an estimated 280 million records that include a treasure-trove of private user data. According to a report by Appthority, more than 1,000 apps it looked at on mobile devices leaked personally identifiable information that included passwords, location, VPN PINs, emails and phone numbers. Appthority's Mobile Threat Team called the vulnerability HospitalGown and said the culprits behind the threat are misconfigured backend storage platforms including Elasticsearch, Redis, MongoDB and MySQL. "HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers' failure to properly secure the backend servers with which the app communicates," wrote the authors of the report released Wednesday. According to Seth Hardy, director of security research, the problem is a byproduct of the insecure database installations that made headlines in February. That's when misconfigured and insecure MongoDB, Hadoop and CouchDB installations became popular extortion targets for hackers who were scanning for vulnerable servers to attack. The weak link in the chain when it comes to HospitalGown is the insecure servers that apps connect to, Hardy said. During the course of Appthority's investigation, it found 21,000 open Elasticsearch servers, revealing more than 43 terabytes of exposed data. In one scenario, the attacker looks for vulnerabilities in the space between the vendor's mobile application and the app's server-side components, according to researchers.
"The servers for most mobile applications are cloud based and accessible via the Internet; this allows a bad actor to skip the long and potentially many-layered 'compromise' stage of an attack, accessing company data directly from a database that is impossible for the enterprise to see or secure," they wrote. Researchers said the vulnerable mobile apps they found ran the gamut, from office productivity, enterprise access management, games and dating to travel, flight and hotel applications. Any personally identifiable data a user shared with the app was vulnerable to possible exfiltration by a hacker. "These servers were accessible from the Internet, lacked any means of authentication to prevent unwanted access to the data they contained, and failed to secure transport of data, including PII, using HTTPS conventions," according to the report. While this is strictly a data security issue, Appthority said, attacks can quickly escalate and personal information could easily be leveraged in a spear phishing attack or brute force attack. In its report, Appthority showed how a mobile VPN app called Pulse Workspace, used by enterprises, government agencies and service providers, leaked data. While Pulse Workspace created an API to secure front-end Elasticsearch access, the backend, and all of the app's data records, were exposed and leaked Pulse customer data. Appthority notified Pulse Workspace and its customers of the vulnerability, which has since been fixed.
Appthority is careful to point out that each of the platforms it examined – Elasticsearch, Redis, MongoDB and MySQL – has plugins that allow it to be properly secured for public exposure on the internet. "Best practices on secure data stores are just not being adopted in too many cases," Hardy said. Elasticsearch, for example, has a bevy of security and data protection capabilities, such as the ability to encrypt all the data on the platform. Increasing the risk of HospitalGown-type attacks is the fact that many of the apps Appthority looked at seemed benign in terms of the user data they shared. But increasingly, apps have advertising components that collect personally identifiable data that can be mined by hackers for phishing or ransomware attacks. App developers and system administrators need to know where their data is stored and make sure it is secured, Hardy told Threatpost.
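The two conditions the report names, a backend that answers without credentials and one reached over plain HTTP, are both things a developer or administrator can test for their own servers. The Python script below is an added example, not Appthority's tooling or code from its report; it probes an Elasticsearch URL the way an attacker would (an unauthenticated GET / followed by a _cat/indices listing) and classifies the result. The hosts, cluster names and responses it is fed are constructed so it runs offline; the `fetch_http` function is the live fetcher you would swap in for a real check.

```python
"""Added example (not Appthority's code): check an app backend's
Elasticsearch endpoint for the HospitalGown conditions the report
describes, reachable with no credentials and served over plaintext HTTP.
The target hosts and responses below are constructed for offline use."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

Fetch = Callable[[str], Tuple[int, str]]


@dataclass
class Finding:
    url: str
    plaintext: bool          # served over http:// rather than https://
    unauthenticated: bool    # cluster info returned with no credentials
    indices: List[str] = field(default_factory=list)


def fetch_http(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live fetcher: GET with no credentials, returning (status, body).
    401/403 means the server at least demands authentication."""
    req = urllib.request.Request(url, headers={"User-Agent": "backend-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def assess_elasticsearch(base_url: str, fetch: Fetch = fetch_http) -> Optional[Finding]:
    """Return a Finding if base_url answers like an Elasticsearch node.

    GET / on Elasticsearch returns a JSON document containing "cluster_name";
    if that comes back without credentials the node is open, and the _cat
    API will then list every index (the user tables an app stores there).
    Returns None when the host is unreachable or is not Elasticsearch."""
    base = base_url.rstrip("/")
    plaintext = urlparse(base).scheme == "http"
    status, body = fetch(base + "/")
    if status in (401, 403):
        return Finding(base, plaintext, unauthenticated=False)
    if status != 200:
        return None
    try:
        info = json.loads(body)
    except ValueError:
        return None
    if not isinstance(info, dict) or "cluster_name" not in info:
        return None
    indices: List[str] = []
    status, body = fetch(base + "/_cat/indices?format=json")
    if status == 200:
        try:
            indices = sorted(row["index"] for row in json.loads(body))
        except (ValueError, KeyError, TypeError):
            indices = []
    return Finding(base, plaintext, unauthenticated=True, indices=indices)


def scan(urls: List[str], fetch: Fetch = fetch_http) -> List[Finding]:
    """Assess each URL; keep only Elasticsearch hosts that are open or lack TLS."""
    out = []
    for url in urls:
        finding = assess_elasticsearch(url, fetch)
        if finding is not None and (finding.unauthenticated or finding.plaintext):
            out.append(finding)
    return out


# Constructed stand-ins for three backends (not real hosts): an open node on
# plain HTTP, a node behind authentication, and a web server that is not
# Elasticsearch at all.
SAMPLE_TARGETS = ["http://10.0.0.5:9200", "https://10.0.0.6:9200", "http://10.0.0.7:8080"]
CONSTRUCTED_RESPONSES = {
    "http://10.0.0.5:9200/": (200, json.dumps(
        {"name": "node-1", "cluster_name": "app-backend", "tagline": "You Know, for Search"})),
    "http://10.0.0.5:9200/_cat/indices?format=json": (200, json.dumps(
        [{"index": "users"}, {"index": "sessions"}])),
    "https://10.0.0.6:9200/": (401, ""),
    "http://10.0.0.7:8080/": (200, "<html>not a search engine</html>"),
}


def fake_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Offline fetcher serving the constructed responses above."""
    return CONSTRUCTED_RESPONSES.get(url, (0, ""))


if __name__ == "__main__":
    for f in scan(SAMPLE_TARGETS, fake_fetch):
        print(f"{f.url}: open={f.unauthenticated} plaintext={f.plaintext} indices={f.indices}")
```

Point `scan()` at your own backend URLs with the default `fetch_http` to run it for real, and only against servers you are authorized to test. A 401 or 403 from the root URL shows authentication is enforced, but a host on `http://` is still reported, because the report treats unencrypted transport as a separate failure from missing authentication.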
Experts have cast doubt on a recent report claiming that hackers linked to a Russian military intelligence agency used a piece of Android malware to track Ukrainian artillery units. A report published by threat intelligence firm CrowdStrike before Christmas revealed that the Russia-linked cyberespionage group known as Fancy Bear (aka APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit) modified a legitimate Android app used by the Ukrainian military. Specifically, researchers found an Android version of X-Agent, a piece of malware known to be used by Fancy Bear, embedded in an app developed by artillery officer Yaroslav Sherstuk to help military personnel reduce the time needed to fire D-30 howitzers. According to CrowdStrike, the malicious app, which had been distributed on Ukrainian military forums from late 2014 through 2016, was capable of accessing contact information, SMS messages, call logs and Internet data. The security firm believes these capabilities could have allowed Russia to track Ukrainian troops via the app. CrowdStrike also pointed to a report claiming that Ukraine had lost many D-30 guns in the past years, and speculated that this cyber operation may have contributed to those losses. Based on its investigation, the company is confident that Fancy Bear is connected to the Russian military, particularly the GRU foreign military intelligence agency. Sherstuk has called CrowdStrike's report "delusional" and pointed out that the app is not open source. He says the application has been under his control and he personally oversees the activation of each installation. Jeffrey Carr, CEO of Taia Global and founder of the Suits and Spooks conference, has analyzed CrowdStrike's report and, after contacting several other experts, determined that the security firm's arguments are flawed.
According to Carr, while X-Agent may be used by Fancy Bear, the malware is not exclusive to the group. The X-Agent source code appears to have been obtained by several entities, including Ukrainian hacktivist Sean Townsend and the security firm ESET. The X-Agent variant found in the Ukrainian military app has also been analyzed by CrySyS, the Hungary-based security lab that has investigated several sophisticated pieces of malware, including Duqu. Researchers have found similarities between X-Agent implants described in previous Fancy Bear reports and the version found in the Ukrainian military app, but they pointed out that such similarities can be faked by threat actors. Another interesting discovery is that the rogue app does not use GPS to obtain the infected device's exact location, which Carr calls "a surprising design flaw for custom-made malware whose alleged objective was to collect and transmit location data on Ukrainian artillery to the GRU". While the malware can collect some location data via the base stations used by the infected Android device, Carr believes it's not enough to track someone, especially given Ukraine's poor cellular service. Pavlo Narozhnyy, a technical adviser to Ukraine's military, told VOA that he doubts the D-30 app can be hacked, and he claimed that none of the app's users reported any D-30 howitzer losses. Carr also highlighted that the malware-infected app may not have actually made it onto a single Ukrainian soldier's Android device, considering that each user needed to contact Sherstuk personally to obtain an activation code.