Cyber Updates – April 1st, 2021

Posted on April 1, 2021 by Webhose


This month we have exciting additions to our coverage, including a patient leak from a Chinese hospital, 8 terabytes of data from the Mobikwik data breach, the detection of Defensor ID banking Trojan, and more.

New Patient Record Leak at Chinese Hospital

Among this month's healthcare-related threats, one post in particular caught our eye: a threat actor shared more than a million leaked records from a hospital based in China.

Medical records are a target for malicious hackers and are frequently shared, sold or requested on the dark web. Over the past year it has been almost impossible for a healthcare facility not to have experienced a data breach; either the facility has yet to experience one, or it simply isn't aware of it.

This week we detected a million leaked medical records from China shared in RaidForums. The leak contains phone numbers, dates of birth, names, medical information, emails, and different IDs used by the facility and owned by the patient. The source of the leak has not yet been disclosed.

Looking at earlier posts by the same actor in the forum, we found additional databases he had shared. This increases the likelihood that the patient record leak at the Chinese hospital is an authentic database.

You can find and monitor this and other leaked content in the Cyber Endpoint. 

To query more similar content, use the query:
title:(patient OR medical OR MRI OR PHI OR health OR hospital OR healthcare) AND (database OR records OR exploit OR vulnerability) -cannabis -news

New Defensor ID Source Code Shared in Hacking Forums

Defensor ID is an Android banking trojan, distributed as an app, that is capable of emptying a victim's bank account or cryptocurrency wallet and taking over email or social media accounts. It performs most of its malicious functionality by abusing Android's accessibility service: once the user enables that access, the malware's full capabilities are unleashed. The malware was first reported around May 2020, and for a short period it was even available as an app on Google Play!

Webhose detected two posts sharing this malware's source code this month. Shared source code of this kind lets other hackers examine the malware's capabilities and take inspiration from them. For instance, it helps hackers build more malware on the same code base with similar or even more dangerous capabilities, as in this Android banking malware.

Such shares also have an upside: they enable cybersecurity researchers to analyze the code, learn more about the capabilities malware can have, and work out how organizations can defend against them.

Webhose detected thousands of similar posts that share or sell the source code of various botnets, malware and trojans.

To find similar posts of source codes, use the query: 

(malware OR trojan OR botnet) AND (sourcecode OR source OR "source code" OR code OR execute OR panel OR apk)

Further reading: Malicious apps on Google Play dropped banking Trojans on user devices

8TB of MobiKwik Data Shared Across the Dark Web

MobiKwik's data breach was disclosed this week. According to findings on the dark web, a malicious actor is selling the data and claims to hold 8 terabytes of the company's user data, including Know Your Customer (KYC) information (government-issued Aadhaar card or PAN ID) of 3.5 million users.

KYC documents are required in India for users who want to access certain services without restrictions. Hackers who obtain this PII can use it to commit various types of fraud.

At Webhose, we were able to detect the post mentioned above, along with mentions of the data breach in other discussions and chat applications. In one Telegram channel, we found a link to a group sharing images of ID cards allegedly obtained from the breach. The group claims that 99,224,559 phone numbers, emails, hashed passwords, addresses, bank accounts, and card details of the company's users were leaked. Needless to say, once discovered, the group was added to our coverage, and its content can now be queried through the Cyber Endpoint.

To query content about this data breach, use the query:
MobiKwik

Further reading: An Exclusive Look Behind the Scenes of a Data Breach

Bitchute Updated Content Now Available

Launched in 2017, BitChute is a social video-hosting service and part of a group of alt-tech websites that position themselves as less strictly moderated alternatives to mainstream social media platforms like YouTube, Facebook, and Twitter. It belongs to the alt-tech sites dedicated to right-wing communities, alongside 4chan, 8chan, Parler, and Gab (all of which are included in Webhose's coverage).

Because of its free speech policy, BitChute became known for its far-right, antisemitic and racist actors, conspiracy theorists, and hate speech. Some channels and users migrate to BitChute after being banned or removed from other platforms. As a result, the site's traffic is steadily increasing, making these topics even more popular with users.

We have recently expanded our coverage of the site extensively for the use cases above, increasing the number of posts collected from it to thousands a day.

To discover content from BitChute, use the query:

site.domain:BitChute.com 
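The four queries in this update share one Lucene-style syntax: field prefixes (title:, site.domain:), parenthesised groups, AND/OR, quoted phrases and a leading minus for exclusion. The following is an added example, not Webhose's code and not the Cyber Endpoint's actual matching semantics: it is a small parser and evaluator that lets you dry-run those queries offline against constructed records, assuming AND binds tighter than OR, adjacent terms are implicitly ANDed, and a field prefix can scope a whole group. The sample records are constructed, not real posts.

```python
import re

# Constructed sample crawler records (not real posts), with the fields the queries address.
POSTS = [
    {"title": "Hospital patient database, 1M records", "text": "phone, dob, email, ids", "site.domain": "raidforums.com"},
    {"title": "Cannabis health news roundup", "text": "new records on dispensaries", "site.domain": "example.com"},
    {"title": "Android trojan source code leak", "text": "apk and panel included", "site.domain": "bitchute.com"},
]
TOKENS = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')  # parens, quoted phrases, bare words

def parse(query):  # recursive descent into (kind, a, b) tuples; AND binds tighter than OR
    toks = TOKENS.findall(query)
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.pop(0)
    def parse_or():
        node = parse_and()
        while peek() == "OR":
            take()
            node = ("or", node, parse_and())
        return node
    def parse_and():  # adjacent terms with no operator are implicitly ANDed
        node = parse_term()
        while peek() not in (None, ")", "OR"):
            if peek() == "AND": take()
            node = ("and", node, parse_term())
        return node
    def parse_term():
        tok = take()
        neg, tok = tok.startswith("-"), tok.lstrip("-")  # leading '-' excludes the term
        m = re.match(r"^([\w.]+):(.*)$", tok)  # 'title:(...)' or 'site.domain:value'
        field, tok = (m.group(1), m.group(2) or take()) if m else (None, tok)
        if tok == "(":
            node = ("field", field, parse_or())  # field (maybe None) scoped over the group
            take()  # consume the closing ')'
        else:
            node = ("match", field, tok.strip('"').lower())
        return ("not", node, None) if neg else node
    return parse_or()

def evaluate(node, post, field=None):
    kind, a, b = node
    if kind == "and": return evaluate(a, post, field) and evaluate(b, post, field)
    if kind == "or": return evaluate(a, post, field) or evaluate(b, post, field)
    if kind == "not": return not evaluate(a, post, field)
    if kind == "field": return evaluate(b, post, a or field)
    hay = post.get(a or field, "") if a or field else " ".join(post.values())  # no field: all fields
    return re.search(r"\b" + re.escape(b) + r"\b", hay.lower()) is not None

def matching_titles(query, posts=POSTS):
    return [p["title"] for p in posts if evaluate(parse(query), p)]
```

Running the hospital query above returns only the first record: the cannabis post matches the title group and "records" but is dropped by -cannabis, which is exactly the noise the exclusion terms are there to remove.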

Further reading: BitChute: A Hotbed of Hate

That's it for this Cyber News Update from our Cyber Team. We'll be back next time with more exciting updates. Stay tuned!

Until next time, 

Team Webhose