More Snowflake storage victims found, Microsoft issues new Windows patches, and more.
Welcome to Cyber Security Today. It’s Wednesday, June 12th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.
More companies that use the Snowflake cloud storage and analytics service are admitting their data has been compromised. As of Monday Mandiant and Snowflake had notified about 165 potentially exposed organizations. How were they hit? Victimized firms hadn’t enabled multifactor authentication login protection. So a hacking group that researchers call UNC5537, which was able to steal the usernames and passwords of Snowflake users, had easy access. Note that the credentials weren’t stolen from Snowflake; they were stolen from customers. Victim firms not only didn’t have MFA enabled, they also didn’t have network allow lists that would permit access only from trusted locations. Mandiant estimates hundreds of Snowflake access credentials have been stolen since 2020. Some firms were compromised through the PCs of contractors the organizations hired to help employees use Snowflake. Those consultants also used their PCs for risky personal activities such as downloading pirated software that included credential-stealing malware.
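The two missing controls the episode describes, no MFA and no network allow list, map directly onto Snowflake account settings. The following SQL is an added example written for this page; it is not code from the podcast, Mandiant or Snowflake. It assumes an ACCOUNTADMIN-equivalent role, that the account supports authentication policies with the MFA_ENROLLMENT parameter, and it uses the constructed placeholder range 203.0.113.0/24 in place of the organization's real egress addresses; the policy names are also made up here.

```sql
-- Added example (not from the podcast, Mandiant or Snowflake): Snowflake SQL a
-- defender can run to (1) find logins that arrived without a second factor and
-- (2) enforce the two controls the Snowflake victims lacked.
-- Assumes an ACCOUNTADMIN-equivalent role. 203.0.113.0/24 is a constructed
-- placeholder for the organization's own trusted egress addresses.

-- 1. Detection: successful logins in the last 30 days that used no second
--    factor. Password-only logins from unfamiliar client IPs are the pattern
--    to triage first; repeated hits from one IP deserve a closer look.
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor,
       COUNT(*) AS login_count
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4, 5
ORDER BY login_count DESC;

-- 2. Network allow list: only the listed ranges may reach the account.
--    Include the administrators' own egress range before applying, or the
--    policy locks out the people enforcing it.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy   -- hypothetical name
  ALLOWED_IP_LIST = ('203.0.113.0/24');                -- constructed range
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 3. Require MFA enrollment for users through an account-level
--    authentication policy (assumes MFA_ENROLLMENT is supported).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy   -- hypothetical name
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION_POLICY = require_mfa_policy;
```

Run the detection query before turning on enforcement: it shows which accounts and client IPs would be affected, including contractor and service-account logins that may need key-pair authentication or a scoped policy rather than a blanket change.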
Yesterday was Patch Tuesday, when Microsoft released security fixes. According to Action1, one plugs a critical Windows Server vulnerability in Microsoft Message Queuing. If MSMQ is enabled and not patched, an attacker could do nasty things. IT departments that use MSMQ should disable it until the patch is installed. There are also several holes in Microsoft Office that need patching. And Windows Server and Windows 11 have an issue in the Event Trace Log File Parsing feature that needs to be patched. The Microsoft patches also help close a vulnerability in the DNSSEC protocol that can lead to denial of service attacks. Fortra notes network administrators should watch for updates from DNS servers like BIND, PowerDNS, dnsmasq and others to also close this hole.
More on patching: If your organization uses Veeam Backup Enterprise Manager, make sure the latest version is installed. Researchers at Summoning Team have published a proof of concept exploit of a critical authentication bypass vulnerability that Veeam announced last month.
IT departments and individuals using graphics cards with Nvidia processors should install the latest display drivers. They close several major vulnerabilities.
JetBrains warned IT departments using its IntelliJ integrated application development platform with the JetBrains GitHub plugin to update the environment and the plugin. Any GitHub tokens used by the plugin should also be revoked.
And ARM warned IT departments and individuals using graphics cards with its processors that their Mali drivers need updating.
Researchers at Trustwave have discovered a sophisticated phishing campaign spreading malware with a zip file that hides an infected HTML attachment. Targets are asked to open a document under a number of pretexts, such as an invoice that needs to be paid. The HTML attachment triggers a chain that leads to downloading malware by abusing Windows’ search capability. The report offers a mitigation. One of the best preventions is regular warnings to employees not to click on unexpected attachments.
The privacy commissioners of the United Kingdom and Canada have opened a joint investigation into the huge data breach at the consumer genetics testing service 23andMe. That October 2023 attack saw personal data of almost 7 million people copied. The investigation will look into whether 23andMe had adequate safeguards.
Separately, the Canadian privacy commissioner opened an exploratory consultation on how online services wanting to restrict young people from accessing certain content — like porn — should confirm the age of someone logging in. This comes as Parliament debates proposed legislation that would restrict young people’s online access to sexually explicit material. The proposed legislation leaves it up to the government to approve age verification methods in regulations. Privacy commissioner Philippe Dufresne has said any method of verifying ages has to protect personal data. Several U.S. states including Texas and Utah already have online age verification regulations.
Attention American listeners: Do you want Congress to pass federal privacy law? Time’s getting short for your voice to be heard. The proposed American Privacy Rights Act is currently before the House of Representatives. As an article in The Record notes, the proposed law would override the 18 state data privacy laws, some of which are seen as weak. But there would be exemptions for Illinois’ biometric data law and Washington state’s health data privacy law.
Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.