Cyber Security Headlines - November 27, 2024
Host: Sean Kelly
Podcast: Cyber Security Headlines
Series: CISO Series
1. Interpol's Operation Serengeti Takes Down Over 1,000 Cybercrime Suspects in Africa
Sean Kelly opens the episode by highlighting a significant global law enforcement achievement:
Sean Kelly [00:00]: "Interpol announced Tuesday that authorities have arrested 1,006 cybercrime suspects in Africa during a massive joint operation called Operation Serengeti."
Operation Serengeti was conducted from September 2 to October 31 across 19 African countries, targeting criminals involved in:
- Ransomware
- Business Email Compromise
- Digital Extortion
- Online Scams
Key statistics from the operation include:
- 35,000 victims identified
- $193 million in global losses
This operation marks a substantial escalation compared to Interpol's previous efforts in Africa, which resulted in only 25 arrests over two years. Kelly emphasizes the scale and impact of this operation, underscoring the increased focus on combating cybercrime on the continent.
2. Blue Yonder Ransomware Attack Disrupts Major Companies in the US and UK
The discussion shifts to a recent ransomware attack affecting the supply chain management software provider Blue Yonder, a division of Panasonic.
Sean Kelly [00:00]: "A ransomware attack over the weekend on supply chain management software provider Blue Yonder has impacted operations at numerous companies in the US and the UK."
Impacted Companies:
- Starbucks: Experienced difficulties in managing employee schedules and processing payroll, leading some locations to calculate employee pay manually.
- UK Supermarket Chains:
  - Morrisons: Disrupted produce warehouse management systems.
  - Sainsbury's: Temporary operational impacts acknowledged.
Current Status:
- Blue Yonder is actively working to restore services.
- It remains unclear if customer data was compromised, raising ongoing concerns about data security and potential breaches.
3. Snowflake Breach Suspects and the Mysterious Kyber Phantom
Sean Kelly revisits recent developments concerning the Snowflake breach:
Sean Kelly [00:00]: "Two weeks ago on cybersecurity headlines, we brought to you news of indictments brought against two Snowflake breach suspects."
Key Points:
- Indictments: Two suspects from the Snowflake breach have been indicted.
- Kyber Phantom: A third, unidentified suspect continues to extort victims.
  - Quoted Statement: Kyber Phantom [Timestamp not provided]: "You don't think we have plans in the event of an arrest? Think again."
- Alleged Link to NSA: Kyber Phantom posted what they claimed was a data schema from the US National Security Agency. The NSA has not yet commented on this claim.
- Speculation on Identity: Investigators suggest Kyber Phantom may be a US soldier recently stationed in South Korea. However, Kyber Phantom has countered this by claiming the US Army persona is a ruse, stating:
  Kyber Phantom [00:00]: "I literally can't get caught."
  Kyber Phantom declined to elaborate further.
This ongoing saga raises questions about the true identity of the threat actor and the broader implications for national security.
4. RansomHub Claims Multiple Attacks in Texas and Minneapolis
The episode covers recent activities by the ransomware group RansomHub:
Sean Kelly [00:00]: "On Monday, the notorious ransomware operation took credit for damaging attacks on the city of Coppell, Texas, and the Minneapolis Park and Recreation Board."
Affected Entities:
- Coppell, Texas:
  - Impact: Wi-Fi at city facilities, library services, platforms for permits and inspections, and municipal court operations were taken down.
- Minneapolis Park and Recreation Board:
  - Impact: System-wide phone outage; residents advised to route emergency calls to 911.
- Additional Targets:
  - Two U.S. schools: Attacked by RansomHub; details remain limited.
Consequences:
These attacks disrupted essential municipal services and posed significant challenges to local authorities in maintaining public safety and operational continuity.
5. Salt Typhoon Enhances Arsenal with New Ghost Spider Backdoor
A report from Trend Micro reveals updates from the Chinese Advanced Persistent Threat (APT) group Salt Typhoon:
Sean Kelly [00:00]: "A new report from Trend Micro has revealed that the Chinese advanced persistent threat actor Salt Typhoon recently debuted a fresh backdoor dubbed Ghost Spider."
Ghost Spider Features:
- Highly Modular: Designed to be adjustable for various attack scenarios.
- Target Focus: High-value government and telecom organizations.
Notable Campaigns:
- Taiwanese Government and Chemical Producers:
  - Utilized malware variants Demodex and Snappybee.
- Long-Term Espionage:
  - Targeting Southeast Asian telecom and government networks using Ghost Spider and Demodex.
This development underscores the evolving sophistication of state-sponsored cyber threats and the ongoing need for robust defensive measures.
6. NACHO VPN Vulnerabilities Exploited to Install Malicious Updates
Security researchers from Amberwolf have identified vulnerabilities known as NACHO VPN:
Sean Kelly [00:00]: "Security researchers from Amberwolf detailed a delicious sounding set of vulnerabilities dubbed NACHO VPN that allows rogue VPN servers to install malicious updates."
Attack Methodology:
- Rogue VPN Servers: Malicious actors set up fake VPN servers.
- Victim Interaction: Victims are tricked into connecting their SonicWall NetExtender or Palo Alto Networks GlobalProtect VPN clients to these rogue servers via:
  - Malicious websites
  - Social engineering tactics
- Post-Connection Exploitation: Once a client is connected, the rogue server can:
  - Steal login credentials
  - Execute arbitrary code with elevated privileges
  - Install malicious software
  - Enable code-signing forgery or Man-in-the-Middle (MITM) attacks by installing malicious root certificates
Mitigations:
- SonicWall: Released patches for the NetExtender vulnerability in July.
- Palo Alto Networks: Released security updates for the GlobalProtect flaw the day before this episode.
This vulnerability highlights the critical importance of keeping VPN clients updated and educating users about the risks of connecting to unknown VPN servers.
7. Romcom APT Exploits Zero-Day Vulnerabilities in Browsers and Windows
The Romcom APT, aligned with Russian interests, has been active in exploiting zero-day vulnerabilities:
Sean Kelly [00:00]: "The Russia aligned threat actor known as Romcom has been exploiting two zero day security flaws... as part of attacks designed to deliver a Remote Access Trojan on victim systems."
Exploited Vulnerabilities:
- Firefox Bug:
  - Severity: 9.8
  - Type: Use-after-free vulnerability in Firefox's animation component.
  - Patch: Released by Mozilla in October.
- Microsoft Windows Bug:
  - Severity: 8.8
  - Type: Privilege escalation vulnerability in Windows Task Scheduler.
  - Patch: Released by Microsoft this month.
Attack Mechanism:
- If a victim browses a compromised web page containing the exploit, the adversary can run arbitrary code without any user interaction.
This activity underscores the ongoing threat posed by state-aligned APT groups exploiting software vulnerabilities to gain unauthorized access and control over target systems.
8. Black Friday Cybersecurity Deals
The podcast concludes with information on cybersecurity-related Black Friday promotions:
Sean Kelly [00:00]: "Cybersecurity vendors are getting in on the Black Friday frenzy as Malwarebytes Black Friday 2024 deals are now live..."
Featured Deals:
- Malwarebytes:
  - Discount: 50% off one- and two-year subscriptions.
  - Products: Personal, family, and business subscriptions, including standalone anti-malware software, VPN, and personal data remover services.
- NordVPN:
  - Discount: 74% off its top-rated VPN.
  - Promotion Period: Through December 10th.
Additional Information:
- These deals present an opportunity for individuals and organizations to enhance their cybersecurity posture at a reduced cost, making it an ideal time to invest in essential security tools.
9. Upcoming Events and Content
Sean Kelly provides a preview of future content and events:
Sean Kelly [00:00]: "We'll be back on Friday, December 6, with a Super Cyber Friday all about hacking AI supply chain..."
Upcoming Highlights:
- Super Cyber Friday Event:
  - Topic: Securing the foundations of AI applications.
  - Schedule:
    - 1 PM Eastern / 10 AM Pacific: Critical discussion on AI supply chain security.
    - 3:30 PM Eastern / 12:30 PM Pacific: Week in Review show featuring guest Edward Fry, Head of Security at Luminary Cloud.
Registration:
- Interested listeners are encouraged to register via the events page at cisoseries.com to join the live discussions and gain expert insights.
Conclusion
Sean Kelly wraps up the episode by reaffirming the podcast's commitment to delivering the latest and most relevant cybersecurity news:
Sean Kelly [00:00]: "Thank you for listening to the podcast that brings you more of the top cyber news stories and more cowbell."
Availability:
- Daily Updates: Cybersecurity headlines are available every weekday.
- Full Stories: Accessible at cisoseries.com for listeners seeking in-depth information beyond the summarized headlines.
