MSP cybersecurity news digest, May 20, 2024

Panda Restaurant Group, which oversees Panda Express, Panda Inn and Hibachi-San, revealed a data breach following an intrusion into its corporate systems that compromised the personal information of an undisclosed number of associates. 

Panda Express, the largest Chinese fast-food chain in the U.S., with over $3 billion in sales and 47,000 associates across 2,300 branches, was affected by the breach. Although the breach impacted some corporate systems, in-store operations and guest experiences remained unaffected. The breach reportedly involved current and former associate data, with no guest information being compromised, as stated by a company spokesperson.

Upon discovery, Panda secured its environment, initiated remediation efforts, and collaborated with cybersecurity experts and law enforcement agencies to investigate the breach's scope and nature. Affected individuals were notified via letters detailing the breach.

The Zloader malware, based on the Zeus banking trojan, has resurfaced with a new feature, indicating active development. According to researchers, the latest version introduces an anti-analysis feature similar to one found in the Zeus 2.X source code.

Zloader, also known as Terdot or DEloader, reappeared in September 2023 after a two-year hiatus and has since evolved with RSA encryption and updates to its domain generation algorithm. The recent addition of an anti-analysis feature restricts the malware's execution to the original infected machine, terminating abruptly if run elsewhere. This technique, seen in versions above 2.4.1.0, relies on a Windows Registry check and a specific key and value generated from a hardcoded seed.

Researchers noted that Zloader's evolving stealthy tactics, including this anti-analysis feature, pose challenges for detection and analysis.

The Iranian state-sponsored threat group APT42 has been observed by cybersecurity experts posing as journalists in a social engineering campaign. 

APT42 attackers imitate journalists and human rights activists to obtain credentials for cloud operations and extract data. These attackers utilize tactics like impersonating news outlets such as The Washington Post and The Economist and use "typosquatted" domains to trick victims into entering credentials on fake Google login pages. This campaign, active since 2021, also involves posing as legitimate services like YouTube to obtain credentials. 

Researchers observed APT42 using custom backdoors dubbed NICECURL and TAMECAT to gain initial access to victim systems and deploy additional malware.

While there’s no evidence that the impersonated entities themselves were attacked, organizations should remain vigilant against increased use of social engineering campaigns.

UnitedHealth Group’s CEO confirmed the payment of a $22 million ransom to attackers who breached its subsidiary Change Healthcare, causing significant disruptions in the health care sector. 

Change Healthcare, which merged with UnitedHealth's Optum unit in 2022, provides payment and revenue management solutions, and the breach left many doctors temporarily unable to fill prescriptions or receive payments for their services. The breach occurred due to a server lacking multifactor authentication. Responsibility for the attack has been claimed by the BlackCat ransomware group.

In a separate ransomware attack, the LockBit ransomware group has claimed responsibility for disrupting the City of Wichita's IT systems, including online bill payment, prompting authorities to shut down affected services. Wichita, Kansas is home to nearly 400,000 people and a key economic center. The city was added to the LockBit ransomware group's extortion portal, with the threat actors threatening to publish stolen files unless a ransom was paid. Reportedly, city investigations are still ongoing to determine if data was stolen, but LockBit’s usual tactics include stealing data prior to file encryption. 

Debt collection agency Financial Business and Consumer Solutions (FBCS) has reported a data breach affecting two million individuals, exposing personal information such as names, dates of birth, social security numbers and account details. The breach prompted FBCS to secure its infrastructure and launch an investigation with third-party forensic experts. Although no misuse of the exposed information has been identified, FBCS has initiated notifications to affected individuals.

In a separate data breach, the personally identifiable information (PII) of over five million citizens from El Salvador has been found on the Dark Web, affecting more than 80% of the country's population. The breach, attributed to a threat actor known as 'CiberinteligenciaSV,' included a 144 GB data dump posted on Breach Forums, containing high-definition photos labeled with corresponding Salvadorian document identification (DUI) numbers. This breach is notable for its inclusion of biometric data, such as victim headshots, posing a heightened risk of identity theft and fraud across various digital platforms, as underscored by a Federal Trade Commission advisory on biometric information. 

In another case, cloud storage services provider Dropbox disclosed a breach affecting Dropbox Sign (formerly HelloSign), revealing unauthorized access to user data, including emails and account settings. An investigation found no access to user content or payment details, and that it was limited to Dropbox Sign's infrastructure. While the exact number of affected customers remains undisclosed, Dropbox is reaching out to all impacted users and collaborating with law enforcement. This latest breach is Dropbox’s second security incident within two years.