Weekly Cyber Digest

01 December 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.

Trending Vulnerable Products

Deep & Dark Web (Name / Heat 7)
Microsoft Windows
Atlassian Bitbucket
Windows Internet Key Exchange
Windows Server
Fortinet FortiOS

Open Source (Name / Heat 7)
Google Chrome Browser
Oracle Fusion Middleware
Mali GPU
OpenStack Cloud

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company (country): Information. Affected: number of records

Norman Public Schools (US): Hive ransomware operators began leaking student and employee data after the school district refused to meet their ransom demands. The district stated that employee names, addresses, Social Security numbers, and financial account information may have been impacted, as well as student names and Social Security numbers. Hive claims to be in possession of over 311GB of data, which is said to also include backups, contracts, private company information, and more. Affected: Unknown
South Walton Fire District (US): The provider suffered a ransomware attack after an unauthorised individual gained access to its computer network. The attack may have impacted protected patient information, including names, addresses, Social Security numbers, dates of birth, treatment dates, and more. Affected: Unknown
Southampton County, Virginia (US): The county was hit by a ransomware attack on September 6th, 2022. LockBit 3.0 previously added the county to its data leak site. Possibly compromised information includes names, Social Security numbers, driver’s license numbers, and addresses. Affected: Unknown
Meta (US): A hacker is reportedly advertising a database of active WhatsApp user mobile numbers. Cybernews’ investigation of a sample dataset confirmed all numbers belong to WhatsApp users. A Meta spokesman dismissed the reports as ‘speculative’, stating that the company has found no evidence of a data leak. Affected: 487,000,000
Twitter (US): Additional threat actors reportedly exploited the Twitter API vulnerability that led to a data breach affecting 5.4 million users. A further data dump containing different Twitter user data was discovered, reportedly containing 17 million records. Affected: Unknown
Zwijndrecht Police (Belgium): The Ragnar Locker ransomware group leaked numerous files dating between 2006 and September 2022. This reportedly includes car number plates, fines, crime report files, personnel details, investigation reports, camera footage, and more. According to the police department, the hackers only accessed data on the administrative network and the attack primarily affects personnel. Affected: Unknown
Tridas Group LLC (US): An open, non-password-protected database exposed over 16,000 records detailing mental health diagnoses of children, as well as names, dates of birth, patient ID numbers, home addresses, and more. Public access has since been revoked. Affected: Unknown
Bahmni (India): An OpenMRS database exposed medical information of individuals based in India’s Chhattisgarh state. Hashed passwords of healthcare professionals and staff were also exposed. The breach was closed on September 21st, 2022. Affected: 197,497
Unknown (Australia): An unnamed healthcare entity is currently exposing protected health information of individuals who participated in respiratory clinical trials. The data, 80GB in total, includes medical files alongside demographic information and relevant medical history. Affected: Unknown
Coinsquare (Canada): An unauthorised third party accessed a customer database, which exposed customer names, email addresses, residential addresses, phone numbers, and more. Affected: Unknown
Sonder Holdings (Canada): Unauthorised access to guest records created prior to October 1st, 2021, was discovered. Potentially compromised information includes usernames, encrypted passwords, and credit card information. For some guests, copies of government-issued identification such as driver’s licenses or passports may have been accessed. Affected: Unknown
Cincinnati State Technical and Community College (US): Vice Society began leaking data it claims to have stolen from the college following a ransomware attack. The college previously disclosed that it is investigating a cybersecurity incident that occurred in early November 2022. Affected: Unknown
Harry Rosen (Canada): The menswear retailer discovered a cyberattack against its systems on October 9th, 2022. The BianLian ransomware group previously listed the company on its leak site, along with a 1GB file as proof which allegedly includes Harry Rosen’s Gold+ clients, sales information, and various other types of documents. Affected: Unknown
GameStop (US): GameStop customers reported seeing other users’ data when refreshing their account, including names, addresses, phone numbers, and partial credit card information. Some users also reported receiving calls informing them that their data had been leaked. The company has denied that any customer data was leaked, stating that the visible data was test data created by the company. Affected: Unknown
IKEA (Sweden): The Vice Society ransomware gang added IKEA Morocco and IKEA Kuwait to its leak site along with allegedly stolen data. Names of the stolen files indicate that the group may have also taken data from IKEA Jordan, as well as confidential business information and sensitive employee data such as passports. Affected: Unknown
Hope Health Systems (US): The healthcare entity reported a data breach after sensitive information stored on its network was leaked following a ransomware attack. An unauthorised third party first gained access to its computer network on June 10th, 2022. Compromised information includes names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and more. Affected: Unknown
Connexin Software Inc (US): On August 26th, 2022, an unauthorised individual gained access to the company’s internal computer network, accessing and removing an offline set of patient data. Possibly compromised patient information includes names, the names of guardians, addresses, email addresses, dates of birth, Social Security numbers, health insurance information, and more. Affected: 2,216,365
Keralty (Colombia): The organisation was targeted in a RansomHouse ransomware attack on November 27th, 2022, in which 3TB of data was allegedly exfiltrated. The attack disrupted the websites and operations of the company and its subsidiaries, Colsanitas, Sanitas USA, and EPS Sanitas. Affected: Unknown
One Brooklyn Health System (US): Certain systems at the Interfaith Medical Center, Brookdale Hospital Medical Center and Kingsbrook Jewish Medical Center went offline on November 19th, 2022, following a cybersecurity incident that caused a network disruption. The exact cause of the disruption remains unknown, though it may have involved ransomware. The incident has impacted electronic health records, patient portals, and other systems at the three hospitals. Affected: Unknown
Immigration and Customs Enforcement (US): ICE inadvertently posted the names, dates of birth, nationalities, and detention locations of immigrants seeking asylum on its website on November 28th, 2022. Affected: 6,252
LastPass (US): GoTo suffered a security breach in which hackers gained access to its development environment and third-party cloud storage. The affected storage was also shared by LastPass, which stated that unknown hackers breached its cloud storage using information stolen in a previous security incident in August 2022. The hackers managed to access customer data stored in the compromised storage. Affected: Unknown
Ministry of Foreign Affairs (Guatemala): The ministry disclosed that it is investigating a ransomware attack that occurred earlier this year. The ministry was previously added to the leak site of the Onyx ransomware group on September 27th, 2022, and again on November 21st, 2022. Affected: Unknown
Département des Alpes-Maritimes (France): The operators of Play ransomware leaked 13GB of data allegedly stolen from the administrative division during a cyberattack on November 10th, 2022. The Play ransomware group claimed it had stolen a total of 290GB of data. Screenshots of the data indicate that the attackers gained access to information pertaining to salaries, work-from-home arrangements, COVID-19, and more. Affected: Unknown
South Staffordshire PLC (UK): The company disclosed that the August 2022 cyberattack has led to a customer data breach. Clop ransomware operators previously took responsibility for the attack. Information potentially accessed and leaked on the dark web includes names, along with sort codes and account numbers for direct debit payments. Affected: Unknown
SSP (UK): The software company was targeted in a LockBit ransomware attack on November 15th, 2022, that affected its internal network and systems. LockBit allegedly demanded a $7 million ransom. The company has confirmed the incident. Affected: Unknown

Threat Actor mentions in Government

This chart shows the trending threat actors related to Government within a curated list of cyber sources over the past week.

Weekly Industry View

Industry: Information

Abnormal Security researchers detailed the activities of the business email compromise (BEC) group Lilac Wolverine, which has targeted users with gift card attacks. Lilac Wolverine has a massive attack volume and is highly centralised in Nigeria. Once the group has compromised a target’s email account, it sets up lookalike accounts to send out large email campaigns targeting everyone on the victim’s contact list. When contact is established, the attacker eventually asks for help to purchase gift cards for a friend or relative.

Banking & Finance:
Technisanct researchers discovered a new Android banking trojan being spread via a phishing page masquerading as a rewards app. The downloaded malicious app purports to be a Reliance Jio Tower mobile application. The malware is capable of stealing SMS messages, personally identifiable information, Aadhaar and PAN card numbers, bank card details, and one-time passwords sent to the infected device. The malware requests 10 permissions, four of which it abuses, including camera access, location, and access to contacts and call logs.
The pro-Russian hacker group Killnet recently claimed distributed denial-of-service (DDoS) attacks against numerous websites, including ones belonging to Starlink and the official United States White House site. Other hacker groups, such as Msidstress, Radis, Anonymous Russia, Mirai, and Halva, were reportedly also involved in the attacks. Killnet also claimed to have targeted the Prince of Wales website in response to the UK’s support for Ukraine. The group further claimed that UK healthcare and government sites would be the targets of future DDoS attacks, as well as the London Stock Exchange, the British Army, and the Bankers’ Automated Clearing System.
Confiant researchers detailed the CashRewindo malvertising campaigns, active since about 2018. The campaigns entail multiple redirects that ultimately lead victims to a fake cryptocurrency platform, where they are encouraged to make a deposit. The threat actor flips between placeholder ads and scam ads to remain undetected. The actor also makes use of domain aging to make its sites appear legitimate: the majority of CashRewindo domains were registered two or three years ago and only recently activated for each active campaign.
Evina researchers discovered a fake Android SMS application, named Symoo, that secretly acts as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram, and Facebook. The app has 100,000 downloads on the Google Play Store. Once installed, the app requests permission to send and read SMS messages, after which a fake loading screen is displayed while the attacker sends and steals multiple one-time passwords to create new accounts. The accounts can then be rented out to other threat actors for various cybercriminal purposes.

News and information concerning each mentioned industry over the last week.