By the CyberWire staff
At a glance.
- Shiny Hunters claims to have breached Ticketmaster and Santander through Snowflake accounts.
- London hospitals disrupted by ransomware attack.
- More cyberespionage in the South China Sea region.
- Fog ransomware targets the US education sector.
- Exploit code released for Progress Telerik Report Server vulnerability.
- Hugging Face says Spaces platform was breached.
- CISA adds two vulnerabilities to the KEV catalog.
- Microsoft's Recall criticized for security shortcomings.
- British Columbia continues investigating cyberattack.
- Cryptojacking campaign is exploiting exposed Docker servers.
Shiny Hunters claims to have breached Ticketmaster and Santander through Snowflake accounts.
Ticketmaster's parent company Live Nation confirmed on Friday that it sustained a data breach through a "third-party cloud database environment," BleepingComputer reports. The cybercriminal threat actor Shiny Hunters is selling the data on a hacking forum, claiming to have stolen personal information belonging to 560 million customers.
Shiny Hunters is also selling data allegedly stolen from Santander Bank, the BBC reports. The gang says it has 30 million people’s bank account details, 6 million account numbers and balances, and 28 million credit card numbers.
BleepingComputer, citing a report from cybersecurity firm Hudson Rock, says Shiny Hunters claims to have gained access to the Ticketmaster and Santander data after hacking an employee's account at cloud storage company Snowflake. Snowflake disputed the claim that the breach originated on their end, and Hudson Rock has since taken down its report. Snowflake said in a statement last night that "this appears to be a targeted campaign directed at users with single-factor authentication," and that "we have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform." The company believes the threat actor is using credentials "previously purchased or obtained through infostealing malware." Snowflake says its investigation is ongoing, and WIRED notes that more companies may have been affected.
The Australian Cyber Security Centre on Saturday issued an alert warning of "increased cyber threat activity regarding Snowflake customers."
London hospitals disrupted by ransomware attack.
The UK's National Health Service (NHS) has declared a critical incident after a ransomware attack yesterday disrupted operations at several London hospitals, Sky News reports. The attack appears to have hit Synnovis, a contractor that provides NHS pathology services. The incident has affected King's College Hospital, Guy’s and St Thomas', Royal Brompton and Harefield, and others. The BBC says the attack "has had a major impact on the delivery of services, especially blood transfusions and test results." A senior source told the Health Service Journal that accessing pathology results could take "weeks, not days."
The Qilin ransomware gang was likely responsible for the attack, according to Ciaran Martin, former head of the UK's National Cyber Security Centre (NCSC). Martin told BBC Radio 4, "We believe it is a Russian group of cyber criminals who call themselves Qilin. They're simply looking for money. It's unlikely they would have known that they would have caused such serious primary healthcare disruption when they set out to attack the company."
More cyberespionage in the South China Sea region.
Sophos describes a Chinese state-sponsored cyberespionage operation that targeted a "high-profile government organization in Southeast Asia." Sophos observed three China-linked activity clusters within the government's networks between March 2023 and December 2023, with evidence of additional compromises dating back to early 2022.
The researchers state, "Based on our investigation, Sophos asserts with high confidence the overall goal behind the campaign was to maintain access to the target network for cyberespionage in support of Chinese state interests. This includes accessing critical IT systems, performing reconnaissance of specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control (C2) communications."
Fog ransomware targets the US education sector.
Arctic Wolf is tracking a new ransomware variant called "Fog" that surfaced in early May 2024. The ransomware has been used to target organizations in the education and recreation sectors in the United States. Arctic Wolf states, "In each of the cases investigated, forensic evidence indicated that threat actors were able to access victim environments by leveraging compromised VPN credentials. Notably, the remote access occurred through two separate VPN gateway vendors."
The researchers add, "Considering the short duration between initial intrusion and encryption, the threat actors appear more interested in a quick payout as opposed to exacting a more complex attack involving data exfiltration and a high-profile leak site."
Exploit code released for Progress Telerik Report Server vulnerability.
Tenable warns that exploit code is available for a remote code execution vulnerability affecting unpatched instances of Progress Telerik Report Server. Security researchers from Summoning Team published the code yesterday after chaining together two vulnerabilities to achieve full unauthenticated remote code execution. Tenable explains, "By combining the authentication bypass flaw (CVE-2024-4358) with the previously disclosed insecure deserialization vulnerability (CVE-2024-1800) as part of an exploit chain to create a malicious report, an attacker could execute arbitrary code on a vulnerable Progress Telerik Report Server."
Users are urged to update Telerik Report Server to version 2024 Q1 as soon as possible.
Hugging Face says Spaces platform was breached.
AI development company Hugging Face says it detected unauthorized access to its Spaces platform, leading to "suspicions that a subset of Spaces’ secrets could have been accessed without authorization," TechCrunch reports. The company stated, "As a first step of remediation, we have revoked a number of HF tokens present in those secrets. Users whose tokens have been revoked already received an email notice. We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens which are the new default. We are working with outside cyber security forensic specialists, to investigate the issue as well as review our security policies and procedures."
CISA adds two vulnerabilities to the KEV catalog.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux privilege elevation flaw (CVE-2024-1086) to its Known Exploited Vulnerabilities (KEV) catalog, Ars Technica reports. Federal agencies are required to apply patches by June 20th, 2024.
CISA also highlighted CVE-2024-24919, an information disclosure vulnerability affecting Check Point Security Gateways that could allow "an attacker to access information on Gateways connected to the internet, with IPSec VPN, Remote Access VPN or Mobile Access enabled."
Microsoft's Recall criticized for security shortcomings.
WIRED offers a summary of security concerns associated with Microsoft's upcoming Recall feature. Recall is an AI-powered tool that allows Windows to save snapshots of the screen every five seconds in order to allow users to search through their past activity using natural language. Microsoft insisted that a hacker would need physical access to a device to access this information, but security researcher Kevin Beaumont found that malware can easily exfiltrate the data from a compromised device. Beaumont says he's "deliberately holding back technical details until Microsoft ship the feature as I want to give them time to do something." Additionally, James Forshaw, a researcher with Google's Project Zero, found that a threat actor could access a PC's Recall data without administrative privileges.
Microsoft acknowledged the backlash to the feature, announcing yesterday that Recall will be turned off by default during the setup process of Copilot Plus PCs. Users will need to authenticate with Windows Hello in order to enable it.
British Columbia continues investigating cyberattack.
The Canadian province of British Columbia has disclosed that a suspected state-sponsored cyberattack in April targeted twenty-two email accounts belonging to government employees, the CBC reports. The email inboxes contained sensitive information belonging to nineteen government workers. The province's public safety minister Mike Farnworth said in a press briefing on Monday, "At this time, we have no indication that the general public's information was accessed. We have not identified any misuse of this information or found evidence that the actor accessed specific files."
FBCS discloses data breach.
US debt collection agency Financial Business and Consumer Solutions (FBCS) has disclosed a data breach affecting more than 3.2 million people, Malwarebytes reports. The agency says an unauthorized actor gained access to its network and was able to view "consumer name, address, date of birth, Social Security number, driver’s license number, other state identification number, medical claims information, provider information, and clinical information (including diagnosis/conditions, medications, and other treatment information), and/or health insurance information."
Cryptojacking campaign is exploiting exposed Docker servers.
Trend Micro says a new cryptojacking campaign is exploiting exposed Docker remote API servers using Docker images from the open-source Commando project. The researchers explain, "To gain initial access, the attacker deploys a docker image named cmd.cat/chattr, a harmless docker image. Once deployed, the malicious actor creates a docker container based on this image and uses chroot to break out of the container and gain access to the host operating system. It also uses curl/wget to download the malicious binary into the host."
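The container configuration Trend Micro describes (a container from an unexpected registry that bind-mounts the host root and then uses chroot) is something a defender can check for on a Docker host. The following Python is an added example, not Trend Micro's code: it parses the JSON that `docker inspect` emits (a constructed sample is embedded) and flags containers that are privileged, bind-mount the host root filesystem, share the host PID namespace, or come from a registry outside an assumed allow-list.

```python
import json

# Registries from which images are expected (assumed allow-list).
TRUSTED_REGISTRIES = {"docker.io", "registry.internal.example"}

def registry_of(image):
    """Return the registry an image reference points at; bare names mean Docker Hub."""
    first = image.split("/")[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def host_root_binds(cfg):
    """Return destinations of bind mounts whose source is the host root."""
    return [m.get("Destination") for m in cfg.get("Mounts", [])
            if m.get("Type") == "bind" and m.get("Source") == "/"]

def risk_findings(cfg):
    """List breakout-relevant findings for one `docker inspect` record."""
    findings = []
    host_cfg = cfg.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        findings.append("privileged")
    findings += [f"host-root-bind:{d}" for d in host_root_binds(cfg)]
    if host_cfg.get("PidMode") == "host":
        findings.append("host-pid-namespace")
    image = cfg.get("Config", {}).get("Image", "")
    if registry_of(image) not in TRUSTED_REGISTRIES:
        findings.append(f"untrusted-image:{image}")
    return findings

def scan(inspect_json):
    """Map container name -> findings, omitting containers with none."""
    return {c["Name"]: f for c in json.loads(inspect_json) if (f := risk_findings(c))}

# Constructed sample in the shape of `docker inspect` output: one ordinary
# container and one resembling the cmd.cat/chattr deployment in the report.
SAMPLE = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "PidMode": ""},
     "Config": {"Image": "nginx:1.25"},
     "Mounts": [{"Type": "volume", "Source": "web-data", "Destination": "/data"}]},
    {"Name": "/sharp_fermat", "HostConfig": {"Privileged": True, "PidMode": "host"},
     "Config": {"Image": "cmd.cat/chattr"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hs"}]},
])

if __name__ == "__main__":
    for name, findings in scan(SAMPLE).items():
        print(name, ", ".join(findings))
```

On a live host, the output of `docker inspect $(docker ps -q)` can be passed to `scan` to review running containers the same way.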
Patch news.
The Register warns that a proof-of-concept exploit has been released for a critical remote code execution flaw (CVE-2024-27348) affecting Apache HugeGraph. Apache issued a patch for the vulnerability in April. Users are urged to ensure Apache HugeGraph is updated to version 1.3.0.
Crime and punishment.
The US Federal Bureau of Investigation (FBI) has obtained more than 7,000 LockBit ransomware decryption keys, SecurityWeek reports. LockBit victims can fill out a form with the FBI’s Internet Crime Complaint Center (IC3) to see if they can recover their encrypted data. The keys were recovered as part of an international law enforcement operation against LockBit earlier this year.