In today’s episode, we cover the critical Linux kernel vulnerability CVE-2024-1086, which is being actively exploited, and urge users to patch immediately (https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux-vulnerability-being-actively-exploited/). We also discuss the Ticketmaster data breach claimed by the ShinyHunters group, which may affect 560 million customers and for which the group is demanding £400,000 (https://www.theguardian.com/technology/article/2024/jun/01/live-nation-investigating-data-breach-of-its-us-ticketmaster-unit). Lastly, we look at the potential Snowflake compromise involving stolen customer credentials, with conflicting reports on whether Snowflake itself or only its customers were breached (https://www.helpnetsecurity.com/2024/05/31/snowflake-compromised-data-theft/).
Tags:
Linux, Exploited, Kernel, Vulnerability, CVE, Cybersecurity, CISA, ShinyHunters, Ticketmaster, Cybercrime, Data breach, Cybercriminals, Snowflake, Credentials, Security, Privilege escalation
Search Phrases:
- How to protect against CVE-2024-1086
- Linux kernel vulnerability CVE-2024-1086
- ShinyHunters Ticketmaster data breach
- Snowflake stolen credentials breach
- Cybersecurity measures for Linux vulnerabilities
- Protecting against data breaches in Ticketmaster
- Cybercrime groups targeting big companies
- Escalating privileges in Linux kernel
- Preventing credential-based attacks in Snowflake
- Recent exploits in cybersecurity 2024
Linux vulnerability being actively exploited
https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux-vulnerability-being-actively-exploited/
Flash briefing on the Linux vulnerability being actively exploited:
- Critical Linux Vulnerability Alert:
- The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical Linux kernel vulnerability, CVE-2024-1086, to its Known Exploited Vulnerabilities (KEV) catalog. [Source: Dan Goodin, Ars Technica]
- Severity and Impact:
- CVSS severity score: 7.8 out of 10 (high).
- Affected Linux kernel versions: 5.14 through 6.6.
- The vulnerability allows local privilege escalation: an unprivileged local user can gain root on the system.
- Technical Details:
- It is a use-after-free bug in the nf_tables (netfilter) component of the Linux kernel.
- Use-after-free bugs can lead to code execution or privilege escalation; in this case the outcome is a local root escalation rather than remote code execution.
- The fix landed in the kernel in January 2024, but many systems remain unpatched.
- Exploitation Details:
- A public exploit turns the bug into a "powerful double-free primitive" when the correct code paths are hit.
- From there it achieves arbitrary code execution in the kernel and can drop a universal root shell.
- Action Required:
- CISA requires federal agencies to patch by June 20.
- All affected organizations should update their kernels now.
Engagement Tips:
- Question for Listeners: Have you checked whether your systems are running one of the affected Linux kernel versions?
- Call to Action: Update your systems now to prevent exploitation.
- Feedback Request: Share your experiences with patching critical vulnerabilities on our social media channels.
By keeping these points in mind, you’ll keep your systems secure and stay up to date with the latest cybersecurity threats. Stay safe out there!
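As an added example (this is not code from the Ars Technica article or from any vendor advisory), here is a small Python triage script for a host you are about to patch. It checks the three things that decide exposure to CVE-2024-1086: whether the running kernel's major.minor falls in the 5.14 to 6.6 range named above, whether the nf_tables module is loaded or already blocklisted, and whether unprivileged user namespaces are enabled, which the public exploit relies on to reach nf_tables as a normal user. Two caveats: stable point releases (such as 6.6.15) and distro backports carry the fix while keeping an "affected" major.minor, so a range hit means "check your distro's advisory", not "vulnerable"; and blocklisting nf_tables or restricting user namespaces is an interim mitigation only, not a substitute for the kernel update. The file paths are the standard procfs and modprobe.d locations; the parsing functions take text so they can be exercised on constructed input.

```python
"""Triage helper for CVE-2024-1086, added here as an example; it is not code from the
Ars Technica article or from any vendor advisory. Parsing is separated from file
reads so each check can be exercised on constructed text."""
import re
from pathlib import Path

AFFECTED_LOW = (5, 14)   # range named in the briefing (inclusive)
AFFECTED_HIGH = (6, 6)


def major_minor(release):
    """'6.5.0-28-generic' -> (6, 5); '6.8-rc2' -> (6, 8)."""
    m = re.match(r"(\d+)\.(\d+)", release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return int(m.group(1)), int(m.group(2))


def in_affected_range(release):
    """True when major.minor lies in [5.14, 6.6]. Caveat: point releases (6.6.15,
    6.1.76, ...) and distro backports carry the fix while keeping an 'affected'
    major.minor, so True means 'check the distro advisory', not 'vulnerable'."""
    return AFFECTED_LOW <= major_minor(release) <= AFFECTED_HIGH


def nf_tables_loaded(proc_modules):
    """Parse /proc/modules text; the module name is the first field of each line."""
    return any(line.split(" ", 1)[0] == "nf_tables"
               for line in proc_modules.splitlines() if line.strip())


# A modprobe.d line such as "install nf_tables /bin/false" or "blacklist nf_tables".
_BLOCKLIST_RE = re.compile(r"^[ \t]*(install|blacklist)[ \t]+nf_tables(?:[ \t]|$)", re.M)


def nf_tables_blocklisted(modprobe_conf):
    """True if the concatenated /etc/modprobe.d/*.conf text blocklists nf_tables."""
    return _BLOCKLIST_RE.search(modprobe_conf) is not None


def unpriv_userns_enabled(userns_clone, max_user_namespaces):
    """Inputs are raw sysctl values (None when the knob does not exist).
    kernel.unprivileged_userns_clone is a Debian/Ubuntu addition; absent means allowed.
    user.max_user_namespaces is upstream; 0 disables namespace creation outright."""
    clone_ok = userns_clone is None or userns_clone.strip() != "0"
    max_ok = max_user_namespaces is None or max_user_namespaces.strip() != "0"
    return clone_ok and max_ok


def _read(path):
    try:
        return Path(path).read_text()
    except OSError:
        return None


def host_report():
    """Run the checks against the live host and return a dict of results."""
    release = (_read("/proc/sys/kernel/osrelease") or "").strip()
    conf_dir = Path("/etc/modprobe.d")
    modprobe = "".join(_read(p) or "" for p in conf_dir.glob("*.conf")) if conf_dir.is_dir() else ""
    return {
        "kernel": release,
        "major_minor_in_affected_range": in_affected_range(release) if release else None,
        "nf_tables_loaded": nf_tables_loaded(_read("/proc/modules") or ""),
        "nf_tables_blocklisted": nf_tables_blocklisted(modprobe),
        "unprivileged_userns_enabled": unpriv_userns_enabled(
            _read("/proc/sys/kernel/unprivileged_userns_clone"),
            _read("/proc/sys/user/max_user_namespaces")),
    }


if __name__ == "__main__":
    for key, value in host_report().items():
        print("%-32s %s" % (key, value))
```

Run it as root or as any user (the files it reads are world-readable). If nf_tables is loaded and not needed on the host, `install nf_tables /bin/false` in a modprobe.d fragment plus a reboot prevents it from loading; if it is needed, the only real fix is the patched kernel.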
Ticketmaster hit by data hack that may affect 560m customers
https://www.theguardian.com/technology/article/2024/jun/01/live-nation-investigating-data-breach-of-its-us-ticketmaster-unit
- Ticketmaster Cyber-Attack: Ticketmaster has suffered a significant data breach, with hackers offering customer data for sale on the dark web. Live Nation, Ticketmaster’s parent company, confirmed the breach and is working with forensic investigators and law enforcement to mitigate the risks. [Source: The Guardian]
Snowflake compromised? Attackers exploit stolen credentials
https://www.helpnetsecurity.com/2024/05/31/snowflake-compromised-data-theft/
- Snowflake Compromise Overview:
- Attackers used stolen customer credentials to access Snowflake accounts, leveraging a tool called "rapeflake".
- Snowflake denies a direct breach of its own platform, attributing the unauthorized access to compromised customer credentials.
- Sources: Help Net Security, Mitiga, Hudson Rock.
- What is Snowflake?
- A cloud-based data storage and analytics platform with around 9,500 customers worldwide.
- Enterprises use Snowflake for data warehousing, hosted on their choice of AWS, Azure, or Google Cloud.
- Key security controls it offers: role-based access control (RBAC), single sign-on (SSO), multi-factor authentication (MFA), and network policies that allowlist client IP addresses.
- Nature of the Attack:
- Threat actor UNC5537 used stolen credentials, connecting through VPNs, and focused on accounts that did not have multi-factor authentication enabled.
- They logged in using credential-stuffing techniques and used Snowflake’s own built-in features to exfiltrate data.
- The attackers aim to extort the affected organizations, offering the stolen data for sale on hacker forums.
- Snowflake’s Response:
- Snowflake observed increased threat activity starting in mid-April 2024, tied to specific IP addresses and suspicious client applications.
- Its investigation found that the unauthorized access stemmed from user credentials exposed in unrelated incidents, not from a compromise of Snowflake itself.
- Snowflake maintains that no vulnerability or misconfiguration in its platform was exploited.
- Conflicting Claims:
- While Snowflake denies a direct breach, Hudson Rock reports that attackers accessed Snowflake’s servers via an infected employee device.
- The attackers claim to have bypassed security measures such as Okta and exfiltrated data, demanding a $20 million ransom.
- Impact on Customers:
- Confirmed data theft from organizations like Ticketmaster and Santander Bank.
- Mass data scraping has reportedly occurred, affecting multiple organizations.
- Steps for Snowflake Admins:
- Use Snowflake’s compiled document of indicators of compromise to identify affected accounts and perform its investigative queries.
- Remediate by disabling suspected user accounts and resetting their credentials.
- Enforce strong controls: ensure SSO and MFA are enabled for all users, and use network policies to restrict access to authorized IP addresses.
- Hunt in Snowflake’s logs through the SNOWFLAKE.ACCOUNT_USAGE schema (for example the LOGIN_HISTORY, SESSIONS and QUERY_HISTORY views) for anomalous logins, unfamiliar client applications and bulk data exports.
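The hunting step above, as an added example in Python (this is illustration code, not Snowflake’s, Mitiga’s or Hudson Rock’s tooling). It runs three rules over rows exported from the ACCOUNT_USAGE views, matching the attack pattern described: successful password-only logins from an IP the user has not used before (LOGIN_HISTORY), sessions from a suspicious client application (SESSIONS; "rapeflake" is the one name the reporting supports, extend the watchlist from Snowflake's indicator document), and queries that unload data to a stage or return very large results (QUERY_HISTORY). The column names are the views' real ones; the sample rows, the 30-day baseline window and the 500 MB result threshold are constructed assumptions.

```python
"""Threat-hunting pass over rows from SNOWFLAKE.ACCOUNT_USAGE (LOGIN_HISTORY, SESSIONS,
QUERY_HISTORY), added here as an example; not Snowflake's own tooling. Column names are
real; sample rows, watchlist and thresholds are constructed for illustration."""
from datetime import datetime, timedelta

SUSPICIOUS_CLIENT_APPS = {"rapeflake"}    # CLIENT_APPLICATION_ID names worth an immediate look
BASELINE_DAYS = 30                        # assumed look-back for "known" user/IP pairs
LARGE_RESULT_BYTES = 500 * 1024 * 1024    # assumed threshold for a suspiciously large result


def password_only_new_ip_logins(login_rows, hunt_from):
    """LOGIN_HISTORY rows -> (user, ip, timestamp) for successful password-only logins
    at/after hunt_from from an IP that user had not used in the prior BASELINE_DAYS.
    Rows before hunt_from only seed the per-user IP baseline."""
    last_seen = {}   # (user, ip) -> timestamp of last successful login
    findings = []
    for r in sorted(login_rows, key=lambda r: r["EVENT_TIMESTAMP"]):
        if r["IS_SUCCESS"] != "YES":
            continue
        key, ts = (r["USER_NAME"], r["CLIENT_IP"]), r["EVENT_TIMESTAMP"]
        password_only = (r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                         and r["SECOND_AUTHENTICATION_FACTOR"] is None)
        prev = last_seen.get(key)
        known_ip = prev is not None and ts - prev <= timedelta(days=BASELINE_DAYS)
        if ts >= hunt_from and password_only and not known_ip:
            findings.append((r["USER_NAME"], r["CLIENT_IP"], ts))
        last_seen[key] = ts
    return findings


def suspicious_sessions(session_rows):
    """SESSIONS rows -> (user, session_id, client_app) where the client name is on the watchlist.
    CLIENT_APPLICATION_ID may carry a version ("SnowSQL 1.2.24"), so compare the first token."""
    return [(r["USER_NAME"], r["SESSION_ID"], r["CLIENT_APPLICATION_ID"])
            for r in session_rows
            if r["CLIENT_APPLICATION_ID"].split(" ")[0].lower() in SUSPICIOUS_CLIENT_APPS]


def bulk_export_queries(query_rows):
    """QUERY_HISTORY rows -> (user, query_id, reason) for unloads to a stage
    (COPY INTO @stage ..., QUERY_TYPE 'UNLOAD') and for very large result sets."""
    findings = []
    for r in query_rows:
        text = r["QUERY_TEXT"].lstrip().upper()
        if r["QUERY_TYPE"] == "UNLOAD" or text.startswith("COPY INTO @"):
            findings.append((r["USER_NAME"], r["QUERY_ID"], "unload_to_stage"))
        elif r["BYTES_WRITTEN_TO_RESULT"] >= LARGE_RESULT_BYTES:
            findings.append((r["USER_NAME"], r["QUERY_ID"], "large_result"))
    return findings


def hunt(login_rows, session_rows, query_rows, hunt_from):
    """Run all three rules and group hits by user so an admin can act per account
    (disable it, reset credentials, review its sessions and queries)."""
    per_user = {}
    for user, *detail in (password_only_new_ip_logins(login_rows, hunt_from)
                          + suspicious_sessions(session_rows)
                          + bulk_export_queries(query_rows)):
        per_user.setdefault(user, []).append(tuple(detail))
    return per_user


# Constructed sample rows (documentation IP ranges; not real account data).
T = datetime
HUNT_FROM = T(2024, 4, 15)
SAMPLE_LOGINS = [
    {"EVENT_TIMESTAMP": T(2024, 4, 1, 9), "USER_NAME": "ALICE", "CLIENT_IP": "203.0.113.5",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": T(2024, 4, 20, 8), "USER_NAME": "ALICE", "CLIENT_IP": "203.0.113.5",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": T(2024, 4, 22, 3), "USER_NAME": "ALICE", "CLIENT_IP": "198.51.100.77",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": T(2024, 4, 22, 4), "USER_NAME": "BOB", "CLIENT_IP": "198.51.100.77",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": T(2024, 4, 23, 1), "USER_NAME": "SVC_ETL", "CLIENT_IP": "192.0.2.10",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
]
SAMPLE_SESSIONS = [
    {"USER_NAME": "ALICE", "SESSION_ID": 1001, "CLIENT_APPLICATION_ID": "rapeflake"},
    {"USER_NAME": "BOB", "SESSION_ID": 1002, "CLIENT_APPLICATION_ID": "SnowSQL 1.2.24"},
]
SAMPLE_QUERIES = [
    {"USER_NAME": "ALICE", "QUERY_ID": "q-1", "QUERY_TYPE": "UNLOAD",
     "QUERY_TEXT": "COPY INTO @ext_stage/dump FROM customers", "BYTES_WRITTEN_TO_RESULT": 0},
    {"USER_NAME": "BOB", "QUERY_ID": "q-2", "QUERY_TYPE": "SELECT",
     "QUERY_TEXT": "SELECT count(*) FROM orders", "BYTES_WRITTEN_TO_RESULT": 64},
    {"USER_NAME": "ALICE", "QUERY_ID": "q-3", "QUERY_TYPE": "SELECT",
     "QUERY_TEXT": "SELECT * FROM customers", "BYTES_WRITTEN_TO_RESULT": 900 * 1024 * 1024},
]

if __name__ == "__main__":
    for user, hits in hunt(SAMPLE_LOGINS, SAMPLE_SESSIONS, SAMPLE_QUERIES, HUNT_FROM).items():
        print(user, hits)
```

In a real account the rows come from querying the three views with a role that has the SNOWFLAKE database's imported privileges (ACCOUNTADMIN by default); note that ACCOUNT_USAGE views lag live activity by up to a couple of hours, so for the most recent logins query INFORMATION_SCHEMA.LOGIN_HISTORY as well. In the sample, only ALICE surfaces: a password-only login from a never-seen IP, a "rapeflake" session, and both an unload to an external stage and a 900 MB result set.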