MSP cybersecurity news digest, June 26, 2024

Snowflake attacks hit at least 165 organizations

At least 165 Snowflake customers may have had their information exposed in a data theft and extortion campaign. Recent breaches at Santander, Ticketmaster, QuoteWizard / LendingTree and Advance Auto Parts have all been linked to the ongoing Snowflake attacks; in the Advance Auto Parts case alone, 3 TB of data, including 380 million customer profiles and 44 million loyalty card numbers, was reportedly stolen. Researchers assisting Snowflake with incident response track the activity as UNC5537, a financially motivated threat actor.

UNC5537 systematically compromises Snowflake customer instances using stolen credentials, sells the victim data on cybercrime forums and extorts the victims. Evidence suggests the group operates from North America and collaborates with an additional member in Turkey. Snowflake, a cloud data platform for storing, analyzing and sharing data that serves more than 9,820 customers worldwide, had earlier reported that only a "limited number" of customers were affected, and says it is working closely with customers to strengthen their security measures.

The campaign, which started in April 2024, relies on credentials harvested by info-stealing malware, some of them years old, and succeeds against accounts that have no multi-factor authentication and no network allow-list in front of them; it does not exploit a vulnerability in the Snowflake platform itself. Separately, Pure Storage confirmed that attackers accessed the Snowflake workspace it uses for telemetry, exposing customer names, usernames and email addresses but no sensitive customer data. Pure Storage says it has contained the incident, taken preventive measures and contacted the affected customers, none of whom have reported unusual activity targeting their systems.
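The practical question for a Snowflake tenant after this news is "which of my accounts logged in with a password only, from where, and did one source IP cycle through several of them". The script below is an added example, not part of this digest or of Snowflake's own tooling; it triages login records in the column layout of the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, but the rows it runs on are constructed for the example, and the baseline cutoff date is an assumption you would replace with your own.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like an export of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
# The column names are the view's; every row below is invented for this example.
SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-03-02 09:14:03,ALICE,203.0.113.10,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-03-15 08:51:44,BOB,203.0.113.12,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-03-20 17:02:11,SVC_ETL,203.0.113.20,JDBC_DRIVER,RSA_KEYPAIR,,YES
2024-04-18 02:13:27,ALICE,198.51.100.77,OTHER,PASSWORD,,YES
2024-04-18 02:15:09,BOB,198.51.100.77,OTHER,PASSWORD,,NO
2024-04-18 02:15:31,BOB,198.51.100.77,OTHER,PASSWORD,,YES
2024-04-19 11:40:00,ALICE,203.0.113.10,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
"""

# Assumption: logins before this date form each account's trusted baseline.
BASELINE_CUTOFF = datetime(2024, 4, 1)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_login_history(text):
    """Parse a CSV export into dicts, converting the timestamp column."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["EVENT_TIMESTAMP"] = datetime.strptime(r["EVENT_TIMESTAMP"], TS_FMT)
    return rows


def triage_logins(rows, cutoff=BASELINE_CUTOFF):
    """Return (single_factor_from_new_ip, ips_shared_across_accounts).

    single_factor_from_new_ip: successful password-only logins after the
    cutoff from an IP the account never used during the baseline period.
    ips_shared_across_accounts: source IPs that successfully logged in as
    more than one account after the cutoff, a common credential-stuffing tell.
    """
    baseline_ips = defaultdict(set)
    for r in rows:
        if r["EVENT_TIMESTAMP"] < cutoff and r["IS_SUCCESS"] == "YES":
            baseline_ips[r["USER_NAME"]].add(r["CLIENT_IP"])

    flagged, accounts_per_ip = [], defaultdict(set)
    for r in rows:
        if r["EVENT_TIMESTAMP"] < cutoff or r["IS_SUCCESS"] != "YES":
            continue
        user, ip = r["USER_NAME"], r["CLIENT_IP"]
        accounts_per_ip[ip].add(user)
        password_only = (r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                         and not r["SECOND_AUTHENTICATION_FACTOR"])
        if password_only and ip not in baseline_ips[user]:
            flagged.append((r["EVENT_TIMESTAMP"].strftime(TS_FMT), user, ip,
                            r["REPORTED_CLIENT_TYPE"]))

    shared = sorted(ip for ip, users in accounts_per_ip.items() if len(users) > 1)
    return flagged, shared


def users_without_second_factor(rows):
    """Accounts that have ever logged in successfully with nothing but a password."""
    return sorted({r["USER_NAME"] for r in rows
                   if r["IS_SUCCESS"] == "YES"
                   and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                   and not r["SECOND_AUTHENTICATION_FACTOR"]})


if __name__ == "__main__":
    history = parse_login_history(SAMPLE_LOGIN_HISTORY)
    suspicious, shared_ips = triage_logins(history)
    for entry in suspicious:
        print("password-only login from new IP:", entry)
    print("IPs used by several accounts:", shared_ips)
    print("accounts still usable with a password alone:", users_without_second_factor(history))
```

In production you would pull the view with a query rather than a CSV, and remember that ACCOUNT_USAGE views lag the live account by up to a couple of hours, so a hunt started right after an alert may not yet show the latest logins. The third function is the longer-term fix list: every account it returns is one the stolen-credential playbook above works against until a second factor or a network policy is enforced on it.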

Microsoft Patch Tuesday, June 2024

Microsoft's Patch Tuesday for June 2024 addressed 49 vulnerabilities, only one of which had been publicly disclosed before the patch.

The updates cover Windows and its components, Office, Azure, Dynamics Business Central and Visual Studio, with eight of the bugs reported through the ZDI program. Only one issue was rated "critical"; the remaining 48 were rated "important." The most severe vulnerability, CVE-2024-30080, is a Microsoft Message Queuing (MSMQ) remote code execution flaw with a CVSS score of 9.8 that lets a remote, unauthenticated attacker execute arbitrary code. MSMQ is not enabled by default: a host is exposed only if the Message Queuing service is running and listening on TCP port 1801, which is the quick check to make when deciding how urgently to roll this one out.

Another notable fix is CVE-2024-30078, a remote code execution flaw in the Windows Wi-Fi driver. It requires no authentication but does require the attacker to be within Wi-Fi range of the target system, so laptops that join untrusted wireless networks should be patched first.

New ValleyRAT campaign uncovered

Researchers have identified an updated version of the ValleyRAT malware being distributed in a new campaign.

The latest version introduces new commands, including capturing screenshots, process filtering, forced shutdown and clearing Windows event logs. ValleyRAT had previously been linked to phishing campaigns targeting Chinese-speaking users and Japanese organizations, but has lately been aimed at Spanish-speaking users as well. The malware, attributed to a China-based threat actor, can harvest sensitive information and deploy additional payloads on compromised hosts.

The infection chain is multistage: a downloader fetches and decodes further files and ultimately injects shellcode into legitimate processes to establish persistence and evade security products.

City of Cleveland shuts down IT systems after cyberattack

The City of Cleveland, Ohio, is grappling with a cyberattack that has taken citizen-facing services offline, including those at Erieview and City Hall.

Cleveland is a major economic center in Ohio, and the disruption affected vital sectors including health care, manufacturing and education. The city first disclosed the incident on June 10, saying public services would be limited to essential operations. An update the next day said the attack was still under investigation with third-party experts and that essential services such as 911, police, fire and utilities remained unaffected.

Authorities confirmed that taxpayer and public utility information was not accessed and promised further updates, advising concerned citizens to call 311 for more information.

Warmcookie Windows backdoor pushed via fake job offers

Windows malware named 'Warmcookie' is being distributed through fake job offer phishing campaigns to breach corporate networks.

Researchers found that Warmcookie performs extensive machine fingerprinting, captures screenshots and deploys additional payloads. In the ongoing campaign the threat actors register new domains weekly and send the phishing emails from compromised infrastructure.

The emails, masquerading as job and recruitment offers, redirect users to fake landing pages that prompt them to download a heavily obfuscated JavaScript file. Once executed, the script downloads the Warmcookie DLL, which establishes communication with its command and control server and begins collecting data from the victim's machine.
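Two items in this digest leave fingerprints in ordinary Windows telemetry: the ValleyRAT commands for clearing event logs and forcing a shutdown, and the Warmcookie chain that starts with a script host running a JavaScript file the user just downloaded. The detection below is an added example written for this digest, not code from either malware report or from any vendor. The event IDs, channels and provider names it keys on are the real Windows ones (1102 for a cleared Security log, 104 for any other cleared log, 4688 for process creation, 1074 for a shutdown initiated by a process); the flattened JSON field names, the "trusted shutdown initiator lives under C:\Windows" rule and every event row are this example's own assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry, one flattened JSON event per line. The field
# names (ts, host, channel, event_id, ...) are an assumption of this example,
# not a product schema; the event IDs and provider names are Windows' own.
SAMPLE_EVENTS = r"""
{"ts":"2024-06-20T10:01:02Z","host":"WS01","channel":"Security","provider":"Microsoft-Windows-Security-Auditing","event_id":4624,"user":"CORP\\alice"}
{"ts":"2024-06-20T10:07:45Z","host":"WS01","channel":"Security","provider":"Microsoft-Windows-Security-Auditing","event_id":4688,"user":"CORP\\alice","new_process":"C:\\Windows\\System32\\wevtutil.exe","command_line":"wevtutil.exe cl Security"}
{"ts":"2024-06-20T10:07:46Z","host":"WS01","channel":"Security","provider":"Microsoft-Windows-Eventlog","event_id":1102,"user":"CORP\\alice"}
{"ts":"2024-06-20T10:07:47Z","host":"WS01","channel":"System","provider":"Microsoft-Windows-Eventlog","event_id":104,"user":"CORP\\alice"}
{"ts":"2024-06-20T10:09:00Z","host":"WS01","channel":"System","provider":"User32","event_id":1074,"user":"CORP\\alice","process":"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"}
{"ts":"2024-06-20T23:30:00Z","host":"WS02","channel":"System","provider":"User32","event_id":1074,"user":"NT AUTHORITY\\SYSTEM","process":"C:\\Windows\\System32\\wuauclt.exe"}
{"ts":"2024-06-21T08:12:30Z","host":"WS03","channel":"Security","provider":"Microsoft-Windows-Security-Auditing","event_id":4688,"user":"CORP\\bob","new_process":"C:\\Windows\\System32\\wscript.exe","command_line":"\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\bob\\Downloads\\Job_Offer_Details.js\""}
{"ts":"2024-06-21T08:12:31Z","host":"WS03","channel":"Security","provider":"Microsoft-Windows-Security-Auditing","event_id":4688,"user":"CORP\\bob","new_process":"C:\\Windows\\System32\\cscript.exe","command_line":"cscript.exe C:\\Windows\\System32\\slmgr.vbs /dlv"}
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumption: paths an ordinary user can write to, where a phishing download lands.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")
CLEAR_SIGNALS = {"security_log_cleared", "event_log_cleared", "log_clear_command"}


def _is_log_clear_command(cmd):
    c = cmd.lower()
    return ("wevtutil" in c and (" cl " in c or "clear-log" in c)) or "clear-eventlog" in c


def _is_script_from_user_path(new_process, cmd):
    c = cmd.lower()
    return (new_process.lower().endswith(SCRIPT_HOSTS)
            and re.search(r"\.jse?\b", c) is not None
            and any(p in c for p in USER_WRITABLE))


def detect(lines):
    """Turn raw events into (ts, host, signal, detail) tuples."""
    alerts = []
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        eid, chan = ev["event_id"], ev["channel"]
        cmd, proc = ev.get("command_line", ""), ev.get("process", "")
        if eid == 1102 and chan == "Security":
            alerts.append((ev["ts"], ev["host"], "security_log_cleared", ev["user"]))
        elif eid == 104 and chan == "System":
            alerts.append((ev["ts"], ev["host"], "event_log_cleared", ev["user"]))
        elif eid == 4688 and _is_log_clear_command(cmd):
            alerts.append((ev["ts"], ev["host"], "log_clear_command", cmd))
        elif eid == 4688 and _is_script_from_user_path(ev.get("new_process", ""), cmd):
            alerts.append((ev["ts"], ev["host"], "script_host_ran_user_script", cmd))
        elif eid == 1074 and not proc.lower().startswith("c:\\windows\\"):
            alerts.append((ev["ts"], ev["host"], "shutdown_from_unusual_process", proc))
    return alerts


def hosts_clearing_then_shutting_down(alerts, window=timedelta(minutes=10)):
    """Hosts where an unusual shutdown follows a log-clearing signal within the window."""
    clears, shutdowns = {}, {}
    for ts, host, signal, _ in alerts:
        t = datetime.strptime(ts, TS_FMT)
        if signal in CLEAR_SIGNALS:
            clears.setdefault(host, []).append(t)
        elif signal == "shutdown_from_unusual_process":
            shutdowns.setdefault(host, []).append(t)
    return sorted(h for h in clears
                  if any(timedelta(0) <= (s - c) <= window
                         for c in clears[h] for s in shutdowns.get(h, [])))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("log wipe followed by shutdown on:", hosts_clearing_then_shutting_down(found))
```

Clearing a log through the API rather than wevtutil still produces 1102 or 104, which is why those two IDs are the anchor and the command-line rule is only a bonus; forward them off the endpoint, since a cleared log can only be read from wherever it was copied before the wipe. The script-host rule is deliberately narrow (a .js under a user-writable path) so that legitimate admin scripts under System32, like the slmgr.vbs row, stay quiet.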