07 – 13 August 2020
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.
Trending Vulnerable Products
Open Source
| Name | Heat 7 |
|---|---|
| Qualcomm Snapdragon |  |
| Microsoft Internet Explorer | |
| vBulletin | |
| Windows Print Spooler | |
| TeamViewer | |
Deep & Dark Web
| Name | Heat 7 |
|---|---|
| vBulletin |  |
| TeamViewer |  |
| Google Android | |
| Qualcomm Snapdragon | |
| ImageMagick | |
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
Leaks & Breaches
| Company | Information | Affected |
|---|---|---|
| Boyce Technologies (US) | On their blog, the operators of DoppelPaymer ransomware posted files allegedly stolen in an attack against the ventilator manufacturer. Stolen files include sales and purchase orders, assignment forms, and more. The group has threatened to leak more data in a week’s time if their demanded ransom is not met. | Unknown |
| Interactive Data LLC (US) | Personal and financial records are reportdely advertised by scammers to be used in fraudulent loan applications, with much of the data appearing to come from Interactive Data. The company acknowledged that ‘a handful’ of customer accounts had been compromised and stated that a law enforcement investigation is ongoing. Compromised data includes full Social Security numbers, dates of birth, current and former physical addresses, and more. | ~2,000 |
| ProctorU (Australia) | A database containing 440,000 ProctorU user records was published by ShinyHunters. Honi Soit reported that the breach exposed records with emails for numerous Australian universities, including the University of Sydney, the University of New South Wales, the University of Melbourne, the University of Queensland, the University of Tasmania, and others. | Unknown |
| Metrolinx (Canada) | Metrolinx accidentally exposed the email addresses of over 2,000 customers when sending out a mass-email to users who had interacted with Go Transit compliance services. | 2,000 |
| Slice (India) | Cyble Inc discovered a hacker selling 56GB of data containing the personal data of over 21,000 Indian students, which according to the seller was taken from an exposed Cloudinary bucket belonging to the fintech start-up. The data was reportedly stolen in July 2020 and contains Aadhaar cards, university IDs, photos and full signatures, revealing names, phone numbers, email addresses, Aadhaar numbers, dates of birth, and more. | ~21,000 |
| Pepperstone (Australia) | One of the financial exchange broker’s third-party vendors was hit by a malware attack on July 22nd, 2020. The attackers then used stolen credentials to access the company’s internal client relationship management system, impacting the personal data of some of its clients. This includes names, contact details, and dates of birth. | Unknown |
| Monsoon Accessorize (UK) | VPNPro researchers found that Monsoon Accessorize is using the unpatched version of Pulse Connect Secure VPN servers containing the critical flaw CVE-2019-11510. The researchers managed to gain access to the company’s internal files, including customer information, sensitive business documents, and more. | Unknown |
| Bridgford Foods (US) | The operators of Netwalker ransomware claim to have targeted the company and uploaded screenshots of data they have supposedly stolen. This includes files related to accounting, Amazon, Walmart, marketing, payroll files, and more. They have threatened to make the stolen data public within 29 days. | Unknown |
| Government of San Juan (Argentina) | Researchers at Comparitech identified an exposed Elasticsearch cluster containing 115,281 patient records. The records include information such as names, genders, photos, DNI numbers, CUIL numbers, and more, of individuals who applied for a COVID-19 circulation permit. The details in the database could be used to gain access to even more data, including employers, employer locations, curfew times, and more. The database has been secured. | Unknown |
| Ma Labs (US) | In a blogpost, the operators of REvil ransomware stated that they had stolen 949GB of data from the company. This allegedly includes confidential data about the company, its employees, clients, partners, and other documents. The blogpost also claims that the group’s attack affects over 1,000 servers. The group published screenshots of some of the stolen data and has threatened to publish the stolen data within 48 hours. | Unknown |
| Scholarship America (US) | Around April 28th, 2020, Scholarship America detected suspicious activity within its email system. An investigation revealed that an unauthorised party accessed Microsoft Office 365 email accounts. Data that was potentially exposed in the incident includes names, mailing addresses, telephone numbers, and in some cases Social Security numbers. | Unknown |
| The SPIE Group (France) | On their blog, the group behind Nefilim ransomware published ‘Part 1’ of a leak involving 11.5GB of data which they claim to have stolen from the company. This includes corporate operational documents such as the company’s telecom services contracts, dissolution legal documents, power of attorney documents, and more. | Unknown |
| Unknown (US) | Cyble Inc researchers discovered two threat actors leaking a total of 2,267,453 records relating to doctors working in the US. Leaked data includes national provider identifiers, full names, residential addresses, contact numbers, license numbers, and more. | Unknown |
| Michigan State University (US) | The university disclosed that an attacker exploited a vulnerability in the website of MSU’s online store to deploy malicious code which exposed the details of shoppers. The attack impacted roughly 2,600 customers between October 19th, 2019, and June 26th, 2020. The data exposed in the attack included names, addresses, and credit card numbers. | 2,600 |
| Olympia House Rehab (US) | The operators of Netwalker ransomware published screenshots of data they claim to have stolen from the California-based rehabilitation clinic. This includes files related to the facilities, HIPAA, first names, outcomes, and possible QuickBooks information. A second set of files includes financial information and photocopied patient IDs. | Unknown |
| Piedmont Orthopedics (US) | The operators of Pysa ransomware published about 3.5GB of data belonging to Atlanta-based Piedmont Orthopedics / OrthoAtlanta. The data includes files related to rentals and business aspects, as well as detailed medical records that include patient names, dates of birth, addresses, contact information, and more. | Unknown |
| Premier Health Partners (US) | The information of patients and clients of the Clinical Neuroscience Institute, Help Me Grow Brighter Futures, Samaritan Behavioral Health Inc, and CompuNet Clinical Laboratories may have been exposed after an unauthorised party gained access to certain accounts. The company first discovered unusual activity relating to Premier Health email accounts on June 8th, 2020 and an investigation is currently ongoing. | Unknown |
| Owen’s Ear Center (US) | Owen’s Ear Center in Texas was targeted in a ransomware attack on May 28th, impacting the personal data of its patients. This includes names, dates of birth, healthcare information, and Social Security numbers. No evidence to indicate that the information has been misused was found. | 19,908 |
| SANS Insitute (US) | A SANS Institute employee was successfully targeted in a phishing attack on August 6th 2020, allowing the attacker to set up a forwarding to rule an external email address. The attacker received 513 emails containing names, email and physical addresses and phone numbers. Passwords and financial information were not affected. | 28,000 |
| Unknown | CyberNews researchers discovered an unprotected Amazon AWS server containing 300 million unique strings of email addresses, 50 million of which were unencrypted. The data appears to have been stolen or acquired on the black market in October 2018. The database was secured on June 10th, 2020. The owner of the database remains unknown. | 300,000,000 |
| Seek (Australia) | The job search engine Seek reported that an ‘internal technical issue’ resulted in users being able to see other candidate’s career history and education. No names, contact details, or resumes were impacted. | 2,000 |
| FHM (US) | An unauthorised individual accessed the Illinois healthcare system’s email accounts between February 12th and February 13th, 2020. It remains unclear whether any emails or attachments in the accounts were viewed during this period. Potentially exposed data includes patient names, dates of birth, medical record or patient account numbers, health insurance and social security and more. | Unknown |
| Adit (US) | Security researcher Bob Diachenko discovered an unsecured database belonging to the medical software company containing patients’ personal data.This included names, email addresses, phone numbers, and the practices where patients receive treatment. The database was exposed for about 10 days before being destroyed by ‘meow bot’, a malicious bot that has been attacking unprotected databases in recent weeks. | >3,100,000 |
| Devire (Poland) | Cyble Inc researchers discovered a threat actor leaking a database containing about 570,000 records of personal information of Devire customers. The data includes Recruitment IDs, first and last names, email addresses, phone numbers, addressed and job position details. | Unknown |
| Canadian Tire (Canada) | The operators of Netwalker ransomware claim to have breached the retail company and stolen sensitive data from one of its stores, which they have threatened to publish in eight days. The group posted screenshots that show folders and files containing employee details, financial statements, bank reconciliation statements, and more. | Unknown |
| Woodstream Corporation (US) | In a blogpost, the operators of Netwalker ransomware shared screenshots of data they claim to have stolen from Woodstream Corporation. This includes audit reports, confidentiality agreements, endorsement related documents, and more. The group has threatened to release the stolen data within 29 days. | Unknown |
Malware Mentions in Banking
Industry View
This chart shows the trending malware related to banking over the last week.
Weekly Industry View
Industry View
| Industry | Information |
|---|---|
| Critical Infrastructure | Since August 10th, 2020, the Southeastern Pennsylvania Transportation Authority (SEPTA) has been experiencing issues with sharing important travel information with customers. An ongoing investigation revealed that its servers had been targeted with malware. SEPTA Key card information was not compromised, nor did the attack affect its services or cause disruptions. According to SEPTA, other organisations were also impacted, though no further details were provided. |
| Government | Between June and August 2020, ClearSky researchers investigated an espionage campaign, dubbed Dream Job, that primarily targets defence and governmental companies. The attacks have been ongoing since the start of the 2020 and have targeted companies and organisations globally. Some of the attacks were successful. The campaign has been attributed with high probability to Lazarus Group and involves several social engineering methods in job offer-themed campaigns. |
| Technology | Security researchers at Shadow Intelligence reported that a threat actor, operating under the alias bcorp33, has been providing access to the networks of large and small companies across the globe. The attacker is using botnets to identify and enumerate targets and exploits CVE-2019-11510 in Pulse Secure VPN and CVE-2020-5902 in F5’s Big-IP devices. Breaches associated with bcorp33 include Hyundai Corporation, LG Electronics, PepsiCo, the Cernavoda Nuclear Plant, government organisations in Taiwan and Peru, and many others. Shadow Intelligence reported that bcorp33, alongside ‘Drumrlu’ and ‘Marlon_Brando,’ are new affiliates of the FXMSP group. The group had previously advertised access to the networks of Symantec, Trend Micro, and McAfee. |
| Healthcare | Researchers at Checkpoint identified that the number of vaccine-related coronavirus domains doubled between June and July 2020. Out of every 25 malicious coronavirus-themed sites, one is now vaccine related. Two malspam campaigns were observed, the first of which purported to contain information about an approved vaccine and delivered an info stealer on the victim’s device. The second email informed the user that the UK coronavirus vaccine effort was progressing badly. The message contained a link, which at one point redirected to a medical phishing site that impersonated a Canadian pharmacy. |
| Cryptocurrency | The cryptocurrency platform Ethereum was targeted by the same attacker on July 31st and August 6th, 2020, resulting in the theft of over $5 million worth of Ethereum Classic. In response to the attacks, Coinbase has increased its confirmation time for ETC to two weeks, while Ethereum Classic is also recommending all exchanges, mining pools and other ETC service providers raise their confirmation times. |
News and information concerning each mentioned industry over the last week.
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.
