
DHS Warning about Iran & Sodinokibi Ransomware

Daily Cyber Briefing | DHS Warning about Iran & Sodinokibi Ransomware

Today is Tuesday, January 7th, 2020, and here are today’s most pressing cyber stories in under 5 minutes.

Sodinokibi Ransomware Hits Travelex

It's been more than six days since a cyber-attack took down the services of the international foreign currency exchange company Travelex, and we now know they were infected with Sodinokibi ransomware.

The attack occurred on December 31 and affected some Travelex services. This prompted the company to take offline all its computer systems, a precaution meant "to protect data and prevent the spread of the virus."

As a result, customers could no longer use the website or the app for transactions or make payments using credit or debit cards at its more than 1,500 stores across the world.

In the meantime, the company shows a cyber incident notification on the main page of its website and "planned maintenance" on other pages.

CyberHub Engage was able to independently confirm that Travelex systems were indeed infected by REvil ransomware.

We were told that the extension added to some of the encrypted files was a string of more than five random characters, similar to .u3i7y74. This malware typically adds different extensions to files locked on other computer systems.

In addition to leaving the ransom note, the Sodinokibi crew encrypted the entire Travelex network and copied more than 5GB of personal data, which includes dates of birth, social security numbers, card information and other details.

We were told that they deleted the backup files and that the ransom demanded was $3 million; if not paid in seven days (countdown likely started on December 31), the attackers said they will publish the data they stole, taking a lesson from the Maze ransomware gang.


The Pulse Secure VPN servers being targeted with REvil have not had the patches applied that were flagged in warnings from the US CISA, the US National Security Agency and the UK's National Cyber Security Centre in October. The warnings followed evidence that state-backed hackers were exploiting flaws in both Pulse Secure and Fortinet VPN products.

Now the flaw has been adopted by cybercriminals, probably because it's such a potent bug. 

DHS: Iran maintains a robust cyber program 

The US government issued a security alert over the weekend, warning of possible acts of terrorism and cyber-attacks that could be carried out by Iran following the killing of a top general by the US military on Friday.

The warning comes in the form of a rare NTAS (National Terrorism Advisory System) alert, of which the US government has issued only a handful since 2011 when the system was put into place.

The alert was published a day after a targeted US drone strike killed Maj. Gen. Qassim Suleimani at the Baghdad airport. The airstrike came after violent protests and attacks on the American embassy in Baghdad by Iran-backed supporters.


Following Gen. Suleimani's killing, Iranian leadership and several affiliated violent extremist organizations publicly stated they intended to retaliate against the US. The DHS said that "Iran and its partners, such as Hizballah, have demonstrated the intent and capability to conduct operations in the United States."

According to the DHS' NTAS alert, possible attack scenarios could include "scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets."

"Iran maintains a robust cyber program and can execute cyber attacks against the United States," the DHS said. "Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States."

Although Acting US Secretary of Homeland Security Chad F. Wolf said that "there is no specific, credible threat against the homeland," the NTAS alert also warns that "an attack in the homeland may come with little or no warning."

MageCart Attackers Steal Card Info from Focus Camera Shoppers


The website of popular photography and imaging retailer Focus Camera was hacked late last year by MageCart attackers, who injected malicious code that stole customer payment card details.

In true MageCart fashion, the script loaded at checkout to capture billing information and send it to the attacker's server.


To hide the malicious traffic, the attackers registered "," a domain that resembles ZenDesk's legitimate ""


The MageCart domain was registered on November 11, 2019, with a hosting provider in the Netherlands, and the thieving script was discovered in late December by Juniper employee Mounir Hahad.

Once the skimming script was decoded, the researcher was able to see the routines it executed. The details it stole included email, customer name, address (billing and shipping), phone number, and card details (number, expiration date, CVV code).

MP Says Austria Unprepared After Cyberattack on Foreign Ministry

The Austrian State Department's IT systems were under a 'serious attack' suspected to be carried out by a state-backed threat group, according to a joint statement from the Foreign Ministry (BMEIA) and the Ministry of the Interior (BMI).

"A coordination committee has been set up on the basis of the Network and Information System Security Act, and all relevant federal agencies are already active," the press release says. "The problem was recognized very quickly and countermeasures were taken immediately."

The attack was disclosed late Saturday evening and, according to a statement by Foreign Minister Peter Guschelbauer quoted by Austrian national public service broadcaster ORF (Österreichischer Rundfunk), it was still active on Sunday.

"The recent and ongoing hacker attack on the Foreign Ministry clearly shows how important cyber defense is and how little Austria is apparently prepared to ward off cyberattacks," Austrian Parliament lower house member Robert Laimer said in a statement.


Laimer, the SPÖ's (Social Democratic Party of Austria) regional defense spokesman, also added that Austria's Armed Forces should receive funding for cybersecurity training courses.

This would allow it to intervene and help defend the country's critical infrastructure against future cyberattacks attempting to either cause disruption.


Let us know what cybersecurity stories you care the most about by commenting below. Stay Cyber Safe!