
Vercara’s Open-Source Intelligence (OSINT) Report – May 31 – June 6, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.


Ticketmaster confirms massive breach after stolen data for sale online. 

(TLP: CLEAR) Live Nation has confirmed that Ticketmaster experienced a data breach involving data stolen from a third-party cloud database provider, believed to be Snowflake. The breach was identified on May 20, 2024, and a criminal threat actor began offering the stolen data on the dark web by May 27. The stolen data purportedly includes information on 560 million Ticketmaster users, comprising 1.3TB of customer details and ticket sales information. The threat actor behind the breach, known as ShinyHunters, is attempting to sell the data for $500,000. ShinyHunters claims to have accessed the data by using stolen credentials from a Snowflake employee’s ServiceNow account, which provided access to customer accounts and data. This method was reportedly used to breach other companies as well, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts. However, Progressive and Mitsubishi have denied any breach of their systems. Snowflake attributed the breaches to poorly secured customer accounts lacking multi-factor authentication and provided indicators of compromise (IOCs) to help customers assess if they were affected. The attacks began in mid-April, with data first stolen on May 23. Snowflake did not dispute the threat actor’s claims but had no further comments. Mandiant Consulting has been investigating these incidents and confirmed the use of stolen credentials in the breaches. Despite the significant data exposure, Live Nation does not anticipate a material impact on its operations or financial condition. The company is working with law enforcement and regulatory authorities and has notified affected users. 

(TLP: CLEAR) Comments: The ShinyHunters group is a notorious cybercriminal organization known for its involvement in various high-profile data breaches and for selling stolen data on underground forums. Over the years, ShinyHunters has targeted a wide range of organizations, including technology companies, social media platforms, financial institutions, and healthcare providers, among others. The group gained significant attention for selling large databases of user information, including personal details such as names, email addresses, passwords, and other sensitive data. ShinyHunters has been linked to multiple data breaches and is often involved in selling stolen data for profit, making them a significant concern for cybersecurity professionals and organizations worldwide. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”  

One place to detect phishing, malware droppers, and command-and-control (C2) traffic is the network. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls, used together with a protective DNS solution, can detect this activity as it traverses the network even when the initial infection occurred via physical media or on another network such as a hotel or airport Wi-Fi. Note, however, that the Snowflake intrusions described above did not begin with malware on the victim's network: the actor logged in with valid, previously stolen credentials to customer accounts that had no MFA. Detecting that pattern depends on the SaaS provider's authentication logs (Snowflake's published IOCs are indicators of exactly this kind) and on enforcing MFA, not on network monitoring alone. 
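The audit a Snowflake customer would have wanted to run against its own login history, as an added example that is not Vercara, Snowflake or Mandiant code: it flags successful password-only logins (no second factor) from a client address the user had never logged in from before the attack window, and lists the users who still authenticate without MFA. The record fields are modelled on column names of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; the records themselves, the user names and the IP addresses are constructed for the example.

```python
"""Audit authentication records for the pattern behind the Snowflake customer
breaches: successful password-only logins (no second factor) from a client
address the user had never logged in from before.

Added example, not Vercara, Snowflake or Mandiant code. The record fields are
modelled on column names of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view
(USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR,
IS_SUCCESS, EVENT_TIMESTAMP); the records themselves are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    first_factor: str              # "PASSWORD", "SAML2", "RSA_KEYPAIR", ...
    second_factor: Optional[str]   # "DUO" when MFA was used, None otherwise
    is_success: bool


# Start of the audit window: the source says the attacks began in mid-April 2024.
AUDIT_WINDOW_START = datetime(2024, 4, 15)

# Constructed records: alice has MFA, svc_etl uses key-pair auth, bob is password-only.
SAMPLE_EVENTS: List[LoginEvent] = [
    LoginEvent(datetime(2024, 4, 1, 9, 0), "alice", "203.0.113.10", "PASSWORD", "DUO", True),
    LoginEvent(datetime(2024, 4, 2, 3, 0), "svc_etl", "203.0.113.20", "RSA_KEYPAIR", None, True),
    LoginEvent(datetime(2024, 4, 3, 10, 0), "bob", "203.0.113.30", "PASSWORD", None, True),
    # Inside the window: new IP but MFA present -> not flagged.
    LoginEvent(datetime(2024, 5, 20, 8, 0), "alice", "198.51.100.7", "PASSWORD", "DUO", True),
    # Key-pair auth from the known address -> not flagged.
    LoginEvent(datetime(2024, 5, 21, 3, 0), "svc_etl", "203.0.113.20", "RSA_KEYPAIR", None, True),
    # Password-only from the known address -> weak, but not new.
    LoginEvent(datetime(2024, 5, 22, 10, 0), "bob", "203.0.113.30", "PASSWORD", None, True),
    # Password-only, no MFA, from an address never seen for bob -> flagged.
    LoginEvent(datetime(2024, 5, 23, 2, 15), "bob", "192.0.2.55", "PASSWORD", None, True),
    # Same pattern but the attempt failed -> not flagged here.
    LoginEvent(datetime(2024, 5, 23, 2, 16), "bob", "192.0.2.56", "PASSWORD", None, False),
]


def build_ip_baseline(events: List[LoginEvent], before: datetime) -> Dict[str, Set[str]]:
    """Map each user to the client IPs of their successful logins before `before`."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.is_success and e.event_timestamp < before:
            baseline[e.user_name].add(e.client_ip)
    return baseline


def find_risky_logins(events: List[LoginEvent], window_start: datetime) -> List[Tuple[str, str, datetime]]:
    """Successful password-only logins inside the window from an IP outside the
    user's pre-window baseline, oldest first: the sessions to investigate and
    the accounts whose credentials to rotate."""
    baseline = build_ip_baseline(events, window_start)
    risky = []
    for e in sorted(events, key=lambda ev: ev.event_timestamp):
        if not e.is_success or e.event_timestamp < window_start:
            continue
        if e.first_factor != "PASSWORD" or e.second_factor is not None:
            continue
        if e.client_ip in baseline[e.user_name]:
            continue
        risky.append((e.user_name, e.client_ip, e.event_timestamp))
    return risky


def users_without_mfa(events: List[LoginEvent]) -> Set[str]:
    """Users with at least one successful password login and no second factor:
    the population an MFA-enforcement policy must cover first."""
    return {e.user_name for e in events
            if e.is_success and e.first_factor == "PASSWORD" and e.second_factor is None}


if __name__ == "__main__":
    for user, ip, ts in find_risky_logins(SAMPLE_EVENTS, AUDIT_WINDOW_START):
        print(f"{ts.isoformat()} {user} password-only login from new address {ip}")
    print("password-only users:", sorted(users_without_mfa(SAMPLE_EVENTS)))
```

The baseline is built only from logins before the window so that an attacker's first login cannot whitelist itself; on real data the window start should be the earliest date the provider's IOCs cover, and the flagged addresses should then be compared against the published IOC list.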

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 2 modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers. 

Source: https://www.bleepingcomputer.com/news/security/ticketmaster-confirms-massive-breach-after-stolen-data-for-sale-online/  

ShinyHunters claims Santander breach, selling data for 30M customers. 

(TLP: CLEAR) A threat actor known as ShinyHunters is reportedly selling a massive trove of data from Santander Bank two weeks after the bank disclosed a data breach. The claimed data includes information on 30 million customers and employees, 28 million credit card numbers, and 6 million account numbers and balances, allegedly from Santander’s operations in Chile, Spain, and Uruguay. This contrasts with Santander’s report of 19.5 million customers in those countries. Santander reported a breach involving a third-party provider, affecting data from employees and customers in Chile, Spain, and Uruguay. Despite the breach, they confirmed no other markets were affected. The FBI recently seized BreachForums, operated by ShinyHunters and another actor, Baphomet. Although Baphomet was reportedly arrested, the forum was quickly restored under a new domain. 

(TLP: CLEAR) Comments: ShinyHunters, notorious for previous data breaches, including a recent Ticketmaster breach affecting 560 million people, is also associated with BreachForums, an online community dealing in stolen data. This site has withstood multiple law enforcement takedowns. Data from Santander was first listed on the Russian-speaking Exploit forum before appearing on BreachForums, leading to skepticism about the authenticity of the BreachForums listing. Despite this, ShinyHunters has a history of selling legitimate data breaches, such as the AT&T breach, which the company initially denied but later confirmed. ShinyHunters has previously breached numerous companies, including Wattpad, Tokopedia, Microsoft, BigBasket, Nitro PDF, Pixlr, TeeSpring, Promo.com, and Mathway. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them. 

Source: https://www.bleepingcomputer.com/news/security/shinyhunters-claims-santander-breach-selling-data-for-30m-customers/  

Confluence data center & server flaw allows remote code execution. 

(TLP: CLEAR) Atlassian has disclosed a high-severity vulnerability (CVE-2024-21683, CVSS 8.3) in multiple versions of Confluence Data Center and Server. It allows an authenticated threat actor with specific privileges to execute arbitrary commands on affected systems. The exploit uses the “Add a new language” function in the “Configure Code Macro” section to upload a malicious JavaScript file; that file is evaluated by the “parseLanguage” method of the “RhinoLanguageParser” class, which executes it through the “evaluateString” and “doTopCall” methods of the Rhino JavaScript engine. Because that engine can reach Java classes, the uploaded script can run arbitrary Java code, giving remote code execution on the server. The root cause is insufficient validation of the uploaded file: it is treated as trusted code rather than as data. Affected versions span releases from 7.17.0 to 8.9.0, including several long-term support (LTS) versions. Atlassian has fixed the vulnerability in the latest releases and urges users to upgrade; the patches should be applied promptly to protect against exploitation. 

(TLP: CLEAR) Comments: Malicious actors look for vulnerabilities that let them inject code and gain unauthorized access to a targeted system. Once in, they traverse the file system or escalate privileges to locate sensitive information to exfiltrate, and then sell that data on the dark web for profit. This vulnerability reinforces the requirement to validate user input and file uploads in web applications: an uploaded “definition” that is handed to a script interpreter is code, not data, and whatever that interpreter can reach (here, Java classes exposed through Rhino) becomes the attacker's blast radius. Note also that the flaw requires an authenticated account with specific privileges, so Confluence accounts holding those privileges deserve the same MFA and credential-hygiene controls as the rest of the estate. The  

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Security Top 10 A03:2021 – Injection: “An application is vulnerable to attack when:  

  • “User-supplied data is not validated, filtered, or sanitized by the application.  
  • “Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.  
  • “Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.  
  • “Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.”  

A Web Application Firewall provides a compensating layer of server-side input validation, but it is not a substitute for validation in the application itself: the Confluence flaw is triggered by an authenticated user with the right privileges uploading a file through a legitimate configuration function, which a generic WAF rule set is unlikely to distinguish from normal use. Patch first; use the WAF to block known exploit signatures and to restrict which source addresses can reach the administration paths at all. 
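The design mistake behind the Confluence flaw, shown as an added Python example rather than Atlassian's Java: an uploaded "language definition" that the application executes (here with exec(), standing in for the Rhino engine) beside a loader that parses the same upload as data and validates it against an allowlist of keys and values. The file format, the MARKER environment variable and all three uploads are constructed for the example and are not Confluence's actual language-file format.

```python
"""Two loaders for an uploaded syntax-highlighting "language definition".

Added example, not Atlassian's code. Confluence's code macro handed the uploaded
file to a JavaScript engine (Rhino) that can reach Java classes, so the upload
was effectively executed. The same mistake is reproduced here in Python with
exec(), beside a loader that treats the upload as data and validates it against
an allowlist of keys and values. All uploads below are constructed.
"""
import json
import os
from typing import Any, Dict

ALLOWED_KEYS = {"name", "keywords"}   # the only fields a definition may carry
MAX_UPLOAD_BYTES = 64 * 1024
MARKER = "LANGDEF_EXAMPLE_PWNED"      # env var the constructed payload sets if it runs


class UploadRejected(ValueError):
    """Raised by the hardened loader for anything that is not a valid definition."""


def load_language_unsafe(upload: bytes) -> Dict[str, Any]:
    """Vulnerable analog: the upload is executed to produce the definition, so any
    code it contains runs with the application's privileges (here the Python
    process; in Confluence the JVM, via Rhino)."""
    namespace: Dict[str, Any] = {}
    exec(upload.decode("utf-8"), namespace)  # deliberately unsafe
    return {"name": namespace["name"], "keywords": list(namespace["keywords"])}


def load_language_safe(upload: bytes) -> Dict[str, Any]:
    """Hardened loader: bound the size, decode strictly, parse with a
    non-executing parser, then validate shape and values against an allowlist."""
    if len(upload) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds size limit")
    try:
        data = json.loads(upload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UploadRejected(f"not a language definition: {exc}") from None
    if not isinstance(data, dict) or set(data) != ALLOWED_KEYS:
        raise UploadRejected("unexpected or missing keys")
    name, keywords = data["name"], data["keywords"]
    if not isinstance(name, str) or not name.isidentifier():
        raise UploadRejected("name must be a plain identifier")
    if not isinstance(keywords, list) or not all(
        isinstance(k, str) and k.isidentifier() for k in keywords
    ):
        raise UploadRejected("keywords must be plain identifiers")
    return {"name": name, "keywords": sorted(set(keywords))}


def rejects(upload: bytes) -> bool:
    """True if the hardened loader refuses the upload."""
    try:
        load_language_safe(upload)
    except UploadRejected:
        return True
    return False


# Constructed uploads.
BENIGN_UPLOAD = b'{"name": "toylang", "keywords": ["while", "if", "else", "if"]}'
# Looks like a definition to the unsafe loader, but carries a payload that runs first.
MALICIOUS_UPLOAD = (
    f"import os\nos.environ['{MARKER}'] = '1'\nname = 'toylang'\nkeywords = ['if']\n"
).encode("utf-8")
# Valid JSON, but smuggles an extra field a downstream component might act on.
EXTRA_KEYS_UPLOAD = b'{"name": "toylang", "keywords": ["if"], "onload": "java.lang.Runtime"}'


def demo() -> Dict[str, Any]:
    """Run both loaders over the constructed uploads and report what happened."""
    os.environ.pop(MARKER, None)
    unsafe = load_language_unsafe(MALICIOUS_UPLOAD)
    return {
        "unsafe_returned_definition": unsafe["name"] == "toylang",
        "attacker_code_ran": os.environ.get(MARKER) == "1",
        "safe_keywords": load_language_safe(BENIGN_UPLOAD)["keywords"],
        "safe_rejects_malicious": rejects(MALICIOUS_UPLOAD),
        "safe_rejects_extra_keys": rejects(EXTRA_KEYS_UPLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe loader returns a perfectly good-looking definition, which is why this class of bug survives testing: the payload runs as a side effect and the happy path still works. The safe loader never evaluates the upload and rejects anything outside the allowlist, including well-formed files that carry unexpected fields.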

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats. 

Source: https://cybersecuritynews.com/confluence-data-center-server-flaw/  

Hackers actively exploiting Check Point 0-day flaw. 

(TLP: CLEAR) Cybersecurity experts have discovered a critical zero-day vulnerability (CVE-2024-24919) in Check Point security gateways, which attackers are actively exploiting. The source describes the flaw as allowing remote execution of arbitrary code; Check Point's own advisory classifies it as an information-disclosure vulnerability that lets an unauthenticated attacker read arbitrary files on gateways that have the Remote Access VPN or Mobile Access blades enabled. That is enough for full compromise in practice, because the readable files include local account password hashes and other stored credentials, which attackers have used to log in to the VPN and move laterally. Exploitation began before a fix was available. The Shadowserver Foundation reported attacks leveraging the zero-day against large enterprises and government agencies running Check Point products. Check Point has acknowledged the issue and released a hotfix; it advises customers to apply it, stay vigilant, monitor network traffic for unusual activity, update security policies, and educate employees about recognizing phishing attempts and other common attack vectors. 

To mitigate the risk while the fix is being rolled out, experts recommend: 

  • Applying the hotfix and any workarounds provided by Check Point. 
  • Resetting passwords for local accounts on the gateway and for any LDAP/Active Directory bind account it stores, since the flaw exposes the files that hold them. 
  • Closely monitoring network traffic for signs of unusual activity, including VPN logins from unexpected locations or at unusual hours. 
  • Reviewing and updating security policies. 
  • Training employees on recognizing phishing and other attack vectors. 

This situation underscores the persistent threat of cyberattacks and the need for organizations to be proactive in their cybersecurity efforts, ensuring they apply patches and mitigations promptly to minimize the impact of such vulnerabilities. 

(TLP: CLEAR) Comments:  

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that conclude the system components are not at risk from malware.”  

Using a combination of agent-based and network-based detection, such as a Protective DNS solution, provides overlapping protection: conventional IT assets such as laptops, desktops, and servers get both layers, while non-standard assets such as IoT devices, network appliances, and servers that cannot run anti-malware software still get the network layer. A security gateway like the one affected by this flaw is itself an appliance that cannot host endpoint anti-malware, so its own outbound DNS and traffic should be covered by network-level controls and its logs forwarded for monitoring. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them. 

Source: https://cybersecuritynews.com/hackers-actively-exploiting-0-day/  

Vidar stealer employs advanced tactics to evade defense solutions. 

(TLP: CLEAR) Vidar Stealer is a sophisticated information-stealing malware operating as malware-as-a-service (MaaS), posing significant risks to organizations and individuals. Analyzed by CYFIRMA, it targets a wide range of data, including personal, financial, and application data, using advanced evasion techniques such as code obfuscation and process injection. Vidar Stealer leverages social media platforms for its command-and-control (C2) infrastructure and collaborates with other malware strains to maximize its impact. Sold on the dark web, it highlights the importance of robust cybersecurity measures, vigilant monitoring, and comprehensive security practices to mitigate its threats. 

(TLP: CLEAR) Comments: Cyber criminals adjust their Tactics, Techniques and Procedures (TTPs) to stay ahead of current defensive tooling, and advances in AI/ML give them a cheap, low-effort way to produce new malware variants that evade signature-based detection. Organizations must maintain an accurate asset inventory, including operating-system versions and the last patch applied, and should run risk assessments regularly (at least monthly) to identify exposures and put compensating controls in place. Vidar's use of legitimate social-media platforms to locate its C2 servers is a reminder that domain-level blocking alone is not enough: the platform itself is legitimate and usually cannot be blocked, so detection has to catch the subsequent connection to the actual C2 address, or the anomaly of a non-browser process fetching a profile page. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:  

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.  
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.  
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.  
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR. 
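The layered decision that a protective DNS service makes, as an added example that is not UltraDDR's code: customer allow and block lists matched by domain suffix, a CIDR block list applied to the answer addresses, and category feeds (botnet C2 and software-download sites, the categories the CISA guidance above and the NIST PR.PS-05 item later in this report call for) applied before the answer reaches the endpoint. Every list entry, category feed, domain and IP address below is constructed for the example.

```python
"""Minimal protective-DNS policy evaluator.

Added example, not UltraDDR's code. It models the layered decision this page
describes (customer allow/block lists for FQDNs, domains and CIDR blocks, then
category feeds such as botnet C2 and software-download sites) applied to a
query and its answers before the answer reaches the endpoint. Every list,
category feed and query below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    allow_domains: Set[str] = field(default_factory=set)   # exact name or any subdomain
    block_domains: Set[str] = field(default_factory=set)
    block_networks: List = field(default_factory=list)     # ipaddress network objects
    category_feed: Dict[str, str] = field(default_factory=dict)  # domain -> category
    blocked_categories: Set[str] = field(default_factory=set)


def _suffixes(name: str) -> List[str]:
    """'a.b.example.com' -> ['a.b.example.com', 'b.example.com', 'example.com', 'com']."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def _category_of(name: str, feed: Dict[str, str]) -> Optional[str]:
    """Most specific category-feed entry covering the name, if any."""
    for suffix in _suffixes(name):
        if suffix in feed:
            return feed[suffix]
    return None


def evaluate(policy: Policy, qname: str, answers: List[str]) -> Tuple[str, str]:
    """Return (verdict, reason). Precedence: customer allow list, customer block
    list, blocked answer network, blocked category, default allow."""
    suffixes = _suffixes(qname)
    if any(s in policy.allow_domains for s in suffixes):
        return "allow", "customer allow list"
    if any(s in policy.block_domains for s in suffixes):
        return "block", "customer block list"
    for answer in answers:
        ip = ipaddress.ip_address(answer)
        for net in policy.block_networks:
            if ip in net:
                return "block", f"answer {answer} in blocked network {net}"
    category = _category_of(qname, policy.category_feed)
    if category in policy.blocked_categories:
        return "block", f"category {category}"
    return "allow", "no policy match"


# Constructed policy: one allow-listed corporate zone, one blocked domain, one
# blocked CIDR, and a small category feed with two blocked categories.
POLICY = Policy(
    allow_domains={"corp.example"},
    block_domains={"bad.example"},
    block_networks=[ipaddress.ip_network("192.0.2.0/24")],
    category_feed={
        "c2.example.net": "botnet-c2",
        "downloads.example.org": "software-download",
        "social.example": "social-media",
    },
    blocked_categories={"botnet-c2", "software-download"},
)

# Constructed (qname, answer IPs) pairs as a resolver would see them.
SAMPLE_QUERIES = [
    ("intranet.corp.example", ["10.0.0.5"]),
    ("cdn.bad.example", ["203.0.113.9"]),
    ("update.example.com", ["192.0.2.77"]),
    ("api.c2.example.net", ["198.51.100.3"]),
    ("downloads.example.org", ["198.51.100.4"]),
    ("profile.social.example", ["198.51.100.5"]),
    ("www.example.com", ["93.184.216.34"]),
]


def run_sample() -> Dict[str, Tuple[str, str]]:
    """Evaluate every constructed query against POLICY."""
    return {qname: evaluate(POLICY, qname, answers) for qname, answers in SAMPLE_QUERIES}


if __name__ == "__main__":
    for qname, (verdict, reason) in run_sample().items():
        print(f"{verdict:5} {qname:26} {reason}")
```

Two things the sample is meant to show. First, the allow list wins over everything, so it must stay short and reviewed: an allow-listed domain that is later compromised bypasses every other engine. Second, the social-media query is allowed because that category is not blocked, which is the Vidar situation above: a C2 address published on a legitimate platform's profile page passes domain policy, and the block has to land on the later connection to the real C2 domain or address instead.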

Source: https://cybersecuritynews.com/vidar-stealer-employs-tactics/  

Ransomware rises despite law enforcement takedowns.  

(TLP: CLEAR) In 2023, ransomware activity surged significantly compared to 2022, as reported by Google-owned Mandiant. Despite extensive law enforcement efforts against major ransomware groups like ALPHV/BlackCat, there was a 75% increase in posts on ransomware groups’ data leak sites (DLS), with victims spanning over 110 countries. The third quarter of 2023 saw the highest number of listed victims, nearly 1,400. This rise in ransomware activity, which included over $1 billion in ransom payments, was driven by new entrants, partnerships between groups, and ransomware services offered by actors from disrupted groups. While established ransomware families like ALPHV/BlackCat and LockBit remained prevalent, there was also a notable increase in the diversity of ransomware, with 50 new variants emerging. Additionally, threat actors increasingly used remote management tools, which were involved in 41% of intrusions in 2023, up from 23% in 2022. 

(TLP: CLEAR) Comments: It is assessed that sophisticated cyber-criminal organizations maintain several backup infrastructures that they can pivot to quickly if their primary infrastructure is taken down by law enforcement. Once a group shifts to backup infrastructure, it takes both law enforcement and security professionals to identify the new infrastructure and new Indicators of Compromise (IoCs), which reinforces the need for a defense-in-depth posture that places as many controls as possible between internal networks and the open internet rather than relying on any single IoC feed staying current. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”  

By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users.  This can be done via a protective DNS or forward web proxy solution with website category feeds. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. 

Source: https://www.infosecurity-magazine.com/news/ransomware-rise-2023-mandiant/  

Critical incident declared as ransomware attack disrupts multiple London hospitals. 

(TLP: CLEAR) A ransomware attack on Synnovis, a pathology services provider, has led to the cancellation of operations and the declaration of a critical incident emergency at several major London hospitals. The attack has disrupted pathology services, particularly blood tests for transfusions, affecting hospitals such as Guy’s and St Thomas’ NHS Foundation Trust and Royal Brompton and Harefield hospitals. The impact is significant, with patients being redirected and some appointments canceled. The incident is affecting the entire healthcare system in South East London, creating a strain on resources and potentially leading to further critical incidents. The Department of Health and Social Care, NHS England, and the National Cyber Security Centre are investigating. This attack is part of a broader trend, with 215 ransomware incidents reported in the UK’s health sector since January 2019. Despite efforts to bolster cybersecurity, this incident highlights the persistent vulnerability of healthcare systems to cyberattacks. 

(TLP: CLEAR) Comments: The healthcare industry continues to be a primary target for ransomware attacks because of the volume of sensitive information its systems hold and the pressure an outage puts on patient care. It is assessed that a Russian-based ransomware group was behind this attack and used the Agenda (Qilin) ransomware. Agenda (Qilin) is written in Go (with later variants in Rust), supports multiple encryption modes, and was first observed in the summer of 2022. It is primarily delivered through social engineering such as phishing and spear-phishing emails.  

(TLP: CLEAR) Recommended best practices/regulations: The Health Insurance Portability and Accountability Act (HIPAA) addresses protection from malware and data breaches primarily through the HIPAA Security Rule. This rule establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form (e-PHI). The relevant provisions of the HIPAA Security Rule include: 

  • Security Awareness and Training (§ 164.308(a)(5)): Requires covered entities to implement a security awareness and training program for all workforce members, which includes periodic security updates and training on protecting against malicious software. 
  • Access Control (§ 164.312(a)(1)): Requires policies and procedures to ensure that only authorized individuals have access to e-PHI. This includes implementing technical policies and procedures for electronic information systems that maintain e-PHI to allow access only to those persons or software programs that have been granted access rights. 
  • Transmission Security (§ 164.312(e)(1)): Requires policies and procedures to protect e-PHI when it is transmitted over an electronic communications network. This includes implementing technical security measures to guard against unauthorized access to e-PHI that is being transmitted over a network. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. 

Source: https://therecord.media/london-hospitals-ransomware-attack-critical-incident-declared 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.
