MSP cybersecurity news digest, June 11, 2024

Data of 560 million Ticketmaster customers for sale on Exploit hacking forum

ShinyHunters hacking group claims they have personal and financial data of 560 million Ticketmaster customers — and it's up for sale on BreachForums for $500,000.

The trove, allegedly 1.3 TB in size, includes customers' names, addresses, phone numbers, ticket sales, order and event information, as well as hashed credit card details spanning from 2012 to 2024. ShinyHunters mentioned potential buyers, including Ticketmaster themselves, but did not disclose how the data was stolen.

Researchers suggested the data was taken from Ticketmaster's AWS instances via a managed service provider. Ticketmaster has not confirmed the breach, and the FBI declined to comment, but the published samples appear legitimate.

London NHS hospitals revert to paper records after Qilin ransomware cyberattack

A cyberattack by the Qilin ransomware group has disrupted a wide range of healthcare providers in London, including GPs and community and mental health services, forcing hospitals to revert to paper records.

Guy’s and St Thomas’ trust (GSTT) and King’s College trust have canceled numerous operations, blood tests, and transfusions due to the attack on Synnovis, which analyzes blood tests for these hospitals. The attack has led to severe disruptions in service delivery across south-east London, affecting acute and specialist care for two million people.

The attackers locked Synnovis out of its systems, resulting in manual handling of blood test results and concerns over the accuracy of patient data. While urgent and emergency services remain operational, non-emergency appointments and some surgeries have been postponed. Qilin, known for its double-extortion tactics, demands ransom payments in cryptocurrency and has previously targeted various sectors globally.

New AllaKore RAT variant called AllaSenha hit Brazilian banks

Brazilian banking institutions are being targeted by AllaSenha, a variant of the Windows-based AllaKore remote access trojan (RAT).

This malware aims to steal banking credentials and uses Azure Cloud for command and control. The campaign targets banks like Banco do Brasil, Bradesco, and Itaú Unibanco, with initial access likely through phishing messages containing malicious links.

The attack starts with a malicious Windows shortcut file masquerading as a PDF, which then downloads and executes additional malicious scripts. Researchers linked the AllaSenha trojan to Brazilian actors through domain registration mistakes. These actors are focused on Brazilian victims, using tactics similar to other Latin American banking malware families.
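The initial stage described above, a Windows shortcut file dressed up as a PDF, is something a defender can hunt for on file shares and mail-attachment quarantines. The script below is an added example, not code from the digest or from the researchers it cites: it flags files whose name ends in a document extension followed by `.lnk` (Explorer hides the trailing `.lnk` by default, so the user sees a "PDF"), and files whose bytes carry a Shell Link header under a document extension. The header check uses the documented MS-SHLLINK layout (HeaderSize 0x4C followed by the LinkCLSID). The sample file names and contents are constructed for the demo and are not real artifacts from the campaign.

```python
"""Flag shortcut (.lnk) files that masquerade as documents.

Added example; not code from the original digest or from the researchers it cites.
Sample files are constructed inline; the file names are hypothetical.
"""
import struct
import tempfile
from pathlib import Path

# Shell Link header per MS-SHLLINK: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (stored little-endian).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def is_shell_link(data: bytes) -> bool:
    """Return True if data starts with a valid Windows Shell Link header."""
    if len(data) < 20:
        return False
    (header_size,) = struct.unpack_from("<I", data, 0)
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def inspect_file(path: Path) -> list:
    """Return the reasons a file looks like a disguised shortcut (empty if clean)."""
    suffixes = [s.lower() for s in path.suffixes]
    with open(path, "rb") as fh:
        head = fh.read(20)
    link = is_shell_link(head)
    reasons = []
    # e.g. "Fatura.pdf.lnk": the trailing .lnk is hidden, the user sees a PDF.
    if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("document_double_extension")
    # e.g. "Boleto.pdf" whose bytes are really a shell link.
    if link and suffixes and suffixes[-1] in DOCUMENT_EXTENSIONS:
        reasons.append("lnk_bytes_under_document_extension")
    return reasons


def scan_directory(root) -> list:
    """Walk root and collect every file with at least one suspicious reason."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            reasons = inspect_file(path)
            if reasons:
                findings.append({"name": path.name, "reasons": reasons})
    return findings


def build_sample_dir(root) -> None:
    """Write constructed samples (not real malware): a bare LNK header and a PDF stub."""
    lnk_stub = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    pdf_stub = b"%PDF-1.4\n%constructed sample\n"
    samples = {
        "Fatura.pdf.lnk": lnk_stub,   # shortcut posing as a PDF -> flagged
        "Boleto.pdf": lnk_stub,       # LNK bytes under a .pdf name -> flagged
        "Comprovante.pdf": pdf_stub,  # genuine-looking PDF -> clean
        "Atalho.lnk": lnk_stub,       # ordinary shortcut -> clean
    }
    for name, content in samples.items():
        (Path(root) / name).write_bytes(content)


def demo() -> list:
    """Build the constructed sample directory in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    build_sample_dir(root)
    return scan_directory(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["name"], ",".join(finding["reasons"]))
```

Running the script prints `Boleto.pdf` and `Fatura.pdf.lnk` with their reasons; the plain `Atalho.lnk` shortcut and the real PDF stub are not reported. The header check matters because an attacker can rename a shortcut freely, but a file that Explorer treats as a shortcut must still begin with this header.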

Dutch bank ABN Amro discloses data breach

Dutch bank ABN Amro, with a revenue of €8.78 billion, disclosed a data breach following a ransomware attack on third-party services provider AddComm.

The attack, which occurred in late May, may have exposed data of a number of ABN Amro clients. AddComm has stated that it contained the incident and restored impacted systems, but the investigation into the stolen data is ongoing with external security experts.

ABN Amro has stopped using AddComm's services and is contacting affected clients while notifying the Dutch Data Protection Authority. The bank assures that its systems remain unaffected and urges clients to be vigilant against phishing messages.

LilacSquid cyber espionage group targets IT, energy and pharmaceutical sectors

A cyber espionage group called LilacSquid has targeted various sectors in the U.S., Europe and Asia in a data theft campaign since at least 2021.

According to researchers, the previously undocumented group aims to establish long-term access to compromised organizations in order to siphon data to attacker-controlled servers. Targets include IT organizations in the U.S., energy companies in Europe and the pharmaceutical sector in Asia.

LilacSquid exploits known vulnerabilities or uses compromised RDP credentials to deliver tools like MeshAgent and a custom version of Quasar RAT called PurpleInk. The campaign's tactics bear some similarities to those used by North Korean APT groups, such as Lazarus and its sub-cluster Andariel.