
Weekly Cyber Digest

20 October 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (columns: Name, Heat 7; heat values not preserved in this copy)
Oracle MySQL
Apache Commons
Adobe ColdFusion
F5 BIG-IP
Oracle Linux

Deep & Dark Web (columns: Name, Heat 7; heat values not preserved in this copy)
Fortinet FortiOS
Shodan
Fortinet FortiProxy
Adobe Acrobat
Fortinet FortiSwitchManager

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company (Country) | Information | Number affected
Consorci Sanitari Integral (Spain) The RansomExx threat group leaked 52GB of data they claim to have stolen during a ransomware attack on October 7th, 2022. This reportedly includes medical test results and identity cards. Unknown
Snap (US) Employee data was exposed due to a breach at its third-party document analysis firm, Elevate, in March 2022. Affected data may include names, addresses, employment history, and compensation information. Unknown
Church of Jesus Christ of Latter-day Saints (US) The church detected unauthorised activity on certain computer systems in March 2022. The incident impacted the personal data of some Church members, employees, contractors, and affiliates. Potentially compromised data includes names, gender, email addresses, dates of birth, mail addresses, phone numbers, and more. Unknown
Advanced (UK) The service provider for the NHS confirmed that attackers stole data from its systems during a ransomware attack in August 2022. The company has not disclosed whether any patient data was impacted. Unknown
University of Otago (New Zealand) A security flaw enabled anyone with a university email to access a database containing sensitive staff and student data. This includes home addresses, passport information and visa details, staff user IDs, bank statements, and more. Unknown
MyDeal (Australia) On October 14th, 2022, the Woolworths subsidiary discovered that its customer relationship management system was accessed by a compromised user credential. The data breach exposed names, email addresses, phone numbers, delivery addresses, and dates of birth. 2,200,000
Municipality of Belen (Costa Rica) On October 11th, 2022, the municipality learned it was the target of a possible cyberattack. Karakurt threat actors claimed responsibility for the attack, allegedly stealing 373GB of corporate data, including PDF and Excel documents, real estate images, invoices, and more. Unknown
Emtelco (Colombia) On October 8th, 2022, threat actor Qilin added the firm to their leak site, claiming to have acquired hundreds of gigabytes of data in August 2022. A small proof pack contains very little personal information, however there are clear indications that Emtelco files are involved. Unknown
Lojas Torra (Brazil) On October 8th, 2022, threat actor Qilin added the retailer firm to their leak site, claiming to have stolen the data of customers and employees on September 7th, 2022. Unknown
New Mexico Regulation and Licensing Department (US) The department experienced unauthorised access, which has since been isolated and mitigated. The RLD is notifying individuals and organisations whose records may have been accessed. Unknown
Nationwide Retirement Solutions (US) In September 2022, the company disclosed that an anonymous individual claimed to have obtained certain personal information about its customers. This includes surnames, Social Security numbers, dates of birth, email addresses and incomplete phone numbers of retirement-plan participants. 1,687
Hamilton, Ontario (Canada) The city inadvertently breached the privacy of individuals by leaving personal email addresses visible in a mass update to Hamilton residents registered to vote by mail in the upcoming election. 450
Oomiya (Japan) LockBit 3.0 operators claim to have stolen data from the tech firm, threatening to leak it by October 20th, 2022, if ransom demands are not met. The attackers have yet to publish samples of allegedly stolen data. Unknown
Heilbronn Stimme (Germany) The newspaper’s printing systems were crippled following a ransomware attack on October 14th, 2022. The attack was reportedly conducted by a well-known cybercriminal group that encrypted data and left ransom notes behind. The incident impacted the entire Stimme Mediengruppe, including its Pressedruck, Echo, and RegioMail companies. Unknown
Keystone Health (US) An unauthorised party accessed files containing patient information within their systems between July 28th and August 19th, 2022. Information in some of those files includes names, Social Security numbers, and clinical information. 235,237
Multiple Health Systems (US) Six health systems reported data breaches affecting patient and employee data following a June 2022 ransomware attack against third-party vendor Kaye-Smith. The breached information includes names, addresses, medical record numbers, dates of service, payment instalment plans, and employee Social Security numbers. Affected systems include UW Medicine, Geisinger, Seattle Children’s, St Luke’s Health System, and MultiCare Health System. Unknown
Kingfisher Insurance (UK) The LockBit ransomware gang recently added the insurer to its leak site, along with one of the company’s vehicle insurance brands, First Insurance. The group claims to have stolen 1.4TB of data, including the personal data of employees and customers. Unknown
Vinomofo (Australia) An unauthorised third party accessed its database on a testing platform. Potentially compromised information on customers and members includes names, gender, dates of birth, addresses, email addresses, and phone numbers. Unknown
Aarti Drugs (India) BianLian ransomware added the company to its leak site on September 9th, 2022, advertising around 6GB of allegedly stolen data for sale. This includes business and administration data like loan documents, tax filings, employee data, insurance details, and more. Unknown
Verizon (US) A third party accessed the last four digits of some customers’ credit cards used to make automatic payments on their accounts between October 6th and October 10th, 2022. Using this information, the actor was able to gain access to accounts and the personal information within them. The attacker did not access full credit card numbers, banking information, financial information, passwords, Social Security numbers, tax IDs, or other personal details. Unknown
Mitsubishi UFJ Morgan Stanley Securities (Japan) On October 19th, 2022, the Japan Securities Dealers Association (JSDA) disclosed that client data was leaked from the brokerage. Mitsubishi reportedly shared 499 cases of confidential information from clients to some of its corporate bond issuers. 401
Agency for the Safety of Air Navigation in Africa and Madagascar (Senegal) In September 2022, the agency suffered a ransomware attack. The LockBit gang reportedly demanded a $25,000 ransom from the agency. Unknown
Whitworth University (US) The university suffered a data breach following a LockBit ransomware attack on July 29th, 2022. The attackers may have accessed names, student identification numbers, state identification numbers, passport numbers, Social Security numbers, and health insurance information. 5,182
Parler (US) On October 17th, 2022, the social networking service sent an email to all users that had some of their verified users’ names and email addresses visible. Amongst these were Ivanka Trump, Republican Congresswoman Elise Stefanik, right-wing social media influencer Andy Ngo, and Candace Owens. ~200
L’Hôpital Pierre-Rouquès – Les Bluets (France) On October 9th, 2022, the hospital was targeted in a Vice Society ransomware attack that impacted email systems. The group allegedly exfiltrated over 150GB of files from the network. Vice Society claims to have encrypted all files, however the hospital claims that most medical records remain accessible. Unknown
Microsoft (US) A misconfigured Azure server belonging to Microsoft reportedly exposed 2.4TB of data, including files from 2017 to August 2022. The leak included critical data belonging to over 65,000 companies from 111 countries and includes over 335,000 emails. Microsoft has confirmed the leak, with exposed data including names, email addresses, email content, company name, and phone numbers. However, they state that the scope of the breach has been ‘greatly exaggerated’. Unknown
Medibank (Australia) The company confirmed that a recent cyberattack involved ransomware. The attacker stole 200GB of data during the attack, which includes customer medical information. Unknown

Threat Actor mentions in Government

This chart shows the trending threat actors related to Government within a curated list of cyber sources over the past week.

Weekly Industry View

Industry Information
Banking & Finance ThreatFabric researchers discovered a network of phishing websites targeting the banking credentials of Italian online banking users. The network operators use telephone-oriented attack delivery (TOAD) tactics to distribute the Copybara Android banking trojan. The malware abuses accessibility services to perform fraudulent actions within the victim’s banking applications. It can also dynamically build fake input forms and display them to victims.
Cryptocurrency The Japanese National Police Agency warned that the North Korean hacker group Lazarus is conducting cyberattacks against Japanese cryptocurrency asset companies. The attackers are reportedly using phishing emails impersonating company executives, as well as social media to target employees and infect computers with malware. Some targeted companies had their internal systems hacked and cryptocurrency stolen.
Critical Infrastructure Microsoft observed a novel ransomware campaign, dubbed Prestige, targeting transportation and related logistics industries in Ukraine and Poland. The activity shares victimology with recent Russian state-aligned activity, as well as overlaps with previous victims of the FoxBlade malware. Prestige ransomware has yet to be linked to a known threat group and is tracked as DEV-0960. The ransomware leverages the CryptoPP C++ library to AES-encrypt certain files, and creates a custom file extension handler. Any files carrying the custom file extension use Notepad to display a ransom note once opened.
Retail & Hospitality An advanced persistent threat group, dubbed DiceyF, is targeting online casino development and operations environments in Southeast Asia with GamePlayerFramework malware. According to Kaspersky, the group aligns with Earth Berberoka activity and Operation DRBControl, whilst overlaps were also seen with LuckyStar PlugX. This activity is believed to be a subsequent campaign with a newly developed core malware set, possibly used for espionage and IP theft. The campaign distributes GamePlayerFramework via an employee monitoring system and a security package development service, using a potentially stolen digital certificate from a secure message client development studio.
Government In August 2022, Malwarebytes researchers identified a new campaign targeting government entities in Sri Lanka. The campaign uses ISO files as the initial infection vector, and delivers a new backdoor, dubbed DBoxAgent. The backdoor uses Dropbox for C2, and can steal information and download additional malware. This includes SerialVlogger, a third-stage DLL loader called VLOG.IPDB, and KeyPlug malware. The campaign is believed to fall under the Winnti umbrella. The attack time frame coincides with a major geopolitical event involving China and Sri Lanka, and is thought to be the first time the group has targeted Sri Lanka.

News and information concerning each mentioned industry over the last week.