Large data breaches through a Snowflake account?

Last week’s massive breach at TicketMaster is the result of illicit access to Snowflake, the popular cloud data platform. The threat actor apparently used stolen credentials of a former Snowflake sales engineer to sign in to its Salesforce account, bypassing Okta authentication. It then downloaded customers’ databases using infostealing malware. The Snowflake campaign has so far targeted six high-profile victims, including Mitsubishi, Santander Bank and AllState, and it might impact another 500 organizations. Two different threat actors are claiming responsibility for the attacks: ShinyHunters and WhiteWarLock, a mysterious new Russian group composed of teenagers. In response, Snowflake admitted the compromise of a former employee’s demo account, but denied any responsibility for the attacks and affirmed that the incident is not related to them.


More Snowflake attacks

In the meantime, another group, calling itself Sp1d3r, claimed responsibility for a Snowflake-based attack on Advance Auto Parts, stealing 3TB of data including 380 million customers’ information. It also stole 2TB of compressed data on 190 million people from QuoteWizzard, a company serving the insurance sector, although it isn’t clear whether the two events are connected. Sp1d3r is a threat group operating within BreachForums, the dark web marketplace also used by other threat actors such as ShinyHunters and IntelBroker.

RansomHub and the ZeroLogon vulnerability

RansomHub is exploiting the notorious ZeroLogon vulnerability (CVE-2020-1472) for initial access in its recent campaign. After last week’s attacks on Christie’s and American Clinical Solutions, the group took credit for a large operation against the telecom giant Frontier, from which it exfiltrated 5GB of information and which led to the shutdown of some systems. RansomHub, which emerged last February, has rapidly become one of the most prolific ransomware groups, counting more than 60 victims in the last three months. It now appears that the group is a rebranding of the defunct Russian Knight ransomware, even though it also recruited hackers from the dismantled BlackCat/ALPHV gang.

Mitigate it

Modify the Netlogon Parameters registry key and enable Enforcement mode by setting the FullSecureChannelProtection data value to 1.
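The registry change above, as an added PowerShell example that is not part of the original post: it first lists devices still making vulnerable Netlogon connections (event ID 5829) so they can be fixed before enforcement starts refusing them, then shows the current state and applies the setting. It assumes the Microsoft-documented registry path and event IDs and must run elevated on each domain controller.

```powershell
# Added example, not from the original post. Run elevated on a domain controller.
# Assumed: Microsoft's documented Netlogon registry path and the event IDs
# 5827/5828 (vulnerable connection denied) and 5829 (vulnerable connection allowed).

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'FullSecureChannelProtection'

function Get-VulnerableNetlogonClients {
    # Event 5829 is written while a vulnerable connection is still tolerated;
    # every device listed here will be cut off once enforcement is on.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Netlogon'
        Id           = 5829
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The "Machine SamAccountName:" label is the assumed message layout;
            # fall back to the raw message if it is not found.
            $m = [regex]::Match($_.Message, 'Machine SamAccountName:\s*(\S+)')
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Machine     = if ($m.Success) { $m.Groups[1].Value } else { $_.Message }
            }
        } | Sort-Object Machine -Unique
}

function Get-NetlogonEnforcementState {
    $v = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $v)              { return 'NotSet (behaviour of the installed update level applies)' }
    if ($v.$valueName -eq 1)       { return 'Enforced' }
    return "Explicitly set to $($v.$valueName)"
}

function Enable-NetlogonEnforcement {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($regPath, "Set $valueName = 1")) {
        # -Force overwrites an existing value; DWord 1 = Enforcement mode
        New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Get-VulnerableNetlogonClients | Format-Table -AutoSize   # review and fix these first
Get-NetlogonEnforcementState
Enable-NetlogonEnforcement -WhatIf                         # drop -WhatIf to apply
```

Devices that keep appearing in the 5829 list after enforcement is enabled will start logging 5827/5828 denials instead, which is the signal to chase down the unpatched client or unsupported third-party device behind them.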

Cisco Webex vulnerability used against Germany

The German government detected a vulnerability in its on-prem version of Cisco Webex, a video conferencing software it uses for internal communications, including by military organizations. The insecure direct object reference (IDOR) flaw could let attackers obtain links to thousands of Webex meetings, which happened to be unprotected by passwords. Three months ago, the Russian government publicly disclosed the content of classified German military meetings about the war in Ukraine.


CheckPoint vulnerability used against Germany

A week before the European elections, the CDU, the leading German opposition party, was targeted in a “serious attack” which exploited the CheckPoint VPN vulnerability disclosed last week (CVE-2024-24919), in combination with phishing techniques. The flaw is used to extract password hashes of local accounts connected to Active Directory, and consequently enables lateral movement. German political parties were recently targeted for espionage activities by the Russian APT29 state actor.

TikTok zero-day exploited

Attackers have exploited a zero-day in TikTok’s messaging feature to hijack high-profile accounts, such as CNN’s and Sony’s. The exploit required the victim to open the malicious message but did not require any download or click on their part.

Old Exchange flaws used by a new Chinese APT

A cyberespionage campaign, operated by a Chinese APT against governments in Asia, the Middle East and Africa, has been revealed. The campaign, nicknamed Diplomatic Specter, drops previously unknown malware backdoors and utilizes notorious Exchange vulnerabilities to gain initial access, especially ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473).

Mitigate it

Activate CheckPoint’s IPS rule “Microsoft Exchange Server Remote Code Execution”.

A new cyberespionage threat group

A newly discovered threat group named LilacSquid (aka UAT-4820), possibly linked with the North Korean Andariel, is leading a cyberespionage campaign against diverse targets worldwide. So far, it has compromised industrial IT companies in the US, energy organizations in Europe and the pharma sector in Asia. Alongside brute-forcing RDP credentials, the group gains initial access through vulnerabilities in internet-facing web application servers.

Oracle WebLogic vulnerability exploited (again)

CISA found evidence of recent exploitation of an old Oracle WebLogic vulnerability (CVE-2017-3506), which allows attackers to run OS commands remotely through crafted HTTP requests. The flaw was previously exploited in 2018 to obtain credit card information from American municipalities, and in 2023 when the Chinese 8220 Gang used it to deploy cryptominers on Windows and Linux systems.

Mitigate it

Enforce TrendMicro DPI Rules 1011716 and 1010550.

Winrar vulnerability exploited (again)

The Russian APT FlyingYeti (aka UAC-0149) used a Winrar vulnerability (CVE-2023-38831) in a large phishing espionage campaign against Ukrainian civilians. In 2023, the same flaw was exploited by various threat actors, including the Russian cybercrime group Water Hydra, the state actors APT28 and APT29, the North Korean APT37 and the Pakistani SideCopy.

Mitigate it

Activate Tenable Plugin 180174.

A new Linux Kernel flaw

A new Linux Kernel flaw (CVE-2024-1086) has been exploited in the wild. The vulnerability is a use-after-free flaw that lets attackers elevate privileges. It might lead to a kernel crash or eventually to arbitrary code execution.


Concerns around Telerik's vulnerability

A critical flaw in Telerik (CVE-2024-4358), Progress Software’s report server, is raising concerns following the publication of a POC. The vulnerability, which has yet to be patched, might be easily exploited to bypass authentication and access the Telerik server’s restricted functionality, eventually leading to arbitrary code execution. A flaw in another Progress product, MOVEit FTP, was at the center of massive exploitation in 2023.

Mitigate it

In Telerik’s portal, download the URL Rewrite IIS module and add a blocking rule with the pattern “startup/register”.

A vulnerability in Azure Service Tags

Tenable researchers warn of a severe vulnerability found in Azure Service Tags, which might allow attackers to craft SSRF-like web requests to impersonate trusted Azure services and bypass firewall rules. Service Tags are basically groups of IP addresses used for firewall filtering and IP-based Access Control Lists (ACLs) when network isolation is needed. In response, Microsoft denied the existence of a flaw, claiming that Service Tags are not intended to serve as a security control but as a routing mechanism. Consequently, the vulnerability won’t be patched.


Vulnerability exploitation as a main way to gain initial access

A new report shows that in 30% of analyzed ransomware incidents in 2023, vulnerabilities in internet-facing systems were exploited for initial access, compared with 24% the previous year. For these cases, the mean Time-to-Ransom (TTR), i.e. the interval between the first compromise and the ransomware’s execution, was less than 5 minutes.

Mitigate it