use successfully compromised accounts to make purchases. The common tactic is then for the thief to resell the item for cash. Clothing and department stores seem to be the most popular targets. Experts suggest these attacks can be mitigated both by retailers implementing better security measures that can detect credential stuffing attacks and by consumers making sure they do not reuse passwords across multiple accounts.

Furthering this advice, Avast security evangelist Luis Corrons notes, “Apart from not re-using credentials — an easy task when using a password manager — using 2FA [two-factor authentication] renders this kind of attack useless. Always enable 2FA when available.”

WebEx flaw could allow attackers in

A flaw has been found in the Cisco WebEx Meetings Desktop app releases between 33.6.4.15 and 33.8.2.7. The vulnerability, labeled CVE-2019-1674, is an OS command injection that essentially bypasses new controls. The new controls refer to a patch Cisco included in a recent update that fixes a DLL hijacking issue. By exploiting this vulnerability, an attacker could replace the Cisco WebEx Meeting update binary with a previous version that is vulnerable. Once the WebEx software is “updated” with the old, flawed version, the attacker can then escalate privileges and begin running arbitrary commands.

ExSpectre when you least expect it

Last year around this time, the world was learning about Meltdown and Spectre, the two vulnerabilities discovered to be an architectural aspect of most computer processing chips in the world. The flaws centered around the processing chips’ “speculative execution” feature, a process that enables CPUs to compute various scenarios in advance as preparation. When one scenario fits the need, all other “speculative threads” are discarded. Meltdown and Spectre allowed hackers to access these speculative threads before they were erased.

This week University of Colorado Boulder academics announced that speculative execution can be used for more than data theft — it can also be used to hide malware. They named the malicious process ExSpectre. They describe it as a ruse where the computer system believes that application binaries configured with malware are actually benign. But once a specific speculative execution thread is launched, it could trigger the binary into executing harmful operations.

TurboTax breach confusion

Data breaches have become so common that one was reported recently that didn’t really happen. Stories began emerging this week that an undisclosed number of TurboTax accounts had been hacked. Intuit, the parent company of the tax preparation software, was quick to release a statement clearly stating that a data breach had not occurred at Intuit. The company’s statement goes on to explain that the false breach story was born out of a letter the company had sent to the state of Vermont reporting that a third party had used legitimate credentials to access a single account. Intuit adds that they post best security practices and other online safety tips in their online security center.

