Threat Summary: 01 – 07 May 2020

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name, Heat 7d)

  • Cisco FirePOWER Threat Defense
  • LineageOS
  • Cisco FirePOWER
  • Cisco ASA Adaptive Security Appliance
  • F5 BIG-IP

Deep & Dark Web (Name, Heat 7d)

  • LineageOS
  • Burp Suite
  • sqlmap
  • Microsoft Internet Explorer
  • Burp Suite Professional

The tables show the products that have been mentioned more often than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches (Company, Information, Affected)

  • Alabama Department of Labor (US): The Pandemic Unemployment Assistance app launched by the Alabama Department of Labor contained an error which displayed the information of other individuals to users. The exposed data included names, addresses, Social Security numbers, bank account numbers, and more. The issue has been fixed. Affected: 4

  • Banco BCR (Costa Rica): Maze ransomware operators claimed on their data leak site to have accessed the bank’s network in August 2019 and February 2020 and to have stolen over 11 million credit cards, 4 million of which are allegedly unique. Roughly 140,000 cards are apparently from individuals in the US. The attackers posted 240 partial credit card numbers, alongside expiration dates and CVC numbers, as proof of their attack. The attackers have threatened to sell the data on the dark web if the ransom demands are not met. Affected: ~4,000,000

  • Main Event Entertainment Inc (US): The company has informed its customers of a security incident that involved unauthorised access to customer payment card data. An investigation by Main Event Entertainment found malware present on point-of-sale (POS) devices at some of its centres that was designed to steal payment card track data. The malware was present on the POS devices between July 19th, 2019 and March 16th, 2020. Affected: Unknown

  • Le Figaro (France): Researchers at Security Detectives discovered a publicly exposed Elasticsearch server belonging to the French newspaper Le Figaro, containing over 8TB of data and 7.4 billion records. Data present on this server included API logs for its websites covering at least the last three months. These logs contained personally identifiable information of newly registered individuals and pre-existing users logging into their accounts, including emails, full names, addresses, passwords in cleartext and hashed with MD5, and more. Some employee data was also present, as were technical logs exposing the company’s backend servers. Affected: Unknown

  • Tokopedia (Indonesia): Researchers at Under the Breach reported that hackers were selling the account information for 15 million Tokopedia user accounts on an online forum. This was followed by the sale of a larger dump containing the details of 91 million Tokopedia users. The exposed credentials include email addresses, full names, dates of birth, hashed user passwords, and in some cases Mobile Station International Subscriber Directory Numbers. Roughly 200,000 usernames and cracked passwords are being circulated online for free in hacking forums. Affected: 91,000,000

  • Supersonic (South Africa): The internet service provider fixed a vulnerability in its usage portal that would return the data of eight customers if a user submitted a request for information without a mobile number. Leaked data included names, mobile numbers, account numbers and usernames. In addition, as Supersonic account numbers are sequential, a script could have been used to collect data. No evidence was found to suggest such an attack took place. Affected: Unknown

  • Unknown (Poland): On April 30th, 2020, the Polish data protection authority (UODO) stated that it was investigating a ransomware attack at SWPS University. The university failed to inform impacted employees and students of the incident. Affected: Unknown

  • PeroxyChem (US): The Philadelphia-based company reported that it was hit with a ransomware attack on April 24th, 2020. A security notification posted by the company on May 1st, 2020, states that the attack ‘partly affected our core corporate infrastructure and a small number of user endpoints’. On May 2nd, 2020, Maze ransomware operators claimed responsibility for the attack. Affected: Unknown

  • Dakota Carrier Network (US): Dakota Carrier Network (DCN) was hit with a ransomware attack on April 26th, 2020. In response to the attack, DCN shut down its systems and restored its data from tape backup. On April 30th, 2020, DCN became aware that Maze ransomware attackers had posted some of its stolen files online. The information, which DCN states is only administrative data, includes invoices, payroll information, password-reset information, and more. Affected: Unknown

  • Department of Home Affairs (Australia): The Guardian Australia discovered a publicly available database belonging to the home affairs department, which contained data from the SkillSelect platform hosted by Australia’s employment department. The platform is used by individuals wishing to migrate to Australia. The database contained 774,326 unique ADUserIDs and 189,426 completed expressions of interest dating as far back as 2014. Other leaked data includes applicants’ birth country, age, qualifications, marital status, and outcome of the applications. Affected: 774,326

  • MJ Payne Ltd (UK): On May 1st, 2020, the operators of Sodinokibi ransomware claimed to have targeted MJ Payne Ltd in an attack and posted a screenshot that is supposedly from the company’s directory. No client data or individual files were posted. Affected: Unknown

  • Jio (India): Researcher Anurag Sen informed TechCrunch that a security lapse exposed one of the databases used by Jio’s coronavirus symptom checker. The database was found on May 1st, 2020, shortly after it was exposed. The leaked information includes self-test data such as ages, genders, medical information, and the person’s user agents. In some cases, precise geolocation data was also exposed. The logs and records covered the period from April 17th, 2020, until the database was secured. Affected: Unknown

  • GoDaddy Inc (US): GoDaddy told customers that the incident, which occurred on October 19th, 2019, involved an unauthorised individual gaining ‘access to [their] login information used to connect to SSH on [their] hosting account’. The notification letter states that the company does not have evidence that files were added or modified on the affected user accounts. The company also stated that the incident only impacted hosting accounts and not main GoDaddy accounts. Affected: 28,000

  • Roblox (US): Motherboard reported that a hacker gained access to the back-end customer support panel of Roblox, firstly by allegedly bribing an employee, and then via a phishing attack against an employee. The perpetrator was able to view data, disable two-factor authentication, change passwords, ban users, and more. A spokesperson for Roblox stated that the incident impacted a ‘very small amount of customers.’ Affected: Unknown

  • Granity Entertainment (Ireland): Safety Detectives researchers discovered an unsecured database containing user and company information relating to the adult live-streaming site CAM4[.]com. The database belonged to Granity Entertainment, which has since secured it. The data consisted of 10.88 billion records amounting to over 7TB, with production logs dating back to March 16th, 2020. Exposed data included personally identifiable information, such as first and last names, countries of origin, payment logs, email addresses and more. Affected: Unknown

  • Tesla Inc (US): A hacker, operating under the alias ‘Green’, informed Electrek that he had acquired used Tesla computers that exposed the previous user’s information. The accessible details include items such as Google and Spotify usernames and unencrypted passwords. Green claimed that the computers, which Tesla stated were ‘stolen’, could be found in the dumpsters of Tesla’s service centre. Electrek speculated that people were ‘dumpster diving’ for the computers and selling them online, or that Tesla staff were selling them. Affected: Unknown

  • MAS Holdings (Sri Lanka): The clothing manufacturer was targeted in a Nefilim ransomware attack. Data supposedly from MAS Holdings had been posted to the ransomware operators’ site some weeks ago, before being taken down. The operators now claim to have stolen 300GB of company data and have re-uploaded the previously leaked information, alongside further data. Affected: Unknown

  • BJC HealthCare (US): An unauthorised individual gained access to three employee email accounts on March 6th, 2020, potentially exposing the personal information of patients. Potentially exposed data includes names, dates of birth, medical record or patient account numbers, as well as some treatment and/or clinical information. In some instances, health insurance information and Social Security numbers may also have been exposed. Affected: Unknown

  • Cactus SA (Luxembourg): REvil ransomware operators claim to have breached the systems of the supermarket chain Cactus. As evidence, the group has uploaded files allegedly belonging to Cactus, and has also threatened to release more data. Affected: Unknown

  • Argentine Federal Police (Argentina): Researchers at Cyble discovered data belonging to the Argentine Federal Police leaked online. The leak contains about 259GB of data, including highly confidential and sensitive information such as email documents, wiretap recordings, personal photos of police officials, crime case reports, and more. Affected: Unknown

  • Ann & Robert H. Lurie Children’s Hospital of Chicago (US): The hospital issued a data breach notice to its patients, stating that an employee may have accessed patient data without a work-related reason from November 1st, 2018 to February 29th, 2020. Potentially accessed data includes names, addresses, dates of birth, and medical information. Social Security numbers, insurance information, and financial account information were not accessed. Affected: Unknown

  • Advanced Computer Software Group Limited (US): Researchers at TurgenSec identified a publicly accessible database that was owned and run by the company, containing the data of 193 law firms. The researchers stated that all firms had staff data breached. The exposed information includes usernames, hashed passwords, IDs, and more. Some firms also had documentation exposed, including names, addresses, passport numbers, company details, and other sensitive data. Affected: Unknown

  • Kristin J. Tarbet, MD (US): The company of Washington-based plastic surgeon Kristin J. Tarbet, MD has been attacked with Maze ransomware, according to the malware’s operators. The criminals claim to have attacked the company on May 1st, 2020. The attackers dumped files that purportedly belong to the company on their website. Exposed information includes patients’ names, email addresses, dates of birth, medical information, and more. Affected: ~22,000

  • Unacademy (India): On May 3rd, 2020, researchers at Cyble Inc identified a Unacademy database containing 21,909,707 user records being sold online for $2,000. The exposed data includes usernames, SHA-256 hashed passwords, email addresses, the account status, and more. Cyble Inc stated that the database contains corporate emails from companies such as Google, Facebook, and InfoSys. Unacademy released a statement which claimed that only 11 million accounts were impacted and that no passwords were exposed. Affected: Unknown

  • Maxwell Aesthetics (US): Maze ransomware operators claim to have targeted the Nashville-based plastic surgery practice on May 1st, 2020. The attackers uploaded files containing protected health information of the company’s patients, including names, dates of birth, diagnostic information, and more. Affected: Unknown

This table shows a selection of leaks and breaches reported this week.

Malware mentions in relation to the coronavirus outbreak

This chart shows the trending malware related to the coronavirus outbreak over the last week.

Weekly Industry View (Industry, Information)

  • Banking & Finance: Bitdefender researchers observed a new phishing campaign targeting customers of the Standard Bank of South Africa. The emails impersonate the bank and supposedly offer financial strategies to aid customers that have been impacted economically by the coronavirus pandemic. The user is urged to click on the attachment to receive their government-issued financial relief and is redirected to a fake login page, which is used to steal the user’s banking credentials.

  • Government: The Government of India issued a warning to its military personnel about a malicious app made to appear as the legitimate Aarogya Setu COVID-19 contact-tracing app. Pakistani operatives have reportedly been sending the malicious app to WhatsApp groups belonging to Indian military personnel. Users are urged to only download Aarogya Setu from the government website or official app stores.

  • Education: On May 3rd, 2020, researchers at Cyble Inc identified a Unacademy database containing 21,909,707 user records being sold online for $2,000. The company is one of India’s biggest online learning platforms. The exposed data includes usernames, SHA-256 hashed passwords, email addresses, the account status, and more. The last account in the database is dated January 26th, 2020. Cyble Inc stated that the database contains corporate emails from companies such as Google, Facebook, and InfoSys. Unacademy released a statement which claimed that only 11 million accounts were impacted and that no passwords were exposed. BleepingComputer disputed this claim after viewing the data. BleepingComputer also spoke to the hackers, who claimed that they have stolen more of Unacademy’s data.

  • Healthcare: On May 5th, 2020, the UK’s National Cyber Security Centre (NCSC) and the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning of ongoing APT activity targeting coronavirus responses. Threat actors are reportedly targeting entities operating at both international and national levels. Targets include healthcare bodies, pharmaceutical companies, medical research organisations, academia, and local governments. CISA and NCSC are investigating APTs attempting to gain access to data via large-scale password spraying campaigns. The advisory warned that the attackers seek to acquire personal information, intellectual property, and ‘intelligence that aligns with national priorities’.

  • Cryptocurrency: Following the recent removal of 49 Chrome extensions from the Chrome Web Store, 11 more malicious extensions have been identified on the platform. Harry Denley of MyCrypto told The Register that at least eight of the 11 extensions have been removed. The extensions purport to be crypto-wallet software, such as KeyKeep, Jaxx, Ledger, and MetaMask. When installed, the extensions ask the user to enter their credentials, at which point they are exfiltrated to the attacker.

News and information concerning each mentioned industry over the last week.

The Silobreaker Team
