04 February 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7
Libgcrypt
Apple macOS
SolarWinds Serv-U
ImageIO
SonicWall SMA 100 Series
Deep & Dark Web
Name Heat 7
Xbox 360
Oracle WebLogic
Golang
Apache ActiveMQ
Netsparker

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Company / Information / Affected
Comcast (US): Security researcher Jeremiah Fowler discovered an unprotected database belonging to the company. The database was 477.95GB in size and contained 1,507,301,521 records. Exposed data included technical logs and the email addresses and hashed passwords of Comcast’s development team, as well as error logs, alerts, job scheduling records, and more. The database has since been secured. Affected: Unknown
Bihar Police Subordinate Services Commission (India): CloudSEK researchers identified a threat actor advertising the personal information of Indian citizens. The exposed data includes transaction IDs, full names, family members’ names, mobile phone numbers, email addresses, dates of birth, and more. The data was associated with a police exam that took place on December 22nd, 2019. Affected: 500,000
DriveSure (US): Risk Based Security researchers discovered a threat actor selling multiple databases they claim to be from the company. The data was reportedly dumped on December 19th, 2020. In total, 91 sensitive databases related to dealership and inventory information, revenue data, reports, claims and client data were exposed. Impacted personal information includes names, addresses, phone numbers, 3,283,725 unique user email addresses, 93,063 bcrypt hashed passwords, and more. Affected: Unknown
Enel (Brazil): Customers in the city of Osasco were informed of a data breach affecting their personal information. This includes names, CPF numbers, phone numbers, and consumption data. It remains unclear how the breach occurred. Affected: 300,000
Washington State Auditor (US): Accellion informed the Office of the Washington State Auditor (SAO) that its files had been accessed due to a flaw in Accellion’s file transfer service. The unauthorised access reportedly occurred in late December 2020. The SAO stated that the impacted data includes information from the Employment Security Department, such as names, Social Security numbers, bank account numbers, and more. The files of other state agencies and some local governments have also reportedly been impacted. Affected: 1,470,000
European Volleyball Confederation: BleepingComputer linked a publicly exposed Azure storage blob, originally discovered by security researcher Bob Diachenko, to the organisation. Exposed data included identity documents and passports belonging to volleyball players and sports journalists. Affected: Unknown
UK Research and Innovation: The UK Research Office portal and an extranet, known as BBSRC and used by its councils, have been impacted by a cyberattack. The incident involved a third party encrypting data. UKRI revealed that the compromise of the extranet could have led to the exposure of grant applications and review information. Affected: Unknown
British Mensa: The organisation was reportedly hacked via the compromised credentials of a director-level employee. Information from an emergency meeting obtained by Forbes revealed that members’ passwords were stored in plain text. According to Forbes, Mensa personal data also briefly appeared on Pastebin. Affected: Unknown
Minnesota Ramsey County (US): The county’s Family Health Division informed clients of a possible data breach which occurred on or around December 2nd, 2020, as a result of a ransomware attack against its vendor Netgain Technology LLC. Potentially exposed data includes names, addresses, dates of birth, telephone numbers, account numbers, health insurance and medical information, and a small number of Social Security numbers. Affected: 8,700
Serco (UK): The vendor behind the UK NHS’ Test and Trace service was targeted in a Babuk ransomware attack. The company has informed Sky News that the NHS service was not impacted in the incident. Affected: Unknown
Florida Healthy Kids Corporation (US): Several thousand Florida KidCare applicant addresses were found to have been inappropriately accessed and tampered with in an incident involving the host of FHKC’s website, Jelly Bean Communications Design. Cybersecurity experts discovered ‘significant vulnerabilities’ in the hosting platform dating back to November 2013. Potentially exposed data includes names, dates of birth, phone numbers, physical addresses, Social Security numbers, and more. Affected: Unknown
Unknown (Mexico): Cyble Inc researchers discovered a threat actor claiming to be in possession of 42 million records relating to residents of Mexico. The 6.14GB dataset contains files with national identification numbers, known as CURP. The files are dated between 2009 and 2011. Affected: Unknown
UScellular: An attacker gained access to its Customer Retail Management system via a store computer on January 4th, 2021. A number of employees in retail stores were reportedly scammed into downloading software that allowed remote access. The exposed information includes names, addresses, PIN codes, cell phone numbers, and more. Affected: Unknown
Bykea (Pakistan): Researchers at Safety Detectives discovered the company’s production server information exposed online, allowing access to 200GB of data containing over 400 million records. These included full names, phone numbers and email addresses of Bykea’s customers, as well as names, phone numbers, addresses, national identity cards, and driver’s licence numbers of Bykea’s drivers. Other leaked data featured various GPS coordinates, API logs, user IDs, and more. Affected: Unknown
Wind River Systems (US): The company disclosed that an outside party downloaded files on or around September 29th, 2020. The incident impacted personal information, including data from personnel records. The affected information includes dates of birth, Social Security numbers, passport or visa numbers, health information, financial account information, and more. Affected: Unknown
Foxtons (UK): The data of Foxtons Group customers has reportedly been leaked online, including 16,000 payment card details, addresses, and private correspondence. The leaked data is said to only impact customers from before 2010, yet the actor behind the leak has claimed to have revealed only 1% of all stolen records and warned that the remaining data is currently being traded. Affected: Unknown
Airtel India: Security researcher Rajshekhar Rajaharia discovered 2.5 million customer records, including full names, telephone numbers, Aadhaar numbers, physical addresses, and more. The records were leaked by Red Rabbit Team, who targeted Airtel with a web shell on the company’s server more than three months ago. Affected: Unknown
Metromile (US): The San Francisco-based car insurance startup disclosed that a bug in the quote form and application process on its website allowed a hacker to obtain driver licence numbers. An investigation into the incident is still ongoing. Affected: Unknown
Oxfam Australia: BleepingComputer observed a threat actor advertising a database which allegedly contains the contact and donor information of individuals associated with Oxfam. A sample of the database contained names, email addresses, phone numbers, and donation amounts. Affected: 1,700,000
EscortReview (US & Mexico): On January 31st, 2021, a threat actor posted a link to the site’s stolen vBulletin forum database. It contains names, email addresses, MD5 hashed passwords, IP addresses, and optional dates of birth and Skype account names. According to Cyble, the most recent data is from September 2018. Affected: 472,695
Philippine National Police: On February 3rd, 2021, the actor Phantom Troupe targeted the site of the PNP Academy and claimed to have obtained the personal data of its users. The official site was replaced with images of recent PNP controversies. Affected: 23,000

Malware mentions in Healthcare

[Chart: Time Series] This chart shows the trending malware related to Healthcare over the last week.

Weekly Industry View

Industry View
Industry / Information
Government: Unnamed sources informed Reuters that suspected Chinese hackers exploited a flaw in SolarWinds software to target the National Finance Center (NFC), a payroll agency inside the US Department of Agriculture (USDA). According to one source, the infrastructure and hacking tools have previously been used by state-backed Chinese espionage groups. The exploited flaw is different from the widely reported compromise of the SolarWinds Orion platform, which was allegedly carried out by Russian threat actors.
Retail & Hospitality: Malwarebytes researchers discovered that the websites for Costway France, UK, Germany and Spain were compromised by a credit card skimmer exploiting a flaw in Magento 1, software that has reached end of life. Further analysis revealed the Costway sites had been compromised twice, with the second attacker’s skimmer harvesting credit card details from the skimmer injected in the first compromise. In addition, the second attacker’s skimmer also created its own form fields in the event that the first skimmer is removed. The researchers note that the custom domain the first attacker used to host their code is linked to a previously seen family and warn that the group is ‘quite active’ at present. The researchers also stated that many sites still using Magento 1 have been targeted in recent months, with RiskIQ attributing such attacks to Magecart Group 12.
Technology: An investigation by Citizen Lab and Motherboard found possible links between a fake WhatsApp app aimed at iPhone users and the Italian surveillance firm Cy4Gate. Cy4Gate stated that the config domains discovered by the researchers are not attributable to the firm. The attack was first detected by ZecOps, and further analysis by Citizen Lab researchers revealed a site supposedly advertising WhatsApp for download. The download instead installs a special configuration file for iPhones. The app is potentially designed to collect information about the victim. This includes the Unique Device Identifier and International Mobile Equipment Identity numbers. Further details on the type of data collected could not be verified.
Banking & Finance: ZDNet reported a wave of microloan app scams targeting Indian users. The apps allegedly leverage loan agreements to access the borrower’s WhatsApp contacts, and deposit more money into the target’s account than originally borrowed, using multiple loan providers. The scammers then invoke collection agents to obtain sums many times larger than originally expected by borrowers, and reportedly manufacture fake pornographic images of their targets to blackmail them. Cashless Consumer identified nearly 1,000 such apps which cannot be traced to a physical address, and are believed to bend legal requirements. SaveIndia Foundation researchers also found that ‘hundreds’ of lender accounts operated from abroad, with links to China.
Critical Infrastructure: Researchers at ClearSky determined that activity and tools related to suspicious network activity discovered in early 2020 are strongly connected to Lebanese Cedar. The group has been active since 2012 and targets organisations to steal sensitive information. The researchers found that the group breached around 250 servers and attacked companies in a range of countries, including the US, the UK, Egypt, and Israel. The majority of targets operate in the IT and telecommunications sector. The attackers targeted vulnerable Atlassian and Oracle 10g servers and installed a modified JSP file browser to deploy Explosive RAT. The group is believed to be connected to the Lebanese government or a political group in the country. Possible links to the Hezbollah Cyber Unit have also been identified.

News and information concerning each mentioned industry over the last week.
