
Weekly Cyber Digest

12 January 2023

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.

Trending Vulnerable Products

Open Source
Name Heat 7
Ubuntu
Microsoft Windows 8.1
Elementor
Zoom Rooms
Windows 7
Deep & Dark Web
Name Heat 7
Mozilla Firefox
AVG Antivirus
Oracle Database
Cisco NX-OS
Gatekeeper (macOS)

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company Information Affected
Multiple (UK) Vice Society targeted numerous UK schools in 2022 and have since published allegedly stolen data. Among the victims are Pates Grammar School in Gloucestershire, Lampton School, Mossbourne Federation, and the School of Oriental and African Studies in London. Unknown
Saint Gheorghe Recovery Hospital (Romania) The hospital was targeted in a ransomware attack in December 2022 that continues to impact hospital operations. The hackers reportedly gained access to the hospital’s systems. Unknown
Rackspace (US) Rackspace confirmed that Play ransomware operators were behind the December 2022 attack that took down its hosted Microsoft Exchange environment. The attackers gained access to the personal storage folders of 27 customers. This may include information such as emails, calendar data, contacts, and tasks. 27
University of Miami Health System (US) An intrusion into an employee’s work-associated email account took place. Emails containing the names and medical record numbers of some patients were forwarded to a third-party email account. Unknown
Maternal & Family Health Services (US) A ransomware attack may have exposed sensitive information to an unauthorised individual between August 21st, 2021, and April 4th, 2022. This includes names, addresses, dates of birth, Social Security numbers, financial account information, and more. Unknown
Consulate Health Care (US) Hive ransomware added the healthcare provider to their leak site, leaking 550GB of allegedly stolen data. Potentially compromised data includes email addresses, Social Security numbers, phone numbers, and more. Unknown
Air France & KLM (France & Netherlands) Personal information of certain Flying Blue customers was exposed after their accounts were breached. Potentially compromised data includes names, email addresses, phone numbers, latest transactions, and Flying Blue information such as earned miles balance. Unknown
January 6th Committee (US) The United States House of Representatives January 6th Committee exposed the Social Security numbers of individuals who visited the White House in December 2020. This includes at least three members of former President Trump’s Cabinet, a few Republican governors, and numerous Trump allies. 2,000
Telas Palo Grande (Venezuela) The BL00DY ransomware gang claimed an attack on the textile firm. The group posted alleged proof of claims, including screencaps and CSV files, on their Telegram channel. Unknown
Universidad De La Salle (Colombia) CL0P ransomware added the university to its leak site. They posted images of passports and a copy of an international agreement allegedly stolen as proof of claims. Unknown
Grupo Estrategas EMM (Mexico) BlackCat ransomware operators claim to have targeted the firm. The group has yet to upload any proof of claims. Unknown
Vijayawada Controller of Communication Accounts (India) Some of the computer systems belonging to the Indian city’s Controller of Communication Accounts (CCA) suffered a potential ransomware attack. Certain basic data in the compromised systems were affected. Unknown
MedStar (US) The company suffered a ransomware attack on or around October 20th, 2022. Compromised information could include full names, birthdates, contact information, treatment information, and more. 612,000
San Francisco Bay Area Rapid Transit (US) The Vice Society ransomware gang added BART to its data leak site on January 6th, 2023. BART is currently investigating the group’s claims. Unknown
Captify Health (US) The company’s online retail service, Your Patient Advisor, was found to contain malicious code between May 26th, 2019, and April 20th, 2022. Patients may have had their personal information and full payment card information, including CVV numbers, compromised. 244,300
SAIF Corporation (US) An unauthorised third party may have been able to view or acquire archive files containing policyholders’ data on October 24th, 2022. Potentially exposed data includes Social Security numbers, driver’s licence numbers, financial account numbers, health insurance policy numbers, and medical history information. Unknown
CyberOptics Corporation (US) The SchoolBoys Gang claim to be in possession of about 650GB of stolen data. The group reportedly leaked 20GB of the data on BreachForum after negotiations broke down in November 2022. This includes non-disclosure agreements (NDAs), Excel files with account names and passwords, driving licenses, and more. Unknown
Oxshag (UK) On January 7th, 2023, a website claiming to be a dating app published a list of full names and colleges of every person who currently holds an Oxford University email address. The breach is not limited to students, but also includes tutors, porters, academic offices, and more. Unknown
CAF (France) The social security agency sent sensitive and personal data of beneficiaries in Gironde to a service provider. The service provider then posted the file in plaintext on its website in March 2021. The exposed data includes addresses, dates of birth, household composition and income, and amount and types of benefits received. 10,204
American Institute of Certified Public Accountants (US) Threat actors on a popular hacking forum claim to have acquired a database containing users’ login details. Samples of the data were leaked as proof. 140,000
Government of Australia The login details for over 100,000 Australian government agencies have allegedly been found on a dark web forum. The data is part of a database of over 14 million usernames and passwords. The majority of the data has not been verified. Unknown
Aflac Japan (UK) The personal data of customers of Aflac’s cancer insurance product were leaked online, including surname, age, gender, and insurance cover. A sample of this data was also found on a prominent forum. 3,000,000
Zurich Insurance (Switzerland) Attackers stole the data of over 2.6 million Japanese customers. This includes names, gender, dates of birth, email addresses, policy numbers, and more. A Zurich spokesman stated that the data leak originated from an external service provider. 2,600,000
The Guardian (UK) The newspaper confirmed it was hit by a ransomware attack on December 20th, 2022, that involved unauthorised third-party access to parts of its network. The attacker gained access to the personal information of UK employees. Unknown
Experian (US) Identity thieves abused a security weakness in the consumer credit bureau’s website to view other individuals’ credit information. Experian’s website allowed users to bypass security questions to view anyone’s credit report. To exploit the weakness, an attacker would need the person’s name, address, birthday, and Social Security number. Experian has since resolved the issue. Unknown
Fire Rescue Victoria (Australia) On January 12th, 2023, the Vice Society ransomware group claimed responsibility for a December 2022 attack that led to a widespread IT outage. Vice Society also released a sample data set as proof. Personal information of current and former employees and job applicants may have been leaked, including full names, addresses, email addresses, phone numbers, health information, criminal history, and more. Unknown
ODIN Intelligence (US) An app used by dozens of police departments, named SweepWizard, leaked confidential details about hundreds of sweeps over multiple years, possibly since 2011. Exposed data included personally identifying information about hundreds of officers and thousands of suspects. This includes geographic coordinates of suspects’ homes, the time and location of raids, demographic and contact information, Social Security numbers, and more. >5,770
Trustanduse[.]com (Greece) A publicly accessible database, first discovered on June 21st, 2022, exposed 855GB of sensitive user and business data for at least six months. Exposed data included usernames, full names, Facebook IDs, phone numbers, and hashed passwords. The database has since been secured. 439,000
SB Tactical (US) A breach in which customer data was leaked occurred between September 19th and December 13th, 2022. Compromised data includes names, addresses, and full credit card details. Unknown

Malware mentions in Critical Infrastructure

This chart shows the trending malware related to Critical Infrastructure within a curated list of cyber sources over the past week.

Weekly Industry View

Industry Information
Banking & Finance
Symantec researchers observed the Bluebottle cybercrime group conducting attacks against banks in French-speaking countries in Africa from at least July 2022 to September 2022. The campaign appears to be a continuation of the OPERA1ER activity documented by Group-IB that spanned from mid-2019 to 2021. The group makes extensive use of living-off-the-land, dual-use tools, and commodity malware, deploying no custom malware. New tactics, techniques and procedures were observed in the more recent activity, including indications that ISO files may have been used as an initial infection vector, and the use of the GuLoader commodity malware in the initial stages of the attack.
Technology
Microsoft researchers analysed known ransomware families affecting macOS devices, including KeRanger, FileCoder, MacRansom, and EvilQuest. Mac ransomware typically relies on user-assisted methods for initial access, such as downloading and running fake or trojanised applications, but can also arrive as a second-stage payload dropper or be downloaded by other malware or as part of a supply chain attack. Once running, the ransomware attacks usually comprise gaining access, execution, encrypting target users’ files, and notifying the target with a ransom message. In order to conduct these actions, malware creators abuse legitimate functionalities and devise various techniques to exploit vulnerabilities, evade defences, or coerce users to infect their devices.
Critical Infrastructure
Reuters reported that the Russian hacker group Cold River targeted three nuclear research laboratories in the United States between August and September 2022. These include the Brookhaven, Argonne, and Lawrence Livermore National Laboratories. The hackers created fake login pages for each institution and emailed nuclear scientists in an attempt to retrieve their passwords. It has yet to be confirmed whether any intrusion attempts were successful.
Retail
Malwarebytes researchers identified a skimmer using the ‘Mr.SNIFFA’ framework to target e-commerce sites. The skimmer has adopted various obfuscation techniques as well as steganography to load its malicious code and exfiltrate stolen credit card data. The campaign uses a cryptocurrency theme, not previously seen in Magecart attacks. The skimmer injects a payment form into the e-commerce checkout page, which uses special character encoding to exfiltrate the stolen credit card data as an image file. The domains used in this campaign are hosted on DDoS-Guard infrastructure.
Healthcare
Trend Micro researchers observed Gootkit loader resurfacing in a recent spate of attacks against organisations in the Australian healthcare industry. This is an expansion of the group’s targeting of the legal sector. The examined samples leveraged search engine optimisation poisoning for initial access, targeting industry-related keywords paired with Australian city names. The fake sites contain a link to download a malicious ZIP containing a JS file, which is used to create a scheduled task for persistence. A second, heavily obfuscated JS file is executed to launch a PowerShell script that establishes C2 access.

News and information concerning each mentioned industry over the last week.
