30 September 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name | Heat 7
Apple iOS 12
VMware vCenter Server
Adobe FrameMaker
Irfanview
Microsoft Azure Active Directory

Deep & Dark Web
Name | Heat 7
Apple iOS
Google Android
Dogecoin
OpenSSL
WordPress

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Company | Information | Affected
Illinois Department of Healthcare and Family Services & Department of Human Services (US) | An issue with the state’s Integrated Eligibility System was discovered on November 24th, 2020. Household members who had been removed from an account could continue to access information. Possibly exposed information includes names, addresses, case numbers, Social Security numbers, medical information, financial information, and more. | Unknown
Ministry of Defence (UK) | An email sent by the Afghan Relocation and Assistance Policy team, containing the email addresses and some names of individuals, was visible to all recipients. | 55
United Health Centers (US) | All 21 locations were impacted by an August 2021 Vice Society ransomware attack. A number of files containing sensitive information supposedly stolen during the attack have been leaked online. Among the leaked information are patient benefits, financial documents, patient lab results, and audits. | Unknown
Grupo GSS (Spain) | The company was hit by Conti ransomware on September 18th, 2021. Services were interrupted, with call centers and automated customer support phone services being unreachable. Conti dumped six dozen files on September 28th, 2021, with at least one file thought to contain personal data on employees. | Unknown
Clubhouse & Facebook (US) | A hacker is selling a database that combines phone numbers from a scraped Clubhouse database with users’ Facebook profiles. The data includes names, phone numbers, Facebook profile links, and more. | 3.8 billion
ABX Express Enterprise (Malaysia) | Dresorden Group allegedly carried out a cyberattack against the company, wiping the servers and stealing 200GB of files, including corporate financial data and tens of millions of customer records revealing shipping details. | Unknown
Council on Aging of Southwestern Ohio (US) | An employee’s email account was targeted and accessed by an unknown party on July 27th, 2021. The attacker accessed a file possibly containing clients’ names, birth dates, addresses, Medicaid numbers, and medical information. | Unknown
FarFaria (US) | An unprotected MongoDB database containing 38GB of personal data was discovered. Amongst the exposed data were emails, authentication tokens, encrypted passwords, sign-in information, social media tokens and related information. | 2.9 million
Blue Sky Group (Netherlands) | A malicious actor gained access to a company email account in August 2021. Potentially compromised information includes names, dates of birth, policy and employee numbers, bank account details, and pension amounts. | Unknown
Stonington Schools (US) | The school district was targeted in a ransomware attack on September 27th, 2021. An investigation is ongoing to determine the nature and origin of the attack, and whether any information was compromised. | Unknown
El Instituto Nacional de Medicina Genómica (Mexico) | CoomingProject claimed a cyberattack against the COVID-19 research centre in which 50GB of data was allegedly stolen. The threat actors also published a database containing 400 records with names, birth dates, emails, phone numbers, and other details of COVID-19 patients. | 400
Robinwood Orthopaedic Specialty Center (US) | The company was listed as a victim on the Groove leak site on September 13th, 2021. The actor posted screenshots of folders related to medical files and health records allegedly stolen from the healthcare provider. | Unknown
Lufkin Independent School District (US) | The Texas school district was targeted in a ransomware attack discovered on September 25th, 2021. Several systems were taken down to stop the attack. An investigation is ongoing to determine whether any data was compromised. | Unknown
Hawaii Payroll Services LLC (US) | The company’s servers were accessed by an unauthorised party between February 15th and February 16th, 2021. The attack resulted in the deployment of ransomware. Customers’ personal information, including Social Security numbers, dates of birth, full names, and bank account information, may have been compromised. | ~4,500
Oath Keepers (US) | A hacker gave around 5GB of data supposedly exfiltrated from the militia to Distributed Denial of Secrets. The data included a membership list of email addresses. Some accounts were reportedly linked to names, physical addresses, telephone numbers and IP addresses. Other sensitive information, such as financial information, passwords, and decryption keys, may also have been exposed. | 38,000
MyIdentity (Malaysia) | A database containing 31.8GB of data has been made available for sale online. Possibly compromised information includes names, email addresses, mobile numbers and addresses, grouped by birth year from 1979 to 1998. | 4,000,000
PORTpass (Canada) | The private COVID-19 vaccination proof app exposed the profiles of its users to the internet. Among the exposed data were photos of driver’s licenses and passports, as well as email addresses, names, blood types, and phone numbers. The information was reportedly unencrypted and viewable in plain text. | Unknown
TiteLive (Belgium) | Operations were disrupted at hundreds of bookstores in Europe after the company’s IT systems were targeted by a ransomware attack. | Unknown
McAllen Surgical Specialty Center (US) | A ransomware attack was detected on May 14th, 2021. Potentially compromised information includes names, addresses, Social Security numbers, dates of service, health insurance information, medical records and more. | 29,277
Unknown (Brazil) | On September 19th, 2021, PSafe researchers discovered a public website exposing records with personal data of the country’s residents. The leak includes names, ITIN numbers, addresses, dates of birth, income, 109 million employer identification numbers, vehicle licence plates, emails, phone numbers, and more. The site is freely accessible over the internet. | 426,000,000
Cadence Health (US) | An anonymous hacker exfiltrated files from the company. Potentially compromised patient information includes notes on patients’ phone consultations, medical history, and prescription information. | 281,000
Forward Air (US) | The company confirmed that its systems were accessible between November 2020 and December 2020 following a ransomware attack by Evil Corp, operating under the Hades ransomware name. Potentially compromised information includes names, addresses, Social Security numbers, and more, of current and former employees. | Unknown

Mobile Malware mentions in Banking & Finance

[Time series chart] This chart shows the trending mobile malware related to Banking & Finance within a curated list of cyber sources over the past week.

Weekly Industry View

Industry View
Industry | Information
Government | The UK’s HM Courts & Tribunals Service warned users of scammers impersonating County Court bailiffs by distributing emails that falsely inform recipients of required payments. The emails carry attachments with HM Courts & Tribunals Service iconography, include bank account details for the payments, and are often followed by a telephone call from the scammers.
Technology | Armorblox observed a credential phishing campaign targeting several of its customers’ environments across Office 365, Google Workspace, and Exchange. The emails are sent from an abused legitimate domain belonging to the Full Gospel Baptist Church. The campaign impersonates the email encryption company Zix, inviting users to view a ‘secure’ message. Clicking the message’s link prompts the download of an HTML file, which directs to a page blocked by site blockers. The campaign is highly targeted: targets are deliberately chosen from across departments, including high-ranking positions, and never more than one employee from the same department.
Banking & Finance | The Indian Computer Emergency Response Team warned users of an active Android banking trojan campaign leveraging Drinik malware. Victims receive an SMS directing them to a phishing website impersonating India’s Income Tax Department, which prompts them to enter personal details and launches the download of a malicious APK. The app falsely informs the user of a pending tax refund and creates a personalised mobile banking overlay based on the information the user previously submitted. The victim is then prompted to enter their banking credentials, which are captured by the scammers.
Retail & Tourism | ESET researchers uncovered a new cyberespionage group, dubbed FamousSparrow, which has largely targeted hotels since at least August 2019. Other targets have included governments, international organisations, engineering companies and law firms in 12 countries. FamousSparrow leveraged the ProxyLogon Microsoft Exchange vulnerabilities in March 2021 to take over Exchange mail servers globally. Remote code execution flaws in Microsoft SharePoint and Oracle Opera have also been exploited to deploy various custom tools. Among these is a new backdoor, dubbed SparrowDoor, that is loaded via DLL search order hijacking, and two custom versions of Mimikatz. The group was also observed using the Motnug loader, which has been linked to SparklingGoblin, as well as a domain linked to DRBControl. However, the researchers believe FamousSparrow to be a separate threat actor.
Cryptocurrency | On September 23rd, 2021, the Bitcoin[.]org website was hijacked by hackers who encouraged users to send Bitcoin to an attacker-controlled wallet in order to receive double the amount in return. To exert pressure, the notification, which impersonated The Bitcoin Foundation, stated that the offer was limited to the first 10,000 users. The attackers reportedly made just over $17,000. Namecheap, the site’s registrar, temporarily disabled the domain until the issue was resolved. It remains unclear how the attack occurred, with some speculating it may have been a DNS hijack.

News and information concerning each mentioned industry over the last week.
