Cybersecurity Today: Episode Summary – "Starbucks Issues Manual Pay To Employees During Ransomware Attack"
Hosted by Jim Love
On the November 27th, 2024 episode of Cybersecurity Today, host Jim Love delves into pressing cybersecurity threats impacting businesses, with a particular focus on AI-powered bot attacks during the holiday shopping season, the emergence of sophisticated malware, and a significant ransomware incident affecting Starbucks. This comprehensive summary captures the key discussions, insights, and conclusions presented in the episode.
1. Surge in AI-Powered Bot Attacks Targeting Retailers
As the holiday season commences, retailers are on high alert for an anticipated increase in AI-driven bot attacks. These sophisticated bots are disrupting online shopping experiences by executing fraudulent transactions, exploiting security vulnerabilities, and stealing sensitive customer information.
Types of AI-Driven Bots:
- Fraudulent Purchase Bots: These bots rapidly purchase high-demand items like sneakers and electronics, often for resale purposes, leading to consumer frustration.
- Security Exploit Bots: They scan retail networks for vulnerabilities, creating entry points for ransomware or other destructive attacks.
- Account Takeover Bots: Utilizing stolen credentials, these bots gain control of customer accounts, frequently bypassing standard security measures.
Jim Love highlights, “AI has significantly advanced the capabilities of these malicious bots, enabling attackers to automate and scale their operations.”
2. Statistics and Research Insights
Research from Imperva reveals alarming statistics about the prevalence of AI-driven attacks:
- Daily Attacks: Over 560,000 AI-driven attacks were recorded daily between April and September.
- Attack Types: A third of these attacks involved business logic abuses, manipulating prices and discount codes, while another third were Distributed Denial of Service (DDoS) attacks aimed at overwhelming websites to cause outages.
Jim Love cites, “The Retail and Hospitality Information Sharing and Analysis Center reports a sharp increase in bot activity during the holiday season, as cybercriminals exploit the high traffic and reduced visibility of their activities” (00:05).
Additionally, a survey by VikingCloud found that 52% of retailers feel more vulnerable to cyberattacks during the holidays, with threats extending beyond their websites to include third-party vendors. Kevin Pierce, VikingCloud's Chief Product Officer, emphasizes, “If key suppliers are vulnerable, the fulfillment of orders may be more challenging” (00:10).
3. Balancing Security and User Experience
Retailers face the challenge of implementing robust security measures without compromising the user experience. Measures such as multifactor authentication and purchase limits can deter bots but may also frustrate customers.
Jim Love notes, “Information sharing across the retail sector is crucial to identifying and blocking malicious domains and IP addresses used in attacks” (00:12). However, only 20% of companies express confidence in their defenses against high-volume AI bot attacks, underscoring the urgent need for improved security strategies.
4. Emergence of the Killfloor Malware
Cybersecurity researchers at Trellix have identified a new type of Windows malware named Killfloor, which exploits an old Avast anti-rootkit driver to infiltrate PCs. This malware operates at the kernel level, granting it the highest level of system access.
Mechanism of Killfloor:
- Exploitation of Avast Driver: The malware deploys a copy of a legitimate Avast driver to obtain kernel-level permissions.
- Bypassing Security Defenses: By leveraging a trusted driver, Killfloor evades traditional security measures, making detection more difficult.
- System Control: Once installed, the malware disables key security features and executes malicious processes, granting attackers near-total control over the affected system.
Jim Love explains, “Kernel level software, while useful for legitimate system operations, poses significant risks when compromised, as it can provide attackers with near total control over a system” (00:18).
This incident echoes previous issues, such as a faulty kernel-level update from CrowdStrike that caused widespread outages earlier in the summer, prompting companies like Microsoft to reassess their kernel access policies.
5. Starbucks Ransomware Attack and Response
In a significant ransomware incident, Starbucks is reverting to manual payroll processes following an attack on Blue Yonder, the third-party scheduling software provider used to manage employee schedules.
Impact of the Ransomware Attack:
- Operational Disruption: The ransomware attack on Blue Yonder has disrupted operations for multiple companies, including two of the UK's largest grocery chains and automaker Ford, which is investigating potential impacts.
- Manual Payroll Processes: To ensure accurate compensation, Starbucks is manually managing employee schedules and payments. Jaci Anderson, a Starbucks spokesperson, states, “Store leadership have advised their employees on how to work around the outage” (00:28).
Blue Yonder's Response:
- Blue Yonder has engaged cybersecurity firm CrowdStrike to assist in recovery efforts but has not disclosed the affected clients. The company is committed to working around the clock to address the incident.
Jim Love remarks, “Ransomware attacks are increasingly targeting large organizations during critical periods like the holiday season” (00:34). This disruption adds to the challenges faced by Starbucks' new CEO, Brian Niccol, as the company deals with declining sales over three consecutive quarters.
6. Broader Context of Ransomware Trends
Ransomware continues to be a formidable threat to large organizations, especially during peak periods. In 2023, ransomware attacks resulted in $1.1 billion in extortion payments globally, according to crypto tracking firm Chainalysis.
A study by Semperis found that 86% of surveyed organizations facing ransomware were attacked during holidays or weekends, times when defenses are typically weaker. This trend emphasizes the strategic timing of ransomware attacks to maximize disruption and the likelihood of successful extortion.
Jim Love concludes, “This disruption highlights the vulnerabilities in relying on third-party providers, especially during peak periods like the holiday shopping season” (00:40), underscoring the critical need for robust cybersecurity measures and contingency planning.
Conclusion
The November 27th episode of Cybersecurity Today provides a comprehensive overview of the evolving cybersecurity landscape, highlighting the rise of AI-powered bot attacks, the sophistication of new malware like Killfloor, and the significant impacts of ransomware incidents on major corporations such as Starbucks. Jim Love emphasizes the importance of collaboration, proactive defenses, and information sharing within the retail sector to safeguard operations during high-risk periods like the holiday season.
For further details and access to reports mentioned in this summary, listeners are encouraged to visit the show notes at technewsday.com and engage with the community through comments and tips at editorial@technewsday.com.
