
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, December 10, 2024. I'm Lauren Verno.

Romanian energy giant battles ongoing attack
A cyber attack is in progress. That's the note investors for the Electrica Group received on Monday. The Electrica Group provides energy to more than 3.8 million customers in Romania and is considered one of the most important energy service companies in the country. Providing limited details, a statement from the company CEO said they are working to resolve the issue and identify the source of the attack now. While not confirmed, the attack is believed to be tied to ransomware. The statement went on to say that critical systems have not been affected, but customers may notice disruptions in service that were purposely implemented to protect internal infrastructure. Now, some are speculating Russia may have had a hand in the attack after Romania blamed pro-Russian hackers last week for interfering in their presidential election, ultimately forcing the country to annul the results.

Ransomware disrupts medical device maker
Medical device maker Artivion reports they are still working to restore systems following a November ransomware attack that encrypted files and disrupted order, shipping and corporate operations. The medical device company, which makes and distributes aortic-centric cardiac and vascular medical products (think mechanical human heart valves and stent grafts) to over 100 countries, said the attack has caused disruptions to some order and shipping processes, though the company has largely mitigated most disruptions. As of this recording, no ransomware group has claimed responsibility for the attack.

Deloitte responds to data theft claims
Deloitte has responded to ransomware group Brain Cipher's claims of stealing over one terabyte of data, stating the incident involves a single client system outside of Deloitte's network. Brain Cipher, known for using LockBit-based malware, is threatening to release the data in five days unless a ransom is paid. This marks the second hacking claim against Deloitte recently, following IntelBroker's allegations in September, which the company said had limited impact.

OpenWrt warns of critical vulnerabilities
OpenWrt is urging users to upgrade their firmware immediately following the discovery of critical vulnerabilities in its Attended SysUpgrade service. The flaws involve a command injection bug and truncated SHA256 hashes, potentially allowing attackers to deliver compromised firmware images signed with legitimate keys. While no official OpenWrt images or verified custom builds were found to be affected, the project warned that older builds could remain vulnerable.

Thanks to today's episode sponsor, ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive, default deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com, that's T-H-R-E-A-T-L-O-C-K-E-R.

New Salt Typhoon details emerge
The Salt Typhoon campaign saga continues as White House cyber and emerging tech lead Anne Neuberger spoke at a conference over the weekend saying the Chinese cyber spies recorded, quote, very senior US political figures as well as stealing private communications. While Neuberger did not disclose who exactly those very senior officials may be, she did confirm that eight US telecom providers were compromised in the attack, along with organizations in dozens of other countries. These revelations come as the Senate prepares to scrutinize threats to American telecom networks in an upcoming hearing, with Salt Typhoon and China's broader cyber agenda expected to dominate discussions.

Black Basta evolves strategy
The Black Basta ransomware group has shifted tactics, using social engineering methods like email bombing, impersonating IT staff and distributing malicious payloads such as Zbot and DarkGate to gain initial access. Once victims install remote access tools like AnyDesk or TeamViewer, attackers deploy malware to harvest credentials, steal VPN configurations and bypass MFA protections, facilitating deeper infiltration. The shift showcases the ransomware group's move from purely botnet-reliant approaches to a hybrid model that integrates social engineering.

Airbnb fraud center arrests
Putting Airbnbs to a new use as fraud centers, Belgian and Dutch authorities arrested eight members of an international cybercrime network involved in phishing, online fraud and money laundering. Operating out of Airbnbs in Belgium and the Netherlands, the suspects targeted victims across Europe, stealing millions of euros through fake bank schemes and fraudulent door-to-door approaches. During searches, authorities seized luxury items, cash and electronic devices.

New report showcases risks to US critical infrastructure
A report from Fortress reveals thousands of vulnerabilities in software powering US critical infrastructure, with 25% of components and 90% of products containing China-developed code, which is more likely to have vulnerabilities. Researchers identified over 9,000 unique vulnerabilities, including 855 highly exploitable ones, and found 20 components responsible for 80% of critical risk. According to the report, the most common dependencies were the Linux kernel, zlib and OpenSSL.

A CISO can't shake a stick without finding a solution for managing excessive privileges. Yet years of data in the Verizon DBIR show remarkably high rates of employees abusing privileges to steal company data. If we have the right tools, why is this still a problem? That's what we're trying to answer in one of our segments in our latest CISO Series Podcast. Look for "Can Our Employees Just Go Back to Stealing Pens" in your favorite podcast app, or head on over to CISOseries.com. I'm Lauren Verno reporting for the CISO Series.
A
Cybersecurity Headlines is available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Cyber Security Headlines – CISO Series Podcast Summary
Episode: Romanian Energy Attack, Medical Device Disruption, Deloitte Responds to Data Theft Claims
Release Date: December 10, 2024
Host: Lauren Verno
At the outset of the episode, Lauren Verno discusses a significant cybersecurity incident involving Romania's Electrica Group. On Monday, investors were alerted that the company, which supplies energy to over 3.8 million customers, is under a cyber attack. Although Electrica has provided limited details, their CEO assured stakeholders that they are actively working to mitigate the issue and identify the attack's origin.
"We are working to resolve the issue and identify the source of the attack now." (00:07)
Believed to be a ransomware attack, the disruption has led to intentional service interruptions to safeguard critical internal infrastructure. Speculation arises that Russia may be implicated, following recent accusations where Romania attributed electoral interference to pro-Russian hackers, resulting in the annulment of presidential election results.
Next, Verno highlights a ransomware incident affecting Artivion, a prominent medical device maker specializing in cardiac and vascular products distributed globally. The November attack resulted in encrypted files and hindered order processing and shipping operations. Despite these challenges, Artivion has largely mitigated most disruptions.
"The attack has caused disruptions to some order and shipping processes, though the company has largely mitigated most disruptions." (00:07)
As of the podcast's recording, no ransomware group has claimed responsibility for this breach.
Deloitte is currently under scrutiny following claims from the ransomware group Brain Cipher, which alleges the theft of over one terabyte of data. Verno explains that Deloitte has countered these allegations by stating that the compromised data pertains to a single client system external to their main network.
"The incident involves a single client system outside of Deloitte's network." (00:07)
Brain Cipher, known for utilizing LockBit-based malware, has demanded a ransom within five days, threatening to release the stolen data otherwise. This incident marks the second recent hacking claim against Deloitte, the first being allegations from IntelBroker in September, which Deloitte asserted had minimal impact.
OpenWrt has issued a warning to its user base regarding critical vulnerabilities discovered in its Attended SysUpgrade service. The identified flaws include a command injection bug and truncated SHA256 hashes, which could enable attackers to deploy malicious firmware signed with legitimate keys.
"OpenWrt is urging users to upgrade their firmware immediately following the discovery of critical vulnerabilities." (00:07)
While no official OpenWRT images or verified custom builds have been compromised, older firmware versions remain at risk, prompting immediate action to maintain security integrity.
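The truncated-hash weakness in the OpenWrt item is a general property of digest prefixes: dropping bits from a 256-bit hash shrinks the collision search space to the square root of what remains. As an added illustration (not code from the episode, from the OpenWrt project, or a reproduction of its build service), the Python below contrasts identifying a build artifact by a short digest prefix with verifying its full SHA-256, and computes the birthday bound that explains why the truncated identifier is so much weaker. The prefix lengths, the `constructed-build-N` sample inputs and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import math


def sha256_hex(data: bytes) -> str:
    """Full 256-bit SHA-256 digest as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()


def truncated_key(data: bytes, hex_chars: int) -> str:
    """The weak pattern: identify an artifact by only a prefix of its digest.

    Each hex character carries 4 bits, so hex_chars=12 keeps 48 of 256 bits.
    (Assumed prefix lengths; the example does not claim what OpenWrt used.)
    """
    return sha256_hex(data)[:hex_chars]


def collision_work_factor(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**bits) distinct inputs give a 50%
    chance that two of them share the same bits-long prefix. For the full
    256 bits this is ~4e38 (infeasible); for 48 bits it is ~2e7 (trivial)."""
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


def find_prefix_collision(hex_chars: int, limit: int = 1_000_000):
    """Educational demonstration on a deliberately short prefix: generate
    constructed inputs until two distinct inputs map to the same truncated
    key. Returns the colliding pair, or None if `limit` inputs are exhausted.
    With hex_chars=4 (16 bits) the pigeonhole principle guarantees a hit
    within 65537 inputs; the birthday bound predicts one after ~320."""
    seen = {}
    for i in range(limit):
        data = b"constructed-build-%d" % i  # constructed sample input
        key = truncated_key(data, hex_chars)
        if key in seen and seen[key] != data:
            return seen[key], data
        seen[key] = data
    return None


def verify_artifact(expected_full_hex: str, data: bytes) -> bool:
    """Defensive check: compare the complete digest, in constant time.
    A prefix match is never accepted as proof of identity."""
    return hmac.compare_digest(sha256_hex(data), expected_full_hex)


if __name__ == "__main__":
    for bits in (16, 48, 128, 256):
        print(f"{bits:3d}-bit prefix: ~{collision_work_factor(bits):.3g} inputs to collide")
    a, b = find_prefix_collision(4)
    print("16-bit prefix collision:", a, b, truncated_key(a, 4))
    print("full digests equal?", sha256_hex(a) == sha256_hex(b))
    print("full verification of b against a's digest:", verify_artifact(sha256_hex(a), b))
```

The point for a defender reviewing any cache, build-reuse or signing pipeline: the identifier that decides whether an existing (already signed) artifact is served must be the full digest, and the comparison should be a constant-time check of all of it, not a prefix lookup.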
Verno proceeds to discuss the ongoing Salt Typhoon campaign, emphasizing recent statements from Anne Neuberger, White House Cyber and Emerging Tech Lead. Neuberger revealed that Chinese cyber spies have infiltrated and recorded communications of high-level US political figures, in addition to stealing private communications.
"Chinese cyber spies recorded, quote, very senior US Political figures as well as stealing private communications." (00:07)
Although specific officials were not named, Neuberger confirmed that eight US telecom providers were breached, along with organizations across numerous countries. These developments are timely, coinciding with upcoming Senate hearings focused on safeguarding American telecom networks against such sophisticated threats.
The episode then shifts focus to the Black Basta ransomware group, which has recently adapted its tactics to include enhanced social engineering methods. Verno outlines their new approach, which involves:
- email bombing;
- impersonating IT staff;
- distributing malicious payloads such as Zbot and DarkGate to gain initial access.
Once victims install remote access tools such as AnyDesk or TeamViewer, attackers deploy malware that harvests credentials, steals VPN configurations, and bypasses multi-factor authentication (MFA). This hybrid model demonstrates Black Basta's shift from solely relying on botnets to integrating more sophisticated social engineering techniques.
"The shift showcases the ransomware group's move from purely botnet reliant approaches to a hybrid model that integrates social engineering." (00:07)
Verno reports on significant law enforcement actions in Belgium and the Netherlands, where eight members of an international cybercrime network were apprehended. These suspects operated fraud centers out of Airbnbs, conducting phishing schemes, online fraud, and money laundering across Europe.
"Operating out of Airbnbs in Belgium and the Netherlands, the suspects targeted victims across Europe stealing millions of euros through fake bank schemes and fraudulent door to door approaches." (00:07)
Authorities confiscated luxury items, substantial cash reserves, and various electronic devices during their operations, highlighting the pervasive nature of cybercrime facilitated through unconventional means like short-term rentals.
A report from Fortress is discussed, revealing thousands of vulnerabilities within software that powers US critical infrastructure. Notably, 25% of software components and 90% of products contain code developed by China, which is more prone to vulnerabilities. The researchers identified over 9,000 unique vulnerabilities, including 855 that are highly exploitable. Furthermore, 20 software components were found to account for 80% of the critical risks, with the most common dependencies being the Linux kernel, Zlib, and OpenSSL.
"Researchers identified over 9,000 unique vulnerabilities, including 855 highly exploitable ones." (00:07)
This alarming data underscores the urgent need for robust cybersecurity measures to protect essential services from potential exploitation.
In the concluding segment, Verno touches upon the ongoing issue of excessive privileges within organizations. Drawing from years of data in Verizon’s Data Breach Investigations Report (DBIR), she highlights the high rates at which employees abuse privileges to steal company data. Despite the availability of effective tools to manage and monitor privileges, the problem persists.
"If we have the right tools, why is this still a problem? That's what we're trying to answer in one of our segments in our latest CISO Series podcast." (00:07)
Listeners are encouraged to explore this topic further by tuning into the related segment titled "Can Our Employees Just Go Back to Stealing Pens" available on their preferred podcast platforms or at CISOseries.com.
Conclusion
Lauren Verno's comprehensive coverage in this episode of Cyber Security Headlines provides listeners with in-depth analysis and updates on critical cybersecurity threats and incidents. From ransomware attacks on major energy and medical companies to sophisticated espionage campaigns and vulnerabilities in critical infrastructure, the episode underscores the ever-evolving landscape of information security. Additionally, discussions on persistent challenges like excessive privilege management offer valuable insights for cybersecurity professionals aiming to bolster their defenses.
For more detailed stories and daily updates, visit CISOseries.com.