I’m on vacation, so of course, there’s lots to report on 🤦♂️
While sunning myself in the South of France, Niall and David will hold the Cydea fort at Infosec. We’re sponsoring the Cyber 100 Club at the Novotel (60s from ExCel). Enjoy some hospitality and networking in a more relaxed setting when it all gets a bit much.
This week
ShinyHunters breach Santander, Ticket Master; probably not Snowflake?
- Ticket Master and Santander confirmed data breaches affecting 560 million and 30 million customers, respectively. The ShinyHunters threat group is selling data from both on the dark web: TicketMaster for £400,00 and Santander — allegedly including 6 million account details and balances and 28 million credit card numbers — for a one-time $2 million. Send hugs to the teams at TM and Santander.
- Early on, threat intel outfit Hudson Rock published a blog post suggesting this was a much more significant breach. Hudson Rock said they’d spoken to a member of ShinyHunters, who claimed they’d obtained credentials from a Snowflake staffer and affected many customers of Snowflake, a data-as-a-service cloud provider. If true, many household names — and a handful of security vendors — may have been impacted. That’s a big if, though, and we know that cybercriminals are hardly the most reliable bunch. Snowflake has engaged Mandiant and CrowdStrike and disputes the claims. Meanwhile, Hudson Rock has conspicuously removed its blog post, which now just redirects to its homepage. While much is still unknown at the time of writing, I’d reckon this may turn out to be a common technique used against customers of the same vendor, and that the value of data held in Snowflake’s platform was not commensurate with customer security defaults. A cybercriminal’s dream.
- Snowflake has published some indicators of compromise and hardening guides. It’s not apparent if they’re running them for their customers as part of their IR or if they expect customers to check for themselves. The latter wouldn’t be a great look. If you’re a customer, better safe than sorry: run them. If you’re not, it’s probably still worth looking at the access and authentication controls around your data lakes.
- TICKETMASTER, SANTANDER, SNOWFLAKE, STATEMENT, IOCs & HARDENING
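As an added example (not part of this newsletter, and not Snowflake’s own IOC tooling), here is the kind of check the hardening guidance points at, run over an exported login history: which successful logins relied on a password alone, and which of those accounts are being used from several source addresses. The column names mirror Snowflake’s ACCOUNT_USAGE.LOGIN_HISTORY view but are an assumption here; every row in the sample is constructed, with documentation-range IP addresses.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view.
# Column names are an assumption for this example; every row is made up.
SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-05-20 08:01:12,ALICE,203.0.113.10,SNOWFLAKE_UI,PASSWORD,DUO,YES
2024-05-20 08:05:40,BOB,198.51.100.7,PYTHON_DRIVER,PASSWORD,,YES
2024-05-21 02:13:09,BOB,192.0.2.55,PYTHON_DRIVER,PASSWORD,,YES
2024-05-21 02:14:30,BOB,192.0.2.56,PYTHON_DRIVER,PASSWORD,,NO
2024-05-22 23:59:01,BOB,192.0.2.57,PYTHON_DRIVER,PASSWORD,,YES
2024-05-22 09:00:00,SVC_ETL,203.0.113.20,JDBC_DRIVER,RSA_KEYPAIR,,YES
"""


def parse_login_history(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def password_only_logins(rows):
    """Successful logins that relied on a password with no second factor recorded."""
    return [
        r for r in rows
        if r["IS_SUCCESS"] == "YES"
        and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
        and not r["SECOND_AUTHENTICATION_FACTOR"]
    ]


def summarise_by_user(rows):
    """Per user: password-only successes, distinct source IPs, client types and failures."""
    summary = defaultdict(
        lambda: {"password_only": 0, "ips": set(), "clients": set(), "failures": 0}
    )
    for r in rows:
        s = summary[r["USER_NAME"]]
        if r["IS_SUCCESS"] != "YES":
            s["failures"] += 1
            continue
        s["ips"].add(r["CLIENT_IP"])
        s["clients"].add(r["REPORTED_CLIENT_TYPE"])
    for r in password_only_logins(rows):
        summary[r["USER_NAME"]]["password_only"] += 1
    return dict(summary)


def flag_users(rows, min_ips=3):
    """Accounts worth a closer look: password-only logins spread over min_ips or more addresses."""
    summary = summarise_by_user(rows)
    return sorted(
        user for user, s in summary.items()
        if s["password_only"] > 0 and len(s["ips"]) >= min_ips
    )


if __name__ == "__main__":
    rows = parse_login_history(SAMPLE_LOGIN_HISTORY)
    for user, s in summarise_by_user(rows).items():
        print(f"{user}: password-only={s['password_only']} ips={len(s['ips'])} "
              f"clients={sorted(s['clients'])} failures={s['failures']}")
    print("flagged:", flag_users(rows))
```

The service account authenticating with a key pair and the user with a second factor drop out of the password-only view; what remains is the account that is exposed if its password turns up in an infostealer log. The same summary, joined with the published IOC list of client types and source addresses, is the natural next step.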
Operation Endgame strikes at malware delivery platforms
- An international group of law enforcement agencies has shut down over 100 malware servers in its “largest ever operation against botnets.” Authorities say the servers were used to disseminate a variety of malware droppers, including IcedID, Pikabot, and Trickbot, and are associated with ransomware gangs like BlackBasta, REvil, and Conti. Operation Endgame also saw hundreds of officers seize over 2,000 malicious domains.
- Police arrested four suspects and added eight more individuals to Europol’s ‘most wanted’ list.
- Law enforcement has been having a good time recently, with multiple high-profile takedowns accompanied by a good level of sass. On a website for Operation Endgame, they taunt criminals by saying, “This is Season 1,” before inviting them to “Stay tuned. It sure will be exciting.” LINK, MORE
Interesting stats
0.3% of accounts in a 2017 study sample were responsible for sharing 80% of the misinformation on Twitter. Old Republican women are misinformation “superspreaders”. LINK, PAPER
+24.4% compound annual growth rate projected by CrowdStrike over the next five years… but mostly in new categories rather than new customers. Most large customers now have EDR, and cloud security, identity security, and logging will account for most of the growth. Data from Morgan Stanley. LINK
Other newsy bits / in brief
🤓 Interesting reads:
- Google has written a blog post following its internal review into how it deleted the cloud tenant of an Australian pension company. The TL;DR: an internal tool defaulted to a fixed term, and automatic deletion at the end of it, if a parameter was not set. Oops. POST, MORE
⚠️ Incidents:
- More breaches affecting pharmacies: This one was from October last year at Sav-Rx, a US company affecting 3 million people. Cybercriminals are working their way through the healthcare ecosystem. It’s not just about hospitals any more. LINK
- Auntie has lost her pension details. Over 25,000 current and former BBC employees are affected in this breach, which the Beeb says resulted when records were “copied from an online data storage service”. Sounds like an open S3 bucket. Name, DOB, sex, home address, and national insurance number are affected. LINK
- AI company Hugging Face has disclosed “unauthorised access” to ‘Spaces’, which customers use to host and share AI models. LINK
🕵️ Threat Intel:
- Okta is warning customers that its cross-origin resource sharing (CORS) feature is being targeted by threat actors in credential stuffing attacks. LINK
- Microsoft says a North Korean group called ‘Moonstone Sleet’ is behind a ransomware variant called FakePenny and a fake tank game called “DeTankWar”. LINK
- Cybercriminals are pushing malware-laden Python packages on Stack Overflow to infect victims. LINK
🪲 Vulnerabilities:
- Check Point’s security gateways have a zero-day vulnerability that may have been exploited since the end of April. CVE-2024-24919 (8.6/10) is an information disclosure issue that may allow attackers to steal Active Directory data. LINK, ADVISORY
- TP-Link has fixed a critical RCE bug in its popular C5400X gaming router. CVE-2024-5035 (10/10). LINK, MORE
- CISA adds Linux kernel bug to KEV. CVE-2024-1086 (7.8/10) is a use-after-free bug that can result in remote code execution or privilege escalation. LINK
👮 Law Enforcement:
- US authorities announced that they have dismantled the “world’s largest botnet” used to perpetrate almost $6 billion in Covid insurance fraud. Chinese national YunHe Wang has been arrested, and more than 20 properties and a Ferrari have been seized for operating the “911 S5” botnet. Wang personally amassed a fortune of $99 million through his botnet, which he sold to consumers as a VPN service, but that also contained backdoor components to reroute criminal traffic via its residential proxy network. LINK, BACKGROUND.
🏭 Industry news:
- Senator Ron Wyden says UnitedHealth’s CEO and board of directors should be held accountable for appointing an “unqualified” CISO and the company’s “failure to adopt basic cyber defences”. LINK
- A Sophos survey of managed service providers shows they struggle to stay on top of new security technologies and staff services to meet customer growth and keep abreast of the latest threats. Many small and medium-sized businesses use their IT provider as their security team. LINK
- IBM spinout Kyndryl is facing charges that it discriminated against employees based on age, race, and disability. LINK
- Analygence, a Maryland-based company founded by US military veterans in 2010, has been appointed to help NIST address the backlog of vulnerabilities waiting to be added to the National Vulnerability Database (NVD). It’s part of a five-year, $125 million contract. LINK
And finally
- Researchers managed to crack an 11-year-old password to recover $3 million in Bitcoin because of a flaw in the password manager. LINK