BlackSuit behind CDK, Microsoft spoofing bug, Nuclear compliance failures

Released Monday, 24th June 2024
Episode Transcript


0:00
From the CISO Series, it's Cybersecurity Headlines. These are the Cybersecurity Headlines for Monday, June 24, 2024. I'm Steve Prentice.

0:13
CDK Global outage caused by BlackSuit ransomware attack. In an update to one of last week's biggest stories, BleepingComputer has learned that the operation behind CDK Global's massive IT outage and disruption to car dealerships across North America is BlackSuit, an operation launched in May 2023 and which is believed to be a rebrand of the Royal ransomware operation and therefore the direct successor of the Conti cybercrime syndicate. CDK is believed to be negotiating with the gang to receive a decryptor and for the gang to not leak the stolen data. Car and truck dealerships and individual customers are being forced into pen and paper transactions if they are able to do anything at all, and to make matters worse, CDK is also warning that threat actors are contacting dealerships posing as CDK agents or affiliates in order to gain access to their systems.

1:08
Bug allows Microsoft corporate email account spoofing. A security researcher by the name of Vsevolod Kokorin claimed on X under the handle @Slonser that he has discovered a bug that, quote, allows anyone to impersonate Microsoft corporate email accounts, end quote. This of course comes in very handy for deploying phishing attacks. He says that he had reported the bug to Microsoft but that the company replied that it could not reproduce his findings. He explained that, quote, the vulnerability works when an attacker sends an email to Outlook accounts, end quote. At this time this vulnerability appears to remain unaddressed.

1:49
nuclear site, that is Sellafield, in Northern England has pleaded guilty to three criminal charges over cybersecurity failings. Sellafield is no longer a functioning nuclear plant but currently houses more plutonium than any other location on earth and also has a number of facilities for nuclear decommissioning and waste processing and storage. As such it is considered one of the most complex and hazardous nuclear sites in the world. The criminal charges focus on failures to comply with approved security plans between 2019 and early 2023. In admitting these failures, Sellafield management is also denying stories placed in the Guardian news outlet that the facility might also have been compromised by hacking groups linked to both China and Russia.

2:48
The Ohio-based company, one of the largest manufacturers of forklifts in the world and a major player in the defense industry, in a statement made on Wednesday attributed this attack to, quote, an international cyber criminal organization, end quote. The attack started on June 8th as a ransomware operation and has brought operations to a halt. According to The Record, hourly workers have lost out on pay due to the shutdown, with some reporting that they have been told to file for unemployment insurance while the company tries to restore its operations. An email sent to employees, a copy of which was obtained by BleepingComputer, claimed the attack originated from an employee that, quote, failed to adhere to our data security policies by allowing unauthorized access to their device, end quote.

4:19
US government bans Kaspersky and sanctions twelve of its executives. These sanctions were issued by the Treasury Department's Office of Foreign Assets Control, OFAC, and involve twelve senior executives of the company. This means that the OFAC has frozen all property and interests in property of the designated individuals and of entities under US jurisdiction. These actions come on the heels of an announcement made by the Biden administration on June 20th regarding a ban on selling Kaspersky antivirus software due to it being a Russian organization. The ban itself starts on July 20th, and software updates to its US customers will be prohibited as of September 29th. In a briefing call with the media held on Thursday of last week, Commerce Secretary Gina Raimondo said, quote, Russia-linked actors can abuse the software's privileged access to a computer's systems to steal sensitive information from American computers or to spread malware, end quote. She added that now would be a good time for companies to find an alternative to Kaspersky for their security needs, but that, quote, US individuals and businesses that continue to use or have existing Kaspersky products and services are not in violation of the law, end quote.

5:36
Patch alert. SolarWinds Serv-U vulnerability under active attack. A high severity flaw impacting SolarWinds Serv-U, that is S-E-R-V and letter U, file transfer software is being actively exploited by malicious actors in the wild.

6:00
that has a CVSS score of 8.6 affects a directory traversal bug that could allow attackers to read sensitive files on the host machine. It was patched earlier this month as Serv-U 15.4.2. Cybersecurity firm Rapid7 describes the vulnerability as, quote, trivial to exploit, end quote. It allows access to any arbitrary file on disk, assuming the path is known and that it is not locked.

6:26
Upgraded Gh0st RAT appears to be active. Researchers at Cisco Talos are warning of a customized version of the remote access Trojan malware known as Gh0st RAT, that is GH0ST. They have dubbed the upgraded version SugarGh0st, also GH0ST, and they say it is delivered through scanned documents that appear normal but are infected with the malicious code. They have also named the RAT's operators SneakyChef, and they say it has been observed in the ministries of foreign affairs and embassies in at least nine countries across Africa, the Middle East, Europe, and Asia. The scanned documents currently take the form of government-themed decoy documents as well as malicious application forms to register for a conference and research paper abstracts. They believe this to be a Chinese state-backed operation.

7:19
Just a reminder, we have no Super Cyber Friday event coming up this week, but it is never too early to register for our next one on July 12th, all about hacking the materiality of a data breach. With the new SEC reporting requirements, it's a topic that is on everyone's mind. So be sure to head on over to cisoseries.com and click on our events page to register. And we still have our Week in Review show coming up this Friday at 3:30pm Eastern. Be sure you are subscribed to the CISO Series YouTube channel to catch it every week and to add your comments to the show.

7:53
I'm Steve Prentice, reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
