Cyber Security Today, Week in Review for week ending June 7, 2024


This is the Week in Review for the week ending Friday June 7th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.


With me this week is guest commentator David Shipley of Beauceron Security. We’ll be talking about the data breaches at cloud storage and analytics provider Snowflake, an Auditor General report critical of Canada’s cybercrime-fighting agencies and the continuing debate on Microsoft’s new Recall tool.

But first a look at some headlines from the past seven days:

Application developers using the on-premises version of Kiuwan SAST for source code analysis should install the latest security update immediately. Researchers at SEC Consult say the application has multiple vulnerabilities. The cloud version was patched in February. What’s worrisome is that the vulnerabilities were identified, and the vendor was warned, almost two years ago.

When the FBI and other law enforcement agencies struck the LockBit ransomware gang in February they got a bonus: Over 7,000 keys that can unscramble data the gang encrypted. According to Security Week, an FBI official told that to attendees at a Boston cybersecurity conference this week. If your firm has been hit by a ransomware strain, contact your local police department.

The U.S. Justice Department is trying to get back most of the $6.4 million a union was defrauded out of in an email scam. An employee fell for the spoofed email that appeared to come from the union’s investment manager. The message asked the union to change the bank it usually sent payments to. The account the money went to was controlled by a crook. The money allegedly was laundered and traced to seven accounts in Hong Kong, China, Singapore and Nigeria.

The gang distributing the new RansomHub ransomware strain has probably adapted the Knight ransomware code. That’s according to researchers at Symantec, who note the two code bases are very similar. The source code for Knight was offered for sale in February and could have been bought then. RansomHub emerged the same month. This gang has attracted some large former affiliates of the ALPHV/BlackCat gang, which closed earlier this year.

In another example of ‘there’s no honor among thieves,’ the Chinese online shopping platform PandaBuy has admitted it was recently hit twice by the same extortion gang. The Chinese firm told the Bleeping Computer news site the first time it paid a ransom to prevent stolen data from being leaked or sold on the dark web. However, this week the same threat actor put up for sale what they claimed was more data stolen from PandaBuy.

Finally, Panorama Eyecare, an American firm that provides management services to eye clinics, is notifying almost 378,000 Americans of a data theft. The company told Maine’s attorney general’s office that in late May a hacker got into its IT network and copied information including customers’ names, credit card numbers and more.

(The following transcript is an edited version of the first of three issues in the discussion. To get the full conversation play the podcast)

Howard: Topic One: A blizzard of controversy around Snowflake. Snowflake is an American-based cloud data storage and analytics service used by big companies including Mastercard, Honeywell and the Albertson’s supermarket chain. Last week it acknowledged a targeted threat campaign against some customer accounts. Australia’s cybersecurity agency said it is aware of successful compromises of several companies using Snowflake. At the same time Ticketmaster acknowledged a huge data theft from a third-party cloud database. Some news outlets think it was Snowflake, although one cybersecurity researcher said it spoke to the supposed hackers who said the data came from an AWS instance. Meanwhile the Spanish bank Santander said data of customers in Spain, Chile and Uruguay was stolen from what it called a cloud-based platform of its third-party supplier. Again, some cyber news media think this was a theft from Snowflake.

Regardless of who was hit, Snowflake and its investigation team, who include CrowdStrike and Mandiant, say any activity was NOT the result of a breach of its platform, a vulnerability, a misconfiguration or compromised staff credentials. Snowflake does say that threat actors are leveraging stolen credentials and are targeting users that only use single-factor authentication. So, David, it seems what we have is ‘Blame those who aren’t using multi-factor authentication.’

David Shipley: This story continues to get more and more complicated and convoluted, with conflicting information from the company, a cybersecurity company commenting on the breach and then withdrawing it, posts by national cybersecurity agencies and more. This breach, if it is a single vendor that these multiple companies are all attached to, has the potential to blow the MOVEit breach of 2023 fame out of the water for sheer size of impacted users. And we’ll have to see if the “quality” of the breach data rises to the same level of harm as MOVEit.

Either way, this is not a milestone we particularly want to have for 2024. And I’m prepared today to call this year — five months in — already significantly worse than 2023 because of this. [Breaches at] UnitedHealth, Medisecure in Australia, London Drugs in Canada, and so much more all come at a time when many companies have cut cybersecurity spending and staffing.

Meanwhile, we have a third major confirmed breach that’s of the same scale as Ticketmaster announced this week, with up to 400 million customers potentially impacted. Advance Auto Parts, one of the world’s largest auto parts companies, was named in a breach posting according to reporting from Bleeping Computer. Now, Advance operates 4,777 stores and 320 WorldPak branches and also serves 1,152 independently owned CarQuest stores in the United States, Canada, Puerto Rico, the U.S. Virgin Islands, Mexico, and various Caribbean islands. The stolen data allegedly includes 380 million customer profiles (name, email, phone, address, and more), 140 million customer orders, 44 million loyalty gas card numbers — that could hurt — sales history, employment candidates with SSNs, driver’s license numbers and demographic details …

Howard: Security researcher Kevin Beaumont believes the Snowflake hackers are a teen crime wave group that’s been active on the Telegram messaging site.

David: Kevin’s a pretty smart guy. I follow a lot of what he posts, and the involvement of a teenage crimeware group matches a disturbing pattern we’ve seen in the past few years with the rise of groups like Scattered Spider. It’s interesting to note that in the screenshot of the Advance Auto Parts breach notice the criminal’s user profile icon is a spider. Now that’s hardly a smoking gun, but it’s, I would say, arguably interesting circumstantial evidence nonetheless.

I know this issue of teenagers getting involved in crime is a huge issue for global law enforcement and they’re deeply worried about it and they’re trying to combat it. And we saw that in the worldwide effort to target users of the Genesis [criminal] marketplace, including a successful door-knocking campaign here in Canada that was designed to steer folks away from a bad path in life, as well as to spread fear, uncertainty and doubt.

Howard: Interestingly, according to the Bleeping Computer news service, a cybersecurity company claimed that it spoke to the threat actor who is taking credit for the Santander and Ticketmaster thefts [by going] through a Snowflake employee’s account using stolen credentials. After Snowflake denied that an employee’s account with access to customer data was hacked, the cybersecurity company withdrew its report.

Snowflake did say that a hacker got credentials of a former employee and they accessed demo accounts. But those accounts didn’t have sensitive data, Snowflake said.

David: And apparently it wasn’t just that the company denied it to the other cybersecurity firm … They also had a legal threat [to the cybersecurity company for its blog]. And that’s interesting. And I do want to point out just for a second, Snowflake is having an absolutely very bad, awful week because it’s damned if it did, it’s damned if it didn’t. Even if everything comes up aces and they did everything right, their name is just getting dragged through all of this. And I can only imagine how much this really sucks for their entire team. So I just want to take a moment of empathy and just say, this has got to be gut-wrenching for them.

Howard: One thing for sure, the Ticketmaster hack was huge. Data on over 500 million customers was copied. What does this say about this organization’s preparations for a data theft?

David: I think we’re really going to need to see what comes out of any future SEC filings, because Ticketmaster is a publicly-traded company. I deeply hope the U.S. Cybersecurity Review Board is girding up to dive into this with a report as thorough as it did for the Microsoft breach.

Howard Solomon (https://www.itworldcanada.com)

Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
