
Sean Kelly
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Wednesday, November 27, 2024. I'm Sean Kelly.

Interpol takes down over 1,000 cybercrime suspects in Africa

Interpol announced Tuesday that authorities have arrested 1,006 cybercrime suspects in Africa during a massive joint operation called Operation Serengeti. The operation ran from September 2 to October 31 across 19 African countries, targeting cybercriminals involved in ransomware, business email compromise, digital extortion and online scams. Interpol identified 35,000 victims linked to nearly $193 million in losses worldwide. Operation Serengeti is a huge upgrade from Interpol's previous cybercrime efforts in Africa, which led to just 25 arrests over the past two years.

Starbucks and UK grocers impacted by supply chain attack

A ransomware attack over the weekend on supply chain management software provider Blue Yonder, a division of Panasonic, has impacted operations at numerous companies in the US and the UK. Starbucks reported difficulties managing employee schedules and processing payroll, causing some locations to resort to manually calculating employee pay. The attack also affected several major UK supermarket chains, including Morrisons, which said its produce warehouse management system was disrupted, while Sainsbury's acknowledged a temporary impact on its operations. Blue Yonder continues to grapple with restoring its services, and it's unclear whether any customer data has been compromised.

Hacker in Snowflake extortions may be a US soldier

Two weeks ago on Cybersecurity Headlines, we brought you news of indictments against two Snowflake breach suspects. A third, unidentified suspect and prolific hacker known as Kyber Phantom continues to publicly extort victims. Kyber Phantom posted a threatening message following the arrests of the other two Snowflake breach suspects, saying, quote, "You don't think we have plans in the event of an arrest? Think again." End quote. The same day, Kyber Phantom posted what they claimed was a data schema from the US National Security Agency. The NSA has not yet responded to requests for comment. A careful review of Kyber Phantom's identities on cybercrime forums and Telegram and Discord channels suggests the threat actor may be a US soldier who is or was recently stationed in South Korea. However, Kyber Phantom told Krebs on Security that the US Army persona was just a ruse, and also stated, "I literally can't get caught," but declined to say why.

RansomHub claims hacks in Texas and Minneapolis

On Monday, the notorious ransomware operation took credit for damaging attacks on the city of Coppell, Texas, and the Minneapolis Park and Recreation Board. Coppell reported back in October that Wi-Fi at city facilities was taken down by the attack, alongside library services, platforms for permits and inspections, and municipal court operations. And last Wednesday, the Minneapolis Park and Recreation Board warned residents that they were attacked by an unknown person or persons. This resulted in a system-wide phone outage, and the board advised residents that any calls requiring park police or Minneapolis police response should be routed to 911. In addition to the Texas and Minnesota incidents, RansomHub also said Monday that it attacked two U.S. schools.

And now we'd like to thank today's episode sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R dot com.

Salt Typhoon bolsters arsenal with GhostSpider

A new report from Trend Micro has revealed that the Chinese advanced persistent threat actor Salt Typhoon recently debuted a fresh backdoor dubbed GhostSpider. According to Trend Micro, GhostSpider is a highly modular backdoor adjustable for any particular attack scenario. Salt Typhoon has been spying on high-value government and telecom organizations for several years. Two campaigns highlighted in the report target the Taiwanese government and chemical producers using malware called Demodex and SnappyBee, and long-term espionage against Southeast Asian telecom and government networks employing GhostSpider and Demodex.

New attack uses rogue VPN servers to install malicious updates

On Tuesday, security researchers from AmberWolf detailed a delicious-sounding set of vulnerabilities dubbed NachoVPN that allows rogue VPN servers to install malicious updates. Threat actors are using malicious websites and social engineering tactics to trick victims into connecting their unpatched SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to attacker-controlled VPN servers. From there, the miscreants use the rogue VPN endpoints to steal victims' login credentials, execute arbitrary code with elevated privileges, install malicious software, and launch code-signing forgery or man-in-the-middle attacks by installing malicious root certificates. SonicWall released patches to address the NetExtender vulnerability back in July, while Palo Alto Networks released security updates for the GlobalProtect flaw yesterday.

RomCom APT mounts zero-click browser escapes

The Russia-aligned threat actor known as RomCom has been exploiting two zero-day security flaws, one in the Firefox browser and the other in Microsoft Windows, as part of attacks designed to deliver a remote access trojan on victim systems. The Firefox bug is a 9.8-severity use-after-free vulnerability in Firefox's animation component and was patched by Mozilla in October. The Microsoft issue is an 8.8-severity privilege escalation vulnerability in Windows Task Scheduler and was patched by Microsoft this month. Researchers said, quote, "If a victim browses a web page containing the exploit, an adversary can run arbitrary code without user interaction required." End quote.

Don't miss out on Black Friday deals for your favorite cyber products

Cybersecurity vendors are getting in on the Black Friday frenzy, as Malwarebytes Black Friday 2024 deals are now live, offering a 50% discount on one- and two-year personal, family and business subscriptions to its standalone anti-malware software, VPN and personal data remover services. Meanwhile, NordVPN is now offering a 74% discount on its top-rated VPN as part of a Black Friday deal that runs through December 10. It's a perfect opportunity to fill your friends' and family's cyber stockings with the gift of security.

And that does it for today's Cybersecurity Headlines. Just a reminder, there will be no Cybersecurity Headlines tomorrow for the Thanksgiving holiday, but we'll have all the fresh cybersecurity headlines for you on Friday morning. We'll also be shutting down the engines on our usual slate of Friday livestream content this week, but we'll be back on Friday, December 6, with a Super Cyber Friday all about hacking the AI supply chain: an hour of critical thinking about what's new and familiar about securing the foundations of your AI applications. This lively discussion will begin at 1pm Eastern, 10am Pacific. Then later that Friday, at 3:30pm Eastern, 12:30pm Pacific, we'll be running down the top cyber news stories of the week during our Week in Review show, where we'll get expert insights from our guest, Edward Fry, head of security at Luminary Cloud. Just head over to the events page at cisoseries.com to register and join us live. Thank you for listening to the podcast that brings you more of the top cyber news stories and more cowbell. I'm Sean Kelly. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Sean Kelly
Podcast: Cyber Security Headlines
Series: CISO Series
Sean Kelly opens the episode by highlighting a significant global law enforcement achievement:
Sean Kelly: "Interpol announced Tuesday that authorities have arrested 1,006 cybercrime suspects in Africa during a massive joint operation called Operation Serengeti."
Operation Serengeti was conducted from September 2 to October 31 across 19 African countries, targeting criminals involved in:
Ransomware
Business email compromise
Digital extortion
Online scams
Key statistics from the operation include:
Arrests: 1,006 suspects
Victims identified: 35,000
Losses: nearly $193 million worldwide
This operation marks a substantial escalation compared to Interpol's previous efforts in Africa, which resulted in only 25 arrests over the past two years. Kelly emphasizes the scale and impact of the operation, underscoring the increased focus on combating cybercrime on the continent.
The discussion shifts to a recent ransomware attack affecting the supply chain management software provider Blue Yonder, a division of Panasonic.
Sean Kelly: "A ransomware attack over the weekend on supply chain management software provider Blue Yonder has impacted operations at numerous companies in the US and the UK."
Impacted Companies:
Starbucks: Experienced difficulties in managing employee schedules and processing payroll, leading some locations to manually calculate employee pay.
UK Supermarket Chains:
Morrisons: Said its produce warehouse management system was disrupted.
Sainsbury's: Acknowledged a temporary impact on its operations.
Current Status: Blue Yonder is still working to restore its services, and it is not yet known whether any customer data was compromised.
Sean Kelly revisits recent developments concerning the Snowflake breach:
Sean Kelly: "Two weeks ago on Cybersecurity Headlines, we brought you news of indictments against two Snowflake breach suspects."
Key Points:
Indictments: Two suspects from the Snowflake breach have been indicted.
Kyber Phantom: A third, unidentified suspect continues to extort victims.
Kyber Phantom: "You don't think we have plans in the event of an arrest? Think again."
Alleged Link to NSA: Kyber Phantom posted what they claimed was a data schema from the US National Security Agency. The NSA has not yet commented on this claim.
Speculation on Identity: A review of Kyber Phantom's identities on cybercrime forums and Telegram and Discord channels suggests the threat actor may be a US soldier who is or was recently stationed in South Korea. However, Kyber Phantom told Krebs on Security that the US Army persona is a ruse, stating:
Kyber Phantom: "I literally can't get caught," while declining to say why.
This ongoing saga raises questions about the true identity of the threat actor and the broader implications for national security.
The episode covers recent activities by the ransomware group RansomHub:
Sean Kelly: "On Monday, the notorious ransomware operation took credit for damaging attacks on the city of Coppell, Texas, and the Minneapolis Park and Recreation Board."
Affected Entities:
Coppell, Texas: Reported back in October that the attack took down Wi-Fi at city facilities, along with library services, platforms for permits and inspections, and municipal court operations.
Minneapolis Park and Recreation Board: Warned residents last Wednesday that it had been attacked by an unknown person or persons, resulting in a system-wide phone outage; residents were told to route any calls requiring park police or Minneapolis police response to 911.
Additional Targets: RansomHub also said Monday that it attacked two U.S. schools.
Consequences:
These attacks disrupted essential municipal services and posed significant challenges to local authorities in maintaining public safety and operational continuity.
A report from Trend Micro reveals updates from the Chinese Advanced Persistent Threat (APT) group Salt Typhoon:
Sean Kelly: "A new report from Trend Micro has revealed that the Chinese advanced persistent threat actor Salt Typhoon recently debuted a fresh backdoor dubbed GhostSpider."
GhostSpider Features:
Highly Modular: Designed to be adjustable for any particular attack scenario.
Target Focus: High-value government and telecom organizations, which Salt Typhoon has been spying on for several years.
Notable Campaigns:
Taiwanese Government and Chemical Producers: Targeted using malware called Demodex and SnappyBee.
Long-Term Espionage: Against Southeast Asian telecom and government networks, employing GhostSpider and Demodex.
This development underscores the evolving sophistication of state-sponsored cyber threats and the ongoing need for robust defensive measures.
Security researchers from AmberWolf have identified a set of vulnerabilities known as NachoVPN:
Sean Kelly: "Security researchers from AmberWolf detailed a delicious-sounding set of vulnerabilities dubbed NachoVPN that allows rogue VPN servers to install malicious updates."
Attack Methodology:
Rogue VPN Servers: Attackers stand up VPN servers under their own control.
Victim Interaction: Victims are tricked into connecting unpatched SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to these rogue servers via:
Malicious websites
Social engineering tactics
Post-Connection Exploitation: Once the client trusts the rogue endpoint, the attacker can steal the victim's login credentials, execute arbitrary code with elevated privileges, install malicious software, and install malicious root certificates that enable code-signing forgery or man-in-the-middle attacks.
Mitigations:
SonicWall: Released patches for the NetExtender vulnerability in July.
Palo Alto Networks: Released security updates for the GlobalProtect flaw yesterday (relative to the podcast date).
This vulnerability highlights the critical importance of keeping VPN clients updated and educating users about the risks of connecting to unknown VPN servers.
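The last step of that chain, a rogue server pushing a root certificate into the client's trust store, is the one that leaves the clearest host-level trace. The following is an added example, not code from the podcast or from AmberWolf's research: a small detector that flags root certificate installs from unexpected processes. It assumes endpoints forward Sysmon Event ID 13 (registry value set) records, in which a machine-wide root CA appears as a write to HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\<SHA-1 thumbprint>\Blob and a per-user one as the same tail under HKU\<SID>. The allow-list of legitimate installers is a hypothetical policy, and the sample events are constructed for the example.

```python
"""Detector for the last step of the NachoVPN chain: a rogue VPN server
planting a root certificate in the Windows trusted root store.

Added example, not code from the podcast or from AmberWolf's research.
Assumption: endpoints forward Sysmon Event ID 13 (registry value set)
records. A machine-wide root CA lands at
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\<SHA1>\\Blob
and a per-user one under HKU\\<SID>\\SOFTWARE\\... with the same tail.
The allow-list and the sample events below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Registry path written when a certificate is added to a Root store
# (machine store under HKLM, per-user store under HKU\<SID>).
ROOT_BLOB_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\SOFTWARE\\Microsoft\\SystemCertificates"
    r"\\Root\\Certificates\\(?P<thumbprint>[0-9A-Fa-f]{40})\\Blob$",
    re.IGNORECASE,
)

# Hypothetical allow-list of processes expected to add root certificates
# (here only the Windows automatic root update, which runs inside svchost).
ALLOWED_INSTALLERS = {r"c:\windows\system32\svchost.exe"}


@dataclass(frozen=True)
class RootInstall:
    store: str        # "machine" (HKLM) or "user" (HKU\<SID>)
    thumbprint: str   # SHA-1 thumbprint taken from the key name
    image: str        # process that wrote the Blob value


def parse_root_blob(target_object):
    """Return (store, thumbprint) if the path is a Root store Blob, else None."""
    m = ROOT_BLOB_RE.match(target_object)
    if not m:
        return None
    store = "machine" if m.group("hive").upper() == "HKLM" else "user"
    return store, m.group("thumbprint").upper()


def find_rogue_root_installs(events):
    """Flag Event ID 13 writes to a Root store by non-allow-listed processes."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue          # not a value-set event
        parsed = parse_root_blob(ev.get("TargetObject", ""))
        if parsed is None:
            continue          # some other registry value, not a root cert
        store, thumbprint = parsed
        image = ev.get("Image", "")
        if image.lower() in ALLOWED_INSTALLERS:
            continue          # expected installer, not interesting here
        alerts.append(RootInstall(store, thumbprint, image))
    return alerts


# Constructed sample telemetry (not real logs): four Sysmon-style records.
SAMPLE_EVENTS = [
    # Windows root update writing a root cert: allow-listed, no alert.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root"
                     r"\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob"},
    # A freshly downloaded "VPN update" adding a root cert to the user's store.
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\vpnupdate.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\SOFTWARE\Microsoft"
                     r"\SystemCertificates\Root\Certificates\DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\Blob"},
    # Same binary writing to the intermediate CA store: not a trust root, ignored.
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\vpnupdate.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\CA"
                     r"\Certificates\DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\Blob"},
    # Key creation (Event ID 12) rather than a value write: ignored.
    {"EventID": 12, "Image": r"C:\Users\victim\AppData\Local\Temp\vpnupdate.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root"
                     r"\Certificates\DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"},
]

if __name__ == "__main__":
    for alert in find_rogue_root_installs(SAMPLE_EVENTS):
        print(f"ALERT: root cert {alert.thumbprint} added to {alert.store} "
              f"store by {alert.image}")
```

Only the second record fires: a binary in a user's Temp directory adding a certificate to the user's Root store. Writes to the intermediate CA store are deliberately not flagged, since a certificate there cannot anchor a trust chain on its own; in a real deployment the allow-list would also need to cover your own management agents and certutil runs from approved admin tooling.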
The Romcom APT, aligned with Russian interests, has been active in exploiting zero-day vulnerabilities:
Sean Kelly: "The Russia-aligned threat actor known as RomCom has been exploiting two zero-day security flaws... as part of attacks designed to deliver a remote access trojan on victim systems."
Exploited Vulnerabilities:
Firefox Bug: A 9.8-severity use-after-free vulnerability in Firefox's animation component, patched by Mozilla in October.
Microsoft Windows Bug: An 8.8-severity privilege escalation vulnerability in Windows Task Scheduler, patched by Microsoft this month.
Attack Mechanism: Chained together, the two flaws mean a victim who merely browses a web page containing the exploit can have arbitrary code run on their system with no user interaction required; the payload is a remote access trojan.
This activity underscores the ongoing threat posed by state-aligned APT groups exploiting software vulnerabilities to gain unauthorized access and control over target systems.
The podcast concludes with information on cybersecurity-related Black Friday promotions:
Sean Kelly: "Cybersecurity vendors are getting in on the Black Friday frenzy as Malwarebytes Black Friday 2024 deals are now live..."
Featured Deals:
Malwarebytes: 50% off one- and two-year personal, family and business subscriptions to its standalone anti-malware software, VPN and personal data remover services.
NordVPN: 74% off its top-rated VPN as part of a Black Friday deal running through December 10.
Additional Information: Kelly pitches the deals as a way to give friends and family the gift of security.
Sean Kelly provides a preview of future content and events:
Sean Kelly: "We'll be back on Friday, December 6, with a Super Cyber Friday all about hacking the AI supply chain..."
Upcoming Highlights:
No episode Thursday: Cybersecurity Headlines skips the Thanksgiving holiday and returns Friday morning.
Friday livestreams paused this week: The usual Friday slate resumes December 6.
Super Cyber Friday, December 6, 1pm Eastern / 10am Pacific: An hour of critical thinking on hacking the AI supply chain and securing the foundations of AI applications.
Week in Review, December 6, 3:30pm Eastern / 12:30pm Pacific: A rundown of the week's top cyber news stories with guest Edward Fry, head of security at Luminary Cloud.
Registration: The events page at cisoseries.com.
Sean Kelly wraps up the episode by reaffirming the podcast's commitment to delivering the latest and most relevant cybersecurity news:
Sean Kelly: "Thank you for listening to the podcast that brings you more of the top cyber news stories and more cowbell."
Availability: New episodes every weekday, with the full stories behind the headlines at cisoseries.com.