
Threat Summary: 12 – 18 June 2020


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name | Heat 7d
IBM Spectrum Protect
Schneider Electric Easergy T300
LibVNCServer
VLC Media Player
Cisco Small Business RV320

Deep & Dark Web
Name | Heat 7d
Windows 7
Windows PowerShell
VirtualAlloc
WinDbg
TeamViewer

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company | Information | Affected
TAIT Towers Manufacturing LLC (US) | On April 6th, 2020, TAIT identified that one of its computer servers and the email accounts of certain employees had been compromised. The unauthorised access, which began on February 16th, 2020, allowed the unknown party to view names, addresses, email addresses, Social Security numbers, financial account numbers, and dates of birth. | Unknown
Genworth Financial (US) | The login credentials of a limited number of third-party insurance agents were compromised. The event, which was discovered on April 20th, 2020, allowed the attacker to view a combination of personal data, including names, addresses, dates of birth, Social Security numbers, financial information, and more. | 1,600
A1 Telekom (Austria) | Blogger Christian Haschek published details of a network intrusion at Austria’s A1 Telekom that lasted for 6 months. The company confirmed the breach, stating that the intrusion was first discovered in December 2019. Haschek had been contacted by a whistleblower who claimed that the attacker managed to access sensitive customer data, which both Haschek and A1 dispute. | Unknown
Threadstone Advisors (US) | The operators of Maze ransomware claim to have carried out an attack against Threadstone Advisors. They posted the phone number and email address of managing director Joshua Goldberg on their blog and stated that more evidence is ‘coming soon.’ Details on how much data was taken or the ransom demanded were not provided. | Unknown
Electronic Waveform Lab (US) | The company was targeted in a ransomware attack on April 11th, 2020, which impacted some of its computer systems and may have compromised some client data. This includes names, addresses, insurance information, and in some cases limited diagnosis or treatment information. It is not believed that this data has been or will be misused. | Unknown
Symbotic LLC (US) | According to their blog post, the operators behind REvil ransomware began publishing data belonging to Symbotic LLC on a dedicated website. The blog post states that more data will be published every two days. At present, the leaked data includes employee names, addresses, Social Security numbers, salary details, non-competition agreements, and more. | Unknown
Government of Mexico | Lucy Security reported that a Russian hacker, operating under the alias m1x, leaked at least 14,000 Mexican taxpayer ID numbers and an undetermined number of police records. Despite stating that they had given the government five days to pay a ransom, m1x leaked the information on a public cloud service on June 10th, 2020. The 100GB of data included home addresses and phone numbers. | 14,000
Unknown (Armenia) | According to security affairs expert Samvel Martirosyan, an Azerbaijani hacker has released the data of Armenian coronavirus patients and those who had contact with them. At present, only data pertaining to individuals from the Armavir province was leaked, which Martirosyan believes could indicate that the hacker stole the data from an Armavir hospital. | 3,500
Indian Blood Donors | CloudSEK researchers discovered posts on two forums offering, for free, a database containing the information of individuals registered with the organisation. The database contains 12,472 records, with each record containing personally identifiable information, blood type, passwords in plain text, and more. | Unknown
Cano Health (US) | On April 13th, 2020, Cano Health discovered that three employee email accounts containing patient data had been accessed by an unauthorised individual. The exact period of access remains unclear but is estimated to be between May 18th, 2018 and April 13th, 2020. Potentially compromised patient data includes names, dates of birth, contact information, health care information, Social Security numbers, government identification numbers, and more. | Unknown
Rangely District Hospital (US) | The hospital stated that part of its computer network was hit by ransomware on April 9th, 2020. RDH stated that while it had no evidence that files with personal health information were viewed or exported, some records had not been recovered or could not be accessed. Data within the files includes names, Social Security numbers, medical information, and more. | Unknown
Postbank (South Africa) | The Sunday Times reported that Postbank will replace 12 million bank cards after the bank’s encrypted master key was printed in unencrypted text. The key, which was reportedly stolen by employees, could be used to access the bank’s systems and to read and alter data on any of the bank’s cards. The incident impacts between eight and ten million beneficiaries who receive social grants from Postbank and roughly one million other Postbank account holders. | 12,000,000
Claire’s and Icing (US) | Researchers at Sansec reported that Claire’s and its sister brand Icing had been targeted in a Magecart attack which injected skimmers into the companies’ online stores to steal customer card data. The attackers registered a domain that spoofed Claire’s on March 20th, 2020. On April 25th, 2020, the attackers added malicious code to the Claire’s and Icing stores which gathered the details customers entered and sent them to the fake domain. The malware was removed by Claire’s on June 13th, 2020. | Unknown
Intersport (Switzerland) | Researchers at ESET reported that a Magecart attack was made against Intersport websites in Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina. The attacks reportedly occurred between April 30th and May 3rd, 2020, and again on May 14th, 2020. In the last incident, the malicious code was removed within hours of its deployment. | Unknown
Multiple Dating Apps | Researchers at vpnMentor discovered a misconfigured AWS account containing data belonging to a range of niche and fetish dating apps, including 3somes, Cougary, Gay Daddy Bear, Xpal, and more. All apps appear to share a common developer, who has since secured all S3 buckets. The S3 buckets contained a total of 845GB in over 20 million files, including details of user profiles, private conversations, voice messages and recordings, and images and photos. | Unknown
Foodora (Germany) | Data belonging to the company, which is owned by Delivery Hero, was posted on a hacker forum on May 19th, 2020 and has since been posted elsewhere. Customers from 14 countries are affected. Delivery Hero stated that the data goes back to 2016, whereas one of the individuals who posted the data online said that it had been acquired in 2019. The information exposed includes names, addresses, phone numbers, hashed passwords, latitude and longitude data, and customer notes. | 727,000
MaxLinear (US) | The company disclosed that it was impacted by a Maze ransomware attack that was discovered on May 24th, 2020. The attackers accessed the company’s systems on April 15th, 2020, and posted 10.3GB of accounting and financial data two months later. The attackers claim to have exfiltrated over 1TB of data prior to encryption. Leaked data could include names, personal and company email addresses, financial account numbers, Social Security numbers, and more. | Unknown
Goodman Mintz LLP (Canada) | The operators of REvil ransomware claim to have targeted the accounting firm and are now auctioning off the stolen data on their dark web site. Leaked data includes company files, account and working documents of clients, databases, usernames and passwords for clients, and more. | Unknown
Cognizant (US) | Cognizant filed two data breach notification letters with the Office of the Attorney General of California, which disclose that its network was accessed by Maze ransomware operators between April 9th and April 11th, 2020. The letters state that it is likely that the Maze operators exfiltrated ‘a limited amount of data’ from the company’s systems, including names, Social Security numbers, passport information, corporate credit card details, and more. | Unknown
ZEGG and Strategic Sites LLC (US) | The operators of REvil ransomware have published data belonging to duty-free store ZEGG. The attackers also threatened to release sensitive information about Strategic Sites LLC if the company refuses to ‘come to an agreement.’ | Unknown
KIPP SoCal (US) | The charter school operator stated that a vendor notified it on June 2nd, 2020, that files containing student information had been exposed on GitHub. Incorrect privacy settings meant that the data file was searchable within GitHub from October 3rd, 2019 to June 2nd, 2020. During this period, the page was accessed seven times. Exposed data included names, addresses, primary languages, dates of birth, and more. | Unknown
Far Eastern University (Philippines) | The university is investigating reports that its student portal was hacked after FEU’s Kadiwa student coalition stated that 1,000 student accounts had potentially been exposed by a group called Pinoy Grayhats. An individual operating under the alias DRK reportedly posted the names of 1,000 students, alongside their passwords and student numbers, on June 16th, 2020. | 1,000
University of Cambridge (UK) | The University of Cambridge Clinical School accidentally attached a spreadsheet containing the personal data of 305 third-year medical students to a welcome email. Exposed data included names, student numbers, dates of birth, gender, CRSID, and college. Data pertaining to 19 students’ mental health, disabilities, or investigations into their fitness to practise was also exposed in a ‘notes’ section of the spreadsheet. | 305

This table shows a selection of leaks and breaches reported this week.

Malware Mentions in Banking

This chart shows the trending Malware related to Banking over the last week.

Weekly Industry View
Industry | Information
Banking & Finance | Researchers at F5 reported that the Qbot banking trojan, which has been active since 2008, is being used in a campaign that targets approximately 36 US financial institutions and two banks in Canada and the Netherlands. The researchers analysed a new version of the Windows-based malware which contains techniques to avoid detection and analysis. Once on an infected machine, the malware creates a copy of itself that runs when the system reboots. It appears to use browser hijacking or redirection as its main attack method.
Critical Infrastructure | Blogger Christian Haschek published details of a network intrusion at Austria’s A1 Telekom that lasted for 6 months. The company confirmed the breach, stating that the intrusion was first discovered in December 2019. Haschek had been contacted by a whistleblower who claimed that malware had compromised nearly all internal servers, as well as one of A1’s managed customer networks. According to A1, only about a dozen servers were impacted and all compromised devices were inside its office network. The company and Haschek have disputed further claims made by the whistleblower, including the claim that the attacker managed to access sensitive customer data. The whistleblower attributed the attack to the Chinese nation-state actor Gallium. A1 has not commented on this attribution.
Government | The Hindustan Times reported that India’s government websites and financial payment systems were targeted in a series of distributed denial-of-service (DDoS) attacks that began on June 16th, 2020. The majority of attacks were traced to Chengdu, a Chinese city known to be the headquarters of the People’s Liberation Army’s Unit 61398, the country’s main military covert cyberwarfare section. Many hacker groups are also said to originate from Chengdu.
Healthcare | An NHS Digital spokesperson confirmed that 113 NHSmail mailboxes were compromised and used to send malicious emails between May 30th and June 1st, 2020. No evidence was found to suggest that patient records were accessed. The UK’s National Cyber Security Centre confirmed the compromise to be part of a widespread credential-harvesting phishing campaign targeting numerous UK organisations.
Cryptocurrency | Coil researchers detailed a campaign that advertised a fake giveaway of XRP and used homoglyph domains to trick users. The campaign, which began in January 2020, used Memo messages containing links that redirected users to a site imitating Ripple’s Insights blog. A new wave of attacks is now targeting users via emails that promote a stimulus package for XRP holders. To date, over 2,100,000 XRP has been stolen and 1,980,000 XRP has been laundered.

News and information concerning each mentioned industry over the last week.
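The Cryptocurrency entry above notes that the XRP lure relied on homoglyph domains, i.e. registered names whose characters look like a trusted brand's but differ in code point. The following is an added example, not code from Silobreaker, Coil or the report, of the check a defender can run over domains seen in mail logs or DNS queries: each label is decoded from punycode, visually confusable characters are collapsed to an ASCII "skeleton", and the result is compared against a protected brand list. The confusables table is a constructed subset (the full list is Unicode UTS #39), the brand list is assumed, and all sample domains are constructed here.

```python
import unicodedata

# Constructed subset of visually confusable characters -> ASCII look-alike.
# The authoritative list is Unicode UTS #39 (confusables.txt); this table only
# covers the Cyrillic, Greek and ASCII cases most often seen in brand spoofing.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0458": "j",  # Cyrillic small je
    "\u03b1": "a",  # Greek small alpha
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin small dotless i
    "I": "l",       # capital I vs small l in sans-serif fonts
    "1": "l",       # digit one vs small l
    "0": "o",       # digit zero vs small o
}

# Assumed brand list; ripple.com is used because the passage concerns XRP lures.
PROTECTED_BRANDS = ["ripple.com"]


def decode_punycode_labels(domain: str) -> str:
    """Turn xn-- labels back into Unicode so the look-alike characters are visible."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def domain_skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII string a human would perceive on screen."""
    text = decode_punycode_labels(domain)
    text = unicodedata.normalize("NFKC", text)             # fullwidth forms, ligatures
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)  # must run before lower()
    text = text.lower()
    decomposed = unicodedata.normalize("NFKD", text)        # split base letter + accent
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def classify(domain: str, protected=PROTECTED_BRANDS):
    """Return (verdict, brand): 'legitimate', 'homoglyph' or 'unrelated'."""
    lowered = domain.lower()
    for brand in protected:
        if lowered == brand:
            return ("legitimate", brand)
    skeleton = domain_skeleton(domain)
    for brand in protected:
        if skeleton == domain_skeleton(brand):
            return ("homoglyph", brand)
    return ("unrelated", None)


# Constructed samples: the real brand, four look-alikes, and an unrelated name.
SAMPLES = [
    "ripple.com",
    "rippIe.com",                                         # capital I for small l
    "r\u0456pple.com",                                    # Cyrillic i for Latin i
    "r\u00edpple.com",                                    # i with acute accent
    "r\u0456pple.com".encode("idna").decode("ascii"),     # punycode form of the Cyrillic one
    "example.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:32} -> {classify(sample)}")
```

The skeleton comparison is deliberately applied to both sides, so brands that themselves contain an "I" or a digit are normalised the same way as the candidate. Running the confusable mapping before lower-casing matters: `"rippIe".lower()` is `"rippie"`, which would no longer match. Decoding punycode first is what makes an `xn--` form and its Unicode rendering produce the same verdict, which is the view a mail gateway or DNS log has of the name.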

The Silobreaker Team
