September 23, 2019 By David Bisson 3 min read

Last week in security news, researchers revealed that millions of medical images and other personal health data were publicly viewable on the web. Security analysts disclosed their research on a threat actor’s efforts to update its attack infrastructure, exploits and cryptomining payloads, and others revealed how a threat group had targeted IT providers in Saudi Arabia in probable supply chain attacks. Finally, researchers found a rootkit capability in a Linux malware family and spotted a new family of ransomware targeting businesses via exposed Remote Desktop Services (RDS).

Top Story of the Week: 5 Million Exposed Medical Images

ProPublica found images of MRI, CT and X-Ray scans for at least 5 million U.S. patients — and even more worldwide — stored on unsecured servers. Many of these servers lacked even basic password protections at the time of discovery, making it easy for anyone to view the more than 16 million images over the public web.

In its investigation, ProPublica found no evidence that anyone had copied the images and/or published them elsewhere. Still, investigators found it was hard to assign blame for the server exposures.

Source: iStock

Also in Security News

  • TFlower Ransomware Targets Businesses via Exposed RDS: First discovered in August 2019, TFlower ramped up its activity in September 2019 when attackers began abusing exposed RDS to hack into network-connected machines. This initial intrusion enabled bad actors to infect the local machine, reported Bleeping Computer, or spread the ransomware to other IT assets by moving throughout the network.
  • Emotet Springs Back to Life: Security researcher Raashid Bhat spotted a malspam campaign targeting Polish- and German-speaking users with Emotet. This marked the first time that anyone in the security community had spotted a new attack campaign involving the malware family in close to four months.
  • Panda Continues to Update Infrastructure, Exploits on the Fly: Since July 2018, Cisco Talos has been tracking a threat actor named Panda that uses remote access tools (RATs) and cryptomining malware to generate Monero cryptocurrency. Researchers have observed the actor update its activities upon numerous occasions; most recently, it began exploiting a new WebLogic flaw and changed its command-and-control (C&C) infrastructure.
  • Malware Dropper Masquerading as a Virtual Currency Wallet: Avast spotted a malware dropper, dubbed WiryJMPer, masquerading as a wallet called ABBC Coin. Using this disguise, the malware displayed the ABBC Coin wallet’s window while it downloaded threats such as the Netwire RAT in the background.
  • Linux Malware Uses Rootkit Functions to Evade Detection: Trend Micro disclosed that it observed a new family of Linux malware called Skidmap. This threat used LKM rootkits to overwrite or modify parts of kernel, thereby making it easier for the threat to evade detection and remain persistent.
  • Astaroth Trojan Found Leveraging YouTube and Facebook Profiles: In a phishing campaign spotted by Cofense, emails used one of three lures — an invoice, a show ticket or a civil lawsuit notice theme — to trick users into opening an .htm file that, in turn, downloaded a sample of the Astaroth Trojan. This malware used YouTube and Facebook profiles to host and maintain configuration data for its command-and-control (C&C) infrastructure.
  • Attack Group Targeting IT Providers in Saudi Arabia: Symantec discovered a previously undocumented attack group dubbed Tortoiseshell using custom and off-the-shelf malware to target IT providers in Saudi Arabia. At the time of publication, the security firm had identified 11 organizations that the group had targeted; at two of those organizations, bad actors had managed to obtain admin-level access.
  • New Remote-Access Trojan Conceals Itself to Steal Personal Data: Researchers at Zscaler detected a new remote-access Trojan (RAT) named InnfiRAT checking for sandbox environments and concealing itself as an easily overlooked system process to hide on an infected machine. This technique gave the malware the perfect cover to steal victims’ credentials, especially those pertaining to their cryptocurrency wallets.

Security Tip of the Week: Boost Your Organization’s Malware Defenses

The stories discussed above highlight the need for organizations to defend themselves against increasingly sophisticated strains of malware. They can do so by creating security awareness training programs that teach digital security hygiene to all employees. Companies should also develop a comprehensive vulnerability management plan through which they can identify, prioritize and remediate known vulnerabilities affecting key business assets.

Learn more about vulnerability management on the SecurityIntelligence podcast

More from

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today