Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-30 20:34:41 | bleepingcomputer | DATA BREACH | Massive Ticketmaster Data Breach: 560 Million Customers Affected | ShinyHunters, a known threat group, is allegedly selling data from 560 million Ticketmaster customers for $500,000 on hacking forums. The data purportedly includes personal and financial details such as names, addresses, phone numbers, hashed credit card numbers, and transaction histories from 2012-2024. The breach potentially exposed 1.3TB of data including ticket sales, event information, and full financial transactions. ShinyHunters claimed the data might have been extracted from Ticketmaster's AWS instances via a Managed Service Provider pivot. Ticketmaster has not confirmed the breach and has not responded to inquiries; the FBI has also not commented on the investigation. The U.S. Department of Justice and attorneys general recently sued Ticketmaster's parent company for anti-competitive practices. A class action lawsuit has been filed against Ticketmaster over the breach, seeking damages and credit-monitoring services for affected U.S. residents. Ticketmaster previously faced legal action and fines for data breaches and unauthorized access to competitor systems. | Details |
| 2024-05-30 18:57:39 | bleepingcomputer | MALWARE | Botnet 'Pumpkin Eclipse' Disables 600,000 Routers in Targeted Attack | Black Lotus Labs identified that a malware botnet named 'Pumpkin Eclipse' bricked 600,000 routers across the Midwest, specifically targeting a single ISP. The attack occurred over a 72-hour period from October 25 to October 27, 2023, necessitating hardware replacements for all affected devices. Affected router models included ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380, indicating a model-specific attack vector. Initial malware infiltration tactics are unclear; possibilities include the exploitation of zero-day vulnerabilities or weak credentials. The primary malware payload, Chalubo, operates directly from memory and uses ChaCha20 encryption to secure its communications with control servers. Despite the malware's DDoS capabilities, no DDoS attacks were observed during this incident. The specificity of the attack to one ISP's ASN and particular router models suggests a deliberately targeted and possibly purchased attack. This incident is one of few where a botnet was specifically commanded to render its host systems inoperable, highlighting a shift in cyberattack strategies toward more destructive outcomes. | Details |
| 2024-05-30 18:01:24 | theregister | MALWARE | Europol's Major Crackdown on Malware Networks, More Actions Promised | Europol initiated Operation Endgame, targeting malware distribution networks like IcedID and Bumblebee, marking the largest ever botnet-centric law enforcement operation. In its first phase, the international task force coordinated raids and digital takedowns across Europe, the US, and the UK. Law enforcement arrested four individuals, searched 16 locations, seized over 100 servers, and took down more than 2,000 domains involved in cybercrime. The arrested suspects had reportedly earned at least €69 million in cryptocurrency from renting their botnet infrastructure for ransomware attacks. German authorities added eight individuals to the EU's most wanted list for involvement in the cybercrime addressed by Operation Endgame. The operation's impact overlaps with a separate US Department of Justice operation that dismantled the 911 S5 botnet, described as possibly the largest botnet, leading to significant seizures and an arrest. Europol has promised that Operation Endgame is just the start of ongoing efforts to combat malware distribution and cybercrime, with further actions and updates to be announced on its new dedicated website. | Details |
| 2024-05-30 17:50:37 | thehackernews | NATION STATE ACTIVITY | CISA Urges Patch of Actively Exploited Linux Kernel Vulnerability | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has observed active exploitation of a critical flaw in the Linux kernel, tracked as CVE-2024-1086. This high-severity vulnerability in the netfilter component allows attackers to escalate privileges from a regular user to root, extending their ability to execute arbitrary code. The vulnerability, specifically a use-after-free bug, was reportedly patched in January 2024. Additionally, a new vulnerability in Check Point network gateway security products (CVE-2024-24919) has been identified and added to the KEV catalog, and also poses significant risk. Federal agencies have been directed to apply the latest security patches by June 20, 2024, to mitigate these and other potential threats. Details regarding the nature of the attacks exploiting the Linux kernel flaw remain unspecified at this time. | Details |
| 2024-05-30 16:38:41 | thehackernews | NATION STATE ACTIVITY | Russia-Aligned FlyingYeti Targets Ukrainian Military with COOKBOX Malware | Cloudflare disrupted a phishing campaign by Russia-aligned FlyingYeti targeting Ukraine, exploiting WinRAR vulnerabilities to deliver COOKBOX malware. The campaign used debt-themed email lures, urging victims to download manipulated files allegedly related to utility debts, which led to malware infection. FlyingYeti, tracked by CERT-UA as UAC-0149, has previously used similar tactics, infecting systems via malicious attachments sent through Signal messaging. This specific operation used GitHub and Cloudflare Workers for payload hosting and command and control, showing sophisticated use of cloud platforms for malware deployment. Upon activation, the malware establishes persistence on the infected device and awaits further commands from an attacker-controlled dynamic DNS domain. Recent alerts from CERT-UA also highlight increased phishing activity from another group, UAC-0006, focusing on financial sectors in Europe and the U.S. and deploying different types of malware. Concurrent reports indicate that Russian APT groups are escalating their cyber espionage activity, using advanced spear-phishing tactics to steal data and credentials. | Details |
| 2024-05-30 15:47:31 | bleepingcomputer | DATA BREACH | Everbridge Announces Data Breach Following Phishing Attack | Everbridge, a crisis management software provider, disclosed a breach affecting business and user data after attackers infiltrated its corporate systems. The attackers gained access by using information from a previous phishing attack on Everbridge employees. No evidence suggests a ransomware component to the attack; the focus remains on the illicit access to files containing administrative and other user data. Affected data includes contact details, Everbridge service subscriptions, and access configurations for over 6,500 clients globally, including the U.S. Army and major international airports and governments. Representatives from Everbridge emphasized the ongoing investigation and collaboration with law enforcement and the incident response firms Mandiant and Stroz Friedberg to mitigate and understand the full scope of the incident. In response to the attack, Everbridge is expediting the enforcement of multi-factor authentication (MFA) for all user accounts by June 3, 2024, and strongly recommends enabling Single Sign-On (SSO) for enhanced security. The company has communicated directly with account administrators about potential phishing threats and steps for increased security measures. | Details |
| 2024-05-30 15:31:55 | thehackernews | NATION STATE ACTIVITY | LilacSquid Cyber Espionage Campaign Targets Global Sectors | LilacSquid, an elusive cyber-espionage group, has conducted targeted attacks in the IT, energy, and pharmaceutical sectors across the U.S., Europe, and Asia since at least 2021. Cisco Talos has identified that these attacks aim to establish prolonged access to victim networks, allowing ongoing data exfiltration to attacker-controlled servers. Attack vectors include exploiting known vulnerabilities in internet-facing servers or using compromised Remote Desktop Protocol (RDP) credentials. The campaign uses a mix of open-source tools and sophisticated malware, notably a custom version of the remote access tool Quasar RAT, renamed PurpleInk. PurpleInk enables file manipulation, system monitoring, and remote command execution; it has been actively maintained and updated by LilacSquid. Two methods were observed for initial deployment: pushing a .NET-based loader called InkLoader through RDP, or deploying MeshAgent, an open-source remote management tool. Notably, the campaign's use of MeshAgent and several other tactics overlap with those used by North Korean APT groups such as Andariel, which is associated with the Lazarus Group. Cisco Talos also noted the use of Secure Socket Funneling (SSF) by LilacSquid to maintain secondary access channels back to its command and control infrastructure. | Details |
| 2024-05-30 15:06:01 | bleepingcomputer | DATA BREACH | Cooler Master Hit by Data Breach, Over 500,000 Customers Affected | Cooler Master confirmed a significant data breach on May 19, compromising customers' personal information. Hackers infiltrated Cooler Master's Fanzone website on May 18, downloading 103 GB of sensitive data including over 500,000 customer records. Stolen data included names, email addresses, home addresses, phone numbers, birth dates, and details of customer service interactions. A hacker going by 'Ghostr' claimed responsibility, also hinting at possessing partial credit card details, although these were not verified in the exposed samples. BleepingComputer validated the breach by confirming leaked details with several affected customers. Cooler Master has engaged security experts to fortify its systems and has notified law enforcement and customers regarding the breach. Cooler Master is actively advising impacted users, suggesting vigilance against potential phishing and social engineering attacks. | Details |
| 2024-05-30 14:29:43 | thehackernews | MALWARE | RedTail Malware Exploits Firewalls for Crypto Mining | The RedTail crypto-mining malware has started exploiting a recent security vulnerability in Palo Alto Networks firewalls, a PAN-OS flaw tracked as CVE-2024-3400, which allows code execution with root access. Updates to RedTail include new anti-analysis methods and the use of private crypto-mining pools to increase control over mining efforts, despite higher costs. The malware downloads a specialized payload after exploiting firewall vulnerabilities, automatically adjusting to the target's CPU architecture. Besides Palo Alto Networks, RedTail exploits vulnerabilities in systems such as TP-Link routers, ThinkPHP, Ivanti, and VMware, showing a wide targeting scope. This version introduces encrypted mining configurations and omits direct cryptocurrency wallets, suggesting a shift to private pool mining for increased secrecy of earnings. Advanced evasion techniques in the latest RedTail variant involve process forking to avoid detection and killing any instance of debugging tools such as the GNU Debugger. Akamai suggests the heightened complexity and investment in RedTail might imply the involvement of a nation-state actor, given the sophistication and resources required. | Details |
| 2024-05-30 14:08:59 | theregister | DATA BREACH | BBC Pension Scheme Data Theft Affects Over 25,000 Members | More than 25,000 current and former BBC employees were impacted by unauthorized access to a pension scheme database. Personal data including names, national insurance numbers, and addresses were stolen; no financial details or login credentials were taken. The incident was detected on May 21; the security team engaged external expertise to investigate and secure the affected database. All affected members were offered two years of credit monitoring services via Experian to protect against potential identity theft. The BBC has reported the breach to the Information Commissioner's Office and the Pensions Regulator and is implementing additional security precautions. This breach marks the second significant data security incident at the BBC within a year, following a previous issue involving a third-party payroll service provider. The BBC advises affected individuals to remain vigilant for any unusual activity following the incident. | Details |
| 2024-05-30 14:03:37 | bleepingcomputer | DATA BREACH | BBC Reports Data Breach Affecting 25,000 Pension Scheme Members | The BBC disclosed a security incident on May 21 involving unauthorized access to pension scheme data of current and former employees. Approximately 25,000 individuals were affected, but critical data such as bank details, financial information, and login credentials were not exposed. The security breach was limited to a cloud-based service; the main pension scheme portal remains secure and operational. Impacted individuals are being notified through their registered email or postal mail, with instructions to remain vigilant but no immediate action required. The UK's Information Commissioner's Office (ICO) and the Pensions Regulator have been notified of the incident. The BBC has apologized for the breach and continues to monitor the situation, with no evidence of misuse of the data so far. An FAQ page and additional resources, including a 24-month credit and web monitoring service by Experian, have been made available to assist affected individuals. | Details |
| 2024-05-30 13:53:10 | thehackernews | CYBERCRIME | Active Exploits in WordPress Plugins Lead to Unauthorized Access | Multiple high-severity vulnerabilities in WordPress plugins are being actively exploited to create rogue administrator accounts and enable follow-on exploitation. The vulnerabilities allow attackers to perform unauthenticated stored cross-site scripting (XSS) attacks due to inadequate input sanitization and output escaping. Attackers inject payloads that link to externally hosted, obfuscated JavaScript files, facilitating unauthorized admin account creation, backdoor insertion, and the setup of tracking scripts. The PHP backdoors and tracking scripts are injected into both plugin and theme files of WordPress sites. Fastly researchers have traced a significant proportion of these attacks to IP addresses in the Netherlands, specifically linked to the Autonomous System (AS) IP Volume Inc. (AS202425). A similar security threat involving rogue admin accounts was previously identified and disclosed by WPScan under CVE-2023-40000. WordPress site owners are advised to review and update their installed plugins, apply the latest security patches, and conduct thorough audits for malware and any suspicious administrator accounts. | Details |
| 2024-05-30 13:02:01 | theregister | CYBERCRIME | IT Specialist's Retaliatory Cyber Harassment of Policeman After Jaywalking Incident | IT worker John Christopher Spatafore was sued for orchestrating an extensive cyber harassment campaign against a police officer who had issued him a jaywalking ticket. The campaign included false police reports, password reset attempts on the officer's accounts, and suspected proximity-based hacking attempts against his home network. Spatafore's role at a healthcare institution implicated him in potential unauthorized access to medical records, leading to increased scrutiny and allegations of sextortion. After his aggressive tactics escalated, Spatafore was arrested, confessed to many of the allegations, and expressed remorse; his criminal charges were dismissed following his successful completion of a mental health diversion program. Spatafore's employer, Community Hospitals of Regional Central California (CHCC), also faces a lawsuit for alleged negligence in failing to prevent his actions sooner and not adequately safeguarding against misuse of its systems. | Details |
| 2024-05-30 12:31:18 | bleepingcomputer | MALWARE | Global Crackdown on Malware Networks Nets 100 Servers, Four Arrests | An international police operation led to the seizure of over 100 servers used in major malware campaigns. Four individuals were arrested in Armenia and Ukraine during the operation, which took place from May 27-29, 2024. The servers supported operations including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC. The infrastructure encompassed more than 2,000 domains spanning Europe and North America. The operation was a collaborative effort of police forces from Germany, the U.S., the U.K., France, Denmark, and the Netherlands, supported by numerous cybersecurity entities. The malware loaders involved were used primarily for dropping more dangerous payloads such as info stealers and ransomware. Suspects were found to have made significant profit, with one earning over €69 million from renting malware infrastructure. Additional details on the suspects and the full scope of the operations are expected to be released soon. | Details |
| 2024-05-30 11:45:15 | thehackernews | MISCELLANEOUS | Guide to Developing an Effective Autonomous SOC Strategy | Security leaders are debating how AI-driven tools can enhance their Security Operations Centers (SOCs) amid a backdrop of hype around generative AI. An autonomous SOC strategy aims to automate the alert triage process from start to finish to minimize human intervention, but not to replace the human workforce entirely. Key processes proposed for automation in SOCs include repetitive, time-intensive tasks that currently cause bottlenecks. The strategy involves integrating various AI and automation tools that can be adapted to different environments, requiring careful selection to ensure compatibility and effectiveness. Real-world examples highlight the implementation of autonomous SOC strategies in different settings, including internal security teams and Managed Detection and Response (MDR) providers. Benefits of employing an autonomous SOC include handling high volumes of alerts, reducing false positives, improving response times, and easing the talent shortage in cybersecurity teams. Intezer, the company behind the Autonomous SOC Platform, targets its services at diverse organizations, from Fortune 500 companies to mid-sized firms and MSSPs, offering AI-powered technology to automate tier 1 SOC processes. | Details |