MSP cybersecurity news digest, September 9, 2024

Cyberattack strikes Dick’s Sporting Goods, shutting down email and locking employee accounts

DICK'S Sporting Goods, the largest sporting goods retailer in the U.S., revealed that confidential information was compromised in a cyberattack.

The company operates 857 stores nationwide and reported $12.98 billion of revenue in 2023. It employs over 55,500 people. The company has engaged outside cybersecurity experts to manage the breach and assess the damage, according to an SEC filing.

Employees have been instructed not to discuss the breach publicly, and email systems are down as IT staff manually verify identities. The company has notified law enforcement and stated that so far, the breach has not affected operations.

Cyberattack against Seattle-Tacoma Airport IT systems disrupts check-ins and delays flights

The Seattle-Tacoma International Airport (SEA-TAC) has confirmed that a cyberattack likely caused an ongoing IT systems outage that disrupted check-ins and delayed flights.

SEA-TAC, the busiest airport in the Pacific Northwest, served nearly 51 million passengers in 2023 and is a major hub for Alaska Airlines and Delta Air Lines. The Port of Seattle reported an outage affecting airport systems and isolated critical systems to contain the damage.

The airport's website is offline, and passengers are advised to check airline apps for flight information and to allow extra time to reach the airport. Although flights are still operating, there are multi-hour delays and baggage sorting issues. Alaska Airlines has warned passengers to minimize checked luggage and tag bags with contact information. The FBI is investigating the incident, but no ransomware group has yet claimed responsibility.

Cobalt Strike payloads use phishing emails to target Chinese-speaking businesses

A sophisticated attack campaign, dubbed "SLOW#TEMPEST," is targeting Chinese-speaking users with phishing emails to infect Windows systems with Cobalt Strike payloads.

The attack begins with a malicious ZIP file containing a Windows shortcut (LNK) file disguised as a Word document, which leads to the deployment of Cobalt Strike via DLL side-loading using the LicensingUI.exe binary. The attackers remained undetected in the victims’ systems for over two weeks, leveraging a variety of tactics, including privilege escalation of a guest user account and lateral movement via Remote Desktop Protocol (RDP).

Further post-exploitation activities included deploying additional payloads, conducting reconnaissance with tools like BloodHound, and exfiltrating data to command-and-control (C2) servers hosted in China. The campaign's complexity and use of advanced tools suggest it was likely orchestrated by a seasoned threat actor, although there is no definitive link to any known APT groups.
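The side-loading step above is the one a defender can catch on the endpoint: a signed Windows binary that lives in a system directory loading a DLL from somewhere it should never load from. The script below is an added example written for this digest, not code from the researchers who reported SLOW#TEMPEST. It scans constructed image-load records (field layout loosely modelled on a Sysmon "Image Loaded" event; the pipe-delimited format, the DLL names and the user paths are all assumptions) and flags loads where the host process sits under a Windows system directory but the DLL does not and is not Microsoft-signed.

```python
"""Flag DLL side-loading candidates in constructed image-load records.

Added example for the SLOW#TEMPEST item; not from the digest or the original
research. Field names and the pipe-delimited layout are assumptions loosely
based on Sysmon event ID 7 (Image Loaded). Sample log lines are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which a Windows host binary is expected to load its DLLs.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)


@dataclass(frozen=True)
class ImageLoad:
    image: str     # process executable that performed the load
    loaded: str    # DLL path mapped into that process
    signed: bool   # whether the DLL carried a valid Authenticode signature
    signer: str    # publisher name from the signature ("" when unsigned)


def _under(path: str, roots) -> bool:
    """True when path sits inside one of the given directory roots."""
    normalised = str(PureWindowsPath(path)).lower()
    return any(normalised.startswith(root + "\\") for root in roots)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Host binary in a system directory loads a DLL from outside it.

    A Microsoft-signed DLL from elsewhere is tolerated (e.g. a redirected
    component); an unsigned or third-party-signed DLL in that position is the
    classic side-loading pattern and gets flagged.
    """
    host_in_system = _under(ev.image, TRUSTED_DIRS)
    dll_in_system = _under(ev.loaded, TRUSTED_DIRS)
    if not host_in_system or dll_in_system:
        return False
    return not (ev.signed and ev.signer.lower().startswith("microsoft"))


def parse_line(line: str) -> ImageLoad:
    """Parse one constructed record: Image|ImageLoaded|Signed|Signature."""
    image, loaded, signed, signer = line.rstrip("\n").split("|")
    return ImageLoad(image, loaded, signed == "true", signer)


# Constructed sample records (hypothetical paths and DLL names).
SAMPLE_LOG = [
    # Side-load: system binary pulling an unsigned DLL out of a temp folder.
    r"C:\Windows\System32\LicensingUI.exe|C:\Users\alice\AppData\Local\Temp\pkg\example.dll|false|",
    # Benign: same binary loading a Microsoft-signed DLL from System32.
    r"C:\Windows\System32\LicensingUI.exe|C:\Windows\System32\shell32.dll|true|Microsoft Windows",
    # Benign: third-party app loading its own vendor-signed DLL from its install dir.
    r"C:\Program Files\Vendor\app.exe|C:\Program Files\Vendor\helper.dll|true|Vendor Inc",
    # Tolerated: Microsoft-signed DLL loaded from a user directory.
    r"C:\Windows\System32\notepad.exe|C:\Users\alice\Downloads\foo.dll|true|Microsoft Windows",
]


def find_sideloads(lines):
    """Return the ImageLoad records that match the side-loading pattern."""
    return [ev for ev in map(parse_line, lines) if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_LOG):
        print(f"possible DLL side-load: {hit.image} loaded {hit.loaded}")
```

The rule is deliberately narrow so it stays quiet on a normal workstation: it only fires on a system-directory host binary, and it does not care which DLL name is involved, so it covers renamed or new side-load pairs as well as the one named in this item. Pairing the hit with the preceding LNK execution from a ZIP extraction path would tighten it further.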

One million Canadian Park’N Fly customers have personal information exposed in data breach

Park'N Fly has revealed that a data breach exposed the personal and account information of one million Canadian customers after attackers accessed its network using stolen VPN credentials.

The compromised data includes full names, email addresses, physical addresses, Aeroplan numbers, and CAA numbers, but reportedly no financial or payment card information was affected. The company, which provides off-airport parking and related services, restored the impacted systems within five days and is implementing additional security measures.

Customers have expressed frustration online, particularly regarding the potential misuse of Aeroplan numbers.

Microsoft Sway exploited in massive QR code phishing campaign targeting Microsoft 365 users

A massive QR code phishing campaign exploited Microsoft Sway, a cloud tool for presentations, to trick Microsoft 365 users into revealing their credentials.

Researchers detected a 2,000-fold increase in phishing attacks using Sway to host malicious landing pages. The attacks primarily targeted users in Asia and North America, focusing on technology, manufacturing, and finance sectors.

Emails led victims to phishing pages on sway.cloud.microsoft, encouraging them to scan QR codes that redirected to malicious sites. The use of QR codes on mobile devices, which often have weaker security, increased the success of these attacks.