Weekly Cyber Digest

05 January 2023

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker.

Trending Vulnerable Products

Open Source
Name (Heat)
NVIDIA GPU Display Driver
VPN Plus
ArcGIS
IBM Sterling B2B Integrator Standard Edition
Aruba ClearPass Policy Manager

Deep & Dark Web
Name (Heat)
Atlassian Bitbucket
Gentoo Linux
Bitcoin Core
iPad
iPhone 11

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company | Information | Affected
Port of Lisbon (Portugal) | The website was hit by a cyberattack on December 25th, 2022, and was shut down as a precaution. LockBit ransomware operators have since claimed responsibility for the attack, allegedly acquiring all financial reports, personal data of customers, port documentation, mail correspondence, and more. | Unknown
Copper Mountain Mining Corporation (Canada) | The firm confirmed it was the target of a ransomware attack on December 27th, 2022, that impacted operations but did not compromise safety measures. The infected systems were isolated, and the mill was shut down as a preventative measure, with other processes switched to manual operations. | Unknown
Azienda Ospedaliera di Alessandria (Italy) | On December 28th, 2022, the operators of Ragnar Locker ransomware claimed to have stolen data from the healthcare system, including clients’ personal information, medical cards, financial reports, and department reports. The group leaked 37GB of stolen data, which they claim amounts to only 5% of the stolen data. | Unknown
Multiple (Malaysia) | An alleged data leak reportedly concerns the personal data of users stolen from Maybank, the Election Commission, and Astro. The data was reportedly made available by a threat actor on the dark web. It is said to include full names and identity card numbers, as well as contact information. Astro and Maybank have both denied the leak. | 13,000,000
Howard Memorial Hospital (US) | The hospital revealed that files may have been stolen by an unknown actor between November 14th and December 4th, 2022. Possibly stolen information includes patient names, contact information, dates of birth, Social Security numbers, health insurance numbers, medical record numbers, and more. | Unknown
City of Tomball (US) | The Texas city was targeted in a ransomware attack on December 20th, 2022. The incident impacted the city’s online payment systems, though emergency services remained operational. City Manager David Esquivel did not reveal whether utility customers’ passwords or credit card information was compromised. | Unknown
Sargent & Lundy (US) | The Chicago-based engineering firm was targeted in a Black Basta ransomware attack in October 2022. The hackers reportedly stole data belonging to multiple electric utilities. | Unknown
Lake Charles Memorial Health System (US) | The health system was targeted in a Hive ransomware attack detected on October 21st, 2022. Impacted information may include patient names, addresses, dates of birth, medical record or patient identification numbers, payment information, and more. | Unknown
Toyota Kirloskar Motor (India) | One of its service providers experienced an incident that may have exposed the personal information of some Toyota Kirloskar Motor customers on the internet. The company has not disclosed the size of the breach or how many customers were affected. | Unknown
Wabtec (US) | A LockBit ransomware attack occurred on March 15th, 2022, with stolen data published on August 20th, 2022. Compromised information includes names, dates of birth, non-US national ID numbers and social insurance numbers or fiscal codes, passport numbers, IP addresses, NHS numbers, Social Security numbers, financial account information, and more. | Unknown
Volvo Cars (Sweden) | Threat actor IntelBroker claims to be selling data allegedly stolen from the manufacturer in an Endurance ransomware attack. The data allegedly includes database access, CI/CD access, Atlassian access, API, employee lists, keys and system files, and more. | Unknown
Centro Médico Virgen De La Caridad (Spain) | Hive ransomware added the Spanish health system to its leak site, allegedly encrypting their systems on December 21st, 2022. The listing indicates data was stolen; however, no data pack is currently available. | Unknown
Housing Authority of the City of Los Angeles (US) | On December 31st, 2022, the LockBit ransomware operators claimed to be in possession of 15TB of stolen data. The currently uploaded information includes a HACLA bank statement and a list of folders suggesting the group may be in possession of sensitive data such as payroll and audits. | Unknown
Monarch NC (US) | The healthcare provider disclosed a data breach following a ransomware attack against its systems on August 29th, 2022. A group calling themselves Don#t_Leaks added Monarch to their leak site on September 1st, 2022; however, the listing was quickly removed. | 56,155
Monte Cristalina S.A. (Brazil) | On December 19th, 2022, LockBit ransomware added the company to their leak site, claiming to have stolen 135GB of data. The threat actors uploaded some data as proof. | Unknown
Einatec (Spain) | Snatch Team actors added the firm to their leak site on December 28th, 2022. The group claims to be in possession of 105GB of data, and posted three file images as proof of claim. | Unknown
Cerveceria Regional (Venezuela) | PLAY ransomware added the brewery to their leak site on December 18th, 2022, before dumping data allegedly stolen from the firm on December 26th, 2022. | Unknown
Argentina de Soluciones Satelitales | On December 16th, 2022, PLAY ransomware actors claimed responsibility for a December 2nd, 2022, attack. They began to leak data on December 23rd, 2022. | Unknown
Retreat Behavioral Health (US) | A ransomware attack occurred on July 1st, 2022, in which attackers may have gained access to a dataset. Potentially compromised data includes names, addresses, Social Security numbers, and in some cases dates of birth and medical and treatment information. | Unknown
Queensland University of Technology (Australia) | On January 1st, 2023, Royal ransomware operators claimed responsibility for a cyberattack. The actors have since begun to leak data allegedly stolen from the university. This includes HR files, email and letter communications, ID cards and documents, and financial administrative documents, which they state represent 10% of the stolen data. | Unknown
Huron-Superior Catholic District School Board (Canada) | A Royal ransomware attack on December 15th, 2022, resulted in the theft of a ‘significant number of files’ from a file server. The data includes social insurance numbers and banking information for staff members employed between 2019 and 2022. | Unknown
Twitter (US) | On January 4th, 2023, a threat actor published a data leak allegedly containing email addresses for Twitter users on the Breached hacking forum for about $2. The data is reportedly the same as the set of 400 million that circulated in November 2022, but cleaned up to remove duplicates. The validity of many of the email addresses has been confirmed by BleepingComputer; however, they also confirmed duplicates in this latest leaked data. | 200,000,000
Cricketsocial[.]com | The platform exposed over 100,000 entries of private customer data and admin credentials in an open Amazon Web Services instance. The database contains email addresses, phone numbers, names, hashed user passwords, dates of birth, and physical addresses. Plaintext credentials for a website administrator account were also identified. | Unknown
RailYatri (India) | The train ticketing platform confirmed that it suffered a data breach on December 28th, 2022, in which unauthorised individuals may have viewed user information. This includes age, email, preference city, and phone numbers pertaining to over 30 million user records. | Unknown
Five Guys (US) | Unauthorised access to a single file server occurred on September 17th, 2022. The files contained personally identifiable information of individuals who applied to work for the fast-food chain. It remains unclear what type of data may have been accessed, aside from individuals’ names. | Unknown

Attack Type mentions in Banking & Finance

This chart shows the trending attack types related to Banking & Finance within a curated list of cyber sources over the past week.

Weekly Industry View

Industry | Information
Banking & Finance | Researchers at Security Joes identified a new version of Raspberry Robin that is currently targeting the financial sector in Europe, specifically focusing on Spanish- and Portuguese-speaking organisations. The improved version boasts additional anti-analysis capabilities, with changes made to the execution mechanism, code obfuscation, and added encryption layers. At least five layers of protection are used before the actual malicious code is executed. The malicious code is compiled as x86 shellcode that exists only in memory.
Technology | On December 30th, 2022, PyTorch learned of a malicious dependency package that was uploaded to the PyPI code repository with the same name as the framework’s ‘torchtriton’ library. The dependency was automatically installed for users installing PyTorch-nightly Linux packages via pip, leading to a successful compromise via a dependency confusion attack. The malicious dependency has had over 2,300 downloads. The malicious package surveys compromised systems for basic fingerprinting information and steals sensitive data. The actor behind the campaign claims that the operation was not malicious.
Education | Security researcher Will Thomas detailed an ongoing phishing campaign targeting Chinese-speaking students at UK universities with fraudulent calls since at least May 2021. The threat actor, dubbed RedZei, attempts to obtain personal information from users by posing as the Bank of China, China Mobile, government officials, and couriers such as Royal Mail, DHL, and UPS. RedZei alternates between SIM cards from different UK mobile carriers, using a new pay-as-you-go number for each wave of scam calls.
Healthcare | On December 31st, 2022, the LockBit ransomware gang released a free decryptor for the Hospital for Sick Children (SickKids) after revealing that one of its members violated their rules by attacking the Canadian healthcare organisation on December 18th, 2022. The ransomware attack impacted internal and corporate systems, hospital phone lines, and the website. Only a few systems were encrypted; however, SickKids stated that delays in receiving lab and imaging results were experienced, as well as longer patient wait times.
Cryptocurrency | Multiple financial regulators in the United States warned banking organisations of security risks associated with cryptocurrency assets and the sector’s participants. These include fraud, lack of maturity and robustness, vulnerabilities related to cyberattacks, outages, lost or trapped assets, and illicit finance.

News and information concerning each mentioned industry over the last week.
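As an added illustration (not from the digest or the PyTorch project) of the pip behaviour a dependency confusion attack abuses, the following Python models how pip pools candidates from its primary and extra indexes with equal priority and picks the highest version, and adds an audit that flags private package names a higher-versioned public upload would shadow. The index URLs, package lists and version numbers are constructed sample data, not the real torchtriton versions.

```python
"""Model of the pip index behaviour behind dependency confusion.

pip treats --index-url and every --extra-index-url with equal priority and
installs the highest version it finds across all of them, so a same-named
upload on the public index can shadow a package meant to come from a private
index. All index contents and version numbers below are constructed.
"""
from typing import Dict, List, Optional, Tuple

Index = Dict[str, List[str]]  # package name -> available versions

PRIVATE_URL = "https://private.example/simple"  # constructed private index
PUBLIC_URL = "https://pypi.example/simple"      # constructed stand-in for PyPI

# Constructed: the private index serves torchtriton 2.0.0, while the public
# index carries a same-named package with a higher version number.
INDEXES: Dict[str, Index] = {
    PRIVATE_URL: {"torchtriton": ["2.0.0"], "internal-utils": ["1.4.0"]},
    PUBLIC_URL: {"torchtriton": ["3.0.0"], "requests": ["2.28.1"]},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Minimal dotted-integer version parser, sufficient for the sample data."""
    return tuple(int(part) for part in v.split("."))


def resolve(name: str, index_url: str, extra_index_urls: List[str],
            indexes: Dict[str, Index]) -> Optional[Tuple[str, str]]:
    """Return (version, index_url) pip would install: the highest version
    across all configured indexes, with no preference for the primary one."""
    candidates = []
    for url in [index_url, *extra_index_urls]:
        for v in indexes.get(url, {}).get(name, []):
            candidates.append((parse_version(v), v, url))
    if not candidates:
        return None
    _, version, url = max(candidates)  # tuple order: parsed version first
    return version, url


def shadowable_packages(private_url: str, public_url: str,
                        indexes: Dict[str, Index]) -> List[str]:
    """Audit: names the private index serves that the public index also serves
    at a higher version, i.e. names pip would silently take from the public
    index. Mitigation: use a single trusted index or pin versions with hashes."""
    private, public = indexes[private_url], indexes.get(public_url, {})
    flagged = []
    for name, versions in private.items():
        if name in public and max(map(parse_version, public[name])) > \
                max(map(parse_version, versions)):
            flagged.append(name)
    return sorted(flagged)
```

Calling `resolve("torchtriton", PRIVATE_URL, [PUBLIC_URL], INDEXES)` returns the public copy, while `resolve("torchtriton", PRIVATE_URL, [], INDEXES)` (a single trusted index) returns the private one.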