
Threat Summary: 20 – 26 March 2020


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name, Heat 7d)
  • Adobe Photoshop CC
  • Adobe Photoshop
  • Windows 7
  • Foxit Studio Photo
  • Adobe Creative Cloud

Deep & Dark Web (Name, Heat 7d)
  • Apple macOS
  • Adobe Acrobat Reader
  • Oracle WebLogic
  • VMware Workstation
  • OpenSSL

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Company: Henning Harders (Australia)
Information: On March 15th, 2020, the company noticed unusual activity on its systems. The company believes that some of its customers’ commercial data may have been accessed. Maze ransomware operators have since published 6.5GB worth of data belonging to the company. The published data includes financially sensitive information and employee salary information, as well as information that exposes the names of its corporate clients, client email contact lists, and more. The data is reportedly only meant to be proof of the Maze group’s breach, which could mean that more data may be published in the future.
Affected: Unknown

Company: Rogers Communications (Canada)
Information: The company stated that on February 26th, 2020, it became aware that one of its external service providers had made information available online that provided access to a database managed by that provider. Credit card information, banking information and passwords were not present in the exposed database; however, it did contain addresses, account numbers, email addresses and telephone numbers.
Affected: Unknown

Company: Unknown (UK)
Information: Security researcher Bob Diachenko discovered an unprotected Elasticsearch instance belonging to a UK-based security company that contained over five billion records pertaining to past data breaches. The data was a collection of security incidents from 2012 to 2019 and included hashes, leak dates, passwords, emails, email domains, and sources of the leaks.
Affected: Unknown

Company: Tandem Diabetes Care (US)
Information: An unauthorised party gained access to multiple employee email accounts via a phishing scam between January 17th and January 20th, 2020. Tandem has since conducted an investigation and reported that some customer information may have been contained within the breached email accounts. This information includes names, clinical data regarding diabetes therapy, and some social security numbers.
Affected: Unknown

Company: Brooks International (US)
Information: The operators of Sodinokibi ransomware have published over 12GB of stolen data belonging to Brooks International after the company refused to pay the ransom demand. In addition to the leak, cyber intelligence firm Cyble has stated that hackers have now begun selling the information on hacker forums. One listing of Brooks International data contained usernames, passwords, credit card statements, alleged tax information, and more.
Affected: Unknown

Company: Oregon Department of Human Services (US)
Information: On March 6th, 2020, the department was targeted in a spear phishing attack affecting one of its employees’ email accounts. It is unclear whether any personal data belonging to clients or employees was copied or misused.
Affected: Unknown

Company: Sina Weibo (China)
Information: ZDNet discovered ads on the dark web and elsewhere posted by a hacker claiming to have obtained, in mid-2019, a database containing the personal details of over 538 million Weibo users. The data allegedly includes real names, site usernames, gender, and location. For 172 million users, phone numbers are also included. No passwords are included.
Affected: >538,000,000

Company: Golden Valley Health Centers (US)
Information: The private health information of Golden Valley Health Centers patients may have been exposed after an unauthorised third party gained access to an email account containing patient data. The breach was first discovered on March 3rd, 2020, and may have compromised patients’ medical information, including billing and insurance information, patient referral information, and appointment records.
Affected: Unknown

Company: Norwegian Cruise Lines
Information: On March 13th, 2020, security researchers at DynaRisk identified a breached Norwegian Cruise Lines database that exposed the information of travel agents, including those of TUI Travel and Virgin Holidays. The data, which was breached on March 12th, 2020, included email addresses and plaintext passwords used by travel agents to log in to Norwegian Cruise Line’s portal. The researchers found 29,969 data records, of which 24,602 are unique.
Affected: Unknown

Company: Doxzoo (UK)
Information: On January 22nd, 2020, security researchers at vpnMentor identified a leaking S3 bucket on an AWS server belonging to the company. The bucket, which contained over 270,000 records and was larger than 343GB, held information belonging to Fortune 500 companies, universities, and branches of the UK and US military. The exposed data included full names, addresses, passport scans, payment methods, full-length books, university course material, medical documents, classified military documents, and more.
Affected: Unknown

Company: University of Utah Health (US)
Information: The organisation stated that between January 22nd and February 27th, 2020, an unauthorised party gained access to employee email accounts as the result of a phishing attack. An internal investigation found that names, dates of birth, medical record numbers and some clinical information about care may have been accessed.
Affected: Unknown

Company: Hammersmith Medicines Research (UK)
Information: The medical research company suffered a data breach resulting in the theft of the medical files of former patients. It initially suffered a ‘severe attack’ on March 14th, 2020, but managed to repel it and restore its computer systems. The Maze ransomware group then claimed responsibility and published the historic sensitive medical information online a week later. The group has demanded a ransom, but the organisation has stated that it has no intention of paying.
Affected: Unknown

Company: Vijay Sales (India)
Information: Vijay Sales has suffered a data leak resulting in the release of a database containing the details of nearly 200,000 users. The records include names, email addresses, passwords, phone numbers and device information. Some customer service records and administrative account information are also present. The source is alleged to be an exposed backup server that was breached in February 2020.
Affected: ~200,000

Company: PropTiger (India)
Information: PropTiger suffered a data breach in January 2018 in which a database containing 3.46GB worth of files was stolen. This data has now been uploaded and shared on a popular hacking forum. Exposed data includes user records and login histories with over 2 million unique customer email addresses, as well as names, dates of birth, genders, IP addresses and passwords stored as MD5 hashes. According to PropTiger, the usability of the data is ‘limited.’
Affected: >2,000,000

Company: Canon Business Process Services (US)
Information: General Electric (GE) revealed that the information of current and former employees, and their beneficiaries, has been exposed after a hacker gained access to the email account of an employee at its service provider Canon Business Process Services (Canon). Canon informed GE that the email account was compromised between approximately February 3rd and February 14th, 2020. The data exposed includes passports, birth certificates, marriage certificates, tax withholding forms, and more.
Affected: Unknown

Company: Ameren Missouri (US)
Information: A ransomware attack targeting LTI Power Systems led to the theft of schematics and equipment diagrams for Ameren’s Sioux Power Plant and Labadie Power Plant. LTI Power Systems provides utility equipment to Ameren Missouri. The data appeared on a ransomware server towards the end of February 2020. A spokesperson for Ameren Missouri asserted that it has ‘no reason to believe that the information obtained is confidential or critical to our operations’.
Affected: Unknown

Company: Geidi IT Services (Australia)
Information: The operators of the Sodinokibi ransomware published a message threatening to release data stolen from Australian IT company Geidi if the company refuses to pay the demanded ransom. The group also uploaded a screenshot of the stolen files as evidence. The data itself has not been leaked.
Affected: Unknown

Company: Tamodo (US)
Information: Details of a data breach affecting the affiliate marketing network Tamodo were added to HaveIBeenPwned after the stolen data was found being shared on a popular hacking forum. The breach took place on February 28th, 2020, and exposed nearly 500,000 accounts, including names, email addresses, dates of birth, and passwords stored as bcrypt hashes. At present, Tamodo has not publicly disclosed the breach.
Affected: ~500,000

Company: EV Cargo Logistics (UK)
Information: Data belonging to EV Cargo Logistics was uploaded to a file-sharing platform by CL0P ransomware operators and has since been removed by the hosting provider. Cyble researchers note that the data was likely uploaded after the company refused to pay a ransom following a breach of its systems, which appears to have occurred in early 2020. The leaked data included network drive passwords, client information, financial summaries, and more.
Affected: Unknown

Company: Watford Community Housing (UK)
Information: On March 23rd, 2020, the company sent an email asking its customers to update their contact details, with a spreadsheet attachment containing the personal data of its customers. Individuals who are not tenants of the housing association also reportedly received the email. The spreadsheet included customer names, addresses, dates of birth, religion, sexual orientation, ethnic origin, and disability status.
Affected: 3,544

Company: Tupperware Brands Corporation (US)
Information: On March 20th, 2020, researchers at Malwarebytes discovered a credit card skimmer running on the Tupperware site and some of its localised sites. The attackers used a malicious iframe to acquire users’ names, addresses, credit card details, and telephone numbers.
Affected: Unknown

This table shows a selection of leaks and breaches reported this week.

Malware mentions in relation to the Coronavirus outbreak

This chart shows the trending malware related to the Coronavirus outbreak over the last week.

Weekly Industry View

Industry: Banking & Finance
Researchers at IBM X-Force identified a malicious app, dubbed TrickMo, being deployed in Germany. The app is sophisticated and is used to bypass the authentication methods put in place by banks to authorise transactions. The researchers stated that the app is ‘most likely’ being spread by the banking trojan TrickBot. Once installed on the victim’s device, TrickMo can intercept SMS messages, steal pictures, and steal personal device information. IBM stated that the app’s most substantial feature is an app recording function that allows it to circumvent new security measures, including the pushTAN app validations used by German banks. The app also contains a ‘kill switch’ that can be triggered with an SMS message and removes the app from the target device. The researchers warned that TrickMo is still under development.

Industry: Critical Infrastructure
In August 2019, researchers at Kaspersky identified a campaign, dubbed WildPressure, delivering a trojan exclusively to organisations in the Middle East. The malware, named Milum, was compiled in March 2019 and has been used to target groups related to the industrial sector. The first attacks using Milum appear to have begun in late May 2019. The attackers can use the malware to execute commands, collect and exfiltrate information, and more. The researchers are currently unsure how Milum is being spread. The campaign, which is still active and ongoing, has not been attributed to any known actor. The researchers warned that the malware is not designed for a specific victim and could therefore be used in future operations.

Industry: Government
Security researcher SecSome discovered that an HHS[.]gov open redirect, connected to the website of the US Department of Health and Human Services (HHS), is being used to push malware payloads to victims via coronavirus-themed phishing emails. The open redirect is present on the subdomain of HHS’s Departmental Contracts Information System. The redirect links to a malicious attachment that downloads and executes Raccoon malware, which is capable of stealing credit card information, cryptocurrency wallets, browser data, and more. The phishing emails contain information about coronavirus, and the link that leads to the malware is presented as a Microsoft Word document with additional material. At present, the server used to deliver the malware has been taken down and HHS has been informed of the redirect.

Industry: Retail, Hospitality & Tourism
On March 20th, 2020, researchers at Malwarebytes discovered a credit card skimmer running on the Tupperware site and some of its localised sites. The attackers hid malicious code within an image file that displays an iframe when the user attempts to check out. The iframe is loaded from a site created on March 9th, 2020; the domain was registered with a Russian email address and is hosted on a server alongside several phishing domains. The iframe is loaded dynamically and does not appear in the checkout page’s HTML source code. The attackers use the iframe to acquire users’ names, addresses, credit card details, and telephone numbers. Once the target enters the information, they are shown a fake timeout message before the legitimate payment form loads. The researchers attempted to contact the company but did not receive a response; however, it appears that the issue was resolved by Tupperware on March 25th, 2020.

Industry: Healthcare
Cybersecurity expert Alexander Urbelis observed an attempted attack on the World Health Organisation (WHO) after discovering a group of hackers activating a malicious site imitating the legitimate WHO internal email system on March 13th, 2020. WHO’s CISO Flavio Aggio confirmed the hacking attempt, stating that it had been an unsuccessful attempt to steal passwords from WHO staff. Aggio added that hacking attempts and other cybersecurity incidents have more than doubled since the coronavirus outbreak. It remains unclear who was responsible for the latest attempted attack, but two sources informed Reuters that DarkHotel is suspected to be behind it. Whilst not confirming DarkHotel’s involvement, Kaspersky researcher Costin Raiu stated that the same malicious web infrastructure had recently been used to target other healthcare or humanitarian organisations.

News and information concerning each mentioned industry over the last week.
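The Tupperware skimmer above loaded its iframe dynamically, so inspecting the checkout page's HTML source showed nothing. The following is an added example (not code from this report, Malwarebytes or Tupperware) of a defensive check a site owner can run in the browser or over a captured DOM snapshot: any iframe whose origin is not on the site's allowlist, or whose content is inline (data:, blob:, javascript:), is reported. The allowlist entries and sample URLs are constructed for illustration.

```javascript
// Added example, not code from the Silobreaker report or from Tupperware: flag
// iframes that land on a checkout page from an origin the site does not expect.
// Allowlist origins and all sample URLs are constructed placeholders.
const ALLOWED_FRAME_ORIGINS = new Set([
  'https://shop.example.com',         // hypothetical first-party origin
  'https://checkout.psp-example.com', // hypothetical payment provider
]);
// Resolve one iframe src against the page origin. Returns null when the frame is
// expected, otherwise a finding object that can be sent to a logging endpoint.
function classifyFrameSrc(src, pageOrigin) {
  if (!src) return { src, reason: 'iframe without src (srcdoc or script-filled frame)' };
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch {
    return { src, reason: 'unparseable src' };
  }
  if (['javascript:', 'data:', 'blob:'].includes(url.protocol)) {
    return { src, reason: `inline frame content via ${url.protocol}` };
  }
  if (ALLOWED_FRAME_ORIGINS.has(url.origin)) return null;
  return { src, reason: `unexpected frame origin ${url.origin}` };
}

// Same check over a list of src values (e.g. from a DOM snapshot or HAR export),
// so the logic also runs outside the browser during an investigation.
function findSuspiciousFrames(srcs, pageOrigin) {
  return srcs.map((s) => classifyFrameSrc(s, pageOrigin)).filter(Boolean);
}

// Browser wiring: report every iframe inserted after page load. Returns the
// observer, or null when there is no DOM (e.g. under Node).
function watchCheckoutFrames(pageOrigin, report) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1) continue; // element nodes only
        const frames = node.tagName === 'IFRAME' ? [node] : [...node.querySelectorAll('iframe')];
        for (const f of frames) {
          const finding = classifyFrameSrc(f.getAttribute('src'), pageOrigin);
          if (finding) report(finding);
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

In a browser, call `watchCheckoutFrames(location.origin, console.warn)` early in the checkout page; a frame-src directive in Content-Security-Policy with the same allowlist blocks the load outright rather than only reporting it.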

The Silobreaker Team
