Transcript
Jim Love (0:01)
This episode of Cybersecurity Today is brought to you by Elisa: A Tale of Quantum Kisses, a new novel from host Jim Love. You can find this exciting sci-fi adventure romance, a vision of a near-term AI future, at Amazon. In the Books section search for Elisa, E L I S A, that's Elisa, E L I S A, and Jim Love. Or check out the book's website at alyssabook. Now back to our regularly scheduled programming.

BlackBerry offloads Cylance endpoint security products to Arctic Wolf, AWS customers face a massive breach amid ShinyHunters' alleged regroup, Clop ransomware claims responsibility for Cleo data theft attacks, and Russia increases cyberattacks on critical infrastructure. Welcome to Cybersecurity Today. I'm your host, Jim Love.

They called it the Curse of the Bambino when Babe Ruth was sold to the New York Yankees in 1919, with the Boston Red Sox supposedly condemned to lose the World Series year after year because of it. This next story might be called the curse of BlackBerry, where the company paid $1.4 billion for what was regarded as the core of its new security offering, Cylance, only to sell it for a meager $160 million. BlackBerry acquired Cylance in 2018, hoping to combine AI-driven endpoint security with its Internet of Things and embedded systems businesses. Then-CEO John Chen called it a game-changing move, indispensable to realizing the Enterprise of Things, he said. But instead of a home run, it's been a strikeout. Cylance's revenue declined and the integration never delivered the results BlackBerry promised. Now Arctic Wolf has stepped in to acquire Cylance's endpoint products. The deal is structured as $80 million upfront, $40 million over the next year, and 5.5 million shares. Arctic Wolf CEO Nick Schneider said Cylance will be folded into the Aurora open XDR platform to simplify security operations, reduce alert fatigue and improve risk management. In his words, security has an operations and effectiveness problem. By incorporating Cylance's endpoint capabilities, we can deliver better outcomes for customers. BlackBerry, meanwhile, remains a strategic reseller of Cylance products and a shareholder in Arctic Wolf. But there may be a win in this after all, because investors seem to approve, with BlackBerry's stock jumping nearly 15% on the news.

AWS customers are reeling from a massive data breach after vulnerabilities in public-facing websites allowed hackers to access sensitive customer data. The attack has been linked to the re-emergence of ShinyHunters, a notorious hacking group operating under a new name, Nemesis. Cybersecurity researchers Noam Rotem and Ran Locar, working with vpnMentor, uncovered the operation. Hackers exploited misconfigurations across websites, gaining access to AWS credentials, proprietary source code, and even database secrets. The attackers scanned AWS IP ranges, used open source tools like Shodan, and deployed custom scripts to harvest credentials and infiltrate AWS services. This gave them the ability to send phishing emails, access systems, and extract valuable data. AWS quickly acted to mitigate the breach, quarantining compromised credentials and notifying affected customers. Now, AWS emphasized the importance of customers securing credentials properly, pointing to its shared responsibility model for cloud security. The breach highlights, though, how easily misconfigurations can be exploited, a recurring theme for cloud providers and their customers alike. Evidence suggested that the operation was orchestrated by former members of ShinyHunters, who ran the BreachForums site before its takedown earlier this year.

I have to say something about this story, and I know AWS always points to the shared responsibility model, but, and I'm not an infrastructure guy, but I had to provision a server recently using AWS, and I have to tell you, if you've ever seen that backend where you look at the security assignments and how they work, it's a dog's breakfast. I have no wonder at all why there are so many mistakes made in configuring those servers. Just a thought. Maybe AWS needs to step up and get a UX designer in there. If everybody's making the mistake, maybe there's something wrong with the interface.

The Clop ransomware gang has taken responsibility for a recent data theft attack on the managed file transfer platforms of a company named Cleo. The group used zero-day vulnerabilities tracked as CVE-2024-50623 and CVE-2024-55956 to breach corporate networks and steal sensitive data. Now, Cleo's platforms, including Harmony, VLTrader and LexiCom, are widely used by businesses to securely exchange files. The first vulnerability, CVE-2024-50623, was disclosed in October and allowed unrestricted file uploads leading to remote code execution. Cleo released a patch soon after, but hackers continued to exploit the flaw. And more recently, cybersecurity firm Huntress warned of further zero-day exploits leading to widespread data theft. In an interview with BleepingComputer, Clop couldn't say how much data they had stolen, but described it as quite a lot. The group claimed they were now deleting data from past breaches to focus on new companies compromised in these Cleo attacks. Clop is no stranger to high-profile attacks. They've previously targeted organizations through similar managed file transfer vulnerabilities, including MOVEit and Accellion. This latest incident underscores the ongoing risks posed by zero-day exploits in third-party software. For Cleo users, it's another wake-up call to patch vulnerabilities immediately and ensure systems are properly secured. And for those companies that Clop says they're going to be targeting, the customers of Cleo, this has got to be keeping you up at night.

Russian-aligned hacker groups are ramping up attacks on Western critical infrastructure, targeting energy, water and utility systems. The two main groups, known as the People's Cyber Army and Z-Pentest, have escalated their operations, tampering with operational technology controls and posting their exploits on Telegram. Cyble Research reports that the groups have targeted critical infrastructure across Canada, the U.S., Romania, Germany and other Ukrainian allies. Notable incidents include ransomware attacks on Romanian utility provider Electrica, which supplies power to 4 million users, and attacks on oil and water systems in the U.S. PCA claims to have disrupted water treatment plants and oil well operations, causing downtime and environmental risks. Zed Pentest, or for my American listeners, Zee Pentest, which emerged in October, has focused on industrial control systems, tampering with water pumping, gas flaring and oil collection operations. Cyble warned that these attacks expose vulnerabilities in critical systems that remain accessible to threat actors. While the groups claim to operate independently, analysts suspect alignment with Russian government interests. Analysts believe these cyberattacks could be a precursor to larger espionage operations as Moscow faces mounting pressure over the war in Ukraine. Cyble noted that while Russian hackers have shown increasing sophistication, they remain behind Chinese actors like Volt Typhoon in capability. For utilities and critical infrastructure operators, this surge in attacks is a stark reminder of the need for enhanced cybersecurity defenses. The consequences of operational disruptions are severe, and adversaries like Russia appear determined to exploit any weakness.

That's our show for today. You can find links in the show notes at technewsday.com or technewsday.ca. Take your pick. You can reach me with comments, questions or tips at editorial@technewsday.ca. I'm your host, Jim Love. Thanks for listening.
