Home – Reports – Weekly Cyber Digest – Weekly Cyber Digest:16 – 22 July 2021
22 July 2021
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.
Trending Vulnerable Products
Open Source
| Name | Heat 7 |
|---|---|
| Apple iOS 14 |  |
| Oracle MySQL | |
| Microsoft Exchange Server Enterprise | |
| Oracle Fusion Middleware | |
| Google Chrome Browser |  |
Deep & Dark Web
| Name | Heat 7 |
|---|---|
| THORchain |  |
| CDNJS | |
| Google Chrome Browser | |
| Nmap | |
| Fortinet FortiOS | |
The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches
Leaks & Breaches
| Company | Information | Affected |
|---|---|---|
| Campbell Conroy & O’Neil (US) | The law firm stated that its network was targeted by a ransomware attack on February 27th, 2021. An investigation revealed that the targeted system contained some personal information of individuals, including names, dates of birth, driver’s license numbers, financial account information, Social Security numbers, passport numbers, and more. | Unknown |
| Comparis (Switzerland) | An analysis of the recent ransomware attack against the consumer outlet found that the attackers had access to some internal customer data. On July 12th, 2021, the operators of Grief ransomware added the company to their data leak site and posted 189 files as proof of the attack. | Unknown |
| University Hospital of the West Indies (Jamaica) | The Jamaica Gleaner reported that the Hospital Information Management System (HIMS) used by the hospital is exposing the private information of thousands of patients. The HIMS system stores patient names, addresses, telephone numbers, and financial and medical data. The issue is due to HTTP rather than HTTPS being used when accessing HIMS. | Unknown |
| Testcoronanu (Netherlands) | The coronavirus testing company experienced a leak that allowed anyone to create their own Covid vaccination or test certificates, in addition to altering the data of others. The personal data of individuals who had taken a coronavirus test at the company was also leaked. This includes full names, addresses, phone numbers, Social Security numbers, passport numbers, and medical information. | 60,000 |
| The Court of Accounts (Moldova) | The authority was hit by attackers who hacked its websites and destroyed audit reports and other public data. | Unknown |
| BackNine (US) | A storage server misconfiguration exposed 711,000 files that contained insurance files featuring names, addresses, Social Security numbers, medical diagnoses, lab results, some driver’s license numbers, and more. | Unknown |
| Whitehouse Independent School District (US) | On July 8th, 2021, the Texas school disclosed that it was impacted by a cybersecurity incident. DataBreaches[.]net reported that the attack was conducted by the Vice Society ransomware gang. The attackers have dumped more than 18,000 files containing the data of current and former employees, dependents, and students. This includes names, postal addresses, Social Security numbers, and more. | Unknown |
| Corporación Nacional de Telecomunicación (EcuadorS) | On July 16th, 2021, CNT disclosed that it had suffered a ransomware attack. RansomEXX ransomware operators claim to have stolen 190GB of data, including contact lists, contracts, and support logs. CNT stated that no corporate or client data has been exposed. | Unknown |
| Seoul National University Hospital (South Korea) | Ha Tae-kyung of the People Power Party stated that the June 5th, 2021, cyberattack against the hospital was carried out by the North Korean actor Kimsuky. The attack resulted in the theft of 6,969 files, including patient records containing medical information. | Unknown |
| D-BOX (Canada) | The haptic motion technology company was hit with a ransomware attack on July 12th, 2021. The attack encrypted data stored on the corporation’s network, causing it to become inaccessible. Some employee information may have been exposed. | Unknown |
| Booneville School District (US) | Grief Ransomware operators added the Mississippi school to their data leak site on June 30th, 2021, and later dumped files allegedly stolen from the district. The files contain some students’ writings, which reveal limited personal information. | Unknown |
| Lancaster Independent School District (US) | Grief Ransomware operators added the Texas school to their leak site, and published data containing demographic information of current and former employees, payroll information, banking information, Social Security numbers, and other human resources-related files. The personal information of some students was also exposed. | Unknown |
| City of Revelstoke (US) | On July 15th, 2021, Revelstoke Mountaineer journalists found that the city’s emergency notification system contains flaws allowing users to access any account with just the account’s email address and no password, which enables others to disable users’ notifications. In addition, using simple code could allow an actor to download the telephone numbers of the system’s users and match them with emails. | Unknown |
| Chicago’s Lake County Health Department (US) | Department officials disclosed two cyberattacks that affected the county. In the first incident, discovered on July 22nd, 2019, an unencrypted email was sent to an employee’s personal email address, affecting unspecified information relating to 24,241 individuals. The second breach, which took place on May 14th, 2021, involved an unencrypted Google Doc used by volunteers and staff. The document contained the names, dates of birth, phone numbers, email addresses and vaccination status of some seniors, with 705 people potentially affected. | Unknown |
| Walter’s Automotive Group (US) | The operators of Vice Society ransomware claim to have encrypted and stolen data from the company. The attackers have since dumped all stolen data, including over 21,000 images of driver’s licenses dated between May 2018 and May 2021. The data dump also contains Audi Ontario and Porsche Ontario data, including nearly 5,000 files related to credit applications that expose names, dates of birth, current addresses, Social Security numbers, and more. | Unknown |
| Independent Electoral and Boundaries Commission (Kenya) | A university student identified as ‘Kiprop’ reportedly hacked into the IEBC database and stole the personal details of voters. | 61,617 |
| Pionet (Israel) | A ransomware attack against the IT company has impacted its systems and the sites of over a hundred of the company’s customers. Impacted customers include Assuta Hospital, Rambam Health Care Campus, Hadassah Medical Center, Budget Car Rental, Sonol Israel, and Idigital. | Unknown |
| City of Geneva (US) | On July 16th, 2021, the Ohio city identified that its website and online data systems had been breached. On July 18th, 2021, AVOSLocker ransomware operators claimed that the city was attacked by one of its partners and uploaded screenshots of files as proof of the attack. | Unknown |
| Humana (US) | CyberNews researchers discovered the sensitive data of customers published on a hacker forum on July 16th, 2021. The leaked SQL database contains full names, email and physical addresses, patient IDs, treatment data, and more. | 6,487 |
| PeopleGIS (US) | WizCase researchers discovered 86 misconfigured Amazon S3 buckets containing data of United States municipalities. Over 1,000GB of data was exposed across 1.6 million files, including business licenses, residential records and job applications. The compromised data includes email and physical addresses, phone numbers, drivers’ licences, and more. | Unknown |
| Aruba[.]it (Italy) | The Italian web hosting firm recently informed some of its customers of a data breach incident that took place on April 23rd, 2021. The exposed data includes full names, tax codes, physical addresses, encrypted hashes of customer portal passwords, and more. | Unknown |
| Washoe Tribe (US) | The Nevada and California tribe was targeted in a ransomware attack on April 27th, 2021. The attackers stole 100GB of data from their server, and the stolen data was seen leaked on the dark web on May 5th, 2021. | Unknown |
| Hudson Envelope and JAM Paper & Envelope (US) | The company disclosed a cyberattack which impacted customers who have used a credit or debit card to make purchases at jampaper[.]com between June 25th, 2020, and January 11th, 2021. Customers’ card information may have been stolen. | Unknown |
| Unknown (Mexico) | DataBreaches[.]net observed a post on a popular hacking forum offering the entire Mexican voter database for 2021, featuring 91 million records. According to the formatting of the data fields posted by the actor, the database contains full names, addresses, and other personal information. | Unknown |
| Saudi Aramco | A threat actor operating under the name ZeroX is selling 1TB of data dating between 1993 and 2020 that they claim to have stolen from Saudi Aramco. The stolen data allegedly includes details on Saudi Aramco’s refineries, client contracts, reports and other documents, and the personal information of 14,254 employees. The exposed employee information includes names, pictures, passports, phone numbers, and more. | Unknown |
| TicketClub (Italy) | A RaidsForum user called ‘bl4ckt0r’ is advertising a database belonging to the company that reportedly contains user data. The threat actor also released some of the data as proof of their breach. | 340,957 |
Attack Type mentions in Critical Infrastructure
Time Series
.png)
This chart shows the trending Attack Types related to Critical Infrastructure within a curated list of cyber sources over the past week.
Weekly Industry View
Industry View
| Industry | Information |
|---|---|
| Banking & Finance | Prodaft researchers observed a Toddler Android banking malware campaign primarily targeting Spain since the second half of 2020. The malware also contains some textual content for targeting English, Italian, German, French, and Dutch-speaking users. The Android application containing Toddler is named after shipping services with names like ‘BPOST’, ‘UPS’, and ‘Correos’. Toddler uses a specially crafted login phishing page fetched from its C2 to overlay a targeted application launched by the victim. It targets mobile banking and cryptocurrency applications, and gathers data from apps installed on the victim’s device. |
| Technology | Microsoft researchers linked two Windows zero-day exploits, tracked as CVE-2021-31979 and CVE-2021-33771, to a private-sector offensive tracked as SOURGUM. The group has targeted at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia and Singapore with the DevilsTongue spyware. Among the victims are human rights defenders, dissidents, journalists, activists and politicians. The spyware is installed via a chain of browser and Windows exploits, including the two zero-days that were fixed in the July 2021 update. Citizen Lab researchers assess with high confidence that the threat actor is the Israeli company Candiru Ltd, currently called Saito Tech Ltd, which sells spyware exclusively to governments. |
| Retail & Tourism | Kyodo News reported that on July 21st, 2021, an anonymous Japanese government official informed it of a data breach involving Tokyo Olympic and Paralympic ticket purchasers. The exposed data was said to include login IDs and passwords of ticket buyers, as well as volunteer portal credentials. A spokesman of the Tokyo 2020 International Communications Team later denied that the leak originated from the systems used by the Olympics, but stated that some passwords had been reset for a limited number of IDs. Security researcher ‘pancak3’ told ZDNet that the leak did not result from a breach. Instead individuals were reportedly targeted with RedLine malware and other stealers. |
| Critical Infrastructure | Facebook reported that the Iranian Tortoiseshell group used its platform as part of a campaign targeting military personnel and the aerospace and defence sector in the United States, the United Kingdom, and Europe. The group employs relatively strong operational security and appears well-resourced and persistent. It primarily used Facebook for social engineering and created sophisticated fake online profiles that often appeared as industry recruiter and employees of aerospace and defence companies. The threat actors attempted to move conversations off Facebook to send malware to their targets. To steal credentials, the group created fake defence company recruiting sites. |
| Cryptocurrency | Researchers at Inky identified dozens of credential harvesting campaigns targeting Coinbase users. One example shared by the researchers uses a hijacked email account to send messages to victims. The email instructs the recipient that they need to resolve an account issue by signing into Coinbase. Users who click on a link are redirected to a hijacked site that features a ‘perfect’ reproduction of a Coinbase login page. Any credentials entered into the site are harvested by the attackers. |
News and information concerning each mentioned industry over the last week.
Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.
