29 July 2021

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Trending Vulnerable Products

Open Source
Name Heat 7
Apple iOS 14
Checkbox Survey
Jira
VBScript
VLC Media Player
Deep & Dark Web
Name Heat 7
Apache Struts
Freepik
iPhone
iPad
Master of Orion

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.

Data Leaks & Breaches

Leaks & Breaches
Company Information Affected
Savory Spice (US) The online marketplace discovered that an unauthorised third-party gained access to its computer network between April 5th, 2018, and March 27th, 2021. Savory Spice informed its customers that the attacker stole customer names, as well as credit and debit card numbers, expiration dates, and security codes. TechNadu noted that the compromise was likely a Magecart attack. Unknown
Florida Heart Associates (US) The clinic is currently recovering from a ransomware attack that took place in May 2021, which led to its phone lines and computer systems being shut down. Florida Heart Associates also informed its patients that some information may have been exposed.  Unknown
 Express MRI (US) On July 10th, 2020, the MRI scans provider discovered that unauthorised emails were sent from the company’s email account. The company disclosed that it is possible that emails containing patient information may have been accessed or stolen. Possibly impacted information includes patient names, addresses, email addresses, dates of birth, and more. Unknown
Jefferson Health’s Kimmel Cancer Center (US) The oncology care provider was affected in the security breach of its cloud services vendor Elekta. The breach resulted in the theft of the centre’s SmartClinic database that stored patient data. This includes patient names, dates of birth, medical record numbers, clinical information, and some Social Security numbers. 1,769
Scripps Health (US) An employee of the hospital allegedly shared the identities of patients that were dead or dying of COVID-19 with scammers. The accused allegedly obtained and verified patient data such as health insurance, name, age, date of birth, and employment. The information was then passed to three others who used it to try and acquire COVID-19 unemployment benefits. Unknown
Guntrader[.]uk A hacker exfiltrated the company’s user database and advertised the data on the dark web on July 16th, 2021. The hacker has since published the data for free on RaidForums. The company, which has confirmed the breach, stated that personal contact details were exposed, but passwords and credit card details appear to be secure.  111,321
Florida Department of Economic Opportunity (US) The department disclosed a data breach affecting unemployment claimant accounts on its CONNECT website. A threat actor may have stolen personal information of the affected users between April 27th and July 16th, 2021. This includes Social Security numbers, driver’s license numbers, bank account numbers, addresses, phone numbers, dates of birth, and more. 57,920
HealthAlliance (New Zealand) HealthAlliance discovered ‘indications of unusual activity’ on its IT systems and informed potentially impacted District Health Boards (DHBs) of a possible data breach. The company offers IT services to Counties Manukau, Auckland, Waitemata and Northland DHBs.  Unknown
UK National Lottery Community Fund The fund was hit with a data breach that impacted data provided to the organisation by grant holders and applicants between September 2013 and December 2019. The information includes full names, physical and email addresses, dates of birth, bank account sort codes, account numbers, and more.  Unknown
Magacoin (US) The Guardian reported that the email addresses, passwords, IP addresses, and cryptocurrency wallet addresses of Magacoin users have been exposed due to poor security configurations in a website associated with Magacoin. Unknown
Mobile County (US) The Alabama county found that the Grief ransomware attack against its servers resulted in unauthorised access to certain computer systems on May 24th, 2021. Unspecified employee information was compromised in the breach.  Unknown
Haliburton, Kawartha, Pine Ridge District Health Unit (Canada) The healthcare provider accidentally sent a mass email to around 500 residents in Kawartha Lakes, Northumberland, and Haliburton. The email exposed residents’ email addresses to everyone else receiving the letter. Unknown
Yale New Haven Health (US) The healthcare provider was affected in the data breach of their software vendor Elekta. Patient names, addresses, phone numbers, emails, Social Security numbers, some financial information, and more, were exposed in the breach. Unknown
Talbert House (US) On July 9th, 2021, the threat actor Marketo claimed that it stole 80GB of data from the company. Among the data are files exposing sensitive medical details, as well as names Social Security numbers, dates of birth, and more. On July 15th, 2021, the agency revealed that it discovered an unauthorised access incident on its network on June 11th, 2021.  Unknown
UC San Diego Health (US) On April 8th, 2021, the hospital identified that an unauthorised actor had accessed some employee email accounts between December 2nd, 2020, and April 8th, 2021. The accessed email accounts contained personal data linked to a subset of its patient, student, and employee community. Potentially accessed data includes names, addresses, Social Security numbers, government identification numbers, payment card numbers or financial account numbers, and more. Unknown
Thessaloniki (Greece) The recent cyberattack against the municipality was confirmed to be a ransomware attack, with the attackers demanding a $20 million ransom. The operators of Grief ransomware have since published a 92MB file containing data stolen in the attack. The leaked data appears to be mostly public information, such as building drawings and old budget spreadsheets. Some of the files also included private letters and financial reports. Unknown
Bank Rakyat Indonesia Life Hudson Rock researchers discovered a RaidForums post advertising 460,000 documents allegedly compiled from the user data of BRI Life insurance clients on July 27th, 2021. The poster published some proof of the allegations, including a video clip showing stolen bank account details, as well as copies of Indonesian identification cards and taxpayer details.  2,000,000
City of Grass Valley (US) The California city was targeted in a cyberattack discovered on June 29th, 2021. An unknown actor accessed the city’s information systems and stole unspecified data from its servers. Unknown
Allegheny Intermediate Unit (US) AIU disclosed a breach of its servers that was discovered on January 22nd, 2021. The actor obtained the information of some current and former employees and their dependents, including names, addresses, email addresses, dates of birth, Social Security numbers, and tax identification numbers. Unknown
Emma Willard School (US) The New York school was targeted in a ransomware attack resulting in the theft of employees’ Social Security numbers, some financial information, and possibly more data. Unknown
Calgary Parking Authority (Canada) Security researcher Anurag Sen identified an exposed logging server containing unencrypted data that belongs to the authority. The server was exposed between May 13th, and July 27th, 2021. TechCrunch found that the exposed personal details included full names, dates of birth, phone numbers, email addresses, some partial card payment numbers, and more.  Unknown
Homewood Health (Canada) Data belonging to the mental health service provider was put up for auction on the Marketo marketplace. Homewood stated that they were hacked earlier in 2021 by Hafnium, however, Marketo stated that the data was obtained via other means. Leaked documents contain the details of BC Housing employees and potentially their family members, including names, dates of birth, phone numbers, mental health information, and more. The incident also possibly impacts TransLink, Canada Post, Costco, and BC Clinical Support Services. Unknown
LINE (Taiwan) The company’s headquarters discovered that attackers had turned off the ‘Letter Sealing’ encryption function on certain users’ accounts and extracted data. Local politicians and officials were reportedly targeted. 100
Estonian Information System Authority RIA A resident of Talinn compromised the authority by leveraging a malware network, forged digital certification, and a vulnerability to obtain the names, ID numbers, and ID pictures of Estonia’s residents. 286,438
Northern Ireland’s Department of Health (UK) The departement suspended its COVID-19 vaccine certification online service following a data exposure incident. According to the department, some COVIDCert NI users were presented with the data of other users in the system. Unknown

Malware mentions in Banking & Finance

Time Series

This chart shows the trending Malware related to Banking & Finance within a curated list of cyber sources over the past week.

Weekly Industry View

Industry View
Industry Information
Banking & Finance In February 2021, Cleafy researchers observed a new version of Oscorp Android malware targeting EU retail banks. The same malware, possibly used by other actors, also targeted banks in the United states, Australia, and Japan. The malware was distributed via smishing, while the actor sometimes physically reached out to the victims over the phone in vishing attempts, impersonating bank operators to obtain multi-factor authentication tokens. Oscorp can intercept authentication codes, SMS messages, perform overlay attacks, and arbitrarily interact with the device in any way. Following a period of no activity, new Oscorp samples with minor changes were seen in May and June 2021, alongside a new variant named Ubel. The malware is believed to be a fork or a rebrand of Oscorp, possibly by an affiliate.
Technology Sygnia researchers observed a campaign operating almost completely in-memory carried out by a new advanced persistent threat actor named Praying Mantis. The actor gained initial access by leveraging a variety of deserialisation exploits, including zero-days, targeting Windows IIS servers and vulnerabilities targeting web applications. So far Praying Mantis has targeted high-profile public and private entities in two major Western markets.The actor uses a malware framework tailor-made for IIS servers. The actor’s behaviour was found to strongly correlate with Copy-Paste Compromises that targeted Australian public and private sector organisations in 2020.
Retail & Tourism SentinelOne researchers discovered and prevented an attack from a threat actor exploiting a zero-day remote code execution flaw in NCR Aloha POS to steal credit card data. The vulnerability, tracked as CVE-2021-3122, is reportedly a widespread client misconfiguration. Users are advised to update Aloha POS and ensure the Command Center Agent is not internet-facing.
Critical Infrastructure Researchers at Proofpoint discovered a years-long social engineering campaign by the Iranian threat actor TA456, in which the group used the social media persona ‘Marcella Flores’ to target an aerospace and defence contractor. After establishing a relationship across corporate and personal communication platforms, TA456 delivered LEMPO to the targeted employee. The malware, an updated version of Liderc, is a plaintext stealer. ‘Marcella Flores’ first interacted with the targeted employee on social media in late 2019, and the Facebook profile appears to be friends with multiple other defence contractor employees.
Healthcare The German Pharmacists’ Association (DAV) has stopped issuing digital COVID-19 vaccination certificates after it was discovered that hackers managed to create fake passes using its portal. The hackers reportedly made up their own pharmacy identities and used these to produce two vaccination certificates. The DAV stated that an investigation is ongoing, adding that no further indication of unauthorised access to the portal was identified.

News and information concerning each mentioned industry over the last week.

Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.

Silobreaker Weekly Cyber Digest

Sign up for weekly news on data breaches, hacker groups, malware and vulnerabilities.

Silobreaker
This website uses cookies.
See our privacy policy at www.silobreaker.com/legal