11 April 2024  —  Acronis

MSP cybersecurity news digest, April 12, 2024

Yacht retailer MarineMax discloses data breach after cyberattack 

MarineMax, a leading global retailer of recreational boats and yachts, reported a cyberattack that resulted in the theft of employee and customer data. MarineMax operates over 130 locations worldwide and reported $2.39 billion in revenue in 2023.

Although initially stating that sensitive data wasn't stored in the compromised systems, a subsequent filing disclosed the theft of personal data by malicious actors. The company reported that a cybercrime organization accessed a portion of its retail business information environment, extracting limited customer and employee data, including personally identifiable information.

While the attack wasn't attributed to a specific threat group, the Rhysida ransomware gang claimed responsibility and is offering stolen data for sale at a price of 15 BTC (just over $1 million). Screenshots of financial documents, employee IDs, and passports purportedly belonging to MarineMax have been leaked on the dark web. Despite this, Rhysida is still seeking a buyer for the stolen data, implying that the ransom hasn't been paid.

Google fixes Chrome zero-days

Google addressed seven security vulnerabilities in the Chrome web browser, including two zero-days exploited during the Pwn2Own Vancouver 2024 hacking competition.

The first zero-day, tracked as CVE-2024-2887, involves a high-severity type confusion weakness in the WebAssembly (Wasm) open standard. The second zero-day, CVE-2024-2886, is a use-after-free (UAF) weakness in the WebCodecs API. Both vulnerabilities can be exploited for remote code execution and were promptly fixed by Google in the Chrome stable channel, ensuring users' protection. Additionally, Google recently addressed another Chrome zero-day, CVE-2024-3159, related to an out-of-bounds read weakness in the V8 JavaScript engine, with a fix already available for users worldwide.

In 2023, researchers reported that 97 zero-day vulnerabilities were exploited, compared to 62 in 2022. They identified 29 of these vulnerabilities as exploited in the wild, with 36 targeting enterprise-specific technologies and 61 affecting end-user platforms. Additionally, they observed a surge in zero-day vulnerabilities in third-party components and libraries, attributing many to commercial surveillance vendors and government espionage actors, while also noting an increase in government-linked APT group activity.

PandaBuy data breach exposes 1.3 million people 

Attackers have claimed to have breached PandaBuy, a popular global shopping platform, posting over 3 million rows of data on an illicit forum, with researchers identifying 1.3 million unique accounts.

The exposed database contains user IDs, full names, phone numbers, emails, home addresses, login IPs, and order data. The breach is attributed to two bad actors known as Sanggiero and IntelBroker, with IntelBroker being notorious for previous breaches involving major entities like General Electric and Facebook Marketplace.

The attackers claimed they gained access to PandaBuy’s internal services by exploiting critical vulnerabilities in the platform's API. Cybersecurity researchers confirmed that the stolen data posted by the threat actors appears legitimate. Despite PandaBuy's reassurances that orders and payment information remain unaffected, it is recommended that users change login credentials as a precaution.

Malicious code in XZ Utils for Linux systems enables remote code execution

A recent analysis revealed a backdoor inserted into the widely used XZ Utils open-source library, posing a severe security risk for Linux distributions. The backdoor is tracked as CVE-2024-3094 with a Common Vulnerability Scoring System (CVSS) rating of 10 out of 10, indicating its high potential for severe impact. It allows remote code execution, potentially granting attackers complete system access. The discovery, made by researchers, shed light on the compromise's sophistication, pointing to a supply chain attack spanning multiple years.

Jia Tan (aka JiaT75), a project maintainer, intentionally introduced the backdoor, leveraging a carefully orchestrated social engineering campaign. Over two years, Tan built credibility within the open-source community, ultimately gaining maintainer responsibilities. This allowed them to inject the malicious code into XZ Utils, which made its way into versions 5.6.0 and 5.6.1, released in February 2024.

Despite being caught early, the breach underscores the vulnerabilities within the open-source supply chain and prompts reflection on reliance and risk management. The backdoor, executed through the OpenSSH server process, could have granted unauthorized access to countless systems.

Vietnam’s third-largest broker, VNDirect, unveils phased recovery plan after massive cyberattack

Vietnam’s financial sector encountered difficulties as VNDirect, the country's third-largest securities broker, grappled with a severe cyberattack, leaving investors unable to access the platform.

Despite ongoing efforts to restore services, VNDirect emphasized the severity of the situation, prompting a phased recovery plan. The restoration plan for VNDirect progresses through four phases that include preserving client status and account information, resuming money trading and stock trading, reinstating other financial products, and achieving full restoration of all features. The company has completed Phase 1, urging customers to review their account information and change passwords promptly, but anticipates potential technical issues due to high traffic. Additionally, VNDirect scheduled flow checks with stock trading departments to ensure system security, emphasizing the importance of cybersecurity awareness among investors.

The fallout extended to the broader financial ecosystem, prompting the temporary suspension of remote trading by the Hanoi Stock Exchange and causing market fluctuations.