Cyber Round-up for 20th September
Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
A marketing analytics company was storing a massive amount of sensitive information in an unsecured, openly accessible database, which reportedly included the personal data of the entire population of Ecuador. The leak was discovered by vpnMentor, who revealed that the database held records for around 20 million individuals, more than the roughly 16.5 million people living in Ecuador. The records included full names, dates of birth, home addresses, phone numbers and taxpayer IDs, as well as extensive information on family members, social security numbers and vehicle purchases. The scale of the leak has researchers questioning why a marketing company needed to store this data at all, and where it obtained it in the first place.
The software hosting service GitHub has acquired the code analysis platform Semmle; the idea behind the acquisition is to help developers and researchers discover critical vulnerabilities and zero-day threats. Semmle offers a range of tools and products for investigating and addressing security issues, including uncovering vulnerabilities in third-party dependencies. In related news, GitHub has also announced that it is now a CVE Numbering Authority, meaning the company can officially assign CVE identifiers to new flaws as they are discovered; this fits naturally alongside the Semmle products now that the two have joined forces.
The private medical records of 24.3 million patients have been left on unprotected servers, freely accessible on the internet. The leak exposed records from 52 different countries and includes confidential images such as X-rays, CT and MRI scans. The exposed information includes patient names, dates of birth and examination dates, and compromises 13.7 million social security numbers belonging to American patients. Researchers confirmed that they did not have to exploit any software to reach the records: all they did was visit a public web page. The lack of security in place has researchers concerned, especially considering the volume of information that was being stored.
Security experts have begun issuing warnings about cyber-insurance companies. Recently, cyber-insurers have been encouraging ransomware victims to pay the criminals to recover their encrypted files, thereby funding further criminal activity. Security researchers see this as having a major long-term impact on the cyber-security industry: the wealthier the criminals become, the more advanced the ransomware becomes with them. Despite the extra downtime involved, companies should look to restore their files from backups and use alternative recovery methods instead of paying ransoms, as the long-term effects of paying could be extremely harmful.
A new spam campaign has hit Germany that masquerades as a job application, with an attachment presented as a PDF résumé; the attachment is actually an executable that installs the Ordinypt wiper on the victim's device and destroys the files stored on it. Although the malware destroys files, it is disguised as ransomware and demands payment; the files cannot be recovered regardless of whether the ransom is paid. The campaign was first spotted in use on September 11th, 2019 and has almost exclusively targeted German-speaking users.
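The lure above relies on an executable being accepted as a PDF. The following is an added example (not code from the original post, and not from any vendor's product) of the kind of attachment check a mail gateway or triage script can apply: it compares the file extension with the leading bytes of the attachment and flags double extensions such as `.pdf.exe`. The attachment names and byte strings are constructed for the example and are not samples from the campaign; the only assumption is that the filename and the first few bytes of each attachment are available.

```python
"""Flag attachments whose claimed type (file extension) disagrees with their
actual content, the pattern used by an executable delivered as a 'PDF resume'.

Added example with constructed inputs; not code from the original post.
Assumption: we have the filename and the leading bytes of each attachment.
"""

# Well-known file signatures for the container types this check cares about.
MAGIC = {
    b"%PDF-": "pdf",        # PDF header
    b"MZ": "exe",           # DOS/PE executable header
    b"PK\x03\x04": "zip",   # ZIP container (also .docx/.xlsx)
}

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_parts(filename: str) -> list[str]:
    """Split 'resume.pdf.exe' into ['pdf', 'exe'] (lower-cased)."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks like a disguised executable.

    An empty list means none of these checks fired.
    """
    reasons = []
    exts = extension_parts(filename)
    claimed = exts[-1] if exts else ""
    actual = sniff(data)

    # 1. Double extension: a document extension followed by an executable one,
    #    e.g. 'Bewerbung.pdf.exe', which a file browser hiding known
    #    extensions shows as 'Bewerbung.pdf'.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and claimed in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{claimed}")

    # 2. Outright executable attachment, however it is named.
    if claimed in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{claimed}")

    # 3. Content/extension mismatch: PE bytes under a document name. This
    #    catches a plain 'resume.pdf' that is really an executable.
    if actual == "exe" and claimed in DOCUMENT_EXTS:
        reasons.append(f"PE header (MZ) but named .{claimed}")

    return reasons


# Constructed attachments (not real samples): filename -> leading bytes.
SAMPLES = {
    "Lebenslauf.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",   # genuine PDF
    "Bewerbung.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",    # PE with double extension
    "Anschreiben.pdf": b"MZ\x90\x00\x03\x00\x00\x00",      # PE renamed to .pdf
    "Zeugnis.docx": b"PK\x03\x04\x14\x00\x06\x00",          # genuine OOXML (zip)
}


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run assess_attachment over a batch and return only the flagged entries."""
    flagged = {}
    for name, data in samples.items():
        reasons = assess_attachment(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The magic-byte check is the important one: a double-extension rule alone misses an executable that has simply been renamed to `.pdf`, and an extension allow-list alone is defeated by the same trick. Neither check is a substitute for detonating or scanning the attachment, but both are cheap enough to run on every inbound message.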
Vulnerabilities & Updates
The well-known password manager LastPass has recently patched a vulnerability in its browser extensions for Chrome and Opera. The flaw could allow an attacker to steal a victim's username and password through the 'fill-in' feature, which saves a user's login credentials so that the username and password are entered automatically on the corresponding websites. Because of this vulnerability, a user who visited a malicious site could have their login details for the previously visited site exposed. In practice, exploiting the bug requires several more steps, and according to security researchers it was not actively exploited. The bug was patched in LastPass version 4.33.0, an update which has been applied automatically to all users' browser extensions.
Emotet, one of the world's most dangerous botnets and malware droppers, stopped all activity at the start of June 2019; even its command and control servers went inactive. The constantly evolving botnet started out as a banking trojan five years ago and has since been deemed one of the most prominent threats in cyber security (see our blog post for more on Emotet). As of September 16th, 2019, the Emotet botnet appears to be active once again, with all operations resumed, including the previously dormant command and control infrastructure and spam campaigns. Despite the extended break, Talos have ensured that all coverage and protection remain in place, and new indicators of compromise have been pushed to supported Cisco Security products in response to the revival.
And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.
Why not follow us on social media using the links provided on the right.
Edition #59 – 20th September 2019
Ironshare – Security Simplified