A threat actor is selling the data belonging to BlackBerry’s Cylance cybersecurity unit, he demanded $750,000.

A threat actor, that goes online with the moniker Sp1d3r, is selling the stolen data for $750,000. The data includes 34 million customer and employee emails, customer / prospect email and PII, products used by organizations, sales prospect list with activity status, Cylance partners list and users list.

BlackBerry told several media outlets that it’s aware of the potential data breach and is investigating the alleged incident.

The company states that data was stolen from a third-party platform and appears to be old.

“Based on our initial reviews of the data in question, no current Cylance customers are impacted, and no sensitive information is involved,” BlackBerry told SecurityWeek. “The data in question was accessed from a third-party platform unrelated to BlackBerry and appears to be from 2015-2018, predating BlackBerry’s acquisition of the Cylance product portfolio.”

“We continue to monitor this situation closely and will take all necessary precautions to maintain the integrity of our products and systems and the trust of our customers,” it added

While several experts believe attackers may have obtained the data from the cloud data platform Snowflake, Cylance pointed out that it is currently not a Snowflake customer.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Semiconductor and software design company Arm warns of an actively exploited zero-day vulnerability in Mali GPU Kernel Driver.

Arm is warning of an actively exploited zero-day vulnerability, tracked as CVE-2024-4610, in Mali GPU Kernel Driver.

The vulnerability is a use-after-free issue issue that impacts Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) and Valhall GPU Kernel Driver (all versions from r34p0 to r40p0).

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.” reads the advisory published by the company. “Arm is aware of reports of this vulnerability being exploited in the wild. Users are recommended to upgrade if they are impacted by this issue”

Bifrost and Valhall GPU Kernel Driver r41p0, which were released on November 24, 2022, address the vulnerability.

A local non-privileged attacker can prepare the system’s memory to issue improper GPU memory processing operations to gain access to already freed memory.

The company recommends users upgrade if this issue impacts them.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mali GPU Kernel Driver)

A proof-of-concept (PoC) exploit code for a Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 is publicly available.

Researcher Sina Kheirkha analyzed the Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 and a proof of concept exploit for this issue.

The flaw CVE-2024-29849 is a critical vulnerability (CVSS score: 9.8) in Veeam Backup Enterprise Manager that could allow attackers to bypass authentication.

Veeam Backup Enterprise Manager is a centralized management and reporting tool designed to simplify the administration of Veeam Backup & Replication environments. It offers a web-based interface that allows users to manage multiple Veeam Backup & Replication servers, monitor backup jobs, and generate reports.

“This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.” reads the advisory published by the vendor.

The vulnerability was addressed with the release of version 12.1.2.172. The company also provided the following mitigation:

• This vulnerability can be mitigated by halting the Veeam Backup Enterprise Manager software.
  To do this, stop and disable the following services:
  • VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
  • VeeamRESTSvc (Veeam RESTful API Service)
    _{Note: Do not stop the ‘Veeam Backup Server RESTful API Service’.}
• Veeam Backup Enterprise Manager is compatible with managing Veeam Backup & Replication servers running an older version than Veeam Backup Enterprise Manager. Therefore, if the Veeam Backup Enterprise Manager software is installed on a dedicated server, Veeam Backup Enterprise Manager can be upgraded to version 12.1.2.172 without the need to upgrade Veeam Backup & Replication immediately.
• Veeam Backup Enterprise Manager can be uninstalled if it is not in use.

Administrators are urged to apply the latest security updates as soon as possible due to the availability of the PoC.

Kheirkha explained that the issue resides in the ‘Veeam.Backup.Enterprise.RestAPIService.exe’ service (vVeeamRESTSvc ), which is installed during the setup of the Veeam enterprise manager software.

“When I started to analyze this vulnerability, first I was kind of disappointed on how little information veeam provided, just saying the authentication can be bypassed and not much more, however, just knowing it’s something to do with Authentication and the mitigation suggesting the issue has something to do with the either “VeeamEnterpriseManagerSvc” or “VeeamRESTSvc” services, I began my patch diffing routine and realized the entry point, I’ll introduce VeeamRESTSvc also known as Veeam.Backup.Enterprise.RestAPIService.exe” reads the post published by the researcher.

The service listens on port TCP/9398 and operated as a REST API server, which is basically an API version of the main web application that listens on port TCP/9443

The exploit targets Veeam’s API by sending a specially crafted VMware single-sign-on (SSO) token to a vulnerable service. The expert used a token impersonating an administrator and used an SSO service URL that Veeam failed to verify. The token is initially base64-encoded, then decoded into XML and validated through a SOAP request to an attacker-controlled URL. Then a server under the control of the attack responds positively to the validation, granting the attacker administrator access.

To detect exploitation attempts, the researcher recommends to analyze the following log file:

C:\ProgramData\Veeam\Backup\Svc.VeeamRestAPI.log

searching for Validating Single Sign-On token. Service enpoint URL: 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PoC exploit)

The Japanese video-sharing platform, Niconico, was forced to suspend its services following a cybersecurity incident.

The Japanese video-sharing platform, Niconico, temporarily suspended its services following a large-scale cyberattack on June 8, 2024.

“Due to the effects of a large-scale cyber attack, Niconico has been unavailable since early morning on June 8th” reads the incident notice published by the company. “We sincerely apologize for the inconvenience.”

In response to the incident, the company temporarily suspended Niconico Family Services such as Niconico Video, Niconico Live Broadcast, Niconico Channel, etc. The company also suspended the Niconico Account login on external services.

“Beginning in the early hours of Saturday, June 8th, an issue occurred that prevented access to multiple servers in our group. In response to this incident, we immediately shut down the relevant servers to protect the data. Based on the scope of our internal analysis and investigation that was conducted on the same day, we have determined that there is a high possibility that we were the victim of a cyber attack.” reads a statement from the company.

The video-sharing platform also canceled/postponed programs scheduled from June 10th to June 16th.

The company is investigating the security incident with the help of law enforcement and external experts to determine the full extent of the damage.

The company has yet to determine if threat actors have stolen any information from its systems.

The Japanese firm did not reveal the type of cyberattack it suffered; however, the problems it is facing and the incident response procedure adopted suggest it was the victim of a ransomware attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cyber attack)

The UK NHS issued an urgent call for O-type blood donations following the recent ransomware attack that hit several London hospitals.

The UK National Health Service (NHS) issued an urgent call for O-type blood donations due to the recent ransomware attack on Synnovis that disrupted operations at several healthcare organizations in London.

In early June, a ransomware attack on pathology and diagnostic services provider Synnovis severely impacted the operations at several major NHS hospitals in London. The attack forced the impacted hospitals to cancel some healthcare procedures, in some cases, patients were redirected to other hospitals.

Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics.

In a post published on its website, Synnovis disclosed it was the victim of a ransomware attack.

“On Monday 3 June, Synnovis – a partnership between two London-based hospital Trusts and SYNLAB – was the victim of a ransomware cyberattack. This has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services.” reads the statement published by the company. “Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised.”

Synnovis has yet to release a new update and hasn’t provided any information on the scope of the attack.

Law enforcement suspects that Qilin extortion gang is behind the attack.

The NHS London published a statement on Synnovis ransomware attack confirming that the incident is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London.

“On Monday 3 June Synnovis, a provider of lab services, was the victim of a ransomware cyber attack. This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families.” reads the statement published by NHS London.

“All urgent and emergency services remain open as usual and the majority of outpatient services continue to operate as normal.” continues the NHS. “Unfortunately, some operations and procedures which rely more heavily on pathology services have been postponed, and blood testing is being prioritised for the most urgent cases, meaning some patients have had phlebotomy appointments cancelled.”

The NHS confirmed that the ransomware attack has disrupted blood matching tests, for this reason, affected hospitals are using O Negative and O Positive blood for patients who can’t wait for alternative matching methods. For this reason, the NHS is calling for O-type blood donations.

“England’s top doctor has today (Monday 10 June) backed calls from NHS Blood and Transplant (NHSBT) for O Positive and O Negative blood donors to urgently book appointments to donate in one of the 25 town and city centre NHS Blood Donor Centres in England, to boost stocks of O type blood following the cyber incident in London.” reads the announcement published by the NHS Blood and Transplant.

“The IT incident affecting a pathology provider means the affected hospitals cannot currently match patients’ blood at the same frequency as usual. For surgeries and procedures requiring blood to take place, hospitals need to use O type blood as this is safe to use for all patients and blood has a shelf life of 35 days, so stocks need to be continually replenished. That means more units of these types of blood than usual will be required over the coming weeks to support the wider efforts of frontline staff to keep services running safely for local patients.”

O Negative blood is a universal blood type, anyone can receive it, for this reason, it is crucial in emergencies or when a patient’s blood type is unknown. Despite only 8% of the population having O Negative, it accounts for about 15% of hospital orders. O Positive, the most common blood type, can be given to anyone with a positive blood type, benefiting 76% of the population. 35% of blood donors have O Positive blood.

“To support London hospitals to carry out more surgeries and to provide the best care we can for all patients, we need more O Negative and O Positive donors than usual. Please book an urgent appointment to give blood at one of our 25 town and city donor centres which currently have good appointment availability.

“We have availability for donors who know they are type O but we also welcome new donors who don’t yet know their blood type. You might have one of these special types that can be used in emergencies.”

“To support London hospitals to carry out more surgeries and to provide the best care we can for all patients, we need more O Negative and O Positive donors than usual. Please book an urgent appointment to give blood at one of our 25 town and city donor centres which currently have good appointment availability.” said Dr Gail Miflin, Chief Medical Officer, NHS Blood and Transplant. “We have availability for donors who know they are type O but we also welcome new donors who don’t yet know their blood type. You might have one of these special types that can be used in emergencies.””

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, London hospitals)