Cybersecurity News: Snowflake hack update, BreachForums down again, Cylance data for sale

Pure Storage hacked via Snowflake workspace

On Monday, cybersecurity firm Mandiant warned that the threat actor named UNC5537 is “systematically” compromising victim organization data through Snowflake and attempting to extort them. Snowflake is a multi-cloud data warehousing platform and, to date, 165 organizations that use it have potentially been exposed. Mandiant said the three primary factors enabling the compromises are a lack of multi-factor authentication (MFA), failure to rotate credentials, and the absence of network allow lists that limit incoming Snowflake traffic to trusted sources.
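As an added example (not from the original story or from Mandiant/Snowflake), the following Snowflake SQL addresses the three factors above: it audits for accounts logging in without a second factor or with stale passwords, and then applies a network policy so only trusted source ranges can reach the account. The IP ranges and policy names are constructed placeholders; the `MFA_ENROLLMENT = REQUIRED` authentication-policy setting is assumed to be available on the account.

```sql
-- 1. Which enabled users have signed in over the last 30 days without a
--    second factor? (Columns from SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.)
SELECT user_name,
       COUNT(*)                       AS single_factor_logins,
       MIN(client_ip)                 AS example_client_ip,
       MAX(event_timestamp)           AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY single_factor_logins DESC;

-- 2. Which enabled users have not enrolled in MFA, or still use a password
--    set more than 90 days ago? (Columns from SNOWFLAKE.ACCOUNT_USAGE.USERS.)
SELECT name, ext_authn_duo AS mfa_enrolled, password_last_set_time, last_success_login
FROM snowflake.account_usage.users
WHERE disabled = FALSE
  AND (ext_authn_duo = FALSE
       OR password_last_set_time < DATEADD(day, -90, CURRENT_TIMESTAMP()))
ORDER BY password_last_set_time;

-- 3. Network allow list: the placeholder ranges below stand for corporate
--    egress and the ETL host that loads the warehouse; replace before use.
CREATE NETWORK POLICY IF NOT EXISTS trusted_sources_only
  ALLOWED_IP_LIST = ('192.0.2.0/24', '198.51.100.10')
  COMMENT = 'Only corporate egress and the ETL host may authenticate';

-- Attach the policy at account level so it applies to every user.
ALTER ACCOUNT SET NETWORK_POLICY = trusted_sources_only;

-- 4. Require MFA enrollment for everyone (assumed authentication-policy
--    syntax; verify against the account's Snowflake release).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Run queries 1 and 2 before attaching the policies: any service account that appears there needs its credentials rotated and its source address added to the allow list, or it will be locked out when enforcement starts.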

Data storage provider Pure Storage reported Tuesday that it too has become a victim of the mounting Snowflake-related breaches. The company said analytics data was affected but strongly emphasized that no customer data was compromised.

(Infosecurity and The Register)

BreachForums down again and official Telegram channels deleted 

Following up on a story we’ve been following on Cyber Security Headlines, the infamous BreachForums hacking forum is down again and now returns a ‘502 Bad Gateway’ error. Shortly after the domains went down, the site’s official Telegram accounts were deleted. Last month, ‘ShinyHunters’ recovered BreachForums domains which had been seized by authorities. Security researcher Vinny Troia reported that ShinyHunters direct messaged him via Telegram to say he was retiring from the forum due to getting ‘too much heat.’ Though reports have not been confirmed, some researchers are attributing the latest takedown to the FBI, even congratulating the agency on X and LinkedIn.

(The Cyber Express)

BlackBerry Cylance data up for sale

Dark Web Informer reported last week that a threat actor is hoping to sell data allegedly belonging to BlackBerry’s Cylance cybersecurity unit for $750,000. The cybercriminals are claiming the data includes customer and employee PII, including 34,000,000 email addresses, as well as sales prospect and customer lists. BlackBerry said the data was stolen from a third-party platform and appears to be from 2015-2018. Cylance was acquired by BlackBerry in 2019 for $1.4 billion. 

(SecurityWeek)

Chinese hackers breached 20,000 FortiGate systems 

Dutch authorities (MIVD) disclosed back in February that Chinese hackers exploited a critical code execution flaw in FortiOS/FortiProxy (CVE-2022-42475) to infect 14,000 devices between 2022 and 2023. The Coathanger remote access trojan (RAT) malware was used in the attacks and was also found on the Dutch Ministry of Defence’s research and development (R&D) network. Dutch authorities indicate that since February, the number of compromised FortiGate devices has ballooned to 20,000. They believe Chinese hackers still have access to many victims because the Coathanger malware survives firmware upgrades and is difficult to detect, as it intercepts system calls to avoid revealing its presence.

(Bleeping Computer)

And now a word from our sponsor, Vanta

Whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, and more. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security. Our listeners get $1,000 off at Vanta.com/headlines.

JetBrains warns of bug exposing GitHub access tokens

JetBrains is warning customers to patch a critical vulnerability (CVE-2024-37051) that impacts users of its IntelliJ integrated development environment (IDE) apps and exposes GitHub access tokens. JetBrains has released security updates for all affected IDEs and GitHub plugins. JetBrains advised customers who used GitHub pull request functionality in IntelliJ IDEs to revoke any GitHub tokens. The tokens could be used to access GitHub accounts, even those protected by two-factor authentication. 

(Bleeping Computer)

WarmCookie gives criminals a tasty backdoor for initial access

According to Elastic Security Labs, new malware dubbed “Warmcookie” is capable of extensive machine fingerprinting, screenshot capturing, and the deployment of additional payloads. Threat actors are spreading the malware through phishing campaigns featuring fake job and recruitment offers that are personalized with the targets’ names and those of their current employers. The researchers note that while Warmcookie still has plenty of room for improvement, it is already capable of inflicting significant damage on its targets.

(Bleeping Computer)

You should probably patch that (Patch Tuesday edition)

Yesterday, Microsoft fixed a total of 51 vulnerabilities as part of its June 2024 Patch Tuesday release. The fixes address one publicly disclosed zero-day flaw (CVE-2023-508680) that exposes the DNS protocol to ‘Keytrap’ attacks. Additionally, Microsoft fixed a critical remote code execution vulnerability in Microsoft Message Queuing (MSMQ) (CVE-2024-30080) which carries a CVSS severity score of 9.8 out of 10. Finally, the release fixed a bug introduced by Microsoft’s April 2024 security updates that caused the Local Security Authority Subsystem Service (LSASS) to crash and reboot servers.

Adobe joined in the Patch Tuesday fun, releasing six security fixes of its own affecting Photoshop, After Effects and Illustrator which could lead to arbitrary code execution and memory leaks. Adobe emphasized the After Effects updates, which cover at least four critical vulnerabilities. Adobe said it’s not aware of any exploits in the wild for any of these issues.

(Bleeping Computer and SecurityWeek [1][2])

Duo arrested for smishing campaign using rogue antenna

In May, authorities in the UK arrested two suspects who allegedly used a homemade mobile antenna to send thousands of SMS phishing (“smishing”) messages to unsuspecting individuals. The illegal SMS blaster allowed the perpetrators to bypass mobile phone network protections that block suspicious text messages. SMS blasting becomes illegal if used to deliver messages to individuals who did not consent, especially if used for malicious purposes. One of the suspects, 32-year-old Huayong Xu, remains in custody, while the other suspect has been released on bail. Consumers in the UK are urged to forward suspicious text messages for free to 7726, so that mobile network providers can investigate and take any necessary actions.

(SecurityWeek)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.