Cyber Security Headlines – CISO Series Podcast Summary
Episode: Romanian Energy Attack, Medical Device Disruption, Deloitte Responds to Data Theft Claims
Release Date: December 10, 2024
Host: Lauren Verno
Romanian Energy Giant Faces Ongoing Cyber Attack
At the outset of the episode, Lauren Verno discusses a significant cybersecurity incident involving Romania's Electrica Group. On Monday, investors were alerted that the company, which supplies energy to over 3.8 million customers, is under a cyber attack. Although Electrica has provided limited details, its CEO assured stakeholders that the company is actively working to mitigate the issue and identify the attack's origin.
"We are working to resolve the issue and identify the source of the attack now." (00:07)
Believed to be a ransomware attack, the disruption has led to intentional service interruptions to safeguard critical internal infrastructure. Speculation has arisen that Russia may be implicated, following Romania's recent attribution of electoral interference to pro-Russian hackers, which led to the annulment of the presidential election results.
Ransomware Disrupts Medical Device Manufacturer Artivion
Next, Verno highlights a ransomware incident affecting Artivion, a prominent medical device maker specializing in cardiac and vascular products distributed globally. The November attack resulted in encrypted files and hindered order processing and shipping operations. Despite these challenges, Artivion has mitigated most of the disruption, and critical systems remain unaffected.
"The attack has caused disruptions to some order and shipping processes, though the company has largely mitigated most disruptions." (00:07)
As of the podcast's recording, no ransomware group has claimed responsibility for this breach.
Deloitte Responds to Data Theft Allegations by Brain Cipher
Deloitte is currently under scrutiny following claims from the ransomware group Brain Cipher, which alleges the theft of over one terabyte of data. Verno explains that Deloitte has countered these allegations by stating that the compromised data pertains to a single client system external to its main network.
"The incident involves a single client system outside of Deloitte's network." (00:07)
Brain Cipher, known for utilizing LockBit-based malware, has demanded a ransom within five days, threatening to release the stolen data otherwise. This incident marks the second recent hacking claim against Deloitte, the first being allegations from IntelBroker in September, which Deloitte asserted had minimal impact.
OpenWrt Urges Immediate Firmware Upgrades Due to Critical Vulnerabilities
OpenWrt has issued a warning to its user base regarding critical vulnerabilities discovered in its Attended Sysupgrade (ASU) service, which builds custom firmware images on request. The identified flaws are a command injection bug and the use of truncated SHA-256 hashes to identify build requests; together these could let an attacker obtain a malicious firmware image signed with the project's legitimate build keys.
"OpenWrt is urging users to upgrade their firmware immediately following the discovery of critical vulnerabilities." (00:07)
While no official OpenWrt images or verified custom builds have been found to be compromised, devices running older firmware remain at risk, so users are urged to upgrade promptly.
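To show why truncated hashes matter here, the following added example (not OpenWrt's own code; the build-request format and the prefix lengths are constructed assumptions) models a build service that identifies requests by a SHA-256 digest. It demonstrates that two different requests can share a short digest prefix after modest work, while a full-length digest compared properly cannot be matched this way:

```python
import hashlib
import hmac
import math
from typing import Optional, Tuple

# Constructed model of a build service that keys requests by a hash.
# The request string format below is an assumption, not OpenWrt's real format.

def request_fingerprint(request: str, hex_chars: Optional[int] = None) -> str:
    """SHA-256 of a build request, optionally truncated to hex_chars characters."""
    digest = hashlib.sha256(request.encode("utf-8")).hexdigest()
    return digest if hex_chars is None else digest[:hex_chars]

def birthday_work(hex_chars: int) -> float:
    """Expected hashes needed to find two requests sharing a hex_chars-character
    prefix: roughly sqrt(2^bits) with 4 bits per hex character."""
    return math.sqrt(2 ** (4 * hex_chars))

def find_prefix_collision(hex_chars: Optional[int],
                          limit: int = 1 << 16) -> Optional[Tuple[str, str]]:
    """Birthday search over constructed build requests. Returns two different
    requests whose (truncated) fingerprints are equal, or None if none is
    found within `limit` attempts."""
    seen = {}
    for i in range(limit):
        req = f"target=ath79/generic;pkgs=luci,extra-{i}"  # constructed request
        fp = request_fingerprint(req, hex_chars)
        if fp in seen:
            return seen[fp], req
        seen[fp] = req
    return None

def same_build(fp_a: str, fp_b: str) -> bool:
    """The safe check: only accept full 64-hex-character SHA-256 digests and
    compare them in constant time, never a prefix."""
    if len(fp_a) != 64 or len(fp_b) != 64:
        return False
    return hmac.compare_digest(fp_a, fp_b)

if __name__ == "__main__":
    pair = find_prefix_collision(6)  # 24-bit prefix: ~4096 hashes expected
    print("24-bit prefix collision:", pair)
    print("full-digest collision within 4096 tries:", find_prefix_collision(None, 1 << 12))
```

Lengthening the prefix only shifts the cost by the square root of the space; the defence is to compare the complete digest.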
Salt Typhoon Campaign Details Unveiled
Verno proceeds to discuss the ongoing Salt Typhoon campaign, emphasizing recent statements from Anne Neuberger, the White House lead on cyber and emerging technology. Neuberger revealed that Chinese cyber spies have infiltrated telecom networks and recorded the communications of very senior US political figures, in addition to stealing private communications.
"Chinese cyber spies recorded, quote, very senior US political figures as well as stealing private communications." (00:07)
Although specific officials were not named, Neuberger confirmed that eight US telecom providers were breached, along with organizations across numerous countries. These developments are timely, coinciding with upcoming Senate hearings focused on safeguarding American telecom networks against such sophisticated threats.
Evolution of the Black Basta Ransomware Group's Strategy
The episode then shifts focus to the Black Basta ransomware group, which has recently adapted its tactics to include enhanced social engineering methods. Verno outlines their new approach, which involves:
- Email Bombing: Sending large volumes of emails to overwhelm targets.
- Impersonating IT Staff: Gaining trust by posing as technical support personnel.
- Malicious Payloads: Distributing malware such as Zbot and DarkGate to establish initial access.
Once inside, the attackers use remote access tools such as AnyDesk or TeamViewer to install malware that harvests credentials, steals VPN configurations, and bypasses multi-factor authentication (MFA). This hybrid model demonstrates Black Basta's shift from relying solely on botnets to integrating more sophisticated social engineering techniques.
"The shift showcases the ransomware group's move from purely botnet reliant approaches to a hybrid model that integrates social engineering." (00:07)
International Arrests Targeting Airbnb-Operated Fraud Centers
Verno reports on significant law enforcement actions in Belgium and the Netherlands, where eight members of an international cybercrime network were apprehended. These suspects operated fraud centers out of Airbnbs, conducting phishing schemes, online fraud, and money laundering across Europe.
"Operating out of Airbnbs in Belgium and the Netherlands, the suspects targeted victims across Europe stealing millions of euros through fake bank schemes and fraudulent door to door approaches." (00:07)
Authorities confiscated luxury items, substantial cash reserves, and various electronic devices during their operations, highlighting the pervasive nature of cybercrime facilitated through unconventional means like short-term rentals.
New Report Highlights Vulnerabilities in US Critical Infrastructure
A report from Fortress is discussed, revealing thousands of vulnerabilities within the software that powers US critical infrastructure. Notably, 25% of software components and 90% of products contain code developed in China, which the report found to be more prone to vulnerabilities. The researchers identified over 9,000 unique vulnerabilities, including 855 that are highly exploitable. Furthermore, 20 software components were found to account for 80% of the critical risks, with the most common dependencies being the Linux kernel, zlib, and OpenSSL.
"Researchers identified over 9,000 unique vulnerabilities, including 855 highly exploitable ones." (00:07)
This alarming data underscores the urgent need for robust cybersecurity measures to protect essential services from potential exploitation.
Managing Excessive Privileges: A Persistent Challenge
In the concluding segment, Verno touches upon the ongoing issue of excessive privileges within organizations. Drawing from years of data in Verizon’s Data Breach Investigations Report (DBIR), she highlights the high rates at which employees abuse privileges to steal company data. Despite the availability of effective tools to manage and monitor privileges, the problem persists.
"If we have the right tools, why is this still a problem? That's what we're trying to answer in one of our segments in our latest CISO Series podcast." (00:07)
Listeners are encouraged to explore this topic further by tuning into the related segment titled "Can Our Employees Just Go Back to Stealing Pens" available on their preferred podcast platforms or at CISOseries.com.
Conclusion
Lauren Verno's comprehensive coverage in this episode of Cyber Security Headlines provides listeners with in-depth analysis and updates on critical cybersecurity threats and incidents. From ransomware attacks on major energy and medical companies to sophisticated espionage campaigns and vulnerabilities in critical infrastructure, the episode underscores the ever-evolving landscape of information security. Additionally, discussions on persistent challenges like excessive privilege management offer valuable insights for cybersecurity professionals aiming to bolster their defenses.
For more detailed stories and daily updates, visit CISOseries.com.
