
Weekly Cyber Digest

08 December 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.

Trending Vulnerable Products

Deep & Dark Web (Name, Heat 7)
- Atlassian Bitbucket
- Chrome V8 JavaScript Engine
- Anonfiles
- jQuery
- phpMyAdmin

Open Source (Name, Heat 7)
- Sophos Firewall
- Rukovoditel
- Microsoft Internet Explorer
- Chrome V8 JavaScript Engine
- Hive Social

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company (Affected) / Information

Hive Social (Affected: Unknown)
The social media platform temporarily shut down its service on November 30th, 2022, after a security advisory from Zerforschung warned that the site contained vulnerabilities that allow any attacker to access all data stored in user accounts. This includes private posts and messages, shared media, deleted direct messages, and more.

Receivables Performance Management (US) (Affected: 3,766,573)
The agency suffered a ransomware attack on May 12th, 2021, after attackers first gained access to the company’s server on April 8th, 2021. The attack compromised personal information, including Social Security numbers. The attackers are reportedly no longer in possession of the stolen data.

Florida Department of Revenue (US) (Affected: Unknown)
An insecure direct object reference flaw on the website of the government agency exposed sensitive information of taxpayers. This includes names, home and business addresses, bank account and routing numbers, Social Security numbers, and more. The issue has since been fixed.

Andre Mignot Hospital (France) (Affected: Unknown)
On December 3rd, 2022, the French hospital, part of the Versailles Hospital Center, was targeted in a cyberattack that forced it to shut down its computer systems. The attack is likely a ransomware attack, though this has not yet been confirmed by the hospital.

United Reporters (Affected: Unknown)
A leak reportedly occurred shortly after the network covered the ongoing Greek surveillance scandal involving Predator spyware. The leaked data includes financial data.

Ministry of Transport and Public Works (Uruguay)
On October 17th, 2022, the organisation was targeted in a PLAY ransomware attack. The attackers claimed to have stolen 80GB of data and released 5GB as proof. The ministry has denied any communications with the attackers and estimated that the stolen data accounts for about 0.03% of the information available to the ministry.

Plascar Participações Industriais SA (Brazil) (Affected: Unknown)
On November 30th, 2022, Vice Society added the company to their leak site. The ransomware group has claimed to have leaked 650GB of data from the firm.

Three Cube IT Lab (India) (Affected: Unknown)
A post on the dark web is advertising sensitive data reportedly stolen from the company. By accessing the company’s systems, the attackers also managed to gain access to data belonging to the firm’s hospital clients.

Sree Saran Medical Centre (India) (Affected: Unknown)
Personally identifiable information of patients at the hospital is currently for sale on the dark web. This includes names, guardian names, dates of birth, doctor’s details, and address information.

CoinTracker (US) (Affected: Unknown)
On December 1st, 2022, the software company discovered a leaked list of emails and referral links of CoinTracker users online. No other personal or financial information was leaked. The leak was reportedly due to a larger data compromise at one of its service providers.

Central Board of Higher Education Delhi (India) (Affected: Unknown)
Hacktivist group Team Mysterious Bangladesh claimed to have compromised the organisation and threatened to leak the data of students from 2004 to 2022, with screenshots of stolen data already shared. The compromised data includes names, Aadhaar numbers, IFSC codes, and more.

Travis Central Appraisal District (US) (Affected: Unknown)
The Texas government office was targeted in what it believed to be a Royal ransomware attack on December 5th, 2022. The ransomware attack shut down phone lines and an online chat system.

Dallam Hartley Counties Hospital District (US) (Affected: 70,000)
The Texas organisation was targeted in a ransomware attack on September 28th, 2022. The incident resulted in the theft of protected health information, including names, Social Security numbers, health insurance information, demographic details, and limited medical information.

Mena Regional Health System (US) (Affected: 84,814)
The Arkansas organisation disclosed that patient data was exfiltrated by an unauthorised party on October 30th, 2021. Compromised data includes patient names, Social Security numbers, dates of birth, driver’s licenses, government IDs, financial account details, medical information, and more.

CCA Health California (US) (Affected: ~15,000)
Current and former health plan members were notified of a data breach that took place on May 4th, 2022. The attackers stole or accessed data such as names, Social Security numbers, dates of birth, contact details, passport numbers, and more.

Antwerp (Belgium) (Affected: Unknown)
The city experienced disruptions to its digital services following a suspected ransomware attack on its digital provider, Digipolis.

Rackspace (US) (Affected: Unknown)
The cloud company confirmed that the recent security incident that forced it to shut down its hosted Microsoft Exchange environment was the result of a ransomware attack. It remains unclear which ransomware group is responsible and whether any sensitive data was stolen.

Hudson County Schools of Technology (US) (Affected: Unknown)
The school district’s internal servers went offline on December 5th, 2022, resulting in early dismissal for students. The district did not confirm the cause of the outage; however, security researcher Brett Callow noted that it is possibly ransomware.

Adams-Friendship Area School District (US) (Affected: Unknown)
The district detected unauthorised activity within its environment on or around November 15th, 2022. On December 7th, 2022, Royal ransomware claimed responsibility for the attack, adding the district to its leak site. The group has yet to provide any proof of its claims.

CloudSEK (India) (Affected: Unknown)
A threat actor gained access to its Confluence server using stolen credentials for one of its employees’ Jira accounts. Some internal information, including screenshots of product dashboards and the names and purchase orders of three customers, was exfiltrated from its Confluence wiki; however, CloudSEK’s databases were reportedly not compromised.

LJ Hooker (Australia) (Affected: Unknown)
The operators of ALPHV ransomware added LJ Hooker Palm Beach to their data leak site on November 30th, 2022, claiming to have stolen 375GB of employee and customer data. The attackers provided a screenshot of allegedly breached usernames and passwords. The group also published the passport details of staff members, as well as some profit and loss statements and a property sale contract.

Intersport (France) (Affected: Unknown)
On December 5th, 2022, Hive ransomware operators published the personal information of some customers on the dark web. Potentially compromised data includes passports, lists of customer information, and payslips.

Acuity Brands (US) (Affected: Unknown)
An unauthorised individual gained access to some systems on December 7th and December 8th, 2021, and copied a subset of files out of the network. During an investigation into this incident, Acuity discovered an unrelated incident of unauthorised access on October 6th and October 7th, 2020, in which the attacker attempted to copy certain files. Potentially compromised data on current and former employees includes names, Social Security numbers, financial account information, driver’s licence numbers, and more.

[Chart] Attack Type mentions in Cryptocurrency

This chart shows the trending attack types related to Cryptocurrency within a curated list of cyber sources over the past week.

Weekly Industry View

Industry Information
Cryptocurrency
Volexity researchers observed renewed activity by North Korean threat actor Lazarus Group, with the latest campaign likely targeting cryptocurrency users and organisations with AppleJeus malware. Lazarus Group was seen using new techniques, including a previously unseen variation of DLL sideloading. AppleJeus is spread via a website called BloxHolder, which is largely a clone of the HaasOnline automated cryptocurrency trading platform. The site contains an MSI file for the QTBitcoinTrader app that is bundled with the malware.
Retail
Jscrambler researchers discovered threat actors using new techniques in web skimming attacks that involve gaining control of defunct domains that formerly hosted popular JavaScript libraries. Campaigns from three threat actors were observed. One targeted the end-of-service Cockpit JavaScript library by acquiring its lapsed domain name and using it to serve a skimming script from the same URL the library had been loaded from, so any site still referencing that URL silently received the skimmer. The other two campaigns targeted the e-commerce websites directly, injecting malicious scripts into their homepages, one of which was disguised as Google Tag Manager and used string concatenation to avoid detection.
Critical Infrastructure
Cyble researchers discovered a new ransomware operation, called BlackMagic, that appears to originate from Iran. The group uses double extortion to target victims and has disclosed details of over ten victims in the transportation and logistics industry to date, all of which are from Israel. The group is suspected to be politically motivated. The ransomware payload is a 64-bit DLL file that is dropped on the victim system and executed using rundll32. The group’s ransom note does not provide contact details or cryptocurrency addresses for ransom payment, but instead contains links to social media channels used for advertising the victim’s data.
Technology
CrowdStrike discovered an intrusion campaign targeting telecommunications and business outsourcing companies. The attackers attempt to gain access to mobile carrier networks and conduct SIM swapping attacks. The campaign has been ongoing since June 2022. Social engineering techniques are used to impersonate IT personnel and convince victims to visit a credential harvesting site or run commercial remote monitoring and management tools used for persistence. Other tactics involve the use of compromised credentials to access an organisation’s Azure tenant, or the exploitation of CVE-2021-35464 in the ForgeRock OpenAM application server. The attacks appear to be financially motivated, with the campaign attributed to threat actor SCATTERED SPIDER with low confidence.
Banking & Finance
K7 Security researchers identified a sample of the Zanubis banking trojan that disguises itself as the mobile application of Peru’s tax authority, SUNAT. The app asks for accessibility service and battery optimisation permissions to gather data from the victim’s device. It uses an overlay screen over the targeted application to acquire login credentials for a number of banks.

News and information concerning each mentioned industry over the last week.
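The Retail entry above describes a skimmer served from the same URL a defunct library domain used to serve. The standard browser-side mitigation is Subresource Integrity (SRI): a pinned `integrity` hash on the `<script>` tag makes the browser refuse a file whose bytes no longer match, so a swapped script at an old URL fails closed. The following is an added example written for this digest, not code from Silobreaker or from the Jscrambler research; it computes SRI values, checks fetched bytes against an `integrity` attribute the way a browser does, and statically audits an HTML page for third-party scripts that lack SRI. The HTML, the library bytes and the `.test` hostnames are constructed sample data.

```python
"""
Added example (not part of the Silobreaker digest): Subresource Integrity
helpers plus a static audit of third-party <script> tags.

All sample data below (library bytes, HTML, hostnames) is constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Algorithms SRI permits, weakest to strongest.
_SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity value ("sha384-<base64 digest>") for content."""
    if algo not in _SRI_ALGOS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute.

    Mirrors browser behaviour: only the strongest algorithm present is
    considered, and the resource is accepted if any hash for that algorithm
    matches. If the attribute contains no usable hash, browsers skip the check.
    """
    parsed = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in _SRI_ALGOS:
            parsed.append((algo, rest.split("?", 1)[0]))  # drop option suffix
    if not parsed:
        return True
    strongest = max(parsed, key=lambda p: _SRI_ALGOS.index(p[0]))[0]
    return any(sri_hash(content, algo) == f"{algo}-{b64}"
               for algo, b64 in parsed if algo == strongest)


class _ScriptAuditor(HTMLParser):
    """Collect third-party <script src> tags that are not protected by SRI."""

    def __init__(self, first_party_host: str):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script, not loaded from a URL
        host = urlparse(src).hostname  # handles https:// and protocol-relative //
        if host is None or host == self.first_party_host:
            return  # relative or first-party source
        if not a.get("integrity"):
            self.findings.append((src, "third-party script without integrity attribute"))
        elif a.get("crossorigin") is None:
            # Cross-origin responses without CORS are opaque, so the browser
            # cannot verify them and blocks the script instead of running it.
            self.findings.append((src, "integrity set but crossorigin attribute missing"))


def audit_html(html: str, first_party_host: str) -> list[tuple[str, str]]:
    """Return (src, issue) pairs for third-party scripts that lack usable SRI."""
    auditor = _ScriptAuditor(first_party_host)
    auditor.feed(html)
    return auditor.findings


# Constructed stand-ins: a pinned library build and the same URL's content
# after a third party has appended extra code to it.
KNOWN_GOOD_LIB = b"/* constructed library build v1.0 */\nwindow.lib = {v: '1.0'};\n"
SWAPPED_LIB = KNOWN_GOOD_LIB + b"/* constructed extra code appended later */\n"
PINNED = sri_hash(KNOWN_GOOD_LIB)

# Constructed page: one first-party script, one unpinned third-party library,
# one correctly pinned library, one pinned but without crossorigin.
SAMPLE_HTML = f"""
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/cockpit/1.0/cockpit.min.js"></script>
<script src="https://cdn.example-cdn.test/lib/1.0/lib.min.js"
        integrity="{PINNED}" crossorigin="anonymous"></script>
<script src="//cdn.example-cdn.test/other/other.js" integrity="{PINNED}"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    print("pinned:", PINNED)
    print("known-good matches:", sri_matches(KNOWN_GOOD_LIB, PINNED))
    print("swapped matches:", sri_matches(SWAPPED_LIB, PINNED))
    for src, issue in audit_html(SAMPLE_HTML, "shop.example"):
        print(f"{issue}: {src}")
```

Running the module prints the pinned value, shows the known-good bytes passing and the swapped bytes failing, and lists the two unprotected script tags. In practice `sri_hash` is run over the library copy you have reviewed, and the audit is run over rendered pages in CI so that a newly added third-party `<script>` without `integrity` is caught before deployment; SRI does not help for scripts whose content is expected to change, which must instead be vendored or pinned to a reviewed release.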
