Giant Food cyberattack, Snowflake suspects indicted, zero-day vulnerability surge

Subscribe to Cyber Security Headlines podcast

Spotify, Apple Podcasts, RSS link, add as an Alexa Skill, or search "Cyber Security Headlines" on your favorite podcast app.

In today’s cybersecurity news…

Dutch cybersecurity incident affects Giant Food and Hannaford

A cybersecurity incident hit the Dutch food company Ahold Delhaize on Friday, forcing the company to take some of its operations offline. The outage has also affected its U.S.-based supermarket chains and e-commerce sites, including Food Lion, Giant Food, Hannaford, Stop & Shop, and The Giant Company. The company has not offered further details as of this recording, but taking systems offline in this way is suggestive of a ransomware attack.

(SecurityWeek)

Indictment against Snowflake breach suspects is released

Following up on coverage we delivered last week regarding Snowflake, the indictment was filed in the U.S. District Court for the Western District of Washington. It names Connor Moucka, a Canadian citizen, and John Binns as the men accused of “executing an international hacking and extortion scheme targeting over 10 organizations, including AT&T with demands for ransom following the theft of sensitive data. They reportedly extorted digital currency as a ransom, valued at approximately $2.5 million.” The indictment does not name the victim companies, but it “aligns with previous reports linking the breaches to prominent firms that were customers of the data storage firm Snowflake, such as Ticketmaster and Santander.”

(CyberScoop)

Surge in zero-day vulnerability exploits is new normal, says Five Eyes

This warning comes from the Five Eyes intelligence alliance (the U.S., U.K., Australia, Canada and New Zealand). In contrast to previous years, when malicious cyber actors mostly exploited older software vulnerabilities, most of the year's top routinely exploited vulnerabilities were first exploited as zero-days, with a flaw in Citrix's NetScaler networking products the most widely exploited. The report also lists a critical vulnerability affecting Cisco routers, another in Fortinet VPN equipment, and the MOVEit file transfer vulnerability that was widely exploited by the Clop ransomware gang. A link to the report, published by CISA, is available in the show notes to this episode.

(The Record and CISA)

Iranian Dream Job campaign delivers malware to aerospace industry

This campaign, attributed to the Iran-linked threat actor TA455, uses spear-phishing emails containing fake job offers, backed by a convincing LinkedIn presence, to persuade victims to download a ZIP file named “SignedConnection.zip,” which has been flagged as malicious by five antivirus engines. According to a report from ClearSky Cyber Security, the attackers also supply a detailed PDF guide that is meant to “instruct the victim on how to safely download and open the ZIP file, warning against actions that might prevent the attack from succeeding.”

(Infosecurity Magazine)

Huge thanks to our sponsor, ThreatLocker


TSA proposes new rules for cyber incident reporting at pipelines and railroads

As reported in The Record, “The rule would formalize several security directives issued by TSA since the ransomware attack on Colonial Pipeline in 2021. They would require cyber risk management plans overseen by the TSA, and would need to include annual cybersecurity evaluations, assessment plans to identify unaddressed vulnerabilities, to be run by officials who do not have ‘a personal, financial interest in the results of the assessment,’ and a cybersecurity operational implementation plan. The TSA estimates that this proposed rule would impact about 300 surface transportation owners and operators, including 73 of the approximately 620 freight railroads currently operating in the U.S.”

(The Record)

North Korean hackers create Flutter apps to bypass macOS security

North Korean threat actors are now targeting Apple macOS systems “using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID.” According to BleepingComputer, this means that “the malicious apps, even if temporarily, passed Apple’s security checks, so macOS systems treat them as verified and allow them to execute without restrictions.” Signing and notarization establish only that Apple scanned the binary and found nothing; they are not a guarantee that the developer or the code is trustworthy. According to Jamf Threat Labs, which discovered the activity, “the campaign appears more like an experiment on how to bypass macOS security rather than a fully-fledged and highly targeted operation.”

(BleepingComputer)

Gitloker’s GoIssue tool targets GitHub developers and supply chains

A threat actor going by the name Cyber Luffy, who claims to be a member of the Gitloker hacking group, is now offering a new GitHub phishing tool for sale or rent. Named GoIssue, it extracts email addresses from GitHub repositories so that developers can be phished in bulk, which SlashNext describes as “a gateway to source code theft, supply chain attacks, and corporate network breaches through compromised developer credentials.” According to SlashNext, the tool being sold, or rented, is the one Gitloker first developed for its own email-harvesting campaigns in early 2024.

(SecurityWeek)

New ransomware Ymir delivered after RustyStealer breach

Kaspersky researchers have identified a new ransomware family, named Ymir, which attackers deploy after gaining remote access to a system and controlling it through PowerShell remote-control commands. It includes detection-evasion features and was launched only after the installation of tools such as Process Hacker and Advanced IP Scanner and the RustyStealer infostealer. The ransomware encrypts files with the ChaCha20 stream cipher. No group has yet been associated with it.

(Security Affairs)
