Cyber Security Headlines Week in Review: Crowdstrike developments, LA Court shutdown

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Jana Moore, CISO, Belron, also vice president, EmpoWer – Supporting women in infosec.

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Teenage MGM hacker arrested in England

Police in the UK apprehended the 17-year-old, who has not been named, for his “alleged role in the cybercriminal group that brought MGM Resorts casinos to a standstill last year in a ransomware attack.” The arrest was made as part of an ongoing FBI investigation into the incident, which occurred last September and has been attributed to the Scattered Spider gang, also known as Octo Tempest and 0ktapus. Notably, in reviewing the incident, “MGM Resorts praised its own response to the incident, saying that its refusal to pay a ransom and decision to shut down all of its systems, as well as its coordination with law enforcement — had sent the message to criminals that ‘it’s not worth it.’”

(The Record)

Ransomware attack shuts down largest trial court in U.S.

All 36 of the Los Angeles County Superior Courts were forced to close their doors following a ransomware attack on Friday. The superior court released a statement saying that both internal and external systems, as well as every internet-connected device, were impacted, and that the malware was able to infiltrate “every electronic platform containing court data.” The court system plans to return to normal operations on Tuesday.

(The Register), (Superior Court of Los Angeles)

U.S. government looking for answers amidst CrowdStrike aftermath

In the wake of the defective CrowdStrike update that disrupted airlines, banks, hospitals and other critical services last Friday, U.S. House leaders are calling on CrowdStrike CEO George Kurtz to testify to Congress about the company’s role in the widespread outage. Republicans who lead the House Homeland Security committee said Monday, “While we appreciate CrowdStrike’s response and coordination with stakeholders, we cannot ignore the magnitude of this incident, which some have claimed is the largest IT outage in history.”

Meanwhile on Tuesday the U.S. Transportation Department said it was opening an investigation into Delta Air Lines after the carrier canceled more than 5,000 flights since Friday due to the CrowdStrike incident. While other carriers have been able to resume normal operations, Delta canceled 30% or more of its flights daily through Monday and axed or delayed over 1,000 more flights as of mid-day on Tuesday. Transportation secretary, Pete Buttigieg, said the department “will leverage the full extent” of its investigative and enforcement power “to ensure the rights of Delta’s passengers are upheld.”

(SecurityWeek and The Guardian)

Thanks to our show sponsor, Vanta

When it comes to ensuring your company has top-notch security practices, things can get complicated, fast. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money. With Vanta, you can unify your security program management and proactively manage security reviews with AI-powered security questionnaires. Our listeners get $1,000 off at vanta.com/headlines. That’s vanta.com/headlines.

KnowBe4 hires fake North Korean IT worker

On Tuesday, security awareness training firm KnowBe4 said a North Korean operative posing as a software engineer slipped past its hiring background checks. The new hire spent the first 25 minutes on the job using their new Mac to download malware, manipulate session history files, and execute unauthorized software on company systems. KnowBe4 said its security team quickly detected the suspicious activity and contained the infected workstation. The worker’s identity was revealed to be an AI deepfake, and the case is one of hundreds in which North Korean nation-state operatives have posed as IT workers to infiltrate US companies.

(SecurityWeek)

A CrowdStrike apology and market reaction

In other CrowdStrike-related news, a TechCrunch source who is a CrowdStrike partner received a $10 Uber Eats gift card along with an apology message that appeared to come from the company’s chief business officer, Daniel Bernard. Several people on social media shared similar gifts. However, several people reported issues redeeming the card, and CrowdStrike did not comment on the gift.

And Bloomberg’s sources say the CrowdStrike outage became a large reason why the recent acquisition talks between Google and Wiz fell through this week. It seems the incident increased market interest in other cloud security solutions. Concerns about antitrust regulators blocking the deal also reportedly played a role.

(TechCrunch, Bloomberg)

Ransomware platforms feeling the impact of law enforcement

Europol published an assessment that found evidence that threat actors are increasingly avoiding larger ransomware-as-a-service platforms because of recent law enforcement takedowns, as well as the AlphV exit scam earlier this year. Instead, more sophisticated threat actors have started developing their own ransomware variants. A more fragmented ransomware ecosystem doesn’t necessarily mean fewer attacks; it may instead reflect that the overall barrier to entry for ransomware is getting lower, while the financial incentive to keep carrying out attacks remains strong.

(The Record)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.