InForce Cyber

Threat Report December 2021


Shutterfly services disrupted by Conti ransomware attack

Photography and personalized photo giant Shutterfly has suffered a Conti ransomware attack that allegedly encrypted thousands of devices and stole corporate data.

Although many associate Shutterfly with their website, the company’s photography-related services are aimed at consumer, enterprise, and education customers through various brands such as GrooveBook, BorrowLenses, Shutterfly.com, Snapfish, and Lifetouch.

The main website can be used to upload photos to create photo books, personalized stationery, greeting cards, post cards, and more.

Global IT services provider Inetum hit by ransomware attack

Less than a week before the Christmas holiday, French IT services company Inetum Group was hit by a ransomware attack that had a limited impact on the business and its customers.

Inetum is active in more than 26 countries, providing digital services to companies in various sectors: aerospace and defense, banking, automotive, energy and utilities, healthcare, insurance, retail, public sector, transportation, telecom and media.

On Sunday, December 19, Inetum became the target of a ransomware attack that affected some of its operations in France and did not spread to larger infrastructures used by the customers.

Pro Wrestling Tees discloses data breach after credit cards stolen

Popular wrestling t-shirt site Pro Wrestling Tees has disclosed a data breach incident that has resulted in the compromise of the financial details of tens of thousands of its customers. Pro Wrestling Tees is a website allowing professional wrestlers to set up their own mini-stores to sell merchandise like shirts, posters, action figures, and more to their fans. The platform also organizes regular meet-ups for fans to meet their favorite athletes, making the site very popular among the various wrestling communities worldwide.

Albanian prime minister apologizes over database leak

TIRANA, Albania – Albania’s prime minister on Thursday apologized for a big leak of personal records from a government database of state and private employees, which he said seems more like an inside job than a cyber attack. A file containing the personal identity card numbers, employment and salary data of some 637,000 people became public this week and was widely shared through messaging apps.

Phishing incident causes data breach at West Virginia hospitals

A hospital system in West Virginia has suffered a data breach resulting from a phishing attack, which gave hackers access to several email accounts. Monongalia Health System – which runs Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company – said that hackers had access to several email accounts from May 10 to August 15. These accounts contained sensitive information from patients, providers, employees, and contractors. The company concluded its investigation into the incident on October 29, finding that the attack resulted from an email phishing incident.

Virginia Still Working to Fix Issues After Ransomware Attack

The information technology agency that serves Virginia’s legislature is still working to fix problems caused by a ransomware attack earlier this month, a state official said Tuesday.

The attack substantially affected operations and occurred during preparations for a legislative session that is set to start Jan. 12.

Dave Burhop, executive director of Virginia’s Division of Legislative Automated Systems, told The Associated Press in an email that the agency’s “goal is to have the General Assembly session operational to the greatest extent possible.” “Our technical, investigative and administrative teams have been working tirelessly,” Burhop wrote.

Burhop said a full forensic analysis generally takes several weeks. And he said he hopes the initial analysis will be finished just after the New Year.

Belgian Defense Ministry confirms cyberattack through Log4j exploitation

The Belgian Ministry of Defense has confirmed a cyberattack on its networks that involved the Log4j vulnerability. In a statement, the Defense Ministry said it discovered an attack on its computer network with internet access on Thursday. They did not say if it was a ransomware attack but explained that “quarantine measures” were quickly put in place to “contain the infected elements.” “Priority was given to the operability of the network. Monitoring will continue. Throughout the weekend, our teams were mobilized to contain the problem, continue our operations and alert our partners,” the Defense Ministry said.

DeFi protocol Grim Finance lost $30M in 5x reentrancy hack

An apparent security flaw in the Grim Finance protocol allowed the attacker to fake five additional deposits. The decentralized finance (DeFi) protocol Grim Finance reported $30 million in losses due to a reentrancy exploit of the platform’s deposits.

Grim Finance officially announced on Saturday that an “external attacker” had exploited the DeFi platform, stealing “over $30 million” worth of cryptocurrencies.

According to Grim Finance, the hack was an “advanced attack,” with the attacker exploiting the protocol’s vault contract through five reentrancy loops, which allowed them to fake five additional deposits into a vault while the platform was processing the first deposit.
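As an added illustration of the pattern described above (this is constructed example code, not Grim Finance's contract), a minimal Solidity vault that credits shares from the balance change measured around an external token transfer, shown first without and then with a reentrancy guard; the contract, function and variable names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative single-asset vault (constructed example, not Grim Finance's code).
// Shares are credited from the balance change measured around an external token call.
contract ExampleVault {
    IERC20 public immutable want;              // deposit token fixed at deployment
    mapping(address => uint256) public shares; // share balance per depositor
    uint256 public totalShares;
    bool private locked;

    constructor(IERC20 _want) {
        want = _want;
    }

    // Mutex: a nested call into any guarded function reverts while the
    // outer call is still executing, so a callback cannot re-enter.
    modifier nonReentrant() {
        require(!locked, "ReentrancyGuard: reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // VULNERABLE pattern: transferFrom is an external call made before any state
    // is written. If the token hands control back to the caller, the caller can
    // invoke this function again; the outer call's balance delta then also covers
    // the nested deposits, so the same tokens are credited more than once.
    function depositUnsafe(uint256 amount) external {
        uint256 before = want.balanceOf(address(this));
        require(want.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = want.balanceOf(address(this)) - before;
        _credit(msg.sender, received);
    }

    // HARDENED: identical accounting, but the guard rejects nested entry.
    function deposit(uint256 amount) external nonReentrant {
        uint256 before = want.balanceOf(address(this));
        require(want.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = want.balanceOf(address(this)) - before;
        _credit(msg.sender, received);
    }

    function _credit(address to, uint256 amount) internal {
        shares[to] += amount;
        totalShares += amount;
    }
}
```

With one level of nesting, the unsafe path credits the inner call its own delta and the outer call a delta that includes it, so two deposits of the same size mint three times that amount in shares; the guarded path reverts the nested call instead.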

Leaks and Breaches

Company: Finite Recruitment (New Zealand)
Information: The company was listed on the Conti leak site, with actors claiming to have stolen 300GB of data, including financial information, contracts, employee contracts, passport details, customer databases, and more. The databases also contained customer phone numbers and addresses. The Conti operators later leaked more than 12,000 files.
Affected: Unknown

Company: Gumtree.com Ltd (UK)
Information: The company was found to leak sellers’ personally identifiable information within the HTML source of adverts. The compromised data on every advertisement includes seller surnames, email addresses, postcodes, and GPS locations.
Affected: Unknown

Company: McMenamins Inc (US)
Information: The company suffered a Conti ransomware attack on December 13th, 2021, that encrypted its servers and workstations. Corporate data and documents were stolen, but it remains unknown whether customer data was compromised as well.
Affected: Unknown

Company: Hellmann Worldwide (Germany)
Information: The threat group RansomEXX published 70.64GB of exfiltrated data from the company on their leak portal. The files included credentials, correspondence, agreements, orders, and more.
Affected: Unknown

Company: Tackle Warehouse, Running Warehouse, Tennis Warehouse, and Skate Warehouse (US)
Information: The four affiliated online stores confirmed on November 29th, 2021, that the personal information of customers was stolen in a cyberattack. Potentially compromised information included names, financial account numbers, credit and debit card numbers, full CVV numbers, and website account passwords.
Affected: 1,813,224

Company: Lametayel and Tiuli (Israel)
Information: The hacker group Sharp Boys claimed responsibility for a cyberattack against the two companies. The group claims to have stolen personal data of users, including usernames, emails, phone numbers, and passwords.
Affected: 3,000,000

Company: Dacoll (UK)
Information: Clop ransomware operators targeted the company, allegedly stealing data from the UK’s Police National Computer and leaking it on the dark web. Stolen files supposedly include images exfiltrated from the national Automatic Number Plate Recognition system, as well as personal information and records of individuals. A Home Office spokesperson has since stated that no records were accessed, whilst links to the stolen data have been deleted from the actor’s Tor leak blog.
Affected: 13,000,000

Company: ICV Digital Media (US)
Information: A publicly accessible bucket belonging to the company was discovered. The bucket contained more than 4TB of customer data. Affected companies include 24 Hour Fitness, American Association of Immunologists, Abbott Laboratories, Deloitte, FireEye, and more.
Affected: Unknown

Company: Baylor Scott & White Medical Center (US)
Information: The healthcare facility reported a data breach after an employee may have accessed patient records without authorisation on two separate occasions during 2020. Potentially compromised information includes names, dates of birth, home and email addresses, phone numbers, medical record numbers, and more.
Affected: 883

Company: Sennheiser (Germany)
Information: An Amazon Web Services S3 bucket belonging to the company was found to be publicly accessible. The bucket contained the personal data of customers collected between 2015 and 2018. Among the exposed data were names, email addresses, phone numbers, home addresses, and more.
Affected: 28,000

Here’s the top 10 list of CVEs released by Microsoft for December 2021:

Trending Vulnerable Products

Malware mentions in the Banking & Finance Industry