Information Security News 6-3-2024

Snowflake Data Breach Impacts Ticketmaster, Other Organizations

Article Link: https://www.securityweek.com/snowflake-hack-impacts-ticketmaster-other-organizations/

• Recently, the organization Snowflake reported that hackers gained unauthorized system access to certain customer accounts. Snowflake was made aware of the incident on May 23, 2024; however, increased threat activity began in mid-April 2024.
• In addition to various other companies, the parent company of Ticketmaster, Live Nation Entertainment, sent an 8-K filing with the SEC regarding a third-party security incident within the third-party’s cloud environment.
• While information is still limited, many industry professionals suggest that the third-party referenced by Live Nation Entertainment is Snowflake. Likewise, malicious hackers recently claimed to have exfiltrated the data of 560 million users from Ticketmaster.
• Link to Snowflake’s Report: https://community.snowflake.com/s/question/0D5VI00000Emyl00AB/detecting-and-preventing-unauthorized-user-access

2.8 Million Impacted by Data Breach at Prescription Services Firm Sav-Rx

Article Link: https://www.securityweek.com/2-8-million-impacted-by-data-breach-at-prescription-services-firm-sav-rx/

• Sav-Rx, operated as A&A Services, experienced a disruption to their computer network on October 8^th, 2023, which is reported to have been resolved by the following business day.
• Non-clinical systems were breached by attackers, leaking personal information such as addresses, names, birth dates, phone numbers, Social Security Numbers, and insurance identification numbers. There is no evidence that suggests the exfiltration of financial or clinical data.
• Breach notifications were sent to the Maine Attorney General’s office, notifying them of the breach’s impact on approximately 2.8 million individuals, along with those with impacted health plans.
• While it remains unclear whether ransomware was involved in the cyberattack, and the identity of the attackers remains unknown, indications suggest a potential ransom payment.
• Link to Sav-Rx’s Breach FAQ: https://faq.savrx.com/

LastPass Launches LastPass Compliance Center

Article Link: https://www.businesswire.com/news/home/20240529683155/en/LastPass-Launches-LastPass-Compliance-Center

• LastPass launched the Compliance Center in collaboration with Drata, pushing to provide partners and customers with up-to-date security assurance information.
• The integration of Drata’s platform with LastPass Trust Center will allow the Compliance Center to display status indicators for various security systems.
• The Compliance Center will offer policies, reports, documentation, and certifications for public view.
• Link to LastPass’ Compliance Center: https://compliance.lastpass.com/

Hackers Target Check Point VPNs to Breach Enterprise Networks

Article Link: https://www.bleepingcomputer.com/news/security/hackers-target-check-point-vpns-to-breach-enterprise-networks/

• Attackers are exploiting old local accounts with insecure password-only authentication through Check Point Remote Access VPN devices attempting to breach enterprise networks.
• Check Point has also discovered a vulnerability within their Security Gateways, potentially granting attackers access to data on Internet-connected Check Point gateways featuring remote access VPN or mobile access functionality.
• Check Point is pushing customers to check for vulnerable accounts and move to more secure authentication methods or remove vulnerable accounts. Check Point also released a hotfix to block local accounts from authenticating solely with a password.
• Link to Check Point’s Announcement: https://blog.checkpoint.com/security/enhance-your-vpn-security-posture?campaign=checkpoint&eid=guvrs&advisory=1

Microsoft Links North Korean Hackers to New FakePenny Ransomware

Article Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-links-moonstone-sleet-north-korean-hackers-to-new-fakepenny-ransomware/

• Microsoft attributed FakePenny ransomware attacks to North Korean hacking group Moonstone Sleet. This group leverages unique tactics, techniques, and procedures (TTPs) as well as common attack methods attributed to North Korean hacking groups.
• Moonstone Sleet, previously known as Storm-17, targets various organizations using a variety of methods including trojan software, fake companies, and malware disguised as games. While Moonstone Slate’s primary motive is financial gain, they have engaged in cyber espionage as well.
• It was noted by Microsoft that Moonstone Sleet’s advancement in tactics and adoption of ransomware suggest an expansion of capabilities for disruptive operations. Some targets of Moonstone Sleet include education, software and IT, and defense sectors.

New Research Warns About Weak Offboarding Management and Insider Risks

Article Link: https://thehackernews.com/2024/05/new-research-warns-about-weak.html

• Wing Security Research shows that 63% of companies may have ex-employees who still have access to company data, and implementing an automated SaaS security could help address offboarding issues.
• Poorly managed offboarding of employees can lead to serious security threats, including data breaches, failure to comply with regulations, and theft of intellectual property.
• Mass layoffs in early 2024, impacting over 80,000 tech workers, emphasize the importance and challenges of immediately and effectively removing access during offboarding.

FHA Enacts New Cybersecurity Reporting Requirements

Article Link: https://nationalmortgageprofessional.com/news/fha-enacts-new-cybersecurity-reporting-requirements

• New Cybersecurity Incident Reporting Requirements have been introduced by the Federal Housing Administration (FHA). The Mortgagee Letter (ML) 2024-10 outlines the requirement for FHA-approved mortgagees to report cyber incidents to the Department of Housing and Urban Development (HUD).
• Notification to HUD must occur within 12 hours of detection of a cyber incident. Mortgagees must report suspected incidents to HUD’s FHA Resource Center at answers@hud.gov and HUD’s SOC at cirt@hud.gov . According to the announcement, the requirements are effective immediately.
• The FHA defines a significant cybersecurity incident as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.”
• Link to FHA’s Announcement: https://www.hud.gov/sites/dfiles/OCHCO/documents/2024-10hsgml.pdf
• Link to Additional Information: https://www.debevoise.com/insights/publications/2024/05/very-broad-and-very-fast-the-new-federal-housing

New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI

Article Link: https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html

• Experts have issued warnings about phishing campaigns exploiting Cloudflare Workers to create fake login sites aimed at stealing credentials for Gmail, Microsoft, Yahoo, and cPanel Webmail.
• These attacks utilize a method known as adversary-in-the-middle (AitM) phishing, which acts as a reverse proxy that will intercept and capture login credentials, session tokens, and cookies.
• Users are deceived into signing in through fake Microsoft service pages to access a malicious PDF, resulting in the theft of their multi-factor authentication (MFA) codes and credentials.
• Cybercriminals are employing generative AI to design phishing emails to distribute large, compressed malware files to bypass antivirus systems. This results in the spread of malware such as Agent Tesla, AsyncRAT, Remcos RAT, and Quasar RAT.
• Link to Netskope’s Report: https://www.netskope.com/blog/phishing-with-cloudflare-workers-transparent-phishing-and-html-smuggling