Amazon AI Tool Hacked, Scattered Spider Attacks VMware, and Major Ransomware Takedown | Cybersecurity Today

Episode Transcript

Amazon AI coding agent hacked to inject data wiping commands. Scattered Spider is running a VMware ESXi hacking spree. BlackSuit ransomware extortion sites seized in Operation Checkmate. And insurance giant says most US customer data stolen in recent cyber attack.

This is Cybersecurity today, and I'm your host, David Shipley.

Coming to you from beautiful Fredericton New Brunswick.

A security scare hit Amazon's generative AI powered coding tool, the Q Developer extension for Visual Studio Code, after a hacker managed to inject rogue data wiping code into the project's GitHub repository.

Available on Microsoft's Visual Studio Code Marketplace, Amazon Q has racked up nearly 1 million installs.

It helps developers code, debug, write documentation, and set up configurations, powered by generative AI.

But on July 13th, a GitHub user going by the alias lkmanka58 submitted a pull request that slipped past Amazon's defenses.

Due to what's believed to be a misconfigured workflow or weak permissions management, the malicious code was merged into the official project.

The hacker's code didn't execute successfully, thankfully, but it contained a prompt designed to wipe systems and cloud resources.

A message, it seems, meant to highlight weaknesses in how AI development tools are secured.

Amazon was unaware of the breach and had published a compromised version, 1.84.0, to the VS Code Marketplace on July 17th, making it publicly available to its user base.

It wasn't until July 23rd that Amazon received word from security researchers that something was wrong.

The company launched an investigation and, to its credit, released a clean update, version 1.85.0, just 24 hours later.

An Amazon spokesperson confirmed the breach to BleepingComputer, stating, quote, "Security is our top priority. We quickly mitigated an attempt to exploit a known issue in two open source repositories. No customer resources were impacted." End quote.

A deeper forensic analysis by AWS Security revealed that the injected code was targeting Q Developer CLI command execution.

The company revoked credentials, removed the unauthorized code, and reissued the extension.

Amazon insists that because the code was improperly formatted, it posed no actual risk.

However, some researchers have said the code could run, though it still caused no damage.

Still, all of this is the cyber equivalent of two planes getting way too close together in airspace.

It's a serious incident and needs to be avoided in the future at all cost.

Version 1.84.0 has been pulled from all distribution channels, and users are urged to update to version 1.85.0 immediately.

One of the most sophisticated and rampant cybercrime groups, Scattered Spider, is once again making headlines.

This time for precision targeted attacks on VMware's ESXi hypervisors across US organizations in the retail, airline, transportation, and insurance sectors.

According to a new report from the Google Threat Intelligence Group, these attackers are confirmed to not be relying on zero-day exploits or software flaws.

Instead, as with previous reporting, they continue to lean on near flawless social engineering to get around even mature security programs.

Here's how Google broke it down.

First, the attackers begin by impersonating an employee, calling the IT help desk to request a password reset for the user's Active Directory account.

With credentials in hand, they move laterally across the target network, scanning for internal IT documentation to identify high value targets, particularly VMware vSphere and domain administrators.

Step two, escalation.

They then locate privileged access management (PAM) systems, gaining intelligence on security policies and privileged credentials.

With that information they call back, this time impersonating a privileged admin, and ask for another password reset.

This gives them full control over sensitive systems.

Next, they target the VMware vCenter Server Appliance to control the company's entire virtual infrastructure, including the ESXi hypervisors that run all virtual machines on physical servers.

At this level, attackers enable SSH on the ESXi hosts, reset root passwords, and execute a disk swap attack.

This technique allows them to extract the NTDS.dit Active Directory database by detaching virtual disks from domain controller VMs and attaching them to attacker controlled instances, copying the data before restoring the original setup.

Step four, and this is particularly awful, backup destruction.

Scattered Spider doesn't stop there. With control of the hypervisor, they wipe backup systems, delete snapshots, and erase repositories, cutting off possible chances for recovery.

Step five, ransomware deployment.

Finally, using SSH access, they deploy ransomware binaries across the infrastructure, encrypting all virtual machine files in the datastore.

According to Google, a full attack chain from initial access to ransomware deployment can unfold in just a few hours.

"They're gaining unprecedented control over entire virtualized environments, bypassing in-guest security controls entirely," said a Google spokesperson.

To help defenders stay ahead, Google's published technical guidance with three key defensive pillars.

Number one, lock down the hypervisor. Harden vSphere with execInstalledOnly, VM encryption, and disabled SSH.

Avoid direct AD joins, delete orphan VMs, and force strong MFA.

Two, isolate and authenticate.

Use robust multi-factor authentication for all access points.

Isolate Tier 0 assets like domain controllers and backups from the systems they secure.

Lastly, detect and recover.

Standard advice here: centralize logs in a SIEM and alert on key behaviors.

Maintain immutable, air-gapped backups and test recovery against hypervisor level compromise.

In a major win for global cybercrime enforcement, law enforcement has seized the dark web infrastructure of the BlackSuit ransomware operation, a group linked to hundreds of ransomware attacks on organizations around the world.

The US Department of Justice confirmed the takedown late last week, stating that authorities executed a court authorized seizure of BlackSuit's domains.

The gang's .onion dark websites now display a seizure banner from US Homeland Security Investigations revealing the operation code name, Operation Checkmate, which involved coordinated international law enforcement action.

BlackSuit is the latest alias of a ransomware lineage that includes Royal and possibly even earlier ransomware families.

The group is known for data extortion campaigns and for leveraging remote management tools and living off the land techniques to gain and maintain access inside victim networks.

One of BlackSuit's major hacks was the 2024 hit on CDK Global, a SaaS platform for car dealerships, that caused weeks of havoc across North America.

Now researchers warn BlackSuit may already be rebranding.

On Thursday, Cisco Talos reported signs BlackSuit is resurfacing as Chaos ransomware.

Analysts noted similar tactics, encryption behaviors, and ransom note structure between Chaos and the previous BlackSuit campaigns.

Quote, "Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of BlackSuit or operated by some of its former members."

Allianz Life Insurance Company of North America has confirmed a significant data breach impacting the personal information of a majority of its 1.4 million US customers, financial professionals, and select employees.

In a statement issued to the BBC, Allianz Life's German parent company said that on July 16th, 2025, a malicious actor gained unauthorized access to a third party cloud-based customer relationship management system used by Allianz Life.

The attackers reportedly used social engineering techniques to compromise the system, bypassing technical defenses by targeting people.

According to Allianz, only Allianz Life systems were affected, and there is no evidence that their core corporate network or policy administration systems were accessed.

That's good news.

The company emphasized that the breach did not extend to its global customer base, which exceeds 125 million people.

The breach was disclosed in a legal filing with Maine's Attorney General's office in the US.

The company said it took immediate action to contain the incident, has notified the FBI, and is actively contacting affected individuals to provide assistance.

This breach highlights the continued threat posed by social engineering. In previous updates from law enforcement, Scattered Spider was known to be targeting insurance companies.

It's unknown if Allianz was one of the organizations hit by Scattered Spider, but it's likely.

This breach highlights the growing risk posed by third party cloud platforms, especially those integrated into critical customer facing systems.

It's critical that organizations look at access and identity and how those are going to be secured, and in particular, in the wake of the Clorox lawsuit against IT giant Cognizant, that IT help desk processes are hardened against social engineering.

As investigations continue, this incident serves as a stark reminder for companies to scrutinize third party access, educate staff on social engineering, and implement robust multifactor authentication across all vendor platforms.

As always, stay skeptical and stay patched, and don't ever give AI agents, or humans for that matter, direct access to prod. Ever.

We're always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video.

As well, a small ask.

Help us spread the word about Cybersecurity Today.

Give us a like or subscribe.

Leave us a review on your favorite podcasting platform.

And if you like the show, please tell others.

We'd love to grow our audience even more, and we need your help.

I've been your host, David Shipley.

Jim Love will be back on Wednesday.

Thanks for listening.
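Editor's added example, not part of the episode or of Google's published guidance: detection logic for the hypervisor-level steps of the Scattered Spider chain described above (SSH enabled on an ESXi host, root password reset, and a disk swap that moves a domain controller's virtual disk to another VM). The event records are constructed for this example and use a simplified schema of my own; the field names, the Tier 0 VM list, the 30-minute swap window, and the host and user names are assumptions, not vCenter's native event types or anyone's real environment.

```python
"""Flag hypervisor-level tradecraft in a stream of simplified vCenter/ESXi
events. Constructed example data and a made-up event schema (assumption):
real deployments would map vCenter audit events into these records first."""

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str          # ssh_enabled | root_password_changed | disk_detached | disk_attached
    host: str          # ESXi host the action applied to (assumed name)
    user: str          # vSphere principal that performed it (assumed name)
    vm: str = ""       # VM affected (disk events only)
    disk: str = ""     # backing VMDK path (disk events only)


@dataclass(frozen=True)
class Alert:
    kind: str
    ts: datetime
    detail: str


# Assumed inventory: VM names treated as Tier 0 (domain controllers).
TIER0_VMS = frozenset({"dc01", "dc02"})
# A Tier 0 disk attached to a *different* VM within this window is a swap.
SWAP_WINDOW = timedelta(minutes=30)


def detect(events, tier0=TIER0_VMS, window=SWAP_WINDOW):
    """Return alerts in time order.

    SSH enablement and root password changes on a host are flagged
    unconditionally (the guidance is to keep SSH disabled). A disk swap is
    flagged when a disk detached from a Tier 0 VM is attached to another VM
    within `window`; re-attaching it to the same VM is not flagged."""
    alerts = []
    pending = {}  # disk path -> (detach time, source VM) for Tier 0 detaches
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "ssh_enabled":
            alerts.append(Alert("ssh_enabled", ev.ts,
                                f"SSH enabled on {ev.host} by {ev.user}"))
        elif ev.kind == "root_password_changed":
            alerts.append(Alert("root_password_changed", ev.ts,
                                f"root password reset on {ev.host} by {ev.user}"))
        elif ev.kind == "disk_detached" and ev.vm in tier0:
            pending[ev.disk] = (ev.ts, ev.vm)
        elif ev.kind == "disk_attached" and ev.disk in pending:
            detached_at, source_vm = pending.pop(ev.disk)
            gap = ev.ts - detached_at
            if ev.vm != source_vm and gap <= window:
                alerts.append(Alert("disk_swap", ev.ts,
                                    f"{ev.disk} moved from {source_vm} to {ev.vm} "
                                    f"{gap.seconds // 60} min after detach, by {ev.user}"))
    return alerts


# Constructed sample: one intrusion at 02:00, then benign disk activity.
T0 = datetime(2025, 7, 24, 2, 0)


def _at(minutes):
    return T0 + timedelta(minutes=minutes)


HOST = "esx01.corp.example"
DC01_DISK = "[ds1] dc01/dc01.vmdk"
SAMPLE_EVENTS = [
    Event(_at(0), "ssh_enabled", HOST, "svc-vsphere-admin"),
    Event(_at(3), "root_password_changed", HOST, "svc-vsphere-admin"),
    Event(_at(10), "disk_detached", HOST, "svc-vsphere-admin", vm="dc01", disk=DC01_DISK),
    Event(_at(12), "disk_attached", HOST, "svc-vsphere-admin", vm="staging-tmp", disk=DC01_DISK),
    # Attacker restores the disk afterwards; staging-tmp is not Tier 0, so no new alert.
    Event(_at(40), "disk_detached", HOST, "svc-vsphere-admin", vm="staging-tmp", disk=DC01_DISK),
    Event(_at(41), "disk_attached", HOST, "svc-vsphere-admin", vm="dc01", disk=DC01_DISK),
    # Benign: a non-Tier 0 disk detached and re-attached to the same VM.
    Event(_at(300), "disk_detached", "esx02.corp.example", "backup-svc", vm="app01", disk="[ds2] app01/app01.vmdk"),
    Event(_at(301), "disk_attached", "esx02.corp.example", "backup-svc", vm="app01", disk="[ds2] app01/app01.vmdk"),
    # Edge case: Tier 0 disk moved, but an hour later, outside the swap window.
    Event(_at(600), "disk_detached", HOST, "ops-admin", vm="dc02", disk="[ds1] dc02/dc02.vmdk"),
    Event(_at(660), "disk_attached", HOST, "ops-admin", vm="old-vm", disk="[ds1] dc02/dc02.vmdk"),
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.ts:%H:%M} {a.kind:22} {a.detail}")
```

Run stand-alone it prints the three alerts from the intrusion and nothing for the benign or out-of-window activity. In practice the value of the disk swap rule comes from the Tier 0 inventory being accurate and from the window being short; widen it and legitimate storage migrations start to match, narrow it and a patient attacker slips through, so the raw detach and attach events on Tier 0 VMs should still land in the SIEM for manual review.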