
Threat Summary: 07 – 13 February 2020


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (ranked by 7-day heat)
  • Android Oreo
  • Android 10
  • Node.js
  • Apache Struts
  • Android Pie

Deep & Dark Web (ranked by 7-day heat)
  • SQLi Dumper
  • Twitter
  • Android Oreo
  • Android 10
  • Microsoft SQL Server

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company (country) | Individuals affected

eHealth Saskatchewan (Canada) | Unknown
    eHealth Saskatchewan was hit by a ransomware attack on January 5th, 2020. The organisation initially stated that all patient data was safe. An investigation into the incident revealed that a large number of encrypted files had in fact been transferred to ‘suspicious’ IP addresses. According to CEO Jim Hornell, the possibility that personal information was compromised cannot be ruled out.

Unknown (India) | 461,976
    On February 5th, 2020, researchers at Group-IB discovered a database called ‘INDIA-BIG-MIX’ containing 461,976 payment records for sale on the popular carding forum Joker’s Stash. Over 98% of the records were found to be from the largest Indian banks. The database contains records with card numbers, expiration dates, CVV/CVC codes, and in some cases cardholders’ full names, email addresses, phone numbers and addresses.

Likud (Israel) | 6,453,254
    Developer Ran Bar-Zik discovered an exposed server belonging to the Israeli political party Likud containing the personal data of Israeli citizens, including full names, phone numbers, ID card numbers, home addresses, gender, age, and political preferences. Bar-Zik accessed the server via a security flaw in the party’s election app website that exposed the site’s backend. The app’s website has been taken offline.

TCL Communications (China) | Unknown
    Darren McCormack discovered that the app for the TCL Movetime Family Watch showed data of unknown individuals after choosing the ‘connect with Facebook’ option. A different random individual’s account was connected to him on each login to the app, allowing him to view that user’s GPS location, phone number, date of birth and contacts, and giving him the option to message the person. A spokesperson for TCL Communications stated that the company was aware of the issue and had released an update on January 28th, 2020.

Educational Enrichment Systems (US) | Unknown
    Educational Enrichment Systems Inc announced it had become aware of a potential data breach on August 30th, 2019, after unusual activity was observed on an employee email account. The account had been accessed by an unauthorised party between May 27th and July 15th, 2019. Email attachments present in the account contained sensitive customer data, including names, physical addresses, Social Security numbers, financial data and health insurance information. No evidence was found that the unauthorised party had attempted to access or misuse the data.

Shields Health Solutions (US) | Unknown
    An unauthorised individual gained access to an employee email account between October 22nd and October 24th, 2019, potentially exposing protected health information. Potentially viewed or copied data includes names, dates of birth, medical record numbers, provider names, and more.

Lafayette Regional Rehabilitation Hospital (US) | 1,360
    A data breach was discovered on November 29th, 2019, which may have exposed the names, dates of birth, and clinical and treatment information of patients. In some cases, Social Security numbers were also exposed.

My Health My Resources (US) | 6,524
    A small number of employee email accounts were accessed by an unauthorised individual between October 12th and October 14th, 2019, potentially exposing patient data. This includes names, Social Security numbers, driver’s license numbers, and information relating to the care received at MHMR. It remains unclear whether any data was viewed, but no evidence suggests that patient information has been misused.

Reva Inc (US) | ~1,000
    A phishing attack against employees at Reva resulted in unauthorised access to employee email accounts between July 23rd and September 13th, 2019. The accounts in question contained patients’ names, travel insurance information, dates of service, limited clinical information, passport numbers, driver’s license numbers, and in some cases Social Security numbers.

Lawrenceville Internal Medicine Associates (US) | 8,031
    Lawrenceville Internal Medicine Associates accidentally exposed the email addresses of 8,031 of its patients by sending an email in which the other patients’ addresses were visible to every recipient instead of being hidden as BCC recipients. No further information was exposed.

JailCore (US) | Unknown
    Researchers at vpnMentor discovered an exposed S3 bucket belonging to JailCore containing 36,077 files. The exposed data included inmates’ mugshots, names, dates of birth, medical information, activity reports, names of correctional officers, and more. Impacted individuals were housed in detention centres in Florida, Kentucky, Missouri, Tennessee, and West Virginia. The researchers warned that additional states may also have been impacted.

TastSelv Borger (Denmark) | 1,260,000
    During an audit by the Danish Agency for Development and Simplification (UFST), a software error was discovered on the country’s government tax portal which exposed the personal identification (CPR) numbers of about a fifth of Denmark’s citizens. The data was exposed from February 2nd, 2015 until January 24th, 2020. UFST believes that, because Adobe and Google were likely the only parties to have collected the data, affected individuals are not in immediate danger of fraud.

MCLSC/NMRLS (US) | Unknown
    Mississippi Center for Legal Services and North Mississippi Rural Legal Services (MCLSC/NMRLS) are informing clients, contractors, vendors, attorneys and other business partners of a Ryuk ransomware attack that took place on December 24th, 2019. The attack resulted in the shutdown of the organisations’ services and may have compromised data containing personal or confidential information. The Clients Prime Database server, which stores all client information, was not affected.

Estée Lauder (US) | Unknown
    On January 30th, 2020, security researcher Jeremiah Fowler discovered a database with no password protection belonging to Estée Lauder and containing 440,336,852 logs and records. Leaked data included references to internal documents; email addresses in plain text, including internal company addresses; and production, audit, error, CMS and middleware logs. The company stated that the leaked email addresses were ‘non-consumer addresses’ from an education platform and that no evidence was found to suggest unauthorised use of the exposed data.

Central Kansas Orthopedic Group (US) | 17,214
    The clinic first discovered ransomware on its computer system on November 11th, 2019 and issued a breach notice on January 9th, 2020. CKOG stated that, although no evidence was found that patient data was misused, an unauthorised individual may have accessed the records. Information in the records included addresses, dates of birth, driver’s license numbers or other forms of ID, health information, health insurance numbers, Social Security numbers and email addresses.

Altice USA Inc (US) | >12,000
    Altice USA Inc suffered a data breach as a result of a phishing attack that occurred in November 2019. Affected individuals were notified on February 5th, 2020. The exposed data included Social Security numbers, dates of birth, and more. Altice found no evidence that any personal data has been misused.

Fifth Third Bank (US) | Unknown
    The Cincinnati-based bank notified an undisclosed number of customers about a data breach caused by a ‘small number of employees’. The employees, who were subsequently fired, gave the personal information of customers to individuals outside the bank. The exposed data includes names, Social Security numbers, driver’s license information, account numbers, and more.

This table shows a selection of leaks and breaches reported this week.
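Two of the entries above (the JailCore S3 bucket and the Estée Lauder database) are exposures of storage that was simply reachable by anyone, not the result of an intrusion. The check a practitioner wants for the S3 case is whether a bucket policy or ACL grants access to an anonymous principal. The following is an added example, not code from Silobreaker, vpnMentor or JailCore: it evaluates bucket policy and ACL documents offline. The documents are constructed for illustration (the bucket name and account ID are made up); in practice the same dicts come from `json.loads(s3.get_bucket_policy(Bucket=b)["Policy"])` and `s3.get_bucket_acl(Bucket=b)` in boto3.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous read access.

Added example with constructed sample documents; not JailCore's real
configuration. Policy evaluation here is deliberately conservative:
it ignores NotPrincipal/NotAction and only reports explicit Allow grants.
"""
import fnmatch

# Canned ACL group URIs that mean "anyone" / "any AWS account".
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a caller enumerate or fetch objects.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (optionally inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    """True if any action pattern (e.g. "s3:*", "s3:Get*") matches a read action."""
    for pattern in _as_list(actions):
        for action in READ_ACTIONS:
            if fnmatch.fnmatchcase(action, pattern.lower()):
                return True
    return False


def public_policy_statements(policy: dict) -> list:
    """Return Sids (or positional tags) of Allow statements readable by anyone.

    Statements that carry a Condition are still reported, but marked, because
    a condition such as aws:SourceIp may legitimately narrow the grant.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        tag = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Condition"):
            tag += " (conditional)"
        findings.append(tag)
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return "Group:Permission" strings for grants to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{group}:{grant.get('Permission')}")
    return findings


def is_public(policy: dict, acl: dict) -> bool:
    """A bucket is exposed if either mechanism opens it up."""
    return bool(public_policy_statements(policy) or public_acl_grants(acl))


# Constructed sample documents (hypothetical bucket and account).
ROLE_STATEMENT = {
    "Sid": "AppRole",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-records/*",
}
POLICY_OPEN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*"},
        ROLE_STATEMENT,
    ],
}
POLICY_PRIVATE = {"Version": "2012-10-17", "Statement": [ROLE_STATEMENT]}

OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}
ACL_OPEN = {"Grants": [OWNER_GRANT, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
ACL_PRIVATE = {"Grants": [OWNER_GRANT]}

if __name__ == "__main__":
    print("open policy:", public_policy_statements(POLICY_OPEN))    # ['PublicRead']
    print("open acl:", public_acl_grants(ACL_OPEN))                  # ['AllUsers:READ']
    print("private bucket public?", is_public(POLICY_PRIVATE, ACL_PRIVATE))  # False
```

Two caveats for real use: S3 Block Public Access settings at the account or bucket level override both mechanisms, so a bucket this script flags may still be blocked, and a policy granting `s3:ListBucket` to `*` on the bucket ARN is enough for an attacker to enumerate object keys even if `GetObject` is not granted, which is why both actions are treated as read.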

Attack Types Mentions in Healthcare

This chart shows the trending Attack Types related to Healthcare over the last week.

Weekly Industry View
Industry | Information

Banking & Finance
    Researchers at Group-IB discovered a total of 461,976 payment records for sale on the popular carding forum Joker’s Stash. The database was put online on February 5th, 2020, as ‘INDIA-BIG-MIX’. Over 98% of the records were found to be from the largest Indian banks. The database contains records with card numbers, expiration dates, CVV/CVC codes, and in some cases cardholders’ full names, email addresses, phone numbers and addresses. Such data is considered ‘fullz’ and was most likely stolen online via phishing, malware, or JS-sniffers.

Critical Infrastructure
    Researchers at FireEye analysed a recent attack by an unidentified Chinese-linked threat group that was launched as part of a campaign targeting construction, transportation and media organisations in Southeast Asia. The attack began with a phishing email sent to the target’s Gmail account. The message contained an embedded OneDrive link which led to a password-protected attachment that delivered the CHAINLNK malware. CHAINLNK then downloaded and executed a newly discovered backdoor dubbed DUOBEAN, which retrieved additional modules from the attacker’s C2 infrastructure and injected them into process memory on the victim’s host.

Retail, Hospitality & Tourism
    Security researcher Jan Kopriva reported on a new PayPal phishing campaign that seeks to steal as much data as possible from its victims, including Social Security numbers, ID details, and bank card PINs. The delivery is similar to previously observed PayPal campaigns, in which the victim receives an email stating their account has been locked due to suspicious login activity. Once redirected to the phishing page, the victim is asked to enter personal details such as name, address and phone number, as well as full card details, including the CSC number. In addition to the typically collected data, the victim is also asked to provide their date of birth, Social Security number, and ATM or debit card PIN. The last page asks the victim to upload a copy of a valid ID or credit card. No confirmation of the upload is presented, which may lead the victim to upload several copies.

Healthcare
    Researchers have discovered that an Advanced Persistent Threat based in India has been targeting Chinese medical organisations in an email phishing campaign. The attackers send emails containing documents titled ‘Preventive measures to cope with coronavirus’ and ‘Application form of Wuhan passengers’ to lure targets into opening them. Targets who do so are redirected to a website hosting malware capable of obtaining sensitive information.

Cryptocurrency
    The Italian cryptocurrency exchange Altsbit notified users of a cyberattack on its platform during which ‘almost all funds from BTC, ETH, ARRR and VRSC were stolen.’ The exchange said funds held in cold wallets were safe, which implies that the majority of its funds were held in hot wallets. The exchange is currently investigating the extent of the theft.

News and information concerning each mentioned industry over the last week.

The Silobreaker Team
