Threat Summary: 28 February – 05 March 2020
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.
Trending Vulnerable Products
| Open Source (by Heat 7d) | Deep & Dark Web (by Heat 7d) |
|---|---|
| Apple iPadOS | Magento |
| Snapdragon Mobile | Apache Tomcat |
| Apple iOS 13 | Mimikatz |
| macOS Catalina | Spring Security OAuth |
| Apple watchOS | SDelete |
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
| Company | Information | Affected |
|---|---|---|
| Total Quality Logistics (US) | Total Quality Logistics is currently investigating a data breach, after attackers used its IT systems to gain access to sensitive business information. According to Corporate Communications Manager Tom Millikin, the breach is not the result of a malware or ransomware attack. Potentially compromised data includes carriers’ tax ID numbers, bank account numbers and invoice information. It has not been specified how many carriers were impacted. | Unknown |
| BGR India | Researchers at Under the Breach reported that hackers are freely sharing the MySQL database of the Indian tech news site BGR India. The data was exposed through an unsecured Amazon Simple Storage Service bucket. The leaked data includes usernames, emails and passwords. The passwords are stored in hashed form but could be cracked. The BGR information being shared is part of a larger data dump of approximately 21.5GB, which also contains details for at least two other websites. The data trove contains 16 SQL dumps and at least 36,000 emails and logins. | Unknown |
| Straffic (Israel) | The Israeli marketing start-up accidentally exposed the credentials for its Elasticsearch database in plaintext on a random domain, which allowed unauthorised individuals to access the database. Straffic has since secured the database. It contained two indexes with 140GB worth of individuals’ personal information, including names, email addresses, phone numbers, physical addresses and gender. According to Troy Hunt, the database contained 49 million unique email addresses, 70% of which had previously been posted on Have I Been Pwned. Affected users are from Europe and the US. | ~49,000,000 |
| RailWorks Corporation (US) | On January 27th, 2020, RailWorks Corporation suffered a data breach following a ransomware attack that ‘partly encrypted its servers and systems’. Data exposed in the attack included personally identifiable information belonging to current and former employees, their beneficiaries and dependants, and independent contractors. The potentially exposed information includes names, addresses, driver’s license numbers, dates of birth, and more. | Unknown |
| Walgreens (US) | Walgreens stated last week that its official mobile application contained a bug that resulted in the exposure of personal information associated with some of its users. The leak was the result of an ‘internal application error’ that allowed some personal messages from Walgreens stored in the database to be viewed by customers using the Walgreens app. Data exposed included first and last names, prescription details, store numbers and shipping addresses. The application error was present for a week, between Thursday January 9th and Wednesday January 15th. | Unknown |
| Visser Precision (US) | The Colorado-based manufacturer confirmed a cyber attack on its systems, which security researchers say was caused by DoppelPaymer ransomware. Data belonging to the company has since been uploaded to the operators’ website, with some available for download. The uploaded data includes folders bearing the names of Visser Precision customers, including Tesla, SpaceX, Boeing, and Lockheed Martin. | |
| Interactive Medical Systems Corporation (US) | IMS was the victim of a phishing attack that potentially exposed the private data of school employees. Emails within the affected email account may have been exposed to an unauthorised third party between July 19th and December 31st, 2019. According to IMS, exposed data may include first and last names, the last four digits of Social Security numbers, transaction dates and amounts, plan sponsor or employer names, and addresses. In some cases, full Social Security numbers may have been exposed, as well as email addresses, mailing addresses, dates of birth, and more. Brunswick County Schools and Lincoln County Schools employees may have been affected. | <658 |
| Kenneth Cole Productions (US) | Sodinokibi ransomware operators claim to have stolen data from the fashion house Kenneth Cole Productions. Under the Breach reported that the criminals posted a download link to a file containing employee, customer, work, and financial information. The attackers are threatening to publish the company’s entire cloud data unless their ransom demands are met. The criminals claim to have more than 60,000 files containing personal data and 70,000 financial and work documents. | Unknown |
| C3UK (UK) | Security Discovery researchers identified 146 million records exposed on a non-password-protected database belonging to internet service provider C3UK, which provides free Wi-Fi connections at rail stations. The records contained internal company information and personal information. Exposed user information included names, email addresses, age ranges, device IPs, and more. The company information included IP addresses, ports, pathways, storage information, and other details. | ~10,000 |
| Simon Fraser University (Canada) | On March 2nd, 2020, Simon Fraser University revealed a security incident which exposed the details of students, staff, faculty members, alumni and retirees. The university stated that the breach was caused by ransomware which ‘found a weakness in the way the information was handled’. The exposed data includes names, birthdates, external email addresses, encrypted passwords, and more. | Unknown |
| Loqbox (UK) | Loqbox informed its customers of a ‘sophisticated attack’ that targeted the company on February 20th, 2020, which may have exposed customer names, postal addresses, dates of birth, email addresses, and phone numbers. Customers’ banking details were also compromised. No passwords were compromised and, according to Loqbox, all funds remain secure. | Unknown |
| Prince Edward Island (Canada) | Personal data of individuals has been uploaded online by the Maze ransomware operators after the Government of Prince Edward Island refused to pay the demanded ransom. The uploaded files included financial reports, bank statements and payment details from the Agri-Stability programme. Some of these documents included Social Insurance Numbers, names, contact information and business numbers. The Maze operators’ website states that the uploaded documents are a portion of a further 200GB they have stolen from the government. | Unknown |
| Community Development Bank (US) | On March 1st, 2020, DataBreaches[.]net reported that CD Bank, the online division of TBK Bank, was targeted by DoppelPaymer ransomware. The ransomware operators claimed that they successfully exfiltrated the bank’s data and uploaded files online as proof of the attack. Following the report, TBK Bank contacted DataBreaches and refuted the attackers’ claims. DoppelPaymer operators have since updated their leak site and clarified that they attacked the Community Development Bank in Minnesota, not CD Bank. | Unknown |
| Hutt Valley High School (New Zealand) | On February 25th, 2020, authorities at Hutt Valley High School informed students’ parents of a cyberattack that may have impacted personal data. Potentially exposed information includes names, addresses, and student records. | Unknown |
| University of York (UK) | The University of York’s app MyUoY was taken offline twice due to reported issues after its initial launches. According to Nouse, the university stated that the app had been taken offline due to issues ‘not related to attendance data or other personal data.’ An investigation by Nouse, however, found a university report stating that the app contained flaws that exposed the personal information of students and staff. This included full names, email addresses, home addresses, term-time addresses, dates of birth, and more. | Unknown |
| Hillsboro R-3 School District (US) | A data breach at the Hillsboro R-3 School District is being investigated by detectives at Jefferson County Sheriff’s Office. The incident appears to be linked to the district’s use of Google G Suite, which would link to employees’ personal photos. | Unknown |
| T-Mobile | T-Mobile issued a data breach notification, stating that a sophisticated phishing attack against its email vendor had been discovered. This resulted in an unauthorised third party gaining access to employee email accounts containing employee and customer information. Potentially accessed information includes customer names, addresses, phone numbers, account numbers, rate plans and features, and billing information. | Unknown |
| Princess Cruises and Holland America Line (US) | The companies, both owned by Carnival Corporation, reported a data breach that may have compromised the personal information of employees and guests. According to Carnival, an unauthorised third party gained access to some employee email accounts between April 11th and July 23rd, 2019. The breach was first discovered in May 2019. Potentially accessed information may include customer names, addresses, Social Security numbers, passport numbers or driver’s license numbers, credit and financial information, and health-related information. | Unknown |
This table shows a selection of leaks and breaches reported this week.
Attack Type Mentions in Banking
This chart shows the trending attack types related to banking over the last week.
Weekly Industry View
| Industry | Information |
|---|---|
| Cryptocurrency | OKEx was targeted by distributed denial-of-service (DDoS) attacks on February 27th and 28th, 2020, but remained largely unaffected. Bitfinex was targeted in a similar attack on February 28th, 2020, and the platform was offline for about an hour. According to Bitfinex’s CTO Paulo Ardoino, the DDoS attack involved a large number of different IP addresses and sophisticated crafting of requests. As a precaution, the cryptocurrency exchange went into maintenance as soon as the attack was discovered. It remains unclear why both exchanges were targeted around the same time. Both platforms have resumed normal service. |
| Government | PwndLocker operators began targeting a wide range of victims in late 2019, including local cities and organisations. Ransom amounts vary between $175,000 and $660,000. The ransom note states that the victim’s data has been downloaded to remote servers and will be made public if they refuse to pay the ransom. The operators informed Bleeping Computer that they were behind the recent ransomware attack on LaSalle County in Illinois and demanded a 50 Bitcoin ($442,000) ransom. The county reportedly does not plan on paying the ransom. |
| Technology | The FBI has been tipped off about a cybercriminal operation in which a hacker breached 130,000 Asus routers and scored them according to their potential usefulness for fraud. The hacker is selling access to the individual Asus devices, which are predominantly based in the US, for just a few dollars each. In addition, the hacker is offering separate databases for sale, containing personal information on 500,000 American citizens as well as stolen credit card details. The data is being sold via a website that began operating in August last year and currently has 100 active users. Intelligence analysts from White Ops stated that they believe the website is selling the packages to cyber criminals who want to use the hacked routers to carry out fraudulent transactions using stolen credit card details. The hacked routers are useful to the fraudsters because they mask the original IP address and allow transactions to proceed without being blocked for originating outside the geographical location in which the card is normally used. |
| Banking | Kaspersky researchers found that the actors behind the Roaming Mantis campaign are using new malware and adding new functions to existing malware. The group, which targets Android devices, has been distributing Wroba.g malware through SMiShing campaigns impersonating courier companies. The attackers also targeted Japanese users with messages relating to the coronavirus. To evade security researchers, Roaming Mantis added a whitelisting feature to the Wroba.g Korean landing page: visitors are prompted to enter their phone number before the malware installs. The researchers found that Wroba.g is also being used to detect the packages of Japanese online banks or mobile phone carriers on the victim’s device. When one of these packages is detected, the malware begins a process which redirects the victim to a phishing site. The attackers are also using two new Android malware families, tracked as Wroba.j and Fakecop, both of which currently have a low detection rate. |
| Critical Infrastructure | Researchers at Telsy observed APT33 shifting its focus from targeting IT networks to targeting critical infrastructure. The recently observed activity involved a new remote administration tool (RAT), dubbed POWERBAND, which the researchers have linked to APT33 with mid-to-high confidence. Due to its similarities to the APT33 backdoor POWERTON, the researchers believe the new malware to be a variant of that backdoor. Both are structured in a similar way and use the same logic for C2 interactions, encryption and data communications. The methodology by which commands are received, parsed and processed is also similar. POWERBAND is written in .NET and highly obfuscated. The RAT creates a unique identifier called ‘Bkey’ for each infected victim, which is used to encrypt the machine’s fingerprint information and to encrypt and decrypt all data exchanged with the C2 server. A detailed analysis is available on Telsy’s blog. |
News and information concerning each mentioned industry over the last week.
The Silobreaker Team