
Cyware Weekly Threat Intelligence, April 22-26, 2019

The Good

We’re back with the most interesting threat intel of the week. The past week witnessed several cybersecurity advancements and security incidents, as well as the emergence of new threats. To begin with, let’s first glance through all the good that has happened in cyberspace over the past week. The EU Parliament has voted to create a gigantic biometrics database that aggregates both identity records and biometrics of over 3.5 million EU and non-EU citizens. Washington state legislators have unanimously passed a bill, ‘HB 1071’, that expands consumer data breach notification requirements to include more types of consumer information. Meanwhile, researchers from the U.S. Army Combat Capabilities Development Command’s Army Research Laboratory and Towson University have collaborated in creating a new method to make network intrusion activity alerts more helpful to cybersecurity teams.

  • Researchers from the U.S. Army Combat Capabilities Development Command’s Army Research Laboratory and Towson University have collaborated in creating a new method to make network intrusion activity alerts more helpful to cybersecurity teams.
  • Washington state legislators have unanimously passed a bill, ‘HB 1071’, that expands consumer data breach notification requirements to include more types of consumer information such as full birth dates, health insurance ID numbers, medical histories, student ID numbers, military ID numbers, passport ID numbers, username-password combinations, or biometric data.
  • The EU Parliament has voted to create a gigantic biometrics database that aggregates both identity records and biometrics of over 3.5 million EU and non-EU citizens. The identity records and biometrics include names, dates of birth, passport numbers, fingerprints, facial scans, and other identification details.

The Bad
 
Several data breaches and security incidents were witnessed over the past week. The Magecart group has compromised the online store of the Atlanta Hawks, a basketball team in Atlanta, Georgia. An unprotected ElasticSearch database belonging to the ‘Steps To Recovery’ healthcare centre exposed almost 4.9 million records containing Personally Identifiable Information (PII) of its patients. Last but not least, the medical billing service provider ‘Doctors’ Management Service’ suffered a GandCrab ransomware attack compromising patients’ data from almost 38 clients.
 
  • The medical billing service provider ‘Doctors’ Management Service’ suffered a GandCrab ransomware attack compromising patients’ data from almost 38 clients including Beverly Surgical Associates, Today’s Wellness PLLC, Neuro Institute of New England, and more. The compromised data includes patients’ personal information such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, insurance, Medicare/Medicaid information and numbers, and medical information.
  • The Magecart group has compromised the online store of the Atlanta Hawks, a basketball team in Atlanta, Georgia. The attack has impacted all those who have shopped from the online store on or after April 20, 2019. Shoppers’ data such as names, addresses, and credit card details have potentially been stolen by the Magecart group through skimmers injected on hawksshop.com.
  • Manufacturing giant Aebi Schmidt has been hit with a major ransomware attack, forcing the company to shut down its systems across the company’s international network, including its U.S. subsidiaries. The attack has primarily impacted its European base leaving a number of systems non-operational.
  • An unprotected ElasticSearch database belonging to the ‘Steps To Recovery’ healthcare centre exposed almost 4.9 million records containing Personally Identifiable Information (PII) of its patients. The exposed information includes patients’ ages, birthdates, current addresses, past addresses, email addresses, names of the patients’ family members, political affiliation, and phone numbers.
  • A hacker who goes by the online handle ‘@0x55Taylor’ stole and posted online over 4800 sensitive documents from Mexico’s embassy in Guatemala. The incident occurred after the hacker managed to compromise a vulnerable server belonging to the embassy.
  • An unprotected database belonging to ‘Wi-Fi Finder’ exposed almost 2 million Wi-Fi network passwords. The unprotected database also contained other Wi-Fi network-related details such as the Wi-Fi network name, the Wi-Fi network’s precise geolocation, the Basic Service Set Identifier (BSSID), and passwords.
  • Bodybuilding.com suffered a security breach impacting its IT systems and customers’ personal information. The breach was the result of unauthorized activity in one of its employees’ email accounts in February 2019. The compromised information includes customers’ names, email addresses, billing/shipping addresses, phone numbers, order history, any communications with Bodybuilding.com, birthdates, and any information included in customers’ BodySpace profiles.
  • EmCare suffered a data breach compromising the personal information of almost 60,000 people, including patients, employees, and contractors. The exposed personal information includes names, dates of birth, clinical information, Social Security numbers, and driver’s license numbers.
  • Attackers have targeted the City of Stuart in Florida with a ransomware attack, infecting the city’s servers and computers with Ryuk ransomware and forcing them offline. City services such as payroll, utilities, and budgeting have been restored to normal operations. However, email services and the police and fire departments are still offline.
  • Scammers have carried out several affiliate marketing spam campaigns leveraging GoDaddy subdomains and fake celebrity endorsements. Most of the products promoted via these scams are brain supplements, weight loss pills, CBD oils, and other dietary products. GoDaddy has taken down over 15,000 subdomains and has reset passwords for the compromised accounts.
  • Amnesty International said that its Hong Kong office has been hit by a years-long cyberattack from threat actors associated with the Chinese government. Amnesty said that it first detected the cyber attack on March 15, 2019, when its Hong Kong office migrated its IT infrastructure to a more secure international network.

New Threats
 
The past week also witnessed the occurrence of new malware strains and vulnerabilities. Security researchers have uncovered the source code of the ‘Carbanak’ backdoor trojan that has been available on VirusTotal for almost two years. A security researcher has created a malware dubbed ‘SMBdoor’ with the help of two leaked NSA exploit kits. Meanwhile, a recent operating system update has made the Nokia 9 PureView smartphone vulnerable, allowing anyone to bypass the phone’s fingerprint lock.
 
  • Security researchers have uncovered the source code of the ‘Carbanak’ backdoor trojan that has been available on VirusTotal for almost two years. The source code of Carbanak was 20MB in size and consisted of 755 files, 39 binaries, and over 100,000 lines of code.
  • The TA505 threat actor group, in its new spear-phishing campaign against financial institutions, has used a signed version of the ServHelper backdoor and a number of LOLBins to evade detection. The ServHelper sample carried a valid code-signing certificate issued by the Sectigo RSA Code Signing CA, which helped it evade detection.
  • A zero-day XML External Entity (XXE) injection vulnerability has been detected in Microsoft Internet Explorer. This vulnerability could allow an attacker to steal confidential information or exfiltrate local files from the victim’s machine.
  • A fraudulent ad-clicking campaign has been observed infecting 90 million Android mobiles across the world. In this campaign, six fake apps claiming to boost the performance of smartphones have been used to distribute adware named ‘PreAmo’.
  • A security researcher has created a malware dubbed ‘SMBdoor’ with the help of two leaked NSA exploit kits. The malware has been created with a purpose to help academicians in their research. The malware’s characteristics are similar to that of DoublePulsar and DarkPulsar.
  • After a recent operating system update, the Nokia 9 PureView smartphone has apparently become vulnerable to an easy trick that bypasses the fingerprint lock: the flawed update allows anyone to unlock the phone without a matching fingerprint.
  • Researchers noted that attackers are deploying a banking trojan dubbed ‘LoadPCBanker’ via the file cabinet template built into the Google Sites platform. LoadPCBanker malware is used against victims who speak Portuguese or English.
  • Researchers detected a new security bug in Qualcomm chipsets, tracked as CVE-2018-11979, that could allow attackers to retrieve private data and encryption keys from the Qualcomm Secure Execution Environment (QSEE). The vulnerable Qualcomm chipsets are primarily used in smartphones and tablets.

Tags

carbanak
magecart attack
gandcrab ransomware
data breach
ransomware attacks
ta505 threat actor group
smbdoor
loadpcbanker trojan
preamo malware
unprotected database

Posted on: April 26, 2019
