Newsletter

Nightfall Weekly InfoSec Roundup: July 1 to July 8

by
Michael Osakwe
,
July 11, 2019
Nightfall Weekly InfoSec Roundup: July 1 to July 8Nightfall Weekly InfoSec Roundup: July 1 to July 8
Michael Osakwe
July 11, 2019
On this page

Cyber Attacks & Breaches

  • 239,000 patient records vulnerable in insurance database security incident (Beckers Hospital Review) July 1stThe exposed database was discovered on May 13. It contained names, addresses, telephone numbers, email addresses, IP addresses, dates of birth, and information regarding health insurance. Around 239,000 insurance records were left vulnerable. It is unclear how long the database was exposed, reports the HIPAA Journal. MedicareSupplement.com was notified of the vulnerability, and the database has since been secured.
  • Thousands of Facebook Users Hit in Malware Distribution Campaign (Dark Reading) July 1st“Operation Tripoli,” is a multiyear malware campaign mainly targeting users in Libya that has nevertheless impacted tens of thousands of Facebook users across multiple countries, including the US and Canada. According to Checkpoint, the malware distribution campaign is one of the largest it has observed on Facebook. The security vendor has estimated that some 50,000 Facebook users have clicked on the URLs over the years, but it is unclear how many of them became infected as a result.
  • Attunity Data Leak Exposes Sensitive Files at Ford, TD Bank (Dark Reading) July 1stData management firm Attunity exposed more than 1TB of sensitive data via three misconfigured Amazon S3 buckets, security firm UpGuard disclosed late last week. The mistake compromised Attunity internal corporate information as well as data of high-profile businesses, including Ford, TD Bank, and Netflix.
  • Ransomware Hits Georgia Court System (Dark Reading) July 1stNews reports have confirmed the Georgia court system has been struck with a ransomware attack, which has resulted in at least part of its digital information systems being taken offline. An investigation is now underway; it remains unclear how many systems were compromised.
  • 4 hacked email accounts cause breach at Summa Health (Health Data Management) July 1stOn May 1, Summa Health learned of the access to the employees’ email accounts. It hired a forensics firm, which determined that the attacker first had access to two accounts dating back to August 2018, and then accessed two more accounts between March 11 and March 29. “The investigation was unable to determine whether the unauthorized individual viewed any email or attachment in the accounts,” the company notes.
  • Exposed Orvibo database leaks two billion records (SC Magazine) July 1stMore than two billion user logs containing information on Chinese home solutions company Orvibo customers were leaked after a database was left exposed. Among the customer data exposed by the unprotected ElasticSearch cluster were: email addresses, passwords, user geolocation, conversations recorded with smart cameras, usernames and IDs, IP addresses, account reset codes, device names, identities of devices accessing accounts, schedules, and family names and IDs.
  • Eurofins Scientific: Forensic services firm paid ransom after cyber-attack (BBC) July 5thEurofins Scientific was infected with a ransomware computer virus a month ago, which led British police to suspend work with the global testing company. At the time, the firm described the attack as “highly sophisticated”. BBC News has not been told how much money was involved in the ransom payment or when it was paid.
  • Ubuntu-Maker Canonical’s GitHub Account Gets Hacked (The Hacker News) July 5thAn unknown hacker successfully managed to hack into the official GitHub account of Canonical, the company behind the Ubuntu Linux project and created 11 new empty repositories. It appears that the cyberattack was, fortunately, just a “loud” defacement attempt rather than a “silent” sophisticated supply-chain attack that could have been abused to distribute modified malicious versions of the open-source Canonical software.

Vulnerabilities & Exploits

  • Ten years later, malware authors are still abusing ‘Heaven’s Gate’ Technique (ZDNet) July 2ndMore than ten years after it was first detailed in a hacker e-zine (online magazine), malware strains are still successfully using the “Heaven’s Gate” technique to avoid antivirus detection, even today. Talos researchers said they’ve spotted at least three malware distribution campaigns in which the malware which infected users’ systems used the Heaven’s Gate technique to run malicious code without triggering an antivirus detection. Any malware using the Heaven’s Gate technique is effectively going after older systems, which shows once more why using a modern OS is always a good idea.
  • Cyber Command warns hackers exploiting Outlook vulnerability to attack gov’t agencies (SC Magazine) July 2ndThe U.S. Cyber Command warned that a threat group was exploiting a vulnerability in Outlook to attack government agencies and uploaded samples that one security researcher said are linked to APT33 and Shamoon2. “USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching.
  • Android July 2019 Security Update Patches 33 New Vulnerabilities (The Hacker News) July 2ndGoogle has started rolling out this month’s security updates for its mobile operating system platform to address a total of 33 new security vulnerabilities affecting Android devices, 9 of which have been rated critical in severity. The vulnerabilities affect various Android components, including the Android operating system, framework, library, media framework, as well as Qualcomm components, including closed-source components.
  • Nexus Repository Flaws Expose Thousands of Private Artifacts (SecurityWeek) July 3rdNexus is Sonatype’s integrated open source governance platform that is used by over 1,000 organizations and 10 million software developers. A security researcher, however, discovered that the default Nexus settings include two issues, unrelated to each other, but which exposed artifacts from all affected repositories to the public. They also said that at least half of the Internet accessible repositories he checked were using the default settings, which expose them to both vulnerabilities.
  • 17-Year-Old Weakness in Firefox Let HTML File Steal Other Files From Device (The Hacker News) July 3rdExcept for phishing and scams, downloading an HTML attachment and opening it locally on your browser was never considered as a severe threat until a security researcher demonstrated a technique that could allow attackers to steal files stored on a victim’s computer. Though the implementation weakness in Firefox is not new, this is, however, the first time when someone has come up with a complete PoC attack that puts security and privacy of millions of Firefox users at risk.
  • Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! (Medium) July 8thA vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

Risks & Warnings

  • New Warning on Ryuk Ransomware (Dark Reading) July 1stA new Ryuk campaign is spreading globally, according to a warning issued by the UK’s National Cyber Security Centre (NCSC). Ryuk is ransomware known for its long “dwell time” — the time between initial infection and system damage — and for adjusting the amount of ransom demanded based on the victim’s perceived ability to pay.
  • Mac OS X/CrescentCare malware designed to evade antivirus (SC Magazine) July 1stA fake Flash Player trojan malware is targeting Macs with a design that allows it to evade antivirus solutions. Dubbed OS X/CrescentCare, Intego researchers spotted the malware in the wild in several places on the web ranging from sketchy copyright-infringing download sites to rogue, high-ranking, non-sponsored Google search results links.
  • New MacOS Malware Discovered (Dark Reading) July 2ndA wave of malware targeting MacOS was discovered over the past month. The newest attack code for the Mac includes three pieces of malware found in June — a zero-day exploit, a package that includes sophisticated anti-detection and obfuscation routines, and a family of malware that uses the Safari browser as an attack surface.
  • WannaLocker ransomware found combined with RAT and banking trojan (SC Magazine) July 2ndResearchers are warning that a new version of WannaLocker – essentially a mobile derivative of WannaCry ransomware – has been enhanced with spyware, remote access trojan and banking trojan capabilities. Cybercriminals have been using the all-in-one malware package in a campaign targeting Brazilian banks and their Android mobile customers.
  • China’s Border Guards Secretly Installing Spyware App on Tourists’ phones  (The Hacker News) July 3rdAccording to a joint investigation by New York Times, the Guardian, Süddeutsche Zeitung and more, the surveillance app has been designed to extract emails instantly, texts, calendar entries, call records, contacts and insecurely uploads them to a local server setup at the check-point only. This suggests that the spyware app has not been designed to continuously and remotely track people while in China. In fact, the report says the surveillance app is uninstalled before the phone is returned to its owner in most cases.
  • Dridex Operators Use New Trojan Downloader (SecurityWeek) July 3rdReferred to as TA505 and believed to speak Russian, the financially motivated threat actor has proven highly prolific over time. Last month, TA505 was noticed using a new Trojan downloader to deliver the FlawedAmmyy full-featured remote access Trojan (RAT). Dubbed AndroMut, the downloader shows code and behavior similarities to Andromeda, a long-established malware family.

Join us next week for the next edition of Nightfall’s Weekly InfoSec Roundup!

Nightfall Mini Logo

Getting started is easy

Install in minutes to start protecting your sensitive data.

Get a demo