16 February 2023
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.
Trending Vulnerable Products
Open Source
Name |
---|
Tecnomatix Plant Simulation |
Apple Safari |
Apple iPadOS |
Microsoft SQL Server |
Splunk Enterprise |
Deep & Dark Web
Name |
---|
GoAnywhere MFT |
Foxit PDF Reader |
FortiADC |
Microsoft Office |
Windows Defender SmartScreen |
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
Company | Information | Affected |
---|---|---|
General Treasury of the Republic of Chile | A hacker claimed to have persistent access to the Treasury’s servers and the content of all their databases. Screenshots were posted as proof, one of which appears to contain personal information including name, date of birth, nationality, and more. | Unknown |
Modesto Police Department (US) | The department detected suspicious activity on its network, which some reports attribute to a ransomware attack. | Unknown |
Phihong Technology (Taiwan) | On February 9th, 2023, the LockBit gang added the company to its leak site. The group claims to have stolen confidential documents, including personally identifiable information of employees and customers. | Unknown |
Mount Saint Mary College (US) | The college was added to the leak site of the Vice Society ransomware group following a December 2022 ransomware attack. This may have exposed the personal information of individuals. | Unknown |
Reddit (US) | A Reddit employee fell victim to a phishing attack that exposed their credentials. Compromised data includes contact information for hundreds of Reddit contacts, as well as current and former employees, and limited advertiser information. | Unknown |
The Arc of Essex County (US) | The LockBit ransomware group added the children’s disability service to its leak site with a payment deadline of February 26th, 2023. | Unknown |
The Pakistan Institute of Medical Sciences | Data from Pakistan’s public health card programme was stolen from the hospital in 2022. The health card data is now reportedly securely stored in multiple locations. | Unknown |
Slick (India) | A misconfigured database exposed the data of users, including school children. Potentially compromised data includes names, mobile numbers, dates of birth, and profile pictures. | Unknown |
Israel Institute of Technology | On February 12th, 2023, a new threat actor, named DarkBit, claimed responsibility for a ransomware attack on the university. | Unknown |
B&G Foods (US) | Daixin Team claimed to have exfiltrated data during a cyberattack on February 4th, 2023. This includes internal company documents and some employee data, such as dates of birth, phone numbers, and more. | Unknown |
Multiple | LockBit added Avante Textil in Mexico and Politriz in Brazil to its leak site. It also added the government of Medellin in Colombia, uploading several files as proof that include names, phone numbers, and email addresses. | Unknown |
Thomas J. Schandy (Uruguay) | Avos Locker added the company to its leak site, claiming to be in possession of 100GB of data. Files leaked as proof include CVs and work agreements. | Unknown |
City of Oakland, California (US) | A ransomware attack on February 8th, 2023 forced the city to take all systems offline. Core emergency services remain unaffected. | Unknown |
A10 Networks (US) | A Play ransomware attack on January 23rd, 2023, compromised data related to human resources, finance, and legal functions. The Play ransomware group later added the company to its leak site on February 9th, 2023, claiming to have stolen personal data, technical documentation, and more. | Unknown |
Highmark Inc (US) | A data breach occurred after an employee’s email account was compromised in a phishing attack between December 13th and December 15th, 2022. The attacker gained access to consumers’ names, Social Security numbers, financial account information, insurance information, and protected health information. | ~300,000 |
Garrison Women’s Health (US) | The healthcare entity suffered a data breach after one of its IT vendors, Global Network Systems, experienced unauthorised third-party access on or around December 12th, 2022. Potentially compromised data includes appointment records and personal health information. | 4,158 |
Penang Government (Malaysia) | A hacker posted data on BreachForums allegedly stolen from the government’s official website. The data consists of over 600,000 rows and reportedly includes usernames, passwords, full names, email addresses, and security-related keys. State executive councillor Zairil Khir Johari stated that the leaked data is from an outdated database. | Unknown |
CentraState Medical Center (US) | Sensitive patient information was stolen during a ransomware attack against the healthcare provider in December 2022. This includes names, addresses, dates of birth, Social Security numbers, health insurance information, medical records, and patient account numbers. | Unknown |
PokerBaazi (India) | A misconfigured server exposed over 6GB of data for over two months. Exposed data reportedly includes names, email addresses, location, OAuth tokens, and internal logs. | Unknown |
Regal Medical Group (US) | The healthcare entity suffered a ransomware attack which affected several affiliated medical groups, including Lakeside Medical Organization, Affiliated Doctors of Orange County, and Greater Covina Medical Group. Potentially compromised data includes names, phone numbers, Social Security numbers, addresses, dates of birth, diagnosis and treatment information, and more. | 3,300,000 |
Edmonds School District (US) | The school district suffered a data breach after an unauthorised actor managed to access information between January 16th and January 31st, 2023. Potentially compromised information includes names, Social Security numbers, driver’s license numbers, dates of birth, student identification numbers, financial and medical information, and student records. | Unknown |
Munster Technological University (Ireland) | ALPHV added the university to its leak site and subsequently leaked over 6GB of allegedly stolen data. This reportedly includes staff medical diagnoses and student bank account information. | Unknown |
Bridgewater-Raritan Regional School District (US) | A data breach between December 10th and December 12th, 2022, exposed the names and Social Security numbers of district employees and others in the district’s insurance plan. | Unknown |
The Center for Autism and Related Disorders (US) | On January 24th, 2023, a third-party vendor made an error that resulted in certain caregivers receiving invoices for services for an unrelated patient. Exposed information includes names, CARD internal reference numbers, and payment history. | Unknown |
Pepsi Bottling Ventures (US) | On December 23rd, 2022, the company experienced a network intrusion that resulted in the installation of information-stealing malware. Compromised data includes full names, home addresses, financial account information, driver’s license numbers, Social Security numbers, and more. | |
Scandinavian Airlines (Sweden) | | Unknown |
Tonga Communications Corporation | The Medusa ransomware group took responsibility for an attack on the state-owned company which encrypted and locked access to parts of its system. | Unknown |
Multiple | The LockBit ransomware group added three new victims to its dark web leak site, including Argentinian oil and gas company Grupo Albanesi, Indian chemical manufacturer SRF, and American convenience store chain CEFCO. | Unknown |
CSE (Brazil) | The company, a subsidiary of Aker Solutions, was affected by a cyberattack in which the hackers claim to have accessed IT systems, encrypted certain files, and locked access to data. | Unknown |
Multiple (US) | Arizona Priority Care and AZPC Clinics suffered a cyberattack on December 2nd, 2022, in which malware was used to exfiltrate data regarding its family of companies. Potentially compromised data includes names, dates of birth, addresses, treatment dates and information, services authorisation numbers, and health plan numbers. | 10,978 |
Brooks Rehabilitation (US) | Tracking technology vendors were able to acquire individually identifiable health information when a user provided information via a Brooks website. Potentially compromised data includes names, phone numbers, email addresses, IP addresses, and more. | ~1,554 |
Minuteman Senior Services (US) | An unknown individual accessed an employee email account between November 21st and November 30th, 2022. Potentially compromised data includes names, addresses, dates of birth, health insurance information, and more. | Unknown |
Xavier University of Louisiana (US) | The university suffered a data breach following a ransomware attack that occurred in November 2022. The attacker gained access to confidential information including full names and Social Security numbers. | 44,312 |
Multiple (China) | A search bot promoted on Telegram allegedly had a 435GB database containing 4.5 billion pieces of personal information related to e-commerce and express delivery platforms. It remains unclear what caused the leak, or exactly which couriers the data relates to. | Unknown |
Government of Malaysia | A former transport minister stated that the data of 33 million citizens, including 16 million driver’s license holders, is at risk due to poor security features in the newly launched MyJPJ app. | Unknown |
California Northstate University (US) | The university was added to the AvosLocker ransomware leak site along with several files as proof, including the W-2 forms of all 393 of the college’s employees. The attackers also claimed to have stolen all student admissions data, including names, Social Security numbers, dates of birth, addresses, emails, and more. | Unknown |
Dorben Group (US) | On February 7th, 2023, customer details were leaked on a hacker forum. The leaked database is allegedly from September 2022 and includes customers’ full names, emails, phone numbers, and home addresses. | 790,000 |
Attack Type mentions in Critical Infrastructure

This chart shows the trending attack types related to Critical Infrastructure within a curated list of cyber sources over the past week.
Weekly Industry View
Industry | Information |
---|---|
Critical Infrastructure | A joint advisory issued by the United States and South Korea warns that North Korea is generating an ‘unspecified amount’ of cryptocurrency revenue from attacks on critical infrastructure entities, including healthcare, in both countries. The activity has included publicly available strains of ransomware and the privately developed Maui ransomware and H0lyGh0st ransomware. The ransom payments are used to directly support North Korean national-level priorities and objectives, including offensive cyber operations against the US and South Korean governments. |
Government | Microsoft identified an activity cluster targeting diplomatic entities in South America, attributed to a China-based cyber espionage actor dubbed DEV-0147. The activity is an expansion of the group’s data exfiltration operations, which traditionally targeted government agencies and think tanks in Europe and Asia. DEV-0147 uses established hacking tools to infiltrate targets and establish persistence, including ShadowPad and QuasarLoader. Post-exploitation activity includes the abuse of on-premises identity infrastructure and the use of Cobalt Strike. Initial access is likely gained through phishing and the targeting of unpatched applications. |
Healthcare | The Clop ransomware group claims to have stolen data from over 130 organisations, including United States healthcare providers, by exploiting the recently fixed zero-day vulnerability in GoAnywhere MFT, tracked as CVE-2023-0669. The group claimed it only stole documents from the compromised servers, despite being able to move laterally in the victims’ networks and deploy ransomware. Currently identified victims include one of the largest US hospital chains, Community Health Systems in Tennessee. |
Cryptocurrency | Cisco Talos researchers observed an unidentified actor deploying MortalKombat ransomware and a Golang variant of the Laplas Clipper to steal cryptocurrency or demand ransom payments from individuals, small businesses, and large organisations. MortalKombat ransomware was first observed in January 2023 and uses qTOX to communicate with victims. It is assessed with high confidence to belong to the Xorist family, based on code similarities, class names, and certain strings. The authors of Laplas Clipper are actively producing new variants, including a C++ variant available as an executable and a DLL. |
Technology | SentinelOne researchers discovered a malvertising campaign leveraging Google Ads to target Amazon Web Services (AWS) logins. The malicious ads relating to AWS lead to a hop domain, which is an attacker-controlled blogger website. This first hop then redirects to the actual credential phishing page hosted on a second domain. Once the victims enter their credentials, a final redirect leads to the legitimate AWS login page. The blogspot and phishing websites used in the campaign make repeated use of source code copied from unrelated, legitimate websites. The phishing domain was protected by Cloudflare, which has since shut down the account for service abuse. |
News and information concerning each mentioned industry over the last week.