
Threat Summary: 08 – 14 November 2019

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name / Heat 7d)
  • Microsoft Internet Explorer
  • Microsoft Hyper-V
  • Intel CPU
  • Microsoft Edge
  • Microsoft Windows

Deep & Dark Web (Name / Heat 7d)
  • Apple macOS
  • Telegram App
  • Magnitude Exploit Kit
  • Apple iOS
  • Magento

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company (Affected) / Information

InterMed (US) (Affected: 30,000)
InterMed disclosed that an unauthorised party accessed four employees’ email accounts in September 2019. Messages and attachments in the email accounts contained patient information, such as names, dates of birth, health insurance information, a small number of Social Security Numbers, and more.

Veritas Genetics (US) (Affected: Unknown)
Veritas Genetics’ customer-facing portal was subject to a data breach. Details of the security incident are unclear, as Veritas Genetics has not stated when the breach occurred or what information was compromised.

Georgia Institute of Technology (US) (Affected: 1,100)
A staff member at the Georgia Institute of Technology sent out an email containing an attachment with the personally identifiable information of over 1,100 students. Disclosed data included names, ethnicities, GPAs, and school ID numbers.

TennCare (US) (Affected: 43,847)
On November 8th, 2019, TennCare announced that a hacker may have stolen private information belonging to 43,847 members. The compromise was the result of a phishing attack on May 28th, 2019 against an employee at Magellan Health, TennCare’s pharmacy benefits manager. Potentially compromised data includes names, Social Security numbers, member IDs, health plans, provider names and names of prescribed drugs.

Salem Health (US) (Affected: Unknown)
In August 2019, Salem Health discovered that an unauthorised party had gained access to a number of employee email accounts on July 31st, 2019. Patient details in the email accounts included dates of birth, names, and treatment information. It is unclear whether the data was accessed by the intruder.

Delta Dental (US) (Affected: Unknown)
An unauthorised individual gained access to a Delta Dental employee email account in July 2019, and patients have since been informed of the potential data breach. Potentially exposed data includes Social Security numbers, financial account information and credit or debit card information.

ZoneAlarm (US) (Affected: 4,500)
An unauthorised individual gained access to the private data of ZoneAlarm discussion forum users by exploiting a known vulnerability in vBulletin. Exposed data included names, email addresses, hashed passwords and dates of birth.

University of Hertfordshire (UK) (Affected: 2,000)
An email sent out by the university contained an attachment listing all recipients’ names and email addresses, exposing the data of approximately 2,000 students. The university has informed the Information Commissioner’s Office, as well as all affected students, of the data breach.

Starling Physicians (US) (Affected: Unknown)
Starling Physicians was targeted in a phishing attack on February 8th, 2019, and a recent investigation found that the affected email accounts contained personal data belonging to patients. Potentially exposed data includes names, addresses, dates of birth, passport numbers, Social Security numbers, medical information and health insurance or billing information.

Purcellville (US) (Affected: 1,800)
Purcellville residents were recently informed of a 2017 data breach that exposed personal information. The breach was the result of a missing USB stick containing emails of police chief Cynthia McAlister.

BT Security (UK) (Affected: 150)
Following a Westminster Cyber Expo, BT Security sent an email to approximately 150 information security professionals that listed all recipients in the ‘cc’ field rather than the ‘bcc’ field. Recipients were able to see the email addresses and names of other attendees, including those of police and government employees.

Florida Blue (US) (Affected: Unknown)
Personal information of Florida Blue members may have been exposed due to a data breach at its third-party vendor Magellan Health. Less than 1 percent of members are believed to have been affected. Potentially exposed member data includes names, dates of birth and prescriptions. Florida Blue and Magellan Health do not believe the data has been misused.

PrankDial (US) (Affected: Unknown)
Security Discovery researchers discovered a database belonging to PrankDial that was not password protected and contained 138 million records. Among the records were user emails, credentials, password reset tokens, IP addresses and more. No phone numbers were visible. The database has since been secured.

This table shows a selection of leaks and breaches reported this week.

Microsoft Products Mentions in Vulnerabilities

This chart shows the trending Microsoft Products related to Vulnerabilities over the last week.

Weekly Industry View
Industry / Information

Banking & Finance
Anomali researchers, in partnership with a major European financial institution, analysed Cerberus, a banking trojan first discovered by ThreatFabric in June 2019 but believed to have been active since at least 2017. Cerberus is offered as malware-as-a-service on the Russian hacking forum XSS[.]is by a Premium account holder going by ‘Android’. The malware is also advertised on the Twitter account ‘AndroidCerberus’, which claims to be from Ukraine. The threat actor states that their starter kits are pre-packaged with injections for the US, France, Turkey and Italy; however, the researchers found that the injections include targets across 16 countries. The majority of samples analysed targeted banking organisations, whilst some also targeted the e-commerce, FinTech, and telecommunications industries.

Government
Researchers at Kaspersky discovered that the Platinum group, which has been tracked since 2012, has developed a new backdoor named Titanium. The group, described as ‘one of the most technologically advanced APT actors’, primarily targets political, military, and government entities in South and Southeast Asia. The researchers stated that the attack begins with malicious code hosted on local intranet websites. Following the initial infection, the attack proceeds through a sequence of dropping, downloading and installing stages. At each stage of the infection, the attack chain is disguised by mimicking the actions of common software. The final stage of the attack is the deployment of the Titanium backdoor. The backdoor can drop and run files, read files and send them to the attacker’s C2, update configuration patterns, and more.

Technology
Researchers at Trend Micro discovered 49 adware apps, with a collective download count of over 3 million, on the Google Play Store. The applications were primarily related to photography and gaming. The applications use multiple tactics that make detection and termination difficult, such as heavily obfuscated code, strings obfuscated with base64 encoding and custom algorithms, disguised icons, and more. Once installed on a user’s device, the adware registers as a foreground service, which ensures that it keeps running regardless of user interaction. The apps display full-screen adverts at regular intervals, draining the device battery and consuming memory. The malicious applications have since been removed from the Google Play Store.

Retail, Hospitality & Tourism
Researchers at PerimeterX identified two new carding bots, dubbed canary bot and shortcut bot, that are being employed to target e-commerce sites. Canary bot targets e-commerce platforms that are used by thousands of businesses. Before the bot executes the carding attack, it mimics user activity by creating a shopping cart, adding products, and setting shipping information. Shortcut bot attempts to reduce attack time by avoiding the e-commerce websites themselves and directly targeting the card payment vendor APIs used by websites or mobile apps. The researchers stated that in some cases the attackers are discovering API paths that website operators are unaware of.

Cryptocurrency
Security researcher hxFrost discovered a scammer uploading videos to YouTube promoting a key generator that could allegedly be used to steal Bitcoin. The attacker provided a link in the video description which appears to point to a file containing the key generator but in actuality contains Predator the Thief malware. Users who download the software inadvertently infect their machine with the malware. Predator the Thief can steal passwords, steal files, copy the target’s clipboard, download additional malware from the attacker’s C2, and more.

News and information concerning each mentioned industry over the last week.

The Silobreaker Team
