
Weekly Cyber Digest

22 December 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.

Trending Vulnerable Products

Open Source
Name Heat 7
macOS Ventura
Adobe Experience Manager
Gatekeeper (macOS)
macOS Monterey
macOS Big Sur
Deep & Dark Web
Name Heat 7
cPanel
Microsoft Office 2016
Adobe Premiere
Synapse X
Adobe Premiere Pro CC

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company | Information | Affected
Social Blade (US) | The social media analytics platform suffered a data breach after its database was hacked and put up for sale on the Breached hacking forum on December 12th, 2022. Compromised information includes email addresses, password hashes, client IDs, tokens for business API users, authorisation tokens for connected accounts, and more. | Unknown
Healthcare Management Solutions LLC (US) | On October 8th, 2022, the company, a subcontractor for the Centers for Medicare & Medicaid Services (CMS), suffered a ransomware attack on its corporate network. The incident led to a data breach that may involve personally identifiable information and protected health information belonging to Medicare beneficiaries. This includes name, address, date of birth, phone number, Social Security number, Medicare Beneficiary Identifier, banking information, and more. | 254,000
City of Port Phillip (Australia) | The city discovered that 33 new users of the My Port Phillip online customer portal may have been able to view requests other than their own. Names, addresses, phone numbers, and email addresses of other users may have been viewed by one of these 33 individuals. | Unknown
Empresas Públicas de Medellín (Colombia) | The public energy supplier was targeted in a ransomware attack on December 12th, 2022, which caused devices to be encrypted and data to be stolen. The BlackCat ransomware operation took responsibility, claiming to have stolen corporate data during the incident. | Unknown
The Learning Channel (US) | The Karakurt cyber extortion group added the company to its leak site, claiming to be in possession of 931GB of stolen data, including scripts, videos, internal documents, and employee information. The group has threatened to leak the data by December 23rd, 2022, if the company does not pay the ransom. | Unknown
Cornerstone Payment Systems (US) | An open and non-password-protected database belonging to the company contained 9,098,506 records and personally identifiable information. This includes names, payee names, partial credit card numbers, expiration dates, email addresses, security or access tokens, and more. | Unknown
Khadi India | Threat actor LeakBase dumped a stolen database belonging to the e-commerce portal on BreachedForums. Potentially compromised data includes personally identifiable information, payment details, order history, and more. | 13,122
Bangalore Water Supply and Sewerage Board (India) | Threat actor KelvinSecurity reportedly leaked a database belonging to the Indian government agency. The database is said to contain residential information, contact information, payment data, and more. BWSSB spokesperson, Sudhir, asserted that the agency did not experience a data breach, and that they have not received any communication pointing to a ransomware attack. | 202,231
H-Hotels (Germany) | Play ransomware operators claimed responsibility for an attack against the hotel chain on December 11th, 2022. The group claims to have stolen an undisclosed amount of private and personal data, which allegedly includes client documents, passports, IDs, and more. No data samples to support these claims have been released, while H-Hotels denied seeing any evidence of data exfiltration. | Unknown
Little Rock School District (US) | The board of the school district approved a $250,000 settlement with the hacker responsible for a recent ransomware attack. The payment appears to be an attempt to secure the data that was stolen during the incident. | Unknown
Medical Assurance Society (New Zealand) | The insurance company disclosed that a third-party supplier of after-hours call-centre services recently suffered a systems breach in a cyberattack. Chief executive of Medical Assurance Society, Martin Stokes, stated that the third party may hold certain personal data of anyone who has used the service. | Unknown
Archives New Zealand | On September 19th, 2022, Archives New Zealand discovered that Royal Commission records were marked as open access on Collections Search, rather than restricted, and that two individuals accessed files containing sensitive health information. Potentially exposed data includes 8,900 files and three sets of health records from 1952 to 1973 relating to a mental health facility in Canterbury. | Unknown
SevenRooms (US) | The restaurant customer management platform suffered a data breach after a threat actor started selling stolen data on the Breached hacking forum on December 15th, 2022. The hacker claimed to have stolen a 427GB backup database containing thousands of files with customer information. Exposed guest data may include names, email addresses, and phone numbers. | Unknown
Rochester Public Library (US) | A partner of the library, MNLINK, suffered a data breach on December 15th, 2022. The names and email addresses of Rochester Library customers may have been compromised. | 1,709
DraftKings (US) | Customers had their personal data exposed following the credential stuffing attack against the company in November 2022. The attackers obtained the credentials required to log into customer accounts and could also have viewed other customer information. This includes names, addresses, phone numbers, email addresses, the last four digits of payment cards, profile photos, and more. | 67,995
McGraw Hill (US) | Two misconfigured Amazon Web Services S3 buckets belonging to the education publishing company were exposed. Combined, the buckets contained more than 22TB of data and over 117 million files. This includes private digital keys and source code, as well as student names, email addresses, grades, performance reports, and more. | >100,000
Moscow Electronic School (Russia) | During the week of December 12th, 2022, the pro-Ukrainian hacker group NLB Team reportedly leaked the personal data of children and parents who used the online learning platform. This includes names, dates of birth, Social Security numbers, login credentials, email addresses, and more. Whilst the Moscow government denied that the leaked data pertained to real users, multiple users have confirmed that the leaked data was theirs. | >17,000,000
Nio Inc (China) | Hackers breached the electric automaker’s computer systems and accessed data on users and vehicle sales. The attackers demanded $2.25 million in Bitcoin and claimed to possess the company’s internal data. | Unknown
Keppel Telecommunications & Transportation (Singapore) | An unidentified threat actor accessed a server previously owned by the company on which some files were stored. The data breach may have compromised the personal data of former shareholders, former employees, and its affiliates’ employees. | Unknown
Clearview Public Schools (Canada) | Between December 13th and December 15th, 2022, the education system’s third-party recruitment site, Indeed, was hacked. At present, the breach is believed to have affected individuals who applied to Clearview since 2019. Potentially compromised data may include names, contact information, work information, and any other information provided in resumes. | ~800
Mercury IT (New Zealand) | Data stolen during the recent ransomware attack against the IT provider is being listed for sale on the dark web. The advertised data includes information pertaining to some of Mercury IT’s clients, including the Accuro insurance company, flooring business Polyflor, business mentoring programme Business Central, and architecture company Catalyst Group. | Unknown
Events D.C. (US) | BlackCat ransomware operators recently published 85GB of files belonging to the sports and convention authority. Screenshots of the leaked file cache display several folders containing employee and operations information. This includes contracts, bank statements, and tax forms that contain information such as Social Security numbers. | Unknown
Federal Bureau of Investigation (US) | Killnet claims to have infiltrated the FBI’s database, allegedly stealing the personal information of US federal agents. Screenshots posted on Telegram include passwords to online stores, medical ID cards, and Google, Apple, and Instagram accounts. The group also leaked a text file allegedly showing the login credentials of FBI agents. | 10,000
The Guardian (UK) | The newspaper reported a ‘serious IT incident’, which is believed to be a ransomware attack. The incident caused disruptions to its ‘behind the scenes services’. | Unknown
Ecco (Denmark) | A misconfigured server exposed 50 indices to the public, with over 60GB of data left publicly accessible since June 2021. Millions of sensitive documents were exposed, ranging from sales and marketing to logging and system information. | Unknown
Queensland University of Technology (Australia) | The university was targeted in a ransomware attack that caused printers on campus to produce ransom notes in bulk. The notes claim to be from the Royal ransomware operation, and state that the university’s critical data was encrypted and copied. | Unknown
BetMGM (US) | The personal information of customers was obtained by an unauthorised actor in May 2022. Potentially compromised data includes names, contact information, dates of birth, hashed Social Security numbers, account identifiers, and information related to transactions with BetMGM. | Unknown

Malware mentions in Government

This chart shows the trending malware related to Government within a curated list of cyber sources over the past week.

Weekly Industry View

Industry | Information
Banking & Finance
ThreatFabric researchers discovered an ongoing multi-platform malware campaign that targets mobile and desktop users in Brazil. The campaign involves a new and highly flexible Android malware, dubbed BrasDex, that has been active for over a year, generating thousands of infections. BrasDex’s backend further revealed that the Casbaneiro malware was distributed through the same drop point, indicating that both malware families are operated by the same threat actors. Whilst the malware has previously posed as Android settings applications, it has now started posing as an application for Banco Santander Brazil to target banking applications. It features a complex keylogging system designed to abuse Accessibility Services to steal credentials from multiple Brazilian apps, as well as a highly capable Automated Transfer System engine to make fraudulent payments.
Cryptocurrency
The Lazarus Group is distributing a fake app on Telegram channels, named ‘Somora’, that is modelled after the Mycelium Wallet. Somora is laced with trojan-like software and aims to compromise victims’ systems and steal cryptocurrency. The distribution of Somora is believed to be part of the same campaign by Lazarus that recently distributed AppleJeus via BloxHolder, a clone of the HaasOnline cryptocurrency trading platform.
Government
CERT-UA discovered a phishing campaign leveraging a compromised Ukrainian Ministry of Defense email account to target users of the ‘DELTA’ situational awareness program with the FateGrab and StealDeal information-stealing malware. The threat actors use emails or instant messages to send fake warnings that users need to update the ‘DELTA’ certificates to continue using the system securely. FateGrab is an FTP file stealer that targets documents and emails with specific file formats, including PDF, Microsoft Word documents, and RTF files. StealDeal can steal internal browsing data and passwords stored in the web browser.
Technology
Trustwave researchers identified a new phishing campaign that leverages Meta’s Facebook. Dubbed Meta-Phish, the attack could result in the loss of personally identifiable information, login credentials, and Facebook profile links. Phishing emails are used to distribute URLs that point to an actual Facebook post containing content that appears to be legitimate. A link in the post leads to an external phishing URL, which mimics Facebook’s copyright appeal page. Clicking the send button on the page sends any entered information to the threat actors, along with the victim’s client IP address and geolocation information.
Critical Infrastructure
The United States Cybersecurity and Infrastructure Security Agency disclosed that Russian state-sponsored hackers, Fancy Bear, gained access to a US satellite network sometime in 2022. The intrusion involved a satellite communications provider with customers in US critical infrastructure sectors. Fancy Bear appeared to have maintained access to the victim’s network for months. The hackers reportedly exploited a vulnerability from 2018 in an unpatched virtual private network, enabling them to scrape credentials from active sessions.

News and information concerning each mentioned industry over the last week.
