23 December 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7
Adobe Premiere Rush
Maven Central Repository
VMware vCenter
Apache Log4J
WebKit Software Component
Deep & Dark Web
Name Heat 7
Apache Log4J
Oracle MySQL
WinRAR
Shodan
Instagram

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Company Information Affected
Finite Recruitment (New Zealand) The company was listed on the Conti leak site, with actors claiming to have stolen 300GB of data, including financial information, contracts, employee contracts, passport details, customer databases, and more. The databases also contained customer phone numbers and addresses. The Conti operators later leaked more than 12,000 files. Unknown
Gumtree.com Ltd (UK) The company was found to leak sellers’ personally identifiable information within the HTML source of adverts. The compromised data on every advertisement includes seller surnames, email addresses, postcodes, and GPS locations. Unknown
McMenamins Inc (US) The company suffered a Conti ransomware attack on December 13th, 2021, that encrypted its servers and workstations. Corporate data and documents were stolen, but it remains unknown whether customer data was comrpomised as well. Unknown
Hellmann Worldwide (Germany) The threat group RansomEXX published 70.64GB of exfiltrated data from the company on their leak portal. The files included credentials, correspondence, agreements, orders, and more. Unknown
Tackle Warehouse, Running Warehouse, Tennis Warehouse, and Skate Warehouse (US) The four affiliated online stores confirmed on November 29th, 2021, that the personal information of customers was stolen in a cyberattack. Potentially compromised information included names, financial account numbers, credit and debit card numbers, full CVV numbers, and website account passwords. 1,813,224
Lametayel and Tiuli (Israel) The hacker group Sharp Boys claimed responsibilty for a cyberattack against the two companies. The group claims to have stolen personal data of users, including usernames, emails, phone numbers, and passwords.  3,000,000
Dacoll (UK) Clop ransomware operators targeted the company, allegedly stealing data from the UK’s Police National Computer and leaking it on the dark web. Stolen files supposedly include images exfiltrated from the national Automatic Number Plate Recognition system, as well personal information and records of individuals. A Home Office spokesperson since stated that no records were accessed, whilst links to the stolen data have been deleted from the actor’s Tor leak blog. 13,000,000
ICV Digital Media (US) A publicly accessible bucket belonging to the company was discovered. The bucket contained more than 4TB of customer data. Affected companies include 24 Hour Fitness, American Association of Immunologists, Abbott Laboratories, Deloitte, FireEye, and more. Unknown
Baylor Scott & White Medical Center (US) The healthcare facility reported a data breach after an employee may have accessed patient records without authorisation on two separate occasions during 2020. Potentially compromised information includes names, dates of birth, home and email addresses, phone numbers, medical record numbers, and more. 883
Sennheiser (Germany) An Amazon Web Services S3 bucket belonging to the company was found to be publicly accessible. The bucket contained the personal data of customers collected between 2015 and 2018. Among the exposed data were names, email addresses, phone numbers, home addresses, and more. 28,000
Basil Read Holdings (South Africa) The company took all of its systems offline following a ransomware attack that was first discovered on December 15th, 2021. The attack resulted in some delays in administrative functions, however, the company’s operations reportedly continued unaffected. Unknown
CompuGroup Medical SE & Co. KGaA (Germany) The company was targeted in a ransomware attack on December 20th, 2021, that affected the availability of some internal systems. The company isolated major parts of their services to try and prevent the spread. Unknown
Unknown A cache of millions of stolen emails and passwords was discovered, stored in a compromised cloud storage facility that could be accessed by third parties. The credentials are a combination of known and unknown breached datasets. Over 250 million credentials were found to be new. Unknown
Big White Ski Resort (Canada) An unauthorised intrusion occurred against the company’s servers sometime before September 10th, 2021. Potentially compromised data includes personal and business information, such as names, addresses, banking information, electronic funds, transfer arrangements, and CRA business numbers. Unknown
Monongalia Health System (US) The health system and its affiliated hospitals, Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital, announced that unauthorised access to several email accounts was gained between May 10th and August 15th, 2021. Potentially compromised information includes names, addresses, dates of birth, medical record numbers, medical and clinical treatment information, and more, possibly including Social Security numbers. Unknown
Bkav Corporation (Vietnam) Personal data of users was published on a data trading website on December 19th, 2021. User ‘seasalt123’ claimed to have obtained the data from Breport[.]vn. Possibly compromised data includes email addresses and phone numbers. ~ 200
Albanian Internal Revenue Services Local media reported that a Microsoft Excel file containing citizen data is circulating online via WhatsApp and other media portals. The file reportedly contains names, ID numbers, monthly salaries, positions, and employer names. 657,138
Orthopaedic Institute of Western Kentucky (US) An unauthorised actor gained access to several employee email accounts between June 24th and July 8th, 2021. The attacker may have accessed or viewed protected health information, including names and Social Security numbers. 107,000

Malware mentions in the Banking & Finance Industry

Time Series

This chart shows the trending malware related to Banking & Finance within a curated list of cyber sources over the past week.

Weekly Industry View

Industry View
Industry Information
Cryptocurrency The recently discovered Phorpiex botnet was found to distribute a new bot variant, named Twizt, that is targeting more than 30 cryptocurrency wallets across blockchains and has hijacked 969 transactions to steal nearly $500,000 during the past year. Twizt is capable of operating in peer-to-peer mode and therefore does not require active C2. The botnet maintains compromised devices in 96 countries, with most victims located in Ethiopia, Nigeria, and India. Currencies supported by Phorpiex include Bitcoin, Ethereum, Dogecoin, Dash, Monero, Zilliqa, and more.
Technology Conti ransomware operators have been observed leveraging the Log4J Shell vulnerability in unpatched VMware vCenter servers for lateral movement from compromised networks. Numerous nation state actors have also been observed exploiting the flaw, including APT10, Turla, and URSNIF operators, the actors behind the Grizzly Steppe campaign, and APT28 who have used the flaw to deliver Drovorub. The mostly inactive ransomware strain TellYouThePass has also been delivered by unknown actors, whilst others have been installing the Dridex banking malware, Linux ransomware, and Dofloo malware. Google researchers investigated the impact of the Apache Log4j vulnerability, noting that 35,863 Java packages are impacted. Additionally, the Belgian Ministry of Defence discovered a cyberattack against its systems involving Log4Shell on December 16th, 2021.
Banking & Finance ThreatMark researchers analysed the latest samples of the S.O.V.A. banking malware. The samples disguised themselves as various applications, including Adobe Flash Player, InPost, DPD, or YouTube Adblocker. When the user clicks on the app, they are prompted to allow accessibility permissions, after which the malware automatically grants itself permissions to record audio, access contacts, make and manage phone calls, access files, and send and view SMS messages. One of S.O.V.A.’s key functionalities is cookie stealing, which it does through WebView and CookieManager. Newer capabilities focus on cryptocurrency, wallets, and apps, including modifying the clipboard if text similar to a cryptocurrency wallet is detected. The researchers noted that newer versions of the malware do not launch if certain conditions are met, including the location of the device and whether certain applications are installed.
Critical Infrastructure Trend Micro researchers observed Earth Centaur targeting organisations in the transport industry and transport-related government agencies since July 2020. The group attempts to access documents and information on the compromised targets, however, the researchers have yet to discover any substantial damage. The attackers use vulnerable Internet Information Services and Exchange server vulnerabilities as entry points before installing web shells. The attackers use multiple custom second-stage backdoors, including ChiserClinet, HTShell, SmileSvr, and customised versions of both Lilith RAT and Gh0st RAT.
Healthcare Inky researchers discovered a phishing campaign targeting Google Workspace and Microsoft 365 users between August 15th and December 13th, 2021. Approximately 410 phishing emails were detected as part of a request-for-quotation scam, originating from a set of domains designed to look like they are controlled by Pfizer. Some emails were also sent from freemail accounts on Gmail, Outlook, and Ziggo. Many of the phishing emails requested the recipient to bid on supplying expensive equipment. The emails had PDF attachments, with no malicious links or malware in either the attachment or the email itself. Instead, if the victims engaged with the attackers and made it to the end of the process, the attackers either harvested their banking details and other credentials, or took the merchandise without paying for it, before reselling it on the black market.

Silobreaker Weekly Cyber Digest

Sign up for weekly news on data breaches, hacker groups, malware and vulnerabilities.

Silobreaker
This website uses cookies.
See our privacy policy at www.silobreaker.com/legal