Weekly Cyber Digest

25 August 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name | Heat 7)
macOS Monterey
Apple Safari
WebKit Software Component
Apple iPadOS
WWBN AVideo

Deep & Dark Web (Name | Heat 7)
Linux OS
Libstdc++ For Linux
CentOS 6
Veeam Backup & Replication
CrowdStrike Falcon

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company | Information | Affected
Entrust (US) | LockBit ransomware actors added the company to its data leak site and threatened to leak all allegedly stolen data on August 19th, 2022. The company previously disclosed that it suffered a cyberattack on June 18th, 2022, in which some files were taken from its internal systems. | Unknown
Holdcroft Motor Group (UK) | On July 27th, 2022, the car dealership was hit by a ransomware attack in which the hackers stole years’ worth of data, including employees’ personal information. No client information was reportedly affected. | Unknown
WestJet Airlines (Canada) | A technical glitch in the airline’s app allowed users to see the personal information of other users. A user first discovered the data exposure on August 17th, 2022. | Unknown
Columbia River Mental Health Services (US) | The mental health service was subject to unauthorised access to some employee email accounts between May 14th, 2021, and April 8th, 2022. Certain protected health information may have been involved. | Unknown
Airplane Accelerates VPN (China) | An exposed 626GB Elasticsearch instance belonging to the company exposed 5.7 billion entries, including user IDs, the IP addresses users were connecting to and from, domain names, and timestamps. | Unknown
SFERRA Fine Linens (US) | Certain files on the company’s servers may have been accessed without authorisation between April 14th and April 24th, 2022. Possibly compromised data may include names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, account access credentials, and more. | Unknown
Wabtec (US) | LockBit claims to have been behind the June 2022 ransomware attack against the engineering firm. At the time of the attack, employees could no longer log into the company network. Multiple Wabtec facilities were reportedly impacted. | Unknown
IndiHome (Indonesia) | A potential data leak may have exposed the personal data of IndiHome subscribers. Browsing history, along with names, email addresses, identification numbers, and more, was reportedly leaked and uploaded to illegal websites. The company has yet to confirm the leak. | Unknown
Hjedd (China) | The platform has leaked user accounts with over 24GB worth of files since July 2022. Among the exposed data are usernames, phone numbers, email addresses, Bcrypt hashed passwords, messages between users, and more. | >14,000,000
Florida Springs Surgery Center (US) | Between May 25th and June 2nd, 2022, the health centre was hit by a phishing attack. The attacker gained access to patient data, including individual information, Social Security numbers, driver’s license numbers, financial account information, medical information, insurance information, and billing information. | 2,203
Brasseler USA | The dental manufacturer suffered a data breach following a ransomware attack in which consumer information was compromised. This includes names, Social Security numbers, driver’s license numbers, passport numbers, financial account information, including debit card and credit card numbers, medical and insurance information, and more. | Unknown
Overlake Medical Center & Clinics (US) | An unidentified third party had access to one staff member’s email account between June 13th and June 14th, 2022. Possibly compromised data includes names, dates of birth, medical record numbers, health insurance information, and more. | 557
South Francilien Hospital Center (France) | The hospital was targeted in a ransomware attack on August 21st, 2022, which severely disrupted its operations. It remains unknown what data may have been involved. | Unknown
South Staffordshire Water (UK) | Clop ransomware actors posted a data dump of the water supplier. This reportedly includes a significant amount of personally identifiable information of staff, such as passports, driver’s licenses, IPs, mail IDs, and more, along with corporate data, and passwords stored in an Excel sheet. | Unknown
Mansfield Independent School District (US) | On August 22nd, 2022, a ransomware attack disrupted the school district’s communication systems and caused an outage in all systems requiring internet connectivity. An investigation is ongoing to determine what, if any, data was potentially compromised. | Unknown
Sturm, Ruger & Co Inc (US) | The company suffered a data breach after its vendor, Freestyle Solutions Inc, suffered a malware attack. The payment card information of certain ShopRuger customers was accessible to an unauthorised party between September 21st, 2020, and February 3rd, 2022. Other compromised data of the company includes first and last names, shipping addresses, email addresses, and billing addresses. | Unknown
North Dakota Workforce Safety & Insurance (US) | On June 28th, 2022, the insurance agency was hit by a cyberattack after an employee opened a malicious attachment in a phishing email. Whilst the attack was limited to a single computer, the attacker gained access to personal data. | 182
DESFA National Natural Gas System Operator (Greece) | The company suffered a limited scope data breach and IT system outage after hackers attempted to infiltrate its network. Though the attack attempt was mostly thwarted, some files and data may have been accessed. Ragnar Locker has since posted a list of allegedly stolen data on its data leak site, along with a small set of files. | Unknown
Cellebrite (Israel) | Haaretz reported that sensitive and confidential information relating to intelligence, defence, and law enforcement agencies across the globe, including the Federal Bureau of Investigation and Interpol, was leaked from the company. The information is from 2015 to 2017 and includes nearly half a million emails from senior officials and directors at Cellebrite, their internal communications, exchanges with clients, invoices, and contracts. | Unknown
Onyx Technology (US) | The healthcare provider discovered that a server may have been ‘removed or accessed’ between March 29th and June 28th, 2022. Possibly compromised information includes names, dates of birth, addresses, phone numbers, iCare member ID numbers, and more. | 96,814
California Department of Corrections and Rehabilitation (US) | CDCR discovered suspicious activity in one of its file transfer systems dating back to December 2021. Possibly exposed data includes personal information of individuals who received a COVID-19 test between June 2020 and January 2022. Data of the incarcerated population from the Mental Health Services Delivery System may also have been exposed, including names, CDCR numbers, mental health treatment, Social Security numbers, driver’s license numbers, and more. | Unknown
Plex (US) | The company is currently investigating a potential data breach and is requiring a password reset for all accounts. A third party was found to have accessed a limited subset of data, including emails, usernames, and encrypted passwords. No payment data was impacted. | Unknown
BRP Inc (Canada) | Certain employee and supplier data was accessed by an unauthorised third party and leaked on the dark web. The RansomEXX ransomware gang listed the company on its data leak site and posted 29.9GB of allegedly stolen files. This includes non-disclosure agreements, passports and IDs, material supply agreements, contract renewals, and more. Sensitive customer data does not appear to have been impacted. | Unknown
Accelya Group (Spain) | The company disclosed that some of its data was posted on the AlphV ransomware leak site on August 15th, 2022. The threat actor claims the stolen data includes emails, worker contracts, and more. | Unknown
City of Kent, Washington (US) | A staff member of the city inadvertently disclosed a file containing the 2020 W-2 Wage and Tax Statement information for all city employees to an employee of another city. The recipient reportedly received the information at their personal email account and reported the incident to the city. Exposed information includes full names, addresses, Social Security numbers, salary information, and more. | Unknown
Instituto Agrario Dominicano (Dominican Republic) | The government agency was targeted in a ransomware attack on August 18th, 2022. The Quantum ransomware operation was reportedly behind the attack. The group claims to have stolen over 1TB of data. | Unknown
Multiple organisations (India) | Cybernews researchers discovered an open 24GB dataset containing over 33.5 million records, including highly sensitive information like bank account numbers, holder names and balances, transaction types, destinations, and amounts. This includes records from over 200 Indian banks. The dataset also contained information on financial fraud investigations in India associated with the Central Bureau of Investigation. | Unknown
Orion Innovation (US) | On August 23rd, 2022, the LockBit ransomware group added the company to its leak site. It is unclear how much data may have been stolen. | Unknown
Securities and Exchange Commission of Pakistan | Sensitive data belonging to the financial regulator was stolen in an incident on July 27th, 2022. The leaked database included private information, such as that of chief executive officers of certain companies, their identity cards, email addresses, residential addresses, financial information, and more. | Unknown
Government of the United Kingdom | The names of some civil servants claiming expenses were accidentally published on the government’s website, before being taken down a week later. | Unknown
Tinkoff Bank, OTPbank, Rosgosstrakh Bank (Russia) | On August 23rd, 2022, the pro-Ukraine hacktivist group 2402Team claimed to have leaked around 500GB from Russian banks including Tinkoff Bank, OTPbank, and Rosgosstrakh Bank. This includes information on software for the financial sector. | Unknown

Threat actor mentions in Technology

This chart shows the trending threat actors related to Technology within a curated list of cyber sources over the past week.

Weekly Industry View

Industry | Information
Banking & Finance | Resecurity researchers discovered a new remote access trojan (RAT), dubbed Escanor, being advertised on the dark web and Telegram. The RAT is offered in Android and Windows versions, alongside an HVNC module and an exploit builder to weaponise Microsoft Office and Adobe PDF documents. The mobile version is currently used to target online banking customers by intercepting one-time password codes and stealing credentials. The majority of victims are based in the United States, Canada, UAE, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore.
Critical Infrastructure | Cyble researchers analysed the BianLian Golang ransomware. At least nine organisations have been targeted with BianLian, across industries including media and entertainment, manufacturing, energy and utilities, and healthcare. The operation uses the double extortion tactic of threatening to leak stolen data if no ransom is paid. To encrypt faster and make reverse engineering more difficult, the ransomware creates multiple threads. Following encryption, BianLian deletes itself from the machine, leaving only the encrypted files and the ransom note. The ransom note contains a TOX Messenger ID to be used for ransom negotiations and the Onion URL of the leak site.
Technology | Sucuri researchers recently discovered a malicious JavaScript injection affecting WordPress websites that results in a fake Cloudflare distributed denial-of-service (DDoS) protection popup. Clicking the prompt initiates a download of a malicious ISO file, followed by a message asking the user to open the ISO to obtain a verification code to access the website. Whilst the ISO does return a verification code, it also delivers the NetSupport remote access trojan (RAT) and installs RaccoonStealer.
Retail & Hospitality | In 2022, Proofpoint researchers observed a significant increase in activity by the financially motivated threat actor TA558 targeting hospitality, hotel, and travel organisations. TA558 recently moved away from using macro-enabled documents in its email campaigns and instead began using URLs and container files, such as RAR or ISO attachments, to distribute malware. The group attempts to install at least 15 different malware payloads, typically remote access trojans like Loda RAT, Revenge RAT, AsyncRAT, and Vjw0rm.
Cryptocurrency | Microsoft noted that cryptojackers have become stealthier by using living-off-the-land binaries to evade detection. Notepad executables are the main legitimate system binaries used by cryptojackers, followed by Explorer and AddInUtil. One observed campaign involved an updated version of the Mehcrypt cryptojacker that packs all routines into one script and connects to a C2 in the latter part of the attack chain.
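The Cryptocurrency row above notes that cryptojackers hide behind legitimate system binaries (Notepad, Explorer, AddInUtil). The following detector is an added example written for this digest; it is not Silobreaker's, Microsoft's or any vendor's code. It reads constructed endpoint telemetry (one key=value event per line, a format assumed here rather than taken from a real sensor) and flags those binaries when they behave in ways the legitimate tool would not: being launched by a script host, or, for Notepad and AddInUtil, opening any network connection at all. The script-host list, the allowed ports for Explorer, the sample process IDs and the destination addresses are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Binaries the digest names as cryptojacker hosts (lower-cased for matching).
LOLBINS = {"notepad.exe", "explorer.exe", "addinutil.exe"}
# Assumption: these two have no legitimate reason to talk to the network.
NO_NETWORK_EXPECTED = {"notepad.exe", "addinutil.exe"}
# Assumption: script hosts that should not normally be spawning these tools.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Assumption: Explorer is tolerated on common web/SMB ports only.
EXPLORER_ALLOWED_PORTS = {80, 443, 445}

# key=value pairs; a value may be double-quoted when it contains spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry (hypothetical pids, paths and addresses).
SAMPLE_EVENTS = [
    r'type=process pid=4120 image=C:\Windows\System32\notepad.exe parent=explorer.exe',
    r'type=netconn pid=4120 dest=203.0.113.45:3333 proto=tcp',
    r'type=process pid=5008 image=C:\Windows\System32\notepad.exe parent=wscript.exe',
    r'type=process pid=6100 image=C:\Windows\explorer.exe parent=userinit.exe',
    r'type=netconn pid=6100 dest=192.0.2.10:443 proto=tcp',
    r'type=netconn pid=6100 dest=203.0.113.9:14444 proto=tcp',
    r'type=process pid=7200 image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe parent=powershell.exe',
    r'type=process pid=8300 image="C:\Program Files\Firefox\firefox.exe" parent=explorer.exe',
    r'type=netconn pid=8300 dest=198.51.100.7:443 proto=tcp',
]


@dataclass
class Finding:
    pid: int
    image: str
    rule: str
    detail: str


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(lines):
    """Correlate process and network events by pid and apply the three rules."""
    procs = {}      # pid -> (image basename, parent basename)
    findings = []
    for raw in lines:
        ev = parse_event(raw)
        if not ev or "pid" not in ev:
            continue
        pid = int(ev["pid"])
        if ev.get("type") == "process":
            image = basename(ev.get("image", ""))
            parent = basename(ev.get("parent", ""))
            procs[pid] = (image, parent)
            if image in LOLBINS and parent in SCRIPT_HOSTS:
                findings.append(Finding(pid, image, "lolbin_script_parent",
                                        f"launched by {parent}"))
        elif ev.get("type") == "netconn":
            image, _ = procs.get(pid, ("unknown", ""))
            dest = ev.get("dest", "")
            port = int(dest.rsplit(":", 1)[-1]) if ":" in dest else None
            if image in NO_NETWORK_EXPECTED:
                findings.append(Finding(pid, image, "lolbin_unexpected_network",
                                        f"connected to {dest}"))
            elif image == "explorer.exe" and port not in EXPLORER_ALLOWED_PORTS:
                findings.append(Finding(pid, image, "explorer_unusual_port",
                                        f"connected to {dest}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.image} [{f.rule}] {f.detail}")
```

Run against the sample, the detector reports the Notepad process that connects out (pid 4120), the Notepad and AddInUtil processes spawned by script hosts (pids 5008 and 7200), and Explorer's connection on an unusual port (pid 6100), while leaving Explorer's 443 connection and the browser untouched. The parent-process and port allow lists are where a real deployment would tune for its own environment.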

News and information concerning each mentioned industry over the last week.
