Welcome to Security Sunday – Week 37, our weekly IT Security Recap (11. 9. — 17. 9. 2023)

We compile noteworthy news incidents and vulnerabilities from the past week, shedding light on the ongoing challenges in maintaining digital security.

MGM casinos completely paralyzed by ransomware attack

The known ransomware gang ALPHV (aka BlackCat) has claimed responsibility for a highly destructive cyber attack on MGM Resorts. The hospitality and entertainment giant has not yet recovered most of the affected systems.

The incident affected MGM’s website, casino and systems used for email, restaurant reservations, hotel bookings and even digital hotel room keys.

Hackers gained initial access to MGM Resorts’ systems through social engineering.

Last year, the security of BetMGM, which is owned by MGM Resorts, was breached, and hackers reportedly stole the information of 1.5 million customers.

It seems that MGM wasn’t the only casino chain to be hit by a cyberattack recently. Caesars Entertainment paid millions of dollars to hackers who breached its systems at the same time as MGM, and was able to resume normal operations. Caesars admitted to the breach in a Thursday filing with the Securities and Exchange Commission, saying that an “outside IT support vendor” was the victim of a “social engineering attack” that resulted in the theft of sensitive data about members of its loyalty program.


Critical GitHub vulnerability exposes more than 4,000 repositories to a Repojacking attack

According to new findings, a vulnerability in GitHub could expose thousands of repositories to repojacking attacks.

Repojacking is a technique in which an attacker takes control of a GitHub repository by exploiting a logic flaw that makes renamed users vulnerable.

Namespaces on GitHub become vulnerable to repojacking when the original username is changed using the “user rename” function. When a GitHub user renames themselves, GitHub does not set up a redirect for their old profile page or Pages, but it does create a redirect for their repositories. Unfortunately, this makes the old username available to anyone else, so once a user is successfully renamed, an attacker can appropriate their old username, open the repository under the appropriate name, and hijack the namespace.

The flaw was discovered by researchers at Checkmarx and, if exploited, could be used to take control of the repository and distribute malicious code.

The bug was reported to Microsoft, as the maintainer of the Github platform, on March 1, 2023 and fixed on September 1, 2023.


Retool blames Google Authenticator MFA cloud sync for security breach

Software company Retool claims that the accounts of 27 cloud service customers were compromised as a result of a targeted and multi-stage social engineering attack. Retool’s development platform is used to create enterprise software by companies ranging from startups to Fortune 500 enterprises, including Amazon, Mercedes-Benz, DoorDash, NBC, Stripe and Lyft.

The breach occurred on August 27 after attackers bypassed several security controls through SMS phishing and social engineering and compromised an IT employee’s account. The attack used a URL masquerading as Retool’s internal identity portal and was launched during a previously announced Okta login migration.

While most employees ignored the phishing text message, one clicked on an embedded phishing link that redirected him to a fake login portal with a multi-factor authentication (MFA) form.

Retool blames the success of the hacking attack on a new feature in Google Authenticator that allows users to sync 2FA codes with their Google account. This feature has been long requested because you can now use Google Authenticator 2FA codes on multiple devices as long as they are all logged into the same account.

However, according to Retool, this feature is also responsible for the severity of the August breach, as it allowed a hacker who successfully extorted an employee’s Google account to gain access to all 2FA codes used for internal services. “With these codes, the attacker gained access to our VPN, and crucially, to our internal admin systems,” Retool said.


Mirai ‘Pandora’ botnet variant attacks Android TVs

A variant of the Mirai Pandora botnet has been identified that targets affordable Android TVs and TV boxes. It uses these devices as part of a botnet to carry out DDoS attacks. Mirai is a type of malware that goes after everyday devices such as smart cameras and home routers. It takes control of them and makes them part of a group of bots that can be controlled remotely.

Mirai is different because it mainly attacks connected smart home devices such as routers, thermostats, baby monitors, and even refrigerators. It does this by targeting the simple Linux operating system that many of these IoT devices run on. Mirai exploits the weaknesses of these smart devices and connects them into a botnet.

Once a device is compromised, a service called “GoMediaService” runs in the background. This service is then used to deploy Pandora.

Affordable Android TV boxes, such as the Tanix TX6 TV Box, MX10 Pro 6K and H96 MAX X3, are the central target of this campaign. These devices are equipped with quad-core processors from Allwinner and Amlogic, making them suitable for DDoS attacks.


Interested in cyber security? Check out other episodes of our weekly Security Sunday series.