
Threat Summary: 24 – 30 April 2020

24 – 30 April 2020

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name, Heat 7d)
  • iPad
  • Sophos XG Firewall
  • Apple iOS 6
  • iPhone
  • Microsoft Teams

Deep & Dark Web (Name, Heat 7d)
  • iPhone
  • Telegram App
  • IBM QRadar
  • vBulletin
  • Apple macOS

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches (Company, Information, Affected)

  • Paay LLC (US) – Affected: Unknown
    Security researcher Anurag Sen identified an unprotected Paay database which was exposed for nearly three weeks. The database contained the details of approximately 2.5 million card transactions dating back to September 1st, 2019. The exposed information included plaintext card numbers, the amount spent, and expiry dates. Cardholder names and CVV numbers were not exposed.
  • SeaChange (US) – Affected: Unknown
    BleepingComputer reported that data which supposedly belongs to US-based video delivery software solution company SeaChange has been uploaded to Sodinokibi’s data leak site. The uploaded information allegedly contains insurance certificates, driver’s licenses, a document relating to a proposed Pentagon video-on-demand service, and more.
  • Nintendo (Japan) – Affected: 160,000
    Nintendo revealed that beginning in early April 2020, user accounts were accessed via Nintendo Network ID (NNID). Exposed information includes names, nicknames, dates of birth, email addresses, and more. The company warned that if users had the same password for their NNID and Nintendo account, then attackers could use stored financial information to make purchases via My Nintendo Store or the Nintendo eShop.
  • Huiying Medical Technology (China) – Affected: Unknown
    THE0TIME claim to have stolen Huiying Medical Technology’s COVID-19 detection technology source code and experimental data, and are now selling it for 4 Bitcoin. The threat actors also claim to have stolen 1.5MB of user data.
  • City of Detroit (US) – Affected: 2,000
    The City of Detroit’s health department’s website briefly exposed the personal details of about 2,000 residents on March 28th, 2020. No Social Security numbers were affected.
  • Ambry Genetics (US) – Affected: 233,000
    The company identified unauthorised access to an employee’s email account between January 22nd and 24th, 2020. It is unclear whether any information was accessed or stolen during this period, and the company is not aware of any misuse of personal information. Potentially exposed data includes customer names, medical information and more.
  • Tax2efile (US) – Affected: Unknown
    Researchers at Cyble discovered a threat actor selling Tax2efile customer data on hacker forums. The stolen database included thousands of employer identification numbers, emails and passwords, bank accounts, as well as 39,601 Social Security numbers. The database was offered via an auction, which has since closed, indicating that it has been sold.
  • Unknown – Affected: Unknown
    Researchers at Group-IB reported that a database of 397,365 cards was uploaded to Joker’s Stash on April 9th, 2020. Approximately 49.9% of the dump was made up of South Korean cards, while roughly 49.3% of the data related to US banks. The database mainly consists of Track 2 information, which includes account numbers, expiration dates and CVVs.
  • CivicSmart (US) – Affected: Unknown
    The smart parking meters and technology company was hit by Sodinokibi ransomware in March 2020. The ransomware operators’ site ‘Happy Blog’ suggests that CivicSmart paid the demanded ransom amount to have its files decrypted. Previously, the operators’ site also contained a screenshot of stolen data suggesting they were preparing to publish nearly 159 GB of data.
  • ExecuPharm (US) – Affected: Unknown
    The US pharmaceutical company informed its customers of a ransomware attack on March 13th, 2020, stating that personal information, such as Social Security numbers, taxpayer IDs, driver’s licence numbers, and more, may have been accessed. Data stolen from the company’s servers has since been posted on a dark web site associated with the CLOP ransomware operators.
  • Zaha Hadid Architects (UK) – Affected: Unknown
    The company was targeted in a ransomware attack, which encrypted some server information. The attackers also claim to have stolen internal company data prior to encryption, and a screenshot of payroll and cash book information was uploaded from an anonymous Twitter account on April 23rd, 2020. ZHA does not believe any project data was stolen.
  • University of Warwick (UK) – Affected: Unknown
    Sky News reported that the University of Warwick’s administrative network was breached in 2019. The incident impacted students, staff, and research study volunteers. The university was unable to determine what information had been stolen and failed to inform individuals and research bodies impacted by the breach. Several sources told Sky News that numerous data breaches have occurred at the university.
  • Wuhan Institute of Virology (China) – Affected: Unknown
    The South China Morning Post stated that staff login credentials were reportedly leaked and used in an attempt to log in to email accounts. Other organisations whose credentials were leaked in the previously reported incident include the World Health Organization, the Gates Foundation, and the Centers for Disease Control and Prevention.
  • UseNeXT and Usenet[.]nl – Affected: Unknown
    The companies disclosed data breaches in which an attacker gained access to personal information, such as names, billing addresses, payment details, and more. Both companies stated that the breaches were the result of a vulnerability at a third-party company.
  • Prime Communications (US) – Affected: Unknown
    A former Prime Communications employee was sent the personal information of thousands of Prime Communications employees by the HR department. The former employee stated that she notified the company multiple times about the incident but did not receive a reply.
  • Kavaliro (US) – Affected: Unknown
    The company disclosed that in September 2019 an unknown attacker compromised two email accounts before compromising further accounts. Potentially exposed information includes customer names, dates of birth, phone numbers, email addresses, and more. The attackers also contacted clients and established spoofed domains to trick customers and employees.
  • Chegg Inc (US) – Affected: 700
    The company discovered that an unauthorised individual may have stolen the personal information of about 700 current and former US Chegg employees on or about April 9th, 2020. The potentially stolen data may include names and Social Security numbers.
  • PaperlessPay Corporation (US) – Affected: Unknown
    The e-payroll vendor shut down its web server and SQL server after being informed by the US Department of Homeland Security that a threat actor was offering access to its clients’ data on the dark web. It remains unclear what data may have been accessed, viewed, or copied. PaperlessPay clients who have recently issued data breach notifications include Marshall Medical Center, Community Memorial Health System, and others.

This table shows a selection of leaks and breaches reported this week.

Malware mentions in relation to the coronavirus outbreak

This chart shows the trending malware related to the coronavirus outbreak over the last week.

Weekly Industry View (Industry, Information)

  • Banking & Finance
    Researchers at Group-IB reported that a database of 397,365 cards was uploaded to Joker’s Stash on April 9th, 2020. Approximately 49.9% of the dump was made up of South Korean cards, while roughly 49.3% of the data related to US banks. The dump, which is the largest dark web sale of South Korean records in 2020, was priced at $1,985,835 by Joker’s Stash. The database mainly consists of Track 2 information, which includes account numbers, expiration dates and CVVs.
  • Government
    The website of Poland’s War Studies University was breached by hackers, after which a disinformation campaign was launched. This involved a fake letter supposedly from the University, in which the head of the University refers to US troop presence in Poland as an ‘American occupation.’ The attack is said to have sought to cause tension between the US and a key ally in Central Europe. At present, it is unclear who is behind the attack. Stanislaw Zaryn, spokesperson for the Minister-Special Services Coordinator, stated that the attack would be ‘congruent with disinformation activities carried out by the Russian Federation against Poland.’
  • Education
    Researchers at Proofpoint reported that Hupigon malware, which has been operational since at least 2006, has been spread in a campaign which delivered over 150,000 emails to more than 60 industries. Roughly 45% of the messages targeted the education sector. The emails seen in the campaign feature an adult dating lure, and recipients are asked to click on links within the message which download an executable. Running the file installs Hupigon onto the victim’s system. The malware can gain rootkit functionality, steal passwords, log keystrokes, and more. The researchers stated that the malware, which has previously been associated with APT campaigns, has been repurposed by cybercriminals.
  • Healthcare
    The US pharmaceutical company ExecuPharm informed its customers of a ransomware attack on March 13th, 2020, stating that personal information, such as Social Security numbers, taxpayer IDs, driver’s licence numbers, passport numbers, financial information, and more, may have been accessed. Data stolen from the company’s servers has since been posted on a dark web site associated with the CLOP ransomware operators. This included thousands of emails, financial and accounting records, user documents and database backups. CLOP ransomware operators reportedly pledged not to attack hospitals, nursing homes or charities during the COVID-19 outbreak, yet stated that ExecuPharm does not qualify, as pharmaceutical companies ‘are the only ones who benefit from the current pandemic.’
  • Critical Infrastructure
    Israel’s National Cyber Array revealed that, on the morning of April 23rd, 2020, it received reports of cyberattacks targeting the command and control systems of sewers, pumping stations, and wastewater treatment plants. The organisation stated that those operating in the sector should change the passwords of internet-facing control systems, ensure their controllers are running the latest versions, and reduce the systems’ internet connectivity.

News and information concerning each mentioned industry over the last week.

The Silobreaker Team
