
Retailers Face AI Bot Attacks, Avast Exploit, and Starbucks Ransomware Challenges In this episode of 'Cybersecurity Today,' host Jim Love covers the latest cyber threats impacting retailers, including AI-powered bot attacks and ransomware incidents....
Jim Love
Retailers brace for AI-powered bot attacks during holiday season shopping, hackers exploit old Avast driver to deliver Windows malware, and Starbucks turns to manual pay after ransomware attacks on a scheduling software. This is Cybersecurity Today. I'm your host, Jim Love.
Retailers are gearing up for a surge in AI-enabled bot attacks. As the holiday shopping season begins, these sophisticated bots begin to disrupt online shopping by making fraudulent purchases, exploiting security vulnerabilities and stealing customer information. AI has significantly advanced the capabilities of these malicious bots, enabling attackers to automate and scale their operations. There are fraudulent purchases: bots that quickly buy up high-demand items like sneakers and electronics, often for resale, frustrating consumers. There are security exploits: bots scanning retailers' networks for vulnerabilities, creating entry points for ransomware or other destructive attacks. And there are account takeovers: automated bots that use stolen credentials to gain control of customer accounts, often bypassing the traditional defenses.
Research from a firm called Imperva found retail websites experienced over 560,000 AI-driven attacks daily between April and September. A third of these were business logic abuses, manipulating prices, discount codes or bypassing security protocols, while another third were distributed denial of service or DDoS attacks, overwhelming websites with spikes to cause outages. The Retail and Hospitality Information Sharing and Analysis Center reports a sharp increase in bot activity during the holiday season as cybercriminals exploit the high traffic and reduced visibility of their activities. A Viking Cloud survey revealed 52% of retailers feel more vulnerable to cyberattacks during the holidays, with threats extending beyond websites to third-party vendors. "If key suppliers are vulnerable, the fulfillment of orders may be more challenging," said Viking Cloud's Chief Product Officer Kevin Pierce.
Retailers are facing a delicate balance between security and user experience. Measures like multifactor authentication or purchase limits can deter bots but risk frustrating customers. Information sharing across the retail sector is crucial to identifying and blocking malicious domains and IP addresses used in attacks. But with just 20% of companies reporting confidence in their defenses against high-volume AI bot attacks, the retail industry is racing to adapt as AI-driven threats evolve. Collaboration and proactive defenses are critical to safeguarding this year's holiday season shopping.
Cybersecurity researchers at Trellix have uncovered a new type of Windows malware dubbed Killfloor that leverages an old Avast anti-rootkit driver to infiltrate PCs. This kernel-level malware disables critical security systems, allowing attackers to take over the computer and execute malicious processes. The malware begins by deploying a copy of the legitimate Avast driver, which grants it kernel-level permissions, the highest level of access within the operating system. By exploiting this trusted driver, hackers bypass many of the usual security defenses, making their malware harder to detect. Once installed, the malware disables key security features and runs processes to gain control of the machine.
Kernel-level software, while useful for legitimate systems operations, poses significant risks when compromised. It can provide attackers with near total control over a system, as seen in this case. Similar issues arose this summer when a faulty kernel-level update from CrowdStrike caused widespread outages, prompting Microsoft to review its policies on kernel access. As hackers continue to exploit legitimate tools for malicious purposes, companies like Microsoft and others are reviewing how kernel access is granted to prevent similar issues in the future.
Starbucks is manually paying its baristas following a ransomware attack on Blue Yonder, the third-party software provider it uses to manage employee schedules. The outage forced the coffee chain to revert to manual processes to ensure workers are compensated accurately, according to Starbucks spokesperson Jassy Anderson. Blue Yonder, an Arizona-based cloud services provider for major corporations, was hit by ransomware last week. The attack has disrupted operations for multiple companies, including two of the UK's largest grocery chains and automaker Ford, which is investigating potential impacts. Blue Yonder services are critical for supply chain and workforce management, leaving affected companies scrambling for workarounds.
Starbucks assured employees they would be paid for all hours worked, with local managers stepping in to handle schedules manually. Store leadership have advised their employees on how to work around the outage, Anderson said. Blue Yonder has engaged cybersecurity firm CrowdStrike to assist in recovery, but has not disclosed which clients were affected. In a statement, the company says that it's working around the clock to respond to this incident.
Ransomware attacks are increasingly targeting large organizations during critical periods like the holiday season. In 2023, ransomware extorted a record $1.1 billion globally, according to crypto tracking firm Chainalysis. A study by Semperis found that 86% of surveyed organizations facing ransomware were attacked during holidays or on weekends, when defenses are often weaker. This disruption adds to the challenges faced by Starbucks' new CEO Brian Niccol as the company grapples with declining sales across three consecutive quarters. The attack also highlights the vulnerabilities in relying on third-party providers, especially during peak periods like the holiday shopping season.
And that's our show for today. You can find links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips and the occasional bit of constructive criticism at editorial@technewsday.ca. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: Episode Summary – "Starbucks Issues Manual Pay To Employees During Ransomware Attack"
Hosted by Jim Love
On the November 27th, 2024 episode of Cybersecurity Today, host Jim Love delves into pressing cybersecurity threats impacting businesses, with a particular focus on AI-powered bot attacks during the holiday shopping season, the emergence of sophisticated malware, and a significant ransomware incident affecting Starbucks. This comprehensive summary captures the key discussions, insights, and conclusions presented in the episode.
As the holiday season commences, retailers are on high alert for an anticipated increase in AI-driven bot attacks. These sophisticated bots are disrupting online shopping experiences by executing fraudulent transactions, exploiting security vulnerabilities, and stealing sensitive customer information.
Types of AI-Driven Bots:
Jim Love highlights, “AI has significantly advanced the capabilities of these malicious bots, enabling attackers to automate and scale their operations.”
Research from Imperva reveals alarming statistics about the prevalence of AI-driven attacks:
Jim Love cites, “The Retail and Hospitality Information Sharing and Analysis Center reports a sharp increase in bot activity during the holiday season, as cybercriminals exploit the high traffic and reduced visibility of their activities” (00:05).
Additionally, a survey by Viking Cloud found that 52% of retailers feel more vulnerable to cyberattacks during the holidays, with threats extending beyond their websites to include third-party vendors. Kevin Pierce, Viking Cloud's Chief Product Officer, emphasizes, “If key suppliers are vulnerable, the fulfillment of orders may be more challenging” (00:10).
Retailers face the challenge of implementing robust security measures without compromising the user experience. Measures such as multifactor authentication and purchase limits can deter bots but may also frustrate customers.
Jim Love notes, “Information sharing across the retail sector is crucial to identifying and blocking malicious domains and IP addresses used in attacks” (00:12). However, only 20% of companies express confidence in their defenses against high-volume AI bot attacks, underscoring the urgent need for improved security strategies.
Cybersecurity researchers at Trellix have identified a new type of Windows malware named Killfloor, which exploits an old Avast anti-rootkit driver to infiltrate PCs. This malware operates at the kernel level, granting it the highest level of system access.
Mechanism of Killfloor:
Jim Love explains, “Kernel level software, while useful for legitimate system operations, poses significant risks when compromised, as it can provide attackers with near total control over a system” (00:18).
This incident echoes previous issues, such as a faulty kernel-level update from CrowdStrike that caused widespread outages earlier in the summer, prompting companies like Microsoft to reassess their kernel access policies.
In a significant ransomware incident, Starbucks is reverting to manual payroll processes following an attack on Blue Yonder, the third-party scheduling software provider used to manage employee schedules.
Impact of the Ransomware Attack:
Blue Yonder's Response:
Jim Love remarks, “Ransomware attacks are increasingly targeting large organizations during critical periods like the holiday season” (00:34). This disruption adds to the challenges faced by Starbucks' new CEO, Brian Niccol, as the company deals with declining sales over three consecutive quarters.
Ransomware continues to be a formidable threat to large organizations, especially during peak periods. In 2023, ransomware attacks resulted in $1.1 billion in global extortion, according to crypto tracking firm Chainalysis.
A study by Semperis found that 86% of surveyed organizations facing ransomware were attacked during holidays or weekends, times when defenses are typically weaker. This trend emphasizes the strategic timing of ransomware attacks to maximize disruption and the likelihood of successful extortion.
Jim Love concludes, “This disruption highlights the vulnerabilities in relying on third-party providers, especially during peak periods like the holiday shopping season” (00:40), underscoring the critical need for robust cybersecurity measures and contingency planning.
The November 27th episode of Cybersecurity Today provides a comprehensive overview of the evolving cybersecurity landscape, highlighting the rise of AI-powered bot attacks, the sophistication of new malware like Killfloor, and the significant impacts of ransomware incidents on major corporations such as Starbucks. Jim Love emphasizes the importance of collaboration, proactive defenses, and information sharing within the retail sector to safeguard operations during high-risk periods like the holiday season.
For further details and access to reports mentioned in this summary, listeners are encouraged to visit the show notes at technewsday.com and engage with the community through comments and tips at editorial@technewsday.com.