07 January 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name, Heat 7)
IBM Cloud
Dovecot Server
FasterXML jackson-databind
SoftMaker TextMaker
WordPress

Deep & Dark Web (Name, Heat 7)
Instagram
Minecraft
Telegram App
WordPress
Adobe Acrobat Reader

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches

Company | Information | Affected
IndiGo (India) | On December 31st, 2020, IndiGo disclosed that it was targeted by hackers. The incident impacted ‘some segments of data servers.’ The company, which disclosed the incident in a filing to the BSE, warned that ‘some internal documents may get uploaded by the hackers on public websites and platforms.’ | Unknown
Weibo (China) | Researchers at Cyble reported that a Russian-speaking cybercrime forum advertised 41.8 million records allegedly belonging to Weibo users. The forum poster claims that the records contain mobile numbers and Weibo IDs. | Unknown
Gong’an County (China) | Researchers at Cyble reported that the data of Gong’an County residents is being advertised online. The data reportedly contains names, addresses, mobile numbers, and more. | 7,300,000
QQ (China) | Cyble researchers reported that a threat actor was attempting to sell 192 million records from QQ. The data allegedly includes QQ numbers and phone numbers. | Unknown
Kawasaki Heavy Industries (Japan) | On June 11th, 2020, the company discovered that its network was breached by an unknown party. During the investigation into the incident, the company identified that its servers in Japan were accessed from several overseas locations. Kawasaki acknowledged that data may have been leaked in the attack; however, it is unable to determine the exact nature of what may have been accessed. | Unknown
Whirlpool (US) | BleepingComputer was informed by a cybersecurity source that Whirlpool was targeted in a Nefilim ransomware attack during the first weekend of December 2020. The attackers reportedly published data stolen from the company, including ‘documents related to employee benefits, accommodation requests, medical information requests, background checks, and more.’ | Unknown
T-Mobile (US) | T-Mobile informed its users of a data breach which may have exposed their phone numbers, the number of lines subscribed to on user accounts and, in some cases, call-related information. Other personally identifiable information was not affected. | Unknown
Juspay (India) | Security researcher Rajshekhar Rajaharia identified credit and debit cardholder data sold on the dark web that may belong to payment platform Juspay. The exposed information contains email addresses, phone numbers, masked card numbers, and more. Vimal Kumar of Juspay stated that the company was impacted by an incident in August 2020 that involved the compromise of email addresses, phone numbers, and masked card numbers. | 100,000,000
TransLink (Canada) | Global News obtained an email sent by TransLink to Coast Mountain Bus Company (CMBC) which disclosed that Egregor ransomware operators accessed a restricted network drive during a recent attack. The attackers may have also copied files. The drive contains payroll data, such as banking information and some Social Security numbers, for employees of TransLink, CMBC, and Metro Vancouver Transit Police. The validity of the email has been confirmed by the company. | Unknown
Apex Laboratory (US) | On December 31st, 2020, Apex Laboratory disclosed that some of its data was exposed following an attack which it discovered on July 25th, 2020. The information, which Databreaches[.]net reported was published by DoppelPaymer attackers on December 14th, 2020, contains patient names, dates of birth, test results, and some Social Security numbers and phone numbers. | Unknown
NSO Group (Israel) | According to reporting by TechCrunch, the private intelligence company used real phone location data of unsuspecting users during a demonstration of its COVID-19 tracing system, dubbed Fleming. On May 7th, 2020, security researcher Bob Diachenko discovered an exposed NSO database containing ‘thousands of location data points’ used in the demo. The data was verified by Forensic Architecture researchers, who determined that the information is ‘most likely not dummy’ and ‘reflects the movement of actual individuals’. This would reportedly amount to a privacy violation of ‘unsuspecting individuals in Rwanda, Israel, Saudi Arabia, Bahrain and the United Arab Emirates’. | 30,000
Aurora Cannabis (Canada) | In an email to affected individuals, Aurora Cannabis disclosed a cybersecurity incident which took place on December 25th, 2020, and resulted in unauthorised access to company data. According to some of the affected individuals, data such as credit card information, government identification, home addresses and banking details of current and former employees may have been exposed. | Unknown
New Pensions (UK) | The personal data of the UK pension provider’s clients was exposed on a public software forum. One of the company’s service partners unintentionally posted the data on the forum between December 11th and 14th, 2020. The exposed information includes names, addresses, birth dates, email addresses and National Insurance numbers. The data was reportedly ‘copied by a small number of unknown parties.’ | 36,000
Inchcape Australia | The automotive services provider was reportedly targeted in a Ransomexx ransomware attack. The ransomware operators posted documents allegedly stolen from the company on a dark web site. The documents include administration, customer fulfilment and client information. | Unknown
Portnox (Israel) | The Iran-linked actor Pay2Key claims to have successfully targeted the Israeli cyber security company. The attackers published stolen documents concerning Portnox clients, including some of Israel’s most prominent companies such as Bezeq, Elbit, El Al, and the Clalit health provider. The actor claims to have obtained nearly 1TB of data, of which only 3GB were made public. | Unknown
ho. Mobile (Italy) | On January 4th, 2021, the Vodafone Group subsidiary disclosed a data breach that involved the theft of personal and SIM-related data. The stolen information includes customer names, phone numbers, dates of birth, SIM Integrated Circuit Card Identification Numbers, and more. BleepingComputer warned that the information could be combined to conduct SIM-swapping attacks. The data has been advertised on dark web forums since December 22nd, and may have been purchased by at least one threat actor. | 2,500,000
NameSouth (US) | NetWalker ransomware operators leaked a 3GB archive allegedly stolen from the auto parts shop. According to CyberNews, the archive appears to contain confidential company data and sensitive documents, such as financial and accounting data, credit card statements, personally identifiable employee information, customer names and addresses, and more. | Unknown
American Express (US) | Bank Security reported that a threat actor has shared the data of Mexico-based American Express credit cardholders on a hacker forum. The poster claims to have more data for sale pertaining to Mexican banking customers of American Express, Banamex, and Santander. BleepingComputer stated that the data appears to contain full American Express credit card numbers, and information such as addresses, names, phone numbers, dates of birth, and more. The publication stated that it had not seen data that could be used to carry out fraudulent transactions. | 10,000
New Delhi Government Agencies (India) | BleepingComputer researchers discovered multiple PDF documents containing COVID-19 test results belonging to government agencies. The documents were indexed by Google and accessible over the internet. The data exposed in the leak includes patient names, dates of birth, report identifier numbers, dates of testing, hospital sites, and COVID-19 results. | 1,500
Firebrand Technologies (US) | The NetGalley book review service website was defaced, and an unauthorised actor gained access to a backup file of its database. The exposed user data includes usernames, passwords, names, email addresses, mailing addresses, birthdays, company names, and Kindle email addresses. According to The Next Web, the stolen credentials may have been stored in plain text. | Unknown

Attack Types mentioned in Government

[Time series chart: trending Attack Types related to Government over the last week]

Weekly Industry View

Industry View

Industry | Information
Government | The Australian Cyber Security Centre (ACSC) warned that scammers are impersonating it in emails sent to Australians. The email prompts the target to download antivirus software, but users who interact with the malicious link contained within the message will download malware instead. The ACSC also warned that scammers using spoofed Australian phone numbers are posing as ACSC employees in an attempt to convince users to download TeamViewer or AnyDesk to resolve malware issues. The targets are then prompted to visit online banking sites, which can result in their data being compromised.
Technology | ThreatNix researchers discovered a phishing campaign using targeted Facebook ads directed against users in Nepal, Egypt, the Philippines, Tunisia, Pakistan, and around 50 other countries. The campaign uses ‘almost indistinguishable’ pages and ads spoofing legitimate companies, such as Nepal Telecom. Upon interacting with the ads, users are directed to a static GitHub site which features a Facebook login panel. The credentials entered into the panel are forwarded to a Firestore database and a domain owned by the threat actor. The researchers discovered 500 GitHub repositories hosting the campaign’s phishing pages, and accessed a database containing the phished credentials, which number over 615,000 entries.
Banking & Finance | Researchers at ESTsecurity reported that APT37 performed a supply chain attack targeting users of a stock investment messenger service. The attackers created a Windows executable using Nullsoft Scriptable Install System that featured legitimate files from the stock investment application as well as malicious code. The attackers bundled commands to retrieve malicious XSL scripts from a rogue FTP server with the legitimate installer of the stock investment platform. The operation culminated in the threat actors performing reconnaissance of infected systems and deploying a remote access trojan. The group’s objective is unclear at present, while the researchers speculate that the attackers are motivated by financial or espionage aims.
Healthcare | Derbyshire Police in the UK warned the public of a text messaging scam impersonating the National Health Service (NHS) that invites the user to register for a COVID-19 vaccine. Victims receive messages falsely notifying them of vaccine eligibility and are prompted to follow a link. The link leads to a fake site using official NHS iconography, where victims are asked to enter their bank details to ‘register’. The police also stated that a similar scam is being carried out over the phone.
Education | A distributed denial-of-service (DDoS) attack in the German state of Rhineland-Palatinate interrupted the first day of school in the new year. The attack disrupted access to the state’s Moodle distance learning platform and its embedded conferencing system BigBlueButton, which are used by around 900 schools in the state. According to the state’s Ministry of Education, the situation has since been stabilised.

News and information concerning each mentioned industry over the last week.
