MSP cybersecurity news digest, September 30, 2024

“Grep” threat actor hits Dell with data breach, exposing employee and partner information

Dell is investigating claims of a data breach after an attacker named "grep" leaked information of over 10,000 employees.

The attacker claims the breach occurred in September 2024, exposing employee and partner details such as unique identifiers and employment status. A small sample of the data was shared publicly, with access to the full database available for purchase on a hacking forum. Dell acknowledged the claims and confirmed that their security team is investigating the situation. The threat actor "grep" had previously claimed responsibility for a similar breach involving Capgemini earlier this month.

Earlier in 2024, Dell faced another breach in which 49 million customer records were stolen through API abuse.

MoneyGram confirms cyberattack that caused system outages and customer complaints

MoneyGram, with a reported revenue of €1.2 billion, confirmed it suffered a cyberattack following system outages and customer complaints.

The company identified the issue and took systems offline as a protective measure, which caused widespread service disruptions. MoneyGram reported a "network outage" and confirmed that it was due to a cybersecurity incident. It has since assured customers that it is working with external experts and law enforcement to investigate and resolve the issue.

Despite these efforts, no timeline has been given for when services will be fully restored. The extended outage and loss of connectivity suggest the possibility of a ransomware attack, though MoneyGram has not confirmed this. With millions of users and over 120 million annual transactions, a potential data breach could have significant consequences.

“Marko Polo” group spreads 50 malware strains targeting a wide variety of victims

A cybercriminal group called "Marko Polo" is behind a large-scale malware operation involving 30 different campaigns targeting a wide range of people and platforms.

They use methods like malvertising, spear phishing, and brand impersonation in gaming, cryptocurrency, and software to spread 50 malware strains, including AMOS, StealC, and Rhadamanthys. According to researchers, these campaigns have likely compromised tens of thousands of devices globally, leading to significant financial losses and data breaches. Marko Polo primarily targets high-value individuals, such as cryptocurrency influencers and software developers, through fake job offers or collaborations.

The group impersonates well-known brands like Fortnite and Zoom, while also creating fake brands to trick victims into downloading malware. Their toolkit includes HijackLoader for Windows, which installs data-stealing malware, and AMOS for macOS, which targets browser data and passwords. To avoid falling victim, users should only download software from official websites and ensure antivirus software is up to date.

Lumma Stealer and NetSupport malware target North American transportation and logistics companies

Recently, North American transportation and logistics companies have become targets of a phishing campaign delivering malware like information stealers and remote access trojans (RATs).

The attackers compromise legitimate email accounts from shipping companies and inject malicious content into ongoing email threads. Between May and July 2024, malware such as Lumma Stealer and NetSupport was primarily used, but in August the tactics changed to include DanaBot and Arechclient2. The phishing emails often contain .URL attachments or Google Drive links, tricking recipients into running malware scripts.

These campaigns impersonate software providers used in fleet management, showing the attackers' research into their targets. The recent attacks also coincide with the rise of new stealer malware and the RomCom RAT, signaling a possible shift toward espionage over financial gain.

Vanilla Tempest deploys INC ransomware to target U.S. health care organizations

Researchers reported that Vanilla Tempest, a ransomware affiliate, is now targeting U.S. health care organizations using INC ransomware.

INC Ransom, a ransomware-as-a-service (RaaS) operation, has been active since July 2023, with attacks on organizations such as Yamaha Motor Philippines and Scotland’s NHS. Vanilla Tempest used Gootloader malware to gain initial access, followed by Supper malware and tools like AnyDesk and MEGA to move laterally and deploy INC ransomware.

In August 2024, this ransomware disrupted Michigan's McLaren Health Care systems. Vanilla Tempest, active since 2021, has targeted sectors like health care and education using various ransomware strains. Formerly known as Vice Society, it was linked to Rhysida, another ransomware group targeting health care.