850 Wawa Stores Affected by Card-skimming
Nearly every one of Wawa’s 850 stores in the US was found to be infected with payment card-skimming malware for roughly 8 months before the company discovered it. It appears that Wawa only found out about the problem after Visa issued a warning about card fraud at gas pumps that still rely on the less-secure magnetic stripe, and it has since begun offering credit monitoring to anyone affected. In Wawa’s statement, the company mentions skimming occurring from in-store transactions as well, so using a card chip would only have been effective if the malware had been at the device level rather than at the actual transaction point. Nearly a month later, a data dump titled “BIGBADABOOM-III”, containing roughly 30 million payment card records, was discovered for sale on a major dark marketplace. With over 850 individual stores affected, this could very well be one of the largest payment card breaches in recent memory.
Ryuk Adds New Features to Increase Devastation
The latest variant of the devastating Ryuk ransomware has been spotted with a new feature that allows it to turn on devices connected to the infected network. Taking advantage of Wake-on-LAN by grabbing any cached MAC addresses, Ryuk can easily mount additional remote devices to extend its encryption, as long as they have recently been put to sleep. While it is possible to allow such commands only from an administrator’s machine, those machines are the most likely to be compromised, as they have the largest access base. Alongside WoL, Ryuk has displayed the ability to use ARP ping scanning to find hosts with specific IP addresses, which it checks against a list it carries. By doing these extra checks, this variant is able to identify any hosts it can then mount as a network drive and begin encrypting as well.
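Because a Wake-on-LAN magic packet has a fixed, easily recognised layout, a network sensor can flag hosts that send them even though they are not the administrator’s machine the text mentions. The following Python is an added example written for this summary, not code from the article or from any Ryuk analysis: it parses magic packets out of UDP payloads, groups the target MACs by sender, and reports senders that are not on an allowlist. The capture, IP addresses, MAC addresses and allowlist are all constructed for the example.

```python
"""Flag Wake-on-LAN magic packets from hosts that should not be sending them.

A WoL magic packet is six 0xFF bytes followed by the target MAC address
repeated 16 times (102 bytes in total), optionally followed by a 4- or
6-byte SecureOn password. It is normally broadcast to UDP port 9 (or 7).
The packet list below is constructed for this example; in practice the
tuples would come from a packet capture or a network sensor.
"""
from typing import Dict, List, Optional, Set, Tuple

WOL_PORTS = {7, 9}
SYNC_STREAM = b"\xff" * 6


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a magic packet, else None."""
    if len(payload) < 102 or payload[:6] != SYNC_STREAM:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:            # the MAC must repeat exactly 16 times
        return None
    if len(payload) - 102 not in (0, 4, 6):   # only an optional SecureOn password may follow
        return None
    return ":".join(f"{b:02x}" for b in mac)


def sample_magic_packet(mac: str) -> bytes:
    """Build a magic packet for the constructed capture used below."""
    return SYNC_STREAM + bytes.fromhex(mac.replace(":", "")) * 16


# Constructed capture: (source IP, destination UDP port, UDP payload).
SAMPLE_CAPTURE: List[Tuple[str, int, bytes]] = [
    ("10.0.0.5", 9, sample_magic_packet("00:11:22:33:44:55")),   # admin host (allowlisted)
    ("10.0.0.23", 9, sample_magic_packet("00:11:22:33:44:66")),  # workstation waking a peer
    ("10.0.0.23", 9, sample_magic_packet("00:11:22:33:44:77")),  # ... and another one
    ("10.0.0.23", 53, b"\x00" * 40),                             # DNS, not WoL
    ("10.0.0.23", 9, SYNC_STREAM + b"hello"),                    # malformed, ignored
]


def wake_targets_by_sender(packets) -> Dict[str, Set[str]]:
    """Map each sender to the set of MAC addresses it tried to wake."""
    result: Dict[str, Set[str]] = {}
    for src_ip, dst_port, payload in packets:
        if dst_port not in WOL_PORTS:
            continue
        mac = parse_magic_packet(payload)
        if mac is not None:
            result.setdefault(src_ip, set()).add(mac)
    return result


def find_unexpected_wol(packets, allowed_senders: Set[str]) -> List[Tuple[str, str]]:
    """Return (sender, target MAC) pairs for magic packets from non-allowlisted hosts."""
    return [
        (src, mac)
        for src, macs in wake_targets_by_sender(packets).items()
        if src not in allowed_senders
        for mac in sorted(macs)
    ]


if __name__ == "__main__":
    for src, mac in find_unexpected_wol(SAMPLE_CAPTURE, {"10.0.0.5"}):
        print(f"ALERT: {src} sent a Wake-on-LAN magic packet for {mac}")
```

A single workstation waking several peers in quick succession is the pattern worth alerting on; the per-sender grouping makes that count directly available to a rule.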
International Law Enforcement Takes Down Breach Dealer Site
In a combined effort of multiple law enforcement agencies in the US and Europe, two individuals who operated a site that sold login credentials from thousands of data breaches were arrested. Immediately following the arrests, the domain for WeLeakInfo was taken down and all related computers were seized by police, who then promptly put up an official press release and placed multiple seizure notices on the site’s homepage, leaving many of its users confused or wondering if it was a hoax. WeLeakInfo, which boasted access to over 12 billion records, was originally hosted by a Canadian company back in 2016 but quickly moved behind Cloudflare to continue its nefarious dealings privately. While WeLeakInfo claimed to be a leading site for companies to verify whether they had been breached, via the provided “bulk check” search option, simply holding that data and offering a paid subscription to access it is still highly illegal, and it led to a just fate for the site’s owners.
Point-of-Sale Breach Targets US Cannabis Industry
Late last month, researchers discovered a database, owned by THSuite, that appeared to contain data belonging to roughly 30,000 cannabis users in the US. With no authentication required, the researchers were able to find contact information, cannabis purchase receipts including price and quantity, and even scanned copies of employee and government IDs. Even though many of the records were for recreational users, medical patients were also bundled into the breach, which opens up additional investigations over potential HIPAA violations. With a total of over 85,000 unique records in the database, dispensaries as well as customers and patients should be concerned over the exposure of industry-sensitive information that included monthly sales figures, supplier lists, and employee-identifiable data. Unfortunately, it took the efforts of the researchers and Amazon Web Services (AWS) to take down the database, as THSuite was not receptive to any contact about securing it on their end.
Snake Ransomware Slithers Through Networks
A new ransomware variant dubbed ‘Snake’ has been found using a more sophisticated level of obfuscation while targeting an entire network rather than just one machine. In addition, Snake appends 5 random characters to the extension of each encrypted file, directly after the original file type. Finally, the infection also modifies a specific file marker, replacing it with EKANS, or “SNAKE” backwards. A free decryptor hasn’t been released yet, and the malware authors have specified that any decryption will be for the entire network only. By implementing a high level of obfuscation, Snake can quickly shut down many locally running processes used for network or remote management, in order to reduce any attempts to block its travel through the network. In an unusual turn, Snake took significantly longer to encrypt a typical test box than most other ransomware variants in the past, though this is likely because the attacker can trigger the encryption at their leisure rather than going for the most damage possible before being detected.
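The two file-level artefacts described above (the five extra characters after the real extension and the EKANS marker) are what an incident responder would use to triage a file share after an infection. The following Python is an added example written for this summary, not code from the article or from any Snake analysis. It assumes the five characters are concatenated straight onto the extension with no separator, and, because the text does not say where the marker lives, it searches for EKANS only in the last 64 bytes of each file; both are assumptions. The filenames, extension list and file contents are constructed for the example.

```python
"""Triage files for the two Snake artefacts: a five-character suffix after the
real extension, and an "EKANS" marker written into the file.

Each signal alone can false-positive (an odd filename, or the string EKANS
appearing in ordinary data), so a file is only reported as encrypted when
both are present. The marker offset (last 64 bytes) is an assumption, and
every file below is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

KNOWN_EXTENSIONS = ("docx", "xlsx", "pdf", "jpg", "txt", "sql")
MARKER = b"EKANS"
TAIL_BYTES = 64   # assumed region in which the marker is looked for

# "<name>.<known ext><5 alphanumerics>" with nothing in between, e.g. report.docxKq9Zt
_PATTERN = re.compile(r"\.(" + "|".join(KNOWN_EXTENSIONS) + r")([A-Za-z0-9]{5})$")


def looks_like_snake_name(filename: str) -> bool:
    """True when the filename carries five extra characters after a known extension."""
    return _PATTERN.search(filename) is not None


def original_name(filename: str) -> str:
    """Strip the five-character suffix so the file can be matched to its backup."""
    m = _PATTERN.search(filename)
    return filename[:m.start(2)] if m else filename


def has_ekans_marker(data: bytes) -> bool:
    """True when the EKANS marker appears in the (assumed) trailing region."""
    return MARKER in data[-TAIL_BYTES:]


def classify(filename: str, data: bytes) -> str:
    """'encrypted' when both signals agree, 'suspect' for one, 'clean' for neither."""
    name_hit = looks_like_snake_name(filename)
    marker_hit = has_ekans_marker(data)
    if name_hit and marker_hit:
        return "encrypted"
    if name_hit or marker_hit:
        return "suspect"
    return "clean"


# Constructed sample files: name -> content.
SAMPLE_FILES: Dict[str, bytes] = {
    "report.docxKq9Zt": b"\x8a\x13\x9e\x41" * 12 + MARKER,              # both signals
    "budget.xlsx": b"PK\x03\x04" + b"\x00" * 40,                          # untouched
    "notes.txtfiles": b"plain text with an unusual name",                 # name only
    "photo.jpg": b"\xff\xd8\xff" + b"\x00" * 20 + MARKER + b"\x00" * 10,  # marker only
}


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every file in the mapping."""
    return {name: classify(name, data) for name, data in files.items()}


def recovery_list(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """(encrypted name, original name) pairs for files that need restoring from backup."""
    return [(n, original_name(n)) for n, d in files.items() if classify(n, d) == "encrypted"]


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{verdict:9s} {name}")
    for enc, orig in recovery_list(SAMPLE_FILES):
        print(f"restore {orig} (currently {enc})")
```

Keeping the two checks separate and reporting "suspect" for a single hit lets a responder review the borderline cases by hand instead of either missing encrypted files or restoring files that were never touched.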