SecureFact - Cyber Security News - Week of December 16, 2024

Data Breaches

1. Krispy Kreme cyberattack impacts online orders and operations

Krispy Kreme experienced a cyberattack in November 2024 that disrupted its online ordering system and affected some business operations. The company detected unauthorized activity in its information technology systems, leading to operational challenges, particularly with digital orders, which account for 15.5% of its sales. Despite the attack, Krispy Kreme's physical stores remain open, and daily deliveries to partners are unaffected. The company has engaged cybersecurity experts to contain and remediate the incident, although the full scope and impact are still under investigation. The attack is expected to have a material financial impact, including lost revenue from digital sales and costs associated with recovery efforts.

2. AWS customers face massive breach amid alleged ShinyHunters regroup

A significant data breach has impacted thousands of AWS customers, exposing terabytes of sensitive information, including customer details and AWS credentials. The breach is linked to the now-defunct hacking group ShinyHunters; researchers Noam Rotem and Ran Locar uncovered the operation, which exploited vulnerabilities in poorly configured public sites to gain unauthorized access to sensitive data. The attack involved scanning millions of websites for exploitable weaknesses, leading to the exposure of critical keys and secrets. The researchers noted that the attackers themselves used a misconfigured S3 bucket, which inadvertently allowed the researchers to analyze the stolen data. The breach began with extensive scans of AWS IP ranges and exposed endpoints, resulting in the extraction of database credentials and AWS keys. The attackers combined custom scripts with open-source tools to harvest a range of credentials and establish remote access for further exploitation.
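The breach above turned on secrets sitting in files that were reachable from public web servers. The following is an added defender-side check, not code from the original article or from the researchers named in it: a small scanner that walks a web root, flags configuration files that should never be web-reachable, and looks for plaintext secrets and AWS access key IDs in their contents. The file names, the `AKIA` key-ID pattern and the sample web root it builds are assumptions and constructed test data, not values taken from the article.

```python
import re
import tempfile
from pathlib import Path

# Assumed format: AWS access key IDs begin with "AKIA" followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# KEY=value lines whose key name suggests a secret (assumed naming convention).
ENV_SECRET_RE = re.compile(
    r"^(?P<key>[A-Z0-9_]*(SECRET|PASSWORD|TOKEN|KEY)[A-Z0-9_]*)\s*=\s*(?P<val>\S+)", re.M
)

# File names that should never be reachable from a web root (constructed, non-exhaustive list).
SENSITIVE_NAMES = {".env", ".env.local", "wp-config.php", "config.php", "credentials", ".git"}


def scan_webroot(root: Path) -> list[dict]:
    """Return a list of findings for files under `root` that expose secrets."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # 1. The file itself should not live under a web root at all.
        if path.name in SENSITIVE_NAMES or any(p in SENSITIVE_NAMES for p in path.parts):
            findings.append({"path": rel, "issue": "sensitive-file-in-webroot"})
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        # 2. Content checks: key IDs and KEY=value secrets in plaintext.
        for m in AWS_ACCESS_KEY_RE.finditer(text):
            findings.append({"path": rel, "issue": "aws-access-key-id", "match": m.group(0)})
        for m in ENV_SECRET_RE.finditer(text):
            findings.append({"path": rel, "issue": "plaintext-secret", "match": m.group("key")})
    return findings


def build_sample_webroot() -> Path:
    """Create a constructed web root with one leaked .env file and two harmless files."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / ".env").write_text(
        "APP_NAME=shop\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\n"      # constructed placeholder key ID
        "AWS_SECRET_ACCESS_KEY=constructed-secret-value\n"
        "DB_PASSWORD=hunter2\n"
    )
    (root / "index.html").write_text("<h1>hello</h1>\n")
    (root / "assets").mkdir()
    (root / "assets" / "app.js").write_text('console.log("ok");\n')
    return root


def run_demo() -> list[dict]:
    """Build the constructed web root and scan it; returns the findings."""
    return scan_webroot(build_sample_webroot())


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

Run it against a real document root (`scan_webroot(Path("/var/www/html"))`) as part of a deployment check; anything it reports is a file the web server would happily serve to an internet-wide scanner of the kind described above.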

3. Spain busts voice phishing ring for defrauding 10,000 bank customers

Spanish police, in collaboration with Peruvian authorities, have dismantled a large voice phishing (vishing) operation, arresting 83 individuals involved in defrauding over 10,000 bank customers. The crackdown included 29 simultaneous raids across Spain and Peru, leading to the capture of the ring's leader in Spain and the seizure of cash, mobile phones, computers, and documents. The scammers operated three call centers with around 50 agents, using stolen databases and social engineering tactics to deceive victims into revealing sensitive banking information. They employed caller ID spoofing to make their calls appear legitimate, impersonating banks and alerting victims to supposed unauthorized ATM withdrawals. This ruse directed victims to fake account verification processes where they unwittingly shared one-time passcodes.

4. 390,000 WordPress accounts stolen from hackers in supply chain attack

A significant security breach has been reported, where a threat actor known as MUT-1244 has stolen over 390,000 WordPress credentials through a year-long supply chain attack. This operation targeted both malicious and ethical hackers by using a trojanized WordPress credentials checker, leading to the compromise of SSH private keys and AWS access keys from numerous victims, including penetration testers and cybersecurity researchers. The attacks were executed via trojanized GitHub repositories that delivered malicious proof-of-concept (PoC) exploits targeting known vulnerabilities. Victims were also lured through phishing campaigns that tricked them into installing malware disguised as a CPU microcode update. The attackers employed various methods, such as backdoored compilation files and malicious npm packages, to deploy their malware.

5. Auto parts giant LKQ says cyberattack disrupted Canadian business unit

Automobile parts giant LKQ Corporation reported a cyberattack that affected one of its Canadian business units, leading to data theft and operational disruptions. The breach, detected on November 13, 2024, prompted the company to activate its security incident response plans and collaborate with forensic investigators. LKQ stated that while operations were adversely impacted for several weeks, the affected unit is now functioning near full capacity. In its SEC filing, LKQ emphasized that it does not anticipate any significant financial repercussions from the incident for the remainder of the fiscal year. The company is also pursuing reimbursement for related costs through its cyber insurance.

6. Rhode Island says personal information potentially stolen in RIBridges data breach

Rhode Island's RIBridges system, previously known as UHIP, experienced a significant cybersecurity breach. The system, which manages various health and human services benefits, was taken offline following a notification from its vendor, Deloitte, about a major security threat. The breach potentially exposed sensitive personal information, including names, addresses, dates of birth, Social Security numbers, and banking details of individuals who have received or applied for benefits through the system. Deloitte first alerted the state on December 5 about a potential cyberattack. Subsequent confirmations revealed that a hacker had likely obtained files containing personally identifiable information. As a precaution, the state has offered free credit monitoring to those affected and has involved federal agencies and Rhode Island State Police in the investigation. During the downtime of the RIBridges system, current customers cannot access their accounts online or via mobile apps, although paper applications for benefits remain available.

Malware and Vulnerabilities

1. Microsoft 365 outage takes down Office web apps, admin center

Microsoft is currently dealing with a widespread outage affecting Microsoft 365 services, particularly impacting Office web apps and the Microsoft 365 admin center. Users have reported difficulties accessing applications like Outlook and OneDrive, receiving messages indicating service outages. The company is investigating the issue, focusing on token generation within its authentication infrastructure and reviewing recent changes to identify the root cause. While some users are affected, Microsoft suggests using desktop applications as a temporary workaround.

2. Chinese hackers use Visual Studio Code tunnels for remote access

Chinese hackers have been exploiting Visual Studio Code (VSCode) tunnels to maintain persistent remote access to compromised systems, particularly targeting large IT service providers in Southern Europe. This tactic, observed by SentinelLabs and Tinexta Cyber during a campaign dubbed 'Operation Digital Eye', took place between June and July 2024. The attackers abused Microsoft's Remote Development feature, which provides legitimate remote access through VSCode, to create backdoor access. They achieved initial access using the SQL injection tool sqlmap against vulnerable web and database servers.
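Because the tunnel is a legitimate Microsoft feature, the distinguishing signal for defenders is where and how the VSCode CLI is launched rather than the traffic itself. The block below is an added detection example, not code from the article or from SentinelLabs or Tinexta Cyber: it runs a simple rule over constructed process-creation events and raises severity when the `code tunnel` subcommand appears on a server host, is installed as a service, or runs from an unusual directory. The `srv-` host naming convention, the event format and the sample events are assumptions made for the example.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed process-creation events: (host, user, parent process, command line).
SAMPLE_EVENTS = [
    ("srv-db01", "svc_web", "cmd.exe",
     r"C:\Tools\code.exe tunnel --accept-server-license-terms --name srv-db01"),
    ("ws-dev42", "alice", "explorer.exe",
     r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\proj'),
    ("srv-app07", "SYSTEM", "services.exe",
     r"C:\Windows\Temp\code.exe tunnel service install"),
    ("ws-dev17", "bob", "bash", "code tunnel --name bob-laptop"),
]

VSCODE_BINARIES = {"code", "code-insiders"}
# Assumed "unusual" drop locations for the CLI binary.
ODD_PATH_RE = re.compile(r"\\(temp|programdata|public)\\", re.I)


@dataclass
class Finding:
    host: str
    user: str
    severity: str
    reason: str


def parse_cmdline(cmdline: str) -> list[str]:
    """Split a Windows- or POSIX-style command line, dropping surrounding quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def exe_name(token: str) -> str:
    """Basename of the executable, lower-cased, without a trailing .exe."""
    return re.split(r"[\\/]", token)[-1].lower().removesuffix(".exe")


def detect_vscode_tunnel(host: str, user: str, parent: str, cmdline: str):
    """Return a Finding if this event launches the VSCode tunnel CLI, else None."""
    toks = parse_cmdline(cmdline)
    if not toks or exe_name(toks[0]) not in VSCODE_BINARIES:
        return None
    # Positional arguments only; the first one must be the "tunnel" subcommand.
    args = [t for t in toks[1:] if not t.startswith("-")]
    if not args or args[0].lower() != "tunnel":
        return None

    reasons = ["vscode tunnel launched"]
    severity = "medium"           # a developer tunnel on a workstation is worth a look, not an alarm
    if host.startswith("srv-"):   # assumed convention: "srv-" hosts are servers
        severity = "high"
        reasons.append("on a server host")
    if parent.lower() == "services.exe" or "service" in (a.lower() for a in args[1:]):
        severity = "high"
        reasons.append("installed as a service (persistence)")
    if ODD_PATH_RE.search(toks[0]):
        severity = "high"
        reasons.append("binary in unusual path")
    return Finding(host, user, severity, "; ".join(reasons))


def run(events=SAMPLE_EVENTS) -> list[Finding]:
    """Apply the rule to every event and keep the hits, in input order."""
    return [f for f in (detect_vscode_tunnel(*e) for e in events) if f]


if __name__ == "__main__":
    for f in run():
        print(f"[{f.severity}] {f.host} {f.user}: {f.reason}")
```

Feed it real EDR or Sysmon process-creation records in place of `SAMPLE_EVENTS`; the point of the rule is that an ordinary editor launch (the second event) is ignored while a tunnel started under `services.exe` from a temp directory on a server is flagged immediately.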
