Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
A Red Hat breach of their consulting GitLab server means that network
maps and tokens may be in play.
The CLOP gang targets Oracle E-Business Suite clients with extortion.
Surveys show that Canadian firms feel overconfident in their cyber defenses,
and CISA pulls critical support at the start of Cybersecurity Awareness Month.
(00:25):
This is Cybersecurity Today.
I'm your host, Jim Love.
Red Hat says that an internal GitLab server used by its
consulting team was breached.
The company cut off access, isolated the instance, and says there's no evidence
the incident impacts other Red Hat services or its software supply chain.
(00:48):
An extortion crew calling itself Crimson Collective claims
it stole about 570 gigabytes across 28,000 internal repos, including some 800
customer engagement reports, documents that could contain network information,
configuration data, authentication tokens, and even full database URLs.
(01:13):
They also shared a directory listing on Telegram.
Belgium's Cybersecurity Agency is warning organizations that used Red Hat Consulting
to assume tokens and keys may be exposed and to rotate credentials immediately,
check integrations, and step up monitoring for suspicious
authentication and API activity.
(01:36):
But a quick but important distinction.
This was GitLab, not GitHub.
GitHub says there was no breach of its managed cloud.
This involved Red Hat's self-managed GitLab Community Edition instance,
which customers themselves must patch and lock down.
If those CERs and embedded secrets are real, attackers could walk in
(02:00):
using working tokens and network maps, skipping the front door entirely.
So today's action item: if you've engaged Red Hat Consulting since
2020, revoke and rotate tokens and database credentials, and hunt for
unusual token use in your logs.
(02:21):
Oracle is warning customers after the CLOP extortion group started sending emails directly
to Oracle E-Business Suite clients claiming it had stolen sensitive data.
Now, E-Business Suite, not to be confused with PeopleSoft, which Oracle acquired
and still operates separately, is Oracle's longstanding ERP system.
(02:42):
It's used by tens of thousands of large enterprises and government agencies
to run core financials, HR, payroll, supply chain, and customer management.
Just for context, in 2024, Oracle overtook SAP as the number one ERP
vendor by revenue, pulling in 8.7 billion versus SAP's 8.6. CLOP's
(03:09):
messages threaten to leak financial records, HR data, customer
lists, and supply chain files unless ransom demands are paid.
Oracle says its networks and software supply chain weren't breached.
But if CLOP's claims are correct, logic dictates this isn't random.
It suggests a weakness in E-Business Suite deployments that
(03:32):
affects a broad set of customers.
Experts say there is strong evidence this really is CLOP, and history shows why that matters.
This gang pulled off some of the most damaging enterprise
attacks of the past five years, including Accellion's FTA platform,
a zero day in SolarWinds, a zero day in GoAnywhere MFT and the dreaded MOVEit
(03:55):
Transfer campaign, which became the largest ever zero day that enabled data
theft from 2,773 organizations worldwide.
That track record explains why this extortion should be taken seriously,
and it raises the bar for Oracle.
Simply denying involvement isn't going to be enough.
(04:18):
Customers are going to need clear guidance on what kind of data could
be realistically exposed in these EBS deployments and what defensive
steps they need to take immediately.
And a new survey suggests that Canadian businesses are far too
confident in their cyber readiness.
KPMG in Canada polled 500 executives.
(04:40):
86% said they were confident their firms could withstand an attack, but more than
half, 55%, admitted they'd already suffered at least one breach in the past two years.
And the report highlights a dangerous confidence gap.
Despite over half of them having faced attacks, only 38% of companies say
(05:04):
they've adopted zero trust security, fewer than half regularly test their
incident response plans, and just over half have invested in advanced detection
tools like continuous monitoring.
Sammy Curry, head of the Federal Government Cybersecurity
Program, told BNN Bloomberg:
The first thing I would say is don't underestimate the threat.
(05:27):
Don't assume that because you're an SME that you're not going to
be a victim of a cyber incident.
He warned that small and medium businesses are often part of
larger supply chains, making them attractive entry points for attackers.
They're also frequent targets for ransomware, phishing and
credential theft because of weak passwords and limited defenses.
(05:50):
Now, a second survey by the Insurance Bureau of Canada
makes this point even clearer.
Only half of SMEs believe they're vulnerable, but of those only 6% think an
incident will actually happen to them.
That's complacency, and it leaves firms exposed.
(06:13):
The bottom line is whether you're a large enterprise or an SME,
confidence isn't resilience.
The numbers suggest that Canadian firms need to make plans, test those plans,
and take these threats seriously, because the attackers already do.
In Washington, most of the headlines are about the government shutdown and the agencies
(06:35):
being forced to scale back as a result.
But while that's grabbed attention, a separate and equally damaging
closure has slipped under the radar.
The US Cybersecurity and Infrastructure Security Agency, CISA, has ended
its agreement with the Center for Internet Security, or CIS.
(06:57):
That agreement gave state and local governments across the US access to
free cybersecurity tools and resources.
These were the Albert intrusion detection sensors, threat intelligence
feeds, and incident response support.
The Albert sensors are one of the only intrusion detection tools many
small towns can afford, and without the CISA-CIS deal, they'll go dark.
(07:23):
Losing this support is not part of the shutdown that's going on in the US.
It's a separate decision, and it couldn't come at a worse time.
We're seeing ransomware gangs, foreign-backed actors, supply
chain breaches, all of them hitting government networks almost weekly.
Local governments and small agencies are among the weakest links.
(07:45):
Taking away one of the most trusted sources of defense in the middle of a
shutdown is like pulling firefighters off duty while the forest is already burning.
Yes, there may be some duplication, and yes, CISA's federal mission is
stretched, but the reality is simple.
Cybersecurity is only as strong as the weakest link. State and local
(08:07):
governments are where attackers often start, and removing CIS support
now doesn't just weaken them.
It weakens the entire US security ecosystem.
And the irony?
This announcement comes at the very start of Cybersecurity Awareness Month.
Instead of reinforcing support, CISA is cutting it back in
(08:29):
the middle of a shutdown.
The US has managed to create a second shutdown in cybersecurity
support, exactly the wrong move at the wrong time.
And that's our show.
As a reminder, on Saturday, our month in review panel will be here with a look
back at the issues we've covered and some deeper discussion on the themes
(08:51):
for Cybersecurity Awareness Month.
I'm your host, Jim Love.
Thanks for listening.