Rootkit: A Hacker’s Hidden User
First on the agenda today is the announcement from Trend Micro about the discovery of the Umbreon rootkit for Linux systems. The rootkit can be used not only on x86 systems such as PCs and servers, but also on ARM-based systems such as the Raspberry Pi and other embedded devices. Named after the Pokémon Umbreon, a hard-to-find nocturnal Pokémon, the rootkit itself is also regarded as difficult to detect. To install the rootkit on a system, a hacker first has to successfully infiltrate the target system or trick a user on the system into installing it for them. After installation, a hidden user is created that isn't visible in files such as /etc/passwd but can be used to connect with standard administration tools such as SSH. In case remote access is blocked from outside, the rootkit can also connect out to a pre-defined remote system to act as a reverse shell, allowing it to bypass the system's firewall.
How To Detect Rootkit
To detect the rootkit you need to check for some unusual libc library files; details of these are on Trend Micro's website, along with more information about how the rootkit works and instructions on how to remove it. With the details that Trend Micro has shared, rootkit detection tools should be able to detect this threat automatically in the near future.
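A hidden account of the kind described above has to stay resolvable for logins to work even though it is missing from /etc/passwd, so one cheap audit is to compare two views of the user database and look for disagreement. The script below is an added example written for this post, not code from the article or from Trend Micro: it parses /etc/passwd as raw text, asks libc's NSS layer for the same list via pwd.getpwall(), and reports names present in only one view, UID mismatches, and any UID 0 account other than root. The account name in the constructed sample data is made up. It assumes the two views agree on a clean system; since a rootkit that hooks libc can filter both, running the same comparison against the disk from a clean boot medium is the stronger check.

```python
"""Cross-check user enumeration from two sources to spot hidden accounts.

Added example (not from the original article or Trend Micro).  Assumption:
on a clean system the raw /etc/passwd text and libc's NSS view agree.
"""
import pwd

PASSWD_PATH = "/etc/passwd"


def parse_passwd(text):
    """Return {username: uid} from /etc/passwd-style text.

    Blank lines and comments are skipped; malformed lines are ignored here,
    although a real audit should log them as suspicious in their own right.
    """
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        users[fields[0]] = int(fields[2])
    return users


def nss_users():
    """Return {username: uid} as reported by libc's NSS interface."""
    return {entry.pw_name: entry.pw_uid for entry in pwd.getpwall()}


def find_discrepancies(file_users, nss_view):
    """Compare the two views.

    Returns (only_in_nss, only_in_file, uid_mismatch), each a sorted list
    of usernames.  Any non-empty list deserves investigation.
    """
    only_in_nss = sorted(set(nss_view) - set(file_users))
    only_in_file = sorted(set(file_users) - set(nss_view))
    uid_mismatch = sorted(
        name for name in set(file_users) & set(nss_view)
        if file_users[name] != nss_view[name]
    )
    return only_in_nss, only_in_file, uid_mismatch


def extra_uid0(users):
    """Return accounts other than root that carry UID 0 (full admin rights)."""
    return sorted(name for name, uid in users.items() if uid == 0 and name != "root")


# Constructed sample data for an offline demonstration; "shadowadmin" is a
# made-up name, not an indicator from the article.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# daemon accounts
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_NSS = {"root": 0, "daemon": 1, "alice": 1000, "shadowadmin": 0}


def audit_live():
    """Run the comparison against the real system; returns the three lists."""
    with open(PASSWD_PATH, encoding="utf-8", errors="replace") as fh:
        file_view = parse_passwd(fh.read())
    return find_discrepancies(file_view, nss_users())


if __name__ == "__main__":
    file_view = parse_passwd(SAMPLE_PASSWD)
    print("sample discrepancies:", find_discrepancies(file_view, SAMPLE_NSS))
    print("sample extra UID 0 accounts:", extra_uid0(SAMPLE_NSS))
    try:
        print("live discrepancies:", audit_live())
    except OSError as exc:
        print("could not read", PASSWD_PATH, exc)
```

On the constructed sample the script reports `shadowadmin` as present in the NSS view but absent from the file, and again as a second UID 0 account; on the live system an empty result means the two views agree, not that the host is clean.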
Onelogin Password Vault Service Security Breach
In other news, Onelogin.com's Secure Notes facility has been breached, with user data downloaded from the service. Onelogin.com advertises the service as a place to store information such as licence keys and firewall passwords, data that will be very handy for whoever got hold of it. It has been advised that only notes updated between 2nd June 2016 and 25th Aug 2016 were viewed by the attacker(s). If you are a user of this service, it's worth checking what information you store there and ensuring that any potentially exposed credentials are changed. This compromise adds onelogin.com to the growing list of online password vault services to have suffered a data breach.
Dropbox Breached Keywords
Another case of breached passwords comes from Dropbox, with confirmation that a released cache of password data reported to come from a Dropbox breach back in 2012 is genuine. The dump contains user IDs and password hashes, though not the salts the passwords were hashed with, which makes it harder for an attacker to recover the underlying passwords. The dump covers 68 million accounts, and Dropbox has already forced a password reset for the users affected by this breach.
Rambler Leaks Details
Sounding remarkably similar to the Dropbox incident, over 98 million accounts from rambler.ru have had their details leaked, again from a 2012 hack. This time the passwords were stored in plain text, meaning that the user accounts were trivially compromised.
The three breaches above again highlight the importance of good password hygiene. That means not only choosing a strong password but, as Rambler's plain-text storage shows, using a unique password on each site, or at the very least not sharing a password between sites where you don't much care if the account is compromised and sites where your data matters. However strong your password, there is no guarantee that the site you use it on stores it securely, or, even if it does, that the data won't be breached at some point in the future.
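The Dropbox and Rambler items differ in one thing only: how the password was stored. The following is an added example written for this post (not code from the article or from any of the services it discusses) showing the storage scheme that makes a leaked database the least useful to an attacker: each record carries its own random salt and a slow key-derivation function, so identical passwords produce different digests and a dump that lacks the salts, as in the Dropbox case, cannot even be attacked offline. It uses only the Python standard library (PBKDF2-HMAC-SHA256 via hashlib); the 600,000 iteration default follows current OWASP guidance for that function, which is an assumption to revisit as hardware improves, and the record format `algorithm$iterations$salt$digest` is this example's own choice.

```python
"""Salted password storage and constant-time verification with a slow KDF.

Added example, not code from the article or from Dropbox, Rambler or
OneLogin.  Record format and iteration count are this example's choices.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumption: current OWASP figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn per call unless one is supplied (the
    explicit salt exists only so the collision effect can be demonstrated).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time.

    Malformed or foreign records fail closed rather than raising, so a
    corrupted row can never be mistaken for a successful login.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def digest_part(record):
    """Return only the digest field, i.e. what a leak without salts would contain."""
    return record.split("$")[3]


def duplicate_digests(records):
    """Count digests that appear more than once across stored records.

    With a per-record random salt this is always 0 even when users share a
    password; with a shared or missing salt, shared passwords become visible.
    """
    seen = {}
    for record in records:
        digest = digest_part(record)
        seen[digest] = seen.get(digest, 0) + 1
    return sum(1 for count in seen.values() if count > 1)


if __name__ == "__main__":
    # Constructed demonstration passwords; not real credentials.
    users = {"alice": "correct horse battery staple", "bob": "correct horse battery staple"}
    per_user_salt = [hash_password(pw, iterations=10_000) for pw in users.values()]
    shared_salt = [hash_password(pw, salt=b"\x00" * SALT_BYTES, iterations=10_000) for pw in users.values()]
    print("shared password visible with per-user salts?", duplicate_digests(per_user_salt) > 0)
    print("shared password visible with a shared salt?", duplicate_digests(shared_salt) > 0)
    print("login alice ok:", verify_password(users["alice"], per_user_salt[0]))
    print("login alice wrong pw:", verify_password("hunter2", per_user_salt[0]))
```

The demonstration uses a reduced iteration count so it runs quickly; production records should use the default. Note that verification reads the iteration count from the record, which is what lets a site raise the work factor for new records without invalidating old ones.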