Cyware Weekly Threat Intelligence - March 4–8

Weekly Threat Briefing • Mar 8, 2019
The Good
We’re back with the most interesting threat intel of the week. Before getting into the cyberattacks and new threats, let’s first acknowledge the positive events of the past week. The National Security Agency has released its reverse-engineering tool ‘Ghidra’ as open source. The World Wide Web Consortium has approved the WebAuthn API. Meanwhile, Singapore has proposed new guidelines for Technology Risk Management (TRM) and Business Continuity Management (BCM).
The National Security Agency announced at the RSA conference that its reverse-engineering tool ‘Ghidra’ is now an open-source offering to the public. Ghidra lets security researchers analyze malicious code and malware in depth, supporting reverse-engineering tasks such as disassembly, assembly, decompilation, graphing, scripting, and more.
The World Wide Web Consortium approved the WebAuthn API as a standard on March 4, 2019. WebAuthn lets users log into websites without passwords: the site issues a challenge to an authenticator, either a biometric sensor built into the device (fingerprint or face recognition) or a hardware security token, which signs the challenge with a private key that never leaves the device, so there is no shared secret for a phishing site or a breached database to capture.
Singapore has proposed new guidelines for Technology Risk Management (TRM) and Business Continuity Management (BCM). The proposed changes will help financial institutions implement additional security measures and strengthen their operational resilience.
The Bad
In the past week we witnessed several data breaches and large-scale cyberattacks. A security researcher found 18 unprotected MongoDB databases containing social-services data. Wolverine Solutions Group suffered a ransomware attack affecting nearly 700 healthcare organizations. Meanwhile, hackers defaced multiple Israeli web pages with the words ‘Jerusalem is the capital of Palestine’.
A security researcher uncovered 18 MongoDB servers that were publicly reachable without any password protection. The open databases held data from a Chinese surveillance program. The exposed information included social-services data such as profile names, ID numbers, photos, public and private conversations, file transfers, GPS locations, and more.
Wolverine Solutions Group suffered a ransomware attack that affected nearly 700 healthcare organizations, which use the company for billing and mailing services. Affected organizations include Mary Free Bed Rehabilitation Hospital, the Health Alliance Plan, North Ottawa Community Health System, Three Rivers Health, and others. The breach compromised the personal information of almost 1.2 million patients.
Attackers attempted a ransomware attack against Israeli web pages on March 2, 2019, but it failed because of a coding error. They did, however, manage to deface multiple pages with the words ‘Jerusalem is the capital of Palestine’. The ransomware payload was gated on an operating-system check that compared the value derived from the browser’s user-agent string against the exact string ‘Windows’; because that value carries the version number, such as ‘Windows 10’ or ‘Windows 7’, the comparison never matched and the payload never ran.
Security researchers found an unprotected MongoDB database belonging to Dalil, a caller ID app used in Saudi Arabia. The open database contained the app’s entire data set, including users’ personal details and activity logs: mobile numbers, names, email addresses, Viber accounts, gender, call details, and number searches. It also held device details (model number, serial number, IMEI, MAC address, SIM number, OS version, and so on), telecom operator details, and GPS coordinates.
Chinese hackers targeted more than two dozen universities around the world to steal maritime military secrets. The campaign hit 27 universities with spear-phishing emails that purported to come from partner universities and carried malicious attachments. Targets included the Massachusetts Institute of Technology, the University of Washington, and other institutions in Canada and Southeast Asia.
Sharecare Health Data Services (SHDS) suffered a network intrusion that compromised patient data of AltaMed Health Services Corporation and Blue Shield of California. The exposed data included patients’ names, addresses, dates of birth, unique identification numbers, the names and addresses of clinics, names of healthcare providers, medical record numbers, and internal SHDS processing notes.
Researchers found an unprotected MongoDB database belonging to the email marketing firm Verifications that exposed about 809 million records online. The database held three folders: the first had over 790 million unique email addresses, the second contained 4,150,600 records pairing email addresses with phone numbers, and the third held 6 million business lead records.
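The three MongoDB exposures in this briefing (the surveillance-program servers, Dalil, and Verifications) share one root cause: a mongod reachable from the internet with access control switched off. The fragment below is an added illustration of that misconfiguration beside its corrected form, written in mongod’s own YAML configuration format; it is not the configuration of any company named above, and the private address and port are assumptions.

```yaml
# Added illustration, not any named company's configuration.
#
# (a) The exposed pattern behind this week's leaks: the server listens on every
#     interface and no authentication is required, so anyone who can reach port
#     27017 can list and dump every database.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled

# (b) Corrected: listen only on loopback and the private interface the
#     application servers use (10.0.0.5 is a hypothetical address), and require
#     authentication for every command.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
```

Enabling `security.authorization` alone is not enough: create an administrative user first (mongod’s localhost exception allows the first user to be created without credentials), then give each application its own least-privilege role. Verify from a host outside the private network that an unauthenticated `mongo --host <public-ip> --eval 'db.adminCommand({listDatabases: 1})'` is refused, either by a connection failure (the interface is no longer bound) or by an authentication error (authorization is enforced), and put a network firewall rule in front of the port regardless, since `bindIp` does nothing for a misconfigured bastion or cloud security group.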
New Threats
Several new malware families, vulnerabilities, and ransomware strains were discovered over the past week. Researchers detected a new variant of the GarrantyDecrypt ransomware that poses as the security team of Proton Technologies. Nineteen zero-day vulnerabilities were found in five visitor management systems. Last but not least, a new Ransomware-as-a-Service (RaaS) offering, ‘Jokeroo’, is being promoted on an underground hacking forum.