
Threat Summary: 08 – 14 May 2020

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7d
Palo Alto Networks PAN-OS
Advantech WebAccess
FreeRDP
Typo3
Microsoft .NET Framework

Deep & Dark Web
Name Heat 7d
Metasploit
Tenable Nessus
Trillium Security MultiSploit
Netsparker
Microsoft PowerPoint

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company | Information | Affected
Sparboe Companies (US): The operators of Maze ransomware claim to have stolen data from Sparboe Companies in a ransomware attack on May 1st, 2020. A file uploaded by the operators as proof appears to contain current and former employee data, nest-run inventory, expense reports, injury reports, dock schedules, and more. Affected: Unknown
Southeastern Wire (US): The Maze ransomware operators claim to have stolen data from Southeastern Wire before encrypting the company’s IT systems. A total of 20GB belonging to the company was reportedly leaked, consisting of highly sensitive corporate data, including payrolls, production data, tax-related documents, and more. Affected: Unknown
Koller Craft LLC (US): The company was targeted in a Maze ransomware attack, which impacted its IT systems. As proof of the attack, the operators published an undisclosed amount of data stolen from the company before encryption. Affected: Unknown
Government of Madhya Pradesh (India): Security researcher Robert Baptiste reported that the Madhya Pradesh government’s coronavirus web portal exposes the personal details of quarantined individuals. The leaked information includes names, device ID names and numbers, locations, and more. Affected: Unknown
Stadler Rail (Switzerland): The rail vehicle manufacturer stated that on May 7th, 2020, an unidentified attacker infiltrated its network and infected machines. The company revealed that it was ‘highly probable’ that data was exfiltrated. Following the incident, the attackers demanded a large ransom and threatened to leak the company’s data. Affected: Unknown
Professional Association of Diving Instructors (US): Security researcher Bob Diachenko discovered an unprotected Elasticsearch server containing data belonging to the US Professional Association of Diving Instructors (PADI). A total of 2,313,197 records were discovered, which included full names, phone numbers, email addresses, mailing addresses, and dates of birth of individuals registering with PADI. Affected: Unknown
Grubman Shire Meiselas & Sacks (US): REvil ransomware operators claim to have stolen 756GB of data from the law firm. The attackers shared a screenshot of stolen folders containing file names such as Lady Gaga, Madonna, Nicki Minaj, and more. The attackers claim to have contracts, email addresses, non-disclosure agreements, personal correspondence, and more. Affected: Unknown
US Marshals Service (US): On December 30th, 2019, US Marshals were notified by the US Department of Justice of a public-facing server containing the personal data of current and former prisoners. Exposed data may have included addresses, dates of birth and Social Security numbers. Affected: Unknown
DigitalOcean (US): An internal document that contained customers’ personal information was publicly accessible for an unknown period. The document was accessed at least 15 times during its exposure, and detailed information including email addresses, usernames, support notes and the total amount of money paid. Affected: Unknown
Ashtabula County Medical Center (US): The center published a ‘Notice of Data Security Incident’ after accidentally publishing an Excel spreadsheet on its website that contained protected health information about some of its patients. The incident occurred on March 12th, 2020, and the data included names, diagnosis, health, and treatment history information. Affected: Unknown
MobiFriends (Spain): Risk Based Security researchers discovered the credentials of 3.68 million MobiFriends users being distributed on a deep web hacking forum. The leaked data includes dates of birth, genders, website activity, mobile numbers, usernames, email addresses and MD5 hashed passwords. The data had originally been offered for sale by ‘DonJuji’ and attributed to a data breach in January 2019. Affected: 3,680,000
Multiple Companies: A hacker group dubbed Shiny Hunters is selling 73.2 million user records from 11 different companies on a dark web marketplace. Information sold by the hackers comes from Tokopedia, Homechef, Bhinneka, Minted, Styleshare, Ggumim, Mindful, StarTribune, ChatBooks, The Chronicle Of Higher Education, and Zoosk. BleepingComputer stated that the data breaches appear legitimate, despite not all having been confirmed. Affected: Unknown
Pitney Bowes (US): The company was targeted in a Maze ransomware attack. As proof of the attack, the operators published screenshots of directories belonging to the company. At present, it remains unclear what type of data was stolen in the attack, yet the company believes it to be limited. According to a Pitney Bowes spokesperson, the company detected the attack and immediately took steps to avoid the encryption of data. Affected: Unknown
WeLeakData: Researchers at Cyble reported that the database of the now-defunct WeLeakData hacking forum and marketplace is accessible on the dark web. The database exposes member information such as email addresses, usernames, passwords, private messages, and IP addresses. The members of the site were mostly hackers, researchers, crackers, and cybercriminals. Affected: Unknown
Toll Group (Australia): Toll Group provided details concerning the recent Nefilim ransomware attack, stating that the attackers accessed at least one corporate server. This server contained data related to past and present Toll employees, as well as commercial agreements with current and former enterprise customers. The company is currently trying to determine which of the accessed data was exfiltrated. Affected: Unknown
Magellan Health Inc (US): Magellan Health was hit with a ransomware attack on April 11th, 2020, during which the attacker accessed the company’s systems and stole information from one of its corporate servers. This includes confidential company and personal information, such as names, addresses, employee ID numbers, Social Security numbers, and in some cases employee passwords and usernames. Affected: Unknown
Orchard Villa Retirement Community (Canada): An investigation is ongoing into a data breach at the care home, which may have exposed the personal and health information of its residents. Orchard Villa has informed the Information Privacy Commissioner Office of the data breach. Affected: Unknown
Multiple Companies: Comparitech researchers found that 4.8% of apps using Google Firebase are leaking sensitive user data via unsecured databases. It is estimated that about 24,000 apps have misconfigured databases. The databases exposed email addresses, usernames, passwords, phone numbers, full names, chat messages, GPS data, IP addresses, and street addresses. Credit card numbers and identification documents were also found in some cases. Affected: Unknown
Aeries Software Inc (US): The student data management system software provider notified customers of a data breach incident which impacted 166 databases on or about November 4th, 2019. The incident exposed parent and student login information, physical addresses, email addresses, and student permanent IDs. Password hashes may also have been exposed. Affected: Unknown
HEPACO LLC (US): The company stated that an unauthorised party accessed employee email accounts between August 8th and October 24th, 2019. The breach impacts current and former clients and employees. Potentially accessed information includes names, dates of birth, Social Security numbers, medical information, credit or debit card numbers, and more. Affected: Unknown
Government of New South Wales (Australia): The government of New South Wales (NSW) confirmed it was the victim of a malicious phishing attack on April 22nd, 2020. An investigation into the attack revealed that an unauthorised individual had accessed 47 Service NSW staff email accounts, which may have contained personal customer data. Affected: Unknown
North Shore Pain Management (US): Data belonging to the practice was posted on the Ako ransomware site. The data, which amounted to over 4GB, was composed of 4,000 files, many of which were PDF scans of bank account information, health insurance information and more. The breach exposed patients’ and employees’ names, addresses, treatment codes, Social Security numbers, and more. Affected: Unknown
Government of Nova Scotia (Canada): Decisions made by the Nova Scotia Workers Compensation Appeals Tribunal between 1998 and 2009 were posted on the Canadian Legal Information Institute site without properly redacted information. Information exposed in the incident includes workers’ names, the names of their employers, and personal information. Affected: Unknown

This table shows a selection of leaks and breaches reported this week.
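Several of the incidents above (the PADI Elasticsearch server, the DigitalOcean document, the Firebase-backed apps) share one root cause: a data store reachable without any access rule. The following is an added example, not part of the Silobreaker report and not Comparitech's own tooling: a small Python checker that walks a Firebase Realtime Database rules document and reports every path whose `.read` or `.write` rule is unconditionally true, or that merely requires any signed-in user. The three rules documents it is run on are constructed for illustration; the function names are this example's own.

```python
"""Lint Firebase Realtime Database security rules for over-broad access.

Added example (hypothetical helper names). Firebase rules cascade: a rule
that grants access at a path grants it to everything beneath that path, so
an unconditional `.read`/`.write` at the root exposes the whole database.
"""
import json

# Constructed example: the wide-open "test mode" shape that leaks data.
OPEN_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Constructed example: any authenticated user can read and write everything.
AUTH_ONLY_RULES = json.dumps({"rules": {".read": "auth != null",
                                        ".write": "auth != null"}})

# Constructed example: records scoped to their owner; one intentionally
# public, read-only config node is the only world-readable path.
SCOPED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public_config": {".read": True, ".write": False},
    }
})


def _classify(expr):
    """Return 'public', 'any-authenticated', or None for a rule expression."""
    # Firebase accepts the boolean true and the string "true" interchangeably.
    if expr is True or (isinstance(expr, str) and expr.strip().lower() == "true"):
        return "public"
    # Only a null check: every signed-in account, including anonymous auth.
    if isinstance(expr, str) and expr.strip() == "auth != null":
        return "any-authenticated"
    return None


def find_open_rules(rules_json):
    """Return [(path, op, severity)] for every over-broad read/write rule.

    op is 'read' or 'write'; path is the rules-tree location ('/' = root).
    Findings are in document order so the cascading root rules come first.
    """
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                severity = _classify(value)
                if severity:
                    findings.append((path or "/", key[1:], severity))
            elif isinstance(value, dict):
                # Child keys, including "$uid"-style wildcards, are sub-paths.
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def is_publicly_writable(rules_json):
    """True if any path can be written without authentication."""
    return any(op == "write" and sev == "public"
               for _, op, sev in find_open_rules(rules_json))


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("auth-only", AUTH_ONLY_RULES),
                        ("scoped", SCOPED_RULES)):
        print(name, find_open_rules(rules), "public write:",
              is_publicly_writable(rules))
```

A public read on a deliberately public node (the constructed `/public_config`) is reported too; the point of the checker is to make every world-readable path an explicit decision rather than a default. An `auth != null` rule is reported separately because it still exposes the data to anyone who can create an account.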

Malware Mentions in relation to the Coronavirus

This chart shows the trending malware related to the Coronavirus over the last week.

Weekly Industry View
Industry | Information
Banking & Finance: Researchers at IBM reported that the Zeus Sphinx banking trojan, which first appeared in 2015, is being used again to target North American banks. The malware, which was described by the researchers as ‘an on-and-off type of operation’, was updated in late 2019 and has been spread in the first quarter of 2020 via malspam campaigns. Changes to the trojan include new persistence mechanisms, injection techniques, bot configurations, and more.
Critical Infrastructure: The Swiss-based rail vehicle manufacturer Stadler Rail stated that on May 7th, 2020, an unidentified attacker infiltrated its network and infected machines. The company revealed that it was ‘highly probable’ that data was exfiltrated. Following the incident, the attackers demanded a large ransom and threatened to leak the company’s data.
Government: Researchers at Check Point reported that the China-based APT group Naikon has been targeting government entities in Australia, Indonesia, Vietnam, Thailand, and other countries in the Asia Pacific region. The group, which appeared to have been quiet since 2015, has been silently updating its TTPs and infrastructure. The attackers used common tools such as the RoyalRoad RTF weaponizer, and their own tools such as the Aria-body backdoor. The researchers stated that the group’s attacks focus on espionage activity. The attackers have been seen launching attacks from breached government entities and utilising compromised servers within infected ministries for C2 purposes.
Healthcare: According to Reuters and three cybersecurity researchers, biopharmaceutical company Gilead Sciences Inc has recently been targeted by Iranian-linked hackers. One of the attacks involved sending a fake email login page to a top Gilead executive. Ohad Zaidenberg of ClearSky stated that the attackers are trying to gain access to staff email accounts by posing as journalists. Two other cybersecurity researchers, who chose to stay anonymous, stated that the hosting servers and web domains used in the attack are linked to Iran. It is unclear if the attacks succeeded. Iran has denied any involvement in the attacks, while Gilead Sciences Inc refused to comment on the matter.
Law: On May 8th, 2020, the Office of Court Administration detected a ransomware attack on the IT systems of the appellate courts and judicial agencies in the Texas Judicial Branch. In response, the branch network, including websites and servers, was shut down to prevent any further damage. No evidence was found to suggest that personal information was compromised in the attack.

News and information concerning each mentioned industry over the last week.

The Silobreaker Team
