Amazon AI Tool Hacked, Scattered Spider Attacks VMware, and Major Ransomware Takedown | Cybersecurity Today

David Shipley

Amazon AI coding agent hacked to inject data wiping commands Scattered Spider is running a VMware ESXi hacking spree. Black suit, ransomware extortion sites seized in Operation Checkmate and insurance Giant says most U.S. customer data stolen in recent cyber attack this is Cybersecurity Today, and I'm your host David Shipley, coming to you from beautiful Fredericton, New Brunswick. A security scare hit Amazon's Generative AI powered coding tool Q developer extension for Visual Studio code after a hacker managed to inject rogue data wiping code into the project's GitHub repository, available on Microsoft's Visual Studio Code Marketplace. Amazon Q has racked up nearly 1 million installs. It helps developers code, debug and write documentation and set up configurations powered by generative AI. But on July 13, a GitHub user going by the alias lkeymanca58 submitted a pull request that slipped past Amazon's defenses. Due to what's believed to be a misconfigured workflow or weak permissions management, the malicious code was merged into the official project. The hacker's code didn't execute successfully, thankfully, but it contained a prompt designed to wipe systems and cloud resources, a message, it seems, meant to highlight weaknesses in how AI development tools are secured. Amazon was unaware of the breach and had published the compromised version 1.84.0 to the VSC Marketplace on July 17, making it publicly available to its user base. It wasn't until July 23 that Amazon received word from security researchers that something was wrong. The company launched an investigation and to its credit, released a clean update, version 1.85.0. Just 24 hours later, an Amazon spokesperson confirmed the breach to bleeping computer stating, security is our top priority. We quickly mitigated an attempt to exploit a known issue in two open source repositories. No customer resources were impacted, end quote. A deeper forensic analysis by AWS Security revealed that the injected code was targeting Q developer CLI command execution. The company revoked credentials, removed the unauthorized code and reissued the extension. Amazon insists that because the code was improperly formatted, it posed no actual risk. However, some researchers have said the code could run, though it still caused no damage. Still, all of this is the cyber equivalent of two planes getting way too close together in airspace. It's a serious incident and needs to be avoided in the future at all cost. Version 1.84.0 has been pulled from all distribution channels, and users are urged to Update to version 1.85.0 immediately. One of the most sophisticated and rampant cybercrime groups scattered Spider is once again making headlines, this time for precision targeted attacks on VMware's ESXi hypervisors across US organizations in the retail, airline, transportation and insurance sectors. According to a new report from the Google Threat Intelligence Group, these attackers are confirmed to not be relying on zero day exploits or software flaws, and instead, as with previous reporting, they continue to lean on near flawless social engineering to get around even mature security programs. Here's how Google broke it down first, the attackers begin by impersonating an employee calling the IT help desk to request a password reset for the user's active directory account. With credentials in hand, they move laterally across the target network, scanning for internal IT documentation to identify high value targets, particularly VMware vSphere and domain administrators. Step 2 Escalation they then locate privileged access management PAM systems, gaining intelligence on security policies and privileged credentials. With that information, they call back, this time impersonating a privileged admin and ask for another password reset. This gives them full control over sensitive systems. Next, they target the VMware VCenter server appliance to control the company's entire virtual infrastructure, including the ESXi hypervisors that run all virtual machines on physical servers. At this level, attackers enable SSH on the ESXI hosts, reset root passwords, and execute a disk swap attack. This technique allows them to extract the NTDS DIT active directory database by detaching virtual disks From Domain Controller VMs and attaching them to attacker controlled instances, copying the data before restoring the original setup. STEP 4 and this is particularly awful backup destruction Scattered spider doesn't stop there. With the control of the hypervisor, they wipe backup systems, delete snapshots, and erase repositories, cutting off possible chances for recovery. Step 5 ransomware deployment finally, using SSH access, they deploy ransomware binaries across the infrastructure, encrypting all virtual machine files in the data store. According to Google, a full ATT and CK chain from initial access to ransomware deployment can unfold in just a few hours. Quote they're gaining unprecedented control over entire virtualized environments, bypassing ingest security controls entirely, said a Google spokesperson. To help defenders stay ahead, Google's published technical guidance with three key defensive pillars number one lock down the hypervisor, harden vSphere with the exec, installed only VM encryption and disabled SSH. Avoid direct ad joins, delete orphan VMs, and force strong MFA. 2 isolate and authenticate Use robust multi factor authentication for all access points. Isolate tier 0 assets like domain controllers and backups from the systems they secure. Lastly, detect and recover. Standard advice here Centralize logs in a SIEM and alert on key behaviors. Maintain immutable error gap backups and test recovery against hypervisor level compromise In a major win for global cybercrime enforcement, law enforcement has seized the dark web infrastructure of the Black Suit ransomware operation, a group linked to hundreds of ransomware attacks on organizations around the world. The U.S. department of justice confirmed the takedown late last week, stating that authorities executed a court authorized seizure of Black Suits domains. The gang's Onion Dark websites now display a seizure banner from the U.S. homeland Security Investigations revealing the operation codename Operation Checkmate involve coordinated international law enforcement action. Black Suit is the latest alias of a ransomware lineage that includes royal and possibly even earlier ransomware families. The group is known for data extortioning campaigns and leveraging remote management tools and living off the land techniques to gain and maintain access inside victim networks. One of Black Suit's major hacks was the 2024 hit on CDK Global, a SaaS platform for car dealerships that caused weeks of havoc across North America. Now, researchers warn Black Suit may already be rebranding. On Thursday, Cisco, Talos reported, signs Black Suit is resurfacing as Chaos. Ransomware analysts noted similar tactics, encryption behaviors and ransom node structure between Chaos and the previous Black Suit campaigns. Quote Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of Black Suit or operated by some of its former members. Alliance Life Insurance company of North America has confirmed a significant data breach impacting the personal information of a majority of its 1.4 million US customers, financial professionals and select employees. In a statement issued to the BBC, Alliance's German parent company said that in July 16, 2025, a malicious actor gained unauthorized access to a third party cloud based customer relationship management system used by Alliance Life. The attackers reportedly used social engineering techniques to compromise the system, bypassing technical defenses by targeting people. According to alliance, only Alliance Life systems were affected and there is no evidence that their core corporate network or policy administration systems were accessed. That's good news. The company emphasized that the breach did not extend to its global customer base, which exceeds 125 million people. The breach was disclosed in a legal filing with Maine's Attorney General's office in the U.S. the company said it took immediate action to contain the incident, has notified the FBI and is actively contacting affected individuals to provide assistance. This breach highlights the continued threat posed by social Engineering. In previous updates from law enforcement, Scattered Spider was known to be targeting insurance companies. It's unknown if alliance was one of the organizations hit by Scattered Spider, but it's likely. And this breach highlights the growing risk posed by third party cloud platforms, especially those integrated into critical customer facing systems. It's critical that organizations look at access and identity and how those are going to be secured, and in particular, given the wake of the Clorox lawsuit against IT giant cognizant that IT help desk processes are hardened against social engineering as investigations continue, this incident serves as a stark reminder for companies to scrutinize third party access, educate staff on social engineering, and implement robust multi factor authentication across all vendor platforms. As always stay skeptical and stay patched. And don't ever give AI agents, or humans for that matter, direct access to prod. Ever. We're always interested in your opinion and you can contact us@EditorialEchnewsDay CA or leave a comment under the YouTube video as well. A small ask Help us spread the word about cybersecurity today. Give us a Like or subscribe. Leave us a review on your favorite podcasting platform, and if you like the show, please tell others. We'd love to grow our audience even more. And we need your help. I've been your host David Shipley, Jim Love will be back on Wednesday. Thanks for listening.