Daily Brief

2024-06-05 21:57:35 | bleepingcomputer | DATA BREACH | Advance Auto Parts Data Sold Online After Snowflake Breach
Threat actors are selling 3TB of data stolen from Advance Auto Parts through a breach of the company's Snowflake account. The data includes sensitive records of 358,000 employees; since the current staff count is approximately 68,000, the set evidently includes former employees. BleepingComputer confirmed the legitimacy of a substantial number of the customer records involved in the breach. Advance Auto Parts has not yet publicly acknowledged the breach nor reported it to the U.S. Securities and Exchange Commission. The stolen data is being offered for $1.5 million on a cybercrime forum. The breach is part of a broader wave of attacks on Snowflake customers. Snowflake and security firms including Mandiant and CrowdStrike are investigating; the evidence so far points not to an inherent vulnerability in Snowflake's product but to the use of compromised customer credentials. Other major companies, including Santander and Ticketmaster, have also suffered breaches linked to compromised Snowflake accounts.
2024-06-05 21:47:07 | theregister | CYBERCRIME | Zero-Day Exploit in TikTok Compromises High-Profile Accounts
TikTok confirmed a cyberattack in which CNN and other notable accounts were hijacked via a zero-day vulnerability in the app. The attack used zero-click malware transmitted through TikTok's private chat function, requiring no user interaction beyond opening a direct message. TikTok's security team has resolved the issue, strengthened its security measures, and is working with affected users to restore and secure their accounts. Although initial reports also named other high-profile compromises, such as Paris Hilton's and Sony's accounts, these were either denied or remain unverified. Past security incidents at TikTok include a significant vulnerability found by Microsoft in August 2022 and another spotted by Imperva's red team one year ago. These recurring security concerns add to existing apprehensions about TikTok's data practices and the influence of its China-based parent company, ByteDance. American lawmakers continue to scrutinize ByteDance over potential espionage and misinformation tied to its Chinese ownership, amid ongoing legal challenges to TikTok's operation in the U.S.
2024-06-05 20:45:33 | bleepingcomputer | DATA BREACH | Hotel Self-Check-in Terminals Expose Guest Personal Information
A security flaw in Ariane Systems self-check-in terminals, used by 3,000 hotels globally, allows bypassing kiosk mode to access personal guest information. Security researcher Martin Schobert discovered the vulnerability, which grants access to the Windows desktop underlying the kiosk system. The exposed information includes guest reservation details, personally identifiable information (PII) and invoices, and the access also allows provisioning of RFID room keys. Although the issue was reported to Ariane Systems in March, communication about the resolution and the specific firmware update that addresses it remains unclear. The vulnerability also poses a potential risk of broader network attacks within affected hotels, escalating the impact of the breach. Hotels are advised to isolate self-check-in terminals from core hotel IT systems and to verify the security status of their installed terminals with the vendor. The issue highlights ongoing security challenges in hospitality technology, affecting both privacy and operational security in small to medium-sized hotels.
2024-06-05 20:19:56 | bleepingcomputer | DATA BREACH | Club Penguin Fans Breach Disney Server, Steal Sensitive Data
Club Penguin enthusiasts hacked into a Disney Confluence server, initially aiming to find game-specific data. The breach resulted in the unauthorized access and download of 2.5 GB of sensitive corporate Disney data. The compromised data includes internal corporate strategies, advertising plans, Disney+ material, and details on internal developer tools. It encompasses business, software, and IT project documentation not intended for public release, including credentials and API endpoints for crucial Disney operational tools and infrastructure. The theft came to light after a post on 4Chan shared outdated Club Penguin data, which subsequently revealed the broader data theft from Disney servers. The newer documents contain current information dated up to June 2024, indicating recent unauthorized access to Disney's systems. Disney has not publicly responded to inquiries about the breach, which may indicate ongoing internal investigation or containment efforts.
2024-06-05 20:14:33 | theregister | CYBERCRIME | RansomHub: Emergence of a Knight Ransomware Offshoot
RansomHub, a recently emerged cyber-criminal group, is likely a rebranded version of the Knight ransomware gang and has been involved in data theft from entities such as Christie's. Symantec ranks RansomHub as the fourth most active ransomware group; it conducts sophisticated attacks and auctions victims' data as part of its methodology. The group exploits critical vulnerabilities such as ZeroLogon to gain unauthorized access to corporate networks, then deploys legitimate remote tools for lateral movement and intelligence gathering. Once inside the network, RansomHub deploys ransomware that encrypts and exfiltrates data, threatening to leak or sell the data if ransoms are not paid. Symantec's analysis reveals substantial code similarities between RansomHub and Knight, suggesting reuse of previously developed ransomware code, likely purchased and modified for the new operation. Connections to the former ALPHV affiliate "Notchy" and the use of tools linked to another ALPHV affiliate, "Scattered Spider", suggest a complex web of affiliations contributing to RansomHub's operations and its success after the ALPHV disruption. Despite these challenges, the analysis underscores the adaptability of law enforcement in disrupting cybercriminal activity and sowing discord among the groups.
2024-06-05 20:09:11 | bleepingcomputer | NATION STATE ACTIVITY | Coordinated Chinese Cyberespionage Targets Southeast Asian Government
Chinese state-sponsored hackers have been engaging in an extensive cyberespionage campaign against a Southeast Asian government since at least March 2023, as identified in Sophos' Crimson Palace report. The campaign features three distinct clusters (Alpha, Bravo, Charlie) with specialized roles such as malware deployment, lateral movement, and reconnaissance, all believed to be directed by a central Chinese authority. Cluster Alpha focused on mapping network subnets and admin accounts, deploying malware such as EAGERBEE, and using techniques like DLL side-loading to evade detection. Cluster Bravo was operational for three weeks, emphasizing credential dumping and obscuring its malware deployment through renamed binaries and memory manipulation to avoid security detection. Cluster Charlie conducted mass credential harvesting and endpoint mapping, maintaining persistence in the network through malware such as PocoProxy and techniques such as injecting a Cobalt Strike Beacon. The timing of the attacks, including activity spikes on holidays, suggests strategic planning to exploit periods of reduced security vigilance. Sophos has managed to block some of the threat actors' command and control communications, but continuous monitoring indicates ongoing attempts to penetrate the network.
2024-06-05 18:01:49 | bleepingcomputer | CYBERCRIME | Ransomware Attack on London Hospitals Linked to Qilin Gang
A ransomware attack by Qilin targeted Synnovis, disrupting multiple NHS hospitals in London. Synnovis, a provider of pathology services, faced system lockouts causing significant service disruptions at major medical facilities. The incident affected Guy's and St Thomas' NHS Foundation Trust, King's College Hospital NHS Foundation Trust, and primary care providers in southeast London. Emergency services remain operational, but some non-emergency procedures and pathology services have been postponed or redirected. NHS England's cyber incident response team is actively assessing the scope and potential data implications of the attack. Ransom demands observed in similar attacks range from $25,000 to several million dollars. Qilin has been linked to over 130 companies on its dark web leak site since its inception in 2022. The gang employs a double-extortion tactic, stealing sensitive data before deploying ransomware encryptors, and primarily targets VMware ESXi virtual machines.
2024-06-05 17:36:07 | theregister | MALWARE | Critical Security Patches Released for Obsolete Zyxel NAS Devices
Zyxel issued emergency security patches for two end-of-life NAS models, NAS326 and NAS542, due to critical vulnerabilities. Timothy Hjort, a vulnerability research intern, identified five critical flaws, among them remote code execution issues. The vulnerabilities were reported in March and carry CVSSv3 scores of 9.8, indicating high severity. One notable vulnerability, CVE-2024-29972, involves a backdoor account named "NsaRescueAngel" that was supposed to have been removed but is still active. Exploits for these vulnerabilities, detailed in Hjort's report, increase the urgency for affected users to apply the patches. Additional vulnerabilities uncovered include a Python code injection flaw and a persistent remote code execution bug. Zyxel has released updates for both impacted NAS models, urging customers with extended support to update immediately.
2024-06-05 17:25:43 | bleepingcomputer | MISCELLANEOUS | Kali Linux 2024.2 Update Introduces 18 New Tools, Addresses Y2038
Kali Linux version 2024.2 has been launched as the first update of the year, featuring new tools and significant bug fixes. This release includes 18 new tools that extend the capabilities available to cybersecurity professionals and ethical hackers. Updates have been made to address the Y2038 issue, shifting critical systems to a 64-bit time_t to avoid overflow errors after January 2038. Although Linux kernel 6.8 was not included in this update, it is scheduled for integration in the next release, version 2024.3. Visual updates in Kali Linux 2024.2 consist of new wallpapers, a refreshed boot menu, and an improved login display. The release supports new versions of desktop environments such as Gnome 46 and Xfce, with updated themes and stability enhancements. Users can upgrade their existing Kali installation or download new ISO images for full installs or live distributions. For WSL users, an upgrade to WSL2 is recommended.
2024-06-05 14:01:56 | bleepingcomputer | MISCELLANEOUS | Securing Active Directory Against Increasing Threat Actor Attacks
Microsoft Active Directory is a prime target for attackers because of its central role in enterprise identity and access management. Compromising Active Directory allows attackers to access critical information, escalate privileges, and deploy ransomware. Attackers employ various methods, including phishing, brute force, and password spraying, to steal credentials. Common weaknesses include weak or reused passwords, complex infrastructure, and insufficient auditing of AD activity. Organizations often fail to maintain proper offboarding, leaving unused accounts in place, frequently with excessive privileges, for attackers to abuse. Best practices for strengthening Active Directory security include tightening password policies, implementing rigorous configuration management, and improving account lifecycle processes. Specops Software offers tools such as Specops Password Policy to strengthen default Active Directory password policies and detect breached passwords. Continuous security improvement and expert consultation are recommended to mitigate risks and make Active Directory a less attractive target for attackers.
2024-06-05 12:39:38 | bleepingcomputer | CYBERCRIME | RansomHub Emerges from Defunct Knight Ransomware's Ashes
RansomHub, a ransomware-as-a-service (RaaS) operation, evolved from the defunct Knight ransomware, according to security analysts. The gang is involved in data theft and extortion, selling stolen files to the highest bidder. In April, RansomHub leaked data from UnitedHealth's Change Healthcare following an attack carried out in collaboration with BlackCat/ALPHV. Christie's confirmed a security breach in May after RansomHub threatened to disclose its stolen data. Knight ransomware, launched in July 2023 as a rebrand of Cyclops, was known for targeting multiple operating systems and included an info-stealer component. The shutdown of Knight in early 2024, followed by the sale of its source code, coincided with the emergence of RansomHub. Symantec suggests RansomHub was not founded by Knight's creators but possibly by another actor using the purchased source code. RansomHub has quickly become a major player in the RaaS field, attracting affiliates from other notorious groups.
2024-06-05 12:08:50 | theregister | NATION STATE ACTIVITY | International Probe Unravels Corruption in INTERPOL Red Notice System
Four individuals were arrested for taking part in international corruption schemes that allowed cybercriminals to travel without triggering INTERPOL alerts. Moldovan officials, and possibly officials of other nations, were bribed to block or delete INTERPOL Red Notices, with bribes totaling millions. The schemes also involved giving cybercriminals, notably ransomware specialists, information on their Red Notice status, which significantly affects their ability to travel freely. An investigation by the UK's National Crime Agency (NCA), in collaboration with US, Spanish, French, and Moldovan authorities, led to the discovery and the arrests. These schemes have enabled some of the world's most dangerous criminals to evade law enforcement and travel internationally. Over 70,000 individuals are currently listed in the INTERPOL Red Notice system, but only a small number were involved in these corrupt activities. INTERPOL maintains confidence in its monitoring systems while recognizing the serious nature of any misuse. The ongoing joint international investigation emphasizes the importance of global cooperation in combating corruption and cybercrime.
2024-06-05 11:22:47 | thehackernews | NATION STATE ACTIVITY | Chinese Cyber Espionage Operation Targets Southeast Asian Government
A Southeast Asian government organization was targeted by a sophisticated Chinese state-sponsored cyber espionage campaign named Crimson Palace. The operation aimed to infiltrate network systems to gather military and technical data serving China's strategic interests. Sophos identified the use of complex malware tools, including PocoProxy, EAGERBEE, and others, for maintaining control over the infiltrated networks. Evasion tactics were notably sophisticated, including DLL side-loading and abuse of antivirus software to avoid detection. The campaign involved multiple clusters with specific roles, from server mapping and account enumeration to persistent access and lateral movement within networks. Researchers link the campaign's heightened activity to ongoing territorial disputes in the South China Sea, possibly implicating the Philippines as the target. Continuous advances in malware and attack techniques highlight the need for stronger cybersecurity measures in government and critical infrastructure sectors.
2024-06-05 11:02:13 | thehackernews | DATA BREACH | SaaS Threat Predictions and Solutions for 2024 Detailed
Wing Security's report on SaaS security threats for 2024 has proved accurate on several of its predictions by mid-year. The increasing frequency of SaaS breaches emphasizes the need for timely threat intelligence and stronger security measures. Shadow AI usage has raised significant data security concerns because of unauthorized training of AI models on user data. A major cloud storage service breach in April 2024 exposed user credentials and essential integration data, highlighting the complexity of securing SaaS supply chains. A major healthcare provider was compromised in February 2024 through stolen login credentials, underscoring the ongoing role of compromised credentials in breaches. The emergence of "Tycoon 2FA", a phishing kit capable of bypassing MFA, signals the evolving sophistication of attacks aimed at undermining multi-factor authentication. Interconnected threats were illustrated by a May 2025 incident at a fintech firm, demonstrating the complexity and cross-domain nature of current cyber threats. Automated SaaS Security Posture Management (SSPM) has become crucial for effectively addressing and mitigating these diverse and sophisticated threats.
2024-06-05 10:16:17 | thehackernews | MALWARE | Knight Ransomware Evolution Spawns Global RansomHub Attacks
The RansomHub ransomware, confirmed to be a rebranded version of the Knight (Cyclops 2.0) ransomware, targets several global industries, including healthcare. First detected in May 2023, Knight ransomware used double extortion tactics, stealing and encrypting victims' data to force ransom payments. RansomHub, which emerged after the sale of Knight's source code in February 2024, avoids targeting entities in specific regions, including CIS countries, Cuba, North Korea, and China. Initial access methods for RansomHub include exploiting known vulnerabilities, such as ZeroLogon, and deploying remote desktop software such as Atera and Splashtop before launching the ransomware. Knight and RansomHub share significant similarities in code, ransom notes, and functionality, with minor differences in the command execution sequence. Industry reports from Symantec and Google-owned Mandiant highlight an increase in ransomware activity in 2023 and the recruitment of affiliates from other compromised networks. Legitimate remote desktop tools are increasingly used in ransomware attacks, reflecting a shift in tactics to evade detection and streamline operations.