Threat Summary: 15 – 21 May 2020

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Heat 7d):
  • Monero
  • Adobe Acrobat Reader
  • IBM X-Force ID
  • Magento Mass Importer
  • rconfig

Deep & Dark Web (Heat 7d):
  • Monero
  • Jays Booter
  • Easy Hide IP
  • ByteDos
  • High Orbit Ion Cannon

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company | Information | Affected

MyBudget (Australia): MyBudget was targeted in a ransomware attack that resulted in a nationwide systems outage, including the company’s payment and messaging services, as well as its app and client portal. At present, no evidence has been found to suggest that ‘significant data’ was accessed, yet the company is advising customers and staff on how to keep their data safe. Affected: Unknown

City Index (UK): On May 8th, 2020, the financial trading and spread betting service provider disclosed that its network had been accessed by an unauthorised third party. The incident, which took place on April 14th, 2020, exposed names, dates of birth, gender, and bank details. Affected: Unknown

CDEK Express (Russia): A database containing the personal data of nine million CDEK Express customers is currently being sold online. It reportedly contains information about deliveries and the locations of goods, as well as personal information of customers, including Tax Identification Numbers. CDEK Express stated that there had been no data leak at the company, adding that personal data is collected by other companies it works with, which may be where the leak occurred. Affected: Unknown

The West Australian: The subscription administration email of The West Australian was accessed by an unauthorised individual on March 23rd, 2020, which may have compromised the personal data of WAtoday subscribers. This includes names, phone numbers, email addresses, and home addresses. Affected: Unknown

Wright County (US): On January 31st, 2019, Wright County identified unusual activity on a Wright County email account. An investigation revealed that 11 email accounts in the county network could have been accessed. The exposed data could have included names, dates of birth, Social Security numbers, health insurance information, and more. Affected: 12,320

Interserve (UK): The company was targeted in a cyberattack and reported that ‘some operational services may be affected.’ The attack resulted in the theft of current and former employee data, which may have included names, addresses, bank details, payroll information and more. Affected: 100,000

Arkansas and Illinois Pandemic Unemployment Assistance (US): A computer programmer discovered that Arkansas’ Pandemic Unemployment Assistance program contained vulnerabilities that allowed access to the information of roughly 30,000 applicants. The exposed data includes bank account numbers, Social Security numbers, routing numbers, and more. The issue was confirmed by the state governor on May 15th, 2020. On May 17th, 2020, a spokesperson for the governor of Illinois revealed that its Pandemic Unemployment Assistance program was also impacted by a flaw that exposed personal information. Affected: Unknown

General Administration for Traffic Safety of the Ministry of Internal Affairs (Russia): A database containing the full names, addresses, passport numbers, and more, of 129 million Russian car owners is currently being sold on a darknet forum. The data was reportedly leaked from the registry of Russia’s General Administration for Traffic Safety of the Ministry of Internal Affairs. Affected: 129,000

Covve Visual Network Limited (Cyprus): Security researcher Troy Hunt analysed a publicly accessible Elasticsearch instance that contained nearly 90GB of personal information. The source of the leak was initially unclear; however, Covve Visual Network Limited has since confirmed that it was the origin of the leak. The company stated that an unauthorised third party gained access to one of its legacy, decommissioned systems. Leaked data included names and contact details, yet the company stated the data could not be associated with specific users and that no passwords were compromised. Affected: 90,000

Management and Network Services LLC (US): The company issued a breach notification stating that an unauthorised individual gained access to several employee email accounts between April and July 2019. The accounts contained protected health information of patients of its clients, including names, medical treatment information, dates of birth, Social Security numbers, and more. Affected: 30,132

Santa Rosa & Rohnert Park Oral Surgery (US): The surgery discovered that an employee email account had been compromised between December 20th, 2019 and March 11th, 2020, during which time protected health information of its patients may have been viewed or obtained by the attacker. Affected: Unknown

Orchard Medical Consulting (US): Orchard Medical Consulting reported that an unauthorised individual gained access to an employee email account that contained names, dates of birth, and in some cases Social Security numbers and medical information of its patients. No evidence was found to suggest any data had been accessed, stolen or misused. Affected: Unknown

Nikkei Inc (Japan): The company suffered a cyberattack after an employee opened a malicious email attachment on May 8th, 2020. The attachment infected the employee’s computer with a previously unidentified virus. The names and email addresses of board members, regular and part-time employees, and others at Nikkei Inc were leaked as a result. The company stated that it has not detected any abuse of the data. Affected: Unknown

European People’s Party (EU): Researchers at Shadowmap discovered an unsecured database containing the data of 1,200 European Parliament elected officials and staff, as well as a further 15,000 accounts of journalists, members of political parties and members of other EU agencies. Exposed data included hashed passwords, job descriptions, and other personal information. The European People’s Party has since confirmed that a database with email addresses and passwords had been exposed, adding that it was an outdated database. The data has since been taken offline. Affected: >16,200

Edison Mail (US): Users of the Edison Mail app took to Twitter and contacted The Verge to report that they could see other users’ data after applying an update which was meant to allow them to sync data across devices. Edison Mail acknowledged that a bug in the update ‘rolled out to a small percent of our users’. Affected: 64,000

Stop & Shop (US): The company stated that three locations in New Jersey, one in Connecticut, and another in Massachusetts had been compromised with illegal skimming devices known as ‘shimmers’. The issue impacted one self-checkout lane in each store. Transaction data on the devices covered a five-day period. Affected: Unknown

LeaseSolution (UK): TurgenSec researchers discovered a publicly accessible database belonging to LeaseSolution, which contained 6 million entries and over 150 files. The leak affects at least nine companies, including Rolls Royce, Tesco, and Samsung, which the researchers believe are LeaseSolution clients. The company has since restricted public access. Affected: Unknown

Sherwood Food Distributors (US): The REvil ransomware operators posted a preview of data that appears to have been stolen from the company. The data was posted on May 15th, 2020 and contains approximately 2,300 files. The exposed information includes cash-flow analysis, sub-distributor and proprietary vendor information, scanned driver’s license images, and more. Affected: Unknown

PsyGenics Inc (US): On May 18th, 2020, PsyGenics Inc began to notify impacted individuals that their data had been exposed after an employee forwarded an Excel spreadsheet containing customer details to their personal email address. The spreadsheet, which was shared on March 24th, 2020, contained names, diagnosis codes, appointment times, and provider names. Affected: Unknown

City of Moscow (Russia): The blog Nora Ezhika reported that a web portal used by Muscovites to pay quarantine fines would display a user’s full name and passport number if the quarantine fine ticket number was entered. The blog warned users not to share pictures of their tickets online. Security researcher Alexey Drozd stated that a user did not even need a ticket number to view this data, as it could be accessed via a simple brute force attack. Affected: Unknown

easyJet (UK): The airline reported that hackers had managed to access the email and travel details of customers in a ‘highly sophisticated’ attack. The credit card details of over 2,000 customers were also accessed. easyJet stated that no evidence suggests that any of the personal information has been misused. Affected: 9,000,000

Colorado Department of Labor and Employment (US): The department was made aware of an issue with the state’s pandemic unemployment assistance site, which allowed six applicants to view the data of other applicants. This may have included Social Security numbers. The error has been fixed. Affected: 72,000

Serco (UK): The outsourcing company, which is currently training staff to trace cases of coronavirus on behalf of the UK government, exposed the email addresses of new trainees. The incident occurred when a staff member accidentally entered the trainees’ email addresses into the CC field of an email sent to new trainees. Affected: 300

BlockFi (US): The cryptocurrency lender informed its clients of a data breach that exposed client account activity information, email addresses and postal addresses. Social Security numbers and government-issued IDs were not exposed, nor were clients’ funds impacted. The breach took place on May 14th, 2020, and was the result of a SIM swap attack on a BlockFi employee’s phone number, in which the attacker unsuccessfully attempted to withdraw client funds. Affected: Unknown

Páramo (UK): The clothing retailer discovered a Magecart malware infection on its website, which had been present for nearly eight months without detection. The full card details of 3,734 individuals were stolen between July 2019 and March 2020, including names, addresses, card numbers and CVV codes. Affected: 3,734

Luxembourg Justice System: On May 19th, 2020, the Luxembourg Wort reported that roughly 1GB of data was passed to a member of the press. The exposed information includes internal notes, reports, email exchanges, personal information of people and businesses, and more. Affected: Unknown

Geisinger Wyoming Valley Medical Center (US): The medical centre reported that an employee accessed the medical records of over 800 patients without a business need. An investigation, which showed that the records were not maliciously accessed, found that the records were breached from July 2017 to March 2020. The exposed information included medical conditions, Social Security numbers, names, dates of birth, email addresses, and more. Affected: >800

Natura & Co (Brazil): Security Detectives researchers discovered a 272GB Amazon-hosted server belonging to the Brazilian company Natura & Co, as well as one with 1.3TB of data. Natura & Co were informed of the leak and have since secured their servers. Exposed data included personal data of Natura & Co customers, as well as payment information from 40,000 customers related to the third-party company Wirecard. This included full names, mother’s maiden names, dates of birth, nationality, email and physical addresses, and more. In addition, login credentials including salted and hashed passwords were exposed. Affected: 250,000

Bank of America (US): The Bank of America issued notices of a data breach to its clients, stating that a subset of individuals who applied for Paycheck Protection Program loans are impacted. Exposed data included tax identification numbers, full names, phone numbers, email addresses, physical addresses, Social Security numbers, and more. Affected: Unknown

Science Mobile LLC (US): A hacker is advertising the data of 40 million Wishbone app users for 0.85 Bitcoin (approximately $8,000) across multiple hacking forums. The attacker claims to have obtained the data in a hack that took place earlier in 2020. A data sample was published which indicates that the data includes usernames, emails, phone numbers, city/state/country, and hashed passwords. Affected: 40,000,000

Fresenius Medical Care (Germany): Snake ransomware operators published a small amount of medical and personally identifiable data belonging to Fresenius Medical Care on a paste site. The exposed information includes names, dates of birth, professions, postal addresses, phone numbers, and more. The leaked details also include information on next of kin as well as doctors’ notes. The attackers stated that they will leak more data in the future. Affected: Unknown

This table shows a selection of leaks and breaches reported this week.

Malware Mentions in relation to the Coronavirus Outbreak

This chart shows the trending malware related to the Coronavirus Outbreak over the last week.

Weekly Industry View
Industry | Information

Banking & Finance: Quick Heal researchers observed a spear phishing campaign against co-operative banks in India. The campaign involves emails impersonating the Reserve Bank of India (RBI), or other large banking organisations, which claim to have details about new RBI guidelines amidst the pandemic in an attached ZIP file. The ZIP file contains a malicious JAR file made to appear as a PDF or Excel document. Once the file is opened, Adwind RAT is executed. The malware is capable of keylogging, capturing screenshots, downloading additional payloads, and obtaining user information.

Critical Infrastructure: Symantec researchers observed Greenbug targeting telecommunications companies in South Asia, with one company believed to have been targeted as early as April 2019. The group is suspected to be based in Iran and connected to the Shamoon group. The campaign uses a mixture of off-the-shelf tools and living-off-the-land techniques in order to gain access to database servers, steal credentials, and maintain a low-profile presence on the targeted networks. The initial infection vector appears to be email, and the researchers believe Greenbug makes use of the publicly available Covenant post-exploitation framework to gain an initial foothold. In addition, tools such as Mimikatz and Plink were also used.

Government: Researchers at Agari reported that the Nigerian cybercrime group Scattered Canary is involved in a range of coronavirus-themed fraud schemes. They found that the group filed fraudulent claims for CARES Act Economic Impact Payments and committed mass unemployment fraud in several US states. The group is scaling its attacks by leveraging so-called Gmail ‘dot accounts’ (variants of one Gmail address that differ only in the placement of dots, which Gmail delivers to the same mailbox) to mass-create accounts on targeted websites. The researchers also found 47 Green Dot accounts that the gang used to receive the fraudulent payments. The researchers warned that Scattered Canary’s next target for fraudulent unemployment claims appears to be Hawaii.

Education: On May 11th, 2020, the UK’s ARCHER National Supercomputing Service and the German Baden-Württemberg High Performance Computing project reported security incidents. By the end of the week, SPIEGEL reported that nine supercomputers in Germany had been impacted by malicious cyber activity. Other victims have been reported in Spain and Switzerland. The European Grid Infrastructure (EGI) Computer Security Incident Response Team (CSIRT) reported that ‘a malicious group is currently targeting academic data centers for unknown purpose’. An earlier report by EGI CSIRT stated that a group was targeting academic data centres for CPU mining. EGI CSIRT said that the two incidents ‘may or may not be correlated’. Researchers at Cado Security reviewed malware samples, reporting that the attackers gained access via compromised SSH credentials. In one incident, the attackers gained access to a supercomputing node and deployed a Monero cryptocurrency miner.

Retail, Hospitality & Tourism: Researchers at Sucuri reported that hackers are taking advantage of flaws in other WordPress plugins to deploy malware that identifies whether a site is using WooCommerce. The malware, which is installed as a malicious PHP script, can scan for other WordPress targets and exfiltrate WooCommerce data from their databases. BleepingComputer stated that attackers could use this information to decide which sites to deploy Magecart skimmers on.

News and information concerning each mentioned industry over the last week.

The Silobreaker Team
