Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Amazon AI coding agent hacked to inject data-wiping commands. Scattered
Spider is running a VMware ESXi hacking spree. BlackSuit ransomware
extortion sites seized in Operation Checkmate, and insurance
giant says most US customer data stolen in recent cyber attack.
(00:22):
This is Cybersecurity Today, and I'm your host, David Shipley.
Coming to you from beautiful Fredericton, New Brunswick.
A security scare hit Amazon's generative AI-powered coding tool, the Q Developer
extension for Visual Studio Code,
after a hacker managed to inject rogue data-wiping code into the
(00:42):
project's GitHub repository.
Available on Microsoft's Visual Studio Code Marketplace,
Amazon Q has racked up nearly 1 million installs.
It helps developers code, debug, write documentation and set up
configurations, powered by generative AI.
But on July 13th, a GitHub user going by the alias
(01:04):
lkmanka58 submitted a pull request that slipped past Amazon's defenses.
Due to what's believed to be a misconfigured workflow or weak permissions
management, the malicious code was merged into the official project.
The hacker's code didn't execute successfully, thankfully, but it
contained a prompt designed to wipe systems and cloud resources.
(01:26):
A message, it seems, meant to highlight weaknesses in how AI
development tools are secured.
Amazon was unaware of the breach and had published a compromised
version, 1.84.0, to the VS Code Marketplace on July 17th, making it
publicly available to its user base.
It wasn't until July 23rd that Amazon received word from security
(01:49):
researchers that something was wrong.
The company launched an investigation and, to its credit, released a
clean update, version 1.85.0, just 24 hours later.
An Amazon spokesperson confirmed the breach to BleepingComputer, stating,
quote, "Security is our top priority.
We quickly mitigated an attempt to exploit a known issue in
(02:10):
two open source repositories.
No customer resources were impacted."
End quote.
A deeper forensic analysis by AWS Security revealed that the
injected code was targeting Q Developer CLI command execution.
The company revoked credentials, removed the unauthorized code,
and reissued the extension.
(02:30):
Amazon insists that because the code was improperly formatted,
it posed no actual risk.
However, some researchers have said the code could run, though
it still caused no damage.
Still, all of this is the cyber equivalent of two planes getting
way too close together in airspace.
It's a serious incident and needs to be avoided in the future at all
(02:53):
cost. Version 1.84.0 has been pulled from all distribution channels
and users are urged to update to version 1.85.0 immediately.
One of the most sophisticated and rampant cybercrime groups, Scattered
Spider, is once again making headlines.
(03:14):
This time for precision-targeted attacks on VMware's ESXi hypervisors across US
organizations in the retail, airline, transportation and insurance sectors.
According to a new report from the Google Threat Intelligence Group, these
attackers are confirmed to not be relying on zero-day exploits or software flaws.
(03:34):
Instead, as with previous reporting, they continue to lean on near-flawless
social engineering to get around even mature security programs.
Here's how Google broke it down.
First,
the attackers begin by impersonating an employee calling the IT help desk
to request a password reset for the user's Active Directory account.
(03:55):
With credentials in hand, they move laterally across the target network,
scanning for internal IT documentation to identify high-value targets, particularly
VMware vSphere and domain administrators.
Step two, escalation.
They then locate privileged access management, PAM, systems, gaining
intelligence on security policies and privileged credentials.
(04:17):
With that information they call back, this time impersonating a privileged
admin, and ask for another password reset.
This gives them full control over sensitive systems.
Next, they target the VMware vCenter Server Appliance to control the company's
entire virtual infrastructure, including the ESXi hypervisors that run all
(04:39):
virtual machines on physical servers.
At this level, attackers enable SSH
on the ESXi hosts, reset root passwords and execute a disk swap attack.
This technique allows them to extract the NTDS.dit Active Directory database
by detaching virtual disks from domain controller VMs and attaching them to
(05:00):
attacker-controlled instances, copying the data before restoring the original setup.
Step four, and this is particularly awful, backup destruction.
Scattered Spider doesn't stop there. With control of the hypervisor, they
wipe backup systems, delete snapshots, and erase repositories, cutting
off possible chances for recovery.
(05:23):
Step five, ransomware deployment.
Finally, using SSH access, they deploy ransomware binaries across the
infrastructure, encrypting all virtual machine files in the datastore.
According to Google, a full attack chain from initial access to ransomware
deployment can unfold in just a few hours.
(05:44):
"They're gaining unprecedented control over entire virtualized environments,
bypassing in-guest security controls entirely,"
said a Google spokesperson.
To help defenders stay ahead,
Google's published technical guidance with three key defensive pillars.
Number one, lock down the hypervisor. Harden vSphere with execInstalledOnly,
(06:06):
VM encryption and disabled SSH.
Avoid direct AD joins, delete orphan VMs and force strong MFA.
Two, isolate and authenticate.
Use robust multi-factor authentication for all access points.
Isolate Tier 0 assets like domain controllers and backups
from the systems they secure.
(06:27):
Lastly, detect and recover.
Standard advice here:
centralize logs in a SIEM and alert on key behaviors.
Maintain immutable, air-gapped backups and test recovery against
hypervisor-level compromise.
In a major win for global cybercrime enforcement, law enforcement has
(06:47):
seized the dark web infrastructure of the BlackSuit ransomware operation,
a group linked to hundreds of ransomware attacks on organizations around the world.
The US Department of Justice confirmed the takedown late last
week, stating that authorities executed a court-authorized seizure
of BlackSuit's domains. The gang's
.onion dark websites now display a seizure banner from US
(07:11):
Homeland Security Investigations, revealing that the operation, code-named
Operation Checkmate, involved coordinated international
law enforcement action.
BlackSuit is the latest alias of a ransomware lineage that includes Royal and
possibly even earlier ransomware families.
The group is known for data extortion campaigns and leveraging remote
(07:31):
management tools and living-off-the-land techniques to gain and maintain
access inside victim networks.
One of BlackSuit's major hacks was the 2024 hit on CDK Global, a SaaS
platform for car dealerships, that caused weeks of havoc across North America.
Now researchers warn BlackSuit may already be rebranding. On Thursday,
(07:55):
Cisco Talos reported signs BlackSuit is resurfacing as Chaos ransomware.
Analysts noted similar tactics, encryption behaviors, and ransom
note structure between Chaos and the previous BlackSuit campaigns.
Quote, "Talos assesses with moderate confidence that the new Chaos ransomware
group is either a rebranding of BlackSuit or operated by some of its former members."
(08:18):
Allianz Life Insurance Company of North America has confirmed a significant
data breach impacting the personal information of a majority of its
1.4 million US customers, financial professionals, and select employees.
In a statement issued to the BBC, Allianz's German parent company said
that on July 16th, 2025, a malicious actor gained unauthorized access to a third
(08:41):
party cloud-based customer relationship management system used by Allianz Life.
The attackers reportedly used social engineering techniques to compromise
the system, bypassing technical defenses by targeting people.
According to Allianz, only Allianz Life systems were affected, and
there is no evidence that their core corporate network or policy
administration systems were accessed.
(09:03):
That's good news.
The company emphasized that the breach did not extend to its global customer
base, which exceeds 125 million people.
The breach was disclosed in a legal filing with Maine's Attorney
General's office in the US.
The company said it took immediate action to contain the incident,
has notified the FBI and is actively contacting affected
(09:23):
individuals to provide assistance.
This breach highlights the continued threat posed by social engineering. In
previous updates from law enforcement, Scattered Spider was known to be
targeting insurance companies.
It's unknown if Allianz was one of the organizations hit by
Scattered Spider, but it's likely.
(09:45):
This breach highlights the growing risk posed by third-party cloud platforms,
especially those integrated into critical customer-facing systems.
It's critical that organizations look at access and identity and how
those are going to be secured, and in particular, given the wake of the
Clorox lawsuit against IT giant Cognizant, that IT help desk processes
(10:08):
are hardened against social engineering.
As investigations continue, this incident serves as a stark reminder for companies
to scrutinize third-party access, educate staff on social engineering, and implement
robust multifactor authentication across all vendor platforms.
As always, stay skeptical and stay patched, and don't ever give AI
(10:31):
agents, or humans for that matter, direct access to prod. Ever.
We're always interested in your opinion, and you can contact us at
editorial@technewsday.ca or leave a comment under the YouTube video.
As well, a small ask.
Help us spread the word about Cybersecurity Today.
Give us a like or subscribe.
Leave us a review on your favorite podcasting platform.
(10:53):
And if you like the show, please tell others.
We'd love to grow our audience even more, and we need your help.
I've been your host, David Shipley.
Jim Love will be back on Wednesday.
Thanks for listening.