13 May 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7
Foxit Reader
Adobe Acrobat Reader
Qualcomm Snapdragon
WPA3 Wi-Fi Protected Access 3
Siemens Simatic HMI
Deep & Dark Web
Name Heat 7
Roblox
WPA3 Wi-Fi Protected Access 3
Microsoft Internet Explorer 11
Apple MacBook
Ethereum 2.0

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Company (country) | Information | Affected (number of individuals or records; "Unknown" where not disclosed)
Volue Technology (Norway) The technology supplier was hit by Ryuk ransomware on May 5th, 2021. The attack encrypted some of the firm’s files, databases and applications. All affected front-end customer platforms were shut down for security assessments. Unknown
UPMC Cole and UPMC Wellsboro (US) The data of UPMC patients was compromised during the CaptureRx ransomware incident. The exposed data includes health information. 7,400 
Lourdes Hospital (US) The data of the hospital was compromised during the CaptureRx ransomware incident. Unknown
Thrifty Drug Stores (US) The data of the store chain was compromised during the CaptureRx ransomware incident. Unknown
Cluj County Council (Romania) The council had its website defaced to display a message claiming all their files have been encrypted and stolen. The hackers, calling themselves ‘Meowless,’ threatened to publish the stolen files if a $100 ransom is not paid. According to the council, no personal data was impacted. Unknown
Unknown (India) Comparitech researchers identified a visa assistance website for travelers to India that is leaking visa applications. Among the exposed data are passport scans, passport-style headshot photos, names, ages, email addresses, national ID numbers, passport numbers, and more. Credit card numbers and other payment information were not exposed. 6,516
Pacific Biomarkers (US) A malware attack on its server resulted in data being accessed without authorisation between September 26th and November 9th, 2020. The compromised data appears to relate to Washington residents who participated in clinical trials in the mid-1990s. The information includes Social Security numbers, driver’s licenses, medical information, payment card information, passport numbers, and more. 957
Unknown SafetyDetectives researchers discovered an open ElasticSearch database containing direct messages between Amazon vendors and customers offering to provide fake reviews in exchange for free products. A total of 7GB, with over 13 million records, was exposed. This included the personal data of an estimated 200,000 individuals, including email addresses, phone numbers, Amazon and PayPal account details, as well as usernames that often contained full names. Unknown
Unknown Security researcher Bob Diachenko identified an exposed Elasticsearch server exposing millions of authentication cookies and hundreds of thousands of stolen passwords. The data came from users infected with the malware-as-a-service Raccoon Stealer. The server also contained personal data, such as email addresses, usernames, and device details. Unknown
Medtronic (US) On March 12th, 2021, an unauthorised actor briefly accessed the devices of an employee of the medical device company. An investigation was unable to determine whether the actor accessed any information or took any screenshots. Customers’ names, addresses, phone numbers, emails, dates of birth, and Social Security numbers may have been compromised during the incident. Unknown
RX Pharmacies (US) The Pharmacy chain detected suspicious activity resulting in an email compromise on October 6th, 2020. Protected health information and personal information may have been compromised during the incident. Unknown
Mayor of Chicago (US) On April 19th, 2021 DDoSecrets dumped a cache of tens of thousands of emails containing the details of Mayor Lori Lightfoot’s administration. Among the files are about 50,000 documents and nearly 750,000 images. DDoSecrets stated they had discovered the files on the dark web after Clop ransomware operators had stolen them from Jones Day, one of several companies impacted by a series of breaches that had targeted Accellion. Unknown
Colonial Pipeline (US) On May 6th, 2021, DarkSide ransomware attackers infiltrated the pipeline’s network and stole 100GB of data before proceeding to encrypt files the following day. Unknown
American Family Insurance Attackers used names and dates of birth, acquired from another source, to obtain information via the company’s quote platform, including driver’s license numbers. Customers who had not made a claim between February 6th and March 19th, 2021, may have been impacted. The company warned that the exposed data may be used to make fraudulent unemployment benefit claims. 283,734
Noblr Reciprocal Exchange (US) The company first identified suspicious activity on January 21st, 2021. Attackers used names and dates of birth, acquired from another source, to obtain additional information via the company’s quote platform, including driver’s license numbers. 97,633
The Three Affiliated Tribes (US) The organisation informed its staff on April 28th, 2021, that it was attacked in what is believed to be a ransomware incident. DataBreaches[.]net noted that three additional tribes were recently listed on data leak sites, including Squamish Nation, Washoe Tribe, and Colorado River Indian Tribes. Unknown
MedNetwoRX (US) The CompuGroup Medical data center partner was targeted in a ransomware attack on April 22nd, 2021, resulting in some customers not being able to access their Aprima electronic health record systems. Unknown
United Overseas Bank (Singapore) The bank disclosed that an employee became the victim of a China police impersonation scam and revealed the personal details of customers who are Chinese nationals. Exposed data included names, identification and mobile numbers, and account balances. 1,166
TC Transportation (US) On March 22nd, 2021, the company identified that it had been hit in a ransomware attack that resulted in the encryption of certain servers. Attackers had unauthorised access to certain systems between March 4th and March 22nd, 2021. The attackers appear to have accessed names, Social Security numbers, and Department of Transportation-required drug test results of applicants and of former and current employees. Unknown
Wolfe Eye Clinic (US) The clinic is currently investigating an attack against its systems that took place in April 2021. It was added to the Lorenz data leak site on April 1st, 2021, with the actor selling the clinic’s data and access to its internal network. It remains unclear whether any patient data was accessed or stolen. Unknown
Unknown CyberNews researchers discovered 29,219 unsecured Hadoop, MongoDB, and Elasticsearch databases exposing nearly 19 petabytes of data. Most of the exposed databases were located in China, followed by the United States, Germany and India. Unknown
The Edinburgh Practice (UK) The mental health clinic was targeted in a phishing attack resulting in the actor accessing patient email addresses. Patients reported phishing attacks resulting from the incident. Unknown
Brevard County School Board (US) Twelve email accounts of the school board’s employees, which were subject to unauthorised access in October 2020, may have exposed identifying information, including some Social Security numbers. 10,000
Veja (France) The eco-friendly footwear brand was targeted in a cyberattack on April 26th, 2021. The attackers obtained a database featuring customer emails. According to the company, no banking information was affected while stolen passwords were encrypted. Unknown
University of Florida Shands (US) A former employee accessed a number of medical records outside the scope of their duties during the incident, which took place between March 30th, 2019 and April 6th, 2021. The data involved demographic information, including names, addresses, phone numbers, medical record numbers and dates of birth, as well as clinical information. 1,562
San Diego Family Care (US) The SDFC is informing its current and former patients and employees of a breach potentially involving personal information. It was first identified in December 2020, after SDFC and its business associate Health Center Partners of Southern California were informed of a ransomware attack against their information technology hosting provider, Netgain Technology. Unknown
Timberland Regional Library (US) An investigation into suspicious activity revealed that the email accounts of two employees had been accessed without authorisation between August 21st, 2020 and January 25th, 2021. Limited personal data was present in the accounts, including dates of birth. Unknown
SEIU 775 Benefits Group (US) An unauthorised individual accessed the group’s systems on April 4th, 2021, and deleted some files with personal and protected health information. The affected files include names, addresses, Social Security numbers, and more. There is reportedly no evidence that any files were accessed, downloaded, exfiltrated, or misused. 140,000
Herff Jones (US) The University of Houston cap and gown vendor suffered a data breach exposing students’ payment data. According to the university, the breach is not unique to Houston and affects other clients across the United States. Some victims have reported fraudulent card activity resulting from the breach. Unknown
Logansport Community School (US) The Indiana school was hit by Pysa ransomware on April 11th, 2021, possibly resulting in the theft of unspecified data. The ransomware operators added the school to their leak site, and dumped approximately 40GB of documents. Unknown
Centennial School District (US) Babuk ransomware operators published 10GB of data allegedly stolen from the Oregon school. Unknown
SAC Health Systems (US) The company disclosed that the data of its patients may have been accessed due to an incident that impacted its former third-party service provider Netgain Technology. The data varied for each potentially impacted individual but may have included a combination of names, addresses, Social Security Numbers, dates of birth, tax identification numbers, medical histories, and more. Unknown
Yamabiko Corporation (Japan) The operators of Babuk ransomware claim to have stolen 0.5TB of data from the company. The attackers also posted screenshots of accessed files, which include file systems, Solidworks files, personal information relating to employees, financial reports, and more. Unknown
United Valor Solutions (US) On April 18th, 2021, security researcher Jeremiah Fowler identified a non-password protected database containing 189,460 records. The exposed information included names, email credentials, dates of birth, medical record numbers, doctor information, and more. A ransomware note was also found in the dataset, claiming that the records had been downloaded. Unknown
BabyChakra (India) Researchers at vpnMentor found a misconfigured AWS S3 bucket belonging to the parenting platform. The exposed files include user uploaded photos featuring children, families, medical test results and prescriptions. Additionally, the unsecured bucket stored invoices and packing slips revealing the names, phone numbers, addresses, and more of over 55,000 people. The database also contained over 132,000 records such as names, phone numbers, and more obtained from a wide range of sources. Unknown
Municipality of Konya (Turkey) Konya confirmed it was targeted in a cyberattack on March 29th, 2021. According to the Sözcü newspaper, ID numbers and other personal information was stolen in the attack. The data has since been posted on a hacker forum by ‘Maxim Gorki.’ 1,000,000
Muckross Park Hotel & Spa (Ireland) Muckross Park Hotel & Spa suffered a cyberattack that targeted an email account associated with the hotel. The breach may have allowed an unauthorised actor to access some email addresses of the hotel’s guests. Unknown

Attack Type mentions in Critical Infrastructure

[Time-series chart not reproduced in this text version.]

This chart shows the trending Attack Types related to Critical Infrastructure over the last week.

Weekly Industry View

Industry View
Industry | Information
Banking & Finance Cleafy researchers discovered a new Android banking trojan dubbed TeaBot, distributed as fake apps impersonating DHL, UPS, VLC Media Player, and other legitimate services. The malware targets Spanish, Italian, German, French, Belgian, and Dutch banks. TeaBot can steal credentials and SMS messages, log keystrokes, and perform overlay attacks against 60 predefined banking apps. By abusing Android accessibility services, the attackers can also livestream the infected device’s screen and interact with it, obtaining full control of the device.
Technology MIT Technology Review learned that US government surveillance spotted the Chaos exploit for Apple iPhones being used against the Uyghur minority in China. The exploit was developed by Qihoo 360 researcher Qixun Zhao for the inaugural Chinese hacking competition, the Tianfu Cup, in November 2018. Apple released an update patching the flaw in January 2019, but exploitation in the wild reportedly predated the fix. US officials are reportedly concerned about the links between the organisers of the Tianfu Cup and the Chinese military.
Retail & Tourism Microsoft warned of an ongoing spear phishing campaign that is targeting organisations in the aerospace and travel sectors. The campaign involves phishing emails impersonating legitimate organisations that contain a new loader, dubbed Snip3, which is used to deliver RevengeRAT or AsyncRAT. The aim of the campaign is to harvest and steal data from targeted devices.
Education Researchers at Sophos recently responded to a Ryuk ransomware attack against a European biomolecular research institute that led to the institute losing a week of research data and having to rebuild its computers and servers from the ground up. The incident was traced back to a student working with the institute who downloaded a cracked version of a visualisation software tool, which contained info-stealing malware, onto their personal laptop. The malware exfiltrated the student’s credentials, which allowed access to the institute’s network via its remote-access service. The operators of the malware possibly sold the credentials on an underground market, where they were purchased by the ransomware attackers.
Critical Infrastructure On May 6th, 2021, DarkSide ransomware attackers infiltrated Colonial Pipeline’s network and stole 100GB of data before proceeding to encrypt files the following day. These actions impacted some of the company’s IT systems, and pipeline operations were halted as a precaution. James Chappell of Digital Shadows believes the attackers gained initial access by purchasing account login details for remote desktop software. The DarkSide operators released a statement suggesting the incident was carried out by an affiliate, and stated that future affiliates will be vetted to prevent social consequences. The pipeline restarted operations on May 12th.

News and information concerning each mentioned industry over the last week.
