Roblox Vendor Data Breach Affects Developer Conference Attendees
Roblox, the popular online gaming platform, recently revealed a data breach affecting attendees of its Developer Conferences from 2022 to 2024. The breach, attributed to unauthorized access of FNTech’s systems—the vendor managing conference registrations—exposed personal information, including full names, email addresses, and IP addresses of the attendees. This incident, reported on the social media platform X, has been included in the Have I Been Pwned (HIBP) database, revealing that 10,386 unique email addresses were compromised, with 63% being newly exposed. Roblox assured its community that measures are being taken to prevent future breaches. Despite no immediate risk to developers, the exposure heightens the possibility of phishing attacks, a concern for a platform with a vast user base and active economic interactions. This breach follows previous incidents, including a 2023 leak of 4,000 developer accounts and the 2022 SearchBlox malware affecting over 200,000 users.
CloudSorcerer Hackers Exploit Cloud Services to Steal Russian Government Data
A newly identified advanced persistent threat (APT) group, dubbed CloudSorcerer, has been targeting Russian government organizations in sophisticated cyberespionage attacks. Discovered by Kaspersky in May 2024, CloudSorcerer utilizes custom malware leveraging legitimate cloud services for command and control (C2) operations and data storage. This group’s tactics bear similarities to those of CloudWizard APT, though their malware differs significantly, indicating a new threat actor.
CloudSorcerer’s malware, manually executed, adapts its behavior based on the process it infiltrates, such as “mspaint.exe” or “msiexec.exe.” Initial communication involves a GitHub repository, guiding further C2 operations through services like Microsoft Graph, Yandex Cloud, or Dropbox. The backdoor collects extensive system information and supports various commands, including file manipulation and remote process control. Kaspersky highlights the malware’s dynamic adaptation and covert communication as hallmarks of its sophistication. Detection indicators and Yara rules are provided in Kaspersky’s detailed report.
Neiman Marcus Data Breach Exposes 31 Million Email Addresses
In May 2024, luxury retailer Neiman Marcus disclosed a significant data breach that exposed over 31 million customer email addresses. This revelation comes from Have I Been Pwned founder Troy Hunt, who analyzed the compromised data. The breach notification filed with the Office of the Maine Attorney General initially stated that 64,472 individuals were affected. However, Hunt discovered and verified the legitimacy of 30 million unique email addresses within the stolen database.
Neiman Marcus’s incident notification confirmed the exposure of sensitive information, including names, contact details, dates of birth, gift card info, transaction data, partial credit card numbers, Social Security numbers, and employee IDs. The breach is linked to unauthorized access to a cloud database platform provided by Snowflake. The threat actor, known as “Sp1d3r,” initially listed the stolen data for sale on a hacking forum but later removed the post, suggesting potential negotiations with Neiman Marcus. The incident highlights the critical need for robust security measures, such as multi-factor authentication, to protect cloud-based systems.
Hackers Leak 39,000 Print-at-Home Ticketmaster Tickets for 154 Events
In a recent extortion campaign against Ticketmaster, hackers have leaked nearly 39,000 print-at-home tickets for 154 upcoming concerts and events, including major acts like Pearl Jam, Foo Fighters, and Phish. The threat actor, known as ‘Sp1derHunters,’ accessed the tickets through stolen Snowflake account data, impacting at least 165 organizations.
This incident follows a broader pattern of data thefts involving Snowflake accounts, where the hackers initially demanded $500,000 from Ticketmaster to prevent data leaks. Despite Ticketmaster’s assurance that their SafeTix technology renders stolen mobile tickets useless by rotating barcodes, Sp1derHunters countered by releasing print-at-home tickets, which cannot be dynamically refreshed.
Evolve Bank Data Breach Affects 7.6 Million Americans
Evolve Bank & Trust recently disclosed a significant data breach impacting 7.6 million individuals. The breach occurred during a LockBit ransomware attack, initially misrepresented as targeting the U.S. Federal Reserve. Evolve confirmed the data belonged to them after an investigation revealed that, as is often the case with ransomware incidents, an employee clicked a malicious link, granting the attacker unauthorized access to the bank’s database and file shares. This is yet another example of why security awareness training and advice for employees is an important consideration for any business.
While customer funds remained secure, the breach affected several fintech partners, including Affirm, Wise, and Bilt. Evolve has begun notifying affected individuals and is offering two years of credit monitoring and identity protection services. The breach, discovered on May 29, 2024, actually began on February 9, 2024, allowing attackers nearly four months of access.
The types of data exposed have not been specified. Impacted individuals are advised to monitor their accounts and credit histories closely. Evolve’s partners, including Shopify, Stripe, and Mercury, have not yet confirmed if they were affected by this incident.
Chinese APT40 Hackers Hijack SOHO Routers for Cyberespionage
A joint advisory from international cybersecurity agencies warns of the Chinese state-sponsored hacking group APT40, also known as Kryptonite Panda, which has been hijacking small-office/home-office (SOHO) routers to launch cyberespionage attacks. Active since 2011, APT40 targets government and key private entities in the US and Australia. The group exploits vulnerabilities in public-facing infrastructure and networking devices rather than relying on phishing or social engineering.
APT40 swiftly exploits newly disclosed vulnerabilities, including those in Log4J, Atlassian Confluence, and Microsoft Exchange. After breaching systems, they deploy web shells for persistence and use valid credentials captured via Kerberoasting along with Remote Desktop Protocol (RDP) for lateral movement within the network. Notably, APT40 hijacks EoL SOHO routers using N-day vulnerabilities, employing them as proxies to blend malicious traffic with legitimate network activity.
The advisory includes case studies highlighting APT40’s tactics, such as exploiting custom web applications and remote access login portals to gain network access and exfiltrate sensitive data. To mitigate these threats, cybersecurity agencies recommend timely patching, comprehensive logging, network segmentation, using multi-factor authentication, and replacing EoL equipment.
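The advisory above names Kerberoasting as APT40’s credential-harvesting step and comprehensive logging as a mitigation. As an added example (not from the advisory or this article), the following Python detection runs over constructed Windows Security Event ID 4769 records and flags the classic Kerberoasting pattern: one account requesting RC4-encrypted service tickets for many distinct service principals within a short window. The field names, the sample events and the thresholds are my assumptions, chosen to resemble what a SIEM typically parses from 4769 events.

```python
"""Flag Kerberoasting-style bursts in Windows Event ID 4769 records.

Added example, not code from the advisory. Event dicts, field names and
thresholds are assumptions modelled on typical SIEM parsing of 4769 events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 0x17 = RC4-HMAC. Kerberoasting tooling usually requests RC4 service tickets
# because they are far cheaper to crack offline than AES-encrypted ones.
RC4_HMAC = "0x17"
# Ticket requests for these services are routine and not worth counting.
IGNORED_SERVICES = {"krbtgt"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-07-10T09:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2024-07-10T09:00:05", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2024-07-10T09:30:00", "TargetUserName": "contractor1@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-07-10T09:30:01", "TargetUserName": "contractor1@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-07-10T09:30:02", "TargetUserName": "contractor1@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-07-10T09:30:03", "TargetUserName": "contractor1@CORP.LOCAL",
     "ServiceName": "svc_sccm", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-07-10T09:30:04", "TargetUserName": "contractor1@CORP.LOCAL",
     "ServiceName": "svc_exchange", "TicketEncryptionType": "0x17"},
    # A single legacy application that still needs RC4: not a burst, not flagged.
    {"TimeCreated": "2024-07-10T14:00:00", "TargetUserName": "legacyapp@CORP.LOCAL",
     "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17"},
]


def find_kerberoasting(events, window=timedelta(minutes=5), min_distinct_spns=5):
    """Return (user, window_start, sorted_spns) tuples for every account that
    requested RC4 tickets for >= min_distinct_spns distinct services within
    `window`. One isolated RC4 request is not flagged; the burst is."""
    rc4_by_user = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        if ev["ServiceName"].lower() in IGNORED_SERVICES:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        rc4_by_user[ev["TargetUserName"]].append((ts, ev["ServiceName"]))

    findings = []
    for user, reqs in rc4_by_user.items():
        reqs.sort()
        start = 0
        # Sliding window over this user's RC4 ticket requests, oldest first.
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {name for _, name in reqs[start:end + 1]}
            if len(spns) >= min_distinct_spns:
                findings.append((user, reqs[start][0], sorted(spns)))
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for user, when, spns in find_kerberoasting(SAMPLE_EVENTS):
        print(f"{when.isoformat()} {user} requested RC4 tickets for {len(spns)} services: {spns}")
```

The encryption-type filter matters more than the raw count: an account that legitimately talks to many services will request AES tickets, while a burst of RC4 requests across unrelated service accounts is the pattern worth investigating. Tune `IGNORED_SERVICES` and the thresholds to the environment.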
Windows MSHTML Zero-Day Exploited in Malware Attacks for Over a Year
Microsoft recently patched a critical zero-day exploit in Windows, CVE-2024-38112, which had been used for 18 months to deploy malicious scripts. Discovered by Haifei Li of Check Point Research, this high-severity MHTML spoofing flaw was addressed in the July 2024 Patch Tuesday updates.
Attackers exploited the zero-day vulnerability using Windows Internet Shortcut Files (.url) that appeared as legitimate PDFs but downloaded and executed HTA files via the mhtml: URI handler. This method forced URLs to open in Internet Explorer, bypassing security warnings and allowing malware installation.
The exploit enabled the Atlantida Stealer malware to extract sensitive data such as browser credentials and cryptocurrency wallets. Microsoft has now mitigated this issue by redirecting mhtml: URIs to open in Microsoft Edge, closing the exploit path.
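The paragraphs above describe the lure as a Windows Internet Shortcut (.url) file whose target uses the mhtml: handler rather than a normal web URL. As an added example (mine, not code from Check Point Research or Microsoft), the following Python script triages .url files and reports that pattern, plus a document-style double extension such as `invoice.pdf.url`, for an analyst to review. It relies only on the documented INI-style layout of .url files; the sample files and the `attacker.invalid` host are constructed.

```python
"""Triage Windows Internet Shortcut (.url) files for the mhtml: handler pattern.

Added example, not from the article or the original research. Sample shortcut
contents below are constructed; .url files are INI-style text with an
[InternetShortcut] section.
"""
import configparser
from urllib.parse import urlsplit

EXPECTED_SCHEMES = {"http", "https"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx"}

# Constructed samples (not files from any real campaign).
BENIGN_SHORTCUT = "[InternetShortcut]\nURL=https://docs.example.com/report.pdf\n"
SUSPICIOUS_SHORTCUT = (
    "[InternetShortcut]\n"
    "URL=mhtml:http://attacker.invalid/lure\n"
    "IconFile=C:\\Program Files\\Example\\reader.exe\n"
    "IconIndex=0\n"
)


def parse_internet_shortcut(text):
    """Return the [InternetShortcut] section as a dict with lower-cased keys."""
    # interpolation=None: '%' is legal in URLs and must not be expanded.
    # strict=False: tolerate duplicate keys, which real shortcuts sometimes carry.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp["InternetShortcut"])


def triage_url_file(filename, text):
    """Return a list of human-readable reasons the shortcut deserves attention
    (an empty list means nothing unusual was found)."""
    reasons = []
    fields = parse_internet_shortcut(text)
    url = fields.get("url", "")
    scheme = urlsplit(url).scheme.lower()
    if scheme == "mhtml":
        reasons.append("URL uses the mhtml: handler, which forces legacy Internet Explorer rendering")
    elif scheme not in EXPECTED_SCHEMES:
        reasons.append(f"unexpected URL scheme '{scheme or '<none>'}'")

    # A name like invoice.pdf.url is displayed as a document while being a shortcut.
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] == "url" and parts[1] in DOCUMENT_EXTENSIONS:
        reasons.append(f"document-style double extension '.{parts[1]}.url'")
    return reasons


if __name__ == "__main__":
    for name, body in [("report.url", BENIGN_SHORTCUT), ("invoice.pdf.url", SUSPICIOUS_SHORTCUT)]:
        print(name, "->", triage_url_file(name, body) or "ok")
```

On a mail gateway or file-share scanner the same function can run over every attachment ending in `.url`; anything with a non-empty reason list should be quarantined for review rather than delivered, since a shortcut has no legitimate reason to invoke the mhtml: handler.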
GitLab: Critical Bug Allows Attackers to Run Pipelines as Other Users
GitLab has disclosed a critical vulnerability in its Community and Enterprise editions, identified as CVE-2024-6385, which allows attackers to run pipeline jobs as other users. This severe flaw, with a CVSS score of 9.6 out of 10, affects GitLab CE/EE versions 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2. GitLab pipelines are a CI/CD system feature that automates tasks like building, testing, or deploying code changes.
The company has released updates—versions 17.1.2, 17.0.4, and 16.11.6—to address this issue and urges all administrators to upgrade their installations immediately. GitLab.com and GitLab Dedicated have already applied the patches.
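For administrators of self-managed instances, the version ranges above reduce to a simple check. The following Python helper is an added example (mine, not GitLab’s tooling) that decides whether an installed version falls inside the affected ranges stated in the advisory summary and names the patched release to move to. The only assumption is that each range’s upper bound is the patched release itself, so the fixed version is excluded; the version numbers are taken from the text and none are invented.

```python
"""Check a GitLab CE/EE version against the CVE-2024-6385 affected ranges.

Added example, not GitLab's own tooling. Version bounds are copied from the
advisory summary; lower bounds are inclusive and the upper bound of each range
is the patched release, which is excluded.
"""
from typing import Optional, Tuple

AFFECTED = [
    # (first affected release, patched release)
    ((15, 8), (16, 11, 6)),
    ((17, 0), (17, 0, 4)),
    ((17, 1), (17, 1, 2)),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '17.1.1' or '17.1.1-ee' into a comparable tuple of ints."""
    core = version.split("-", 1)[0]  # the -ee / -ce suffix does not affect ordering
    return tuple(int(part) for part in core.split("."))


def fixed_release_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None.

    Tuple comparison handles short versions naturally: (15, 8) <= (15, 8, 0)
    because a shorter prefix sorts before its longer extension."""
    v = parse_version(version)
    for first_affected, patched in AFFECTED:
        if first_affected <= v < patched:
            return ".".join(str(p) for p in patched)
    return None


if __name__ == "__main__":
    for installed in ["15.7.9", "16.11.5", "17.0.0-ee", "17.1.1", "17.1.2"]:
        target = fixed_release_for(installed)
        print(f"{installed}: {'upgrade to ' + target if target else 'not in an affected range'}")
```

Instances below 15.8 are outside the ranges given here, but they are also out of GitLab’s support window and carry their own backlog of fixes, so "not in an affected range" is not the same as "safe".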
This vulnerability follows similar issues: in June, GitLab patched CVE-2024-5655, another bug allowing pipeline exploitation, and in May, it addressed CVE-2024-4835, which enabled account takeovers via cross-site scripting (XSS) attacks. Additionally, a zero-click vulnerability (CVE-2023-7028) patched in January has been actively exploited.
Attackers target GitLab for its sensitive data, such as API keys and proprietary code, posing significant security risks, including potential supply chain attacks if malicious code is introduced into CI/CD environments. GitLab’s vast user base, including over 50% of Fortune 100 companies, underscores the importance of promptly addressing these vulnerabilities to protect critical data and infrastructure.
Dallas County: Data of 200,000 Exposed in 2023 Ransomware Attack
Dallas County is notifying over 200,000 individuals that their personal data was exposed in a Play ransomware attack that occurred in October 2023. The attack, which targeted the second largest county in Texas, affected residents, employees, and others who interacted with its public services.
The Play ransomware gang listed Dallas County on its dark web extortion portal, threatening to leak stolen data from various county departments. Following the attack, Dallas County acknowledged the incident and began reviewing the leaked data. To address concerns, they established a dedicated call center in January 2024.
On July 10, 2024, Dallas County posted an update and sent breach notices to 201,404 impacted individuals. Exposed data includes full names, Social Security numbers, dates of birth, driver’s licenses, state IDs, taxpayer identification numbers, medical information, and health insurance details. Those affected will receive two years of credit monitoring and identity theft protection.
In response to the breach, Dallas County has implemented enhanced security measures, including Endpoint Detection and Response (EDR) solutions, mandatory password resets, and blocking malicious IP addresses.
Dallas County and the City of Dallas have faced several cybersecurity incidents recently. In November 2023, a Dallas County employee fell victim to a business email compromise scam, resulting in a fraudulent payment of $2.4 million. Additionally, in May 2023, the City of Dallas suffered a Royal ransomware attack, disrupting IT infrastructure and compromising over 1 TB of data.
ARRL Finally Confirms Ransomware Gang Stole Data in Cyberattack
The American Radio Relay League (ARRL) has confirmed that employee data was stolen in a ransomware attack in May 2024. Initially described as a “serious incident,” the attack was identified on May 14, when attackers breached and encrypted ARRL’s computer systems.
In response, ARRL took the affected systems offline and engaged external forensic experts to assess the damage. By early June, they acknowledged the attack as a “sophisticated network attack” by an international cyber group. Data breach notifications sent to affected individuals revealed that the stolen data included names, addresses, and Social Security numbers.
ARRL informed the Office of Maine’s Attorney General that the breach impacted 150 employees. Despite no evidence of misuse, ARRL is providing 24 months of free identity monitoring through Kroll. Although ARRL has not attributed the attack to a specific ransomware gang, sources suggest the Embargo ransomware group was responsible. Embargo, which emerged in May 2024, has added only a few victims to its dark web leak site, excluding ARRL, hinting at a possible ransom payment to prevent data leakage.
ARRL has assured that they have taken all reasonable steps to prevent further distribution of the stolen data and are cooperating with federal law enforcement in the investigation.
Rite Aid Confirms Data Breach After June Ransomware Attack
Pharmacy giant Rite Aid has confirmed a data breach following a cyberattack in June 2024, claimed by the RansomHub ransomware operation. As the third-largest drugstore chain in the United States, Rite Aid employs over 6,000 pharmacists within its 1,700 retail pharmacy stores across 16 states.
The RansomHub ransomware gang claimed responsibility for the attack, stating on their dark web leak site that they accessed over 10 GB of customer information, including names, addresses, driver’s license numbers, dates of birth, and Rite Aid rewards numbers. They claimed to have obtained around 45 million lines of personal information.
RansomHub, a relatively new threat group, focuses on data-theft-based extortion rather than file encryption. They have previously targeted U.S. telecom provider Frontier Communications, compromising the information of 750,000 customers. In the case of Rite Aid, RansomHub added the company to its leak site after negotiations supposedly ceased and threatened to leak the data within two weeks.
Rite Aid is continuing its investigation and has yet to provide further details about the breach.
Hackers Use PoC Exploits in Attacks 22 Minutes After Release
Threat actors are increasingly quick to weaponize available proof-of-concept (PoC) exploits, sometimes deploying them in attacks as soon as 22 minutes after they are made public. This finding is highlighted in Cloudflare’s 2024 Application Security report, which covers activity between May 2023 and March 2024, revealing emerging threat trends.
Cloudflare, processing an average of 57 million HTTP requests per second, reports a surge in scanning activity for disclosed CVEs, followed by command injections and the rapid weaponization of available PoCs. Notable targeted flaws include CVE-2023-50164 and CVE-2022-33891 in Apache products, CVE-2023-29298, CVE-2023-38203, and CVE-2023-26360 in ColdFusion, and CVE-2023-35082 in MobileIron. A striking example is CVE-2024-27198, an authentication bypass flaw in JetBrains TeamCity, where an attacker deployed a PoC-based exploit just 22 minutes post-publication.
To combat this speed, Cloudflare advocates for AI assistance in developing effective detection rules swiftly. “The speed of exploitation of disclosed CVEs is often quicker than the speed at which humans can create WAF rules or deploy patches,” the report states.
Another significant finding in Cloudflare’s report is that 6.8% of all daily internet traffic is distributed denial of service (DDoS) traffic, aimed at disrupting online services. This marks an increase from 6% in the previous year, with malicious traffic surging to 12% during major global attack events. In Q1 2024 alone, Cloudflare blocked an average of 209 billion cyber threats daily, an 86.6% year-over-year increase.
Conclusion
In conclusion, the cyber landscape is fraught with various threats, from zero-day vulnerabilities to ransomware attacks and phishing campaigns. Staying vigilant and implementing robust security measures is essential to safeguard sensitive data.
As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization requires assistance in recovering from a ransomware attack or bolstering its cybersecurity defenses, contact us today.