In this week's digest, we explore the biggest cyber security stories from the week, including how threat actors had access to the databases of the largest SMS routing firm for five years and the threat group zeroing in on the healthcare sector with ransomware attacks. Keep reading to stay up to date with the latest cyber security stories.
On Wednesday, someone shared a torrent link on 4chan leading to a 125GB archive containing data allegedly stolen from roughly 6,000 internal Twitch Git repositories. Twitch has since claimed that no login credentials or credit card numbers belonging to users or streamers were exposed in the leak. It added that attackers were able to gain access to the stolen data because of a faulty Twitch server configuration change. The 4chan user who leaked the archive titled the post "twitch leaks part one", hinting that additional stolen data is likely to be leaked as well.
FIN12 is a prolific, financially motivated threat actor that executes ransomware attacks and has been active since October 2018. In a recent profile of FIN12, researchers noted that the group has been targeting the healthcare sector using Ryuk and Conti ransomware. The report also found that the group has been reducing its attack time, with the average time spent on a victim's network dropping to less than three days in 2021. Researchers believe that FIN12 may be choosing its victims through a TrickBot administration panel that allows it to interact with compromised machines.
On Thursday, the Apache Software Foundation released additional security updates for its HTTP Server product to remediate what it describes as an "incomplete fix" for an actively exploited path traversal and remote code execution flaw that it had patched earlier this week. Apache HTTP Server is an open-source, cross-platform web server that powers approximately 25% of websites worldwide. A Shodan search revealed over 112,000 Internet-exposed and vulnerable Apache HTTP servers, giving attackers a wide selection of potential targets.
One of the UK's largest newspapers and online media outlets, the Telegraph, has leaked 10 TB of data after failing to properly secure one of its databases. The exposed information includes internal logs, subscribers' full names, email addresses, device information, URL requests, IP addresses, authentication tokens and unique reader identifiers. The researchers who discovered the unprotected dataset confirmed that at least 1,200 unencrypted contacts were accessible without a password. Most concerning is the registrant information of Apple News subscribers, which includes passwords in plaintext form.
Syniverse is one of the largest service providers for telecommunications companies such as Vodafone, AT&T, T-Mobile, Verizon and Telefonica. Syniverse disclosed that an unauthorised party had access, on several occasions, to databases on its network. The company became aware of the intrusions in May 2021, and an internal investigation has been ongoing since. The investigation revealed that the unauthorised access began in May 2016. The attackers maintained access to Syniverse's internal databases and compromised the login data for the Electronic Data Transfer environment belonging to 235 customers.