Cyber Security Headlines: November 13, 2024 Hosted by CISO Series
In the latest episode of Cyber Security Headlines by CISO Series, host Steve Prentice delves into several critical developments shaping the information security landscape. This comprehensive summary captures the key points, discussions, insights, and conclusions from the episode, providing valuable information for professionals and enthusiasts alike.
1. Dutch Cybersecurity Incident Impacts Giant Food and Hannaford
Timestamp: [00:00]
The episode opens with a significant cybersecurity incident at the Dutch food retailer Ahold Delhaize. The attack, which occurred on a Friday, forced the company to take parts of its operations offline. The disruption has cascaded to e-commerce services and supermarket chains in its portfolio, including Food Lion, Giant Food, Hannaford, Stop & Shop, and The Giant Company.
Steve Prentice highlights the severity of the situation:
"The head office in Holland has not yet offered further details as of this recording, but its actions are suggestive of a ransomware attack" ([00:00]).
The lack of detailed information suggests that the company is likely grappling with a ransomware scenario, potentially affecting supply chains and customer data. The broader implications for the retail sector underline the vulnerability of critical infrastructure to sophisticated cyber threats.
2. Indictment Against Snowflake Breach Suspects
Timestamp: [02:45]
Following up on last week's coverage, an indictment related to the Snowflake breach is discussed. The U.S. District Court for the Western District of Washington has formally charged Connor Moucka, a Canadian citizen, and John Binns with orchestrating an international hacking and extortion scheme. The operation targeted more than ten organizations, including major entities such as AT&T, exfiltrating sensitive data and then demanding ransom payments.
Prentice details the financial scale of the operation:
"They reportedly extorted digital currency as a ransom valued at approximately $2.5 million" ([02:45]).
Although the indictment does not disclose all victim companies, it aligns with previous reports linking Snowflake to breaches at prominent firms such as Ticketmaster and Santander. This case underscores the persistent threat posed by cybercriminals targeting data storage solutions to compromise multiple high-profile organizations.
3. Surge in Zero-Day Vulnerability Exploits: Five Eyes Warns of New Normal
Timestamp: [05:30]
The Five Eyes intelligence alliance (the US, UK, Australia, Canada, and New Zealand) has issued a stark warning about the increasing prevalence of zero-day exploitation. Whereas in previous years attackers most often exploited older, unpatched software flaws, there is now a marked shift towards leveraging newly discovered weaknesses before patches are available.
Key points from the Five Eyes report include:
- Citrix NetScaler appliances are identified as the most widely exploited networking products.
- Critical vulnerabilities have been found in Cisco routers and Fortinet VPN equipment.
- The MOVEit file transfer tool was exploited by the Cl0p ransomware gang.
Prentice emphasizes the gravity of this trend:
"A surge in zero-day vulnerability exploits is the new normal" ([05:30]).
The report, also linked by CISA, highlights the evolving tactics of cyber adversaries who are increasingly targeting cutting-edge vulnerabilities to bypass traditional security measures, posing significant challenges for defenders.
4. Iranian Dream Job Campaign Delivers Malware to Aerospace Industry
Timestamp: [09:15]
A notable threat actor, TA455, linked to Iranian cyber operations, is orchestrating the Dream Job campaign targeting the aerospace sector. This campaign employs sophisticated spear-phishing techniques, presenting fake job offers complemented by a convincing LinkedIn presence to deceive targets into downloading malicious payloads.
Key attributes of the campaign:
- Malicious Files: The spear-phishing emails contain a zip file titled SignedConnection.zip, identified as malicious by five antivirus engines.
- Delivery Method: Victims receive a detailed PDF guide instructing them on safely downloading and opening the zip file, effectively steering them away from actions that could thwart the attack ([09:15]).
Steve Prentice notes the intricate nature of the attack:
"This campaign uses a spear phishing email containing fake job offers and supported by a convincing LinkedIn presence" ([09:15]).
The campaign's targeted approach within the aerospace industry underscores the sector's attractiveness to state-sponsored actors, aiming to infiltrate critical defense and commercial systems.
5. TSA Proposes New Rules for Cyber Incident Reporting at Pipelines and Railroads
Timestamp: [12:40]
The Transportation Security Administration (TSA) is advancing new regulations to formalize cyber incident reporting protocols for pipelines and railroads, as reported by The Record. These proposed rules aim to consolidate various security directives implemented since the Colonial Pipeline ransomware attack in 2021.
Key elements of the proposed TSA rules:
- Cyber Risk Management Plans: Organizations must develop comprehensive plans overseen by the TSA.
- Annual Cybersecurity Evaluations: These assessments must identify and address vulnerabilities, conducted by officials with no personal financial stake in the outcomes.
- Cybersecurity Operational Implementation Plan: A mandatory component detailing the execution of cybersecurity measures ([12:40]).
Prentice explains the scope of the impact:
"The TSA estimates that this proposed rule would impact about 300 surface transportation owners and operators, including 73 of the approximately 620 freight railroads currently operating in the U.S." ([12:40]).
These regulations are designed to enhance the resilience of critical transportation infrastructure against evolving cyber threats, ensuring consistent and effective security practices across the industry.
6. North Korean Hackers Develop Flutter Apps to Bypass macOS Security
Timestamp: [15:20]
North Korean threat actors have escalated their tactics by targeting Apple macOS systems with malicious applications built with Flutter, a popular open-source UI software development toolkit. These trojanized apps, masquerading as a benign notepad application and a Minesweeper game, are signed and notarized with genuine Apple Developer IDs.
Key insights:
- Security Bypass: The malicious apps successfully pass Apple's security checks, leading macOS systems to treat them as verified and allowing unrestricted execution ([15:20]).
- Campaign Nature: According to Jamf Threat Labs, the campaign appears experimental, focusing on testing whether the apps clear Apple's security checks rather than on executing highly targeted operations.
Prentice highlights the implications:
"This means that the malicious apps, even if temporarily, passed Apple's security checks, so macOS systems treat them as verified and allow them to execute without restrictions" ([15:20]).
This development signals a concerning evolution in the sophistication of North Korean cyber operations, leveraging legitimate development tools to facilitate undetected breaches on widely used platforms.
7. GitLocker’s GoIssue Tool Targets GitHub Developers and Supply Chains
Timestamp: [18:05]
A new tool called GoIssue has emerged from the threat actor known as cyberdluffy, purportedly a member of the GitLocker hacking group. The tool is offered for sale or rent and can extract email addresses from GitHub repositories, thereby serving as a gateway for broader cyber threats.
Details of GoIssue:
- Functionality: Enables email harvesting from GitHub repositories, facilitating source code theft, supply chain attacks, and corporate network breaches via compromised developer credentials.
- Origin: According to SlashNext, GoIssue was first developed for GitLocker’s internal use in early 2024 before being made available commercially ([18:05]).
Prentice comments on the threat:
"It makes it possible to extract email addresses from GitHub repositories, which SlashNext describes as a gateway to source code theft, supply chain attacks and corporate network breaches through compromised developer credentials" ([18:05]).
The proliferation of such tools underscores the importance of securing developer environments and repositories against exploitation by malicious actors seeking to undermine software supply chains.
8. Emergence of New Ransomware Family: Ymir
Timestamp: [20:50]
Researchers at Kaspersky have identified a new ransomware strain named Ymir. This malware is typically deployed following an initial compromise by RustyStealer, a tool used to gain control of systems through PowerShell commands.
Characteristics of Ymir:
- Operational Flow: After the attackers gain remote access and install auxiliary tools such as Process Hacker and Advanced IP Scanner, Ymir encrypts files using the ChaCha20 stream cipher.
- Detection Evasion: Incorporates features to avoid detection and maintain stealth within infected systems.
- Attribution: Currently, no specific threat group has been linked to Ymir ([20:50]).
Prentice outlines the threat:
"This includes detection-evasion features and is launched after a target system has been accessed remotely and after the installation of tools like Process Hacker and Advanced IP Scanner and RustyStealer" ([20:50]).
The advent of Ymir highlights the continuous evolution of ransomware tactics, emphasizing the need for robust endpoint security and proactive threat hunting to mitigate such emerging threats.
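The operational flow above (remote access, then Process Hacker and Advanced IP Scanner, then encryption) is a sequence a defender can hunt for before the encryption stage starts. The following is an added example, not code from the episode or from Kaspersky: a small correlator that flags hosts where two or more of those precursor stages appear within a 24-hour window. The executable names and the sample telemetry are constructed assumptions and should be tuned to how these tools appear in your own EDR data.

```python
"""Correlate ransomware-precursor tooling per host from process-creation events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Precursor stages from the Ymir write-up. Image names are assumptions: adjust
# them to match how these tools show up in your own process telemetry.
STAGES = {
    "powershell.exe": "powershell",
    "processhacker.exe": "process-hacker",
    "advanced_ip_scanner.exe": "advanced-ip-scanner",
}
WINDOW = timedelta(hours=24)
MIN_STAGES = 2  # PowerShell alone is too noisy; require a second stage

# Constructed sample telemetry: (ISO timestamp, host, image name, user)
EVENTS = [
    ("2024-11-12T08:01:00", "ws-17", "powershell.exe", "SYSTEM"),
    ("2024-11-12T08:14:00", "ws-17", "ProcessHacker.exe", "jdoe"),
    ("2024-11-12T08:30:00", "ws-17", "advanced_ip_scanner.exe", "jdoe"),
    ("2024-11-12T09:00:00", "ws-04", "powershell.exe", "admin"),
    ("2024-11-10T09:00:00", "ws-22", "processhacker.exe", "ops"),  # > 24h apart
    ("2024-11-12T10:00:00", "ws-22", "advanced_ip_scanner.exe", "ops"),
]


def precursor_hosts(events, window=WINDOW, min_stages=MIN_STAGES):
    """Return {host: sorted stage names} for every host on which at least
    `min_stages` distinct precursor stages occur within `window` of each other."""
    per_host = defaultdict(list)
    for ts, host, image, _user in events:
        stage = STAGES.get(image.lower())
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), stage))

    hits = {}
    for host, seen in per_host.items():
        seen.sort()  # chronological, so each start only needs to look forward
        for i, (start, _stage) in enumerate(seen):
            stages = {s for t, s in seen[i:] if t - start <= window}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits


if __name__ == "__main__":
    for host, stages in precursor_hosts(EVENTS).items():
        print(f"ALERT {host}: precursor chain {', '.join(stages)}")
```

On the sample data only ws-17 is flagged: ws-04 shows PowerShell alone, and the two tools on ws-22 are more than a day apart.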
Additional Insights and Sponsor Message
Throughout the episode, Steve Prentice underscores the dynamic nature of cybersecurity threats and the necessity for organizations to remain vigilant and adaptive.
Sponsor Highlight: ThreatLocker. Prentice introduces ThreatLocker as a solution for combating zero-day exploits and supply chain attacks. ThreatLocker advocates a proactive default-deny approach, offering comprehensive auditing of allowed and blocked actions for risk management and compliance. The platform is supported by a US-based team for onboarding and operation.
"To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com" ([Sponsor Section]).
Subscription Call-to-Action. Prentice encourages listeners to subscribe to the CISO Series on YouTube for additional content, including week-in-review livestreams, original interviews, demos, and podcast snippets.
Conclusion
Steve Prentice wraps up the episode by reiterating that the full cybersecurity stories are available on the CISO Series website, cisoseries.com. The episode serves as a concise update on the latest cyber threats and regulatory developments, equipping listeners with the knowledge to better safeguard their organizations.
"Cyber Security Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines." ([Conclusion]).
Stay informed and secure by following CISO Series for daily updates on the evolving world of information security.
