Ticketmaster owner Live Nation confirmed the Ticketmaster data breach that compromised the data of 560 million customers.

ShinyHunters, the current administrator of BreachForums, recently claimed the hack of Ticketmaster and offered for sale 1.3 TB of data, including full details of 560 million customers, for $500,000. Stolen data includes names, emails, addresses, phone numbers, ticket sales, and order details.

This week Ticketmaster owner Live Nation confirmed the data breach that compromised the data of 560 million customers.

On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened. On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.

As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing.

Threat actors had access to a third-party cloud database environment containing company data. The company discovered the intrusion on May 20, 2024, and immediately launched an investigation with industry-leading forensic investigators.

The stolen data were offered for sale on the dark web a week later.

“On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened.” reads the form 8-K filing to the US Securities and Exchange Commission.

“On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web.”

Live Nation notified regulatory authorities and impacted users.

Bleeping Computer reported that ShinyHunters told Hudson Rock Co-Founder Alon Gal that he breached both Santander and Ticketmaster. The threat actor revealed that the data was stolen from cloud storage company Snowflake by using credentials obtained through information-stealing malware to access a Snowflake employee’s ServiceNow account. The threat actors used to credential to exfiltrate data, including auth tokens for accessing customer accounts. The threat actor also claimed to have used this method to steal data from other companies.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShinyHunters)

The vulnerability CVE-2021-44832 is Apache Log4j2 library is still a serious problem for multiple industries, expert warns it threatens global Finance.

The independent cyber threat intelligence analyst Anis Haboubi warns of a severe logging configuration flaw that could dramatically impact the financial industry.

The vulnerability is CVE-2021-44832 and impacts Apache Log4j2, a remote attacker can exploit this vulnerability to execute malicious code on affected systems. The flaw received a CVSS score of 6.6 and impacts all log4j versions from 2.0-alpha7 to 2.17.0. Versions 2.3.2 and 2.12.4. are not impacted.

“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.” reads the advisory.

The vulnerability was discovered by Checkmarx security researcher Yaniv Nizry who reported it to Apache on December 27, 2020. The Apache Software Foundation released Log4j 2.17.1 version to address the flaw a couple of days later.

The recent breaches at Sisense and Snowflake, both ISO/IEC 27001 certified companies, highlight a critical vulnerability that still threatens the entire finance industry. Despite adhering to stringent security standards, the flaws in their infrastructure have exposed sensitive financial data to unauthorized access, potentially leading to catastrophic consequences, Haboubi told SecurityAffairs.

Why does this old flaw still threaten the Finance industry?

The critical flaw in logging configurations allows attackers with write access to exploit a JDBC Appender with a JNDI URI, enabling remote code execution. This can lead to complete system compromise, allowing attackers to execute malicious code remotely and gain unauthorized access to sensitive financial data. Sisense and Snowflake are trusted by top international financial groups.

“These companies rely on their services for critical operations, including data analytics and cloud storage. A breach in these systems can disrupt financial activities on a global scale, causing significant financial and reputational damage.” said Haboubi.

“The breaches have resulted in the exfiltration of several terabytes of customer data, including access tokens, email account passwords, and SSL certificates. This data can be exploited by attackers to gain further access to financial systems and conduct fraudulent activities. Interconnected Financial Systems: The financial industry is highly interconnected. A vulnerability in one system can lead to a domino effect, compromising other systems and services. The potential for widespread disruption makes this flaw particularly dangerous.”

The breaches have raised questions about whether Sisense and Snowflake were doing enough to protect sensitive data. The stolen data, which was apparently not encrypted while at rest, underscores the need for more robust security measures.

In conclusion, the flaws in the infrastructure of Sisense and Snowflake, combined with their extensive use in the finance sector, pose a significant threat. Immediate action is required to mitigate these vulnerabilities and protect the integrity of financial operations globally. Enhanced security measures, such as the integration of PEM key-based authentication, are crucial to prevent future breaches and ensure the safety of sensitive financial data.

“It’s quite impressive. I believe the attackers breached the systems several months, or perhaps even years, ago. They likely waited for the right moment to exfiltrate the data, and Sisense only recently discovered the breach. One of the biggest issues for me is that Sisense allowed “Connecting to a Private Network with an SSH Tunnel” without a PEM key. This is what they discreetly fixed in the commit I shared with you. The attackers clearly exploited the Log4j vulnerability from the outset to gain privileged access to critical infrastructures. They then hid for months to see if they could maintain persistence” concludes the expert. “even today 30% of log4J installations are vulnerable to log4hell”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Log4j2)

Crooks stole approximately 48.2 billion yen ($304 million) worth of Bitcoin from the Japanese cryptocurrency exchange DMM Bitcoin.

The Japanese cryptocurrency exchange DMM Bitcoin announced that crooks stole 4,502.9 Bitcoin (BTC), approximately $304 million (48.2 billion yen), from the its wallets.

“At approximately 1:26 p.m. on Friday, May 31, 2024, we detected an unauthorized leak of Bitcoin (BTC) from our wallet. We are still investigating the details of the damage, but the following is what we know at this stage. We have already taken measures to prevent the unauthorized leak, but we have also implemented restrictions on the use of some services to ensure additional safety.

We deeply apologize for any inconvenience caused to our customers.” reads a message published by the exchange on its website. The page is currently unavailable.

The company assured that the customers’ Bitcoin (BTC) deposits will be fully guaranteed.

In response to the heist, DMM Bitcoin limited the following services:

・ Screening of new account openings
・ Processing of cryptocurrency withdrawals
・ Suspension of buying orders for spot trading (only selling orders accepted)
・ Suspension of new open positions for leveraged trading (only settlement orders accepted)

The company added that limit orders for spot trading and leveraged trading that have already been placed will not be canceled and that withdrawals of Japanese Yen may take longer than usual.

DMM Bitcoin has yet to provide details about the attack.

Cryptocurrency security firm Elliptic reported that this incident would be the eighth-largest crypto heist of all time, and the largest since the $477 million hack suffered by FTX, in November 2022. Elliptic also confirmed it has identified the wallets involved in the attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Bitcoin)