Snowflake Breach Snowballs With More Victims

Infosec in brief The descending ball of trouble over at Snowflake keeps growing larger, with more victims – and even one of the alleged intruders – coming forward last week.

We know the list of Snowflake victims is long – at least 165 targets were caught up in the security failure, threat hunters at Mandiant reported recently – including, it’s believed after news broke this week, Australian ticketing provider Ticketek. According to local news sources, Tiketek has contacted customers about an incident that exposed their names, birthdates and email addresses – but hasn’t specified whether it attributes the incident to the Snowflake breach.

Ticketmaster, another major price gouging ticketing firm based in the US, was one of the first identified victims. US car part retailer Advance Auto Parts was also believed to be a Snowflake victim, which the company confirmed last week in a filing with the US Securities and Exchange Commission.

Advance Auto Parts said employee and applicant data, including social security numbers and other government identification infomation, were stolen during the breach.

Most interestingly, a hacker claiming to have been involved in the Snowflake breach told Wired that they and the rest of the ShinyHunters crew obtained access to Snowflake systems by first compromising third parties with which Snowflake did business.

Snowflake has continued to maintain that its systems were not directly penetrated by the cyber criminals – which appears to have been substantiated by the self-reported ShinyHunters member.

ShinyHunters, which recently took control of the notorious BreachForums cyber crime website, said that one of the contractors it broke into was US-based EPAM Systems, a software engineering firm and Snowflake elite partner. The developer has denied its systems were compromised as part of the Snowflake incident.

Snowflake has said that it believes the threat actors who compromised its systems were relying on finding customers who hadn’t enabled multifactor authentication, and is currently in the process of requiring all customers implement MFA and other security controls.

Will CDK cave to ransomware attack?

Car dealerships across the US are still without access to order management and registration software from software house CDK, and it looks like the afflicted biz may be ready to pay up.

Accord to a report, the extortionist behind the crippling of CDK’s systems is asking millions for the keys to fix the afflicted servers and claim CDK is negotiating but willing to pay up. With sales of new cars stalling because of the catastrophe – and the share price of CDK’s owners Brookfield Business Partners down over five percent – it’s not a stretch to believe CDK might pay to make this problem go away.

CDK has an estimated 15,000 dealerships on its books in North America, and they are currently either unable to perform some business processes or reverting to paper and pencil where possible. While it’s tempting to just pay up, the corp would be funding criminals who will, most likely, reinvest the proceeds and look to attack others.

Critical vulnerabilities of the week: Check your Junipers

We start this week with a security update for Juniper Secure Analytics that ought to be installed ASAP. Of the laundry list of issues fixed, several are critical – including five rated a 9.8 out of ten on the CVSS 3.1 scale.

Those include a use-after-free issue that could lead to DoS, RCE or info disclosure “by providing a crafted regular expression” and out-of-bounds read via crafted USB device traffic.

Elsewhere:

  • CVSS 9.3 – CVE-2023-3643: CAREL Boss-Mini local supervisor solution contains a path traversal bug that could be used to manipulate argument paths and disclose information.
  • CVSS 8.7 – Multiple CVEs: Westermo L210-F2G industrial ethernet switches are transmitting plain text credentials and session IDs. They’re also vulnerable to a denial of service triggered by too many incoming packets.
  • CVSS 8.7 – CVE-2019-6268: RAD Data Communications SecFlow-2 devices are vulnerable to path traversal, allowing an attacker to steal files using special requests.

IntelBroker leaks alleged stolen Apple tools

Criminals selling data allegedly stolen from high profile orgs like Europol and the Pentagon have a new high-value offering available: alleged internal tools used by Apple that security researchers claim are actually anything but.

News of the sale by IntelBroker – which is believed to act as a middleman for other cyber criminal gangs – was revealed last week. IT services firm AHCTS purchased the data, finding that “contrary to initial publications, the leaked data does not include internal Apple tools.”

Instead, the data AHCTS was sold included custom integrations for connecting Apple authentication systems to Jira and Confluence for SSO within Apple’s own network – valuable, sure, but nothing as serious as internal Apple tools.

“The leak of the custom plugins developed for Apple’s internal Confluence and Jira instances poses significant cyber security risks, but there is not an actively exploitable threat within the source code,” AHCTS explained. Additionally, “the source code does not include any tools which impact Apple end-user products or services.”

Five guys convicted of running illegal streaming site that pirated pirates

A quintet of American men have been found guilty of criminal copyright infringement for their parts in running illegal streaming site Jetflicks, which reportedly earned them millions.

According to the Department of Justice, the Jetflicks crew operated since 2007 and acquired a massive library of television episodes “larger than the combined catalogs of Netflix, Hulu, Vudu, and Amazon Prime,” by developing “sophisticated computer scripts and software to scour pirate websites for illegal copies of television episodes, which they then downloaded and hosted on Jetflicks.”

FBI Washington field office assistant director in charge, David Sundberg, added that when Jetflicks received copyright complaints it “tried to disguise Jetflicks as an aviation entertainment company” instead of facing its accusers.

Four of the five men involved face up to five years in prison, while the reported ringleader, Kristopher Dallman, faces up to 48. Dallman was found guilty of two counts of money laundering by concealment and three additional counts of misdemeanor criminal copyright infringement. ®

READ MORE HERE