
Weekly Cyber Digest
17 November 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name | Heat 7
Liferay Portal
Cisco FirePOWER Management Center
Concrete5
Liferay DXP
Intel NUC

Deep & Dark Web
Name | Heat 7
Apache Log4J
Windows Server 2003
Google Pixel
AMD Ryzen
Microsoft Exchange Server Enterprise

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company (country) | Information | Affected
TransUnion LLC (US) | The consumer credit reporting company suffered a data breach. Compromised information includes names, Social Security numbers, financial account numbers, and driver's license numbers. | Unknown
Silverstone Circuit (UK) | The Royal ransomware gang claimed responsibility for a ransomware attack against the motor racing circuit that occurred on November 8th, 2022. | Unknown
Commack School District (US) | On November 8th, 2022, a ransomware attack against the school district caused a network outage that shut down the district's main phone lines. | Unknown
PGT Innovations Inc (US) | On November 5th, 2022, a ransomware infection impacted portions of the company's network and disrupted daily business operations. | Unknown
Deutsche Bank (Germany) | Threat actor '0x_dump' claims to have hacked the bank and is offering access to its network on Telegram. 0x_dump claims to have compromised around 21,000 machines in the bank's network and to have access to the chat services used for internal communications, as well as to file servers allegedly containing over 16TB of internal data. None of these claims has been confirmed by the bank. | Unknown
Sobeys (Canada) | The company's parent, Empire Company Limited, was impacted by an IT systems issue. Local media reported that multiple provincial privacy watchdogs have since received confidentiality incident notifications from Sobeys, which could indicate that personal information was accessed in a breach. BleepingComputer reported that the attackers may have deployed Black Basta ransomware against the company. | Unknown
Conforama (France) | The retailer was listed on the BlackCat ransomware data leak site, with the attackers claiming to have stolen over 1TB of data. The data allegedly contains financial documents and reports, customer credit card data, marketing, analytical, strategic and logistics documents, personal client information, and more. | Unknown
Thales (France) | The company confirmed that the LockBit ransomware group released stolen data on its leak site on November 10th, 2022. | Unknown
Dallas Central Appraisal District (US) | The district's systems, including its computer system, servers, email, and website, went down after it was hit by a ransomware attack. The district first became aware of the attack on November 8th, 2022. | Unknown
eKRÉTA (Hungary) | Hacker group Sawarim reportedly breached the company. Whilst Sawarim stated they do not plan to release any personal details of students, they have already begun to leak source code, internal chats, and email messages, including correspondence with state officials. | Unknown
Whoosh (Russia) | Hackers began selling a database containing customer details on a hacking forum on November 11th, 2022. The database includes first names, email addresses, and phone numbers. It also allegedly contains partial payment card details for a subset of users, as well as promotion codes. The company disclosed that a leak occurred, but stated that it did not affect sensitive user data. | 7,200,000
OakBend Medical Center (US) | Hackers downloaded data from the medical records of individuals in a recent ransomware attack. OakBend does not believe the attackers were able to remove complete medical records, but states that they did obtain personal and medical information. In some cases, this includes Social Security numbers and dates of birth. | 500,000
Salud Family Health (US) | Lorenz ransomware actors claim to have stolen two databases and other files belonging to the company. Lorenz claims to be in possession of around 400,000 Social Security numbers. | Unknown
Multiple nuclear power organisations (Russia, Taiwan, Brazil, Indonesia, Iran, Thailand, India, and South Africa) | The organisations suffered data breaches throughout 2022, with the allegedly stolen data subsequently listed on various cybercrime forums. The alleged stolen data varies by entity, but includes source code, internal documents, client data, financial documents, operational and strategic plans, and more. | Unknown
Legal Aid ACT (Australia) | The organisation was targeted in a ransomware attack on November 3rd, 2022, in which private and confidential information on clients was stolen. The organisation stated it will not pay the demanded ransom. | Unknown
Suffolk Police (UK) | The force accidentally published data of victims of sexual assault on its website. The exposed information is thought to have included names, addresses, dates of birth, and details of the alleged offence. | Unknown
NewYork-Presbyterian Hospital (US) | An unauthorised third party gained access to the laptops of several of the hospital's workforce members and copied and removed files from some of the devices. One of the compromised laptops contained protected health information of certain patients, including names, addresses, insurance authorisations, medical record numbers, and exam results. | ~12,000
Lake Charles Memorial Health System (US) | Hive ransomware added the health system to its leak site on November 15th, 2022, and began leaking data the following day. Hive claims to have exfiltrated 270GB of files, including patient and employee data. | Unknown
Jackson County Intermediate School District (US) | Schools in Jackson County and Hillsdale County in Michigan were forced to close following a ransomware attack against the district over the weekend of November 2nd, 2022. The district has continued to experience system outages affecting critical operating systems. | Unknown

Malware mentions in Retail & Hospitality

This chart shows the trending malware related to Retail & Hospitality within a curated list of cyber sources over the past week.

Weekly Industry View

Industry | Information
Banking & Finance
Hold Security researchers identified a financial cybercrime group, dubbed Disneyland Team, that uses punycode (internationalised domain names containing look-alike non-Latin characters) and common misspellings to create phishing domains spoofing popular banks. Disneyland Team uses the phishing domains in conjunction with the Gozi 2.0 banking malware to harvest credentials and ultimately steal money from victims. Banks and financial services impersonated by the threat actors include US Bank, Ameriprise, and Emirates NBD Bank.
Government
Symantec observed the state-sponsored actor Billbug compromising a digital certificate authority in an Asian country during a campaign in which multiple government agencies were also targeted. Whilst data exfiltration was not observed in this activity, Billbug is regarded as an espionage actor. The campaign has been ongoing since at least March 2022. To gain initial access to networks, Billbug likely exploits public-facing applications. The group uses custom malware, including the Hannotog and Sagerunex backdoors, as well as multiple dual-use and living-off-the-land tools.
Retail & Hospitality
Sansec researchers observed an increase in the number of TrojanOrders attacks against Magento and Adobe Commerce websites. TrojanOrders attacks exploit a critical mail template vulnerability in Magento 2, tracked as CVE-2022-24086, which ultimately allows the attacker to take over the website. Once they have access, the attackers install a remote access trojan, often hidden inside a legitimate Magento component. As of November 2022, seven different Magecart groups are actively conducting these attacks on Magento 2 websites. Driving factors behind the increase are the availability of several low-cost exploit kits and the upcoming Black Friday and Christmas season. In addition, at least a third of all Magento and Adobe Commerce stores are estimated to remain unpatched.
Technology
In early November 2022, multiple malicious PyPI packages were observed. Checkmarx tracks this activity as WASP, noting a continuous release of further malicious packages. The attacker uses polymorphic malware, code that persists across reboots, steganography to hide code inside packages, and attempts to establish a fake GitHub reputation. The WASP Stealer malware steals victims' Discord accounts, passwords, cryptocurrency wallets, credit cards, and more.
Cryptocurrency
Netskope researchers discovered an ongoing phishing campaign targeting at least 21 cryptocurrency wallets via one dedicated phishing page. The page was created and hosted with the free cloud service Netlify. The phishing page falsely advertises a service to revoke stolen Ethereum Request for Comments (ERC) assets. Users are asked to choose from a list of different cryptocurrency wallets and are prompted to provide their private key, security recovery phrase, and a keystore file in JSON format, any of which can be used to access a cryptocurrency wallet.

News and information concerning each mentioned industry over the last week.
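The Banking & Finance item above describes phishing domains built from punycode look-alikes and common misspellings of bank names. The following is an added example, written for this digest and not taken from Hold Security's research or from any of the named banks, of how a defender can triage candidate domains for both tricks: it decodes punycode labels back to Unicode, flags labels that mix scripts, folds a small set of confusable Cyrillic and Greek letters onto their Latin look-alikes, and measures edit distance to a protected brand list. The brand labels, the confusables map, and the test domains are constructed assumptions; Unicode's confusables.txt and a real brand inventory would replace them in practice.

```python
import unicodedata

# Constructed brand labels to protect (assumption: a defender maintains their own list).
PROTECTED_BRANDS = ("usbank", "ameriprise", "emiratesnbd")

# Constructed, deliberately small map of visually confusable non-Latin letters to the
# Latin letters they imitate. Unicode's confusables.txt is the authoritative source.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o",
}


def registrable_label(domain):
    """Second-level label of a dotted hostname (naive: ignores multi-part TLDs like co.uk)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def to_unicode(label):
    """Decode an ACE ("xn--") label to Unicode; leave plain or malformed labels untouched."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def to_punycode(label):
    """Encode a Unicode label as it would appear on the wire (Python's codec is IDNA 2003)."""
    return label.encode("idna").decode("ascii")


def scripts_of(label):
    """Set of scripts used by the letters in the label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Fold confusable characters onto their Latin look-alikes after NFKC normalisation."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def levenshtein(a, b):
    """Edit distance; catches misspellings such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain):
    """Classify a domain as legitimate, homograph, typosquat or unrelated to the brand list."""
    label = to_unicode(registrable_label(domain))
    skel = skeleton(label)
    result = {
        "domain": domain,
        "label": label,
        "punycode": to_punycode(label),
        "mixed_script": len(scripts_of(label)) > 1,
        "brand": None,
        "distance": None,
        "verdict": "unrelated",
    }
    for brand in PROTECTED_BRANDS:
        d = levenshtein(skel, brand)
        if result["distance"] is None or d < result["distance"]:
            result["brand"], result["distance"] = brand, d
    if result["distance"] == 0 and label == result["brand"]:
        result["verdict"] = "legitimate"
    elif result["distance"] == 0:
        result["verdict"] = "homograph"       # looks identical, spelled with foreign letters
    elif result["distance"] <= 2:
        result["verdict"] = "typosquat"       # one or two edits from the brand
    return result


if __name__ == "__main__":
    # Constructed sample inputs: a genuine domain, a Cyrillic-a homograph, a misspelling.
    for d in ("www.usbank.com", "usb\u0430nk.com", "ameriprize.com", "google.com"):
        r = assess(d)
        print(f"{d:20} -> {r['verdict']:10} wire={r['punycode']} mixed_script={r['mixed_script']}")
```

Feed it the registrable domain of every URL seen in mail gateways or proxy logs; anything that returns homograph or typosquat against your own brand list, or that is flagged mixed_script on its own, is worth a block or an analyst look. The distance threshold of 2 is a tuning choice and will produce some noise on short brand names.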
