25 February 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name, Heat 7)
VMware vCenter Server
Aruba ClearPass Policy Manager
Cisco NX-OS
Qualcomm Snapdragon
Cisco Nexus 9000

Deep & Dark Web (Name, Heat 7)
Microsoft Office
WinRAR
NVIDIA GeForce Now
MyBB Forum Software
Roblox

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches (company, information, number of individuals affected)

Government of India [Affected: Unknown]
Sakura Samurai researchers identified a number of flaws on government websites that led to the exposure of sensitive personal information. This includes 35 instances of exposed credential pairs, three instances of sensitive file disclosure, five exposed private key pairs for servers, and a remote code execution flaw. Exposed data included over 13,000 personally identifiable information records, dozens of sensitive police reports, and backups of financial records.

Grand River Medical Group (US) [Affected: 34,000]
An unauthorised individual gained access to an employee’s account, potentially compromising patients’ names, Social Security numbers, dates of birth, addresses, and more.

Scottish Borders Council (UK) [Affected: 600]
The organisation accidentally sent three emails to multiple individuals which exposed the email addresses of all the recipients.

Sequoia Capital (US) [Affected: Unknown]
On February 19th, 2021, the company disclosed a phishing attack which successfully targeted an employee’s email account. Some of its investors’ personal and financial information may have been accessed by a third party following the attack.

StarMed Specialist Centre (Singapore) [Affected: 373]
The centre was targeted in a ransomware attack, resulting in the encryption of a database containing patient names, NRIC numbers, dates of birth, some health data, and more.

University of Alabama in Huntsville (US) [Affected: 272]
The university was targeted in a phishing attack in January 2021, resulting in the compromise of multiple email accounts and potentially exposing names, dates of birth, and Social Security numbers. No banking or card information was affected.

Cashalo (Philippines) [Affected: 3,300,000]
The fintech platform disclosed an unauthorised access incident involving a customer database archive. An actor operating under the alias ‘creepxploit’ is selling Cashalo user data, including usernames, passwords, email addresses, phone numbers, and device identifiers.

Unknown (France) [Affected: 50,000]
CERT-FR warned the Ministry of Health that a threat actor on a cybercriminal forum advertised a database under the name ‘FR medecine related database’. The seller claims that the database contains the list of passwords and email addresses for user accounts.

Chalon-sur-Saône (France) [Affected: Unknown]
The director general of the commune’s services stated that the city was hit with a ‘crypto-virus’ on the night of February 20th, 2021. Databreaches[.]net stated that some files were encrypted in the incident and IT staff are unsure whether data was exfiltrated.

Hyundai Motor America (US) [Affected: Unknown]
DoppelPaymer ransomware operators leaked data relating to the logistics firm Hyundai Glovis, another undisclosed trucking partner, and more. The company acknowledged an IT outage but denied that it was affected by a ransomware attack.

Hellenic Defence Systems (Greece) [Affected: Unknown]
An investigation by the Greek Ministry of National Defence and police was launched following a reported ransomware attack against the company. Concerns of potential foreign cyberespionage were initially reported. The attackers are not believed to have accessed the production part of the system, which stores more sensitive data.

Amber Group (Jamaica) [Affected: Unknown]
TechCrunch researchers discovered an unprotected storage server belonging to the government contractor. The leaked data included over 70,000 negative COVID-19 lab results, over 425,000 immigration documents that contained names, dates of birth, and passport numbers, as well as over 250,000 quarantine orders, and more. The government stated that no evidence was found to suggest data had been extracted.

Bombardier (Canada) [Affected: 130]
Bombardier issued a statement confirming that a breach took place, attributing it to a vulnerability in its third-party file-transfer application, which is believed to be Accellion. The personal data of employees in Costa Rica was compromised. Some stolen data has since been released by CLOP ransomware operators.

Transport for NSW (Australia) [Affected: Unknown]
The agency disclosed that it was impacted by the Accellion breach, with some of its data stolen in the incident. The breach was limited to its Accellion servers.

Pentair (US) [Affected: Unknown]
The company has been added to the CLOP ransomware data leak site. Recent listings on the leak site included companies impacted by the Accellion breach.

CSA Group (Canada) [Affected: Unknown]
The company has been added to the CLOP ransomware data leak site. Recent listings on the leak site included companies impacted by the Accellion breach.

Enders (US) [Affected: Unknown]
On May 7th, 2020, the insurance company discovered that one of its employees’ email accounts had been compromised. Potentially impacted data includes individuals’ names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, and more.

Indian Railways [Affected: Unknown]
Indian Railways disclosed that a number of incidents related to breaches ‘in various IT applications’ took place. Exact details of the nature of the breaches and which applications are affected were not provided. Some of the breaches have been put down to ‘improper handling of the IT assets’ by some of its employees.

Ministry of Finance of Angola [Affected: Unknown]
The Ministry disclosed that on February 18th, 2021, its technical platform was targeted by an unknown cyberattack. The platform reportedly has access to emails and shared folders.

Covenant HealthCare (US) [Affected: Unknown]
On December 21st, 2020, the health system discovered that an unauthorised party had obtained access to two employee email accounts on May 4th, 2020. The affected accounts contained some personal information, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and more.

West Bengal Health and Family Welfare Department (India) [Affected: Unknown]
Security researcher Sourajeet Majumder found that the department’s website was leaking COVID-19 test data. The URLs linking to test results used predictable identifiers, so they could be enumerated to retrieve other people’s results without authentication. The exposed data includes names, ages, genders, partial home addresses, COVID-19 test results, and more.

Clearfield County (US) [Affected: Unknown]
Clearfield County is notifying potentially affected individuals that a cyberattack against its systems on January 9th, 2021, may have resulted in a data breach involving their personal information. Impacted data includes names, dates of birth, addresses, and Social Security numbers.

Netherlands Organisation for Scientific Research (NWO) [Affected: Unknown]
NWO disclosed that it was hit with a DoppelPaymer ransomware attack on February 8th, 2021. Stolen NWO ‘sensitive personnel documents’ were leaked on February 24th, 2021.

İnova Yönetim (Turkey) [Affected: Unknown]
Researchers at WizCase discovered a misconfigured, publicly accessible AWS S3 bucket that contained information on 15,000 court cases dating from 2018 to 2020. This includes personally identifiable information of victims, such as names, national ID numbers, and more. Some files also exposed data of witnesses, complainants, and others.

Unknown (France) [Affected: 491,840]
Libération and Zataz reported that the medical data of French residents has been leaked in at least seven different places online. The data, which includes names, phone numbers, postal addresses, and medical information, was reportedly stolen from roughly 30 different medical laboratories in the northwest of France. The information dates from between 2015 and October 2020, during which time the laboratories were using administrative software from Dedalus France.
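The West Bengal entry above is a textbook insecure direct object reference: the only thing standing between a visitor and someone else’s test result is an integer in the URL. The following is an added illustration, not code from the affected site or from the researcher, and uses constructed records and hypothetical function names. It shows the enumerable lookup beside a hardened version that combines an unguessable per-record token with an ownership check, since either control on its own is weaker (a token can be forwarded or end up in a proxy log; an ownership check alone still lets a logged-in user probe for which IDs exist).

```python
import hmac
import secrets

# Constructed sample records (not real data).
RESULTS = {
    1001: {"patient": "alice", "result": "negative"},
    1002: {"patient": "bob", "result": "positive"},
}


def vulnerable_lookup(record_id):
    """Vulnerable: the integer in the URL is the only thing the server checks.
    IDs are sequential, so anyone can walk 1001, 1002, ... and read every result."""
    return RESULTS[record_id]


def enumerate_vulnerable(start, count):
    """What an attacker (or a researcher) does against the vulnerable endpoint."""
    found = []
    for rid in range(start, start + count):
        try:
            found.append(vulnerable_lookup(rid))
        except KeyError:
            pass
    return found


# Hardened variant: each result is reachable only through a random token,
# and the server still verifies that the requester owns the record.
TOKENS = {}  # token -> record_id (a database column in a real system)


def issue_token(record_id):
    """256 bits of randomness; there is nothing to enumerate."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = record_id
    return token


def hardened_lookup(token, requesting_user):
    """Returns (status, record) with status 'ok', 'not_found' or 'forbidden'.
    A production endpoint would answer 404 for both failure cases so that a
    valid token cannot be confirmed by someone who is not its owner."""
    record_id = TOKENS.get(token)
    if record_id is None:
        return "not_found", None
    record = RESULTS[record_id]
    # Constant-time comparison so the owner name does not leak through timing.
    if not hmac.compare_digest(record["patient"], requesting_user):
        return "forbidden", None
    return "ok", record
```

Walking ten sequential IDs against the vulnerable function returns both constructed records; against the hardened function, a token only works for the patient it was issued to, and a guessed token returns nothing.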

Attack Type mentions in Critical Infrastructure

[Time series chart] This chart shows the trending Attack Types related to Critical Infrastructure over the last week.

Weekly Industry View

Industry View (industry, information)

Banking & Finance
Akamai researchers tracked the activity of Kr3pto, a phishing kit developer who sells unique kits targeting financial and other institutions. The researchers found more than 7,600 domains deployed using Kr3pto kits dating back to May 2020, targeting eight UK banking brands and using commercial web hosting to avoid detection. The kits typically target users with SMS messages delivering fake notifications of suspicious payee requests, which direct victims to the phishing page via an attached link.

Government
Ukraine’s National Security and Defence Council reported that its own site, sites belonging to Ukraine’s Security Service, and other strategic enterprises and state institutions were targeted on February 18th, 2021. The attacks attempted to infect vulnerable government servers and add them to a botnet that could be used for distributed denial-of-service attacks. The council stated that ‘addresses belonging to certain Russian traffic networks were the source of these coordinated attacks.’

Critical Infrastructure
Austin Energy is warning of scammers impersonating the company and threatening to cut off the user’s power unless supposedly overdue bills are paid. The company noted that it has not carried out any disconnections since March 2020. The US Federal Trade Commission (FTC) also warned of scammers taking advantage of the current extreme weather by impersonating utility companies via phone calls, SMS messages and emails. The scammers seek to obtain payment and personal information, often asking for payment via gift cards, cash reload cards, money transfers and cryptocurrency.

Technology
Minerva Labs researchers discovered adware in the Adobe Flash Player distributed by Zhong Cheng Network, China’s only official distributor of the software. The executable, named FlashHelperService, contains an embedded DLL capable of downloading files from the distributor’s site, reflectively loading the downloaded DLLs, and more. The service loads a popup-producing binary, which opens the browser with ads at predetermined times. The adware uses the Windows API function ShellExecuteW to open Internet Explorer with a URL fetched from an encrypted JSON file. The researchers noted that if this adware framework were used with malicious intent, the attacker would have an initial foothold in numerous Chinese organisations.

Cryptocurrency
In late December 2020, researchers at Akamai identified that the operators of a known and long-running crypto mining botnet had begun to hide their backup C2 IP address on the Bitcoin blockchain. New versions of the threat actor’s malware contained a Bitcoin (BTC) wallet address, a URL for a wallet-checking API, and a cryptic series of nested bash one-liners. The malware fetches the wallet’s transaction data from the API and uses it to calculate an IP address, which it then contacts to maintain persistence and conduct further infection. By pushing a small amount of BTC into the wallet, the attackers change the address that infected systems derive, letting them regain control of the botnet if their primary C2 infrastructure is taken down. The researchers warned that this previously unseen method makes the infection difficult to combat, since the blockchain cannot be seized or taken down. Akamai estimated that over the past three years the campaign’s operators have mined over $30,000 in Monero.
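The Cryptocurrency entry describes a backup C2 address published as transactions to a hard-coded wallet. The page does not give the encoding, so the script below is an added reconstruction of the idea rather than the botnet’s actual bash one-liners: it assumes (and this is an assumption, not a fact from the page) that each of the two most recent payments to the wallet, in satoshi, carries two octets as `value // 256` and `value % 256`, oldest payment first. The wallet-API response shape and all amounts are constructed. The practical point for a defender is the inverse direction: once the wallet address is pulled from a sample, the backup C2 can be computed from public blockchain data exactly as the malware does, and re-checked whenever the wallet receives a new payment.

```python
import ipaddress
from decimal import Decimal

SATOSHI_PER_BTC = 100_000_000


def satoshi_to_octets(value):
    """Assumed encoding: one payment amount in satoshi carries two octets,
    value // 256 and value % 256, so an amount must be below 65536 satoshi
    (about 0.00066 BTC) to be decodable."""
    if not 0 <= value < 65536:
        raise ValueError(f"{value} satoshi does not encode two octets")
    return value // 256, value % 256


def derive_c2(tx_values):
    """tx_values: satoshi amounts of the two most recent payments to the
    hard-coded wallet, oldest first (the ordering is also an assumption).
    This is the computation an infected host would perform."""
    if len(tx_values) < 2:
        raise ValueError("need two payments to form four octets")
    hi = satoshi_to_octets(tx_values[0])
    lo = satoshi_to_octets(tx_values[1])
    return str(ipaddress.IPv4Address(bytes(hi + lo)))


def encode_c2(ip):
    """Inverse: the two payments an operator would make to publish a new
    backup address. The total is under 0.0014 BTC whatever the address."""
    o = ipaddress.IPv4Address(ip).packed
    return [o[0] * 256 + o[1], o[2] * 256 + o[3]]


def values_from_api(response):
    """Pull satoshi amounts out of a wallet-API reply. The JSON shape is
    constructed for this example; real APIs differ, and amounts are often
    BTC strings, hence Decimal rather than float to avoid rounding errors."""
    return [int(Decimal(tx["value"]) * SATOSHI_PER_BTC)
            for tx in response["data"]["txs"]]


# Constructed reply: two payments that decode to a TEST-NET-2 address.
SAMPLE_RESPONSE = {"data": {"txs": [
    {"txid": "constructed-tx-1", "value": "0.00050739"},
    {"txid": "constructed-tx-2", "value": "0.00025623"},
]}}
```

With the constructed reply, `derive_c2(values_from_api(SAMPLE_RESPONSE))` yields 198.51.100.23; note that getting the transaction order wrong (newest first) would give 100.23.198.51, so the ordering has to be confirmed against the sample before blocking anything. Because the two payments together cost at most 131,070 satoshi, the operator can re-point the whole botnet for a fraction of a dollar, which is why a blocklist entry for the derived address is only ever a temporary win.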

News and information concerning each mentioned industry over the last week.
