
Threat Summary: 03 – 09 January 2020


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (product name; the Heat 7d values were not captured)
  • TikTok
  • Mozilla Firefox ESR
  • Cisco Prime Data Center Network Manager
  • Mozilla Firefox
  • GitLab Enterprise Edition

Deep & Dark Web (product name; the Heat 7d values were not captured)
  • Microsoft Outlook
  • Mozilla Firefox ESR
  • McAfee Antivirus Plus
  • Norton 360
  • GnuPG

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company | Information | Affected
Sinai Health System (US) | The Chicago healthcare provider disclosed a data breach that may affect the personal health information of its patients, including names, addresses, dates of birth, Social Security numbers, health information, and health insurance information. It is believed that attackers gained access to the organisation’s email via a phishing attack. | 12,578
SureBet247 (Nigeria) | An anonymous source contacted security researcher Troy Hunt to report six publicly accessible databases comprising about 32GB of data belonging to SureBet247. Exposed data includes names, email addresses, dates of birth, and betting histories. iAfrikan analysed the databases and found that a number of other sports betting operators may also be affected. | Unknown
Almex (Japan) | The company’s search engine ‘HappyHotel’ suffered a security breach on December 22nd, 2019. Compromised data could include names, email addresses, login credentials, birth dates, gender information, home addresses, payment card details, and more. Almex suspended the website and posted a notice of the breach. | Unknown
Alomere Health (US) | On January 3rd, 2020, Minnesota-based Alomere Health began to notify patients of a data breach related to the unauthorised access of two employee email accounts. Access to the accounts would have allowed the unauthorised party to view personal and medical information. Exposed data included dates of birth, medical information, health insurance information, diagnostics, and more. | 49,531
City of Bend (US) | A utility payments portal administered by CentralSquare could have had malicious code inserted into it. Customers who paid their utility bills online between August 30, 2019 and October 14, 2019, may have had card details including name, number, security code, expiration date and billing address compromised. | 5,000
Front Rush (US) | A security researcher discovered an exposed Amazon Web Services server that belonged to Front Rush. The exposed server contained over 700,000 files which held data such as personal addresses, dates of birth, performance reviews, financial aid agreements, and more. | Unknown

This table shows a selection of leaks and breaches reported this week.

Malware Mentions in Critical Infrastructure

This chart shows the trending Malware related to Critical Infrastructure over the last week.

Weekly Industry View
Industry | Information
Banking & Finance | ComputerWeekly reported that the attack which hit Travelex on December 31st, 2019, was caused by Sodinokibi ransomware. The incident forced Travelex to take all their computer systems offline. BleepingComputer spoke to Sodinokibi operators, who claimed responsibility for the attack. The hackers stated that they also copied more than 5GB of personal data including Social Security numbers, card information, and more. Security researchers are speculating that the attackers gained access via an unpatched vulnerability in Pulse Secure VPN servers. On September 13th, 2019, Bad Packets informed Travelex about vulnerabilities on seven of their servers but did not receive a response.
Government | On January 5th, 2020, the Austrian Foreign Ministry revealed that it had been hit by a ‘serious cyberattack’ which targeted their IT systems. The attack, which reportedly began on January 4th, 2020, was quickly detected and countermeasures were deployed. The Ministry stated that the severity of the attack meant that the potential involvement of a ‘state actor’ could not be dismissed.
Critical Infrastructure | On December 29th, 2019, Iranian state-sponsored hackers deployed a new strain of data-wiping malware on the network of Bahrain’s national oil company Bapco. The company’s network continued to function after the attack, as only some of Bapco’s computers were impacted. The new strain, dubbed Dustman, is data-wiping malware created to delete data on infected computers. The malware is reportedly a more advanced version of the ZeroCleare wiper, which itself has several similarities to the original Shamoon virus. The key differences between the ZeroCleare wiper and Dustman are that Dustman’s drivers and loaders are all delivered in one executable file, in contrast with ZeroCleare’s two files. In addition, Dustman overwrites the volume, while ZeroCleare wipes a volume by overwriting it with random data.
Retail, Hospitality & Tourism | A researcher using the handle @AffableKraut discovered two new Magecart-type web skimmers, one using steganography as an evasion technique and the other transferring data via the WebSocket protocol. The skimmer using steganography is the first to have used this technique, and in this instance the image used was a ‘free shipping’ ribbon found on a shopping site. Malwarebytes’ Jérôme Segura stated that most web crawlers and scanners will focus on HTML and JavaScript files, rather than media files, making image files useful for hiding code. According to the researcher, the other skimmer seemed to still be in development; however, it did have the ability to use the WebSocket communication protocol to load payloads and exfiltrate data over a TCP connection. The intention here is to ‘conceal a connection to a server controlled by criminals over a websocket.’
Cryptocurrency | Bitdefender researchers identified a re-implementation of the Mirai botnet which is written in Golang and used for mining Monero cryptocurrency. The new botnet, named LiquorBot, was first spotted in May 2019. Since its initial discovery the botnet has been consistently updated by its authors. LiquorBot primarily spreads through SSH brute forcing and by exploiting a range of unpatched flaws, including remote command execution and command injection vulnerabilities. The researchers found that the botnet uses the same C2 server and shares a number of features with Mirai variants. LiquorBot has at times also been deployed alongside Mirai.

News and information concerning each mentioned industry over the last week.
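The steganography skimmer in the Retail, Hospitality & Tourism row above worked because scanners concentrate on HTML and JavaScript and leave media files alone. The script below is an added example, not code from the Silobreaker digest or from the researchers it cites: it treats image assets as something worth inspecting, checking whether a PNG or JPEG carries bytes after its end-of-image marker and whether those bytes look like browser script. It assumes the hidden code is appended after the image terminator, which is one common way of doing this and not a claim about how the skimmer described above was built; the image samples and the inert "script-like" text are constructed in-code.

```python
import re
import struct
import zlib
from typing import Dict, Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# The IEND chunk has an empty body, so its name plus CRC is a fixed byte string.
PNG_IEND = b"IEND" + struct.pack(">I", zlib.crc32(b"IEND") & 0xFFFFFFFF)
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Tokens that rarely belong after an image terminator but are common in
# browser-side code. Heuristic only (an assumption of this example); tune it
# against the site's own assets to keep false positives down.
SCRIPT_HINTS = re.compile(
    rb"<script|document\.|window\.|XMLHttpRequest|WebSocket|fetch\(|eval\(|atob\(",
    re.IGNORECASE,
)


def trailing_bytes(data: bytes) -> Optional[bytes]:
    """Return whatever follows the format's end marker, or None when the
    format is not recognised or the marker is missing."""
    if data.startswith(PNG_MAGIC):
        end = data.find(PNG_IEND)
        return None if end < 0 else data[end + len(PNG_IEND):]
    if data.startswith(JPEG_SOI):
        # EXIF thumbnails carry their own EOI, so use the last one in the file.
        end = data.rfind(JPEG_EOI)
        return None if end < 0 else data[end + len(JPEG_EOI):]
    return None


def analyse_image(data: bytes) -> Dict[str, object]:
    """Report how many bytes trail the image and whether they look like script."""
    tail = trailing_bytes(data)
    if tail is None:
        return {"recognised": False, "trailing_bytes": 0, "script_like": False}
    return {
        "recognised": True,
        "trailing_bytes": len(tail),
        "script_like": bool(SCRIPT_HINTS.search(tail)),
    }


def build_png() -> bytes:
    """Build a minimal valid 1x1 RGB PNG in memory (constructed sample)."""
    def chunk(kind: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(kind + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")            # filter byte + one white pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_jpeg_stub() -> bytes:
    """SOI, a JFIF APP0 segment and EOI: enough structure for the end-marker
    check, not a decodable picture (constructed sample)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + app0 + JPEG_EOI


# Constructed samples: two clean files, one with inert script-like text
# appended, and one with harmless padding that must not be flagged as code.
SAMPLES = {
    "ribbon_clean.png": build_png(),
    "ribbon_tampered.png": build_png() + b"/* constructed marker */ document.forms[0].elements;",
    "banner_clean.jpg": build_jpeg_stub(),
    "banner_padded.jpg": build_jpeg_stub() + b"\x00\x00",
}


def scan_samples() -> Dict[str, Dict[str, object]]:
    """Run the check over every constructed sample, keyed by file name."""
    return {name: analyse_image(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        verdict = "SUSPICIOUS" if result["script_like"] else "ok"
        print(f"{name:22} trailing={result['trailing_bytes']:3d} {verdict}")
```

Trailing bytes alone are not proof of tampering (some editors leave padding or metadata after the terminator), which is why the result separates the byte count from the script-like verdict; a practical deployment would hash known-good assets and alert when a file both gains a tail and matches the script heuristic.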
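The Cryptocurrency row above notes that LiquorBot spreads primarily by SSH brute forcing. The following Python script is an added example, not code from the Silobreaker digest or from Bitdefender's research: it parses sshd lines in the common syslog layout, groups failed logins by source address, raises an alert when a source exceeds a failure threshold inside a sliding time window, and escalates when the same source then succeeds. The log excerpt is constructed, the thresholds are assumptions to be tuned per environment, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed auth.log excerpt (not real data). One source hammers default
# account names and finally gets in; two others are ordinary noise.
SAMPLE_LOG = """\
Jan  6 02:14:01 edge-gw sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan  6 02:14:03 edge-gw sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Jan  6 02:14:05 edge-gw sshd[2215]: Failed password for invalid user pi from 203.0.113.45 port 51026 ssh2
Jan  6 02:14:06 edge-gw sshd[2217]: Failed password for root from 203.0.113.45 port 51028 ssh2
Jan  6 02:14:08 edge-gw sshd[2219]: Failed password for invalid user ubnt from 203.0.113.45 port 51030 ssh2
Jan  6 02:14:09 edge-gw sshd[2221]: Failed password for root from 203.0.113.45 port 51032 ssh2
Jan  6 02:14:11 edge-gw sshd[2223]: Accepted password for root from 203.0.113.45 port 51034 ssh2
Jan  6 02:20:00 edge-gw sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan  6 02:20:30 edge-gw sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Jan  6 03:00:00 edge-gw sshd[2400]: Failed password for invalid user test from 192.0.2.9 port 33333 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log: str, year: int = 2020) -> List[Dict[str, object]]:
    """Turn sshd syslog lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year, so it is supplied by the caller (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events: List[Dict[str, object]], threshold: int = 5,
                      window_seconds: int = 60) -> List[Dict[str, object]]:
    """Alert on sources with >= threshold failures inside any window_seconds span.
    Severity is 'critical' when an accepted login from that source follows the burst."""
    by_src: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        burst_end = None
        start = 0
        # Sliding window over the failure timestamps.
        for end in range(len(failures)):
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]["ts"]
        if burst_end is None:
            continue
        success_after = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= burst_end]
        alerts.append({
            "src": src,
            "failures": len(failures),
            "usernames": sorted({e["user"] for e in failures}),
            "severity": "critical" if success_after else "high",
            "compromised_user": success_after[0]["user"] if success_after else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['src']}: {alert['failures']} failures "
              f"against {alert['usernames']}, login after burst: {alert['compromised_user']}")
```

The window-based count is what separates a scripted spray from a user mistyping a password a few times, and the "accepted login after the burst" condition is the signal a responder cares about most, since it turns a noisy alert into a likely host compromise that warrants isolating the machine and rotating credentials.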

The Silobreaker Team
