Threat Summary: 10 – 16 April 2020

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name, Heat 7d)
  • Oracle E-Business Suite
  • Snapdragon Mobile
  • Oracle MySQL
  • Oracle Fusion Middleware
  • Microsoft SharePoint Server

Deep & Dark Web (Name, Heat 7d)
  • Google Android
  • Snapchat App
  • DomainMOD
  • Bitcoin
  • Google Gmail

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company | Information | Affected
Unknown (Pakistan) | Rewterz researchers discovered a data dump containing the data of Pakistani mobile users being offered for $2.1 million in Bitcoin. The stolen data includes users' full names, addresses, mobile numbers, national identity card (NIC) numbers and tax numbers. The researchers are unsure whether the dump stems from a single breach or several, and whether one telecom operator or several were affected. | 115,000,000
Quidd (US) | RiskBased Security researchers reported that the online marketplace for trading stickers, cards, toys and other collectibles appears to have suffered a data breach in 2019. The details of roughly four million users are now being shared on underground hacking forums, including usernames, email addresses and hashed account passwords. | 4,000,000
RigUp (US) | vpnMentor researchers discovered an exposed AWS S3 bucket belonging to RigUp, a labour marketplace and services provider for the US energy sector. The bucket contained over 70,000 private files related to HR, recruitment and a variety of other business activities of companies and individuals using RigUp's platform, including resumes, personal photos, IDs, professional certificates, Social Security details, birthdates, full contact details and other personally identifiable information. | Unknown
Monte dei Paschi (Italy) | Some employees' email accounts were accessed and used to send emails containing voice attachments to clients. | Unknown
SCUF Gaming (US) | Comparitech researchers discovered a database without password protection containing over 1.1 million customer records, including customer names, contact information, payment information, order histories and more. A ransom note was also found in the database, claiming that its contents had been downloaded and demanding 0.3 Bitcoin. According to SCUF Gaming's parent company Corsair, an automated bot had connected to the database but was not connected long enough to download it. | Unknown
Brandywine Urology Consultants (US) | On March 28th, 2020, the practice revealed that it was hit with a ransomware attack that appears to have begun on January 25th, 2020. The notification states that 'It is possible, though we believe that it is unlikely' that names, addresses, medical file numbers and similar information were compromised. Information held in the electronic medical records system was not compromised. | Unknown
Lafayette Regional Rehabilitation Hospital (US) | Following a first data breach disclosed in January 2020, the hospital discovered a second incident in which an employee email account was compromised between February 3rd and February 8th, 2020. The hospital began notifying patients of this second incident on April 10th, 2020. Potentially exposed information includes names, dates of birth and possibly care information; some individuals may also have had their Social Security numbers exposed. | Unknown
Doctors Community Medical Center (US) | On April 13th, 2020, the hospital revealed that several employees had been successfully targeted in a phishing attack, giving an attacker access to employee accounts between November 6th, 2019 and January 30th, 2020. Through the email accounts the attacker could have accessed patient information such as names, addresses, dates of birth, Social Security numbers, military identification numbers and more. | Unknown
Saint Francis Ministries (US) | On April 10th, 2020, Saint Francis Ministries revealed that an unauthorised third party had gained access to an employee email account between December 13th and December 20th, 2019. The attacker could have used the account to access Social Security numbers, dates of birth, drivers' licence numbers, names, treatment cost information, health insurance information and more. | Unknown
San Francisco International Airport (US) | The airport disclosed that hackers had gained access to the SFOConnect and SFOConstruction websites. The attacks, which occurred in March 2020, involved the insertion of malicious code into the websites, which was then used to capture some users' login credentials. | Unknown
Energias de Portugal | RagnarLocker ransomware operators claim to have exfiltrated over 10TB of company files, which they are threatening to leak unless they are paid 1,580 Bitcoin (approximately $10.9 million). The group has already leaked a KeePass password manager database that includes EDP employees' login names, passwords, accounts and more. | Unknown
Rocket Text (US) | On March 13th, 2020, security company Vigilante and researcher Bob Diachenko reported that Rocket Text, formerly known as ApexSMS, had leaked customer details through an exposed MongoDB database containing over 63 million customer phone numbers and email addresses. | Unknown
Wappalyzer (Australia) | A hacker going by the name 'CyberMath' emailed Wappalyzer customers claiming to have access to the company's database, offering to sell it for $2,000 in Bitcoin and providing screenshots of the stolen files. According to the company, the database largely contained 'technological data' and no personal information, but did contain the email addresses of up to 16,000 customers and a small number of billing addresses. | 16,000
Washington University School of Medicine (US) | The protected health information of 14,795 oncology patients may have been accessed by an unauthorised individual as a result of a phishing attack against the email account of a research supervisor in January 2020. Exposed data includes names, dates of birth, medical record numbers, patient account numbers and more; in some cases, health insurance and Social Security numbers may also have been exposed. | 14,795

This table shows a selection of leaks and breaches reported this week.

Malware mentions in relation to the coronavirus outbreak

This chart shows the trending malware related to the coronavirus outbreak over the last week.

Weekly Industry View
Industry | Information
Banking & Finance | Researchers at IBM reported that Grandoreiro, a banking trojan first seen in Brazil, is now being used against targets in Spain. The malware is commonly spread through malspam containing a URL that redirects victims to a malicious site, and has recently been delivered in a coronavirus-themed campaign. Grandoreiro collects a variety of information and waits in the background until the victim visits one of the targeted banking sites; once the victim has logged in, the attacker can display full-screen overlay images and then either move money or ask the target to divulge their credentials. The researchers found that the Grandoreiro source code used in Brazil and in Spain is 80-90% identical, which led them to believe there are ties between the operators in the two countries.
Critical Infrastructure | RagnarLocker ransomware operators claim to have exfiltrated over 10TB of company files belonging to Energias de Portugal (EDP), which they are threatening to leak unless they are paid 1,580 Bitcoin (approximately $10.9 million). The group has already leaked a KeePass password manager database that includes EDP employees' login names, passwords, accounts and more. BleepingComputer reported that the attackers goaded EDP in a live chat 'client room', telling the company to check tech blogs and stock market sites to see how the incident was being reported.
Government | The Wall Street Journal reported that hackers took advantage of unpatched flaws in Citrix enterprise software to compromise parts of the New York State government's network. The intrusion was discovered on January 28th, 2020, but was not disclosed by officials until after the story was reported on April 13th, 2020. The attack, which allegedly originated outside the US, targeted databases used by the New York State Police, the Department of Civil Service and the Department of Environmental Conservation.
Retail, Hospitality & Tourism | Researchers at Sucuri discovered a credit card swiper running on the site of a client using WordPress and WooCommerce. The researchers stated that 'a dedicated credit card swiping malware within WordPress is something fairly new.' The injected JavaScript stored card numbers and CVVs in plain text in a cookie.
Healthcare | Researchers at Unit 42 identified an attacker attempting to deliver an EDA2 ransomware variant to a Canadian government healthcare organisation and a Canadian medical research university, both involved in responding to and researching coronavirus. The attacks took place between March 24th and March 26th, 2020. The malware was distributed via a coronavirus-themed email carrying a malicious RTF document that attempted to drop the ransomware by exploiting CVE-2012-0158, a long-patched vulnerability in the Microsoft Windows Common Controls (MSCOMCTL) ActiveX component. The researchers also reported that the AgentTesla information stealer was being used in coronavirus-themed attacks, with targets including a US defence research organisation, a Korean chemical manufacturer, a Japanese research institute and a Turkish government agency, among others. None of the attacks covered in their report successfully infected their targets.

News and information concerning each mentioned industry over the last week.
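The Sucuri finding in the Retail, Hospitality & Tourism row (card numbers and CVVs written into a cookie by injected JavaScript) leaves an artefact a defender can hunt for in captured Cookie headers or in document.cookie. The script below is an added example, not code from Sucuri, from the swiper, or from the original report: it parses a cookie header, looks for digit runs of card-number length that pass the Luhn check, and reports them masked, flagging a separate three or four digit group in the same value as a likely CVV. The cookie header, cookie names and card numbers are constructed test data, and the Luhn-plus-length heuristic is this example's own assumption about what a stashed PAN looks like, not a description of the skimmer's code.

```javascript
// Added example (not Sucuri's or the original page's code): find card-number-
// like values stashed in cookies, the trace a skimmer that writes PAN+CVV into
// a cookie leaves behind. The Luhn + length heuristic is this example's own
// assumption about what a stashed PAN looks like.

// Luhn checksum over a string of ASCII digits; true when the number is valid.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Parse a "name=value; name2=value2" string (the format of a Cookie request
// header or of document.cookie) into {name, value} pairs, URL-decoding values.
function parseCookieHeader(header) {
  return header
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => {
      const eq = pair.indexOf('=');
      const name = eq < 0 ? pair : pair.slice(0, eq);
      const raw = eq < 0 ? '' : pair.slice(eq + 1);
      let value = raw;
      try {
        value = decodeURIComponent(raw);
      } catch (e) {
        // malformed percent-encoding: inspect the raw value instead
      }
      return { name, value };
    });
}

// Mask all but the first six and last four digits (the usual PAN masking).
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Return one finding per Luhn-valid 13-19 digit run found in any cookie value.
// cvvNearby flags a separate 3-4 digit group in the same value, the shape a
// PAN+CVV stash produces.
function findCardData(cookieHeader) {
  const findings = [];
  for (const { name, value } of parseCookieHeader(cookieHeader)) {
    // digit runs of PAN length, allowing spaces or dashes between groups
    const re = /(?:\d[ -]?){12,18}\d/g;
    let m;
    while ((m = re.exec(value)) !== null) {
      const digits = m[0].replace(/[ -]/g, '');
      if (digits.length < 13 || digits.length > 19) continue;
      if (!luhnValid(digits)) continue;
      const rest = value.replace(m[0], '');
      const cvvNearby = /(?:^|\D)\d{3,4}(?:\D|$)/.test(rest);
      findings.push({ cookie: name, masked: maskPan(digits), cvvNearby });
    }
  }
  return findings;
}

// Constructed sample: a normal session id, a cart cookie and a timestamp next
// to two cookies holding test card numbers (one with a CVV after a '|').
const SAMPLE_COOKIE_HEADER = [
  'PHPSESSID=a1b2c3d4e5f6',
  'wc_cart=3',
  'cc_info=4111%201111%201111%201111%7C123',
  'visitor_id=1586822400',
  'card=5500-0000-0000-0004',
  'tracking=4111111111111112', // 16 digits but fails Luhn: not reported
].join('; ');

// -> two findings: cc_info (411111******1111, cvvNearby true) and
//    card (550000******0004, cvvNearby false)
console.log(findCardData(SAMPLE_COOKIE_HEADER));
```

Run it over document.cookie in a browser console on a checkout page, or over Cookie headers captured at a proxy. Luhn-valid digit runs also occur in some order and account identifiers, so treat a hit as a lead to confirm against the site's loaded scripts rather than as proof of skimming; a hit with cvvNearby set is the stronger signal, since no legitimate cookie should carry a CVV.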

The Silobreaker Team
