09 – 15 October 2020

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name | Heat 7
Adobe Flash Player
SonicOS
Apple iCloud
Microsoft Outlook
IBM Curam Social Program Management

Deep & Dark Web
Name | Heat 7
Apple iCloud
Pulse Connect Secure
Hindotech HK1 TV Box
PyInstaller
Microsoft Server Message Block

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Company | Information | Affected
Sam’s Club (US) | Sam’s Club has been notifying certain customers that their accounts may have been compromised by unauthorised parties. The company stated that the breached credentials were not stolen from Sam’s Club but were likely obtained via credential stuffing, phishing attacks, or data breaches that impacted other companies. | Unknown
Airlink International UAE (UAE) | Cyble Inc researchers identified a threat actor sharing leaked Airlink International UAE data on two dark web platforms. The initial data leak was first reported by DefCon Lab on May 30th, 2020, and was due to a misconfigured server. The data shared by the threat actor consists of 14 folders and 53,555 files containing passport scans, flight bookings, hotel bookings, and more. | Unknown
Dr Lal PathLabs (India) | The company stored hundreds of spreadsheets with patient data in an AWS bucket without password protection. The leak, discovered by security researcher Sami Toivonen in September 2020, allegedly contained ‘millions of individual patient bookings’ featuring their name, date of birth, address, phone number, and more. It is unknown how long the information was exposed and whether it was viewed or obtained by third parties. | Unknown
Friendemic (US) | Security researcher Aaron Phillips discovered a data leak attributed to Friendemic on September 12th, 2020. The company stored the data in an Amazon S3 bucket accessible without authentication. Over 2.7 million records were exposed, including names, phone numbers, email addresses, and more. | Unknown
Georgia Department of Human Services (US) | Hackers gained access to some employee email accounts between May 3rd and May 15th, 2020, that contained the personal information of adults and children involved with Child Protective Services. This includes names, county of residence, case and identification numbers, Social Security numbers, Medicaid identification numbers, and more. | Unknown
Docsketch (US) | Docsketch emailed customers informing them that an unauthorised party accessed a copy of its database in early August 2020. The company stated that the attackers could see the information that users and users’ recipients entered into form fields. Exposed data included names, signatures, payment card details, and more, as well as login information. The company asserted that all passwords are salted and hashed. | Unknown
Bitexlive (Turkey) | CyberNews reported that the cryptocurrency exchange platform exposed support tickets via the socket, allowing any site visitor to view information related to the support tickets. This included the time of requests, the name and email of the ticket creator, the full text of the ticket, and more. The issue was reported to the company and appears to have been resolved. | Unknown
EW Wylie (US) | Freight Waves reported that Conti ransomware operators published thousands of internal files allegedly stolen from the trucking company on a dark web site. The documents contain trip reports from truck drivers, as well as ‘significant amounts of personal information.’ | Unknown
Playback Now (US) | Researchers at Malwarebytes identified dozens of Magento sites hosted on an IP address belonging to Playback Now that had been injected with a reference to credit card skimmer code. The attackers served the code and collected stolen data on a recently registered domain which impersonated Playback Now. The researchers speculated that the attack could be due to the impacted sites running a vulnerable version of the Magento CMS, for which an exploitation tool was recently released. | Unknown
Software AG (Germany) | The company was targeted in a cyberattack on October 3rd, 2020, during which data was downloaded from employee notebooks and its servers. BleepingComputer reported that the attack involved Clop ransomware. The attackers claim to have stolen roughly 1 TB of data which they allege contains reports, documents, contact lists, mail correspondence, and more. The company has since stated that stolen data was publicly released by the hackers. | Unknown
State of Hawaii (US) | Hawaii is currently investigating a potential data breach affecting people who applied for a travel exemption via the state Attorney General’s website between September 18th and September 21st, 2020. The system may have been exploited to gain access to the personal information of other applicants, including names, phone numbers, and copies of state IDs. It remains unclear whether any data was actually compromised, and the system has since been fixed. | ~150
HomeWAV (US) | Security researcher Bob Diachenko discovered that the prison video visitation provider exposed a dashboard for one of its databases on the internet. According to HomeWAV’s CEO, the unprotected database was exposed due to a third-party vendor. The exposed database allowed access to call logs and transcriptions of inmate calls to their family and friends, as well as to their attorneys. | Unknown
Walled Lake Consolidated Schools District (US) | The Michigan school district was targeted in a cyberattack disclosed on October 11th, 2020. According to a statement by the district, the attackers successfully breached the schools’ system and may have accessed ‘credential and other information.’ | Unknown
Lonrho (UK) | Cyble Inc researchers discovered a leak warning issued by Avaddon ransomware operators to the London-based investment firm Lonrho. The actor published evidence of 74.5GB of files from a folder titled ‘Finance’ purportedly exfiltrated from the company and threatened to leak the files around October 15th, 2020. | Unknown
Oswego Health (US) | A letter sent to patients by the New York-based healthcare system stated that it had discovered unauthorised access to one of its employee email accounts between June 11th and June 15th, 2020. Becker’s had initially reported on an Oswego Health breach on June 17th, which referred to an employee email account that was compromised on June 16th, 2020. DataBreaches[.]net notes that the two incidents are likely related. | Unknown
Metaformers Inc (US) | A security incident at Metaformers Inc may have exposed the personal data of 570 current and former Lexington city employees. Potentially compromised data includes Social Security numbers, addresses and dates of birth. The breach was caused by a cyberattack against Metaformers’ email server in July 2020. | 570
Various IP Cameras | Hackers reportedly stole and leaked 3TB of footage taken from Internet Protocol (IP) cameras to pornographic sites. The majority of footage appears to come from IP cameras in Singapore, but some victims also appear to be from Thailand, South Korea and Canada. | Unknown
Indian Railway Catering and Tourism Corporation | Cyble Inc researchers observed a user on the dark web sharing data allegedly containing records from the railway company, claiming that the information was taken from a 2019 data leak. The researchers analysed the data and found it contained at least 900,000 unique rows of user information, including mobile numbers, dates of birth, gender, marital status, names, cities and states. | Unknown
Intcomex (US) | CyberNews researchers discovered Intcomex data being leaked on a popular Russian hacker forum, with one part leaked on September 14th and the second part on September 20th, 2020. The leaker originally stated they would release the entire database over an undisclosed period of time; it reportedly contains full credit card details, document scans, Social Security numbers, dates of birth, addresses, financial documents, employee information, and more. | Unknown
Barnes & Noble (US) | The bookseller was hit by a cyberattack on October 10th, 2020, during which the attacker gained access to corporate systems and possibly personal data of customers. Potentially accessed information includes email addresses, billing and shipping addresses, telephone numbers, and purchase histories. BleepingComputer speculated that the incident could be a ransomware attack. | Unknown
Fisher & Paykel (New Zealand) | Nefilim ransomware operators published part 3 of the documents stolen from Fisher & Paykel, which appears to consist largely of financial documents. Previous parts were released in June and July 2020, following a ransomware attack against the company. | Unknown

Attack Types Mentions in Critical Infrastructure

This chart shows the trending Attack Types related to Critical Infrastructure over the last week.

Weekly Industry View

Industry View
Industry | Information
Banking & Finance | 360 Total Security researchers discovered a new trojan distribution framework, dubbed SolarSys, that is mainly active in Brazil. The framework is distributed using fake MSI installers for programmes such as Java and MS HTML Help. It consists of multiple modules, including a stealer module for the Google Chrome browser, which collects login credentials, browsing history and other data, and a banking trojan, which detects the user’s browsing activity and presents them with a fraudulent banking interface corresponding to a number of Brazilian banks.
Government | The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation, warned that APT actors are targeting legacy vulnerabilities in combination with the critical Windows Netlogon flaw CVE-2020-1472, also known as Zerologon. The attacks often targeted federal, state, local, tribal, and territorial government networks. In some cases, the attackers gained access to election support systems; however, CISA stated that election data appears uncompromised.
Education | Malwarebytes researchers observed the Iran-linked threat actor Silent Librarian targeting universities globally in a series of ongoing phishing campaigns. The group registers subdomains that imitate the targeted organisation, with only the top-level domain being different. A number of phishing sites were discovered, most of which use Cloudflare to hide their hosting origin. The researchers note that, although many of the group’s sites have been taken down, Silent Librarian is currently one step ahead and continues to go after many targets at once.
Law | The US-based law firm Seyfarth stated it was targeted in a ‘sophisticated and aggressive’ ransomware attack on October 10th, 2020, that encrypted many of its systems. According to the company, a number of its entities were impacted simultaneously by the attack, including its email system. No evidence was found to suggest that any client or firm data was accessed or removed during the attack.
Cryptocurrency | ZDNet discovered multiple Bitcoin accounts that were used to gather stolen funds from attacks against users of the Electrum wallet app. The attacks took place throughout 2019 and 2020, with the most recent occurring in September 2020. The campaigns involved a fake update request sent via a popup message to Electrum wallet users. The technique, first observed in 2018, involves attackers abusing a loophole in Electrum that allows anyone to set up an ElectrumX gateway server. Once the fake update was applied, the user’s funds were stolen and sent to the attacker’s Bitcoin account.

News and information concerning each mentioned industry over the last week.