February 05, 2024  —  Acronis

MSP cybersecurity news digest: Feb. 5, 2024

Water services giant Veolia North America and the U.K. water utility Southern Water have been hit in separate cyberattacks

Veolia North America, a subsidiary of the multinational conglomerate Veolia, experienced a ransomware attack affecting its Municipal Water division, which manages water and wastewater services for about 550 communities and operates around 100 industrial facilities.

Veolia is a global group with nearly 213,000 employees and revenue of EUR 42.9 billion in 2022, providing drinking water to about 111 million people and wastewater services to roughly 97 million. The incident forced temporary shutdowns of some systems. Customer payment systems and accounts were not affected, and an investigation is ongoing into whether the personal information of a limited number of individuals was exposed.

In a separate case, the Black Basta ransomware group claimed responsibility for an attack on Southern Water, a major U.K. water utility, and threatened to release 750 gigabytes of stolen data, including personal and corporate documents. Southern Water employs over 6,000 people, has an annual turnover exceeding EUR 1.2 billion, and delivers water and wastewater services to East Kent, parts of Sussex, Hampshire and the Isle of Wight.

AnyDesk says attackers breached its production servers, users are advised to reset passwords

AnyDesk has confirmed a recent cyberattack in which attackers gained access to the company’s production systems and stole source code and private code signing keys.

AnyDesk, a widely used remote access solution, is popular among enterprises for tasks such as remote support and access to colocated servers; the same properties make it a favorite of threat actors for maintaining persistent access to compromised devices and networks. The company, which counts 170,000 customers, including 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS and the United Nations, learned of the attack after detecting indications of compromise on its production servers, conducted a security audit, and engaged a third-party firm while activating its incident response plan.

AnyDesk said it found no evidence that end-user devices were affected and that the situation is under control: security-related certificates have been revoked, affected systems remediated or replaced, and a new code signing certificate put in place. The company recommends updating to the latest version (8.0.8) and changing passwords as a precaution, and emphasized that session authentication tokens were not stolen: they exist only on end-user devices, are bound to device fingerprints, and never touch AnyDesk’s systems. Because the stolen private keys could be used to sign malicious binaries that appear to come from AnyDesk, organizations should treat any AnyDesk binary signed with the revoked certificate as untrusted and verify that the installers they deploy carry the new signature.

AllaKore RAT malware targeting Mexican firms with financial fraud tricks

Mexican financial institutions are facing a spear-phishing campaign involving a modified version of the AllaKore RAT, an open-source remote access trojan, according to researchers.

The campaign, attributed to an unknown, financially motivated threat actor based in Latin America, has been active since at least 2021. The phishing lures mimic the naming conventions of the Mexican Social Security Institute (IMSS), and the installer displays benign decoy documents while the malware is installed. Targets are large companies with gross revenues above $100 million across sectors including retail, agriculture, public services, manufacturing, transportation, commercial services, capital goods and banking.

The infection chain starts with a ZIP file delivered by phishing or drive-by compromise. It contains an MSI installer that drops a .NET downloader, which first confirms that the victim machine is geolocated in Mexico and only then retrieves the modified AllaKore RAT. The RAT’s capabilities include keylogging, screen capture, file upload and download, and remote control. The actor, which has persistently targeted Mexican entities for more than two years, was attributed on the basis of Mexican Starlink IP addresses and Spanish-language instructions in the modified RAT payload. The campaign shows no signs of stopping, with ongoing activity linked to financial gain.
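The delivery chain above (a ZIP carrying an MSI that in turn drops a downloader) is a reminder that mail-gateway and EDR checks should classify archive members by content, not by file name. The following is an added example, not code from the digest or from the cited research: it opens a ZIP in memory, reads only the first bytes of each member, and flags Windows executables and OLE compound files (the container format MSI uses) that either are installers or carry an unrelated extension such as .pdf. The archive, its member names and the IMSS-style decoy name are all constructed here for illustration.

```python
"""Content-sniff ZIP members for executable containers regardless of file name.

Added example for the ZIP -> MSI delivery chain; the sample archive is
constructed in memory and its member names are invented.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# OLE2 compound-document header: the container used by MSI installers and also
# by legacy Office .doc/.xls/.ppt files, so the extension is checked as well.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PE_MAGIC = b"MZ"  # Windows executables and DLLs
OLE_OK_EXT = {"msi", "doc", "xls", "ppt", "msg"}  # extensions that legitimately use OLE


def sniff(head: bytes) -> str:
    """Classify a member by its leading bytes."""
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "other"


def classify_member(name: str, head: bytes) -> Optional[str]:
    """Return a reason to flag this member, or None if it looks benign."""
    kind = sniff(head)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if kind == "pe":
        return "executable (MZ header) inside attachment"
    if kind == "ole":
        if ext == "msi":
            return "MSI installer inside attachment"
        if ext not in OLE_OK_EXT:
            return "OLE container masquerading as ." + (ext or "(no extension)")
    return None


def scan_zip(blob: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member worth quarantining."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the header is needed; avoid inflating a large member fully.
            with zf.open(info) as fh:
                head = fh.read(8)
            reason = classify_member(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a decoy note, an MSI, and an OLE file renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("aviso.txt", "Estimado afiliado, consulte el documento adjunto.\n")
        zf.writestr("instalador.msi", OLE_MAGIC + b"\x00" * 504)
        zf.writestr("Formato_IMSS.pdf", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()):
        print(f"{member}: {why}")
```

Eight bytes per member are enough for this check, so the scanner does not need to decompress the archive, which also keeps it safe against oversized members. Distinguishing an MSI from a legacy Office document by content would require parsing the compound file's directory streams; the extension check above is the cheap approximation.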

Medusa ransomware attack hit Kansas City Area Transportation Authority

The Kansas City Area Transportation Authority (KCATA) fell victim to a ransomware attack, affecting its public transit operations in metropolitan Kansas City. KCATA is responsible for the Metro Area Express (MAX) bus rapid transit service and 78 local bus routes across seven counties.

KCATA promptly disclosed the attack, opened an investigation, notified the relevant authorities and engaged external experts to restore affected systems. It says its services, including fixed-route buses and paratransit, remain unaffected apart from a temporary disruption of calls to the regional RideKC call centers.

The Medusa ransomware gang has claimed responsibility for the attack, threatening to release stolen data unless a $2 million ransom is paid, with an option to extend the deadline for $100,000 per day.

Jason’s Deli says customer data exposed in credential-stuffing attack

Jason’s Deli has issued data breach notifications to customers after their personal data was exposed in credential stuffing attacks. The American restaurant chain has 246 locations in 29 states, annual revenue exceeding $400 million and more than 6,000 employees.

Attackers used account credentials obtained from external sources, typically username and password pairs leaked in breaches of other services, in a credential-stuffing attack against the restaurant’s website, relying on customers who reuse the same password across sites. The breach potentially exposed full names, addresses, phone numbers, birthdays, and truncated credit card and gift card numbers.

Jason’s Deli detected the unauthorized access attempts but could not determine the full impact, so it notified all potentially affected account holders; the filing with the Office of the Maine Attorney General lists 344,034 affected customers. The company advised affected individuals to reset their passwords, change the same credentials on any other platform where they are reused, and enable two-factor authentication, and committed to restoring Deli Dollars reward points that were redeemed without authorization.
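Credential stuffing looks different from a brute-force attack on one account: a single source cycles through many distinct usernames, each tried once or twice, with a high failure rate and an occasional success where the reused password matched. The following is an added example, not code from the digest or from Jason's Deli: it runs that logic over constructed login log lines (JSON per line, a format assumed here) and reports, per source IP, the accounts it reached and which of them succeeded, which is the list a site would need for notifications and forced resets.

```python
"""Flag credential stuffing in web login logs.

Added example; the log lines and their JSON-per-line format are constructed
here and are not from any real system.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator

# Constructed sample: one IP cycling through eight accounts (one hit),
# one legitimate user with a typo, and one single-account brute force.
SAMPLE_LOG = """
{"ts":"2024-02-01T10:00:01","src_ip":"203.0.113.7","user":"alice","result":"fail"}
{"ts":"2024-02-01T10:00:03","src_ip":"203.0.113.7","user":"bob","result":"fail"}
{"ts":"2024-02-01T10:00:05","src_ip":"203.0.113.7","user":"carol","result":"success"}
{"ts":"2024-02-01T10:00:07","src_ip":"203.0.113.7","user":"dave","result":"fail"}
{"ts":"2024-02-01T10:00:09","src_ip":"203.0.113.7","user":"erin","result":"fail"}
{"ts":"2024-02-01T10:00:11","src_ip":"203.0.113.7","user":"frank","result":"fail"}
{"ts":"2024-02-01T10:00:13","src_ip":"203.0.113.7","user":"grace","result":"fail"}
{"ts":"2024-02-01T10:00:15","src_ip":"203.0.113.7","user":"heidi","result":"fail"}
{"ts":"2024-02-01T10:01:00","src_ip":"198.51.100.4","user":"alice","result":"fail"}
{"ts":"2024-02-01T10:01:20","src_ip":"198.51.100.4","user":"alice","result":"success"}
{"ts":"2024-02-01T10:02:00","src_ip":"203.0.113.9","user":"bob","result":"fail"}
{"ts":"2024-02-01T10:02:10","src_ip":"203.0.113.9","user":"bob","result":"fail"}
{"ts":"2024-02-01T10:02:20","src_ip":"203.0.113.9","user":"bob","result":"fail"}
"""


def parse_events(log_text: str) -> Iterator[dict]:
    """Yield login events with the timestamp parsed into a datetime."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        yield event


def detect_stuffing(
    log_text: str,
    window: timedelta = timedelta(minutes=5),
    min_accounts: int = 5,
    min_fail_ratio: float = 0.8,
) -> Dict[str, dict]:
    """Return, per source IP, the widest sliding window that looks like stuffing.

    A window qualifies when it touches at least `min_accounts` distinct
    usernames and at least `min_fail_ratio` of its attempts failed. Accounts
    with a success inside that window are reported as likely compromised.
    """
    by_ip = defaultdict(list)
    for event in parse_events(log_text):
        by_ip[event["src_ip"]].append(event)

    alerts: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end, event in enumerate(events):
            # Shrink the window from the left until it fits in `window`.
            while event["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            accounts = {e["user"] for e in win}
            failures = sum(1 for e in win if e["result"] == "fail")
            if len(accounts) < min_accounts or failures / len(win) < min_fail_ratio:
                continue
            if best is None or len(accounts) > best["distinct_accounts"]:
                best = {
                    "distinct_accounts": len(accounts),
                    "attempts": len(win),
                    "failures": failures,
                    "compromised": sorted(e["user"] for e in win if e["result"] == "success"),
                }
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The single-account brute force (203.0.113.9) and the legitimate retry (198.51.100.4) do not trip the rule because the distinct-account count stays at one. Real stuffing campaigns are usually spread across proxy pools, so in production the same window logic should also be keyed on coarser attributes (ASN, user agent, TLS fingerprint) and combined with per-account rate limits and a check of submitted passwords against known-breached lists.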