
Threat Summary: 22 – 28 May 2020


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (product name, ranked by 7-day heat)
  • Apple iOS 11
  • Apple iOS 13
  • Apple iPhone 11
  • iPhone
  • iPhone X

Deep & Dark Web (product name, ranked by 7-day heat)
  • Reddit
  • EternalBlue
  • PowerDNS
  • Ruby on Rails
  • PowerDNS Recursor
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Each entry gives the company (and country), the information reported, and the number of people or records affected where known.

North Bay Parry Sound District Health Unit (Canada): The Ontario-based health unit revealed that a member of the public informed them that its online coronavirus dashboard inadvertently displayed personally identifiable information. Exposed data included first and last names, testing dates and locations, test results, and more. The information, which related to those tested for coronavirus on or before May 8th, 2020, has since been removed. Affected: Unknown

Florida Department of Economic Opportunity (US): The department notified 98 individuals that its unemployment computer system had been impacted by a data breach. Details on when the breach occurred, how many individuals are impacted, or what data was taken were not provided. Affected: Unknown

Harvest Food Distributors & Faro Technologies (US): Harvest Food Distributors and the 3D technology firm Faro Technologies were reportedly targeted by REvil ransomware. This follows the recent announcement by the ransomware operators of an attack against Sherwood Food Distributors. The demanded ransom for both Harvest Food Distributors and Sherwood Food Distributors is said to be $7.5 million. Affected: Unknown

General Elections Commission (Indonesia): Under the Breach reported that the data of 2,300,000 Indonesian citizens was stolen and leaked on a hacker forum. The data is said to include names, addresses, ID numbers, dates of birth, and more personal information. The hacker claims the information was taken from a KPU database and contains the personal data of voters for the 2014 legislative election in Yogyakarta province. The hacker has threatened to release the personal details of a further 200 million individuals. Affected: 2,300,000

San Raffaele Hospital (Italy): The hospital was reportedly targeted in a cyberattack in which the personal data of patients and employees, such as names, tax codes, email accounts and passwords, was stolen. The hospital denied these claims, stating that the attempted intrusion refers to an event that took place months ago. The leaked data reportedly relates to an old online training application that is no longer used. In response, LulzSec Italia published the personal data of about 40 individuals and has threatened to release the remainder on May 22nd, 2020. Affected: Unknown

Zoomcar (India): A hacker is reportedly selling the data of 9 million Zoomcar users for $300 on the dark web. The data includes names, email IDs, passwords, mobile numbers and IP addresses. The hacker purports to have obtained the data in a 2018 breach. Zoomcar’s CEO stated that the claim regarding a breach involving customer passwords is ‘patently untrue’ and that Zoomcar customer data is ‘absolutely secure.’ Affected: 9,000,000

Ministry of Economy and Finance (North Macedonia): The Powerful Greek Army hacker group claims to have stolen and leaked dozens of email addresses and passwords belonging to staffers at North Macedonia’s Ministry of Economy and Finance and the municipality of Strumica. Authorities stated that the data obtained by the hackers dates back to 2013 and that no evidence suggests any recent breaches took place. Affected: Unknown

District Medical Group (US): On March 11th, 2020, the medical group discovered that an unauthorised individual had gained access to employee email accounts containing the personal health information of its patients. This included names, medical record numbers, medical information, and health insurance information. In some cases, Social Security numbers may also have been exposed. Affected: 10,190

Mathway (US): The data breach broker group Shiny Hunters advertised a database which they claim contains 25 million Mathway user records. BleepingComputer stated that the database, which is being advertised on the dark web for $4,000, contains system data, hashed passwords, and emails. Affected: Unknown

Multiple online stores: BleepingComputer reported that an attacker has been hacking into insecure, publicly reachable database servers belonging to online stores, copying the databases and demanding a ransom for the stolen data. 31 SQL databases were found listed on a public website, containing over 1.5 million rows of records. However, BleepingComputer stated that the total amount of stolen data is much larger. Affected: Unknown

The Little Clinic (US): The clinic notified patients across several states that their protected health information could have been accessed due to a failure in the clinic’s online appointment functionality. The exposed data consists of patient names, dates of birth, phone numbers, and addresses. The issue began on October 7th, 2018 and was discovered in February 2020. Affected: 10,974

Advanced Wireless Network (Thailand): A security researcher known as ‘xxdesmus’ discovered an exposed Elasticsearch database belonging to the company. The database contained a combination of DNS query logs and NetFlow logs for what appeared to be AWN customers. As of May 21st, 8,336,189,132 documents were stored in the database. The database has since been secured. Affected: Unknown

Bolloré Transport & Logistics (Democratic Republic of Congo): The operators of NetWalker ransomware claim to have infiltrated the company’s network and stolen data. The company confirmed that a cyberattack against part of its servers took place on May 14th, 2020. As proof of the attack, the operators posted screenshots of accounting and invoice files. The operators have threatened to publish the data if their ransom demand is not met. Affected: Unknown

IN SPORT (Australia): The head office of the Australia-based retailer was hit by Sodinokibi ransomware. It remains unclear what files were accessed; however, the company stated that affected information may include email addresses, shipping addresses and phone numbers. A cache of documents purported to be from IN SPORT was posted on the dark web last week. Affected: Unknown

Multiple hacking forums: Cyble researchers reported that on May 15th, 2020, Sinful Site’s full database, including private messages, appears to have been dumped online. On May 20th, 2020, the databases of Nulled and SUXX TO also appear to have been posted online. These databases reportedly contain detailed user information. Affected: Unknown

Mukhya Mantri Parivar Samridhi Yojana (India): Researchers at Security Discovery reported that an Elasticsearch misconfiguration exposed the details of families registered under the social security programme operating in Haryana state. The data exposed in the incident, which impacted millions of families, includes names, addresses, Aadhar numbers, income details, emails, and more. The database has since been removed. Affected: Unknown

Unknown (India): On May 22nd, 2020, researchers at Cyble reported that a hacker shared a 2.3GB zipped file containing the data of roughly 29 million Indian job seekers from multiple states. The leak, which appears to be from a resume collection service, includes data such as emails, phone numbers, qualifications, and more. On May 24th, 2020, Cyble researchers reported that a separate threat actor dropped nearly 2,000 Aadhar cards on a hacking forum. The data appears to date back to 2019. The same criminal appears to have recently leaked the data of 1.8 million individuals from Madhya Pradesh state. Affected: >29,000,000

Trezor, Ledger, and Keepkey: Researchers at Under The Breach reported that a hacker is allegedly selling the databases of Trezor and Ledger. The data, which was supposedly obtained through a Shopify exploit, includes names, addresses, phone numbers, emails, and more. The hacker also stated that they have the full SQL database for BnkToTheFuture. Affected: Unknown

EduCBA (India): On May 22nd, 2020, the online education site sent a data breach notification to its customers, stating that some user data was compromised ‘due to unauthorized access by a malicious third party’. Data exposed in the incident includes emails, names, passwords, and more. In response to the attack, the company reset all user passwords. Affected: Unknown

Historical Abuse Inquiry Interim Advocate’s Office (Northern Ireland): A newsletter sent by email by the Historical Abuse Inquiry Interim Advocate’s Office on May 22nd, 2020, inadvertently exposed the details of 150 survivors of historical institutional abuse. Measures were taken to recall the email and the Information Commissioner was informed of the incident. Affected: 150

PetFlow (US): The company, which was breached in December 2017, had its data appear on the dark web. The incident, which impacted 990,919 accounts, exposed email addresses and passwords stored as unsalted MD5 hashes. Affected: 990,919

Truecaller (Sweden): Researchers at Cyble Inc discovered a hacker offering 47.5 million Indian Truecaller records for $1,000 on a dark web market. The data, which is from 2019, includes information such as phone number, carrier, name, gender, city, email, Facebook ID, and more. The company has denied any data leak on its end and suggested the hacker may have compiled the data from other sources. Affected: 47,500,000

Arbonne International (US): The California-based company discovered that an unauthorised actor may have accessed a data table that contained personal information. The exposed data includes names, email and mailing addresses, Arbonne account passwords, and more. Residents of other states have been instructed to contact their Attorney General for additional information. Affected: 3,527

LiveJournal (Russia): From around May 8th, 2020, a data dump which allegedly contains 26 million LiveJournal accounts has been freely shared on multiple hacker forums. The dump reportedly contains usernames, email addresses, and plain text passwords. Affected: 26,000,000

City of Weiz (Austria): On May 20th, 2020, researchers at Cyble reported that data allegedly belonging to the Austrian city of Weiz was leaked by Netwalker ransomware operators. The attackers posted a sample of the leaked data online. Affected: Unknown

Tellus (US): Researchers at CyberNews identified an unsecured and unencrypted Amazon S3 bucket containing 6,728 CSV files linked to the Tellus application. The bucket contained 16,861 user records, which included 1,294 verified tenant records and 3,194 verified property owner records. The exposed information includes names, addresses, phone numbers, chat logs, document scans, and more. Affected: Unknown

Michigan State University (US): Netwalker ransomware operators claimed that they infected the network of Michigan State University (MSU) and exfiltrated data. The attackers posted two scans of Michigan State financial documents, a student’s passport scan, and an alleged directory structure from MSU’s network. The ransomware operators threatened to leak further documents if MSU refuses to pay the demanded ransom or attempts to restore from backups. Affected: Unknown

This table shows a selection of leaks and breaches reported this week.
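The PetFlow entry above is a reminder of why unsalted MD5 is an unacceptable password store: every user who chose the same password gets the same hash, and one hash computation per wordlist candidate covers the entire database. The following is an added example (not code from PetFlow or from this report) that contrasts that scheme with a salted, iterated PBKDF2-HMAC-SHA256 store; the user records, the wordlist and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample of an unsalted-MD5 store: two users share a weak password.
UNSALTED_DB: Dict[str, str] = {
    "alice@example.com": hashlib.md5(b"password123").hexdigest(),
    "bob@example.com": hashlib.md5(b"password123").hexdigest(),
    "carol@example.com": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}

# Constructed wordlist. In a real attack this is a precomputed table of
# billions of MD5 values, so each stored hash is one dictionary lookup.
WORDLIST = ["123456", "password", "password123", "qwerty", "letmein"]


def crack_unsalted(db: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Hash each candidate once and match it against every stored hash.

    Because there is no salt, the work is proportional to the wordlist size,
    not to the number of users, and identical passwords are revealed as
    identical hashes even before any candidate matches."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, iterated hash. A random 16-byte salt per user means the attacker
    must redo the full iteration count for every user and every candidate."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("recovered from unsalted MD5:", crack_unsalted(UNSALTED_DB, WORDLIST))
    a, b = hash_password("password123"), hash_password("password123")
    print("same password, distinct salted hashes:", a != b)
    print("verify:", verify_password("password123", a), verify_password("password124", a))
```

Migrating an existing MD5 store does not require a forced reset: verify the old hash on the next successful login, then rewrite the record with the salted form and drop the MD5 column once the user has been rehashed.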
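The Tellus entry describes the most common cloud exposure in this digest: an S3 bucket that anyone on the internet can list or read. The check below is an added example (not code from CyberNews, Tellus or this report) that evaluates a bucket policy document offline and reports statements that grant access to an anonymous principal with no condition attached, next to a corrected policy that scopes access to one role over a VPC endpoint. The bucket name, account ID, role name and endpoint ID are assumed placeholders.

```python
import json
from typing import Any, Dict, List

# Constructed policy of the kind that leaves every object world-readable.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-uploads",
                     "arn:aws:s3:::example-app-uploads/*"],
    }],
})

# Corrected form: one named application role, object reads only, and only
# through a specific VPC endpoint (all identifiers are assumed placeholders).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadViaEndpoint",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-uploads/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """'*' or {'AWS': '*'} (or a list containing '*') means anyone, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Return Allow statements that grant an anonymous principal unconditional access.

    Statements that carry a Condition are reported separately by the caller's
    judgement: a condition such as aws:SourceVpce or aws:PrincipalOrgID may
    legitimately narrow '*', so they are not flagged as public here."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("PUBLIC_POLICY", PUBLIC_POLICY), ("RESTRICTED_POLICY", RESTRICTED_POLICY)):
        print(name, "->", public_statements(doc) or "no unconditional public grants")
```

A policy check alone is not sufficient: bucket ACLs can grant the AllUsers and AuthenticatedUsers groups independently of the policy, so the account-level S3 Block Public Access setting should be on as the backstop, and the policy audit run against every bucket rather than the one that was reported.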

Malware Mentions in Banking

This chart shows the trending malware related to Banking over the last week.

Weekly Industry View
Each entry gives the industry and the relevant information reported this week.

Banking & Finance: Seguranca Informatica researchers discovered a new variant of the Grandoreiro banking trojan, which has previously targeted users in Brazil, Mexico, Spain and Peru. This new variant targets users in Portugal via its usual malspam campaigns, using the victim’s name in a malicious HTML attachment. Once a user opens the file, a malicious VBScript is downloaded, after which an ISO file is fetched from the attacker’s server. Similarities between Grandoreiro web traffic and Latenbot C2 traffic were found, which led the researchers to suspect the malware has incorporated Latenbot botnet modules to improve its C2 communication, essentially creating its own botnet.

Critical Infrastructure: A German government advisory sent to operators of critical infrastructure warns of ongoing attacks against German companies’ IT systems, with evidence of ‘longstanding compromises’ at unnamed companies. According to German authorities, no evidence was found of disruptive attacks on any company’s industrial network. The alert, issued by the Bundesamt für Sicherheit in der Informationstechnik, Bundesnachrichtendienst and Bundesamt für Verfassungsschutz, states that Berserk Bear is using the supply chain to infiltrate IT networks and steal information. The group, which has suspected links to Russia’s FSB intelligence agency, reportedly uses both publicly available and custom-made malware in its campaigns.

Government: Researchers at ESET reported that the Turla espionage group is using an updated version of ComRAT. The original version of the malware was most likely released in 2007. The newest version of the Remote Access Trojan was first seen in 2017 and used as recently as January 2020. The researchers stated that ComRAT is used exclusively by Turla, based on TTPs and victimology. The complex C++ backdoor, which has recently been used against two Ministries of Foreign Affairs and a national parliament, exfiltrated sensitive documents via 4shared, OneDrive and similar services. The malware has two C2 channels: one uses the HTTP protocol and was present in previous versions of ComRAT; the second uses the Gmail web interface to receive commands and exfiltrate data.

Technology: Researchers at ESET reported that the Winnti Group, which has engaged in high-profile supply chain attacks since 2012, used new malware against video game companies based in South Korea and Taiwan. The targeted companies develop Massively Multiplayer Online (MMO) games. The group used a new modular backdoor, dubbed PipeMon, which persists as a Print Processor. In one case, the attackers compromised a build system, which could have allowed them to trojanize game executables. Another successful attack against game servers could have allowed the attackers to manipulate in-game currencies. Full details of the attacks and malware are available via ESET.

Healthcare: Following the US government’s accusations that Chinese-linked hackers attempted to steal coronavirus vaccine research, the FBI issued an industry warning about attacks targeting the healthcare, public health, and research sectors. The advisory, which was obtained by CyberScoop, stated that nation-state attackers shifted their cyber resources to target the healthcare and public health sector, while criminals targeted similar entities for financial gain. The FBI stated that this shift could likely be attributed to the coronavirus pandemic. The agency also gave multiple examples, dating back to February 2020, of nation-state-linked hackers attempting to gain and retain access to the networks of US healthcare and public health sector organisations.

News and information concerning each mentioned industry over the last week.
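PipeMon’s persistence as a Print Processor (Technology entry above) is worth a concrete check, because the Windows print spooler loads any DLL registered under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\<environment>\Print Processors\<name>\Driver from %SystemRoot%\System32\spool\prtprocs\<arch>\ at spooler start, with SYSTEM privileges. The script below is an added example (not ESET’s tooling or code from this report) that enumerates those registry keys on a Windows host, or runs over a constructed sample elsewhere, and flags anything other than the built-in winprint processor. The sample processor name and DLL are hypothetical, not the names from the ESET report.

```python
import sys
from typing import Iterable, List, Tuple

# The only print processor Windows ships by default. Some printer vendors
# register their own, so a finding means "verify", not "malicious".
DEFAULT_PROCESSORS = {"winprint": "winprint.dll"}

Entry = Tuple[str, str, str]            # (environment, processor name, Driver value)
Finding = Tuple[str, str, str, str]     # entry plus a reason


def audit_print_processors(entries: Iterable[Entry]) -> List[Finding]:
    """Flag print processors that are not the stock winprint/winprint.dll pair.

    The Driver value is normally a bare DLL file name resolved inside the
    prtprocs\\<arch> directory, so a path component is itself suspicious."""
    findings: List[Finding] = []
    for env, name, driver in entries:
        name_l, driver_l = name.lower(), driver.lower()
        if DEFAULT_PROCESSORS.get(name_l) == driver_l:
            continue
        if "\\" in driver or "/" in driver or ".." in driver:
            reason = "Driver value contains a path; expected a bare DLL name in prtprocs"
        elif name_l in DEFAULT_PROCESSORS:
            reason = "default processor name points at a non-default DLL"
        elif not driver_l.endswith(".dll"):
            reason = "Driver value is not a DLL name"
        else:
            reason = "non-default print processor; verify the DLL's vendor, signature and hash"
        findings.append((env, name, driver, reason))
    return findings


def read_from_registry() -> List[Entry]:
    """Windows only: walk Print\\Environments\\*\\Print Processors\\* in the live registry."""
    import winreg  # standard library, present on Windows builds of CPython
    entries: List[Entry] = []
    base = r"SYSTEM\CurrentControlSet\Control\Print\Environments"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as envs:
        i = 0
        while True:
            try:
                env = winreg.EnumKey(envs, i)
            except OSError:          # no more subkeys
                break
            i += 1
            try:
                procs = winreg.OpenKey(envs, env + r"\Print Processors")
            except OSError:          # environment without a Print Processors key
                continue
            with procs:
                j = 0
                while True:
                    try:
                        name = winreg.EnumKey(procs, j)
                    except OSError:
                        break
                    j += 1
                    with winreg.OpenKey(procs, name) as key:
                        try:
                            driver, _ = winreg.QueryValueEx(key, "Driver")
                        except OSError:
                            driver = ""
                    entries.append((env, name, str(driver)))
    return entries


# Constructed sample with one hypothetical non-default processor.
SAMPLE: List[Entry] = [
    ("Windows x64", "winprint", "winprint.dll"),
    ("Windows x64", "ExampleUpdateSvc", "exupd.dll"),
    ("Windows NT x86", "winprint", "winprint.dll"),
]

if __name__ == "__main__":
    source = read_from_registry() if sys.platform == "win32" else SAMPLE
    for finding in audit_print_processors(source):
        print(" | ".join(finding))
```

On a hit, collect the DLL from %SystemRoot%\System32\spool\prtprocs\<arch>\, check its Authenticode signature and hash against vendor material, and look for the spooler (spoolsv.exe) having loaded it; removing the registry key and the file, then restarting the spooler, removes the persistence.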

The Silobreaker Team
