28 September 2023
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.
Trending Vulnerable Products
Open Source
| Name | Heat 7 |
|---|---|
| WebKit Software Component |  |
| Apple Safari | |
| Accusoft ImageGear | |
| Cisco IOS XE | |
| Cisco Catalyst |  |
Deep & Dark Web
| Name | Heat 7 |
|---|---|
| Microsoft SharePoint |  |
| libwebp |  |
| Quake3 | |
| Windows Server 2008 |  |
| Opera Web Browser | |
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
| Company | Information | Affected |
|---|---|---|
| Florida Department of Veterans Affairs (US) | Snatch ransomware added the organisation to their leak site on September 5th, 2023. The attackers published a pack of sample data as proof of claims. | Unknown |
| Exail Technologies (France) | A publicly accessible environment file contained database credentials, which could allow attackers with access to the database to view, modify, or delete sensitive data. | Unknown |
| United Healthcare Services Inc (US) | Sensitive customer data was accessible to an unauthorised party. Compromised data was likely protected health information. | 315,915 |
| Unknown (Israel) | A phishing campaign targeting Israeli jobseekers resulted in personal data being stolen and leaked. Compromised information includes photos of ID cards, resume files, and more. The attack has been attributed to Iranian hackers. | Unknown |
| Philippine Health Insurance Corporation | A Medusa ransomware attack is impacting the Philippines government health insurance program. Work is ongoing to assess the impact and secure compromised systems. | Unknown |
| Hong Kong Consumer Council | A ransomware attack may against the organisation was detected on September 20th, 2023. The attackers claim to have obtained certain data, including information on employees and clients, as well as other internal documents. | Unknown |
| Lakeland Community College (US) | Between March 7th and March 31st, 2023, attackers accessed full names and Social Security numbers. The Vice Society ransomware group previously listed the college on its data leak site. | 285,948 |
| Auckland University of Technology (New Zealand) | Monti ransomware gang claims to have stolen 60GB of data from the university, threatening to dump the exfiltrated data online early next month. The university confirmed it had been a victim of a cyberattack. | Unknown |
| BMO Bank (US) | Information entrusted to the company was accessible to an unauthorised party. Potentially compromised data includes names, Social Security numbers, addresses, and dates of birth. | Unknown |
| Jordan Valley Community Health Center (US) | The personal information of Native American patients was stolen between March 9th and June 22nd, 2023. Potentially compromised data includes names, addresses, email addresses, dates of birth, and race. | Unknown |
| Virginia Department of Medical Assistance (US) | Sensitive information of individuals was compromised as a result of a hacking and IT incident involving a network server. | 1,229,333 |
| Pain Care Specialists (US) | AlphV ransomware added the Oregon healthcare provider to its leak site, claiming to have encrypted the network and stolen over 150GB of sensitive data. This is said to include patients’ and employees’ medical records, Social Security numbers, and more. | Unknown |
| Lake Region Healthcare and Mountrail County Medical Center (US) | The healthcare providers disclosed data breaches stemming from third-party provider, DMS Health Technologies. Potentially compromised data includes names, dates of birth, dates of services, physician names, and exam types. | >1,390 |
| Multiple (US) | Thousands of DICOM servers are exposed on the internet due to misconfigurations. This has resulted in the exposure of patient data from numerous countries, including patient names, dates of birth, disease information, and more. | Unknown |
| Clarion (UK) | Alphv ransomware added the global manufacturer to its leak site on September 23rd, 2023, claiming to be in possession of confidential data. This includes engineering information for the company’s customers as well as customer data. | Unknown |
| Hillsborough County Public Schools (US) | The Florida school district confirmed that the protected information of students was improperly accessed due to a cybersecurity breach. The information includes names, dates of birth, district student identification numbers, and more. | 254 |
| Sony (Japan) | The RansomedVC ransomware group claims to have compromised the company’s systems. The attackers are offering allegedly stolen data for sale, stating they will not be ransoming the company as Sony do not want to pay. | Unknown |
| Oak Valley Hospital District (US) | An unauthorised party accessed the California hospital’s systems between April 21st and July 18th, 2023. The actor was able to access files containing patient information, including names, health insurance information, and more. | Unknown |
| Leekes (Wales) | The furniture chain was added to the NoEscape ransomware leak site on September 17th, 2023, with the attackers claiming to have stolen 130GB of data. | Unknown |
| Progressive Leasing (US) | A cyberattack is believed to have impacted a substantial amount of personally identifiable information. This includes Social Security numbers of customers and other individuals. | 40,000,000 |
| MNGI Digest Health (US) | The AlphV ransomware group listed the medical practice on its leak site. The group uploaded some images from diagnostic tests to prove their claims. | Unknown |
| Waterloo Media (US) | NoEscape ransomware claims to have exfiltrated 50GB of data from the company. | Unknown |
| Flair Airlines (Canada) | A public environment file exposed company data for at least seven months. At least one subdomain for booking group travel was collecting private user information, which includes names, email addresses, phone numbers, flight details, and more. | Unknown |
| Conduent (US) | An unnamed threat actor allegedly gained unauthorised access to the company’s emails, chatrooms, and critical data following an SMS phishing attack. The breach reportedly compromised sensitive client contracts, database entries, and more. | Unknown |
| Kuwait Ministry of Finance | The Rhysida ransomware group claimed responsibility for an attack on the ministry on September 18th, 2023. The group added the department to its leak site, publishing a set of documents as proof of claims. | Unknown |
| Johnson Controls International (US) | Dark Angels ransomware actors claim to have stolen over 27TB of corporate data in an attack that encrypted VMware ESXi servers and disrupted operations at the company and its subsidiaries. | Unknown |
| Pelmorex (Canada) | LockBit ransomware allegedly acquiried databases from its network, including access codes to the company’s digital servers. The attackers have announced their intention to leak the data on their dark web leak site. The company stated that the attackers are currently believed to have gained limited access to publicly available information. | Unknown |
| DarkBeam (UK) | An unprotected Elasticsearch and Kibana interface contained over 3.8 billion records, exposing user emails and passwords from previously reported and non-reported data breaches. | Unknown |
| LCS Financial Services (US) | An unauthorised party accessed the computer network on February 24th, 2023. The actor was able to access and remove files containing confidential consumer information. | Unknown |
| Community First Medical Center (US) | Unauthorised access occurred at some point in July 2023. The actor was able to access certain files containing confidential patient information, which may include names and Social Security numbers. | Unknown |
| Kokoro (UK) | Multiple UK charities have warned supporters that hackers have stolen their data following a breach of a web server run by third-party supplier, Kokoro. The impacted charities include Shelter, the RSPCA, the Dogs Trust, Battersea Dogs and Cats Home, and Friends of the Earth. Potentially compromised data includes names, home addresses, email addresses, and information on past donations. | Unknown |
| Iran Telecom | The APT IRAN group claimed to have gained access to and exfiltrated 4TB of data from Iran Telecom and Irancell databases. The group threatened to upload a penetration video and the exfiltrated data to prove their claims. | Unknown |
| University of Minnesota (US) | The university confirmed that a recent security incident led to the exposure of personal information of students, applicants, and faculty members involved with the university between 1989 and 2021. Potentially compromised information includes names, contact information, Social Security numbers, dates of birth, payroll information, and more. | Unknown |
| ChildFund New Zealand | Personal contact information of donors was impacted in the April 2023 cyberattack on Pareto Phone. Potentially compromised data includes names, postal addresses, phone numbers, and reference numbers. | Unknown |
| ZenLedger (US) | A dark web actor operating as ‘Sing’ announced the sale of data allegedly belonging to ZenLedger for $15,000. The user claimed the data was not the company’s publicly available database, and included IDs, email addresses, names, and more. | Unknown |
Attack Type mentions in Hospitality
This chart shows the trending attack types related to Hospitality within a curated list of cyber sources over the past week.
Weekly Industry View
| Industry | Information |
|---|---|
| Hospitality |
Cofense researchers observed a well-crafted and innovative social engineering attack delivering an advanced information stealer to the hospitality industry. The campaign employs reconnaissance emails and instant messages to lure hospitality email addresses into responding. Further phishing emails are then used to deliver malware such as RedLine, Vidar Stealer, Stealc, Lumma Stealer, and Spidey Bot. The emails use lures including booking requests, reservation changes, and special requests, and use multiple methods to bypass secure email gateways and email security analysis. |
| Telecommunications |
SentinelLabs researchers identified a new threat activity cluster from an unknown actor, dubbed Sandman APT, that has been targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent. The activity is characterised by strategic lateral movements and minimal engagements, likely to evade detection. Sandman deploys a novel modular backdoor, dubbed LuaDream, that utilises the LuaJIT platform. The malware’s main functionalities include exfiltrating system and user information, and managing attacker-provided plugins that extend the malware’s features. |
| Government |
Palo Alto Networks Unit 42 researchers identified a series of espionage attacks targeting different governmental entities in the same Southeast Asian country. Whilst the activity occurred around the same time, it was carried out by three separate threat actors, whose activity clusters can be characterised by distinct tools, modus operandi, and infrastructure. The observed techniques and tools combined with persistent long-term surveillance suggest the work of three advanced persistent threat (APT) groups, including Stately Taurus, Alloy Taurus, and Gelsemium. |
| Banking & Finance |
In August 2023, ThreatFabric researchers identified new samples of the Xenomorph Android banking trojan being used in a distribution campaign following months of hiatus. The new activity primarily targets the United States, Spain, and other European countries. Xenomorph has been updated with several new commands, which include antisleep, mimic, and clickonpoint features. The distribution campaign uses phishing webpages posing as Google Chrome updates to trick victims into installing malicious APKs. |
| Technology |
Authorities from the United States and Japan released a joint advisory detailing the activity of the China-linked threat actor, BlackTech, against router firmware. The group targets headquarters in Japan and the US through their international subsidiaries by compromising branch routers. Various sectors have been targeted, including government, industrial, technology, media, electronics, telecommunications, and entities that support the militaries of the US and Japan. BlackTech uses custom malware payloads and remote access tools, including BendyBear, Bifrose, BTSDoor, FakeDead, Flagpro, FrontShell, IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack, and WaterBear. |
News and information concerning each mentioned industry over the last week.
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.
