16 – 22 October 2020

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name | Heat 7
HPE Intelligent Management Center
Apple iPadOS
Apple iOS 13
Cisco Firepower Threat Defense
Apple watchOS

Deep & Dark Web
Name | Heat 7
Windows Phone
Telegram App
WhatsApp
Twitter
Microsoft SMBv3

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Company | Information | Affected
Crytek (Germany) | BleepingComputer were informed by unnamed sources that Egregor ransomware operators successfully attacked Crytek. The criminals claim that they stole files from the company and leaked 308MB of data on their leak site. The data appears to relate to network operations and games. | Unknown
Ubisoft (France) | The Egregor ransomware group alleges to have attacked Ubisoft and shared a 20MB archive purportedly containing assets from Ubisoft’s Watch Dogs Legion game. BleepingComputer stated that the legitimacy of this claim is currently unknown. | Unknown
Broadvoice (US) | Security researcher Bob Diachenko discovered an unprotected Elasticsearch cluster belonging to the company. The company’s CEO Jim Murphy stated that it was accidentally left open on September 28th, 2020. The exposed database included over 350 million customer records, including full caller names, caller identification numbers, phone numbers, state, and city, as well as voicemail records, of which 200,000 also included transcripts exposing personal details. | Unknown
Dickey’s Barbecue Pit (US) | A stash of card data originating from the restaurant was seen on a dark web marketplace. Researchers stated that between July 2019 and August 2020, 156 locations across 30 states were compromised. The cards, which were processed using the magstripe method, are being sold for an average price of $17. New cards from the breach will likely be added to the database over the coming months. | Unknown
McLaren Oakland Hospital (US) | The Michigan hospital discovered a desktop file containing an ‘unauthorized and unsecured link’ to patient information, which was accidentally left open by an employee. The data of 2,219 patients could have been accessed via a hospital computer, but an investigation found no evidence of illicit activity. | 2,219
JSW Steel (India) | SunCrypt ransomware operators claim to have targeted the Indian-owned steel conglomerate in ransomware and distributed denial-of-service (DDoS) attacks. A document purportedly stolen from the company’s Texas-based operation was leaked on the dark web. | Unknown
Bharat Matrimony (India) | A threat actor claimed to possess more than three million unique lines of personal data, including user emails and clear text passwords from 46 databases attributed to Bharat, Elite Matrimony, and other similar services. Some of the records also include contact numbers and family details. According to a statement from Bharat Matrimony, the exposed database is old and does not contain sensitive information. | Unknown
Panion (Sweden) | CyberNews researchers discovered an unsecured AWS data bucket belonging to the company. The bucket contains over 2.5 million user records, including full names, email addresses, interests, location coordinates, and other information, as well as nearly 700,000 images such as selfies and photos of documents. | 171,855
Toledo Public Schools (US) | The operators of Maze ransomware published over 9GB of compressed data they claim to have stolen from Toledo Public Schools. The leaked data includes current and former students’ full names, student ID numbers, gender, race, Social Security numbers, dates of birth, and more. Employee data, such as evaluations and disciplinary reports about personnel, was also exposed. | Unknown
Kleenheat (Australia) | A breach of third-party systems in 2014 may have exposed names, email addresses, and residential addresses. The company said that it had no evidence to suggest that the breach was linked to malicious activity. | Unknown
Haldiram (India) | A ransomware attack on July 12th, 2020, impacted the company’s offices in Noida and subsequently spread via the corporate network before servers were taken offline. The attackers encrypted data, deleted backups, and stole financial and employee information. | Unknown
Go Unlimited (Kuwait) | The pirated content streaming host Go Unlimited was targeted in a distributed denial-of-service attack on October 15th, 2020, disabling public access to the site. The attacker also reached out to TorrentFreak with evidence of a database containing user emails, passwords and other data stolen from the site. | Unknown
Cosmote (Greece) | The mobile network operator was targeted in a cyberattack between September 1st and September 5th, 2020. The data of ‘thousands of customers’ was exposed in the attack, including phone numbers, call times, device types and other information relating to calls made during the attack. No names, passwords, message contents or banking information were exposed. | Unknown
Narendra Modi (India) | Cyble researchers were notified of several databases on the dark web obtained from India’s Prime Minister Narendra Modi’s official website. The data of 574,000 users was leaked, including their names, email addresses, contact information and more. A second database was found to feature donor information such as bank reference numbers and payment modes. The researchers believe the data may have been extracted from an AWS bucket. | Unknown
Sandbox Interactive GmbH (Germany) | The company stated that an attacker managed to gain access to Albion Online forum user profiles on October 16th, 2020, and steal encrypted passwords. Email addresses of users were also exposed. The company noted that the passwords were hashed with Bcrypt and salted. | Unknown
KYB Corporation (US) | NetWalker ransomware operators posted screenshots of data allegedly stolen from the company on the dark web, including invoices and Windows directories. | Unknown
Pfizer (US) | On July 9th, 2020, vpnMentor researchers discovered a misconfigured Google Cloud Storage bucket belonging to Pfizer’s US Drug Safety Unit. The database contained transcripts between users of different Pfizer drugs and the company’s interactive voice response customer support software. The transcripts exposed personally identifiable information, including full names, home addresses, email addresses, phone numbers, and partial details of health and medical status. | Unknown
Timberline Billing Service (US) | The firm informed the Oskaloosa Community School District and the Knoxville Community School District of a security incident. DataBreaches[.]net notes that further school districts also appear to have been notified. The company stated that an unknown actor had encrypted and removed files from its network between February 12th and March 4th, 2020. | Unknown
Made in Oregon (US) | The company suffered an unspecified data breach potentially exposing the names, email and physical addresses, and credit card information of 7,800 customers. A small number of affected credit cards have already been used for fraudulent purposes. | 7,800
Luxottica Group (Italy) | Nefilim ransomware operators published a large number of files purportedly stolen from the eyewear manufacturer. The leak includes personnel and finance data such as professional resumes, recruitment process and human resources internal structure information, budgets, marketing forecast analysis, and others. | Unknown
Vastaamo (Finland) | Vastaamo, a company offering psychotherapy to patients, stated it had suffered a data breach in which patient data was being held for ransom by ‘an unknown hostile party’. | Unknown
Unknown (US) | Trustwave researchers discovered several large databases of detailed US voter information for sale on the dark web. One such offering allegedly contains the names, addresses, genders, and political affiliations of 186 million US voters. Researchers also found a database purportedly containing 245 million records with over 400 data points for each person, including names, addresses, phone numbers and more. Numerous other state-specific databases are also offered. | Unknown

Attack Types Mentions in Banking


This chart shows the trending Attack Types related to Banking over the last week.

Weekly Industry View

Industry View
Industry | Information
Banking & Finance | Researchers at IBM identified a new banking malware, dubbed Vizom, being delivered to Brazilian users primarily via phishing emails. The malware hides inside the legitimate executables of videoconferencing software to trick the Windows operating system into running its malicious DLLs. The same DLL hijacking method is used during the attack itself, in this case against the files of the legitimate Vivaldi browser. The malware, which modifies browser shortcuts for persistence, can monitor browsers, communicate with the attackers’ C2 in real time, apply an overlay screen, carry out remote access trojan functions, log keystrokes, take screenshots, and more.
Government | US officials reported that intimidation emails pretending to come from Proud Boys, which have been received by voters in at least four US states, were sent by Iranian state-backed operatives. An individual who received the email told Motherboard that all the personal details in the email, including full name and home address, were accurate. Motherboard believes the information was likely obtained from public voter rolls. The Director of National Intelligence John Ratcliffe stated that Iranian actors were also spreading a video implying that the mail-in voting system could be compromised to send fake votes. The Washington Post reported that a US Department of Homeland Security official also warned state and local election administrators that ‘holes’ have been detected in state and local election websites.
Cryptocurrency | BleepingComputer identified a malicious Coinbase-themed OAuth consent app being spread via phishing emails which also feature a Coinbase theme. The message informs the user that they must accept an update to Coinbase’s terms to continue using the service. A ‘Read and Accept Terms of Service FAQ’ link in the email directs the target to a Microsoft sign-in page. Users who log in are then prompted to allow the malicious ‘coinbaseterms’ app to access their account. Accepting the app allows an attacker to read the user’s profile, and create, read, update, and delete emails in their mailbox. An attacker cannot use the app to send mail.
Retail, Hospitality & Tourism | Gemini Advisory reported that on October 12th, 2020, a new stash of card data, dubbed BLAZINGSUN, was added to the Joker’s Stash dark web marketplace. The marketplace’s administrator stated that BLAZINGSUN contains 3 million compromised cards from 35 US states and ‘some’ locations in Europe and Asia. Gemini Advisory determined that the data comes from US-based restaurant Dickey’s Barbecue Pit. The researchers stated that between July 2019 and August 2020, 156 locations across 30 states were compromised. The widespread compromise led Gemini to suggest that the incident may be linked to the breach of a single central processor. The cards, which were processed using the magstripe method, are being sold for an average price of $17. New cards from the breach will likely be added to the database over the coming months.
Critical Infrastructure | An Internet Storm Center forum researcher observed a phishing campaign aimed at the shipping industry distributing Agent Tesla spyware. The emails impersonate the sender address of an existing shipping company and feature information and requests addressed to the recipient. The body of the emails contains industry terms and refers to real travelling ships. The emails carry a .cab attachment containing Agent Tesla spyware. The spyware commonly exfiltrates stolen data over email domains belonging to the targeted companies. The researcher was able to determine that the campaign has been somewhat successful.

News and information concerning each mentioned industry over the last week.
