There’s never a dull day in cybersecurity…Below, we round-up some of top stories that hit the headlines this week!
A Rough Day for Colonel Sanders
While many of us in the UK hit send on our final work email and tucked away our laptops to enjoy a well-deserved long weekend break, Yum! Brands – owner of the world-renown fast food triad of KFC, Pizza Hut, and Taco Bell – were in the midst of sending out a flurry of data breach notification letters to an undisclosed number of people.
The company revealed that some individuals’ personal information, including names, driver’s license numbers, and other ID card numbers, had been stolen during its publicly-announced January 13th ransomware attack.
Commenting on the story, Israel Barak, CISO at Cybereason said:
“The recently disclosed ransomware attack on Yum! Brands that led to a day-long closure of 300 KFC, Pizza Hut and Taco Bell restaurants in the UK is significant and resulted in revenue losses and inconvenienced a significant number of customers. Only time will tell if the stolen customer data finds its way onto the dark web. Ransomware gangs have created a lucrative, multi-billion-dollar economy across the globe and are in a sense start-ups with their own venture capital and business models, but they must continue to be treated like the criminals they are and not glorified for breaking the law and causing disruptions around the world.”
“Companies can’t pay their way out of ransomware and the only time organisations should consider paying a ransom is in life and death situations. If more companies refuse to pay, the criminals will move onto softer targets. Over time, intelligent attackers will tune their attacks to move to targets that yield the most return for the least cost and risk. It’s as true of the dark side as it is of traditional business. I advise organisations to prepare for attacks in peacetime and ensure redundancy in network connectivity and have mitigation strategies ready. Practice good security hygiene and regularly update and patch operating systems and other software. Also, conduct periodic table-top exercises and drills including people beyond the security team all the way to the Executive Suite. Organisations should also ensure clear isolation practices are in place to stop ingress on the network and the spreading of ransomware.”
Thomas Richards, principal security consultant, Synopsys Software Integrity Group, added:
“Ransomware attacks continue to be a threat to any organisation. What stands out with this attack is the compromise of employee personal information, whereas other recent attacks have focused on stored customer data such as credit card information. The breach of personal identification documents is more troubling for those affected since it is difficult to get the document numbers changed; much unlike a credit card, where the bank will simply just issue the customer a new number. The documents compromised would allow someone to impersonate those affected for a long time; the standard “one year of credit monitoring” will not go far enough to protect those who have been affected by this breach. While we do not know the details of how the information was compromised, it is concerning this sensitive information might not have been stored securely. Organisations should treat information such as this with the highest level of sensitivity to ensure the data is encrypted both at rest and in transit. Additionally, the principle of least privilege—which specifies that only the minimum level of access should be granted when interfacing with sensitive data—should be followed to reduce the risk of the data being compromised.”
Javvad Malik, lead security awareness advocate at KnowBe4 also shared:
Driving on to Hyundai’s Breach
Yum! group were not the only ones to fall victim to a breach either; just a few days later, the multinational car manufacturer, Hyundai, disclosed a breach impacting its French and Italian customers. Although it’s believed financial data and identification numbers remain safe, email addresses, physical addresses, telephone numbers and vehicle chassis numbers were exposed.
In response, Chris Hauk, Consumer Privacy Champion at Pixel Privacy warned customers “to be wary of any text, email, or other communications appearing to be from Hyundai or its partners.”
He elaborated: “Bad actors may use the information taken in the breach to attempt to glean additional information from Hyundai customers. At this point, it has not been announced when the breach occurred, so we don’t know how long hackers have had access to the info.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech concurred: “Although the breach is unfortunate, it didn’t leak any particularly sensitive information that could lead directly to theft. Phone numbers, addresses, and email addresses might be used by cybercriminals to craft targeted phishing messages. Hyundai owners in France and Italy should be on the lookout for text messages and emails from scammers posing as Hyundai or a related company. For example, you might get more car warranty scam calls. Never click on links in unsolicited messages or emails.”
I Spy with my Little Eye
We also received a warning this week from security researchers at Citizen Lab about the emergence of a previously undiscovered spyware, similar to NSO Group’s Pegasus, that has been used against journalists, political figures as well as an NGO employee. Alarmingly, hackers leveraged previously logged calendar invites to deploy the malware in a “zero-click” attack.
Asaf Ashkenazi, CEO at Verimatrix, explained:
“Zero-click attacks on mobile devices are highly efficient hacking method that allows a remote attacker to silently take control over a victim’s phone. Unlike common phishing attacks, where the victim is tricked to open an infected file or click on a malicious weblink, zero-click attacks are “silent”, and do not require any user interaction.
Zero-click attacks take advantage of the same mechanism most attacks use: A vulnerability in the attacked software, or in other words, a “mistake” or error the software developer left in the attacked application. These “mistakes” are more common than we think. The traditional security method calls for finding all these errors before the software is released, however this method has proven to be impractical. This is why new security technologies take a different approach, assuming any software will have vulnerabilities. These innovative technologies make it extremely difficult for hackers to find vulnerabilities, and even if they are found, it makes it difficult for hackers to take advantage of a vulnerability without being detected.”
Brian Higgins, Security Specialist at Comparitech, observed:
“This kind of Spyware is very targeted. The Citizen Lab report stated they have only found ‘more than five victims’ and it hasn’t apparently been successfully deployed since 2021.
That said, the types of customers for this manner of product have deep pockets and very specific targets so it’s more than likely we will see similar revelations every few months or so.
The small community who think they might be vulnerable should have regular alerts to new exploits and patches set, as well as be vigilant when dealing with jurisdictions of risk, but they already know that.
At the moment, for the vast majority of iOS users this is just a scary story.”
Securing Software by Design
It’s not all bad news though. We also had a win for the good guys, as the US’ Biden administration took its first big step towards making software more secure by design with the release of its “principles and approaches” document.
Commenting on this, Ray Kelly, fellow at Synopsys Software Integrity Group, shared:
“CISA is making great progress with providing guidance to help keep organisations safe from cyberattacks. Building security into the design process is not only good practice, it’s also very effective in mitigating flaws in software before they reach the consumer. The challenge, however, is for organisations to adopt these practices without affecting the business, as this process takes time and requires resources that can impact the bottom line. The ‘design stage’ is a critical component of the software development lifecycle (SDLC) and organisations continue to struggle adopting security as part of this process. Hopefully, CISA’s latest recommendations will help bring more visibility on importance of building security into the SDLC from the start.”