16 March 2023
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.
Trending Vulnerable Products
Open Source
Name |
---|
Microsoft Outlook |
Windows Defender SmartScreen |
Adobe ColdFusion |
Akuvox E11 |
Dell PowerEdge |
Deep & Dark Web
Name |
---|
Magento |
Google Chrome Browser |
Microsoft Windows 11 |
Microsoft Visual Studio |
Microsoft Outlook |
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
Company | Information | Affected |
---|---|---|
Cerebral Inc (US) | Customer information was breached through the use of tracking technologies on the company’s mobile applications and websites. Potentially compromised information includes names, phone numbers, email addresses, dates of birth, IP addresses, clinical information, and more. | 3,179,835 |
AT&T (US) | An unnamed marketing vendor suffered a cyberattack that exposed data associated with wireless telecom accounts. The impacted data is said to include information used to determine eligibility, and is deemed to be ‘years old.’ No sensitive personal data or financial information was accessed. | ~9,000,000 |
Audio-Technica (Japan) | LockBit ransomware added the equipment manufacturer to its leak site, giving a deadline of March 26th, 2023 for payment. | Unknown |
Grupo Hospitalar Vida (Brazil) | LockBit ransomware added the company to its leak site, giving them a 16-day deadline to pay the ransom. | Unknown |
ZOLL Medical (US) | An attack led to the compromise of patient data on or about February 2nd, 2023. Potentially compromised data includes names, addresses, dates of birth, and Social Security numbers. | 1,004,443 |
Florida Medical Clinic (US) | A ransomware incident on or around January 9th, 2023, led to the compromise of 94,132 files containing personal information, 95% of which included only individuals’ names. The remaining files contained medical information, phone numbers, email addresses, dates of birth, and addresses, with 115 Social Security numbers also compromised. | Unknown |
The Bone & Joint Clinic (US) | The company experienced a ‘network disruption’ on January 16th, 2023. Potentially compromised data includes names, dates of birth, Social Security numbers, home addresses, phone numbers, and medical information. | Unknown |
California Secretary of State (US) | Personal information relating to the state’s forced sterilisation program conducted between 1908 and 1979 was inadvertently shared to a single researcher in December 2022. Compromised information includes names, dates of birth, familial history and familial medical history, and medical information. | Unknown |
Codman Square Health Center (US) | A ransomware attack allowed an unauthorised party to access and exfiltrate files from the company’s network in November 2022. Potentially compromised data includes names, addresses, and protected health information. | Unknown |
FONASA National Health Fund (Chile) | BlackCat ransomware claimed responsibility for a recent attack, providing screenshots as proof. Potentially compromised data includes healthcare beneficiary names and addresses, and employee names, IDs and signatures. | Unknown |
Autoridad para la Reconstrucción con Cambios (Peru) | A new threat actor named Dark Power added the reconstruction agency to its leak site on or about March 9th, 2023, inviting users to contact them to download the files via Tox. | Unknown |
Ministry of Public Health (Ecuador) | Threat actor KelvinSecurity posted a database called ‘COVID-19’ on a popular forum on March 5th, 2023. Potentially compromised data includes names, sex, dates of birth, phone numbers, ethnicity, nationality, vaccination details, and more. The ministry has denied any breach. | Unknown |
Hawaii Department of Health (US) | Attackers used the account of a former external medical certifier, which had not been deactivated, to access records belonging to individuals deceased between 1998 and 2023. The data included their name, Social Security number, address, sex, date of birth, date of death, place of death, and cause of death. | 3,400 |
BMW Italy | An unprotected environment on the company’s website potentially exposed business and client data. Customer data collected by BMW Italy includes full names, addresses, phone numbers, email addresses, vehicle details, and more. The data has since been secured. | Unknown |
Institute of Space Technology (Pakistan) | The university was added to the blog of Medusa ransomware, with the group demanding a ransom of up to $500,000. The group posted samples as proof, including passports, payslips, analysis details, and other sensitive information. | Unknown |
University of North Carolina at Chapel Hill (US) | Employees’ personal data was exposed after the university mistakenly sent out Internal Revenue Service Form 1099s to the wrong people. Compromised data includes names, addresses, Social Security numbers, and tax identification numbers. | 1,025 |
PeopleGrove (US) | An exposed server hosting an internal database could be accessed without a password. The database contained gigabytes of unencrypted personal information, including email addresses, phone numbers, addresses, resumes, and more. | Unknown |
Wilkes-Barre Career and Technical Center (US) | A suspected ransomware attack on March 8th, 2023, targeted a server which reportedly contains payroll data for the school and some of the school’s member school districts. | Unknown |
Cosentino Group (US) | A website misconfiguration allowed threat actors to access customer information via a direct object reference vulnerability. Potentially compromised data includes home addresses alongside full names, emails, and phone numbers. The site has since been secured. | Unknown |
Berkeley County Schools (US) | Vice Society ransomware added the school district to its data leak site, dumping data they claim to have stolen during a February 2023 attack. An analysis of the leaked data revealed that it contained more than the district previously disclosed, including personal and sensitive student information dating back numerous years. | Unknown |
Housing Authority of the City of Los Angeles (US) | A ‘complex’ cyberattack, previously claimed by LockBit ransomware, led to the encryption of files. Potentially compromised information includes names, Social Security numbers, dates of birth, passport and driver’s licence numbers, credit or debit card numbers, and more. | Unknown |
Ring (US) | ALPHV ransomware added the Amazon-owned company to their leak site, threatening to leak allegedly stolen data. Ring has denied having suffered an attack, adding that it is investigating a ransomware attack at a third-party vendor. | Unknown |
Gamaleya Research Institute (Russia) | Hacker group KelvinSecurity claims to have accessed confidential information related to the development of the Sputnik COVID-19 vaccine, posting over 300 documents on a hacker forum. The documents appear to contain information about the deaths of participants in the vaccine’s clinical trials. | Unknown |
Bishop Luffa School (UK) | Medusa ransomware uploaded sample data they claim to have stolen from the British secondary school, including full names of students and personal data of staff. The ransomware group has demanded a $100,000 ransom. | Unknown |
Deutsche Bank (Germany) | BreachForums user ‘Alliswell’ claimed to possess 60GB of data which was allegedly stolen from the bank by the LockBit ransomware gang. The data is said to include that of employees, as well as details of Citibank accounts and two accounts from high-ranking HSBC executives. | Unknown |
Multiple (Vietnam) | Threat actor Kernelware posted data allegedly stolen from PetroVietnam, Long Son Petrochemicals, and POSCO Engineering & Construction on BreachForums. Data contained in the leak allegedly includes employee information. | Unknown |
Marshall Amplification (UK) | BlackBasta ransomware operators added the music equipment maker to its leak site. It remains unclear what, if any, data may have been compromised. | Unknown |
Arizona Department of Economic Security Division of Developmental Disabilities (US) | A former employee was found to be in possession of records of certain members, including names, addresses, phone numbers and Health Care Cost Containment System ID numbers. | 850 |
Rubrik (US) | Attackers gained access to non-production IT environments via CVE-2023-0669 in Fortra’s GoAnywhere MFT. Compromised data relates to internal sales information. The company was also listed on the Clop ransomware leak site, with samples of stolen data leaked as proof. | Unknown |
Keuda Group (Finland) | A LockBit ransomware attack infected 60% of Keuda’s workstations and servers. The infected machines also held personal information, such as Social Security numbers of students and staff. It is unclear whether any data has been leaked. | Unknown |
IPH Ltd (Australia) | Unauthorised access was detected in a document management system. This included some client documents and correspondence at the company’s head office and two member firms, Spruson & Ferguson (Australia) and Griffith Hack. | Unknown |
Independent Living Systems (US) | Between June and July 2022, a threat actor gained unauthorised access to certain systems, acquiring some information. Potentially compromised data includes names, Social Security numbers, taxpayer identification numbers, medical information, and health insurance information. | 4,226,508 |
Latitude Financial (Australia) | An attacker reportedly gained access following a cyberattack against a vendor using stolen login credentials. The attackers were able to access personal customer information held by two other service providers, including copies of drivers’ licences. | Unknown |
US Marshals Service | A threat actor is selling 350GB of allegedly stolen data on a Russian-speaking forum. This supposedly includes copies of passports and identification documents, details on surveillance of citizens, information on convicts, gang leaders and cartels, and details of individuals in witness protection. The service previously confirmed that the attackers had gained access to employees’ personal information. | Unknown |
NorthStar Emergency Medical Services (US) | An unauthorised actor gained access to the healthcare provider’s network on or around September 16th, 2022. Potentially compromised data includes names, Social Security numbers, dates of birth, patient ID numbers, Medicaid or Medicare numbers, and more. | 82,450 |
Essendant (US) | LockBit ransomware claimed they were responsible for a recent attack. The company experienced a network outage on March 6th, 2023, which led to widespread disruption. LockBit gave a deadline of March 18th, 2023, for payment. | Unknown |
Beaver Medical Group (US) | On January 24th, 2023, the company discovered that an unauthorised actor had gained access to an employee’s workstation following a successful phishing attack. Health plan information stored in the employee’s account included names, member ID numbers, health plan names, and premium payment amounts. | Unknown |
AllCare Plus Pharmacy (US) | A phishing incident on April 14th, 2022, resulted in the compromise of some employee email accounts. The attackers accessed certain accounts containing patient information, such as names, addresses, dates of birth, Social Security numbers, financial information, and more. | 5,971 |
Malware mentions in Banking & Finance

This chart shows the trending malware related to Banking & Finance within a curated list of cyber sources over the past week.
Weekly Industry View
Industry | Information |
---|---|
Banking & Finance |
ThreatFabric researchers discovered a new variant of the Xenomorph Android banking trojan, named Xenomorph.C, developed by the Hadoken Security Group. This version adds capabilities that automate the entire fraud chain, adds cookie-stealing functionality, and updates the target list to over 400 financial institutions and multiple cryptocurrency wallets. The malware is advertised on a dedicated website, which may indicate it is becoming a malware-as-a-service offering. |
Government |
Cisco Talos researchers analysed several espionage and data theft campaigns, ongoing since at least June 2022, which they attribute to a new threat actor called YoroTrooper. YoroTrooper targets the government and energy sectors in Commonwealth of Independent States (CIS) countries, and two international organisations were also identified as victims. The group uses phishing emails as the initial infection vector, delivering malware via LNK files hidden in attached archives. The payloads include Python-based information stealers, both custom-built and open source (including Stink stealer), wrapped into executables with the Nuitka framework and PyInstaller. Remote access is achieved with commodity malware such as AveMaria, LodaRAT, and Meterpreter. |
Cryptocurrency |
The Federal Bureau of Investigation is warning of a spike in cryptocurrency investment schemes. The criminals behind the schemes, typically based overseas, defrauded victims of over $2 billion in 2022. The schemes leverage social engineering and usually begin with a romance or confidence scam that evolves into investment fraud. The threat actors use fictitious identities and target individuals via dating apps, social media, professional networking sites, and encrypted messaging apps. Once trust is established with the victims, the attackers ultimately convince them to use fraudulent websites or apps. |
Healthcare |
The US Health Sector Cybersecurity Coordination Center issued a security advisory warning of data exfiltration in cyberattacks against the healthcare industry. Breach notifications detail that 28.5 million records were exposed in the second half of 2022, with more than 44 million patient records exposed through the whole year. In 2022, at least 24 healthcare ransomware attacks occurred, impacting operators of 289 US hospitals, with sensitive data exfiltrated in 70% of those attacks. Federal records further show that healthcare breaches have exposed 385 million patient records from 2010 to 2022, with hacking incidents against healthcare firms skyrocketing over the past five years. |
Technology |
Mandiant researchers observed an ongoing campaign by North Korean threat actor UNC2970 targeting Western media and technology companies, in particular security researchers, since at least June 2022. The group uses spear phishing, contacting its victims by posing as recruiters on LinkedIn and moving the conversation to WhatsApp once the target engages. The campaign involves a large toolset, which includes a trojanised version of TightVNC, dubbed LIDSHIFT, used to reflectively inject the LIDSHOT DLL downloader. The group also makes use of new custom tools, including the TOUCHSHIFT dropper, used to deploy a keylogger and backdoors such as TOUCHKEY, HOOKSHOT, TOUCHMOVE, and SIDESHOW. Bring Your Own Vulnerable Driver (BYOVD) techniques are used to further enable operations, including the in-memory dropper LIGHTSHIFT, which delivers LIGHTSHOW to perform arbitrary read and write operations on kernel memory. |
News and information concerning each mentioned industry over the last week.