Cybersecurity firm Cylance confirmed the legitimacy of data being sold on a hacking forum, stating that it is old data stolen from a “third-party platform.”
A threat actor known as Sp1d3r is selling this stolen data for $750,000, as first spotted by Dark Web Informer.
The data allegedly includes a substantial amount of information, such as 34,000,000 customer and employee emails and personally identifiable information belonging to Cylance customers, partners, and employees.
However, researchers have told BleepingComputer that the leaked samples appear to be old marketing data used by Cylance.
BlackBerry Cylance told BleepingComputer that they are aware of and investigating the threat actor’s claims but that no “BlackBerry data and systems related to [..] customers, products, and operations have been compromised.”
“Based on our initial reviews of the data in question, no current Cylance customers are impacted, and no sensitive information is involved,” the company added.
“The data in question was accessed from a third-party platform unrelated to BlackBerry and appears to be from 2015-2018, predating BlackBerry’s acquisition of the Cylance product portfolio.”
Links to Snowflake attacks
While the company has yet to respond to a follow-up request for more details regarding the name of the third-party platform that was breached to steal what it claims to be old data, the same threat actor is also selling 3TB of data from automotive aftermarket parts provider Advance Auto Parts, stolen after breaching the company’s Snowflake account.
BleepingComputer confirmed that Cylance is a Snowflake customer, with the web management console located at https://cylance.snowflakecomputing.com/.
Recent breaches at Santander, Ticketmaster, and QuoteWizard/LendingTree have also been linked to Snowflake attacks. Ticketmaster’s parent company, Live Nation, also confirmed that a data breach had affected the ticketing firm after its Snowflake account was compromised on May 20.
In a joint advisory with CrowdStrike and Mandiant, Snowflake said that attackers had used stolen customer credentials to target accounts without multi-factor authentication protection.
Today, Mandiant published a report linking the Snowflake attacks to a financially motivated threat actor it tracks as UNC5537. The actor gained access to Snowflake customer accounts using customer credentials stolen in infostealer malware infections dating back as far as 2020.
Mandiant has been tracking UNC5537 since May 2024. The financially motivated threat actor has targeted hundreds of organizations worldwide, extorting victims for financial gain.
While Mandiant has not shared much information about UNC5537, BleepingComputer has learned they are part of a larger group of threat actors who frequent the same websites, Telegram, and Discord servers, where they commonly collaborate on attacks.
“The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication only required a valid username and password,” Mandiant said.
“Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not been rotated or updated. The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations.”
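Mandiant's statement names three weaknesses that together let stolen passwords work: no second factor, credentials left unrotated for years, and no network allow list. The script below is an added example (not from the article, Mandiant, or Snowflake) that audits a constructed set of login records and a constructed user table for exactly those three conditions. The record fields, user names, IP addresses and the 90-day rotation window are all hypothetical; a real export from a Snowflake login history or any other identity provider would need its own field mapping.

```python
"""Audit login records for the three weaknesses Mandiant described:
password-only logins, long-unrotated credentials, and access from
outside a trusted-network allow list. Field names and all data below
are constructed for this example and do not reflect any vendor schema."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed login-history sample (hypothetical users and IPs).
LOGINS = [
    {"user": "svc_etl", "ts": "2024-05-20T03:12:00Z", "ip": "203.0.113.7",
     "success": True, "first_factor": "PASSWORD", "second_factor": None},
    {"user": "alice", "ts": "2024-05-20T09:00:00Z", "ip": "198.51.100.12",
     "success": True, "first_factor": "PASSWORD", "second_factor": "DUO_PUSH"},
    {"user": "bob", "ts": "2024-05-21T14:30:00Z", "ip": "198.51.100.40",
     "success": True, "first_factor": "PASSWORD", "second_factor": None},
    {"user": "svc_etl", "ts": "2024-05-21T15:00:00Z", "ip": "198.51.100.40",
     "success": False, "first_factor": "PASSWORD", "second_factor": None},
]

# Constructed user table: when each password was last set.
USERS = {
    "svc_etl": {"password_set": "2020-02-01T00:00:00Z", "disabled": False},
    "alice": {"password_set": "2024-03-15T00:00:00Z", "disabled": False},
    "bob": {"password_set": "2021-11-02T00:00:00Z", "disabled": False},
}

# Constructed corporate egress range that a network allow list would permit.
ALLOWED_NETWORKS = [ip_network("198.51.100.0/24")]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def users_without_mfa(logins):
    """Users with at least one successful login that used only a password."""
    return sorted({r["user"] for r in logins
                   if r["success"] and r["second_factor"] is None})


def stale_credentials(users, now, max_age_days=90):
    """Enabled users whose password is older than the rotation window.
    Returns {user: age_in_days}."""
    out = {}
    for name, u in users.items():
        if u["disabled"]:
            continue
        age = (now - parse_ts(u["password_set"])).days
        if age > max_age_days:
            out[name] = age
    return out


def logins_outside_allowlist(logins, allowed):
    """Successful logins from source IPs no allow list would have permitted."""
    return [(r["user"], r["ip"]) for r in logins
            if r["success"]
            and not any(ip_address(r["ip"]) in net for net in allowed)]


def audit(logins=LOGINS, users=USERS, allowed=ALLOWED_NETWORKS, now=None):
    """Run all three checks; `now` is fixed so the sample result is stable."""
    now = now or datetime(2024, 6, 10, tzinfo=timezone.utc)
    return {
        "no_mfa": users_without_mfa(logins),
        "stale": stale_credentials(users, now),
        "outside_allowlist": logins_outside_allowlist(logins, allowed),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings}")
```

On the sample data, `svc_etl` trips all three checks at once: a password-only login from an address outside the allowed range, using a password set in 2020. That combination is the one Mandiant describes, and a service account is the usual place to find it because nobody is prompted to rotate its password. Failed logins are deliberately ignored by the allow-list check; a password that did not work is noise, whereas a successful login from an unexpected network is the signal.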
Mandiant says it has identified hundreds of customer Snowflake credentials exposed in Vidar, RisePro, Redline, Raccoon Stealer, Lumma, and Metastealer infostealer malware attacks since at least 2020.
So far, Snowflake and Mandiant have notified around 165 organizations potentially exposed to these ongoing attacks.