
Threat Summary: 22 – 28 November 2019


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name; Heat 7d)
  GitLab Community Edition
  GitLab Enterprise Edition
  Google Chrome Browser
  TrueCaller
  Apache Solr

Deep & Dark Web (Name; Heat 7d)
  Google Play
  RTMPDump
  WeChat
  Libav
  Facebook Messenger

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities. The Heat 7d scores were part of the original chart and are not reproduced here.

Data Leaks & Breaches
Company (country) | Information | Affected

Allied Universal (US) | Affected: Unknown
Bleeping Computer were contacted by Maze ransomware operators, who claimed to have breached Allied Universal and demanded $2.3 million in bitcoin in return for decrypting the firm’s network. After Allied Universal missed the deadline for the ransom payment, the perpetrators published 700MB of stolen data and files. This allegedly represents only about 10% of all data stolen from the company.

T-Mobile (Germany) | Affected: > 1,000,000
According to the company’s statement, the account information of customers using its prepaid services was accessed by an unauthorised third party. The breached data includes names, billing addresses, phone numbers, account numbers, and rate plans and features. No financial data or Social Security numbers were breached.

WeWork (US) | Affected: Unknown
Contracts between WeWork and its customers were freely accessible via a WeWork developer’s GitHub profile. The profile contained a script with URLs to PDF files of these contracts that were hosted on unprotected Amazon servers. A web portal related to WeWork in India was also found to be leaking data. Exposed information included names, phone numbers, addresses, email addresses and other personal information. In some cases, bank account information was also exposed.

Singapore Accountancy Commission (Singapore) | Affected: 6,541
Personal details, such as names, national identification numbers, dates of birth, and employment information, of past and current candidates of the Singapore Chartered Accountant Qualification programme were ‘inadvertently’ sent to 21 Accredited Training Organisations and one vendor by the Singapore Accountancy Commission (SAC) between June 12th and October 22nd, 2019.

Unknown | Affected: 1,200,000,000
An unsecured Elasticsearch server hosted on Google Cloud was discovered that contained 4 billion user account records that could be linked to 1.2 billion individuals. The database held more than 4TB of data, including names, email addresses, phone numbers, LinkedIn and Facebook profile information, and more. The data sets have been linked to People Data Labs and OxyData, two data enrichment companies; however, the server does not belong to either of them.

Catch Hospitality Group (US) | Affected: Unknown
The company’s POS devices were infected with card-stealing malware, compromising devices at Catch NYC, including Catch Roof, from March 19th, 2019, to October 17th, 2019, and at Catch Steak from September 17th, 2019, until October 17th, 2019. The malware which infected the POS devices had the capability to search for ‘track data’, which can include the cardholder’s name, the card number, expiry date, and internal verification code.

OnePlus (China) | Affected: Unknown
An unauthorised third party accessed OnePlus’ customer order information, exposing names, contact numbers, email addresses, and shipping addresses. Not all customers were impacted and the exact time frame of the incident is unclear.

Church’s Chicken (US) | Affected: Unknown
Payment cards used at certain restaurants in 2019 may have been impacted after unauthorised activity related to the company’s payment processing system was discovered in late October 2019. Church’s Chicken said that potentially exposed information includes card numbers, cardholder names, and expiration dates.

Karnataka Examinations Authority (India) | Affected: Unknown
The private data of hundreds of thousands of students registered with the Karnataka Examinations Authority was allegedly stolen by a marketing agency in July 2019. Some of the stolen data was allegedly sold on to third parties. Stolen data includes mobile phone numbers and course preferences.

Vistaprint (Netherlands) | Affected: Unknown
Security researcher Oliver Hough discovered an unencrypted database belonging to Vistaprint containing information on customers from the US, the UK and Ireland. The data was split into five tables storing over 51,000 customer service interactions, including details of calls to customer services, email threads, and more. The database also exposed personally identifiable information, including names, email addresses, phone numbers, and more.

Shenzhen Smart Care Technology Ltd (China) | Affected: >15,000
AV-TEST Institute researchers discovered an unprotected server exposing the private data of children wearing the company’s SMA-Watch-M2. Exposed data includes names, addresses, ages and images of over 5,000 children. Additionally, all voice messages and real-time GPS position data are exposed, as is the personal data of over 10,000 parent accounts.

Facebook and Twitter | Affected: Unknown
According to Twitter and Facebook, two software development kits (SDKs) used by third-party iOS and Android apps accessed users’ profiles and covertly collected data. Both companies’ SDKs allegedly harvested profile information such as names, genders, and email addresses, as well as Tweets in the case of the oneAudience SDK.

On the Border (US) | Affected: Unknown
On the Border is informing its customers of a malware attack on its payment processing system, discovered on November 14th, 2019, and potentially affecting some of its customers’ payment card information. The security incident affects payment cards processed between April 10th and August 10th, 2019, in certain On the Border restaurants. Impacted information includes names, credit card numbers, and more.

Online Registration System (India) | Affected: ~2,000,000
Security researcher Avinash Jain discovered a bug in the Indian government’s Online Registration System website in 2018, which allowed anyone to access patient details including full names, addresses, age, mobile numbers, partial Aadhaar numbers, and more. The flaw was fixed in October 2018, three weeks after CERT-In was alerted to it.

Police and Border Guard Board (Estonia) | Affected: 200
An email sent out by an agency that is part of the Estonian Police and Border Guard Board went to 200 cryptocurrency trading service providers without hiding the individual recipients’ email addresses.

DiBella’s Old Fashioned Submarines (US) | Affected: ~305,000
DiBella’s Old Fashioned Submarines revealed that its customer payment system was compromised by the FIN7 group. The company, which was informed of the breach by the FBI and credit card companies on August 27th, 2019, stated that as many as 305,000 payment cards could have been affected. Stores in Connecticut, Indiana, Michigan, Ohio, New York and Pennsylvania were impacted between March 22nd, 2018, and December 28th, 2018.

Magento Marketplace | Affected: Unknown
On November 27th, 2019, Adobe disclosed a security breach that impacted Magento Marketplace users; the issue affected customers as well as plugin and theme developers. An email sent to impacted users revealed that on November 21st, 2019, Magento discovered that an unauthorised party had access to Magento Marketplace account holder information. Exposed data included names, email addresses, billing and shipping addresses, phone numbers, limited commercial information, and more.

Ivy Rehab Network (US) | Affected: Unknown
On November 26th, 2019, Ivy Rehab Network disclosed that a number of employee email accounts may have been accessed by an unauthorised party. The incident, which was discovered in May 2019, potentially revealed patient information. Data accessible through the email accounts included patient names, protected health information, financial account information, Social Security numbers, and more.

This table shows a selection of leaks and breaches reported this week.

Attack Type Mentions in Healthcare

This chart shows the trending Attack Type related to Healthcare over the last week.

Weekly Industry View
Industry | Information

Government
Qihoo 360 researchers discovered a new campaign targeting individuals and organisations in Kazakhstan, including government agencies, military personnel, and others. According to the researchers, this is a new threat actor called Golden Falcon or APT-C-34. However, Kaspersky believe it to be the Russian-speaking DustSquad, who have been active since 2017. After gaining access to the group’s C2, researchers discovered a variety of data stolen by the group, some of it sorted by the 13 largest cities in Kazakhstan. To gain access to a victim’s data, Golden Falcon makes use of the HackingTeam surveillance kit Remote Control System, as well as a custom backdoor trojan called Harpoon. The researchers also found contracts, including one for the procurement of Pegasus, a mobile surveillance toolkit, and another for the defense contractor Yurion. In both cases no further evidence indicates whether the products were purchased.

Healthcare
Virtual Care Provider Inc (VCPI) was hit by a Ryuk ransomware attack on November 17th, 2019, impacting around 110 nursing homes to which it provides its services. All of the company’s core offerings are affected, including internet service and email, as well as access to patient records, client billing, phone systems, and VCPI’s own payroll operations. A ransom of about $14 million in Bitcoin was demanded, which VCPI’s owner Karen Christianson said her firm could not afford to pay, adding that some of VCPI’s clients may be forced to close down if the company cannot recover.

Technology
Check Point researchers found that many Android apps continue to contain long-known vulnerabilities. This is because many apps bundle reusable components, called native libraries, built from open-source projects. When the relevant vulnerabilities are fixed in the open-source project, the copies compiled into apps that use these native libraries are not necessarily updated. The researchers looked at three known critical vulnerabilities, tracked as CVE-2014-8962, CVE-2015-8271, and CVE-2016-3062, and found them present in hundreds of Android apps, including Yahoo Browser, Facebook, Instagram and WeChat.

Cryptocurrency
Researchers at ESET found that the Stantinko botnet, which has been active since at least 2012, now contains a cryptomining module which can mine Monero. The botnet primarily targets machines in Russia, Ukraine, Belarus, and Kazakhstan. The botnet, which has been deploying its new module since at least August 2019, uses a version of the open-source cryptominer XMR-STAK. The operators removed unneeded strings and functions, and applied obfuscation to the remaining ones. Communication is established with the mining pool via proxies, the IP addresses of which are retrieved from the description text of YouTube videos. The cryptominer contains a number of key features, including the ability to detect security software, suspend other cryptomining applications, and postpone its mining operations when Task Manager is opened.

Critical Infrastructure
Microsoft security researcher Ned Moran revealed that the Iranian hacking group APT33 has begun to target industrial control system (ICS) equipment that is used in oil refineries, electrical utilities and manufacturing. In a presentation given at CYBERWARCON, Moran disclosed that during October and November 2019, the group focused its efforts on targeting approximately 2,000 organisations per month with password spraying attacks directed against multiple accounts. Approximately half of the top 25 targeted organisations were responsible for the manufacture, supply or maintenance of ICS equipment. Moran speculated that the group is targeting ICS producers and manufacturers in order to impact their customers’ infrastructure.

News and information concerning each mentioned industry over the last week.
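The Technology item above turns on a supply-chain fact: the vulnerable code is a compiled copy of an open-source library sitting under lib/<abi>/ inside the APK, so patching the upstream project changes nothing until the app is rebuilt with the newer library. The script below, an added example and not Check Point’s tooling, is the check a reviewer would run on a build artefact: open the APK as a zip, walk the bundled .so files, pull out the version strings the libraries themselves embed, and compare them against a baseline. The APK is constructed in memory; VERSION_PATTERNS follows the vendor strings that libFLAC and libpng compile into their binaries, and MINIMUM_SAFE is an assumed placeholder baseline, not a statement of which versions the three CVEs in the report affect.

```python
"""Inventory native libraries (lib/<abi>/*.so) bundled in an APK and extract the
version strings embedded in them, so stale open-source components are visible
even when the app's own code is current.

Added example, not Check Point's tooling and not tied to the CVEs named in the
report. The APK is constructed in memory; MINIMUM_SAFE is an assumed placeholder
baseline to be replaced with the organisation's own.
"""
import io
import re
import zipfile

# Vendor strings these libraries embed in their binaries (assumption: unchanged builds).
VERSION_PATTERNS = {
    "libFLAC": re.compile(rb"reference libFLAC (\d+\.\d+\.\d+)"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}

# Assumed placeholder baseline: anything older than this is flagged as stale.
MINIMUM_SAFE = {"libFLAC": "1.3.1", "libpng": "1.6.37"}


def parse_version(text: str) -> tuple:
    """'1.6.37' -> (1, 6, 37) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def inventory_native_libs(apk_bytes: bytes) -> list:
    """Return one record per (bundled .so, recognised component, version) in the APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            parts = name.split("/")
            # Android packs native code as lib/<abi>/<file>.so; skip everything else.
            if len(parts) != 3 or parts[0] != "lib" or not parts[2].endswith(".so"):
                continue
            data = apk.read(name)
            for component, pattern in VERSION_PATTERNS.items():
                versions = {m.group(1).decode() for m in pattern.finditer(data)}
                for version in sorted(versions):
                    floor = MINIMUM_SAFE.get(component)
                    findings.append({
                        "path": name, "abi": parts[1], "component": component,
                        "version": version,
                        "stale": floor is not None and parse_version(version) < parse_version(floor),
                    })
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: two fake .so files carrying version strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\x00")
        apk.writestr("lib/arm64-v8a/libmedia.so",
                     b"\x7fELF" + b"\x00" * 60 + b"reference libFLAC 1.3.0 20130526\x00")
        apk.writestr("lib/armeabi-v7a/libimage.so",
                     b"\x7fELF" + b"\x00" * 60 + b"libpng version 1.6.37 - April 14, 2019\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inventory_native_libs(build_sample_apk()):
        flag = "STALE" if f["stale"] else "ok"
        print(f"{flag:5} {f['component']} {f['version']} in {f['path']}")
```

Point `inventory_native_libs` at the bytes of a real APK to get the same inventory; extend VERSION_PATTERNS with the vendor strings of whichever libraries your apps bundle, and treat a library with no recognisable version string as unknown rather than safe.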
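The Critical Infrastructure item describes password spraying: one source trying a small number of passwords against many accounts, which stays under per-account lockout thresholds and so is invisible to a brute-force rule. The detection below is an added example, not Microsoft’s logic, and runs over constructed log lines in an assumed simplified format (`<ISO timestamp> <user> <source IP> <OK|FAIL>`). It alerts on a source whose failures within a sliding window touch many distinct accounts with at most a couple of attempts each, and deliberately does not fire on the single-account brute force included in the sample, which needs a different rule.

```python
"""Flag password spraying in authentication logs: a single source failing against
many distinct accounts with only one or two attempts per account.

Added example, not Microsoft's detection logic. Log lines are constructed and use
an assumed simplified format: "<ISO timestamp> <user> <source IP> <OK|FAIL>".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line: str) -> tuple:
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def detect_spray(lines, window=timedelta(minutes=30), min_accounts=10, max_per_account=2) -> list:
    """Return one alert per source whose failures inside any `window` hit at least
    `min_accounts` distinct users with no more than `max_per_account` tries each."""
    failures = defaultdict(list)                      # source IP -> [(ts, user), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, user, src, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = []
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            per_account = Counter(user for _, user in events[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts.append({
                    "source": src,
                    "distinct_accounts": len(per_account),
                    "first_seen": events[start][0].isoformat(),
                    "last_seen": events[end][0].isoformat(),
                })
                break                                  # one alert per source is enough
    return alerts


def build_sample_log() -> list:
    """Constructed log: one spray, one single-account brute force, some normal traffic."""
    base = datetime(2019, 11, 25, 9, 0, 0)
    lines = []
    for i in range(12):                                # spray: 12 accounts, one try each
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} user{i:02d} 203.0.113.7 FAIL")
    for i in range(15):                                # brute force: one account, 15 tries
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} admin 198.51.100.4 FAIL")
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} user05 192.0.2.10 OK")
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()} user05 192.0.2.10 FAIL")
    return lines


if __name__ == "__main__":
    for alert in detect_spray(build_sample_log()):
        print(alert)
```

Against a real identity provider the source key should also include the user agent or ASN, since a campaign of the size Moran describes rotates source addresses; the per-account ceiling is what separates spraying from the brute force that lockout policy already catches.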

The Silobreaker Team
