Threat Summary - Week 38, 2019

Reports / Surveys

IoT bot attacks surge, Mirai still going strong

Malicious bot traffic skyrocketed in the first half of this year according to research by F-Secure, with the company’s honeypots registering more than triple the number of incoming connections compared with the second half of 2018. 99.9% of the attacks involved automated traffic coming from computers as well as all kinds of Internet-of-Things (IoT) devices, while the malware used in these attacks was often linked to the infamous Mirai IoT botnet that has been around since 2016. The bulk of malicious traffic originated in China, the US and Russia. The most targeted ports were:

  • 23/TCP (Telnet)
  • 1900/UDP (UPnP, plug-and-play devices)
  • 445/TCP (SMB)
  • 22/TCP (SSH)
  • 1433/TCP (MSSQL)

When it comes to attacks on actual endpoints, F-Secure noted an uptick in ransomware campaigns during H1 2019, the majority of which involved attacks on RDP services (31%) or the distribution of malicious emails (23%).

Healthcare organizations are exposing millions of medical records

Healthcare organizations are leaving millions if not billions of medical records exposed to the Internet via unsecured or misconfigured healthcare systems and databases, analysts with IntSights warn in a new study. Researchers with the firm spent 90 hours evaluating 50 databases, 15 (30%) of which were exposing a total of 1.5 million medical records. This implies that skilled hackers should be able to discover thousands or even tens of thousands of medical records every hour (the researchers averaged 16,667 records/hour). Attackers can sell this data on underground marketplaces for about $1 per record.

94% of US consumers want firms to improve their cybersecurity

Almost 6 in 10 (58%) Americans have either experienced personal data compromise themselves or know someone who has, a recent survey by IBM and Harris Poll shows. Cybersecurity awareness is growing, with nearly all US consumers (94%) saying they want companies to step up their efforts to safeguard people against cybersecurity threats. The vast majority of respondents also stated that consumers no longer have control over how businesses use their private information (84%) and that they would boycott firms that share consumer data without consent (83%). Almost two-thirds of people (64%) have decided not to work for a certain organization over their data handling practices.

Common encryption issues, exposed ports and outdated systems put SMBs at risk

The vast majority of small to mid-sized businesses (SMBs) are leaving themselves vulnerable to cyberattacks by failing to resolve common weaknesses in their security posture, a new report by Alert Logic found. 42% of all security issues that were identified at SMBs can be traced back to a set of 13 persistent configuration problems, all of which have to do with encryption. Port scans revealed that the following three ports account for almost two-thirds (65%) of port vulnerabilities:

  • 22/TCP (SSH)
  • 80/TCP (HTTP)
  • 443/TCP (HTTPS)

Two in three (66%) SMBs run Windows versions that are either no longer supported or will reach their end of life (EOL) in January of next year (Windows 7 and Windows Server 2008). In addition, many SMBs are exposed to the same vulnerabilities: 75% of the 20 most common unpatched flaws were discovered more than a year ago.

Data breaches

Leaky database exposes private info of nearly all Ecuadorians

An unsecured database owned by an Ecuadorian firm has exposed highly sensitive personally identifiable information of 20 million people, researchers with vpnMentor have discovered. The massive data leak impacts virtually the entire population of Ecuador (around 17 million). The leaked data includes full names, genders, dates of birth, home addresses, email addresses, financial information, and employment data.

Freaky Infosec Fact of the Week

Hackers can take over your computer by swapping your USB cable with a malicious clone

Earlier this year, a security researcher managed to embed wireless implants into regular USB cables. The O.MG cable looks and functions like any other USB cable, except that the implant provides threat actors with remote access to the computer the cable is plugged into.

What You Can Do

This week, organizations should ensure that they have a consistent monitoring and alerting program for detecting malicious activity, including port scans and authentication attacks against Internet-facing services. Organizations should also ensure that no unnecessary ports are exposed to the Internet, such as RDP or Telnet, since every service reachable from the Internet adds to your external attack surface.
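The two detections the paragraph above asks for, as an added example (not code from the Vonahi post): a port-scan detector that flags a source probing many distinct destination ports within a short window, and an authentication-attack detector that flags repeated login failures against one service. The log lines are constructed sample data in a simplified, made-up format; the thresholds, windows, and regexes are assumptions to adapt to your own firewall and authentication log sources.

```python
"""Flag port scans and authentication attacks in firewall / auth logs.

Added example, not from the original post. The line format below is a
constructed, simplified one (not any vendor's real format); the regexes
are the only thing to change for a real syslog or Windows event feed.
"""
import re
from collections import defaultdict

# Constructed sample logs: timestamps are epoch seconds, addresses are
# documentation ranges. 203.0.113.7 sweeps six ports in three seconds;
# 198.51.100.99 fails six RDP logins in six seconds; 192.0.2.55 is benign.
SAMPLE_LOGS = """\
1568851200 fw DROP src=203.0.113.7 dst=198.51.100.10 dport=21 proto=tcp
1568851201 fw DROP src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp
1568851201 fw DROP src=203.0.113.7 dst=198.51.100.10 dport=23 proto=tcp
1568851202 fw DROP src=203.0.113.7 dst=198.51.100.10 dport=445 proto=tcp
1568851202 fw DROP src=203.0.113.7 dst=198.51.100.10 dport=1433 proto=tcp
1568851203 fw DROP src=203.0.113.7 dst=198.51.100.10 dport=3389 proto=tcp
1568851210 fw DROP src=192.0.2.55 dst=198.51.100.10 dport=443 proto=tcp
1568851300 auth FAIL src=198.51.100.99 service=rdp user=administrator
1568851301 auth FAIL src=198.51.100.99 service=rdp user=admin
1568851302 auth FAIL src=198.51.100.99 service=rdp user=root
1568851303 auth FAIL src=198.51.100.99 service=rdp user=guest
1568851304 auth FAIL src=198.51.100.99 service=rdp user=test
1568851305 auth FAIL src=198.51.100.99 service=rdp user=backup
1568851400 auth FAIL src=192.0.2.55 service=ssh user=alice
1568851460 auth OK src=192.0.2.55 service=ssh user=alice
"""

FW_RE = re.compile(r"^(\d+) fw DROP src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"^(\d+) auth FAIL src=(\S+) service=(\S+) user=(\S+)")


def max_in_window(events, window, distinct):
    """Slide a `window`-second window over (timestamp, item) pairs and return
    the largest number of items (distinct items if `distinct`) in any window."""
    events = sorted(events)
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        items = [item for _, item in events[start:end + 1]]
        best = max(best, len(set(items)) if distinct else len(items))
    return best


def detect_port_scans(log_text, window=60, threshold=5):
    """Return {src: distinct_ports} for sources that hit at least `threshold`
    distinct destination ports within `window` seconds (assumed thresholds)."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, src, _dst, dport = m.groups()
            per_src[src].append((int(ts), int(dport)))
    return {src: n for src, ev in per_src.items()
            if (n := max_in_window(ev, window, distinct=True)) >= threshold}


def detect_auth_bruteforce(log_text, window=300, threshold=5):
    """Return {(src, service): failures} for sources with at least `threshold`
    failed logins against one service within `window` seconds."""
    per_key = defaultdict(list)
    for i, line in enumerate(log_text.splitlines()):
        m = AUTH_RE.match(line)
        if m:
            ts, src, service, _user = m.groups()
            # Each failure counts, so the item is the line index, not the user.
            per_key[(src, service)].append((int(ts), i))
    return {key: n for key, ev in per_key.items()
            if (n := max_in_window(ev, window, distinct=False)) >= threshold}


if __name__ == "__main__":
    for src, n in detect_port_scans(SAMPLE_LOGS).items():
        print(f"ALERT port scan: {src} probed {n} distinct ports")
    for (src, svc), n in detect_auth_bruteforce(SAMPLE_LOGS).items():
        print(f"ALERT auth attack: {src} -> {svc}, {n} failures")
```

The sliding window is what keeps the scan detector honest: a source that touches five ports over a week is not a scan, while five ports in a minute is. Tune `threshold` and `window` to your own baseline, and feed the alerts into whatever ticketing or SIEM pipeline you already run.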

In this blog post, we demonstrate how RDP is still being targeted and how many organizations were found to expose weak services to the public Internet, most of which are unnecessary. During our analysis, we were able to discover over a million RDP services that were exposed unnecessarily to the Internet. Unfortunately, many of these organizations that were discovered are increasing their chances of being attacked by both automated and non-automated password attacks.

Perform a quick network scan across your environments to ensure that unnecessary ports are not exposed to the Internet. This should be conducted on a monthly basis, especially if your organization makes frequent changes to Internet-facing systems. This scan should take no longer than 10 minutes and could save you the significant cost of a potential data breach.
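To make the monthly scan above actionable, the scan output has to be compared against what is documented as intentionally exposed. The following added example (not code from the Vonahi post) parses nmap "grepable" output (`nmap -oG`) and reports every open port that is not on a per-host allowlist, labelling ports the post's figures single out (Telnet, SSH, SMB, MSSQL, RDP, UPnP) as high severity. The scan output, the hosts (documentation addresses), and the allowlist are constructed sample data.

```python
"""Audit an external port scan against an exposure allowlist.

Added example, not from the original post. Input is nmap grepable output
(nmap -oG); the sample below is constructed, as is the allowlist.
"""
import re

# Constructed nmap -oG output for three Internet-facing hosts.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated as: nmap -oG - -p- 198.51.100.10-12
Host: 198.51.100.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)
Host: 198.51.100.11 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (65532)
Host: 198.51.100.12 ()\tPorts: 23/open/tcp//telnet///, 1433/open/tcp//ms-sql-s///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (65532)
# Nmap done at ...
"""

# Hypothetical allowlist: what each host is documented to expose.
ALLOWLIST = {
    "198.51.100.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},  # SSH is a documented exception
    "198.51.100.11": {(443, "tcp")},
}
# Hosts missing from ALLOWLIST only get the default (web only).
DEFAULT_ALLOWED = frozenset({(80, "tcp"), (443, "tcp")})

# Services the post's F-Secure / Alert Logic figures call out as the most
# attacked or most exposed; used only to rank findings.
HIGH_RISK = {
    (23, "tcp"): "Telnet", (22, "tcp"): "SSH", (445, "tcp"): "SMB",
    (1433, "tcp"): "MSSQL", (3389, "tcp"): "RDP", (1900, "udp"): "UPnP",
}

HOST_RE = re.compile(r"^Host: (\S+) \(.*?\)\tPorts: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Return (host, port, proto, state, service) for every port entry in
    nmap -oG output. Each entry is port/state/proto/owner/service/rpc/version."""
    results = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports_field = m.groups()
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            results.append((host, int(fields[0]), fields[2], fields[1], fields[4]))
    return results


def audit_exposure(scan_text, allowlist, default_allowed=DEFAULT_ALLOWED):
    """Return a finding dict for each open port not allowed for its host."""
    findings = []
    for host, port, proto, state, service in parse_grepable(scan_text):
        if state != "open":
            continue  # closed/filtered ports are not exposure
        if (port, proto) in allowlist.get(host, default_allowed):
            continue
        findings.append({
            "host": host, "port": port, "proto": proto, "service": service,
            "severity": "high" if (port, proto) in HIGH_RISK else "medium",
            "label": HIGH_RISK.get((port, proto), service),
        })
    return findings


if __name__ == "__main__":
    for f in audit_exposure(SAMPLE_NMAP_GREPABLE, ALLOWLIST):
        print(f"[{f['severity'].upper()}] {f['host']}:{f['port']}/{f['proto']} "
              f"({f['label']}) is exposed but not on the allowlist")
```

Against your own ranges, produce the input with `nmap -p- -oG external.gnmap <your external ranges>` and point `audit_exposure` at the file contents. The allowlist is the important artifact: once every intentional exposure is written down, any new finding from the monthly scan is by definition a change somebody has to justify or close.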


About Vonahi Security
Vonahi Security is a cybersecurity consulting firm that offers modern consulting services to help organizations achieve both compliance and security best practices. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants have experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io
