
Threat Summary: 25 – 31 October 2019


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name, Heat 7d)
  • PHP 7
  • WebKit Software Component
  • Nginx
  • YouPHPTube
  • IBM Cloud Orchestrator

Deep & Dark Web (Name, Heat 7d)
  • PHP 7
  • Nginx
  • WordPress
  • Debian
  • Pwn2Own (competition)

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Company / Information / Affected

7-Eleven (Australia)
Information: On October 24th, 2019, a 7-Eleven customer discovered that the 7-Eleven Fuel App exposed personal information, including names, email addresses, mobile numbers and dates of birth, to other users. In response, the company took the application offline for several hours to resolve the issue. An investigation into the cause is ongoing.
Affected: Unknown

Geisinger Health Plan (US)
Information: The protected health information of Geisinger Health Plan members may have been exposed due to a phishing attack on the company’s business associate Magellan NIA. The attack is believed to have been carried out for spamming purposes; however, unauthorised access to data cannot be ruled out.
Affected: Unknown

Betty Jean Kerr People’s Health Center (US)
Information: The health centre is informing its patients of a ransomware attack on September 2nd, 2019. Potentially breached data includes patient, health care provider, and employee names, dates of birth, addresses, Social Security numbers, and more. No patient medical records were exposed.
Affected: 152,000

Optus (Australia)
Information: A data leak exposed Optus customer names, phone numbers, and addresses after the information was accidentally published in Sensis’ White Pages. The customers’ details were listed both online and in the printed version of White Pages. According to Optus, in the majority of cases the customer data was leaked before the customers joined Optus. Sensis denies this claim.
Affected: 50,000

UniCredit (Italy)
Information: UniCredit suffered a data breach that exposed a file from 2015 containing about three million records relating to Italian clients. Exposed data includes names, cities, telephone numbers, and email addresses. No bank details that could be used by third parties to gain access to customer accounts or complete transactions were breached.
Affected: Unknown

Adobe (US)
Information: An exposed and unprotected Elasticsearch database containing nearly 7.5 million Adobe Creative Cloud user records was found online. Exposed information included email addresses, member IDs, payment status, account creation data, and more. Comparitech stated that the data could be used in phishing campaigns. Adobe was immediately notified of the exposure and closed the database on the day of discovery.
Affected: Unknown

Electronic Settlements Limited (Nigeria)
Information: Two unsecured databases containing customer data belonging to CashEnvoy and PayPad were discovered. The first was discovered in February 2019 and contained over 8 million records with names, account information, CashEnvoy wallet data, and more. The second was found in October 2019 and contained 2.59 million records relating to PayPad’s credit and debit card transactions, displaying card numbers in plain text.
Affected: Unknown

Unknown
Information: A new dump of 1.3 million card details was added to the carding shop Joker’s Stash, with over 98% of the 550,000 cards analysed belonging to Indian banks. The dump contains Track 1 and Track 2 data, which is found on the card’s magnetic stripe. This suggests that the details were acquired from skimming devices on ATMs or PoS systems.
Affected: 1,300,000

West Berkshire Council (UK)
Information: On October 25th, 2019, West Berkshire Council exposed the email addresses of 1,107 individuals to each other after mistakenly adding the email addresses to the wrong field.
Affected: 1,107

Unknown (Colombia)
Information: ESET researchers discovered a misconfigured Elasticsearch database that exposed personal details of Colombian citizens, including names, email addresses, phone numbers, and more. The database has since been secured. The researchers did not identify the owners of the database, stating only that it was difficult to track down the responsible party.
Affected: ~2,500,000

Prisma Health (US)
Information: Prisma Health is informing affected patients and volunteers of a data breach, first discovered on August 29th, 2019, that exposed personal information. The breached data includes information given on patient pre-registration and volunteer registration forms that had been completed on the Palmetto Health website. This includes names, addresses, dates of birth, Social Security numbers, as well as some health and insurance information. No medical records were exposed.
Affected: Unknown

Web.com Group Inc (US)
Information: Domain name registrars NetworkSolutions[.]com, Register[.]com and Web[.]com warned customers that an unauthorised third party gained access to their systems in late August 2019. The intrusion, which was not detected until October 16th, 2019, compromised users’ names, phone numbers, email addresses, and more. No financial data or passwords are believed to have been compromised.
Affected: Unknown

Bed Bath & Beyond (US)
Information: Bed Bath & Beyond is informing its customers of a data breach that affects a small number of its online customer accounts. The company stated that an unauthorised party had gained access to customer login information. No payment data was affected.
Affected: Unknown

Ontario Science Centre (Canada)
Information: The names and email addresses of Ontario Science Centre members, donors, and others were exposed in a data breach that took place between July 23rd and August 7th, 2019. The science centre was first made aware of the breach on August 16th, 2019 by Campaigner, which discovered that a former employee’s credentials had been used by an unauthorised individual to make a copy of Ontario Science Centre’s subscriber emails and names.
Affected: 174,000

This table shows a selection of leaks and breaches reported this week.

Attack Types Mentions in Banking (chart)

This chart shows the trending Attack Types related to Banking over the last week.

Weekly Industry View
Industry / Information

Banking & Finance
Researchers at Group-IB reported that a new dump of 1.3 million card details has been added to the carding shop Joker’s Stash. The majority of the cards appear to belong to Indian customers: of the more than 550,000 cards that the researchers analysed, over 98% belong to Indian banks. The dump contains Track 1 and Track 2 data, which is found on the card’s magnetic stripe. This suggests that the details were acquired from skimming devices on ATMs or PoS systems. The cards are currently being sold for $100 per card. At present, the party behind the card dump remains unidentified.

Technology
ESET researchers uncovered an adware campaign involving 42 apps on the Google Play Store, active since July 2018. The adware involved is tracked by ESET as Android/AdDisplay.Ashas. Once launched, the apps begin to communicate with their C2 server and send data about the affected device, including device type, OS version, language, and more. The app will not trigger the adware payload if it is being tested by the Google Play security mechanism. It can also set a custom delay between displaying ads, meaning that a typical testing procedure will not detect any unwanted behaviour. The researchers were able to track down the developer of the apps and uncover his identity. All the apps have since been removed from the Play Store but remain available via third-party app stores.

Government
A cyberattack on the city of Johannesburg on October 24th, 2019, which was initially thought to be a ransomware attack, did not encrypt any of the city’s computers. Rather, Shadow Kill Hackers, who claim to be behind the attack, stated they had gained access to the city’s Active Directory server and were the ones responsible for taking down the city’s website. Additionally, initial reports stated that Shadow Kill Hackers were also responsible for Distributed Denial-of-Service attacks on several South African banks, yet the group has since denied such claims. Instead, these DDoS attacks may have been part of a global campaign by a group pretending to be the Russian group Fancy Bear.

Retail, Hospitality & Tourism
Link11 and Radware observed multiple distributed denial-of-service (DDoS) attacks and blackmail emails against companies in the payment, entertainment and retail sectors from a group claiming to be the Russian hacker group Fancy Bear, also known as APT28. The campaign asks for 2 Bitcoin (€14,200) as ‘protection money.’ If this is not paid, the threat actors launch a warning attack. The warning attacks use multiple vectors, including DNS, NTP, CLDAP and the new attack techniques WS Discovery and Apple Remote Control. Fancy Bear is known for major attacks against government agencies, embassies, NATO bases, and political parties, but has never engaged in DDoS attacks. Additionally, the blackmail email appears almost identical to the one used by another group posing as Fancy Bear in 2017. A difference from previous copycat groups is that the current threat actor appears to own a DDoS botnet, whereas the others never actually carried out the attacks.

Critical Infrastructure
Pukhraj Singh, a former analyst at India’s National Technical Research Organization, linked a Dtrack malware report on VirusTotal to an attack on India’s Kudankulam nuclear power plant. Dtrack malware has previously been associated with North Korea’s Lazarus Group. Ars Technica stated that the attack would have targeted research and technical data, rather than the plant’s reactor controls. Officials at the plant initially denied the attack; however, it was later confirmed as genuine by the Nuclear Power Corporation of India (NPCIL). The NPCIL stated that the attack affected a device that was isolated from the plant’s critical internal network.

News and information concerning each mentioned industry over the last week.
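The Joker’s Stash item above (also listed under Data Leaks & Breaches) notes that the dump carries Track 1 and Track 2 magnetic-stripe data. As an added example, not part of Silobreaker’s report, the Python scanner below flags lines in a file that follow the ISO/IEC 7813 Track 1 and Track 2 layouts, validates each PAN with the Luhn check to cut false positives, and reports only masked card numbers, which is the shape of check a DLP or incident-response team uses to size a suspected card dump. The sample dump and its test PANs are constructed.

```python
import re

# Constructed sample dump (not data from the report): two ISO/IEC 7813 track
# records using well-known test PANs, one record whose PAN fails Luhn, and noise.
SAMPLE_DUMP = """\
%B4111111111111111^DOE/JOHN^25121011000000000000?
;5500000000000004=2412101123456789?
order_id=88213 total=42.10 status=ok
;1234567890123456=2501101?
%B4111111111111111^DOE/JOHN^2512?
"""

# Track 1: %B<PAN>^<NAME>^<YYMM>...?    Track 2: ;<PAN>=<YYMM>...?
TRACK_PATTERNS = {
    "track1": re.compile(r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]*\?"),
    "track2": re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})[^?]*\?"),
}

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so findings can be logged without re-exposing cards."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_dump(text: str) -> list:
    """One finding per track record found; the full PAN never leaves this function."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for track, rx in TRACK_PATTERNS.items():
            for m in rx.finditer(line):
                pan = m.group("pan")
                findings.append({"line": lineno, "track": track, "pan_masked": mask_pan(pan),
                                 "expiry": m.group("exp"), "luhn_ok": luhn_ok(pan)})
    return findings

def unique_valid_pans(findings: list) -> list:
    """Distinct Luhn-valid PANs: the number to report, not the raw match count."""
    return sorted({f["pan_masked"] for f in findings if f["luhn_ok"]})

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    print("records matched:", len(found))
    print("distinct Luhn-valid PANs:", unique_valid_pans(found))
```

On real data, point `scan_dump` at the file contents and treat the distinct Luhn-valid count, not the line count, as the exposure figure, since the same card often appears in both track formats.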

The Silobreaker Team
