Weekly Cyber Digest

22 September 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Deep & Dark Web

| Name | Heat 7 |
|---|---|
| Paxful | |
| Rust Programming Language Standard Library | |
| Facebook Messenger | |
| Ansible | |
| Linux Kernel | |

Open Source

| Name | Heat 7 |
|---|---|
| Slack | |
| Adobe InDesign | |
| Aruba ClearPass Policy Manager | |
| Adobe Experience Manager | |
| Adobe Bridge | |

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

| Company | Information | Affected |
|---|---|---|
| Bell Technical Solutions (Canada) | Some operational company and employee information was accessed by an unauthorised party. Potentially compromised data includes names, addresses, and phone numbers of residential and small business customers in Ontario and Quebec who booked a technician visit. Hive ransomware added the company to its data leak blog. | Unknown |
| Unknown (Israel) | The Iranian hacker group ‘war_dark’ claimed to have seized a database containing the personal data of Israeli citizens, including data belonging to Prime Minister Yair Lapid and opposition leader Benjamin Netanyahu. The group has also released partial information on 8,300 records. This includes name, identity card, date of birth, and voting rights. | 9,500,000 |
| Customs and Border Protection (US) | Senator Ron Wyden revealed that the law enforcement agency is conducting warrantless searches of the phones and other electronic devices of up to 10,00 citizens each year, and uploading information from those devices to a massive government database. The database retains records for up to 15 years. It includes text messages, call logs, contact lists, photos, and other sensitive records. | Unknown |
| Revolut (UK) | On September 11th, 2022, the company was targeted in a ‘highly targeted’ cyberattack that resulted in unauthorised third-party access to personal customer information. Possibly exposed data includes email addresses, full names, postal addresses, phone numbers, limited payment card data, and account data. | 50,150 |
| Lubbock Heart & Surgical Hospital (US) | An unauthorised party gained access to the hospital’s IT systems on July 11th, 2022, before being terminated on July 12th, 2022. The attacker may have been able to access sensitive patient information, including names, contact information, dates of birth, Social Security numbers, and more. | 23,379 |
| Google and Microsoft (US) | Google Chrome’s enhanced spell check and Microsoft Edge’s MS Editor are exposing users’ sensitive information. Any data entered into form fields, such as usernames, emails, dates of birth, and Social Security numbers, is being sent to third-party servers when either of the browser features is enabled. The features also send users’ passwords if ‘show password’ is clicked. | Unknown |
| Multiple Companies (South America) | On September 19th, 2022, the Guacamaya hacking group released approximately 10GB of emails and other materials from military and police agencies in Chile, Mexico, El Salvador, Colombia, and Peru. | Unknown |
| Kiwi Farms (US) | An unknown hacker attempted to export 120,000 user data files from the forum, which resulted in the site crashing. Kiwi Farms warned users that their passwords should be assumed stolen. Any email and IPs used on their account in the past month may have been leaked. | Unknown |
| American Airlines (US) | An unauthorised actor compromised the email accounts of a limited number of employees through a phishing campaign. Potentially compromised data of customers and employees includes names, dates of birth, mailing addresses, phone numbers, email addresses, driver’s licence numbers, passport numbers, and certain medical information. | Unknown |
| Uber Technologies (US) | Following reports of a recent cyberattack, the company confirmed that an attacker successfully compromised the account of an external contractor. The attacker, believed to be affiliated with the Lapsus$ hacking group, was able to access several internal systems, as well as Uber’s bug bounty dashboard at HackerOne. | Unknown |
| Multiple Companies | Trend Micro researchers discovered that several e-commerce platforms and logistics platforms have been leaking personally identifiable information and purchase information. This is due to insufficient API security and authentication measures. | Unknown |
| Parliament of Bosnia and Herzegovina | Prosecutors in the country are investigating a cyberattack that began on or around September 8th, 2022. The attack caused the parliament’s website to remain offline for nearly two weeks, with users unable to access the server, and email address services also being inactive. Some lawmakers have reportedly been told not to turn on their computers out of fear that ransomware could spread to their device. | Unknown |
| Empress Emergency Medical Services (US) | The company suffered a customer data breach after it was hit by a ransomware attack on July 14th, 2022. The attacker gained access to systems on May 26th, 2022, and exfiltrated a small subset of files on July 13th before initiating encryption. Some of the stolen files contain patient names, dates of service, insurance information, and in some instances, Social Security numbers. | 318,558 |
| Starbucks Singapore | The coffeehouse chain’s Singapore division suffered a data breach after a threat actor offered to sell a database containing sensitive details of customers on a hacking forum on September 10th, 2022. Compromised customer information includes names, gender, dates of birth, mobile numbers, and email addresses. The breach does not impact financial information. | 219,675 |
| ePenyata Gaji (Malaysia) | An unidentified hacker group recently claimed to have breached the salary data system for civil servants and obtained a significant amount of data. This includes over a million rows of identities containing full name, MyKad number, position, department, payslip number, mobile phone number, and email address. The group also claimed it extracted nearly two million pay slips and tax forms. | Unknown |
| Wagner Group (Russia) | The IT Army of Ukraine successfully hacked Wagner Group’s website and obtained the personal data of its members. | Unknown |
| expat[.]ru and forum[.]expat[.]ru (Russia) | Hacktivist groups KiraSec and DarkLulz reportedly gained access to a database containing users’ information, including usernames, passwords, emails, and more. Anonymous has since published all the user data. | 3,600 |
| Suffolk County (US) | The BlackCat ransomware group claimed responsibility for the recent attack against the county and leaked a sample of allegedly stolen data. The group also claimed to have extracted over 4TB of data, including court records, sheriff’s office records, contracts with the State of New York, and other personal data of citizens. | Unknown |
| New York Racing Association (US) | The organisation suffered a data breach after it was hit by a Hive ransomware attack in June 2022. Potentially compromised data of current and former employees includes first and last names, Social Security numbers, driver’s licence numbers, health records, health insurance information, and other personal information. | Unknown |
| ASKfm (Ireland) | Threat actor ‘Data’ claims to be selling a user database allegedly belonging to ASKfm and ask[.]com on the Breached forum. The database supposedly includes 350 million records, about 45 million of which use single sign-on login. The seller also claimed to have 607 repositories, as well as the platform’s Gitlab, Jira, and Confluence databases. | Unknown |
| Tift Regional Medical Center (US) | Hive claims to have breached the medical centre between July 14th and August 8th, 2022. The actors were allegedly able to download around 1TB of data, including patients’ medical records, personal information of employees, private company information, and emails. Potentially compromised employee and patient data includes names, addresses, Social Security numbers, passports, and more. | Unknown |
| Sigmund Software (US) | Hive ransomware claims to have had access to the company’s system for six months, during which it exfiltrated 160GB of data. The firm’s files were encrypted by Spy ransomware before Hive could encrypt them itself. Hive dumped the company’s data on September 20th, 2022. The dump appears to also include files from other VSS Medical Technologies companies, including Medicfusion and New England Medical Billing. | Unknown |
| NYSARC Columbia County Chapter (US) | RedAlert threat actors added the company to their data leak site, claiming to have exfiltrated financial documents, credentials to local and remote devices, and customer and employee data. The customer data allegedly includes Social Security numbers, driver’s licences, and credit card information. | Unknown |
| Multiple Companies (South America) | In the week of September 12th, 2022, LockBit added the Comisión Nacional de Acreditación in Chile, the Colombian manufacturing firm Quintal, and the Venezuelan insurance brokerage firm Makler to their data leak site. They also added the Colombian drilling and maintenance services firm Independence, claiming to have exfiltrated 180GB of data. | Unknown |
| SERV Behavioral Health System (US) | SERV confirmed it suffered a data breach after discovering suspicious activity related to its computer network on May 27th, 2022. Potentially compromised data includes names, Social Security numbers, driver’s licence numbers, medical or health information, and contact information. | 8,110 |
| Instituto Peruano De Desarrollo Y Formación Profesional (Peru) | Data allegedly belonging to the institute was found on a popular hacking forum. The user claims to have 1GB of data in SQL format. The data reportedly includes IDs, usernames, passwords, email and physical addresses, and phone numbers. | 1,100 |
| TAP Air Portugal | The Ragnar Locker ransomware group published 581GB of stolen data on September 19th, 2022. The data relates to customers, as well as corporate documents about employees and partners, and contract details with other carriers. | 1,500,000 |
| Wolfe Eye Clinic (US) | Patient data was among the information accessed, deleted, and possibly stolen during a ransomware attack against Eye Care Leaders in December 2021. Potentially compromised data includes names, contact information, dates of birth, Social Security numbers, diagnostic details, and health insurance information. | 542,776 |
| Singtel Optus (Australia) | The company is investigating possible unauthorised access to current and former customers’ information following a cyberattack. Potentially exposed information includes names, dates of birth, phone numbers, and email addresses. A subset of customers may also have had their addresses and ID document numbers exposed, such as driver’s licence or passport numbers. | Unknown |
| Chandrababu Naidu’s Government (India) | A House Committee determined that a large volume of citizen data from the state’s servers was transmitted to unknown external sources during the Chandrababu Naidu government’s regime. Collected information includes Aadhar card, ration card, voter ID, property tax, bank account details, caste certificate, birth certificate, and more. The Naidu government stated the data was collected to ensure that government schemes would reach the beneficiaries. | Unknown |

Malware mentions in Banking and Finance

This chart shows the trending malware related to Banking and Finance within a curated list of cyber sources over the past week.

Weekly Industry View

| Industry | Information |
|---|---|
| Cryptocurrency | Netskope researchers observed an expansion of an ongoing phishing campaign that abuses Google Sites and Microsoft Azure Web Apps to steal cryptocurrency wallets and accounts. The activity previously targeted Coinbase, MetaMask, Kraken, and Gemini, and has since expanded to target Binance, Crypto[.]com, Gate[.]io, KuCoin, PancakeSwap, and Shakepay. The attackers use SEO techniques to spread phishing pages mimicking the targeted cryptocurrency websites. Advanced techniques, such as using live chats to interact with victims, are used to steal data. |
| Technology | VMware researchers warned of an ongoing ChromeLoader campaign targeting Google Chrome browsers since January 2022. The malware uses ISO image file downloads and relies on user execution to initiate infection. The malware ultimately aims to install a Chrome extension that acts as a browser hijacker to gather personal data and track the user’s browsing activity. A more recent wave of activity used the same delivery mechanism, but relied on a batch script in the mounted drive to install the second stage payload, delivered within the same ISO. Since August 2022, the malware has also been delivered via ZipBombs. |
| Government | Cofense researchers identified a series of improvements and evolutions in ongoing phishing campaigns that spoof several departments of the United States government. The campaigns have been ongoing since at least mid-2019, and target companies in the energy and professional services sectors, including construction companies. The phishing emails spoof the US departments of Commerce, Labor, and Transportation. More recent emails make use of logos, signature blocks, consistent formatting, and more detailed instructions, as well as links to access PDFs rather than directly attaching them. |
| Banking & Finance | Microsoft researchers identified a new version of the Banker O information stealing Android malware being delivered through an ongoing SMS campaign. The updated malware has additional remote access trojan (RAT) capabilities and increased obfuscation. It masquerades as a banking rewards app and targets customers of banks in India. The messages impersonate a known Indian bank and contain links that install a malicious APK file. Once opened, the fake app displays a splash screen with the bank logo and asks for credit card information after being granted all permissions. |
| Retail & Hospitality | NSFOCUS researchers observed Evilnum targeting European online gambling platforms in a series of phishing activities that aim to steal transaction credentials of service providers and customers. The ongoing campaign, dubbed Operation DarkCasino, involves the use of two new trojans, DarkMe and PikoloRAT, that are disguised as the client identity file. Typical Evilnum attack methods were observed, such as delivering shortcut decoy files with a malicious MSHTA command. Other attack flows included the use of the AgentVX trojan, InstallShield to generate the installer, steganography, and more. |

News and information concerning each mentioned industry over the last week.
