    Date: 03/07/2023

    Chick-fil-A Confirms Some Data Breach Details

    Overview

    Fast food vendor Chick-fil-A announced in January 2023 that it was investigating suspicious activity related to customer accounts after some customers began posting on social media about fraudulent charges on their accounts. On March 2, 2023, in filings with multiple state attorneys general, the company confirmed that more than 71,000 customer accounts had been compromised.

    Potential Impact

    Some customers impacted by this breach had money taken out of their bank accounts to replenish compromised Chick-fil-A accounts so that more fraudulent orders could be placed. It is still unclear whether attackers had access to payment card information.

    Recommended Actions

    As an individual, exercise caution when signing up for rewards programs or merchant applications. The convenience of mobile app ordering with the ability to replenish your account with a bank account or credit card number can become a major headache if your account gets compromised.

    If you’re reading this as a corporate leader in any capacity, take note that Chick-fil-A did not announce it was investigating suspicious activity until after its social media feeds were filled with posts from victimized customers. This raises the question of whether the company’s security team had detected anything before customer complaints started arriving. Use this story as an example of why an effective information security program is critical to any business in today’s environment.

      LastPass Shares Security Incident Details

      Overview

      On March 1, 2023, LastPass shared findings from its months-long breach investigation.

      Potential Impact

      As long as it’s implemented correctly, the “Zero-Knowledge” approach advertised by LastPass, in which only users (and not LastPass) have access to master passwords, should keep items stored in customer vaults secure. Because LastPass has disclosed that encrypted customer vault data has been exposed, LastPass users with weak master passwords may be at risk of having their vaults decrypted offline by anyone holding a copy of that data. Leaked customer data includes phone numbers used for Multi-Factor Authentication (MFA) and MFA seed values. For reasons inexplicable to this author, LastPass apparently does not encrypt URL data for customers, only passwords and secure notes. Exposure of URLs and phone numbers can lead to future attacks against LastPass customers. The exposure of MFA seed values can allow attackers to defeat MFA, so ensure that you read the recommended actions below.

      Recommended Actions

      If you are a LastPass user and don’t have MFA enabled, enable it immediately. Consider using FIDO2 keys for MFA, especially for accounts with access to sensitive passwords. Take action according to the LastPass security bulletins in the links below. Pay close attention to the procedures for regenerating MFA shared secrets.

      Sources

      https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers 

      https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators 

      https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/ 

      https://www.lastpass.com/security/zero-knowledge-security

      OpenSSL Patches Several Vulnerabilities

      Overview

      On February 7, 2023, OpenSSL released fixes for eight vulnerabilities, described in its advisory as “one high and seven moderate severity.”

      Potential Impact

      The ubiquity of OpenSSL in operating systems and applications makes any significant OpenSSL vulnerability worth noting. Perhaps the most significant, CVE-2022-4203, was caused by a buffer overrun which, according to OpenSSL, could lead to “disclosure of private memory contents (such as private keys, or sensitive plaintext).” Because this buffer overrun occurs during certificate verification, exploitation will largely be limited to clients, not servers. OpenSSL also reports that it does not know of a working exploit for this vulnerability.

      Recommended Actions

      Ensure that operating systems are patched in a timely manner, and if you develop applications that utilize OpenSSL, ensure that OpenSSL libraries are up to date, according to the OpenSSL advisory in the link below. 

      Sources

      https://www.openssl.org/news/secadv/20230207.txt

      Qakbot Spreads Through Malicious OneNote Documents

      Overview

      Researchers at Sophos published a report on February 6, 2023, describing the spread of Qakbot malware through .one files (Microsoft OneNote notebooks). The report describes spam campaigns in which the malware injects malicious documents as attachments into existing email conversations on compromised hosts, or sends malicious links in an impersonal spam message. The spam campaigns began on January 31, 2023.

      Indicators:

      The malicious attachments analyzed by Sophos were all named “ApplicationReject_#####(Jan31).one” or “ComplaintCopy_#####(Feb01).one” (where ##### was a random, five-digit number). Emails from the spam campaigns all used the recipient’s last name in the subject line.

      Potential Impact

      Qakbot infection allows attackers to control the infected host. It has been known to be used by several major ransomware groups.

      Recommended Actions

      Search email systems for the indicators referenced above, and consider including this information in end-user security training efforts.
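One way to turn the two indicators above (the attachment naming pattern and the recipient's last name in the subject) into a search over an email export, as an added example that is not part of the original briefing or of the Sophos report. The `Message` structure, the sample messages and the scoring rules are assumptions made here; the attachment name pattern is the one quoted in the briefing.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Attachment names quoted in the briefing from the Sophos report. The ##### is a
# random five-digit number; the "Jan31" / "Feb01" parts are literal.
QAKBOT_ONENOTE_NAME = re.compile(
    r"^(?:ApplicationReject_\d{5}\(Jan31\)|ComplaintCopy_\d{5}\(Feb01\))\.one$",
    re.IGNORECASE,
)


@dataclass
class Message:
    """Minimal view of an email, as a mail-log or mailbox export might provide it
    (assumed structure for this example)."""
    msg_id: str
    recipient_last_name: str
    subject: str
    attachments: List[str] = field(default_factory=list)


def score_message(msg: Message) -> List[str]:
    """Return the indicator hits for one message (an empty list means no hit)."""
    hits: List[str] = []
    one_files = [a for a in msg.attachments if a.lower().endswith(".one")]
    for name in one_files:
        if QAKBOT_ONENOTE_NAME.match(name.strip()):
            hits.append(f"attachment matches reported Qakbot name: {name}")
    # Secondary signal from the report: the subject carries the recipient's last
    # name. On its own that is normal business mail, so it only counts when a
    # OneNote attachment is also present.
    if one_files and msg.recipient_last_name.lower() in msg.subject.lower():
        hits.append("OneNote attachment plus recipient last name in subject")
    return hits


def scan(messages: List[Message]) -> Dict[str, List[str]]:
    """Map msg_id -> hits for every message that produced at least one hit."""
    return {m.msg_id: h for m in messages if (h := score_message(m))}


# Constructed sample messages so the script runs stand-alone (not real mail).
SAMPLE = [
    Message("m1", "Smith", "Smith - complaint copy", ["ComplaintCopy_48213(Feb01).one"]),
    Message("m2", "Jones", "Re: your application", ["ApplicationReject_00042(Jan31).one"]),
    Message("m3", "Lee", "Lee: notes from today", ["meeting_notes.one"]),
    Message("m4", "Patel", "Invoice attached", ["invoice_0331.pdf"]),
    # Only four digits: does not match the reported pattern, but still a .one
    # attachment with the last name in the subject, so it gets the weaker hit.
    Message("m5", "Kim", "Kim application", ["ApplicationReject_1234(Jan31).one"]),
]

if __name__ == "__main__":
    for msg_id, hits in scan(SAMPLE).items():
        print(msg_id, hits)
```

The strong match (exact attachment name) is what you would alert on; the weaker combination of any .one attachment with the last name in the subject is better treated as a triage queue, since the random five-digit part can be changed by the operators at any time.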

      Sources

      https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/

      Hospitality Industry Targeted by Spear-Phishing Campaign

      Overview

      A spear-phishing campaign targeting the hospitality industry has been recently observed by Trend Micro researchers. The campaign focuses on hotel staff and sends phishing emails about booking reservations, assistance requests, and website help. Most of these emails contain links to Dropbox directories that harbor malware, with the links often shortened through Bitly to avoid detection.

      Potential Impact

      The malware in the Dropbox directories is designed to download and install the RedLine information-stealing malware variant. RedLine can collect data from browsers, VPN applications, and specific installed applications such as Discord and Slack. It can also be used as a dropper to install additional malware strains.

      Recommended Actions

      To protect against spear-phishing campaigns like this, organizations should take a two-pronged security approach. First, having a well-configured email security tool to block out most phishing emails is crucial in reducing the likelihood of phishing attacks. Second, organizations should conduct regular security awareness training to educate employees on how to identify and delete potentially malicious emails. Internal phishing campaigns can also be a valuable tool for training team members and exposing them to various phishing tactics.
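A small link check that mirrors the delivery chain described in this item (Bitly-shortened links leading to Dropbox-hosted files), as an added example that is not part of the original briefing or of the Trend Micro research. It extracts URLs from a message body offline, without following them, and labels the ones whose host is the Bitly shortener (bit.ly) or Dropbox. The sample body and the host lists are assumptions made for the example.

```python
import re
from typing import Dict
from urllib.parse import urlparse

# Hosts named in the briefing's description of the campaign. "bit.ly" is Bitly's
# shortener domain; matching on Dropbox subdomains is an assumption for the example.
SHORTENER_HOSTS = {"bit.ly"}
FILE_SHARE_DOMAIN = "dropbox.com"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_links(body: str) -> Dict[str, str]:
    """Return {url: label} for links worth a second look.

    Labels are "shortened" (link goes through a URL shortener, so the real
    destination is hidden) or "file-share" (direct Dropbox link). Other links
    are left out. Nothing is fetched, so this is safe to run on quarantined mail.
    """
    flagged: Dict[str, str] = {}
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            flagged[url] = "shortened"
        elif host == FILE_SHARE_DOMAIN or host.endswith("." + FILE_SHARE_DOMAIN):
            flagged[url] = "file-share"
    return flagged


def needs_review(body: str) -> bool:
    """True when a booking-style message carries any shortened or file-share link."""
    return bool(classify_links(body))


# Constructed sample body in the style the briefing describes (not a real email).
SAMPLE_BODY = """Hello, I would like to book 3 nights. The booking details are at
https://bit.ly/3xyzABC and our company profile is https://www.example.com/about .
Please also see https://www.dropbox.com/s/abc123/Reservation.zip?dl=1 for the form."""

if __name__ == "__main__":
    for url, label in classify_links(SAMPLE_BODY).items():
        print(f"{label:10} {url}")
```

In practice the "shortened" label is the more useful one for hotel front-desk mailboxes: legitimate guests rarely shorten a link to their own booking, while the campaign relies on it to hide the Dropbox destination from filters.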

      Sources

      https://www.trendmicro.com/en_us/research/23/c/managed-xdr-exposes-spear-phishing-campaign-targeting-hospitalit.html?&web_view=true

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.

