
Ransomware doesn’t just freeze computers – it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai Hulud” has wriggled its way through more than 180 npm packages, quietly stealing secrets.
But it’s not all doom and gloom – unless you count your kitchen appliances turning into ad billboards.
All this and more is discussed in episode 436 of the award-winning “Smashing Security” podcast with cybersecurity veteran and keynote speaker Graham Cluley, and his special guest Zoë Rose.
Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Well, actually, I haven't got a pick of the week. What? No. That's rubbish. I've got... Excuse me. It's my podcast, not yours. Smashing Security, Episode 436. The 600,000 euros gold heist powered by ransomware with Graham Cluley. Hello, hello, and welcome to Smashing Security episode 436. My name's Graham Cluley. And I'm Zoe Rose. Zoe, welcome back to the show. It's been a while, lovely to have you back on.
Yeah, every time I'm on, something new happens in my life. Now I've got a cat, so.
Oh, fantastic. You know, you don't have to go out and buy a cat just to come on the podcast. You could just say, hey, Graham, can I come on the podcast?
What, now you tell me? I've got a bloody cat, though.
Oh, well, that's your problem, isn't it? Well, before we kick off, let's thank this week's wonderful sponsors, 1Password and Vanta. We'll be hearing more about them later on the show. This week on Smashing Security. We're not going to be talking about how flights were cancelled or delayed across Europe after a cyber attack targeted Collins Aerospace's MUSE software. You'll hear no discussion of how two UK teenagers have been charged for a cyber attack on Transport for London that resulted in £39 million worth of losses. And we won't even mention how a US teenager has surrendered to police in Las Vegas and been charged with hacking into casinos as part of the Scattered Spider gang. So Zoe, what are you going to talk about this week?
Well, I'm going to talk about Shai-Hulud, the supply chain attack.
Terrific. And I'll be discussing hackers and heists. All this and much more coming up on this episode of Smashing Security. Now, chums, if you've been following the cyber security headlines lately, you'll know, this isn't news to any of you, that ransomware continues to be a big problem. We've had JLR. You know, when I first heard the headline that JLR had been hit by a ransomware attack, I mixed them up with that pop group, JLS. And I thought maybe they'd been hit instead. But it turns out JLR is completely different. It's Jaguar Land Rover. They look like they're going to be shut down for weeks. They're bleeding £72 million every day while its production lines are gathering dust. Meanwhile, their suppliers, they've been disrupted. They've been telling their staff, stay at home, or they've been laid off amid fears that some of these companies may go bust or won't survive. So that was JLR, pretty nasty stuff.
Yeah. That makes sense, though, because some suppliers might only supply to them. Absolutely, totally relevant, though.
It'd be a huge customer. Yeah. And if that customer isn't ordering new parts, because your production line isn't moving,
you're no longer making money. Do they also have a just-in-time production line? I don't know, so it would make an even bigger impact. They're just creating as demand.
I don't know. Anyway, so that's been going on. And we've had this European airports fiasco just this last weekend. Heathrow, Brussels, Berlin, all brought to their knees because someone decided to attack Collins Aerospace's check-in systems. It caused flight cancellations, delays. Staff were forced to manually write out boarding passes like it was 1975. It's remarkable how everything grinds to a halt when you're so reliant on technology and that technology is suddenly sort of scooped away from you.
Do you know what? It's funny because I was thinking back to when I worked in retail many, many years ago, I had to write credit card things on paper because the systems were down. And it's like, I'm using technology that's older than me.
Did you have to use one of those things? Yeah, I did. Where you just have to pull it over and make the copy of it.
Yeah, yeah. And I was just like, what is this thing? And they had to teach me how to use it. I'd never seen one before.
Well, anyway, there is one attack that many people listening to this podcast will not have heard about. You've heard about JLR, you've heard about the airports. But this one hasn't really made the headlines very much outside of France. Because in late July, the Muséum national d'Histoire naturelle, which is the Natural History Museum, en Paris, in Paris. I'm translating all of this for those people who don't speak baguette. It was hit by what officials diplomatically described as a massive ransomware attack, a massive attack, as it is known. And if you thought that dinosaurs were wiped out quickly by a meteorite 65 million years ago, that is nothing compared to how rapidly the museum's computer network got knocked for six when it got hit by this ransomware. So this attack affected all of the museum sites. Apparently it has marine research stations as part of the museum. I have no idea why.
So I never had them as a client, but I did chat with a museum when I was a consultant and they were talking about their needs. And it's interesting because a museum, you don't realise how many people actually work there. Because you also have visiting scientists and you're visiting people that do restoration. You have all these different things. And then you've got such data because if you're scanning something because you're trying to figure out what's inside of it, the images are just massive. So actually, the amount of data in a museum and the amount of people affected is insane. You would never have guessed it.
Well, I was surprised as well because when I was reading this report, it said that this attack had disrupted the work of 600 scientists attached to the museum. They've lost access to between 30,000 euros to 50,000 euros in research funding. So it has this knock-on effect. And, well, look, I don't know about you, Zoe, I don't know how much you love a museum.
I love museums, especially natural history museums. They're so lovely.
Well, I had really been looking forward to the Natural History Museum in Paris, its upcoming Tropical Autumn Palms, Treasures and Secrets exhibition. And I know what you're thinking. Oh, no, not the palm exhibition. And I'm afraid, yes, the palm exhibition was disrupted. It has been delayed because of this attack. So you won't be able to go there and check out the beautiful palms and the treasures and the secrets of tropical autumn anymore. Now, an exhibition, even a palm one, is a big deal for a museum.
Yeah. Well, I mean, museums, as far as I'm aware, they're not these big profit machines. They generally meet what they can and then, you know, need support to do research and everything. And it's critical, I think, to society to know all of this information, historic, current events, record things happening in our society. So loss of funds, that's quite concerning because generally, if you get money from the government, if you don't use it, you don't get more. It doesn't come back the next year, right? So I don't know what they're going to do.
And if you can't show people coming through the doors, you're not going to get as much funding, obviously. Because if you don't prove that you're popular. And also, the thing with museums, there's loads of old stuff in there. So if you've been to see it once, you're not necessarily going to think, oh, they'll have added lots more stuff in the last year. That's why they have regular exhibitions. Because if you go to Le Louvre, for instance, and you see the Mona Lisa there and everything else, but you look at the Mona Lisa and you say, well, that's very impressive. You know, a good painting, many people would say, even though it doesn't have eyebrows.
No complaining about the lack of eyebrows.
Well, all right. Look, there's nothing wrong with not having eyebrows. But if you are a painter and you're painting somebody. What if the
person he painted didn't have eyebrows? I don't have eyebrows. I've got mine tattooed on.
Oh, really? Yeah, this is fascinating. You are cyber security's equivalent to the Mona Lisa, is what you're saying, basically. But the thing is, an exhibition is a big deal for a museum. It's what draws people in. For a museum, cancelling an exhibition, this palm exhibition which got cancelled, it's a bit like McDonald's running out of chips. It's humiliating, it costs money, people start asking uncomfortable questions about your competence.
I imagine researchers are not going to want to go there.
Right. Because, well, we haven't got anything for us to have a look at.
Well, no, I meant more because they would want to do that to collaborate and build their research.
Ah, yes, yes. Because they just think, oh, they would say. They are clearly, I don't know why I laughed in a French fashion, but you are clearly amateurs, you would say. And it's not as if French museums haven't been hit by ransomware before. Last year, cyber criminals struck during the Paris Olympics. They hit a computer system that centralised the financial data from stores located within 40 museums in France, including the Louvre, and they demanded a ransom. So, museums in France getting hit by cyber criminals. And the thing is, when it comes to a ransomware attack, the damage rarely stops where you expect it to, right? There is the immediate impact and, oh dear, our files are encrypted. Are we going to recover from a backup? What are we going to do about the extortion? Let's close any security holes, which maybe the cyber criminals are coming through. There can be serious repercussions on a ransomware attack. A couple of months ago, a German phone repair and insurance company, they filed for bankruptcy after being hit by ransomware.
And how many businesses couldn't run without any income for a certain amount of time, or even just run paying employees, essentially, for a certain amount of time. There's a limit to everybody's capability. Budgets are very limited.
There's a limit to what people and what firms can put up with. Let's go to Belgium. In 2024, a Belgian brewery suffered what was considered a genuine national emergency. Yes, Belgium suffered an attack on its critical national infrastructure when it found out its beer supply had been hit. I mean, attacking a country's water supply is one thing. And so, basically, what I'm saying, Zoe, is that ransomware is a serious problem. And there can be repercussions beyond the actual data encryption.
Well, also the people. I mean, the person that probably, was it phishing related? I don't know, but it could very well have been. That's a very common approach. How did they feel knowing that they caused this probably big outage? The responding team, the technical team, they're probably overwhelmed and exhausted. The stress on the employees not knowing what's going to happen to their job, especially in a time right now, the mental load as well for the employees, for the people responding, all of that together, on top of the business just trying to sustain itself, those are all going to have a massive impact. And not just an impact for the next couple of months, for the next couple of years.
Could well do. And this is what the impact has been for this Museum of Natural History in Paris, because there has been a repercussion. Last week, Tuesday morning, cleaners went to work as normal to make sure that the Natural History Museum building in the heart of the Jardin des Plantes, Plant Garden, in the fifth arrondissement of Paris, fifth bit of Paris, was spick and span. And I guess they were dusting the brontosaurus. You know, that's their kind of job. And imagine, quelle horreur, that they must have felt in scenes akin to a heist movie. I don't know what your favourite heist movie is, Ocean's Eleven, Ocean's Twelve, Ocean's Thirteen, One of Our Dinosaurs Is Missing, one of the great movies. Anyway, in scenes akin to that, a robbery had taken place. Bad guys had broken in. They'd headed to the geology and mineralogy gallery. They attacked a reinforced display case containing several gold nuggets.
Ah, okay. I was like, what, are they going to steal a dinosaur?
No, no, no. With an angle grinder and a blowtorch. They broke in. They took the collection worth 600,000 euros. Oh, bloody hell. Gold, of course.
Is only going to get more valuable.
Right. And gold is easier to resell than precious stones.
You could just melt it.
Exactly. You just put it in a George Foreman grill. Just put it in something that hot. There's nothing quite, nothing can withstand the heat of molten cheese. So you just put it in one of those, a piece of gold. You can melt it down, as it probably already has been. And these apparently were scientific specimens. I know. With an immeasurable heritage value. I think from all kinds of places around the world, which have been dug up or old examples. They're now probably in some criminal's mouth, you know, as gold fillings.
Oh, I heard about another bracelet, a really ancient bracelet that was essentially melted down and sold for 4K or something. But it was worth insane amounts. That's so depressing.
It is. And here's the cybersecurity link. According to a police source, this criminal team were apparently really well informed because the alarm and video surveillance systems had been out of service for several weeks due to, and yes, you guessed correctly, due to the ransomware attack.
I bet you they're doing an internal audit now as well. Can you imagine? Oh, that's so sad.
So ransomware attacking your computer systems may have knock-on effects, which you wouldn't have possibly imagined.
Well, I have to say, this is a negative, but it is more positive than I thought you were going to say when I was talking about mental health of employees. So I'm happy it was... I know it's sad, but I'm happy this was the result versus something else being gruesome scenes.
So it sounds like this wasn't some opportunistic burglar who just stumbled upon a vulnerability while looking for a place to relieve themselves and thought, I'll just go into the museum for a pee and, oh, there's some gold which I'll pinch. This appears to be someone who did their homework, realised the ransomware attack had effectively turned their museum into a barn with the door left swinging open in the wind, you know, because the systems which normally they would have had there to determine that a burglary was happening there and then and set off the alarms and informed the police, but it only actually got spotted by the cleaners the following morning. So this is what I'm wondering. We've spoken many times in the past about how conventional criminal gangs have turned to cybercrime, maybe because of the vast amount of money they can make or because it's less risky than getting personally involved. You don't have to drive your Ford Transit van up to the sub post office and mug an old lady and, you know, pinch the money from there. Instead, you can do it all via computers. Could we now see more traditional thieves thinking, you know what? The hackers could help us in our traditional thievery. So I'm not suggesting necessarily that the ransomware gang behind the July attack were necessarily WhatsApping the gold thieves with updates like, hey guys, the cameras are down and now's your chance. Go, go, go. Yeah, allons-y. But what's worrying is the possibility that different criminal enterprises are monitoring each other's activities or just simply reading the newspapers and thinking, oh, I wonder how their security is right now.
But let's be honest, in my opinion, the likelihood is, for companies hit by ransomware, okay, a lot of organisations separate CCTV cameras from their internal infrastructure. They're two separate infrastructures. Not everyone, but I assume most. I could be wrong, but I wouldn't assume if you were hit with ransomware your camera system is. I also feel like it's more likely that somebody internal is, hey, well, look what's going on here.
I... the way your mind works. Sorry. I think that suddenly will be something which the police will be investigating, isn't it? Well, they'd have to. Whether it could have been someone internal who knew that the systems were down and had not been replaced by a couple of webcams, which is the other thing that they could have done. They could have.
I'm shocked that they didn't. I'm not going to lie. I am absolutely shocked.
You just thought you could have Heath Robinson some devices up.
You could use an old Android phone, because isn't there an app you can put on it? Somebody's got one in their basement.
A baby monitor. That's all you'd need. You could? Just have a baby monitor. God, you could do so many things. There's actually a lot of
Yeah, my daughter, my youngest, she is a proficient climber. So she could very much steal so many things from a museum without any cameras. Granted, she probably wouldn't go for gold. She'd probably go for the dinosaurs.
Zoe, what have you got for us this week?
Well, mine is not as exciting.
Oh, I'm sure it is.
No, I'm just talking about the supply chain attack. Let's see if I say it right. Shai-Hulud, I think. Shai
Hulud, I think. Shai-Hulud?
I don't know. Apologies to everyone that I'm butchering the name. But it's the attack where essentially the threat actors were able to compromise over 40 developer accounts and publish more than 700 malicious package versions to the npm registry.
So this is what's called an npm supply chain attack, isn't it? npm, or Node Package Manager. That's used by developers to download pre-built code so they don't have to write everything from scratch. And if that pre-built code is compromised, then hackers can compromise the code that developers are using to build their apps rather than attacking applications directly.
Yes. So essentially, your account is compromised. I then see what registries you have. I then deploy under your name malicious things and attack more people, which is great. I mean, if I'm a threat actor, I want a return on my investment, right? So I want to get it in. I want to automate my attack. I want to spread it as far as possible. So if the original author changes something, you won't know, but you'll still be using it. So you have to validate it's doing what you expect of it. But as we know, we're not so good at that. Integrity checks are not something we're the most robust at. Yeah. We've had many attacks where, if you remember, when the ICO, I think it was the ICO, had a crypto miner on its own website. It was a script that they had called from a third party, but didn't validate. And so it installed a crypto miner on their website, which, if you don't know who the ICO is, that's pretty funny because essentially they're the people that will get mad at you and give you fines if you don't do something you're supposed to be doing.
If you come into a bit of a pickle when it comes to people's privacy and controlling their data, for instance, you may well find yourself knowing who the ICO are rather more than you wanted to.
Exactly. So it was hilarious when a few years ago they got a crypto miner installed. So this is not a new thing, right? But the thing that stood out to me is, if you read about it, they say, you know, it's a self-propagating worm. But the thing I liked is there were many versions of it. And the researchers found that throughout the versions, there were slight changes. So actually, the threat actor is basically doing live testing, deploy it, and then slowly add to it a little bit to make it more effective. You know, so they're doing what my dream analyst would do, which is creating something and then learning, improving the automation, reducing the amount of workload that they have to have the best return on the effort they're putting in. So, you know, maybe this person is professional.
So this is really quite nasty, isn't it? Because this is a worm which is infecting lots of different packages is being used by lots and lots of different developers. It's stealing information from them, passwords, special keys, tokens, stuff that lets you get into other places your computer or cloud storage or GitHub accounts. And then it is publishing those things openly on GitHub where more mischief can be made from those credentials.
Yeah, and anybody that's compromised could then ultimately be restarting their attack because their account is now the initial source, right? It's a third party. Maybe you have an existing relationship with a school or a lawyer and they get compromised and they send you a phishing email, which happens and is very common, actually. It's the same idea. You know, I'm the victim and now I'm enabling the attack to go on. One thing I thought was interesting that I read in one of the articles is the worm targets Linux and macOS, and deliberately skips Windows machines. So that's interesting to me because the person knows their target audience. They're going for developers and the likelihood is they're more likely to be on a Linux or macOS machine.
There's certainly a lot less malware which is written for Mac and Linux, isn't there, than there is for Windows. If you look at the millions and millions of pieces of malware which are being written. And so I think you are more likely to encounter antivirus software, for instance, on a Windows computer than you are on a non-Windows computer. I wonder if that was also a reason why maybe Windows was ignored.
It could be. I kind of feel it's probably because the target audience is these developers, because they're targeting repos that the people have. So, they're going into their account. They're seeing, okay, what repositories do we have? What secrets do you have here? What can I republish? What can I then compromise and cause further issue to other people or other systems? So the target audience are probably more likely to have Linux and Mac. But you're also right in the sense that how many Mac users have you said, do you have antivirus? And they're, well, no, I have a Mac.
So what should developers be doing to counter this, to make sure that they're not spreading on the infection or if they have found it to clean themselves up? What should the steps be?
Yeah, well, I'm going to push it on the company, not just the developers. I mean, the one thing I flagged is automation is super useful, but it's also useful for threat actors, so don't count on it being like, oh well, I'll know and I can stop it in time. No, you know, expect that if your system is compromised you need to react very quickly. Supply chain attacks, again, are not going away; threat actors want a return on investment. So I think integrity checks are very important, making sure that you know where your dependencies are, what they're doing, and what they're supposed to be doing. You need to know your baselines, right? And also, that point that everybody says is, oh, keep things up to date, always update. Well, okay, I'm going to have an asterisk there. It is important to keep things up to date. But when it comes to dependencies, you need to be very careful there. Because what happened here is these packages were compromised, and they were auto-updating to wherever people were making use of them. And so they were auto-updating a compromised package. So yes, update, but validate first. If you have dependencies, maybe do a couple of versions, like a version behind or something, or have a robust process to validate that it isn't doing something naughty before installing it into production. So I can't remember how long these packages were live, but it wasn't an excessive amount of time, if I remember correctly. So having that approach would have theoretically stopped it from being successful for you to install that compromised package. And then to detect possible compromise, they said users are advised to check for new repos or branches. So you know what you're doing. You know what actions you've taken. If you don't remember it, it probably wasn't you. So make sure, in this specific case, make sure that you recognise all the actions that were taken.
Additionally, they also say you should check for public repositories called, oh, for goodness sake, I'm going to say this wrong, Shai-Hulud or Shai... Shai-Hulud, I think. Shai-Hulud.
That's my guess. Listeners, don't at us if we got it wrong.
I apologise. Shai-Hulud Migration, I think, was the other one. That also contained your organisation's name. Review your audit logs. Look for any suspicious API calls. That's what the researchers specifically recommended. Right, cybersecurity. Bit of a faff, isn't it? Everyone nods along in the board meeting and quietly hopes someone else is dealing with it while they go and put the kettle on. I already know where this is going.
People have been paying thousands and thousands of dollars for Samsung smart fridges. And these fridges have been updated, and the update has meant that you are no longer able to opt out of adverts on your flipping smart fridge. I'm not sure why anyone would ever buy a Samsung device in the first place. Their TVs can be just as bad at trying to inject ads to you. But yes, so someone on Reddit posted an image of what is actually appearing on people's screens, warning them that they're now going to be having ads playing inside their kitchen all the time and not being able to stop them. And I just don't know why firms are doing this. I mean, can the meagre amount of money which Samsung is making from these ads be worth the damage which is done to their reputation and customers who will go out into the streets and start screaming at the top of their lungs, never ever buy a Samsung smart device because at some point they will make it display ads? By the way, I'm sure this isn't just a Samsung problem, but they will do for today. So I think it's awful.
I think it's normalised. Prime also started showing ads and you have to pay more to not get ads on Prime.
Well, you know, that's fair enough, you know. No, not fair enough. That's rubbish. I think, excuse me, I think it is fair enough. You can decide whether you want to fill Jeff Bezos's pockets every month or Walt Disney. It's not Walt Disney anymore. There you are paying month to month, right? I am not surprised though. I'm not surprised because everything is moving towards adverts. Anyway, Samsung, you and your smart fridges. Oh, rubbish. You are awarded my nitpick of the week. Zoe, what's your pick of the week?
Well, mine is a pick and a nitpick, actually, at the same time. Oh, well, hello. I like that word. So my pick of the week is a Bosch cordless multifunction tool.
Hang on, what is a Bosch cordless multifunction tool? Is it like a Swiss Army knife? What is it?
It is like a power tool that you can put on so many different heads that it can do so many different things. Like it has a little tiny sander if you want to get in the really tight corners. It's got things you can cut wood with, things you can cut metal with, all these different attachments. It is small as well. So if you're someone like me who, I mean, I have a house, so I've got little renovations I've got to do here or there, but I'm not a professional, well, I'm not a professional, but I'm also not a professional trades person. So I don't really need a million different tools, right? I can get by with small things here and there. This one was actually quite useful for me because I'm currently trying to get carpet glue off my stairs and that is a bloody nightmare. And so this tool was really good for basically scraping it off and then I could sand it down and then I also can sand down the tight corners. I could cut in the garden. I have to do some gardening. So it's cutting the very thick branches because I like not a tree, but like a big, big bush. So it's been really helpful. My nitpick of it is it is Bosch, so it does not have the greatest battery. But I think they have the standard battery so you can use other branded batteries, I'm pretty sure.
Does it display adverts to you while you're cleaning up the wound?
It does not. It is not intelligent, which bring in the whole, if you're clumsy, don't use it because it does not have a safety.
Oh. Yeah. It's not for me. I'm quite clumsy. Fair enough. I would not recommend it if you have young children around. I wouldn't recommend it if you've got an annoying pet. I wouldn't recommend it if you are clumsy because you turn it on and it does not turn off until you turn it off or the battery runs out. Some serious damage could be done with it.
Yes, but it is super useful.
All right, but it's the Bosch cordless multifunction tool. Yeah, I loved it. I loved it. Come on Zoe.
I know, I know, judge me all you want. I am that is a fair point, but you know.
Never mind, it's still your pick of the week and that just about wraps up the show for this week. Thank you so much Zoe for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way to do that?
Check out my website rosesec.com, or I'm most frequent on Bluesky or LinkedIn, but I'm not that frequent, to be fair. So my website's probably the best.
Okay. And of course, we are on social media as well. You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Pocket Casts. For episode show notes, sponsorship info, guest lists and the entire back catalogue of 436 or so episodes, check out smashingsecurity.com. Until next time, from me, cheerio. Bye-bye. Bye. You've been listening to Smashing Security with me, Graham Cluley, and I'm grateful to Zoe Rose for joining us this week. And of course to this episode's sponsors, 1Password and Vanta. And to all of the chums who've signed up for Smashing Security Plus over on Patreon. They include Elbow, Orberus, Godone, Bobby Hendrix, Jamie Forster, Nate M, Nigel Scott, Roy Tate, Steve Lupton, Jay, Kajetan, Kazimini, Ask Leo, Sean, Dr. Herbalist. If you'd like your name to be read out from time to time on the credits at the end of the show, well, that is just one of the pleasures of signing up for Smashing Security Plus for as little as $5 a month. You get your name read out every now and then, as well as early access to Smashing Security episodes, and your episodes of Smashing Security won't come with any adverts. So you may well like that. Now, I realise that times are tough for many people. So don't feel too bad about not being able to support the show financially. You can support us in other ways. So like, subscribe, give five star reviews, all of that stuff which social media people are always saying to you. Or just, you know, be really old fashioned and go up to someone and say, hey, I say, old fellow, have you tried the Smashing Security podcast? Maybe grab their phone from their hands and subscribe to the podcast on their behalf. Actually, maybe you should ask permission first. Whatever it is that you do, it's all really, really appreciated.
I'm very, very grateful indeed that anybody listens to these podcasts, let alone supports them. So thanks very much. Well, I will catch you again next week when we'll have yet another guest. So until then, cheerio. Bye-bye. Thank you.
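The post-compromise checks Zoë relays from the researchers (look for new public repositories named "Shai-Hulud" or "Shai-Hulud Migration", look for new repositories or branches you don't remember creating, and review your audit logs) can be run mechanically over an audit-log export. The script below is an added example written for this page; it is not tooling from the podcast, its hosts or the researchers they cite. It assumes a JSON-lines export whose records carry action, actor, repo, branch, visibility and @timestamp fields, a simplified stand-in for a GitHub audit-log export, and the six sample records embedded in it are constructed.

```python
"""Post-compromise audit-log checks for the Shai-Hulud npm worm.

Added example, not tooling from the podcast or the researchers it cites.
Within a review window it flags new repositories named "Shai-Hulud" or
"Shai-Hulud Migration", new repositories and branches the team does not
recognise, and repositories switched to public. The field names (action,
actor, repo, branch, visibility, @timestamp) are an assumed, simplified
echo of GitHub's audit-log export; the sample records are constructed.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Names the researchers advised searching for; tolerant of "-", "_" or a
# space between the words, and case-insensitive.
INDICATOR_NAME = re.compile(r"shai[-_ ]?hulud(?:[-_ ]?migration)?", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = matches a known indicator, "medium" = confirm it was yours
    actor: str
    detail: str


def _parse_ts(value: str) -> datetime:
    # Export timestamps are RFC 3339 with a trailing "Z"; make them tz-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def scan_audit_log(lines, known_repos, since):
    """Return a list of Findings for events at or after `since` (tz-aware).

    `known_repos` is the team's own inventory of "org/name" repositories.
    Anything created outside it is reported for a human to confirm: if you
    don't remember creating it, it probably wasn't you.
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if _parse_ts(event["@timestamp"]) < since:
            continue
        action = event.get("action", "")
        actor = event.get("actor", "?")
        repo = event.get("repo", "")
        repo_name = repo.split("/", 1)[-1]

        if action == "repo.create":
            if INDICATOR_NAME.search(repo_name):
                findings.append(Finding("high", actor, f"new repo {repo} matches Shai-Hulud naming"))
            elif repo not in known_repos:
                findings.append(Finding("medium", actor, f"new repo {repo} is not in the inventory"))
        elif action == "branch.create":
            branch = event.get("branch", "")
            if INDICATOR_NAME.search(branch):
                findings.append(Finding("high", actor, f"branch {branch} on {repo} matches Shai-Hulud naming"))
            else:
                findings.append(Finding("medium", actor, f"new branch {branch} on {repo}; confirm it was yours"))
        elif action == "repo.visibility_change" and event.get("visibility") == "public":
            findings.append(Finding("high", actor, f"{repo} was switched to public"))
    return findings


# Constructed sample export: one legitimate repo before the window, then a
# burst of activity by one account that looks like the worm at work.
SAMPLE_LOG = """
{"@timestamp": "2025-09-10T09:12:00Z", "action": "repo.create", "actor": "alice", "repo": "exampleorg/billing-api", "visibility": "private"}
{"@timestamp": "2025-09-16T02:41:07Z", "action": "repo.create", "actor": "bob", "repo": "exampleorg/Shai-Hulud", "visibility": "public"}
{"@timestamp": "2025-09-16T02:41:09Z", "action": "repo.create", "actor": "bob", "repo": "exampleorg/billing-api-migration", "visibility": "private"}
{"@timestamp": "2025-09-16T02:41:10Z", "action": "repo.visibility_change", "actor": "bob", "repo": "exampleorg/billing-api-migration", "visibility": "public"}
{"@timestamp": "2025-09-16T02:42:30Z", "action": "branch.create", "actor": "bob", "repo": "exampleorg/billing-api", "branch": "shai-hulud"}
{"@timestamp": "2025-09-17T14:00:00Z", "action": "branch.create", "actor": "alice", "repo": "exampleorg/billing-api", "branch": "feature/invoice-pdf"}
"""
KNOWN_REPOS = {"exampleorg/billing-api", "exampleorg/www"}          # assumed inventory
REVIEW_SINCE = datetime(2025, 9, 15, tzinfo=timezone.utc)            # assumed window start


def run_sample():
    """Scan the constructed export; returns the Findings so a caller can check them."""
    return scan_audit_log(SAMPLE_LOG.splitlines(), KNOWN_REPOS, REVIEW_SINCE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:6}] {f.actor:6} {f.detail}")
```

Against a real export, pass the file's lines to `scan_audit_log` with `since` set to the start of the window in which the compromised package versions were live and `known_repos` filled from your own inventory. "High" findings are indicator hits; "medium" ones are the list of repositories and branches someone has to vouch for, which is exactly the "if you don't remember it, it probably wasn't you" check. Keep the window narrow, or the branch check becomes noise.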
Host: Graham Cluley
Guest: Zoë Rose
Episode links:
- EU cyber agency says airport software held to ransom by criminals – BBC News.
- Teenagers charged over cyber attack on TfL costing millions of pounds – Sky News.
- Teen arrested on suspicion of Vegas Strip attack that cost $100M – SF Gate.
- Paris: cyber-attack hits Natural History Museum, cancels exhibition – Sortira Paris.
- Cybersécurité : le Grand Palais et plusieurs musées dont le Louvre victimes d’une attaque par rançongiciel – Le Parisien.
- “Des pièces de collection nationale”: le directeur du Muséum d’histoire naturelle de Paris indique que les pépites d’or volées ont “une valeur inestimable” – BFMTV.
- Shai-Hulud Supply Chain Attack: Worm Used to Steal Secrets, 180+ NPM Packages Hit – Security Week.
- Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware – Wiz.
- 180+ NPM Packages Hit in Major Supply Chain Attack – Ox.
- Samsung confirms ads will now be shown on its $1,800+ fridges – UniLad.
- Bosch Cordless Multifunction Tool – Bosch.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsored by:
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- Trelica by 1Password – Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps – whether managed or unmanaged.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

