05 – 11 June 2020

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7d
Foxit PhantomPDF
Foxit Reader
Microsoft Server Message Block
Microsoft SMBv3
macOS Catalina

Deep & Dark Web
Name Heat 7d
Burp Suite
Microsoft Server Message Block
Windows 7
Microsoft SMBv3

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company Information Affected
Chartered Professional Accountants of Canada CPA discovered that its websites had been breached by unauthorised parties after members began to receive phishing emails in April 2020. The data exposed in the incident includes names, addresses, email addresses, and employer names. Encrypted credit card numbers and passwords were also included in the breach. 329,000
Conduent (US) The firm confirmed that its European operations were hit with a ransomware attack on May 29th, 2020. On June 4th, 2020, Maze ransomware operators claimed responsibility for the attack and posted 1GB worth of files allegedly belonging to Conduent onto their data breach site. The files include financial spreadsheets, customer audits, invoices, commission statements, and more. Unknown
Unknown (Israel) Anonymous Islamic, also known as JEArmy, claimed responsibility for a cyberattack that exposed the personal information of hundreds of Israelis. This includes credit card details, ID cards, phone numbers, and security codes. Unknown
Kentucky Employees’ Health Plan (US) The Commonwealth of Kentucky Personnel Cabinet revealed that between April 21st and April 27th, 2020, the details of 971 members were accessed without authorisation. The attacker infiltrated the systems of StayWell, a third-party vendor used by KEHP members, and was able to view biometric screening and health assessment data. A second incident linked to the first took place from May 12th to May 22nd, 2020. 971
San Beda University (Philippines) On June 4th, 2020, a hacker leaked the private data of thousands of San Beda University students on Twitter. Exposed data includes full names, dates of birth, addresses, email addresses and passwords, contact numbers, and more. Unknown
Zee5 (India) A hacker, operating under the alias ‘John Wick’, claims to have hacked into the company’s database and code repositories on Bitbucket. They claim to have exfiltrated 150GB of data relating to source code and user information. Data shared with Quickcyber shows information such as live code secret keys and credentials of unsecured Amazon Web Services buckets. The hacker also claims to be in possession of subscribers’ transactions, passwords, emails, mobile numbers, and more. Unknown
Fitness Depot (Canada) The retailer announced that a breach on the company’s e-commerce platform allowed a hacker to access personal and financial data from February to May 2020. Exposed data includes names, addresses, phone numbers, credit card numbers, and more. BleepingComputer stated that the incident has all the markings of a Magecart attack. Unknown
Multiple (Chile) An audit conducted by Chilean Transparency Council revealed that 12 purchase orders by hospitals and six by health services had resulted in the exposure of sensitive patient data. In most cases the data was shared without proper security measures or patient consent. In other instances, the data was publicly exposed via portals. Unknown
Castro Valley Health Inc (US) The organisation reported that the information of its patients was transferred to Docker Hub during 2016 to 2017. The information, which Castro Valley Health described as ‘heavily coded’, contains patient names, dates of birth, medical record numbers, and more. The organisation became aware of the incident on April 21st, 2020, and the data has been removed. Unknown
University of Utah Health (US) The hospital discovered a phishing attack that compromised some employee email accounts between April 6th and May 22nd, 2020. These email accounts contained private patient data, such as names, dates of birth, and medical record numbers. At present, it is not believed that the data has been misused. Unknown
VT San Antonio Aerospace (US) Maze ransomware operators have hit VT San Antonio Aerospace (VT SAA) with ransomware and claim to have exfiltrated 1.5TB of data belonging to the company. The attackers leaked the IT manager’s memorandum of the attack which showed that they used a compromised administrator account to connect to one of VT SAA’s servers via a remote desktop connection. It also reveals that three days after the attack, the company managed to recover encrypted systems. Other documents leaked by the attackers so far include financial spreadsheets, expired NDAs, and more. Unknown
Student Advocates Group (US) CyberNews discovered that 56,422 call recordings and 25,143 PDFs relating to student loans were exposed through an unsecured Amazon Simple Storage Service bucket. The details exposed in the breach include names, dates of birth, Social Security numbers, credit card numbers, PIN numbers, emails, total loan amounts, and more. The earliest confirmed data goes back to 2018. The database was secured by Amazon on May 26th, 2020. Unknown
Fraser Wheeler & Courtney LLP and Vierra Magen Marcus LLP (US) The operators of REvil ransomware added a further two US-based law firms to their official darknet blog and have begun auctioning off stolen data belonging to the companies. This includes 50GB of data from Fraser Wheeler & Courtney LLP and 1.2TB from Vierra Magen Marcus LLP. The auctioned data supposedly includes client files, customer information, internal documentation, electronic correspondence, business plans, and more. Unknown
Sias University (China) A document called ‘list of returning students’ is currently being shared on WeChat and QQ, which contains the personal information of Sias University students. The list exposes student names, ages, national ID numbers, majors, campus addresses, and college entrance exam registration numbers. The source of the leak remains unclear. The university stated it is investigating the leak and has reported it to the police. 20,000
Hockley Medical Practice (UK) The GP practice was made aware of a possible cyberattack that may have impacted medical records. It remains unclear whether any sensitive data was stolen in the attack. One patient reportedly received an email purporting to be from the NHS that contained his personal details and urged him to click on a likely malicious link. An investigation is ongoing. Unknown
Everett & Hurite Ophthalmic Association (US) On March 23rd, 2020, the ophthalmologist discovered unusual activity on one of its employee email accounts and an investigation revealed that it had been accessed without authorisation between February 25th and March 25th, 2020. Personal and health information of its patients was present on the account and may have been accessed. This includes first and last names and in some cases dates of birth, financial information, Social Security numbers, and more. Unknown
Aban Offshore Limited (India) Posted as ‘part 8’ of the data leak, the operators of Nefilim ransomware published data belonging to the company. According to Cyble researchers, the data includes sensitive information of contractors and employees, including passport details of over 250 individuals, medical records, remuneration details, immigration documents, bank account details, and more. Unknown
City of Florence, Alabama (US) The city’s authorities confirmed on June 5th, 2020, that they had been hit by a DoppelPaymer ransomware attack. On June 9th, 2020, the city’s mayor Steve Holt told KrebsOnSecurity that the attack impacted the city’s email systems. The mayor stated that the city plans on paying roughly $291,000 in Bitcoin to the attackers to recover any stolen data. Unknown
Bharat Earth Movers Limited (India) Researchers at Cyble reported that data stolen from the company in May 2020 was posted online on May 25th, 2020. The data was downloaded from seven employee email accounts and includes email conversations, interoffice memos, customer detail records, and more. The internal email addresses and login passwords of the seven compromised accounts were also published. Unknown
Greenworks (China) On June 8th, 2020, researchers at RapidSpike identified a self-cleaning and self-destructing skimmer on the US site of the DIY tools company. The skimmer, which was still present when the researchers reported on the issue on June 10th, 2020, is capable of exfiltrating personal and credit card information entered on the site. Unknown

This table shows a selection of leaks and breaches reported this week.

Malware Mentions in relation to the Coronavirus

This chart shows the trending malware related to Coronavirus over the last week.

Weekly Industry View
Industry Information
Banking & Finance The FBI, pointing to US financial data indicating a 50% increase in the use of mobile banking since the start of 2020, warned that it expects to see an increase in cyber threat actors targeting these platforms. The bureau warned that it expects attacks to utilise app-based banking trojans and fake banking apps to target customers.
Government The head of Google’s Threat Analysis Group, Shane Huntley, tweeted that the company had warned the Biden campaign that it had been targeted by the Chinese-linked threat actor APT31. Huntley also disclosed that similar warnings had been sent to the Trump campaign related to Iranian activity by APT35. Both cases involved phishing attacks targeting the email accounts of campaign staff. Google stated that it had no evidence to indicate that the attacks were successful.
Education Researchers at BlackBerry and KPMG discovered Tycoon ransomware being used against small- to medium-sized companies and organisations in the education and software sectors. The multi-platform malware targets both Windows and Linux machines. The malware comes in the form of a ZIP archive with a trojanized Java Runtime Environment build. The attackers compiled the malware into a Java image file within the build directory, a method not previously identified by the researchers. Following the initial intrusion, which occurs via an internet-facing RDP jump server, the attackers encrypt file servers and demand a ransom.
Healthcare Jeremy Fleming, head of the UK’s Government Communications Headquarters (GCHQ), has warned of hackers from hostile states attempting to steal secrets regarding a potential coronavirus vaccine. Hackers were observed targeting the UK’s health infrastructure and some of its research labs, often looking for ‘pretty basic vulnerabilities’ to exploit.
Cryptocurrency Sophos researchers published a report detailing the tactics, techniques and procedures of the Kingminer botnet, which spreads via brute-force attacks against SQL servers. Most recently, it also started experimenting with the EternalBlue exploit, using a script similar to one found in the PowerGhost botnet. The botnet’s operators tend to leverage open source tools like PowerSploit and Mimikatz which are stored on public GitHub repositories linked to over 20 user accounts. The DLL side-loading technique is used to execute its payload – a method frequently used by Chinese APT groups. The botnet also makes use of a domain generation algorithm, likely to change the domains for its C2 servers to prevent having to release new versions of the downloader if one of its download servers is shut down.

News and information concerning each mentioned industry over the last week.
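The Kingminer entry above says the botnet spreads by brute-forcing SQL servers. The defender's first signal for that is a burst of failed logins from one client address, so here is an added example (written for this digest, not code from Sophos, Silobreaker or the botnet's analysis) that scans SQL Server ERRORLOG-style "Login failed for user" lines and flags any client IP that reaches a threshold of failures inside a sliding time window. The log format, the sample lines, the IP addresses and the threshold and window values are all constructed assumptions; the lines are expected to be in chronological order, as an ERRORLOG is.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for a SQL Server ERRORLOG-style failed-login line. The exact layout
# is an assumption modelled on the common "Login failed for user" message
# that carries the client address in a trailing "[CLIENT: x.x.x.x]" field.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Constructed sample log: one client hammering 'sa' six times in ten seconds,
# one client with a single failure, and one unrelated server line.
SAMPLE_LOG = """\
2020-06-08 02:14:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-08 02:14:02.00 spid10s     Starting up database 'tempdb'.
2020-06-08 02:14:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-08 02:14:05.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-08 02:14:07.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-08 02:14:09.21 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-08 02:14:11.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-08 02:20:30.40 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""


def parse_failed_logins(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {client_ip: peak failures seen inside any window} for IPs that reach threshold.

    A per-IP deque holds the timestamps of failures still inside the window;
    the deque's length after each event is that IP's current failure rate.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures within the window
    peak = defaultdict(int)       # ip -> largest in-window count observed
    for ts, _user, ip in parse_failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible brute force from {ip}: {n} failed logins within 60s")
```

Tuning note: threshold and window are deliberately small so the constructed sample trips the rule; on a real instance the same logic would run over the ERRORLOG tail or the equivalent audit events, and a hit is the cue to confirm the SQL listener is not reachable from the internet and that the targeted accounts have strong credentials.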

The Silobreaker Team