In today’s cybersecurity news…
Interpol takes down over 1,000 cybercrime suspects in Africa
Interpol announced Tuesday that authorities have arrested 1,006 cybercrime suspects in Africa during a massive joint operation called “Operation Serengeti.” The operation ran from September 2 to October 31 across 19 African countries targeting cybercriminals involved in ransomware, business email compromise, digital extortion and online scams. Interpol identified 35,000 victims linked to nearly $193 million in losses worldwide. Operation Serengeti is a huge upgrade from Interpol’s previous cybercrime efforts in Africa, which led to just 25 arrests over the last two years.
(SecurityWeek and Bleeping Computer)
Starbucks and UK grocers impacted by supply chain attack
A ransomware attack over the weekend on supply chain management software provider Blue Yonder (a division of Panasonic) has impacted operations at numerous companies in the U.S. and the UK. Starbucks reported difficulties managing employee schedules and processing payroll, causing some locations to resort to manually calculating employee pay. The attack also affected several major UK supermarket chains, including Morrisons, which said its produce warehouse management systems were disrupted, while Sainsbury’s acknowledged a temporary impact on its operations. Blue Yonder continues to grapple with restoring its services, and it is unclear whether any customer data has been compromised.
Hacker in Snowflake extortions may be a U.S. soldier
Two weeks ago on Cyber Security Headlines we brought you news of indictments brought against two Snowflake breach suspects. A third, unidentified suspect and prolific hacker known as Kiberphant0m continues to publicly extort victims. Kiberphant0m posted a threatening message following the arrests of the two other Snowflake breach suspects, saying, “You don’t think we don’t have plans in the event of an arrest? Think again.” That same day, Kiberphant0m posted what they claimed was the “data schema” from the U.S. National Security Agency. The NSA has not yet responded to requests for comment. A careful review of Kiberphant0m’s identities on cybercrime forums and Telegram and Discord channels suggests the threat actor may be a U.S. Army soldier who is or was recently stationed in South Korea. However, Kiberphant0m told KrebsOnSecurity the U.S. Army persona was just a ruse and also stated, “I literally can’t get caught,” but declined to explain why.
RansomHub claims hacks in Texas and Minneapolis
On Monday, the notorious ransomware operation took credit for damaging attacks on the city of Coppell, Texas, and the Minneapolis Park and Recreation Board. Coppell reported back in October that WiFi at city facilities was taken down by the attack, alongside library services, platforms for permits and inspections, and Municipal Court operations. And last Wednesday, the Minneapolis Park and Recreation Board warned residents that they were “attacked by an unknown person or persons.” This resulted in a system-wide phone outage, and the board advised residents that any calls requiring a Park Police or Minneapolis Police response should be routed to 911. In addition to the Texas and Minnesota incidents, RansomHub said on Monday that it had attacked two U.S. schools.
Thanks to today’s episode sponsor, ThreatLocker

ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.
To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit ThreatLocker.com.
Salt Typhoon bolsters arsenal with GhostSpider
A new report from Trend Micro has revealed that the Chinese advanced persistent threat (APT) actor Salt Typhoon recently debuted a fresh backdoor, dubbed GhostSpider. According to Trend Micro, GhostSpider is a highly modular backdoor, adjustable for any particular attack scenario. Salt Typhoon has been spying on high-value government and telecom organizations for several years. Two campaigns highlighted in the report are attacks targeting the Taiwanese government and chemical producers using malware called Demodex and SnappyBee, and long-term espionage against Southeast Asian telecom and government networks employing GhostSpider and Demodex.
(Dark Reading and Bleeping Computer)
New attack uses rogue VPN servers to install malicious updates
On Tuesday, security researchers from AmberWolf detailed a delicious-sounding set of vulnerabilities dubbed “NachoVPN” that allows rogue VPN servers to install malicious updates. Threat actors are using malicious websites and social engineering tactics to trick victims into connecting their unpatched SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to attacker-controlled VPN servers. From there, the miscreants use the rogue VPN endpoints to steal the victims’ login credentials, execute arbitrary code with elevated privileges, install malicious software via updates, and launch code-signing forgery or man-in-the-middle attacks by installing malicious root certificates. SonicWall released patches to address the NetExtender vulnerability (CVE-2024-29014) back in July, while Palo Alto Networks released security updates for the GlobalProtect flaw (CVE-2024-5921) yesterday.
‘RomCom’ APT mounts zero-click browser escapes
The Russia-aligned threat actor known as ‘RomCom’ has been exploiting two zero-day security flaws, one in the Firefox browser and the other in Microsoft Windows, as part of attacks designed to deliver a Remote Access Trojan (RAT) on victim systems. The Firefox bug is a 9.8 (CVSS) severity use-after-free vulnerability in Firefox’s Animation component (CVE-2024-9680) and was patched by Mozilla in October 2024. The Microsoft issue is an 8.8 (CVSS) severity privilege escalation vulnerability in Windows Task Scheduler (CVE-2024-49039) and was patched by Microsoft this month. Researchers said, “if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required (zero click).”
Don’t miss out on Black Friday deals for your favorite cyber products!
Cybersecurity vendors are getting in on the Black Friday frenzy as Malwarebytes’ Black Friday 2024 deals are now live, offering a 50% discount on one- and two-year personal, family, and business subscriptions to its standalone anti-malware software, VPN, and Personal Data Remover services.
Meanwhile, NordVPN is now offering a 74% discount on its top-rated VPN as part of its Black Friday deal that runs until December 10.
It’s a perfect opportunity to fill your friends and family’s cyber stockings with the gift of security.