
Weekly Cyber Digest


10 November 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Deep & Dark Web (columns: Name, Heat 7)
- Microsoft Windows NT
- Windows Common Log File System
- Windows 10 Enterprise
- Microsoft Windows 10
- Windows 11

Open Source (columns: Name, Heat 7)
- Splunk Enterprise
- VMware Workspace ONE Assist
- Cisco Firepower Threat Defense
- Cisco ASA Adaptive Security Appliance
- Acronis Cyber Protect

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

| Company | Information | Affected |
| --- | --- | --- |
| Continental AG (Germany) | LockBit ransomware operators claim to have hacked the automotive parts manufacturer. The group has threatened to publish allegedly stolen data on its Tor leak site. The company has since confirmed that some data was stolen in an August 2022 attack. | Unknown |
| Convergent Outsourcing Inc (US) | On June 17th, 2022, the company was the victim of a ransomware attack that resulted in the compromise of personal customer information. This includes names, contact information, financial account numbers, and Social Security numbers. | Unknown |
| AstraZeneca (UK) | The pharmaceutical giant inadvertently exposed access to sensitive patient data for over a year after a developer left the credentials for an internal server on GitHub in 2021. The credentials allowed access to a test Salesforce cloud environment that contained some patient data. | Unknown |
| UOB KayHian (Malaysia) | DESORDEN GROUP added the stock brokerage firm to its leak site, allegedly stealing 159,807 customer records in October 2022. The records reportedly include full names, gender, dates of birth, IC numbers, passports, usernames and passwords, email addresses, and more. | Unknown |
| Landi Renzo SpA (Italy) | On November 3rd, 2022, Hive ransomware added the Italian firm to its leak site. The actors did not release any sample data as proof, but did provide DataBreaches[.]net with access to what is allegedly 534GB of exfiltrated files. The data includes proprietary information and personal information on employees and vendors. | Unknown |
| Kearney & Company (US) | LockBit ransomware added the premier CPA firm, which offers services to the US federal government, to its leak site on November 5th, 2022. A published sample of the data includes financial documents, contracts, audit reports, billing documents, and more. | Unknown |
| BWX (Australia) | Malicious code was unlawfully inserted into its Flora & Fauna website, possibly resulting in customers' credit card numbers and expiry dates being transmitted to an unauthorised third party between August 13th and September 29th, 2022. | 2,500 |
| Take Solutions Ltd (India) | The company disclosed on November 3rd, 2022, that it suffered a ransomware attack on its enterprise resource planning system hosted with a third-party cloud service provider. Certain folders were encrypted, impacting the firm's ongoing audit of financial results. | Unknown |
| PNORS Technology Group (Australia) | The IT company suffered a cyber incident which led to a data breach impacting two of its businesses, Datatime and Netway. As a result, thousands of students and their families may have had their personal data stolen, including medical information, and information related to demographics, development and behavioural issues, and more. | Unknown |
| Kilvington Grammar School (Australia) | On October 14th, 2022, the LockBit ransomware gang posted data allegedly stolen from the Australian education institution. The school confirmed that it suffered a data breach that involved unauthorised access to some of its online systems. | Unknown |
| Norman Public Schools (US) | On November 4th, 2022, the school district disclosed that its networks were experiencing a ransomware attack. The district expects significant disruptions as a result. Users were recommended to stop using district-issued devices. | Unknown |
| Health Service Executive (Ireland) | Individuals may have had their personal data stolen during the 2021 cyberattack against the government agency. For the majority of impacted individuals, the exposed data is less sensitive. However, a smaller subset of individuals reportedly had more sensitive details compromised. | >100,000 |
| Smart Link BPO Solutions (Saudi Arabia) | The Justice Blade threat group published data allegedly stolen from the IT vendor. The group claims to have stolen CRM records, personal information, email communications, contracts, and account credentials. They released screenshots of active Remote Desktop Protocol sessions and Office 365 communications between various countries in the region, as well as several lists of users. | Unknown |
| Orange Spain | A security incident at the company's debt collection provider exposed the sensitive information of some of Orange's clients. This includes names, surnames, postal addresses, telephone numbers, emails, DNI/NIE numbers, IBAN, and more. | Unknown |
| Dutch Land Registry | Between September 18th and October 11th, 2022, the agency suffered a data breach that made protected residential addresses visible and accessible. | Unknown |
| Eindhoven University of Technology (Netherlands) | On September 17th, 2022, the university's campus card provider, ID-Ware, suffered a BlackCat ransomware attack. The incident compromised certain information of university passholders, such as name, address, and campus pass number. | 23,846 |
| URLScan | The urlscan[.]io security tool left sensitive URLs publicly listed and searchable. The URLs lead to shared documents, password reset pages, team invites, payment invoices, and more. | Unknown |
| Medibank (Australia) | On November 9th, 2022, hackers began to leak sensitive customer medical records recently stolen from the health insurer after the firm refused to pay a ransom. Records include names, dates of birth, passport numbers, and information on medical claims. | 9,700,000 |
| Lodi Unified School District (US) | An unauthorised actor gained access to its third-party student record management application, Aeries, on or around September 21st, 2022. The actor accessed certain information within the Aeries application, including first and last names, and medical information. | Unknown |
| Multiple Anaesthesia Practices (US) | At least 10 additional anaesthesia practices in the United States were added to the 'data security incident' at an unnamed healthcare management company, which was first reported in October 2022. Compromised data includes names, Social Security numbers, dates of birth, driver's licences, financial account information, and more. | 55,029 |
| Baton Rouge General (US) | Patient data was compromised following a network hack between June 24th and June 29th, 2022. Potentially exposed data includes names, Social Security numbers, dates of birth, financial account data, state ID numbers, and more. | Unknown |
| Salud Family Health (US) | Patient and employee data was accessed after certain computer systems were hacked on September 5th, 2022. Stolen data includes names, Social Security numbers, driver's licence numbers or Colorado identification card numbers, financial account information, passport numbers, and more. | Unknown |
| Legacy Post Acute Care (US) | Personal data of patients was compromised after multiple employee email accounts were hacked between January 19th and March 3rd, 2022. | Unknown |

Malware mentions in Banking & Finance

This chart shows the trending malware related to Banking & Finance within a curated list of cyber sources over the past week.

Weekly Industry View

| Industry | Information |
| --- | --- |
| Banking & Finance | Group-IB and Orange CERT-CC researchers discovered a French-speaking threat actor, dubbed OPERA1ER, that has conducted over 30 successful attacks against banks, financial services, and telecommunications companies between 2018 and 2022. OPERA1ER is confirmed to have stolen at least $11 million in this period, from targets primarily located in Africa. The group utilises highly targeted spear phishing emails that distribute remote access trojans and other tools to collect user credentials. The stolen credentials are used to gain administrator privileges on the domain controllers, before the banking infrastructure is ultimately utilised to fraudulently transfer money from customer accounts to mule accounts. |
| Government | Graphika researchers observed suspected Russian actors engaging in a renewed effort to target far-right audiences in the United States with divisive messaging in relation to the midterm elections. The actors' activity is consistent with previous phases of a 'Posing as Patriots' campaign which targeted the 2020 US election. The messaging includes attempts to undermine support for Democratic candidates in Pennsylvania, Georgia, New York, and Ohio. Other narratives promote inflammatory messaging about sensitive cultural and political issues, criticism of President Biden, and pro-Russian narratives related to the war in Ukraine. On November 8th, 2022, some state websites were hit with distributed denial-of-service attacks amid the midterm elections. Affected states include Illinois and Mississippi. The impacted websites have since been restored, and there was no credible threat to the casting or counting of ballots. |
| Healthcare | The HHS Office of Information Security warned the United States healthcare sector about potential cyber threats from Iranian hackers. The actors include Charming Kitten, Static Kitten, Pioneer Kitten, Remix Kitten, Helix Kitten, Refined Kitten, Magic Kitten, Infy, and UNC3890. The groups are known to engage in various destructive activities, such as website defacement, malware distribution, theft of personally identifiable information, spear phishing, and distributed denial-of-service attacks. They have also deployed wiper malware, performed retaliatory attacks, and conducted social media-driven operations. |
| Technology | Following recent discoveries by Mandiant on a series of targeted attacks using Amazon job lures by the advanced persistent threat cluster UNC4034, VirusTotal researchers discovered additional cases that they believe with high confidence to be related to the same activity set. These newly observed cases target Dell and IBM. Six malicious ISO files were discovered, some of which contained remote client tools, including TightVNC Viewer, PuTTY, and KiTTY, the latter of which is a fork of PuTTY. Some of the attackers' IPs were also discovered. |
| Critical Infrastructure | The Danish train operator DSB disclosed that a recent breakdown of the country's train network between October 29th and October 30th, 2022, was caused by a cyberattack on IT subcontractor Supeo's software testing environment. Supeo subsequently shut down its servers, which affected the train drivers' ability to operate trains for several hours. DSB's chief of security, Carsten Dam Sonderbo-Jacobsen, stated that the attack did not target infrastructure but was an economic crime. It remains unknown who was behind the attack. |

News and information concerning each mentioned industry over the last week.
