Threat Summary: 11 – 17 October 2019

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (ranked by 7-day heat)

  • Apple iTunes
  • Oracle Java SE
  • Oracle Fusion Middleware
  • Java SE Embedded
  • HP Touchpoint Analytics

Deep & Dark Web (ranked by 7-day heat)

  • Snapchat App
  • Instagram
  • WhatsApp
  • Telegram App
  • Bitcoin

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Each entry gives the company (and country), what happened and what was exposed, and the number of individuals affected where known.

  • Escort forums (Netherlands and Italy): The Dutch broadcaster NOS reported that a hacker is selling the database of the Dutch prostitution forum hookers[.]nl on online forums. The database contains the details of about 250,000 members; exposed details include usernames, email addresses, hashed passwords and IP addresses. A forum post by the site's owner confirmed the breach. BleepingComputer found that the same user is also advertising the database of an Italian escort forum, which allegedly contains the passwords, usernames and email addresses of 33,152 users. Affected: 283,152
  • Monterey Health Center (US): On August 12th, 2019, Monterey Health Center was hit by a ransomware attack that targeted a server containing patient medical records. No evidence of attempted or actual misuse of the data was found. Potentially accessed patient data includes names, addresses, driver's licence details, financial account information, Social Security numbers and more. Affected: Unknown
  • Click2Mail (US): Click2Mail is informing over 200,000 customers of a data breach in which unknown parties used customer data to send spam emails. The intrusion point was found and closed on October 4th, 2019. Compromised customer data includes names, organisation names, account mailing addresses, email addresses and phone numbers. Affected: >200,000
  • Magnolia Pediatrics (US): Louisiana-based Magnolia Pediatrics was hit by a ransomware attack in August 2019 after its IT provider was targeted. The incident is being investigated by the FBI and, at present, no patient data is believed to have been removed by an unauthorised party. Potentially accessed data includes names, dates of birth, Social Security numbers, addresses, phone numbers and more. No financial information was present on the system. Affected: Unknown
  • Philadelphia Department of Public Health (US): Private health data of Philadelphia patients who were diagnosed with hepatitis B or C between 2013 and the end of 2018 was found exposed on the Philadelphia Department of Public Health website, which had collected the data as part of its opioids initiative. Exposed information included names, gender, dates of birth, addresses, test results and, in some cases, Social Security numbers and notes by health providers. It is unclear how many people accessed the website before the data was removed. Affected: Unknown
  • Leafly (US): On September 30th, 2019, the marijuana information and review website Leafly discovered that some of its users' information had been exposed by a data breach and is notifying affected customers. The records were stored in a secondary database dated July 2nd, 2016, and contained emails, usernames and encrypted passwords. Some users also had additional information exposed, such as names, ages, gender, location and mobile numbers. Affected: Unknown
  • E4 Strategic (South Africa): Multiple vulnerabilities in E4 Strategic systems left exposed the personal data of individuals who applied for home loans in South Africa. According to E4 Strategic, the flaws have been fixed and no unauthorised access to the data is believed to have taken place. However, according to MyBroadband, vulnerabilities remain in the system, specifically in its API. Exposed data includes ID documents, home loan application information and property valuations. Affected individuals may include anyone who applied for a home loan from 2010 onwards. Affected: Unknown
  • WHEDA (US): Up to three Wisconsin Housing and Economic Development Authority (WHEDA) email accounts were accessed by an unauthorised third party in a phishing attack on or around August 22nd, 2019. Potentially accessed data includes the personal information of 2,100 individuals enrolled in WHEDA's single family mortgage program. Affected: 2,100
  • BriansClub: Security researcher Brian Krebs reported that in September 2019 he was contacted by a source who provided a plain text file containing the database of the criminal marketplace BriansClub. The database contains more than 26 million credit and debit card records stolen from online and physical stores; 7.6 million of them were added between January and August 2019. Affected: Unknown
  • Whirlpool Corporation (US): Security Discovery researchers found an unsecured database belonging to Whirlpool containing 28,151,181 records relating to data collected during full system scans of home appliances. This included customer emails, SAID numbers, model names and numbers, and various attributes of the scanned appliances. Whirlpool has since taken the database offline and affected customers are being notified. Affected: 48,000
  • Hunt Regional Healthcare (US): Hunt Regional Healthcare, targeted by a cyberattack in May 2018 that was discovered on May 14th, 2019, has revised the number of affected patients. The attack was originally believed to have exposed the protected health information of only 3,700 Hunt Regional Medical Center patients, but an investigation revealed that the breach was more widespread and affected additional parts of the network. The health centre is due to publish an updated figure. Affected: Unknown
  • Pouring Pounds Ltd (UK): Safety Detectives researchers discovered an unprotected Elasticsearch server belonging to Pouring Pounds Ltd that exposed personally identifiable information of Pouringpounds[.]com and Cashkaro[.]com customers. The leak affects active customers from the UK and India who have logged into the platforms in recent months. Exposed data includes full names, phone numbers, email addresses, login credentials, bank details, emails sent to users and IP addresses, all stored in plain text. The leak has since been resolved. Affected: 3,500,000
  • Authentic Jobs (US): Security researcher Gareth Llewellyn discovered an unsecured, publicly accessible Amazon Web Services (S3) bucket belonging to Authentic Jobs that contained 221,130 CVs. The bucket has since been secured. Affected: 221,130
  • Sonic Jobs (UK): Job applicants using Sonic Jobs, the retail and restaurant jobs app, had their private data exposed via a publicly accessible Amazon Web Services (S3) bucket containing 29,202 CVs. It has since been set to private. Affected: 29,202
  • Wheaton High School (US): The private data of 1,344 Wheaton High School students was exposed in a data breach in which an individual gained access to the college preparation programme Naviance. According to Montgomery County Public Schools, a student not affiliated with Wheaton High School brute-forced their way in and then downloaded the personal information. Exposed data included students' names, dates of birth, highest ACT scores, highest SAT scores, GPAs, addresses and ethnicities. No Social Security or financial information was accessed. Affected: 1,344

This table shows a selection of leaks and breaches reported this week.

Malware Mentions in Critical Infrastructure

This chart shows the trending malware related to critical Infrastructure over the last week.

Weekly Industry View

  • Banking & Finance: Security researcher Brian Krebs reported that in September 2019 he was contacted by a source who provided him with a plain text file containing the database of the criminal marketplace BriansClub. The database contains more than 26 million credit and debit card records, 7.6 million of which were added between January and August 2019. The card details were stolen from online and physical stores. The data provided to Krebs has been shared with people who work with financial institutions, which will allow banks to reissue the cards that appear in the database.
  • Education: Researchers at Proofpoint established that the Iran-based hacking group TA407, also known as Silent Librarian, is continuing to target higher education institutions. The group's most recent activity occurred in September 2019 and involved registering new Freenom domains to host phishing pages. The group aims to acquire the login details of students at universities in North America and Europe, which it then uses to exfiltrate intellectual property and academic data. The researchers warned that detection is difficult because the group uses university-hosted and free URL shorteners and abuses legitimate services and infrastructure.
  • Technology: SophosLabs discovered 15 apps on Google Play that generate intrusive ads and hide their icons from the launcher to make removal difficult. Some of the apps also disguise themselves on the phone's App settings page. More than 1.3 million devices worldwide have installed at least one of the applications. SophosLabs also observed the apps declaring one name and icon for the application and a different name and icon for the Main Activity, so that the launcher entry does not match the installed app. Most of the apps posed as utility tools such as QR code readers, image editors and backup utilities.
  • Government: In June 2019, researchers at Palo Alto Networks' Unit 42 identified a domain associated with the xHunt campaign being used as the C2 for a new backdoor dubbed CASHY200. The backdoor is PowerShell-based and uses DNS tunnelling to communicate with its C2; the researchers have not yet determined how the backdoor is delivered. After open source collection, the researchers assessed that the threat actors may have used CASHY200 to target Kuwaiti government organisations in spring 2018 and spring 2019.
  • Cryptocurrency: MalwareHunterTeam discovered a scheme that distributes a cryptocurrency trading program called JMT Trader, which drops a backdoor on victims' macOS and Windows machines. The attackers created a fake company, Twitter account and website offering the trading platform for free. Users who attempted to download the software were redirected to a GitHub repository containing Windows and Mac executables for JMT Trader, as well as source code for those who wanted to compile it on Linux. The trading program itself works as advertised, but the installer also extracts a secondary program called CrashReporter[.]exe, which acts as a backdoor: when launched, it connects to a C2 server to receive commands, which it then executes.

News and information concerning each mentioned industry over the last week.
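The Technology entry describes apps whose launcher entry carries a different label and icon from the application itself, and which can drop out of the launcher after install. The manifest-level trace of that trick can be checked before an APK is trusted. The script below is an added example, not SophosLabs' tooling: it parses a decoded AndroidManifest.xml (as produced by apktool) and flags MAIN/LAUNCHER entry points whose android:label or android:icon differs from the <application> element's, and launcher entries declared as <activity-alias> (which an app can disable at runtime to hide its icon). The package name, component names and resource names in the sample manifest are constructed for illustration.

```python
"""Check a decoded AndroidManifest.xml for the launcher icon-swap trick:
a MAIN/LAUNCHER entry whose label or icon differs from the application's,
or a launcher <activity-alias> the app can toggle off at runtime.
Added example (not SophosLabs' code); the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the app presents itself as a QR reader, but its only
# launcher entry is labelled and iconed as "Settings".
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrreader">
  <application android:label="QR Code Reader" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity"
              android:label="Settings"
              android:icon="@drawable/ic_gear">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdActivity" android:excludeFromRecents="true"/>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher_entry(component):
    """True if any intent-filter on the component is MAIN + LAUNCHER."""
    for filt in component.findall("intent-filter"):
        actions = {_attr(a, "name") for a in filt.findall("action")}
        categories = {_attr(c, "name") for c in filt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def find_launcher_mismatches(manifest_xml):
    """Return [(component_name, [reasons])] for launcher entries that present
    a different identity from the application or can be toggled at runtime."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    app_label, app_icon = _attr(app, "label"), _attr(app, "icon")
    findings = []
    for comp in app.findall("activity") + app.findall("activity-alias"):
        if not _is_launcher_entry(comp):
            continue
        reasons = []
        label, icon = _attr(comp, "label"), _attr(comp, "icon")
        if label is not None and label != app_label:
            reasons.append("launcher label %r differs from application label %r"
                           % (label, app_label))
        if icon is not None and icon != app_icon:
            reasons.append("launcher icon %r differs from application icon %r"
                           % (icon, app_icon))
        if comp.tag == "activity-alias":
            reasons.append("launcher entry is an <activity-alias>, which the app "
                           "can disable at runtime to hide its icon")
        if reasons:
            findings.append((_attr(comp, "name"), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_launcher_mismatches(SAMPLE_MANIFEST):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

A label that is a resource reference (such as @string/app_name) compares by reference, not by resolved string, so a launcher entry that points at a different string resource is still reported; resolving the strings from res/values would tighten the check further.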
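The Government entry notes that CASHY200 reaches its C2 over DNS tunnelling. On the wire that looks like a single parent domain receiving many unique, long, high-entropy subdomains, often with TXT or other non-A query types. The script below is an added example, not Unit 42's tooling: it parses constructed resolver log lines, groups queries by parent domain and flags parents whose subdomain population looks like an encoded channel. The log format, the thresholds and the assumption that the registrable domain is the last two labels (a real deployment would use the Public Suffix List) are all constructed for illustration.

```python
"""Triage DNS query logs for tunnelling-style traffic: many unique, long,
high-entropy subdomains under one parent domain. Added example, not Unit 42's
code; log lines, thresholds and the two-label parent-domain rule are assumed."""
import math
from collections import defaultdict

# Constructed log lines: "<timestamp> <client-ip> <qname> <qtype>".
# example.com traffic is ordinary; tunnel-test.net carries hex-encoded labels.
SAMPLE_LOG = """\
2019-10-12T09:00:01Z 10.0.0.5 www.example.com A
2019-10-12T09:00:02Z 10.0.0.5 mail.example.com A
2019-10-12T09:00:03Z 10.0.0.7 api.example.com A
2019-10-12T09:00:04Z 10.0.0.7 cdn.example.com A
2019-10-12T09:00:05Z 10.0.0.5 www.example.com A
2019-10-12T09:01:00Z 10.0.0.9 0123456789abcdef0123456789abcdef.tunnel-test.net TXT
2019-10-12T09:01:01Z 10.0.0.9 fedcba9876543210fedcba9876543210.tunnel-test.net TXT
2019-10-12T09:01:02Z 10.0.0.9 02468ace13579bdf02468ace13579bdf.tunnel-test.net TXT
2019-10-12T09:01:03Z 10.0.0.9 fdb97531eca8642013579bdf02468ace.tunnel-test.net TXT
2019-10-12T09:01:04Z 10.0.0.9 13579bdf02468acefdb97531eca86420.tunnel-test.net TXT
2019-10-12T09:01:05Z 10.0.0.9 89abcdef0123456789abcdef01234567.tunnel-test.net TXT
"""


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain, parent). Assumption: the registrable domain is the
    last two labels; use the Public Suffix List in production."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into (ts, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            records.append(tuple(parts))
    return records


def score_parents(records, min_unique=5, min_avg_len=20, min_avg_entropy=3.0):
    """Per parent domain: unique subdomain count, mean label length and
    entropy (dots stripped), query-type mix, and a suspicious verdict."""
    subs_by_parent = defaultdict(set)
    qtypes_by_parent = defaultdict(lambda: defaultdict(int))
    for _ts, _client, qname, qtype in records:
        sub, parent = split_qname(qname)
        qtypes_by_parent[parent][qtype] += 1
        if sub:
            subs_by_parent[parent].add(sub)
    results = {}
    for parent, subs in subs_by_parent.items():
        flat = [s.replace(".", "") for s in subs]
        avg_len = sum(len(f) for f in flat) / len(flat)
        avg_ent = sum(shannon_entropy(f) for f in flat) / len(flat)
        results[parent] = {
            "unique_subdomains": len(subs),
            "avg_label_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "qtypes": dict(qtypes_by_parent[parent]),
            "suspicious": (len(subs) >= min_unique and avg_len >= min_avg_len
                           and avg_ent >= min_avg_entropy),
        }
    return results


def suspicious_parents(log_text, **thresholds):
    """Sorted list of parent domains that trip every threshold."""
    scores = score_parents(parse_log(log_text), **thresholds)
    return sorted(p for p, r in scores.items() if r["suspicious"])


if __name__ == "__main__":
    for parent, r in sorted(score_parents(parse_log(SAMPLE_LOG)).items()):
        print(parent, r)
    print("suspicious:", suspicious_parents(SAMPLE_LOG))
```

The unique-subdomain count is the discriminating feature: CDN hostnames and DKIM or SPF lookups also have long labels, but they repeat, whereas an encoded channel has to produce a fresh name for each message. Tune the thresholds per network and enrich any flagged parent with registration age and the querying hosts before acting on it.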

The Silobreaker Team

More News

  • Silobreaker Daily Cyber Digest – 18 November 2019

      Malware NextCloud Linux Servers hit with new NextCry ransomware BleepingComputer and security researcher Michael Gillespie analysed a newly spotted malware, named NextCry, which...
  • Silobreaker Daily Cyber Digest – 15 November 2019

        Ongoing Campaigns Microsoft Office 365 administrator accounts targeted in new phishing campaign PhishLabs researchers observed threat actors impersonating Microsoft and its Office...
  • Threat Summary: 08 – 14 November 2019

    08 – 14 November 2019 Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created...
View all News

Request a demo

Get in touch