Saks Fifth Avenue Targeted by Clop Ransomware, Retailer Alleges No Genuine Data Compromised
- Written by Ari Denial, Cybersecurity & Tech Writer
Luxury retailer Saks Fifth Avenue has reportedly been targeted by the Clop ransomware gang, according to a listing on the gang's dark web leak site. However, the company has stated that the attack did not affect any real customer data. The incident is one more example of Clop's ongoing campaign exploiting a vulnerability in GoAnywhere MFT servers belonging to established businesses.
Saks Fifth Avenue is a luxury brand retailer that was founded in 1867 by Andrew Saks and is currently headquartered in New York City. It serves customers in the United States, Canada, and parts of the Middle East and is considered one of the prominent names in the luxury retail industry.
The attack on Saks Fifth Avenue by the Clop ransomware gang is believed to be part of the group's larger campaign against GoAnywhere MFT servers affected by a known security flaw.
The flaw, tracked as CVE-2023-0669, allows the Clop ransomware gang to gain remote code execution on unpatched GoAnywhere MFT instances, particularly those whose administrative console is exposed to the internet.
Fortra, the developer of GoAnywhere MFT, informed its customers that CVE-2023-0669 was being exploited as a zero-day in the wild and urged them to patch their systems. The advisory itself was not made public by Fortra; it was brought to light by investigative journalist Brian Krebs.
According to a spokesperson from Saks Fifth Avenue, “Fortra, a vendor to Saks and many other companies, recently experienced a data security incident that led to mock customer data being taken from a storage location used by Saks.”
The mock customer data taken during the incident does not contain any actual customer or payment card information; it is used solely for testing purposes to simulate customer orders, another spokesperson added.
Saks Fifth Avenue has confirmed that it is conducting an ongoing investigation into the cyber security incident and is working alongside outside experts and law enforcement. The company also stated that it takes information security very seriously and is committed to ensuring the safety of the information it holds.
Upgraded Xenomorph Android Banking Trojan Resurfaces with Greater Potency
- Written by Ari Denial, Cybersecurity & Tech Writer
A recently released version of the Xenomorph Android malware has expanded its capabilities by introducing a sophisticated Automated Transfer System (ATS) framework, along with the ability to steal login credentials for more than 400 financial institutions.
The latest version of the Android banking trojan, which the Hadoken Security Group calls “Xenomorph 3rd generation”, has been found to include advanced features that let malicious actors conduct financial fraud with a high degree of ease and efficiency.
Originally targeting 56 European banks, the first version of the malware used overlay attacks through injection techniques and exploited accessibility services permissions to intercept notifications and steal one-time codes.
According to a report by the Dutch security firm ThreatFabric, the latest version adds a multitude of features to an already multifaceted Android banking malware. The most noteworthy of these is a comprehensive runtime engine, built on top of accessibility services, that enables malicious actors to integrate a complete Automated Transfer System (ATS) framework.
The current version, known as Xenomorph v3, is being spread through the ‘Zombinder’ platform, disguised as a currency converter app on the Google Play Store. Once installed, the malware hides itself behind a Play Protect icon.
As explained by ThreatFabric, Xenomorph v3 is delivered through a Zombinder app paired with a bona fide currency converter application. The malware is then downloaded as an ‘update’ disguised as Google Protect.
The most recent version of Xenomorph is primarily aimed at 400 financial institutions across several countries including the United States, Turkey, Spain, Australia, Poland, Italy, Canada, France, Portugal, UAE, Germany, and India.
As banks gradually shift from SMS-based two-factor authentication (2FA) to authenticator apps, the Xenomorph trojan has added an ATS module that lets it launch the authenticator app and read the codes it generates, thereby circumventing this security measure.
The malware also includes cookie-stealing functionality, which allows threat actors to carry out account takeover attacks.