
Threat Summary: 01 – 07 November 2019


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (ranked by 7-day heat):
  • Magento
  • Snapdragon Mobile
  • Google Chrome Browser
  • Typo3
  • Cryptocat

Deep & Dark Web (ranked by 7-day heat):
  • ProtonMail
  • Amazon Web Services
  • Metasploit
  • Android Beam
  • Google Chrome Browser

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Marriott International (US), affected: 1,552
Marriott International began to notify associates that their personal information may have been exposed after an unknown party gained access to confidential information held on the system of an outside vendor. The vendor handled official records, such as subpoenas and court orders, for Marriott.

Vedantu (India), affected: 687,000
Vedantu confirmed that data relating to 687,000 customers was exposed in a breach in September 2019. The exposed information includes IP and email addresses, names, phone numbers, genders and hashed passwords.

Virginia Department of Behavioral Health (US), affected: 1,442
Patient data was allegedly exposed when patients applied for aid via the department’s Individual and Family Support Program. Affected individuals have been notified.

BitMEX (Seychelles), affected: 30,000
BitMEX exposed the email addresses of thousands of its customers by placing them in the ‘To’ field rather than the ‘Bcc’ field of a mass email, allowing every recipient to see the addresses of all the others. According to the company, the leak was caused by a flaw in the software it uses to send emails, which has since been fixed. Security researcher Larry Cermak linked a data dump of 30,000 email addresses to the breach, estimating that about 50% of the addresses could be used to dox customers.

Utah Valley Eye Center (US), affected: 20,000
A security incident in June 2018, in which Utah Valley Eye Center’s business portal was hacked, may have exposed demographic information of over 20,000 patients. The incident involved an unauthorised third party sending fake PayPal notification emails to 5,764 patients. Only email addresses are believed to have been accessed, but patient names, addresses, dates of birth and phone numbers may also have been exposed.

VTS Media (Spain), affected: unknown
A back-end database that was left without password protection for weeks exposed the daily logs of several ‘camgirl’ sites; it has since been secured. The logs held detailed records of login activity, including usernames and, in some cases, user agents and IP addresses, and the entries for failed login attempts stored usernames and passwords in plain text. They also revealed email addresses and other identifying information, users’ private chat messages, and which videos each user was watching or renting. The ‘camgirls’ using the sites had their account information exposed as well.

Desjardins Group (Canada), affected: 4,200,000
Desjardins Group revealed that the breach which occurred in December 2018 affected all of its 4.2 million customers. The incident, discovered and disclosed in June 2019, was originally thought to have affected 2.9 million customers. Stolen information included names, contact details, dates of birth and banking details.

Washington University School of Medicine in St Louis (US), affected: unknown
Washington University School of Medicine (WUSM) informed patients of a breach involving the Department of Ophthalmology and Visual Sciences, in which an individual with a personal relationship with an employee had accessed the employee’s personal laptop and WUSM email account. Potentially exposed data included names, dates of birth, medical record numbers, certain treatment information and more.

Asus (Taiwan), affected: unknown
vpnMentor researchers discovered a data leak in the AsusWRT app which could give an attacker access to a user’s home network and allow them to hijack connected devices such as Amazon Alexa. The leaked data included users’ names, IP addresses, device names, usage information, longitude and latitude coordinates, location, and commands. Asus has since closed the leak.

California DMV (US), affected: 3,200
On August 2nd, 2019, the California Department of Motor Vehicles (DMV) discovered that seven US federal agencies had had improper access to the Social Security information of 3,200 individuals for four years. The access error has since been corrected and the DMV has sent notices to the affected individuals.

Three UK (UK), affected: unknown
Three UK customers have been able to view other customers’ data via the My3 Home area, a login-protected part of its website containing personal details and billing information. According to Three UK, fewer than 10 customers have reported being able to access other users’ account information, and no sensitive financial information was exposed. The matter is under investigation.

Universiti Malaysia Sabah (Malaysia), affected: 50,000
Hackers contacted the Malaysian newspaper The Star with sample files which appear to contain information on Universiti Malaysia Sabah (UMS) students. The sample contains names, student IDs, MyKad numbers and more. The hackers, known as BreachDB, also published a post on Twitter stating that they have stolen the information of 50,000 students, and are attempting to sell the data for approximately $50 in Bitcoin.

Trend Micro (Japan), affected: 68,000
Trend Micro revealed that a company insider stole and sold a database containing details of customers who had purchased consumer products. The scammers who used the data only targeted English speakers, and the stolen records were predominantly for customers in English-speaking countries. The stolen customer support database included names, email addresses, Trend Micro ticket numbers and, in some cases, phone numbers.

Facebook (US), affected: unknown
Facebook disclosed that approximately 100 developers were found to have access to Group data such as member names and profile photos. Such information was supposed to be inaccessible to developers following changes implemented in the wake of the Cambridge Analytica scandal.

Monash IVF Group (Australia), affected: unknown
Monash IVF Group is investigating a cyberattack on its servers. Its patient database does not appear to have been affected. According to the company’s chief executive, Michael Knaap, patients were informed of the incident; one patient told ABC that she was not informed but instead received a scam email from someone impersonating the company, urging her to open an attachment.

Texas Health Resources (US), affected: unknown
On August 23rd, 2019, Texas Health Resources discovered a misconfiguration of its billing system which may have caused billing information to be mailed to someone other than the intended patient or guarantor between July 19th and September 4th, 2019. Potentially exposed information includes patient names, account numbers, service dates, names of treating physicians and more.

IronMarch, affected: unknown
An unidentified hacker published a complete copy of the now-defunct IronMarch forum, including sensitive data such as email addresses, IP addresses, usernames and private messages. Law enforcement, among others, are analysing the dump to see whether forum members can be linked to accounts on other sites and their real-world identities exposed.

This table shows a selection of leaks and breaches reported this week.
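The BitMEX entry above is the classic mass-mailing defect: the recipient list ends up in a header every recipient can read. The following is an added example, not BitMEX's code or the mailer it uses; the sender and recipient addresses are constructed. It shows the leaky message beside the safe per-recipient pattern, and a second pitfall that is easy to miss: Python's EmailMessage keeps a Bcc header when serialised, so only smtplib's send_message() strips it, while sendmail() or any third-party API fed the raw bytes ships the list to everyone.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: hypothetical sender and recipients, not BitMEX customers.
SENDER = "noreply@example.com"
RECIPIENTS = ["alice@example.com", "bob@example.net", "carol@example.org"]


def build_leaky_message(recipients, subject, body):
    """The defect: every recipient is written into the visible To header,
    so each reader sees the full list."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_safe_messages(recipients, subject, body):
    """Safe pattern: one message per recipient, with the envelope recipient
    carried beside it for smtplib.SMTP.sendmail(). No other customer's
    address ever appears in the headers a recipient receives."""
    out = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        out.append((rcpt, msg))
    return out


def exposed_addresses(msg, own_address):
    """Addresses other than own_address that a reader of msg can see in its
    recipient headers (To, Cc, and a Bcc header that was not stripped)."""
    raw = []
    for hdr in ("To", "Cc", "Bcc"):
        raw.extend(str(v) for v in msg.get_all(hdr, []))
    return {addr for _, addr in getaddresses(raw) if addr and addr != own_address}


def serialized_bcc_leaks(recipients):
    """A Bcc header survives msg.as_bytes(). SMTP.send_message() removes Bcc
    before transmission, but code that hands as_bytes() to SMTP.sendmail() or
    to a third-party sending API ships the whole list to every recipient."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = "Weekly update"
    msg.set_content("Hello")
    return b"Bcc:" in msg.as_bytes()


if __name__ == "__main__":
    leaky = build_leaky_message(RECIPIENTS, "Weekly update", "Hello")
    print("leaky message exposes:", sorted(exposed_addresses(leaky, RECIPIENTS[0])))
    for rcpt, msg in build_safe_messages(RECIPIENTS, "Weekly update", "Hello"):
        print(rcpt, "sees:", sorted(exposed_addresses(msg, rcpt)))
    print("Bcc header present in serialized bytes:", serialized_bcc_leaks(RECIPIENTS))
```

The per-recipient loop costs one SMTP transaction per customer, which is the price of never having a multi-recipient header to get wrong; if a single message must be used, set To to the sender's own address, pass the customer list only as the envelope recipients, and never let a Bcc header reach the serialised message.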
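The VTS Media entry above turns on one detail that is worth seeing in code: the logs for failed login attempts stored the submitted password in plain text, so an exposed log store was as bad as an exposed credential store. The following is an added example, not VTS Media's code; the request and its field names are constructed. It shows the leaky log line beside a redacting one and a retrospective check for a known secret in existing log lines.

```python
import json

# Keys whose values must never reach a log, matched case-insensitively.
# The key list is an assumption; extend it for the forms your application accepts.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "authorization", "cookie"}


def redact(obj):
    """Recursively replace the values of sensitive keys so that a request body
    can be logged. Handles nested dicts and lists; other values are returned as-is."""
    if isinstance(obj, dict):
        return {
            k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def leaky_failed_login_line(request):
    """The defect: the whole submitted form, password included, is written
    into the log entry for a failed login."""
    return "login failed ip={ip} ua={ua} body={body}".format(
        ip=request["ip"], ua=request["ua"],
        body=json.dumps(request["body"], sort_keys=True),
    )


def safe_failed_login_line(request):
    """Log what an analyst needs to spot credential stuffing (who, from where,
    with which client) and nothing that can be replayed against the account."""
    return "login failed ip={ip} ua={ua} body={body}".format(
        ip=request["ip"], ua=request["ua"],
        body=json.dumps(redact(request["body"]), sort_keys=True),
    )


def lines_leaking(log_lines, secret):
    """Retrospective check over an existing log: indices of lines that contain
    a known secret, e.g. a test account's password."""
    return [i for i, line in enumerate(log_lines) if secret in line]


# Constructed failed-login request for illustration, not data from the VTS Media logs.
SAMPLE_REQUEST = {
    "ip": "203.0.113.7",
    "ua": "Mozilla/5.0",
    "body": {
        "username": "alice",
        "password": "hunter2",
        "remember": True,
        "extra": {"Authorization": "Bearer abc123"},
    },
}

if __name__ == "__main__":
    leaky = leaky_failed_login_line(SAMPLE_REQUEST)
    safe = safe_failed_login_line(SAMPLE_REQUEST)
    print("LEAKY:", leaky)
    print("SAFE: ", safe)
    print("lines containing the password:", lines_leaking([leaky, safe], "hunter2"))
```

Redacting at the point where the log line is built is the reliable place for this; a log-shipping filter applied later only protects logs that pass through the filter, not the local files that were exposed here.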

Malware Mentions in Critical Infrastructure

This chart shows the trending Malware related to Critical Infrastructure over the last week.

Weekly Industry View

Critical Infrastructure
Researchers at FireEye identified an APT41 campaign, beginning in 2019, that targeted four telecommunications network providers with a 64-bit ELF data miner named MESSAGETAP. The Chinese APT group has previously been involved in both state-sponsored espionage and financially motivated operations. The campaign was discovered following an intrusion into a telecommunications network in which a cluster of Linux servers served as Short Message Service Centre (SMSC) servers. APT41 installed MESSAGETAP on these SMSC servers. The malware monitors all network connections to the server, looks for International Mobile Subscriber Identity (IMSI) numbers and specific phone numbers, and also watches for SMS messages containing keywords of interest to Chinese intelligence.

Government
Researchers at Positive Technologies discovered a new advanced persistent threat (APT) group dubbed Calypso. They first detected Calypso activity in March 2019 and believe the group has been active since at least September 2016. The group is suspected to be of Asian origin and has targeted governmental institutions in Brazil, India, Kazakhstan, Russia, Thailand and Turkey; its primary goal is the theft of confidential data. In one attack, Calypso was seen using its own custom malware, Calypso RAT, alongside the PlugX and Byeby trojans.

Technology
Researchers at the University of Michigan and the University of Electro-Communications demonstrated an attack, dubbed ‘light commands’, that injects voice commands into smart devices through their microphones using a laser. The attack can be used against smart speakers, tablets or phones and was tested against devices using Apple Siri, Amazon Alexa, Facebook Portal and Google Assistant. The researchers found that the MEMS microphones in these devices respond to light: by modulating the intensity of the laser beam, an attacker makes the microphone produce the same electrical signal it would for sound, so the device executes the encoded command without any audible sound. The researchers successfully tested the attack from a distance of 110 metres and found that it works even when the device is behind a window.

Retail, Hospitality & Tourism
Whilst examining the recent skimming attack against Sixth June, the PerimeterX Research Team observed a new trend in attacks by Magecart groups: multiple groups targeting the same websites at the same time. According to the researchers, the attacks used different techniques and did not appear to be coordinated. The researchers also found that Magecart attacks have become more organised and that the threat actors are sharing tools in their attacks on sites running e-commerce platforms. In their blog post they provide a breakdown of the attack on Sixth June, as well as an analysis of another attack on PEXSuperstore[.]com which they discovered and which also involved simultaneous attacks by multiple Magecart groups. Their analysis also revealed that the perpetrators appear to name skimmers after the targeted websites; some of the skimmers the researchers came across suggest that ‘upscalestripper’ and ‘galeriedebeaute’ may be targeted in future attacks.

Cryptocurrency
Security researcher Kevin Beaumont discovered that attackers are attempting to exploit the BlueKeep vulnerability, CVE-2019-0708, to install a cryptocurrency miner on unpatched Windows systems. The first instance of the cryptomining attack dates back to October 23rd, 2019. When BlueKeep was first disclosed, Microsoft warned that the vulnerability was wormable, i.e. that an exploit could self-propagate to other unpatched machines. This attack does not appear to be wormable; instead the attackers appear to find targets by scanning for Windows systems with RDP exposed to the internet. The attackers also appear to have struggled to get their exploit code to work reliably: Beaumont reported that the attack crashed 10 of the 11 honeypots he was running.

News and information concerning each mentioned industry over the last week.

The Silobreaker Team
