April cyber news round-up

Our threat intelligence team is always on the lookout for wider cyber events that could impact our clients. Below is our April recap of recent stories that have hit the headlines.

1. Ransomware gangs contact victims’ customers as pressure tactic

Some of the top ransomware gangs are deploying a new tactic to pressure victim organizations into paying an extortion demand – they’ve begun emailing the victim’s customers and partners directly, warning that their data will be leaked to the dark web unless they can convince the victim firm to pay up.

KrebsOnSecurity reported that the Clop ransomware group sent one such email to a customer of RaceTrac Petroleum, an Atlanta company that operates more than 650 retail gasoline convenience stores in 12 states. RaceTrac was impacted by the recently reported Accellion security incident, which also affected dozens of other major companies including oil giant Shell and security firm Qualys.

Clop is one of several ransom gangs that will demand two ransoms: one for a digital key needed to unlock computers and data from file encryption, and a second to avoid having stolen data published or sold online.

2. 30 million Americans affected by Astoria Company data breach

Data from Astoria Company’s data breach in January 2021 has now been added to Have I Been Pwned, and analysis of the database shows 30 million Americans may be affected.

In late January 2021, a dump of a 300 million user database from Astoria Company was found being sold on the Dark0de market.

The exposed data included names, email addresses and phone numbers, but other data types exposed in the leak included social security numbers, full bank account information, and medical history. The leaked data contained email transaction logs showing sensitive user information being transferred unencrypted.

3. Android malware with a range of spying capabilities discovered

New malware has been discovered on Android devices which has extensive spyware and data-stealing capabilities and is designed to automatically trigger whenever new info is ready for exfiltration.

The malware lacks a method to infect other Android devices on its own, but the remote access trojan (RAT) has an extensive range of data theft capabilities. Some of these include stealing instant messenger messages, recording audio and phone calls, periodically taking pictures, stealing images and videos and exfiltrating device information.

Once installed on an Android device, the malware will display fake "Searching for update..." system update notifications when it receives new commands to camouflage its malicious activity and conceals its presence on infected Android devices by hiding the icon from the menu.

4. Booking.com fined $560,000 for GDPR violation

Travel services website Booking.com has been fined €475,000 (around $560,000) under General Data Protection Regulation (GDPR) laws after failing to report a data breach within the required timeframe.

The Netherlands-based company suffered a data leak back in 2018 when the personal and financial details of more than 4,100 customers were exposed online. Threat actors targeted hotels in the United Arab Emirates through phishing phone calls to gain the Booking.com login details of 40 employees which enabled the fraudsters to access to the system. They then stole the data of thousands of users, including the credit card details of 283 customers – 97 of whom also had their card security number stolen.

Booking.com discovered the breach on January 13, 2019 but reported the incident to regulators on February 7, 2019, failing to meet GDPR requirements to report all breaches within 72 hours of discovery. The Dutch Data Protection Authority imposed the fine, after calling the incident a “serious violation” of the EU’s data protection regulation.

Want to learn more about CFC’s cyber policy? Visit our product page or check out our other great cyber-related resources.