MSP cybersecurity news digest, October 30, 2024

350 million Hot Topic customers’ data being sold on illicit forum: “Largest retail breach in history”

Researchers discovered a database containing personal and payment data of 350 million alleged Hot Topic customers for sale on an illicit forum.

The attacker named "Satanic" claimed to have data on customers of Hot Topic, Torrid and Box Lunch, including names, email and physical addresses, transactions and loyalty points. Researchers verified a sample, linking it to the three retailers, and suggested this could be the largest retail breach in history if confirmed. They believe the breach stemmed from an infostealer infection of a third-party vendor employee who lacked multifactor authentication (MFA) on a Snowflake account.

The attacker initially listed the database for $20,000, later lowering the price to $10,000, and demanded $100,000 from Hot Topic to delete it. Researchers have warned that this data could lead to identity theft, financial fraud and account takeovers.

LockBit's fame exploited to scare victims in latest ransomware attacks

Threat actors have been abusing Amazon S3's Transfer Acceleration feature to exfiltrate data in ransomware attacks, often using LockBit’s reputation to scare victims. Researchers observed attackers disguising a Golang-based ransomware as LockBit to amplify intimidation, although this new ransomware is not related to LockBit.

Hard-coded AWS credentials are embedded in the ransomware, enabling it to upload exfiltrated data to attacker-controlled S3 buckets. Researchers have identified over 30 ransomware samples with embedded AWS access keys, indicating active development of cross-platform variants targeting both Windows and macOS.

Researchers named this variant “NotLockBit,” as it is unrelated to LockBit but attempts to exploit its notoriety. After data exfiltration and encryption, the ransomware renames files with a specific format and changes the victim’s wallpaper to a ransom note. Although macOS ransomware has historically been rare, researchers note a trend toward more sophisticated cross-platform ransomware, signaling a potential shift.

Resurfacing Bumblebee and Latrodectus malware engage in new phishing campaigns

Two malware families, Bumblebee and Latrodectus, have resurfaced in new phishing campaigns after being disrupted by a coordinated law enforcement action, "Endgame."

These malware loaders can steal personal data and download further malicious payloads onto compromised devices. Latrodectus, which also goes by aliases like BlackWidow and IceNova, is closely tied to IcedID due to shared infrastructure and has been linked to campaigns by initial access brokers TA577 and TA578. Although not specifically mentioned in the Endgame operation, Latrodectus’ infrastructure was also affected. Researchers highlighted that Latrodectus quickly adapted post-Endgame, strengthening its presence.

Current phishing campaigns are deploying Latrodectus through DocuSign-themed emails, which contain PDFs or HTML files that launch the malware. Bumblebee, on the other hand, spreads via ZIP attachments containing LNK files, and evades detection by executing its payload in memory rather than writing it to disk.

Networks breached by Black Basta posing on Microsoft Teams as IT help desks

The Black Basta ransomware group has shifted its social engineering tactics to Microsoft Teams, where members impersonate IT help desks to breach networks.

Originally active since 2022, Black Basta evolved from the disbanded Conti cybercrime group, using phishing, malware botnets and social engineering for intrusions. Previously, they overwhelmed employee inboxes with spam, then posed as IT support over the phone to gain remote access.

Now, attackers use Teams as external users, adopting names like "Help Desk" to appear legitimate and lure employees into installing remote-access tools like AnyDesk or Quick Assist. Once connected, the attackers install malware such as Cobalt Strike, enabling full network access and ransomware deployment.

Mexican airport management company suffers cyberattack claimed by RansomHub ransomware gang

The RansomHub gang has claimed responsibility for a cyberattack on Grupo Aeroportuario del Centro Norte (OMA), which manages 13 airports in central and northern Mexico.

The attack led OMA’s IT team to activate backup systems to maintain airport operations, including Monterrey’s airport, which serves millions of passengers annually. RansomHub has threatened to leak 3 TB of data if its ransom demands remain unmet. OMA, working with cybersecurity experts, is investigating the breach, but has not confirmed RansomHub’s involvement.

The company reported that, so far, operations and financials remain unaffected. Meanwhile, passengers are advised to check flight details through QR codes as terminal screens are still down.