
Threat Summary: 27 March – 02 April 2020


Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source (Name, ranked by Heat 7d)
  • Apple iOS 12
  • Apple iPadOS
  • macOS Catalina
  • WebKit Software Component
  • Apple watchOS

Deep & Dark Web (Name, ranked by Heat 7d)
  • Zemana AntiMalware
  • Apple iOS
  • Microsoft Windows
  • Cobalt Strike
  • WhatsApp

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Each entry lists the company, the information affected and the number of affected individuals.

Chubb Limited (Switzerland) [Affected: Unknown]
The operators of Maze ransomware updated their ‘News’ site to add insurance company Chubb Limited to their list of victims. The attackers claim to have encrypted the company’s network. At present, no data belonging to Chubb has been published. Chubb told BleepingComputer that their network was secure and stated that they were investigating to see if a third-party service provider had suffered any unauthorised access.

Data Deposit Box (Canada) [Affected: Unknown]
On December 25th, 2019, researchers at vpnMentor discovered an open Amazon S3 bucket belonging to the company. The breach exposed files from 2016 to present; exposed data included admin usernames and unencrypted passwords, IP addresses, email addresses, and more. The researchers alerted Data Deposit Box on December 30th, 2019, and the database was closed on January 6th, 2020.

Kimchuk (US) [Affected: Unknown]
The US manufacturer Kimchuk was targeted in a DoppelPaymer ransomware attack in early March 2020 and the operators have since published a portion of the data they had stolen during the attack. Compromised data includes payroll records, broker approvals and purchase orders. According to TechCrunch, who reviewed the data, none of it was marked as classified; however, some documents pointed to one of the company’s customers’ nuclear divisions. Kimchuk has not commented on the attack.

Zoom (US) [Affected: Unknown]
Motherboard discovered that the iOS version of Zoom is sending analytics to Facebook, even if the user does not have a Facebook account. The data includes a user’s device model, time zone, location, which phone carrier the user is using, as well as a unique advertiser identifier. Zoom has acknowledged this collection of data, stating that they were only recently made aware that the Facebook SDK they had implemented is collecting unnecessary device data. In response to this discovery, Zoom removed the Facebook SDK and will shortly be adding a reconfigured version.

Gurugram Government (India) [Affected: Unknown]
A database containing the private data of individuals with a travel history to COVID-19 affected countries is currently being circulated on WhatsApp groups in Gurugram. The database contains the names, addresses, contact numbers and travel dates of individuals currently placed under home quarantine. According to Gurugram health department’s district protocol officer Dr Anuj Garg, the database was likely leaked by a sanitation worker or lower-level official, and was not intended to be public.

BetUS (US) [Affected: Unknown]
The Maze ransomware operators added BetUS to their list of victims, claiming to have compromised three BetUS emails. Nearly 1GB of data supposedly belonging to BetUS was uploaded by the operators. The leaked data includes files relating to the company’s gambling software and internal company documents, such as minutes of board meetings, directorship changes, bank forms and passport scans of some company executives. Personal information of BetUS customers does not appear to be included at present.

Unknown (Georgia) [Affected: 4,934,863]
Researchers at Under the Breach discovered that a voter database containing the information of 4,934,863 Georgians, some of whom are deceased, was shared on a hacker forum on the weekend of March 28th, 2020. The data, which was shared in a 1.04GB Microsoft Access database file, includes names, addresses, dates of birth, ID numbers, and more. The poster claimed that the data was obtained from an official Georgian government portal where citizens can verify and update their voter registration information.

Teaching Council (Ireland) [Affected: 9,735]
On March 26th, 2020, the Teaching Council notified 9,735 teachers that their personal data had been exposed after a security incident. An unidentified party sent a phishing email to Teaching Council employees which established an auto-forwarding rule. This allowed the attacker to receive messages that were being sent to the impacted staff members. The exposed data includes names, addresses, PPS numbers, and vetting information.

Toronto Transportation Services Division (Canada) [Affected: 7,227]
7,227 citizens of Toronto have had their personal data improperly disclosed to a city councillor’s office. Toronto’s transportation director, Vincent Sferrazza, has stated that it was provided in error. Shared information includes names, addresses, and the individual’s senior or disabled status, which was emailed across in an Excel spreadsheet.

Federal Court of Australia [Affected: ~400]
The ABC found that the Federal Court of Australia has been disclosing the names of asylum seekers through a searchable Commonwealth Courts database for several years. Migration lawyer Daniel Taylor reportedly informed the court of the data breach multiple times in individual cases, yet received no response. The Federal Court has since removed the search function on the database, and removed the database itself after the ABC found that names were still visible. In some cases, the database contained both the full names of applicants and their pseudonyms.

Campaign Sidekick (US) [Affected: Unknown]
On February 12th, 2020, researchers at UpGuard discovered that Campaign Sidekick exposed their code repository through a misconfigured git directory, hosted on Campaign Sidekick’s primary website. Other exposed data included scripts that showed how information was collected from sources, identifying details of India-based software developers, and a small amount of personally identifiable information of voters. The breach was resolved by Campaign Sidekick on February 15th, 2020.

118 118 Money (UK) [Affected: Unknown]
118 118 Money, which had previously informed customers of an intrusion into its network and had taken its site offline, has now informed its customers that some of their personal data may have been affected. Customers who have used the customer service line may have had their name, address, date of birth, and other personal information exposed. The company noted that the database itself was not compromised, nor was any payment data.

Marriott International (US) [Affected: ~5,200,000]
On March 31st, 2020, Marriott International began to notify impacted guests of a data breach incident that was discovered on February 20th, 2020. The company stated that the login credentials of two employees at a franchise property had been used to access information from mid-January 2020. The exposed data includes names, addresses, dates of birth, genders, loyalty account numbers and points balances, and more.

C-Planet IT Solutions (Malta) [Affected: 337,384]
An unsecured database belonging to C-Planet IT Solutions was discovered on February 29th, 2020, which contained a voter database with the personal data of 337,384 Maltese citizens. Exposed data included ID numbers, names, addresses, gender, phone numbers, and dates of birth. The company was informed of the leak and fixed the issue on March 9th, 2020.

Unknown (Iran) [Affected: Unknown]
On March 21st, 2020, Bob Diachenko identified a database on an Elasticsearch cluster that exposed 42 million records from a third-party version of Telegram. The data was posted by a group whose name, translated from Farsi, means ‘Hunting system’. The information exposed in the incident includes user account IDs, usernames, phone numbers, as well as hashes and secret keys. The data, which was deleted on March 25th, 2020, had already been posted on a hacker forum.

SOS Online Backup (US) [Affected: Unknown]
Researchers at vpnMentor discovered an unsecured database belonging to SOS Online Backup that contained over 135 million records and almost 70GB of metadata related to user accounts. Exposed data also included personally identifiable data of customers, including full names, email addresses, phone numbers, internal company details, and account usernames. The database was first discovered in November 2019 and secured around December 19th, 2019.

This table shows a selection of leaks and breaches reported this week.

Malware mentions in relation to the coronavirus outbreak

This chart shows the trending malware related to the coronavirus outbreak over the last week.

Weekly Industry View

Banking & Finance
Researchers at PhishLabs identified two related SMS attacks targeting customers of major Canadian banks. The first attack tells the user that their debit card has been locked due to the spread of coronavirus. The user is prompted to click on a link which takes them to a phishing site spoofing that of a Canadian bank, where the target is asked to enter their banking credentials. The second attack informs the user that they are receiving compensation via the ‘emergency response benefit of Canada’. The recipient is directed to a site where they are encouraged to select their bank and divulge their account information.

Healthcare
On March 30th, 2020, the FBI released an alert warning users of an ongoing global hacking campaign targeting supply chain companies and other industry sectors with Kwampirs malware. The latest alert also names organisations in the healthcare industry as one of the targets. The FBI describes the threat actors, dubbed Kwampirs, as an advanced persistent threat, active since 2016. The agency notes that Kwampirs previously heavily targeted the healthcare sector in effective campaigns, in which the group gained access to numerous hospitals via vendor software supply chain and hardware products. The origin of the group remains unclear. However, the FBI identified code similarities between Kwampirs malware and Disttrack, also known as Shamoon, which has been attributed to threat actors associated with the Iranian government.

Government
Researchers at Under the Breach discovered that a voter database containing the information of 4,934,863 Georgians, some of whom are deceased, was shared on a hacker forum on the weekend of March 28th, 2020. The data, which was shared in a 1.04GB Microsoft Access database file, includes names, addresses, dates of birth, ID numbers, and more. The poster claimed that the data was obtained from an official Georgian government portal where citizens can verify and update their voter registration information.

Retail, Hospitality & Tourism
RiskIQ researchers discovered a skimmer, dubbed MakeFrame, that has compromised 19 different sites since January 24th, 2020. The compromised sites are used to host the code itself, load the skimmer, and exfiltrate stolen data. The skimmer is capable of creating iframes for skimming payment data. The researchers identified three different versions of it, each using a different level of obfuscation, ranging from clear JS code to encrypted obfuscation. The researchers have attributed the skimmer to Magecart Group 7 due to similarities in technique, such as the use of victim sites for skimmer development. In addition, the target group is also similar to that of past Group 7 skimmers.

Cryptocurrency
Harry Denley of MyCrypto discovered a website that supposedly gives users the option to convert their Bitcoin address into a QR code. In reality, the site generates the same QR code, which points to the scammer’s own Bitcoin wallet, for every user. A further eight malicious websites sharing the same interface were found to generate QR codes for five different Bitcoin addresses. These addresses have received a total of 7 Bitcoin ($45,000). Denley also discovered that the three servers used to host these malicious sites were also hosting over 450 other websites, all of which have suspicious domains containing terms like Gmail, coronavirus, or brands of other cryptocurrency-related entities. The majority of these sites were not active and only contained ads for cryptocurrency gambling sites, whilst some sites were so-called ‘Bitcoin transaction accelerators’, where a user is asked to pay a small fee to accelerate their payment. The Bitcoin address linked to this site has collected over 17.6 Bitcoin ($117,000).

News and information concerning each mentioned industry over the last week.

The Silobreaker Team
