Breach Roundup: Microsoft Deprecates NTLM Authentication
Also: Hacker Sells Data Obtained Through Snowflake Attack
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Microsoft deprecated NTLM authentication, a hacker put apparent Snowflake data up for sale, Ticketmaster confirmed its breach, the FBI disrupted LockBit, Cisco patched Webex flaws, pro-Russian hacktivists claimed a DDoS attack and Kaspersky launched a free virus removal tool for Linux.
Microsoft Deprecates NTLM Authentication
Microsoft on Monday officially deprecated the NTLM authentication protocol on Windows, 30 years after its introduction. NTLM will "continue to work in the next Windows Server and the next annual release of Windows," Redmond said.
Microsoft advised developers to transition to more secure alternatives such as Kerberos or Negotiate.
The New Technology LAN Manager authentication protocol is a suite of Microsoft security protocols introduced in 1993 as a replacement for the older LAN Manager protocol. Microsoft initially announced plans to phase out NTLM in October.
The decision to deprecate NTLM is driven by its extensive abuse in cyberattacks, including NTLM relay attacks in which hackers trick Windows domain controllers into authenticating them. Even with defensive measures such as SMB security signing, NTLM remains vulnerable to attacks such as "pass the hash."
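Before migrating away from NTLM, a defender needs to know where it is still used. The following PowerShell is an added example, not from the article or from Microsoft; it reads local Security log logon events (ID 4624) and reports which accounts and sources still authenticate with NTLM, including any remaining NTLMv1 use.

```powershell
# Added example (not from the ISMG article or Microsoft): inventory NTLM logons
# recorded in the local Security log so an admin can see which accounts and
# hosts still depend on NTLM before moving them to Kerberos/Negotiate.
# Requires an elevated session; event ID 4624 is the standard Windows
# "An account was successfully logged on" event.
param(
    [int]$Days = 7
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$ntlm = foreach ($e in $events) {
    # Parse the event's XML payload into a name -> value table
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # AuthenticationPackageName is 'NTLM' for NTLM logons and 'Kerberos' for
    # Kerberos logons; LmPackageName shows the NTLM flavour (NTLM V1 / NTLM V2).
    if ($d['AuthenticationPackageName'] -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Source      = $d['IpAddress']
            Workstation = $d['WorkstationName']
            LogonType   = $d['LogonType']
            Package     = $d['LmPackageName']
        }
    }
}

# Summarise which accounts still authenticate with NTLM and which variant they
# use; any 'NTLM V1' rows are the weakest and should be migrated first.
$ntlm | Group-Object Account, Package | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detailed rows (source address and workstation) for follow-up
$ntlm | Sort-Object Time | Format-Table Time, Account, Source, Workstation, LogonType, Package -AutoSize
```

On a domain, run the same query against domain controllers, since that is where NTLM authentication for domain accounts is logged.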
Hackers Claim to Sell Data Stolen in Snowflake Attack
A threat actor is selling for $1.5 million what it asserts are 380 million customer profiles stolen from Advance Auto Parts as part of a spree of attacks against artificial intelligence data platform provider Snowflake (see: Snowflake Clients Targeted With Credential Attacks). A hacker with the BreachForums moniker "Sp1d3r" said the stolen data includes Social Security numbers of employment candidates and other data. "Over 200 tables of data!" the hacker said.
Online criminal monitoring firm Hackmanac said on social media that a data sample from Sp1d3r shows numerous references to Snowflake. Snowflake, which is based in Montana, said attackers targeted accounts for which multifactor authentication was not activated and that it found no vulnerabilities or misconfigurations in its technology. Recent major leaks at organizations including Spanish multinational bank Santander and Ticketmaster - see below - may have a connection to Snowflake breaches. Security firm Mandiant said Monday the attacks are due to info stealers on corporate computers grabbing Snowflake credentials.
Bleeping Computer reported talking with Sp1d3r, who said that some hacked Snowflake customers have paid criminals to get their data back.
Ticketmaster Confirms Breach
Live Nation, parent company of U.S. ticketing platform Ticketmaster, confirmed last Friday a data breach that compromised the information of 560 million customers. The ShinyHunters hacker group claimed to have data of over half a billion Ticketmaster customers for sale on the BreachForums underground market (see: Stolen Ticketmaster Data Advertised on Rebooted BreachForums).
Live Nation's data breach disclosure with the U.S. Securities and Exchange Commission revealed that there was "unauthorized activity within a third-party cloud database environment containing company data" starting on May 20. A week later, on May 27, a "criminal threat actor" offered the company "what it alleged to be company user data for sale via the dark web," it said.
FBI Says It Has 7,000 LockBit Decryptors
The FBI says an operation to disrupt the LockBit ransomware-as-a-service operation continues to pay dividends, specifically with the discovery of more than 7,000 decryption keys.
FBI Cyber Division Assistant Director Bryan Vorndran told a Boston conference audience Wednesday that the bureau is "reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov."
International law enforcement agencies acting under the banner of Operation Cronos earlier this year seized 35 LockBit servers and replaced the group's dark web leak page with a seizure notice and links touting the takedown. The group quickly reestablished itself, demanding $25 million from Canadian pharmacy retail chain London Drugs and claiming a cyberattack on the Kansas city of Wichita.
U.S. authorities in May indicted the Russian national who leads the operation, a previously elusive figure known as LockBitSupp. Prosecutors said LockBitSupp's real identity - a closely guarded secret for which he offered a $1 million bounty as inducement to not inform police - is Dmitry Yuryevich Khoroshev (see: LockBitSupp's Identity Revealed: Dmitry Yuryevich Khoroshev).
Cisco Patches Flaws That Exposed Meeting Data
Cisco released a security advisory after reports surfaced saying that vulnerabilities in the German government's implementation of Webex meetings could potentially expose highly sensitive information.
Russian Hackers Claim Cyberattack on Spanish Defense Contractor
Pro-Russia hacktivists Noname claimed responsibility for a DDoS attack on Santa Barbara Systems, a General Dynamics subsidiary in Spain. The company sends refurbished Leopard tanks to Ukraine. Spanish media reported Wednesday that the Tuesday attack had no effect on sensitive data and that Spanish intelligence agency CNI - National Intelligence Center in English - is investigating.
Kaspersky Launches Free Virus Removal Tool for Linux
Russian antivirus company Kaspersky unveiled a free virus removal tool designed to scan Linux platforms. The scanner reflects growing concern over malware targeting Linux environments.
The Kaspersky Virus Removal Tool scans computers running Linux-based operating systems and can identify malware, adware and legitimate programs that could be exploited for attacks. It does not offer real-time monitoring of incoming attacks.
The tool, abbreviated KVRT, is a portable application that doesn't require installation, so it can be carried on a USB drive and run on multiple PCs.
Other Coverage From Last Week
- SecurityScorecard Accuses Vendor of Stealing Trade Secrets
- Zyxel Releases Emergency Security Update for NAS Devices
- Cox Communications Patches Newly Discovered Critical API Bug
- Chinese South China Sea Cyberespionage Campaign Unearthed
- Russian Cyberthreat Looms Over Paris Olympics
With reporting from Information Security Media Group's David Perera in Washington, D.C.