Weekly Cyber Digest: 03 – 09 February 2023

09 February 2023

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.

Trending Vulnerable Products

Deep & Dark Web
Name Heat 7
VMware ESXi
Python Programming Language
3proxy
Samba
Comodo AntiVirus
Open Source
Name Heat 7
VMware ESXi
OpenSLP
GoAnywhere MFT
OpenSSL
OpenSSH

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company | Information | Affected
Guardian Analytics (US) | The company was listed on the Daixin Team leak site, and later on the LockBit ransomware leak site. Potentially compromised data includes names, dates of birth, medical record numbers, patient account numbers, Social Security Numbers, and medical and treatment information. | Unknown
Multiple | LockBit ransomware added multiple new victims to its leak site. They include Tonoli Group, Crystal Creamery, Sakr Group, Beth Rivkah, Scandia Food, Kostica, and Fabricated Pipe Inc. | Unknown
Vice Media (US) | An unauthorised actor gained access to an internal Vice email account in March 2022. Potentially compromised data includes Social Security numbers, financial account numbers, credit and debit card numbers, and more. | 1,724
Guildford County School (UK) | The Vice Society ransomware group posted hundreds of files allegedly stolen from the school on its leak site, with file names suggesting they contain children’s safeguarding reports. | Unknown
Andersen Corporation (US) | An unprotected Azure storage blob belonging to Renewal by Andersen exposed around one million files. This included nearly 300,000 documents exposing customers’ home addresses, contact details, home renovation orders, and more. | Unknown
Aspire Surgical (US) | A cybersecurity incident compromised the information of patients. This could include names, patient account numbers, dates of service, and amounts paid. | Unknown
Highmark Health (US) | An employee’s email account was compromised in December 2022. Potentially compromised data includes names, social security numbers, and claims relating to treatment. In some cases, financial information, address, phone number, and email addresses were also leaked. | 300,000
University of Colorado Hospital Authority (US) | The May 2022 data breach at Diligent Corp affected certain UCHealth patients. Potentially compromised data includes names, addresses, dates of birth, treatment-related information and, in very limited cases, Social Security numbers or other financial information. | 48,879
Nonstop Health (US) | Data and source code relating to the company were leaked on two popular hacking forums. The full leak reportedly contains 43,532 lines of data, and includes names, dates of birth, postal addresses, personal email addresses, Social Security numbers, and more. The data was previously posted on a popular Russian-language forum with source code files. | Unknown
Five Guys (US) | The company was added to the BlackCat ransomware leak site. Screenshots indicate that potentially stolen data includes banking statements, international payroll data, information about recruitments, audit information, and more. Five Guys previously disclosed a data breach in January 2023, but it remains unclear whether the two incidents are related. | Unknown
8Twelve Financial Technologies (Canada) | An open and non-password protected database contained names, phone numbers, email addresses, physical addresses, and more. 8Twelve has since restricted public access to the database. | 717,814
Cardiovascular Associates (US) | An unauthorised third party exfiltrated patient data from the company’s Alabama location, including demographic information, Social Security numbers, health insurance information, financial information, and more. | Unknown
Regal Medical Group (US) | A December 2022 ransomware attack resulted in a patient data breach. Potentially compromised information includes names, Social Security numbers, dates of birth, addresses, treatment information, and more. | Unknown
Southeast Colorado Hospital District (US) | An unauthorised third party gained access to an employee email account. This may have compromised the personal information of some individuals, including names, Social Security numbers, driver’s license numbers, dates of birth, treatment information, and more. | Unknown
Jackson & Joyce Family Dentistry (US) | The company was added to the leak site of Lockbit ransomware, along with several screenshots as proof. | Unknown
Seguros Equinoccial (Ecuador) | The company was added to Vice Society’s leak site, with leaked data including reports containing personal information such as names, policies, addresses, phone numbers, email addresses, and more. | Unknown
Multiple | Lockbit added multiple new victims to their leak site, including Luaces Asesores, IT Servicios and Pharma Gestao. No proof was added. | Unknown
Casa Ley (Mexico) | The grocery store chain was added to the leak site of Royal ransomware, although no proof was added. | Unknown
LG Uplus Corp (South Korea) | The company suffered a data breach that exposed customer names, dates of birth, and phone numbers. Investigations are ongoing to determine how the data was leaked. | 290,000
US Cellular (US) | Threat actor IntelBroker published a database on the Breached hacking forum, which US Cellular has since confirmed was from a recent breach of one of their third-party vendors. Compromised data includes names, email addresses, and other information. | 144,000
PeopleConnect (US) | Hackers leaked a backup database on the Breached hacking forum, which allegedly contains email addresses, hashed passwords, first and last names, and phone numbers of TruthFinder and Instant Checkmate customers who used the services up to April 16th, 2019. | 20,220,000
Tallahassee Memorial HealthCare (US) | The Florida hospital took its IT systems offline and suspended non-emergency procedures following a suspected ransomware attack. | Unknown
MKS Instruments Inc (US) | A ransomware attack affected production-related systems. MKS added it would temporarily suspend operations at some of its facilities as part of its containment efforts. | Unknown
RSAWeb (South Africa) | A network outage impacted cloud and shared hosting customers on February 1st, 2023. The incident is believed to be a ransomware attack. | Unknown
Hidalgo County Adult Probation Office (US) | On February 4th, 2023, the Texas probation office was hit by a ransomware attack. The County Judge stated that the incident was limited to the probation office only, and that the office was able to retrieve the affected information without paying a ransom. | Unknown
Sharp HealthCare (US) | Patient information was compromised following a cyberattack on its website. This includes names, internal identification numbers, invoice numbers, payment amounts, and the names of the Sharp entities receiving payment. | 62,777
Multiple | The Supreme Court of Florida, the Georgia Institute of Technology and Rice University in the United States, along with several higher education institutions in Hungary and Slovakia, were all reportedly targeted with ransomware, likely part of the widely reported ESXiArgs campaign. | Unknown
Ross Memorial Hospital (US) | Certain facilities were impacted by a suspected ransomware attack. The incident reportedly affected access to medical files. | Unknown
Elevel (Russia) | An unsecured dataset belonging to an online shop owned by the company contained seven million entries. This included names, phone numbers, email addresses, and delivery addresses, as well as login data and passwords in URL encoding. The dataset has since been secured. | Unknown
Weee! (US) | A threat actor uploaded a database belonging to the company, which it claims was stolen in February 2023. The data includes names, emails, phone numbers, home addresses, delivery types, devices, and dates. In some cases, the delivery logs contain notes left by customers, including door codes to residential or office buildings. | 11,000,000
Munster Technological University (Ireland) | The university experienced a major IT breach that may be linked to an international ransomware attack that targets vulnerable VMware ESXi servers. | Unknown
AmerisourceBergen (US) | The Lorenz ransomware gang added the company to their extortion site, posting files allegedly stolen from the company and MWI Animal Health. AmerisourceBergen disclosed that hackers compromised the IT systems of one of its unnamed subsidiaries. | Unknown
DotHouse Health (US) | A data breach may have resulted in the compromise of names, addresses, dates of birth, medical record numbers, and more. The company was previously added to the AlphV ransomware leak site, with the threat actor claiming to have exfiltrated 800GB of data. | 10,000
Hong Kong Institute of Bankers (China) | Six servers were hacked and encrypted, with the attacker threatening to upload the stolen files to the internet if a ransom is not paid. | 113,000

Attack Type mentions in Banking & Finance

This chart shows the trending attack types related to Banking & Finance within a curated list of cyber sources over the past week.

Weekly Industry View

Industry Information
Government
CERT-UA warned of an ongoing phishing campaign impersonating Ukrainian and Polish government entities to deliver malicious BAT files and PowerShell scripts. These are used to scan for and exfiltrate files on a targeted system. The threat actor has been observed impersonating the websites of Ukraine’s Ministry of Foreign Affairs, the Security Service of Ukraine, and the Polish Police. A similar fraudulent page impersonated the mail portal of the Ukrainian Ministry of Defense in June 2022. The campaign has been attributed to UAC-0114. The group is believed to have Russian-speaking members.
Technology
Between 2,800 and 3,800 VMware ESXi servers worldwide have been compromised by ransomware targeting a two-year-old remote code execution vulnerability, tracked as CVE-2021-21974. Many of the attacks were attributed to the new ESXiArgs ransomware strain, but there were also reports of a new variant of Royal ransomware and Black Basta being responsible for several incidents. A second wave of attacks, launched on February 7th, 2023, is using an updated encryption mechanism, rendering a recently released recovery tool redundant. Users are urged to immediately upgrade vulnerable ESXi products and disable the OpenSLP service.
Healthcare
Killnet’s latest published list of targets for distributed denial-of-service (DDoS) attacks included a range of different healthcare entities in the United States, with at least 14 organisations actively targeted. The list also included an administrative website for the United States Department for Homeland Security (DHS). According to Cybernews, the website was temporarily down, though the public-facing DHS website was not affected. The DDoS attacks are believed to be in response to US President Biden’s recent promise to provide military tanks to Ukraine.
Banking & Finance
Trend Micro researchers analysed a highly targeted business email compromise (BEC) campaign conducted by threat actor Water Dybbuk. The campaign, likely running since April 2022, targets Office 365 accounts of executives and finance departments in large companies, with the majority in the United States. Initial infection is via a spear phishing email containing a malicious HTML file. The campaign leverages the open-source tools BadaxxBot and EvilGinx2. The former is used to validate a victim’s IP address and User Agent, while the latter is configured for phishing credentials and session cookies from the victim’s Microsoft Office 365 accounts.
Cryptocurrency
Perception Point researchers discovered a new clipper malware, dubbed Paradies Clipper, that allows attackers to replace a victim’s cryptocurrency wallet with their own. The malware uses various hooking techniques to intercept and manipulate sensitive information, such as wallet addresses. Paradies Clipper is a PE32 file written in C/C++. It does not have obfuscated strings and uses registry keys for persistence.

News and information concerning each mentioned industry over the last week.
