Last week in security news, researchers revealed that millions of medical images and other personal health data were publicly viewable on the web. Security analysts disclosed their research on a threat actor’s efforts to update its attack infrastructure, exploits and cryptomining payloads, and others revealed how a threat group had targeted IT providers in Saudi Arabia in probable supply chain attacks. Finally, researchers found a rootkit capability in a Linux malware family and spotted a new family of ransomware targeting businesses via exposed Remote Desktop Services (RDS).

Top Story of the Week: 5 Million Exposed Medical Images

ProPublica found images of MRI, CT and X-Ray scans for at least 5 million U.S. patients — and even more worldwide — stored on unsecured servers. Many of these servers lacked even basic password protections at the time of discovery, making it easy for anyone to view the more than 16 million images over the public web.

In its investigation, ProPublica found no evidence that anyone had copied the images and/or published them elsewhere. Still, investigators found it was hard to assign blame for the server exposures.

Source: iStock

Also in Security News

• TFlower Ransomware Targets Businesses via Exposed RDS: First discovered in August 2019, TFlower ramped up its activity in September 2019 when attackers began abusing exposed RDS to hack into network-connected machines. This initial intrusion enabled bad actors to infect the local machine, reported Bleeping Computer, or spread the ransomware to other IT assets by moving throughout the network.
• Emotet Springs Back to Life: Security researcher Raashid Bhat spotted a malspam campaign targeting Polish- and German-speaking users with Emotet. This marked the first time that anyone in the security community had spotted a new attack campaign involving the malware family in close to four months.
• Panda Continues to Update Infrastructure, Exploits on the Fly: Since July 2018, Cisco Talos has been tracking a threat actor named Panda that uses remote access tools (RATs) and cryptomining malware to generate Monero cryptocurrency. Researchers have observed the actor update its activities upon numerous occasions; most recently, it began exploiting a new WebLogic flaw and changed its command-and-control (C&C) infrastructure.
• Malware Dropper Masquerading as a Virtual Currency Wallet: Avast spotted a malware dropper, dubbed WiryJMPer, masquerading as a wallet called ABBC Coin. Using this disguise, the malware displayed the ABBC Coin wallet’s window while it downloaded threats such as the Netwire RAT in the background.
• Linux Malware Uses Rootkit Functions to Evade Detection: Trend Micro disclosed that it observed a new family of Linux malware called Skidmap. This threat used LKM rootkits to overwrite or modify parts of kernel, thereby making it easier for the threat to evade detection and remain persistent.
• Astaroth Trojan Found Leveraging YouTube and Facebook Profiles: In a phishing campaign spotted by Cofense, emails used one of three lures — an invoice, a show ticket or a civil lawsuit notice theme — to trick users into opening an .htm file that, in turn, downloaded a sample of the Astaroth Trojan. This malware used YouTube and Facebook profiles to host and maintain configuration data for its command-and-control (C&C) infrastructure.
• Attack Group Targeting IT Providers in Saudi Arabia: Symantec discovered a previously undocumented attack group dubbed Tortoiseshell using custom and off-the-shelf malware to target IT providers in Saudi Arabia. At the time of publication, the security firm had identified 11 organizations that the group had targeted; at two of those organizations, bad actors had managed to obtain admin-level access.
• New Remote-Access Trojan Conceals Itself to Steal Personal Data: Researchers at Zscaler detected a new remote-access Trojan (RAT) named InnfiRAT checking for sandbox environments and concealing itself as an easily overlooked system process to hide on an infected machine. This technique gave the malware the perfect cover to steal victims’ credentials, especially those pertaining to their cryptocurrency wallets.

Security Tip of the Week: Boost Your Organization’s Malware Defenses

The stories discussed above highlight the need for organizations to defend themselves against increasingly sophisticated strains of malware. They can do so by creating security awareness training programs that teach digital security hygiene to all employees. Companies should also develop a comprehensive vulnerability management plan through which they can identify, prioritize and remediate known vulnerabilities affecting key business assets.

Learn more about vulnerability management on the SecurityIntelligence podcast