Last Updated on October 5th, 2023, By
 In AppSec Bulletin

Phishing Attacks Target US Executives by Exploiting Vulnerability in Indeed Job Platform

A recent phishing campaign has targeted senior executives by exploiting an open redirection vulnerability in the popular job search platform Indeed. An open redirect is a flaw in which a site forwards the visitor to whatever URL is supplied in a request parameter, so a link that genuinely points at Indeed's own domain can end up on an attacker-controlled page. Cybersecurity firm Menlo Security discovered the campaign and reported that attackers have been abusing the flaw on Indeed’s website since July 2023 to lead victims to a phishing page aimed at stealing their Microsoft credentials.

These attacks primarily focused on executives in banking, financial services, insurance, property management, real estate, and manufacturing organizations, particularly in the US. Victims received emails whose links appeared to lead to Indeed but, through the open redirect, sent them to a fake Microsoft login page built with the EvilProxy phishing framework. EvilProxy operates as a reverse proxy between the victim and the real Microsoft login page, so the attackers intercept credentials in transit while the victim sees an ordinary, successful sign-in. The attackers also captured the authenticated session cookies, which can be replayed to impersonate the victim and access the Microsoft account without re-authenticating. Because the victim completes the MFA challenge during the proxied login, this defeats MFA methods such as one-time codes and push approvals; only origin-bound authenticators such as FIDO2 security keys are not fooled by a proxy on a different domain.
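As an added illustration (this is not code from Indeed, Menlo Security, or the source article), the following shows the anti-pattern behind an open redirect next to one way to harden it. The site origin jobs.example.com and the parameter name are assumptions; the defence is to resolve the supplied value against the site's own origin the way a browser would, check the resulting origin, and emit only the path and query, so the usual bypasses (absolute URLs, protocol-relative //host, backslash /\host, userinfo tricks, non-http schemes) all fall back to a safe default.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical site origin; a real deployment would take this from configuration.
SITE_ORIGIN = "https://jobs.example.com"


def vulnerable_redirect(target: str) -> str:
    """The open-redirect anti-pattern: a user-controlled query parameter
    (e.g. ?continue=...) is copied straight into the Location header, so a
    link to https://jobs.example.com/r?continue=https://evil.example/login
    looks legitimate in an email but lands the victim on evil.example."""
    return target


def safe_redirect(target: str, default: str = "/") -> str:
    """Return a Location value that stays on SITE_ORIGIN, or `default`.

    Rather than pattern-matching the raw string, resolve it against our own
    origin, compare the resulting (scheme, host, port) with ours, and return
    only the path and query of the resolved URL. Because the output never
    carries an authority component, it cannot point at a foreign host even
    if the parser and the browser disagree about an edge case.
    """
    if not target:
        return default
    # Control characters and whitespace enable header injection and scheme smuggling.
    if any(ord(c) <= 0x20 for c in target):
        return default
    # Browsers treat a backslash like a forward slash in the authority position,
    # so "/\evil.example" must be handled like "//evil.example".
    candidate = target.replace("\\", "/")
    resolved = urlsplit(urljoin(SITE_ORIGIN + "/", candidate))
    site = urlsplit(SITE_ORIGIN)
    if (resolved.scheme, resolved.hostname, resolved.port) != (
        site.scheme, site.hostname, site.port
    ):
        return default
    location = resolved.path
    if resolved.query:
        location += "?" + resolved.query
    return location or default


if __name__ == "__main__":
    # Constructed sample inputs: the first two are legitimate, the rest are
    # the bypass shapes a tester tries against a redirect parameter.
    samples = [
        "/account/settings",
        "https://jobs.example.com/dashboard?tab=2",
        "https://evil.example/login",
        "//evil.example/login",
        "/\\evil.example",
        "https://jobs.example.com@evil.example/",
        "https://jobs.example.com.evil.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:48} vulnerable -> {vulnerable_redirect(s)!r:44} safe -> {safe_redirect(s)!r}")
```

The check deliberately compares `hostname` rather than `netloc`: `urlsplit` reports the host of `https://jobs.example.com@evil.example/` as `evil.example`, which is also where a browser would go, whereas a naive `startswith("https://jobs.example.com")` test would accept it.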

Menlo Security reported the issue to Indeed, but it remains unclear whether the company has addressed the vulnerability. This campaign highlights the potential for identity theft, intellectual property theft, and significant financial losses if account compromise leads to business email compromise (BEC).

Source – Security Week Network

Hotel Chain ‘Motel One’ Falls Victim to ALPHV/BLACKCAT Ransomware Gang Hack

Motel One, a German hotel chain renowned for its stylish yet budget-friendly accommodations, has fallen victim to the ALPHV/BlackCat ransomware gang. This cybercriminal group claims to have pilfered a substantial 6 TB of data, totaling 24,449,137 files. Among the exposed records are booking confirmations spanning the past three years, containing guests’ personal details such as names, addresses, reservation dates, payment methods, and contact information. More alarmingly, the stolen data also encompasses customers’ credit card information and internal company documents.

The ransomware group has issued a stern warning to Motel One, urging them to respond within five days and pay the demanded ransom. Failure to comply may result in the public release of the stolen data, potentially causing a significant reputation and legal crisis for the company. This incident adds Motel One to the growing list of victims targeted by the ALPHV/BlackCat ransomware gang, which has been active since November 2021 and has previously targeted various organizations, including industrial explosives manufacturer SOLAR INDUSTRIES INDIA, US defense contractor NJVC, and fashion giant Moncler, among others.

Source – Security Affairs

Lorenz Ransomware Group Launches Major Cyber Assault on Allcare Pharmacy

The Lorenz ransomware group has claimed responsibility for a cyberattack on Allcare Pharmacy, adding another victim to its list. According to the group, the breach exposed sensitive customer information, including Social Security Numbers, which would put affected customers at significant risk of identity fraud.

The healthcare sector has become a prime target for cybercriminals, with a surge in attacks in recent years. Lorenz ransomware stands out among these threat groups, employing sophisticated tactics. Healthcare organizations faced a staggering 1,426 attacks per week in 2022, with the cost of data breaches averaging $10.10 million per incident.

Ransomware attacks have hit healthcare organizations hard, with one out of every 42 falling victim in Q3 2022. The Lorenz group employs double extortion tactics, demanding ransoms ranging from $500,000 to $700,000 for data release.

Despite their seemingly modest demands, the aftermath of their attacks can be catastrophic, especially for smaller healthcare businesses. Lorenz’s origins trace back to the .sZ40 ransomware discovered in October 2020, and they have shown persistence and adaptability in targeting English-speaking countries.

Source – The Cyber Express

Ransomware Attack Hits Johnson Controls International (JCI)

Johnson Controls International (JCI) has fallen victim to a ransomware attack that has disrupted its operations and impacted partners. The company initiated its incident response plan, collaborating with cybersecurity experts and insurers to mitigate the situation. While many applications remain operational, the incident is expected to continue causing disruptions.

JCI subsidiaries, such as Simplex and Ruskin, have reported technical issues affecting their websites and customer portals. The attack’s impact on the release of financial results and annual performance is under evaluation.

The Department of Homeland Security (DHS) is investigating whether sensitive security information and personally identifiable data were compromised in the breach, as JCI holds contracts related to DHS security systems.

The Dark Angels Team ransomware gang is believed to be responsible for the attack, demanding a $51 million ransom for data decryption and non-release of stolen data. The group uses double extortion tactics and primarily targets government, healthcare, finance, and education sectors.

The attack has raised concerns about supply chain vulnerabilities, emphasizing the need for stronger cybersecurity standards in government contracts.

Cybersecurity experts suspect the ransomware used in the attack may be a new variant targeting Johnson Controls, leveraging known vulnerabilities and social engineering tactics.

Source – CPO Magazine

Critical Alert: Google Urges Immediate Chrome Update to Fix Actively Exploited Zero-Day Vulnerability

Google has released fixes to address an actively exploited zero-day vulnerability, CVE-2023-5217, in the Chrome browser. This high-severity flaw is a heap-based buffer overflow in VP8 encoding in the libvpx video codec library. Exploiting such a flaw can lead to a program crash or arbitrary code execution, affecting system availability and integrity. The issue was discovered and reported by Clément Lecigne of Google’s Threat Analysis Group and has been abused by a commercial spyware vendor to target high-risk individuals. Users are urged to update Chrome to version 117.0.5938.132 or later to mitigate the threat.
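For anyone checking a fleet against the fixed build above, here is an added example (not from Google or the source article) that compares an installed Chrome version with the fixed version numerically. The point it makes beyond the paragraph is that version strings must be compared component by component: as plain strings, "117.0.5938.92" sorts above "117.0.5938.132" and a lexical check would report a vulnerable browser as patched. The binary name `google-chrome` is an assumption for Linux; on other platforms the path differs.

```python
from __future__ import annotations

import re
import subprocess
from typing import Optional, Tuple

# First Chrome build carrying the fix for CVE-2023-5217, per the advisory.
CHROME_FIXED = "117.0.5938.132"


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted numeric version from a string such as
    'Google Chrome 117.0.5938.92' and return it as a tuple of ints.
    Raises ValueError if no version is present."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed: str, fixed: str = CHROME_FIXED) -> bool:
    """True if `installed` is at or above `fixed`, comparing each numeric
    component rather than the raw string."""
    return parse_version(installed) >= parse_version(fixed)


def local_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Run `<binary> --version` and return its output, or None if the
    binary is missing or does not answer. The binary name is an assumption."""
    try:
        out = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    version = local_chrome_version()
    if version is None:
        print("Chrome not found; check the version manually via Help > About")
    else:
        state = "patched" if is_patched(version) else "VULNERABLE to CVE-2023-5217, update now"
        print(f"{version}: {state}")
```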

This marks the fifth zero-day vulnerability in Google Chrome addressed this year, with previous flaws including CVE-2023-2033, CVE-2023-2136, CVE-2023-3079, and CVE-2023-4863. Additionally, there are suspicions that Cytrox, an Israeli spyware maker, may have exploited a recently patched Chrome vulnerability (CVE-2023-4762) as a zero-day to deliver malware, although details on such attacks are limited.

Mozilla has also released Firefox updates to address CVE-2023-5217, and users are advised to apply the fixes as they become available for other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi.

Source – The Hacker News
