GlobalX breach, Google settles lawsuits, UK software security guidelines - Cybersecurity Headlines

Summary

Summary of "Cyber Security Headlines" – CISO Series Podcast Episode Released on May 13, 2025

Hosted by Rich Stroffelino, the "Cyber Security Headlines" episode from CISO Series delivers comprehensive updates on the latest developments in the information security landscape. This summary encapsulates the key topics discussed, enriched with notable quotes and structured for clarity.

1. GlobalX Breach: Cyberattack on Global Crossing Airlines Group

On May 5, 2025, Global Crossing Airlines Group, also known as Global X, experienced a significant cyberattack. According to a filing with the U.S. Securities and Exchange Commission:

Nature of the Attack: Attackers gained unauthorized access to systems supporting portions of Global X's business applications.
Extent of Compromise: Over the subsequent weekend, the attackers reportedly contacted 404 Media, offering sensitive information related to Global Crossing's ICE deportation flights, including flight records and passenger lists.
Impact on Operations: Despite the breach, Global X assured stakeholders that the attack did not disrupt operational activities and would not have a material financial effect on the company.

“The airline said the attack did not disrupt operations and would not create a material effect on its finances.” – Rich Stroffelino, [00:06]

2. Google Settles Privacy Lawsuits

Google has reached settlements in privacy-related lawsuits filed in 2022 by multiple states and the District of Columbia:

Legal Background: Attorneys General from Texas, Indiana, Washington State, and the District of Columbia accused Google of making it virtually impossible for users to opt out of location tracking. Additionally, Texas Attorney General Ken Paxton filed a lawsuit alleging unauthorized collection of biometric data.
Settlement Details: Google agreed to pay a combined total of $1.375 billion without admitting any liability. The company also committed to updating its products and practices to address the concerns raised.
Industry Context: This follows a precedent where Meta settled a similar case with Texas in July of the same year for unauthorized collection of biometric information.

“Google settled both cases, agreeing to pay a combined $1.375 billion and admitting no liability.” – Rich Stroffelino, [00:06]

3. UK Launches Software Security Guidelines

The UK's National Cybersecurity Center (NCSC) in collaboration with the Department for Science, Innovation and Technology has introduced a voluntary Software Security Code of Practice:

Scope of the Code: Comprising 14 principles, the guidelines cover secure design and development, building environments, deployment and maintenance, and customer communication.
Alignment with International Standards: The UK's guidelines mirror the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design principles.
Future Prospects: While the current program is voluntary with no regulatory enforcement, there is potential for the NCSC to develop a certification program based on these standards in the future.

4. Arrest in Dutch Ransomware Attacks

Moldovan authorities have apprehended a 45-year-old individual allegedly involved in ransomware attacks targeting Dutch companies in 2021:

Targets and Damage: Notably, the Netherlands Organization for Scientific Research was affected, resulting in damages amounting to €4.5 million. These attacks were linked to the notorious DoppelPammer group.
Legal Proceedings: The suspect, who is internationally wanted for blackmail and money laundering, is undergoing extradition to the Netherlands for trial.

5. Hacktivist Attacks in India: Overhyped Threats

Recent weeks have seen numerous hacktivist groups claim over 100 successful cyberattacks against prominent Indian entities, including:

Targets: Election Commission of India, National Informatics Centre, and the Prime Minister's Office.
Analysis by Cloudsec: Investigations revealed that many of these attacks were largely symbolic, involving:
- DDoS Attacks: Causing minor, barely noticeable website downtimes.
- Website Defacements: Brief alterations lasting mere minutes.
- Data Exfiltration Claims: Mostly involving public data rather than sensitive information.
Linked Activities: These attacks were primarily hyped by Pakistan-linked accounts on platform X (formerly Twitter), associating them with supposed ongoing operations.
Recommended Vigilance: Experts advise organizations to be more wary of sophisticated threats from groups like APT36, which has recently launched a phishing campaign targeting Indian government bodies using emotionally charged lures to deploy the Crimson RAT via malicious documents.

6. Andy Frane Discloses Data Breach

Andy Frane, a company providing physical security services to venues, businesses, and airports, has reported a significant data breach:

Breach Details: Discovered in October 2024, the cyberattack impacted over 100,000 individuals. The ransomware group Black Basta claimed responsibility in November, declaring the theft of approximately 750 GB of data.
Company Response: Andy Frane is offering affected individuals up to 24 months of credit and identity monitoring services. It remains unclear whether a ransom was paid.
Black Basta Status: Following the attack, Black Basta has largely ceased operations, possibly due to internal conflicts within the group.

7. IoT Devices Exploited as Proxies for Rental Services

Researchers from Lumens Black Lotus Labs, collaborating with the U.S. Department of Justice, FBI, and Dutch national police, uncovered a campaign leveraging Internet of Things (IoT) devices:

Campaign Origin: Based in Turkey, the operation targeted IoT and End-of-Life SOHO devices to build a botnet.
Botnet Scale: Initially claimed to comprise over 7,000 active proxies daily across more than 80 countries. However, actual active proxies were closer to 1,000, predominantly located in the U.S., Ecuador, and Canada.
Monetization: The botnet was rented out for activities such as ad fraud, DDoS attacks, and credential stuffing.
Mitigation Efforts: Lumens collaborated with law enforcement to disrupt the botnet by routing traffic through its backbone, complying with DNS blocking orders.

8. DNS Resolvers' Compliance with EU Court Orders

A report by TorrentFreak's Ernesto van der Saar examines how major DNS resolvers are responding to EU court-mandated blocks on piracy-related domains:

Actions by Specific Providers:
- Cisco's OpenDNS: In response to blocking orders in France and Belgium, OpenDNS withdrew its services from these markets entirely.
- Cloudflare: Asserted that it did not block content on its public 1.1.1.1 DNS resolver. Instead, it implemented alternative mechanisms to adhere to court orders, resulting in blocked sites displaying an HTTP 451 error.
- Google's DNS Resolver: Chose to refuse DNS queries entirely for blocked sites, without providing contextual information or redirecting to an explanation, which contradicts Belgian court directives requiring explanatory redirects.
Implications: These measures have sparked debate over transparency and adherence to court-mandated protocols, with concerns that some resolvers may be overstepping or not fully complying with legal expectations.

9. Reflections on Cybersecurity Best Practices

Rich Stroffelino concludes the episode by addressing a critical aspect of cybersecurity culture:

Observation: Professionals in the field often become overly fixated on perfecting every detail, potentially neglecting broader, meaningful improvements.
Challenge: The industry needs to balance the pursuit of best practices with practical implementation, avoiding the pitfalls of demanding absolute perfection which can stifle progress.
Encouragement: Emphasizing the importance of embracing incremental and impactful enhancements rather than holding out for unattainable purity in security measures.

“Too often professionals lose the forest for the trees, insisting on perfection instead of encouraging practices that are still a net positive for organizations.” – Rich Stroffelino, [07:36]

Conclusion

The episode of "Cyber Security Headlines" by CISO Series provides a thorough overview of recent cybersecurity incidents, legal developments, and industry responses. From major corporate breaches and legal settlements to governmental guidelines and sophisticated cyber threats, Rich Stroffelino delivers insights that are essential for professionals seeking to stay informed and adapt to the evolving digital threat landscape. The discussion culminates in a thoughtful reflection on fostering a balanced approach to cybersecurity practices, advocating for meaningful progress over unattainable ideals.

For more in-depth stories and updates, listeners are encouraged to visit CISOseries.com.

Transcript

A (0:00)

From the CISO series, it's Cybersecurity Headlines.

B (0:06)

These are the cybersecurity headlines for Tuesday, May 13, 2025. I'm Rich Stroffelino. Global Crossing Airlines Group confirmed Cyberattack According to a filing with the U.S. securities and Exchange Commission, the airline, also known as Global X, suffered a cyberattack on May 5, 2025, the attacker's access systems supporting portions of its business applications. Over the weekend, the attackers contacted 404 Media allegedly offering information about Global Crossing's ICE deportation flights, including flight records and passenger lists. The airline said the attack did not disrupt operations and would not create a material effect on its finances. Google settles privacy lawsuits back in 2022, Attorneys General for Texas, Indiana, Washington State and the District of Columbia filed lawsuits against Google a alleging that the search giant made it virtually impossible to opt out of location tracking. Texas Attorney General Ken Paxton followed this with an October 2022 lawsuit alleging Google collected biometric data without consent. Google settled both cases, agreeing to pay a combined $1.375 billion and admitting no liability. The company also said it updated its products and practices to resolve the concerns brought in the lawsuits. Meta paid out a similar settlement to Texas for collecting biometric information back in July. UK launches software security guidelines the UK's National Cybersecurity center and Department for Science, Innovation and Technology published a voluntary software security Code of practice last week. This code includes 14 principles across the themes like secure design and development, build environments, deployment and maintenance, and customer communication. This largely echoes CISA's Secure by Design principles in the US at launch. The program is entirely voluntary and has no regulatory oversight, but the NCSC could adopt a certification program based on the standards in the future. Suspect arrested for Dutch ransomware Attacks Moldovan Authorities arrested a 45 year old man allegedly involved in ransomware attacks against Dutch companies back in 2021. These attacks include one against the Netherlands Organization for Scientific research, which caused 4.5 million euros in damage and was tied to the doppelpamer group. Police say the suspect is internationally wanted for blackmail and money laundering. In other cybercrime related cases, Moldovan authorities began extraditing the individual to the Netherlands for trial and now thanks to our sponsor for today. Vanta, do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs we rely on point in time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get your security questionnaires done five times faster with a a new way to GRC get started at vanta.com headlines that's v a n t a dot com headlines hacktivist attacks hide the Real Threat over the past several weeks, several hacktivist groups claimed over 100 successful attacks against prominent targets in India, including the Election Commission of India, the National Informatics center, and the Prime Minister's office. However, an investigation by Cloudsec found that most of these attacks seemed largely symbolic, with ddoses that led to barely noticed downtime website defacings that lasted mere minutes and supposedly exfiltrated data made up mostly of public data. These attacks appeared mostly hyped by Pakistan linked accounts on X, which linked them to supposed ongoing operations. The researchers instead say organizations should be on the lookout for attacks from the Pakistan linked APT36 or, which launched a sophisticated phishing campaign against Indian government targets. These use emotionally charged lures to deploy Crimson rat using malicious PDFs and PowerPoint attachments Physical security company discloses data Breach Andy Frane provides physical security services to venues, businesses and airports. In a notice to Maine's attorney general, the firm disclosed that it had discovered a cyberattack in October 2024 impacting over 100,000 people. The ransomware group Black Basta previously took credit for the attack back in November, claiming to have stolen about 750 GB of data. No word on what data was stolen, but the firm is offering victims up to 24 months of credit and identity monitoring. No word if Andy Frane paid a ransom. Since the attack, Black Basta has mostly gone dark, seemingly over internal conflicts. IoT devices turned into proxy for rent service. Researchers at Lumens Black Lotus Labs worked with the US doj, FBI and Dutch national police to track a campaign based out of Turkey that targeted Internet of Things and End of Life SOHO devices to create a botnet. The network spread to over 80 countries, with most botnet devices based in the U.S. ecuador and Canada. The operators claimed the network contained over 7,000 active proxies per day, but researchers found this number inflated and was actually closer to about 1,000. The operators sold out network access for ad fraud, DDoS attacks and credential stuffing. Lumen worked with law enforcement to disrupt the network by routing traffic through its backbone responses to DNS blocking orders. Torrent Freak's Ernesto van der Saar put together a look at how DNS Resolvers like OpenDNS, Google and Cloudflare responded to orders from EU courts to block DNS queries tied to piracy. In response to blockage orders in France and Belgium, Cisco's OpenDNS left those markets entirely. Cloudflare, meanwhile, maintained that it did not block content going through its public 1.1.1.1 DNS resolver, but instead identified alternate mechanisms to comply with relevant court orders. Court ordered sites now show an HTTP 451 error. As a result, Google's DNS resolver simply refuses the DNS query entirely, not linking to the lookup of any IP address. This doesn't give any context for why the lookup failed, and also appears to go against the advice of the Belgian court, which required a redirect to an explanation for the block when does passion for cybersecurity best practices turn into smugness for anything that falls short? Too often professionals lose the forest for the trees, insisting on perfection instead of encouraging practices that are still a net positive for organizations. So how can we do better about embracing meaningful improvements instead of demanding purity? That's one of the segments we dig into in our latest episode of the CISO Series podcast. Look for the episode I'm not looking down at you, I'm looking down at what you're doing. Wherever you get your podcasts. Reporting for the CISO series, I'm Rich Strofalino, reminding you to have a super sparkly day.