Cyware Monthly Threat Intelligence

Monthly Threat Briefing • Apr 30, 2019
The Good
As April comes to an end, let’s quickly brush up on all that happened in the cybersecurity world this month. The past month witnessed several cybersecurity advancements, new laws and policies, security incidents, as well as the emergence of new threats. To begin with, let’s first glance through all the good that has happened in cyberspace. USA.gov, the official online portal of the U.S. federal government, has launched an artificial intelligence (AI) powered chatbot named ‘Sam’ that is capable of answering users’ questions on scams and frauds. The General Services Administration (GSA) has expanded its cybersecurity service offerings to help federal agencies and state governments protect their valuable data. Meanwhile, the EU Parliament has voted to create a gigantic biometrics database that aggregates both identity records and biometrics of over 3.5 million EU and non-EU citizens.
The Department of Homeland Security (DHS) is planning to roll out its new risk scoring algorithm ‘Agency-Wide Adaptive Risk Enumeration’ (AWARE) in October 2019. AWARE will help agencies prioritize mitigation activities and improve their basic cybersecurity hygiene.
Singapore has introduced the ‘Protection From Online Falsehoods and Manipulation Bill’, which aims at preventing the spread of fake news on online platforms. The bill promises to punish disseminators of fake news with fines of up to S$100,000 or imprisonment of up to 10 years, or both.
The General Services Administration (GSA) has expanded its cybersecurity service offerings to help federal agencies and state governments protect their valuable data. This will help agencies secure high-value assets on mission-critical systems.
USA.gov, the official online portal of the U.S. federal government, has launched an artificial intelligence (AI) powered chatbot named ‘Sam’ that is capable of answering users’ questions on scams and frauds. In just over a month, Sam interacted with over 4,000 users, with 78% of users having successfully asked their questions and received an answer.
US senators have introduced a bipartisan bill named ‘Cyber Resiliency Act’ that would require DHS to provide grants to support state and local governments in enhancing cyber defenses and addressing cybersecurity threats.
The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) organized the Locked Shields 2019 event. This is considered the largest live-fire cyber exercise in the world.
Another two US senators have introduced a new bipartisan legislation to ban social networking platforms from using ‘dark patterns’ to trick users into providing their private data. Social media platforms have long abused dark patterns and have gained access to users’ private data such as geolocation, contacts, call logs, friend lists, and more.
Washington state legislators have unanimously passed a bill, ‘HB 1071’, that expands consumer data breach notification requirements to include more types of consumer information, such as full birth dates, health insurance ID numbers, medical histories, student ID numbers, military ID numbers, passport ID numbers, username-password combinations, and biometric data.
The EU Parliament has voted to create a gigantic biometrics database that aggregates both identity records and biometrics of over 3.5 million EU and non-EU citizens. The identity records and biometrics include names, dates of birth, passport numbers, fingerprints, facial scans, and other identification details.
The Bad
April witnessed numerous data breaches and cyber attacks that saw the exposure of millions of people's personal information across the globe. Researchers have uncovered two misconfigured Amazon cloud servers belonging to third-party companies ‘Cultura Colectiva’ and ‘At the Pool game’ that contained over 540 million Facebook user records. An unprotected database belonging to Justdial exposed the personal information of almost 100 million users. Last but not least, more than 500 million iOS users have been targeted by the eGobbler hacker group through massive malvertising campaigns.
Researchers have uncovered two misconfigured Amazon cloud servers belonging to third-party companies ‘Cultura Colectiva’ and ‘At the Pool game’ that contained over 540 million Facebook user records. The exposed user records include account names, Facebook IDs, comments, likes, lists of Facebook friends, photos, groups, check-ins, and user preferences such as movies, music, books, and interests.
Several HR companies in China have exposed over 590 million resumes in the past 3 months due to unprotected databases. While some of these misconfigured databases have been secured, a few are still leaking data on the internet.
An unprotected database belonging to Justdial exposed the personal information of almost 100 million users. The exposed data includes Justdial users’ names, email addresses, mobile numbers, location addresses, genders, dates of birth, photos, designations, company names, and more.
Two weeks after the first exposure, Justdial has again exposed personal information. This time, it exposed the database of individuals who posted reviews on the platform. The information made public includes the reviewer’s name, mobile number, and location.
More than 500 million iOS users have been targeted by the eGobbler hacker group through massive malvertising campaigns. These campaigns were conducted for almost a week starting from April 6, 2019. The group used ‘8 individual campaigns and over 30 fake creatives’ to perform the attacks.
The Bithumb cryptocurrency exchange platform suffered a cyber attack compromising 3 million EOS worth $13.4 million and 20 million Ripple coins (XRP) worth $6 million. An internal inspection revealed that the incident was an ‘accident involving insiders’.
A security researcher detected an unprotected database belonging to the Department of Medical, Health and Family Welfare of a state in northern India that exposed medical records of almost 12.5 million pregnant women who underwent an ultrasound scan, genetic testing, or sex determination testing of their unborn child.
Medical billing service provider ‘Doctors’ Management Service’ suffered a GandCrab ransomware attack compromising patients’ data from almost 38 clients including Beverly Surgical Associates, Today’s Wellness PLLC, Neuro Institute of New England, and more. The compromised data includes patients’ personal information such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, insurance, Medicare/Medicaid information and numbers, and medical information.
The Magecart group has compromised the online store of the Atlanta Hawks, a basketball team in Atlanta, Georgia. The attack has impacted all those who shopped from the online store on or after April 20, 2019. Shoppers’ data such as names, addresses, and credit card details have potentially been stolen by the Magecart group through skimmers injected on hawksshop.com.
Manufacturing giant Aebi Schmidt has been hit with a major ransomware attack, forcing the company to shut down systems across its international network, including its U.S. subsidiaries. The attack has primarily impacted its European base, leaving a number of systems non-operational.
The hacker ‘Gnosticplayers’ is back with a fifth round of stolen data. This time, he has put over 65 million user accounts up for sale on a dark web forum. The latest batch includes user records that belonged to six new companies. The hacked data is being sold for 0.8463 Bitcoin ($4,350) on the DreamMarket forum.
Eight misconfigured databases have been found leaking approximately 60 million records of LinkedIn user information. The total size of the databases is estimated to be 229 GB, with each database ranging between 25 GB and 32 GB. Security researcher Sanyam Jain, who discovered these misconfigured databases, said that the data was being removed every day and loaded onto different IPs.
In another revelation on Thursday, Facebook disclosed that it stored millions of passwords of Instagram users in plaintext. The social networking company mentioned this incident in an update to its earlier blog post on passwords kept in plaintext in its storage systems. However, Facebook has emphasized that these unencrypted passwords were not abused or accessed by its employees.
Researchers have detected around 74 Facebook groups with nearly 385,000 members that were used to carry out illicit trading of stolen credentials, email addresses, private data, credit card information, and phishing kits. Facebook’s security team has removed all 74 groups from the site.
Hackers breached Toyota’s IT systems and gained unauthorized access to servers that contained sales information of almost 3.1 million customers. The data belonged to several sales subsidiaries such as Toyota Tokyo Sales Holdings, Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Netz Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.
Kaspersky Lab researchers have revealed the existence of a new cybercrime marketplace named ‘Genesis’ where cybercriminals are selling full digital fingerprints of over 60,000 users. The Genesis market sells digital fingerprints, digital identities, cookies, credit card information, sensitive documents, browser user-agent details, WebGL signatures, website user logins, and passwords.
New Threats
Several new malware strains, ransomware families, vulnerabilities, and threat groups emerged over the past month. Researchers have uncovered over a dozen servers hosting ten different malware families. The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have released a security alert about a new malware strain named HOPLIGHT. Meanwhile, the Nokia 9 PureView smartphone has apparently become vulnerable to an easy trick that bypasses the fingerprint lock after a recent system update.