Go to listing page

Cyware Daily Threat Intelligence, June 05, 2019

Cyware Daily Threat Intelligence, June 05, 2019

Share Blog Post

The risk of third-party breaches can even affect organizations that maintain a healthy security posture themselves. On the other hand, lapses in security of large user databases leave the doors open to cybercriminals. From the last 24 hours, the group of organizations facing the brunt of such breaches includes LabCorp, University of Chicago Medicine and JCrush.

A security breach in the web payment page of American Medical Collection Agency (AMCA) which provides billing services to US healthcare firms has claimed many victims. After Quest Diagnostics, LabCorp has disclosed that the personal data of 7.7 million customers, was affected by this breach.

In a separate incident, the University of Chicago Medicine was found exposing 1,679,993 records stored in an unprotected database. The database contained personal information of potential leads and existing donors to the organization, including their names, contact information, marital status, wealth information, and more.

Continuing the trend, the Jewish dating app JCrush was found exposing around 200,000 user records through an unencrypted MongoDB database. The compromised information totaled to over 18GB with sensitive details such as users’ PII, sexual preferences, and also private messages in case of some users.

Top Breaches Reported in the Last 24 Hours

AMCA breach affects 7.7 million LabCorp customers
LabCorp has disclosed that data belonging to around 7.7 million customers were affected by the massive breach that occurred at American Medical Collection Agency (AMCA). AMCA is a third-party vendor to LabCorp. Possible information exposed includes first and last names, dates of birth, addresses, phone numbers, dates of service, providers and balance information of LabCorp customers.

JCrush exposes user data
Jewish dating app JCrush had exposed around 200,000 user records that included personally identifiable information(PII), preferences, and private conversations within the JCrush app. The user records were found in a MongoDB database belonging to the company and were unencrypted. Upon notifying JCrush, the database was secured immediately.

UChicago Medicine database reveals ‘perspective givers’
A publicly accessible Elasticsearch database linked to The University of Chicago Medicine was discovered recently. The database, indexed in the Shodan search engine, had 1,679,933 records with information such as full name, date of birth, full address, phone numbers, emails, gender, marital status, wealth info, current status and communication notes. After notifying the institution, the database was secured.

Top Malware Reported in the Last 24 Hours

Hidden Android adware
Security experts have uncovered a hidden advertising plugin present in 238 Android apps. Researchers from security firm Lookout came across this malicious plugin in these apps which were collectively downloaded over 440 million times. Known as ‘BeiTaPlugin’, the adware was highly obfuscated to cloak itself in the apps.

PCASTLE campaign targets China
A recent campaign using PCASTLE malware was found targeting China-based systems. Threat actors in this campaign used several propagation methods to deliver Monero-mining malware. The campaign followed a multilayered fileless arrival approach, allowing malicious PowerShell scripts to download payloads which are executed in memory. The final PowerShell script comprises of all the malicious routines such as using an SMB exploit (EternalBlue), brute-forcing the system, employing the pass-the-hash method, and downloading payloads.

PLATINUM APT uses new backdoors
Security researchers from Kaspersky Labs have provided details on two previously undiscovered backdoors associated with the PLATINUM APT group. According to the researchers, the first backdoor is meant for steganography and is used to establish persistence in the compromised system, while the second one is deployed to interact with other infected victim systems.

Top Vulnerabilities Reported in the Last 24 Hours

Command injection flaw in WordPress plugin
A major OS Command Injection Vulnerability was discovered in WP-Database-Backup plugin. This flaw could be exploited by attackers by executing a malicious shell command through the ‘wp_db_exclude_table’ option in the plugin. It is reported that the plugin has over 70,000 active installations. However, the vulnerability is fixed in version 5.2 of WordPress.

New Windows zero-day impacts lock screen security in RDP sessions
Researchers have discovered a new zero-day vulnerability impacting Windows systems with active Remote Desktop Protocol (RDP) sessions. Tracked as CVE-2019-9510, the vulnerability lies in Windows RDP Network Level Authentication(NLA) that allows attackers to bypass Windows lock screen and permit unauthorized access to the system. This authentication bypass flaw affects systems running Windows 10 (version 1803 or later) and Windows Server 2019.

Top Scams Reported in the Last 24 Hours

Nigeria-based scammer run large scale BEC scam operation
Security researchers at Agari have identified a new Nigeria-based scammer group which began its operations with Craigslist romance scams in 2008 and has since evolved to conduct large scale BEC scams targeting US enterprises. Known as Scattered Canary, the criminal group has profited millions of dollars by targeting company executives and employees with phishing emails that pretend to come from someone within the organization. The scammers have leveraged various techniques such as domain spoofing and social engineering in their campaigns.

Attackers can bypass 2FA with new kind of phishing scam
Security researchers have identified a new kind of phishing scam wherein attackers use a combination of hacking tools to bypass two-factor authentication (2FA). The hacking tools used by the attackers are called Muraena and NecroBrowser. Muraena is used to intercept traffic and act as a proxy between the victim and a legitimate website. Once the user enters their credentials on the phony site provided by Muraena, it passes the session cookies to NecroBrowser which can simultaneously track thousands of victims.


platinum hacking group
nigerian scam
quest diagnostics inc

Posted on: June 05, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.