Breach Update: Microsoft and Cloudflare Take Down RaccoonO365


Colt Services Faces Ongoing Outages; Finland Charges U.S. National in Vastaamo Hack


Each week, Information Security Media Group compiles cybersecurity incidents worldwide. Recently, Microsoft dealt a significant blow to RaccoonO365, outages at Colt Technology Services continue, and a U.S. citizen has been charged in the Vastaamo psychotherapy center hack. In addition, AI is being leveraged by the RevengeHotels group, while Meta faces legal setbacks related to privacy violations. Recent data breaches have also impacted Prosper and major luxury fashion brands.


Microsoft and Cloudflare Disrupt RaccoonO365 Operations

Microsoft’s enforcement actions against RaccoonO365, a phishing-as-a-service operation, resulted in the seizure of 338 web domains through a federal court order. This platform had reportedly facilitated the theft of over 5,000 Microsoft credentials from users in 94 countries since its emergence in July 2024.

Microsoft, together with Health-ISAC, brought legal action against the platform’s operators. The group’s leader, identified as Joshua Ogundipe from Nigeria, allegedly caused Microsoft financial losses exceeding $650,000. The investigation revealed that the operation also sold subscriptions through Telegram.

Cloudflare, which contributed to the domain seizures, noted that the operators used advanced tactics to evade detection, including offering their customers features designed to keep phishing infrastructure from being detected. Notably, the platform was known for impersonating trusted brands to collect sensitive information, enabling subsequent malware and ransomware attacks.

Colt Technology Services Endures Extended Service Disruptions

Colt Technology Services continues to face major operational challenges due to a cyber incident that began in mid-August. The company acknowledged the compromise of internal systems but assured customers that customer infrastructure remains secure, despite the claims of the WarLock ransomware group, which says it stole approximately one million internal documents.

Security experts have verified the legitimacy of the leaked data and identified a possible attack vector linked to vulnerabilities in Microsoft SharePoint. Colt aims to restore its core operations over the next 8 to 10 weeks while managing the aftermath of the incident.

American Charged in Vastaamo Cyberattack

In a development related to the infamous Vastaamo psychotherapy center breach, Finnish authorities have charged U.S. national Daniel Lee Newhard with aiding and abetting attempted aggravated extortion. Newhard denies the charges, which follow closely on the heels of a conviction against the primary suspect in the hacking case.

Prosecutors said that Newhard’s case centers on the extortion of Vastaamo itself and does not extend to the extortion of its patients. Evidence points to his possible involvement through a server used in the attack, with connectivity logs indicating a link to his residence in Estonia.

AI-Enhanced Attacks by RevengeHotels Target Hospitality Sector

Kaspersky researchers report that the hacking group RevengeHotels, operational since 2015, is leveraging artificial intelligence to augment its cyberattacks on hotels. Their methods include phishing emails designed to deceive hotel staff into opening malicious attachments, ultimately deploying the VenomRAT Trojan to access sensitive systems.

The evolving sophistication of the group’s malware, possibly generated with large language models, highlights the increasing integration of AI into cybercrime. The attacks primarily target hotels in Brazil but are also extending to Mexico, Argentina and Europe.

Meta’s Legal Setback Over Health Data Privacy Violations

A federal judge in San Francisco has upheld a jury’s verdict holding Meta accountable for the illicit collection of reproductive health data via the Flo app. The decision underscores the importance of user consent in data collection practices, especially under California’s stringent privacy laws.

The judge dismissed Meta’s arguments for a retrial, emphasizing that the evidence demonstrated direct acquisition of user data in real time, countering the company’s claims about the legality of its data handling methods.

TA415 Group Launches Spear-Phishing Campaigns Against U.S. Entities

The China-linked threat group TA415 has escalated its spear-phishing efforts against U.S. government bodies and academic institutions focused on U.S.-China relations. By impersonating respected organizations, TA415 aims to lure targets into executing malicious files.

The emails carry password-protected attachments that deploy a backdoor giving persistent access to compromised systems, enabling data exfiltration and remote command execution.
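Password-protected archives are a recurring phishing lure because the encrypted payload defeats content scanning. The following is an added example, not code from this article, from ISMG or from any TA415 research, of a gateway-side check a defender can run without extracting anything: it relies on the fact that the ZIP central directory stores entry names and the encryption flag in clear text even when the file contents are encrypted. The function names, the executable-suffix list and the in-memory sample archives are all assumptions constructed for illustration.

```python
import io
import zipfile

# Suffixes a mail gateway would typically treat as executable content
# (hypothetical policy list, not from the article).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".lnk", ".js", ".vbs", ".hta", ".ps1", ".dll")


def inspect_zip_attachment(data: bytes) -> dict:
    """Return a verdict for a ZIP attachment without extracting it.

    The central directory keeps every entry name and its general-purpose
    bit flag unencrypted, so a password-protected archive still reveals
    whether it is encrypted and what kinds of files it carries.
    """
    result = {"is_zip": False, "encrypted_entries": [], "executable_entries": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP at all; other scanners handle it
    result["is_zip"] = True
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # bit 0 of the flag = entry payload is encrypted
            result["encrypted_entries"].append(info.filename)
        if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
            result["executable_entries"].append(info.filename)
    return result


def should_quarantine(verdict: dict) -> bool:
    """Hypothetical policy: hold ZIPs that are password-protected or carry executables."""
    return verdict["is_zip"] and bool(
        verdict["encrypted_entries"] or verdict["executable_entries"]
    )


def build_sample_zip(names, encrypted: bool) -> bytes:
    """Construct a sample archive in memory (constructed test data).

    zipfile cannot write encrypted archives, so for the encrypted case the
    general-purpose flag bit 0 is set by hand in every local file header
    (signature PK\\x03\\x04, flags at offset 6) and central directory entry
    (signature PK\\x01\\x02, flags at offset 8). Only the metadata matters
    here, because inspect_zip_attachment never reads entry payloads.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"sample bytes")
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= 0x1
                pos = raw.find(sig, pos + 1)
    return bytes(raw)


if __name__ == "__main__":
    lure = build_sample_zip(["invoice.pdf.exe"], encrypted=True)
    print(inspect_zip_attachment(lure), should_quarantine(inspect_zip_attachment(lure)))
    clean = build_sample_zip(["report.pdf"], encrypted=False)
    print(inspect_zip_attachment(clean), should_quarantine(inspect_zip_attachment(clean)))
```

The check deliberately stops at metadata: it never asks for a password and never decompresses anything, so it is safe to run inline at a mail gateway and still catches the two signals that matter for this lure, an encrypted payload and an executable entry name.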

Prosper Reports Customer Data Breach

Prosper, a peer-to-peer lending platform, has confirmed that its databases were breached, leading to unauthorized access to sensitive customer information. The attack, identified on September 1, involved unauthorized queries against databases containing proprietary data.

While the extent of the compromised information is still being assessed, Prosper has reassured customers that its operations remain uninterrupted and that customer accounts do not appear to have been directly accessed.

Major Fashion Brands Suffer Data Breach

The luxury fashion brands Gucci, Alexander McQueen, and Balenciaga recently experienced a significant data breach affecting approximately 7.4 million customer email addresses, attributed to the ShinyHunters hacking group. The attack reportedly occurred through their parent company Kering.

Kering confirmed that while limited customer data was accessed, no financial or sensitive personal information was compromised. The group has publicly claimed responsibility for the intrusion and has demanded a ransom, underscoring the pervasive risks facing the retail sector.

Report compiled by Information Security Media Group’s Gregory Sirico in New Jersey and Mathew Schwartz in Scotland.
