Two students discovered a security flaw in over a million internet-connected laundry machines that could allow laundry for free.

CSC ServiceWorks is a company that provides laundry services and air vending solutions for multifamily housing, academic institutions, hospitality, and other commercial sectors. They manage and operate many internet-connected laundry machines and systems, offering services such as coin and card-operated laundry machines, mobile payment solutions, and maintenance support.

Two students, Alexander Sherbrooke and Iakov Taranenko, from UC Santa Cruz discovered a vulnerability impacting over a million internet-connected laundry machines used in residences and college campuses worldwide. A remote attacker can exploit this vulnerability to remotely send commands to the laundry machines, allowing laundry for free. The duo reported the flaw to the vendor earlier this year, but they claim the company has yet to fix it.

“UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko told TechCrunch that the vulnerability they discovered allows anyone to remotely send commands to laundry machines run by CSC and operate laundry cycles for free.” reported TechCrunch.

Sherbrooke explained that he was sitting in his basement laundry room in January when he ran a script from his laptop that instructed the laundry machine to start a cycle despite having no funds in his account. The machine immediately responded with a loud beep and displayed “PUSH START,” indicating it was ready to wash a free load of laundry.

Sherbrooke and Taranenko were also able to add several million dollars to their laundry account which can be managed through the CSC Go mobile app.

The duo sent the company several messages through its online contact form, but the vendor never contacted them. 

Then the two students reported the issue to the CERT Coordination Center at Carnegie Mellon University.

The CERT notified affected vendors that addressed the issue. However, after the researchers reported their findings, CSC quietly reset their account balance of several million dollars.

The vulnerability resides in the API used by CSC’s mobile app, CSC Go. The two students discovered that the app lacks security checks and mutual authentication between the app and the CSC’s servers. The experts also discovered that it is possible to send commands to CSC’s servers that are unavailable through the app itself. 

The access to the API allowed the researchers to enumerate the list of commands supported by CSC’s servers. Another aspect to consider is that it is quite simple for remote attackers to locate laundry machines and send commands to them.

Taranenko was disappointed that CSC did not acknowledge the vulnerability.

“CSC quietly wiped out the researchers’ account balance of several million dollars after they reported their findings, but the researchers said the bug remains unfixed and it’s still possible for users to “freely” give themselves any amount of money.” concludes TechCrunch.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, laundry machines)

A new Grandoreiro banking trojan campaign has been ongoing since March 2024, following the disruption by law enforcement in January.

IBM X-Force warns of a new Grandoreiro banking trojan campaign that has been ongoing since March 2024. Operators behind the Grandoreiro banking trojan have resumed operations following a law enforcement takedown in January.

The recent campaign is targeting over 1,500 banks in more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific. The banking Trojan is likely operated as a Malware-as-a-Service (MaaS).

Grandoreiro is a modular backdoor that supports the following capabilities:

• Keylogging
• Auto-Updation for newer versions and modules
• Web-Injects and restricting access to specific websites
• Command execution
• Manipulating windows
• Guiding the victim’s browser to a certain URL
• C2 Domain Generation via DGA (Domain Generation Algorithm)
• Imitating mouse and keyboard movements

The latest version shows major updates within the string decryption and domain generating algorithm (DGA), it can also use Microsoft Outlook clients on infected hosts to spread further phishing emails.

Traditionally limited to Latin America, Spain, and Portugal, recent Grandoreiro campaigns have expanded their targets to include entities such as Mexico’s Tax Administration Service (SAT), Federal Electricity Commission (CFE), Secretary of Administration and Finance, the Revenue Service of Argentina, and the South African Revenue Service (SARS). The recent campaign demonstrates that operators are expanding the malware’s deployment globally, starting with South Africa.

In each attack observed by the experts, threat actors instructed recipients to click on a link to view an invoice, fee, account statement, or make a payment, depending on the impersonated entity. If the user is in a targeted country (Mexico, Chile, Spain, Costa Rica, Peru, or Argentina), they are redirected to an image of a PDF icon, while a ZIP file is downloaded in the background. These ZIP files contain a large executable disguised as a PDF icon, created the day before or the day of the email being sent.

The loader bloated to a size of more than 100MB to prevent automatic anti-virus scanning. To circumvent automated execution, it displays a small CAPTCHA pop-up imitating Adobe PDF reader, which requires a click to continue with the execution.

The loader prevents the execution in a sandbox by verifying if the client is a legitimate victim, it enumerates basic victim data and sends it back to its C2. Finally the loader downloads, decrypts and executes the Grandoreiro banking trojan.

The malware doesn’t continue execution if the public IP associated with infected systems was from Russia, Czechia, Poland, or the Netherlands. It also prevented infections on Windows 7 machines in the US without antivirus.

The banking Trojan establishes persistence via the Windows registry, then it uses a reworked DGA to connect with a C2 server awaiting further instructions.

“One of Grandoreiro’s most interesting features is its capability to spread by harvesting data from Outlook and using the victim’s account to send out spam emails. There are at least 3 mechanisms implemented in Grandoreiro to harvest and exfiltrate email addresses, with each using a different DGA seed.” states the report. “By using the local Outlook client for spamming, Grandoreiro can spread through infected victim inboxes via email, which likely contributes to the large amount of spam volume observed from Grandoreiro.”

To interact with the local Outlook client, the malware relies on the Outlook Security Manager tool, preventing that the Outlook Object Model Guard triggers security alerts if it detects access on protected objects.

“The updates made to the malware, in addition to the significant increase in banking applications across several nations, indicate that the Grandoreiro distributors are seeking to conduct campaigns and deliver malware on a global scale.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, banking Trojan)

WebTPA, a third-party administrator that provides healthcare management and administrative services, disclosed a data breach.

WebTPA is a third-party administrator that provides healthcare management and administrative services. The US company disclosed a data breach that impacted almost 2.5 million people. According to the report sent by the WebTPA to the U.S. Department of Health and Human Services on May 8, the incident affected 2,429,175 individuals.

According to the notice published by the company, WebTPA acts as an administrative services provider to certain benefit plans and insurance companies whose information was impacted in this incident.

WebTPA discovered suspicious activity on its network on December 28, 2023 and launched an investigation with the help of third-party cybersecurity experts. The investigation revealed that an unauthorized actor may have obtained personal information between April 18 and April 23, 2023.

The company also notified federal law enforcement.

“On December 28, 2023, we detected evidence of suspicious activity on the WebTPA network that prompted us to launch an investigation. Upon detecting the incident, we promptly initiated measures to mitigate the threat and further secure our network.” reads the notice published by the company. “The investigation concluded that the unauthorized actor may have obtained personal information between April 18 and April 23, 2023.”

WebTPA promptly notified benefit plans and insurance companies about the incident and the potential exposure of personal information. They worked diligently to determine the extent of the impacted data and provided this information to the benefit plans and insurance companies on March 25, 2024.

Exposed information may include name, contact information, date of birth, date of death, Social Security number, and insurance information. The exposed data may vary for each individual. The company pointed out that financial account information, credit card numbers, and treatment or diagnostic information were not impacted.

WebTPA is offering individuals two years of complimentary identity monitoring services through Kroll. They have also implemented additional security measures to enhance their network’s security. The company added that it is not aware of any misuse of benefit plan member information due to this incident.

The company recommends the impacted individuals stay vigilant against identity theft or fraud and carefully review credit reports and Explanations of Benefits (EOBs) for suspicious activity.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)