03 – 09 July 2020

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7d
Apache Guacamole
Citrix Application Delivery Controller
Deep & Dark Web
Name Heat 7d
WPA2 Wi-Fi Protected Access II

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company Information Affected
V Shred (US) Researchers at vpnMentor discovered a publicly accessible database belonging to V Shred. The database was 606GB in size and contained custom meal plans, user photos and CSV files exposing personally identifiable information. The CSV files, which have since been removed, contained full names, home addresses, email addresses, phone numbers, dates of birth, Social Security numbers, and more. <99,000
Central California Alliance for Health (US) The organisation discovered that an unauthorised third party accessed three employee email accounts on May 7th, 2020. An investigation revealed that some member health information may have been accessed. Financial data and Social Security numbers were not exposed. Unknown
City of Knoxville (US) The operators of DoppelPaymer ransomware leaked stolen data from Knoxville following a ransomware attack against the city on June 11th, 2020. This includes employee names, phone numbers, addresses, salaries and work performance scores. City officials are currently investigating the full scope of the leak. Unknown
Unknown Researchers at KELA reported that the KelvinSecurity Team are attempting to profit from a database containing the details of 384,319 UK-based BMW owners. The data includes names, email addresses, vehicle numbers and more. KELA stated that the database, which the group claims came from a call centre, contains almost 500,000 customer records related to UK car owners. The data covers the years from 2016 to 2018. Other impacted brands include Mercedes, SEAT, Honda, Hyundai, and others. 384,319
CNY Works (US) The agency began to notify its clients that a suspected ransomware attack may have exposed their personal details. The agency stated that no evidence was found to suggest that data was ‘viewed, accessed, or removed’. Information exposed in the attack, which was discovered on December 21st, 2019, may have included names and Social Security numbers. ~56,000
Trinity Metro (US) A post on the Netwalker ransomware operator’s data breach site lists over 200 Trinity Metro folders that were allegedly exfiltrated from the Texas-government operated transit agency. On July 1st, 2020, Trinity Metro stated that their phone lines were impacted by an IT incident. Unknown
Legacy Community Health (US) The Texas-based health clinic is informing 19,000 patients of a potential data breach discovered in April 2020. The breach is the result of a phishing attack against one of its employee email accounts. Potentially exposed data includes patient names, dates of service and health information. 19,000
Healthcare Fiscal Management Inc (US) The conversion and insurance eligibility service provider was hit by ransomware on April 13th, 2020. The attacker may have accessed protected health information of St Mary’s Health Care System patients, including names, dates of birth, Social Security numbers, and more. 58,000
Multiple Websites and Apps Researchers at WizCase identified dating sites in the US, Japan, and South Korea that exposed the data of their users via unprotected, exposed servers. The breach impacted Charin, Kyuun, Blurry, YESTIKI.com, SPYKX.com, and CatholicSingles.com. Exposed information includes real names, email addresses, billing addresses, private messages, cleartext passwords, and more of millions of users. A further six unsecured servers were found containing information from different apps and sites but the owner of these servers is unclear. Unknown
Cooke County, Texas (US) The operators of REvil ransomware posted screenshots of files reportedly belonging to the county and have threatened to release the stolen data in seven days. Unknown
Government of Australia The login credentials for over 3,600 MyGov accounts are being sold on the dark web. The accounts are on a list of over 150,000 .com.au logins that are being sold on dark web marketplaces. >3,600
Delhi University (India) The Delhi University (DU) website reportedly exposes student information via the DU admit card 2020 download portal where students acquire their DU admit cards for upcoming exams. Two users on Twitter reported that the gateway password was identical for each DU college. A user who knows a student’s name and roll number can therefore log into the portal as the student. Unknown
NHS Orkney (UK) A confidential health board file was sent via email to a local journalist, exposing the personal information of ten NHS Orkney journalists. The information exposed in the incident includes names, job titles, travel information, tax filing information, and more. 10
EDP Renewables North America (US) EDP Renewables North America (EDPR NA) was informed that an unauthorised individual gained access to its systems on May 8th, 2020 following a Ragnar Locker ransomware attack against its parent company Energias de Portugal on April 13th, 2020. The company stores data such as names and Social Security numbers, but EDPR NA stated that they did not have evidence that attackers accessed this data. EDPR NA asserted that they were notifying customers ‘out of an abundance of caution.’ Unknown
Hapvida Sistema de Saúde (Brazil) The company was targeted in a cyberattack that may have exposed the personal data of its customers. Medical records and financial information were not impacted. An investigation into the extent of the breach is ongoing. Unknown
Xiaoxintong (China) CyberNews identified an accessible database belonging to the elder-care service provider. It contained 340,000 records including mobile numbers, hashed passwords, personal IDs, and more. It has since been secured. Unknown
Shanghai Yanhua Smartech (China) A leaking database was discovered by CyberNews researchers, who state they are ‘fairly confident’ it belongs to Shanghai Yanhua Smartech. It contains over 4.2 million records, exposing names, ID numbers, audio files, vehicle and facility information, and more. The database has since been closed. Unknown
Swvl (Egypt) The bus-hailing service stated that they had become aware of unauthorised access to its systems on July 3rd, 2020. The breach impacts customer names, email addresses and phone numbers. Passwords and credit card information were not exposed. Unknown
Southwest Funding (US) On May 20th, 2020, Jeremiah Fowler of Security Discovery identified a publicly accessible database exposing 695,636 records. This included names, email addresses, loan amounts, internal content management records, configuration information, and more. A ransomware note named ‘howtogetmydataback’ was also found inside the database. It is unclear how long the database was accessible, who may have accessed it, and if data was exfiltrated. Unknown
Zipari (US) Providence Health Plan was notified of a coding error by business associate Zipari on April 17th, 2020, which exposed the enrollment documents for employer-sponsored plans online without encryption. Zipari found that certain documents had been accessed by unauthorised IP addresses in May, September and November 2019. Exposed data included employer names, member names, and member dates of birth. 49,511
Clubillion Researchers at vpnMentor discovered an Elasticsearch database belonging to the app that exposed user activity and private information of thousands of users. The database was secured around April 5th, 2020. Exposed data included technical logs amounting to about 200 million records per day. These records also included personally identifiable information such as IP addresses, email addresses, winnings, and private messages. Unknown
Freddie Mac (US) A ransomware attack against a contractor of the firm may have compromised loan applicant data. Freddie Mac stated that it cannot determine what kind of data may be affected. Data stored on the systems included full names, addresses, Social Security numbers, dates of birth, and credit and bank account information. The company added that this type of data was encrypted as per contract agreement terms with the contractor. Freddie Mac added that it also holds information on individuals who had no direct contact with them, which was acquired through mortgage loans bought from other lending firms. Unknown
Chilton County, Alabama (US) The county was targeted in a ransomware attack on July 7th, 2020, causing temporary disruptions to the county’s records systems, including the tag office and probate court records. An investigation is ongoing to determine whether any specific data was targeted. Unknown
Independence Blue Cross, AmeriHealth HMO Inc, AmeriHealth Insurance Company of New Jersey (US) The member portals of these companies were accessed by unauthorised individuals between March 17th and April 30th, 2020. An investigation revealed that valid credentials, obtained via breaches at third-party websites and applications, were used. Potentially exposed data included names, member identification numbers, plan types, spending account balances, user reward summaries and claims information. Unknown
Impact Guru (India) Researchers at Cyble identified an actor on the dark web claiming to possess data belonging to the crowdfunding platform. The exposed information is composed of over 507,000 user records. The data includes email IDs and passwords stored in plain and encrypted formats, banking details for over 8,000 users, chat history, IP address locations, Aadhar card numbers, and more. >8,000
National Highways Authority of India The operators of Maze ransomware leaked about 2GB of data. This includes NHAI’s staff list, a passport copy of a former chairman, details of dependent family members of NHAI employees, NHAI internal audit reports, and more. Unknown

This table shows a selection of leaks and breaches reported this week.

Malware Mentions in Banking

This chart shows the trending Malware related to Banking over the last week.

Weekly Industry View
Industry Information
Banking & Finance Avast researchers detected a Cerberus banking trojan on Google Play Store, under the guise of a currency converter app called ‘Calculadora de Moneda’. The app targets users in Spain and has been downloaded over 10,000 times. It appears to have managed to bypass Google Play’s security mechanisms by initially hiding its malicious intentions, likely to gain a large number of users before engaging in malicious activity. The app then served as a dropper that secretly downloaded another app that eventually downloaded the malware. The malware’s C2 was only active for a short period before disappearing and the app has since reverted back to being benign. The discovery was reported to Google Play Store.
Critical Infrastructure The Brazilian energy company Light SA confirmed a cyberattack against its systems but provided no further details. Researchers at AppGate analysed the binary likely used in the attack, which pointed to it being Sodinokibi ransomware. The attackers initially requested $7 million in Monero but have since raised the ransom to $14 million after their deadline passed.
Government The operators of Maze ransomware leaked about 2GB of data belonging to the National Highways Authority of India (NHAI). They claim that this represents 5% of the total data that they stole from the servers. Leaked data includes NHAI’s staff list, a passport copy of a former chairman, details of dependent family members of NHAI employees, NHAI internal audit reports, and more.
Technology CriticalStart researchers identified a bypass to the mitigation measures put in place for the recently disclosed flaw in F5 BIG-IP that is tracked as CVE-2020-5902. The flaw grants an unauthenticated remote attacker access to the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller. Successful exploitation could allow an attacker to remotely execute arbitrary system commands and Java code. Bad Packets reported that they identified the flaw being exploited to deliver DDoS malware.
Retail, Hospitality & Tourism Researchers at Gemini reported that from April 1st, 2017, to the present, the Keeper Magecart group targeted over 570 e-commerce sites in 55 countries. Over 85% of attacks used Magento CMS. The US hosted the largest number of victims, followed by the UK, and the Netherlands.
The researchers identified 64 attacker domains and 73 exfiltration domains which use identical login panels and are linked to the same dedicated server. The server hosts stolen data and the payload used in the attack. The researchers estimated that the group made over $7 million from selling compromised payment cards. Gemini warned that the group, which has continually upgraded the sophistication and scale of its operations, will likely continue to launch attacks.

News and information concerning each mentioned industry over the last week.

The Silobreaker Team