Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12586
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-09-21 16:53:43 | bleepingcomputer | DATA BREACH | Pizza Hut Australia Notifies 193,000 Customers of a Data Breach | Pizza Hut Australia has issued data breach notifications to 193,000 customers following a cyberattack that gave hackers unauthorised access to their personal information. Among the data breached were customer records and online transaction data stored in the Pizza Hut Australia customer database, potentially including partial financial information and encrypted account passwords. Although the company stated that account passwords underwent "one-way encryption", affected customers are advised to update their passwords and stay vigilant for potential phishing attacks and suspicious links sent via unsolicited communications. The company reported that the incident affected only a small number of customers and that the Office of the Australian Information Commissioner (OAIC) has been fully informed about the situation. Separately, the notorious data broker 'ShinyHunters' earlier claimed to have stolen the data of 1 million Pizza Hut Australia customers via an unprotected Amazon Web Services (AWS) endpoint between July and August 2023; however, it is unclear whether the recent breach is related to these allegations. Earlier in 2023, Pizza Hut's parent company, Yum! Brands, was targeted by a ransomware attack that led to the theft of employee information from its networks, but there was no evidence to suggest customer data was impacted in that incident. | Details |
| 2023-09-21 15:58:12 | theregister | MISCELLANEOUS | Cisco Acquires Data Crunching Software Firm Splunk in $28B Cybersecurity Push | Cisco has announced its most expensive acquisition to date, purchasing software firm Splunk for approximately $28 billion. The deal is expected to be finalized by Q3 of 2024. Once completed, Splunk CEO Gary Steele will join Cisco's executive team, reporting directly to Cisco CEO Chuck Robbins. The deal is projected to be cash-flow positive and to add to Cisco's gross margins this year; it is also expected to enhance the company's earnings per share by next year. Cisco plans to incorporate Splunk's analytics into its operations, creating a cybersecurity model geared towards threat prediction and prevention rather than only threat detection and response. The acquisition aims to strengthen Cisco's security analytics and extend its security coverage from devices to applications to clouds. Robbins claims that the merger supports the application of generative AI in transforming industries and creating new opportunities, thereby giving customers visibility into their data. Post-acquisition, the future of Splunk's employees and the Splunk brand remains unclear, with concrete plans expected to be laid out closer to the closing of the deal. Regulatory approvals and shareholder consent may still pose obstacles to the acquisition process. | Details |
| 2023-09-21 14:03:14 | thehackernews | MALWARE | P2PInfect Malware Witnesses 600x Activity Surge, Adopts New Attack Methods | The P2PInfect malware has seen a surge in activity since the end of August 2023, with a 600x jump between the 12th and 19th of September. The proliferation has coincided with the emergence of multiple variants of the malware, suggesting fast-paced development by its creators, and is primarily impacting China, the U.S., Germany, the U.K., Singapore, Hong Kong, and Japan. Initially discovered in July 2023, P2PInfect focused on attacking poorly secured Redis instances, but now also abuses the database's replication feature to deliver the malware. The malware employs a persistence mechanism that leverages a cron job to start the malware every 30 minutes. It also supports a secondary method to retrieve and execute a copy of the malware binary if the binary is deleted or the main process is terminated. The malware has been found to overwrite SSH authorized_keys files with an attacker-controlled SSH key, effectively keeping existing users from logging in over SSH, a step that requires the malware to have root access. The exact goals of the P2PInfect malware are unclear: while the code fetches a crypto miner payload, there is no evidence of cryptomining to date. It is speculated that those behind the botnet may be waiting to roll out additional functionality or are looking to sell access to the botnet. | Details |
| 2023-09-21 11:41:35 | thehackernews | MALWARE | The Threat of Malicious Apps in SaaS Environments | Malicious apps are becoming a growing threat in Software-as-a-Service (SaaS) environments, where employees often integrate them to boost productivity. These apps connect to "hub" apps such as Salesforce, Google Workspace, or Microsoft 365, but unlike legitimate third-party apps, they perform unauthorized activities with the data. The threat lies in the apps' requests for a range of permissions which, once granted, can enable them to read, update, create, and delete content. Threat actors get these apps connected through sophisticated phishing attacks or by publishing them in app stores with malign functionality hidden within. Identifying and mitigating these risks requires SaaS Security Posture Management (SSPM) solutions that provide visibility into the third-party apps connected to hub apps and their respective permissions. Proper security settings, preventive measures such as requiring admin approval for app connections, and SSPMs with AI capabilities can help detect and prevent malicious activity from these apps. Flagging overly broad permission sets, or using AI to detect anomalies that indicate an app's malicious nature, can help secure the SaaS environment. | Details |
| 2023-09-21 11:22:48 | theregister | DATA BREACH | UK Data Watchdog Fines Five Companies for Illegally Phoning TPS-Registered Members | The UK Information Commissioner’s Office (ICO) has fined five businesses a total of £590,000 (~$726,000) for making illegal cold calls in violation of data protection law. The penalized companies are SGS Home Protect, Cover Appliance Ltd, F12 Management, HouseHold Appliance 247, and RHAP, which were found to have made a collective 1.9 million cold calls to individuals registered with the Telephone Preference Service (TPS), without their consent. Since October 2021, the ICO has fined 16 companies a total of £1.45 million for disregarding the Privacy and Electronic Communications Regulations and infringing privacy norms. Two companies, Crown Glazing and Maxen Power Supply, were fined in June for making the majority of the illegal calls. In April, recruitment business Join The Tribe Ltd was fined £130,000 (~$160,000) for sending 107 million spam emails. The ICO continues its crackdown on such practices to protect individuals registered with the TPS from cold callers and unsolicited marketing attempts. | Details |
| 2023-09-21 11:13:13 | theregister | CYBERCRIME | Signal Implements New Key Agreement Protocol to Protect Against Future Quantum Computers | Signal has transitioned from the X3DH key agreement protocol to the new PQXDH, providing additional security against the potential future threat of quantum computers. Quantum computers currently available do not have enough qubits to pose a threat to public-key cryptography, but should a sufficiently powerful quantum computer be developed, it could potentially derive private keys from public ones. Researchers worldwide, including those in countries identified as adversaries by the US, are actively working toward this goal. Most recently, Oded Regev, a computer science professor at New York University, has proposed a new quantum factoring algorithm that may be more efficient than Peter Shor’s algorithm. The US National Institute of Standards and Technology (NIST) has selected four algorithms, including CRYSTALS-Kyber, for its post-quantum cryptographic standard, and private sector firms are starting to implement technology to keep data secure after the expected quantum leap. Signal’s new PQXDH protocol uses both X25519 and CRYSTALS-Kyber and combines the two resulting secrets, so that an attacker would need to break both in order to derive the shared secret key. The Signal client software now supports PQXDH, and the older X3DH protocol will be disabled within a few months, to better protect current and past data against future quantum computers. Further mitigations against the threat of an active quantum computer intercepting and eavesdropping on chat communications are anticipated. | Details |
| 2023-09-21 11:13:13 | theregister | CYBERCRIME | International Criminal Court Hit by Cyber Attack Amid Russia War Crimes Probe | The International Criminal Court (ICC) has experienced a breach of its IT systems, with the cybersecurity attack still ongoing. According to a statement from the ICC, additional security measures are being applied to mitigate the impact. The statement did not provide details on who was behind the attack, how it happened, whether data was stolen, or whether the breach had been fully contained. The ICC has said it is enhancing its cybersecurity framework in response. The ICC is currently investigating alleged war crimes committed by Russia during the invasion of Ukraine. In March, the ICC issued arrest warrants against Russian President Vladimir Putin and Commissioner for Children's Rights Maria Lvova-Belova, related to claims of transporting children from occupied areas of Ukraine to Russia. Security expert Jelle Wieringa stated that the ICC’s holding of criminal case data makes it a “prime target for cyberattacks”, as it offers bad actors the potential to disrupt international criminal justice proceedings. The ICC attack follows a series of recent high-profile ransomware attacks on organizations including the Greater Manchester Police in the UK, the US-Canada International Joint Commission, and two Las Vegas casino and hotel chains. | Details |
| 2023-09-21 11:13:13 | theregister | DATA BREACH | Pizza Hut Australia Suffers Data Breach Impacting 190,000 Customers | Pizza Hut's Australian branch has experienced a data breach exposing the personal details of around 190,000 customers. Information accessed included names, delivery addresses, email addresses, phone numbers, and order histories. The company discovered the breach in early September, quickly secured its systems, and enlisted forensic and cyber security experts to investigate the nature and impact of the breach. This is not the first cyber security issue for the popular pizza chain: its UK and US operations were subject to a ransomware attack in January 2023, its customer loyalty accounts were compromised in 2019, and in 2017 customer credit card numbers were leaked due to a temporary security intrusion. The incident underlines the apparent lack of effective information security measures among fast food chains, with previous breaches reported at chains including KFC, McDonald's South Korea, and White Castle. Pizza Hut now faces potential reputational damage and the need for additional cybersecurity enhancements, reflecting the increasing importance of data protection in the fast food sector. | Details |
| 2023-09-21 11:13:13 | theregister | CYBERCRIME | US Authorities Warn of Rising Snatch Ransomware Threats | The Snatch ransomware crew has claimed the Florida Department of Veterans Affairs as one of its most recent victims. However, in the absence of confirmation from the department, it remains unclear whether any veteran data was actually stolen. Snatch is a ransomware-as-a-service operation known for compromising a variety of critical infrastructure sectors, including defense companies, food and agriculture, and IT firms. The group is notorious for data theft and double-extortion tactics, whereby stolen data is posted on the Snatch extortion blog if ransoms are not paid. The FBI and CISA have issued a joint advisory warning of the expanding threat and describing ways to detect compromise based on Snatch's methods. Snatch affiliates primarily gain access by brute-forcing Remote Desktop Protocol (RDP) deployments to obtain admin credentials, and often buy stolen or leaked RDP credentials to get into organizations' networks. The criminals are known to establish a lasting presence on the network, using various tactics to move laterally and to find and steal information, spending as long as three months on some victim networks. Organizations are advised to closely monitor their use of remote access tools to minimize the risk of a Snatch intrusion. | Details |
| 2023-09-21 11:13:13 | theregister | CYBERCRIME | Major Indian Tech Hubs Identified as Hotspots for Surging Cybercrime Levels | India is facing a significant increase in cybercrime rates, with technology centers such as Bengaluru and Gurgaon recognised as focal points for this criminal activity, according to a report from the Future Crime Research Foundation (FCRF). Despite housing less than 0.2 percent of India's population, Gurgaon district accounted for 8.1 percent of reported cybercrime, which the FCRF attributes to its status as a prominent corporate and IT hub that cybercriminals view as an attractive target. Global tech companies such as Google, Microsoft, IBM India, Accenture, Cognizant, Infosys, and Wipro all have offices in Gurgaon, and disparities in digital literacy and cybersecurity awareness potentially drive criminal activity. Bangalore, known as India's "Silicon Valley" for its multitude of IT companies, has also been identified as an emerging hotspot for cybercrime. The report found that Bharatpur topped the list, accounting for 18 percent of cybercrime across India; limited employment opportunities, a lack of digital literacy, and the presence of major urban centers were noted as contributing factors. The study also revealed that nearly half (47.25 percent) of all reported cybercrimes in India involved Unified Payments Interface (UPI) fraud, while financially motivated crime accounted for 77.41 percent of all incidents. | Details |
| 2023-09-21 11:13:12 | bleepingcomputer | MALWARE | Free Download Manager Releases Script to Check for Malware in Linux Following Supply Chain Attack | Free Download Manager (FDM), a cross-platform download manager, was the target of a supply chain attack that caused some Linux users to be redirected to a malicious site when they tried to download the software. The malicious site installed a Bash information stealer and a backdoor on the users' computers, enabling a reverse shell to the attacker's server. FDM's site was compromised by a Ukrainian hacker group in 2020; the vulnerability was inadvertently fixed during a routine site update in 2022, but the malware remained undetected for three years. FDM has now released a script that can scan Linux systems for the presence of the info-stealing malware. The script identifies whether the malware is installed but does not remove it; users need to remove detected malware manually or use additional security tools. FDM recommends a full system reinstallation as the best course of action for users affected by this security breach. | Details |
| 2023-09-21 11:13:12 | bleepingcomputer | DATA BREACH | TransUnion Dismisses Claims of Security Breach, Attributes Leaked Data to Third-Party | TransUnion, a credit reporting firm, denies claims of a data breach following the leak of data by a threat actor named USDoD. TransUnion's services are used by millions of consumers and more than 65,000 businesses in 30 countries. Upon learning of the alleged breach, TransUnion engaged external cybersecurity and forensic experts to carry out a thorough investigation. The experts found no evidence of a breach of TransUnion's systems, nor any data exfiltrated from its environment. It was determined that the leaked data was likely obtained from another organization's systems, because the data and its formatting are inconsistent with TransUnion's data. USDoD had previously claimed to hold sensitive data on about 59,000 people worldwide taken from TransUnion's systems. The threat actor, USDoD, previously a member of the infamous BreachForums, was also linked to the attempted sale of InfraGard's user database in December 2023 and was seized by US law enforcement in June. InfraGard is an FBI initiative designed for the sharing of intelligence between state and local law enforcement agencies and private sector organizations. | Details |
| 2023-09-21 11:13:12 | bleepingcomputer | DATA BREACH | T-Mobile App Glitch Exposes Customer Information | A glitch in T-Mobile's official mobile application reportedly allowed customers to access other users' account and billing data. Customers claim to have viewed other people's personally identifiable information (PII), including names, phone numbers, account balances, and partial credit card details. The issue was raised on the social media platforms Reddit and Twitter, with some customers noticing the problem two weeks before the influx of reports. The number of people impacted is disputed: while some reports suggest wide-scale exposure, T-Mobile claims that fewer than 100 individuals were affected. According to a company spokesperson, the incident was not the result of a cyberattack or system breach but a temporary glitch linked to a planned system update, and the company has rectified the problem. T-Mobile has experienced a series of data breaches since 2018. In May, T-Mobile disclosed its second data breach of the year, after hundreds of customers' personal information was exposed between late February and March due to a system hack. Prior to that, in January, data belonging to 37 million customers was stolen via a compromised API. | Details |
| 2023-09-21 11:13:12 | bleepingcomputer | MALWARE | P2PInfect Botnet Activity Escalates 600x with More Insidious Malware Strains | The P2PInfect botnet worm has seen a significant surge in activity since late August 2023, with new and improved samples that underscore its continuous evolution. Cado Security researchers report that although the majority of the breaches have impacted systems in China, the U.S., Germany, Singapore, Hong Kong, the U.K., and Japan, the botnet's activity is now global. Observations show a steady rise in the number of the malware's initial access attempts; during the week of September 12-19, 2023, Cado noted a 600x increase in such attempts. The variants have increasingly sophisticated features, such as a cron-based persistence mechanism, communication between the main and secondary payloads via a local server socket, an SSH key used to block legitimate users from logging in over SSH, and an auto-generated password change mechanism to lock users out. Despite attempts to fetch a miner payload, Cado has not observed any actual crypto-mining activity. The final objective of the botnet's operators remains unclear; they could be improving the miner component or seeking subscribers. | Details |
| 2023-09-21 11:11:13 | thehackernews | MALWARE | Ukrainian Hacker Group Suspected in Free Download Manager Site Malware Attack | Free Download Manager (FDM), a popular download manager, has confirmed a security incident from 2020 in which its site was used to distribute malicious Linux software. The breach is thought to have been orchestrated by a Ukrainian hacker group that compromised a specific web page on the FDM site to distribute malware. A small subset of FDM users, specifically those attempting to download FDM for Linux between 2020 and 2022, were potentially exposed to the malicious software. The perpetrators used a vulnerability in a script on the FDM site to modify the download page and redirect visitors to a fake domain hosting the malicious .deb file. The issue remained undetected because the hackers had included an "exception list" of IP addresses, including those associated with Bing and Google, ensuring visitors from these sources were given the correct download link. The vulnerability was inadvertently resolved during a site update in 2022. FDM has now released a shell script that users can run to check for the malware on their systems, but users are required to reinstall the system if the backdoor and information stealer are found. | Details |