Hornetsecurity IT Security Incident Center

Latest IT Security Incident Reports

October 25, 2019 - The City of Ocala Loses $530,000 Due to Spear Phishing Attack

City of Ocala – Spear Phishing Attack

Date Issued: October 25, 2019
Method: Spear Phishing Email
Target: City of Ocala Employees

Report Details

A hacker successfully received payment of $530,000, after tricking a City of Ocala employee with a sophisticated spear phishing email. The hacker was imitating a construction contractor, and had used a legitimate invoice in the email to trick an employee in sending over the payment. The email address from the sender looked to be legitimate but was off by a letter. The city had no loss to their networks, so no malware was used. Law enforcement was immediately notified, and an ongoing investigation is underway.

October 23, 2019 - 9 Massive Medical Companies Expose Patient Data From Unprotected Servers Globally

9 Global Medical Companies – Servers Exposed

Date Issued: October 23, 2019
Method: Unprotected Servers
Target: 9 Global Healthcare Companies

Report Details

The following 9 healthcare companies exposed patient data from having unprotected servers. Biosoft, ClearDent, DeepThink Health, Essilor, Naiis, Stella Technology, Tsinghua University, VScript, and Sichuan Lianhao Technology had exposed patient personal information including prescriptions, contract info, treatment info, medical observations, and other medical details. The leaks came from MongoDB and Elasticsearch servers that were either misconfigured, unprotected, unguarded, or just plain open. Millions of records were released, each company leaking large amounts of patient information.

October 22, 2019 - Jasper County, South Carolina Countywide Systems Hit with Ransomware Attack

Jasper County, S.C – Ransomware Attack

Date Issued: October 22, 2019
Method: Ransomware Attack
Target: Jasper County Systems

Report Details

On September 25^th, Jasper County reported that they had been hit with a cyber-attack on their entire countywide systems, which included email, some telephone lines, and emergency response systems. It is now being reported that 911 and emergency services are experiencing service disruption. The dispatchers are being forced to many things manually and retain information by hand. They are currently working to get their systems back up to normal service, but in the meantime are working through difficult situations.

October 22, 2019 - Avast Antivirus Network Breached By Hackers Through Insecure VPN

Avast – Breach Through VPN

Date Issued: October 22, 2019
Method: Temporary VPN Breach
Target: Avast Security

Report Details

On September 25^th, Avast detected a breach by an outside hacker, where the unauthorized party was able to gain access to their internal network. The hacker gained access through stolen credentials on a temporary VPN account. Avast has revealed that the hacker began penetrating the vulnerabilities on May 14^th and 15^th of this year. The actor was able to gain access on an temporary VPN that had not had 2FA active. It is believed the actor was targeting the CCleaner, and Avast shut down updates of the software on September 25^th. They both immediately pushed updates to provide enhanced security and privacy features. Law enforcement has been notified, and an active investigation is currently underway.

October 16, 2019 - Iranian Hacker Group, Silent Librarian, Has Been Targeting Universities in North America To Steal Student Library Access

USA Universities – Phishing Scheme

Date Issued: October 15, 2019
Method: Sophisticated Phishing Schemes
Target: USA Universities

Report Details

University students across the globe have been targeted by the Iranian hacker group, Silent Librarian, which is believed to be tied to the Iranian government. From June through October there has been a spike in targets toward the United States and Europe. The hackers are running a fake library phishing scam aimed at university students to gain access to their library accounts granting the ability to steal intellectual property from the universities. Hackers might say the student’s account will expire if they don\t update their password, or losing access to library resources if they don’t refresh their login credentials. This is an extremely sophisticated phishing scheme, as the hackers have real time weather info and notifications on the fake sites. The US Federal Government is currently after the group, and has charged nine hackers in the last year.

October 15, 2019 - Over 200 Million Zynga Users Had Data Stolen By Hacker

Zynga Users – Data Breach

Date Issued: October 15, 2019
Method: Unauthorized Data Breach
Target: Zynga

Report Details

Zynga, the online game and mobile application creator of Words with Friends, Farmville, Solitaire, and more was hacked exposing millions of users data. A hacker has made a statement saying they breached 200 million Zynga Android and iOS users, gaining access to names, email addresses, login IDs, hashed passwords, SHA1, password reset tokens, phone numbers, and Facebook IDs. Zynga has informed the users of suspicious logins, and requested a password reset for accounts.

October 15, 2019 - Pitney Bowes Shipping Company Hit With Ransomware Attack Encrypting Systems

Pitney Bowes – Ransomware

Date Issued: October 14, 2019
Method: Ransomware
Target: Pitney Bowes

Report Details

The global shipping conglomerate, Pitney Bowes, supplys e-commerce, shipping, data, and financial services for over 1.5 million clients around the world. It was just announced yesterday, that the company had suffered a ransomware attack which encrypted systems, leading to a temporary outage on some of their services. The breach is said to not have released any customer information, but many customer services like mailing machine, SendPro Online, and Pitney Bowes web supply store are all down. The company is currently working with third party security investigators to figure out how and where the attack took place.

October 14, 2019 - Click2Mail Suffers Data Breach Exposing Customer Credentials

Click2Mail – Hacked Customer Accounts

Date Issued: October 14, 2019
Method: Unauthorized Breach
Target: Click2Mail Users

Report Details

The email service, Click2Mail, suffered a data breach which exposed customer credentials. The breach was discovered after customers email addresses were found to be sending outgoing email spam messages. It is believed that customers’ names, company names, account mailing addresses, email addresses, and phone numbers were leaked. The company has alerted its customers, and is investigating the situation.

October 14, 2019 - The Cannabis Resource Platform Leafly’s Exposed Data Base Leaks User Info

Leafly – Exposed Server

Date Issued: October 14, 2019
Method: Unauthorized Breach
Target: Leafly Users

Report Details

Leafly, an online resource that helps cannabis consumers “discover, find, and buy cannabis and empowers cannabis businesses to attract and retain loyal customers through advertising and technology services” had a data base containing user information exposed. On September 30, Leafly found that a data base storing customer information was exposed on July 2, 2016. Some users may have had their emails, usernames, and encypted passwords leaked … while others may have had names, gender, location, and mobile phone numbers. Leafly sent emails to all those affected advising that passwords be changed, and that if other applications or accounts have the same password to change those as well.

October 9, 2019 - Volusion E-Commerce Websites Suffer MageCart Payment Credential Attack

Volusion E-Commerce Website Builder – MageCart

Date Issued: October 8, 2019
Method: Malicious JavaScript
Target: Thousands of Volusion Hosted Sites

Report Details

Sesame Street Live Store’s online website was found to be infected with malicious JavaScript by malware hunter Marcel Afrahim. This store is one of thousands that are hosted by the E-Commerce Builder, Volusion. The embedded malicious JavaScript was inserted intp customer checkout pages, which allowed it to steal payment credentials sending it to the hacker’s server. Thousands of websites have been infected, and it is believed the initial process began on September 12. Google placed the “red malware danger” symbol in the browser warning users not to access the site. Volusion has reported that the issues have been addressed and fixed as of 4:00 PM on October 8^th.

October 8, 2019 - TransUnion Canada Breached Through Credential Stuffing Method Leaking Customer Information

TransUnion Canada – Credential Stuffing Breach

Date Issued: October 8, 2019
Method: Credential Stuffing
Target: TransUnion Canada

Report Details

Some time between June 28^th and July 11^th, 2019, an unauthorized user or party was able to gain access to a TransUnion Canada Business Portal in which credit file look ups were performed. The hackers were able to access the portal through credential stuffing methods, gaining access to CWB National Leasing\s access code and password. TransUnion confirmed that they had deleted the account, and any credentials have been terminated. The hacker was able to pull information such as name, address, date of birth, and possibly Social Insurance Numbers, information related to credit history, loan obligations, and payment history. This was a controlled hack, where only limited consumers were affected. TransUnion has sent out postal mail letting clients whom may have been involved information of the incident, and how to move forward.

October 8, 2019 - DCH Health System Crushed by Ryuk Ransomware Attack Forced To Pay Ransom

DCH Health System – Ryuk Ransomware

Date Issued: October 1, 2019
Method: Ransomware
Target: DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center

Report Details

On October 1^st, DCH Health System including DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center in Tuscaloosa, Northport, and Fayette Alabama were crushed by a Ryuk ransomware attack. The attack forced the facilities to completely shut down computer systems, and to cease accepting new (non-emergency) patients. Working together with third party IT Security experts, DCH decided to purchase a decryptor key from the hackers. Over the weekend they were able to recover and back up several systems but are nowhere near full decryption. It has yet to be announced how much the decryption key cost the organization.

September 30, 2019 - Rheinmettal AG Plants in Brazil, Mexico, and USA Were Infiltrated by Powerful Malware Attacks

Rhenmettal Automotive Plants – Malware Attack

Date Issued: September 24, 2019
Method: Malware
Target: Plants in Brazil, Mexico, and the USA

Report Details

American Rheinmetall Automotive Plants in Brazil, Mexico, and the US were hit with malicious malware attacks that may result in around 4 million euros per week, which could be for up to four weeks. Rheinmettall stated that IT systems outside of other plants it operates have not been affected by this attack. They are currently investigating how the attack happened, and have told customers that they should expect all orders without delay.

September 27, 2019 - DoorDash Hit With Data Breach Exposing Personal Information of 4.9 Million Merchants, Customers, and Workers.

DoorDash Users – Data Breach

Date Issued: September 26, 2019
Method: Server Data Breach
Target: DoorDash Merchants, Workers, Customers

Report Details

This month DoorDash has made a public statement regarding a data breach that took place back on May 4, 2019 which compromised 4.9 million merchants, customers, and workers information. Hackers were able to infiltrate with unauthorized access leaking names, email addresses, order history, delivery addreses, phone numbers, as well as passwords. A few unlucky customers had the last 4 digits of their credit cards exposed. 100,000 drivers also had their drivers license numbers exposed. Those affected were ones who joined the platform on or before April 5, 2018. DoorDash immediately launched an investigation, and confirmed they done what was necessary to protect their data for the future. It is urged that all users change their passwords.

September 25, 2019 - YouTube Video Creators Fall Victim to Sophisticated Account Hijacking Campaign

YouTube Users – Sophisticated Phishing Campaign

Date Issued: September 23, 2019
Method: Phishing Emails with Fake Google Login Pages
Target: YouTube Video Creator Accounts

Report Details

A large amount of YouTube Video Influencers were hit with a highly sophisticated phishing scam that used fake google login pages to steal credentials via Email. The target seems to be aimed at popular influencers in the automotive and racing industries, but other creators outside of that realm fell victim as well. Some of the more popular targets that were hit include Troy Sowers, PURE Function, Built, etc. It appears that the phishing campaigns via Email were sent in some instances to groups and in others to lone individuals. Also, in some cases the hackers were able to bypass the multifactor authentication.

September 24, 2019 - WeWork Suffered a Data Breach Through Their WiFi Network Exposing Customer Data

WeWork Co-Working Spaces – Unsecured WiFi Vulnerabilities

Date Issued: September 23, 2019
Method: Unprotected WiFi
Target: WeWork Co-Working Spaces

Report Details

WeWork’s poor WiFi security has allowed for over 700 devices that were connected to be exposed. Devices including computers, servers, mobile phones, printers, and other connected appliances had information such as bank account credentials, email addresses, ID Scans, and client databases exposed. WeWork had its WiFi passwords visible in plain text inside of their mobile application, and had quite a large amount of companies sharing the networks. WeWork states that they take the security of their customers very seriously, advising that they offer enhanced security features to their clients like private VLAN, private SSID, or dedicated end-to-end network stacks.

September 23, 2019 - Unprotected Verlo Mattress Factory Database Exposed 387,000 Customer Records

Verlo Mattress Factory Database – Open Unsecured Database Leak

Date Issued: September 05, 2019
Method: Unprotected Open Database
Target: Verlo Mattress Factory

Report Details

An open database that contained a directory for Verlo Mattress Factory was found to have exposed over 387,604 customer records. The customer information included IP addresses, Ports, Pathways, and storage info which included login credentials and hash passwords. There were no records exposed containing payment information or banking credentials. The leak was found by security researcher, Jeremiah Fowler on September 5, 2019. The database has been taken down since notified of the leak.

September 23, 2019 - Campbell County Health in Gillette, Wyoming Hit With Major Ransomware Attack

Campbell County Health, WY. – Ransomware

Date Issued: September 19, 2019
Method: Ransomware
Target: Campbell County Health

Report Details

A ransomware attack was launched against Campbell County Health in Gillette Wyoming last Friday, which has crippled their infrastructure and operations. Steve Crichton, VP of Plant and Facilities said that all computers have been affected, and a majority of systems they depend on for patient care are down. All computers in the hospital are shut off. The hospitals are taking patients on a case by case basis, and phone systems are operational. The Department of Homeland Security, the FBI, the Federal Emergency Management Agency and the Governor are all working with CCH to restore systems and bring justice.

September 23, 2019 - Travis Central Appraisal District in Houston, Texas Struck With Ransomware Attack

Travis Central Appraisal Dist. TX. – Ransomware

Date Issued: September 23, 2019
Method: Ransomware
Target: Travis Central Appraisal District

Report Details

On September 11th, Travis Central Appraisal District was struck by a ransomware attack that affected their website property search, phone, email, and Computer Assisted Mass Appraisal systems. Daily operations in regards to customer service and appraisals were not impacted by the ransomware. The agency confirmed the breach on September 19th, and decided to attempt restoring files on their own without paying the requested ransom. Due to the fact that back up data was stored in offshore locations, they were able to restore seems quickly. All primary systems are reported to be active and running. Travis Central Appraisal District is working with cybersecurity experts to figure out the full extent of the attack, and are revamping their security incase of future attacks.

September 19, 2019 - AVA R-I School District in Missouri Impacted by A Ransomware Attack

AVA R-I Schools Dist. MO. – Ransomware

Date Issued: September 19, 2019
Method: Data Breach
Target: AVA R-I School District

Report Details

Ava R-I School District in Missouri was hit by a ransomware attack, which caused some of the computer network to be shut down. The attack had infiltrated Ava School’s printers, where they could see ransom noted requesting that an email be sent for decryption code and payment instructions. It is believed there were some small vulnerabilities in the system, and this is how the actors were able to get through. The school district uses encrypted data methods, and stores information on outside servers. No employee or student information was breached. The school is now implementing security awareness and tests for the employees and students.

September 16, 2019 - The Carle Foundation Hospital in Illinois Falls Victim To Phishing Attack Compromising Patient Data

Carle Foundation Hospital, Illinois – Phishing Attack

Date Issued: September 16, 2019
Method: Data Breach
Target: The Carle Foundation Hospital

Report Details

Hackers were able to infiltrate private patient information from the Carle Foundation Hospital in Urbana, Illinois. The hackers used phishing attack methods to compromise three employees’ email accounts. Once inside the network, the attackers exposed patient email addresses, names, medical record numbers, clinical information of treatment and diagnosis, as well as dates of birth. Carle says they were able to immediately secure the compromised accounts, and have hired a cyber-security firm to launch an investigation on the incident. The leaked data came from specifically people who had received cardiology or surgery services..

September 13, 2019 - Groton Central School District in New York State Suffers Data Breach

Groton Central Schools Dist. NY. – Pearson Data Breach

Date Issued: September 13, 2019
Method: Data Breach
Target: Groton Central School District

Report Details

Another Pearson customer affected by their massive data leak that happened the beginning of this year. Groton Central School District in New York suffered a breach through Pearson which resulted in personal information of students to be exposed. The information contained student’s names, dates of birth, email addressed, and student ID numbers. The school’s superintendent, Margo Martin, made a statement that Pearson never informed their district that they had been a victim of the data breach. It is believed that around 846 students in the district had their information compromised.

September 10, 2019 - Rockford Public Schools Dist. 205 in Illinois suffers Ransonware Attack

Rockford Public Schools Dist. 205 in IL. – Ransomware Attack

Date Issued: September 10, 2019
Method: Ransomware
Target: Rockford Public Schools Dist. 205

Report Details

Rockford Public Schools (IL.) fell victim to a ransomware attack. All electronic and digital systems in the district have been affected. It has been announced that all schools will remain open while the district works on recovering from the attack. Last Friday, Rockford Public Schools observed issues with their phone and internet services. The district’s website is currently down and emails are not working. The outage is expected to continue this entire week. The district has not shared any information on how the attack happened or how much ransom was demanded by the hackers. Officials said that the matter is under investigation and have refused to comment further. Parents and teachers have raised concerns about the security of personal information in this attack.

September 10, 2019 - Trail’s End suffers a Data Breach

Trail’s End – Data Breach

Date Issued: September 10, 2019
Method: Vulnerability that allowed unauthorized users to view the personal data
Target: Children’s full names, dates of birth, email addresses, phone numbers, parent names, favorite products, and affiliation

Report Details

Trail’s End is a fundraising organization that partners with the Boy Scouts of America to help them raise money for programs and activities. A web developer and a Scout parent noticed that the personal information of Boy Scouts was visible through a simple search. Upon which, the web developer notified Trail’s End about the data exposure. Upon becoming aware of the incident, Trail’s End promptly fixed the vulnerability that allowed unauthorized users to view the data. The fundraising organization then notified the Boy Scouts of America and other local councils about the data exposure.

September 10, 2019 - Premier Family Medical in Utah suffers Ransomware Attack

Premier Family Medical in Utah – Ransomware Attack

Date Issued: September 10, 2019
Method: Ransomware
Target: Premier Family Medical, Utah, 320,000 patients affected

Report Details

Patients who have been treated at any of Premier’s ten Utah County locations including American Fork Clinic, Copper Peaks Clinic, Eagle Mountain Clinic, Lehi Main Street Clinic, Lindon Clinic, Mountain Point Clinic, Orem Clinic, Pleasant Grove Clinic, Premier Dermatology Clinic, and Saratoga Springs Clinic are impacted by this ransomware attack.

The ransomware attack infected the healthcare organization’s servers and computer systems. The healthcare firm became aware of the incident after its staff faced issues in accessing data from certain systems.

Upon discovery, Premier notified the appropriate law enforcement authorities and the Department of Health and Human Services about the incident.

The organization has engaged technical consultants to investigate the incident. The investigation determined that no patient information was compromised. However, the healthcare firm has taken the necessary steps to restore access to its systems and further improve the security of its systems.

September 10, 2019 - New Phishing Campaign uses Captcha Boxes to hide a Fake Microsoft Account Login Page from Secure Email Gateways (SEGs)

New Phishing Campaign targets SEGs

Date Issued: September 10, 2019
Method: Captchas block automated URL analysis from processing dangerous pages
Target: Secure email gateways (SEGs)

Report Details

Attackers are after credentials for Microsoft accounts and they’ve created a webpage that mimics the original for selecting an account and logging in.

The emails delivering the phishing links are from a compromised account from ‘avis.ne.jp’ and pretends to be a notification for voicemail message.

A button promising to provide a preview of the alleged communication is embedded in the email; when clicked, it takes the victim to the page with the captcha code.

Both the captcha and the phishing pages are hosted on the Microsoft infrastructure. As a result, they have legitimate top-level domains, which ensures no negative reaction from domain reputation databases, used by SEGs in their URL analysis process.

September 10, 2019 - Three Advisories on Cybersecurity Vulnerabilities identified in Medical Devices

Federal Regulators issue three advisories on cybersecurity vulnerabilities identified in medical devices.

Date Issued: September 10, 2019
Method: Unauthorized access could lead to cybercriminals gaining access to devices, patient data, and medications
Target: Legacy Medical Devices

Report Details

The advisories from the U.S Computer Emergency Response Team, or U.S. CERT, a unit of the recently launched Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, address the following issues:

A “session fixation” vulnerability. This is in certain versions of the BD Pyxis medication management platform from Becton Dickinson.

Existing access privileges are not restricted in coordination with the expiration of access based on Active Directory user account changes when the device is joined to an Active Directory domain. Successful exploitation of this vulnerability could allow the AD credentials of a previously authenticated user to be used to gain access to the device, patient data, and medications.

For exploitation to occur, products must be actively using AD for login and be connected to the hospital domain. Users who do not use AD are not impacted by this vulnerability.

A “use of obsolete function” vulnerability. This vulnerability occurs in the Philips HDI 4000 Ultrasound system if it runs an outdated and unsupported operating system, such as Windows 2000. The vulnerability could allow an unauthorized user to access ultrasound images or compromise image integrity.

An “incorrect default permissions” vulnerability. This is found in some cardiology products from Change Healthcare, which was created in 2016 when McKesson Corp.’s information technology unit merged with Change Healthcare Holdings.

The vulnerability affects Horizon Cardiology 11.x and earlier, Horizon Cardiology 12.x, McKesson Cardiology 13.x, McKesson Cardiology 14.x and Change Healthcare Cardiology 14.1.x. Insecure file permissions in the default installation could enable an attacker with local system access to execute unauthorized arbitrary code.

In a statement, BD says it is not aware of any instances in which patient data was viewed without authorization as a result of the vulnerability in BD Pyxis.

September 10, 2019 - Arizona School District Cancels Classes Due to Ransomware

Flagstaff Unified School District – Ransomware Attack

Date Issued: September 10, 2019
Method: Ransomware
Target: Flagstaff Unified School District

Report Details

Schools in Flagstaff, Arizona, were closed on Thursday after ransomware appeared on the district’s network. Friday’s classes were called off while the recovery effort continued. District officials have confirmed the situation is a ransomware attack — the attacker has demanded payment in bitcoin in exchange for the locked data. Officials could not confirm if any personal, identifiable information has been compromised.

September 10, 2019 - Monster.com Job Applicants Information exposed due to Unprotected Server

Monster.com Job Applicants Information exposed due to Unprotected Server

Date Issued: September 10, 2019
Method: Exposed server
Target: Monster.com Job Applicants

Report Details

The personal information of job applicants from the job recruitment site Monster was exposed due to a misconfigured server that was publicly accessible without any authentication. As per a statement from Monster, the server was operated by one of its customers. The exposed server contained hundreds of resumes, CVs, and other files from job applicants who applied for jobs between 2014 and 2017. The resumes included personal information of the job applicants including phone numbers, email addresses, home addresses, and work history. The other files found on the exposed server included immigration documentation for work, which Monster does not collect. Monster said that the unprotected server belongs to a recruitment company that was a customer of Monster.com and other recruitment sites. The job recruitment site added that it no longer works with the recruitment customer. A security researcher who discovered the leaky server alerted Monster’s security team about the data leak in August 2019. Upon learning about the incident, it notified the recruitment company of the issue and secured the server. Monster said that it is unable to determine the impacted users as the exposure occurred on a customer system. Furthermore, the job recruitment site did not notify its users about the exposure stating that customers are the owners of this database and they’re responsible for notifying the impacted users.

September 10, 2019 - City of Unalaska, Alaska falls victim to phishing attack resulting in loss of over $2.9 Million

City of Unalaska, Alaska – Phishing Attack

Date Issued: September 10, 2019
Method: Phishing via email to employee
Target: City of Unalaska, Alaska

Report Details

The City has managed to recover around $2.3 million which was lost in a phishing attack. The scammers had posed themselves as a known vendor and sent an email. The City of Unalaska has managed to recover around $2.3 million which was lost in a phishing attack. The recovered amount is part of $2,985,406.10 which the City had sent scammers. The cybercriminals posed as a known vendor and sent an email. The email included a request for the change in payment method. This caused the employees to sent payments for legitimate invoices to a fraudulent bank account that did not belong to the subject vendor. The payment was done between May 15 and July 9, 2019. When government officials became aware of the situation, they ceased the payments and immediately contacted the FBI.

September 10, 2019 - Email Hack Leads to the Theft of Funds from Pension system for Retired Oklahoma Law Enforcement

Email Hack Leads to the Theft of Funds in Oklahoma

Date Issued: September 10, 2019
Method: Email hack of employee
Target: Pension system for retired Oklahoma Highway Patrol troopers and other state law enforcement officers

Report Details

The FBI is investigating after computer hackers managed to steal about $4.2 million in funds from a pension system for retired Oklahoma Highway Patrol troopers and other state law enforcement officers. Duane Michael, the executive director of the pension system, told The Oklahoman newspaper that the theft happened Aug. 26 after an employee’s email account was hacked. He said the funds were being managed by an outside investment manager on behalf of the pension system and that the agency was able to recover about $477,000 of the stolen funds.

September 4, 2019 - WordPress sites being hacked by Sodinokibi developers launching ransomware

WordPress – Unauthorized Malicious Third Party Hacking

Date Issued: September 4, 2019
Method: Unauthorized Third Party Access
Target: WordPress Sites

Report Details

The cybercriminals who devised the Sodinokibi ransomware have been distributing the ransomware through WordPress sites inserting JavaScript that mimics a fake French Q&A forum. Here’s how it works: “Hackers hack WordPress sites and inject a JavaScript script into the HTML page. The injected URL is active to all visitors, but only contains data if the user is visiting for the first time or hasn’t visited the site for a certain amount of time. For first time visitors, the injected script will display a fake French Q&A forum post over the content. This Q&A forum post contains an answer from the site’s admin with an attached URL. Upon clicking on the link, a zip file is downloaded. The Zip file contains a JScript file, which includes an obfuscated code that will connect to a remote server. The server responds with data, which will be decrypted and saved as a GIF file. This GIF file contains an obfuscated PowerShell command that downloads and executes the Sodinokibi ransomware. The Sodinokibi ransomware encrypts files, delete shadow copies, and drops a ransomware note. The ransomware note leads the victims to a Tor payment site that contains instructions on how to purchase a decryptor.”

September 3, 2019 - Foxit Software Data Breach Compromises Over 328,000 User Accounts

Foxit Software, “My Account” – Data Breach

Date Issued: September 3, 2019
Method: Unauthorized Third Party Access
Target: Foxit Software “My Account” Feature

Report Details

The .PDF software company Foxit Software “My Account” feature was impacted by a data breach where unauthorized third-party actors infiltrated their data systems containing user data. Foxit has reported that approximately 328,549 accounts were leaked. It is understood that the information leaked contained usernames, passwords, names, addresses, phone numbers, and IP addresses. An immediate investigation was launched, and Foxit is working with law enforcement agencies and forensic data analysts to fully resolve the matter. In the mean time, those whom fell victim had their accounts’ passwords reset. There was also an additional security management firm hired to analyze the incident and improve security for the company.

August 30, 2019 - Sodinokibi Ransomware hits DDS Safe Cloud Backup leading to 400 Dental Offices being affected

DDS, PerCSoft – Ransomware

Date Issued: August 25, 2019
Method: Sodinokibi Ransomware
Target: 400 US Dental Offices

Report Details

Sodinokibi Ransomware, also known as Sodin or REvil Malware struck DDS Safe, a cloud based data back up system used by hundreds of dental practices in the United States. Digital Dental Record and PerCSoft, the backend systems of affected medical records archiving and backup have been hit by the ransomware. It is unknown what detonated the ransomware, but it is projected that over 400 US dental offices are affected. The ransomware crushed many systems, leaving patients scheduling, files, and billing unable to accessible.

August 28, 2019 - New Kent County Public Schools, Virginia Hit With Crypto-Lock Ransomware

New Kent County School District, VA – Ransomware

Date Issued: August 28, 2019
Method: Crypto-Lock Ransomware
Target: New Kent County School District Systems

Report Details

New Kent County Public Schools were hit with a ransomware attack that encrypted the entire districts internal hard drives. The hackers used a form of a crypto-lock, and are currently requesting ransom for decryption of the files. The district is still unable to access the files, but has stated that school will continue on schedule like normal. They have hired cyber-security experts and a forensics analysis team to investigate the incident and retrieve the encrypted data. The Federal Bureau of Investigation is working hand and hand with the district to resolve the issue.

August 28, 2019 - CamScanner Android App was downloaded over 100 million times containing Necro.n Trojan Dropper

Trojan Dropper Embedded into CamScanner Android App

Date Issued: August 28, 2019
Method: Trojan Dropper through Advertising Library
Target: Android Users

Report Details

CamScanner the Android App was downloaded over 100 million times all while containing a malicious Trojan Dropper, which aides hackers in installing malware to steal banking information or create spam advertisements. Security researchers at Kapersky found malware components on one of the advertising libraries of the back end of the application. The Trojan Dropper, Necro.n downloads modules from the command control server to execute code that downloads and launches payloads from malicious servers. It has been recommended that the app be uninstalled. The Google Play Store had the free version removed from the marketplace, but the licensed and HD version is still available for purchase.

August 27, 2019 - New Apple iPhone X Calendar Invitation Spam Campaign

Scammers Fool Users of iPhone X with Calendar Invite Spam Campaign

Date Issued: August 14, 2019
Method: Spam
Target: iPhone X users

Report Details

Discovered by a security blogger Graham Cluley, the scam involves users being bombarded with calendar invitation spams. The invitation claims that the recipient has won an Apple iPhone X from AppleStore.

In order to claim the prize, the recipient is asked to check the store’s location by visiting the link provided within.

However, Cluley has warned that visiting the link could ‘range from anything to a survey scam to a webpage attempting to phish your passwords, or even install malware.’

Users can prevent themselves such unwanted spam invitations by following these steps:

Go to your Google calendar, and click on the gear icon near the top right of the screen. Choose Settings from the drop-down menu that appears;
Select Event settings from the choices in the left-hand menu bar;
Change the Automatically add invitations setting from Yes to No.

August 27, 2019 - New Phishing Campaign Distributes Quasar RAT onto Windows Systems

Phishing Campaign Distributes Quasar RAT

Date Issued: August 14, 2019
Method: Phishing campaign that distributes the Quasar RAT
Target:
Quasar RAT is capable of opening remote desktop connections, keylogging, stealing credentials, taking screenshots, recording video from webcams, downloading or exfiltrating files, and managing processes on infected machines

Report Details

This phishing campaign employs multiple anti-analysis methods and counter-detection measures to camouflage the infection vectors.

The phishing emails include malicious Microsoft Word document disguised as a password protected resume document.

The email prompts the users to open the resume by entering the password ‘123.’

Once the users enter the passwords, the fake resume document will ask the users to enable the macros in order to start the infection process.

The macros come in the form of base64 encoded garbage code, which is designed to crash analysis tools.

Once the macro is successfully run, it will display a series of images that claim to load the content.
However, the images repeatedly add a garbage string to the document contents and then display an error message, while downloading and executing the Quasar RAT in the background.

The last significant step the threat actors take to avoid discovery is to download a Microsoft Self Extracting executable. This executable then unpacks a Quasar RAT binary that is 401MB.

August 27, 2019 - Rockville Center, N.Y. School District Pays $88,000 Ransom to Regain Access To Data

The Rockville Center, N.Y. School District pays an $88,000 Ransom to Cyberattackers

Date Issued: August 27, 2019
Method: Ransomware
Target: Files belonging to Rockville Center, N.Y. School District

Report Details

The attack took place on July 25, and according to a document sent to SC Media, the ransomware was able to avoid the cybersecurity measures the district had in place.

The district’s IT director shut down the computer network on July 26 to limit the damage and district officials believe this move enabled their insurance carrier to negotiate a lower ransom payment.

The decision to pay the ransom was based on an evaluation of what it would cost to recover from the attack without the decryption keys and the less expensive option was to pay.

August 27, 2019 - Hostinger.com Server Compromised, Exposing 14 Million User Credentials

Hostinger.com – Data Breach

Date Issued: August 23, 2019
Method: Third Party Access to API
Target: Hostinger.com Customers

Report Details

On August 23^rd, Hostinger realized they had been breached from a third party whom gained access to their API. Hackers used an authorization token to gain access to and change permissions to Hostinger’s RESTful API Server. Over 14 million user records were exposed in the breach which included customers’ names, email addresses, passwords, and IP addresses. Hostinger said there was no breach on payment information. The server was immediately disabled, and clients had automatic password resets.

August 21, 2019 - IP Address Connected to the Domain www.whipautogear.com is Compromised, Scammed over $120,000 in 24 Hours

IP Address Connected to over 80,000 URLs – Ransomware, Malware, Formjacking, etc.

Date Issued: August 20, 2019
Method: PayPal Scam from a Compromised Website
Target: Customers for a Electric Scooter Promotional Sale

Report Details

A hacker under the alias (marshalladscash@gmail.com) cashed in on over $120,000 USD in fraudulent PayPal charges off of a fully built drop shipping account running a promo for an electric scooter. There was a countdown for the item quantity left in stock, but a bug had the counter going up instead of down. Which was an immediate indicator to me that something was up. Within 2 hours 12,000 people had spent $10 on the site. The scam seems to have originated from the website (cashster period net) which is a cesspool for malicious web activity. The IP addresses that I was able to maintain all had malicious reports against them.

August 20, 2019 - 23 Local Government Entities in Texas hit by Coordinated Ransomware Attacks

23 Texas Local Government Agencies – Ransomware Attack

Date Issued: August 20, 2019
Method: Ransomware
Target: The impacted government organizations are not revealed because of security concerns.

Report Details

Up to 23 Texas entities, the majority of which are local governments were hit by a ransomware attack last Friday that Texas officials say is part of a targeted attack launched by a single threat actor.

Details are few about the specific agencies hit by the ransomware attacks, which began on the morning of Aug. 16, as well as which systems are impacted by the attack.

The Texas Department of Information Resources did say that responders are actively working with all 23 entities to bring their systems back online and that the State of Texas systems and networks are not impacted.

“Currently, DIR, the Texas Military Department, and the Texas A&M University System’s Cyberresponse and Security Operations Center teams are deploying resources to the most critically impacted jurisdictions,” according to the DIR in a statement on its website. “Further resources will be deployed as they are requested.”.

This is the first time there’s been an attack against several local governments in a state.

August 16, 2019 - Over 85,000 patients’ data was leaked at Grays Harbor Community Hospital and Harbor Medical Group

Grays Harbor Community Hospital and Medical Group – Ransomware

Date Issued: August 16, 2019
Method: Ransomware
Target: Employees of Hospital and Group

Report Details

Grays Harbor Community Hospital was hit by a ransomware attack before the weekend that exposed 85,000 patient files. Out of the 85,000, only 10,000 had the possibility of critical information being stolen. The leaked data includes,

Patients’ medical records
Patients’ personal information
Demographic information
Insurance information
Medical history
Medical treatment
Billing information

The ransomware was deployed through a phishing email that was clicked on by one of the hospital’s

employees. A bitcoin ransom of 1 Million was requested from the hackers. They have not paid the

ransom, and are working with the FBI to rebuild and reorganize so that incidents like this do not occur

again.

August 16, 2019 - Camp Verde Unified School District in Arizona hit with Ransomware Attack

Camp Verde Unified School District – Ransomware

Date Issued: August 16, 2019
Method: Ransomware
Target: Employees of School District

Report Details

Camp Verde Unified School District in Arizona was hit with a Ransomware that reportedly struck on July 19^th. When school systems went to boot up they were immediately locked and encrypted. A bitcoin ransom was held on the school district’s system. The school district has yet to pay the ransom and is working with authorities and forensic analysts to find the best solution to the problem. The new school year is still on schedule, and they will notify if any updates occur.

August 14, 2019 - 700,000 Choice Hotels Customer Records Compromised

Choice Hotels – 700,000 Customer Records Stolen, and held for $3,800 Ransom

Date Issued: August 14, 2019
Method: Unsecured server(s)
Target: Customer records of Choice Hotels

Report Details

Cybercriminals took advantage of an open MongoDB database containing data from Choice Hotels and stole 700,000 customer records and then demanded a $3,800 ransom payment for their return.

Malicious actors found the database and removed the data and left a ransom note demanding 0.4 Bitcoin, or about $3,856. The database actually contained 5.6 million records, but Comparitech reported that Choice said the vast majority were test data. However, 700,000 were true records containing customer names, email addresses, and phone numbers.

August 14, 2019 - New Variant of the Troldesh Ransomware Spreading via Compromised Websites

Ransomware Attacks on Compromised Websites

Date Issued: August 14, 2019
Method: New variant of the Troldesh ransomware, threat actors used at least two malicious URLs from compromised websites considering the case if one of them stops working
Target: The malware is found to target Windows OS

Report Details

A new variant of the Troldesh ransomware is observing a rise in the past couple of weeks and spreading via compromised websites. The threat actors involved in spreading the malware trick victims into visiting malicious URLs by sending emails and messages on social media platforms.

The newer variant initially downloads a JavaScript host file, which when executed, downloads the actual ransomware file. The threat actors use TOR for data transmission and communication with victims, and two malicious URLs for ransomware file delivery.

The malicious JavaScript file that acts as the host has a 57% detection rate with antivirus software. Additionally, the actual ransomware file downloaded to the victims’ computer has a detection rate of 82%.

If the antivirus program installed on the victims’ computer does not detect the malicious host file or the ransomware executable file, then the ransomware starts encrypting files from the victims’ computer using a notable method.

August 14, 2019 - Four Major Dating Apps Expose Precise Locations of 10 Million Users

3Fun, Grindr, Romeo, and Recon – Users can be Victims of GPS Spoofing and Trilateration

Date Issued: August 14, 2019
Method: GPS spoofing and trilateration
Target: 3Fun, Grindr, Romeo, and Recon

Report Details

Four popular mobile applications offering dating and meetup services (3Fun, Grindr, Romeo, and Recon) have security flaws which allow for the precise tracking of users, it’s been possible to develop a tool able to collate the exposed GPS coordinates. By supplying spoofed locations (latitude and longitude) it is possible to retrieve the distances to these profiles from multiple points, and then triangulate or trilaterate the data to return the precise location of that person,

3Fun was not only leaking the locations of users but also information including their dates of birth, sexual preferences, pictures, and chat data.

August 14, 2019 - NetWiredRC Trojan Attacks Target Hotel Industry in North America

North American Hotel Industry – Phishing Attacks

Date Issued: August 14, 2019
Method: Phishing attacks, NetWiredRC Trojan

Report Details

A series of phishing email attacks have been targeting the hotel industry in North America. The attackers are leveraging these attacks to distribute a powerful trojan named NetWiredRC.

Attackers are sending malicious attachments through emails to the finance department of the target company.

The malware steals credentials stored in IE, Comodo Dragon, Yandex, Mozilla Firefox, Google Chrome, Chromium, Opera browser and Outlook.

August 14, 2019 - Hackers Deface Minnesota State & County Websites

Minnesota State & County Websites – Webpage Defacement

Date Issued: August 14, 2019
Method: Webpage Defacement
Target: Minnesota Department of Human Services refugee services page and administrative portal and the homepage of Stearns County, a part of the larger Minneapolis metro area

Report Details

Hackers vandalized two of the state of Minnesota’s webpages last week, for a brief time on Aug. 5, messaging that officials have described as “anti-government” covered a Minnesota Department of Human Services refugee services page and administrative portal, according to reports. Minnesota’s Security Operations Center quickly pulled them down and as of Friday was still investigating the incident. There was no loss of information.

On July 30, the homepage of Stearns County, a part of the larger Minneapolis metro area, displayed a photo of an individual with a Guy Fawkes mask and a sign advertising crudely for “the revolution,” according to local news outlets. The county’s information services director, George McClure, told press that the company hosting the site took it down temporarily and it’s since been restored, sans Guy Fawkes.

August 14 2019 - Data breach exposes the PI of 18,500 Bismarck Public Schools Students

Bismarck Public Schools – Data Breach

Date Issued: August 14, 2019
Method: Data breach at the systems of third-party vendors
Target: Bismarck Public Schools who uses the Pearson Clinical Assessment’s software called AIMSweb 1.0

Report Details

About 18,500 current and former Bismarck Public Schools students had some of their personal information exposed in a data breach at a company that provides a universal screening tool to the district.

The nationwide data breach involved Pearson Clinical Assessment’s software called AIMSweb 1.0, which Bismarck Public Schools uses as a screening tool for students in kindergarten through fifth grade, as well as to monitor progress for students receiving support intervention. About 13,000 schools and universities were impacted, according to a July 31 statement from Pearson.

The company said the exposed data was isolated to first name, last name, and possibly in some instances date of birth and/or email address. Pearson said it believes the breach occurred around November 2018, according to a letter to Bismarck Public Schools. The FBI is investigating.

August 13, 2019 - Over 800 Employees of Charleston County, SC Suffer From Data Breach

824 Employees Infected – Human Error?

Date Issued: August 6, 2019
Method: Error from HR Department

Report Details

824 employees of Charleston County, South Carolina were impacted by a data breach after a Human Resources employee somehow accidently shared a list to a former employee. The list included the employees’ names, DOB, SSN, Gender, Salary, Hire dates, and eligibility for health care and benefits. It has been stated no banking information has been leaked, according to Jennifer Miller the County’s Administrator.

August 12, 2019 - Over 51.7 Million Android Users Infected by Clicker Trojan

51.7 Million Android Users Infected – Clicker Trojan

Date Issued: August 12, 2019
Method: Embedded Clicker Trojan in Mobile Applications for Android Users
Target: Android Users

Report Details

A new version of the Clicker Trojan dubbed the Android.Click.312.origin has been reported to have infected over 51.7 million Android users. The malicious trojan is embedded in over 34 apps in the Google Play store, ranging from dictionaries, barcode scanners, online maps, audio players, etc. One the app is downloaded and the trojan is activated, it sends the following information to the C2 Server.

Manufacturer and model
Operating system version
User’s country of residence and default system language
User-Agent ID
Mobile carrier
Internet connection type
Display parameters
Time zone
Data on apps containing the trojan

This is an highly sophisticated attack, as the applications are not only on the google store being advertised but by many third party websites. Google has removed and updated several apps with the malicious trojan.

August 7, 2019 - Vulnerability in SuperINN Plus Web Application Impacts Over 43,000 Customers

Sark Technologies’ reservation and management software – Database Breach

Date Issued: August 7, 2019
Target: Application vulnerability

Report Details

A vulnerability in the image upload function of SuperINN plus web application allowed attackers to upload PHP web shells and export customer data from the database. Apart from this, an attacker identified a SQL injection vulnerability in the web application and abused it to extract encrypted cardholder data.

Sark Technologies’ reservation and management software SuperINN had a vulnerability in its image upload function. This allowed attackers to extract customers’ personal information.

SuperINN became aware of the incident on May 26, 2019. After this, the organization launched an investigation and determined that a vulnerability in the image upload function of the application allowed attackers to upload PHP web shells.

The PHP web shells were uploaded on the web application on September 23, 2018. Using the PHP scripts, the attackers were able to export customer data from the SuperINN plus database and obtain the decryption key. The database was accessed between January 01, 2019, and May 30, 2019. Apart from this, an attacker identified a SQL injection vulnerability in the web application and abused it to extract encrypted cardholder data from the database between June and July 2019

August 7, 2019 - 6.2 million Email Addresses Exposed by the Democratic Senatorial Campaign Committee

Democratic Senatorial Campaign Committee – Database Breach

Date Issued: August 7, 2019
Target: Misconfigured Amazon S3 storage bucket

Report Details

The UpGuard Data Breach Research Team can now disclose that approximately 6.2 million email addresses were exposed by the Democratic Senatorial Campaign Committee in a misconfigured Amazon S3 storage bucket. The comma separated list of addresses was uploaded to the bucket in 2010 by a DSCC employee.

The bucket and file name both reference “Clinton,” presumably having to do with one of Hillary Clinton’s earlier runs for Senator of New York. The list contained email addresses from major email providers, along with universities, government agencies, and the military.

At approximately 4PM on Thursday, July 25th, 2019, UpGuard researchers discovered an Amazon S3 storage bucket named “toclinton.” This bucket was available to globally authenticated AWS users, one of the two public groups available in S3 permissions. This means that anyone with a free AWS account could access the bucket and its contents. The bucket contained a single file, EmailExcludeClinton.zip.

August 7, 2019 - Kern County, CA suffers Data Breach compromising over 15,000 Employees’ Personal Information

Personal Informaton of Kern Medical Center – Data Breach

Date Issued: August 5, 2019
Method: Data breach at the systems of third-party vendors
Target: Personal Informaton of Kern Medical Center employees, their dependents, and medical staff

Report Details

A data breach at the systems of third-party vendors might have impacted the health benefits program run by Kern County on behalf of its employees. This could have exposed the personal information of current and former Kern County employees, their dependents, and medical staff at Kern Medical Center.

A potential security incident at a third-party vendor could have exposed the personal information of current and former Kern County employees, their dependents, and medical staff at Kern Medical Center.

A spokeswoman for Kern County, Megan Person said that a data breach at the systems of third-party vendors might have impacted the health benefits program run by the County on behalf of its employees. Person confirmed that the data breach did not occur on the county networks and systems. County officials have launched an investigation to determine if any data was compromised. She added that if a data breach is confirmed, then all affected employees will be provided with complimentary credit-monitoring services.

“The security of our plan participants and their information is our primary concern, and we remain vigilant in monitoring the situation. We want to assure our employees and our constituents this did NOT affect our county networks and systems. It’s a reminder that all of us should be cautious and take extra measures when it comes to our online security,” Person said, Techwire reported.

August 6, 2019 – CafePress Hacked, 23 Million Accounts Compromised

CafePress – Data Breach

Date Issued: August 6, 2019
Target: 23,205,290 accounts targeted/breached
Passwords exposed encoded in base64 SHA1, a very weak encryption method

Report Details

CafePress, the custom T-shirt and merchandise company has been hacked, the breach that compromised more than 23 million accounts happened on February 20, 2019.

The breach itself took place on Feb 20 and compromised a total of 23,205,290 accounts, it was barely mentioned online or in the press, a brief mention on the “pwned” subreddit did appear on July 13th.

The exposed data included 23 million unique email addresses; some of the compromised records also included names, physical addresses and phone numbers. It has been mentioned that passwords were also amongst the compromised data.

August 5, 2019 - Hackers replace customer data on unprotected MongoDB with ransom note

Bookseller in Mexico, Librería Porrúa – Database Breach

Date Issued: August 5, 2019
Target: Unprotected MongoDB instance

Report Details

Hackers who found an unprotected MongoDB instance which was publicly accessible without any authentication erased all the contents of the database and replaced them with a ransom note.

The open database belongs to a bookseller in Mexico named Librería Porrúa, it contained almost 1.2 million customer records, including:

Customers’ personal details such as names, dates of birth, email addresses, and phone numbers
Purchase details such as shopping cart ID, discount codes, activation codes and token, invoices, and payment card details.

Additionally, the database stored 958,000 personal data records including client ID, names, dates of birth, email addresses, phone numbers, user tokens, discount card activation codes, and discount card activation dates.

The people whose information was exposed could be at risk of spam, targeted phishing, and fraud. For example, affected users might receive emails claiming to be from Librería Porrúa with a link to a fake Librería Porrúa website. Users might be directed to enter login details on the identical fake website, giving hackers their passwords.

August 5, 2019 - Broken Arrow Public Schools, OK. hit with Ransomware Attack

Broken Arrow Public Schools (Oklahoma) – Ransomware Attack

Date Issued: August 5, 2019
Target: Broken Arrow Public Schools in Oklahoma
Method: Malware which launched a ransomware varietal

Broken Arrow Public Schools suffered a ransomware attack that caused network and server issues, thereby disrupting operations of the school district.

Upon experiencing network and server issues, the school launched an investigation on the situation and notified its cyber insurance carrier. The school also hired cybersecurity experts to assist them with the investigation.

The investigation revealed that the school has been a victim of a ransomware attack. After discovery, the school district began recovery efforts which included enhancing the security of its digital environment. It promptly notified the FBI about the incident and began working with the vendors to restore normal operations. The school’s superintendent noted that the district will not pay the ransom.

“We are aware of the ransomware incident that has affected Broken Arrow Public Schools and have offered to support the district in any way we can,” said Executive Director of Communications Steffie Corcoran, a local media reported.

School officials said they’re not aware of any personal data or financial information that has been leaked.

August 5, 2019 – Murfreesboro, Tenn. City Water Department’s Bill Payment Website Hacked by Iranian Hackers

Murfreesboro City Water Dept. – Online Portal Page Hacked

Date Issued: August 5, 2019
Target: Murfreesboro, Tenn. City Water Dept.
Method: Online hack of website/compromised webpage displayed

Report Details

Murfreesboro City’s payment website for the water and sewage department has been hacked. The hacked site appears when users try to access their LINK account from the Water Department site.

The compromised webpage displayed an image of the Iranian flag and the Guy Fawkes mask. A message below the image says “Hacked by Iranian Hackers” and “Hacked by Mamad Warning.”

“We are always closer to you. Your idenity is known to us. Your information is for us 😉 take care,” the message read. The department immediately shut down the website and launched an internal assessment to determine the source and extent of the hack. The assessment determined that the compromise was limited to the online portal page.

“After a fuller assessment, Information Technology for the City of Murfeesboro indicates that a compromise this morning to link to an online portal of the Water Resources Customer webpage was limited to one script page. No customer info was accessed in the propaganda attack,” the City tweeted.

August 5, 2019 – Presbyterian Healthcare Services Suffers Data Breach Impacting 183K Patients

Presbyterian Healthcare Services – Data Breach

Date Issued: August 5, 2019
Target: Presbyterian Healthcare Services
Method: Phishing scam compromising employee’s email accounts

Report Details

Presbyterian Healthcare Services suffered a data breach impacting nearly 183000 patients and health plan members after a few of its employees fell victim to a phishing scam.

On June 6, 2019, Presbyterian Healthcare Services discovered that an unauthorized third-party gained access to some of Presbyterian’s employee email accounts sometime around May 9, 2019.

After this, Presbyterian secured the compromised email accounts and began a thorough review of the impacted emails. The healthcare center also notified the appropriate federal law enforcement about the incident.

“With any such event, it takes time to investigate what happened, identify the affected individuals and arrange for the assistance services that are being offered. Once we became aware of this incident, Presbyterian secured these email accounts and alerted federal law enforcement,” stated Melanie Mozes, Presbyterian Communications Director.

The compromised email accounts contained patient and/or health plan member names, dates of birth, Social Security numbers, and clinical and information.

Dale Maxwell, the President and CEO of Presbyterian, said in a statement that there is no evidence that electronic health record or billing information has been accessed.

August 2, 2019 – Deer Valley Restaurants Mariposa and the Royal Street Café suffered a Security Breach Leaking Customer Payment Information

Deer Valley Restaurants – Data Breach

Date Issued: August 2, 2019
Target: Mariposa and Royal Street Cafe
Method: Breach through POS (Point-of-Sale)

Report Details

Two restaurants in Deer Valley, Mariposa and the Royal Street Café were hit by a data breach when an unauthorized third party hacked their POS and deployed a malicious malware. The malware was engineered to search track data, and copy the magnetic strip of credit cards. From what we know, card information of customers had been stolen from January 10 to January 28^th. An investigation began in early May, where the malicious malware was found and removed. The restaurants are currently upgrading security features to prevent this from occurring again.

August 1, 2019 – Pearson Hit With Data Breach Exposing Thousands of Educational Institutions Accounts Across the US

Pearson – Data Breach

Date Issued: July 31, 2019
Target: Pearson
Method: Breach through third party web portal

Report Details

The UK-Based Educational Company, Pearson, was hit by data breach that exposed students’ personal information. The information comprised included names, date of births, and email addresses. It is believed that roughly 13,000 school and university AIMSweb 1.0 accounts in the US were affected by the incident. Hackers were able to gain unauthorized access through the AIMSweb portal. It is important to note that this breach actually took place back in November of 2018, but only became aware of the incident by March 2019. Yesterday, Pearson notified customers about the incident and is offering free credit monitoring services for those who fell victim to the data breach. The vulnerability has been repaired, and Pearson is keeping an eye out to stop this from happening again.

July 31, 2019 – Washoe County School District Hit with Breach Exposing 114,000 Students

Washoe County School District – Data Breach

Date Issued: July 31, 2019
Target: Pearson – Washoe County
Method: Pearson Hack

Report Details

Washoe County School District was hit with cyber attack that impacted 114,000 students who attended Washoe Schools between 2001 and 2016. This breach came from the Pearson data breach which exposed 13,000 schools and universities. The incident occurred from a vulnerability in an older version of Pearson Clinical Assessment’s Program. The information included students names, dates of birth, addresses, as well as some staff information as well. The school is currently working with Pearson to handle the situation.

July 31, 2019 – Cabarrus County Targeted in Business Email Compromise Scam

Cabarrus County, North Carolina – Data Breach

Date Issued: July 31, 2019
Target: Employees of Cabarrus County’s schools and government
Method: Phishing Email

Report Details

Cabarrus county officials have released details of the BEC scam that diverted nearly $2.5 million to scammers. Out of this, $1,728,082.60 remains missing.

Officials said that the County had intended to send the money to Roanoke, Virginia-based Branch and Associates Inc. Roanoke serves as a general contractor for the construction of West Cabarrus High school.

The investigation revealed that scammers posed as a representative of the Roanoke Branch and Associate and targeted employees of the County’s schools and government through a series of phishing emails. The scam had begun in November 2018.

The phishing email that was sent under the name of Roanoke, stated that the bank account for the Branch and Associates had been changed and the County should use it for future invoice payments.

The email also included documents that looked legitimate. This tricked the County officials into believing that updated banking information was real and allowed the scammers to steal a sum of $2,504,601.

The County has notified SunTrust bank about the fraud transaction. On the other hand, Branch and Associates have also informed Bank of America about the fraudulent wire transfer of $2.5 million. Following this, Bank of America has frozen $776,518.40 of the $2,504,601.

The recovered amount of $776,518.40 was paid to Branch and Associates on March 20, 2019. The County paid the remaining balance on May 22, 2019.

July 31, 2019 – Watertown City School District (NY) hit with ransomware attack

Watertown City School District – Ransomware Attack

Date Issued: July 31, 2019
Target: Watertown City School District, New York
Method: Ransomware

Report Details

Watertown City School District in New York suffered a ransomware attack crippling the district’s computer network and systems. The attack jeopardized all computers and disabled access to files.

School Superintendent Patricia LaBarr became aware of the attack after she couldn’t access her email. Later, security experts from the Mohawk Regional Information Center (MORIC) launched an internal investigation and confirmed the ransomware attack.

The attack jeopardized all computers and disabled access to files. Staff were asked not to log in any computer. LaBarr said that the attackers behind this incident did not demand a ransom amount from the district.

July 31, 2019 - Insurance Firm Ameritas Suffers Data Breach Compromising Customer Data

Insurance Firm Ameritas – Phishing Attack – Data Breach

Date Issued: July 31, 2019
Target: Ameritas
Method: Phishing attack via email

Report Details

Lincoln-based insurance company, Ameritas suffered a data breach incident compromising its customers’ personal information including Social Security numbers.

The data breach occurred after Ameritas’ employees fell victim to a phishing attack providing their email credentials. Upon discovery, Ameritas immediately responded by disabling the unauthorized access and deploying an enterprise-wide password reset.

The data breach occurred after Ameritas’ employees fell victim to a phishing attack providing their email credentials. Upon learning about the incident, it launched an internal investigation to accurately determine the impacted customers. After this, it notified the customers about the incident.

“Ameritas is committed to our customers and we work hard to earn their trust. Protecting customer privacy is the cornerstone of that commitment,” Ameritas said in a statement, Lincoln Journal Star reported.

July 31, 2019 – Los Angeles Police Department hit by Data Breach that Leaked Private Data of 2,500 Police Officers and 17,500 Applicants

Los Angeles Police Department – Data Breach

Date Issued: July 25, 2019
Target: LAPD
Old Database Hacked

Report Details

The Los Angeles PD has reported that a breach occurred exposing personal information such as names, dates of birth, email addresses, and passwords of 2,500 LAPD police officers and 17,500 police office applicants. When made aware of the breach an investigation was unleashed, and additional security measures were taken/implemented. The Office of Mayor Eric Garcetti stated the breach took place due to an unused old database that contained the personal information.

July 30, 2019 – Capital One impacted by data breach that exposed over 106 million people in the USA and Canada

Capital One – Data Breach

Date Issued: July 17, 2019
Target: Capital One
Misconfigured Web App Firewall

Report Details

Capital One suffered a data breach after hackers exploited a configuration vulnerability. The intrusion occurred through a misconfigured web application firewall that enabled access to the data Personal information that had been leaked included personal information, credit card data, transaction data, Social Security numbers, Social Insurance numbers for people and SMBs who applied for credit card products between 2005 and 2009, as well as linked bank account numbers. The breach took place back in March between the 22 – 23. The incident was immediately reported to the FBI, and had arrested the person responsible. A software engineer by the name of Paige. A Thompson, who went by the alias ‘erratic’ was the hacker who posted the data theft info on GitHub.

July 29, 2019 –Multiple Local Government (North Carolina) Websites Attacked by Hackers and Ransomware attack

Lincoln County, Concord and Anson County (North Carolina – Data Breach

Date Issued: July 29, 2019
Target: Lincoln County, Concord and Anson County – North Carolina
Website hack and ransomware attack on Lincoln County Sheriff’s Office

Report Details

Multiple local government websites have been attacked by hackers in the last few days, including, but not limited to, Lincoln County, Concord and Anson County (North Carolina).

According to the Lincoln County Sheriff’s Office, officials are working to recover from a ransomware attack that happened last Wednesday morning.

Deputies say the night shift noticed the system went down around 12:30 a.m. and contacted the IT Department.

“It was not a security breach where the hackers retrieved information but they destroyed the recent system backup and encrypted the information on the main server preventing access,” Lincoln County Sheriff Bill Beam said.

The sheriff’s office contacted the FBI and they immediately started an investigation. IT personnel from the Sheriff’s Office are working to gain access to the files and update security. No information on the computers was compromised.

Officials say the sheriff’s office website had been taken down and will be put back up as soon as possible.

Anson County’s website appears to have been attacked as well as hackers have left vulgar language on the site last week.

The city of Concord’s website is working again after the site was attacked by hackers who apparently also targeted several other websites globally Thursday night.

According to the City of Concord, as of last Friday morning, concordnc.gov remained unavailable after it was defaced by a hacker that made similar attacks on a variety of websites around the world last Thursday evening.

(*via w.wbtv.com)

July 29, 2019 – Wallingford, CT school Suffers Data Breach

Wallingford School (CT) – Data Breach

Date Issued: July 29, 2019
Target: Wallingford school and a third party app (Pearson Clinical Assessment) the school used to track student reading and math assessments
Data Breach

Report Details

Student information may have been exposed in what school administrators called a “security incident” involving a third-party vendor.

Danielle Bellizzi, assistant school superintendent, said in an email to parents last Thursday that Pearson Clinical Assessment, a vendor that “many school districts in Connecticut and nationwide use for assessment services,” notified the school district Tuesday about a security incident.

The incident affected a tool that the school district formerly used to track student reading and math assessments.

The affected information included “a limited number” of student names and, in some cases, dates of birth and email addresses, Bellizzi wrote.

She added that the incident did not involve any Social Security numbers, credit card data, financial information, grades or other educational or assessment information. (*via myrecordjournal.com)

July 29, 2019 – Two Hospitals in Puerto Rico Suffer Ransomware Attack that Impacts 520,000+ Patients' Data

Bayamón Medical Center and its affiliated Puerto Rico Women And Children’s Hospital – Ransonware Attack

Date Issued: June 24, 2019
Target: Marin Community Clinics
Type: Ransomware infection

Report Details

Bayamón Medical Center and its affiliated Puerto Rico Women And Children’s Hospital fell victim to a ransomware attack impacting over 520,000 patients’s data.

Bayamón Medical Center reported that 422,496 patients were potentially impacted, while Puerto Rico Women And Children’s Hospital reported that 99,943 patients were potentially impacted by the incident.

The ransomware infection encrypted all computer files that contained patients’ personal information.

“As a precautionary measure, Bayamon Medical Center y Puerto Rico Women And Children’s Hospital (collectively, the “Hospitals”) would like to notify the community that the Hospitals faced a recent security incident which potentially involves personal information of the Hospitals’ patients,” the press release read.

July 29, 2019 –Houston County Schools Hit with Ransomware Attack

Houton County Schools -Ransonware Attack

Date Issued: June 29, 2019
Target: Houston County Schools
Method: Malware attack – ransomware

Report Details

Cyber criminals infected the school system’s servers impacting the computer functionality school-wide. The school has postponed the re-opening date for the students to August 5, 2019.

Cyber-attackers infected the school system’s servers impacting the computer functionality school-wide. The attack also disrupted the phone services at the Central Office. The school ordered the teachers and staff to not use the school computers until further notice.

July 26, 2019 – Park DuValle Community Health Center (Louisville, KY) Pays $70,000 Ransom for Patient Records in Cyber-Attack

Park DuValle Community Health Center – Ransonware Attack

Date Issued: July 26, 2019
Target: Park DuValle Community Health Center
Location: Louisville, Kentucky

Report Details

Park DuValle Community Health Center, a nonprofit that runs medical clinics for low-income and uninsured patients in western Louisville and other areas, has paid hackers nearly $70,000 in hopes of unlocking the medical records of some 20,000 patients that have been held hostage for nearly two months. The ransom was paid in the form of 6 bitcoin, the digital crypto-currency.

Park DuValle, one of three federally qualified health centers in Louisville, provides primary care, dentistry, behavioral health, laboratory services and obstetrics-gynecology, among other services.

Besides its main clinic in the Park Duvalle neighborhood, it has locations in Russell, in Newburg and in Taylorsville., KY.

Elizabeth Ann Hagan-Grigsby, Park DuValle’s CEO, said in an interview Thursday that the organization has not been able to access its records or appointment scheduling system since June 7 because of a “ransomware” attack – the second such attack on Park DuValle’s computer system since April.

Park DuValle Community Health Center hasn’t been able to send patients in a mass letter or email about the situation – because as long as the data is held for ransomware, their contact information is not accessible.

Park DuValle Community Health Center is using encryption keys provided by the hackers to restore the data, and the organization hopes to have full access to the data by Aug. 1.

July 26, 2019 – Customers of Sprint Corporation Informed of Data Breach

Sprint Corporation – Data Breach

Date Issued: July 26, 2019
Target: Undisclosed amount of Sprint Corporation customers
Hackers breached Sprint customer accounts using Samsung’s ‘Add a Line” feature on their website

Report Details

Customers of the American telecommunications company Sprint Corporation received an email last week as the company sent a notification of a data breach to an undisclosed amount of network users.

Recent reports revealed that the hackers behind this data breach have gained access to the customers’ online logins and could see all data available in the accounts.

Sprint characterized the breach as not causing “a substantial risk of fraud or identity theft.” The credit of information and social security numbers aren’t visible in these accounts, but there is other sensitive information that can be used by a cyber attacker. The identity thief or phisher can access most of the information once they have the first and last name of a user, phone number, device type, home address, PIN, billing number, device ID and subscriber ID account number of a customer.

It is unknown exactly when the hackers started targeting Sprint or accessing the accounts or for how long they had access. Even though the breach window has been identified to be from June 22 to 25, it is possible that the cybercriminals could have targeted the company earlier too.

July 25, 2019 - Louisiana Governor declares emergency after ransomware attacks hit three school districts

Three School Districts – Ransomware

Date Issued: July 24, 2019

Report Details

On July 24, Louisiana Governor John Bel Edwards issued an emergency declaration after Monroe, Morehouse Parish, and Sabine Parish school districts were impacted by ransomware attacks. The declaration extends to August 21, and the Louisiana National Guard, State Police, and Office of Technology Services are working to resolve and prevent future attacks.

July 23, 2019 – AMCA Breach Update: 12 Additional Healthcare Firms Notify Patients of Data Breach

American Medical Collection Agency (AMCA) Data Breach Expands

Date Issued: July 23, 2019
Original Target: American Medical Collection Agency (AMCA) and two of its biggest customers, Quest Diagnostics and LabCorp
Data Breach accessing payment system

Report Details

The AMCA data breach came to light in early June 2019, the company’s investigation revealed that the hackers may have had gained accessed to its payment system since August 2018. New details about the AMCA data breach have emerged, the breach has affected many more healthcare firms in the United States than previously known.

The firms that have been lately added to the list of providers affected by the data breach are:

American Esoteric Laboratories (534,500 impacted and another 7,400 with financial data);
Sunrise Medical Laboratories (412,000 impacted and 15,000 with financial data);
CBLPath (143,100 impacted and 4,200 with financial data);
Laboratory Medicine Consultants (143,400 impacted and 4,200 with financial data);
Austin Pathology Associates (44,700 impacted and 1,800 with financial data);
South Texas Dermatopathology (14,900 impacted and another 1,200 with financial data);
Pathology Solutions (12,700 impacted and 600 with financial data).

Victim firms that include less than 10,000 patients:

Laboratory of Dermatopathology ADX (4,000 impacted and another 240 with financial data);
Seacoast Pathology (9,200 impacted and 800 with financial data);
Western Pathology Consultants (4,200 impacted and 350 with financial data);
Arizona Dermatopathology (6,500 impacted and 500 with financial data);
Natera (unknown number of impacted patients).

July 22, 2019 - Town of Collierville, Tennessee hit with Ryuk Ransomware

Collierville, Tennessee – Ryuk Ransomware

Date Issued: July 22, 2019

Report Details

The Town of Collierville, Tennessee was the victim of a cyber attack last week, which launched the Ryuk Ransomware infecting town computers and servers. Once unleashed, the infection shut down the towns computer systems and encrypted files, denying access. The ransomware also was able to halt permit requests, public record requests, and business services. Immediately the towns IT staff were minimizing the damage, and attempting to restore their systems.

July 19, 2019 - Hackers make fake Office 365 website that launches TrickBot Trojan

Fake Microsoft Website – TrickBot Trojan in Executable File

Date Issued: July 19, 2019

Report Details

It has been uncovered that hackers have been working on a new malicious campaign in which a fake Office 365 website was created to deceive users in updating their browsers. The website was an close-to-accurate design of Microsoft’s page, with many of their page links being hosted off of Microsoft’s server. When entering the site on Google Chrome or Firefox, a pop up would occur requesting the user update their browsers. Where the trojan TrickBot is then launched in an executable file on the update window. The executable file was named, ‘upd365_58v01.exe’. This specific trojan is disguised as a svchost.exe process to make it invisible in the Task Manager.

July 17, 2019 - Evite Application get hacked, exposes over 100 million user accounts

Evite – Data Breach

Date Issued: July 17, 2019
Target Company: Evite

Report Details

July 14^th it was reported that 100,985,047 unique user accounts for Evite had been exposed in a data breach. The stolen data was put up for sale on Dream Market on the dark web. It has been determined that the hack was orchestrated by ‘Gnosticplayers’. The user information contained names, email addresses, passwords, date of birth, phone numbers. It was originally believed that only 10 million accounts were accessed, but Have I Been Pwned shows that over 100 million were breached.

July 16, 2019 - Syracuse City School District and Onondaga County Public Library Disabled by Ransomware

Syracuse City School District / Public Library – Ransomware

Date Issued: July 9, 2019

Report Details

Hackers launched a ransomware attack on Syracuse City School District which along with disabling their systems, also led to the shut down of Onondaga County Public Library’s online catalog and account network. Upon notice of the breach, the school began restoration of their back end, and filed an investigation immediately. The breach trickled to the library and all branches are currently shut down from accessing accounts and online catalogs still. Phone services were affected as well for both parties. The FBI has recommended that no ransom be paid, but the insurance company backing the parties says they should pay up!

July 12, 2019 - LaPorte County, Indiana dishes out $130,000 in Bitcoin for Ransom

LaPorte County, Indiana – Ryuk Ransomware

Date Issued: July 6, 2019
Target Company: LaPorte County, Indiana

Report Details

LaPorte County, Indiana suffered a data breach from a ransomware attack on July 6^th. The breach disabled network services, and impacted computer networks, email accounts, and their website. LaPorte County worked with the FBI to attempt to decrypt the files, but the FBI decryption keys were unable to work. The failed decryption led to a Bitcoin ransom payout out of $130,000 USD. Luckily, an insurance policy for the county was able to cover $100,000 of the ransom. The policy was implemented just a year earlier after request by the county liability agent, John Jones. The ransomware that crushed LaPorte County’s systems was a form of Ryuk.

July 12, 2019 - KHSU Radio Station in Humboldt County, hit by Ransomware attack

KHSU Radio Station – Ransomware

Date Issued: July 1, 2019
Target Company: KHSU Radio Station

Report Details

KHSU Radio Stations owned by Humboldt State University, suffered a ransomware attack at the beginning of the month that shut down the station’s programming systems and storage servers. One positive thing to note, there was no important information on the compromised servers. They aren’t sure of the source for the attack, and there was no specific ransom requested. KHSU is currently in the process of rebuilding and reprogramming its security systems.

July 12, 2019 – K12.com MongoDB database exposes 7 million student records

K12.com MongoDB Database – Bug in Software

Date Issued: July 12, 2019
Target Company: K12.com

Report Details

Over 7 million student records from K12.com were exposed due to a fault in a MongoDB database. The records were accessible for over a week before they were secured. The visible information included

Primary personal email address
Full name
Gender
Age
Birthdate
School name
Authentication keys for accessing ALS accounts & presentations

The database was visible to the public from June 23-July 1, but it is unknown whether or not the activity was malicious. K12.com came out and stated that they take data privacy extremely seriously, and that they are doing everything they can to make sure no malicious activity takes place.

July 11, 2019 - Philadelphia Federal Credit Union Customers hit with fraudulent transactions

Philadelphia Federal Credit Union – Malicious Hack

Date Issued: July 11
Target Company: Philadelphia Federal Credit Union
Undisclosed Email that led Department Chair to transfer funds

Report Details

Nearly 400 customers of the Philadelphia Federal Credit Union fell victim to a breach over the weekend, in which hackers made fraudulent purchases of $200-$500 with customers debit cards. Something important to note is that the fraudulent funds were actually withdrawn from ATMs, meaning the hackers used the credit card date to make their own debit cards with the stolen numbers. PFCU has stated they will work to reimburse customers who were effected, and are working with security experts to find out what really occurred.

July 9, 2019 - Hackers exploit a pizza shop’s website to deliver diet pill scam campaigns

Pizza Shop Website – Website Hacked to Run Spam Campaign

Date Issued: July 9, 2019
Target Company: Pizza Delivery Shop’s Website

Report Details

A pizza delivery shop whom had been running an outdated version of WordPress (4.9.6), were infiltrated by hackers whom had been running a highly sophisticated scam campaign through hyperlinks on the shop’s website homepage. The scam campaign revolved around Xenical, a diet pill company. The scam website promoted DietxPills, and was connected to a server of 46 other sites who sold medications without requiring prescriptions.

July 8, 2019 – American Land Title Association Suffers Data Breach Compromising Over 600 Company Records

American Land Title Association (ALTA) – Email Phishing Campaign/Data Breach

Date Issued: July 9, 2019
Target Company: American Land Title Association (ALTA)
Breach Type: Email Phishing Campaign – Data Breach

Report Details

The American Land Title Association (ALTA) suffered a data breach compromising hundreds of company records in a phishing campaign.

ALTA is the U.S. national trade association representing nearly 6000 title insurance companies, title and settlement agents, independent abstracters, title searchers, and real estate attorneys.

The files obtained from the hacker contain almost 600 data entries for title and non-title companies. The data included domain identification, IP addresses, usernames, and passwords.

ALTA recommends the potentially impacted companies to monitor their systems for unauthorized access, and in case of any suspicious access immediately alert their IT departments.

The national trade association also recommends reporting any suspicious emails to the Federal Bureau of Investigation Internet Crime Complaint Center.

The association also suggested some steps to protect company systems which includes:

Scanning all the systems and devices for malware.
Updating or patching the installed software and operating systems.
Requiring company staff to update and change system passwords, especially those containing customer information and banking services.

July 8, 2019 – Maryland Department of Labor suffered data breach compromising PII of 78000 customers

Maryland Dept. of Labor -Data Breach

Date Issued: June 24, 2019
Target: Customer’s Personally Identifiable Information

Report Details

The Maryland Department of Labor (Maryland DoL) suffered a data breach compromising the sensitive information of almost 78000 customers including their Social Security Numbers.

The customer information stored on the Literacy Works Information System and a legacy unemployment insurance service database were accessed by an unauthorized third party.

However, there has been no evidence that any personally identifiable information was downloaded or extracted from the compromised servers.

The files stored in the Literacy Works Information system were from 2009, 2010, and 2014. These files included names, Social Security numbers, dates of birth, city or county of residence, graduation dates, and record numbers.

The files stored in the legacy unemployment insurance service database were from 2013 and included names and Social Security numbers.

“We live in an age of highly sophisticated information security threats. We are committed to doing all we can to protect our customers and their information,” James E. Rzepkowski, Acting Labor Secretary said in an interview.

The agency is providing two-years of free credit monitoring services for all impacted customers.

July 8, 2019 – Massive Magecart attack campaign breaches over 960 e-commerce stores

Magecart Hackers – Customized Malicious Javascript on e-commerce Websites

Date Issued: July 8th, 2019
Target: 962 e-commerce stores
Type of Attack: PHP object injection exploit

Report Details

This latest Magecart campaign (automated attack campaign) breached over 962 e-commerce stores and successfully stole customers’ payment card details in just 24 hours time-frame.

Attackers inserted a customized Javascript on e-commerce sites, essentially inserting a fake credit card payment section. The customized skimmer script was designed to collect e-commerce customers’ payment details including full credit card data, names, phone numbers, and addresses.

Victims of this latest Magecart campaign are from all over the world, including the United States. This newest attack appears to be a PHP object injection exploit for an existing vulnerability.

July 8, 2019 – Florida state worker steals resident’s Personally Identifiable Information (PII)

2,000 Florida Residents have their PII Stolen

Date Issued: July 8, 2019
Target Company: 2,000 Florida residents

Report Details

“About 2,000 Florida residents were potentially victimized by an employee of that state’s Department of Children and Family Services (DFCS) who accessed and used their PII to fraudulently make $260,000 in purchases.

Allegedly, state staffer Bertanicy Garcia, an interviewing clerk at the Miami DFCS, worked in conjunction with six accomplices to whom she distributed personal information gathered at her job enabling the gang to create fake credit cards and pull off tax fraud, The Gainsville Sun reported.

The investigation began in May when the sheriff’s office looked into Roxana Ruiz and Eduardo Lamigueiro when they opened multiple credit card accounts and used them to make several large purchases, The Sun reported. Information connecting the pair to Garcia was found on their cellphones leading to their arrest. However, they were released on bond and have since disappeared.

Lamigueiro allegedly sent Social Security information to Marcos Cobo-Gonzalez who used the information to commit tax fraud.”

(via scmagazine.com)

July 8, 2019 – The City of Griffin, Georgia hit with Phishing Email Scam that cost over $850,000

City of Griffin, GA – Malicious Phishing Scheme

Date Issued: July 8
Target Company: City of Griffin Finance Department
Undisclosed Email that led Department Chair to transfer funds

Report Details

Hackers were able to get a massive payout through a sophisticated phishing scheme aimed at the City of Griffin’s Finance Department. The scam was designed to be an email requesting funds from their third party water company, PF Moon. The phishing email was targeted at the Finance Department Official Chuck Olmstead, and it worked because he was the one who fell for the scheme.” The Finance Department officials believed the email to be from the water treatment facilities PF Moon and had made the first transaction of $581,180.51 on June 21, 2019. This was followed by a second transaction – $221,318 – which was done on June 26, 2019. The total amount lost in these two transactions stood at $802,499.29.” The City of Griffin has yet to recover any funds from the transactions, and is currently working with the FBI to resolve the matter.

July 5, 2019 – Hackers gain access to 7-Eleven’s App, Steal over $500,000 from Japanese Customers

7-Eleven Mobile Phone App (7-Pay) – Data Breach

Date Issued: July 5, 2019
Target Company: Japanese 7-Eleven 7-Pay App Downloaders

Report Details

Hackers were able to infiltrate 7-Eleven’s Mobile Phone Application through a security flaw in their 7Pay feature. The application was created for it’s Japanese market and was just released to the public on July 1, 2019. Victims reported they had been locked out of their accounts, just one day after creating them. 7-Eleven stated that over 900 accounts had been breached, stealing personal data and payment information through a faulty password reset function. The hack cost the 900 customers over 55 million Yen, or $500,000 USD. Immediately 7-Eleven had the banking accounts and cards suspended for the breached accounts, as well as shut down new registration for 7 Pay.

July 2, 2019 – Georgia Court Agency has its Systems Shut Down by Ransomware Attack

Georgia Court Agency – Ransomware

Date Issued: July 2, 2019
Target Company: Georgia Court Agency

Report Details

Right after three Florida Cities fall victim to attacks, the Administrative Office of the Courts in Georgia was targeted and taken down by Ransomware. The AOC reported that their infrastructure was taken offline by a ransomware infection. The AOC spokesperson, Bruce Shaw stated that they were able to cut off and quarantine the servers, but it has yet to be determined how many computers or systems were affected by the breach. The databases apparently contain no personal information. We are unsure if a ransom was paid at the moment.

July 2, 2019 – Father Bill's and MainSpring hit with a Ransomware Attack

Non-Profit Father Bill’s and MainSpring – Ransomware Attack

Date Issued: July 2, 2019
Target Company: Father Bill’s MainSpring Non-Profit Organization

Report Details

Yet again another ransomware attack hits, and this time it strikes the non-profit Father Bill’s and MainSpring, an organization that provides necessities for the homeless. Luckily, an anti-virus software was detected and blocked the threat in less than 30 seconds. Due to the anti-virus software, the ransomware was unable to encrypt or lock any of the files or computer systems. President and CEO, John Yawinski stated that there had be no exposure, and all files were restored without being compromised. The incident was immediately reported to the Massachusetts Attorney General Maura Healey, and any individual who had personal information stored within the system was notified.

July 1, 2019 – Malicious Android App Disguised as Game Steals Personal Information through Google Sign In API

‘Scary Granny ZOMBY Mod: The Horror Game 2019 – Malicious Android Game App

Date Issued: July 1, 2019
Target Company: ‘Scary Granny ZOMBY Mod’ Users with Google API Access
Google Sign-In API
Malicious Fake Google Sign In API during in-game account creation

Report Details

It was uncovered by researchers at Wandera, that an Android mobile phone application with over 50,000 downloads was phishing personal information from its user base whom had created an account through the Google Sign-In API that was built in. The application, “Scary Granny ZOMBY Mod: The Horror Game 2019” was a malicious phishing scheme disguised as an android mobile puzzle phone game. In the application, it would prompt the user to pay $22: the user would then click out of the pop up. After the user exited out of that pop up, it would ask for an account to be created through Google’s Sign In API. Once the credentials were given through the app, the scheme had succeeded. The hackers now had access to Google accounts, and the personal information that goes along with them (banking credentials, credit card details, personal conversations and info).

July 1, 2019 – Summa Health Breached By Phishing Scheme Compromising Important Patient Information

Summa Health – Malicious Phishing Scheme

Date Issued: Through August 2018 – March 2019
Target Company: Summa Health
Undisclosed Email or Link that unleashed Ransomware on 4 Employee Accounts

Report Details

Summa Health spoke out about an incident they discovered within their infrastructure. Two employee accounts were accessed in August of 2018, and two other accounts were accessed between March 11 and March 29. The employee accounts that were breached contained over 500 patients’ personal information which included, names, dates of birth, medical records, patient account numbers, social security, driver’s license number, and clinical and treatment information. This attack was the result of a highly sophisticated phishing scheme. Summa immediately hired a forensic investigator and secured the breached accounts and is providing identity protection services and credit monitoring for those impacted by the hack.

June 28, 2019 – FDA warns about potential cyber-security concerns with certain Medtronic insulin pumps

MiniMed 508 Insulin Pump and MiniMed Paradigm Series are both vunverable to cyberattacks

Date Issued: June 28, 2019
Target Company: Medtronic
Device Targeted: MiniMed 508 insulin pump and MiniMed Paradigm series insulin pumps
Attack Type: Undisclosed cybersecurity vulnerabilities

Report Details

FDA announced Thursday, June 27th 2019 that some Medtronic MiniMed insulin pumps are being recalled because of potential cybersecurity risks and said that patients using these models should switch to models that are better equipped to protect against such potential risks.

The agency noted it is not aware of any confirmed reports of patient harm stemming from these potential cybersecurity risks. According to FDA, the potential risks are linked to the wireless communication between Medtronic’s MiniMed insulin pumps and other devices such as blood glucose meters, continuous glucose monitoring systems, the remote controller, and CareLink USB device used with these pumps. FDA said it “is concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings.”

The recalled pumps are Medtronic’s MiniMed 508 insulin pump and MiniMed Paradigm series insulin pumps. The company is providing alternative insulin pumps to patients with enhanced built-in cybersecurity capabilities. Medtronic has identified about 4,000 U.S. patients who are potentially using insulin pumps that are vulnerable to this issue.

*FDA News Release (07/27/19)

June 28, 2019 – Unprotected database belonging to MedicareSupplement.com exposed almost 5 million user records

MedicareSupplement.com’s database of 5+ million left unprotected

Date Issued: June 28, 2019
Company: MedicareSupplement.com

Report Details

A security researcher, Bob Diachenko along with Comparitech uncovered a MedicareSupplement.com MongoDB database that was left open to the public without any authentication. MedicareSupplement.com responed quickly by taking down the database and disabling public access.

The leaky database included almost 5 million records containing personal information of users such as names, addresses, dates of birth, gender, email addresses, and IP addresses.
Additionally, almost 239,000 records were related to insurance interest area such as cancer insurance.

June 28, 2019 - Huntington Ingalls compromised by a large-scale hacking campaign

Navy’s largest shipbuilder was the target of several organs of the Chinese government.

Date Issued: June 28, 2019
Targets: Huntington Ingalls, Navy and Navy-affiliated industrial base partners
Attack Variant: Cloud Hopper

Report Details

According to a Reuters report, the Navy’s largest shipbuilder was the target of several organs of the Chinese government and the recipient of a hacking campaign.

Huntington Ingalls denied the allegation in a June 27 email to Fifth Domain (fifthdomain.com), saying, “there was no breach of information” from Newport News Shipyard, nor were their systems connected to a foreign server controlled by a Chinese group, known as APT10.

“During a private briefing with HPE staff, Huntington Ingalls executives voiced concern the hackers could have accessed data from its biggest operation, the Newport News, Va., shipyard where it builds nuclear-powered submarines, said a person familiar with the discussions. It’s not clear whether any data was stolen,” Reuters reported.

June 28, 2019 – EA Gaming's Origin Platform Exposed 300 Milllion User Acer Accounts

EA Sports Gaming – Bug in Script on Subdomain

Date Issued: June 27, 2019
Target Company: EA Sports Gaming
Subdomain Bug Exploits Accounts

Report Details

EA Sports Gaming company just reported that a bug in the subdomain eaplayinvite.ea[.]com, which is exploited and can be hijacked by Azure users. A trust mechanism that was built into the script could be used to mess with the OAuth protocol. This protocol is used by EA to authenticate user. Once hijacked, a complete take-over of accounts is capable. It is believed that the hackers stole credit card information, and were used to make purchases.

June 27, 2019 – Microsoft Warns Users of Malicious Campaign that Drops FlawedAmmyy RAT

FlawedAmmyy Remote Access Trojan (RAT)

Date Issued: June 25, 2019
Target: Known to target the automotive industry and is associated with TA505’s campaigns.
Type of Attack: Spam emails containing malicious .xls attachments, msiexec.exe deployed which downloads an MSI archive which executes a series of executable files and a FlawedAmmyy RAT is the final executable file in this series and is directly ran in memory.

Report Details

Microsoft has uncovered a new attack campaign which delivers the well-known FlawedAmmyy remote access trojan (RAT). The campaign has weaponized spam emails that come with a .xls attachment and makes use of Excel macros to spread the RAT. According to Microsoft’s Security Intelligence team, the campaign employs a complex infection chain to execute FlawedAmmyy RAT directly in memory.

The FlawedAmmyy RAT payload (malware) does not target a specific vulnerability and can compromise a fully-patched Windows system. Users are advised to be wary of suspicious emails written in foreign languages and make sure they do not open attachments present in them.

June 27, 2019 – Westwood Borough, NJ. Compromised by Undetected Malware Attack

Westwood Borough, Bergen County, New Jersey – Malware

Date Issued: June 27, 2019
Target: Customer Information (Banking, SS#, Addresses)

Report Details

Westwood Borough in Bergen County, New Jersey was breached by a malware attack that compromised data stored within their systems. The borough had hired a 3^rd party forensics analysis company back in January, when they had noticed unusual activity within their network. The information compromised included Social Security numbers, State and Driving IDs, as well as bank account details.

The forensics analysis team stated they could not find how or where exactly the malware was unleashed. As a precaution Westwood wanted to bring this to the public’s attention

June 27, 2019 – Lake City, Florida crushed by Malicious Malware Link

Lake City, Florida crushed by Malicious Malware Link – Ransomware

Date Issued: June 27, 2019
Target: Lake City, Florida Local Government

Report Details

Big time hackers target Lake City, Florida local government this week. The mayor stated the community paid a $460,000 ransom to get back control of their email and servers that had been down for two weeks ago. The ransomware attack froze city workers out of their email accounts which disabled the community’s ability to pay city bills online. Lake City’s insurance was able to cover the whole ransom, except for around $10,000. The mayor says this could lead to higher taxes for better insurance so this doesn’t happen again. The hackers were able to infiltrate the malware through an malicious email link that was clicked on by a city employee.

June 24, 2019 – U.S. government agencies targeted by Iranian spearphishing campaigns

U.S. Government Agencies targets of Iranian spearphishing campaigns

Date Issued: June 24, 2019
Target: Undisclosed U.S. government agencies
Spearphishing campaigns

Report Details

Representatives from two cyber threat intelligence firms told Fifth Domain (fifthdomain.com) June 24 that they were aware Iran had conducted highly-customized spearphishing campaigns. In some cases, experts said, the attacks included what’s known as a lure document to entice victims to click and inadvertently install malware. U.S. government agencies were among the targets of the attacks.

June 24, 2019 – Marin Community Clinics Sodinokibi Ransonware attack

Marin Community Clinics – Sodinokibi Ransonware Attack

Date Issued: June 24, 2019
Target: Marin Community Clinics
Sodinokibi Ransonware attack via malicious link in email

Ransomware Methods

Genuine Looking Content
Disguised Hyperlinks
Cryptolock

Report Details

Marin Community Clinics was able to resume use of its computer system after being hit by a ransomware attack last week.

Unidentified hackers managed to encrypt the clinics’ data and demanded a ransom to decrypt it. Mitesh Popat, the clinics’ CEO, said no patient information was compromised during the attack and little or no information was lost.

Cyber Threat Report

Read the latest Cyber Threat Report on current cyber threats now, benefit from exclusive assessments by Hornetsecurity security experts, and learn how you can effectively protect yourself as an organization. All figures and statistics on Advanced Persistent Threats, Malware and Digital Espionage are available at the following link.

» Get Report

First name:
Last name:
Email:*
Hidden
newsletter_type
Hidden
mkt_optin
Hidden
website_lang
Data Privacy*
- I agree to the processing of my data in order to receive this newsletter of Hornetsecurity Inc. with regard to the stated contents. I can revoke this agreement at any time affecting the future, at the simplest by confirming the unsubscribe link at the end of each newsletter or by sending a message to privacy@hornetsecurity.com. I have taken note of the data protection regulations and the information about the processing of data included therein, in particular regarding my rights.
Phone
This field is for validation purposes and should be left unchanged.

Stay informed

Be the first to receive blog updates, threat alerts, information on cloud security trends, and details on new services from Hornetsecurity.



Threat Alerts

Get information about the latest cybercrime threats and dangers.



Exclusive Content Access

As a subscriber you get free access to exclusive content, such as case studies, white papers, webcasts, and other interesting information.



News and Updates

Get information on current cloud security trends in the form of technical papers.



Service Information

We are proud to inform you about new features of our services, as well as show you in detail how you can benefit from our services.

Benefit from our Premium Services

As one of the leading cloud security providers, we offer you a wide range of services for your email security. These include 365 Total Protection, Advanced Threat Protection and our Spam Filter Service.

» More

Test our innovative services today

Do not buy a pig in a poke, but get an insight into our Cloud Security Services in advance for a 30-day trial period. Find out how you can protect your business against cybercrime.

» More

Reliable services

We protect our customers against cyber attacks of various kinds. Our premium services – based on sophisticated engines – protect you against spam, business email compromise (BEC), phishing and ransomware.

» More

Hornetsecurity – The Cloud Security Pioneer

Our experienced specialists from the Security Lab recognize and analyze current threat situations. Benefit from our knowledge and convince yourself of our 24/7 Cloud Security Services.

» More

Latest Blog Articles & Security Informations

» Subscribe now

HTML Phishing Asking for the Password Twice

Security Information, Security information

Nothing but the same old threat? Phishing campaigns always seem to proceed by the same principle: A link or attachment placed in an email redirects to a phishing website to retrieve specific data about the recipient. However, for some users, a certain process has now become established that is designed to expose the traditional phishing tactics. Now the Hornetsecurity Security Lab has discovered a phishing scheme that is designed to circumvent this method…

The XZ Utils Backdoor, CSRB’s Report on Storm-0558 & More

Podcast

In this episode of the Security Swarm Podcast, our host Andy Syrewicze discusses the key findings from Hornetsecurity’s Monthly Threat Report with guest Michael Posey. The Monthly Threat Report is a valuable resource that provides monthly insights…

HTML Phishing Asking for the Password Twice

Security Information, Security information

Unmasking Phishing: Understanding the Insidious Threat to Your Organization

Email Security

In this article, we delve into the pervasive threat of phishing and its profound implications for organizational security. Phishing, an ever-evolving tactic employed by cybercriminals, continues to pose a significant risk to businesses worldwide. From impersonating...

Brute Force Attacks

A brute-force attack is a trial-and-error method used to obtain information such as passwords or other access codes. Here, the attacker tries a variety of …

» More

Cryptolocker Ransomware

The cryptolocker ransomware was a polymorphic virus, which was used to encrypted computer systems. The only option affected …

» More

Cyber Kill Chain

To identify and combat attacks along the Cyber Kill Chain in time, you need to understand the strategies of the criminals …

» More

Ransomware Kill Chain (Part 1)

Why ransomware is not a typical cyberattack? Normally, the data theft remains undetected. This is especially true when the systems are insufficiently protected. But it is quite a different case with ransomware …

» More

Ransomware Kill Chain (Part 2)

How to use the Ransomware Kill Chain model to devise countermeasures? The Ransomware Kill Chain using Wanna Cry as an example …

» More