Thursday 20th June 2024

Good morning everyone, thank you for joining me for the latest installment of Cyber Daily! Today's edition is all about digital intrigue and international cooperation. From the latest cybercrime busts in Southeast Asia to crucial updates on software vulnerabilities, we've got the stories that matter. Here’s what you need to know:

  • Mailcow in Hot Water: Discover how two moderate-severity vulnerabilities could spell trouble for your favorite open-source mail server.
  • Singapore Strikes Back: Read about the impressive collaboration between Singapore, Hong Kong, and Malaysia that led to the dismantling of a major cybercrime syndicate.
  • Amtrak's Data Breach: Find out how Amtrak's Guest Rewards accounts were compromised and what steps you need to take to protect your own information.

Stay tuned, stay informed, and as always, keep your digital world secure.


Mailcow Open-Source Mail Server Exposed to Critical Vulnerabilities


Two newly disclosed vulnerabilities in the Mailcow open-source mail server suite pose a significant risk, potentially allowing malicious actors to execute arbitrary code on affected instances.

The issues, affecting all versions before 2024-04, were responsibly disclosed by SonarSource on March 22, 2024, and addressed in the version released on April 4, 2024. Both flaws, rated as moderate in severity, can be exploited for significant damage:

  • CVE-2024-30270 (CVSS score: 6.7): This path traversal vulnerability in the "rspamd_maps()" function allows threat actors to overwrite files modifiable by the "www-data" user, potentially leading to arbitrary command execution on the server.
  • CVE-2024-31204 (CVSS score: 6.8): This cross-site scripting (XSS) vulnerability affects the exception handling mechanism when not operating in DEV_MODE. The flaw lets attackers inject malicious scripts into the admin panel, hijacking sessions and enabling privileged actions.

Combining these flaws could allow attackers to gain full control of a Mailcow server, access sensitive data, and execute commands. For example, an attacker could send an HTML email with a CSS background image linked to a remote URL, triggering an XSS payload when an admin user views the email while logged into the admin panel.

SonarSource researcher Paul Gerste emphasised the risk: "An attacker can execute arbitrary code on the admin panel server of a vulnerable Mailcow instance if an admin user views a malicious email while logged into the admin panel, without needing to click any links or interact further."

Ensure your Mailcow instance is updated to the latest version to mitigate these vulnerabilities.
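
A containment check of the kind that guards against the path traversal described for CVE-2024-30270, shown as an added example that is not Mailcow's code or its actual fix. The function names, the `.map` naming pattern and the directory layout are assumptions for illustration, and the inputs are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Hypothetical allowlist pattern for map file names (assumption, not Mailcow's).
MAP_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.map")

class UnsafeMapName(ValueError):
    """Raised when a requested map name would escape the maps directory."""

def safe_map_path(maps_dir: Path, name: str) -> Path:
    """Return the resolved path for `name` inside `maps_dir`, or raise."""
    # 1. Syntactic check: a bare file name only, no separators or dot segments.
    if not MAP_NAME_RE.fullmatch(name):
        raise UnsafeMapName(f"rejected map name: {name!r}")
    base = maps_dir.resolve()
    # 2. Semantic check: resolve symlinks and confirm containment, so a
    #    symlink planted inside the directory cannot redirect the write.
    target = (base / name).resolve()
    if target.parent != base:
        raise UnsafeMapName(f"path escapes maps directory: {name!r}")
    return target

def write_map(maps_dir: Path, name: str, content: str) -> Path:
    """Write map content only after the destination passes both checks."""
    target = safe_map_path(maps_dir, name)
    target.write_text(content, encoding="utf-8")
    return target

def demo() -> dict:
    """Run constructed inputs through the check; True means accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        maps_dir = Path(tmp) / "maps"
        maps_dir.mkdir()
        # A symlink inside the maps directory pointing outside it (constructed).
        outside = Path(tmp) / "outside.txt"
        outside.write_text("original")
        os.symlink(outside, maps_dir / "link.map")
        for name in ["spam_words.map", "../outside.txt", "/etc/passwd", "link.map"]:
            try:
                write_map(maps_dir, name, "example.com\n")
                results[name] = True
            except UnsafeMapName:
                results[name] = False
        results["outside_intact"] = outside.read_text() == "original"
    return results
```

Running the web-facing process with write access only to the directories it genuinely needs limits what a missed check of this kind can overwrite.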


Singapore Police Strike Major Blow Against Cybercrime Syndicate


Singaporean authorities scored a significant victory with the arrests of two men accused of operating servers that facilitated cybercrimes against Singaporeans, leading to the dismantling of their criminal infrastructure.

In 2023, almost 2,000 victims in Singapore were affected by malicious Android applications that allowed scammers to steal sensitive device data, including bank information, according to a statement from the Singapore police.

A collaborative analysis of the malware by cybersecurity officials from Singapore, Hong Kong, and Malaysia led to tracking the entire organisation behind the attacks. This network included a syndicate running a fraudulent customer service center in Taiwan.

"In addition, the HKPF (Hong Kong Police Force) successfully took down 52 malware-controlling servers in Hong Kong and arrested 14 money mules who had allegedly facilitated the malware-enabled scam cases by relinquishing the use of their bank accounts to the scammers for monetary reward," the Singapore police noted.

The arrested individuals include a 26-year-old man who faces up to seven years in prison. The other, a 47-year-old man, will stand trial for the same crimes, with an additional charge carrying up to 10 years in prison, police said.

This operation underscores the importance of cybersecurity vigilance and international cooperation in combating digital threats.

Amtrak Discloses Data Breach Impacting Guest Rewards Accounts


Amtrak has reported a data breach affecting its Guest Rewards accounts, compromising travelers' personal information. The breach occurred between May 15 and 18, during which an unknown third party gained unauthorised access using previously compromised usernames and passwords, though Amtrak's systems were not directly hacked.

The accessed information includes a wealth of data valuable for social engineering:

  • Names
  • Contact details
  • Amtrak Guest Rewards account numbers
  • Dates of birth
  • Partial credit card numbers and expiration dates
  • Gift card numbers and PINs
  • Transaction and trip information

In some instances, hackers took over accounts, changing emails and passwords to lock out legitimate users. Amtrak has since reversed these changes and reset account passwords.

While the exact number of affected users remains undisclosed, Amtrak urges all riders to change their passwords and enable multifactor authentication to prevent future breaches.

"Threat actors have realised the high rewards of stealing from travel loyalty programs, which can easily be sold on the Dark Web or converted to tickets that they later sell," said Stuart Wells, CTO of Jumio. This breach is not Amtrak's first; a similar incident occurred in 2020, emphasising the need for improved security measures.

To better protect consumer accounts, businesses are encouraged to adopt advanced verification technologies. "Implementing a robust identity verification system is crucial to effectively combat fraud in all forms," Wells added. Biometric verification methods, in particular, can prevent unauthorised access by requiring more than just credentials.

Rotate your passwords regularly and enable multifactor authentication to enhance account security.


Gurleen Kaur

Founder: News With Gurleen | Geopolitics and international relations journalist | research

8 months

Hey sir! I was wanting to get some ideas on a major diplomatic data breach or maybe an international data breach. How is a country losing its data? Do you have any topic in mind on it? Because you’re into cybersecurity, it’d be of great help to know from you.
