Flair Data Systems Cybersecurity News Update 7-17-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 7/17/2024... 

Good morning! 

 

Over the past week, it has been quite a whirlwind to say the least. For one, I was part of a podcast by Security Studio CvCISO this past Friday (set to release this coming Friday), and that led to an interesting conversation around the use of terminology. Cybersecurity vs. Information Security was one of the topics, along with the differences between those two terms. At the end of the day, people are using them quite interchangeably, which adds to the confusion. For one, Cybersecurity falls underneath Information Security, yet the industry continues to call them one and the same. This is not something to get worked up about and honestly, I do not see it changing (I had this conversation with someone 5 years ago, and yet we are still having it). 

 

Another enjoyable conversation that occurred in the past week was with a friend about the state of cybersecurity (see, I just did it) and what they should be doing to continue to increase their controls and awareness. One of the biggest areas is education of users, whether it's about how to spot malicious emails/texts/instant messages, why it's important to use longer passwords over simple-to-remember passwords (I am not referring to making them overly complicated - you can use simplicity with length), and lastly making sure users understand the importance of Multifactor Authentication being enabled and why. Yet, if we want to focus on areas we CAN control (because people are not a variable that can be controlled), one of them would be implementing tools that help users create proper passwords effectively. 

 

Are these measures 100% stopping threats? By no means, but they do provide a solid deterrent. 


So, with that, let’s dive into this week’s cybersecurity news update... 


 

Advance Auto Parts reveals damage from Snowflake breach 


This appears to be yet another company affected by the Snowflake incident, which in this case has affected 2.3 million people. 

  • The attacker had access to the environment from April 14 until May 24 
  • Compromised data potentially included names, Social Security numbers, driver’s license or other government issued ID numbers and dates of birth 
  • One thing is for certain, the Snowflake breach has caused a large limelight to be placed on SaaS providers and MFA not being enabled – where does the responsibility lie? On the Customer or the Vendor? Both? 

Link (1): https://www.cybersecuritydive.com/news/advance-auto-parts-snowflake-data-breach/721353/ 


The personal security implications of the AT&T breach, and the laundering of the ransom paid 

AT&T revealed that threat actors gained access to its Snowflake instance and obtained records of customer call and text interactions from May 2022 through Oct 2022. 

  • The data included the phone numbers interacted with, along with call or text counts and call durations – it did NOT include the content of the calls or texts, timestamps, or other sensitive personal information (i.e., customer names – but let’s be honest, correlating a phone number to a name is simple) 
  • AT&T paid roughly $370,000 in bitcoin in May 2024 to prevent the data from getting leaked 
  • The threat actor involved has started taking the bitcoin paid by AT&T and laundering it through cryptocurrency mixing platforms and gambling services 

Link (1): https://www.securityweek.com/att-breach-linked-to-american-hacker-telecom-giant-paid-370k-ransom-reports/ 

Link (2): https://therecord.media/att-ransom-laundered-mixers-research  

 

Patch or Peril: A Veeam Vulnerability Incident 


CVE-2023-27532 was made public in March of 2023, and Veeam has already released patches for it. 

  • The blog linked below is based on the findings from Group-IB, the DFIR team that found this vulnerability and reported it 
  • The Threat Actor, Estate Ransomware, initially accessed the environment through a dormant account to gain VPN access from a FortiGate SSL VPN connection 
  • They then gained persistence through a backdoor (svchost.exe) on the failover server, and conducted lateral movement through RDP 
  • The CVE in question for Veeam was exploited by activation of xp_cmdshell and a rogue user account was created 
  • Using known tools by NirSoft they were able to conduct discovery, enumeration, and credential harvesting (i.e., NetScan, AdFind, and others) 
  • Windows Defender was disabled using DC.exe, which then allowed the threat actor to deploy and execute their ransomware software by using PSExec.exe 
  • Sadly, I have seen these tactics personally within other organizations. The TTPs listed above are not shocking, but they are worrisome because some of them are basics that should already be handled – dormant accounts, blocking certain types of tools (psexec.exe), and monitoring/responding to activity that gains persistence by pivoting to services already running. 

Link (1): https://www.group-ib.com/blog/estate-ransomware/ 
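A defender-side illustration of the three basics called out above (dormant accounts, xp_cmdshell activation, PsExec use), written as an added example for this update rather than code from the Group-IB report. The log lines, field layout, account inventory and 90-day dormancy threshold are all constructed assumptions.

```python
"""Triage constructed log events for the Estate ransomware TTPs summarised above:
a dormant account reactivated for VPN access, xp_cmdshell being switched on,
and a PsExec service install. Log formats are assumptions for this example."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, source, account, message)
EVENTS = [
    ("2024-06-01 09:12:00", "fortigate", "svc_backup", "SSL-VPN tunnel up"),
    ("2024-06-01 09:40:00", "mssql", "sa",
     "Configuration option 'xp_cmdshell' changed from 0 to 1"),
    ("2024-06-01 10:05:00", "windows", "svc_backup", "Service installed: PSEXESVC"),
    ("2024-06-01 10:06:00", "windows", "jdoe", "Logon type 10 from 10.0.5.7"),
]

# Constructed inventory of each account's previous successful logon (assumption)
LAST_LOGON = {
    "svc_backup": "2023-11-20 08:00:00",   # untouched for months: dormant
    "jdoe": "2024-05-31 17:30:00",
    "sa": "2024-05-30 12:00:00",
}

DORMANT_DAYS = 90  # threshold after which an account is treated as dormant


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def triage(events=EVENTS, last_logon=LAST_LOGON, dormant_days=DORMANT_DAYS):
    """Return (finding, account, timestamp) tuples for the three TTPs."""
    findings = []
    for ts, source, account, msg in events:
        when = parse_ts(ts)
        # 1. A dormant account suddenly bringing up a VPN tunnel
        if source == "fortigate" and "tunnel up" in msg:
            prev = last_logon.get(account)
            if prev and when - parse_ts(prev) > timedelta(days=dormant_days):
                findings.append(("dormant_vpn_login", account, ts))
        # 2. xp_cmdshell enabled on SQL Server (used in the Veeam exploitation above)
        if source == "mssql" and "xp_cmdshell" in msg and "to 1" in msg:
            findings.append(("xp_cmdshell_enabled", account, ts))
        # 3. PsExec dropping its remote service (PSEXESVC) on a host
        if source == "windows" and "PSEXESVC" in msg:
            findings.append(("psexec_service", account, ts))
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

The normal interactive logon by jdoe produces no finding, which is the point: each rule keys on one specific basic rather than on volume.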


Palo Alto patches critical vulnerability within Expedition Migration Tool 


The Expedition Migration Tool takes configurations from other vendors' firewalls and converts them into Palo Alto's configuration format, to help speed up migration processes. 

  • CVE-2024-5910 (score of 9.3): missing authentication in the migration tool that could lead to an admin account takeover 
  • This impacts all versions of Expedition prior to version 1.2.92 
  • No evidence of exploitation in the wild, but users are advised to update to the latest version 
  • If unable to patch, the workaround is to restrict access to the tool to authorized users, hosts, or networks 

Link (1): https://thehackernews.com/2024/07/palo-alto-networks-patches-critical.html?m=1 


Rite Aid announces data breach following June cyberattack and updates 

Interesting finding: the “limited” cyber incident reported by Rite Aid has now exposed more than 2 million records of sensitive information. 

  • The attack began on June 6, where a hacker impersonated a company employee to compromise their business account and gain access to certain systems 
  • Unfortunately, this is not the first incident that Rite Aid has faced recently; it reported other incidents to regulators in California in 2015, 2017, and 2018, and is facing lawsuits from a 2023 data breach that exposed PHI 

Link (1): https://therecord.media/rite-aid-data-breach-2-million-people 


CDK Global paid ransom 


To add more color to the CDK Global incident, it has been reported that the company paid a $25 million ransom in bitcoin. 

  • The threat actor’s bitcoin wallet showed a transaction of $25 million (387 bitcoin), but it should be noted that this transaction did not come from CDK Global directly, which is common in these situations 
  • What is interesting, the ransom was paid 2 days after the attack, but even with the decryption keys in hand it does take quite a bit of time to restore the systems and get things back online 

Link (1): https://www.theregister.com/2024/07/12/cdk_ransom_payout/ 


Indiana county files declaration of emergency after ransomware attack (Clay County) 


Clay County, Indiana, filed a local disaster declaration during a cyber incident this month. 

  • This was due to the inability to provide critical services required for the daily operation of all offices of the Clay County Courthouse, Community Corrections, and Clay County Probation 
  • The incident occurred on July 9th and the declaration was issued on July 11th 
  • Clay County is home to roughly 25,000 people in southern Indiana 
  • 911 services were not affected by the incident, but non-emergency lines were disrupted (and since been restored) 

Link (1): https://therecord.media/indiana-county-disaster-declaration-ransomware-attack-dallas 


Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field spanning Telecom, Network, Wireless, and Infrastructure, eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S. We provide trusted cybersecurity services in Dallas, TX, and the DFW Metroplex. 


Check out our last post: Flair Data Systems Cybersecurity News Update 7-10-2024 

