to the high-ranking officials they wanted to infect. The emails came with a file attachment which, when opened, would covertly install their malware. EyePyramid would collect information from the target's system, such as passwords, sensitive documents, and more. The malware would upload this data to various online servers or send it to an email address (via SMTP). Italian officials said the two suspects, Giulio Occhionero (age 45) and Francesca Maria Occhionero (age 49), had most likely used this information for financial profit. It is unclear whether this means stock market transactions or blackmail attempts. The two were discovered when one of their emails reached a security researcher, who discovered the payload and notified local police. An investigation followed, and Italian police, together with the FBI, arrested the two and seized servers used to spread the malware and store the stolen data. The two deployed their malware in separate campaigns that took place in 2008, 2010, 2011, 2012, and 2014. Court documents reveal the men used the malware to collect around 87GB of data, consisting of keystroke information, 18,327 usernames, and 1,793 passwords. Username and password information was arranged in 122 categories based on the target's affiliation, such as business, politics, and more. The EyePyramid malware targeted the following file types for exfiltration: A full list of IOCs has been compiled by Trend Micro security researcher Federico Maggi and is available on GitHub. The researcher has also published an analysis of the malware's inner workings, not available in court documents, on the Trend Micro blog.
The list of victims includes names such as former prime minister Matteo Renzi, former prime minister Mario Monti, cardinal Gianfranco Ravasi, head of the European Central Bank Mario Draghi, Vatican officials, members of Italy's tax police, Bank of Italy officials, representatives of the Italian Senate, and members of several Italian ministries (Finance, Economy, Internal Affairs, Foreign Affairs, and others). In a TV interview, Italian investigators said Giulio Occhionero was a high-ranking member of a Masonic lodge. The words "eye" and "pyramid," used regularly in the malware's source code, are among the best-known symbols of Freemasonry.
Insecure backend databases and mobile apps are making for a dangerous combination, exposing an estimated 280 million records that include a treasure trove of private user data. According to a report by Appthority, more than 1,000 apps it looked at on mobile devices leaked personally identifiable information that included passwords, location, VPN PINs, emails and phone numbers. Appthority's Mobile Threat Team called the vulnerability HospitalGown and said the culprit behind the threat is misconfigured backend storage platforms including Elasticsearch, Redis, MongoDB and MySQL. "HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers' failure to properly secure the backend servers with which the app communicates," wrote the authors of the report released Wednesday. According to Seth Hardy, director of security research, the problem is a byproduct of the insecure database installations that made headlines in February. That's when misconfigured and insecure MongoDB, Hadoop and CouchDB installations became popular extortion targets for hackers who were scanning for vulnerable servers to attack. The weak link in the chain when it comes to HospitalGown is the insecure servers that apps connect to, Hardy said. During the course of Appthority's investigation, it found 21,000 open Elasticsearch servers, revealing more than 43 terabytes of exposed data. In one scenario, the attacker looks for vulnerabilities in the space between the vendor's mobile application and the app's server-side components, according to researchers.
"The servers for most mobile applications are cloud based and accessible via the Internet; this allows a bad actor to skip the long and potentially many-layered 'compromise' stage of an attack, accessing company data directly from a database that is impossible for the enterprise to see or secure," they wrote. Researchers said the vulnerable mobile apps they found ran the gamut from office productivity, enterprise access management, games and dating to travel, flight and hotel applications. Any personally identifiable data a user shared with the app was vulnerable to possible exfiltration by a hacker. "These servers were accessible from the Internet, lacked any means of authentication to prevent unwanted access to the data they contained, and failed to secure transport of data, including PII, using HTTPS conventions," according to the report. While this is strictly a data security issue, Appthority said, attacks can quickly escalate and personal information could easily be leveraged in a spear phishing attack or brute force attack. In its report, Appthority showed how a mobile VPN app called Pulse Workspace, used by enterprises, government agencies and service providers, leaked data. While Pulse Workspace created an API to secure front-end Elasticsearch access, the backend, and all of the app's data records, were exposed and leaked Pulse customer data. Appthority notified Pulse Workspace and its customers of the vulnerability, which has since been fixed.
Appthority is careful to point out that each of the platforms it examined (Elasticsearch, Redis, MongoDB, and MySQL) had plugins to allow for proper public exposure on the internet. "Best practices on secure data stores are just not being adopted in too many cases," Hardy said. Elasticsearch, for example, has a bevy of security and data protection capabilities, such as being able to encrypt all the data that's on the platform. Increasing the risk of HospitalGown-type attacks is the fact that many apps Appthority looked at seemed benign in terms of shared user data. But increasingly, apps have advertising components that collect personally identifiable data that can be mined by hackers for phishing or ransomware attacks. App developers and system administrators need to know where their data is stored and make sure it is secured, Hardy told Threatpost.
Developers are once again being blamed for cloud back-end security vulnerabilities, this time in a new report from Appthority. The company published investigation results that found nearly 43 TB of enterprise data was exposed on cloud back-ends, including personally identifiable information (PII). This comes shortly after a similar report from a different security company. In the new "2017 Q2 Enterprise Mobile Threat Report" (free upon providing registration info), Appthority found "data leakage" from mobile apps that send data to unsecured cloud back-ends. While security concerns typically focus on a triad of other factors -- apps, device threats and network threats -- this data leakage on the back-end was dubbed the "HospitalGown" threat because of that garment's open back. "In total, we found almost 43 TB of data exposed and 1,000 apps affected by the HospitalGown vulnerability," Appthority said in a blog post last week. "Looking at a subset of 39 apps, we still found 280 million records exposed, a total of about 163 GB of data. This is a staggering amount of leaked information, and in some cases represents the entirety of customer or operational data for an enterprise." The report echoes the findings of an earlier report by RedLock Inc., which revealed many security issues primarily caused by user misconfigurations on public cloud platforms. RedLock claimed it found 82 percent of hosted databases remain unencrypted, among many other problems.
As with the RedLock report, developers were blamed for the HospitalGown vulnerabilities. "HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers' failure to properly secure the back-end (hence its name) servers with which the app communicates and where sensitive data is stored," Appthority said. Unsecured Elasticsearch servers and MongoDB databases were prime targets of a series of ransomware attacks earlier this year that generated widespread publicity in the security field. However, that publicity apparently wasn't enough to significantly alleviate the issue. "As our findings show, weakly secured back-ends in apps used by employees, partners and customers create a range of security risks including extensive data leaks of personally identifiable information (PII) and other sensitive data," the report states. "They also significantly increase the risk of spear phishing, brute force login, social engineering, data ransom, and other attacks. And, HospitalGown makes data access and exfiltration far easier than other types of attacks." Key findings of the report as listed by the company include:

- Affected apps are connecting to unsecured data stores on popular enterprise services, such as Elasticsearch and MySQL, which are leaking large amounts of sensitive data. Apps using just one of these services revealed almost 43TB of exposed data.
- Multiple affected apps leaked some form of PII, including passwords, location, travel and payment details, corporate profile data (including employees' VPN PINs, emails, phone numbers), and retail customer data.
- Enterprise security teams do not have visibility into the risk due to the risk's location in the mobile app vendor's architecture stack.
- In multiple cases, data has already been accessed by unauthorized individuals and ransomed.
- Even apps that have been removed from devices and the app stores still pose an exposure risk due to the sensitive data that remains stored on unsecured servers.

The company said its Mobile Threat Team identified the HospitalGown vulnerabilities with a combination of its dynamic app analysis tool and a new back-end scanning method, looking at the network traffic of more than 1 million enterprise mobile apps, both iOS and Android. As with the misconfiguration problems identified in the RedLock report, Appthority emphasized that all cases of HospitalGown vulnerabilities were caused by human error, not malicious intent or inherent infrastructure problems. That human error was especially prevalent in two app implementations investigated by Appthority: Pulse Workspace (for accessing enterprise network and Web applications) and Jacto apps (from an agricultural machinery company).
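Both HospitalGown write-ups above come down to the same misconfiguration: a datastore listening on a reachable interface with no authentication and no TLS in front of it. The following audit is an added example, not Appthority's tooling; it checks Elasticsearch (6.x/7.x key names) and Redis configuration text for that pattern, and the sample configs it runs on are constructed.

```python
"""Flag the HospitalGown pattern in datastore configs: a service bound to a reachable
interface with no authentication in front of it. Added example, not Appthority's tooling;
the sample configs are constructed; key names are Elasticsearch 6.x/7.x and Redis."""
LOOPBACK = ("127.", "::1", "localhost", "_local_")

def parse_flat(text, sep):
    """Parse 'key<sep>value' lines (elasticsearch.yml dotted keys, redis.conf
    directives) into a dict; comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(sep)
            conf[key.strip()] = value.strip().strip('"')
    return conf

def audit_elasticsearch(yml):
    """Findings for an elasticsearch.yml; an empty list means nothing flagged."""
    c, findings = parse_flat(yml, ":"), []
    host = c.get("network.host", "_local_")  # default: loopback only
    if not host.startswith(LOOPBACK):
        findings.append(f"network.host={host}: reachable beyond loopback")
        if c.get("xpack.security.enabled", "false").lower() != "true":
            findings.append("xpack.security.enabled not true: REST API needs no credentials")
        if c.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
            findings.append("HTTP TLS off: records cross the network in cleartext")
    return findings

def audit_redis(conf):
    """Findings for a redis.conf. Without a bind directive Redis listens on every
    interface and relies on protected-mode, which only applies when bind is unset."""
    c, findings = parse_flat(conf, " "), []
    binds = c.get("bind", "0.0.0.0").split()
    if any(not b.lstrip("-").startswith(LOOPBACK) for b in binds):
        findings.append(f"bind {' '.join(binds)}: reachable beyond loopback")
        if "requirepass" not in c:
            if "bind" in c or c.get("protected-mode", "yes") == "no":
                findings.append("no requirepass, protected-mode not in effect: unauthenticated access")
            else:
                findings.append("no requirepass: only protected-mode keeps remote clients out")
    return findings

# Constructed samples: the weak settings beside corrected ones.
ES_EXPOSED = "network.host: 0.0.0.0\nhttp.port: 9200\n"
ES_HARDENED = "network.host: 0.0.0.0\nxpack.security.enabled: true\nxpack.security.http.ssl.enabled: true\n"
REDIS_EXPOSED = "bind 0.0.0.0\nprotected-mode no\n"
REDIS_HARDENED = "bind 127.0.0.1 -::1\nrequirepass CHANGE_ME_PLACEHOLDER\n"
```

The hardened Elasticsearch sample still reports that it is reachable beyond loopback, which is the intended reminder that a public bind is acceptable only once authentication and TLS are on.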
Researchers from Ben-Gurion University of the Negev have developed a way in which hackers can extract data from a victim's computer using the LED lights displayed on their router. They can do so using a malware named xLED, as reported by JPost. The Cyber Security Research Center at the Ben-Gurion University of the Negev, which is located in Israel, has come up with a way to hack into a user's computer and steal vital data in the form of LED lights that are displayed on a router. Essentially, the operation would require a specially crafted malware named xLED, which would need to be installed on a router in order to hack a victim. That is, the router needs to have a security flaw so as to allow the hacker to install the malware in the first place. It can also be possible if flawed firmware has been installed in the router, thus making it easier for the attacker to break through the device. Once the malware is installed, the data can be exfiltrated in binary form represented by the blinking of the lights. Hence, when a light is off it represents a zero, and when it is on it represents a one. A video recording device can be used to capture the blinking pattern and utilized to steal vital information that is being transmitted through the router. The device can be anything from a recording drone to a CCTV camera. As long as the camera captures the blinking lights, the data being transmitted can be easily stolen. The researchers indicated that since the rate of exfiltration depends upon the number of LEDs present on a router, it goes without saying that the more LEDs a router has, the more data can be exfiltrated at any one time. Furthermore, the researchers tested various video-recording setups to see which is the most efficient and found that the method involving optical sensors was the best.
This is because it received data at a higher rate and was able to sample the LED lights more quickly than any other method. Specifically, a data exfiltration rate of 1000 bit/sec per LED was achieved using optical sensors. Although the researchers indicated that the method is the most effective one to steal a large amount of data, they also stated that, since the method involves installing malware on a router, a number of other techniques could be used to extract data anyway. This is because once the malware is already on the router, there are other ways in which attackers can directly intercept the data being transmitted without the need for any video recording devices.
Morphisec researchers have spotted another attack campaign using fileless malware that is believed to be mounted by the infamous FIN7 hacking group. The goal of the campaign is to gain control of the target businesses' systems, install a backdoor, and through it perform continual exfiltration of financial information. "Like past attacks, the initial infection vector is a malicious Word document attached to a phishing email that is well-tailored to the targeted business and its day-to-day operations," the researchers noted. "The Word document executes a fileless attack that uses DNS queries to deliver the next shellcode stage (Meterpreter). However, in this new variant, all the DNS activity is initiated and executed solely from memory – unlike previous attacks which used PowerShell commands." The researchers attribute this one important change to the group's efforts to stay one step ahead of the defenders, and they are succeeding: "After decryption of the second stage shellcode, the shellcode deletes the 'MZ' prefix from within a very important part of the shellcode. This prefix indicates it may be a DLL, and its deletion helps the attack to evade memory scanning solutions," the researchers found. "If this DLL was saved on disk, many security solutions would immediately identify it as a CobaltStrike Meterpreter, which is used by many attackers and pen testers." But it's not, and it passes undetected. In-memory resident attacks and the use of fileless malware are on the rise, and FIN7 is one group that has been employing this approach regularly. There can be no doubt other attackers will try to implement the same tactic.
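Because the stage is pulled down over DNS rather than written to disk, the place a defender can still see it is the resolver log: many queries in a short window for distinct, long, random-looking subdomains of one domain. The scorer below is an added example, not Morphisec's tooling; the log lines, the log format ("time client qname qtype") and the thresholds are all constructed.

```python
"""Score DNS query logs for the pattern behind DNS-based stage delivery: a burst of
queries for many distinct, long, random-looking subdomains of one domain, often TXT.
Added example, not Morphisec's tooling; log lines and thresholds are constructed."""
import math
from collections import defaultdict

# Constructed log: "time client qname qtype". The badexample.net burst is the pattern.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 www.example.com A
10:00:02 10.1.2.3 mail.example.com MX
10:00:05 10.1.2.3 0a3f9c1e2b7d4f60.stage.badexample.net TXT
10:00:05 10.1.2.3 1b4e8d2f3c9a5e71.stage.badexample.net TXT
10:00:06 10.1.2.3 2c5f7a3d4e8b6c82.stage.badexample.net TXT
10:00:06 10.1.2.3 3d6a9b4c5f7c7d93.stage.badexample.net TXT
10:00:07 10.1.2.3 4e7b1c5d6a8d8ea4.stage.badexample.net TXT
"""

def shannon_entropy(s):
    """Bits per character: random-looking labels score high, dictionary words low."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def score_domains(log_text, min_queries=4):
    """Group queries by registered domain (approximated as the last two labels) and
    return {domain: stats} for those that look like a delivery channel."""
    per_domain = defaultdict(lambda: {"labels": set(), "txt": 0, "total": 0})
    for line in log_text.splitlines():
        _, _, qname, qtype = line.split()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:  # bare registered domain carries no subdomain payload
            continue
        d = per_domain[".".join(labels[-2:])]
        d["labels"].add(labels[0])
        d["total"] += 1
        d["txt"] += qtype == "TXT"
    flagged = {}
    for domain, d in per_domain.items():
        if d["total"] < min_queries:
            continue
        labels = d["labels"]
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        # near-unique, long, high-entropy leftmost labels: payload chunks, not hostnames
        if len(labels) / d["total"] > 0.8 and mean_len >= 12 and mean_ent > 3.0:
            flagged[domain] = {"queries": d["total"], "unique": len(labels),
                               "txt_ratio": d["txt"] / d["total"], "entropy": round(mean_ent, 2)}
    return flagged
```

The last-two-labels grouping is a simplification; against real logs, group on the public-suffix list so that hosts under ccTLDs such as co.uk are not lumped together.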
FIN7 has previously been tied to a sophisticated spear-phishing campaign hitting US-based businesses with emails purportedly coming from the US Securities and Exchange Commission (SEC), and Morphisec researchers believe that the series of attacks leveraged against 140+ banks and other businesses earlier this year is also their work. FIN7 is also associated with the infamous Carbanak gang, but whether they are one and the same is still impossible to say for sure.