Flair Data Systems Cybersecurity News Update 6-12-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 6/12/2024...


Good afternoon! 


Let's take a moment to reflect on some of the most significant cyber issues we've faced. Remember last year’s MOVEit fiasco? It felt like every day brought news of another data compromise. This year, it seems Snowflake is taking on that role, with more and more organizations reporting data compromises. 


It’s frustrating that many vendors still don't require Multi-Factor Authentication (MFA) by default. Equally concerning is that organizations often don't enable this essential security feature right away. Sure, MFA isn't foolproof: there are methods like session theft, where the threat actor can gain the actual session cookie after someone uses their correct credentials. But enabling MFA complicates things for a threat actor, as they must get creative with their attack vector instead of just spraying passwords at a login portal.


It's essential to ensure your critical applications are secured with MFA. Whether your organization uses platforms like Facebook, X (formerly Twitter), or LinkedIn, make sure MFA is enabled. Compromised accounts can lead to significant reputational damage and can be incredibly challenging to recover. 


Now, let’s dive into this week’s cybersecurity news update... 




LockBit ransomware gang victims get lifeline from FBI 

Following its takedown of LockBit systems, the FBI has been able to obtain more than 7,000 decryption keys

  • Victims of LockBit have been advised to submit a request through the IC3 and the FBI will reach out to assist 

Link (1): https://www.securityweek.com/fbi-says-it-has-7000-lockbit-ransomware-decryption-keys/ 

 

Microsoft resets Recall plans 

Microsoft has announced the release of a new AI feature, Recall, that will allow Copilot+ PCs to take screenshots of the desktop every 5 seconds, and then analyze and parse them to surface relevant information

  • Originally, this was planned to be enabled by default and has since been changed to be disabled by default (opt-in) 
  • Consider that the recorded information may include documents, emails, or messages containing sensitive information
  • Microsoft has also made Windows Hello a requirement to access the data: it is proof that you are actively at the system, which then allows the data to be decrypted (originally, the data was unencrypted at rest in an SQLite database)

Link (1): https://thehackernews.com/2024/06/microsoft-revamps-controversial-ai.html 

 

LastPass says outage caused by bad Chrome extension update 

LastPass experienced a roughly 12-hour outage on June 6th due to a bad update to its Google Chrome extension 

  • This update inadvertently caused load issues on the backend infrastructure - which has since become stable and operational 

Link (1): https://www.bleepingcomputer.com/news/security/lastpass-says-12-hour-outage-caused-by-bad-chrome-extension-update/ 

 

New York Times source code stolen using exposed GitHub token 

The New York Times' internal source code and data were leaked on the 4chan message boards after being stolen from the company's GitHub repo in January this year

  • The released data amounted to 273GB
  • The data included IT documentation, infrastructure tools, and source code 
  • It appears this happened due to a credential exposure for a cloud-based third-party code platform (GitHub) 

Link (1): https://www.bleepingcomputer.com/news/security/new-york-times-source-code-stolen-using-exposed-github-token/ 

 

Mandiant and Snowflake sending out breach notices 

Last week I brought up how a couple of large organizations' data were exposed, and at the same time Snowflake announced that a demo system was compromised

  • Ticketmaster and LendingTree have both confirmed that the stolen data was hosted on Snowflake
  • Mandiant is attributing this attack to UNC5537, and the attacks relied on the use of "stolen credentials"
  • The majority of the stolen credentials used by UNC5537 were "available from historical infostealer infections" going as far back as 2020
  • Pre-incident, Snowflake did not require its customers to use MFA by default or enforce the security features
  • Post-incident, enforcement of MFA on its customers' accounts is currently under development; no timeline has been provided as of yet

Link (1): https://techcrunch.com/2024/06/10/mandiant-hackers-snowflake-stole-significant-volume-data-customers/?guccounter=1

 

Pure Storage hacked via Snowflake workspace 

Pure is another organization that was recently hit by the Snowflake incident 

  • Data exposed included customer names, usernames, and email addresses 
  • Pure has stated they have addressed the security incident, and they are in contact with customers that were in the database 

Link (1): https://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/ 

 

Local government cyber-attacks (Wichita & Cleveland) 

This week, Cleveland City Hall was closed on Monday due to an active investigation of a "cyber incident" affecting some of the city's computer systems

  • The city did state that City and Emergency Services (Department of Public Safety, Department of Port Control, and Department of Public Utilities) were not affected 
  • In early May, the City of Wichita (Kansas) was offline due to a ransomware attack and, after a month, some systems are coming back online
  • The attack took down several online city services (online water bill payments, some city building Wi-Fi, electronic payments, etc.) 

Link (1): https://www.cleveland.com/cityhall/2024/06/cyber-incident-shuts-down-cleveland-city-hall.html 

Link (2): https://www.kansas.com/news/local/article289148999.html 

 

Cyber assistance coming to rural hospitals 

A new initiative from Microsoft, Google, and the White House reduces prices for cybersecurity services

  • Google has stated it will provide endpoint security advice to rural hospitals and nonprofit organizations at no cost and a pool of funding to support software migrations 
  • Microsoft has announced a program that will provide non-profit pricing and other discounts up to 75% for security products used by independent critical access hospitals and rural emergency hospitals 
  • Microsoft has also stated that it will provide free Windows 10 security updates for up to 1 year or free cybersecurity assessments to "evaluate risks and gaps"

Link (1): https://therecord.media/microsoft-google-rural-hospital-cybersecurity 

 

BlackBerry Cylance data up for sale 

A threat actor has put up for sale on the dark web, for a requested $750,000, data that allegedly belongs to customers, partners, and employees of BlackBerry's Cylance cybersecurity unit

  • The data supposedly includes 34 million customer and employee emails, which contain customer emails, personally identifiable information, sales prospects, and user and partner lists
  • BlackBerry is stating that, based on their investigation, the data was obtained through a third-party platform (not core infrastructure of BlackBerry) and appears to be from 2015-2018
  • BlackBerry did not specifically confirm or deny that the data came from Snowflake, but stated they are not a current customer of Snowflake 

Link (1): https://www.securityweek.com/blackberry-cylance-data-offered-for-sale-on-dark-web/ 

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been a part of multiple groups within the IT field spanning Telecom, Network, Wireless, and Infrastructure, eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 



About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.  We provide trusted cybersecurity solutions in Fort Worth, TX. and the DFW Metroplex. 

