Breach Roundup: Omni Hotels Acknowledges Cyber Incident – Source: www.databreachtoday.com

Cybercrime
,
Fraud Management & Cybercrime
,
Incident & Breach Response

Also: Insurer Predicts Ransomware for Cars, Offers to Cover Towing Costs

Anviksha More (AnvikshaMore) •
April 4, 2024    

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Omni, OWASP and MarineMax suffered cyber incidents, Ivanti disclosed flaws, Cisco gave tips to stop password-spraying attacks, a court upheld an FCC ban, India rescued citizens in Cambodia, Americans lost $1.1 billion to impersonation scams, and an insurer introduced a cyber auto policy.

See Also: Ransomware Response Essential: Fixing Initial Access Vector

Privately held Omni Hotels & Resorts said Wednesday that a Friday cyber incident reportedly affecting hotel operations such as reservations, hotel room door locks, and point-of-sale system is indeed a cyberattack.

“Omni immediately took steps to shut down its systems to protect and contain its data. As a result, certain systems were brought offline, most of which have been restored. Omni quickly launched an investigation with a leading cybersecurity response team, which is ongoing,” the upscale hotel chain said. Texas-based Omni operates 50 properties in North America. One guest of the Omni Shoreham in Washington, D.C., said on Reddit that room keys worked but that all transactions were either cash or room charge.

But “the bar is open,” the poster said.

It can happen to anybody: The Open Web Application Security Project Friday reported it experienced a data breach due to a misconfigured web server. The breach, it said, affected resumes uploaded from 2006 to around 2014 by OWASP members. The resumes contained “names, email addresses, phone numbers, physical addresses, and other personally identifiable information.” OWASP no longer collects resumes as a preliminary step to membership.

“We recognize the unfortunate irony here, and are determined to make it our last breach,” it said on social media.

Ivanti CEO Jeff Abbott vowed to make comprehensive changes in the company’s approach to cybersecurity. Threat actors went on a monthslong hacking spree of Ivanti devices this year after likely Chinese nation-state hackers used zero-days to penetrate devices – setting off a cavalcade of additional vulnerability disclosures (see: Hackers Compromised Ivanti Devices Used by CISA).

The deluge may not be over: Ivanti on Tuesday disclosed three additional vulnerabilities, including a flaw allowing remote code execution.

“We will use this opportunity to begin a new era at Ivanti,” said Abbott. He highlighted efforts to enhance core engineering, security and vulnerability management practices, and embrace the “secure by design” ethos. Ivanti will also establish a customer advisory board to ensure transparency and accountability.

Cisco issued recommendations to help customers safeguard their remote access VPN services from password-spraying attacks that target Cisco devices. The attacks involve adversaries attempting to use the same password across multiple accounts to gain unauthorized access.

Indicators of compromise include difficulties in establishing VPN connections with Cisco Secure Client and an influx of authentication requests. Cisco’s mitigation guide suggests measures such as enabling logging to a remote syslog server, securing default VPN profiles, blocking malicious IPs manually, configuring control-plane ACLs and implementing certificate-based authentication for RAVPN.

Security researcher Aaron Martin highlighted a probable link between these attacks and an undocumented malware botnet dubbed Brutus. This botnet uses 20,000 IP addresses globally and initially targeted SSLVPN appliances from several vendors but expanded to include web apps that use Active Directory for authentication.

While Brutus operators are unidentified, Martin’s investigation uncovered two IPs associated with past activities of APT29, a threat group believed to operate for the Russian Foreign Intelligence Service.

A U.S. federal appeals court upheld a Federal Communications Commission ban on video surveillance products from Chinese-owned companies Hikvision and Dahua but agreed with the companies that the agency defined “critical infrastructure” too broadly.

A unanimous decision published Tuesday by a three-judge panel found the FCC acted within the limits of authority by blacklisting the companies. Congress in 2021 charged the agency with stopping communication equipment deemed a risk to national security from entering the U.S. market – to the extent that the equipment would be used to surveil critical infrastructure.

The FCC interpreted its mandate as not authorizing equipment that could be “connected to” any of the 16 critical infrastructure sectors recognized in the United States.

“It is entirely implausible that every single system or asset that is ‘connected to,’ for example, the food and agriculture sector, or to the function of supplying water, is ‘critical’ to the national security of the United States,” the judges said. They ordered the agency to come up with a new definition of critical infrastructure.

The Indian Ministry of External Affairs warned citizens Thursday about the false promise of lucrative job opportunities in Cambodia, where there’s a high chance that the employers are human traffickers and the job entails cyber fraud.

The warning comes after the Ministry last Friday said it collaborated with Cambodian authorities to rescue about 250 nationals deceived by job offers and coerced into cyber fraud operations.

American consumers reported $1.1 billion worth of losses due to impersonation scams last year, the U.S. Federal Trade Commission reported Monday.

“Scammers have switched things up. Comparing 2020 to 2023, for example, reports of scams starting with a phone call have plummeted, while reports of scams starting with a text or email have increased,” the agency said. Losses through bank transfer and cryptocurrency skyrocketed during that same period.

Scammers have also upped their sophistication by impersonating more than one organization for a single scam. “For example, a fake Amazon employee might transfer you to a fake bank or even a fake FBI or FTC employee for fake help.”

A rule that went into effect Monday empowers the FTC to sue in federal court any scammers who impersonate governments and businesses. The agency is proposing to expand the rule to cover those who impersonate individuals (see: US FTC Proposes Penalties for Deepfake Impersonators).

Security researchers have long called modern cars “computers on wheels” and taken special glee in hacking into them. Now an insurance company says the risks of hackers obtaining personal information stored in cars or connected cloud computing centers are high enough for it to offer insurance covering attacks on personal data connected and stored in a vehicle. Germany-based insurer Munich RE, via its subsidiary HSB, introduced the new coverage while warning that “it is only a matter of time when peoples’ cars will become the target for ransomware, identity theft, and other types of cybercrime.”

The policy reimburses drivers for identity recovery coverage and services as well as “towing, labor, and temporary transportation charges while affected auto systems are restored” after a cyber incident.

Leading yacht retailer MarineMax told federal regulators that the “cyber incident” it reported in March was more serious than initially thought. In an update for federal regulators, the Florida boat seller said hackers in fact did steal “some customer and employee information, including personally identifiable information.” The company initially told regulators that it “does not maintain sensitive data in the information environment impacted by the incident.”

The Rhysida ransomware gang claimed responsibility for the attack and offered MarineMax’s data for sale. The group leaked screenshots of financial documents and personal IDs on the dark web and demanded over $1 million in bitcoin for the data.

Among the retailer’s many offerings is the 2023 Ocean Alexander 28 Explorer, which boasts a skylounge and a flybridge each complete with “comfortable seating areas, a wet bar and a custom-made grill. And the glass-enclosed beach club serves as the perfect hideaway for a relaxing afternoon lounge or a satisfying late-night cocktail.” Call for a quote.

Other Coverage From Last Week

• Google Proposes Method for Stopping Multifactor Runaround
• US and UK Partner to Align on AI Safety and Share Resources
• Feds Ask Telcos: How Are You Combating Location Tracking?

With reporting from Information Security Media Group’s David Perera in Washington, D.C.