12 November 2020

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name (heat over the last 7 days; heat values are not reproduced in this text version)
Apple iOS 14
Apple iOS
iPhone
iPod Touch
Adobe Acrobat Reader
Deep & Dark Web
Name (heat over the last 7 days; heat values are not reproduced in this text version)
Instagram
Nmap
ESP8266
Ubuntu
Microsoft Office

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Company | Information | Affected
Campari Group (Italy) | Ragnar Locker ransomware was likely used in an attack against the Campari Group. Allegedly stolen files include bank statements, contractual agreements, emails, and more. The attackers' ransom note also contains links to screenshots of the stolen data, which apparently show employee tax forms, a US passport, Social Security numbers, and other such documents. | Unknown
Ukrainian Armed Forces | The Ukrainian Ombudsperson's Office stated that a law enforcement investigation has been launched into a data leak concerning the personal data of 500 soldiers who took part in the Joint Forces Operation in the Donbas warzone. Exposed data included dates of birth, addresses, tax information, passport details and telephone numbers. | 500
Cermati (Indonesia) | According to security researcher Teguh Aprianto, data on users of the fintech aggregator platform was leaked and sold online for about $28,000. The data includes names, addresses, bank accounts, emails, mothers' maiden names, tax numbers and passwords. | 3,000,000
Capcom (Japan) | Ragnar Locker ransomware was used in an attack against the game company Capcom. BleepingComputer reported that the attackers claim to have downloaded over 1TB of data, with links to screenshots of stolen files posted in their ransom note. These include Japanese passports, Steam sales reports, bank statements, and more. The ransomware operators claim to have encrypted 2,000 devices on Capcom's network and are demanding a ransom of $11 million in Bitcoin. | Unknown
Club Fitness (US) | The gym operator disclosed that a cyberattack against its servers on June 18th, 2020, may have exposed the personal information of an unspecified number of individuals. The attack reportedly cut access to 'data and programs' on the company's network, while an unknown actor was found to have accessed and obtained information from the company's servers. | Unknown
Donald Trump 2020 presidential campaign (US) | DontTouchTheGreenButton[.]com, established by the Trump campaign to collect sworn declarations of voting irregularities from voters in Arizona's Maricopa County, contained an exposed API key and Application ID that could have allowed bulk collection of voter data. The information included names, addresses, and a unique identifier. The API has since been removed. | Unknown
Luxottica Group (Italy) | EyeMed, LensCrafters, Target Optical, and other medical practices operated by Luxottica have had patients' data exposed following an attack against the company's appointment scheduling application. The incident, which occurred on August 5th, 2020, potentially exposed names, contact information, doctor or appointment notes containing prescriptions, health conditions, or procedures, and more. In some cases, Social Security numbers and credit card numbers were exposed. | Unknown
BigBasket (India) | Cyble Inc researchers discovered a database belonging to BigBasket for sale on the dark web. The 15GB database contains details of about 20 million users, including full names, email IDs, password hashes, PINs, contact numbers, full addresses, dates of birth, and more. | 20,000,000
Alfortville, Val-de-Marne (France) | The French town was targeted in a ransomware attack on November 4th, 2020. Data was reportedly exfiltrated prior to the ransomware deployment. | Unknown
Lawrence General Hospital (US) | The Massachusetts-based hospital discovered that an unauthorised party may have accessed its IT systems. Potentially accessed data includes patient names, patient and visit ID numbers, and insurance types. In some cases, clinical information may also have been accessed, and fewer than five individuals may also have had their Social Security numbers compromised. | Unknown
Flagship Group (UK) | The social housing provider suffered a Sodinokibi ransomware attack. The incident is suspected to have originated with a successful phishing attempt. According to the company, the attack compromised 'some personal staff and customer data'. | Unknown
Cloud Clusters (US) | An exposed database belonging to the company was discovered which contained 63.7 million records, including usernames and passwords for Magento, WordPress, and MySQL accounts in plain text, as well as client panel and employee login paths and data. According to researcher Jeremiah Fowler, any user could have edited, downloaded, or deleted data without administrative credentials. | Unknown
Prestige Software (Spain) | Website Planet researchers discovered a misconfigured AWS S3 bucket belonging to the hotel reservation platform Cloud Hospitality by Prestige Software. The bucket exposed customer data, including names, addresses, national ID numbers, phone numbers, and credit card and reservation details of hotel guests. Over 10 million files dating back to 2013 were discovered. Much of the leaked data originated from popular reservation websites such as Agoda, Amadeus, Booking[.]com, Expedia, and others. | Unknown
Sandicliffe (UK) | The car dealership chain was targeted in a cyberattack in February 2020. According to Nottingham Post, 'possibly thousands' of individuals, including customers and staff, were affected by the incident. Data such as names, dates of birth, bank and passport details, national insurance numbers, medical histories, and more were potentially exposed. | 1,000
RedDoorz (Singapore) | BleepingComputer reported that a threat actor is advertising 5.8 million user records stolen from RedDoorz. A database sample shared by the threat actor contains the records of 587 users. The exposed user data includes email addresses, bcrypt-hashed passwords, full names, gender, dates of birth, occupations, and more. | Unknown
Gaiba Comune (Italy) | The comune was subjected to a cyberattack on November 6th, 2020. According to the official notification, unspecified personal data held on a central server was affected by the incident. | Unknown
Mashable (US) | The company discovered that a hacker had posted a copy of a Mashable database online. The breach is related to a previous feature that allowed readers to use their social media account sign-in to share content from Mashable. Exposed data includes first and last names, general locations, email addresses, genders, dates of registration, links to social media profiles, and more. | Unknown
Pakistan International Airlines | Researchers at KELA discovered a threat actor advertising domain admin access to the airline's network. The threat actor also claims to be in possession of all databases on the airline's network and published a sample of the stolen data online. According to the seller, the 15 databases contain the full names, phone numbers and passport details of all individuals who use Pakistan International Airlines. | Unknown
Bidvest Bank (South Africa) | The bank suffered a data breach, discovered in early September 2020, in which a single client was able to view a 'limited number' of other clients' profiles due to a manual processing error. The individual had access to data including names, account numbers, and bank balances. | Unknown
LimitChat (China) | Researchers at CyberNews discovered an unsecured Amazon S3 bucket likely owned by the China-based private social network. The bucket contained 132,214 media files, including 83,016 images and 4,932 videos. The files, most of which are explicit in nature, are believed to have been created by users of the network. | Unknown
Wildworks (US) | The maker of the online children's game Animal Jam disclosed that user records had been exposed after an attack on the servers of a vendor it uses for intra-company communications. The database has been circulated by the attackers and contains roughly 46 million Animal Jam account records. Exposed data includes email addresses of parents managing player accounts, player usernames, encrypted passwords, the names and billing addresses of parents, and more. | Unknown
Land Transportation Office (Philippines) | A website containing a 'motor vehicle authenticator' reportedly reveals car make, plate and engine number, as well as registration date and the name of the registered owner. Individuals have confirmed that the data available on the site is correct, possibly indicating a leak from the LTO database. | Unknown
UK Department for Work and Pensions | The DWP reportedly exposed the data of PIP disability claimants in two spreadsheets published on the internet. The national insurance numbers of 6,842 individuals have been viewable online since the spreadsheets were released in March and June 2018. | 6,842
Nexia (Australia) | A spokesperson for the accountancy firm, which was targeted in a REvil ransomware attack on November 3rd, 2020, has denied that the attack resulted in data exfiltration. According to iTWire, REvil operators claimed to have stolen 76GB of data from the company and had uploaded screenshots of the affected directories on the dark web. | Unknown
Jekyll Island Authority (US) | The ransomware attack against Georgia's Jekyll Island Authority, discovered on September 11th, 2020, may have affected the data of over 7,000 individuals and businesses. The affected data may have included names, addresses, medical records and other information. | 7,000
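Two of the entries above (the Cloud Hospitality bucket attributed to Prestige Software and the LimitChat media bucket) are S3 buckets that anyone on the internet could read. The checker below is an added example and is not code from Silobreaker, Prestige Software or LimitChat: it parses a bucket policy and ACL in the JSON shapes the AWS API returns, flags grants to anonymous principals, and evaluates them against the bucket's Block Public Access settings, which is the configuration that would have prevented either leak. The bucket name, account ID, VPC endpoint ID and all three policies are constructed for the example.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous access.

Added example, not Silobreaker's, Prestige Software's or LimitChat's code. The
sample policies are constructed. Input shapes follow what the AWS API returns for
get_bucket_policy (JSON document), get_bucket_acl (Grants list) and
get_public_access_block (PublicAccessBlockConfiguration dict).
"""
import json

ANONYMOUS_GRANTEES = {  # ACL group URIs meaning "everyone" / "any AWS account"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:listbucket"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """'*' and {'AWS': '*'} both grant to unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _action_grants_read(action: str) -> bool:
    """Match explicit read actions and wildcards such as '*', 's3:*' or 's3:Get*'."""
    action = action.lower()
    if action.endswith("*"):
        return any(a.startswith(action[:-1]) for a in READ_ACTIONS)
    return action in READ_ACTIONS


def public_policy_statements(policy_json: str) -> list:
    """Return (Sid, kind) for each Allow statement that lets anonymous callers read.

    kind is 'public' when nothing scopes the grant and 'conditional' when a
    Condition block (e.g. aws:SourceVpce, aws:SourceIp) is present; conditional
    grants still deserve a manual read but are not open to the whole internet.
    """
    findings = []
    for index, st in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if st.get("Effect") != "Allow" or not _principal_is_anonymous(st.get("Principal")):
            continue
        if not any(_action_grants_read(a) for a in _as_list(st.get("Action"))):
            continue
        sid = st.get("Sid", f"statement[{index}]")
        findings.append((sid, "conditional" if st.get("Condition") else "public"))
    return findings


def public_acl_grants(grants: list) -> list:
    """Return (URI, Permission) for ACL grants to AllUsers or AuthenticatedUsers."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in ANONYMOUS_GRANTEES
    ]


def is_world_readable(policy_json: str, acl_grants: list, public_access_block: dict) -> bool:
    """Combine policy, ACL and Block Public Access the way S3 evaluates them.

    RestrictPublicBuckets makes S3 ignore a public bucket policy for anonymous
    callers and IgnorePublicAcls makes it ignore public ACL grants; the Block*
    flags only reject new public policies/ACLs, so an existing one still leaks.
    """
    policy_open = (
        any(kind == "public" for _, kind in public_policy_statements(policy_json))
        and not public_access_block.get("RestrictPublicBuckets", False)
    )
    acl_open = bool(public_acl_grants(acl_grants)) and not public_access_block.get("IgnorePublicAcls", False)
    return policy_open or acl_open


# Constructed samples: a hypothetical bucket, account ID and VPC endpoint.
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-reservations", "arn:aws:s3:::example-reservations/*"]}]})
VPC_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-reservations/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReservationsApp"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reservations/*"}]})
PUBLIC_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {key: True for key in NO_BLOCK}

if __name__ == "__main__":
    print("leaky policy findings:", public_policy_statements(LEAKY_POLICY))
    print("leaky bucket exposed:", is_world_readable(LEAKY_POLICY, PUBLIC_ACL, NO_BLOCK))
    print("same bucket with Block Public Access on:", is_world_readable(LEAKY_POLICY, PUBLIC_ACL, FULL_BLOCK))
```

The policy and ACL are independent paths to exposure, which is why the check reads both: a bucket with a clean policy but an AllUsers READ grant in its ACL is just as open. Treat a 'conditional' finding as a prompt to read the condition, since a loose aws:SourceIp range is still effectively public.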

Malware mentions in Critical Infrastructure

Time Series: this chart shows the trending malware related to Critical Infrastructure over the last week (chart not reproduced in this text version).

Weekly Industry View

Industry View
Industry | Information
Banking & Finance | Cofense researchers detected an increase in business email compromise campaigns that exploit the fact that recent government grants give small businesses quicker access to financial data. One recent campaign involved an email asking an executive at a global financial firm to 'please get this information'. Social engineering tactics were used, such as the attacker offering help on where to find the information and addressing the recipient by first name.
Education | According to BleepingComputer, a non-public security advisory issued by Microsoft warns that numerous industries, most recently the education sector, are being targeted with fake ads for Microsoft Teams updates. Targets are tricked into clicking malicious links spread via ads or poisoned search engine results. The user is then redirected to a spoofed site hosting the fake Teams software. The FakeUpdates attacks, which dropped DoppelPaymer in 2019 and more recently WastedLocker, have begun to use signed binaries, second-stage payloads, and exploits for CVE-2020-1472 (Zerologon). The threat actor has used the campaign to deliver NJRat, ZLoader, Predator the Thief, Cobalt Strike beacons, and other payloads.
Critical Infrastructure | Weather service authorities across Europe were targeted in a large-scale phishing campaign originating from the compromised email account of an individual in the meteorological community. The threat actors obtained a list of industry contacts and targeted the Met Office and the European Centre for Medium-Range Weather Forecasts in the UK, the State Meteorological Agency in Spain, and the Danish Meteorological Institute. According to New Scientist, the actor spoofed the addresses of several trusted contacts, including the European Commission. The attack caused 'minor disruption' as legitimate emails were caught in spam filters; however, no data is believed to have been breached.
Healthcare | The Australian Cyber Security Centre (ACSC) warned of an increased threat to the country's healthcare sector from the SDBBot Remote Access Tool (RAT). According to ACSC, SDBBot consists of an installer that ensures persistence, a loader for additional components, and the RAT payload. Once a machine is compromised, SDBBot moves laterally within the targeted network and exfiltrates data. It may also be used as a precursor to Clop ransomware.
Cryptocurrency | Users of the hardware crypto wallet maker Ledger have been targeted in a phishing campaign, resulting in the theft of 1,150,000 Ripple tokens (XRP), or around $291,200. The phishing messages directed users to a website spoofing the legitimate Ledger site, using official branding and replacing one letter in the URL with a homoglyph. Users were asked to download a fake wallet update, which resulted in the exfiltration of XRP. In a separate scam, a threat actor impersonated 'Team Ripple' in messages announcing a non-existent XRP giveaway and asked users to register by submitting their Ledger seed phrase or crypto private key. According to Cointelegraph, the scammers may have obtained users' email addresses as a result of a data breach suffered by Ledger earlier this year.

News and information concerning each mentioned industry over the last week.
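The Ledger lure in the Cryptocurrency row works because a single substituted character (for example Cyrillic 'е', U+0435, in place of Latin 'e') renders identically in most fonts while producing a different registrable domain. The checker below is an added example, not Silobreaker's or Ledger's code: it accepts a hostname in Unicode or punycode form, reduces it to an ASCII 'skeleton' by stripping combining marks and mapping a hand-picked subset of Unicode confusables, flags labels that mix scripts, and compares the skeleton against a list of protected domains. The confusables table is deliberately partial (a production checker should load the full Unicode TR39 confusables list), ledger.com is used as the protected brand because it is the one the page names, and every look-alike tested is constructed.

```python
"""Detect homoglyph look-alike domains (e.g. a Cyrillic letter swapped into ledger.com).

Added example. CONFUSABLES is a small hand-picked subset of Unicode TR39
confusables; a production checker should load the full table.
"""
import unicodedata

CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u2010": "-",  # HYPHEN
}

PROTECTED = ("ledger.com",)  # assumption: the brand domains being defended


def to_unicode(hostname: str) -> str:
    """Return the lowercase Unicode form of a hostname given as Unicode or punycode (xn--)."""
    labels = []
    for label in hostname.strip().rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def skeleton(hostname: str) -> str:
    """Reduce a hostname to an ASCII skeleton: NFKD, drop combining marks, map confusables."""
    chars = []
    for ch in unicodedata.normalize("NFKD", to_unicode(hostname)):
        if unicodedata.combining(ch):
            continue  # 'é' decomposes to 'e' + U+0301; keep only the base letter
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars)


def scripts_in(label: str) -> set:
    """Coarse script set of a label (LATIN / CYRILLIC / GREEK / OTHER), ignoring digits and '-'."""
    found = set()
    for ch in label:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        found.add(next((s for s in ("LATIN", "CYRILLIC", "GREEK") if name.startswith(s)), "OTHER"))
    return found


def check_domain(hostname: str, protected: tuple = PROTECTED) -> dict:
    """Classify hostname as 'legitimate', 'lookalike', 'suspicious' or 'ok' against protected domains."""
    uni = to_unicode(hostname)
    result = {
        "input": hostname,
        "unicode": uni,
        "punycode": uni.encode("idna").decode("ascii"),
        "skeleton": skeleton(uni),
        "verdict": "ok",
        "reasons": [],
    }
    for brand in protected:
        if uni == brand or uni.endswith("." + brand):
            result["verdict"] = "legitimate"  # the brand domain itself or a real subdomain of it
            return result
    if any(len(scripts_in(label)) > 1 for label in uni.split(".")):
        result["reasons"].append("mixed-script label")
        result["verdict"] = "suspicious"
    for brand in protected:
        target = skeleton(brand)
        if result["skeleton"] == target or result["skeleton"].endswith("." + target):
            result["reasons"].append(f"confusable with {brand}")
            result["verdict"] = "lookalike"
    return result


if __name__ == "__main__":
    # Constructed samples: Cyrillic 'е' for Latin 'e', an accented 'e', a real subdomain, an unrelated host.
    for sample in ("ledger.com", "l\u0435dger.com", "l\u00e9dger.com", "support.ledger.com", "example.org"):
        verdict = check_domain(sample)
        print(f"{sample!r:22} -> {verdict['punycode']:22} {verdict['verdict']:10} {verdict['reasons']}")
```

Mixed-script detection alone is not enough: a label written entirely in Cyrillic confusables has a single script and passes that test, so the skeleton comparison against the protected list is the check that actually catches it. The same skeleton function can be run over certificate transparency logs or newly registered domain feeds to alert on look-alikes before the phishing mail goes out.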
