
Weekly Cyber Digest

13 October 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name | Heat 7)
SAP 3D Visual Enterprise
Fortinet FortiProxy
Fortinet FortiOS
VMware vCenter Server
Zimbra Collaboration Suite

Deep & Dark Web (Name | Heat 7)
Binance Smart Chain
Active Directory Certificate Services
Adobe Acrobat
Windows Defender SmartScreen
Windows Server 2008

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company | Information | Affected
Redtone Digital Bhd Networks (Malaysia) | Desorden Group hacked the telecommunications company on October 1st, 2022. The group provided samples of allegedly exfiltrated data but did not indicate how many files it is in possession of, or whether it intends to sell or leak the data. | Unknown
Multiple Banks (Egypt) | A new group of hacktivists, operating under the campaign ‘EG Leaks’ or ‘Egypt Leaks’, have leaked large volumes of customer payment data from major banks on the dark web. This includes National Bank of Egypt, HSBC Bank Egypt, Bank of Alexandria, Banque Misr, Alexbank, Credit Agricole Egypt, and more. Amongst the leaked data are names, email addresses, billing addresses, type of payment card, and more. | Unknown
2K Games (US) | The game publisher suffered a data breach after a threat actor gained access to its help desk platform through illegally obtained system credentials on September 19th, 2022. Potentially compromised information includes email addresses, names, and other sensitive information. | Unknown
Indianapolis Housing Agency (US) | The agency suffered a ransomware attack that caused its computers and phones to malfunction. An investigation is ongoing to determine whether any personal information was stolen. | Unknown
Bank of Brasilia (Brazil) | On October 3rd, 2022, the bank suffered a ransomware attack. According to unnamed sources, the attackers used LockBit ransomware to conduct the attack. The hackers demanded a ransom to not leak user data. | Unknown
Saskatoon Obstetric and Gynecologic Consultants (Canada) | The clinic suffered a ransomware attack after a staff member opened a malicious email attachment in late December 2020. The hackers subsequently demanded a ransom to unlock the data. The clinic later paid the attackers for the decryption software. | Unknown
Multiple | The BidenCash carding forum made 1,221,551 credit and debit card records available for free. The most impacted bank is American Express, followed by Fiserv Solutions and Wells Fargo. The dumped database includes full credit card details, as well as personal details of the cards’ owners, including names, full addresses, dates of birth, and more. A threat actor later advertised a free database of 7.9 million cards on the same site, affecting Bank of America, Chase Bank, Wells Fargo, Bay First, and JPMorgan Chase Bank. | Unknown
ESKOM (South Africa) | The Everest ransomware gang claimed to have gained access to the company’s servers. ESKOM recently disclosed it is experiencing some server issues. | Unknown
CSI Laboratories (US) | On July 8th, 2022, the company discovered it was the victim of a phishing attack that compromised an employee’s email account. Potentially compromised information includes patient names and numbers, dates of birth, and health insurance information. | 244,850
Toyota (Japan) | The company disclosed that customer information from its T-Connect service might have been leaked, including email addresses and customer numbers. The leak affects customers who signed up to the service’s website via email since July 2017. | 296,019
Dialog (Australia) | The Singtel subsidiary suffered a cyberattack that potentially affected current and former employees and less than 20 clients. Dialog recently learned that a small sample of its data, including some employee personal information, had been leaked on the dark web. | 1,000
Tufts University (US) | The vaccine clinic provider, Pelmeds, experienced a data breach involving images of patients’ insurance cards. It remains unknown how many Tufts community members are impacted. | Unknown
Cardiac Imaging Associates (US) | An unauthorised actor had access to an email account between approximately March 30th and April 6th, 2022. Potentially compromised information includes names, dates of birth, Social Security numbers, driver’s licence numbers, financial account and payment card information, and more. | Unknown
Infomag (Turkey) | An unprotected MongoDB instance containing 3.9GB of data exposed over 19.5 million records and over 152,000 pieces of information relating to customers. Exposed data included names, emails, links to social media profiles, hashed passwords, and more. The database was later hit by ransomware. | Unknown
Pinkfong (South Korea) | An unsecured Amazon Web Services S3 bucket exposed data and scripts. This includes data from Pinkfong’s content management system used for configuring apps and hosting streaming content, as well as Google login credentials, app settings, and a Slack webhook. | Unknown
Costa Group (Australia) | A phishing attack on its server in August 2022 may have exposed the personal information of workers who were hired directly by the company since 2013 or by labour hire firms since 2019. This may include passport details, bank details, superannuation details, and tax file numbers. | Unknown
Wisconsin Department of Health Services (US) | A presentation emailed to the DHS Children’s Long-Term Support Council in April 2021 contained protected health information. Potentially compromised information includes first and last names, dates of birth, gender, county locations, Wisconsin Medicaid member ID numbers, and Social Security numbers. | 12,358
Detroit Department of Health (US) | On May 12th, 2022, the department discovered that protected health information was compromised because of an unauthorised disclosure in its office. Potentially compromised information includes names, addresses, dates of birth, contact information, gender, race, marital status, and more. | Unknown
State Bar of Georgia (US) | Employee and member information was compromised in an April 2022 BitLocker ransomware attack. Exposed information may include names, addresses, dates of birth, Social Security numbers, driver’s licence numbers, direct deposit information, or name change information. | Unknown
Ro (US) | The healthcare entity suffered a data breach after a security contractor inadvertently uploaded a spreadsheet containing personal employee information to a malware detection platform on July 6th, 2022. Compromised information includes names, addresses, and bank account numbers. | Unknown
Grain Valley Schools (US) | A malware attack caused technical difficulties to its IT systems. Officials reportedly believe that the malware was used to encrypt certain systems. An investigation is ongoing to determine if any sensitive data was compromised in the attack. | Unknown
Johnson Fitness and Wellness (US) | Desorden Group claims to have stolen 71GB of data, including files on suppliers, dealers, customers, and employees, as well as internal operations and financial records. Sample data included personal information of customers, such as names, addresses, phone numbers, and dates of birth. | Unknown
Internap (US) | A ransomware attack on September 28th, 2022, affected multiple services. The company stated that the services could not be recovered, and that the multitenant website, database, and email hosting services are no longer available following the incident. | Unknown
PG&E (US) | Partial Social Security numbers of customers were exposed through the use of Experian Identity Verification questions. The feature enabled malicious actors to find the last four digits of another individual’s SSN, whilst only knowing the person’s name and address. | Unknown
RecordTV (Brazil) | On October 8th, 2022, the news channel suffered a BlackCat ransomware attack that forced its network offline. The attackers reportedly stole the personal data of employees, the network map containing credentials for local and remote services, and more. | Unknown
Hartnell College (US) | The college confirmed it suffered a ransomware attack after suspicious activity was observed on its network on October 2nd, 2022. | Unknown
Linn-Mar School District (US) | An unknown actor gained access to certain systems and conducted activity on these between July 26th and August 1st, 2022. Employee data may have been impacted. | Unknown
Aesthetic Dermatology Associates (US) | An unauthorised actor accessed certain systems on its network on August 15th, 2022. Potentially compromised patient data includes names, addresses, dates of birth, diagnosis code, and health insurance information. The BianLian ransomware group has since claimed responsibility for the attack and began leaking allegedly stolen data on October 1st, 2022. | 33,793
Eventus WholeHealth (US) | Suspicious activity associated with one of its email accounts was observed, despite the use of multifactor authentication. No evidence was found to suggest the unauthorised third party viewed any information; however, possibly impacted patients are being informed of the potential breach as soon as they are identified. | Unknown
Unknown (US) | Thirteen separate anaesthesia practices reported breaches stemming from a ‘data security incident’ at an unnamed management company. The incident is thought to have occurred on July 15th, 2022, and compromised the protected health information of patients. Potentially exposed data includes names, contact details, health insurance policy numbers, Social Security numbers, and more. | 380,104
Magellan Rx Management (US) | TennCare patients were informed that their data was compromised after the email account of a former auditing vendor, NorthStar, was hacked between February and April 2022. A threat actor gained access to a single NorthStar employee email account and accessed or stole Medicaid data tied to the Georgia Department of Community Health. | 13,633

Malware mentions in Banking & Finance

This chart shows the trending malware related to Banking & Finance within a curated list of cyber sources over the past week.

Weekly Industry View

Industry | Information
Cryptocurrency | Attackers were observed airdropping non-fungible tokens (NFTs) to Solana cryptocurrency owners, pretending to be alerts for new Phantom security updates. The ongoing attacks lead to the installation of password-stealing malware and the theft of cryptocurrency wallets. It is currently unclear which malware trojan is being spread; however, previous campaigns distributed MarsStealer.
Critical Infrastructure | Pro-Russian hacktivist group Killnet is claiming a series of large-scale distributed denial-of-service (DDoS) attacks against websites of several major United States airports. The DDoS attacks do not impact flights, but threaten to disrupt or delay services. Multiple airport websites became inaccessible, including the Hartsfield-Jackson Atlanta International Airport, Los Angeles International Airport, Chicago O’Hare International Airport, Orlando International Airport, Denver International Airport, Phoenix Sky Harbor International Airport, and others in Kentucky, Mississippi, and Hawaii.
Government | The pro-Russian hacker group Killnet claimed responsibility for cyberattacks against the government websites of Colorado, Kentucky, and Mississippi in the United States. This includes the website for Kentucky’s Board of Elections. The attacks caused intermittent connection issues. By October 6th, 2022, the targeted websites were all back online.
Banking & Finance | A new group of hacktivists, operating under the campaign ‘EG Leaks’ or ‘Egypt Leaks’, are targeting financial institutions in Egypt. The actors have leaked large volumes of customer payment data from major Egyptian banks on the dark web, including National Bank of Egypt, HSBC Bank Egypt, Bank of Alexandria, Banque Misr, Alexbank, Credit Agricole Egypt, and more. The activity was first identified on a Telegram channel created to leak Excel files, which currently contains 12,229 credit cards. While some of the data seems to be incomplete, the data of multiple customers has since been validated.
Technology | A new threat cluster, tracked as WIP19, targets telecommunications and IT service providers in the Middle East and Africa. WIP19 is believed to be a Chinese-speaking threat group that conducts espionage-related activity. The group’s activity is characterised by the use of a legitimate, stolen digital certificate, issued by a company called ‘DEEPSoft’. The certificate has been used to sign several malicious components, some of which were tailor-made for specific targets. WIP19’s toolset consists of password dumpers, a keylogging and screen recording component called ScreenCap, and the SQLMaggie implant.

News and information concerning each mentioned industry over the last week.