04 May 2023
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.
Trending Vulnerable Products
Deep & Dark Web
Name | Heat 7 |
---|---|
PaperCut MF | (heat indicator image) |
Veeam Backup | (heat indicator image) |
GoAnywhere MFT | (heat indicator image) |
ProFTPD Server | (heat indicator image) |
MegaSync | (heat indicator image) |
Open Source
Name | Heat 7 |
---|---|
Illumina Universal Copy Service | (heat indicator image) |
Gentoo Linux | (heat indicator image) |
F5 BIG-IP | (heat indicator image) |
Moodle | (heat indicator image) |
libwebp | (heat indicator image) |
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
Company | Information | Affected |
---|---|---|
Multiple (US & Canada) | Akira ransomware added 4LEAF, Park-Rite, and Family Day Care Services to its leak site. The actors threatened to leak allegedly stolen data. | Unknown |
Multiple | Several organisations leaked sensitive information through a misconfiguration in their public Salesforce Community websites. Affected entities include the state of Vermont, TCF Bank, and DC Health. Potentially exposed data may include names, Social Security numbers, bank account numbers, and more. | Unknown |
Spartanburg County (US) | The South Carolina county was hit by a ransomware attack. Essential services remain operational. | Unknown |
Vantage Travel (US) | The travel agency is investigating a data security incident. This comes after multiple customers experienced issues, including accessing the company’s website, cancellations, and problems with tickets. | Unknown |
NYSARC Columbia County Chapter (US) | A data incident occurred following irregular activity consistent with a typical ransomware attack on July 19th, 2022. Potentially compromised data includes names, addresses, Social Security numbers, financial accounts, credit card information, medical information, and more. | Unknown |
Hardenhuish School (UK) | The school suffered a ransomware attack that continues to cause disruptions to operations. | Unknown |
T-Mobile (US) | Unauthorised access to ‘limited information’ of T-Mobile accounts occurred between late February and March 2023. Possibly compromised information may include full names, contact information, account numbers and associated phone numbers, T-Mobile account PINs, Social Security numbers, government IDs, and more. | 836 |
Albany ENT & Allergy Services (US) | The company was added to both the BianLian ransomware and RansomHouse leak sites. RansomHouse posted a proof pack, claiming to have downloaded more than 2TB of files on March 27th, 2023. | Unknown |
Happy State Bank (US) | A business email compromise attack resulted in unauthorised activity to an email account between July 28th and July 29th, 2022. The incident may have impacted names and Social Security numbers. | >17,000 |
Queensway Carleton Hospital (Canada) | Unauthorised access to an ‘internal test environment’ belonging to the third-party software provider Aetonix Systems Inc occurred in March 2023. The incident affected names, dates of birth, home and email addresses, insurance policy numbers, phone numbers, OHIP numbers, and more. | 100,000 |
United HealthCare (US) | A breach occurred between February 19th and February 25th, 2023. It may have impacted names, dates of birth, health insurance member identification numbers, addresses, and more. | Unknown |
Multiple (South America) | On April 21st, 2023, the BlackCat ransomware group added the Chilean clothing store Saville Row, Venezuelan insurer Seguros la Occidental, and Guatemalan company Cementos Progreso to its data leak site. Among the sample data are internal company documents. | Unknown |
Valid Certificadora (Brazil) | The firm was added to the CrossLock data leak site on April 16th, 2023. CrossLock has threatened to sell legitimate, valid certificates that could be used to sign malware, with some parties reportedly already interested. | Unknown |
Santa Clara Family Health Plan (US) | Sensitive information of members may have been compromised in a cyberattack relating to the Clop ransomware spree that targeted Fortra’s GoAnywhere MFT. Possibly compromised information includes names, contact information, dates of birth, member IDs, and Medi-Cal credentials. | 276,993 |
TIC Hostings Solutions (Romania) | An anonymous source claims to have exploited an undisclosed vulnerability to access 4TB of customer and company data. The attack reportedly occurred on April 23rd, 2023, with the company’s status page confirming that some services are down. | 300 |
Amnesty International Australia | A data breach discovered on December 3rd, 2022, exposed ‘some low-risk information relating to individuals who made donations in 2019’. | Unknown |
HWL Ebsworth (Australia) | ALPHV ransomware claims to have stolen 4GB of data, including client information and employee data such as resumes, IDs, financial reports, accounting data, credit card information, and more. | Unknown |
Missouri (US) | A vulnerability in the state’s judicial records system website, Casenet, exposed the Social Security numbers and other private information of thousands of residents. Additionally, documents filed by an undisclosed state agency and local courts were found not to have had Social Security numbers redacted. | Unknown |
National Small-bore Rifle Association (UK) | A cyberattack compromised the data of some of its members. The attack targeted legacy servers rather than its entire database. | Unknown |
Multiple (US) | BridgeValley Community and Technical College experienced an Akira ransomware attack, whilst Emmanuel College in Boston was added to the Avos Locker leak site. Penncrest School District in Pennsylvania was also targeted in a ransomware attack on the weekend of April 29th, 2023. | Unknown |
Diocese of Las Vegas (US) | A breach discovered on March 12th, 2023, potentially compromised sensitive data of volunteers, parishioners, donors, and other stakeholders. | Unknown |
US Job Services (US) | The suspected fraudulent company reportedly exposed its internal IT operations and a database of customers. The company was leaking its customer payment records in real time, with records going back to 2016. | >900,000 |
Mackenzie Investments (US) | The company’s vendor, InvestorCOM, was impacted by the Clop ransomware hacking spree against Fortra GoAnywhere MFT. Some personal information of current and former investors at Mackenzie was impacted. | Unknown |
Petaluma Health Center (US) | The healthcare entity detected a network security incident on March 14th, 2023, in which an unauthorised third party potentially gained access to patient information. This includes payroll and human resources data such as full names, addresses, Social Security numbers, driver’s license numbers, and more. | Unknown |
Health Plan Services Inc (US) | The company suffered a data breach after initially discovering malware on its systems on June 23rd, 2022. This may have allowed unauthorised access to protected health information, including names, personal information, and Social Security numbers. | 9,457 |
Mars Area School District (US) | Unauthorised individuals gained access to its network between January 27th and September 26th, 2022. The breach impacted personal information, including Social Security numbers, driver’s license numbers, state identification numbers, health insurance information, medical information, and more. | 1,270 |
Graceworks Lutheran Services (US) | Unauthorised individuals gained access to its computer system. Exposed data may include names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, and more. | 6,737 |
Edison Learning (US) | Royal ransomware claims to have stolen 20GB of data, including personal information of employees and students. | Unknown |
Montana State University (US) | Royal ransomware claimed to have exfiltrated 105GB of data from the university, which allegedly includes personal and medical information of students. | Unknown |
Alto Calore Servizi SpA (Italy) | The company was added to the Medusa ransomware leak site on May 2nd, 2023, following a cyberattack on April 28th, 2023. Medusa gave Alto Calore seven days to pay a $10,000 ransom before allegedly stolen data is published. | Unknown |
Carrington Mortgage Services (US) | On April 26th, 2023, Alvaria disclosed a customer data breach on behalf of the mortgage company. The breach likely stems from a previously disclosed Hive ransomware attack against Alvaria in November 2022. The actors obtained sensitive information, including Social Security numbers of Alvaria employees. It remains unclear what type of Carrington customer data may have been impacted. | Unknown |
Multiple (Malaysia) | On May 1st, 2023, Kerala Cyber Xtractors claimed to have stolen names, email addresses, and passwords from educational institutions. The group also claimed attacks against the websites of the Energy Commission of Malaysia, Malaysian Central Bank, the iPay88 payment gateway, and the Civil Aviation Authority of Malaysia. | Unknown |
Multiple | LockBit ransomware operators claim to have stolen data belonging to nearly 60 companies after an alleged ransomware attack on the data solutions provider Cloud 51. The stolen files reportedly include financial documents and employee and customer information. The targeted companies supposedly retain Social Security numbers and copies of passports. | Unknown |
Brightline (US) | The paediatric mental health provider suffered a data breach following the Clop ransomware attack on Fortra’s GoAnywhere MFT. The breach impacted names, physical addresses, dates of birth, member identification numbers, dates of health plan coverage, and employer names. The breach additionally impacts multiple entities partnering with Brightline. Clop has claimed to have since deleted the stolen data. | 783,606 |
HealthPlan Services Inc (US) | An unauthorised party accessed or acquired certain files from portions of their network on June 23rd, 2022. Potentially compromised data on policyholders includes names, Social Security numbers, and medical or health information. | Unknown |
AvidXchange (US) | RansomHouse published sensitive data allegedly stolen in an attack on the company. This includes non-disclosure agreements, employee payroll information, and corporate bank account numbers. Login details were also leaked. The company confirmed that it detected some data was exfiltrated in early April 2023. | Unknown |
Eurasia Group (US) | The consulting firm discovered suspicious activity within its email system in December 2020, conducted by a sophisticated threat actor. Eurasia Group continued to experience additional intrusions, believed to have been conducted by the same group, including in June 2022. It remains unclear whether affected individuals were all employees, or if client data was involved. | Unknown |
Dallas, Texas (US) | On May 1st, 2023, the city suffered a Royal ransomware attack. In response, it shut down some of its IT systems and police communications. The police website was also temporarily offline. Some jury trials and jury duties have also been cancelled. | Unknown |
Murfreesboro Medical Clinic (US) | A cyberattack on April 22nd, 2023, forced the company to shut down all operations on May 1st, 2023, with limited services to return from May 4th. The clinic reportedly received ransom demands, though no data appears to have been encrypted. | Unknown |
Lawrence Family Development Charter School (US) | On May 3rd, 2023, the Snatch ransomware group added the school to its leak site. | Unknown |
Optima Tax Relief (US) | The tax resolution company disclosed a data breach initially discovered in November 2022. The exposed data includes information such as names, postal or email addresses, dates of birth, and Social Security numbers. | >5,000 |
Charter Foods Inc (US) | On April 27th, 2023, the company suffered a data breach after an unauthorised party gained access to customer data on January 13th, 2023. Compromised data includes names, addresses, dates of birth, and Social Security numbers. The incident coincides with the ransomware attack against Yum! Brands in January 2023, of which Charter Foods is a franchise. | 109,194 |
Häfele GmbH (Germany) | The company announced that it has recovered from a ransomware attack that occurred in February 2023. The incident forced the company to shut down its computer systems and disconnect from the internet. | Unknown |
Ransomware mentions in Education
(Chart image not reproduced here.)
This chart shows the trending ransomware related to Education within a curated list of cyber sources over the past week.
Weekly Industry View
Industry | Information |
---|---|
Retail | Malwarebytes researchers examined an ongoing Magecart credit card skimmer campaign involving the Kritec skimmer. A convincing payment form used original logos from the compromised store and leveraged modal forms to hijack the checkout page. This made the skimmer look more authentic than the original payment page. The custom modals were likely developed around one or two months ago. The heavily obfuscated skimmer was injected into the site and loaded malicious JavaScript to alter the checkout process. |
Critical Infrastructure | Prodaft researchers identified a new campaign, dubbed Operation Paperbug, from the espionage group Nomadic Octopus. The group, active since 2020, specifically targets high-ranking government officials, telecommunication services, and public service infrastructure in Tajikistan. They are suspected to be Russian-speaking actors, with possible connections to state-sponsored groups like Sofacy. |
Aviation | Anonymous Sudan claimed multiple cyberattacks against the websites of Israeli aviation companies, including Israel Aerospace Industries, Israel Weapon Industries, Rafael Advanced Defense Systems Ltd, and Evigilo Ltd. This comes shortly after the group targeted other Israeli sites in distributed denial-of-service attacks, including Mossad and Shin Bet. Meanwhile, the hacker group ‘Sharp Boys’ targeted the Atid International vocational training institute on April 26th, 2023, claiming to have stolen information and advertising it for sale. |
Cryptocurrency | Mandiant researchers analysed the abuse of LNK files by malicious actors to install malware, with additional Rilide infections identified. Rilide masquerades as a Chromium-based extension that steals emails and cryptocurrency. The malware was observed being spread via droppers like BRAINFOG, BRAINLINK, and BRAINSTORM. The latter is a Rust-based dropper found within an open directory linked to activity currently tracked as UNC4553. The open directory also contained the PUFFPASTRY backdoor. |
Healthcare | In March 2023, EclecticIQ researchers detected a spear phishing campaign targeting the healthcare industry in Poland. The email impersonated the Polish National Health Fund. A malicious Microsoft Excel XLL attachment downloads and executes the Vidar infostealer malware upon user execution. A decoy file containing data about hospitals in Poland is also downloaded. The malware can collect sensitive information from infected devices and potentially lead to ransomware, with the attack likely carried out by a ransomware-affiliated member or group. |
News and information concerning each mentioned industry over the last week.