
Security Skim: August 9th + 16th

“It takes 20 years to build a reputation and a few minutes of a cyber-incident to ruin it”

Stephane Nappo

Last week I didn’t update the latest security news or the In Defense of Microsoft post due to the Maui wildfires. While I don’t live in Maui, my wife and her family do. We are fortunate that they are OK and didn’t lose their homes. However, they do own a large self-storage business in Lahaina, and a lot of their customers completely lost their homes. Everything they had left in their lives was in those storage units. I spent the week getting a Starlink terminal out to the self-storage and writing Python scripts to access their customer data. It’s been a trying week for everyone on the island. My father-in-law has been flying supplies back and forth every day since the disaster. If you have time, please go to the Red Cross and read how you can help. From the calls I have been a part of, they need food and water. With that said, here is this week’s Security Skim.

MLS Provider Rapattoni Hit By Cyber Attack

Rapattoni Corporation

A cyberattack on Rapattoni, a California-based company that provides essential online services for tracking home listings, has disrupted home buyers, sellers, real estate agents, and listing websites across the United States for five days. Rapattoni offers Multiple Listing Services (MLS) to regional real estate groups, facilitating access to data about homes on the market, purchase offers, and sales. The attack, suspected to be a ransomware incident, has rendered MLS systems unusable, impacting the ability to list new homes, update prices, mark homes as pending or sold, and list open houses. Rapattoni is actively working to restore systems and investigate the attack’s nature and scope.

One of the things I am learning while writing these skims is how many little-known companies underpin much of the online world. I am not a real estate agent, and I am sure Rapattoni is well known in those circles, but I doubt many people outside them would know who they are. It hasn’t been confirmed as a ransomware incident, but if it is, it shows how quickly one malicious PDF or one user downloading a fake program can destroy a business. Without network segmentation and without email security, it can all go up in smoke. A decade ago, a friend told me how the insurance company he worked at had recently been infected by ransomware. The infection was so nasty they were throwing out laptops and servers and outright replacing them.

Synack Red Team Finds Vulnerabilities in ScrutisWeb (ATM Monitoring)

In early 2023, security researchers from the Synack Red Team (SRT) identified several vulnerabilities (CVE-2023-33871, CVE-2023-38257, CVE-2023-35763, and CVE-2023-35189) in the ScrutisWeb web application developed by France-based company Iagona. These vulnerabilities were patched in July 2023 with the release of ScrutisWeb version 2.1.38. The SRT members involved in the discovery were Neil Graves, Jorian van den Hout, and Malcolm Stagg.

ScrutisWeb is a web application used to monitor banking and retail ATM fleets. It lets organizations track ATMs and respond quickly to any issues. The vulnerabilities discovered by the SRT allowed unauthorized users to perform various actions, potentially compromising sensitive information and gaining control over the application.

The vulnerabilities included:

  1. CVE-2023-33871: Absolute Path Traversal. Exploiting this vulnerability allowed attackers to download configurations, logs, and databases from the server by manipulating a parameter in the URL.
  2. CVE-2023-35189: Remote Code Execution (RCE). This vulnerability enabled unauthenticated users to upload and execute arbitrary scripts on the server, potentially leading to command injection.
  3. CVE-2023-38257: Insecure Direct Object Reference (IDOR). By manipulating a parameter in an HTTP POST request, attackers could retrieve sensitive user account information, including encrypted passwords.
  4. CVE-2023-35763: Hardcoded Encryption Key. The researchers discovered a hardcoded encryption key used in the application’s encryption mechanism, allowing them to decrypt passwords and gain unauthorized access.

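The first item on that list is worth a closer look, because the word “absolute” describes a specific mistake. This is an added illustration of the bug class, not ScrutisWeb’s code and not the researchers’ material: in Python, `os.path.join(base, requested)` silently discards `base` when `requested` is an absolute path, so a file-download handler that trusts a URL parameter hands back whatever path the caller supplies. The hardened version resolves the final path and refuses anything that does not stay under the intended directory. The directory names and the `requested` parameter are constructed for the example.

```python
import os
import tempfile


def unsafe_resolve(base_dir, requested):
    """Vulnerable pattern: os.path.join drops base_dir when `requested` is absolute,
    and does nothing about '..' segments either."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir, requested):
    """Hardened pattern: return the real path if it stays inside base_dir, else None.

    realpath() collapses '..' and follows symlinks, so a symlink planted inside
    base_dir that points outside it is also rejected.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        # Different drives on Windows: cannot share a prefix, so not inside.
        inside = False
    return candidate if inside else None


def demo():
    """Run both resolvers against a constructed log directory and a few requests."""
    base = tempfile.mkdtemp()  # stands in for the application's log/config directory
    results = {
        "unsafe_absolute": unsafe_resolve(base, "/etc/passwd"),   # escapes: base is discarded
        "safe_absolute": safe_resolve(base, "/etc/passwd"),       # rejected
        "safe_dotdot": safe_resolve(base, "../../etc/passwd"),    # rejected
        "safe_ok": safe_resolve(base, "atm-01/today.log"),        # allowed
    }
    ok = results["safe_ok"]
    results["safe_ok_inside"] = ok is not None and ok.startswith(os.path.realpath(base))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The defensive check is the last step, not a replacement for input validation: a handler that only ever serves a known set of files should map a short identifier to a path on the server side and never accept a path from the client at all.
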
Exploiting these vulnerabilities could give an attacker significant control over the ScrutisWeb application, potentially enabling them to monitor and manipulate activities on ATMs within a fleet. The ability to upload and execute custom software on ATMs could facilitate malicious activities such as bank card exfiltration and SWIFT transfer redirection.

Iagona promptly addressed these vulnerabilities by releasing an update to ScrutisWeb (version 2.1.38). The discovered vulnerabilities highlight the importance of robust security practices in software development. I’ve worked at two companies with hardcoded encryption keys in their code. It shouldn’t be common, but it is. For those who don’t know the Synack Red Team, check out their site. They are a company that created a platform to crowdsource vulnerabilities.
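On the hardcoded-key point: the reason it keeps showing up is that a literal in the source is the path of least resistance, and nothing in the build stops it. The added example below is mine, not code from ScrutisWeb or from Synack. It shows the weak pattern beside the corrected one (key supplied at deploy time and the service refusing to start without it) and a small static check of the kind a pre-commit hook or CI job can run to flag secret-looking literals. The variable name `APP_DB_KEY`, the regex, and the sample source lines are all constructed for the illustration.

```python
import base64
import os
import re

# Weak pattern (constructed, not a real key): the key ships with the code, so anyone
# with the repo or the installed binary can decrypt every password it protects.
HARDCODED_KEY = b"0123456789abcdef0123456789abcdef"


def load_key_from_env(env=None, var_name="APP_DB_KEY"):
    """Corrected pattern: the key is injected at deploy time (environment variable populated
    from a secrets manager) and never committed. Fail closed if it is absent or malformed."""
    env = os.environ if env is None else env
    raw = env.get(var_name)
    if raw is None:
        raise RuntimeError(f"{var_name} is not set; refusing to start without a key")
    key = base64.b64decode(raw)
    if len(key) not in (16, 24, 32):
        raise ValueError("key must be 128, 192 or 256 bits")
    return key


# Assignment of a long quoted literal to a name containing key/secret/password/token.
SECRET_LITERAL_RE = re.compile(
    r'(?i)\b\w*(key|secret|password|passwd|token)\w*\s*=\s*[bB]?["\']([^"\']{16,})["\']'
)


def find_hardcoded_secrets(lines):
    """Return (line_number, matched_text) for lines that look like hardcoded secrets."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SECRET_LITERAL_RE.search(line)
        if m:
            hits.append((n, m.group(0)))
    return hits


# Constructed source snippet for the scanner to inspect.
SAMPLE_SOURCE = [
    "import os",
    'HARDCODED_KEY = b"0123456789abcdef0123456789abcdef"',   # flagged
    "key = os.environ['APP_DB_KEY']",                        # fine: no literal
    'api_token = "sk-constructed-example-token-value"',      # flagged
    'label = "not a secret at all, just a long string"',     # fine: name is not secret-like
]

# Constructed deployment environment: a 256-bit key, base64-encoded as an operator would supply it.
DEMO_ENV = {"APP_DB_KEY": base64.b64encode(b"x" * 32).decode()}


if __name__ == "__main__":
    for n, text in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {n}: {text}")
    print("loaded key length:", len(load_key_from_env(DEMO_ENV)))
```

A regex like this has false positives and misses secrets split across lines or built by concatenation, so treat it as a cheap first gate rather than the whole control; the structural fix is that the code path has no way to work without an externally supplied key.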

Massive Ransomware Attack Hits Canadian Dental Service, Affecting 1.5 Million Individuals

Canadian dental benefits administrator Alberta Dental Service Corporation (ADSC) has informed approximately 1.47 million individuals that their personal information was compromised in a ransomware attack that was initially discovered on July 9. The full extent of the data breach was determined two weeks later. The breach affected individuals enrolled in the Alberta Government’s Dental Assistance for Seniors Plan, Low-Income Health Benefits Plans, and Quikcard. Quikcard brokers and dental service providers that received direct payment for health claims were also impacted.

The attackers had unauthorized access to ADSC’s network for over two months before deploying file-encrypting malware. During this period, they copied specific data from compromised systems, including files containing personal and banking information. The compromised information includes names, addresses, birth dates, government identification numbers, details of dental benefits claims, personal bank account numbers, corporate emails, and corporate bank accounts.

ADSC managed to recover the affected systems and data with minimal operational impact. While ADSC’s notice does not explicitly name the ransomware gang responsible, ADSC President Lyle Best confirmed that a ransom payment was made to the 8Base ransomware gang. The attackers provided proof that the stolen data was deleted after the payment was made. The initial intrusion vector was a phishing email, and ADSC was able to restore the encrypted data from backups. The organization has taken steps to protect accessed or copied personal and corporate information from fraudulent misuse.

Let’s be honest. There is no way the ransomware gang deleted the data. They still have it and will probably sell it to a willing buyer. Two months is a long time for an attacker to have persistent access to your network. I wasn’t able to find out how the attack happened, but I believe that government agencies or administrators should be held to the same standard as banks.

Clorox Halts Operations Amid Cyberattack, Takes Systems Offline

Clorox, a major cleaning products manufacturer, has taken certain systems offline in response to a recent cyberattack. The company detected unusual activity on its IT systems and promptly halted the activity while implementing additional security measures. As a result, some operations are temporarily impaired, and workarounds are being utilized to ensure continued service to customers. While the exact nature of the attack was not disclosed, the company informed law enforcement and is collaborating with third-party cybersecurity experts for investigation and system restoration. Clorox did not confirm data theft or provide an estimated timeline for system recovery. The investigation is ongoing, and the company is committed to updating stakeholders as appropriate.

The only information we have on this is Clorox’s Form 8-K filing. All public statements have basically been the same as the 8-K statement. This could end up being very bad, or it could be a case where they got the drop on the attacker.

Conclusion

I’ll publish the Microsoft article next week as I am still busy helping my family in Maui. Things should get back on schedule next week. I hope you enjoyed the skim, and I will see you all next week. Good luck to all the engineers out there, and until next time, stay safe!
