Welcome to Security Sunday – Week 38, our weekly recap of IT security (Sep 18 – Sep 24, 2023).

We’re collecting notable incident and vulnerability reports from the past week.

Hotels warn of scammers: beware of fake Booking.com sites

Cybersecurity specialists have uncovered a new form of attack where hackers are breaking into the systems of hotels and travel agencies to obtain sensitive customer financial information. These cybercriminals have created a sophisticated mechanism that involves creating a fake payment page similar to Booking.com.

This method starts with infecting the internal systems of the hotel or agency, which then allows the attacker to communicate with real clients under the brand name of the compromised company. This makes it easier to convince victims to click on fraudulent links. Although these attacks are more sophisticated and can more easily trick even tech-savvy users, the basic cybersecurity recommendations still apply: verify the authenticity of communications and avoid clicking on unknown links. If you find the link suspicious, it is advisable to contact the hotel directly to verify that it is a legitimate request.

Ethical hackers uncover 38TB of Microsoft data leaked via Azure Storage

Recently, a Microsoft data leak occurred due to improper sharing of open training data on GitHub by a team of AI researchers. Microsoft was quick to respond to this vulnerability, which exposed a staggering 38TB of private data from its AI research department.

The vulnerability was discovered by ethical hackers from security firm Wiz when 22. On June 2023, they discovered a shareable link using Azure Statistical Analysis System tokens. Within two days this token was deactivated and then replaced. The problem was caused by improper handling of Shared Access Signature (SAS) tokens in Azure, which are intended for file sharing.

Thanks to this flaw, hackers were able to access a repository containing disk backups of two former employees and internal communications on the Microsoft Teams platform. A total of 38TB of sensitive information was involved, including passwords, private keys and AI training data.

It is important to stress that no customer data was compromised and no other Microsoft services were compromised. In his blog post, Wiz highlights the need for secure data sharing in an era of widespread AI research and recommends close collaboration between security teams and developers.

Ami Luttwak, co-founder and CTO of Wiz, pointed out that as the use of AI grows, so does the amount of data and it is critical to ensure the security of this process.

Ransomware group BlackCat attacked Azure storage using Sphynx encryptor

Sophos X-Ops staff discovered that BlackCat attackers used a new variant of the Sphynx encryption tool with added support for using custom credentials.

After the attackers gained access to the victim’s account using a stolen one-time password (OTP), they disabled file tampering protection and modified security policies. These actions were made possible by stealing the OTP key from the victim’s LastPass vault using the LastPass Chrome extension.

The attackers then encrypted the Sophos customer’s systems and Azure remote cloud storage and appended the .zk09cvt extension to all locked files. In total, the ransomware operators were able to successfully encrypt 39 Azure storage accounts.

Microsoft also discovered last month that the new Sphynx encryption tool contains the Remcom hacking tool and the Impacket network framework for navigating compromised networks.

You may remember the BlackCat group from last week’s Security Sunday, where we reported on the attack on the MGM Resorts network, which was crippled for 10 days by a BlackCat ransomware attack.

Hackers breached the ICC’s systems last week

The International Criminal Court (ICC) on Tuesday reported on the cyber attack. “Late last week, the ICC’s security services detected an anomaly in network traffic that affected its information systems. Immediate action was taken in response to this cyber security incident and to mitigate its impact.” ICC said.

The ICC also outlined plans to step up efforts to strengthen its cybersecurity defences, including accelerating the deployment of cloud technologies.

There is currently no information available on the extent of the nature of the cyber-attack and its impact on the court’s systems, or whether the perpetrators were able to access or exfiltrate any data or files from its network.

The court merely advised that it was “continuing to analyze and mitigate the impact of this incident” and was focused on “ensuring that the core business of the court continues.”

APT36 hackers infect Android devices with YouTube clones

The hacker group APT36 aka “Transparent Tribe” infects Android devices with YouTube app clones. Once installed on a victim’s device, the CarpaRAT malware can collect data, record audio and video, or access sensitive communications information, essentially acting as a spying tool.

APT36 is a Pakistan-linked group known for using malicious or truncated Android apps to attack Indian defence and government entities and human rights activists in Pakistan.

This latest campaign has been spotted by SentinelLabs, which warns people and organisations associated with the military or diplomacy in India and Pakistan to be wary of YouTube Android apps hosted on third-party sites.

Interested in cyber security? Check out the next episodes of our weekly magazine Safety Sunday Series.