22 April 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7
Pulse Connect Secure
SonicWall Email Security
Zimbra Collaboration Suite
MediaWiki Software
Deep & Dark Web
Name Heat 7
Microsoft Windows Defender
Microsoft Windows API

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Company | Information | Affected
Geico (US) | The auto insurer stated that attackers used information obtained from other sources to gain access to customer driver’s license numbers via its online sales site. The data was accessed between January 21st and March 1st, 2021. | Unknown
Nationalist Party of Malta | Avaddon ransomware operators leaked the party’s data after the organisation did not meet the group’s ransom demands. The attackers claim to have employee documents, private data of clients and the party’s financial data. | Unknown
Vermont Health Connect (US) | Client information of the healthcare provider was leaked to other users within the network. An issue, likely caused by a bug, allows site visitors to view the information of other clients on their accounts. Ten breaches were recorded between November 2020 and February 2021. Client names, health care plans, annual revenue, birth dates and other data were compromised. | Unknown
Domino’s (India) | Security researcher Sourajeet Majumder reported that a threat actor has claimed to have accessed 13TB of the company’s files dating between 2015 and 2021. The seller claims to possess information relating to 250 employees, as well as 180 million order details and 1 million credit card details. The information allegedly includes delivery addresses, phone numbers, names, email addresses and more. | Unknown
Phone House (Spain) | Babuk ransomware demanded $6 million from the company for stolen information. The group proceeded to leak screenshots of the databases that they allegedly targeted during an attack. | Unknown
Planned Parenthood of Metropolitan Washington DC (US) | Unauthorised actors accessed the clinic’s network between August 27th, 2020 and October 8th, 2020. Information contained in the breach includes names, addresses, dates of birth, financial information, Social Security numbers, and more. | Unknown
Municipalities of Brescia, Caselle Torinese, and Rho (Italy) | DoppelPaymer ransomware operators leaked data allegedly stolen from the municipalities when they refused to pay the ransom demanded by the operators following an attack. | Unknown
Med-Data (US) | The healthcare billing vendor discovered a data breach following a notification that patients’ personal health information had been published online. A former employee saved the data of patients to personal folders, and later uploaded them to a public site. The breach affected patient data at University Health in San Antonio, Houston Memorial Hermann Health System, University of Chicago Medicine, Aspirus in Wausau, Wisconsin, and OSF Healthcare in Peoria, Illinois. | 135,908
Celsius (UK) | The cryptocurrency company disclosed that an attacker accessed a back-up third-party email distribution system which featured the names of some customers. Customers were contacted by messages purporting to be official Celsius communications and prompted to disclose their information on a fraudulent site. | Unknown
Codecov (US) | An investigation revealed that periodic unauthorised alterations to the Bash Uploader script were made from January 31st, 2021. Credentials, tokens, or keys passed through a customer’s CI runner were possibly affected, as well as any services, datastores, and application code accessible via these credentials, tokens, or keys. | Unknown
Houston Rockets (US) | The Babuk ransomware gang claim to have stolen 500GB of data. As proof of the attack, the group shared screenshots of exfiltrated files. TechNadu reported that the files appear to include contracts, customer information, non-disclosure agreements, and more. | Unknown
Swinburne University (Australia) | Event registration information from multiple events from 2013 was exposed in a university site breach. The incident, which has only just been disclosed, impacts 5,200 members of staff, 100 students, and 200 other attendees. The exposed data includes names, email addresses, and some phone numbers. | 5,500
Chesterfield County Public Schools (US) | The school failed to properly redact personal information from a document requested by a parent. The names of all students and staff who tested positive for COVID-19 were inadvertently released to the parent. | Unknown
Unknown (China) | Cyble Inc researchers observed a threat actor on RaidForums advertising 1.3 billion records containing sensitive information related to Chinese citizens. The data was reportedly obtained via Dungeon Fighter Online, Tencent QQ, Shunfeng Express, JD[.]com and Sina Weibo[.]com. The actor also claims to be in possession of car owners’ data and citizen identity numbers. Among the data are email IDs and passwords, phone numbers, as well as full names and addresses, dates of birth, and more. | Unknown
Eversource Energy (US) | The company disclosed a data breach of customers’ personal information that was caused by a misconfigured cloud server. Exposed data included names, addresses, phone numbers, Social Security numbers, service addresses, and account numbers. | Unknown
Apple (US) | REvil ransomware operators threatened to leak Apple data that they claim to have acquired from notebook manufacturer Quanta Computer. The threat actors claim to be in possession of drawings of all Apple devices and the personal data of Apple employees and customers. | Unknown
GiveSendGo (US) | The Guardian reported that a data breach of the Christian crowdfunding site, shared with journalists by activist group Distributed Denial of Secrets, revealed that serving police officers and public officials donated to fundraisers for far-right activists. | Unknown
Braman Motors (US) | Local 10 reported that the company was targeted in a ransomware attack. One employee stated that everything, including customer information, is at risk from the incident. The company’s official statement claims that Braman is suffering from a network outage, which is still being investigated. | Unknown
Cegos Group (France) | The distance learning and training provider was hit with a ransomware attack on April 15th, 2021. The company is still investigating whether personal information was compromised during the incident. | Unknown
Hoya Vision Care (Japan) | The glass manufacturer was targeted in a ransomware attack against its systems based in the United States. The actor Astro Team claims to have stolen 300GB of confidential corporate data, including finance information, emails, passwords, and more. | Unknown
Ultimate Anonymity Services | Unidentified researchers collected the login names and passwords for 1,379,609 Windows RDP servers from the largest marketplace for stolen RDP credentials. The data was obtained by covertly collecting IP addresses, usernames and passwords for accounts sold on UAS since the end of 2018. The information has been passed to other researchers. | Unknown

Threat Actor mentions in Banking & Finance

Time Series

This chart shows the trending Threat Actors related to Banking & Finance over the last week.

Weekly Industry View

Industry View
Industry | Information
Banking & Finance | Government authorities in India warned of an increase in man-in-the-middle (MiTM) attacks against ATMs. Security agencies reported that the attackers access the network cables of the target ATM and withdraw cash by changing declined messages from the ‘ATM Switch’ to successful ones. The threat actors perform the attack by inserting, between the ATM and the router or switch on the ATM premises, a device that can alter ATM Switch responses. The attacker then uses the restricted cards to submit the withdrawal request.
Government | Researchers at Anomali identified a campaign targeting Ukrainian government officials with malicious DOCX files that attempted to use template injection to download remote template DOT files. The campaign ran between January and late March 2021. The researchers attributed the campaign to the Russian-sponsored group Primitive Bear. The cyberespionage group likely spread the files via spear phishing.
Tourism & Retail | The Dhaka Tribune reported the spread of a new malware impersonating the popular e-commerce platform Daraz in Bangladesh. The malware is spread via Facebook Messenger, WhatsApp, and Viber, using a message falsely offering free gifts from ‘Darez’, a slight misspelling of Daraz. The message contains a link which leads to an infection resulting in the gathering of users’ contacts, photos, location and IP data, and more. One user has reportedly lost some cryptocurrency to the malware scam.
Technology | Researchers at FireEye reported that threat actors are exploiting multiple related issues on Pulse Secure VPN devices which allow them to bypass single and multi-factor authentication and gain backdoor access. The attackers persist across upgrades and maintain access via webshells. FireEye emphasised that there is no evidence to suggest that the attack is a supply chain issue. Targeted entities operate in sectors such as defense, government, and finance. The initial infection vector is a combination of known flaws and a zero-day issue tracked as CVE-2021-22893. Mitigation measures have been issued for a flaw related to the attack, with a final patch expected in early May 2021.
Cryptocurrency | Researchers at Group-IB identified a campaign, dubbed Lazarus BTC Changer, which is linked to the clientToken= campaign previously reported by Sansec researchers. The campaigns, which target e-commerce businesses, share the same infrastructure and are both linked to the North Korean Lazarus group. Instead of harvesting bank cards from target sites, the gang started targeting cryptocurrency payments. The modified skimmer swapped the intended payment address for the group’s BTC address.

News and information concerning each mentioned industry over the last week.
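The Government entry above describes DOCX files that abuse template injection to pull a remote DOT template. The mechanism is visible inside the document itself: word/settings.xml carries a w:attachedTemplate element whose r:id maps, in word/_rels/settings.xml.rels, to an attachedTemplate relationship with TargetMode="External" and a URL or UNC path as the Target. The following added example (not code from Anomali or Silobreaker) is a small triage script that opens a .docx as the ZIP archive it is and reports any attachedTemplate relationship pointing at an http(s) URL or UNC path. It constructs its own minimal sample documents in memory, so it runs offline; the "example.invalid" and "fileserver" targets are placeholders, not indicators from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# OOXML namespaces and the relationship type used for an attached template
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

SETTINGS_RELS = "word/_rels/settings.xml.rels"


def is_remote_target(target: str) -> bool:
    """True for targets Word would fetch from another host (URL or UNC share)."""
    lowered = target.lower()
    return lowered.startswith(("http://", "https://")) or target.startswith("\\\\")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return external attachedTemplate targets that point off-host.

    A local template reference (e.g. file:///C:/.../Normal.dotm) is normal for
    documents created from a custom template, so only URLs and UNC paths are flagged.
    """
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        if SETTINGS_RELS not in archive.namelist():
            return findings  # no template relationships at all
        rels = ET.fromstring(archive.read(SETTINGS_RELS))
        for rel in rels.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and is_remote_target(target):
                findings.append(target)
    return findings


def make_sample_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal constructed .docx; with a target, it embeds an external attachedTemplate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(
            "[Content_Types].xml",
            "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>",
        )
        archive.writestr("word/document.xml", f"<w:document xmlns:w='{W_NS}'><w:body/></w:document>")
        if template_target is None:
            archive.writestr("word/settings.xml", f"<w:settings xmlns:w='{W_NS}'/>")
        else:
            archive.writestr(
                "word/settings.xml",
                f"<w:settings xmlns:w='{W_NS}' xmlns:r='{R_NS}'><w:attachedTemplate r:id='rId1'/></w:settings>",
            )
            archive.writestr(
                SETTINGS_RELS,
                f"<Relationships xmlns='{REL_NS}'><Relationship Id='rId1' Type='{ATTACHED_TEMPLATE}' "
                f"Target='{template_target}' TargetMode='External'/></Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a plain document, a benign local template, and a remote one (placeholder host)
    samples = {
        "plain.docx": make_sample_docx(None),
        "from-local-template.docx": make_sample_docx("file:///C:/Users/user/Templates/Normal.dotm"),
        "remote-template.docx": make_sample_docx("http://example.invalid/template.dot"),
    }
    for name, data in samples.items():
        hits = find_remote_templates(data)
        print(f"{name}: {'REMOTE TEMPLATE ' + ', '.join(hits) if hits else 'no remote template'}")
```

Run against real mail attachments, a hit on an inbound .docx is a strong triage signal, since ordinary business documents rarely load their template over HTTP; the same relationship check can be extended to word/_rels/document.xml.rels for other externally targeted relationship types.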

