Alleged Snowflake attacker gets busted by Canadians – politely, we assume

In brief One of the suspected masterminds behind the widespread Snowflake breach has been arrested in Canada – but the saga isn’t over, eh.

Alexander “Connor” Moucka was apprehended last week at the request of the United States, the Canadian Department of Justice told The Register, with his extradition case due to be heard this past week. The outcome of that hearing is unknown. 

Moucka’s arrest, first reported by Bloomberg and 404 Media, is over his purported connection to the compromise of at least 165 Snowflake customers – including names like AT&T, Ticketmaster, and Advance Auto Parts. Snowflake provides data storage and analytics to enterprises around the world, and it’s believed the miscreants were able to steal mountains of data from victims because of a lack of two-factor authentication on accounts. 

A threat actor going by the name ShinyHunters claimed to have stolen more than a terabyte of data from Ticketmaster and put it online for sale. It’s not immediately clear if Moucka – who reportedly went by the handles Judische and Waifu on underground forums – is also ShinyHunters, though he isn’t believed to have acted alone. 

According to threat hunters at Google subsidiary Mandiant – which has tracked Moucka as UNC5537 and been part of the investigation into the breach – one of Moucka’s co-conspirators, John Binns, was reportedly arrested in Turkey earlier this year. Binns was also allegedly behind the 2021 breach of T-Mobile, and is reportedly still being held in a Turkish prison. 

“Moucka has proven to be one of the most consequential threat actors of 2024,” Mandiant declared. “The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.”

It’s not known when Moucka may be extradited, what charges he’s facing, or how long he might end up behind bars if convicted. 

One thing’s for sure: If you go big on a hack, expect people to notice and be on the hunt for the culprit. 

“This arrest serves as a deterrent to cyber criminals and reinforces that their actions have serious consequences,” Mandiant senior threat analyst Austin Larsen told us. 

Critical vulnerabilities: PTZOptics cameras get hit

You’d expect critical security vulnerabilities in a $20 webcam, but not in one that costs just shy of $2,000. Unfortunately for owners of the PTZOptics PT30X-SDI, that’s right where they find themselves. 

Two vulnerabilities in the PT30X-SDI (CVE-2024-8956, CVSS 9.1; CVE-2024-8957, CVSS 9.8) can, when chained together, give a remote, unauthenticated attacker the ability to execute arbitrary OS commands on vulnerable devices. Firmware updates are available – so if you’re not on version 6.3.40 or newer, get patching.

But wait, there’s more! And these are all under active exploit:

  • CVSS 10.0, CVE-2024-51567 – Hosting control dashboard software CyberPanel contains a vulnerability that allows an attacker to bypass authentication and execute arbitrary commands.
  • CVSS 9.8, CVE-2019-16278 – It’s not new, but Nostromo nhttpd up to version 1.9.6 contains a critical directory traversal vulnerability that’s being actively abused, though we know you’ve patched this by now. 
  • CVSS 9.3, CVE-2024-5910 – Palo Alto Networks Expedition network migration tool is missing authentication for a critical function, allowing an attacker to take over an admin account.
  • CVSS ?, CVE-2024-43093 – Google hasn’t given a score for this privilege escalation vulnerability in the Android Framework, but said it could give an attacker access to Android data, obb and sandbox directories and anything nested beneath.

Expect crypto-themed attacks like these to just keep growing

With Bitcoiners and other cryptocurrency advocates celebrating president-elect Donald Trump’s win, expect attacks like this latest macOS-targeting campaign spotted by SentinelLabs to just get more common.

Dubbing the campaign Hidden Risk, SentinelLabs said this week that it believes the suspected North Korea-based hackers targeting crypto-related businesses in this latest campaign are the same ones that have been doing so for some time.

The state-backed miscreants behind Hidden Risk are reportedly using emails containing fake news about crypto trends to con people into opening a malicious application masquerading as a PDF file – not exactly a new tactic, but especially worth pointing out since the US presidential election.

Trump made a number of promises to the crypto industry during his campaign. Those promises have been linked to the Bitcoin price surge this week, with prices above $77,000 as of writing. As the appetite to get in while the getting’s good grows, fraud and cyber crime will likely continue apace – be warned.

Call of Duty hacker gets thousands banned by abusing anti-cheat bug

“I could have done this for years and as long as I target random players and no one famous it would have gone without notice,” a hacker going by Vizor told TechCrunch this week when he revealed the secret he used to get “thousands upon thousands” of Call of Duty players banned from the game.

The exploit Vizor claimed to have used against CoD players who were playing fairly involved a flaw he found in Ricochet – the anti-cheat application that runs when CoD players are in multiplayer mode. According to Vizor, Ricochet uses a list of hard-coded strings to detect known cheats, and sending a target an in-game “whisper” direct message containing one of those strings was enough for Ricochet to ban them immediately.
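The design flaw Vizor describes, modelled as an added toy example (this is not Ricochet's code, and the signature strings, region names and functions are constructed for illustration): a scanner that matches signatures in every buffer, including one filled by another player's message, beside a version that only treats hits in memory the client itself loaded as evidence.

```python
# Toy model of a signature-based anti-cheat false positive (constructed
# example; it does NOT reflect Ricochet's real internals or signatures).
from dataclasses import dataclass, field

# Constructed stand-ins for "hard-coded cheat strings"; the real list is unknown.
CHEAT_SIGNATURES = [b"toy_aimbot_v1", b"toy_wallhack_core"]


@dataclass
class Region:
    name: str
    trusted: bool  # True for code the client loaded; False for buffers holding remote input
    data: bytes


@dataclass
class Player:
    handle: str
    regions: list = field(default_factory=list)


def naive_scan(player):
    """Flag the player if any signature appears anywhere in scanned memory.
    This is the design a chat 'whisper' can weaponize: the string came from
    another player, not from anything the local client is running."""
    for r in player.regions:
        for sig in CHEAT_SIGNATURES:
            if sig in r.data:
                return f"BAN {player.handle}: {sig!r} in {r.name}"
    return None


def hardened_scan(player):
    """Only count hits in regions the client itself produced (loaded code);
    a match in a buffer filled by remote input proves nothing about the player."""
    for r in player.regions:
        if not r.trusted:
            continue
        for sig in CHEAT_SIGNATURES:
            if sig in r.data:
                return f"BAN {player.handle}: {sig!r} in {r.name}"
    return None


def receive_whisper(player, text):
    """Simulate an incoming direct message landing in the player's chat buffer."""
    player.regions.append(Region("chat_buffer", trusted=False, data=text.encode()))


def demo():
    # Constructed honest player: only legitimate game code in memory, then a whisper arrives.
    victim = Player("honest_player", [Region("game.exe", True, b"legit code bytes")])
    receive_whisper(victim, "gg, by the way toy_aimbot_v1 lol")
    return naive_scan(victim), hardened_scan(victim)  # -> (ban string, None)
```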

Luckily for CoD players scared of being trapped in a whisper, Vizor isn’t a threat anymore. 

“The same day I found this, I got myself banned by sending a whisper message on Call of Duty to myself with one of the strings in the message contents,” Vizor told TechCrunch. Oops. 

Navy information warfare commander removed

The US Navy has relieved commander Cayanne McFarlane, commanding officer of the Naval Information Warfare Training Group, of her position on account of a “loss of confidence in her ability to command” – though it won’t say more than that. 

McFarlane, who has served in the Navy for 18 years as an information warfare and electronic warfare officer, was in charge of the San Diego branch of the training group, working on cyber and intelligence warfare.

It’s the second firing in as many days – captain Shawn Bailey, commander of the Naval Ethics and Leadership Center in San Diego, was relieved a day prior. It is unknown if the two dismissals are related. 

Mozi botnet rises from the dead with new identity

The prolific Mozi botnet – once responsible for an estimated 90 percent of malicious IoT traffic globally – vanished late last year in mysterious circumstances, but research from CloudSEK suggests it never really went away.

While tracking the Androxgh0st botnet that emerged in January 2024, CloudSEK threat researchers observed that Androxgh0st wasn’t only targeting web servers – it had the capacity to deploy IoT-focused Mozi payloads as well. 

The Androxgh0st/Mozi hybrid is targeting known vulnerabilities in Laravel, Apache, and PHP, CloudSEK warned, as well as vulnerabilities in Cisco ASA and Atlassian JIRA. It’s also reportedly targeting network gateway devices and WordPress setups – converting compromised systems into nodes for further scanning, exploitation and the like. 

Given the vulnerabilities Androxgh0st relies on are well known, old and have already been patched, we suggest ensuring you read over the full blog post to ensure you’re not at risk – and then patching potential targets ASAP. ®
