Breach Roundup: Sisense Supply Chain Attack
Also: A Romanian Botnet and Alcohol Counselor Monument Settles With US FTC Over Ads
Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, a U.S. warning for Sisense customers, a likely Romanian botnet, a really big Patch Tuesday, Apple warns iPhone owners in 92 countries about a potential spyware infection and AT&T notifies customers of a data breach. Also, online alcohol treatment firm Monument won't be able to share client data with advertisers, Home Depot employees are affected by a breach, Targus discloses a breach and a threat actor is targeting activists in Morocco.
US CISA Urges Sisense Customers to Change Credentials After Apparent Supply Chain Attack
The U.S. Cybersecurity and Infrastructure Security Agency on Thursday urged customers of data analytics service provider Sisense to reset logon credentials and authentication secrets.
The agency said it is responding to "a recent compromise discovered by independent security researchers" at Sisense and is working with industry to address the incident. New York-headquartered Sisense counts Air Canada, Philips and Verizon among its customers. Citing a "source familiar with the investigation," CyberScoop reported the incident "may have exposed hundreds of Sisense's customers to a supply chain attack and provided the attacker with a door into the company's customer networks."
Brian Krebs posted a message he said the Sisense CISO sent to customers warning that "company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet)." The independent cybersecurity journalist described the incident as a supply chain attack potentially affecting many millions of credentials and hundreds of tenants.
Founded in 2004 in Tel Aviv, Sisense makes software that allows customers to collect, analyze and visualize data by tapping into corporate networks.
Rubycarp Botnet Uncovered After a Decade
Security researchers at Sysdig said they spotted a botnet that has been in action for at least 10 years, operated by an apparently Romanian criminal group.
The threat actor, which Sysdig calls Rubycarp, "is interested in payloads that enable financial gain" including cryptomining, phishing and distributed denial of service. "We have seen it deploy a number of different tools to monetize its compromised assets," including harvesting credit cards through phishing operations.
Rubycarp spreads its botnet through public exploit and brute force attacks. Sysdig said it may be related to the Outlaw hacking group discovered by Trend Micro in 2018. Both use Shellbot, a botnet using a Perl-written script that exploits Shellshock, the collection of vulnerabilities in the Bash command line interface discovered in 2014 (see: Bash Bug: Bigger Than Heartbleed). But that's hardly a definitive indicator: "In the murky world of cybercriminal threat intelligence, there is often a lot of crossover in both tools and targeting."
Rubycarp came to Sysdig's attention through its exploitation of CVE-2021-3129, a year-old vulnerability allowing unauthenticated remote attackers to execute arbitrary code in Laravel applications. The cybersecurity firm also discovered evidence of Rubycarp targeting WordPress sites using dumps of usernames and passwords.
Monster Patch Tuesday Update
Microsoft unveiled a monster monthly update on Tuesday, addressing close to 150 security vulnerabilities across various products, including Windows, Office, Azure, and more.
Dustin Childs of Trend Micro's Zero Day Initiative labeled it the largest Patch Tuesday release in years. Despite the vast number, only three vulnerabilities were "critical," with most falling under the "important" category, requiring user interaction for exploitation.
Among the noteworthy bugs is CVE-2024-20670, an Outlook for Windows spoofing vulnerability allowing password hash theft through malicious links. Another bug, CVE-2024-29063, exposes hard-coded credentials in Azure's search backend.
Microsoft confirmed two actively exploited zero-days, including CVE-2024-26234, a "proxy driver spoofing" weakness. The other, CVE-2024-29988, enables attackers to bypass Windows SmartScreen.
Microsoft also published fixes for two dozen flaws in Windows Secure Boot.
Apple Warns Users in 92 Countries About Commercial Spyware
Smartphone giant Apple on Wednesday notified users in 92 countries that their iPhones could be infected with mercenary spyware such as NSO Group's Pegasus. In the alert, reviewed by Information Security Media Group, Apple advises recipients to enable Lockdown mode, update their device and contact nonprofit Access Now's digital security helpline (see: Apple Lockdown Mode Aims to Prevent State-Sponsored Spyware).
The Biden administration has attempted to crack down on the proliferation of commercial spyware, recruiting allies to join a coalition against the misuse of commercial spyware and sanctioning spyware developers.
AT&T Notifies Customers Affected by Data Breach
AT&T is notifying 51 million individuals that they are affected by a tranche of leaked customer data posted onto a criminal hacking forum.
The telecommunications giant confirmed in late March the authenticity of the leaked customer records, which include information such as full names, email addresses, mailing addresses, dates of birth, phone numbers, and Social Security numbers dating back to 2019 and earlier.
"To the best of our knowledge, personal financial information and call history were not included," reads a notification sent to consumers.
Multiple criminal forums have hosted the leak since it first appeared online in 2021. For years, AT&T denied the data originated in its systems, renewing the denial in mid-2019 after the data again resurfaced. It did a sudden about-face on March 30 in a statement acknowledging "AT&T data-specific fields" in the leak (see: Leaked Dataset Belongs to AT&T Current and Former Customers).
The company in March tallied the number of affected individuals at 73 million, although it's only notifying 51 million about the leak. The lower number reflects customers who may have had more than one account in the dataset or whose sensitive information did not show up in the leak, AT&T said.
Online Alcohol Treatment Firm Banned From Disclosing Health Data to Advertisers
Online alcohol rehab provider Monument shared customer information with advertisers, the U.S. Federal Trade Commission said Thursday while announcing a settlement with the New York-based company.
In a federal court complaint, the agency said Monument from January 2020 through at least December 2022 used a tracking pixel on its website to monitor customer behavior such as paying for weekly therapy sessions. The company had told customers that it would not disclose that information without prior written consent and asserted that it was compliant with the Health Insurance Portability and Accountability Act.
The company shared that information along with identifying data such as email and IP addresses with advertisers in order to show them additional ads for Monument services, the complaint states. Monument hashed the email addresses before disclosing them to third parties such as social media giant Meta.
"Monument knew, however, that third parties such as Meta would effectively undo the hashing and reveal the email addresses of those users with accounts on the respective third parties’ platforms, which is how Meta matched these email addresses with Facebook user IDs," the complaint reads.
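As an added illustration (not from the article or the FTC complaint) of why hashing did not protect these addresses: a recipient that already holds its own users' plaintext emails simply hashes them the same way and joins on equality, so the hash acts as a shared identifier rather than an anonymizer. The addresses, user IDs and secret key below are constructed.

```python
import hashlib
import hmac

# Constructed sample data: a provider's client list and an ad platform's
# own user table. None of these addresses or IDs are real.
PROVIDER_CLIENTS = ["Alice.Smith@example.com", "bob@example.org ", "carol@example.net"]
PLATFORM_USERS = {  # platform user ID -> email the platform already holds
    "uid-1001": "alice.smith@example.com",
    "uid-1002": "bob@example.org",
    "uid-1003": "dave@example.net",
}


def normalize(email: str) -> str:
    """Lower-case and trim: the usual canonicalization before hashing for ad matching."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    """Plain SHA-256 of the normalized address, the kind of hashing relied on here."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def platform_match(hashed_emails, platform_users):
    """How a recipient 'undoes' the hashing: it hashes the plaintext emails it
    already holds and joins on equality. No brute force is needed, because the
    platform knows the address behind every one of its own accounts."""
    lookup = {hash_email(e): uid for uid, e in platform_users.items()}
    return {h: lookup[h] for h in hashed_emails if h in lookup}


def keyed_hash_email(email: str, secret: bytes) -> str:
    """HMAC under a secret the recipient never sees. The same join then fails,
    which also shows why a hash cannot be both unlinkable and usable for matching."""
    return hmac.new(secret, normalize(email).encode(), hashlib.sha256).hexdigest()


def demo():
    """Returns (re-identified count with plain hashing, count with keyed hashing)."""
    sent = [hash_email(e) for e in PROVIDER_CLIENTS]
    matched = platform_match(sent, PLATFORM_USERS)  # Alice and Bob are re-identified
    keyed = [keyed_hash_email(e, b"provider-only-secret") for e in PROVIDER_CLIENTS]
    unmatched = platform_match(keyed, PLATFORM_USERS)  # nothing joins
    return len(matched), len(unmatched)


if __name__ == "__main__":
    print(demo())
```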
In June 2020, Meta told Monument to stop transmitting data indicating when clients signed up or paid for therapy, as well as the names of specific therapy plans. Monument responded by substituting data fields such as "Paid - A" for values such as "Paid - Total Care with Bi-Weekly Therapy."
Other recipients of Monument client data included Microsoft, AdRoll, Amazon, Google, Pinterest and Quora.
Under the proposed settlement order, which requires approval by a federal judge, Monument must stop disclosing information to third parties for advertising and first obtain express consent before disclosing it for any other purpose. It must also ask all the advertisers that receive client information to delete it.
Monument did not immediately respond to a request for comment. The company must additionally inform customers about what it did and institute a privacy program subject to independent review every two years for the next 20 years.
Home Depot Confirms Data Breach
Home improvement retailer Home Depot acknowledged a data breach affecting approximately 10,000 employees, Bleeping Computer reported.
The breach stemmed from a mistake by a third-party software-as-a-service vendor, inadvertently exposing employee names, work email addresses and user IDs during system testing. While the leaked data isn't highly sensitive, it could facilitate targeted phishing attacks against Home Depot staff. IntelBroker, the threat actor responsible for leaking the data, is known for previous breaches, including DC Health Link, PandaBuy, Acuity, Hewlett Packard Enterprise, and Weee! grocery service, as well as an alleged breach of General Electric Aviation.
Targus Discloses Cyberattack Disrupting Operations
Computer laptop bag maker Targus revealed a cyberattack on Friday, telling U.S. federal regulators that hackers accessed the company's file servers, prompting the implementation of incident response measures. Parent company B. Riley Financial said the company's response to the breach "resulted in a temporary interruption in the business operations of the Targus network."
B. Riley Financial said it doesn't believe the incident will materially impact its financial condition "or results of operations taken as a whole."
New Threat Actor Targeting Human Rights Activists in Africa
Cisco Talos identified a new threat actor it dubs Starry Addax that's targeting human rights activists in Morocco and the Western Sahara region. The group employs phishing attacks, directing victims to install fake Android apps or, for Windows users, to visit bogus login pages.
Operating since January, Starry Addax sends spear-phishing emails, urging victims to install a decoy app or visit credential harvesting pages. The Android malware, dubbed FlexStarling, is capable of delivering additional malicious components and stealing sensitive data.
The attackers use infrastructure such as ondroid.site and ondroid.store to host credential harvesting pages and establish command-and-control servers on Firebase.
Other Stories From Last Week
- Half of UK Firms, Charities Failed to Report Cyber Incidents
- Silent Surge: The Sudden Rise in Synthetic Business Fraud
- Cybercrime Group Uses Likely AI Script to Load Info Stealer
With reporting from Information Security Media Group's Mihir Bagwe in Mumbai, India and David Perera in Washington, D.C.