Blue Yonder ransomware termites claim credit – Source: go.theregister.com

Infosec in brief Still smarting over that grocery disruption caused by a ransomware attack on supply chain SaaS vendor Blue Yonder? Well, now you have someone to point a finger at: the Termite ransomware gang.

Termite shared news of the attack on its dark web portal, as reported on X, claiming it managed to snag 680GB of data from Blue Yonder – including email lists, documents, reports, and insurance documents. Termite wrote that it intends to use the email lists “for future attacks” – so anyone who has done business with the firm needs to alert users to potential forthcoming compromise attempts.

Blue Yonder – which reportedly counts Starbucks and UK grocery chains Morrisons and Sainsbury’s among its disrupted customers – has yet to reveal the cause of the attack. The biz has shared little beyond its ongoing recovery efforts on its incident update website. As of December 6, Blue Yonder reported that “worked with external cybersecurity firms and strengthened our defensive and forensic protocols”, notified customers impacted by operational disruptions and has worked with them “throughout the restoration process.”

“We are aware that an unauthorized third party claims to have taken certain information from our systems,” the company’s most recent update states. “We are working diligently with external cybersecurity experts to address these claims.”

The investigation into the incident continues.

The incident took place on November 21, according to Blue Yonder. It resulted in disruption to several systems that its customers relied on to do things like, in Starbucks’ case, paying its employees. The aforementioned UK grocery chains were forced to use alternative supply chain arrangements.

According to Broadcom, Termite used a modified version of the Babuk ransomware. Despite being a relative newcomer, it’s already claimed victims in France, Canada, Germany, Oman, and the US across a variety of industries.

“The full modus operandi is still unknown, but the actor is likely using generic TTPs that most ransomware actors leverage, such as gaining initial access via phishing, vulnerabilities, or purchased credentials and escalating privileges to take control of networks,” Broadcom noted.

Not-so-safe linking service exposed millions of records

If you’re going to put “safe” in your company’s name, it’s a good idea to make sure you practice good cyber security hygiene – like not exposing unsecured databases containing millions of records to the internet. It appears safe link website Safelinking did not do so.

Cybernews reported last week that its researchers turned up evidence that Safelinking was hit by a bot trolling the web for unsecured MongoDB databases. The bot discovered Safelinking’s database, which contained details on 30 million private secure links and account information on more than 156,000 users.

According to the report, after issuing a ransom request to pay up or else, a malicious bot destroyed the database, which is no longer publicly available. It’s not clear what was done with the data, but Cybernews suspects the records – which included usernames, email addresses, social media account IDs, and more – could be used to trigger additional attacks.

If you’ve ever used Safelinking, secure your accounts now, and maybe use a more mainstream source of safe link validation – like Microsoft or Google.

Former Polish spy chief arrested for refusing to testify about use of Pegasus

Poland’s former internal security agency chief has refused to testify about his agency’s alleged use of Pegasus spyware against opponents of the former president, leading to his being arrested and hauled before parliament last week.

Piotr Pogonowski refused three summons to testify in a parliamentary inquiry into the former right-wing Law and Justice (PiS) party government’s alleged purchase and use of Pegasus against nearly 600 people – politicians and other officials among them. Law enforcement detained the ex-spy-cum-bank-manager and dragged him in for testimony last week after finally getting sick of his stalling.

Not that his appearance did much good. According to The Financial Times, Pogonowski insisted he’d only ever heard of the use of Pegasus from media reports. Even if he had heard of it and signed off on its usage as the top spy in the country, it would have been for the good of the Polish people, he reportedly insisted.

While criminal cases against officials have been considered, Pogonowski hasn’t been charged. Neither Pegasus developer NSO nor the PiS party have confirmed the use of the snooping kit against domestic targets.

Nigerian scammer sentenced to eight years in US prison

The Nigerian national behind a business email compromise (BEC) ring extradited to the US in 2022 has been sentenced to eight years in prison for stealing millions from businesses and individuals.

Okechuckwu Valentine Osuji was arrested in Malaysia and found guilty in May of this year of duping businesses – including financial companies, lenders, a nonprofit performing arts organization, a food and beverage company “and many others” – by masquerading as “trustworthy entities in electronic communications” and making off with corporate funds, the US Department of Justice said last week.

Along with those crimes – aided by a co-conspirator sentenced to two years in prison in October and an indicted individual still awaiting extradition from Malaysia – Osuji also went after elderly individuals through romance scams that tricked them into handing over cash.

Osuji was ordered to pay restitution to his victims, whom he bilked for more than $6 million in his years-long scheme.

Large, unnamed US company hit by Chinese hackers

We have a mystery on our hands, folks: Symantec security researchers revealed last week that a “large US organization with a significant presence in China” was hit by what’s believed to be a Chinese threat actor, who spent months rooting around systems and likely stealing data. Symantec is keeping this one a tight secret, though, refusing to even divulge what industry the firm is in when The Register asked.

All that’s known is what was in Symantec’s report: The threat actor maintained network access for about four months, moved laterally across the victim’s network and compromised multiple machines including email servers, and deployed data exfiltration tools as part of the attack.

The security shop did disclose that the incident showed hallmarks of being instigated by a Chinese threat actor, thanks to the use of DLL sideloading – but also because the same victim was targeted by an attacker believed to be linked to the China-based Daggerfly group just last year.

Clearly someone didn’t get the message last time. ®