Weekly Cyber Digest

04 August 2022

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7
VMware Workspace One Access
VMware vRealize Automation
VMware Identity Manager
F5 BIG-IQ
Samba

Deep & Dark Web
Name Heat 7
Magento
Solana (cryptocurrency)
WordPress
Digimon World
OpenSSL

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company | Information | Affected
St. Luke’s Health System (US) | An unauthorised actor may have obtained personal information of patients and customers of all hospitals in the hospital system. Potentially compromised data includes names, addresses, phone numbers, ID numbers, dates of birth, the last five digits of Social Security numbers, and more. | 31,573
Avamere Health Services (US) | The company experienced intermittent unauthorised access to a third-party hosted network between January 19th and March 17th, 2022. The attacker allegedly removed several files and folders containing protected health information. This includes names, addresses, dates of birth, driver’s licence or state identification numbers, Social Security numbers, and more. | 380,984
JusTalk (China) | An unsecured database belonging to the messaging app exposed millions of unencrypted private messages to the internet for several months. The database, which contained hundreds of gigabytes of data, also exposed the phone numbers of the sender and recipient, and all placed calls, as well as users’ granular locations. | Unknown
Newfoundland and Labrador English School District (Canada) | The school district confirmed that two dozen email accounts were hacked on July 25th and July 26th, 2022. It is possible that some user-stored personal information may have been compromised. | Unknown
Blue Shield of California (US) | The company learned that a subcontractor of a vendor, Matrix Medical Network, was the victim of a ransomware event. On April 28th, 2022, Matrix’s subcontractor, OneTouchPoint, confirmed a threat actor had infiltrated its servers. Potentially compromised information includes names, addresses, dates of birth, and more. | 1,506
Customer[.]io (US) | Celsius Network disclosed that it was impacted by the data breach at Customer[.]io in June 2022, in which a Customer[.]io employee leaked a list of customer emails to a malicious third party. Beyond Celsius and OpenSea, five other customers of Customer[.]io were also affected. | Unknown
Microleaves (UK) | The proxy service’s website exposed its entire user database through a vulnerability. Among the exposed data is information on its most active users, how much money each client has paid for their subscription, and the company’s payment records. | Unknown
911 S5 (China) | The proxy service is shutting down after a data breach destroyed key components of its business operations and resulted in a loss of data and backups. The service was allegedly hacked in early July 2022, during which the attacker manipulated the balances of a large number of user accounts. | Unknown
Multiple companies (Thailand) | Threat actor DESORDEN announced several new victims in Thailand from whom it has exfiltrated personal information. These include Frasers Property Thailand Public Co Ltd, Union Auction Public Co Ltd, and Srikrung Broker Co Ltd. Other, unverified victim listings include Pruksa Clinic, a Thai university, the Royal Thai Police, the Thai Ministry of Public Health, and the Thailand Institute of Nuclear Technology. | Unknown
MBDA (France) | Whilst the missile manufacturer refuted claims about a cyberattack on its infrastructure, it confirmed that a criminal group acquired data from an external hard drive used by the organisation’s Italian division. Hacking group Adrastea had previously claimed to have downloaded 60GB of data from the company and shared samples of the stolen data. | Unknown
Public Access to Court Electronic Records and Case Management (US) | Three hostile foreign actors breached the federal courts management system in an early 2020 cyberattack. The system provides access to documents across the US court system. | Unknown
Allegheny Health Network (US) | The company suffered a data breach in which the attacker may have accessed the personal information of patients, including names, birthdates, addresses, phone numbers, email addresses, driver’s license numbers, and medical information. In a small number of instances, Social Security numbers and financial information may also have been compromised. | 8,000
Creos and Enovos (Luxembourg) | Encevo Group confirmed that two of its entities suffered a cyberattack between July 22nd and 23rd, 2022, that impacted the entities’ customer portals and resulted in a data breach. BlackCat ransomware group claimed to have attacked Creos and stolen over 150GB of data. This allegedly includes 180,000 files containing data such as contracts, agreements, passports, bills, and emails. | Unknown
Svaros Broliai (Lithuania) | In early July 2022, hackers leaked information on customers, including names, car registration plates, emails, and phone numbers. | ~50,000
Vittoria Assicurazioni (Italy) | Two misconfigured and unsecured Amazon S3 buckets belonging to the company contained almost identical datasets, with each exposing over 970,000 files, totalling around 280GB of data per bucket. Potentially exposed employee data includes names, email addresses, and email contents and attachments. Sensitive data was also exposed for course attendees and unknown people, which in some cases may include Social Security numbers. | ~800,000
WordFly (US) | The ransomware attack against WordFly on July 10th, 2022, impacted additional Canadian arts and cultural organisations, including the National Ballet of Canada, the Canadian Opera Company, Canadian Stage, and the Musical Stage Company. Patrons’ personal data may have been exposed in the attack, including names, emails, and ID numbers. | Unknown
Nelsons Solicitors Ltd (UK) | The legal firm was hit by a cyberattack on May 30th, 2022, in which confidential data, including clients’ personal details, was accessed. Nelsons stated that the hackers only accessed 2% of clients’ data. | Unknown
Wiseasy (Singapore) | Employee passwords were discovered on a dark web marketplace, allowing hackers access to two dashboards controlling nearly 140,000 payment terminals worldwide. The dashboards also exposed names, phone numbers, and email addresses of users. | Unknown
Multiple applications | 3,207 apps are leaking valid Consumer Key and Consumer Secret Twitter API keys, 230 of which were leaking all four auth credentials, which can be used to gain access to or take over Twitter accounts in order to perform critical actions. | Unknown
Fast Track Urgent Care (US) | A data breach occurred after its billing vendor, PracticeMax, was targeted in a ransomware attack between April 17th and May 5th, 2021. Potentially exposed information includes names, dates of birth, Social Security numbers, passport numbers, financial information, and more. | 258,411
Semikron (Germany) | A ransomware attack partially encrypted its network. A ransom note deployed on its systems indicates the attack was conducted by LV Ransomware, who claim to have stolen 2TB of data. | Unknown
First Choice Community Healthcare (US) | A data security incident occurred on March 27th, 2022. Potentially compromised information includes names, Social Security numbers, diagnosis and clinical treatment information, dates of birth, and more. Hive ransomware added the company to their leak site in April 2022. | Unknown
Unknown | Two IP addresses with unprotected Elasticsearch clusters containing about 288 million records were found. The clusters contained indices titled ‘UAN’, which refers to Universal Account Number, allotted by India’s Employees’ Fund Organization. Other exposed data included marital status, gender, dates of birth, bank account numbers, and full names of pension fund account nominees. | Unknown
Multiple companies (Central & South America) | On August 3rd, 2022, environmentalist hacking collective Guacamaya published over 2TB of emails and files from a host of mining companies. The data originates from ENAMI, Agencia Nacional de Hidrocarburos, New Granada Energy Corporation, Quiborax, Oryx, Tejucana, and Guatemala’s Ministerio De Ambiente y Recursos Naturales. | Unknown
Aetna ACE (US) | The company confirmed it was impacted by the April 2022 ransomware attack against OneTouchPoint. The protected health information of plan members was affected, including names, addresses, dates of birth, member IDs, and limited medical information. | 326,278
Linn-Mar School District (US) | On August 1st, 2022, the Iowa school district informed staff and parents that it is experiencing technical difficulties with its computer networks. Screenshots of the district’s computers display a message from the Vice Society ransomware group that all files have been encrypted. The district has not yet confirmed the occurrence of a ransomware attack. | Unknown
Unknown | A hacker claims to have access to a managed service provider panel of over 50 companies, over 100 ESXi servers, and over 1,000 servers. A post on an underground forum asks for support in monetising this access. Based on the typical MSP customer base, personal details, business data, and healthcare information may be at risk. | Unknown

Threat actor mentions in Education

This chart shows the trending threat actors related to Education within a curated list of cyber sources over the past week.

Weekly Industry View

Industry | Information
Banking & Finance | Group-IB researchers identified several fake investment schemes targeting citizens in Europe. Around 11,197 domains were identified as part of the general fraudulent infrastructure targeting Europe, 5,091 of which remain active. The schemes aim to convince users to repeatedly transfer funds, using the promise of high returns on investments.
Technology | SentinelOne researchers observed LockBit operators abusing the Windows Defender command line tool ‘MpCmdRun’ to decrypt and load Cobalt Strike payloads. Initial access was gained by exploiting the Log4j vulnerability against an unpatched VMware Horizon server and installing a web shell using PowerShell code. The actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter and PowerShell Empire.
Cryptocurrency | Mandiant researchers discovered North Korean fraudsters plagiarising online resumes from LinkedIn and Indeed in an attempt to be hired remotely by cryptocurrency companies in the United States and Europe. Their end goal is reportedly to aid the government’s illicit money-raising effort.
Government | Multiple government websites in Taiwan were hit by several overseas cyberattacks, including distributed denial-of-service attacks against the website of the President of Taiwan. Other affected websites include those of Taiwan’s Ministry of Foreign Affairs, Taiwan Taoyuan International Airport, and Taiwan’s Defence Ministry. Some of the attacks are said to have been launched from China and Russia.
Education | ASEC researchers discovered a malicious CHM file being distributed to certain Korean universities on a massive scale. The file contains an HTM file, the code of which is executed when the malicious CHM file is run. The infection chain ultimately leads to the execution of ReVBShell, which attempts to connect to the C2, upon which it can obtain system information, download and run files, and more.

News and information concerning each mentioned industry over the last week.