
Threat Summary: 26 June – 02 July 2020


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source:
  • F5 BIG-IP
  • Palo Alto Networks PAN-OS
  • Atlassian JIRA
  • Magento
  • IBM DB2

Deep & Dark Web:
  • Tenda
  • MariaDB
  • Palo Alto Networks PAN-OS
  • Microsoft SharePoint
  • Microsoft Excel
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches
Each entry gives the company, a summary of the incident, and the number of individuals or records affected.

Preen.me (Israel): A threat actor claims to be holding information on over 100,000 affiliate influencers for ransom. They shared the records of 250 influencers on Pastebin, including social media links, home addresses, email addresses, names, and more. While withholding the remaining influencer records, the threat actor leaked 253,051 records of individuals who use Preen.me's application, ByteSizedBeauty. These include addresses, dates of birth, Facebook IDs, Facebook URLs, Facebook friends lists, and more. Affected: >100,000

LG Electronics (South Korea): The operators of Maze ransomware posted screenshots of files supposedly belonging to LG Electronics. They claim to have obtained the source code of an LG product developed for a major telecommunications company, with the screenshots suggesting it may be AT&T. Affected: Unknown

When Georgia Smiled (US): vpnMentor researchers discovered a misconfigured Amazon Web Services S3 bucket containing data from the domestic abuse prevention Aspire News App. It has since been secured. Exposed data included over 4,000 voice recordings containing personally identifiable data, such as victims' full names and home addresses, details of their emergencies, and abusers' names and personal details. Affected: Unknown

Logéal Immobilière (France): The operators of DoppelPaymer ransomware leaked about 1GB of data belonging to the real estate company, including multiple sensitive and corporate operational documents. Affected: Unknown

OneClass (Canada): Researchers at vpnMentor identified an exposed Elasticsearch database, 27GB in size, that contained 8,972,251 records. The records contained a mix of personally identifiable information, including names, email addresses, phone numbers, and more. The researchers stated that some of the data may belong to minors. The database has been secured. Affected: >1,000,000

Columbus Metro CU (US): The operators of Maze ransomware published some sensitive Columbus Metro CU data as proof of their attack. This includes members' data, addresses and Social Security numbers. The ransom amount was not disclosed. Affected: Unknown

E27 (Singapore): The company informed its members that it had been hit by a malicious cyberattack. The hackers claim to have stolen source code, emails, passwords, and other documents. The group, calling themselves 'Team Johnwick', asked E27 for a 'small donation' to reveal the vulnerability they exploited to access the company's system. Affected: Unknown

Lollicupstore (US): Security researcher Jeremiah Fowler discovered a publicly accessible database that allowed anyone to edit, download and delete data. The company has since secured its database. It contained 112,723,640 records, including customer names, shipping-related data, email addresses and more. Internal records were also present, including internal logs, emails, and Magento eCommerce production logs, some of which appear to be payment records. Affected: Unknown

Star Tribune (US): Cyble Inc researchers discovered a credible actor advertising 2.3 million Star Tribune user records on the dark web. The data includes usernames and passwords, email addresses, names, physical addresses, phone numbers and gender. Affected: 2,300,000

Lion Breweries (Australia): Sodinokibi ransomware operators, who claim responsibility for a recent attack against the company, posted screenshots on their data leak site which allegedly show data stolen from Lion. The attackers have threatened to publish or auction off the company's financial and client information unless Lion meets their extortion demands. Affected: Unknown

Kreditplus (Indonesia): Researchers at Cyble Inc reported that a credible dark web marketplace user is advertising a stolen database, claiming to hold over 890,000 records belonging to Kreditplus customers. Fields within the database include names, email addresses, passwords, telephone numbers, and more. Affected: Unknown

Local Governments (US): Researchers at Trend Micro found eight US cities whose websites had been infected with a Magecart skimmer in an active campaign that began around April 10th, 2020. The JavaScript-based skimmer is capable of exfiltrating credit card data as well as personal information such as names and contact addresses. All affected sites appear to have been built using Click2Gov. Affected: Unknown

Delhi State Health Mission (India): Kerala Cyber Warriors stated that they hacked the website to expose the organisation's lack of security. The attack, which took place on June 27th, 2020, allowed the hackers to gain access to the data of at least 80,000 COVID-19 patients. The information exposed includes names, addresses, phone numbers, test results, and more. Affected: 80,000

Multiple Companies: A data breach broker is selling a database containing records from 14 companies breached in 2020. Only four of the breaches had been previously reported, and the newly named companies operate in multiple sectors. While the databases contain a range of different information, all include usernames and hashed passwords. In total, the databases contain 132,957,579 user records. Affected: Unknown

Heartland Farm Mutual (Canada): The insurance specialist discovered that an employee's email was targeted in a cybersecurity incident that may have exposed the personal information of 'a small number of individuals.' Heartland Farm Mutual added that it had no evidence to suggest the information had been misused. Affected: Unknown

Iowa Total Care Inc (US): An employee at the managed care organisation accidentally sent an Excel spreadsheet containing claims data to a larger provider organisation, exposing protected health information. This included names, Medicaid ID numbers, dates of birth, and procedure and diagnosis codes. Affected: 11,581

LimeRoad (India): Researchers at Cyble Inc reported that a threat actor appears to be selling the legitimate data of roughly 1.29 million LimeRoad customers. The exposed information includes full names, phone numbers, and email IDs. Affected: 1,290,000

Xerox Corporation (US): Maze ransomware operators told BleepingComputer that they compromised the company's network and stole over 100GB of files. As evidence of the attack, the ransomware operators published 10 screenshots showing network shares, the ransom note, and directory listings from June 24th and June 25th, 2020. Affected: Unknown

Multiple Websites: Lucy Security identified archived SQL files stolen from 945 websites leaked on the dark web. Two databases containing the files were released on June 1st and June 10th, 2020, totalling about 150GB. The actor behind the leak claims to have more databases that they plan to share or sell to the highest bidder. Exposed information includes full names, phone numbers, hashed and non-hashed passwords, IP and email addresses, physical addresses, and more. Affected: ~14,000,000

Chicken Express (US): Researchers at Gemini reported that at least 56 Chicken Express locations suffered a payment card breach between May 2019 and March 2020. From August 2nd, 2019, onwards the card information has appeared for sale on the dark web. The incident appears to be linked to a remote hack. The breach resulted in the theft of approximately 165,000 card-present payment cards. Affected: ~165,000

LogBox Inc (South Africa): Security researcher Anurag Sen discovered an exposed database belonging to the medical data firm LogBox. Exposed data included account access tokens for thousands of users, which grant full access to a user's account without needing a password. LogBox took the database offline after being notified. Affected: Unknown

This table shows a selection of leaks and breaches reported this week.

Malware Mentions in Critical Infrastructure

This chart shows the trending Malware related to Critical Infrastructure over the last week.

Weekly Industry View
Banking & Finance: Trustwave researchers recently reported on GoldenSpy, a backdoor found to be installed under the guise of the 'Intelligent Tax' software by Aisino Corporation, which a Chinese bank requires its customers to use. The researchers have now discovered a new file, downloaded by the Intelligent Tax software, that deletes and removes all traces of GoldenSpy. They found that the threat actor behind GoldenSpy followed the removal instructions Trustwave had provided. The researchers do not believe this development signifies a slow-down in the campaign.

Critical Infrastructure: Researchers at Palo Alto Networks Unit 42 observed EKANS ransomware, first seen in January 2020, being used against targets in Europe and the US. The Golang-written ransomware is commonly delivered via spear phishing attachments. It can kill Industrial Control System and antivirus processes and services, as well as disable backups. The ransomware also attempts to use the network to encrypt resources connected to the target machine.

Government: Researchers at Elastic observed an ongoing campaign targeting Malaysian government officials using the 2020 Malaysian political crisis as a phishing lure. Victims are sent a lure image made to appear as a legitimate broadcast announcement by a Malaysian blogger. The campaign leverages remote templates, VBA code evasion and DLL side-loading techniques to deliver a backdoor, as well as a second-stage implant. Similarities in code and TTPs led the researchers to believe this campaign may be linked to APT40.

Education: The US Federal Bureau of Investigation issued a Private Industry Notification warning K-12 schools of an increase in ransomware attacks during the coronavirus pandemic. The warning states that ransomware operators, particularly those behind Ryuk ransomware, are especially targeting Remote Desktop Protocol connections.

Cryptocurrency: Researchers at Group-IB identified a Bitcoin investment scam being propagated through SMS messages. Each target is sent a message with a unique short link that redirects the user to a regionally specific fake news site containing fabricated stories about local celebrities getting rich from cryptocurrency. The URL for the fake news site contains the target's name, email address and phone number. Clicking anywhere on the news site redirects to a Bitcoin investment platform featuring a form that already contains the target's personal details. The scam uses 248,926 sets of personally identifiable information: 147,610 of the targets are from the UK, 82,263 from Australia, and 4,149 from South Africa. The campaign also targeted users in many other countries. The source of the exposed information is currently unclear.

News and information concerning each mentioned industry over the last week.

The Silobreaker Team
