Cyber Security Today, Sept. 27 2023 – Hackers are targeting luxury hotels, a Red Cross scam and more

Hackers are targeting luxury hotels, a Red Cross scam and more.

Welcome to Cyber Security Today. It’s Wednesday, September 27th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.


The recent cyber attacks on MGM Resorts and Caesar’s Palace weren’t isolated incidents. That’s according to researchers at Cofense. In a report this week they said luxury hotel chains and resorts are now being targeted by an unnamed group. It’s part of wider attacks on the hospitality sector. The goal is to trick victims into downloading malware that steals information, such as passwords, from computers.

The campaign sends emails and instant messages to employees such as phony room booking requests. In follow-up messages the hacker sends an infected attachment — for example, a photo of food or a list of cleaning products the supposed guest is allergic to. The trick: The attachments are in a password-protected format, with the password supplied in the message so it can be opened. This tactic may get around email defences. The email campaign isn’t new but it picked up in August, and, the researchers say, “has continued at an alarming rate” this month. Security awareness training of employees is vital to help stop this type of attack.

A threat actor is impersonating the U.S. Red Cross in a phishing campaign with the goal of infecting computers. That’s according to researchers at NSFocus. Targeted people get an email with an attachment entitled ‘Blood Drive September 2023.’ To read it the victim is told to click a button that enables macros so the attachment’s content can be shown. That’s the trick. If an employee enables macros the hidden malware executes. IT should configure all employee systems so that macros in externally created documents are not allowed to run. Employees need to be regularly reminded not to bypass that security control without management or administrator permission.
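The control recommended above, as an added example that is not from the podcast or from NSFocus: a PowerShell audit of the per-user Office macro settings that block macros in files from outside the organization. It assumes Office 2016 or later (registry version "16.0") and uses the Microsoft-documented values BlockContentExecutionFromInternet and VBAWarnings; the app list and the -Remediate switch are this example's own choices.

```powershell
# Added example: audit (and optionally set) the per-user Office settings that stop
# macros in externally created documents from running. Assumes Office 2016+ ("16.0").
#   BlockContentExecutionFromInternet = 1 -> block macros in files marked as from the Internet
#   VBAWarnings: 2 = disable with notification, 3 = signed only, 4 = disable all silently
param([switch]$Remediate)

$OfficeVersion = "16.0"
$Apps = "Word", "Excel", "PowerPoint"   # apps to check; extend as needed
$Roots = @(
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion",  # policy-managed value wins
    "HKCU:\Software\Microsoft\Office\$OfficeVersion"            # user's Trust Center setting
)

function Get-Setting($Key, $Name) {
    # Returns the DWORD value or $null if the key/value does not exist
    if (Test-Path $Key) {
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

foreach ($app in $Apps) {
    $blockInternet = $null
    $vbaWarnings   = $null
    foreach ($root in $Roots) {
        $key = "$root\$app\Security"
        if ($null -eq $blockInternet) { $blockInternet = Get-Setting $key "BlockContentExecutionFromInternet" }
        if ($null -eq $vbaWarnings)   { $vbaWarnings   = Get-Setting $key "VBAWarnings" }
    }
    # Compliant when Internet-sourced macros are blocked and unsigned macros cannot run
    $compliant = ($blockInternet -eq 1) -and ($vbaWarnings -ge 3)
    [pscustomobject]@{
        App                 = $app
        BlockInternetMacros = $blockInternet
        VBAWarnings         = $vbaWarnings
        Compliant           = $compliant
    }
    if ($Remediate -and -not $compliant) {
        # Write to the policy key so the user cannot relax it from the Trust Center UI
        $policyKey = "$($Roots[0])\$app\Security"
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name "BlockContentExecutionFromInternet" -Value 1 -Type DWord
        Set-ItemProperty -Path $policyKey -Name "VBAWarnings" -Value 3 -Type DWord
    }
}
```

In a managed fleet the same two values would be pushed by Group Policy or Intune rather than written locally; the script is useful for verifying that the policy actually landed on each endpoint.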

One of Britain’s biggest privately owned trucking companies, KNP Logistics, declared insolvency on Monday in the aftermath of a ransomware attack three months ago. According to a news report the company had been in financial trouble before that. But the attack meant it couldn’t secure additional funding. The insolvency has cost over 700 people their jobs.

More on ransomware: Researchers have found a new criminal group that over the past 12 months has installed seven different ransomware strains in victims’ networks. The researchers, from Group-IB and Bridewell, aren’t sure if the gang they call ShadowSyndicate is an affiliate of a ransomware-as-a-service group, or an initial access broker responsible for initially breaking into an IT network.

Finally, administrators of Openfire messaging servers are being warned to install a patch to close a vulnerability in the software that’s been known about since May. Threat actors are spreading malicious plugins that can take advantage of the hole if it hasn’t been patched yet, according to researchers at Doctor Web. An exploit performs a directory traversal attack allowing unauthorized access to the Openfire administrative interface. Then the attacker can create a new user with administrative privileges. And we all know where that goes.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com