Giant Food cyberattack, Snowflake suspects indicted, zero-day vulnerability surge - Cybersecurity Headlines

Summary

Cyber Security Headlines: November 13, 2024 Hosted by CISO Series

In the latest episode of Cyber Security Headlines by CISO Series, host Steve Prentice delves into several critical developments shaping the information security landscape. This comprehensive summary captures the key points, discussions, insights, and conclusions from the episode, providing valuable information for professionals and enthusiasts alike.

1. Dutch Cybersecurity Incident Impacts Giant Food and Hannaford

Timestamp: [00:00]

The episode opens with a significant cybersecurity incident involving the Dutch food company Achold Dulluis. The attack, which occurred on a Friday, compelled the company to take parts of its operations offline. This disruption has had a cascading effect, impacting various e-commerce and supermarket chains globally, including Food Lion, Giant Food, Hannaford, Stop and Shop, and The Giant Company.

Steve Prentice highlights the severity of the situation:
"The head office in Holland has not yet offered further details as of this recording, but its actions are suggestive of a ransomware attack" ([00:00]).

The lack of detailed information suggests that the company is likely grappling with a ransomware scenario, potentially affecting supply chains and customer data. The broader implications for the retail sector underline the vulnerability of critical infrastructure to sophisticated cyber threats.

2. Indictment Against Snowflake Breach Suspects

Timestamp: [02:45]

Following up on last week's coverage, an indictment related to the Snowflake breach is discussed. The U.S. District Court for the Western District of Washington has formally charged Conor Mooka, a Canadian citizen, and John Binns with orchestrating an international hacking and extortion scheme. This operation targeted over ten organizations, including major entities like AT&T, demanding ransom payments after exfiltrating sensitive data.

Prentice details the financial scale of the operation:
"They reportedly extorted digital currency as a ransom valued at approximately $2.5 million" ([02:45]).

Although the indictment does not disclose all victim companies, it aligns with previous reports linking Snowflake to breaches at prominent firms such as Ticketmaster and Santander. This case underscores the persistent threat posed by cybercriminals targeting data storage solutions to compromise multiple high-profile organizations.

3. Surge in Zero-Day Vulnerability Exploits: Five Eyes Warns of New Normal

Timestamp: [05:30]

The Five Eyes Intelligence Alliance—comprising the US, UK, Australia, Canada, and New Zealand—has issued a stark warning about the increasing prevalence of zero-day vulnerabilities. Contrary to previous years where attackers exploited older software flaws, there is now a noticeable shift towards leveraging newly discovered weaknesses.

Key points from the Five Eyes report include:

Netscalers from Citrix are identified as the most widely exploited networking products.
Critical vulnerabilities have been found in Cisco routers and Fortinet VPN equipment.
The Move It file transfer tool was exploited by the Klop ransomware gang.

Prentice emphasizes the gravity of this trend:
"A surge in zero-day vulnerability exploits is the new normal," ([05:30]).

The report, also linked by CISA, highlights the evolving tactics of cyber adversaries who are increasingly targeting cutting-edge vulnerabilities to bypass traditional security measures, posing significant challenges for defenders.

4. Iranian Dream Job Campaign Delivers Malware to Aerospace Industry

Timestamp: [09:15]

A notable threat actor, TA455, linked to Iranian cyber operations, is orchestrating the Dream Job campaign targeting the aerospace sector. This campaign employs sophisticated spear-phishing techniques, presenting fake job offers complemented by a convincing LinkedIn presence to deceive targets into downloading malicious payloads.

Key attributes of the campaign:

Malicious Files: The spear-phishing emails contain a zip file titled SignedConnection.zip, identified as malicious by five antivirus engines.
Delivery Method: Victims receive a detailed PDF guide instructing them on safely downloading and opening the zip file, effectively steering them away from actions that could thwart the attack ([09:15]).

Steve Prentice notes the intricate nature of the attack:
"This campaign uses a spear phishing email containing fake job offers and supported by a convincing LinkedIn presence" ([09:15]).

The campaign's targeted approach within the aerospace industry underscores the sector's attractiveness to state-sponsored actors, aiming to infiltrate critical defense and commercial systems.

5. TSA Proposes New Rules for Cyber Incident Reporting at Pipelines and Railroads

Timestamp: [12:40]

The Transportation Security Administration (TSA) is advancing new regulations to formalize cyber incident reporting protocols for pipelines and railroads, as reported by The Record. These proposed rules aim to consolidate various security directives implemented since the Colonial Pipeline ransomware attack in 2021.

Key elements of the proposed TSA rules:

Cyber Risk Management Plans: Organizations must develop comprehensive plans overseen by the TSA.
Annual Cybersecurity Evaluations: These assessments must identify and address vulnerabilities, conducted by officials with no personal financial stake in the outcomes.
Cybersecurity Operational Implementation Plan: A mandatory component detailing the execution of cybersecurity measures ([12:40]).

Prentice explains the scope of the impact:
"The TSA estimates that this proposed rule would impact about 300 surface transportation owners and operators, including 73 of the approximately 620 freight railroads currently operating in the U.S." ([12:40]).

These regulations are designed to enhance the resilience of critical transportation infrastructure against evolving cyber threats, ensuring consistent and effective security practices across the industry.

6. North Korean Hackers Develop Flutter Apps to Bypass macOS Security

Timestamp: [15:20]

North Korean threat actors have escalated their tactics by targeting Apple macOS systems with malicious applications crafted using Flutter, a popular open-source UI software development toolkit. These trojanized apps, masquerading as legitimate Notepad and Minesweeper games, are signed and notarized with genuine Apple Developer IDs.

Key insights:

Security Bypass: The malicious apps successfully pass Apple's security checks, leading macOS systems to treat them as verified and allowing unrestricted execution ([15:20]).
Campaign Nature: According to JAMF Threat Labs, the campaign appears experimental, focusing on bypassing security rather than executing highly targeted operations.

Prentice highlights the implications:
"This means that the malicious apps, even if temporarily, passed Apple's security checks, so macOS systems treat them as verified and allow them to execute without restrictions" ([15:20]).

This development signals a concerning evolution in the sophistication of North Korean cyber operations, leveraging legitimate development tools to facilitate undetected breaches on widely used platforms.

7. GitLocker’s GoIssue Tool Targets GitHub Developers and Supply Chains

Timestamp: [18:05]

A new tool called GoIssue has emerged from the threat actor known as Cyberluffy, purportedly a member of the GitLocker hacking group. This tool is designed for sale or rent on GitHub, offering capabilities to extract email addresses from repositories, thereby serving as a gateway for broader cyber threats.

Details of GoIssue:

Functionality: Enables email harvesting from GitHub repositories, facilitating source code theft, supply chain attacks, and corporate network breaches via compromised developer credentials.
Origin: According to SlashNext, GoIssue was first developed for GitLocker’s internal use in early 2024 before being made available commercially ([18:05]).

Prentice comments on the threat:
"It makes it possible to extract email addresses from GitHub repositories, which next describes as a gateway to source code theft, supply chain attacks and corporate network breaches through compromised developer credentials" ([18:05]).

The proliferation of such tools underscores the importance of securing developer environments and repositories against exploitation by malicious actors seeking to undermine software supply chains.

8. Emergence of New Ransomware Family: Wimir

Timestamp: [20:50]

Researchers at Kaspersky have identified a new ransomware strain named Wimir. This malware is typically deployed following a breach via Rusty Stealer, a tool used to compromise systems through PowerShell commands.

Characteristics of Wimir:

Operational Flow: After gaining remote access and installing auxiliary tools like Process Hacker and Advanced IP Scanner, Wimir encrypts files using the StreamCypher ChaCha20 algorithm.
Detection Evasion: Incorporates features to avoid detection and maintain stealth within infected systems.
Attribution: Currently, no specific threat group has been linked to Wimir ([20:50]).

Prentice outlines the threat:
"This includes detection, evasion features and is launched after a target system has been accessed remotely and after the installation of tools like Process Hacker and advanced IP scanner and rusty stealer" ([20:50]).

The advent of Wimir highlights the continuous evolution of ransomware tactics, emphasizing the need for robust endpoint security and proactive threat hunting to mitigate such emerging threats.

Additional Insights and Sponsor Message

Throughout the episode, Steve Prentice underscores the dynamic nature of cybersecurity threats and the necessity for organizations to remain vigilant and adaptive.

Sponsor Highlight: ThreatLocker Prentice introduces ThreatLocker as a solution for combating zero-day exploits and supply chain attacks. ThreatLocker advocates a proactive default deny approach, offering comprehensive auditing of allowed and blocked actions for effective risk management and compliance. The platform is supported by a US-based team, ensuring seamless onboarding and operation.

"To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com" ([Sponsor Section]).

Subscription Call-to-Action Prentice encourages listeners to subscribe to the CISO Series on YouTube for additional content, including week-in-review livestreams, original interviews, demos, and podcast snippets.

Conclusion

Steve Prentice wraps up the episode by reiterating the availability of detailed cybersecurity stories on the CISO Series website, csoseries.com. The episode serves as a crucial update on the latest cyber threats and regulatory developments, equipping listeners with the knowledge to better safeguard their organizations.

"Cybersecurity headlines are available every weekday. Head to csoseries.com for the full stories behind the headlines." ([Conclusion]).

Stay informed and secure by following CISO Series for daily updates on the evolving world of information security.

Transcript

Steve Prentice (0:00)

From the CISO series it's Cybersecurity Headlines these are the cybersecurity headlines for Wednesday, November 13, 2024. I'm Steve Prentice. Dutch cybersecurity incident affects Giant Food and Hanaford A cybersecurity incident hit the Dutch food company Achold Dulluis on Friday, forcing the company to take some of its operations offline. This has subsequently impacted a number of e commerce and supermarket sites around the world, including Food Lion, Giant Food, Hannaford, Stop and Shop and the Giant Company. The head office in Holland has not yet offered further details as of this recording, but its actions are suggestive of a ransomware attack Indictment against Snowflake Breach suspects is released following up on coverage we delivered last week regarding Snowflake. This indictment was filed in the U.S. district Court of Western Washing and identifies Conor Mooka, who is a Canadian citizen, and John Binns as accused of executing an international hacking and extortion scheme targeting more than 10 organizations, including AT&T, with demands for ransom following the theft of sensitive data. They reportedly extorted digital currency as a ransom valued at approximately $2.5 million. The indictment itself does not specify the victim's companies, but it does align with previous reports linking the breaches to prominent firms that were customers of the daily data storage firm Snowflake, such as Ticketmaster and Santander. Surge in zero day vulnerability exploits is the new normal, says Five Eyes. This warning comes from the Five Eyes Intelligence alliance, which is the us, the uk, Australia, Canada and New Zealand, and states that contrary to previous years in which malicious cyber attacks were exploiting older software vulnerabilities, the tide has turned with the networking product netscalers from Citrix being the most widely used. Their report also mentions a critical vulnerability affecting Cisco routers and another in FortinetVPN equipment and one affecting the Move it file transfer tool that was of course exploited by the Klopp ransomware gang. A link to the report published by CISA is available in the show. Notes to this episode Iranian Dream Job campaign delivers malware to aerospace industry this campaign, attributed to the Iranian linked threat actor TA455, uses a spear phishing email containing fake job offers and supported by a convincing LinkedIn presence to get victims to download a zip file titled signedconnection zip, which has been flagged as malicious by five antivirus engines, according to a report from Clear Sky Cybersecurity. The download instructions provide a detailed PDF guide to instruct the victim on how to safely download and open the zip file, warning against actions that might prevent the attack from succeeding thanks to Today's episode's sponsor, ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night? Well, worry no more. You can harden your security with Threat Locker. Threat Locker helps you take a proactive default deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com that is T H R E A T L O c k e r.com TSA proposes new rules for cyber incident reporting at pipelines and railroads as reported in the Record, the rule would formalize several security directives issued by TSA since the ransomware attack on colonial pipeline in 2021. They would require cyber risk management plans overseen by the TSA and would need to include annual cybersecurity evaluations assessment plans to identify unaddressed vulnerabilities and to be run by officials who do not have a personal financial interest in the results of the assessment. This also requires a Cybersecurity Operational Implementation Plan. The TSA estimates that this proposed rule would impact about 300 surface transportation owners and operators, including 73 of the approximately 620 freight railroads currently operating in the U.S. north Korean hackers create flutter apps to bypass macOS security North Korean threat actors are now targeting Apple macOS systems using trojanized notepad apps and Minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer id. According to Bleeping Computer, this means that the malicious apps, even if temporarily, passed Apple's security checks, so macOS systems treat them as verified and allow them to execute without restrictions. According to JAMF Threat Labs, that is jamf the lab that discovered the activity. The campaign appears more like an experiment on how to bypass macOS security rather than a fully fledged and highly targeted operation. End Quote GitLocker's Go issue tool focuses on GitHub developers and supply chains. A threat actor going by the name of Cyberluffy and claiming to be a member of the Gitlocker hacking group, and that is spelled G I T L is now offering a new GitHub publishing tool for sale or rent named GoIssue. It makes it possible to extract email addresses from GitHub repositories, which next describes as a gateway to source code theft, supply chain attacks and corporate network breaches through compromised developer credentials. Slash Next describes it as the sale or the rental of the tool that Gitlocker first developed for itself for email harvesting in early 2024. New ransomware Wimir delivered after a Rusty Stealer breach Researchers at Kaspersky have identified a new ransomware family called Wimir, which attackers use after breaching systems through PowerShell commands. It includes detection, evasion features and is launched after a target system has been accessed remotely and after the installation of tools like Process hacker and advanced IP scanner and rusty stealer. The ransomware uses the StreamCypher ChaCha20 algorithm to encrypt the files. No group has yet been associated with this product. Are you subscribed to the ciso series on YouTube? If not, you're missing out on a lot of great content. We host our Week in Review livestreams there, as well as posting original content, interviews, demos and podcast snippets. If that sounds like what you want to be watching, search for ciso series on YouTube and subscribe. I'm Steve Prentice reporting for the CISO series. Cybersecurity headlines are available every weekday. Head to csoseries.com for the full stories behind the headlines.