
Weekly Cyber Digest

15 December 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.

Trending Vulnerable Products

Deep & Dark Web
Name | Heat 7
- Citrix Application Delivery Controller
- Netwrix Auditor
- Citrix Gateway
- Sophos Firewall

Open Source
Name | Heat 7
- WebKit Software Component
- Android 11
- Android 10
- Citrix Application Delivery Controller
- Snapdragon Mobile

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company | Information | Affected

Ambulances des Trois Cantons (France): The ambulance service in Peyrehorade was hit by a ransomware attack on December 6th, 2022. The incident impacted phone lines and resulted in the loss of all files as well as appointment schedules beyond December 12th, 2022. Affected: Unknown

CommonSpirit Health (US): The non-profit confirmed that hackers accessed the personal data of patients during a ransomware attack between September 16th and October 3rd, 2022. Data confirmed to be compromised includes names, addresses, phone numbers, dates of birth, and an internal unique ID. Affected: 623,774

Avicena Medical Laboratory (Kosovo): The site was found to have insufficient authorisation controls, which resulted in the exposure of an estimated 166,000 records. Among the exposed data were personal and medical data of patients, including national ID numbers, first and last names, and more. Affected: Unknown

Telstra (Australia): A ‘misalignment of databases’ resulted in customer details being made publicly available in the online White Pages and via directory assistance. The leak exposed the names, phone numbers, and addresses of customers. Affected: 130,000

COVAXon (Canada): Data was stolen from Ontario’s COVID-19 vaccine management system in November 2021. In most cases, only names and phone numbers were impacted. Affected: 360,000

Congress of Jalisco (Mexico): A Play ransomware attack on December 6th, 2022, reportedly encrypted 14 servers, with most of the affected data said to be legislative, legal or administrative in nature. To date, the Play ransomware group has not listed the agency on its leak site. Affected: Unknown

Requena City Council (Spain): A ransomware attack on November 27th, 2022, forced it to shut down its systems and impacted the payroll payment system. The BlackCat ransomware group claimed responsibility and has leaked a number of files. Affected: Unknown

Multiple Organisations (Argentina): Several organisations disclosed cyberattacks in early December 2022, including the National Institute of Statistics and Census (INDEC), Automovil Club Argentino, and Cetrogar. The attacks against INDEC and Cetrogar both involved ransomware, with the latter possibly compromised by Play ransomware. Affected: Unknown

Knox College (US): Hive ransomware operators claimed responsibility for a ransomware attack that caused disruptions to computer systems, with the attackers claiming to have encrypted critical infrastructure and data. The group also threatened to leak sensitive personal information they claim to have stolen, such as medical records and Social Security numbers. Affected: Unknown

Uber (US): A threat actor gained access to an Amazon Web Services backup server belonging to a third-party vendor, Teqtivity. The attacker was able to access device information and user information, including names, work email addresses, and work location details, for companies using the platform. Affected: Unknown

California Department of Finance (US): On December 12th, 2022, LockBit ransomware operators claimed to have stolen 76GB of data from the government agency. The data allegedly includes databases, confidential data, financial documents, and ‘sexual proceedings on court’. The group has given the agency a December 24th, 2022, deadline before publishing the stolen files. Affected: Unknown

Global Pravasi Rishta Portal (India): The portal, owned by the Indian Ministry of External Affairs and used by the Indian government to connect with its overseas population, was leaking sensitive user data. The leak exposed names, country of residence, email addresses, occupation status, and phone and passport numbers in plaintext. Affected: Unknown

Vevor (US): The retail giant left a multi-terabyte database exposed. Leaked sensitive user data includes names, physical and email addresses, phone numbers, order details, partial payment details, payment logs, and other tracking information. Affected: Unknown

City of Antwerp (Belgium): Play ransomware operators claimed responsibility for a recent attack against the Belgian city’s vendor, Digipolis. The attackers added the city to their leak site, claiming to have stolen 557GB of data during the attack, including personal information, passports, IDs and financial documents. They have yet to leak any data. Affected: Unknown

Sequoia (US): Hackers accessed sensitive customer information stored in cloud storage between September 22nd and October 6th, 2022. Potentially compromised data includes names, home addresses, dates of birth, gender, Social Security numbers, government identity cards, and more. Affected: Unknown

Konext (Pakistan): The Xnspy stalkerware was found to contain common security flaws that can be easily exploited to steal data from users. The exposed data includes unique iCloud email addresses and passwords, as well as authentication tokens. Also exposed were the names, email addresses, and scrambled passwords of the Konext developers and employees behind the stalkerware. Affected: 60,000

InfraGard (US): On December 10th, 2022, a hacker on BreachForums advertised the user database of InfraGard, the physical threat information sharing network run by the Federal Bureau of Investigation. The hacker alleged the database contained information on members, including names and contact information, as well as 47,000 emails. Affected: 80,000

TPG Telecom (Australia): The company suffered a data breach on its hosted Microsoft Exchange services that run email accounts for iiNet and Westnet business customers. The target appeared to be cryptocurrency and financial information contained within these accounts. Affected: Unknown

San Gorgonio Memorial Hospital (US): Between October 29th and November 10th, 2022, an unauthorised party had access to the computer network of the California hospital. The actor gained access to sensitive patient information, including names, addresses, dates of birth, medical record numbers, Social Security numbers, and more. Affected: Unknown

Covid Vaccine Intelligence Network (India): A hacker, claiming to be Nazila Blackhat, claimed to have access to the Indian government’s CoWIN portal, and attempted to sell admin access to the platform, as well as the sensitive data of healthcare workers. They shared multiple screenshots as proof, including ones displaying personal data. Security researcher Sunny Nehra stated that the hacker’s claims seem to be false and theorised that the screenshots may show data of a limited number of CoWIN users from other regions or a local database, rather than the main CoWIN website. Affected: Unknown

International Table Tennis Federation (US): Data from the International Table Tennis Federation was available for public download for three years. The data is said to include information on hundreds of professional players, including Ma Long and Fan Zhendong. Affected: Unknown

Gemini Trust Company (US): A third-party vendor of the cryptocurrency exchange appears to have suffered a data breach on or before December 13th, 2022, as a result of a hacking incident. The hackers reportedly gained access to over 5.7 million lines of information consisting of Gemini customers’ email addresses and partial phone numbers. Affected: Unknown

2NetworkIT (Canada): The company was hit by a Cuba ransomware attack on December 8th, 2022. 2NetworkIT has since restored the affected services. Whilst the company’s owner, Marc Villeneuve, stated that they only lost a day’s worth of email and data, Cuba ransomware operators claimed to have stolen financial documents, correspondence with bank employees, tax documents, and source code. Affected: Unknown

Malware mentions in Healthcare

This chart shows the trending malware related to Healthcare within a curated list of cyber sources over the past week.

Weekly Industry View

Industry | Information

The United States Department of Health and Human Services issued a warning to healthcare organisations about ongoing attacks from the Royal ransomware gang. The actors are believed to be focused on targeting US healthcare organisations, having claimed to have leaked all allegedly stolen data following each compromise. The group uses social engineering to trick corporate victims into installing remote access software following callback phishing attacks that impersonate software providers and delivery services.

Trend Micro researchers observed a cryptocurrency mining attack that leverages the Chaos remote administration tool (RAT). The attack flow involves terminating competing malware and killing off processes that compete for the resources cryptocurrency mining depends on, on Linux devices. Chaos RAT achieves persistence by altering a UNIX task scheduler (cron) file that, in this instance, re-downloads the malware every 10 minutes from Pastebin. Additional payloads are then downloaded, including an XMRig miner and its configuration file, a shell script that loops a ‘competition killer’, and Chaos RAT itself. Chaos RAT is a Golang-compiled binary that can open a reverse shell, download, upload, and delete files, take screenshots, and more.

A new email campaign by the North Korean hacking group Kimsuky is targeting individuals who are influential in foreign governments to better understand where Western policy on North Korea is headed. This includes imitating other research entities to ask researchers and other experts on North Korea for their opinions on policy, and to write and comment on reports. The attackers appear to be successful, as multiple experts have provided information to a Kimsuky attacker account. The campaign marks a shift in tactics, since groups like Kimsuky are known to usually infect targets with malware to steal sensitive information.

Researchers from SentinelLabs, Mandiant, and Sophos observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions. The malicious driver and its loader, tracked as POORTRY and STONESTOP respectively, are designed to terminate antivirus and endpoint detection and response processes. Several distinct malware families, associated with distinct threat actors, were found to have been signed through this process. This includes UNC3944, Cuba ransomware, and Hive ransomware.

Critical Infrastructure: Cyble researchers observed a recent spike in Mallox ransomware samples in the wild, indicating that the malware is active and spreading rapidly. Spam emails are used to deliver an unknown .NET loader, which downloads encrypted malicious content from a remote server, decrypts it in the loader’s memory, and executes it. The malicious content is executed in memory without the actual payload being saved to disk, to evade antivirus detection. The loader then downloads and decrypts the ransomware binary in memory before executing it. Upon execution the ransomware stops numerous services and programs, including GPS-related programs, suggesting that the ransomware could be targeting organisations dealing with critical infrastructure.

News and information concerning each mentioned industry over the last week.
