
Cybersecurity Today: Red Hat Breach, CLOP Targets Oracle, and CISA Cuts Critical Support
In this episode of Cybersecurity Today, host Jim Love covers a recent breach of Red Hat's consulting GitLab server, highlighting concerns over exposed network...
A
A Red Hat breach of their consulting GitLab server means that network maps and tokens may be in play. The CLOP gang targets Oracle E-Business Suite clients with extortion. Surveys show that Canadian firms feel overconfident in their cyber defenses, and CISA pulls critical support at the start of Cybersecurity Awareness Month. This is Cybersecurity Today. I'm your host, Jim Love.
Red Hat says that an internal GitLab server used by its consulting team was breached. The company cut off access, isolated the instance and says there's no evidence the incident impacts other Red Hat services or its software supply chain. An extortion crew calling itself Crimson Collective claims it stole about 3, 570 GB across 28,000 internal repos, including some 800 customer engagement reports, documents that could contain network information, configuration data, authentication tokens and even full database URLs. They also shared a directory listing on Telegram. Belgium's cybersecurity agency is warning organizations that used Red Hat Consulting to assume tokens and keys may be exposed and rotate credentials immediately, check integrations and step up monitoring for suspicious authentication and API activity. But a quick but important distinction. This was GitLab, not GitHub. GitHub says there was no breach of its managed cloud. This involved Red Hat's self-managed GitLab Community Edition instance, which customers themselves must patch and lock down. If those CERs and embedded secrets are real, attackers could walk in using working tokens and network maps, skipping the front door entirely. So today's action item: if you've engaged Red Hat Consulting since 2020, revoke and rotate tokens and database credentials and hunt for unusual token use in your logs.
Oracle is warning customers after the CLOP extortion group started sending emails directly to Oracle E-Business Suite clients claiming it had stolen sensitive data.
Now, E-Business Suite, not to be confused with PeopleSoft, which Oracle acquired and still operates separately, is Oracle's long-standing ERP system. It's used by tens of thousands of large enterprises and government agencies to run core financials, HR, payroll, supply chain and customer management. Just for context, in 2024 Oracle overtook SAP as the number one ERP vendor by revenue, pulling in 8.7 billion versus SAP's 8.6. CLOP's messages threaten to leak financial records, HR data, customer lists and supply chain files unless ransom demands are paid. Oracle says its networks and software supply chain weren't breached, but if CLOP's claims are correct, logic dictates this isn't random. It suggests a weakness in E-Business Suite deployments that affect a broad set of customers. Experts say there is strong evidence this really is CLOP, and history shows why that matters. This gang pulled off some of the most damaging enterprise attacks of the past five years, including Accellion's FTA platform, a zero-day in SolarWinds, a zero-day in GoAnywhere MFT, and the dreaded MOVEit Transfer campaign, which became the largest ever zero-day that enabled data theft from 2,773 organizations worldwide. That track record explains why this extortion should be taken seriously, and it raises the bar for Oracle. Simply denying involvement isn't going to be enough. Customers are going to need clear guidance on what kind of data could be realistically exposed in these EBS deployments and what defensive steps they need to take immediately.
And a new survey suggests that Canadian businesses are far too confident in their cyber readiness. KPMG in Canada polled 500 executives. 86% said they were confident their firms could withstand an attack. But more than half, 55%, admitted they'd already suffered at least one breach in the past two years. And the report highlights a dangerous confidence gap.
Despite over half of them having faced attacks, only 38% of companies say they've adopted Zero Trust security. Fewer than half regularly test their incident response plans, and just over half have invested in advanced detection tools like continuous monitoring. Sami Khoury, head of the federal government's cybersecurity program, told BNN Bloomberg, “The first thing I would say is don't underestimate the threat. Don't assume that because you're an SME that you're not going to be a victim of a cyber incident.” He warned that small and medium businesses are often part of larger supply chains, making them attractive entry points for attackers. They're also frequent targets for ransomware, phishing and credential theft because of weak passwords and limited defenses. Now a second survey by the Insurance Bureau of Canada makes this point even clearer. Only half of SMEs believe they're vulnerable, but of that, only 6% think an incident will actually happen to them. That's complacency, and it leaves firms exposed. The bottom line is whether you're a large enterprise or an SME, confidence isn't resilience. The numbers suggest that Canadian firms need to make plans, test those plans, and take these threats seriously, because the attackers already do.
In Washington, most of the headlines are about government shutdown and the agencies being forced to scale back as a result. But while that's grabbed attention, a separate and equally damaging closure has slipped under the radar. The US Cybersecurity and Infrastructure Security Agency, CISA, has ended its agreement with the Center for Internet Security, or CIS. That agreement gave state and local governments across the US access to free cybersecurity tools and resources. There were the ALBERT intrusion detection sensors, threat intelligence feeds, and incident response support. The ALBERT sensors are one of the only intrusion detection tools many small towns can afford. And without the CISA-CIS deal, they'll go dark.
Losing this support is not part of the shutdown that's going on in the US. It's a separate decision. And it couldn't come at a worse time. We're seeing ransomware gangs, foreign-backed actors, supply chain breaches, all of them hitting government networks almost weekly. Local governments and small agencies are among the weakest links. Taking away one of their most trusted sources of defense in the middle of a shutdown is like pulling firefighters off duty while the forest is already burning. Yes, there may be some duplication, and yes, CISA's federal mission is stretched, but the reality is simple. Cybersecurity is only as strong as the weakest link. State and local governments are where attackers often start. And removing CIS support now doesn't just weaken them, it weakens the entire US security ecosystem. And the irony. This announcement comes at the very start of Cybersecurity Awareness Month. Instead of reinforcing support, CISA is cutting it back. In the middle of a shutdown, the US has managed to create a second shutdown in cybersecurity support. Exactly the wrong move at the wrong time.
And that's our show. As a reminder, on Saturday, our Month in Review panel will be here with a look back at the issues we've covered and some deeper discussion on the themes for Cybersecurity Awareness Month. I'm your host, Jim Love. Thanks for listening.
Podcast: Cybersecurity Today
Host: Jim Love
Episode Date: October 3, 2025
On this episode, Jim Love delivers critical updates on recent cybersecurity incidents affecting global enterprises. The discussion covers:
Throughout, Love underscores the importance of realistic threat awareness and immediate, practical defensive actions as organizations face rising cyber risk.
[00:01–04:45]
Notable Quote:
“If those CERs and embedded secrets are real, attackers could walk in using working tokens and network maps, skipping the front door entirely.”
— Jim Love [03:30]
[04:45–09:45]
Notable Quote:
“This gang pulled off some of the most damaging enterprise attacks of the past five years... That track record explains why this extortion should be taken seriously...”
— Jim Love [08:05]
[09:45–14:00]
Notable Quotes:
“Don’t underestimate the threat. Don’t assume that because you’re an SME that you’re not going to be a victim of a cyber incident.”
— Sami Khoury (Head of the federal government’s cybersecurity program) [12:45]
“The bottom line is: whether you’re a large enterprise or an SME, confidence isn’t resilience.”
— Jim Love [13:35]
[14:00–17:45]
“Taking away one of their most trusted sources of defense in the middle of a shutdown is like pulling firefighters off duty while the forest is already burning.”
— Jim Love [16:23]
“Cybersecurity is only as strong as the weakest link. State and local governments are often where attackers start.”
— Jim Love [17:00]
This episode highlights major, multifaceted cyber risks and institutional gaps—from Red Hat’s exposed credentials to the fragility of local governments’ cyber defenses in the wake of CISA’s decision. Key takeaways include:
Love’s tone is urgent and practical, emphasizing actionable steps while calling out systemic vulnerabilities—to remind listeners that effective cybersecurity demands constant vigilance and collective responsibility.