Cyware Daily Threat Intelligence December 7, 2018

An unsecured MongoDB server exposed data belonging to more than 66 million users. The exposed data included people’s names, emails, location details, skills, employment history. Experts believe that this data may have been scrapped from LinkedIn. The unprotected MongoDB database could be accessed by anyone without authentication. The exposed data could be used by attackers to conduct phishing attacks and identity scams. Fortunately, the exposed database is no longer online and the scraped data is uploaded to the HaveIBeenPwned service.

Foreign hackers have attempted to access the genetic blueprints of thousands of NHS patients. Genomics England, established by the UK Department of Health, suffered multiple cyber attacks on its flagship project —Genomes England Project. All data is believed to be safe as individual data is not released. Instead, de-identified data is analyzed by research users within a monitored environment. Till date, none of the well-known viral attacks have succeeded in causing any dysfunction in Genomics England, claims the project.

The Azorult data-stealing malware is back in action. A new variant, which uses advanced obfuscation techniques, was recently discovered. This variant steals information from more number of cryptocurrency wallets and software compared to previous variants of Azorult. The attacker can also control the infected system remotely. The new Azorult variant uses API flooding, control flow flattening & process hollowing techniques to evade detection. The malware is being propagated via the Fallout exploit kit. 

21 new Linux malware families that operate in the same manner as trojanized versions of the OpenSSH client, were recently discovered. 18 out of the 21 families have a credential-stealing feature, making it possible to steal passwords and/or keys. 17 out of the 21 families featured a backdoor mode, allowing the attacker a stealthy and persistent way to connect back to the compromised machine. Meanwhile, 12 of the 21 malware variants were previously undocumented. 

A bug was discovered in PoliyKit. The vulnerability allows low-privileged user accounts on most Linux operating systems to execute any systemctl command. The vulnerability affects PolicyKit version 0.115, which comes pre-installed on most popular Linux distributions, including Red Hat, Debian, Ubuntu, and CentOS. The vulnerability exists due to PolicyKit's improper validation of permission requests for any low-privileged user with UID greater than INT_MAX. If a user is able to create an account on affected Linux systems with any UID greater than INT_MAX value, the PolicyKit component allows him/her to execute any systemctl command successfully.

Google issued out patches for over 50 vulnerabilities in the latest Android Security Bulletin. Several critical and high severity bugs have been addressed. The update includes a large number of functional patches. The update also addresses performance, memory, audio, and camera related functionality of Google devices.

A tax refund phishing scam is making the rounds across Ireland. The phishing scam could allow criminals to access financial information from unwitting victims and exploit them directly or by engineering other scams. The scammers were spotted sending out emails that pose as coming from the Revenue department. The phishing emails contain a link that when clicked takes the victim to a credible-looking fake Irish tax and customs page. The site asks users for the name on their credit or debit card, and the funds currently available on it. Experts are advising users to delete the email without clicking on any links and mark it as spam.