In today’s episode, we delve into the latest cybersecurity incidents, including Cylance confirming old data sold by Sp1d3r for $750,000, ongoing disruptions in the NHS due to a Russian Qilin ransomware attack, and Google’s takedown of coordinated influence campaigns linked to China, Russia, and Indonesia. We also highlight Snowflake account breaches connected to recent data compromises at Advance Auto Parts, Santander, and Ticketmaster. Join us as we explore the implications of these attacks and the latest reports from BleepingComputer, The Guardian, and The Hacker News.
References:
- https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform/
- https://thehackernews.com/2024/06/google-takes-down-influence-campaigns.html
- https://www.theguardian.com/society/article/2024/jun/11/cyber-attack-on-london-hospitals-to-take-many-months-to-resolve
- Thanks to Jered Jones for providing the music for this episode: https://www.jeredjones.com/
- Logo design by https://www.zackgraber.com/
Tags: Sp1d3r, Cylance, Snowflake, UNC5537, Google, YouTube, Blogger, Propaganda, Russian hackers, NHS, Disruption, Mitigate
Search Phrases:
- Notorious hacker Sp1d3r data breach
- Cylance marketing data dark web
- Snowflake cybersecurity vulnerabilities
- UNC5537 Snowflake account security
- Google influence operation crackdown
- YouTube channel shutdown China propaganda
- Blogger blog purge misinformation Russia
- Russian hackers NHS disruption
- NHS cybersecurity breach recovery
- Mitigating hacker impact on NHS
Cylance confirms data breach linked to ‘third-party’ platform
https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform/
Flash Briefing:
- Data Breach Disclosure: Cylance confirmed that data being sold on a hacking forum is legitimate but old, stolen from a third-party platform. The data allegedly includes 34 million customer and employee emails and personally identifiable information. Source: BleepingComputer.
- Threat Actor Activity: A hacker known as Sp1d3r is selling the stolen data for $750,000. Researchers indicated this data seems to be old marketing information. BlackBerry Cylance stated no current customers or sensitive data are impacted. Source: Dark Web Informer.
- Snowflake Links: The same threat actor, Sp1d3r, is also selling 3TB of data from Advance Auto Parts, allegedly breached through a Snowflake account. Other recent breaches at Santander, Ticketmaster, and QuoteWizard also link to Snowflake attacks. Source: BleepingComputer.
- Credential Theft: Attackers used stolen customer credentials to target Snowflake accounts without multi-factor authentication (MFA). Mandiant linked these attacks to a financially motivated threat actor, UNC5537, who has been active since at least 2020. Source: Mandiant.
- Recommendations: Ensure all accounts, particularly those related to third-party platforms, have MFA enabled. Regularly update and rotate credentials, and implement network allow lists to restrict access to trusted locations. Source: CrowdStrike, Mandiant.
- Ongoing Notifications: Snowflake and Mandiant have notified around 165 organizations about potential exposure to these attacks, emphasizing the importance of cybersecurity hygiene and proactive measures. Source: Snowflake.
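The recommendations above (MFA, credential rotation, network allow lists) map onto a handful of Snowflake account controls. The following is an added example written for this episode page, not code from any of the cited reports; it assumes the ACCOUNTADMIN role, uses a placeholder RFC 5737 address range in place of a real corporate egress range, and assumes a Snowflake release that supports authentication policies with MFA_ENROLLMENT.

```sql
-- Added example: hunt for the login pattern described in the episode
-- (password-only logins with no second factor), then apply the controls
-- the briefing recommends. Placeholder IP range; run as ACCOUNTADMIN.

-- 1. Hunt: successful password-only logins in the last 30 days, grouped
--    by user, source IP and client. Unfamiliar IPs or client types here
--    are the first thing to triage.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP BY 1, 2, 3
ORDER BY logins DESC;

-- 2. Credential hygiene: active password users who are not enrolled in
--    MFA or whose password is older than 90 days (rotation candidates).
SELECT name,
       password_last_set_time,
       ext_authn_duo AS mfa_enrolled
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  NOT disabled
  AND  has_password
  AND  (NOT ext_authn_duo
        OR password_last_set_time < DATEADD('day', -90, CURRENT_TIMESTAMP()))
ORDER BY password_last_set_time;

-- 3. Network allow list: only the trusted egress range (placeholder
--    203.0.113.0/24, replace with your own) may reach the account.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Restrict account access to trusted egress IPs';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 4. Require MFA enrollment account-wide (assumes authentication policy
--    support with MFA_ENROLLMENT in your Snowflake release).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'All users must enrol in MFA';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Apply the network policy to a test role or user first; locking the ACCOUNTADMIN session out of its own account is the classic failure mode of step 3.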
Google Takes Down Influence Campaigns Tied to China, Indonesia, and Russia
https://thehackernews.com/2024/06/google-takes-down-influence-campaigns.html
- Google Takes Down Inauthentic Channels: Google dismantled a coordinated influence operation connected to the People’s Republic of China, removing 1,320 YouTube channels and 1,177 Blogger blogs spreading content about China and U.S. foreign affairs. (Source: Google Threat Analysis Group)
- Influence Operations Linked to Indonesia: Google also terminated accounts linked to two influence operations from Indonesia that supported the ruling party, further showcasing the global nature of these coordinated efforts. (Source: Google Threat Analysis Group)
- Russian Influence Network Dismantled: Google removed 378 YouTube channels operated by a Russian consulting firm that spread pro-Russia and anti-Ukraine content, highlighting the ongoing digital battlegrounds. (Source: Google Threat Analysis Group)
- Monetary Motives Behind Fake Content: Financial incentives drove a network linked to individuals from the Philippines and India, spreading English and Norwegian content about food, sports, and lifestyle topics. (Source: Google Threat Analysis Group)
- Global Influence Campaigns: Networks from Pakistan, France, Russia, and Myanmar also faced shutdowns for spreading politically charged and nationalistic content, illustrating the diverse sources of disinformation. (Source: Google Threat Analysis Group)
- Meta and OpenAI Disrupt Tel Aviv-Based Operation: Meta and OpenAI disrupted a Tel Aviv-based influence operation dubbed Storm-1099, which targeted U.S. and Canadian audiences with content regarding the Israel-Hamas conflict. (Source: Meta via CyberScoop)
- Israel’s Ministry of Diaspora Affairs Linked: The New York Times reported Israel’s Ministry of Diaspora Affairs funded the covert influence campaign with around $2 million, marking another instance of state-sponsored disinformation. (Source: The New York Times)
- Microsoft Warns of Russian Disinformation: Microsoft warned of increasing Russian disinformation campaigns targeting the 2024 Summer Olympics in Paris, using AI-generated content to undermine the event and spread fear. (Source: Microsoft Threat Analysis Center)
- Olympics as a Cyber Threat Target: Google-owned Mandiant and Recorded Future identified the Paris Olympics as a high-risk target for cyber threats, including ransomware, espionage, and hacktivist attacks, emphasizing the need for robust cybersecurity measures. (Source: Mandiant and Recorded Future)
Cyber-attack on London hospitals to take ‘many months’ to resolve
https://www.theguardian.com/society/article/2024/jun/11/cyber-attack-on-london-hospitals-to-take-many-months-to-resolve
- Cyber-attack Impact Duration:
  - A senior NHS source warned that the cyber-attack disrupting hospitals and GP surgeries in London may take “many months” to resolve.
  - Key recovery factors: understanding hacker access, affected records, and data retrievability.
- Scope and Perpetrators:
  - Six NHS trusts and numerous GP practices in south-east London, serving 2 million patients, are affected.
  - Russian Qilin gang believed responsible, using ransomware to lock systems and demand money for decryption keys.
- Service Disruptions:
  - Critical incident declared due to inability to perform non-urgent operations, including cancer procedures and planned C-sections.
  - Blood test analysis severely restricted, forcing rationing and cancellation of many medical procedures.
- Recovery Challenges:
  - IT systems encrypted by attackers force victims to rebuild infrastructure, even if decrypted.
  - Former NCSC head, Ciaran Martin, noted that recovery from such attacks often takes weeks or months.
- Mitigation Efforts:
  - NHS London region employs “mutual aid” by redistributing tasks to unaffected trusts to mitigate care delivery impact.
  - Example: Patients with heart issues transferred from affected hospitals to St George’s hospital.
- Leadership Insights:
  - NHS England’s chief executive, Amanda Pritchard, emphasized the vulnerability to international events and the critical, often unseen, role of pathology services.
- Ongoing Threats:
  - Qilin gang typically also steals data, posting it on the dark web for extortion if ransom isn’t paid. No data has been posted yet.