Threat Summary: 29 May – 04 June 2020
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.
Trending Vulnerable Products
|Cisco IOS XE|
|Deep & Dark Web|
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
|NTT Communications (Japan)||On May 7th, 2020, NTT Communications detected unauthorised access to some of its systems, with an investigation revealing that files may have been stolen. The attack impacted its Active Directory server, as well as an operational server and an information management server containing customer information. The data breach may have impacted 621 companies.||Unknown|
|Bigfooty[.]com (Australia)||Safety Detectives researchers discovered about 132GB of data leaking from the AFL fan website. This data included about 70 million records, including private conversations that could be traced to specific users. The unsecured port was fixed on May 14th, 2020, and the site’s parent company Big Interest Group stated that it did not find any evidence that data had been copied or downloaded.||Unknown|
|Ministry of Education and Culture (Indonesia)||A hacker reportedly breached data belonging to Indonesia’s Ministry of Education and Culture and leaked the personal data of up to 1.3 million civil servants. This includes full names, citizenship identification numbers, family card numbers, home addresses, dates of birth, and more.||1,300,000|
|Minted (US)||The company stated that its database containing user information was accessed by attackers on May 6th, 2020. Exposed data includes names, email addresses, hashed and salted passwords, billing addresses, and more. On May 9th, 2020, BleepingComputer reported that the Shiny Hunters hacking group was advertising a database containing the user records of 5 million Minted customers.||5,000,000|
|Mat-Su Surgical Associates (US)||The Alaska-based medical service was targeted in a ransomware attack on March 16th, 2020. During the incident, an unauthorised individual may have gained access to files containing the protected health information of its current and former patients. This includes patient names, addresses, Social Security numbers, and more.||Unknown|
|Kentucky Unemployment Insurance (US)||Kentucky Governor Andy Beshear informed the public of a data breach that was discovered on April 23rd, 2020, that exposed the personal data of some unemployment insurance claimants. An error with the state’s unemployment portal allowed visitors to the website to view data uploaded by other claimants.||Unknown|
|Unknown||Researchers at Cyble Inc discovered a data dump containing detailed information of over 80,000 credit cards from a number of countries including the US, France, Australia, the UK, Canada, Singapore and India.||Unknown|
|Amtrak (US)||On April 16th, 2020, the company discovered that an unknown third party accessed Amtrak Guest Rewards accounts without authorisation. The incident, which exposed passwords, impacted an undisclosed number of accounts. The company stated that some personal information may have been viewed, however, it did not state what this data might include. Financial data, credit card information, or Social Security numbers were not impacted.||Unknown|
|Joomla||Joomla disclosed that a full unencrypted backup of the Joomla Resources Directory site was stored in a third-party company Amazon S3 bucket. The incident exposed full names, business addresses, encrypted passwords, IP addresses, and more.||2,700|
|Daniel’s Hosting (Germany)||A hacker, operating under the alias KingNull, uploaded the database of Daniel’s Hosting which was stolen on March 10th, 2020. The data shared by KingNull includes 3,671 email addresses, 7,205 account passwords, and 8,580 private keys for dark web domains. KingNull claims to be a member of the hacker group Anonymous.||Unknown|
|Unknown (Taiwan)||Cyble Inc researchers discovered a database being advertised on the dark web by known actor Toogod. The database contains over 20 million records, including full names, full addresses, IDs, genders, dates of birth, and phone numbers. Toogod alleges that the data comes from Taiwan’s Department of Household Registration, under the Ministry of Interior. According to the government, the database consists of old data from different sources, and an investigation has confirmed that no leak occurred at the Department of Household Registration.||20,000,000|
|Elexon (UK)||The operators of REvil ransomware uploaded a cache of 1,280 files supposedly belonging to Elexon. The company was hit by a cyberattack on May 14th, 2020. The published files reportedly include passport details of Elexon employees and a business insurance application form.||Unknown|
|National Payments Corporation of India||Researchers at vpnMentor identified a misconfigured Amazon Web Services S3 bucket containing 409 GB of data related to India’s mobile payment app BHIM. The exposure, which included roughly 7.26 million records, included scans of Aadhaar cards and caste certificates, screenshots of financial and banking apps, photos used as proof of residence, and more. The bucket appears to have been closed around May 22nd, 2020. The company stated that it has no evidence of a data breach.||Unknown|
|Digital Management Inc (US)||The operators of DoppelPaymer ransomware claim to have breached the network of IT company Digital Management Inc (DMI). As proof of their attack, the threat actors published 20 archive files relating to NASA on their dark web portal. This includes HR documents and project plans. The attackers also posted a list of 2,582 servers and workstations that are reportedly part of DMI’s internal network.||Unknown|
|TVSmiles (Germany)||UpGuard researchers discovered a public Amazon S3 bucket containing data related to the TVSmiles app. The database contained personally identifiable information of users and business clients, as well as device data. Exposed data included 901,000 unique email addresses, first and last names, gender, dates of birth, and more.||Unknown|
|8Belts (Spain)||Researchers at vpnMentor discovered a misconfigured Amazon Web Services S3 bucket belonging to the e-learning platform. Exposed data included personally identifiable information (PII) of over 150,000 individuals. This included full names, email addresses, phone numbers, and more. In addition, PII of the company’s corporate clients was also exposed, many of whom registered with their company work email address.||150,000|
|10up Inc (US)||A database belonging to 10up Inc, which hosts the website for San Francisco Employees’ Retirement System (SFERS), was hacked on February 24th, 2020. Potentially stolen data includes full names, home addresses, dates of birth, and more.||74,000|
|Westech International (US)||The company, which operates as a subcontractor for the US military contractor Northrop Grumman, was hit with Maze ransomware. The malware encrypted the company’s machines, and the operators have started to leak documents to pressure Westech into meeting their ransom demands. The hackers appear to have access to payrolls and emails. At present it is unclear whether classified military information has also been exfiltrated.||Unknown|
|University of California San Francisco (US)||NetWalker ransomware operators claimed that they have encrypted devices and exfiltrated unencrypted data belonging to the university. As evidence of the attack, the group shared a student application, a spreadsheet, and folder listings that appear to relate to employee information, financials, medical studies, and more.||Unknown|
|Telkom (South Africa)||The operators of REvil ransomware claimed responsibility for a recent attack against South Africa’s Telkom and threatened to leak stolen data on their dark web blog. It was previously suspected that PonyFinal was involved. Telkom initially denied that its system outage was due to a ransomware attack, stating that it was dealing with a malware infection that it became aware of on May 29th, 2020.||Unknown|
|Ahmadu Bello University, University of Benin, Mount Kenya University (Kenya and Nigeria)||Security researcher Touseef Gul found that the websites and databases of the universities contain vulnerabilities that left student records exposed. Mount Kenya University’s data was reportedly being shared on hacker forums and contained names, addresses, phone numbers, and more.||~467,743|
|Minneapolis Police Department (US)||Social media reports claim that a database containing email addresses and passwords was stolen and leaked from the Minneapolis Police Department (MPD) and that Anonymous was behind the hacking. Security researcher Troy Hunt investigated the claims about the database and believes it is a collection of MPD email addresses taken from old data breaches or credential stuffing lists, rather than from an MPD system that was recently hacked.||Unknown|
This table shows a selection of leaks and breaches reported this week.
Attack Types Mentioned in Critical Infrastructure
This chart shows the trending attack type related to Critical Infrastructure over the last week.
Weekly Industry View
|Banking & Finance||Researchers at Cofense identified attackers posing as tax collection authorities to compromise the credentials of customers of African banks, including ABSA, Capitec, First National Bank, Nedbank and Standard Bank. The attackers, posing as the South African Revenue Service’s eFiling service, sent an email claiming that the recipient is due a tax return deposit. The email contains bank logos that the target is encouraged to click on. Clicking on a logo takes the target to a spoofed portal, created using Webnode, that impersonates the target’s bank. The portal asks for account numbers, mobile numbers, passwords, and PINs.|
|Critical Infrastructure||The Ukraine-based cable operator Volia has been targeted in a number of UDP flooding attacks that began on May 31st, 2020. The attacks, described as ‘massive and well-organised’, initially targeted Volia’s subscriber systems before also impacting its telecommunications infrastructure. This resulted in over 100,000 subscribers experiencing problems using the internet, IPTV, multiscreen platforms and digital TV.|
|Government||On June 2nd, 2020, the Minnesota Senate’s server was hacked and accessed in a further cyberattack targeting state and local computer systems. The server was taken offline as a precaution. An investigation revealed that a file containing the Senate Wi-Fi password was accessed during the attack; the password has since been reset. Login information for senators and staff was not accessed. The same hacker group that has targeted 10 state agencies in recent days is believed to be behind the attack on the Senate website. It remains unclear whether the cyberattacks relate to the ongoing George Floyd protests.|
|Technology||Wordfence reported that between May 29th and May 31st, 2020, they blocked over 130 million attacks that targeted 1.3 million WordPress sites. The attacks attempted to download wp-config.php, a file critical to WordPress installations which contains database credentials, connection information, and the site’s unique keys and salts; the download attempts typically abuse file-download or directory-traversal flaws in plugins and themes rather than requesting the file directly. Wordfence stated that the attacks are linked to a threat actor who previously launched similar large-scale attacks targeting cross-site scripting (XSS) flaws. The attacker launched the XSS attacks and the recent attacks from the same batch of over 20,000 IP addresses.|
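A site owner without Wordfence can still spot this campaign in ordinary web server logs. The following is an added example written for this digest, not code from Wordfence or from the original page: it parses Apache combined-format access log lines, decodes the request target (twice, to catch double URL-encoding), and flags any request that names wp-config.php or a backup variant of it, distinguishing traversal-in-query-string attempts from direct requests. The log lines, IP addresses and plugin path are constructed for the example.

```python
"""Detect wp-config.php download attempts in web server access logs.

Added example, not Wordfence or Silobreaker code. Attackers going after
wp-config.php usually abuse a plugin's file-download or traversal bug, so the
file name shows up in the query string, often behind '../'. All sample data
below is constructed (RFC 5737 documentation IPs, hypothetical plugin path).
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log in Apache combined format.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2020:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 200 2934 "-" "Mozilla/5.0"
203.0.113.10 - - [30/May/2020:10:01:05 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:02:11 +0000] "GET /?file=wp-config.php.bak HTTP/1.1" 404 150 "-" "curl/7.68.0"
192.0.2.44 - - [30/May/2020:10:03:30 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.44 - - [30/May/2020:10:03:31 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [ts] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# wp-config.php plus common backup variants (wp-config.php.bak, .old, .txt, ~).
WPCONFIG_RE = re.compile(r'wp-config\.php(\.\w+|~)?', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode percent-encoding twice so that double-encoded traversal
    # (%252E%252E%252F) is seen in its plain form as well.
    entry["decoded_target"] = unquote(unquote(entry["target"]))
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a reason string if the request looks like a wp-config.php grab, else None."""
    path, _, query = entry["decoded_target"].partition("?")
    if WPCONFIG_RE.search(query):
        if TRAVERSAL_RE.search(query):
            return "traversal-to-wp-config-in-query"
        return "wp-config-in-query"
    if WPCONFIG_RE.search(path):
        return "direct-wp-config-request"
    return None


def scan(log_text):
    """Return (hits, per_ip) where hits is a list of (ip, status, reason, decoded target)."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["ip"], entry["status"], reason, entry["decoded_target"]))
            per_ip[entry["ip"]] += 1
    return hits, per_ip


def successful_exposures(hits):
    """Hits that returned 200: the file contents may actually have been served."""
    return [h for h in hits if h[1] == 200]


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("Requests per source IP:", dict(per_ip))
    print("Likely successful (HTTP 200):", successful_exposures(hits))
```

A hit with status 200 through a plugin download endpoint is the case to treat as a confirmed credential exposure: rotate the database password and the salts in wp-config.php, then look at the plugin the request went through. Direct requests for /wp-config.php are normally rejected by the web server or PHP, so they are a lower-priority signal; the per-IP counter is what shows whether the traffic matches a mass campaign rather than a single scan.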
|Cryptocurrency||Motherboard reported that data stolen from Canadian cryptocurrency exchange Coinsquare will be used for SIM swapping attacks. A hacker who obtained the data informed Motherboard that they originally intended to embarrass the company and sell the data before deciding to SIM swap accounts instead. A version of the data shared with Motherboard contained over 5,000 rows of users’ email addresses, phone numbers, and in some instances physical addresses. The data does not appear to contain any passwords. Coinsquare informed Motherboard that the data was stolen by a former employee of the company. The company stated that they became aware of the issue last year and informed law enforcement and other authorities.|
News and information concerning each mentioned industry over the last week.
The Silobreaker Team