Cyber Round-up for 9th September

September 8, 2022

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Cyber-Attack On Hotel Chain Holiday Inn

Holiday Inn’s parent company, Intercontinental Hotels Group (IHG), has confirmed that it was the victim of a cyber-attack. An investigation is underway into “unauthorised access” to numerous internal systems and into the nature, extent and impact of the incident. Speculation around the attack has generated rumours of ransomware; however, no official confirmation has been given. IHG has reported that there has been no loss of customer data. Just last month a Holiday Inn in Istanbul was breached by LockBit ransomware; it is currently unknown whether these attacks are connected. In a statement, the company said: "We will be supporting hotel owners and operators as part of our response to the ongoing service disruption. IHG's hotels are still able to operate and to take reservations directly."

By BBC.co.uk

FBI Warns Decentralised Finance Platforms To Boost Security

The Federal Bureau of Investigation has issued a plea to all cryptocurrency decentralised finance (DeFi) platforms to boost their security or face the risk of a cyber-attack. This comes after $100 million was stolen from blockchain bridge firm Harmony, approximately $150 million was stolen from hot wallets at cryptocurrency exchange BitMart, and $130 million worth of tokens was stolen from Cream Finance. A report produced by Chainalysis found that $1.3 billion in cryptocurrency was stolen between January and March 2022, 97% of it from decentralised finance platforms. The FBI has requested that DeFi platforms introduce real-time analytics and monitoring to prevent attacks, test code rigorously to identify vulnerabilities more quickly, and respond to suspicious activity in order to stay secure against a growing number of attacks.

By Tripwire.com

120,000 American Taxpayers Exposed from IRS

The American Internal Revenue Service has leaked information about approximately 120,000 taxpayers who filed Form 990-T as part of their tax returns. The 990-T form is used to report unrelated business income paid to a tax-exempt entity. For individuals this data is confidential and only meant to be seen by the IRS; for non-profit organisations it is publicly available for three years. The IRS accidentally disclosed the 990-T information of both charities and individuals. "The IRS recently discovered that some machine-readable (XML) Form 990-T data made available for bulk download section on the Tax Exempt Organization Search (TEOS) should not have been made public," the IRS stated. The Wall Street Journal reported on the breach and stated that approximately 120,000 taxpayers were affected. The leaked information included names, contact information, and reported income for those IRAs. The information has since been removed and the IRS will notify affected taxpayers.

By BleepingComputer.com

Android Antivirus and Cleaner Applications Installing Banking Trojan

The Google Play Store has been known to harbour malware disguised as legitimate applications for years, despite the measures Google has put in place to vet applications before they are allowed onto the store. SharkBot is an Android banking trojan capable of siphoning cookies for banking sites, injecting fake overlays to harvest bank account credentials, logging keystrokes, intercepting SMS messages, and carrying out fraudulent fund transfers using the Automated Transfer System. "This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware," NCC Group's Fox-IT said in a report. "Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats." The two known applications acting as droppers for this malware are:

  • Mister Phone Cleaner, with more than 50,000 downloads
  • Kylhavy Mobile Security, with more than 10,000 downloads

If either of these applications has been installed, it is recommended to:

  • uninstall them and run an antivirus scan on your Android device
  • change passwords for all accounts currently signed in on the device
  • review your banking transactions and call your bank if any unauthorised payments have been made.

By TheHackerNews.com

MagicRAT Remote Access Trojan Affiliated with Lazarus

A new Remote Access Trojan called MagicRAT is thought to have been produced and used by the Lazarus Group, a North Korean state-sponsored hacking unit. MagicRAT installs itself into the \ProgramData\WindowsSoftwareToolkit directory to disguise itself as part of the operating system. Once it has established a connection to a C2 server, it allows the Lazarus Group to open a remote shell for arbitrary command execution, as well as to rename, move and delete files on the endpoint. Further capabilities, including screen capture, keylogging, self-deletion, port forwarding and USB dumping, come from the TigerRAT malware, which can be installed on the device once it is connected to the C2 server.

By Blog.TalosIntelligence.com

Hive Ransomware Hits Damart Clothing Stores

The French clothing company Damart is being extorted for $2 million after a cyberattack orchestrated by the Hive ransomware gang. Damart has more than 130 stores worldwide. Its systems have been encrypted and operations have been disrupted since August 15. A report from Valéry Marchive revealed that the hackers are not willing to negotiate and want Damartex to pay the full ransom. Damart has informed the national police of the incident, which makes it unlikely that Hive will receive a payment. At the moment, it is unknown whether Hive managed to steal any data during the network intrusion.

By BleepingComputer.com

Vulnerabilities & Updates

Google Zero-Day Found Days After Chrome Patch Release

It hasn’t been long since Google released fixes for 24 Chrome vulnerabilities, yet another security update has already landed. This update is even more important than the last, as it addresses a zero-day that is being actively exploited in the wild. CVE-2022-3075 is an insufficient data validation issue within the runtime libraries known as Mojo. The zero-day was only disclosed to Google on August 30th. We recommend installing this emergency update ASAP; it takes Chrome to version 105.0.5195.102 on the Windows, Mac, and Linux platforms.

By Forbes.com

Zyxel Discovers Critical Flaw in NAS Devices

Networking solutions provider Zyxel has released a patch addressing a critical vulnerability in the firmware of multiple NAS models. The flaw has been given a CVSS score of 9.8/10 and is a format string vulnerability affecting Zyxel NAS326 firmware versions earlier than V5.21(AAZF.12)C0. An attacker could exploit the vulnerability by sending specially crafted UDP packets to an affected product, which could allow them to execute arbitrary code on the device. So far, the investigation has identified three affected NAS models that are within their support lifetime.

By SecurityWeek.com
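Both of the updates above come down to the same practical question for a defender: which assets in the estate still run a version below the fixed release? The script below is an added example written for this round-up, not code from Google, Zyxel or the cited articles. It triages a small constructed inventory against the two fixed versions named on this page (Chrome 105.0.5195.102 for CVE-2022-3075, and Zyxel NAS326 firmware V5.21(AAZF.12)C0). The inventory records, host names and the `triage` helper are invented for illustration, and the Zyxel comparison assumes the firmware string follows the pattern V<major>.<minor>(<model>.<build>)C<patch>, with a device counted as "earlier" when its (major, minor, build, patch) tuple is lower for the same model code; that ordering is our reading of the version string, not something the vendor advisory states.

```python
"""Flag inventory entries that are still below the fixed versions named in the round-up.

Added example (not from the original post). Assumptions: inventory records below are
constructed; Chrome versions are dotted numeric strings compared component-wise; Zyxel
firmware strings follow V<major>.<minor>(<model>.<build>)C<patch> and compare as
(major, minor, build, patch) within the same model code.
"""
import re

# Fixed versions quoted in the round-up.
CHROME_FIXED = "105.0.5195.102"          # CVE-2022-3075 emergency update
ZYXEL_NAS326_FIXED = "V5.21(AAZF.12)C0"  # NAS326 format string flaw (CVSS 9.8)

# Labels used in the triage output (constructed for this example).
ISSUE_CHROME = "CVE-2022-3075 (update Chrome to 105.0.5195.102)"
ISSUE_ZYXEL = "Zyxel NAS326 format string flaw (update to V5.21(AAZF.12)C0)"


def parse_dotted(version: str) -> tuple:
    """Turn '105.0.5195.102' into (105, 0, 5195, 102); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def chrome_needs_update(installed: str, fixed: str = CHROME_FIXED) -> bool:
    """True when the installed Chrome build is strictly below the fixed build.

    Shorter strings such as '105.0' are zero-padded so they compare sensibly
    against a full four-part version instead of winning or losing on length.
    """
    a, b = parse_dotted(installed), parse_dotted(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Assumed Zyxel firmware layout: V5.21(AAZF.12)C0 -> major=5 minor=21 model=AAZF build=12 patch=0
_ZYXEL_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Za-z0-9]+)\.(\d+)\)C(\d+)$")


def parse_zyxel(version: str) -> tuple:
    """Return (model_code, (major, minor, build, patch)) for a Zyxel-style version string."""
    m = _ZYXEL_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {version!r}")
    major, minor, model, build, patch = m.groups()
    return model, (int(major), int(minor), int(build), int(patch))


def zyxel_nas326_needs_update(installed: str, fixed: str = ZYXEL_NAS326_FIXED) -> bool:
    """True when the installed NAS326 firmware is below the fixed release.

    A different model code means the advisory's fixed version does not apply to
    this device, so the comparison refuses rather than silently returning False.
    """
    model_a, ver_a = parse_zyxel(installed)
    model_b, ver_b = parse_zyxel(fixed)
    if model_a != model_b:
        raise ValueError(f"model code {model_a} does not match fixed release {fixed}")
    return ver_a < ver_b


# Constructed inventory records (host names and versions invented for this example).
INVENTORY = [
    {"host": "ws-01", "product": "chrome", "version": "105.0.5195.52"},
    {"host": "ws-02", "product": "chrome", "version": "105.0.5195.102"},
    {"host": "ws-03", "product": "chrome", "version": "104.0.5112.101"},
    {"host": "nas-01", "product": "zyxel-nas326", "version": "V5.21(AAZF.11)C0"},
    {"host": "nas-02", "product": "zyxel-nas326", "version": "V5.21(AAZF.12)C0"},
    {"host": "nas-03", "product": "zyxel-nas326", "version": "V5.20(AAZF.9)C0"},
]


def triage(inventory) -> list:
    """Return [(host, issue), ...] for every record still below its fixed version."""
    flagged = []
    for rec in inventory:
        if rec["product"] == "chrome" and chrome_needs_update(rec["version"]):
            flagged.append((rec["host"], ISSUE_CHROME))
        elif rec["product"] == "zyxel-nas326" and zyxel_nas326_needs_update(rec["version"]):
            flagged.append((rec["host"], ISSUE_ZYXEL))
    return flagged


if __name__ == "__main__":
    for host, issue in triage(INVENTORY):
        print(f"{host}: {issue}")
```

Running it lists ws-01, ws-03, nas-01 and nas-03 as needing the update while the two hosts already on the fixed versions are left alone. The two things worth keeping from the design are the zero-padding in `chrome_needs_update`, so a partially reported version cannot slip through on string length, and the model-code check in `zyxel_nas326_needs_update`, which makes a mismatched device an error rather than a quiet "not vulnerable".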

And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #205 – 9th September 2022

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
