Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-03 05:51:37 | theregister | MISCELLANEOUS | Researchers Exploit Autonomous Vehicle Sensors with Simple Materials | A team of university researchers successfully tricked the sensor system of a Baidu autonomous vehicle using rudimentary materials like tinfoil and paint on cardboard.
Their experiments demonstrated that these simple objects could continuously obscure a target vehicle from the autonomous system by manipulating mmWave signals and visual input.
The attack strategy involves using drones or mounting the materials on the front of a vehicle, potentially allowing for covert operations.
This method challenges the security of multi-sensor fusion systems used in autonomous vehicles, which combine Lidar, radar, and camera data to perceive surroundings.
The vulnerability exposed by the researchers points to potential risks in the deployment of autonomous vehicles and the need for robust security measures against low-tech interferences.
The findings were detailed at The 30th Annual International Conference on Mobile Computing and Networking, highlighting the escalating concerns around AV technology security.
Baidu, using the compromised Apollo platform, operates expanding robo-taxi services across China, aiming for profitability in this division by next year despite these challenges. | Details |
| 2024-06-03 03:59:38 | thehackernews | MALWARE | Fake Browser Updates Used to Deploy BitRAT and Lumma Stealer | Cybersecurity firm eSentire reported an increase in malware infections via fake browser updates, distributing BitRAT and Lumma Stealer.
Attackers lure victims to compromised websites that redirect them to fraudulent update pages, initiating automatic malware downloads.
The downloaded ZIP archive contains a JavaScript file that triggers PowerShell scripts to download more malware in PNG image files.
The same .NET-based loader, likely a "malware delivery service", is used for deploying both BitRAT, a comprehensive remote access trojan, and Lumma Stealer, a commodity information stealer.
BitRAT allows attackers to steal data, mine cryptocurrency, and gain remote access, while Lumma Stealer captures information from web browsers and crypto wallets.
Lumma Stealer's popularity has surged due to its high success rate in infiltrating systems and stealing sensitive data without detection.
ReliaQuest identified a new variant of the ClearFake campaign that deceives users into manually executing malicious code under the guise of browser updates.
eSentire highlighted the persistent risk of malware attacks using trusted brands as lures to maximize impact and reach. | Details |
| 2024-06-02 20:57:20 | bleepingcomputer | DATA BREACH | Hugging Face AI Platform Suffers Authentication Secrets Breach | Hugging Face detected unauthorized access to its Spaces platform, compromising authentication tokens.
Hackers potentially accessed authentication secrets of Hugging Face Spaces users, a platform for sharing AI apps.
The company has revoked compromised secrets and advised users to refresh their tokens for enhanced security.
External cybersecurity experts have been consulted to help investigate the breach, with law enforcement being notified.
Changes made after the breach include the removal of org tokens, integration of a Key Management Service, and improvements in token leak detection.
Hugging Face is also moving towards deploying fine-grained access tokens for better control and security of AI models.
The platform's growing popularity has made it a target for threat actors, evidenced by past incidents of malicious AI model exploitation. | Details |
| 2024-06-01 15:22:07 | bleepingcomputer | MALWARE | Kaspersky Launches Free Linux Malware Scanning Tool | Kaspersky has introduced a new tool, KVRT, designed to detect and remove malware on Linux systems for free.
Despite the widespread belief in Linux's inherent security, Kaspersky emphasizes that threats persist, as demonstrated by recent incidents like the XZ Utils backdoor.
KVRT is a standalone scanner, not offering real-time protection but capable of identifying and cleaning various known threats.
The tool quarantines cleaned files in a secure directory and uses a continuously updated virus database, requiring fresh downloads for the latest definitions.
KVRT scans system memory, start-up objects, boot sectors, and all file types, including archives, but only supports 64-bit systems and requires an internet connection.
It has been successfully tested on several major Linux distributions, including Ubuntu and Debian, and offers both GUI and command-line interfaces.
Kaspersky provides full instructions for setting up and running KVRT, although users are cautioned to use the tool at their own risk as its effectiveness and safety are not guaranteed by external testers. | Details |
| 2024-06-01 14:15:46 | bleepingcomputer | MISCELLANEOUS | Google Chrome Set to Implement Ad Blocker Limiting Changes | Google will phase out Manifest V2 extensions in Chrome starting June 3, 2024, potentially weakening ad blocker functionalities.
Warnings for users of V2 extensions will begin appearing on Chrome Beta, Dev, and Canary channels from June 3, 2024, with a gradual phase-out on stable releases.
Enterprises have until June 2025 to transition to Manifest V3 under a special extension policy.
Manifest V3, designed to enhance security and performance of extensions, poses challenges for ad-blockers which need deep browser control.
Popular ad blocker uBlock Origin developed a simplified version, uBO Lite, compliant with Manifest V3, though it may require users to manually update rule sets.
Google states that over 85% of active Chrome extensions, including major ad blockers, now support Manifest V3.
Developers of V2 extensions are encouraged by Google to migrate to V3, with resources and guides provided to facilitate the transition. | Details |
| 2024-06-01 07:38:45 | thehackernews | DATA BREACH | Hugging Face AI Platform Compromised, Users Urged to Update Tokens | Hugging Face, an AI company, reported unauthorized access to its Spaces platform.
Suspicion arose that a subset of platform secrets, including HF tokens, might have been exposed.
The company is revoking affected HF tokens and has started notifying affected users via email.
Users are advised to refresh their security credentials and switch to more secure, fine-grained access tokens.
Investigation is ongoing; neither the number of affected users nor the specifics of the data accessed have been disclosed.
Law enforcement and data protection authorities have been informed about the security breach.
Previous reports from other security firms highlighted potential vulnerabilities in Hugging Face that could allow harmful cross-tenant access and other malicious activities.
The incident highlights growing security risks as the AI sector expands, making AI service providers attractive targets for cyber attacks. | Details |
| 2024-06-01 01:22:18 | bleepingcomputer | DATA BREACH | Ticketmaster Data Breach Exposes 560 Million User Records | Live Nation confirmed Ticketmaster suffered a data breach involving unauthorized access to a third-party cloud database managed by Snowflake.
The breach was identified on May 20, 2024, and disclosed in an SEC filing by Live Nation. Data of over 560 million users was potentially compromised.
A threat actor, identified as Shiny Hunters, advertised the stolen data for sale on the dark web for $500,000, claiming ownership of 1.3TB of user information.
The stolen details include full names, addresses, email contacts, phone numbers, and event-related information tied to Ticketmaster customers.
Investigations revealed that the hack was executed using information-stealing malware to access Snowflake, employing stolen credentials and auth tokens.
Snowflake attributed the breach to inadequate security measures like disabled multi-factor authentication on customer accounts.
Ticketmaster and authorities are taking steps to mitigate risks, including notifying affected users and regulatory bodies, while cooperating with law enforcement.
Competing organizations mentioned in similar breach claims by the threat actor have denied any breaches of their systems, challenging part of the claims. | Details |
| 2024-05-31 23:15:06 | theregister | MISCELLANEOUS | Twitch Replaces Safety Advisory Council with 'Ambassador' Program | Twitch has dismantled its Safety Advisory Council, established in 2020 for enhancing trust and safety, and plans to replace it with a new ambassador-led program.
The council initially included a mix of four industry experts and five Twitch partners and moderators, contributing diverse perspectives on online safety.
The new Twitch ambassadors, totaling 174, are selected for their positive contributions to the Twitch community, though their expertise in online safety policies is unclear.
Twitch, affected by significant layoffs and cost-cutting measures including a retreat from the South Korean market, is transitioning from a formal safety council to a more informal ambassador model.
Despite the transition, Twitch claims it remains committed to partnerships and community safety, expecting ambassadors to bring various experiences and feedback into safety discussions.
Questions about the long-term role, selection process, and compensation for ambassadors remain unanswered, raising concerns regarding the effectiveness of the new structure.
Comparisons are drawn to Twitter's dismantling of its Trust and Safety Council and the subsequent need to hire full-time moderators, pointing to potential future challenges for Twitch. | Details |
| 2024-05-31 21:48:13 | theregister | DATA BREACH | Massive Data Theft Hits Ticketmaster and Santander, Snowflake Denies Fault | Hudson Rock claims massive data theft from Snowflake, affecting Ticketmaster, Santander, and possibly others; data includes personal and financial details.
Snowflake denies breach, suggests theft occurred through individual cloud accounts with stolen credentials, not due to internal vulnerabilities.
ShinyHunters, a cybercriminal group, allegedly selling stolen Ticketmaster and Santander data on underground forums; asking prices up to $2 million.
Ticketmaster data breach confirmed, with over 560 million customer records reportedly stolen; Santander also confirms breach impacting several regions.
Stolen data from Santander includes 30 million account holder details, credit card numbers, and internal files.
Snowflake states theft linked to external cyber threats and misuse of exposed customer credentials, barring any compromise of its systems.
Snowflake acknowledges unauthorized access to a former employee's demo account but insists no sensitive data was compromised.
Snowflake in contact with affected customers and asserts ongoing investigations into suspicious activities across some client accounts. | Details |
| 2024-05-31 21:48:13 | bleepingcomputer | DATA BREACH | Live Nation Confirms Ticketmaster's Massive Data Breach | Live Nation announced a significant data breach at Ticketmaster, involving unauthorized access to a third-party cloud database.
The breach, identified on May 20, 2024, affected primarily data from Ticketmaster L.L.C., a subsidiary of Live Nation.
An investigation with forensic experts was launched immediately after discovering the unauthorized activity.
The exposed data, totaling over 500,000 Ticketmaster users, was subsequently offered for sale on the dark web on May 27, 2024.
Despite the significant number of users affected, Live Nation assesses that the breach will not materially impact its business operations or financial stability.
Live Nation has engaged with law enforcement and regulatory authorities and has been notifying affected users to mitigate further risks. | Details |
| 2024-05-31 21:32:47 | theregister | CYBERCRIME | Senator Demands Investigation into UnitedHealth's Ransomware Breach | U.S. Senator Ron Wyden criticized UnitedHealth Group (UHG) for appointing an "unqualified" Chief Information Security Officer (CISO), which he claims contributed to a major ransomware attack.
Wyden addressed his concerns in an official letter to FTC and SEC chairs, urging a full investigation into UHG's cybersecurity practices and leadership decisions.
The senator highlighted the lack of multi-factor authentication (MFA) on a pivotal remote access server, which enabled the initial attack, suggesting this represented severe negligence.
Wyden stressed that the cybersecurity failures at UHG were systemic and exacerbated by not adhering to established best practices like server segmentation and threat detection mechanisms.
He also noted historical precedents where companies faced sanctions for lesser security failures, urging similar accountability for UHG's executives for their role in the breach.
Although not exclusively blaming the new CISO, Wyden's complaints mainly target UHG's senior leadership, including the CEO and board, for their decision-making and oversight failures.
The call for a regulatory review by Wyden is meant to uncover potential violations of federal laws and to initiate possible sanctions against UHG's top officials responsible for cybersecurity deficiencies. | Details |
| 2024-05-31 21:06:59 | bleepingcomputer | CYBERCRIME | Japanese Exchange Hit by Record $308 Million Bitcoin Theft | DMM Bitcoin announces theft of 4,502.9 BTC, valued at around $308 million, marking the largest crypto heist of 2024.
The unauthorized transaction occurred on May 31, 2024, with the company detecting the leak at approximately 1:26 p.m.
In response to the theft, DMM Bitcoin has restricted several services, including new account registrations and cryptocurrency withdrawals.
The theft method remains undisclosed; however, historical crypto heists have involved breaches into corporate systems or exploitation of digital vulnerabilities.
DMM Bitcoin has committed to fully compensating affected customers by securing replenishment from other group companies.
Cryptocurrency intelligence firm Elliptic reports that the stolen Bitcoin has been dispersed across multiple new wallets, potentially to hide the trail and avoid detection.
This incident ranks as the largest cryptocurrency heist of the year and the eighth-largest of all time. | Details |
| 2024-05-31 19:34:44 | bleepingcomputer | MALWARE | CISA Flags Exploited Linux Kernel Flaw and Urges Patch Application | The U.S. Cybersecurity & Infrastructure Security Agency (CISA) added a significant Linux kernel privilege elevation flaw, CVE-2024-1086, to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation.
Originally detected in the Linux netfilter's nf_tables component, the high-severity flaw involves a use-after-free error introduced in a 2014 commit but disclosed in January 2024.
Attackers exploiting this vulnerability can escalate privileges to root level on affected systems, particularly by using a public proof-of-concept exploit, available since late March 2024 from security researcher 'Notselwyn'.
While many Linux distributions quickly responded with patches, Red Hat delayed its patch release, exposing systems longer to potential attacks.
CISA has mandated federal agencies to update their systems by June 20, 2024, to mitigate the risk, paralleling the deadline for a newly reported CVE impacting VPN devices.
Administrators unable to update immediately are advised to apply specific mitigations to limit exploit risks until patches can be applied. | Details |
| 2024-05-31 19:24:13 | theregister | MALWARE | Global Hunt Intensifies for Emotet Botnet Mastermind "Odd" | The international law enforcement initiative, Operation Endgame, has issued a public plea for information about "Odd," the elusive operator behind the infamous Emotet botnet.
Recent efforts by authorities resulted in multiple arrests and the dismantling of prominent malware operations, but Odd remains at large.
Despite previous successful takedowns of the Emotet infrastructure, the botnet resurfaced using Trickbot infrastructure, indicating ongoing and evolving threats.
Operation Endgame's strategy includes publicizing their investigations in a series-style release, increasing psychological pressure on targets and utilizing familiar cybercriminal tactics against them.
Emotet, originally a banking trojan, evolved into a major botnet facilitating the spread of ransomware and other malware, showcasing the adaptability and scale of cyber threats.
Authorities have some leads on Odd's identity, suggesting he is male and not working alone, but specific details about his current activities and associates remain unclear.
The next major update from Operation Endgame is scheduled for June 5, as part of their ongoing campaign to apprehend cybercriminals and dismantle their networks. | Details |
| 2024-05-31 17:31:43 | bleepingcomputer | DATA BREACH | Snowflake Hacks Linked to Major Corporate Data Breaches | A threat actor claimed responsibility for breaching Santander and Ticketmaster, attributing the attack to compromised Snowflake employee accounts.
Snowflake countered this claim, stating that breaches resulted from customers' poorly secured accounts, not from a compromise of Snowflake's systems or a product vulnerability.
The hacker alleged they accessed accounts of other prominent firms hosted on Snowflake by bypassing authentication safeguards using stolen credentials.
Cybersecurity firm Hudson Rock reported that the same threat actor might have impacted up to 400 companies by exploiting a single set of credentials.
The attacker allegedly attempted to extort Snowflake, demanding $20 million for the return of the stolen data, a demand to which Snowflake did not respond.
After the breaches were discovered, Snowflake issued a security advisory to all customers advising them to implement multi-factor authentication and detailed security measures.
One indicator of compromise was a custom tool called 'RapeFlake', which the attackers used to extract data from Snowflake databases. | Details |