
Threat Summary: 15 – 21 November 2019

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name, Heat 7d)
  • Windows Phone
  • Google Android
  • Symantec Endpoint Protection
  • Moodle
  • Google Play

Deep & Dark Web (Name, Heat 7d)
  • cPanel
  • WordPress
  • Telerik Fiddler
  • Bing Search Engine
  • Ragebooter

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Sunshine Behavioral Health LLC (US)
  Information: A misconfigured AWS S3 bucket exposed private data of patients of the Monarch Shore, Chapters Capistrano and Willow Springs Recovery facilities. The database contained files related to billing information, exposing patient names, dates of birth, postal and email addresses, telephone numbers, full credit card numbers with partial expiry dates and full CVV codes, and more.
  Affected: Unknown

Select Health Network (US)
  Information: Select Health Network disclosed that an unauthorised party gained access to employee email accounts from May 22nd until June 13th, 2019. Exposed data accessible via the email accounts included names, addresses, dates of birth, treatment information, and more.
  Affected: Unknown

Solara Medical Supplies (US)
  Information: Solara Medical Supplies revealed that a series of successful phishing attacks allowed an attacker to access employees’ Office 365 accounts between April 2nd and June 20th, 2019. Potentially accessed information included names, addresses, dates of birth, financial information, Social Security numbers, and more.
  Affected: Unknown

Disney+ (US)
  Information: ZDNet reported that Disney+ user accounts were being sold or given away on hacking forums within hours of the service launching. The accounts being sold are advertised at prices ranging from $3 to $11.
  Affected: Unknown

Wizards of the Coast (US)
  Information: An unsecured database exposed the names, email addresses, and passwords of 452,634 players of Magic: The Gathering Arena and Magic: The Gathering Online, as well as 470 email addresses linked to the company’s employees. According to TechCrunch, none of the data was encrypted and some accounts date back to at least 2012.
  Affected: 453,104

Liver Wellness (Ireland)
  Information: Liver Wellness disclosed that a hacker had accessed the company’s email account and written to customers requesting sensitive information. The company stated that it does not believe the hacker accessed any company information.
  Affected: Unknown

University of North Carolina School of Medicine (US)
  Information: An unauthorised third party gained access to several UNC School of Medicine email accounts between May 17th and June 18th, 2018, potentially exposing personal data contained in the affected accounts. This includes names, dates of birth, addresses, health insurance information, Social Security numbers, credit card information, and more.
  Affected: 3,716

Macy’s Inc (US)
  Information: An unidentified party hacked Macy’s website and placed a Magecart skimming script on its ‘Checkout’ and ‘My Wallet’ pages. Customer information the attackers could steal included full names, addresses, phone numbers, card information, and more. The company stated that it removed the script on October 15th, 2019.
  Affected: Unknown

PayMyTab (US)
  Information: An unsecured AWS S3 bucket belonging to PayMyTab exposed personally identifiable information of customers who dined in restaurants using the service. Records in the database date back to July 2nd, 2018. Exposed data includes customer names, email addresses or phone numbers, the last four digits of payment cards, and more.
  Affected: Unknown

GateHub (US)
  Information: Security researcher Troy Hunt stated that the details of 1.4 million accounts from the cryptocurrency wallet service GateHub have been leaked online. Information exposed in the GateHub database includes names, email addresses, password hashes, 2FA keys, and more.
  Affected: 1,400,000

EpicBot
  Information: 800,000 accounts from the Runescape bot provider Epic Bot were leaked on a hacker forum on October 25th, 2019. Exposed information includes email addresses, usernames, IP addresses, and bcrypt-hashed passwords.
  Affected: 800,000

VEED (UK)
  Information: vpnMentor researchers discovered an unsecured Amazon Web Services S3 bucket belonging to the video editing platform VEED on October 12th, 2019. Thousands of private videos of individuals, such as family videos and home-made pornography, as well as marketing material belonging to businesses, are currently exposed via the database.
  Affected: Unknown

Gekko Group (France)
  Information: An unsecured database exposed 1TB of data belonging to Gekko Group. This included information such as login credentials for client accounts, hotel and transportation reservations, personally identifiable information, and more. The personal information exposed belonged to citizens throughout Europe and included names, home addresses, email addresses, financial information, login credentials, PII of children, and more.
  Affected: Unknown

This table shows a selection of leaks and breaches reported this week.

Malware Mentions in Banking

This chart shows the trending Malware related to Banking over the last week.

Weekly Industry View

Banking & Finance
  ESET researchers observed a new Latin American banking trojan, dubbed Mispadu, targeting Brazilian and Mexican users. Different versions were created for each country, each using different installers and stages, and other slight variations were observed. Similarities were found with other Latin American banking trojans, such as Amavaldo and Casbaneiro. Mispadu’s distribution methods include spam and malvertising. For example, when targeting Brazilian users, sponsored advertisements on Facebook offering discount coupons for McDonald’s were used to lure victims to a malicious site. The fake coupons are downloaded from the same Yandex[.]Mail account in both the spam emails and the fake websites. Mispadu was also observed being spread alongside a malicious Google Chrome browser. Its purpose is to steal credit card data and banking data, specifically from the Brazilian payment system Boleto.

Government
  In response to ongoing anti-government protests that started on November 15th, 2019, the Iranian government cut off internet access for its citizens. The protests were a reaction to the government’s announcement of a 50% increase in fuel prices. According to the government, its response was out of ‘national security interests.’ Some citizens discovered that a second internet network, which the government and universities can access, is still operational. Iran’s IT minister Mohammad-Javad Azari Jahromi denied suspicions that the government is building its own nationwide ‘internal internet’ that could be used to track citizens and prevent them from accessing the broader global internet.

Technology
  Researchers at Checkmarx identified a vulnerability, tracked as CVE-2019-2234, which stems from a permission bypass issue in applications that access the camera on Android devices. The researchers originally tested their attack on Google smartphones and warned of its potential impact on other Android devices; Samsung has since confirmed that it is affected. An attacker could exploit the vulnerability by creating a malicious application that retrieves input from the microphone, camera and GPS locator without requiring permission. This works even when the phone is locked or being used to make a call. The researchers also found attack paths that gave them access to stored videos, photos and GPS metadata.

Retail, Hospitality & Tourism
  Researchers at Venafi identified over 100,000 lookalike domains that were being used to target the customers of 20 major retailers in the US, UK, France, Germany and Australia. The attackers, who were primarily attempting to acquire financial information, used valid TLS certificates. Sixty percent of the malicious domains were using free certificates from Let’s Encrypt.

Cryptocurrency
  A coin stealer was found in the Linux 64-bit command line interface (CLI) Monero binaries offered for download. Monero warned users who downloaded the CLI wallet between ‘2:30 AM UTC and 4:30PM UTC’ on November 18th, 2019, to check the hashes of their binaries. Researcher Bary Parys was also able to obtain a Windows malware sample from the attacker’s C2. The Windows version attempts to exfiltrate the binaries in a similar manner to the Linux coin stealer.

News and information concerning each mentioned industry over the last week.

The Silobreaker Team