
Weekly Cyber Digest

27 October 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Deep & Dark Web (Name, ordered by Heat 7)
- VMware Workspace One Access
- Joomla
- XMRig
- Windows PowerShell
- Windows 8

Open Source (Name, ordered by Heat 7)
- Apple iPadOS
- Robustel R1510
- Java Runtime Environment
- OpenJDK
- Brocade Fabric OS

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company | Information | Affected
Defense Health Headquarters (US) | The Office for Civil Rights at the United States Department of Health and Human Services is currently investigating a suspected hacking or IT incident at the government agency. | 1,279
Advocate Aurora Health (US) | The healthcare system suffered a data breach in which personal patient data was exposed. Potentially compromised information includes IP address, appointment information, proximity to an Advocate Aurora Health location, insurance information, and more. | 3,000,000
EnergyAustralia | The electricity company suffered a cyberattack on September 30th, 2022, that impacted its My Account customer platform, with residential and small business customer accounts accessed. Potentially compromised information includes names, addresses, email addresses, electricity and gas bills, phone numbers, and the first six and last three digits of credit card numbers. | 323
Carousell (Singapore) | On October 14th, 2022, the e-commerce platform experienced a data breach that exposed the personal information of users, including email addresses, mobile numbers, and dates of birth. | 1,950,000
Pendragon (UK) | The car dealer group suffered a cyberattack in which hackers stole 5% of its database. The attackers are reportedly connected to LockBit 3.0 and are demanding a £54 million ransom. They later threatened to release sensitive data on the dark web. | Unknown
Atomic Energy Organization of Iran | An email server belonging to one of the agency’s subsidiaries was hacked from a foreign country, and operational data about a nuclear power plant was subsequently published online. The Iranian hacktivist group Black Reward claimed responsibility for the attack, stating it exfiltrated 324 inboxes comprising over 100,000 messages and totalling over 50GB of files. | Unknown
Massy Jamaica | On September 19th, 2022, Hive ransomware operators released data allegedly stolen from the supermarket chain. The company confirmed that it suffered a data breach involving personal information, reportedly including names, addresses, taxpayer registration numbers, signatures, and videos and pictures of Massy Jamaica employees and contractors. | Unknown
Kingfisher Insurance (UK) | The firm was the target of an attack against its IT systems after it was added to the LockBit ransomware leak site in October 2022. The attackers claimed to have stolen 1.4TB of company data; however, the company stated that the actors could not have stolen that much data. The stolen data allegedly includes personal data of employees and customers, and more. | Unknown
Simplify Group (UK) | A cyberattack against the company in November 2021 exposed certain files that contained information about past and present employees. This includes bank account information, contact details, dates of birth, health and medical information, as well as tax and national insurance numbers. | Unknown
Kenosha Unified School District (US) | On October 23rd, 2022, the Snatch ransomware group added the school district to its leak site. It was not disclosed what information may have been stolen. | Unknown
Ministry of Health of Argentina | The ministry’s computer system was attacked after a hacker infiltrated the personal account of a civil servant and sent chain emails. The incident led to the leak of sensitive data on individuals infected with HIV. | Unknown
Midland Information Technology Consortium (US) | On October 20th, 2022, the company suffered a ransomware attack that affected clients’ internet and email services as well as phone lines. An investigation is ongoing to determine what, if any, information has been compromised. | Unknown
Tata Power (India) | The operators of Hive ransomware leaked files allegedly stolen from the company on their Tor leak site. The data is said to include contracts, financial and business documents, engineering projects, and employees’ personally identifiable information, including Aadhaar card numbers. | Unknown
See Tickets (UK) | The ticketing service disclosed a data breach that resulted from a JavaScript skimmer injected into its order checkout pages between June 25th, 2019, and January 8th, 2022. Unauthorised parties may have stolen customers’ personal and credit card information, including full names, physical addresses, ZIP codes, payment card numbers, card expiration dates, and CVV numbers. | Unknown
Unknown | A 34GB cache of leaked data revealed the inner workings of a stalkerware operation spying on hundreds of thousands of individuals around the world. The leaked data comes from Android phones and tablets compromised by numerous near-identical stalkerware apps. The cache contains the operation’s core database, including detailed records on every device compromised since early 2019, along with call logs, text messages, granular location data, and other personal device data. | Unknown
Australian Clinical Labs | The company suffered a cyberattack in which the personal information of individuals was exposed. This includes medical and health records, names, and credit card numbers. Data from its subsidiary Medlab had also previously been leaked to the dark web; this data has since been removed. | 223,000
Davenport Community Schools (US) | Karakurt threat actors added the school district to their leak site, claiming to have stolen 845GB of student personal information and more in an attack. The group has not published any proof. | Unknown
WakeMed (US) | Between March 2018 and May 2022, some patients’ data may have been transmitted to Meta due to the hospital’s improper use of Meta’s pixel tracker. This concerns information entered into the MyChart patient portal and appointment scheduling page, including email addresses, phone numbers, other contact information, computer IP addresses, emergency contact information, and more. | Unknown

Attack Type mentions in Healthcare

This chart shows the trending attack types related to Healthcare within a curated list of cyber sources over the past week.

Weekly Industry View

Industry | Information
Banking & Finance | Doctor Web discovered two banking trojans hidden inside mobile shopping apps that are advertised on malicious websites. The apps target the online banking accounts of Malaysian users. Current targets include Maybank, HLB Connect, CIMB Group, Public Bank Berhad, and other Malaysian banks, though this list may be changed or expanded. When a user attempts to make a purchase, the apps ask for personal details such as names, residential addresses, mobile phone and identification card numbers, and in some cases dates of birth. The user is then asked to select a bank to make their payment, after which they are prompted to provide their online banking login details. All information is sent to the C2 server, while the user is shown an error message stating that their payment has failed.
Education | In recent months, Microsoft researchers observed the Vice Society threat actor engaging in ransomware and extortion campaigns aimed at the global education sector, particularly in the United States. Active since June 2021, Vice Society has used various payloads over time, including BlackCat and QuantumLocker, with Zeppelin variants and RedAlert as the most recent payloads. In some cases, the group did not deploy ransomware but instead extorted the victim using only stolen data. The group relies on tactics, techniques, and procedures commonly used by other ransomware actors, including commodity backdoors such as SystemBC and PortStarter, PowerShell scripts, and repurposed legitimate tools such as Rclone, Megasync, WMIC, PsExec, and more.
Technology | Researchers at the Leiden Institute of Advanced Computer Science discovered thousands of repositories on GitHub offering fake proof-of-concept (PoC) exploits for various vulnerabilities, some of which contain malware. The researchers determined that the probability of becoming infected with malware, rather than obtaining a legitimate PoC, is as high as 10.3%. Among the observed malware are Houdini RAT, information stealers, Cobalt Strike, and more.
Healthcare | The United States Cybersecurity and Infrastructure Security Agency released a joint advisory warning that the cybercrime group Daixin Team has actively targeted US businesses, primarily in the healthcare and public health sector, since June 2022. The group deploys ransomware against servers responsible for healthcare services, including electronic health records, and exfiltrates personal data and patient health information. The group uses virtual private network servers for initial access, exploiting unpatched vulnerabilities or using compromised credentials.
Cryptocurrency | Sysdig researchers discovered an extensive and sophisticated active cryptomining campaign, dubbed PURPLEURCHIN. The freejacking campaign abuses trial accounts at cloud and continuous integration and deployment (CI/CD) service providers such as GitHub, Heroku, and Buddy Works to build, run, scale, and operate the mining operation. Among the targeted cryptocurrencies are Tidecoin, Onyx, Sugarchain, and Sprint.

News and information concerning each mentioned industry over the last week.
