Threat Summary: 21 – 27 August 2020
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.
Trending Vulnerable Products
Open Source

| Name | Heat 7d |
|---|---|
| IBM Security Guardium | |
| Parallels Desktop for Mac | |
| F5 BIG-IP | |
| WebGL | |
| F5 BIG-IQ | |

Deep & Dark Web

| Name | Heat 7d |
|---|---|
| Wincor Probase | |
| APTRA XFS | |
| G Suite | |
| Wincor Nixdorf ProCash | |
| Stor2RRD | |
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
| Company | Information | Affected |
|---|---|---|
| University of Utah (US) | The university disclosed that it paid ransomware attackers $457,000 to prevent the release of student and employee data stolen in an attack on the College of Social and Behavioral Science on July 19th, 2020. The university stated that the attackers were only able to encrypt 0.02% of the data stored on its servers. Netwalker ransomware is speculated to have been behind the attack. | Unknown |
| Social Data (US) | Comparitech researchers discovered an unsecured database containing profile data from YouTube, TikTok and Instagram. Exposed data included names, contact information, personal information, images and follower statistics. The database has since been secured. A Social Data spokesperson noted that the data was not obtained 'surreptitiously', adding that the exposed data would be available to anyone, as the users themselves had set their profiles to public. | 235,000,000 |
| Instacart (US) | The company disclosed a data breach caused by two employees at a third-party support vendor who were found to have reviewed the personal data of customers without cause. The viewed information may have included names, email addresses, telephone numbers, driver's license numbers, and a thumbnail image of the driver's license. No evidence was found to suggest that the data was downloaded or otherwise removed from the vendor's premises. | 2,180 |
| Freepik Company (Spain) | Freepik Company disclosed that an SQL injection in Flaticon impacted both Freepik and Flaticon. The attackers gained access to the email addresses of the oldest 8.3 million users, 3.77 million of whom also had their password hash exposed. | 8,300,000 |
| Mental Health Partners (US) | Mental Health Partners (MHP) disclosed a potential data breach during which the personal information of MHP clients and employees may have been accessed and downloaded. Potentially compromised data includes names, dates of birth, Social Security numbers, passport and other ID numbers, financial account information, medical record information and more. | Unknown |
| Rezzan Günday (Turkey) | The pharmacy suffered a data breach arising from employee misconduct. Since 2019, the employee allegedly copied patient data illegally and supplied it to another pharmacy to set up illicit supply chains for medications. The data obtained by the suspect includes healthcare system ID numbers, phone numbers, medical records, employment status and affiliated healthcare institution information. | Unknown |
| Kariyer.net (Turkey) | Turkish careers website Kariyer.net became the victim of a data breach affecting 40,955 individuals and 55,149 records. A file containing login credentials and personal information, including names, phone numbers, photos and addresses, was uploaded to an unspecified public website. | 40,955 |
| Isetan Mitsukoshi and MICard (Japan) | Isetan Mitsukoshi and MICard disclosed a data breach caused by unauthorised access to the MICard homepage and the Isetan Mitsukoshi Online Store. Exposed data for Isetan Mitsukoshi customers included names, addresses, phone numbers, email addresses, and dates of birth. Impacted details for MICard customers included member names, current membership points, and expected billing amounts. | 19,000 |
| RailYatri (India) | Safety Detectives researchers discovered an unsecured, publicly accessible Elasticsearch server belonging to the company. The database was wiped by a Meow bot attack on August 12th, 2020. Exposed data included full names, ages, genders, physical addresses, email addresses and more, as well as partial credit and debit card payment logs. According to the company, the server in question was only a test server. | ~700,000 |
| Brookfield Residential Properties (US) | The company confirmed that a cybersecurity incident resulted in an attacker gaining access to 'a limited subset of files'. The company did not address claims by DarkSide ransomware operators that they had exfiltrated data from the company, which was subsequently dumped online. DataBreaches.net stated that the leaked files appear to contain employee information. | Unknown |
| South Dakota Fusion Center (US) | The FBI is investigating a data breach at the South Dakota Fusion Center, which handles information for emergency call responders. The breach occurred on June 19th, 2020, and may have exposed the names, addresses and virus status of patients. The data was stored on servers belonging to Netsential, which had disclosed a breach of its servers in June 2020. | Unknown |
| Canpar Express (Canada) | Files allegedly stolen from the courier company were leaked on the dark web. The leaked files contained a small amount of information about the company's internal operations. FreightWaves stated that the leak appears to have come from DoppelPaymer ransomware attackers. | Unknown |
| CryptoTrader.Tax (US) | CryptoTrader.Tax suffered a data breach on April 7th, 2020, when an unauthorised actor gained access to a customer service employee's account. The attacker stole about 13,000 records containing customer data, including 1,082 unique email addresses. Customer passwords were not affected. The data has since been posted for sale on a dark web forum. | ~1,082 |
| National Western Life (US) | REvil ransomware operators claim to have attacked the company and exfiltrated 656GB of data. The group initially posted screenshots to their data leak site purporting to show database files, passports, contract agreements, and more. On August 23rd, 2020, the operators claimed that they also had access to the company's mail and released roughly 1% of the stolen data. | Unknown |
| Valley Health Systems (US) | The operators of REvil ransomware claim to have breached Valley Health Systems and stolen data pertaining to its clients and employees. As proof of their attack, the group uploaded screenshots of folders and a small portion of the stolen data. This includes patients' prescriptions, patient details such as names, dates of birth, gender and patient ID, and more. | Unknown |
| Volkswagen (Germany) | The operators of Conti ransomware published data supposedly stolen from a Volkswagen Group franchise based in Salzkotten, Germany. The leak contains invoices relating to workshop services and automotive part sales. | Unknown |
| Wellington-Dufferin-Guelph Public Health (Canada) | The healthcare provider disclosed a data leak in which a dashboard containing confidential information was publicly accessible on the organisation's website between January and May 2020. The leak contained addresses and influenza strain and symptom details for patients. The names of clients were not exposed. | Unknown |
| Ventura Orthopedics (US) | Following a data leak by Maze ransomware operators, Conti ransomware operators also added Ventura Orthopedics to their data leak site. The leaked data, consisting of 1,850 files, exposed patient files containing names, dates of birth, medications, and laboratory findings. The information posted on Conti News reportedly differs from that shared by Maze. | Unknown |
| City of Lafayette, Colorado (US) | The city issued an update regarding the July 27th, 2020 ransomware attack against its online infrastructure. An investigation revealed that the attackers may have accessed the personal information of residents, including names, driver's license or ID card numbers, medical information and more. Credit and debit card information was not compromised. The city is unaware of any misuse of the data. | Unknown |
This table shows a selection of leaks and breaches reported this week.
Attack Type Mentions in Banking
This chart shows the trending Attack Types related to Banking over the last week.
Weekly Industry View
| Industry | Information |
|---|---|
| Banking & Finance | The US Cybersecurity and Infrastructure Security Agency, Department of the Treasury, Federal Bureau of Investigation and US Cyber Command issued a joint advisory detailing the techniques used by BeagleBoyz, a North Korean threat actor believed to be a subset of HIDDEN COBRA. The group, known for robbing banks via remote internet access, has been active since at least 2014 and has attempted to steal nearly $2 billion from financial institutions across the globe. The advisory warns that, since February 2020, an increase in its ATM cash-out schemes and fraudulent international money transfers has been observed. Malware associated with the group includes CROWDEDFLOUNDER, ECCENTRICBANDWAGON, ELECTRICFISH, FASTCash for Windows, HOPLIGHT, and VIVACIOUSGIFT. |
| Government | According to Bill Evanina, Director of the National Counterintelligence and Security Center, nation-state actors affiliated with Iran, China, Russia, Cuba, Saudi Arabia, and North Korea pose a cyber threat to the upcoming US elections. Evanina added that Cuba, Saudi Arabia, North Korea and other smaller threat actors are likely to have less capability and narrower interests than the 'big three' of Russia, China and Iran. Other election period concerns include potential ransomware attacks against machines critical for voting, as well as surveillance of networks responsible for reporting voting results. |
| Technology | Since late 2019, researchers at White Ops have tracked an ad fraud malware, dubbed TERRACOTTA, which in the final week of June 2020 was being disseminated via over 5,000 apps, had infected 65,000 devices, and made over 2 billion bid requests. The apps were distributed on the Google Play Store and offered users free items such as shoes, tickets, coupons, and dental treatment. In actuality, users' devices were infected with a custom Android browser packaged with a control module written in the React Native development framework. The malware defrauds advertisers by generating fraudulent ad impressions that are sold into the programmatic advertising ecosystem. Google has since performed takedown actions that resulted in a sharp drop in TERRACOTTA traffic. |
| Healthcare | Netskope researchers identified an ongoing COVID-19 relief package scam targeting Indian users that has been active since April 2020. The scam spreads via social media, mainly Facebook and WhatsApp, where users are presented with links to a fake government lockdown funds page. The researchers believe the purpose of the scam is to collect ad revenue rather than steal credentials, as no credentials are stored. Further analysis revealed that the attacker also launched similar scams in other countries, including Egypt, Ghana, Kenya, Malaysia, Nigeria, South Africa, and Uganda. All attacks were based on the same template, with one Blogspot profile hosting 23 scam links. |
| Cryptocurrency | Researchers at F-Secure identified a financially motivated Lazarus campaign, investigated during a 2019 incident, targeting the cryptocurrency sector in over a dozen countries. The attackers used LinkedIn to send fake job offers tailored to the recipient's profile, and evaded defences by disabling anti-virus protection and removing evidence of their implants. The group uses a combination of native operating system utilities and custom malware in pursuit of its final objective. The researchers stated that the attacks are part of a wider campaign that has been operational since January 2018. Similar artefacts have been spotted in at least 14 countries, including the US, UK, China, Germany, and Russia. |
News and information concerning each mentioned industry over the last week.
