6 April 2020

Weekly security roundup: April 6, 2020


Here is the weekly security roundup, where we offer an overview of the most interesting cybersecurity incidents and data breaches that made headlines over the past week, including a data breach affecting millions of Marriott guests, the resurrection of the Zeus Sphinx banking malware, and more.

Last week, hotel chain Marriott disclosed a data breach that impacted the personal information of approximately 5.2 million hotel guests.

Marriott said personal information such as names, birthdates, and phone numbers may have been taken in the breach, along with language preferences and loyalty account numbers. The company believes that payment information was unaffected.

It is worth noting that this is the second data breach the hotel giant has suffered in the last two years. In November 2018, hackers breached the Starwood Hotels reservation system and stole the personal information of more than 383 million hotel guests.

Researchers from IBM X-Force have reported that the Zeus Sphinx banking malware has once again resurfaced on the threat landscape after a long period of inactivity.

In the new campaign, the attackers leveraged a slightly modified version of Zeus Sphinx, distributed via coronavirus-themed malicious .doc or .docx files.

Once on the machine, the malware achieves persistence by writing itself to numerous folders and files and adding Registry keys in order to hide itself and manage its configuration files over time. Zeus Sphinx signs its malicious code with a digital certificate when it is injected into browser processes.

The FBI has issued an alert about ongoing Kwampirs (Orangeworm) malware attacks on the supply chain.

Targeted industries include healthcare, the software supply chain, energy, and engineering across the United States, Europe, Asia, and the Middle East, as well as financial institutions and prominent law firms. The attacks have been ongoing since 2016.

The agency said the Kwampirs operators compromised a large number of hospitals worldwide via vendor software supply chain and hardware products. The infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.

Researchers have discovered a long-running malicious campaign that has been active since at least May 2018. Dubbed Vollgar, the campaign targets Windows machines running MS-SQL servers in order to infect them with backdoors, multifunctional remote access tools (RATs) and cryptominers. The target list includes organizations in various industry sectors, including healthcare, aviation, IT & telecommunications and higher education.

Over the past two years, the campaign has managed to infect roughly three thousand database machines daily, with attacks originating from more than 120 IP addresses, most of them in China.

The attacks rely on brute-force password guessing to breach the targeted MS-SQL hosts. On the compromised machines, the attackers deploy an initial payload to eliminate competitors and fetch additional payloads, including multiple RAT modules and an XMRig-based cryptominer that mines Monero and an alt-coin named VDS, or Vollar.
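The brute-force stage of the Vollgar campaign leaves a clear trace in the SQL Server error log: bursts of failed logins from one client address. The detector below is an added example, not code from the original roundup or from any vendor; the ERRORLOG line format is approximated and the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (format approximated,
# addresses taken from documentation ranges); not real log data.
SAMPLE_ERRORLOG = """\
2020-04-01 02:14:00.00 Server      SQL Server is starting at normal priority base (=7).
2020-04-01 02:14:05.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-04-01 02:14:06.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-04-01 02:14:06.90 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2020-04-01 02:14:07.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-04-01 02:14:08.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-04-01 02:14:09.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-04-01 02:20:31.77 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2020-04-01 02:45:12.03 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# A failed-login record: timestamp, the 'Logon' source, user name, client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[\d.]+)\]"
)

def find_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: (total_failures, users_tried)} for every client
    that produced at least `threshold` failed logins inside any `window`."""
    stamps = defaultdict(list)
    users = defaultdict(set)
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if not m:
            continue  # not a failed-login record, skip it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        stamps[m["ip"]].append(ts)
        users[m["ip"]].add(m["user"])

    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(times), sorted(users[ip]))
                break
    return flagged
```

Lowering the threshold or widening the window trades false positives for earlier detection; the same logic applies to Windows Security event 18456 if the log is collected through SIEM instead of the text ERRORLOG.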

Another interesting hacking campaign disclosed last week involved hackers exploiting zero-day flaws in the Mozilla Firefox (CVE-2019-17026) and Internet Explorer (CVE-2020-0674) browsers in attacks aimed at Chinese and Japanese entities. Both vulnerabilities were patched by Mozilla and Microsoft in early January and in February this year, respectively.

The attacks have been attributed to the threat actor known as DarkHotel. The hackers attempted to trick victims into visiting a maliciously crafted website set up to deliver an exploit matching the user's browser.

If successful, the attack results in the victim downloading Gh0st RAT, a popular tool used by attackers to control infected endpoints, originally attributed to threat actor groups in China.

