Weekly Cyber Digest

01 September 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7
Apple iOS 12
Android System WebView
Atlassian Bitbucket
Deep & Dark Web
Name Heat 7
Microsoft Exchange Server Enterprise
Microsoft Security Blog
Sony PlayStation 4

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company | Information | Affected
ASL Città di Torino (Italy) | On August 19th, 2022, the health authority was targeted in a suspected ransomware attack that resulted in all computer systems being blocked as a precaution. The incident continues to impact the San Giovanni Bosco, Maria Vittoria, Martini and Oftalmico hospitals. | Unknown
PT Jasamarga Tollroad Operator (Indonesia) | Desorden claimed to have exfiltrated 252GB of data on users, customers, and employees, as well as corporate and financial data from five servers. The company stated that the stolen data is limited to internal data and company-related information, and does not include customer data. | Unknown
DoorDash (US) | A third-party vendor was targeted in a sophisticated phishing campaign that affected certain personal information maintained by DoorDash. The attacker gained access to names, email addresses, delivery addresses, and phone numbers, whilst a small subset of customers also had their basic order information and partial payment card information compromised. | Unknown
OneTwoTrip (Russia) | An open and unsecured Elasticsearch cluster containing over 21 billion records was discovered. This includes over 1,000 catalogues of data, some of which contain customer data, including booking and payment information, names, email addresses, phone numbers, passport numbers, and more. | Unknown
Baton Rouge General Medical Center (US) | Hive ransomware added the center to its leak site on August 23rd, 2022. Personal and protected health information was dumped, some of which is thought to belong to the Baton Rouge General Health System. | Unknown
National Consumer Service (Chile) | The service was targeted in a cyberattack on August 25th, 2022, that took down its website. The incident has since been confirmed as a ransomware attack. | Unknown
EmergeOrtho (US) | A ransomware attack occurred on May 18th, 2022. It remains unclear who was responsible for the incident, whether any files were encrypted, or whether a ransom was demanded. Potentially compromised data includes names, addresses, Social Security numbers, and dates of birth. | 75,200
Primary Care of Long Island (US) | The Bl00dy ransomware gang added the company to its leak site on August 7th, 2022. The breach occurred on or about May 23rd, 2022, and impacted names, phone numbers, addresses, Social Security numbers, and dates of birth. oncallpractice[.]com was also listed as part of the same incident, whilst some of the data leaked as proof appears to relate to Brighter Dental Center. | Unknown
START (Russia) | The streaming service revealed that personal information of customers was leaked during a cyberattack. The leak allegedly contains 72GB of data including usernames, email addresses, hashed passwords, IP addresses, country of registration, and more. | 7,455,926
BSA Hospice of the Southwest and Family Medicine Centers (US) | The Vice Society ransomware group recently listed the two entities on its leak site, along with 272,000 files. It is unclear if the two healthcare institutions were targeted in the same attack. | Unknown
Zimbra (US) | An exposed Amazon Web Services S3 bucket appears to contain private user data, such as emails, passwords, configurations, archives, system logs, and more. | Unknown
Altice (France) | On August 9th, 2022, Altice was reportedly hit by a Hive ransomware attack. Whilst it is unclear what data may be impacted, Hive listed some allegedly stolen files on its leak site that were available to download. | Unknown
Perusahaan Listrik Negara (Indonesia) | On August 18th, 2022, a user on Breach Forums listed the personal data of customers for sale. This includes names, addresses, customer ID numbers, kilowatt-hour usage, and electricity meter numbers. | ~17,000,000
Nelnet Servicing (US) | The data of individuals with student loans from the Oklahoma Student Loan Authority and EdFinancial was exposed after hackers breached the systems of technology services provider Nelnet Servicing. Potentially compromised data includes names, physical and email addresses, phone numbers, and Social Security numbers. | 2,501,324
Vodafone Idea (India) | Multiple critical vulnerabilities reportedly resulted in the exposure of personal data of customers. This includes call logs, SMS records, internet usage details, location details, full names, phone numbers, and more. Vodafone Idea has denied the breach. | 301,000,000
San Diego American Indian Health Center (US) | A cyberattack on May 5th, 2022, resulted in unauthorised access to personal information. Potentially compromised data includes dates of birth, Social Security numbers, driver's licence or state identification card numbers, tribal identification card numbers, medical information, and health insurance information. | 27,000
Department of Medical Sciences (Thailand) | Data allegedly stolen from the department was observed for sale on several dark web marketplaces and a Telegram channel. The data contains the personally identifiable information of patients with COVID-19 symptoms, including names, age, contact details, medical history, and more. | 15,000
Baker & Taylor (US) | The company confirmed it was hit by a ransomware attack on August 23rd, 2022, that caused an outage impacting the company's phone systems, offices, and service centres. | Unknown
Akasa Air (India) | The airline's website exposed personal data of customers due to a technical error in the login and sign-up service. Exposed data includes names, gender, email addresses, and phone numbers. | 34,533
Xinai Electronics (China) | An exposed database contained over 800 million records and full web addresses of image files hosted on several domains. This includes links to high-resolution photos of faces and other personal information, such as the person's name, age, sex and resident ID number, along with records of vehicle licence plates collected by Xinai cameras. | Unknown
Government of Montenegro | Cuba ransomware targeted the government's digital infrastructure and claimed to have stolen files from parliament, including financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code. The attack has been confirmed by the government, though the parliament denied any data theft, adding that any data taken by the actors is publicly available. | Unknown
Los Angeles Department of Public Health (US) | Some operators whose food businesses underwent health inspections over the past two years had their personal information posted on the agency's website by accident. This includes names, driver's licence numbers, and possibly dates of birth. The release affected operators of 806 facilities. | Unknown
Eni SpA (Italy) | On August 31st, 2022, the oil giant confirmed that unauthorised access to its network had been detected in recent days. The incident is believed to be a ransomware attack, although this has yet to be confirmed by the company. | Unknown
Goodwill Industries of New Mexico (US) | On August 28th, 2022, LockBit 3.0 ransomware added the non-profit to its leak site, claiming to have acquired nearly 250GB of data. The listing includes screenshots of file directories containing the organisation's data. | Unknown
Government of Brazil | Everest ransomware operators claim to have infiltrated the Brazilian government network and stolen 3TB of data. The group is now allegedly selling access to the system to third parties. | Unknown
International Centre for Migration Policy Development | The Karakurt extortion group claimed responsibility for a recent attack in which it allegedly stole 375GB of data. This reportedly includes correspondence on contracts, scans of contracts, project budgets, financial and insurance documents, invoices, passports, mailboxes of key members of the organisation, and more. | Unknown
TAP Air Portugal | Ragnar Locker ransomware claimed responsibility for a recent attack, stating that it has 'reasons' to believe that hundreds of gigabytes of data might have been compromised. A screenshot of what appears to be stolen customer information includes names, dates of birth, emails, and addresses. | Unknown

Malware mentions in Government

This chart shows the trending malware related to Government within a curated list of cyber sources over the past week.

Weekly Industry View

Industry | Information
Healthcare | HC3 is warning the United States healthcare sector of Karakurt data extortion attacks after the group targeted at least four organisations in the last three months. The group typically steals data, including sensitive patient information such as names, addresses, Social Security numbers, and more, and threatens to leak it if the requested ransom is not paid; it does not rely on encrypting systems. HC3 recommends that the healthcare and public health sector be aware of the group's operations and apply appropriate cybersecurity principles and practices to defend their infrastructure and data against compromise.
Education | Trend Micro researchers discovered a new Golang ransomware targeting education and healthcare enterprises in Indonesia, Saudi Arabia, South Africa, and Thailand. Agenda ransomware is customised for each victim, with identified samples containing leaked accounts, customer passwords, and unique company IDs used as extensions of encrypted files. In one identified incident, a public-facing Citrix server was used for initial access via a compromised valid account. The ransomware can reboot systems in safe mode, attempts to stop multiple services and processes, and has multiple modes to run. Persistence is achieved by injecting a DLL into the svchost executable.
Government | Authorities confirmed that government IT infrastructure in Montenegro was hit by an 'unprecedented' cyberattack on August 25th, 2022. The coordinated attack was originally believed to have been conducted by Russian hackers, with Cuba ransomware since claiming responsibility. On the same day, Moldova's Information Technology and Cyber Security Service confirmed that a series of cyberattacks had been targeting the country's state systems over the past 72 hours. The distributed denial-of-service attempts targeted a total of 80 information systems, platforms, and public portals with limited success. The Administration for Protection and Rescue of the Republic of Slovenia was also hit by a cyberattack in August 2022, which impacted the incident reporting system.
Critical Infrastructure | Proofpoint and PricewaterhouseCoopers researchers identified a cyber espionage campaign targeting federal government, energy, and manufacturing sectors in Australia, Malaysia, Europe and the South China Sea between April and June 2022. The campaign is assessed with moderate confidence to be conducted by the China-based threat actor TA423. Phishing emails are used to deliver the ScanBox framework, which contains numerous modules such as a keylogger, browser plugin enumeration, browser fingerprinting and more. This campaign is believed to be phase three of an intelligence gathering campaign that has been operating since March 2021.
Technology | Group-IB researchers discovered that the recent phishing attacks against Twilio and Cloudflare were part of a massive phishing campaign that resulted in 9,931 accounts at 136 organisations being compromised. Named 0ktapus, the campaign has been ongoing since at least March 2022 and aims to steal Okta identity credentials and two-factor authentication (2FA) codes to gain access to an organisation's network, steal information, and escalate access if possible. The majority of victims were located in the United States, with the top targeted industries being software, telecommunications, and business services.
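The Agenda behaviour described in the Education row above (forcing a Safe Mode reboot, then stopping services and processes before encrypting) is a pattern several ransomware families share, and it is cheap to detect from process-creation telemetry because the staging commands are rare in normal administration. The following Python is an added example for this digest; it is not code from the page, from Trend Micro or from Silobreaker, and it makes three assumptions: that events arrive as (host, parent image, command line) tuples such as an EDR or Sysmon pipeline could emit (the sample lines below are constructed, not real telemetry); that the Safe Mode boot is staged with `bcdedit /set ... safeboot`, the standard Windows command for doing so (the digest does not say how Agenda does it); and that three distinct stop commands from one host (the hypothetical `STOP_THRESHOLD`) is the line between routine administration and mass termination.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, parent image, command line).
# These are made-up sample lines, not telemetry from any real incident.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\explorer.exe", r"notepad.exe report.txt"),
    ("srv02", r"C:\Users\svc\AppData\Local\Temp\upd.exe", r"bcdedit /set {default} safeboot network"),
    ("srv02", r"C:\Users\svc\AppData\Local\Temp\upd.exe", r"bcdedit /set {default} safebootalternateshell yes"),
    ("srv02", r"C:\Users\svc\AppData\Local\Temp\upd.exe", r"net stop MSSQLSERVER /y"),
    ("srv02", r"C:\Users\svc\AppData\Local\Temp\upd.exe", r"sc stop VSS"),
    ("srv02", r"C:\Users\svc\AppData\Local\Temp\upd.exe", r"taskkill /F /IM sqlservr.exe"),
    ("srv02", r"C:\Users\svc\AppData\Local\Temp\upd.exe", r"shutdown /r /f /t 0"),
    # Administrator removing a safeboot value: cleanup, must not alert.
    ("admin01", r"C:\Windows\System32\cmd.exe", r"bcdedit /deletevalue {current} safeboot"),
    # A single service stop is routine administration.
    ("ws03", r"C:\Windows\System32\cmd.exe", r"net stop Spooler"),
]

# bcdedit /set ... safeboot (minimal|network) or safebootalternateshell makes the
# next reboot land in Safe Mode, where most EDR and backup agents do not start.
# Only /set is matched; /deletevalue is the legitimate way to undo it.
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bsafeboot", re.I)

# Service/process termination: net stop, sc stop, or taskkill with /F (force).
STOP_RE = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\b|\btaskkill(?:\.exe)?\b.*\s/f\b", re.I)

# Hypothetical tuning value: this many distinct stop commands from one host is
# treated as mass termination rather than routine administration.
STOP_THRESHOLD = 3


def classify(command_line):
    """Return 'safeboot', 'stop' or None for a single command line."""
    if SAFEBOOT_RE.search(command_line):
        return "safeboot"
    if STOP_RE.search(command_line):
        return "stop"
    return None


def detect(events, stop_threshold=STOP_THRESHOLD):
    """Correlate events per host and return sorted (host, finding, evidence) tuples."""
    safeboot = defaultdict(list)
    stops = defaultdict(set)
    for host, _parent, cmd in events:
        kind = classify(cmd)
        if kind == "safeboot":
            safeboot[host].append(cmd)
        elif kind == "stop":
            stops[host].add(cmd)

    findings = []
    # Any staged Safe Mode boot is worth an alert on its own.
    for host, cmds in safeboot.items():
        findings.append((host, "safe-mode reboot staged", list(cmds)))
    # Stop commands only become a finding once they cross the threshold.
    for host, cmds in stops.items():
        if len(cmds) >= stop_threshold:
            findings.append((host, "mass service/process termination", sorted(cmds)))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding, evidence in detect(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
        for line in evidence:
            print(f"    {line}")
```

Run against the constructed events, only srv02 produces findings: one for the staged Safe Mode reboot and one for the three distinct stop commands, while the administrator's `/deletevalue` cleanup and the single `net stop Spooler` stay quiet. In production the per-host grouping should be bounded by a time window (minutes, not the whole log), the parent image should feed an allow-list for patching and deployment tooling, and the safeboot rule should stay unconditional: there is very little legitimate reason for an unattended server to be told to boot into Safe Mode.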

News and information concerning each mentioned industry over the last week.
