Robin’s Newsletter #337

1 December 2024. Volume 7, Issue 48
Blue Yonder causes supply chain disruption. Incidents at two UK hospitals. $17M stolen from Uganda's central bank.

This week

Need to Know, 1st December 2024

  • 1,000 arrested in Operation Serengeti (Law Enforcement)
  • $17M stolen from Uganda’s central bank (Incidents)
  • Germany warns over Russia ‘hybrid warfare’ attacks (Interesting Reads)
  • Blue Yonder supply chain software attack (This Week)
  • Incidents at two UK hospitals (This Week)
  • First Linux UEFI bootkit discovered (Threat Intel)

Blue Yonder ransomware attack disrupts supply chains

  • Supply chain management firm Blue Yonder has suffered a ransomware attack. The US-based SaaS company informed customers of the incident on 21st November and has been “working around the clock” to restore its systems. However, its updates page has not provided any updates since 24th November. LINK, UPDATES
  • Blue Yonder counts large corporates like coffee chain Starbucks and UK supermarkets Sainsbury’s and Morrisons amongst its customers. Starbucks says that some staff rota and time booking processes have suffered disruption, while Morrisons says the attack affected warehouse operations for fresh produce. LINK
  • In some cases, customers posted photos of empty shelves as supplies of some chilled goods lines in particular fell by 50% to 70%, according to retail publication The Grocer. LINK

Incidents at hospitals in North West of England

  • Two incidents have affected hospitals in Liverpool and the Wirral in the North West of England this week.
  • Wirral University Teaching Hospital NHS Trust declared a major incident “for cyber security reasons” and asked people to only come to Arrowe Park Hospital if they have a “genuine emergency”. The Trust says that systems were taken offline “as a precaution” after they detected suspicious activity and that paper-based business continuity measures are in place. LINK, MORE
  • Meanwhile, Alder Hey Children’s Hospital in Liverpool is working to establish if screenshots and data posted by the INC Ransomware group on the dark web were taken from its systems. The criminals claim to have “large scale data” from the hospital, including patient, donor, and procurement information dating between 2018 and 2024. Alder Hey is one of Europe’s largest children’s hospitals and treats over 450,000 young people each year. INC Ransomware is the same group that targeted NHS Dumfries and Galloway in March this year. LINK, MORE, DUMFRIES

Interesting stats

29% year-on-year rise in Q3 revenue to $1.01 billion reported by Crowdstrike on an earnings call this week (though that is down from a 35% rate enjoyed this time last year). 97% gross retention rate, down “less than half a percentage point”, in the first full quarter since the firm’s update snafu brought businesses worldwide to a halt. LINK

Other newsy bits / in brief

🤓 Interesting reads:

  • Bruno Kahl, president of Germany’s Federal Intelligence Service (BND), has warned that continued Russian ‘hybrid warfare’ and acts of sabotage against Western targets may prompt them to invoke NATO’s Article 5 mutual defence clause. The UN, International Telecommunication Union (ITU) and International Cable Protection Committee (ICPC) have established an advisory body for submarine cable resilience following the recent suspected Russian sabotage of cables in the Baltic Sea. LINK, UN

⚠️ Incidents:

  • Uganda’s Minister of State for Finance, Henry Musasizi, says the country’s central bank was compromised by financially motivated cybercriminals, who potentially stole $17 million. Musasizi told parliament, “It is true that our account was hacked, but not to the extent of what is being reported”. LINK
  • Cloudflare says it lost 55% of logs destined for customer data silos over a 3.5-hour period after a configuration error led a key component of its infrastructure to believe that there were no customers to whom it needed to forward logs. LINK
  • Data broker SL Data Services apparently left over 600,000 files containing criminal histories, background checks and other vehicle and property records on thousands of people in an unsecured Amazon S3 bucket, according to security researcher Jeremiah Fowler. In all, 644,869 PDF files, totalling 713.1GB, were exposed. LINK
  • Zello is asking users to reset their passwords following a suspected data breach that appears to have happened prior to 2nd November. LINK
  • An independent review will examine the Transport for London cyber attack. LINK

🏴‍☠️ Ransomware:

  • Bologna Football Club has confirmed it has suffered a ransomware attack at the hands of the RansomHub cybercrime group. The club refused to pay the ransom, and the criminals have now published data on player and sponsor contracts, medical records, stadium plans, transfer and commercial strategies, youth team players, and other confidential player and fan data. LINK

🕵️ Threat Intel:

  • A write-up from Trend Micro on the tactics used by the Chinese Salt Typhoon group to breach telco networks around the world highlights vulnerabilities in products from Ivanti, Fortinet, Sophos, and Microsoft as central to their approach. T-Mobile said this week that the group did not gain access to any customer calls, text messages or voicemails. LINK, REPORT, TMOBILE
  • Cloudflare says that a financially motivated threat actor is using employment termination and tribunal notifications as lures to infect victims with malware. Target sectors include aerospace, insurance, state government, consumer electronics, travel, and education. LINK, REPORT
  • SentinelOne says that the CyberVolk hacktivist group may be deploying ransomware in support of Russian interests. CyberVolk may have roots in India and formerly operated as ‘Gloriamist India’, though the identities and locations of all its members are unknown. SentinelOne says that CyberVolk’s use of info-stealer and ransomware malware, in addition to more common DDoS tools, makes it stand out as a hacktivist group. Previous victims of the group include critical infrastructure and scientific organisations in Japan, France and the UK. LINK
  • ESET says it has discovered a Linux UEFI bootkit lurking on VirusTotal. The Bootkitty malware is believed to be the first publicly known Linux UEFI bootkit, though it also appears to be in the early stages of development and unable to bypass Secure Boot. LINK
  • Researcher Kevin Beaumont says that some ransomware gangs are bombarding users with phone calls or Teams spam and then contacting them pretending to be IT support to help address the disruption. The threat actors use the built-in Microsoft Quick Assist software to connect to their devices and install malware. LINK

🪲 Vulnerabilities:

  • Zabbix has released a patch for a critical vulnerability in its open-source network and application monitoring software. CVE-2024-42327 (9.9/10) is an SQL injection bug that can be exploited by anyone with access to the system’s API. LINK, ADVISORY

🧑‍💻 End user and consumer:

  • An FTC report says that smart device manufacturers who do not supply clear support timeframes for their devices may be breaking the law. Citing the Magnuson Moss Warranty Act, the FTC says that the “law requires that written warranties on consumer products costing more than $15 be made available to prospective buyers prior to sale,” before going on to add that this should include “a clear description and identification of products, or parts, or characteristics, or components or properties covered by and where necessary for clarification, excluded from the warranty.” Support timeframes are a key part of so-called ‘security labels’ aimed at standardising key information for consumers to make informed choices. LINK

🧰 Guidance and tools:

  • NCSC has released a briefing pack for boards to communicate the important role of directors and trustees in keeping their organisations safe and secure online. The updated pack features a case study on the British Library cyber attack. LINK (Disclosure: I serve on a BL board committee)

🧿 Privacy:

  • New York State officials have fined Geico and Travelers a combined $11.3 million for poor security practices that led to the theft of 120,000 people’s data. LINK

📜 Policy & Regulation:

  • The UK is launching a new Cyber Incident Response Capability (CRIC) that will be available to support NATO allies. CRIC will bring “public and private sectors in the UK to offer their technical assistance” to help respond to attacks against CNI targets. LINK
  • India: New regulations published by the Department of Telecommunications (DoT) last week require notification of security incidents within six hours and for telcos to share user traffic data with authorities, sparking privacy concerns. LINK

👮 Law Enforcement:

  • Interpol and Afripol’s Operation Serengeti has resulted in the arrest of 1,006 suspected cybercriminals. The operation also “dismantled 134,089 malicious infrastructures and networks”. Those arrested are suspected of being behind ransomware, business email compromise (BEC), and other crimes resulting in more than $190 million in losses. LINK
  • A former Verizon employee has received a four-year sentence for sharing cyber secrets with the Chinese Ministry of State Security (MSS). LINK
  • Russian authorities have arrested Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin), a cybercriminal wanted by the FBI for his role in the Hive and Lockbit ransomware operations. LINK

💰 Investments, mergers and acquisitions:

  • Austin, TX, headquartered Halcyon has closed a $100 million Series C funding round led by Evolution Equity Partners. The investment secures the ransomware protection firm a $1 billion valuation. LINK

And finally

  • Golf clap: A Kansas City man allegedly compromised organisations and used his access to promote his security consultancy services. The FBI alleges that Nicholas Michael Kloster, 31, of Kansas City, Missouri, unlawfully accessed the premises and systems of three named and unnamed businesses and non-profits. At one business, a gym at which Kloster was a member, he broke in after hours and then sent an email to the owners claiming responsibility for the break-in whilst also promoting his security services. He also reduced the price of his membership to $1 and deleted his profile picture from the membership system. LINK
Robin
