Threat Reports / Weekly Threat Reports

Threat Summary: 17 – 23 July 2020

17 – 23 July 2020

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7d
cPanel

Adobe Photoshop

Juniper Junos OS

IBM Verify Gateway

Apple iPadOS
Deep & Dark Web
Name Heat 7d
Microsoft Internet Explorer 11

Burp Suite

Windows 8

Twitter

Snapchat App

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company Information Affected
Orange SA (France) Orange confirmed its Orange Business Services division was hit by ransomware on July 4th, 2020. On July 15th, 2020, Nefilim ransomware operators added Orange to its data leak site. The attack gave the threat actors access to the data of twenty Orange Pro/SME customers and they have leaked a 339MB archive file containing data stolen in the attack, including airplane schematics, emails, and files from French aircraft manufacturer ATR Aircraft. Unknown
MyCastingFile.com (US) Researchers at Safety Detectives discovered an unsecured Elasticsearch server belonging to the site that contained nearly 10 million records. The server has since been secured. Exposed data includes personally identifiable information, including full names, residential addresses, email addresses, phone numbers, and more. In some cases, photographs of the users were also present. 260,000
Tax Collector’s Office for Polk County (US) The Florida office issued a notice of a cyberattack against its computer systems involving an unknown malware that took place on June 23rd, 2020. An investigation into the incident revealed that driver license numbers may have been accessible to an unknown third party during this period. Unknown
Blackbaud (US) The cloud provider was targeted in a ransomware attack in May 2020. Blackbaud stated it had successfully stopped the encryption of files, yet the hackers had succeeded in stealing data from Blackbaud’s ‘self-hosted environment’. The company paid a ransom demand in exchange for the hackers deleting the stolen data. Unknown
Actuaries and Associates (US) The operators of REvil ransomware leaked files belonging to the retirement specialist on the dark web and threatened to leak further data if the company does not contact them. This supposedly includes 2,000 Social Security numbers. ~2,000
Telecom Argentina SA The company was hit by REvil ransomware, impacting internal systems that hold sensitive information. The ransomware operators stated that the company has until July 21st, 2020, to pay them $7.5 million in Monero. If this deadline passes without payment, the attackers stated that the ransom demand will increase to over $15 million. Unknown
Multiple VPN Services (Hong Kong) Researchers at vpnMentor identified seven free VPN apps, most likely by the same developers, that exposed the information of users on a single ElasticSearch server. The seven VPNs are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. The exposed data included cleartext passwords, names, email, home addresses, and multiple instances of internet activity logs, which the services claim not to record. ~20,000,000
Lorien Health Services (US) The company disclosed a ransomware incident which was detected by the company on June 6th, 2020. Impacted information including names, Social Security numbers and treatment information. Despite Lorien Health Services only recently confirming the breach, Netwalker ransomware operators published various screenshots in mid-June which showed that they had accessed the company’s systems. 47,754
Government of Western Australia On July 20th, 2020, over 400 web pages containing confidential medical data from the state’s coronavirus management system were posted online. This includes patient names, addresses, phone numbers, health concerns, and more. The data is not only coronavirus-related but also includes data from a number of government agencies. Premier Mark McGowan stated that the breach was related to the use of a third-party pager service, which has since been shut off. A 15-year old individual is said to be behind the breach. Unknown
Multiple E-Learning Platforms WizCase researchers discovered four misconfigured and unencrypted Amazon S3 buckets and one ElasticSearch server leaking sensitive user data. The databases belong to the e-learning platforms Escola Digital, MyTopDog, Okoo, Square Panda, and Playground Sessions. Leaked data includes full names, email addresses, ID numbers, phone numbers, home addresses, dates of birth, specific course and school information, and more. 1,000,000
Software MacKiev (US) Researchers at WizCase identified an exposed ElasticSearch server containing 25GB of Software MacKiev user subscription and Ancestry user data. The exposed data included email addresses, IP addresses, user support messages, and more. ~60,000
Highpoint Foot and Ankle Center (US) The Pennsylvania-based podiatrist was targeted in a ransomware attack on May 20th, 2020. No evidence was found that any private data had been misused but the company could not rule out the possibility of the attacker having viewed patient records. These include names, addresses, dates of birth, Social Security numbers, and more. Unknown
Regatta (UK) Researchers at Cyble reported that Netwalker ransomware operators claim to have attacked the company. The threat actors have leaked a sample of data online, which they claim to have stolen in the attack. Cyble stated that the data appears to include financial information and the details of customers. Unknown
DeepSource (India & US) On July 11th, 2020, the GitHub Security Team informed DeepSource of potential malicious activity related to their GitHub application. An investigation revealed that one of its employees had been the victim of the Sawfish phishing campaign, allowing the attacker to gain access to DeepSource GitHub application credentials. Unknown
Key Food Stores Co-op Inc (US) Two Gala Foods Supermarket stores in Bridgeport and a Key Food store in Waterbury were found to have been compromised by point-of-sale malware. According to the company, customer payment details may have been compromised between April 2019 and January 2020. Compromised data includes card numbers and expiration dates, as well as cardholder names and verification codes in some instances. Unknown
Twitter Inc (US) Further details provided by Twitter about the recent hacking that occurred on July 15th, 2020, reveal that the hackers had accessed the DM inbox for 36 of the 130 targeted Twitter accounts. 36
Delaware Division of Developmental Disabilities Services (US) The DDDS accidentally sent sensitive data to four students requesting data for a geo-mapping project without anonymising the data. This included names, dates of birth, primary diagnoses, and counties of residence of 350 recipients of DDDS support. The data was subsequently shared in a presentation given via Zoom on May 8th, 2020. 350
Slack Technologies (US) Researchers at KELA reported that they identified over 17,000 Slack credentials for over 12,000 Slack workspaces being sold on the cybercrime underground. The price for the credentials varied from between $0.50 to over $300 per bot. Unknown
CaptainU (US) Researchers at Cybernews discovered an unsecured Amazon S3 bucket belonging to recruitment platform CaptainU, which exposed nearly 1 million records of high school students. Exposed data included GPA scores, student and parent names, email addresses, pictures and videos of students, and more. Amazon secured the indexing on June 9th, 2020, however the files are still accessible. CaptainU stated that the data was ‘meant to be openly available.’ Unknown
Verogen (US) On July 19th, 2020, millions of GEDmatch users’ DNA profiles were leaked online in what Verogen described as a ‘sophisticated attack’ against an existing user account. The breach resulted in user permissions resets for all users, which in turn made all profiles visible. On July 21st, 2020, genealogy site MyHeritage warned its customers of an email phishing campaign targeting users that also have a GEDmatch account. The company suspects that the attackers obtained the email addresses and names via the GEDmatch breach. 1,450,000

This table shows a selection of leaks and breaches reported this week.

Malware Mentions in Banking

This chart shows the trending Malware related to Banking over the last week.

Weekly Industry View
Industry Information
Banking & Finance Following a five-month hiatus, Emotet was observed being distributed in a mass spam campaign on July 17th, 2020. The malware was first seen installing the TrickBot trojan, which infects Windows machines and downloads additional modules that can steal banking credentials, OpenSSH keys, spread laterally through a network, and more. Emotet’s payload has since changed to QakBot, with the threat actor replacing TrickBot distribution across all three epochs of the botnet. QakBot is also used to drop further malware on an infected system.
Critical Infrastructure In April 2020, Palo Alto Networks Unit 42 observed an attack against a Middle Eastern telecommunications organisation that involved RDAT. RDAT is a custom backdoor associated with OilRig that has been under active development since 2017 and has since been used to target organisations in the Middle East. The latest attack involved a new email-based C2 channel that relies on steganography. This allows the threat actors to hide their commands and data within BMP images that are attached to emails, making detection more difficult.
Government North Macedonia’s State Electoral Commission’s (SEC) website was targeted in a distributed denial-of-service (DDoS) attack for three hours on election day. This resulted in the SEC not being able to announce official results on their website and instead release partial results via YouTube clips. The news site TIME[.]mk was also targeted in a DDoS attack during the same period, with Cloudflare blocking at least 3 million IP addresses. Anonymous Macedonia has claimed responsibility for this attack, citing ‘empty promises from all political parties’ as a reason.
Healthcare The UK’s National Cyber Security Centre (NCSC) released a report stating that throughout 2020, APT29 have targeted a variety of organisations in the UK, US, and Canada that are working on COVID-19 vaccines. The motives for the attacks are suspected to be information and intellectual property theft. The NCSC report states that APT29 are using the custom malware tools WellMess and WellMail to target several organisations globally. Both malware had not previously been publicly associated with APT29. The NCSC and Canada’s Communications Security Establishment (CSE) assessed that APT29 is ‘almost certainly part of the Russian intelligence services’ – an attribution the US National Security Agency agrees with. A spokesperson for President Vladimir Putin stated ‘Russia has nothing to do with those attempts’ to hack research centres and pharmaceutical companies in the UK.
Cryptocurrency Researchers at ESET found that GMERA malware is being used in a new series of campaigns. The malware operators have wrapped the malware in legitimate applications and are spoofing platforms such as Kattana, Cointrazer, Cupatrade, Licatrade and Trezarus. The researchers stated that they are unsure how the apps are promoted but hypothesised that the operators directly contact targets and try to convince them to download the trojanized application bundle. The researchers stated that the threat actors are interested in acquiring browser information, screen captures, and cryptocurrency wallets.

News and information concerning each mentioned industry over the last week.

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.
The Silobreaker Team

More News

  • COVID-19 Alert – 03 August 2020

    Silobreaker's Daily COVID-19 Alert for 03 August 2020
  • Cyber Alert – 03 August 2020

    Cyber Alert: InfoSecHotSpot - 10 billion records exposed in unsecured databases, study says The databases contain personal information that could… https://t.co/LYBl2kpNgL...
  • COVID-19 Alert – 02 August 2020

    Silobreaker's Daily COVID-19 Alert for 02 August 2020
View all News

Request a demo

Get in touch