29 August - 03 September 2020
Silobreaker's Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created using our award-winning intelligence product Silobreaker Online.
Trending Vulnerable Products

Open Source

| Name | Heat 7d |
| --- | --- |
| Cisco IOS XR | |
| Firebase Cloud Messaging | |
| Slack | |
| FasterXML jackson-databind | |
| QNAP Network Attached Storage | |

Deep & Dark Web

| Name | Heat 7d |
| --- | --- |
| WordPress | |
| QNAP Network Attached Storage | |
| Cisco IOS XR | |
| cPanel | |
| ElFinder | |

The tables show the products which have been mentioned more than usual during the last week in connection with vulnerabilities.
Data Leaks & Breaches

| Company | Information | Affected |
| --- | --- | --- |
| Southern Water (UK) | Security researcher ‘Chris H’ identified a flaw in the Southern Water website customer management area which allowed a logged-in user to view the details of fellow customers. The exposed customer information included names, addresses, customer account numbers, meter details, limited banking information, and more. | Unknown |
| United Memorial Medical Center (US) | Maze ransomware operators added United Memorial Medical Center to their data leak site. The group also leaked files which they claim to have exfiltrated. While most of the leaked data were general files, one folder did appear to contain patient records. Researchers found that names within the files matched those of individuals living within the Houston area. | Unknown |
| Jands (Australia) | The staging equipment distributor Jands was targeted in a ransomware attack by a threat actor using NetWalker ransomware. NetWalker operators posted screenshots on their website purportedly showing financial data, customer details and other information obtained from the company. | Unknown |
| PULAU Corporation (US) | An unauthorised party gained access to the PULAU network and acquired a number of confidential company files. The affected data may include employee names, contact information, dates of birth, government-issued IDs, bank account or payment card information, online credentials and medical information. | Unknown |
| Greenville Technical College (US) | Avaddon ransomware operators claim to have exfiltrated 600 GB of data from the college. According to a college spokesperson, personal data was not impacted, an assertion contested by the ransomware operators, who claim to be in possession of Social Security numbers, driver’s licenses, medical information, and more. The attackers posted financial documents relating to the college president, his wife, the vice president for finance, and other employees. | Unknown |
| American Payroll Association (US) | An unknown threat actor deployed a card skimmer on the Association's website and online store. Further investigation revealed that the malicious activity dates back to May 13th, 2020. The perpetrator was able to access personal information such as names, email addresses, job titles, dates of birth, and more, as well as payment card information. In some cases, the attackers also accessed social media usernames and profile photos of affected members and customers. | Unknown |
| Utah Pathology Services (US) | On June 30th, 2020, the laboratory found that an unknown third party had attempted to fraudulently redirect funds. No financial transaction was completed; however, the personal information of certain individuals was accessible to the unauthorised party. This includes names and personal details such as date of birth, gender, phone number, mailing address, insurance information, medical information, and in some cases Social Security numbers. | Unknown |
| Manitoba Government (Canada) | On August 26th, 2020, an employee accidentally sent an email containing a spreadsheet with information related to Children Disabilities Services clients, intended for the Manitoba Advocate for Children and Youth, to about 100 other organisations. Exposed data included the children’s personal information such as diagnoses and addresses. | 9,000 |
| Transport for NSW (Australia) | An open AWS storage instance exposed scanned driver’s licenses of New South Wales (NSW) residents. The exposed bucket contained both the front and back image of each driver’s license, along with scans of Road and Maritime Services tolling notice statutory declarations that included individuals’ birth dates and phone numbers. Transport for NSW believes an unnamed third party may be responsible for the leak. | 54,000 |
| State of Michigan (US) | Russian media outlet Kommersant alleged that the personal data of 7.6 million Michigan voters was illegitimately obtained by hackers and leaked on the dark web. Personal data exposed in the database includes names, dates of birth, gender, dates of voter registration, email and physical addresses, and more. The leaked database reportedly contains only data compiled from publicly available sources, possibly including requests under the Freedom of Information Act. | Unknown |
| K7 Maths (Australia) | AusCERT found that data which purported to be from the Australian Department of Education, despite no organisation of that name existing, came from a service called ‘K7 Maths’. The data was originally published in March 2020 and has been republished. The breach, which AusCERT reports was likely caused by an exposed Elasticsearch instance, revealed first and last names, email addresses, countries, and bcrypt-hashed passwords. | Unknown |

This table shows a selection of leaks and breaches reported this week.
[Chart: Attack Type Mentions in Education]
This chart shows the trending Attack Types related to Education over the last week.
Weekly Industry View

| Industry | Information |
| --- | --- |
| Banking & Finance | Researchers at IBM X-Force identified an ongoing malspam campaign distributing the Wacatac trojan. The attacks were first observed on August 21st, 2020 and aim at stealing personal information. The malware is disseminated via emails purporting to be notifications of failed bank transactions that contain a RAR or ACE archive file. These archives contain the malicious executable disguised with an XLS extension. |
| Government | The Norwegian Parliament, Stortinget, stated that information had been stolen from breached email accounts of elected representatives and employees. Details on how many accounts are affected or who was behind the attack have not been provided. |
| Technology | Prevailion CEO Karim Hijazi informed SC Media of a Lethic trojan infection at NCR Corporation, noting that it could potentially pose a supply chain risk to its customers. Prevailion researchers reportedly observed C2 beaconing activity from an IP address traced to NCR over a period of 180 days. |
| Retail, Hospitality & Tourism | Group-IB researchers linked three campaigns that involved various JavaScript sniffer families to one group dubbed UltraRank. These campaigns had previously been attributed to Magecart Group 2, Magecart Group 5 and Magecart Group 12. The researchers note that each of the group’s operations used a different JavaScript sniffer, namely FakeLogistics, WebRank and SnifLite. UltraRank also changed its infrastructure and malicious code multiple times, which likely led to the wrong attributions. An investigation into their activity revealed that they compromised 691 websites and 13 third-party suppliers over the space of five years. The group was also found to have built its own business model by selling its stolen bank card data on ValidCC, a card shop whose infrastructure is linked to UltraRank. |
| Cryptocurrency | Researchers at Palo Alto Networks Unit 42 discovered a new Docker cryptojacking worm that mines for Monero. Dubbed Cetus, the cryptominer disguises itself as the legitimate binary ‘Portainer’ and deploys XMRig on an infected device. To find targets, the malware uses Masscan to scan subnets for Docker daemons, after which it spreads by sending requests to the daemon’s REST API using the Docker command line interface tool. |

News and information concerning each mentioned industry over the last week.
The Silobreaker Team