02 March 2023
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.
Trending Vulnerable Products
Open Source
Name | Heat 7 |
---|---|
ArubaOS | |
Wormhole Portal Token Bridge | |
Lastpass | |
SourceCodester | |
Zoho ManageEngine | |
Deep & Dark Web
Name | Heat 7 |
---|---|
Kali Linux | |
Nmap | |
Scapy | |
Microsoft Windows Defender | |
Tenable Nessus | |
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
Company | Information | Affected |
---|---|---|
Federation of Indian Chambers of Commerce & Industry | Mallox ransomware added the federation to its leak site, alongside a 1.28GB file. The file included confidential credit notes, details of employee bank accounts, internet banking credentials, and more. | Unknown |
Hutchinson Clinic (US) | An unauthorised actor gained access to the company’s systems in December 2022. Potentially compromised data includes names, contact information, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, and more. | Unknown |
TELUS (Canada) | A threat actor on a breach forum claims to be in possession of employee names and 76,000 unique email addresses. TELUS stated they have seen no evidence of data theft. | Unknown |
Long Beach Unified School District (US) | A database of student information was uploaded to the dark web, which includes names, emails and student identification numbers. | 130,000 |
Breeze Center (Taiwan) | Hackers posted allegedly stolen data on BreachForums. This includes information on business operations and customer transactions, including details of customer accounts and passwords. | 900,000 |
MySejahtera (Malaysia) | The personal information of COVID-19 vaccine recipients who used the MySejahtera app was downloaded in an October 2021 breach. | 3,000,000 |
Porsche South Africa | A Faust ransomware attack in February 2023 impacted systems and backups. | Unknown |
Royal Mail (UK) | LockBit ransomware published files stolen in the January 2023 ransomware attack alongside chat logs of the negotiations. | Unknown |
EDEESTE (Dominican Republic) | La Empresa Distribuidora de Electricidad del Este was added to BlackCat’s leak site. The group claimed to have exfiltrated 420GB of information which can supposedly be viewed through an Onion link, however the URL is currently not online. | Unknown |
Âncora Sistemas de Fixação (Brazil) | Royal ransomware added the company to their leak site, uploading 88GB of allegedly stolen data as proof. | Unknown |
La Segunda Seguros (Argentina) | LockBit ransomware added the company to its leak site, with some data samples added as proof. | Unknown |
Joaquín Paz Borrero Hospital (Colombia) | A ransomware attack encrypted data on a specified server. It remains unknown what ransomware strain was involved. | Unknown |
Stanford University (US) | A misconfigured folder allowed data to be downloaded from the university website. Compromised data includes names, dates of birth, home and mailing addresses, phone numbers, email addresses, and more. Access to the files has since been blocked. | 897 |
News Corp (US) | A two-year long data breach, beginning February 2020, was confirmed to be conducted by hackers associated with a foreign government. Potentially compromised information includes names, dates of birth, Social Security numbers, passport information, and more. | Unknown |
Encino Energy (US) | The ALPHV ransomware group added the company to its leak site along with 400GB of allegedly stolen data. Whilst the company confirmed a cyberattack, it did not disclose whether ransomware was involved or whether any data was stolen. | Unknown |
United States Marshals Service | A ransomware attack led to data exfiltration from a standalone system, which has since been disconnected. The system contains sensitive law enforcement information, including information pertaining to the subjects of investigations, third parties, and certain employees. | Unknown |
Dental Health Management Solutions (US) | Unauthorised access to the company’s systems was gained via an employee’s email account. Potentially compromised data includes patients’ names, Social Security numbers, driver’s license numbers, addresses, and financial, health insurance, and medical information. | 3,205 |
Alvaria (US) | A November 2022 Hive ransomware attack led to the breach of confidential customer and employee information. Compromised data includes names, Social Security numbers, passport numbers, financial account and health insurance information, and tax-related information. | Unknown |
Beeline (US) | A threat actor posted a database containing data allegedly stolen from Beeline’s Jira account that includes customer and employee names, usernames, and more. The samples include data of Beeline’s customers like Amazon, Credit Suisse, 3M, Boeing, BMW, Daimler, JPMorgan Chase, McDonalds, the Bank of Montreal, and more. | Unknown |
Multiple | LockBit ransomware claimed to have compromised Pierce Transit and the City of Lakewood, Washington. Potentially compromised data from Pierce Transit includes the personal data of customers, contracts, postal correspondence, and non-disclosure agreements. | Unknown |
Fayvo (Saudi Arabia) | An insecure server, publicly accessible for at least 80 days, exposed nearly 45 million documents. Compromised data includes full names, usernames, email addresses, phone numbers, dates of birth, post details, and profile images of users. It is not clear if the server has since been secured. | Unknown |
Infrastructure Leasing & Financial Services Limited (India) | LockBit ransomware added the company to its leak site, posting screenshots as proof. Potentially compromised data includes details of contracts, personal data, passports, postal correspondence, and financial documents. The company was given a deadline of March 10th, 2023. | Unknown |
Unknown | The operators of the BidenCash darknet marketplace released a dataset of 2,165,700 credit and debit cards to commemorate one year of operations. Compromised data includes names, emails, phone numbers, and home addresses, as well as payment card numbers, expiration dates, and CVV codes. | Unknown |
Sentara Health (US) | A PDF containing patient data was uploaded to the Adobe Acrobat site in October 2022, which has since been removed. Potentially compromised data includes names, Medicare ID numbers, dates of service, the last four digits of account numbers, and more. | 741 |
Group 1001 (US) | A ransomware infection caused system interruptions at the company and also affected Group 1001 member companies. Group 1001 asserted it did not pay a ransom but did not address whether any data was impacted. Full operations have since been restored. | Unknown |
Inland Revenue Board of Malaysia | The personal information of taxpayers could reportedly be accessed by anyone via the MyTax platform. Potentially compromised data includes home addresses, telephone numbers, bank account numbers, email addresses, and tax identification numbers. | Unknown |
WH Smith (UK) | A cyberattack led to threat actors accessing company data, including that of current and former employees. Potentially compromised data includes names, addresses, National Insurance numbers, and dates of birth. | Unknown |
White Settlement Independent School District (US) | The LockBit ransomware group added the school district to its leak site, along with several files as proof. The files do not appear to be recent. The district since reported a possible cyberattack which compromised documents belonging to some staff members. | Unknown |
Texas Department of Public Safety (US) | Replacement driver’s licences were fraudulently obtained from the department by an organised crime group based in New York using personal data obtained from the dark web. Other states were reportedly similarly targeted. | ~3,000 |
O’Neal Industries Inc (US) | A data breach occurred following unauthorised access to the company’s computer network. Potentially compromised data includes names, addresses, and Social Security numbers. | 726 |
Meriplex Communications (US) | The company learned of unauthorised access to confidential information belonging to one of their customers, Malaga Bank. Potentially compromised data includes names and Social Security numbers. | Unknown |
CompSource Mutual Insurance Company (US) | Unauthorised access to confidential customer information was obtained by an unauthorised actor. Possibly exposed information includes names, Social Security numbers, driver’s licence numbers, financial account information, and protected health information. | Unknown |
Rockler Companies Inc (US) | An unauthorised actor gained access to the company’s network in May 2022. Potentially compromised data includes names, Social Security numbers, driver’s licence numbers, financial account numbers, and credit or debit card numbers. | 8,604 |
Emtec Inc (US) | An unauthorised party gained access to the company’s network in September 2022. Potentially compromised data includes names, addresses, Social Security numbers, driver’s licence numbers, financial account information, and protected health information. | 7,657 |
Cleveland Brothers Holdings Inc (US) | Suspicious activity was uncovered on the company’s network in November 2022. Potentially exposed customer information includes names and Social Security numbers. | Unknown |
Indigo Books & Music (Canada) | LockBit ransomware claimed responsibility for a recent attack against the bookseller in which the attackers stole employee information, with the type of data yet to be specified. LockBit has given the company until March 2nd, 2023. | Unknown |
Lubbock Heart and Surgical Hospital (US) | A July 2022 cyberattack allegedly led to a threat actor accessing confidential information. Potentially compromised information includes names, contact information, demographic information, dates of birth, Social Security numbers, and medical information. | 23,379 |
Dish Network (US) | A multi-day network and service outage was caused by a ransomware attack, which some sources attributed to the Black Basta ransomware group. Dish confirmed that the attackers stole data, but did not disclose what type. Investigations are ongoing to determine if personal information was involved. | Unknown |
Attack Type mentions in Banking & Finance

This chart shows the trending attack types related to Banking & Finance within a curated list of cyber sources over the past week.
Weekly Industry View
Industry | Information |
---|---|
Government | Menlo Security researchers observed an unknown threat actor leveraging Discord and the PureCrypter downloader in an evasive campaign targeting government entities in Asia Pacific and North America. PureCrypter uses the domain of a compromised non-profit organisation as a C2 to deliver a secondary payload. Observed payloads include Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia ransomware. |
Cryptocurrency | Researchers from the ZenGo cryptocurrency wallet identified a suspected North Korean hacking group that stole almost $25 million worth of non-fungible tokens (NFTs) from their owners. The actor used a novel offline signature attack to steal ERC-20 tokens and take control of the wallets associated with the NFTs. The group’s attacks had ties to phishing infrastructure previously linked to North Korean groups. The attack was carried out by the same group that was observed stealing NFTs last year by researchers from SlowMist. |
Technology | KrebsOnSecurity revealed that Telegram data suggests three different cybercriminal groups claimed access to internal networks at T-Mobile in more than 100 separate incidents throughout 2022. All claimed to have gained access by phishing employees and conducting SIM swapping attacks. In the last seven and a half months of 2022, the three groups collectively made SIM swapping claims against T-Mobile on 104 separate days, often with multiple groups claiming access on the same day. These actors also periodically offer SIM swapping for other providers, including AT&T and Verizon. T-Mobile declined to confirm or deny any of the claimed intrusions. |
Retail | Cyble researchers analysed the R3NIN skimmer, which steals payment card data and personally identifiable information entered by victims on compromised e-commerce sites. R3NIN has multiple features, including generating custom JavaScript code for injection and cross-browser exfiltration of compromised payment card data. Recent improvements include the addition of keylogger functionality, script obfuscation, and remote execution from the skimmer panel. Cyble noted that this malicious operation occurs on a legitimate domain, and that the malicious scripts do not directly interact with the victim’s device, making it difficult for users to identify whether the e-commerce site is secure. |
Healthcare | The United States Department of Health & Human Services warned of the threat of MedusaLocker ransomware. The malware targets multiple sectors, with a primary focus on healthcare. MedusaLocker currently targets unsecured Remote Desktop Protocol servers, desktops, and vulnerabilities. The threat actors may also gain access to targeted networks via phishing campaigns. |
News and information concerning each mentioned industry over the last week.