
Threat Summary: 17 – 23 April 2020


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name / Heat 7d)

  • Apple iOS 6
  • IBM Data Risk Manager
  • Foxit PhantomPDF
  • Apple iOS 12
  • Qualcomm Snapdragon

Deep & Dark Web (Name / Heat 7d)

  • Windows NT
  • Mozilla Firefox
  • Apple macOS
  • Metasploit
  • Bitcoin

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company | Information | Affected

Applications Software Technology LLC (US): The company has notified its employees of a data breach that took place on March 9th, 2020. An unauthorised individual gained access to employee payroll information via a previously compromised employee email address. Accessed data includes employees’ 2019 W-2 wage and tax statements, which contained data such as names, addresses, wages, and more. Affected: Unknown

Hartford HealthCare (US): On February 13th, 2020, the US-based healthcare provider identified suspicious activity on two employees’ email accounts, one of which contained personally identifiable information. The incident could have exposed names, dates of birth, medical record numbers, and more. 23 individuals also potentially had an insurance account, containing their Social Security number, exposed. Affected: 2,651

Facebook Inc (US): A threat actor advertised the data of 267 million Facebook users online, asking for €500. Cyble researchers verified the data, which includes email addresses, first and last names, phone numbers, Facebook IDs, last connection, status and age of users. At present, it remains unclear how the threat actor gained access to the data. Affected: 267,000,000

Webkinz (Canada): A hacker leaked the usernames and passwords of 22,982,319 players of the online children’s game Webkinz World. According to ZDNet, the hack occurred earlier this month after an attacker accessed the game’s database using an SQL injection vulnerability in one of the site’s web forms. The hacker was also able to access hashed versions of parents’ email addresses. Affected: 22,982,319

Aptoide SA (Portugal): The details of 20 million users of the Android third-party app store were leaked on a well-known hacking forum. The data is allegedly part of a larger batch of 39 million records that were obtained by a hacker earlier this month. The leaked data contains personally identifiable information on users who registered or used the app between July 21st, 2016 and January 28th, 2018. Affected: >20,000,000

Thunder Bay Regional Health Sciences Centre (Canada): At the end of March 2020, the hospital accidentally published the personally identifiable information of 245 employees on its website. The data, which included names and Social Insurance Numbers, was available for roughly a week and a half. Affected: 245

Aurora Medical Center Bay Area (US): An email phishing scam, which occurred around January 1st, 2020, allowed an attacker to gain access to employee email accounts through which patient information could be accessed. The hospital became aware of the incident on January 9th, 2020. Potentially exposed information includes full names, addresses, Social Security numbers, medical record numbers, passport numbers, full face photos, and more. Affected: Unknown

PrimoHoagies Franchising Inc (US): PrimoHoagies revealed that customers who made purchases online between July 15th, 2019 and February 18th, 2020, may have had their payment information stolen. The breach at the New Jersey headquartered Italian specialty sandwich shop exposed names, addresses, payment card numbers, expiration dates, and security codes. Affected: Unknown

Oakland County (US): An internal coronavirus map that was mistakenly marked as public during an upload contained information about positive coronavirus cases related to race, age, address, gender, and mortality. The leak, which happened on April 14th, 2020, led to under 100 WeChat users being given access to the data before it was re-secured. Affected: Unknown

Lincoln Financial Advisor (US): The company revealed a data breach incident that it discovered on March 19th, 2020. The leak relates to an unknown third party who had a hard disk drive that contained client data. The breach was announced by the Charpentier Wealth Strategies office in Bakersfield, California. Leaked information includes names, addresses, Social Security numbers, bank account information, and more. Affected: Unknown

Beaumont Health (US): On March 29th, 2020, Beaumont Health discovered that email accounts accessed by an unauthorised party between May 23rd and June 3rd, 2019, would have given them access to personally identifiable information. Potentially exposed information includes names, dates of birth, diagnosis codes, treatment locations, and more. Affected: 112,000

Covid19 Alert App (Netherlands): The source code of an app proposed to the Dutch government, called Covid19 Alert, was accidentally leaked online. As the source code contained user data from another application, it also leaked the personal details of 200 individuals. This includes full names, email addresses, and hashed user passwords. Affected: 200

UniCredit SpA (Italy): A threat actor is currently advertising a database containing the personal data of employees, including email addresses, phone numbers, encrypted passwords, and first and last names. The threat actor, going by the name of ‘c0c0linoz’, claims the data to be from late 2018 to 2019. At present, it is unclear how the seller gained access to the data. Affected: Unknown

Brandywine Counseling and Community Services Inc (US): The company disclosed a ransomware attack that had infected its servers on February 10th, 2020. The incident involved the exfiltration of personal information for some clients. This includes names, addresses, dates of birth, prescriptions, treatment information, and more. Some clients also had their Social Security numbers, health insurance information, and driver’s license numbers stolen. Affected: Unknown

Chartered Institute for Securities and Investment (US): A breach on the company’s website is being investigated after members reported fraudulent transactions after using their credit cards on the site. The CISI stated that it is currently unsure when or how the compromise occurred but did reveal that it believes its site was deliberately attacked. Affected: Unknown

Small Business Administration (US): An error on the government agency’s website may have exposed the personal data of applicants for the Economic Injury Disaster Loan program, which was recently expanded to include those economically impacted by the coronavirus pandemic. Potentially exposed information includes names, Social Security numbers, addresses, dates of birth, email addresses, phone numbers, citizenship and insurance information. Affected: ~8,000

City of Torrance (US): DoppelPaymer ransomware operators created a new page on their ‘Dopple Leaks’ site claiming that they attacked the City of Torrance and exfiltrated data. Local media reported that Torrance had been hit by a cyberattack in March 2020. At the time the city claimed that no ‘public personal data’ was involved in the incident. The attackers claim that they erased the City’s local backups, encrypted roughly 150 servers and 500 workstations, and stole over 200GB of data. Affected: Unknown

Fortum Poland: Security researcher Bob Diachenko discovered an unprotected and publicly accessible Elasticsearch cluster belonging to the energy company Fortum Poland. The cluster contained 3,376,912 records, including personally identifiable information of its customers. This includes names, email addresses, postal addresses, phone numbers, PESEL numbers, and contract details. Affected: Unknown

Kinomap (France): Researchers at vpnMentor discovered that the exercise company Kinomap exposed 42 million records via an unsecured database. The database contained over 40GB of information. Exposed data included names, email addresses, genders, exercise timestamps, and more. Many entries also contained links to users’ Kinomap profiles and records of their activity. Affected: Unknown

WHO, CDC, & Gates Foundation: A data dump containing the email addresses and passwords of members of the Gates Foundation, World Health Organization and US Centers for Disease Control and Prevention is currently circulating on a right-wing extremist network. According to Motherboard, much of the data is likely outdated and appears to have been compiled from a previous data breach. Affected: 25,000

Squar Milner (US): Squar Milner stated it had become aware of a potential data breach on March 25th, 2020, when it experienced issues with processing its clients’ tax returns. It was discovered that an unauthorised individual had stolen client login credentials and reset them. Information potentially accessed by the attacker includes full names, addresses, Social Security numbers, Tax ID numbers and more. Affected: Unknown

Government of Nagaland (India): The personal data of 900 individuals was leaked via a Nagaland government website intended for individuals stranded outside the state during the nationwide COVID-19 lockdown to apply for aid. Leaked data includes bank account details, AADHAAR numbers, phone numbers, addresses, and more. Affected: 900

Robert Dyas (UK): A malicious card skimmer was present on Robert Dyas’ payment processing page between March 7th and March 30th, 2020. The skimmer stole customers’ personal and payment details, including names, addresses, card numbers, expiry dates, and security codes. Affected: Unknown

PinnacleCart (US): Sucuri researchers discovered two malicious web skimmers and a backdoor on PinnacleCart. One of the skimmers makes an HTTP request to save payment data. The researchers note that no evidence was found to suggest the malware was installed by exploiting a vulnerability in PinnacleCart. Instead, stolen, guessed, or compromised server credentials may have been used. Affected: Unknown

KandyPens (US): KandyPens has informed its customers of a security incident in which an attacker gained access to the company’s online check-out platform from March 7th, 2019 to February 13th, 2020. Personal information entered during this period may have been compromised. This includes names, card numbers, expiration dates, and security codes or card verification codes. Affected: Unknown

This table shows a selection of leaks and breaches reported this week.

Malware mentions in relation to the coronavirus outbreak

This chart shows the trending malware related to the coronavirus outbreak over the last week.

Weekly Industry View
Industry | Information

Banking & Finance: IBM researchers discovered a new banking trojan, dubbed BankerBR, targeting users in Spain, Portugal, Brazil and other countries in Latin America. The malware is currently spread via messages redirecting users to a malicious domain, where they are prompted to update a supposed security app needed for mobile banking. The malware does not appear to rely on previously leaked code or existing mobile malware. It is written in B4X, which is not often seen in malware apps. An earlier version of this malware had previously been discovered, containing only basic SMS stealer capabilities. This new version is capable of overlay attacks and can steal two-factor authentication codes sent via SMS. It abuses the Accessibility service to obtain the needed permissions without the user’s knowledge.

Healthcare: FBI Deputy Assistant Director Tonya Ugoretz reported that the FBI had observed attempted cyberattacks by state-backed threat actors on healthcare and research institutions, in particular ones known to be working on COVID-related research. Ugoretz stated that the biopharmaceutical industry has often been a target of state-backed threat actors but that there is certainly an increase during the coronavirus crisis.

Technology: IT managed services company Cognizant confirmed that it was hit with Maze ransomware. The company began to notify its clients of the incident on April 17th, 2020. The company stated that the attack involves its internal systems and revealed that the incident was causing disruption for some of its clients. Before Cognizant disclosed the identity of the attackers, Maze operators denied responsibility for the incident when approached by BleepingComputer.

Government: The government of North Rhine-Westphalia (NRW) may have lost tens of millions of euros after criminals made a copy of an official website used to distribute coronavirus financial aid. The criminals sent out links to the malicious site in emails. Targets then entered their personal information, which was taken by the attackers and used to apply for aid on the real site. Unlike other German states, the NRW government was not applying additional citizen verification steps to ensure the legitimacy of payments. The scam, which ran from mid-March to April 9th, 2020, led to 576 official reports of fraud. Officials stated that they believe 3,500 to 4,000 fraudulent funding requests have been made. Estimated losses range between €31.5 million ($34.25 million) and €100 million ($109 million).

Critical Infrastructure: Researchers identified two spearphishing campaigns attempting to deliver Agent Tesla spyware via emails containing legitimate information and industry jargon. The malware, which is spread through malicious attachments, can steal credentials, log keystrokes, perform screen captures, and more. The first campaign, which occurred on March 31st, 2020, targeted the oil and gas sector primarily in the US, the MENA region, and Malaysia. The attackers posed as the Egyptian state oil company Enppi. The second campaign, which began on April 12th, 2020 and lasted for two days, targeted shipping companies in the Philippines. The attackers posed as Glory Shipping Marine Co Ltd and sent emails containing a malicious attachment that purported to be an Estimated Port Disbursement Account for the MT.Sinar Maluku.

News and information concerning each mentioned industry over the last week.

The Silobreaker Team
