Breach Roundup: LabHost Goes Down – Source: www.databreachtoday.com

LabHost Phishing-As-a-Service Site Disrupted

U.S. federal authorities seized four domains that resolve to Russian internet infrastructure used by cybercriminals to spoof the websites of major banks and online providers, Department of Justice officials said.

The seizure was part of an international law enforcement operation that resulted in 37 arrests, including one arrest in the United Kingdom of the alleged original developer of the phishing-as-a-service operation. Known as LabHost, it service had more than 100,000 users worldwide and created more than 40,000 phishing websites, authorities said. It operated on the open internet through LabHost.ru and the .ru top level domain resolved to Russian internet infrastructure company DDoS-Guard.

Prosecutors obtained a warrant authorizing seizure of the domains. An parallel investigation by Britain’s Metropolitan Police Service found more than one million user credentials and nearly 500,000 stolen payment cards on LabHost infrastructure.

Australian Federal Police reported seizing 207 servers used to host the fraudulent phishing websites created by LabHost.

Fortra reported in February that LabHost began operations during the last three moneths of 2021 and overtook competitor Frappo as the preferred provider of phishing webpages for much of 2023. LabHost underwent a mysterious outage in October but restored service in early December.

Upscale hotel chain Omni Hotels & Resorts on Friday said cybercriminals stole personal information of its customers, including names, email addresses, postal addresses and loyalty program details. The company earlier this month acknowledged the cyberattack.

Hackers did not compromise financial information or Social Security numbers. The attack forced Omni to shut down systems on March 29, causing system outages across its properties, including phone and Wi-Fi issues and key card malfunctions.

Could it be? Why yes it is – more security vulnerabilities in Ivanti products, although the company said Wednesday that none of the 27 vulnerabilities in its Avalanche mobile device management solution are under active exploitation. The Utah manufacturer earlier this month vowed make comprehensive changes in the company’s approach to cybersecurity after threat actors including suspected Chinese state hackers turned its gateway devices into the objects of a monthslong hacking spree. Ivanti’s Endpoint Manager Mobile product also had a star turn in a July 2023 incident involving a zero day used to hack the Norweigan government (see: Ivanti Zero-Day Used in Norway Government Breach).

Among the Avalanche fixes, two are critical heap overflow flaws, tracked as CVE-2024-24996 and CVE-2024-29204. The flaws pose severe risks, enabling remote attackers to execute arbitrary commands without user interaction. Ivanti also patched another 25 medium and high-severity bugs, including those facilitating denial-of-service attacks, arbitrary command execution and data theft.

U.S. federal prosecutors charged Moldovan national Alexander Lefterov, aka Alipako, Uptime and Alipatime, for aggravated identity theft, computer fraud and wire fraud. The newly unsealed nine-count indictment from 2021 accuses Lefterov of infecting computers in order to harvest user credentials and brokering the sale of those credentials, as well as access to the computers themselves, on criminal black markets.

Lefterov also allegedly facilitated malware distribution and ransomware attacks. He is a fugitive from the U.S. judicial system and wanted by the FBI.

Cisco-owned Duo Security disclosed a breach in an unnamed network provider used for sending multifactor SMS messages. The breach, which occurred on April 1, resulted from a phishing attack targeting a provider employee’s credentials. Hackers accessed and downloaded a MFA SMS message logs from the entire month of March, exposing phone numbers, carriers and metadata of affected Duo accounts.

Cisco acquired Duo Security in 2018 in a transaction worth $2.35 billion.

The company said hackers didn’t access message content or send unauthorized messages using the stolen data. Affected Duo account owners can request copies of the compromised message logs from Cisco. In an emailed statement, a Cisco spokesperson said the attack affected “approximately 1% of Duo’s customers were impacted. Our investigation is ongoing, and we are notifying affected customers via our established channels as appropriate.”

A March ransomware attack on a medical company servicing Spain’s Guardia Civil, the national gendarmerie force, and the Ministry of Defense almost certainly failed to capture sensitive medical data, reported online newspaper The Objective on Wednesday, citing “sources close to the investigation.”

Hackers using a leaked version of LockBit ransomware malware attacked Medios de Prevención Externos Sur SL on March 22 in an incident that came to light this week (see: Free Ransomware: LockBit Knockoffs and Imposters Proliferate).

The company, which conducts medical examinations, told local press that it was able to recover quickly from the attack thanks to having backed up data. Hackers potentially compromised data including ID card numbers, mobile phone numbers, email addresses, birthday and medical exam results.

El Independient reported that Guardia Civil agents have reported an uptick in phishing emails.

Other Stories From Last Week

• Ransomware Victims Who Pay a Ransom Drops to Record Low
• The Global Menace of the Russian Sandworm Hacking Team
• Likely Sandworm Hackers Using Novel Backdoor Kapeka
• Exploited TP-Link Vulnerability Spawns Botnet Threats

With reporting from Information Security Media Group’s David Perera in Washington, D.C.