Daily Brief
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-10-02 15:14:56 | bleepingcomputer | DATA BREACH | Motel One Group Announces Data Breach Following Ransomware Attack from BlackCat/ALPHV Gang | Low-budget hotel chain Motel One Group has disclosed a data breach involving customer and credit card data following a ransomware attack. The chain operates more than 90 hotels with some 25,000 rooms across several countries. According to the company, the attackers intended to deploy ransomware but its protective measures limited their success. Initial findings from the ongoing investigation point to the theft of customer addresses and the details of 150 credit cards. The BlackCat/ALPHV gang, which has claimed responsibility, disputes this and says it stole nearly 24.5 million files totalling 6 TB. The gang has given Motel One five days to negotiate a ransom before it leaks everything it took. It is not yet known whether Motel One is revising its initial findings in light of the gang's public claims. |
| 2023-10-02 15:04:22 | bleepingcomputer | CYBERCRIME | FBI Warns of Rising 'Phantom Hacker' Scams Targeting Elderly Citizens | The FBI has warned of a surge in 'phantom hacker' scams targeting senior citizens in the US. In this evolution of the tech support scam, fraudsters pose as tech support personnel, bank representatives or government officials and persuade victims to move their savings to supposedly 'secure' accounts that the scammers control. Between January and June 2023 the FBI's Internet Crime Complaint Center (IC3) received 19,000 tech support scam complaints with estimated losses of over $542 million; nearly half of the victims were over 60, and they accounted for 66% of the losses. By August 2023, losses for the year were already 40% higher than the total for all of 2022. The FBI advises people not to act on unsolicited pop-ups, text messages or emails and never to grant control of their computer to an unknown caller, and it stresses that the US government never demands payment in cryptocurrency, prepaid cards or foreign wire transfers. Victims are encouraged to report to the IC3 with the caller's identity, the communication channel used, and the name and address of the account that received the funds. |
| 2023-10-02 13:47:49 | theregister | CYBERCRIME | Suspected Mass Exploitation Attempts Against Progress Software's WS_FTP Begin | Rapid7 researchers have observed what appears to be exploitation of the recently patched vulnerabilities in Progress Software's WS_FTP Server. The activity began on 30 September, shortly after Progress released fixes for eight WS_FTP flaws, and its pattern suggests an attempt at mass exploitation rather than targeted attacks. The attacks are so far low in volume and limited in visibility, but WS_FTP users include Rocksteady, the Denver Broncos, Scientific American and H&M, and an Assetnote scan found about 2,900 internet-exposed hosts running the software, many of them at large enterprises, governments and educational institutions. Proof-of-concept exploit code began circulating online two days after Progress's advisory, raising the likelihood of exploitation. Rapid7 urges users to upgrade to the latest WS_FTP release and, where the Ad Hoc Transfer module is in use, to disable or remove it. Progress has already suffered the mass exploitation of another of its products, MOVEit Transfer, by the Cl0p gang this year, and faces multiple lawsuits over the resulting breaches, which affected at least 400 organizations. |
| 2023-10-02 11:29:26 | theregister | CYBERCRIME | AWS Unveils MadPot, a Decade-Old Threat Intelligence Tool Thwarting Espionage & Botnet Attacks | AWS has disclosed MadPot, a previously unpublicised threat intelligence system that has been running since 2010. It consists of tens of thousands of sensors deployed as decoy services on AWS that record and analyse whatever probes them. The system observes more than 100 million potential threats a day, of which about 500,000 are classified as malicious, and the resulting intelligence feeds a large data lake used for later analysis. Past cases include identifying Volt Typhoon, the Beijing-backed espionage group targeting US critical infrastructure, through a unique signature in its payloads, and more recently disrupting Sandworm, a unit tied to Russia's GRU military intelligence service, which sought to hijack WatchGuard and ASUS routers for its Cyclops Blink botnet. In Q1 2023 MadPot helped stop over 1.3 million botnet-driven DDoS attacks, identified almost 2,000 botnet command-and-control hosts, and worked with hosting providers and domain registrars to dismantle that control infrastructure. It also helps spot and curb network-flooding DDoS attempts and credential-stuffing attacks by revealing attackers' tactics and intended targets. AWS says it will keep expanding MadPot's capabilities and intelligence as threats evolve. |
| 2023-10-02 11:29:26 | thehackernews | CYBERCRIME | Silent Skimmer: Long-term Web Skimming Attacks Target Online Payment Businesses | The BlackBerry Research and Intelligence Team has identified a financially motivated campaign, dubbed 'Silent Skimmer', that targets online payment businesses in Asia Pacific, North America and Latin America. The attackers exploit vulnerabilities in public-facing web applications to compromise the payment checkout page and plant a web skimmer that harvests sensitive payment data. After the initial breach they rely on open-source tools and living-off-the-land techniques for privilege escalation, post-exploitation and code execution, and use a PowerShell-based remote access trojan to control the web server and place a scraper in the checkout service. Command-and-control servers are chosen to match the victims' geographic location so that the traffic does not stand out. The operators focus on regional websites that collect payment data and on widely used technologies with known vulnerabilities. Separately, Sophos has warned of a pig butchering scam that lures victims into fake cryptocurrency investments via dating apps; unlike Silent Skimmer it involves no malware or hacking, only fraudulent websites and social engineering. |
| 2023-10-02 11:29:26 | thehackernews | CYBERCRIME | LUCR-3 Hacker Group Expands Attacks, Leverages SaaS Tools for Data Theft and Extortion | LUCR-3, an actor that overlaps with Scattered Spider, Oktapus, UNC3944 and STORM-0875, targets Fortune 2000 companies in sectors including software, retail, hospitality, manufacturing and telecoms, primarily to steal intellectual property (IP) for extortion. The group works with the victim's own tools, applications and resources rather than malware or custom scripts. Initial access comes from compromising identities at the identity provider (IdP); LUCR-3 then uses the organisation's SaaS applications to learn how it operates and where sensitive data lives. Stolen data is mostly IP, code signing certificates and customer data, and extortion demands often run to tens of millions of dollars. The group persists and evades detection in several ways, including subtle changes to MFA settings, and operates from Windows 10 systems using GUI utilities to carry out its work in the victim's cloud environments. It conducts extensive reconnaissance before committing to a target, favouring large organisations with valuable IP and those that can be leveraged for supply chain attacks, and its recent activity shows an expansion into hospitality, gaming and retail. Once inside, it moves through native applications and SaaS tools to locate crucial data without raising alerts. |
| 2023-10-02 11:29:26 | thehackernews | CYBERCRIME | Increased Threat: APIs Becoming Prime Targets for Cyber Security Attacks | Application programming interfaces (APIs) are the bridges through which applications share data and functionality, and their growing use has made them attractive targets across industries. The OWASP API Security Top 10 ranks broken object level authorization (BOLA) as the top API vulnerability: an API that authenticates the caller but never checks that the caller is allowed to access the specific object requested lets an attacker with minimal skill simply change an object ID in a request and read or modify other users' data. API-targeted attacks have risen by 137%, with healthcare and manufacturing the primary targets; the Internet of Medical Things and its API ecosystem, and the spread of IoT devices and systems in manufacturing, have widened the attack surface in those sectors. The connectivity and efficiency that APIs bring carry significant risk, as shown by breaches at Quest Diagnostics (healthcare), Latitude Financial (financial services), Dropbox (technology) and Peloton (retail). To mitigate API risk, organisations should enforce strong authentication and authorization, run regular vulnerability assessments, comply with industry regulations, vet third-party APIs before integrating them and monitor them continuously for abuse. BreachLock recommends treating API security as a major initiative in the face of increasingly sophisticated and frequent API attacks. |
| 2023-10-02 08:06:38 | thehackernews | MALWARE | High-Severity 'Zip Slip' Vulnerability Found in OpenRefine Data Cleanup Tool | A 'Zip Slip' vulnerability has been disclosed in OpenRefine, the open-source data cleanup and transformation tool, that could allow arbitrary code execution on affected systems. Tracked as CVE-2023-37476 with a CVSS score of 7.8, it affects versions 3.7.3 and earlier and is triggered by importing a specially crafted project. The flaw is a directory traversal bug in archive extraction: entry names in the imported project archive can contain path components such as ../ that cause files to be written outside the intended directory. A user tricked into importing a malicious project file could thereby have files planted in locations that lead to arbitrary code execution on their machine. The issue was responsibly disclosed on July 7, 2023 and fixed in version 3.7.4, released on July 17, 2023. It follows recent alerts about high-severity bugs in Microsoft SharePoint Server and Apache NiFi, both since patched; flaws of this kind can enable unauthorized access and compromise data integrity, with financial and reputational consequences if left unaddressed. |
| 2023-10-02 05:34:08 | thehackernews | MALWARE | New Malware-as-a-Service Threat 'BunnyLoader' Discovered on Cybercrime Underground | Security researchers have identified BunnyLoader, a new malware-as-a-service offering sold on cybercrime forums that can download and execute a second-stage payload, steal credentials, log keystrokes and swap cryptocurrency wallet addresses on the victim's clipboard. Written in C/C++ and sold for a $250 lifetime licence, it has received continuous updates since its September 2023 debut, including anti-sandbox and antivirus evasion features. Buyers get a command-and-control (C2) panel for monitoring and controlling compromised systems. The initial access vector used to distribute it is unknown; once installed it persists via a Windows Registry change and runs a series of environment checks before activating its payloads. Those include a trojan that fetches next-stage malware, a keylogger, a stealer that harvests data from messaging apps and web browsers, and a clipper that redirects cryptocurrency transactions to attacker-controlled wallets. BunnyLoader joins recent finds such as MidgeDropper, Agniane Stealer and The-Murk-Stealer, underscoring the growth and sophistication of malware-as-a-service in the criminal underground. |
| 2023-10-02 05:08:32 | thehackernews | MALWARE | Zanubis Android Banking Trojan Disguises as Peruvian Government App | A new Android banking trojan called Zanubis is posing as a Peruvian government app and infecting devices in Latin America, targeting 40 banks in Peru. Kaspersky's analysis found that the trojan takes full control of an infected device by tricking the user into granting it accessibility permissions. Once installed, it runs covertly in the background, maintaining a connection to an attacker-controlled server for next-stage commands and tracking which applications are launched on the device so it can steal data from them. It keeps up a facade of legitimacy by loading the genuine website of Peru's customs and tax agency in a WebView while monitoring the apps the user opens. A distinguishing feature is its ability to masquerade as an Android operating system update, locking the user out of the device while it operates and monitoring any attempts to lock or unlock the phone. Separately, AT&T Alien Labs disclosed another Android remote access trojan, MMRat, capable of capturing user input and screen content alongside its command-and-control functions. |
| 2023-10-02 01:04:58 | theregister | MISCELLANEOUS | Singapore Introduces Passport-Free Biometric Immigration Clearance | Singapore has passed the Immigration Amendment Bill, enabling passport-free, end-to-end biometric clearance at its airports from 2024. It will be among the first countries to do so: Dubai offers similar clearance to selected enrolled travellers, but no other country currently plans such a system. Passports will still be needed for international travel, and airlines will likely continue to check them for identity and visa verification. The move is driven by a boom in travellers, an ageing population, security threats and a shrinking workforce at Singapore's Immigration & Checkpoints Authority. Travellers will need to provide biometric data to the airport operator for baggage handling, access control, boarding, duty-free purchases and security purposes. In response to concerns about data privacy and technical failures, related IT contracts will go only to Singaporean companies, all data will be encrypted, and vendors will be bound by non-disclosure agreements. Manual clearance will remain available for those who cannot provide certain biometrics or are less digitally literate. |
| 2023-10-01 21:57:10 | theregister | CYBERCRIME | Progress Software Patches Known Vulnerabilities in WS_FTP; Johnson Controls Hit by Major Ransomware Attack; Supply Chain Fears Rise as Japanese Carrier NTT Docomo is Targeted | Progress Software has released patches for its WS_FTP file transfer product after eight vulnerabilities were identified, one of which scores a maximum 10.0 on the CVSS severity scale. All versions of WS_FTP Server prior to 8.7.4 and 8.8.2 are exposed to a .NET deserialization attack by an unauthenticated attacker, alongside path traversal, cross-site scripting and SQL injection issues among others. High-profile WS_FTP users such as H&M and the Denver Broncos are advised to update their installations immediately. Industrial systems firm Johnson Controls acknowledged a "cybersecurity incident" in an SEC filing that multiple sources describe as a large ransomware attack, allegedly involving the theft of over 27 TB of company data; the Dark Angels ransomware group is reportedly demanding $51 million. Japanese mobile carrier NTT Docomo is believed to have been targeted in a possible supply chain attack by Ransomed.vc, the group that earlier claimed to have leaked data stolen from Sony; researchers at Resecurity are investigating a possible link between the two incidents. |
| 2023-10-01 18:27:31 | bleepingcomputer | MISCELLANEOUS | Amazon Mistakenly Sends Confirmation Emails for Gift Card Purchases | Amazon has mistakenly sent purchase confirmation emails for Hotels.com, Google Play and Mastercard gift cards to customers who made no such purchases. Many recipients assumed their accounts had been compromised. Customers reported receiving three separate emails from Amazon, one per gift card, with no matching orders in their account history. The messages were sent through Amazon Simple Email Service and passed both DKIM and SPF authentication, so they genuinely originated from Amazon's mail infrastructure rather than from a spoofing attacker. A support agent confirmed that Amazon sent the emails in error to every recipient. The messages themselves noted that gift cards are commonly demanded as payment in online scams, which added to recipients' worries about a possible fraud attempt. Amazon has yet to respond officially to media queries. |
| 2023-10-01 17:31:11 | bleepingcomputer | CYBERCRIME | Newly Discovered Marvin Attack Highlights Revived Flaw in RSA Decryption | Red Hat researchers have shown that a flaw first described in 1998 (Bleichenbacher's padding oracle against RSA PKCS #1 v1.5) still affects many widely used projects, this time through timing side channels in RSA decryption on TLS servers. Named the 'Marvin Attack', the technique lets an attacker decrypt RSA ciphertexts, forge signatures, and decrypt sessions recorded from a vulnerable TLS server. The researchers demonstrated that the attack can be carried out in a few hours on ordinary hardware, making it practical. The underlying problem is not confined to RSA: most asymmetric algorithms are susceptible to side-channel attacks if their implementations are not constant-time. The advice is not to rely on RSA PKCS #1 v1.5 encryption and to ask vendors for backward-compatible alternatives; disabling RSA alone does not remove the risk. No in-the-wild exploitation has been observed so far, but publication of the findings and test details could change that. |
| 2023-10-01 17:31:11 | bleepingcomputer | MALWARE | LostTrust Ransomware Revealed as Potential Rebrand of MetaEncryptor | The LostTrust ransomware operation appears to be a rebrand of the MetaEncryptor gang, with near-identical data leak sites and encryptors. LostTrust began attacking organizations in March 2023 but only drew wide attention in September when it launched a data leak site, which currently lists 53 victims worldwide, some of whose data has already been published for non-payment. Researchers found that the LostTrust and MetaEncryptor encryptors are almost identical, differing only in ransom note text, ransom note file names and embedded public keys. Both are based on the SFile2 ransomware encryptor, as corroborated by significant code overlap in an Intezer scan. Ransom demands range from $100,000 to several million dollars. Whether paying results in data deletion and a working decryptor is currently unknown. |