CISA's calls for a JCDC makeover.

CSAC recommends key changes to the Joint Cyber Defense Collaborative. Cloud vendor Snowflake says single-factor authentication is to blame in their recent breach. Publishers sue Google over pirated ebooks. The FBI shares LockBit decryption keys. V3B is a phishing as a service campaign targeting banking customers. Commando Cat targets Docker servers to deploy crypto miners. Our guest is Danny Allan, Snyk's CTO, discussing how in the rush to implement GenAI, some companies are bypassing best practices and security policies. Club Penguin fans stumble upon a cache of secrets in the house of mouse.

Today is Thursday June 6th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CSAC recommends key changes to the Joint Cyber Defense Collaborative. 

Yesterday, The U.S. Cybersecurity and Infrastructure Security Agency (CISA) convened its second quarter 2024 Cybersecurity Advisory Committee (CSAC) meeting, and recommended key changes to the Joint Cyber Defense Collaborative (JCDC) to address member complaints about mismanagement and inefficiency. The JCDC, launched by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021, allows private companies to share threat information with the government. The CSAC’s recommendations include refining the JCDC’s goals, membership criteria, and operations.

In February, some JCDC members criticized the initiative for slow responses and insufficient technical expertise. The JCDC includes over 300 organizations, such as Google, Microsoft, and Amazon. The CSAC met at West Point, New York, and unanimously approved three recommendations:

1 - Focus JCDC activities on operational collaboration and incident response, rather than policy.

2 - Establish clear membership criteria and provide information on membership requirements within 60 days. Members also requested a physical space for collaboration.

3 - Develop better coordination structures for identifying appropriate partners and responding to active and future threats.

CISA Director Jen Easterly acknowledged the challenges of the JCDC, emphasizing the need for companies to collaborate and share information despite being competitors. She expressed support for the recommendations to optimize the initiative. The JCDC has been praised for its role in addressing crises like the Log4Shell vulnerability and the cybersecurity impacts of Russia’s invasion of Ukraine.

The changes will be implemented or responded to by Easterly ahead of the next CSAC meeting in September.

Unrelated to yesterday’s meeting, a seven-year-old Oracle WebLogic Server vulnerability (CVE-2017-3506) has been added to CISA's Known Exploited Vulnerability catalog. This flaw, allowing remote command execution, is now being exploited by Chinese cybercriminal group Water Sigbin for cryptomining. Despite patches released in 2017, the vulnerability remains a significant threat, highlighting the need for timely updates. Water Sigbin's sophisticated obfuscation techniques complicate detection and prevention. Oracle may release a new patch soon to address the issue.

Cloud vendor Snowflake says single-factor authentication is to blame in their recent breach. 

In a follow-up report, cloud vendor Snowflake claims to have been targeted in a campaign exploiting single-factor authentication. They say hackers used stolen credentials from a former employee to access demo account data, including clients like Ticketmaster. Contrary to claims by "ShinyHunters" of leaking 600 million accounts from Ticketmaster and Santander Bank, Snowflake's investigation found no such breach. The attackers demanded $500,000 for the data. Security firms CrowdStrike and Mandiant corroborate Snowflake's findings. The U.S. Cybersecurity and Infrastructure Agency (CISA) issued an alert, urging vigilance against phishing and recommending two-factor authentication to mitigate such threats.

Threat actors claim to have stolen 3TB of data from Advance Auto Parts' Snowflake account, including 380 million customer profiles, 140 million orders, and 44 million loyalty card numbers. The data, being sold for $1.5 million, also includes sensitive employee information. Advance Auto Parts operates 4,777 stores and serves numerous locations across North America and the Caribbean. The breach has not yet been publicly acknowledged by the company. 

TechCrunch reports that hundreds of Snowflake customer credentials are available online. 

Publishers sue Google over pirated ebooks. 

Four major educational publishers, Elsevier, Cengage Learning, Macmillan Learning, and McGraw Hill, have filed a lawsuit against Google. The lawsuit accuses Google of promoting pirated ebook versions of textbooks while ignoring infringement notices from the publishers. The complaint claims Google's actions violate the Copyright Act, the Lanham Act, and New York’s General Business Law, causing significant harm to the publishers. The publishers argue that Google’s policies support piracy, adversely affecting students who often end up with stolen credit cards, incomplete materials, and no refunds. The lawsuit highlights Google’s failure to remove thousands of infringing ads and its restriction of ads from legitimate sellers. The case could significantly impact how tech companies handle copyright infringement and the $8.3 billion U.S. textbook market.

The FBI shares LockBit decryption keys. 

The FBI has announced it possesses over 7,000 decryption keys to aid victims of the LockBit ransomware gang. These keys were obtained during an international law enforcement operation earlier this year that disrupted LockBit’s activities. LockBit, which offers ransomware-as-a-service, has inflicted billions of dollars in damages. Although the gang remains active, its capacity has been significantly reduced. The FBI is urging potential victims to contact its Internet Crime Complaint Center. The operation also exposed LockBit's mastermind, Dmitry Khoroshev, who attempted to negotiate leniency by betraying competitors. The release of these decryption keys is seen as a major victory for law enforcement, further undermining LockBit's operations.

V3B is a phishing as a service campaign targeting banking customers. 

A cybercriminal group is selling and distributing a sophisticated phishing kit called "V3B" through Phishing-as-a-Service (PhaaS) and self-hosting methods. Launched in March 2023 by "Vssrtje," the kit targets EU banking customers, stealing login credentials and one-time codes (OTPs) using social engineering tactics. The group has over 1,255 members on Telegram and has caused millions of euros in losses. V3B mimics legitimate banking processes across several EU countries and supports advanced features like localization, MFA, anti-bot measures, and live chat. Sold for $130-$450/month, it uses obfuscated JavaScript to evade detection. Fraudsters use real-time interaction and QR code manipulation to steal sessions.

Commando Cat targets Docker servers to deploy crypto miners. 

Researchers at Trend Micro describe Commando Cat, a campaign that exploits exposed Docker remote API servers to deploy cryptocurrency miners. Active since early 2024, attackers use the cmd.cat/chattr Docker image to gain access to the host system. They create containers that bind the host's root directory, allowing unrestricted access. The attackers download and execute a malicious binary, often employing sophisticated techniques to evade detection. This campaign underscores the importance of securing Docker configurations, using trusted images, and performing regular security audits to prevent such attacks.

Coming up, I speak with Snyk's CTO Danny Allan about how as companies rush to implement GenAI, they are bypassing best practices and security policies. We’ll be right back

Welcome back. Thanks to Danny for joining us. There’s a link in our show notes to find out more about their GenAI findings. 

Club Penguin fans stumble upon a cache of Disney secrets. 

And finally,  if your kids are of a certain age, there’s a good chance they were obsessed with Club Penguin. Well, some nostalgic fans of the MMO took their love to a whole new level by hacking Disney's Confluence server. They aimed to snag some Club Penguin secrets but ended up with 2.5 GB of Disney's internal data. These digital mischief-makers initially found 137 PDFs about the game, including old emails, design docs, and character sheets. But in a twist, they also accessed corporate strategies, advertising plans, and developer tools like Helios and Communicore. Disney's infrastructure and internal projects were exposed due to previously leaked credentials. While the Club Penguin files were ancient, the rest of the haul was fresh, dated as recent as June 2024. Despite repeated inquiries from BleepingComputer and others, Disney has yet to comment on the breach. Who knew the path to Disney’s secrets was paved with nostalgia for virtual snowball fights?

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.