Weekly Cyber Digest

15 September 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name / Heat 7)
Windows Common Log File System
WPGateway
BackupBuddy WordPress Plugin
MiVoice
VMware Horizon

Deep & Dark Web (Name / Heat 7)
Magento
BackupBuddy WordPress Plugin
WPGateway
WordPress
Adminer

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company | Information | Affected
Armed Forces General Staff of Portugal | The government agency suffered a cyberattack that allegedly allowed the theft of classified NATO documents. Hackers subsequently posted samples of the stolen material on the dark web and offered to sell the files. | Unknown
KN Modi Foundation (India) | A group of hackers allegedly stole and deleted data from the foundation. The group reportedly used the LockBit Black malware for the data theft. | Unknown
Henderson & Walton Women’s Center (US) | The company suffered a data breach after a hacker gained access to an employee email account. Potentially compromised personal data includes dates of birth, Social Security numbers, medical information, driver’s licence numbers, and health insurance information. | >34,000
Radiology Ltd (US) | The company suffered a breach after unauthorised access to patient information occurred between December 17th and December 24th, 2021. Potentially compromised data includes names, dates of birth, Social Security numbers, health insurance information, and more. | Unknown
Gateway Diagnostic Imaging (US) | The company suffered a breach after unauthorised access to patient information occurred between December 17th and December 24th, 2021. Potentially compromised data includes names, dates of birth, Social Security numbers, health insurance information, and more. | Unknown
NorthStar Healthcare Consulting (US) | On April 20th, 2022, the company discovered that a hacker had gained access to an employee email account. Potentially compromised data includes names, Medicaid identification numbers, dates of birth, contact details, prescriptions, prescriber names, appeal numbers, and diagnoses. | 18,354
First Street Family Health (US) | The organisation suffered a cyberattack that may have begun as early as July 5th, 2022. The incident led to access or theft of patient health information, and the ‘automated deletion’ of backup data for its electronic medical records. Possibly exposed data includes contact details, dates of birth, Social Security numbers, diagnoses, and more. | 7,310
Alegria Family Services (US) | BianLian ransomware operators added the care centre to their leak site and claimed to have acquired internal records, personnel-related files, and client data. At present, BianLian has not leaked any data from the care centre. The organisation confirmed that BianLian succeeded in locking its current files and its cloud-based backup, which contains all archived files and records going back six years. | Unknown
Suffolk County (US) | On September 9th, 2022, the executive of the New York county, Steve Bellone, stated that the county was investigating a possible ransomware attack on county computer systems after detecting a cyber intrusion. | Unknown
Bardstown Connect (US) | On September 2nd, 2022, the internet service provider suffered a ransomware attack that knocked its services offline. Bardstown mayor Dick Heaton stated that the city has not paid a ransom and that an investigation into the attack remains ongoing. | Unknown
Los Angeles Unified School District (US) | Vice Society claimed responsibility for the ransomware attack against the school district that occurred over the weekend of September 3rd, 2022. The group additionally claims to have exfiltrated 500GB of data from the network before encrypting it with ransomware. | Unknown
Eurocell (UK) | The manufacturer suffered a data breach after experiencing unauthorised third-party access to its systems. Potentially compromised data on current and former employees includes dates of birth, next of kin, bank account and national insurance numbers, tax reference numbers, and more. | Unknown
U-Haul (US) | The company experienced a data breach after a customer contract search tool was hacked. The attackers accessed some customers’ rental contracts between November 5th, 2021, and April 5th, 2022. Compromised data includes customer names and driver’s licence or state identification numbers. | Unknown
OakBend Medical Center (US) | The medical centre took all systems offline after being targeted with ransomware on September 1st, 2022. Daixin Team claimed responsibility for the attack, allegedly exfiltrating about 3.5GB of data, including 1.2 million records containing patient and employee data. | Unknown
Cisco Systems (US) | On September 11th, 2022, Cisco observed the Yanluowang ransomware actors posting the content of files stolen in the May 2022 attack on the dark web. According to the leader of Yanluowang, the group stole 55GB of data, including classified documents, technical schematics, and source code. The actor did not provide any proof, and Cisco denied that the intruders had accessed or exfiltrated any source code. | Unknown
Napa Valley College (US) | Following a ransomware attack in June 2022, the college discovered that a limited amount of personal information may have been accessed by an unauthorised third party in the incident. This may have included first and last names, Social Security numbers, and other data elements. | ~8,000
Government of Indonesia | The Coordinating Minister of Political, Legal, and Security Affairs, Mahfud MD, stated that no top-secret government documents were impacted in a recent data leak. The responsible hacker, Bjorka, previously claimed to have hacked presidential data and obtained presidential letters and top-secret documents from the intelligence agency. | Unknown
TAP Air Portugal | On September 12th, 2022, the Ragnar Locker ransomware group published the personal data of customers. This includes names, addresses, dates of birth, nationalities, and more. Ragnar Locker threatened to release additional data, claiming to possess the personal information of around 1.5 million customers. | 150,000
Buenos Aires Legislature (Argentina) | A ransomware attack on September 11th, 2022, compromised its internal operating systems and took down WiFi connectivity. As of September 13th, 2022, the legislature’s website continued to be offline. | Unknown
Philippine Airlines | A data breach occurred after its IT service provider, Accelya, suffered an AlphV ransomware attack in August 2022. The airline disclosed that the cyberattack exposed the personal data of Mabuhay Miles members from 2015 to 2017. This includes names, birth dates, nationality, gender, join date, tier level, and points balance. | Unknown
Medical Associates of the Lehigh Valley (US) | A ransomware attack first discovered on July 3rd, 2022, resulted in a data breach. Possibly impacted data includes patient names alongside addresses, email addresses, dates of birth, Social Security numbers, medical information, and more. | 75,268
The Physicians Spine and Rehabilitation Specialists of Georgia, PC (US) | The organisation did not specify whether ransomware was involved in a recently disclosed data breach, but noted that the attackers claim to have stolen certain records. Possibly stolen information includes names, contact information, dates of birth, Social Security numbers, medical information, and more. | 39,765
InSpecs EyeWear (US) | The company was added to the LockBit 3.0 data leak site. The attackers posted images of patient records and a drive directory as proof. It remains unclear how old or current the files might be. | Unknown
TennCare (US) | An update to the computer system may have inadvertently disclosed personal information for Medicaid recipients in Tennessee. A limited number of individuals from one household may have been able to view information about individuals in another household that includes some of the same individuals. | 1,700
IPCA Laboratories (India) | The RansomHouse extortion group claims to have stolen 500GB of data from the company. Portions of the allegedly stolen data published on the group’s dark web leak site reportedly include employee records and sensitive material related to medical research, as well as information on former employees and internal audit reports. | Unknown
TIC International Corporation (US) | On March 30th, 2022, the company experienced a network disruption caused by a Conti ransomware attack. Documents containing sensitive consumer information were accessed in the attack. This may include names, addresses, and Social Security numbers. | Unknown
Canadian Solar | LockBit 3.0 ransomware operators claimed to have hacked the solar technology company. The group set a deadline of September 13th, 2022, for the company to pay the requested ransom. | Unknown
South Francilien Hospital Center (France) | LockBit 3.0 added the hospital to its leak site and claimed to have stolen over one million files. The group set a deadline of September 13th, 2022, for the hospital to pay the requested ransom. | Unknown

Attack Type mentions in Education

This chart shows the trending attack types related to Education within a curated list of cyber sources over the past week.

Weekly Industry View

Industry | Information
Technology | Censys researchers observed a recent increase in Deadbolt ransomware attacks targeting a zero-day vulnerability, tracked as CVE-2022-27953, in QNAP NAS devices running Photo Station when connected to the internet. The increased activity began on September 2nd, 2022, when the number of unique hosts increased from 7,748 to 13,802. The number further increased to 19,029 by September 4th, 2022. The majority of infections were located in the United States, with 2,472 distinct hosts showing signs of Deadbolt, followed by Germany and Italy. The most targeted autonomous systems include HINET Data Communication Business Group, DTAG internet service provider operations, and France Telecom – Orange.
Education | Abnormal Security researchers identified threat actor Chiffon Herring targeting local school districts and universities in the United States since at least March 2022. The group engages in business email compromise (BEC) attacks using the payroll diversion theme. The group almost exclusively provides Green Dot accounts as the supposed replacement accounts, which are generally linked to prepaid cards. As opposed to typical BEC scams that impersonate executives, this campaign impersonates teachers and professors. The group spoofs publicly available email addresses, with the attacks sent to department heads.
Banking & Finance | Cyble researchers noted that the fake e-shop campaign targeting Malaysian banking customers that began at the end of 2021 remains ongoing. Among the targeted banks are Hong Leong Bank, CIMB Bank, Maybank, AmBank, Public Bank, RHB Bank, OCBC Bank, Bank Rakyat, Bank Islam, Bank Simpanan Nasional, and Agrobank. Activity ramped up in August 2022, with a higher number of phishing domains registered. The threat actor may begin targeting additional banks and countries, with a new phishing site impersonating a payment application website observed targeting HD Bank in Vietnam.
Government | In June and July 2022, Secureworks researchers identified a PlugX malware campaign targeting computers of government officials from several countries in Europe, the Middle East, and South America. Multiple campaign characteristics indicate it was conducted by the likely Chinese government-sponsored BRONZE PRESIDENT threat group. PlugX was likely delivered via phishing emails and is embedded within RAR archive files that, once opened on a Windows computer, display an LNK file masquerading as a document. Alongside the LNK is a hidden folder that contains the malware, embedded in a sequence of nested folders in a likely attempt to bypass detection. Clicking the LNK executes a legitimate file, a malicious DLL, and an encrypted payload.
Critical Infrastructure | Cisco Talos researchers discovered a new Lazarus Group campaign that targets energy providers globally, but primarily in the United States, Canada, and Japan. The campaign is designed to infiltrate and establish long-term access in targeted organisations, and to exfiltrate data of interest to North Korea. The activity distributes VSingle, YamaBot, and MagicRAT malware. Initial access is gained through exploitation of the Log4Shell vulnerability on exposed VMware Horizon servers.

News and information concerning each mentioned industry over the last week.
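The Government entry above describes an archive layout (a visible LNK beside a hidden folder whose nested subfolders hold a legitimate executable, a DLL and an encrypted blob) that a defender can triage for before any shortcut is clicked. The script below is an added example written for this digest, not Secureworks' or Silobreaker's tooling; it assumes an archive already extracted to disk, treats dot-prefixed names and the Windows hidden attribute as "hidden", and builds its own constructed sample tree with harmless placeholder files.

```python
import stat
import tempfile
from pathlib import Path

EXE_EXT, DLL_EXT = {".exe"}, {".dll"}


def is_hidden(p: Path) -> bool:
    """Dot-prefix on POSIX, or the Windows hidden attribute when the stat result has one."""
    if p.name.startswith("."):
        return True
    attrs = getattr(p.stat(), "st_file_attributes", 0)          # Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def classify_tree(d: Path) -> dict:
    """Bucket every file under d (any nesting depth) as exe, dll or other."""
    roles = {"exe": [], "dll": [], "other": []}
    for f in d.rglob("*"):
        if f.is_file():
            ext = f.suffix.lower()
            key = "exe" if ext in EXE_EXT else "dll" if ext in DLL_EXT else "other"
            roles[key].append(f.relative_to(d).as_posix())
    return roles


def find_suspicious_lnks(root: Path) -> list:
    """Return (lnk name, hidden dir name, roles) for each .lnk that sits next to a
    hidden directory holding at least one EXE, one DLL and one non-executable file."""
    hits = []
    for lnk in root.rglob("*.lnk"):
        for sib in lnk.parent.iterdir():
            if sib.is_dir() and is_hidden(sib):
                roles = classify_tree(sib)
                if roles["exe"] and roles["dll"] and roles["other"]:
                    hits.append((lnk.name, sib.name, roles))
    return hits


def build_sample_tree(base: Path) -> Path:
    """Constructed sample reproducing the described layout; contents are inert stand-ins."""
    payload_dir = base / ".cache" / "a" / "b" / "c"
    payload_dir.mkdir(parents=True)
    (base / "Invoice.pdf.lnk").write_bytes(b"L\x00\x00\x00")    # fake shortcut header
    (payload_dir / "host.exe").write_bytes(b"MZ")               # stand-in for legitimate binary
    (payload_dir / "loader.dll").write_bytes(b"MZ")             # stand-in for malicious DLL
    (payload_dir / "data.dat").write_bytes(b"\x00" * 16)        # stand-in for encrypted payload
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_suspicious_lnks(build_sample_tree(Path(tmp))):
            print("suspicious:", hit)
```

Point `find_suspicious_lnks` at an extraction directory from a mail-gateway sandbox to flag candidates for analyst review; a hit is a heuristic, not proof of PlugX.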
