25 May 2023
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.
Trending Vulnerable Products
Open Source
Name |
---|
WebKit Software Component |
Apple tvOS |
Liferay Portal |
Liferay DXP |
Apple watchOS |
Deep & Dark Web
Name |
---|
Apple Safari |
Apple iOS |
KeePass |
Oracle WebLogic |
Google Android |
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
Company | Information | Affected |
---|---|---|
Viking Coca-Cola (US) | Black Basta ransomware added the manufacturer to its leak site, claiming to have stolen data. They did not disclose what types of data they acquired. | Unknown |
Asl 1 Abruzzo (Italy) | The oncology network reportedly suffered a data breach, with stolen data published on the dark web. Compromised information includes pathologies and medical treatments. | Unknown |
Gentex Corp (US) | The company confirmed it suffered a data breach several months ago. It was initially added to the Dunghill ransomware leak site in April 2023, with the group claiming to have stolen 5TB of data. This includes emails, client documents, and the personal data of employees, such as Social Security numbers. | 10,000 |
BNY Mellon (US) | A data breach occurred after the IT system of one of its third parties was subject to unauthorised access. This exposed sensitive consumer information such as names and Social Security numbers. | Unknown |
Great Expressions Dental Centers (US) | An unauthorised party gained access to its computer system on February 17th, 2023. Compromised patient information includes names, dates of birth, phone numbers, Social Security numbers, financial account information, and more. | Unknown |
University of Missouri Health Care (US) | A workforce member accessed 736 medical records between July 2021 and March 2023. This may have exposed data such as names, dates of birth, medical record number, and limited treatment and/or clinical information. | Unknown |
Indiana University (US) | Two unprotected Azure Storage blobs contained over 1.3 million exposed files, including data from the confidential Beginning College Student Engagement Survey. This includes answers about academic backgrounds and performances, sexual orientation, race, ethnicity, and more. | Unknown |
Hammon Lumber (US) | The company was added to the LockBit ransomware leak site around March 30th, 2023. The leak allegedly involved 230GB of data. | Unknown |
Orion Holdings Corporation (South Korea) | BlackCat ransomware allegedly stole over 1TB of data, including confidential documents on Korean and Chinese employees, non-disclosure agreements, and more. The attackers posted some screenshots as proof. | Unknown |
Luxottica (Italy) | In April and May 2023 a hacker published a database containing 300 million records of personal information on customers in the United States and Canada. The company confirmed the breach affected names, email and physical addresses, phone numbers, and dates of birth. | 70,000,000 |
PillPack (US) | An unauthorised person used customers’ email addresses and passwords to log into their PillPack accounts between April 2nd and April 6th, 2023. The actor successfully logged into 19,032 accounts, of which 3,614 accounts contained prescription information. | Unknown |
Peachtree Orthopedics (US) | An unauthorised party gained access to limited systems within its computer network on April 20th, 2023. Potentially compromised data includes names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and more. On May 12th, 2023, Karakurt added the Atlanta orthopedic practice to its leak site, claiming to have stolen 194GB of data. | Unknown |
South Texas Health System (US) | A business associate fell victim to a phishing attack on or about January 9th, 2023 impacting its Edinburg facility. Compromised data may have included names, patient account or medical record numbers, and some treatment information. Hospital management firm UHS of Delaware also reported a breach, impacting the same information of 130,000 Texans. Both companies are owned by United Health Services. | Unknown |
Shore Regional High School District (US) | LockBit ransomware added the New Jersey district to its leak site on May 18th, 2023, providing a ransom deadline of May 19th, 2023. | Unknown |
Dish Networks (US) | A recent ransomware attack impacted confidential records and sensitive information belonging to current and former employees and their families. It is thought to be a Black Basta ransomware attack. | 296,851 |
Solutran (US) | A data breach impacted employees of its member companies. Exposed data may include names and credit, debit, or benefit card numbers. | Unknown |
Multiple (US & Canada) | Snatch ransomware actors have added the Medical Society of the State of New York and the Canadian Nurses Association to their leak site. | Unknown |
Mazars Group (France) | BlackCat ransomware added the firm to its leak site, claiming to have stolen 700GB of data. This allegedly includes agreements, financial records, and other sensitive data. | Unknown |
Rheinmetall (Germany) | On May 22nd, 2023, the manufacturer confirmed that a cyberattack detected in April 2023 was a Black Basta ransomware attack. The incident only affected the company’s civilian business. | Unknown |
Insurance Information Bureau of India | A ransomware attack encrypted nearly 30 server systems. Compromised data includes confidential information and 16GB from firewall logs. | Unknown |
Advisor Group (US) | The company suffered a data breach as a result of the December 23rd, 2021, cybersecurity incident at third-party vendor, RR Donnelly & Sons. Compromised data includes personal information of Advisor Group’s consumers, including names, addresses, and Social Security numbers. | Unknown |
Apria Healthcare LLC (US) | A data breach impacted the personal information of patients and employees. Potentially compromised information includes personal, medical, health insurance, or financial information, and in some limited cases, Social Security numbers. | Unknown |
Multiple (UK) | Multiple UK councils have revealed their data was impacted by Capita’s most recent breach, stemming from an unsecured Amazon Web Services bucket. This includes Colchester City Council, Coventry City Council, Adur & Worthing Councils, Rochford District Council, Derby City Council, and South Staffordshire Council. | Unknown |
Clarke County Hospital (US) | The hospital confirmed it suffered a data breach on April 14th, 2023, that may have exposed the personal information of current and former patients. This includes names, addresses, dates of birth, health insurance information, medical information, and more. This comes after Royal ransomware listed the company on its leak site on April 24th, 2023. | Unknown |
Zivame (India) | Threat actors advertised the sale of customer data. This allegedly includes names, emails, phone numbers, and physical addresses. | 1,500,000 |
On Demand Staffing Inc (US) | Carvin Software disclosed a data breach on behalf of its client, after a cyberattack involved unauthorised access to ODS customer data between February 22nd and March 9th, 2023. Compromised data includes names, Social Security numbers, and financial account information. | Unknown |
Morris Hospital (US) | Royal ransomware added the healthcare facility to its leak site on May 22nd, 2023. The group has currently not provided a ransom note or payment deadline. | Unknown |
Chattanooga State Community College (US) | Snatch ransomware actors claimed responsibility for a cyberattack on the college that took place on May 6th, 2023. | Unknown |
Harvard Pilgrim Health Care (US) | The healthcare provider was impacted by a ransomware attack at its parent organisation, Point32Health. Data was copied and taken from Harvard Pilgrim systems between March 28th and April 17th, 2023, including names, physical addresses, phone numbers, dates of birth, Social Security numbers, and more. | Unknown |
The Philadelphia Inquirer (US) | Cuba ransomware added the newspaper to its leak site following a cyberattack on May 13th, 2023. The group claims to have stolen a range of sensitive data, including financial documents and source code. The newspaper has denied that the leaked data belongs to them. | Unknown |
Voxx Electronics (US) | On May 24th, 2023, the BlackCat ransomware group added the company to its leak site, claiming to have stolen a large amount of sensitive data. This allegedly includes personal data like bank and financial records, confidential customer and partner documents, and more. | Unknown |
Evotor (Russia) | An exposed environment file contained databases, tokens, and credentials for Redis and Zendesk. Threat actors could abuse these to gain access to sensitive company data and customer communications. | Unknown |
United States Marine Corps | A breach caused by an unencrypted email on May 9th, 2023, exposed personal information of personnel. This includes names, last four digits of Social Security numbers, contact information, and account and routing numbers. | 39,000 |
Malware mentions in Critical Infrastructure

This chart shows the trending malware related to Critical Infrastructure within a curated list of cyber sources over the past week.
Weekly Industry View
Industry | Information |
---|---|
Government | CERT-UA warned of cyberattacks by the UAC-0063 threat group against government bodies as part of an espionage campaign. The intrusion set leverages email phishing lures to deploy various malicious tools. Amongst the objects of interest of the group are organisations from Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. Observed malware includes HATVIBE, used to drop the LOGPIE keylogger, the CHERRYSPY backdoor, and either STILLARCH or DownEx to exfiltrate files. |
Cryptocurrency | ScamSniffer researchers discovered multiple phishing incidents related to a scam vendor, named Inferno Drainer, that specialises in multi-chain scams. Inferno Drainer has so far stolen around $5.9 million in cryptocurrency from 4,888 victims. This includes funds from multiple blockchains, such as Mainnet, Arbitrum, Polygon, and BNB. The crypto phishing service is promoted on Telegram Messenger and charges 20% of the stolen assets and 30% of the phishing site creation fee. Since March 27th, 2023, Inferno Drainer has created at least 689 phishing websites, targeting 229 brands such as Pepe, OpenSea, MetaMask, and more. |
Technology | On May 19th, 2023, Barracuda discovered a zero-day vulnerability on some of their Email Security Gateway (ESG) appliances. They determined that the flaw, tracked as CVE-2023-2868, was exploited in some of its customers’ ESG appliances, resulting in unauthorised access. Its investigations were limited to its ESG products and not the customers’ corporate network. Impacted organisations should therefore review their environments to confirm the actors did not spread further. |
Critical Infrastructure | Microsoft researchers discovered Chinese state-sponsored threat actor, Volt Typhoon, targeting critical infrastructure organisations in Guam and elsewhere in the United States. The group typically focuses on espionage and information gathering, with the observed campaign focusing on post-compromise credential access and network discovery. The campaign is described as stealthy and targeted, with Volt Typhoon relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. |
Civil Society | Sekoia researchers observed Russian threat group APT28 using multiple phishing techniques to target Ukrainian civil society. This includes using the man-in-the-browser technique to harvest credentials. HTML attachments impersonating the Ukrainian think tank, Centre for Defence Strategies, produce a fake login window that contains an iframe that embeds a fake UKR[.]NET login webpage. HTTP webhook services, such as Pipedream and Webhook, have been used to retrieve stolen credentials. |
News and information concerning each mentioned industry over the last week.