Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.

In a week packed with cybersecurity incidents, threat actors have been busy deploying the open-source Rafel RAT to target Android devices, while major brands like Levi’s grapple with data breaches exposing sensitive information. LockBit claims responsibility for breaching the US Federal Reserve, underscoring ongoing vulnerabilities in critical infrastructure. Meanwhile, a Facebook PrestaShop module exploit has been used to steal credit card details, highlighting the risks of e-commerce platforms. Despite the rise in cyber defenses like multifactor authentication, recent breaches, including the LA County Health Department’s due to push notification fatigue, emphasize that stronger measures are needed. Additionally, a cyberattack has left thousands of car dealerships in North America reeling, disrupting operations and sales.

  • Multiple Threat Actors Deploying Open Source Rafel RAT to Target Android Devices

Multiple threat actors, including cyber espionage groups, are exploiting an open-source Android remote administration tool known as Rafel RAT. The tool, highlighted in a recent analysis by Check Point, is a full-featured toolkit for remote administration and control that enables a range of malicious activities, from data theft to device manipulation. Disguised as popular apps such as Instagram, WhatsApp, and various e-commerce and antivirus apps, Rafel RAT offers extensive features, including wiping SD cards, deleting call logs, siphoning notifications, and even functioning as ransomware. One prominent user of Rafel RAT is the DoNot Team (also known as APT-C-35, Brainworm, and Origami Elephant), which has used it in attacks that exploited a design flaw in Foxit PDF Reader to deliver malicious payloads through military-themed PDF lures. That campaign, which took place in April 2024, is part of a larger trend of approximately 120 different malicious campaigns targeting high-profile entities in countries including Australia, China, Czechia, France, Germany, India, Indonesia, Italy, New Zealand, Pakistan, Romania, Russia, and the U.S.

The majority of victims had Samsung phones, with Xiaomi, Vivo, and Huawei users also significantly affected. Notably, 87.5% of the infected devices were running outdated Android versions lacking security updates. Typical attack chains involve social engineering tactics that manipulate victims into granting intrusive permissions to malware-laden apps, allowing the extraction of sensitive data such as contact information, SMS messages (including 2FA codes), location, call logs, and the list of installed applications.

Rafel RAT primarily utilizes HTTP(S) for command-and-control (C2) communications, with the capability to use Discord APIs to contact threat actors. It also features a PHP-based C2 panel that registered users can leverage to issue commands to compromised devices. The tool’s effectiveness is underscored by its deployment in a ransomware operation conducted by an attacker likely from Iran, who sent a ransom note in Arabic via SMS to a victim in Pakistan, urging contact through Telegram.

Check Point emphasizes that Rafel RAT exemplifies the evolving landscape of Android malware, marked by its open-source nature, extensive feature set, and widespread use across various illicit activities. The prevalence of Rafel RAT underscores the necessity for continuous vigilance and proactive security measures to protect Android devices from malicious exploitation.

  • Levi’s and More Affected in Shocking Week of Data Breaches

Levi’s, the iconic denim brand, revealed a breach impacting over 72,000 customers due to an automated credential stuffing attack on June 13. Cybercriminals accessed Levi’s online accounts, potentially compromising names, email addresses, delivery addresses, order histories, and partial payment details, including the last four digits of card numbers, card types, and expiry dates. Although there is no evidence of misuse, Levi’s assured customers that its systems were not compromised and suggested the attackers obtained credentials from other breaches. Affected customers received password resets and were advised to change passwords on other sites as a precaution.

The situation worsened for debt collector Financial Business and Consumer Solutions (FBCS). Initially, FBCS informed around two million individuals in April about a breach exposing names, social security numbers, birth dates, account information, and ID numbers. However, a recent update to US attorneys general revealed the number of affected individuals increased to approximately 3.2 million. CFO Henry Stoughton disclosed another 200,000 people were impacted, raising the total to 3,435,640. This escalation highlights significant flaws in FBCS’s initial breach assessment and response.

Healthcare breaches continued to be a significant concern, with medical device manufacturer LivaNova disclosing a breach affecting 129,219 individuals. Despite informing state attorneys general more than six months after the October 2023 attack, LivaNova did not mention ransomware. However, the ransomware group LockBit claimed responsibility. Compromised data included names, phone numbers, email addresses, postal addresses, social security numbers, birth dates, health insurance information, and extensive medical data such as treatments, conditions, diagnoses, prescriptions, physician details, medical record numbers, and device serial numbers.

  • LockBit Claims the Hack of US Federal Reserve

In a week of significant US breach disclosures to state attorneys general, the LockBit ransomware group has also announced that it breached the US Federal Reserve and exfiltrated 33 terabytes of sensitive data, claiming to possess “Americans’ banking secrets.” The group listed the Federal Reserve as a victim on its Tor data leak site and threatened to release the stolen data on June 25, 2024. LockBit’s announcement described the Federal Reserve’s role in distributing money across its twelve banking districts, in cities including Boston, New York City, and San Francisco. The group has not released any samples of the stolen data, so the claim remains unverified; it has, however, issued a provocative statement urging the hiring of a new negotiator and criticizing the current one.

In a related development, the FBI has informed victims of LockBit ransomware that it has obtained over 7,000 decryption keys, which can help some victims recover their encrypted data for free. Bryan Vorndran, Assistant Director of the FBI Cyber Division, made the announcement at the 2024 Boston Conference on Cyber Security. He encouraged victims of LockBit ransomware to reach out to the FBI through the Internet Crime Complaint Center (IC3) to potentially reclaim their data and get back online.

This breach and the subsequent FBI intervention highlight the ongoing cyber threat landscape and the critical need for robust cybersecurity measures and timely response strategies to protect sensitive information and infrastructure.

  • Facebook PrestaShop Module Exploited to Steal Credit Cards

Hackers are exploiting a flaw in the PrestaShop module pkfacebook to deploy a card skimmer on vulnerable e-commerce sites, stealing customers’ credit card details. PrestaShop, an open-source e-commerce platform, powers about 300,000 online stores globally. The pkfacebook module, developed by Promokit, enables shop visitors to log in using Facebook, comment on shop pages, and communicate via Messenger. 

The flaw, CVE-2024-36680, is an SQL injection vulnerability in the module’s facebookConnect.php Ajax script, which lets remote attackers inject SQL through crafted HTTP requests. TouchWeb analysts discovered the flaw on March 30, 2024. Promokit claims to have fixed it long ago but has not provided proof. Friends-of-Presta recently published a proof-of-concept exploit for the vulnerability and warned that it is being actively exploited to deploy web skimmers that steal credit card information at scale. Because the developers have not shared an updated release with Friends-of-Presta to confirm the fix, all versions should be treated as potentially affected.

To mitigate risks, Friends-of-Presta recommends:

  1. Upgrading to the latest pkfacebook version, which disables multi query executions.
  2. Ensuring the use of pSQL to avoid Stored XSS vulnerabilities.
  3. Modifying the default “ps_” prefix to a longer, arbitrary one.
  4. Activating the OWASP ModSecurity Core Rule Set 942 (SQL injection) rules on the Web Application Firewall (WAF).

NVD lists versions 1.0.1 and older as vulnerable, with the latest version on Promokit’s site being 1.0.0, leaving the patch status unclear. Hackers target SQL injection flaws to gain administrative privileges, access or modify site data, extract database contents, and hijack emails by rewriting SMTP settings. Approximately two years ago, PrestaShop issued an urgent warning and hotfix for SQL injection vulnerabilities in modules to prevent code execution attacks.
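To make the mitigations concrete, here is an added example (not Promokit’s or Friends-of-Presta’s code) that reproduces the stacked-query pattern behind the SMTP-rewriting attacks described above against a constructed SQLite schema, then applies mitigation 1 (single-statement execution) and mitigation 3 (a non-default table prefix), and finally a parameterised query. The table and column names, the PS_MAIL_SERVER key, the attacker host, and the payload are assumptions for illustration only.

```python
import sqlite3

SMTP_KEY = "PS_MAIL_SERVER"              # assumed configuration key name
ATTACKER_SMTP = "smtp.attacker.invalid"  # where a hijacked shop would send mail


def make_db(prefix="ps_"):
    """Constructed schema loosely modelled on PrestaShop naming (an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {prefix}customer (
            id_customer INTEGER PRIMARY KEY, email TEXT, facebook_id TEXT);
        CREATE TABLE {prefix}configuration (name TEXT PRIMARY KEY, value TEXT);
        INSERT INTO {prefix}customer VALUES (1, 'alice@example.com', 'fb-111');
        INSERT INTO {prefix}configuration VALUES ('{SMTP_KEY}', 'smtp.example.com');
    """)
    return conn


def smtp_server(conn, prefix="ps_"):
    row = conn.execute(f"SELECT value FROM {prefix}configuration WHERE name = ?",
                       (SMTP_KEY,)).fetchone()
    return row[0]


def lookup_unsafe(conn, facebook_id, prefix="ps_", multi_query=True):
    """Vulnerable pattern: untrusted input concatenated into the SQL text.
    multi_query=True emulates a driver that accepts stacked statements;
    False emulates one that executes a single statement only."""
    sql = (f"SELECT id_customer, email FROM {prefix}customer "
           f"WHERE facebook_id = '{facebook_id}'")
    if multi_query:
        conn.executescript(sql)            # runs every statement in the string
        return None
    return conn.execute(sql).fetchall()    # refuses a second statement


def lookup_safe(conn, facebook_id, prefix="ps_"):
    """Hardened: the value is bound as a parameter and cannot alter the query."""
    return conn.execute(f"SELECT id_customer, email FROM {prefix}customer "
                        "WHERE facebook_id = ?", (facebook_id,)).fetchall()


# Stacked-query payload: closes the quote, appends an UPDATE that rewrites the
# shop's mail server, then re-balances the trailing quote with a true clause.
PAYLOAD = (f"' ; UPDATE ps_configuration SET value = '{ATTACKER_SMTP}' "
           f"WHERE name = '{SMTP_KEY}' AND '' = '")


def demo():
    results = {}

    # 1. Concatenation + stacked statements: the mail server is silently rewritten.
    db = make_db()
    lookup_unsafe(db, PAYLOAD)
    results["stacked_rewrites_smtp"] = smtp_server(db) == ATTACKER_SMTP

    # 2. Same concatenation, multi-query disabled (mitigation 1): the driver
    #    rejects the second statement. The query is still injectable through
    #    UNION or boolean tricks, so this only narrows the blast radius.
    db = make_db()
    try:
        lookup_unsafe(db, PAYLOAD, multi_query=False)
        results["single_stmt_blocks_stack"] = False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        results["single_stmt_blocks_stack"] = smtp_server(db) != ATTACKER_SMTP

    # 3. Non-default table prefix (mitigation 3): the blind payload still names
    #    ps_configuration, which no longer exists, so the UPDATE fails.
    db = make_db(prefix="xk9q_")
    try:
        lookup_unsafe(db, PAYLOAD, prefix="xk9q_")
        results["prefix_breaks_blind_payload"] = False
    except sqlite3.OperationalError:
        results["prefix_breaks_blind_payload"] = smtp_server(db, "xk9q_") != ATTACKER_SMTP

    # 4. Parameterised query: the payload is just a string that matches nothing.
    db = make_db()
    results["param_query_safe"] = (lookup_safe(db, PAYLOAD) == []
                                   and smtp_server(db) != ATTACKER_SMTP)
    results["param_query_works"] = lookup_safe(db, "fb-111") == [(1, "alice@example.com")]
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print("PASS" if ok else "FAIL", check)
```

Mitigations 1 and 3 only limit what a still-injectable query can be made to do; binding parameters (or, in PrestaShop, escaping every value through pSQL before it reaches the query) is what removes the injection itself. The WAF rule set in mitigation 4 sits in front of all of this as a detective and blocking layer, not a substitute.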

  • Multifactor Authentication Essential for Protecting Cloud Data

Ticketmaster, Santander Bank, and several other prominent firms have experienced significant data breaches through a large cloud-based service, highlighting the crucial need for robust authentication practices. 

The cybercriminal group UNC5537, possibly linked to ShinyHunters or Scattered Spider, has been aggressively targeting high-profile companies. Over the past month, they stole over 560 million customer records from Ticketmaster and offered them for sale on the hacking forum BreachForums for $500,000. Shortly after, they claimed to have stolen 30 million account records from Santander Bank, demanding $2 million. Both companies have acknowledged the breaches.

The breaches did not result from a vulnerability in the cloud service itself but from compromised customer credentials and insufficient multifactor authentication (MFA) controls. An analysis by Mandiant, the Google-owned incident-response firm, confirmed that every incident traced back to compromised credentials, not to a breach of the cloud provider’s enterprise environment.

MFA adoption is crucial, but many organizations still have gaps: while most employees and administrators use MFA, a significant number of root or administrator accounts do not. The practices that close those gaps include:

  1. Enforcing MFA universally, including on root and administrator accounts, and considering additional measures such as device-based authentication for sensitive infrastructure.
  2. Restricting access with ACLs that limit the authorized source IP addresses; narrowing the reachable address space significantly reduces the attack surface.
  3. Continuously monitoring applications, log data, and access activity, with security platforms that quickly identify and alert on anomalous behaviors such as unusual logins or suspicious application connections, and reviewing access logs daily.
  4. Treating cloud security as a shared responsibility: the customer must implement its own controls. Providers often prioritize usability, which can leave security gaps, so companies should not rely on default settings but should enforce strong controls like MFA from the start.
  5. Reviewing how providers and other third parties use the cloud service, since their access may expose the organization’s data; every service provider with access to that data should follow security best practices.
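The daily log review recommended above, as an added example rather than any vendor’s or Mandiant’s tooling: it scans constructed sign-in events for the two gaps the text singles out, privileged sign-ins that did not complete MFA and sign-ins from outside the organization’s IP allowlist, and reports MFA coverage for privileged accounts. The event format, field names, roles, allowlist ranges, and sample events are all assumptions.

```python
import ipaddress
import json

# Assumed organisation allowlist (RFC 5737 documentation ranges) and the roles
# the advice above singles out as most often left without MFA.
ALLOWLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]
PRIVILEGED_ROLES = {"root", "admin"}

# Constructed sample sign-in events, one JSON object per line.
SAMPLE_LOG = """
{"ts": "2024-06-20T08:02:11Z", "user": "alice",   "role": "analyst", "mfa": true,  "src_ip": "203.0.113.45",   "ok": true}
{"ts": "2024-06-20T08:15:40Z", "user": "svc_etl", "role": "root",    "mfa": false, "src_ip": "203.0.113.9",    "ok": true}
{"ts": "2024-06-20T09:01:02Z", "user": "bob",     "role": "analyst", "mfa": true,  "src_ip": "192.0.2.17",     "ok": true}
{"ts": "2024-06-20T09:03:55Z", "user": "dba",     "role": "admin",   "mfa": false, "src_ip": "192.0.2.17",     "ok": true}
{"ts": "2024-06-20T09:10:00Z", "user": "carol",   "role": "analyst", "mfa": false, "src_ip": "203.0.113.12",   "ok": false}
{"ts": "2024-06-20T09:30:27Z", "user": "eve",     "role": "admin",   "mfa": true,  "src_ip": "198.51.100.200", "ok": true}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_allowlist(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def review(events):
    """Return (finding, user, src_ip) tuples for successful sign-ins that
    either skipped MFA on a privileged role or came from outside the ACL."""
    findings = []
    for e in events:
        if not e["ok"]:
            continue  # failed attempts belong to a separate brute-force check
        if e["role"] in PRIVILEGED_ROLES and not e["mfa"]:
            findings.append(("PRIVILEGED_NO_MFA", e["user"], e["src_ip"]))
        if not in_allowlist(e["src_ip"]):
            findings.append(("OUTSIDE_ALLOWLIST", e["user"], e["src_ip"]))
    return findings


def mfa_coverage(events):
    """Fraction of successful privileged sign-ins that completed MFA."""
    priv = [e for e in events if e["ok"] and e["role"] in PRIVILEGED_ROLES]
    return sum(e["mfa"] for e in priv) / len(priv) if priv else 1.0


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for finding in review(evts):
        print(*finding)
    print(f"privileged MFA coverage: {mfa_coverage(evts):.0%}")
```

Note that 198.51.100.200 falls outside the 198.51.100.0/25 entry, so it is reported even though it sits in the same /24; an allowlist is only as good as its masks. In practice the event source would be the provider’s sign-in or audit log and the allowlist the same ACL enforced at the service.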

To mitigate such risks, businesses must prioritize security measures, including universal MFA adoption, strict access control policies, and continuous monitoring of cloud services. They should also ensure third-party providers adhere to stringent security standards. These steps are crucial in protecting sensitive data and maintaining robust cybersecurity in today’s complex threat landscape.

  • Push Notification Fatigue Leads to LA County Health Department Data Breach

The Los Angeles County Department of Health Services (DHS) recently disclosed a data breach resulting from an employee falling victim to a push notification spamming attack. This technique, also known as push notification fatigue, targets multi-factor authentication (MFA) systems that rely on push notifications sent to users’ devices.

In this incident, attackers bombarded the employee’s device with MFA push notifications, leading the user to mistakenly approve a login attempt, thinking it was a glitch. This allowed the attacker to bypass MFA safeguards and gain access to the employee’s Microsoft 365 account.
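The attack pattern just described is visible in authentication logs before the approval happens, as this added example shows (it is not LA County DHS’s tooling; the log format, sample lines, window and threshold are constructed assumptions). It counts push prompts per user inside a sliding window, raises a PUSH_FLOOD alert when the count becomes abnormal, and raises a FATIGUE_APPROVAL alert if the user then approves a prompt while still inside that flood.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back for counting prompts (assumption)
MAX_PUSHES = 5                   # more prompts than this in WINDOW is abnormal

# Constructed sample log: timestamp, user, event, source IP of the sign-in.
SAMPLE_LOG = """\
2024-06-18T02:14:03Z alice push_sent 192.0.2.88
2024-06-18T02:14:20Z alice push_denied 192.0.2.88
2024-06-18T02:14:31Z alice push_sent 192.0.2.88
2024-06-18T02:14:50Z alice push_timeout 192.0.2.88
2024-06-18T02:15:02Z alice push_sent 192.0.2.88
2024-06-18T02:15:40Z alice push_sent 192.0.2.88
2024-06-18T02:16:11Z alice push_sent 192.0.2.88
2024-06-18T02:16:50Z alice push_sent 192.0.2.88
2024-06-18T02:17:25Z alice push_sent 192.0.2.88
2024-06-18T02:17:40Z alice push_approved 192.0.2.88
2024-06-18T08:00:00Z bob push_sent 203.0.113.5
2024-06-18T08:00:09Z bob push_approved 203.0.113.5
"""


def parse(text):
    """Return (timestamp, user, event, src_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, src_ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, src_ip))
    return events


def detect_push_bombing(events):
    recent = defaultdict(deque)   # user -> timestamps of prompts inside WINDOW
    alerts = []
    for ts, user, event, src_ip in sorted(events):
        prompts = recent[user]
        while prompts and ts - prompts[0] > WINDOW:   # expire old prompts
            prompts.popleft()
        if event == "push_sent":
            prompts.append(ts)
            if len(prompts) == MAX_PUSHES + 1:         # fire once per flood
                alerts.append({"type": "PUSH_FLOOD", "user": user,
                               "count": len(prompts), "ts": ts, "src_ip": src_ip})
        elif event == "push_approved" and len(prompts) > MAX_PUSHES:
            # The user accepted a prompt while being flooded: treat the
            # resulting session as attacker-controlled.
            alerts.append({"type": "FATIGUE_APPROVAL", "user": user,
                           "count": len(prompts), "ts": ts, "src_ip": src_ip})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse(SAMPLE_LOG)):
        print(alert["type"], alert["user"], alert["count"], alert["src_ip"], alert["ts"])
```

A PUSH_FLOOD alert is the moment to contact the user and block the source; a FATIGUE_APPROVAL alert means the session is already in the attacker’s hands and the steps DHS took (disable the account, reset credentials, reimage) apply. Authenticators that require number matching instead of a plain approve button remove the “accept to make it stop” reflex this attack relies on.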

The DHS has informed potentially impacted individuals that the breach may have exposed their personal information, including names, dates of birth, home addresses, phone numbers, email addresses, government IDs, Social Security numbers, health insurance details, and medical information. Upon discovering the breach, DHS acted quickly to mitigate the damage. They disabled the compromised email account, reset and reimaged the affected device(s), blocked identified phishing websites, and quarantined suspicious incoming emails. Additionally, the health agency is offering one year of free identity monitoring services to those potentially affected.

The number of individuals impacted by this latest breach remains unclear. It is also uncertain if this incident is related to a previous breach disclosed by LA County DHS in April 2024, which occurred between February 19 and 20. In that breach, hackers accessed the email accounts of 23 DHS employees, compromising the personal information of 6,085 individuals. The Department of Public Health (DPH) and Department of Mental Health were also affected by the earlier incident.

  • Absolute Nightmare: Cyberattack Leaves Thousands of Car Dealers in Turmoil

A recent cyberattack has severely disrupted operations at thousands of car dealerships across North America, crippling sales and creating chaos.

The attack targeted CDK Global, a key provider of software services essential for car sales and dealership management. As a result, CDK’s systems have been offline for several days, affecting over 15,000 auto dealerships in Canada and the United States.

“The day-to-day is an absolute nightmare,” said Brian Matsumoto, a local car sales manager. “CDK is our main database tool, and all of our information filters through it,” he added. Matsumoto explained that the system handles critical tasks such as finalizing deals, generating bills of sale, and processing necessary legal documents.

The disruption is significantly slowing down transactions and deterring potential customers from making purchases. “What used to take ten to fifteen minutes is now taking upwards of over an hour,” Matsumoto noted. “Customers are getting scared off; they’re used to digitized copies, and this creates a huge insecurity for them.” CDK Global initially fell victim to the cyberattack on Tuesday, according to cybersecurity news site Bleeping Computer. By Wednesday, a company spokesperson confirmed they were “actively investigating a cyber incident” and decided to shut down all systems as a precautionary measure. The situation escalated further when another cyber incident occurred later on Wednesday evening. As of Friday morning, a recorded message on CDK’s customer hotline stated, “We do not have an estimated timeframe for resolution,” indicating that dealer systems could remain unavailable “for several days.”

The identity of the attackers remains unknown. However, Bloomberg News reported on Friday that a group believed to be based in Eastern Europe is claiming responsibility. The group is reportedly demanding millions of dollars in ransom to halt the ongoing hack.
