Thousands of Unprotected Kibana Instances Exposing Elasticsearch Databases

Researchers and malicious threat actors continue to discover vast troves of unprotected databases and servers exposed to the internet. One report yielded some twenty-six thousand exposed Kibana analytics instances, which could allow unauthorized users to access analytics for massive datasets, without having access to the datasets themselves.

https://www.shodan.io/report/Q1dTCJhM


City of Albany Hit in Ransomware Attack

The City of Albany, New York, suffered a ransomware attack which disabled vital records systems, shift scheduling, and police dispatch systems. The city was better prepared for the possibility of such an attach than the City of Atlanta, though it remains unknown why in-car police dispatch systems were on the same network as vital records and shift scheduling services.

https://www.bleepingcomputer.com/news/security/new-york-albany-capital-hit-by-ransomware-attack/


GoDaddy Takes Down 15,000 Miracle Product Scam Sites

GoDaddy took down over 15,000 scam websites pushing “miracle drugs”, phishing landing pages, and other similar “affiliate marketing” scams. The sites were active for over two years with automated domain generators and content templates that could constantly and consistently create new content at set intervals.

https://unit42.paloaltonetworks.com/takedowns-and-adventures-in-deceptive-affiliate-marketing/


“Sea Turtle” Campaign Abused Third-Party DNS Hijacking

A state-sponsored espionage campaign targeting some 40 public and private entities across the Middle East and North Africa abused DNS infrastructure on the ISP side of the supply chain. The threat actors targeted ISPs and other infrastructure to alter DNS records for specific organizations who used that respective infrastructure to connect to the internet in a multi-year espionage and man-in-the-middle campaign.

https://blog.talosintelligence.com/2019/04/seaturtle.html


IT Giant Wipro Breached in Major Supply Chain Attack

Indian IT services giant Wipro was the target of a major supply chain attack which affected several of Wipro’s clients. Threat actors used Wipro’s systems to gain access to several clients’ networks. It is believed that the threat actors compromised Wipro’s email system and used the trusted status of that system to infect further victims.

https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/


Two-Thirds of Hotel Sites Leak Data to Third Parties

Researchers have discovered than 1,000 hotel websites (out of 1,500 which were tested) across 56 countries leak guest booking details to third party sites, and many of those sites allow direct access to guests’ personal data. Third-party services were allowed to directly view reservation details, personal information, including names, addresses, phone numbers, payment card information, and passport numbers, and, in many cases, cancel reservations.

https://www.symantec.com/blogs/threat-intelligence/hotel-websites-leak-guest-data


Info Stealer Baldr Makes Waves on Threat Actor Markets

An information stealer known as Baldr has become a top seller among cyber criminal marketplaces. The stealer takes as much information as possible and exfiltrates that information as soon as possible, before dying when the victim machine shuts down. The top piece of information sought by Baldr is browser information, including full fingerprints, indicating the importance cyber criminals now place on the ability to harvest and sell legitimate browser fingerprints .

https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/


NamPoHyu Ransomware Targets Remote Samba Servers

A new variant of the MegaLocker ransomware has a built-in capability to scan for unprotected Samba servers and target those servers directly for ransomware infections. Rather than running a local script to launch the infection, the NamPoHyu strain operates remotely. At present, there are approximately 500,000 accessible Samba servers.

https://www.bleepingcomputer.com/news/security/nampohyu-virus-ransomware-targets-remote-samba-servers/


Nasty List Phishing Scam Targets Instagram Users

A phishing scam targeting Instagram users claims that the user is on the “Nasty List” and, upon visiting the page for the list, prompts the user to view the list on an external site, which hosts a credential harvester targeting the user’s Instagram credentials. Once the threat actor harvests a user’s credentials, he logs into their page and spreads the scam letter to all of the user’s followers.

https://www.bleepingcomputer.com/news/security/the-nasty-list-phishing-scam-is-sweeping-through-instagram/


BEC Scam Group London Blue Observed Shifting Tactics

The Nigeria-based London Blue scam group has been observed using new tactics in its business email compromise (BEC) scams. Rather than claiming that the targeted company owes money to a vendor, the group has adopted a mergers and acquisitions theme. In addition, the group has shifted its focus to Asian firms.

https://threatpost.com/bec-scam-gang-london-blue-evolves-tactics-targets/143440/