20 May 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name | Heat 7
GNU LibreDWG
Red Hat Product Security
Liferay Portal
Mercedes MBUX
MikroTik RouterOS

Deep & Dark Web
Name | Heat 7
AMD Epyc
Alternate Data Stream
JScript
VBScript
Apple Safari

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Company | Information | Affected
Gastroenterology Consultants PA (US) | The clinic informed the Maine Attorney General’s Office of a ransomware attack that occurred on January 10th, 2021. The company first disclosed the breach on its website in March 2021, stating that it was investigating ‘the potential exposure of patient information.’ | 460
Möbelstadt Sommerlad (Germany) | The retail furniture store disclosed that it was targeted in a DarkSide ransomware attack on April 30th, 2021. The attack impacted its phone and email services, and up to 400 hard drives. The company encouraged all customers to change their passwords, though it is unclear whether any data was leaked. | Unknown
Apex America (Argentina) | The digital customer experience service company was hit by REvil ransomware operators. The group claims to have stolen data and posted screenshots as proof. | Unknown
Acer Finance (US) | The operators of Avaddon ransomware claim to have targeted the company and stolen confidential data relating to clients and employees. This is said to include banking information, personal correspondence, contract agreements, forms of payment, and more. Sample data published by the attackers includes several ID cards, personal documents, contracts, and more. | Unknown
Ireland’s Health Service Executive | Conti ransomware operators claim to have exfiltrated over 700GB of information from HSE. The gang claims to have had access to the HSE network for over two weeks prior to the attack. The threat actors claim to have stolen patient and employee information, financial statements, payrolls, contracts, and more. | Unknown
Rede Bahia (Brazil) | The business conglomerate disclosed that its servers were hit by a cyberattack that impacted its operations. The company also stated that the personal data of some of its employees and former employees was exposed. | Unknown
Armed Forces of Brazil | On May 3rd, 2021, the army published a booklet revealing the personal details of Brazilian generals on the ebook publishing platform Calaméo. The booklet exposed the generals’ names, phone numbers, emails, and the names of their spouses and aides. According to Núcleo Jornalismo, the booklet contained classified information. The Army Social Communication Center stated that the information in the booklet is outdated. | Unknown
La Place 0-5 (Canada) | The centralised daycare registration portal was targeted in a cyberattack on May 8th, 2021. The attacker reportedly created an administrator-level account, allowing them to access data hosted by the portal’s IT vendor. The actor stole data including names, telephone numbers, dates of birth, NIREC identification numbers, and others. | 5,000
Axa Asia | Avaddon ransomware operators claimed an attack against the Thailand-, Philippines-, Hong Kong- and Malaysia-based operations of AXA Group. The actor claims to have stolen 3TB of data, including customer medical reports, claims, bank account documents, IDs, and more. The group has leaked several sensitive documents bearing AXA’s letterheads and stamps. | Unknown
Brenntag North America (US) | The company was targeted in a DarkSide ransomware attack in early May 2021. The attackers claim to have stolen 150GB of data from the company, and screenshots of the supposedly stolen data were added to the DarkSide data leak site. | Unknown
Gary, Indiana (US) | A ransomware attack impacted several of the city’s servers, which are currently being rebuilt and restored. It is currently unclear whether personal information was impacted. | Unknown
Lemonade (US) | Researchers identified a security flaw which exposes the details of customers of the insurance company. Muddy Waters Research stated that they could log in and edit customer accounts by clicking on search results from public search engines without entering any credentials. TechCrunch confirmed that the flaw allowed them to log in without credentials and see customer names, addresses, and quote details. | Unknown
Toshiba (France) | On May 14th, 2021, DarkSide ransomware operators claimed to have stolen confidential information from a Toshiba entity in France. Over 740GB of data, including management, new business, and personal data, was allegedly exfiltrated. Toshiba confirmed a cyberattack against some of its European servers. | Unknown
Utility Trailer Manufacturing (US) | The company was targeted in a ransomware attack that temporarily disrupted some of its systems. Clop ransomware operators leaked over 5GB of data allegedly exfiltrated from the company. FreightWaves reported that the leak contains an extensive amount of sensitive personal data about employees, including payroll and human resources information. | Unknown
Rapid7 (US) | Rapid7 discovered that some of its internal credentials and alert-related data for a subset of Managed Detection and Response service customers were accessed by an unauthorised party as a result of the malicious modification of Codecov’s Bash Uploader. The small subset of impacted customers was informed about the breach, and the exposed credentials were rotated. | Unknown
Guard[.]me (UK) | On May 17th, 2021, the company began informing customers that it had suffered a data breach after unauthorised individuals exploited a website vulnerability. The exposed data includes dates of birth, gender, encrypted passwords, and in some cases email addresses, mailing addresses, and phone numbers. | Unknown
Buffalo Public Schools (US) | An investigation into a March 2021 ransomware attack found that the personal information of an unknown number of students, parents, and employees was exposed. The bank account information of some vendors was also exposed. | Unknown
monday[.]com (Israel) | The company found that the attacker who recently exploited a vulnerability in Codecov’s software accessed one of its files containing a list of URLs that point to publicly broadcast customer forms or views hosted on its site. | Unknown
Malta’s Nationalist Party | Avaddon ransomware operators published 1.3GB of data stolen from the party in an April 2021 attack, exposing the personal information of paying party members and of employees of the party’s media affiliate Media Link Communications. The leaked data includes names, addresses, ID cards, and, in some cases, phone numbers. | 21,049
Unknown (Vietnam) | The Ministry of Public Security revealed that Vietnamese identity cards have been for sale on RaidForums since May 13th, 2021. The forum user ‘Ox1337xO’ is selling a 17GB database containing names, dates of birth, addresses, emails, phone numbers, identity card numbers, and pictures of the front and back of ID cards. Ngo Tuan Anh of the security company Bkav stated that there is no evidence of an information leak from the national population database of Vietnam. | 10,000
Oxford University (UK) | A technical issue with DARS, the relationship management system used by the university, allowed unauthorised Oxford Single Sign-On users to view sensitive data of Pembroke College’s alumni. The exposed data includes full names, ages, addresses, telephone numbers, and notes taken during calls between telethon workers and the alumni. Some telethon training documentation was also compromised. | Unknown
Eduro Healthcare (US) | On April 7th, 2021, Astro Team added Eduro Healthcare to its data leak site before dumping 40GB of allegedly stolen data on April 23rd. The group has been linked to Mount Locker ransomware. The exposed information includes patient names, health insurance information, financial statements, and more. | Unknown
Sincera Reproductive Medicine (US) | The company disclosed that a threat actor had access to its systems between August 10th and September 13th, 2020. Some information was impacted by the attack. The company was featured on the data leak site of Maze ransomware operators; however, the proof of the attack posted by the threat actor appeared to be unrelated to the company. | Unknown
BtcTurk (Turkey) | On May 14th, 2021, a data set containing the information of BtcTurk users was advertised on an online forum. The information belongs to users who registered before July 2018 and contains names, citizens’ ID numbers, email addresses, dates of birth, and mobile numbers. The seller also claimed that the data set contains selfies that were submitted by users. | 516,954
Allergy Partners (US) | The North Carolina healthcare provider confirmed that an unauthorised person gained access to its network between January 12th and February 23rd, 2021. The actor deployed malware against the servers and stole some of the company’s data, possibly including patient names, addresses, driver’s license numbers, Social Security numbers, financial account numbers, medical details, and more. | Unknown
Health Plan of San Joaquin (US) | An unknown actor accessed certain HPSJ employee email accounts between September 26th and October 12th, 2020. Member names and ID numbers, dates of birth, lab results, medical ID numbers, financial account information, Social Security numbers, and more were contained within one or more of the impacted emails. | Unknown
TeamBMS (UK) | Website Planet researchers identified a misconfigured AWS S3 bucket belonging to the company, now part of Team Resourcing Ltd. The leak may affect tens of thousands of nationals from Europe, Western Asia and the United States, though the researchers suspect all to be residents of the UK. The bucket exposed 21,000 files, including CVs alongside personal IDs such as passports or citizen ID cards. Leaked data included full names, email addresses, mobile phone numbers, home addresses, dates of birth, passport numbers, and more. | Unknown
MyHome[.]ie (Ireland) | Researchers at Vadix discovered that the personal details of customers of the property website were leaked online. Over 700,00 documents were exposed, dating from 2014 to 2017. The leaked information includes passports, drivers’ licenses, and compliance-related forms. | Unknown

Threat Actor mentions in Banking & Finance

[Time series chart: trending Threat Actors related to Banking & Finance Infrastructure over the last week]

This chart shows the trending Threat Actors related to Banking & Finance Infrastructure over the last week.

Weekly Industry View

Industry View
Industry | Information
Banking & Finance | The United States Federal Bureau of Investigation warned of an ongoing spear phishing campaign impersonating Truist Bank. Victims are sent emails that prompt the target to download a malicious Windows application using the Truist brand. The malware is a remote access trojan currently not detected by security products. It is capable of logging keystrokes, taking screenshots, escalating privileges, manipulating the system registry, downloading files, injecting code, and more. According to BleepingComputer, other financial institutions, such as MayBank, FNB America, and Cumberland Private, have also been impersonated in this campaign.
Technology | Researchers at BI[.]ZONE reported that FIN7 is distributing its Lizar toolkit disguised as a legitimate pen testing tool for Windows networks. The group searches for victims by filtering companies by revenue using the Zoominfo service. Multiple instances in which the attackers posed as Check Point Software Technology and Forcepoint have been identified. The researchers found that the Lizar toolkit is structurally comparable to the Carbanak backdoor. BI[.]ZONE warned that the complex toolkit is still being actively developed. At present, most devices infected by Lizar are based in the United States; however, the researchers stated that they believe the tool will be used against targets around the world.
Retail & Tourism | Malwarebytes researchers observed an ongoing skimming campaign targeting multiple Magento 1 online stores. The campaign involves new PHP web shells, called Smilodon or Megalodon, that dynamically load JavaScript skimming code via server-side requests, making it more difficult to block. The malware disguises itself as a PNG favicon. The researchers believe Magecart 12 is behind the campaign.
Healthcare | On May 13th, 2021, the National Cyber Security Centre discovered that the operators of Conti ransomware had attempted an attack against the Department of Health. The execution of ransomware payloads was reportedly halted by antivirus software and other tools deployed by investigators. The department suspended some functions of its IT systems as a precaution. The attack is currently under investigation but was found to be part of the same campaign that recently targeted Ireland’s Health Service Executive.
Critical Infrastructure | While analysing an attempted poisoning attack against the Oldsmar water treatment plant, which occurred in February 2021, researchers at Dragos identified a separate intrusion. The incident was linked to a watering hole attack using malicious code hosted on the website of a Florida water infrastructure construction company. More than 1,000 users were profiled by the site, including municipal water utility customers, state and local government agencies, and private water industry companies. The code was linked to the dark web market DarkTeam Store, which was also the location to which systems infected with a new Tofsee botnet variant, named Tesseract, reported. The researchers believe that the watering hole was deployed to collect browser data in order to improve Tesseract’s ability to impersonate legitimate web browser activity.

News and information concerning each mentioned industry over the last week.
