24 June 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name / Heat 7)
Android 11
PHPGurukul
WebGL
VMware Tools
Serenity OS

Deep & Dark Web (Name / Heat 7)
Microsoft Excel
Linux OS
WebGL
Pling Store
WinRAR

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Each entry gives the company (country), the information concerning the incident, and the number affected.

WorkForce West Virginia (US): The company learned that on April 13th, 2021, its Mid Atlantic Career Consortium Employment Services database was accessed by an unauthorised party. Accessed data might have included names, addresses, phone numbers, dates of birth, and Social Security numbers. Affected: Unknown

City of Liège (Belgium): The city of Liège suffered a ransomware attack, causing municipal staff to shut down its network and interrupt online services. It remains unclear if any data was stolen. RTC Tele Liege reported that Ryuk ransomware was responsible for the incident. Affected: Unknown

Reproductive Biology Associates (US): The company and its affiliate MyEggBank North America disclosed that they suffered a data breach following a ransomware attack. The threat actors likely gained access to the system on April 7th, 2021, and encrypted a file server containing embryology data. The exposed information includes names, addresses, Social Security numbers, laboratory results, dates of birth, and more. Affected: Unknown

Cosmolog Kozmetik (Turkey): WizCase identified an exposed Amazon S3 bucket belonging to the online retailer. The exposed data included over 637,000 unique orders placed by users on numerous e-commerce sites. The leaked information includes names, addresses, purchase details, and more. In some cases, phone numbers and email addresses were also exposed. Affected: 567,000

Wegmans Food Markets (US): The company disclosed that two of its cloud databases could have been accessed by an outside party due to a ‘previously undiscovered configuration issue’. Exposed data includes customer names, addresses, phone numbers, shoppers club numbers, email addresses, and account passwords. Affected: Unknown

Lightfoot, Franklin & White (US): The Alabama law firm notified its clients about a ransomware attack discovered on April 17th, 2021. An unauthorised third party gained access to case files, compromising the information of some plaintiffs, defendants, witnesses, and non-parties. This may have included Social Security numbers, other government-issued identification, and medical information. Affected: 6,145

Volkswagen (Germany): On June 11th, 2021, the company disclosed that it was impacted by a data breach affecting customers and prospective buyers. An actor is currently selling data purportedly stolen from the company, which is said to include email addresses and Vehicle Identification Numbers. Two data samples posted by the actor contain full names, email addresses, mailing addresses, and phone numbers. Affected: 3,300,000

Eggfree Cake Box (UK): The bakery chain disclosed that on April 27th, 2020, its then-payment processing provider informed it of a data breach incident. An unauthorised third party infected the chain’s website with malware, which exfiltrated customer names, email and postal addresses, and payment card information. This information has subsequently been used to make fraudulent purchases. According to BleepingComputer, the incident was likely a MageCart attack. Affected: Unknown

CIUSSS de l’Est-de-l’Île-de-Montréal (Canada): The hospital discovered a cyberattack against its systems that began in late May 2021. The identities of 2,340 medical residents may have been stolen. In addition, files containing sensitive information of nine patients who had filed complaints were stolen. Affected: 2,349

Jones Family Dental (US): An unauthorised actor gained access to some of the clinic’s computer systems between April 15th and April 18th, 2021. The impacted systems may have contained patient names, addresses, driver’s license numbers, treatment notes, and more. Affected: Unknown

The Woodruff Institute (US): On June 15th, 2021, Pay or Grief threat actors published data which they claim to have stolen from the practice. The information includes profit and loss statements, incentive compensation for named employees, and more. Roughly 50 files reportedly relate to patient data, and contain details such as names, addresses, dates of birth, lab tests, and more. Affected: Unknown

Sports Club NAS (Japan): The Daiwa House Group subsidiary was targeted in a ransomware attack discovered on April 2nd, 2021. The ransomware involved reportedly does not steal data, though some reports suggest that data has been posted to an external site. The type of data stored on the impacted server included names, addresses, dates of birth, credit card information, and more, of 150,084 customers. The names and dates of birth of 460 employees were also present. Affected: 150,544

RHB Banking Group (Malaysia): A number of RHB customers stated that they had received personal bank account statements belonging to other customers. According to the company, a technical issue caused the error. Some customers also stated they could access other customers’ e-statements using their own passwords. Personal data exposed on the statements includes full names, home addresses, transaction history, salary amounts deposited, and account numbers. Affected: Unknown

Ito Yogyo (Japan): The company confirmed a ransomware attack that took place on June 10th, 2021. The company could not confirm whether any information stored on its servers was leaked. Affected: Unknown

Prominence Health Plan (US): The Nevada health insurer is sending notices regarding a data theft incident that occurred in November 2020. Those affected were served by the company between 2010 and 2020. The breach, which includes audio recordings, exposes patient names, dates of birth, sex, and more. Affected: 45,000

Coastal Medical Group (US): The company discovered unauthorised access to its systems which began on March 25th, 2021. Certain files were stolen by the intruder, potentially exposing patient names, home addresses, dates of birth, Social Security numbers, insurance and treatment information, and more. Affected: Unknown

ADATA (Taiwan): On June 19th, 2021, Ragnar Locker ransomware attackers published download links to over 700GB of data belonging to the company. Based on the names of the archives, BleepingComputer speculated that the threat actors likely stole data such as non-disclosure agreements, financial agreements, and more. Affected: Unknown

Maximus (US): The Ohio Department of Medicaid’s provider for data management stated that an unauthorised party gained access to an application’s data between May 17th and May 19th, 2021. This may have resulted in the theft of personal information of healthcare providers, including names, dates of birth, and Social Security numbers. Affected: Unknown

NATO: An unknown threat actor claims to have made copies of NATO data from the Polaris platform, the centralised security, integration, and hosting information management SOA & IdM platform used by the agency. The attackers reportedly initially targeted the data of the platform’s maker Everis in Latin America, and were surprised to obtain access to NATO data and documents related to drones and military defence systems. Affected: Unknown

The Asia Pacific Network Information Centre (Australia): APNIC stated that a ‘dump’ file of its Whois SQL database was copied to a Google Cloud storage bucket that was publicly visible for three months. The exposed file contained hashed authentication details for APNIC Whois maintainer and Incident Response Team (IRT) objects, as well as some private Whois objects. Affected: Unknown

Wolfe Eye Clinic (US): The clinic disclosed that it was impacted by a cyberattack which took place on February 8th, 2021. The company stated that an unauthorised party accessed its computer network. Data that might have been accessed includes names, mailing addresses, dates of birth, Social Security numbers, and more. Affected: Unknown

Patari (Pakistan): On June 13th, 2021, the database of the music streaming site was dumped online. The database contains users’ personal information and login credentials, and has been shared on Russian and English hacker forums. It contains names, email addresses, password hashes, playlists, and avatar links. According to the hackers, the data was exposed on a misconfigured MongoDB database prior to May 2021. Affected: 257,000

Grupo Fleury (Brazil): On June 23rd, 2021, the medical diagnostic company disclosed that it was targeted in a cyberattack. The attack was reportedly carried out by the REvil ransomware group, who are said to be demanding a $5 million ransom to provide the decryptor and prevent any allegedly stolen data from being published. Affected: Unknown

City of Tulsa (US): The city issued an update regarding the May 2021 ransomware attack that impacted the city, stating that over 18,000 files were leaked online. The operators of Conti ransomware claimed responsibility for the attack. The majority of files are police citations and internal department files, some of which contain personally identifiable information. This includes names, dates of birth, addresses, and driver’s license numbers. Affected: Unknown

TidalHealth (US): The health system was affected by the CaptureRx ransomware attack and data breach in February 2021. Some patient data was compromised. Affected: Unknown

Bayhealth (US): The health system was affected by the CaptureRx ransomware attack and data breach in February 2021. The extent of the compromise remains unclear. Affected: Unknown

Malware mentions in Critical Infrastructure

Time Series (chart not reproduced in this text)

This chart shows the trending Malware related to Critical Infrastructure within a curated list of cyber sources over the past week.

Weekly Industry View

Industry View
Each entry gives the industry followed by the information for the week.

Healthcare: Bitdefender researchers observed a phishing campaign targeting Windows machines with one of the most recent versions of Agent Tesla. Targets receive an email purportedly containing an attached COVID-19 vaccination schedule. The attachment is in fact an RTF document that exploits a known Microsoft Office flaw tracked as CVE-2017-11882. Once opened, the document downloads the Agent Tesla malware. Most of the attacks originated from IP addresses located in Vietnam, with 50% of the emails targeting South Korea and the remainder dispersed globally.

Government: Researchers at Proofpoint identified a new malware, dubbed LastConn and attributed to TA402, targeting government organisations in the Middle East and entities with diplomatic relations in the region. The malware is spread via spear phishing emails containing lure documents with a geopolitical theme, such as references to a Hamas members list. The most recent campaigns involved a PDF attachment with geofenced URLs that lead to a password-protected RAR archive containing the malware. Another observed method involved Google Apps Script URLs placed directly in the emails, which redirect to either a password-protected archive or a benign decoy site.

Banking and Finance: IBM researchers observed an ongoing campaign targeting online banking users in Italy with the Ursnif banking trojan. The malware targets a victim’s desktop and also tricks them into downloading a malicious mobile app that leads to a Cerberus Android malware infection. Cerberus is used to bypass the bank’s SMS-code verification challenge. The actual fraudulent transactions take place on the victim’s desktop, with a fake maintenance notice displayed to prevent the victim from accessing their account.

Cryptocurrency:

Critical Infrastructure: South Korea’s main opposition party representative Ha Tae-keung claimed 13 unauthorised IP addresses accessed the internal network of the Korea Atomic Energy Research Institute (KAERI) on May 14th, 2021. Some of the addresses could allegedly be traced to the North Korean actor Kimsuky. KAERI confirmed that an unidentified outsider accessed parts of its system using flaws in its virtual private network. On June 20th, 2021, local media reports also revealed that military shipbuilder Daewoo Shipbuilding & Marine Engineering had been suffering recurring attacks attributed to North Korea since 2020.

News and information concerning each mentioned industry over the last week.
