Sodinokibi Ransomware Hits Travelex, Demands $3 Million
On December 31, Travelex, an international foreign currency exchange company, fell victim to a cyberattack that temporarily affected several services within the organization. As a precaution to protect data and reduce the spread of the virus, Travelex had to shut down all of its computer systems, causing issues for the 1,500+ stores across the world.
According to ComputerWeekly, it was a Sodinokibi ransomware attack that infiltrated the company.
A conversation between BleepingComputer and the Sodinokibi group revealed that the malicious actors have “encrypted the entire Travelex network and copied more than 5GB of personal data, which includes dates of birth, social security numbers, card information and other details.” Furthermore, the Sodinokibi group states that they’ve deleted the backup files and are demanding a $3 million ransom.
Information on how the attackers gained an initial foothold on the Travelex network has not been revealed; however, Travelex has been known to utilize insecure services in the past.
Read more here
Microsoft: RDP Brute-Force Attacks Last 2-3 days on Average
Microsoft recently published a months-long study into the impact of RDP brute-force attacks throughout various organizations in the corporate world. In the study, over 45,000 workstations running Microsoft Defender Advanced Threat protection collected data on RDP-login related events. And researchers for in total, 0.08% of RDP brute-force attacks are successful, and they last an average of 2-3 days.
RDP stands for Remote Desktop Protocol; it’s a feature within the Windows operating system that allows users to log in to a remote computer using a similar interface as a standard desktop.
According to Microsoft, “successful brute force attempts are not uncommon; therefore, it’s critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events.”
Recommendations for system administrators to lessen the risk of a successful RDP attack include combining and monitoring multiple signals that incorporate the:
-
hour of the day and day of the week of failed sign-in and RDP connections
-
timing of a successful sign-in following failed attempts
-
Event ID 4625 logon type (filtered to network and remote interactive)
-
Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
-
cumulative count of distinct usernames that failed to sign in without success
-
count (and cumulative count) of failed sign-ins
-
count (and cumulative count) of RDP inbound external IPs
-
count of other machines having RDP inbound connections from one or more of the same IP
Read more here
School Software Provider Active Network Discloses Data Breach
Active Network, a web-based school management software for kindergarten to twelfth-grade schools and counties, has suffered a significant security breach affecting thousands of individuals. According to the company’s breach notice, parents who accessed a portion of their accounting software to pay school fees or pay for materials between October 1, 2019, and November 13, 2019, may have had their personal information stolen.
Exposed data includes:
-
Names,
-
Store username and password,
-
Payment card number,
-
Payment card expiration date,
-
Payment card security code.
Malicious actors were able to steal payment data through a software skimmer as parents sent payments through the Active Network web application.
Active Network has launched an investigation with the help of a cybersecurity firm to analyze the issue further.
Get more information here
Google Boots Security Camera Maker From Nest Hub After Private Images Go Public
A Reddit user named Dio-V first reported the issue, stating that their Google Nest Hub (which is connected to a Xiaomi Mijia 1080p Smart IP camera) shows videos of strangers instead of their footage. The post drew a great deal of attention, including Google Support – who stated that Google would disable “all Xiaomi integrations on [their] devices” while they work on the issue.
Further investigation into the issue revealed that a cache update to improve camera streaming quality was responsible for the issue and only happened in “extremely rare conditions.” A Xiaomi spokesperson spoke to Threatpost, stating that the Reddit user experienced this bug due to poor network conditions in combination with the cache update.
As connected cameras have caused significant privacy issues for consumers, bugs like these certainly do not instill confidence in the technology.
Read more here
Chrome Extension Caught Stealing Crypto-Wallet Private Keys
A Chrome extension was recently caught injecting JavaScript code into web pages to steal private keys and passwords from cryptocurrency portals and wallets. The malicious wallet, aptly named Shitcoin Wallet, allows users to manage Ethereum (ETH) coins as well as ERC20-based tokens. To use the service, though, a user has to install a chrome extension or download a Windows desktop app.
According to Harry Denley, the director of security at MyCrypto, the Shitcoin Wallet utilizes malicious code when users “navigate to five well-known and popular cryptocurrency management platforms.” The code then steals login credentials along with private keys and sends them to an erc20wallet[.]tk third-party website.
According to ZDNet and Denley, the malicious process follows these steps:
-
Users install the Chrome extension
-
The Chrome extension requests permission to inject JavaScript (JS) code on 77 websites [listed here]
-
When users navigate to any of those 77 sites, the extension loads and injects an additional JS file from: https://erc20wallet[.]tk/js/content_.js
-
This JS file contains obfuscated code [deobfuscated here]
-
The code activates on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange
-
Once activated, the malicious JS code records the user’s login credentials, searches for private keys stored inside the dashboards of the five services, and finally, sends the data to erc20wallet[.]tk
It is still unclear whether the Shitcoin Wallet team or a third-party actor is responsible for the malicious code.
Read more here