Cyber Bakery Chronicles

Keeping Up with Cybersecurity News with CyberBakery.net. Your Weekly Update.

Your Weekly Cybersecurity Update (13 December 2024)

  • Gender Dimensions of the Australian Cyber Security Sector – A report from RMIT
  • Termite Ransomware: A New Supply Chain Threat, Analysed by Cyble
  • The Evolving Threat to Software Supply Chains
  • Cybercriminals Exploit Misconfigured AWS Environments to Steal Sensitive Data
  • US medical device giant Artivion says hackers stole files during a cybersecurity incident

Gender Dimensions of the Australian Cyber Security Sector – A Report from RMIT & AWSN

The Gender Dimensions of the Australian Cyber Security Sector Report, co-authored by CCSRI and the Australian Women in Security Network (AWSN), highlights the persistent gender imbalance within Australia’s cyber security workforce. While women make up 29% of the broader ICT sector, their representation in cyber security is much lower, reflecting systemic barriers and untapped potential.

Key Findings

1. Workplace Challenges:

Women face an exclusionary culture, lack of mentorship, and gender bias in recruitment and promotion processes. These challenges lead to low retention and slow career progression.

2. Skills and Pathways:

A significant gap exists in education and training programs targeting women for cyber security roles. Limited awareness of career opportunities also contributes to low participation.

3. The Data Void:

Inadequate sector-specific data hinders understanding of gender trends, making it difficult to measure progress or identify gaps effectively.

4. Benefits of Diversity:

Diverse teams improve decision-making, innovation, and performance—qualities crucial for solving complex cyber challenges. Increasing women’s participation can boost Australia’s cyber resilience.

Recommendations

Promote Inclusive Workplaces: Foster cultures of belonging and address biases in recruitment.

Enhance Career Pathways: Improve visibility of cyber security careers for women through education and targeted programs.

Collect and Use Better Data: Invest in tracking gender representation and workplace experiences to drive meaningful change.

Industry Collaboration: A unified effort is needed to challenge stereotypes and create lasting, positive shifts in workplace culture.

In summary, tackling these issues requires collective action from governments, educators, and industry leaders to build a more inclusive and equitable cybersecurity sector. 


Termite Ransomware: A New Supply Chain Threat, Analysed by Cyble

In November 2024, the supply chain management platform Blue Yonder suffered a ransomware attack attributed to a newly identified group known as Termite. Cyble Research and Intelligence Labs (CRIL) researchers have examined a Termite ransomware binary and determined that Termite is essentially a rebranding of the notorious Babuk ransomware.

This incident disrupted operations for several of Blue Yonder’s clients, including Starbucks and UK grocery chains like Sainsbury’s and Morrisons. Termite claims to have exfiltrated 680GB of data, encompassing over 16,000 email lists and more than 200,000 insurance documents.

Technical Analysis of Termite Ransomware

As noted above, Termite is essentially a rebranded variant of the notorious Babuk ransomware. Upon execution, it employs several tactics to maximise its impact:

Process Shutdown Manipulation: Utilises the SetProcessShutdownParameters(0, 0) API to ensure its process is among the last terminated during system shutdown, allowing more time for encryption.

Service and Process Termination: Connects to the Service Control Manager using OpenSCManagerA() to enumerate and terminate specific services and processes, such as veeam, vmms, memtas, sql.exe, oracle.exe, and firefox.exe, to prevent interference during encryption.

Shadow Copies Deletion: Executes vssadmin.exe to delete all shadow copies, hindering system recovery post-encryption.

Recycle Bin Clearance: Calls the SHEmptyRecycleBinA() API to empty the Recycle Bin, ensuring previously deleted files cannot be restored.

System Information Retrieval: Gathers system details using the GetSystemInfo() API, including the number of processors, to tailor its encryption strategy.
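As an added example (not from Cyble's analysis or the original newsletter), the following Python script correlates constructed Windows event records for two of the behaviours above that do leave host telemetry: targeted service stops followed by vssadmin shadow-copy deletion. The event shapes, host names and timestamps are assumptions; the service-name list is taken from the analysis above.

```python
import re
from datetime import datetime, timedelta

# Services the analysis reports Termite terminating; matched as substrings
# of the stopped service's name, case-insensitively.
TARGET_SERVICES = ("veeam", "vmms", "memtas", "sql", "oracle")
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
WINDOW = timedelta(seconds=120)   # how far back service stops are correlated
MIN_SERVICE_STOPS = 2             # stops needed to escalate to "high"

# Constructed sample events (not real telemetry): (timestamp, host, event_id, detail).
# event_id 7036 = System log "service entered the stopped state" (detail = service name);
# event_id 1    = Sysmon process creation (detail = command line).
SAMPLE_EVENTS = [
    ("2024-11-21T02:10:01", "FS01", 7036, "VeeamBackupSvc"),
    ("2024-11-21T02:10:03", "FS01", 7036, "MSSQLSERVER"),
    ("2024-11-21T02:10:04", "FS01", 7036, "vmms"),
    ("2024-11-21T02:10:40", "FS01", 1, r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("2024-11-21T03:00:00", "WS07", 7036, "Spooler"),
    ("2024-11-21T03:02:00", "WS07", 1, r"C:\Windows\System32\vssadmin.exe list shadows"),
    ("2024-11-21T03:05:00", "WS07", 1, r"vssadmin delete shadows /for=C: /oldest"),
]

def correlate(events, window=WINDOW, min_stops=MIN_SERVICE_STOPS):
    """Return one alert per vssadmin shadow deletion. Severity is "high" when
    the same host stopped >= min_stops targeted services within `window`
    beforehand (the sequence described for Termite), otherwise "medium"."""
    alerts = []
    stops = {}  # host -> [(timestamp, service name), ...]
    for ts_s, host, eid, detail in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_s)
        if eid == 7036 and any(n in detail.lower() for n in TARGET_SERVICES):
            stops.setdefault(host, []).append((ts, detail))
        elif eid == 1 and VSSADMIN_DELETE.search(detail):
            # Only stops inside the look-back window count towards escalation.
            recent = [svc for t, svc in stops.get(host, []) if ts - t <= window]
            alerts.append({"host": host, "time": ts_s,
                           "severity": "high" if len(recent) >= min_stops else "medium",
                           "service_stops": recent, "command": detail})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["host"], a["time"], a["service_stops"], a["command"])
```

A lone shadow-copy deletion is still reported at medium severity, since legitimate administration rarely runs it and the service-stop stage may not be logged on every host.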

Impact on Businesses

The Termite ransomware attack on Blue Yonder underscores the significant risks ransomware poses to businesses:

Operational Disruptions: Clients like Starbucks had to resort to manual operations for employee scheduling and time-tracking tasks.

Data Breach Risks: The exfiltration of vast amounts of data, including sensitive information, exposes businesses to potential data breaches and subsequent legal and reputational repercussions.

Protection Strategies Against Termite Ransomware

To safeguard against Termite ransomware and similar threats, organisations should implement the following measures:

Regular Data Backups: Maintain up-to-date backups stored offline to ensure data recovery without yielding to ransom demands.

Employee Training: Educate staff on recognising phishing attempts and other common attack vectors to reduce the risk of initial compromise.

Endpoint Protection: Deploy advanced endpoint detection and response solutions to promptly identify and mitigate malicious activities.

Network Segmentation: Divide networks into segments to limit the lateral movement of ransomware and contain potential damage.

Patch Management: Regularly update software and systems to address vulnerabilities that ransomware might exploit.

By staying vigilant and implementing robust cybersecurity practices, organisations can mitigate the risks posed by ransomware threats like Termite.


The Evolving Threat to Software Supply Chains

The rapid pace of software development has led to an increased risk of software supply chain attacks. These attacks target vulnerabilities in software development, distribution, and deployment, potentially compromising sensitive data and disrupting critical systems.

Key Factors Driving the Rise of Software Supply Chain Attacks:

Increased Complexity: Modern software development relies on a complex network of third-party components, open-source libraries, and cloud services, creating numerous potential attack vectors.

Rapid Pace of Development: The pressure to release software quickly can lead to shortcuts in the development process, compromising security.

Advanced Attack Techniques: Cybercriminals are constantly evolving their tactics, using sophisticated techniques like supply chain poisoning and software tampering.

Mitigating Risks in the Software Supply Chain:

To protect against software supply chain attacks, organizations should adopt a comprehensive approach:

Vendor Vetting: Thoroughly vet third-party vendors and regularly assess their security practices.

Open Source Security: Carefully evaluate open-source components for vulnerabilities and license compliance.

Secure Development Practices: Implement secure coding practices, code reviews, and automated testing to identify and fix vulnerabilities early in the development process.

Software Composition Analysis (SCA): Use SCA tools to identify and remediate vulnerabilities in open-source components.

Supply Chain Security Tools: Employ specialized tools to monitor and protect the software supply chain.

Employee Training: Train employees on security best practices, including recognising phishing attacks and avoiding malicious software.

Incident Response Plan: Develop a robust incident response plan to quickly detect and respond to security breaches.

Organisations can mitigate risks and protect their sensitive data and systems by prioritising software supply chain security.


Cybercriminals Exploit Misconfigured AWS Environments to Steal Sensitive Data

A recent cyberattack, believed to be linked to the ShinyHunters group, has exposed the vulnerabilities of misconfigured AWS environments. The attackers exploited exposed AWS credentials to gain unauthorized access to a vast amount of sensitive data, including source code, database credentials, and API keys.

Key Findings:

  • Massive Data Breach: The attackers stole over 2TB of data from numerous AWS customers.
  • Misconfigured S3 Buckets: The stolen data was stored in an exposed S3 bucket, highlighting the risks of improper cloud configuration.
  • Targeted Attacks: The attackers used a combination of automated scanning and targeted attacks to identify vulnerable systems.
  • Sophisticated Techniques: The attackers employed advanced techniques, including exploiting known vulnerabilities and using custom tools to gain access to systems.

Recommendations for Protection:

  • Secure Credentials: Never store sensitive credentials in plain text or in easily accessible locations.
  • Implement Strong Access Controls: Enforce strong access controls and regularly review and update permissions.
  • Monitor Cloud Environments: Regularly monitor cloud environments for misconfigurations and unauthorized access.
  • Stay Updated: Keep software and systems up-to-date with the latest security patches.
  • Use Security Best Practices: Follow best practices for secure coding, data protection, and incident response.

By following these best practices, organizations can significantly reduce their risk of falling victim to similar attacks.


US medical device giant Artivion says hackers stole files during a cybersecurity incident

Artivion, Inc., a medical device company specializing in implantable tissues for cardiac and vascular applications, experienced a cybersecurity incident on November 21, 2024. The company reported that the incident involved unauthorized acquisition and encryption of files, leading to disruptions in order and shipping processes, as well as certain corporate operations.

In response, Artivion took several measures:

  • System Shutdown: Certain systems were taken offline to prevent further unauthorised access.
  • Investigation Initiation: An investigation was launched with the assistance of external legal, cybersecurity, and forensic experts to assess, contain, and remediate the incident.
  • Service Continuation: Despite the disruptions, Artivion continued to provide products and services to customers, with most operational issues largely mitigated.

Financially, Artivion stated that the incident did not have a material impact on the company’s overall financial condition or results of operations. However, the company anticipates incurring additional costs related to the incident that may not be covered by insurance.

No major ransomware group has claimed responsibility for the attack as of now, and Artivion has not confirmed the specific nature of the incident.

