Over the past year, "Matrix" has used publicly available malware tools and exploit scripts to target weakly secured IoT devices — and enterprise servers.

Source: Kundra via Shutterstock

A Russian script kiddie using little more than publicly available malware tools and exploits targeting weak credentials and configurations has assembled a distributed denial-of-service (DDoS) botnet capable of disruption on a global scale.

In assembling the botnet, the attacker has targeted not just vulnerable Internet-of-Things (IoT) devices, as is the common practice these days, but also enterprise development and production servers, significantly increasing its potential for widespread disruption.

**Matrix Unleashed**

The attacker, whom researchers at Aqua Nautilus are tracking as "Matrix" after spotting the campaign recently, has established a store of sorts on Telegram, where customers can buy different DDoS plans and services. These include plans ranging from "Basic" to "Enterprise" that allow purchasers to unleash DDoS attacks of different durations at the transport and applications layers of targets of their choice.

"Although this campaign does not use advanced techniques, it capitalizes on widespread security gaps across a range of devices and software," said Assaf Morag, lead data analyst at Aqua in a blog post this week. "The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one."

DDoS attacks have been a standard item in attacker playbooks for a long time. Though organizations have generally gotten better at dealing with them over the years, DDoS attacks remain hard to protect against entirely. Threat actors have continuously increased the volume and duration of DDoS attacks while developing techniques to target different layers of the network to maximize their disruptive impact. A Gcore study released earlier this year showed a 46% increase in DDoS attacks in the first half of 2024 compared with the same period last year. Some attacks peaked in excess of multiple terabits of attack traffic per second.

Matrix's campaign appears to have launched in November 2023 with the creation of a GitHub account. The attacker has been using the account primarily as a repository for various publicly available malware tools downloaded from different sources and which, in some cases, Matrix then modified for use in the DDoS campaign.

**Off-the-Shelf Attack Tools**

Aqua's analysis of Matrix's GitHub account showed a collection of commonly available DDoS botnet tools, including perennial favorite Mirai, DDoS agent, Pybot, Pynet, SSH Scan Hacktool, and Discord Go. Most of these tools are publicly available and open source; what distinguishes Matrix is how it's been able to integrate and use these tools effectively in assembling a DDoS botnet. "Instead of forking repositories, the tools are downloaded and modified locally, suggesting a level of customization and adaptability," Morag said.

Matrix has been using the tools to scan the Internet for IoT devices with known vulnerabilities in them that the owners have left unpatched. Many of the vulnerabilities that the threat actor's attack scripts scan for are older flaws, including one from 2014 (CVE-2014-8361) a remote code execution (RCE) vulnerability in Realtek Software Development Kit.

Aqua listed vulnerabilities the attacker is targeting, including three from 2017 (CVE-2017-17215, CVE-2017-18368, and CVE-2017-17106); another three targeted vulnerabilities are from 2018 (CVE-2018-10561, CVE-2018-10562, and CVE-2018-9995). The vulnerabilities affect a range of Internet-connected devices including network routers, DVRs, cameras, and telecom equipment.

And in something of a departure from typical DDoS campaigns, the threat actor is scanning the IP ranges of several cloud service providers for vulnerabilities and misconfigurations in telnet, SSH, Hadoop YARN, and other enterprise servers. One of the vulnerabilities that Matrix has targeted is CVE-2024-27348, a critical RCE vulnerability in Apache HugeGraph servers. Nearly half (48%) the scanning activity that Aqua observed targeted servers in AWS environments, 34% were in Microsoft Azure, and 16% on Google's cloud platform. For the moment at least, Matrix's primary focus appears to be China and Japan, likely due to the high density of IoT devices in those countries, Morag said.

**Brute-Force Attacks**

As is common in most such campaigns, Matrix has also been taking advantage of default and weak passwords and misconfigurations to compromise IoT devices and enterprise servers and making them part of the DDoS botnet. Aqua found Matrix using a brute-force script against 167 username and password pairs that organizations had used to secure access to their IoT and server environments. A startling 134 of the pairs granted root or admin level access on affected devices.

Aqua's analysis showed there are 35 million systems running the software that the attacker appears to be targeting. Not all of them are vulnerable. But if even if just 1% are exploitable, that would give the attacker a botnet of around 350,000 devices.

In comments to Dark Reading, Morag says only content delivery networks and organizations with visibility into Internet traffic logs can really say what the actual size of the botnet that Matrix has assembled. But indications are that it is large. "We have hundreds of honeypots, and we usually see an attack/campaign on one or two types of honeypots. But in this case, we saw attacks on our SSH, Telnet, Jupytar Lab, Jupytar Notebook, Hadoop, HugeGraph, and a few simulators of IoT devices," which is unusual, he says. "In addition, the attacker utilized some of our honeypots to attack Telnet and SSH, with a 95% success rate."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Russian Script Kiddie Assembles Massive DDoS Botnet

The preview version now includes multiple security-focused additions Microsoft had promised to add, such as SecureBoot, BitLocker, and Windows Hello.

Source: Mundissima via Shutterstock

Six months after announcing (and modifying and delaying) Windows Recall, Microsoft has released a first-look preview of a reworked version for Windows Insiders via its Dev Channel. 

The preview is available only to Windows Insiders with Qualcomm Snapdragon X Elite and Plus Copilot+ PCs. The build of Windows that includes Recall (preview) with Click to Do (Preview) is Windows 11 Insider Preview Build 26120.2415 (KB5046723), Microsoft said. Support for Intel- and AMD-powered Copilot+ PCs will be available at a later date.

Recall takes "snapshots" of a user's PC that can be searched at anytime, thus allowing users to "recall" any application action, website visited, or image or document previously accessed on the system. Recall uses optical character recognition (OCR) to extract the text in screenshots and saves both of the images and text into a searchable database. When users describe what they are looking for, Recall searches the database to help them find it. The built-in neural processing unit is capable of running artificial intelligence (AI) and machine learning workloads locally and does not store anything in the cloud. This means Microsoft doesn't have access to any Recall snapshots, and none of the snapshots will be used to train Microsoft's AI models.

Recall was initially scheduled to be released last summer, but Microsoft had repeatedly delayed it to address privacy concerns. In September, the company explained how it was working to secure Recall snapshots.

Several of the new security-focused additions are available in the preview. Those who download the preview must opt in to saving snapshots, which is a change from the original plan to make it an opt-out feature. Recall now requires BitLocker disk encryption and Secure Boot to be enabled. Users must also be enrolled in Windows Hello because they must reauthenticate with Hello each time they access Recall's database. Users have the ability to delete any snapshot they want, and the system can detect sensitive personal data, like credit card numbers, passwords, and PINs, and won’t save them.

Users can also opt out of using Recall on specific apps and websites or just uninstall it altogether. For enterprise and education users, Recall will be managed by IT administrators. Administrators can also completely uninstall Recall if they are concerned about data exposure. 

The purpose of the Windows Insider preview is to give users the ability to try out the feature in real-world scenarios and help Microsoft identify issues that need to be addressed. Users can submit their feedback of the preview versions of Recall and Click to Do (recognize text and images in Recall snapshots and then copy the text or save images out of the snapshots) via the Feedback Hub. Insiders are asked to provide feedback on Recall's "updated security and privacy architecture" through the Windows Insider Preview Bug Bounty Program. 

Microsoft did not say how long it plans to keep Recall in preview before it would be considered ready for general release.

Microsoft Finally Releases Recall as Part of Windows Insider Preview

With a focus on creating technologies for other markets, Israel continues to be a valued destination for venture capital in cybersecurity outside the US and Europe.

Source: thinkhubstudio via Shutterstock

Though funding for cybersecurity startups began slowing globally in late 2022, Israeli startups continue to win significant cybersecurity investments, even with the nation's ongoing military operation in Gaza and escalating regional tensions.

The continued investment shows that Israel continues to be one of the strongest hubs for tech innovation in the US outside of Silicon Valley, says Or Shoshani, CEO and co-founder of Tel Aviv-based Stream.Security. His company, a cloud detection and response firm, garnered its first round of funding — a $26 million Series A — in March 2022 at the tail end of the boom. Earlier this month, the company was awarded a Series B round for $30 million.

"I've been traveling more than I've been doing in the last four years. Why? Just to show that we are here to support our customers, and we have built a business that is truly resilient, regardless of where we are and regardless of the state \[of affairs\] Israel is experiencing."

Following a two-year drought, cybersecurity startup companies are seeing an uptick in investment internationally, with the value of deals expected to grow by 45% in 2024 — a reversal of fortunes compared to the 40% decrease in 2022 and 49% drop in 2023, according to data from cybersecurity investment-advisory firm Altitude Cyber.

Related:Microsoft VS Code Undermined in Asian Spy Attack

Following a peak in Q4 2021, investment in cybersecurity firms tapered off for two years. It's starting to return. Top: Number of deals. Bottom: Value of deals in billions of US$. Source: Altitude Cyber

The investment focus of Altitude Cyber's clients, for example, remains the US, Israel, and Europe, followed by the rest of the world, says Dino Boukouris, founder and managing partner at the firm.

"We don't anticipate that trend will change any time soon," he says. "Even with the geopolitical climate we're in, Israel has continued to deliver, the US cyber market remains as strong as ever, and Europe \[and the\] UK continue to innovate and produce really great cyber companies."

**Cybersecurity Springs Back**

Israel's research and development centers took off during the US regulatory assault on encryption in the 1990s and the migration of chip design to many of the technology parks around Tel Aviv and Haifa during the past two decades. On the cybersecurity side, the nation has developed "outsized" capabilities, according to a recent history of Israel's evolution in cybersecurity.

Similar to Silicon Valley, going out for a cup of coffee often means running into two or three entrepreneurs that are going to tell you about their latest idea, says Jacques Benkoski, general partner at US Venture Partners, an investor in Stream.Security.

With the country's focus on cybersecurity and the density of talent and education available in a small area, innovation naturally follows, he says. 

Related:Under-Resourced Maintainers Pose Risk to Africa's Open Source Push

"When you look at the history of venture capital, you have nodes of innovation that are characterized by a catalytic density of talent — you look at places like Silicon Valley, you look at places like Tel Aviv, and you just have a lot of people that are focused on the same thing," he says. "And from the acceleration through dialogues and the collisions \[of ideas\] between those people comes more innovation" than other parts of the world.

Yet, one aspect of Israel's venture-capital scene is that investors do not want to fund companies solving local problems. Instead, the focus is on creating technologies and businesses that address issues in the US, Europe, and worldwide, Benkoski say.

"We typically invest in companies that see the US as their primary market — it's actually an investment condition," he says. Second rounds of venture capital for companies like Stream.Security are often to develop a stronger presence in their primary market, he adds.

**Broadening Out Cybersecurity Investment**

While the country's cybersecurity ecosystem certainly has its adherents, other investors see a focus on local ecosystems to be desirable. Ukraine has historically had a strong cybersecurity community — albeit mixed with its share of cybercriminal groups — and that could see a resurgence if Russia ends its war, says Ron Gula, president of Gula Tech Adventures, an investment firm.

Related:Software Productivity Tools Hijacked to Deliver Infostealers

"I'm hopeful that the Ukraine war will end soon, and believe the tech ecosystem there will emerge as a rival to the Israeli ecosystem," he says.

Other areas of the world also offer substantial benefits for investment. In addition to expanding its investment into Israel, Forgepoint Capital plans to focus on Latin America and the Asia-Pacific regions, where the mobile-first ecosystem requires a tailored approach to cybersecurity, managing director J. Alberto Yépez says.

"Other geographies have more of a built-in enterprise industry infrastructure to support local innovation, with established institutions taking an active role to drive collaboration and better anticipate and address their customers' needs," he says, adding that the firm has partnered with global financial institutions to help innovate. "We aim to address a critical gap in growth funding for startups in Europe while expanding our purview into Latin America and Israel," he says.

One overhyped technology for investors? AI. While artificial intelligence has technology giants spending heavily — and nearly every cybersecurity firm boasts of AI features — the impact of AI startups on cybersecurity remains modest, says Altitude's Boukouris. But there have been some significant financing deals for AI-cybersecurity companies in past few years, including Protect AI ($60 million in Series B funding, HiddenLayer ($50 million, Series A), Witness AI ($28 million, Series A), and Cranium ($25 million, Series A), he says.

"Vendors specifically focused on security for AI/ML are still primarily in the early stages in terms of funding," he says. "We've only seen one significant M&A event so far, with Robust Intelligence being acquired by Cisco for around $300 million, which indicates that we are still in the early stages of security for AI."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Israel Defies VC Downturn With More Cybersecurity Investments

Microsoft connected experiences have been the subject of heated online discussions. So what are they, and do they train AI with my data?

Recently we’ve seen some heated discussion about Microsoft’s connected experiences feature. As in many discussions lately there seems to be no room for middle ground, but we’re going to try and provide it anyway.

First of all, it’s important to understand what the “connected experiences” are.

Microsoft describes it like this:

> “Connected experiences that analyze your content are experiences that use your Office content to provide you with design recommendations, editing suggestions, data insights, and similar features.”

If that sounds like auto-correct on steroids, you’re close. You like it or you don’t.

But I found that there are two types of connected experiences.

Let’s start with a locally saved document created in Microsoft 365 (Word). To find the connected experiences settings, you’ll need to

*   Click on **File** > **Options**

Options

*   Select **Trust Center** and click on **Trust Center Settings**

Trust Center Settings

*   Select **Privacy Options** and click on **Privacy Settings**

Privacy Options > Privacy Settings

Then you’ll see three entries for Connected experiences:

*   Experiences that analyze your content
*   Experiences that download online content
*   All connected experiences

My tinfoil hat warns me that the second one is bound to show up in some vulnerability, but nowhere does it say that anything you produce will be shared with anyone, let alone train an AI model. If anything is worrying in there, it’s the fact that it uses content in your documents to find online information that might be of interest to you.

Connected experiences

Feel free to turn these options off.

For **online** documents created with Microsoft 365 apps it’s a different topic, and depends on what the administrator of the organization that provided it has decided to make available to you.

The overview of optional connected services provided by Microsoft says:

> “If you have a work or school account, your organization’s admin may have provided you with the ability to use one or more cloud-backed services (also referred to as “optional connected experiences”) while using the Office apps, like Word or Excel, that are included with Microsoft 365 Apps for enterprise.”

It then goes on to list all the possible optional connected experiences. The settings for these are of the type  “all or nothing.”

You can find these settings if you have a document open in your browser by following the path **File > About > Privacy Settings > Optional connected experiences**.

Optional connected experiences

The official Microsoft 365 account on X tweeted to say it didn’t use customer data to train large language models (LLMs)—a type of artificial intelligence (AI) program—in M365 apps:

> “In the M365 apps, we do not use customer data to train LLMs. This setting only enables features requiring internet access like co-authoring a document.”

So, turning that option off might result in some lost functionality if you’re working on the same document with other people in your organization.

If you want to turn these settings off for reasons of privacy and you don’t use them much anyway, by all means, do so. The settings can all be found under **Privacy Settings** for a reason. But nowhere could I find any indication that these connected experiences were used to train AI models.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Explained: the Microsoft connected experiences controversy 

The APT, aka Earth Estries, is one of China's most effective threat actors, performing espionage for sometimes years on end against telcos, ISPs, and governments before being detected.

Source: 3D generator via Alamy Stock Photo

The Chinese threat actor known as Salt Typhoon has been spying on some high-value government and telecommunications organizations for several years now, recently debuting fresh backdoor malware, dubbed GhostSpider.

Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) is among the People's Republic's most cutting advanced persistent threats (APT). In a campaign stretching back to 2023, it has compromised more than 20 organizations. Those organizations tend to be of the highest order, from all corners of the globe, and their breaches have in some cases remained undetected for years. Most recently, it's been known for targeting US telcos, including T-Mobile USA, and ISPs in North America.

**Salt Typhoon's Arsenal of Malware**

With access to a targeted network, the APT that Trend Micro calls Earth Estries can deploy any one of its varied and powerful payloads, which it is consistently building out, according to a new analysis from the firm.

There's Masol RAT — a cross-platform tool it's used against Linux servers from Southeast Asian governments — and the modular SnappyBee (aka Deed RAT). The newly discovered GhostSpider, meanwhile, is a highly modular backdoor, adjustable for any particular attack scenario, according to Jon Clay, Trend Micro's vice president of threat intelligence.

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

"So, I can enact a specific module to do one specific thing, and it only does that one thing, and then if I need something else, I enact another module. And this does make it much more difficult for defenders and researchers to identify what's what," Clay says, because one instance of GhostSpider might look entirely different from another.

Besides its backdoors, the group also possesses a rootkit called Demodex, and Trend Micro has speculated that it might even have used Inc ransomware in some of its operations.

The diversity of Salt Typhoon's malware may be connected to the very nature of how it operates. According to the researchers, it is a structured organization of distinct, specialized teams. Its various backdoors, for example, are managed by different "infrastructure teams." The tactics, techniques, and procedures (TTPs) utilized in different attacks might vary significantly, with unique teams focusing in different geographic regions and industries — another reason why pinning down the Chinese APT has been so difficult over the years. "They are very sophisticated \[at\] gaining access, maintaining access, maintaining persistence, and wiping their tracks when they have done something to make it look like they were never there," Clay says.

Related:News Desk 2024: Can GenAI Write Secure Code?

**How Estries Gains Entry**

Earth Estries had been conducting long-term espionage attacks against governments and other targets since 2020. Around the middle of 2022, though, a switch flipped.

"In the past, they were doing a lot of phishing of employees," Clay recalls. "Now they're targeting Internet-facing devices using n-day vulnerabilities, finding any open ports \[or\] protocols, or applications that are running that they can exploit in order to gain access."

"N-day" refers to recently disclosed bugs that organizations might not have had a chance to patch yet. The group's favorite vulnerabilities have been dangerous (but now well-documented), including: 

*   The SQL injection bug CVE-2024-48788, which affects the Fortinet Enterprise Management Server (EMS)
    
*   CVE-2022-3236, a code injection issue in Sophos Firewalls
    

*   The four Microsoft Exchange vulnerabilities involved in ProxyLogon
    

"And we see this across the board," Clay notes. "Certainly, emails are still a big way to gain access to organizations, but it used to be 80%-plus \[of cases\]. I think now you're looking at a much smaller percentage of these attacks beginning with a phishing campaign."

Related:Israel Defies VC Downturn With More Cybersecurity Investments

**Chinese Island Hopping to Gov't Cyberattack Victims**

Often, Salt Typhoon doesn't exploit vulnerabilities directly in its target's network. Instead, it opts for a more tactful approach.

Since 2023, its victims have spanned no fewer than four continents — from countries as diverse as Afghanistan, India, Eswatini, and the US — with the greatest concentration being in Southeast Asia. These organizations have come from the telecommunications, technology, consulting, chemical, transportation, and nonprofit sectors, with a special emphasis on government agencies.

Not all of these organizations are necessarily the hackers' final destination, though. A nongovernmental organization (NGO), for example, may house interesting data worth stealing, or it might just provide a covert springboard for attacking a more important government agency. In 2023, for instance, researchers observed Salt Typhoon compromising consulting firms and NGOs that work with the US government and military, with the goal of more quickly and effectively breaching the latter.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Salt Typhoon Builds Out Malware Arsenal With GhostSpider

Protection ranged from 0.38% to 50.57% for security effectiveness.

PRESS RELEASE

AUSTIN, Texas, Nov. 26, 2024 /PRNewswire/ -- CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent "Mini-Test" of Cloud Service Provider (CSP) Native Firewalls from Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Security effectiveness protection ranged from 0.38% to 50.57%.

In today's cloud-centric environment, businesses often face a critical choice regarding the security of their cloud infrastructure. They can rely on firewalls offered directly by Cloud Service Providers (CSPs) or use independent security vendor firewall offerings typically available through the respective CSP's marketplace. Security effectiveness is a crucial factor in selecting the right firewall solution, as it directly impacts the organization's ability to protect against cyber threats.

The CSP firewalls were tested against 522 exploits using Keysight's CyPerf v5.0 software testing platform, offering an evidence-based look at how well these native solutions withstand real-world security threats. Only known Common Vulnerabilities and Exposures (CVEs) from the last ten years with a severity of medium or higher were used to assess security effectiveness, usability, and protection. The exploit (CVE) types targeted servers and are typically relevant to cloud workload deployments.

"This was designed to be an entry level test," said Vikram Phatak, CEO of CyberRatings.org. "The exploits were straightforward; we didn't apply any evasions which is normally how attackers bypass security products. The number of missed exploits is concerning. Until cloud native firewalls demonstrate they have a higher level of security effectiveness to protect against cyber threats, we strongly recommend that customers consider third-party providers with a proven track record."

This test is part one of a two-part test. Part two will include a higher number of exploits, along with evasions and malware. The second part of the test will also compare cloud service provider native solutions against market leading third-party cloud network firewall providers.

The native firewalls were tested using Keysight's CyPerf v5.0 software testing platform. Enterprises can easily replicate the results with a 2-week free trial from Keysight. Further details of the strike library can be found here: https://www.keysight.com/us/en/products/network-test/cloud-test/cyperf.html

The test report is available for free at cyberratings.org.

About CyberRatings.org 

CyberRatings.org is a 501(c)6 non-profit organization dedicated to providing confidence in cybersecurity products and services through our research and testing programs. We provide enterprises with independent, objective ratings of security product efficacy to make informed decisions. To become a member, visit www.cyberratings.org and follow us on LinkedIn.

SOURCE  CyberRatings.org

CyberRatings.org Announces Test Results for Cloud Service Provider Native Firewalls

Ransomware attack cripples Starbucks operations, forcing the coffee giant to rely on manual processes for employee scheduling and…

Ransomware attack cripples Starbucks operations, forcing the coffee giant to rely on manual processes for employee scheduling and payroll. Learn how this cyberattack is impacting businesses worldwide and the steps being taken to mitigate the damage.

As the holiday season kicks off, a ransomware attack on Blue Yonder, the world’s leading supply chain management software provider, has disrupted operations for Starbucks and other retailers worldwide.

The attack, reportedly, affected the private cloud computing service Blue Yonder provided to some customers including Starbucks, but not the company’s public cloud environment.

It is worth noting that the Arizona-based Blue Yonder boasts an extensive client base comprising most Fortune 500 firms. It offers food services to 46 of the world’s top 100 manufacturers, 64 of the leading 100 consumer product goods makers, and overall 76 of the top 100 global retail giants. 

The cyberattack, which struck on November 21st, crippled one of its clients, Starbucks’ back-end systems, specifically those responsible for employee scheduling and payroll. As a result, store managers have been forced to rely on manual processes for tracking employee hours and payments.

The collateral damage of the attack extends beyond Starbucks, impacting major retailers and supermarket chains. According to the Wall Street Journal report, UK’s Morrisons and Sainsbury’s have experienced disruptions to their warehouse management systems and were forced to implement backup systems to mitigate the impact. 

Blue Yonder, which was acquired by Panasonic in September 2021, has been working tirelessly to address the issue. The company has engaged external cybersecurity firm CrowdStrike to assist in recovery efforts and has implemented defensive measures to prevent future attacks. However, a specific timeline for full-service restoration is not yet provided.

“We are working around the clock to respond to this incident and continue to make progress. There are no additional updates to share at this time with regard to our restoration timeline following our post yesterday,” the company’s statement read.

Starbucks’ new CEO, Brian Niccol is implementing measures to address this setback as soon as possible. The company’s spokesperson Jaci Anderson states that they remain committed to ensuring their employees are paid accurately for their hours worked.

The coffee chain is actively working to minimize disruptions and inconsistencies in the payroll process, despite the limitations imposed by the ransomware attack and has advised employees to work around the outage manually.

Nonetheless, the attack adds to a growing list of cybersecurity incidents affecting major food service companies, including McDonald’s and Panera, which experienced technical glitches earlier this year and Panera potentially facing a class action lawsuit resultantly. 

The timing of this attack is also crucial because as per the latest research, around 86% of ransomware attacks occur during holidays or weekends with cybercriminals minting a whopping $1.1 billion in ransom payments last year.

James McQuiggan, security awareness advocate at KnowBe4 weighed in on the situation stating, “Ransomware attacks show cybercriminals have been in the network for some time. Organizations must prepare with a tested Incident Response plan, backup processes, and recovery systems to minimize damage and downtime.”

1.  Homeland Security Spent $30K on Starbucks Coffee
2.  Nespresso Domain Hijacked, Targeting Microsoft Logins
3.  Starbucks mobile app got hacked, credit card data stolen
4.  White hat hacker infects smart coffee machine with ransowmare
5.  How A Coffee Machine Infected Factory Computers with Ransomware

Starbucks Shifts to Manual Processes After Contractor Ransomware Attack

The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows, as part of attacks designed to deliver the eponymous backdoor on victim systems.
"In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user

RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks

**Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?**

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. This purpose of this CVE is to provide further transparency.

Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.

Tag

#microsoft