The two hired the services of a local programmer to develop their own brand of malware , a backdoor trojan , which authorities have named EyePyramid . The men used simple spear-phishing emails sent Attack.Phishing to the high-ranking officials they wanted to infect . The emails came with a file attachment , which when opened would covertly install their malware . EyePyramid would collect Attack.Databreach information from the target 's system , such as passwords , sensitive documents , and more . The malware would upload this data to various online servers or send to an email address ( via SMTP ) . Italian officials said the two suspects , Giulio Occhionero ( age 45 ) and Francesca Maria Occhionero ( age 49 ) , had most likely used this information for financial profits . It is unclear if this means stock market transactions or blackmail attempts . The two were discovered when one of their emails reached a security researcher , who discovered the payload and notified local police . An investigation followed , and Italian police , together with the FBI , arrested the two and seized servers used to spread the malware and store the stolen data . The two deployed their malware in separate campaigns that took place in 2008 , 2010 , 2011 , 2012 , and 2014 . Court documents reveal the men used the malware to collect Attack.Databreach around 87GB of data , consisting of keystroke information , 18,327 usernames , and 1,793 passwords . Username and password information was arranged in 122 categories , based on the target 's affiliation , such as business , politics , and more . The EyePyramid malware targeted the following file types for exfiltration Attack.Databreach : A full list of IOCs has been compiled by Trend Micro security researcher Federico Maggi and is available on GitHub . The researcher has also published an analysis of the malware 's inner workings , not available in court documents , on the Trend Micro blog . The list of victims includes names such as former prime minister Matteo Renzi , former prime minister Mario Monti , cardinal Gianfranco Ravasi , head of the European Central Bank Mario Draghi , Vatican officials , members of Italy 's tax police , Bank of Italy officials , and representatives of the Italian Senate , and members of several Italian ministries ( Finance , Economy , Internal Affairs , Foreign Affairs , and others ) . In a TV interview , Italian investigators said Giulio Occhionero was a high-ranking member of a Masonic lodge . The words `` eye '' and `` pyramid , '' used regularly in the malware 's source code , are some of the most known symbols of Freemasonry .

Insecure backend databases and mobile apps are making for a dangerous combination , exposing Attack.Databreach an estimated 280 million records that include a treasure-trove of private user data . According to a report by Appthority , more than 1,000 apps it looked at on mobile devices leaked Attack.Databreach personally identifiable information that included passwords , location , VPN PINs , emails and phone numbers . Appthority Mobile Threat Team called Vulnerability-related.DiscoverVulnerability the vulnerability HospitalGown and said Vulnerability-related.DiscoverVulnerability the culprit behind the threat are misconfigured backend storage platforms including Elasticsearch , Redis , MongoDB and MySQL . “ HospitalGown is a vulnerability to data exposure caused , not by any code in the app , but by the app developers ’ failure to properly secure the backend servers with which the app communicates , ” wrote the authors of the report released Vulnerability-related.DiscoverVulnerability Wednesday . According to Seth Hardy , director of security research , the problem is a byproduct of insecure database instillations that made headlines Vulnerability-related.DiscoverVulnerability in February . That ’ s when misconfigured and insecure MongoDB , Hadoop and CouchDB installations became popular extortion Attack.Ransom targets for hackers who were scanning for vulnerable servers to attack . The weak link in the chain when it comes to HospitalGown are the insecure servers that apps connect to , Hardy said . During the course of Appthority ’ s investigation , it found Vulnerability-related.DiscoverVulnerability 21,000 open Elasticsearch servers , revealing more than 43 terabytes of exposed data . In one scenario , the attacker looks for vulnerabilities in the space between the vendor ’ s mobile application and the app ’ s server side components , according to researchers . “ The servers for most mobile applications are cloud based and accessible via the Internet , this allows a bad actor to skip the long and potentially many-layered ‘ compromise ’ stage of an attack , accessing Attack.Databreach company data directly from a database that is impossible for the enterprise to see or secure , ” they wrote . Researchers said Vulnerability-related.DiscoverVulnerability vulnerable mobile apps it found Vulnerability-related.DiscoverVulnerability ran the gamut , from office productivity , enterprise access management , games , dating to travel , flight and hotel applications . Any personal identifiable data a user shared with the app was vulnerable Vulnerability-related.DiscoverVulnerability to possible exfiltration Attack.Databreach by a hacker . “ These servers were accessible from the Internet , lacked any means of authentication to prevent unwanted access Attack.Databreach to the data they contained , and failed to secure transport of data , including PII , using HTTPS : conventions , ” according to the report . While this is a strictly a data security issue , Appthority said Vulnerability-related.DiscoverVulnerability , attacks can quickly escalate and personal information could easily be leveraged in a spear phishing attack Attack.Phishing or brute force attack . In its report , AppThority showed how a mobile VPN app called Pulse Workspace , used by enterprises , government agencies and service providers , leaked Attack.Databreach data . While Pulse Workspace created an API to secure front-end Elasticsearch access , the backend , and all of the app ’ s data records , were exposed and leaked Attack.Databreach Pulse customer data . AppThority notified Vulnerability-related.DiscoverVulnerability Pulse Workspace and its customers of the vulnerability , which have since been fixed Vulnerability-related.PatchVulnerability . Appthority is careful to point out that of the platforms it examined – Elasticsearch , Redis , MongoDB , and MySQL – each had plugins to allow for proper public exposure on the internet . “ Best practices on secure data stores is just not being adopted in too many cases , ” Hardy said . Elasticsearch , for example , has a bevy of security and data protection capabilities , such as being able to encrypt all the data that ’ s on the platform . Increasing the risk of HospitalGown type-attacks is that fact that many apps Appthority looked at seemed benign in terms of shared user data . But , increasingly apps have advertising components that collect Attack.Databreach personal identifiable data that can be mined by hackers for phishing Attack.Phishing or ransomware attacks Attack.Ransom . App developers and system administrators need to know where their data is stored and make sure it is secured , Hardy told Threatpost .

Developers are once again being blamed Vulnerability-related.DiscoverVulnerability for cloud back-end security vulnerabilities , this time in a new report Vulnerability-related.DiscoverVulnerability from Appthority . The company published investigation results that found nearly 43 TB of enterprise data was exposed Attack.Databreach on cloud back-ends , including personally identifiable information ( PII ) . This comes just shortly after a similar report from a different security company . In the new `` 2017 Q2 Enterprise Mobile Threat Report '' report ( free upon providing registration info ) , Appthority found `` data leakage Attack.Databreach `` from mobile apps that send data to unsecured cloud back-ends . While security concerns typically focus on a triad of other factors -- apps , device threats and network threats -- this data leakage Attack.Databreach on the back-end was dubbed the `` HospitalGown '' threat because of that garment 's open back-end . `` In total , we found Vulnerability-related.DiscoverVulnerability almost 43 TB of data exposed Attack.Databreach and 1,000 apps affected Vulnerability-related.DiscoverVulnerability by the HospitalGown vulnerability , '' Appthority said Vulnerability-related.DiscoverVulnerability in a blog post last week . `` Looking at a subset of 39 apps , we still found 280 million records exposed Attack.Databreach , a total of about 163 GB of data . This is a staggering amount of leaked information , and in some cases represents the entirety of customer or operational data for an enterprise . '' The report Vulnerability-related.DiscoverVulnerability echoes the findings of an earlier report Vulnerability-related.DiscoverVulnerability by RedLock Inc. , which revealed Vulnerability-related.DiscoverVulnerability many security issues primarily caused by user misconfigurations on public cloud platforms . RedLock claimed it found 82 percent of hosted databases remain unencrypted , among many other problems . As with the RedLock report Vulnerability-related.DiscoverVulnerability , developers were blamed Vulnerability-related.DiscoverVulnerability for the HospitalGown vulnerabilities. `` HospitalGown is a vulnerability to data exposure caused , not by any code in the app , but by the app developers ' failure to properly secure the back-end ( hence its name ) servers with which the app communicates and where sensitive data is stored , '' Appthority said . Unsecured Elasticsearch servers and MongoDB databases were prime targets of a series of ransomware attacks Attack.Ransom earlier this year that generated widespread publicity in the security field . However , that publicity apparently was n't enough to significantly alleviate the issue . `` As our findings show , weakly secured back-ends in apps used by employees , partners and customers create a range of security risks including extensive data leaks Attack.Databreach of personally identifiable information ( PII ) and other sensitive data , '' the report states . `` They also significantly increase the risk of spear phishing Attack.Phishing , brute force login , social engineering , data ransom Attack.Ransom , and other attacks . And , HospitalGown makes data access Attack.Databreach and exfiltration Attack.Databreach far easier than other types of attacks . '' Key findings of the report as listed by the company include : Affected apps are connecting to unsecured data stores on popular enterprise services , such as Elasticsearch and MySQL , which are leaking Attack.Databreach large amounts of sensitive data . Apps using just one of these services revealed almost 43TB of exposed data . Multiple affected apps leaked Attack.Databreach some form of PII , including passwords , location , travel and payment details , corporate profile data ( including employees ' VPN PINs , emails , phone numbers ) , and retail customer data . Enterprise security teams do not have visibility into the risk due to the risk 's location in the mobile app vendor 's architecture stack . In multiple cases , data has already been accessed Attack.Databreach by unauthorized individuals and ransomed Attack.Ransom . Even apps that have been removed from devices and the app stores still pose an exposure Attack.Databreach risk due to the sensitive data that remains stored on unsecured servers . The company said Vulnerability-related.DiscoverVulnerability its Mobile Threat Team identified Vulnerability-related.DiscoverVulnerability the HospitalGown vulnerabilities with a combination of its dynamic app analysis tool and a new back-end scanning method , looking at the network traffic on more than 1 million enterprise mobile apps , both iOS and Android . As with the misconfiguration problems identified Vulnerability-related.DiscoverVulnerability in the RedLock report Vulnerability-related.DiscoverVulnerability , Appthority emphasized Vulnerability-related.DiscoverVulnerability that all cases of HospitalGown vulnerabilities were caused by human errors , not malicious intent or inherent infrastructure problems . That human error was especially prevalent in two app implementations investigated by Appthority : Pulse Workspace ( for accessing enterprise network and Web applications ) and Jacto apps ( from an agricultural machinery company ) .

Researchers from the University of Negvu have developed a way in which hackers can extract Attack.Databreach data from a victim ’ s computer using the LED lights displayed on their router . They can do so using a malware named xLED , as reported by JPost . The Cyber Security Research Center at the Ben-Gurion University of the Negvu which is located in Israel have come up with a way to hack into a user ’ s computer and steal Attack.Databreach vital data in the form of LED lights that are displayed on a router . Essentially , the operation would require a specially crafted malware named xLED which will need to be installed on a router in order to hack a victim . That is , the router needs to have a security flaw so as to allow the hacker to install the malware in the first place . It can also be possible if a flawed firmware has been installed in the router , thus making it easier for the attacker to break through the device . Once the malware is installed , the data can be exfiltrated Attack.Databreach in the binary form represented by the blinking of lights . Hence , when the light is off , it will represent a zero while when it is on , it will represent a one . A video recording device can be used to capture the blinking pattern and utilized to steal Attack.Databreach vital information that is being transmitted through the router . The device can be anything from a recording drone to a CCTV camera . As long as the camera captures the blinking lights , the data being transmitted can be easily stolen Attack.Databreach . The researchers indicated that since the rate of exfiltration Attack.Databreach of data depends upon the number of LEDs being present on a router , it goes without saying that the more number of LEDs on a router , the more amount of data can be exfiltrated Attack.Databreach at any one time . Furthermore , the researchers tested various video-recording setups to see which is the most efficient and found out that the method involving Optical Sensors was the best . This is because it received data at a higher rate and was able to sample the LED lights more quickly than any other methods . Primarily , a data exfiltration Attack.Databreach rate of 1000 bit/sec per LED was achieved using Optical Sensors . Although the researchers indicated that the method is the most effective one to steal Attack.Databreach a large amount of data , they , however , stated that since the method involves installing malware on a router , a number of other techniques can be used to extract Attack.Databreach data anyway . This is because once the malware is already on the router , there are other ways in which attackers can directly intercept Attack.Databreach the data being transmitted without the need of any video recording devices .

Morphisec researchers have spotted another attack campaign using fileless malware that is believed to be mounted by the infamous FIN7 hacking group . The goal of the campaign is to gain control of the target businesses ’ systems , install a backdoor , and through it perform continual exfiltration Attack.Databreach of financial information . “ Like past attacks , the initial infection vector is a malicious Word document attached to a phishing email that is well-tailored Attack.Phishing to the targeted business and its day-to-day operations , ” the researchers noted . “ The Word document executes a fileless attack that uses DNS queries to deliver the next shellcode stage ( Meterpreter ) . However , in this new variant , all the DNS activity is initiated and executed solely from memory – unlike previous attacks which used PowerShell commands. ” The researchers attribute this one important change to the group ’ s efforts to stay one step ahead of the defenders , and they are succeeding : “ After decryption of the second stage shellcode , the shellcode deletes the ‘ MZ ’ prefix from within a very important part of the shellcode . This prefix indicates it may be a DLL , and its deletion helps the attack to evade memory scanning solutions , ” the researchers found . “ If this DLL was saved on disk , many security solutions would immediately identify it as a CobaltStrike Meterpreter , which is used by many attackers and pen testers. ” But it ’ s not , and it passes undetected . In-memory resident attacks and the use of fileless malware are on the rise , and FIN7 is one group that has been employing this approach regularly . There can be no doubt other attackers will try to implement the same tactic . FIN7 has previously been tied to a sophisticated spear-phishing campaign hitting Attack.Phishing US-based businesses with emails purportedly coming from Attack.Phishing the US Securities and Exchange Commission ( SEC ) , and Morphisec researchers believe that the series of attacks leveraged against 140+ banks and other businesses earlier this year is also their work . FIN7 is also associated with the infamous Carbanak gang , but whether they are one and the same it ’ s still impossible to say for sure .