Transcript
Catalin Cimpanu (0:04)
The Banshee Stealer malware shuts down after its source code leaks online, New York fines Geico over a 2020 security breach, a new pro-Kremlin group emerges out of India, and a Russian espionage group is behind recent Firefox and Windows zero-days. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 27th of November and this podcast episode is brought to you by Stairwell. Stairwell lets you know if, when and where malware has ever been on your systems by collecting, storing and continuously reassessing every executable file and indicator of compromise in your environment. Find them at stairwell.com.

In today's top story, Banshee Stealer has shut down after someone breached its malware-as-a-service portal and leaked the group's source code. The incident took place earlier this week and was announced via hacking forums and Telegram channels. The Banshee group launched its operation in August and was one of the several new macOS infostealers this year. Its most memorable feature was its price of over $3,000 per month, which is 10 times more than most infostealer gangs charge.

In other news, a ransomware attack on Arizona supply chain software company Blue Yonder is impacting some of the world's largest retailers. Sainsbury's and Morrisons in the UK and Starbucks in the US said the incident impacted their operations. The Blue Yonder attack took place Thursday last week, and so far no ransomware gang has taken credit.

Another ransomware attack has temporarily stopped production lines at Vosko, one of Germany's largest producers of frozen food. The company restarted activity over the weekend after spending 10 days recovering from the attack. No ransomware gang has taken credit for the attack, and it's unclear if the company paid the attackers.

The state of New York has fined auto insurance company Geico $9.75 million for a 2020 security breach that exposed customer data. Hackers accessed Geico's online quoting tool and stole the personal data of millions of users, including 120,000 New Yorkers. The stolen data was later used to file fraudulent unemployment claims during the COVID-19 pandemic. Besides Geico, New York officials also fined auto insurer Travelers $1.5 million for a similar security breach. The two companies have agreed to set up cybersecurity programs and deploy reasonable authentication, logging and monitoring systems.

The Canadian government has won a legal battle to publish a report on the 2019 breach of medical testing company LifeLabs. The company has sought to block the report's publication since 2020, citing legal privilege. The now-public government report found that LifeLabs failed to take reasonable steps to protect its patients' personal information and health. The company is currently facing a class action lawsuit over the breach. Almost a million Canadians have filed claims.

The Australian government passed the Cyber Security Act on Monday. The act will require businesses to report ransomware payments to the government and will create a Cyber Incident Review Board to conduct no-fault post-incident reviews of significant cybersecurity events. It will also empower the government to mandate cybersecurity standards and allow Australian cyber and intelligence agencies to share data more easily during cybersecurity incidents.

The Romanian government will ask the EU to start an inquiry into TikTok after a pro-Kremlin far-right candidate won the first round of the country's presidential election. Officials claim the candidate came out of nowhere in the last month and got a massive boost on TikTok to the detriment of other candidates. Government officials say the social network had a massive impact on its elections and have asked the EU to investigate TikTok's risk to EU democracies and fair elections.

Law enforcement agencies in Africa have arrested over 1,000 people on cybercrime charges. The suspects were allegedly involved with ransomware, BEC, digital extortion and online scams. The arrests took place across 19 countries as part of Interpol's Operation Serengeti earlier this month. Interpol also took down over 1,000 servers used for illegal cyber activities.

A new hacktivist group named CyberVolk emerged in May this year and is launching cyber attacks in support of the Kremlin. According to SentinelOne, Rapid7 and ThreatMon, the group appears to be based in India. Initially, CyberVolk carried out DDoS attacks, but the group launched a ransomware-as-a-service portal in June. The ransomware appears to have been cobbled together using leaked code from other groups. CyberVolk was banned from Telegram this month as part of the company's mass ban of hacktivist groups.

A new threat actor named Matrix has assembled a massive DDoS botnet over the past year. Cloud security firm Aqua says the group built the botnet through brute-force attacks and by exploiting vulnerabilities in unpatched devices. The majority of compromised systems appear to be hosted on the IP ranges of major cloud service providers. Access to the Matrix DDoS botnet is sold online using a Telegram bot named Kraken Autobuy. Besides DDoS attacks, some of the Matrix bots have also been seen mining cryptocurrency.

A Russian cyber espionage group named RomCom is behind two recently patched Windows and Firefox zero-days. The group lured victims to malicious sites where they exploited a Firefox and then a Windows Task Scheduler zero-day to plant backdoors on its targets' systems. According to security firm ESET, the group targeted espionage targets in Ukraine and Europe, as well as doing regular cybercrime.

Threat actors are exploiting a vulnerability in the ProjectSend file-sharing server. The attackers are targeting a vulnerability that was patched in May last year but was not assigned a CVE identifier due to an oversight. Security firm VulnCheck spotted the attacks after noticing over 200 ProjectSend servers with randomised characters for their login page title. VulnCheck says that based on Shodan data, only 1% of publicly exposed ProjectSend servers are running a patched version. The flaw has now been allocated a CVE.

And finally, Google has developed a new feature for the Android operating system that will automatically log users back into apps when they migrate to a new device. The new Restore Credentials feature will work by encrypting and syncing credentials to a cloud backup, from where they can be restored during migration. Google says the feature is safe and works using Android's native backup and restore mechanism.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Stairwell. Find them at stairwell.com. Thanks for your company.
