04 March 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source

| Name | Heat 7 |
|---|---|
| Microsoft Exchange Server Enterprise | |
| Apple iOS 11 | |
| SaltStack Salt | |
| Gab Social Network | |
| Microsoft Exchange Server 2010 | |

Deep & Dark Web

| Name | Heat 7 |
|---|---|
| Microsoft Office | |
| VMware vCenter | |
| Accellion FTA | |
| EternalBlue | |
| CodeIgniter | |

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches

| Company | Information | Affected |
|---|---|---|
| Volunteers of America Chesapeake & Carolinas | The organisation stated that a phishing incident resulted in unauthorised access to information in some of its email accounts. This includes names, as well as Social Security numbers, financial or checking account numbers, payment card numbers, driver’s license numbers, and limited medical information. | Unknown |
| Health Service Executive (Ireland) | An unidentified individual reported that a ‘human error’ allowed them to access the HSE system and view the personal information of individuals who have received the COVID-19 vaccine. Exposed data includes PPS numbers, addresses, names, dates of birth, phone numbers, and more. The data can reportedly be accessed by anyone uploading data into the HSE system. An HSE spokesperson stated they are unaware of a data breach. | Unknown |
| Home for Little Wanderers (US) | The Massachusetts-based organisation discovered that some of its employee email accounts were compromised between November 10th and December 31st, 2020. It remains unclear whether any emails or attachments were viewed. | Unknown |
| Summit Behavioral Healthcare (US) | An investigation into suspicious activity first detected in May 2020 determined that two employee email accounts had been accessed by an unauthorised party. The accounts contained protected health information of some of its patients. | Unknown |
| Jacobson Memorial Hospital and Care Center (US) | Around August 5th, 2020, the North Dakota hospital discovered that the personal information of current and former patients may have been exposed to an unauthorised individual due to an incident involving an employee email account. Potentially exposed information includes Social Security numbers, credit card numbers, and bank account numbers. | 1,547 |
| SuperVPN, GeckoVPN, and ChatVPN | CyberNews reported that a hacker claims to have acquired data from VPN services via vulnerable publicly available databases. The hacker is advertising information such as names, email addresses, usernames, randomly generated password strings, and more. | 21,000,000 |
| JamCOVID (Jamaica) | On February 25th, 2021, Jamaica’s JamCOVID app and website were taken offline. A security researcher informed TechCrunch that the app exposed over 500,000 quarantine orders issued to travellers. Some of the orders dated back to March 2020. | Unknown |
| Philippines’ Civil Service Commission | An actor using the name ‘IamNoobie’ claims to have identified unspecified vulnerabilities in the commission’s website, allowing them to access passport copies, company IDs, official receipts, and personal user information. The actor claims to have secured the site, but another group has already leaked some user data. | 52,000 |
| T-Mobile (US) | T-Mobile has confirmed a data breach exposing the names, physical and email addresses, Social Security numbers and more for an unspecified number of clients. The affected data has been used in SIM swapping attacks. | Unknown |
| Zee5 (India) | Security researcher Rajshekhar Rajaharia discovered leaked user data belonging to the media service. Names, phone numbers, email addresses, and other details were leaked on February 23rd, 2021. | 9,000,000 |
| Gab (US) | The activist group Distributed Denial of Secrets released a 70GB dataset, dubbed GabLeaks, collected from the social network. The data includes public and private posts, user profiles, hashed passwords, direct messages, and plaintext passwords. The CEO of the social media site acknowledged the incident. | Unknown |
| Ticketcounter (Netherlands) | A threat actor advertised data stolen from the company on February 21st, 2021, before removing it. The hacker informed BleepingComputer that the database, which reportedly contains 1.9 million unique email addresses, full names, hashed passwords, and more, was sold privately. | Unknown |
| Transport for NSW (Australia) | The operators of Clop ransomware published screenshots of files they claim to have stolen from the agency in an attack against its Accellion FTA. This includes confidential documents, steering committee documents, and emails. | Unknown |
| Malaysia Airlines | An unspecified breach at a third-party IT service provider of the airline has resulted in the exposure of the airline’s customer data. Possibly affected data includes the names, dates of birth, contact details and more of members of the airline’s frequent flyer programme Enrich who were active between 2010 and 2019. | Unknown |
| Hurtigruten (Norway) | The December 2020 ransomware attack against the cruise company resulted in a breach of customer data for former passengers of two ships. Possibly impacted information includes customer names, passport numbers and expiration dates, email and physical addresses, phone numbers, and more. | Unknown |
| Mariana Tek (US) | CyberNews researchers discovered a publicly accessible AWS server belonging to the software company that contained CSV files exposing over 1.5 million user records. Exposed information included usernames, full names, addresses, email addresses, phone numbers, and more. | Unknown |
| Prisma Promotora (Brazil) | Researchers at vpnMentor discovered an unsecured AWS S3 bucket belonging to an Enterprise Resource Planning system used by the company. The S3 bucket contained personally identifiable information of thousands of individuals, including full names, email addresses, phone numbers, debit card information, ID numbers and photos, and more. | Unknown |
| Polecat (UK) | Security researcher Ata Hakcil discovered an unsecured Elasticsearch server owned by the data analytics firm. The exposed server contained records dating back to 2007, tweets and posts collected from various sites, as well as employee usernames and hashed passwords. The data was compromised in a series of attacks, one of which involved the Meow bot. | Unknown |
| CSX (US) | The rail operator suffered a ‘data security incident’ stemming from the breach of its software provider, Accellion. Clop ransomware operators posted screenshots revealing spreadsheets containing information about pension plan recipients and an employee roster. | Unknown |
| Oxfam Australia | The organisation has confirmed a data breach incident after a threat actor was seen selling 1.7 million user records. The database, which contains donor information, was accessed by an unauthorised party on January 20th, 2021. Information within the database includes names, addresses, phone numbers, and more. | Unknown |
| Stadgenoot (Netherlands) | The website of the Amsterdam housing corporation was hit by a cyberattack that resulted in data theft. The exfiltrated information includes names, addresses, email addresses, and in some cases license plate numbers and indications of annual salaries. | 30,000 |
| Fisher-Titus Medical Center (US) | An unauthorised individual gained access to an employee email account between August and October 2020. Possibly impacted personal data includes patients’ full names, Social Security numbers, credit and debit card numbers, as well as some medical data. | Unknown |
| Morgan County (US) | Data stolen from the Missouri county has been posted online by DoppelPaymer operators following a ransomware attack. The incident involved the theft of sensitive data. | Unknown |
| Npower (UK) | The energy supplier suffered a credential stuffing attack against its official app, with the actor gaining access to some customers’ contact details, addresses, partial bank account numbers and sort codes. | Unknown |
| New Jersey University Hospital (US) | The hospital disclosed an instance of unauthorised access to its systems which was identified on September 14th, 2020. Patient names, Social Security numbers, driver’s licenses, state identifications, passport numbers, medical and financial information may have been exposed. | Unknown |
| Steris Corporation (US) | Clop ransomware operators claimed to be in possession of data belonging to the US medical equipment company Steris Corporation. The allegedly stolen documents include a confidential study report and a trade secret formula for a product. | Unknown |
| AllyAlign Health (US) | The company informed members and providers of an attempted ransomware attack that occurred on November 13th, 2020. Potentially exposed information includes first and last names, mailing addresses, dates of birth, Social Security numbers, and more. | 76,348 |
| Atlanta Allergy & Asthma (US) | DataBreaches[.]net reported that the operators of Nefilim ransomware have added the company to their data leak site. The group also uploaded 2.5GB of data supposedly stolen from the company and claim to have about 19GB in total. The leaked data includes 597 files containing personal health information of thousands of patients. | Unknown |
| American Patriots Three Percent | An unidentified group of activists informed The Guardian of a misconfiguration of the AP3% membership plugin, which resulted in the exposure of member data. AP3% members stated that they did not specifically provide their personal data to the site, which is believed to have collected it from state-level organisations. | Unknown |
| Adecco Group (Switzerland) | CyberNews discovered a hacking forum user advertising data stolen from the human resources provider. The information reportedly contains 5 million records from Peru, Brazil, Argentina, Colombia, Chile, and Ecuador. Impacted data includes full names, hashed passwords, email addresses, IDs, and more. | Unknown |
| CallX (US) | vpnMentor researchers discovered an unsecured AWS S3 bucket owned by the telemarketing analytics company. The exposed bucket contained over 114,000 files and was 485GB in size. The leaked data includes audio recordings of phone conversations and text chat transcripts, which revealed names, phone numbers, addresses, and more. | Unknown |

Threat Actor mentions in Healthcare

[Time series chart not reproduced.] This chart shows the trending Threat Actors related to Healthcare over the last week.

Weekly Industry View

Industry View

| Industry | Information |
|---|---|
| Banking & Finance | According to BleepingComputer and security researcher Germán Fernández, the financially motivated Hotarus Corp deployed Ronggolawe ransomware to a site used by Ecuador’s Ministry of Economy and Finance. Following the attack, the hackers posted a text file containing 6,632 login names and hashed passwords to a hacker forum. The group then targeted Ecuador’s largest bank, Banco Pichincha. The bank stated that the attackers hacked a marketing partner and sent phishing emails to customers. Hotarus Corp disputes this and claims that it used the marketing company as a launchpad into the bank’s systems and then deployed ransomware. The group claims to have stolen employee information, emails, contracts, and sensitive documents from the Ministry of Economy and Finance, as well as 1,636,026 million customer records and 58,456 sensitive system records from Banco Pichincha. The attacker’s claims are currently unverified. |
| Government | Researchers at Kaspersky reported that in early 2020, Lazarus Group began to target the defence industry with ThreatNeedle. The malware family, which the researchers attribute to an advanced version of Manuscrypt, was previously used by the group to attack cryptocurrency businesses and a mobile game company. The attacks have impacted organisations in over a dozen countries. The attacks began with spear phishing emails featuring personal information acquired from public sources. The malware can execute received commands, profile systems, manipulate files, and more. Following exploitation, the attackers drop the ‘Responder’ credential harvesting tool, moving laterally from workstation to server hosts, overcoming network segmentation, and exfiltrating information. |
| Critical Infrastructure | Insikt Group researchers observed a China-linked threat actor, dubbed RedEcho, targeting the power sector in India. The actor used ShadowPad C2 servers to target 10 distinct Indian power sector organisations and two seaports. The targets included four of India’s five Regional Load Despatch Centres, which operate the power grid. The attacks share some infrastructure with other China-affiliated groups, such as APT41 and Tonto Team. |
| Technology | Microsoft disclosed multiple zero-day exploits being used to attack on-premises Exchange servers. Microsoft attributed the campaign with high confidence to the state-sponsored group HAFNIUM, which operates out of China. Exploiting the issues could allow attackers to access email accounts and deploy web shells and additional malware. Volexity stated that China Chopper variants, ASPXSPY, and a new web shell, dubbed SPORTSBALL, were used by the attackers. The group focuses on entities across several sectors in the US, including infectious disease researchers, law firms, defence contractors, NGOs, higher education institutes, and policy think tanks. ESET reported that APT27, Bronze Butler, Calypso, and other unidentified state-sponsored groups are now also actively exploiting one of the flaws. Patches for the flaws are available. |
| Healthcare | According to Cyfirma, the Chinese-backed threat actor Stone Panda is actively targeting the IT systems of the Indian vaccine makers Bharat Biotech and Serum Institute of India (SII). Bharat Biotech is behind the COVAXIN vaccine, while SII is currently making the AstraZeneca vaccine and is due to manufacture Novavax. The threat actor reportedly discovered a number of gaps and vulnerabilities in the companies’ IT infrastructure and supply chain software. Cyfirma Chief Executive Kumar Ritesh stated that the attackers aim to exfiltrate intellectual property and gain a competitive advantage over Indian pharmaceutical companies. |

News and information concerning each mentioned industry over the last week.
