Security Roundup May 2024

Darren Kewley
Technical Director
31 May 2024

May 2024: Snowflake Data Breach Impacts Santander and Ticketmaster, REvil Hacker Fined $16m, Courtroom Software Backdoored, and More!

Snowflake Breach Impacts Santander and Ticketmaster

Snowflake, a leading cloud data storage and analytics provider, is at the centre of a cyber security news storm after reports emerged that a breach linked to its platform had also led to breaches at Ticketmaster and Santander. Some commentators have described it as potentially one of the most significant data breaches to date.

Snowflake says the incident is not the result of a vulnerability or misconfiguration in its platform but a targeted campaign against customer accounts that relied on single-factor password logins without multi-factor authentication (MFA) enabled, using stolen, purchased, or previously breached passwords. In its update on the incident, the company advised customers to enforce MFA, configure network policies that only allow access from trusted locations, and reset and rotate Snowflake credentials. Note that none of these measures helps an account that has already been accessed: suspicious logins still need to be hunted for and affected credentials revoked.
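What those three recommendations look like in practice, as an added example that is not from the original post or from Snowflake's own guidance: Snowflake SQL that audits users still relying on password-only login, hunts login history for password-only sessions from outside expected locations, restricts access with a network policy, and rotates credentials. The user names, policy names and IP ranges are placeholders (the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation addresses standing in for corporate egress ranges); the column names follow the SNOWFLAKE.ACCOUNT_USAGE views as documented and should be checked against your account's current schema.

```sql
-- Added example (not Snowflake's code): hardening an account against
-- credential stuffing. Run as ACCOUNTADMIN. All names and IP ranges are
-- placeholders chosen for illustration.

-- 1. Audit: enabled users that can log in with a password but have no MFA.
--    These are exactly the accounts the campaign described above targeted.
SELECT name, login_name, email, last_success_login, password_last_set_time
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Hunt: successful password-only logins in the last 30 days from outside
--    the expected ranges. ACCOUNT_USAGE views lag live activity by up to ~2 hours.
SELECT event_timestamp, user_name, client_ip,
       reported_client_type, reported_client_version
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  NOT (client_ip LIKE '203.0.113.%' OR client_ip LIKE '198.51.100.%')
ORDER BY event_timestamp DESC;

-- 3. Restrict access to trusted locations with an account-level network policy.
--    Trial it first on a pilot user with ALTER USER ... SET NETWORK_POLICY, and
--    make sure the allowed list covers the admin session applying the change,
--    otherwise you lock yourself out.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Only corporate egress ranges may authenticate';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 4. Credential rotation.
--    Human user: set a temporary password and force a change at next login.
ALTER USER alice SET PASSWORD = '<new-strong-temporary-password>'
                     MUST_CHANGE_PASSWORD = TRUE;

--    Service account: move to key-pair authentication and remove the password
--    entirely, so a leaked or stuffed password is no longer usable at all.
ALTER USER etl_svc SET RSA_PUBLIC_KEY = 'MIIBIjANBgkq...';  -- placeholder PEM body
ALTER USER etl_svc UNSET PASSWORD;

--    Account with suspicious logins from step 2: disable it and abort its
--    running queries while the investigation proceeds.
ALTER USER bob SET DISABLED = TRUE;
ALTER USER bob ABORT ALL QUERIES;

-- 5. Enforce MFA going forward, on accounts where authentication policies are
--    available (check your account's documentation; at the time of the incident
--    MFA still had to be enrolled by each user through the web interface).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Password users must enrol in MFA';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Steps 1 and 2 are read-only and safe to run first; step 2 is the one that tells you whether rotation in step 4 is a precaution or an incident response. Key-pair authentication for service accounts removes the password-only login path that the network policy alone only narrows.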

The incident appears to have been the catalyst for breaches at other organisations, including Ticketmaster. Live Nation, which owns Ticketmaster, confirmed in a filing with US regulators that it had identified unauthorised activity on 20th May. A spokesperson for Ticketmaster told TechCrunch that the breached database was hosted on Snowflake. The administrator of BreachForums claimed to be selling information on 560 million customers, including Ticketmaster customer data such as ticket sales and partial payment card details.

European banking giant Santander was also affected by a breach believed to be linked to the Snowflake campaign. The hacking group ShinyHunters posted an advert on a dark web forum claiming to hold Santander data, including 30 million bank account details, 28 million credit card numbers, 6 million account numbers and balances, and HR information on Santander staff. The bank said it was contacting affected customers but told the BBC that “UK customer data was not affected or lost in the hack”.

Snowflake has published indicators of compromise (IoCs) and hunting guidance for the threat activity on its platform, which customers should run against their own login history.

Ukrainian REvil Hacker Sentenced to 13 Years and Ordered to Pay $16 Million

A Ukrainian man has been sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for carrying out thousands of ransomware attacks and extorting victims. Yaroslav Vasinskyi (aka Rabotnik), 24, and his co-conspirators in the REvil ransomware group carried out over 2,500 ransomware attacks and demanded bitcoin payments totalling more than $700 million.

The co-conspirators demanded ransom payments in bitcoin and laundered their proceeds through cryptocurrency exchangers and mixing services. To increase pressure on victims, Sodinokibi/REvil affiliates publicly leaked victims’ data when they refused to pay.

After being detained in Poland in October 2021, Vasinskyi was extradited to the US in March 2022. Before it went dark in late 2021, REvil was behind several well-publicised attacks, including those on Kaseya and JBS. Vasinskyi earlier pleaded guilty to an 11-count indictment in the Northern District of Texas charging him with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering.

The US Justice Department also said in 2023 that the millions of dollars in ransom payments seized in two connected civil forfeiture cases would be forfeited entirely. Among these are 39.89138522 Bitcoin and $6.1 million in US dollars, linked to alleged ransom payments made by other scheme participants.

Courtroom Recording Software Compromised

The installer for Justice AV Solutions (JAVS), a widely used US courtroom video recording product, was backdoored with malware that gives attackers control of any system on which it is run. JAVS digital recording technology is installed in over 10,000 courtrooms, law offices, correctional facilities, and other organisations worldwide.

JAVS has removed the compromised version from its official website, stating that the malicious fffmpeg.exe component in the trojanised installer (a filename chosen to resemble the legitimate ffmpeg.exe) did not originate from JAVS or any third party associated with JAVS.

On installation and launch, the malware sends system information to its command-and-control (C2) server. It then runs two obfuscated PowerShell scripts to disable Windows Event Tracing (ETW) and bypass the Anti-Malware Scan Interface (AMSI), blinding both logging and script-level antivirus inspection. It subsequently downloads a second payload from the C2 server, which drops Python scripts that harvest credentials saved in the system’s web browsers. The activity has been linked to the RustDoor/GateDoor malware family.

JAVS customers have been advised to reimage any endpoint on which the trojanised installer was run, reinstall the latest clean version, and reset all credentials used on or stored on the affected machines. Because the malware specifically harvests browser-saved passwords, simply uninstalling the software is not sufficient: any account whose credentials were saved in a browser on an affected endpoint should be treated as compromised.

Some of This Month’s Other Vulnerabilities

Microsoft Patch Tuesday

Our partners at CrowdStrike report that Microsoft’s May 2024 Patch Tuesday release includes 61 security updates. Two actively exploited zero-day vulnerabilities, affecting Windows MSHTML (CVE-2024-30040) and the Desktop Window Manager (DWM) Core Library (CVE-2024-30051), and one Critical vulnerability affecting Microsoft SharePoint Server (CVE-2024-30044), were patched.

Check Point Zero-Day Vulnerability

Check Point is the latest network security vendor to disclose a flaw in its products that is being actively exploited in the wild. The advisory for the vulnerability, tracked as CVE-2024-24919, states that “an information disclosure vulnerability exists in Check Point VPN. Successful exploitation of this vulnerability would allow a remote attacker to obtain sensitive information.” The issue affects Internet-facing gateways with the Remote Access VPN or Mobile Access blades enabled.

The vulnerability affects Check Point Quantum Security Gateway and CloudGuard Network versions R81.20, R81.10, R81 and R80.40, and Quantum Spark versions R81.10 and R80.20. The vendor has released hotfixes to address the issue. Since the flaw discloses information from the gateway itself, rotating any local account passwords and stored credentials on affected devices after patching is a sensible precaution.

Fortinet Discloses Yet More Critical RCE Flaws

Critical vulnerabilities have been identified in Fortinet’s FortiSIEM product. The flaws, tracked as CVE-2024-23108 and CVE-2024-23109, were patched and disclosed by Fortinet in February; exploitation allows unauthenticated OS command injection. The development this month is that security researchers at Horizon3.ai have published proof-of-concept exploit code for the flaws, which raises the urgency for any organisation that has not yet applied the February fixes. This disclosure comes in a long line of critical vulnerabilities in the network security vendor’s products in recent years.

Need Advice?

If you need any advice on this issue or any other cyber security subjects, please contact Protos Networks.

Email: [email protected]
Tel: 0333 370 1353