Flair Data Systems Cybersecurity News Update 6-05-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/05/2024...


Good afternoon! 


Not a lot to report back on this week, as I have been out of pocket while working with some internal teams around our cybersecurity practice and today, I begin sitting in a 2-day class around Privileged Identity with BeyondTrust. 

 

So, let’s jump into this week's cybersecurity news update.... 

 

Checkpoint 0-Day  

 

CVE-2024-24919: Active Exploits target Check Point Security Gateway Zero-Day Information Disclosure flaw 

  • This vulnerability has been seen exploited in the wild; if you are running Check Point VPN, make sure you resolve this as soon as possible 
  • Check Point noted attempts to access vulnerable systems that had old local accounts with unrecommended password-only authentication 
  • Link 2 contains the fixes for the vulnerability that were released by Check Point 

Link (1): https://blog.checkpoint.com/security/enhance-your-vpn-security-posture 

Link (2): https://support.checkpoint.com/results/sk/sk182336 

 

44,000 individuals are affected by the breach of a major U.S. title insurance company 

 

First American Financial Corporation, the 2nd largest title insurance company in the U.S., experienced a data breach in Dec 2023 that affected 44,000 individuals 

  • In December 2023, First American took their systems down to contain the impact of the breach - however, they did not notify the SEC until May 28th (5 months later) once the investigation had concluded 
  • No one has currently been notified of their information being compromised, but First American has stated that they will be providing appropriate notification 
  • The concerning question here is: 1) did it take them 5 months to determine that a data breach actually occurred, or 2) are they playing the rules against the SEC (material incident), as an 8-K is required to be filed within 4 days of that determination? 

Link (1): https://www.bleepingcomputer.com/news/security/first-american-december-data-breach-impacts-44-000-people/ 

 

 

Palo Alto firewalls found with crypto miner being deployed on them 

 

CVE-2024-3400: allows an unauthenticated attacker to execute arbitrary code with root privileges 

  • RedTail is a new cryptocurrency mining malware being used in the wild against Palo Alto firewalls through the above CVE 
  • The vulnerability has been patched in the latest updates from Palo Alto 
  • Palo Alto is not the only one being affected by RedTail: TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954) 
  • This goes back to threat actors' ever-evolving attack techniques to continue to profit in one way or another 

Link (1): https://thehackernews.com/2024/05/redtail-crypto-mining-malware.html 

 

STAAR test DDoS attack 

 

An 18-year-old, Keontra Lamont Kenemore, from Klein ISD is wanted by the police for a cyberattack that disrupted the STAAR testing for thousands of students in the district 

  • The action, electronic access interference, is considered a third-degree felony 
  • These types of attacks are very easy to carry out, given that there are many services on the dark web that provide DDoS-as-a-Service 
  • Due to the interruptions, students had to retake their STAAR testing - affecting over 24k students over two days 

Link (1): https://www.click2houston.com/news/local/2024/05/28/klein-isd-student-accused-of-orchestrating-cyber-attack-that-disrupted-staar-testing/ 

 

Ticketmaster hack affects 560 million customers, third-party denied liability 

 

ShinyHunters, a Pokemon-themed hacker, has claimed responsibility for two high-profile attacks - Ticketmaster and Santander Bank 

  • Two US customers of Ticketmaster have filed claims against Ticketmaster, claiming the company was negligent in protecting their data 
  • Snowflake has denied responsibility for either Ticketmaster or Santander Bank but has confirmed that a demo account for a former Snowflake employee was compromised, which did not contain sensitive data nor was it connected to production or corporate systems 
  • Both Ticketmaster and Santander Bank are claiming their data breaches were through third-party systems, but neither is naming which vendor it is 

Link (1): https://www.informationweek.com/cyber-resilience/-it-wasn-t-me-snowflake-denies-attack-responsibility-admits-hack-of-former-worker 

Link (2): https://www.informationweek.com/cyber-resilience/shinyhunters-strikes-again-group-hacks-santander-bank-ticketmaster-customers-file-suit 

 

HHS changes tack, allows Change Healthcare to file breach notifications for others 

 

The Department of Health and Human Services announced on May 31st that hospitals and health systems affected by the Change Healthcare incident can require UnitedHealth Group to perform the notification process to patients 

  • But to do so, the hospitals and health systems are to contact UnitedHealth directly 

Link (1): https://www.aha.org/news/headline/2024-05-31-hhs-says-hospitals-impacted-change-healthcare-cyberattack-can-delegate-breach-notifications#:~:text=%22Affected%20covered%20entities%20that%20want,be%20performed%20by%20Change%20Healthcare. 

 

3 billion records stolen from background check firm 

 

USDoD, a cyber gang, has put a database of 2.9 billion records of US, Canadian, and British citizens up for sale for $3.5 million 

  • Supposedly the data was obtained from National Public Data, a small information broker out of Florida that offers API lookups to other companies for things like background checks 
  • Interesting finding for this incident is that anyone that performed the Opt-Out option did not have their data in the breach - looks like the process has some benefits! 

Link (1): https://www.theregister.com/2024/06/03/usdod_data_dump/ 

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning from Telecom, Network, Wireless, Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.  We provide trusted cybersecurity services in Fort Worth, TX. and the DFW Metroplex. 


