
Weekly Cyber Digest

08 September 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name, Heat 7)
QNAP Photo Station
Chromium Web Browser
IBM Cognos Analytics
QNAP Network Attached Storage

Deep & Dark Web (Name, Heat 7)
Genshin Impact
Discord VoIP

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company | Information | Affected
Ministry of Communication & Information Technology (Indonesia) | A user on the breached[.]co hacker site claimed to be selling the SIM card registration data of over 1.3 billion SIMs. The data reportedly includes national ID card numbers, phone numbers, telecommunications providers, and registration data. The ministry claims the data did not come from its systems. | Unknown
Neopets (US) | Attackers had access to the company’s IT systems from January 3rd, 2021, until July 19th, 2022. Exposed information for past and present players may include name, email address, username, date of birth, gender, IP address, Neopets PIN, hashed password, and more. | Unknown
Fremont County (US) | A recent cybersecurity incident was the result of a BlackCat ransomware attack. Employees’ personal information may have been compromised, along with that of a small number of individuals in the community. | Unknown
Bridgestone Americas Inc (US) | A data breach occurred following a LockBit ransomware attack in February 2022. Compromised data of certain individuals includes names, Social Security numbers, and bank account information. | Unknown
Tulsa Tech (US) | The school district disclosed that someone accessed its systems in June 2022 and stole files from the network. This includes data belonging to students who were enrolled in classes between 1986 and 1999, including names and Social Security numbers. | Unknown
Internal Revenue Service (US) | The IRS inadvertently leaked confidential information on taxpayers who filed Form 990-T as part of their tax returns. The exposed information includes names, contact information, and reported income for those IRAs. | 120,000
KeyBank (US) | A data breach occurred after a third-party vendor, Overby-Seawell Company, was targeted by hackers on July 5th, 2022. The hackers acquired the personal information of home mortgage holders at KeyBank, including names, addresses, mortgage account numbers, and the first eight digits of Social Security numbers. | Unknown
Gestore dei Servizi Energetici SpA (Italy) | The BlackCat ransomware group claimed responsibility for a cyberattack on August 28th, 2022. The group claims to have exfiltrated 700GB of data from the agency, including information on projects, contacts, accounting, and more. | Unknown
Samsung (US) | A data breach occurred after some of its US systems were compromised in late July 2022. The attacker accessed and exfiltrated personal customer information, including names, contact and demographic information, dates of birth, and product registration data. | Unknown
Higher Education Authority (Ireland) | The personal details of individuals who attended Springboard courses have been exposed. The exposed data goes as far back as 2011 and includes names, mobile phone numbers, email addresses, and education courses. Amongst the affected individuals are members of the Garda, the prison service, and people working in the Health Service Executive. | 45,720
Export Development Fund (Pakistan) | The website of the government body was recently targeted in a brute force attack by an attacker who reportedly stole over 4GB of data. The stolen data allegedly includes hexed passwords, email records and history, files, and other sensitive material such as proposals, trade and billing information, and more. | Unknown
San Francisco 49ers (US) | The team confirmed that personal information was accessed or stolen in the Blackbyte ransomware attack between February 6th and February 11th, 2022. The compromised information includes names and Social Security numbers. | 20,930
CorrectHealth (US) | The healthcare provider identified suspicious activity in employee email accounts on November 10th, 2021. Information may have been exposed between March and July 2022. This includes names, addresses, and Social Security numbers. | 54,000
TikTok and WeChat (China) | AgainstTheWest claimed to have breached both companies and gained access to a server holding 2.05 billion records in a 790GB database containing user data, platform statistics, software code, cookies, authentication tokens, server information, and more. Researchers have verified the validity of the data; however, TikTok has denied the breach. | Unknown
Orange Cyberdefense (France) | On September 4th, 2022, a post on a popular forum listed data that allegedly belongs to the security provider, including names, email addresses, phone numbers, and more. The company confirmed the file contains information relating to certain French customers of the Micro-SOC service. | Unknown
Malindo Air (Malaysia) | On September 3rd, 2022, a database containing the personal data of customers was made available on an online forum. The data allegedly includes email and physical addresses, dates of birth, passport numbers, and phone numbers. The data stems from a data breach in 2019 which was acknowledged by Malindo Air at the time. | 45,000,000
Savannah College of Art and Design (US) | The AvosLocker ransomware group added the school to its leak site on September 3rd, 2022, claiming to have stolen a database of phone numbers, email addresses, and more. Databreaches[.]net determined that the group managed to steal at least 69,000 files containing student information, personnel files, and business data. | Unknown
Standard-Examiner (US) | On September 5th, 2022, a ransomware attack targeted the computer network of the daily morning newspaper in Utah. The attack was likely conducted through a malicious email. | Unknown
Los Angeles Unified School District (US) | The district confirmed that recent technical issues were the result of a ransomware attack on its IT systems over the weekend of September 3rd, 2022. It remains unknown which ransomware was involved. | Unknown
General Elections Commission (Indonesia) | A hacker recently listed a dataset on BreachForums that allegedly contains 20GB of information on citizens, likely taken from the commission. It reportedly includes citizens’ ID card numbers, full names, dates of birth, and other personally identifiable information. | 105,000,000
The North Face (US) | From July 26th until August 19th, 2022, a large-scale credential stuffing attack resulted in the compromise of accounts on the company’s official website. The attackers potentially accessed information within the customer accounts, such as full name, purchase history, billing address, shipping address, telephone number, and more. | 194,905
Bitvavo (Netherlands) | The digital asset platform experienced a technical issue which led to the personal data of users being shown on its app and website. The leak occurred due to a misconfiguration of Bitvavo’s cache solution and was quickly remediated. | 8

Malware mentions in Critical Infrastructure

This chart shows the trending malware related to Critical Infrastructure within a curated list of cyber sources over the past week.

Weekly Industry View

Industry | Information
Technology | SafeBreach researchers discovered a targeted attack that leverages a new remote access trojan, dubbed CodeRAT. The attack uses a Microsoft Word document containing a Microsoft Dynamic Data Exchange (DDE) exploit to target Farsi-speaking software developers. CodeRAT is believed to be used as an intelligence-gathering tool by a government-linked threat actor. The DDE exploit downloads CodeRAT from a GitHub repository. The malware supports nearly 50 commands and can monitor webmail, Microsoft Office documents, integrated development environments, and more. CodeRAT also spies on sensitive windows belonging to tools such as Visual Studio, Python, PhpStorm, and Verilog.
Education | United States authorities released a joint cybersecurity advisory warning that Vice Society actors have recently been observed disproportionately targeting the education sector with ransomware attacks. These attacks have particularly impacted kindergarten through twelfth grade institutions, resulting in restricted access to networks and data, delayed exams, cancelled school days, and unauthorised access to, and theft of, personal data. The advisory provides Vice Society indicators of compromise and tactics, techniques, and procedures observed in attacks as recently as September 2022. It additionally warns that these attacks may increase as the 2022/2023 school year begins.
Banking & Finance | Check Point researchers examined a malicious campaign, called DangerousSavanna, that has been targeting multiple major financial service groups in French-speaking African countries for the last two years. In the last few months, the campaign has focused heavily on the Ivory Coast. The threat actors target employees with spear phishing emails containing malicious attachments for initial infection. The attackers persistently pursue the employees of the targeted companies, constantly changing infection chains that use a wide range of malicious file types. Once a victim has been compromised, the campaign usually installs relatively unsophisticated software tools, such as Metasploit, PoshC2, DWservice, and AsyncRAT.
Government | On September 6th, 2022, 20 websites across four government ministries in Japan suffered disruptions after being targeted in a cyberattack. The pro-Russian group Killnet claimed responsibility for the attacks. Japan’s government is now investigating whether Killnet was involved and whether the disruptions were caused by a denial-of-service attack. Japan’s e-Gov administrative portal continued to experience log-in problems for certain services on September 7th, 2022. Some services on the other targeted websites have since been restored.
Critical Infrastructure | Avast researchers identified a pro-Russian group, dubbed NoName057(16), conducting distributed denial-of-service attacks on websites in Ukraine, as well as Estonia, Lithuania, Norway, and Poland. Targets include governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more. NoName057(16) conducts the attacks using a botnet composed of devices infected with the .NET malware Bobik. The researchers estimate there are thousands of Bobik bots in the wild, most of which are located in Brazil, India, and Southeast Asia.

News and information concerning each mentioned industry over the last week.