A cyberattack targeting a Victorian company has resulted in the exposure of personal data belonging to thousands of victims of family violence and sexual assault, as well as about 60,000 current and former students at Melbourne Polytechnic.

Monash Health Data Breach

Monash Health, the state's largest health service, confirmed it was caught in the cross-hairs of a data breach, which also affected government entities that were clients of the company ZircoDATA.

The digital world continues to spin at breakneck speed, and this week's TCE Cyberwatch brings you the latest updates on the ever-present dance between innovation and security. We delve into the exciting possibilities of Artificial Intelligence (AI), from its role in boosting corporate profits to its potential for national security advancements. However, the path to progress is rarely smooth. In TCE Cyberwatch, we also explore the persistent threat of cybercrime, with recent data breaches and malicious hacking attempts serving as reminders of our vulnerabilities. Encouragingly, governments around the world are taking a more proactive stance, implementing stricter regulations and pursuing those who exploit weaknesses in our digital infrastructure. As you'll see, this week's TCE Cyberwatch offers a comprehensive look at the current cybersecurity landscape, highlighting both the challenges and the glimmers of hope for a more secure future.

TCE Cyberwatch: A Weekly Round-Up

Keep reading to ensure your safety and stay up to date with the cyber world.

U.S. Charges Four Iranians with Hacking Government Agencies and Defense Contractors

Four Iranians in the U.S. were accused of alleged allegiance with hacking operations which attacked entities like the U.S. Treasury and State departments, defence contractors, and two New York-based companies. The Treasury Department of the U.S. believes that all four individuals have ties to IRGC front companies. Hossein Harooni, Reza Kazemifar, Komeil Baradaran Salmani, and Alireza Shafie Nasab can face up to five years in prison for computer fraud conspiracy charges and up to 20 years for each count of wire fraud and conspiracy to commit wire fraud. Speaking on the development, Attorney General Merrick Garland stated,“ Criminal activity originating from Iran poses a grave threat to America’s national security and economic stability… These defendants are alleged to have engaged in a coordinated, multi-year hacking campaign.” Read More

Indian Telecom Giant BSNL Suffers Data Breach, Millions Potentially Affected

Bharat Sanchar Nigam Limited (BSNL), a major telecommunications provider owned by the Indian government, faced a data breach a while ago which has resurfaced and been claimed by threat actor ‘Perell’. They released a database which allegedly belongs to BSNL and contains more than 2.9 million records. Perell claims that the stolen data includes sensitive information from BSNL, and that although it claimed to be from BSNL in 2024, it actually comes from around 2023. However, it still raises concerns as it is of a large quantity and contains sensitive information. Read More 

Cybersecurity Giant Darktrace Acquired by Thoma Bravo for $4.6 Billion

Thoma Bravo, a U.S.-based private equity firm, recently acquired the British cybersecurity giant Darktrace for $4.6 billion. This acquisition carries significant implications for both companies and the cybersecurity industry at large. Following the announcement, Darktrace's shares surged by approximately 19%, demonstrating investor confidence in the deal.

Shareholders of Darktrace could now receive $7.75 for each share they hold, marking a 44.3% increase compared to recent stock prices. Darktrace, renowned for its AI-based cybersecurity solutions, has experienced a surge in demand for its services. Read More

Global Operation Shuts Down LabHost, Arrests 37

An online service called Lab Host, operating in 19 countries, which sells phishing kits to cybercriminals, has recently been shut down. It is alleged that they have made almost a million dollars from this activity and have directly and indirectly attacked thousands of people. Lab Host has been in operation since 2021 and provides tools for hackers to create fake websites that deceive people into revealing sensitive information such as email addresses, passwords, and bank details.

Following the shutdown, 37 people were arrested, and London’s police reported that 2,000 users were registered on the site, paying a monthly subscription fee. Lab Host is reported to have obtained 480,000 bank card numbers, 64,000 PIN numbers, and around 1 million passwords. Read More

Big Fines for AT&T, Verizon, T-Mobile in Privacy Scandal

Major phone carriers AT&T, Sprint, T-Mobile, and Verizon have been fined a total of $200 million for illegal data sharing of customer locations with third parties. T-Mobile, AT&T, and Verizon were fined approximately $80 million, $57 million, and $47 million, respectively. These companies sold customer location data to aggregators, who then resold it to third parties.

AT&T had connections with two aggregators, LocationSmart and Zumigo, which were then linked to third-party location-based service providers. According to the FCC, "In total, AT&T sold access to its customers’ location information (directly or indirectly) to 88 third-party entities." Informally, all three phone carriers stated that the program in question ended about five years ago. Read More

UK Cracks Down on Weak Passwords: "Admin123" No Longer an Option

The UK Government is banning weak passwords such as "admin" or "12345" to bolster cybersecurity. The initiative, named the 'UK Product Security and Telecoms Infrastructure (PSTI) Act 2022', mandates that manufacturers, distributors, and importers of products and services for UK consumers adhere to these new rules. Manufacturers and other vendors face significant fines for non-compliance. They could be fined up to £10 million, four percent of their global turnover, or £20,000 per day for ongoing violations. This move signals the government's commitment to tackling cybersecurity issues. Read More

ChatGPT Accused of Privacy Violations and Inaccurate Information

ChatGPT has recently faced criticism from a privacy advocacy group, along with the Austrian data protection authority (DSB), for generating inaccurate information that violates European Union privacy regulations. Noyb, the privacy advocacy group, pointed out that ChatGPT's method of guessing instead of providing accurate information poses problems. They also claim that OpenAI, the company behind the AI, refuses to correct inaccurate responses and is reluctant to share information about its data processing practices. Read More

 Okta Warns of Surge in Password Reuse Attacks

Okta recently issued a warning about a surge in credential stuffing attacks, in which usernames and passwords obtained from previous data breaches and attacks are used to target accounts.

According to Okta, they have "observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials, and scripting tools."

This spike in credential stuffing attacks is believed to be linked to brute force attacks, as warned by Cisco a few weeks earlier. Cisco had observed a rise in attacks on VPN services, web application authentication interfaces, and others since around March 18. To address this, Okta recommends blocking requests from suspicious services, ensuring the use of secure passwords, implementing multi-factor authentication (MFA), and remaining vigilant in monitoring any suspicious activity. Read More

To Wrap Up

This week's TCE Cyberwatch painted a vivid picture of the ever-evolving cybersecurity landscape. While advancements like AI offer exciting possibilities, they necessitate enhanced security measures to mitigate potential risks. The increasing focus on regulations and enforcement by governments worldwide signifies a collective effort to combat cybercrime.

Remember, staying informed and practicing safe online habits are crucial in protecting yourself from cyber threats.

TCE Cyberwatch remains committed to keeping you informed about the latest cybersecurity developments. By staying vigilant and taking proactive measures, we can navigate the digital age with greater confidence and security.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The F Society ransomware group has listed 4 additional new victims on its leak site. The group's alleged victims include: Bitfinex, Coinmoma, Rutgers University, and SBC Global Net. Bitfinex is a prominent crypto-exchange platform while Coinmoma offers cryptocurrency-related coin, chart and event data. Rutgers University is a public land-grant university operating four campuses in the state of New Jersey. It is one of the oldest operating universities in the United States. SBC Global Net was an email service provided by SBC Communications, which was later acquired by AT&T.

F Society Ransomware Group Shared Alleged Samples

While the attack remains unconfirmed, the ransomware group shared unique descriptions for each victim along with links of sample data obtained from the attacks. The description for each attack included a mention of the total file size of the stolen information and the type of data obtained in the attack. [caption id="attachment_66368" align="alignnone" width="414"] Source: X.com (@AlvieriD)[/caption] Each victim was given 7 days to pay a ransom or threatened with leak of the obtained data. No ransom amount was publicly mentioned. [caption id="attachment_66365" align="alignnone" width="353"] Source: X.com (@AlvieriD)[/caption] The following claim was made about each victim:

• Bitfinex: The post description stated that the group had stolen 2.5 TB of information and the personal details of 400K users.
• Rutgers University: The group claimed to have stolen 1 TB of data, while not stating what form of information it had acquired.
• Coinmoma: The group claimed to have obtained sensitive data including user information and transaction histories. The file was stated to be 2TB in size and consisting of 210k user records.
• SBC Global Net: The group claimed to have obtained unauthorized access to the victim's system and that they had obtained sensitive data such as personal details of users. The file size was stated at 1 TB in size.

No official responses have been made yet and the claims remain unconfirmed. The Cyber Express Team has reached out to Rutgers University for details about the alleged data breach, however at the time of writing no response was received.

BitFinex Was Previously Hacked

While the F Society ransomware group's claims are unverified, BiFinex had previously fallen victim to a major hacking incident in the past. In the earlier 2016 incident, about 119,754 in bitcoin was stolen from the Bitfinex platform after a hacker breached its systems and initiated about 2,000 unauthorized transactions. The stolen bitcoin was sent to a man, who along with his wife, attempted to launder the money across digital accounts. Law enforcement managed to track the couple after 6 years, and managed to recover more than 94,000 bitcoin that had been stolen from Bitfinex. The total value of the recovered bitcoin was stated at over $3.6 billion at the time of arrest, making it the single largest recovery in the history of the US Department of Justice. However, the perpetrator of the hack is still unknown but is known to have used a data destruction tool to cover their trail. A former FBI agent was quoted as stating that Bitfinex’s earlier security lapse was likely due to its desire to accelerate transactions and thereby raise profits. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A multi-national police operation cracked opened a massive fraudulent call center network run across Europe. A coordinated effort involving law enforcement agencies from Germany, Albania, Bosnia-Herzegovina, Kosovo and Lebanon has successfully dismantled a criminal network responsible for orchestrating thousands of scam calls targeting individuals worldwide. The crack down, dubbed Operation Pandora, was initiated when a vigilant bank teller in Freiburg, Germany, alerted law enforcement of a customer aged 76-years attempting to withdraw a large sum of money.

"In December 2023 a customer asked to withdraw over EUR 100,000 in cash, the bank teller grew suspicious and quickly learned the customer had fallen victim to a ‘fake police officer scam’. He informed the real police, which prevented the victim from handing the money over to the fraudsters," said Europol, the law enforcement cooperation agency of the European Union.

This initial breakthrough led investigators to uncover a vast network of fraudulent activities spanning multiple countries. Thomas Strobl, interior minister in the southwestern German state of Baden-Württemberg, dubbed the operation as the takedown of "the largest call center fraud scheme in Europe." Strobl said such scams "are particularly perfidious and unscrupulous because they play on peoples' fears and needs." He vowed that authorities would for that reason seek legal recourse "with the utmost severity. Scammers employed various tactics, posing as relatives, bank employees or police officers, to deceive victims into surrendering their savings. The operation revealed call centers operating in different countries, each specializing in different types of telephone fraud, from investment scams to debt collection demands. In response, German authorities established a dedicated call center to monitor and intercept scam calls in real-time, with the aim of preventing further financial losses. More than 100 police personnel were tasked with listening in on the fraudulent call centre calls in real-time, working around the clock and monitoring up to 30 conversations at the same time. Over 1.3 million conversations were tracked, leading to the prevention of over EUR 10 million in potential damages, Europol said. [caption id="attachment_66315" align="aligncenter" width="300"] Assets seized in during police raids. (Credit: Europol)[/caption] During the raids, conducted across multiple countries, law enforcement officers arrested 21 individuals and seized extensive evidence, including cash, assets, and electronic devices. Total assets worth EUR 1 million were recovered in these raids. This operation marks a significant milestone in the fight against telephone fraud and demonstrates the effectiveness of international cooperation in combating transnational criminal networks. Last year, European law enforcement authorities dismantled several call centers across the continent under the control of a criminal syndicate engaged in online investment fraud, commonly referred to as 'pig butchering' cryptocurrency scams. At the time, investigators calculated that victims in Germany alone had suffered losses exceeding EUR 2 million, with individuals from various other countries, including Switzerland, Australia, and Canada, also falling prey to the fraudulent schemes. In March 2022, Europol disclosed the disruption of a large-scale call center operation perpetrating investment scams. The operation, which employed 200 "traders" to bilk victims of a minimum of EUR 3,000,000 monthly, was brought down following the arrest of 108 suspects in Latvia and Lithuania.

U.S. Target of Fraudulent Call Centers from India

The issue of fraudulent call centers is not limited to just Europe but Asian economic power house India too. Since 2022, the Department of Justice (DOJ), the FBI Legal Attaché in New Delhi, the Washington Field Office (WFO), and the Internet Crime Complaint Center (IC3) have been collaborating with Indian law enforcement agencies, including the Central Bureau of Investigation in New Delhi and local authorities in various Indian states, to combat cyber-enabled financial crimes and transnational call center fraud. In 2023, Indian law enforcement agencies conducted multiple raids on fraudulent call centers, leading to disruptions, seizures, and arrests of individuals suspected of involvement in these crimes. Through 13 joint operations with Indian authorities, the FBI facilitated 26 arrests. Additionally, the WFO conducted numerous interviews and continues to provide support to Indian law enforcement in their efforts to prosecute call centers engaged in fraudulent activities. As was seen in the case of Operation Pandora, fraudulent call centers overwhelmingly target older adults, with devastating effects. Almost half the complainants that reported to the IC3 were over 60 (40%), and experience 58% of the losses (over $770 million). Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A recent investigation led by the German Foreign Office has unveiled startling revelations: Russian hackers, with alleged state support, have targeted the Social Democratic Party (SPD) within the German governing coalition.

The accusations, unveiled by German Foreign Minister Annalena Baerbock during a visit to Australia, shed light on a concerning escalation of cyber warfare between Russia and Western nations.

Baerbock is the first German foreign minister to visit Australia in 13 years. She's there to meet her Australian counterpart Penny Wong, who are together set to discuss the greater cooperation in the Indo-Pacific, as well as broader geopolitical challenges, including in Europe and the Middle East. "Our two countries are working together to tackle cyber threats and climate change, to embrace the green energy transition, build supply chain resilience and improve gender equality," Wong said. Baerbock's will further visit New Zealand and Fiji, with a prime focus on security policy as China pushes for influence in the Pacific region.

Russian Hackers on Radar

According to Baerbock, the cyberattack, which occurred in 2023, was orchestrated by the Russian military intelligence service, known as the GRU. This revelation points to a deliberate effort to infiltrate and disrupt the SPD, a key political player in Germany. The attackers, identified as the group APT28, also known as Fancy Bear, are believed to be under the direct control of the GRU. This group has been linked to numerous cyberattacks worldwide, indicating a pattern of state-sponsored cyber aggression. The cyberattack, attributed to Russia's military intelligence service - the GRU, occurred in 2023 and aimed at compromising email accounts belonging to SPD executives. Reportedly, an executive of the German party SPD became victim of a hacker attack in January 2023, resulting in possible data exposure. There were concrete indications of a Russian origin of the attack, at the time.

"We've seen severe cyberattacks on members of the Social Democrats of the SPD party in Germany and the Federal Government," German Foreign Minister Annalena Baerbock said at a Friday press conference in Adelaide.

This is absolutely intolerable and unacceptable and will have consequences," Baerbock emphasized during a news conference, hinting at forthcoming actions against Russia. While she did not specify the exact nature of these consequences, her firm stance suggests that Germany is prepared to respond robustly to the cyber threat.

Tensions Amid International Support for Ukraine

The accusations come at a time of heightened tensions between Russia and NATO member states, particularly Germany, which has been actively supporting Ukraine in its conflict against Russian aggression. NATO Allies have voiced deep concern over Russia's hybrid activities, including cyber interference, disinformation campaigns and acts of violence, targeting several member states. Allies stand united in addressing these threats and bolstering resilience against Russian hybrid actions, reaffirming their commitment to supporting Ukraine despite Russia's provocative behavior. "We will continue to boost our resilience and to apply and enhance the tools at our disposal to counter and contest Russian hybrid actions and will ensure that the Alliance and Allies are prepared to deter and defend against hybrid actions or attacks," NATO said. "We condemn Russia's behaviour, and we call on Russia to uphold its international obligations, as Allies do theirs. Russia's actions will not deter Allies from continuing to support Ukraine." The cyberattack on the SPD adds another layer to the complex web of hostilities between Russia and Western nations. In response to the revelations, Australian Foreign Minister Penny Wong expressed solidarity with Germany, condemning the cyber activities attributed to Russia. Australia stands in solidarity with Germany in calling out states that act contrary to the norms of responsible state behavior in cyberspace," Wong affirmed, echoing the global concern over state-sponsored cyber warfare. "Australia is deeply troubled by the new activity that Minister Baerbock has referenced today," Wong said. Backing her support, Wong added that Australia has previously joined the United States, UK, Canada and New Zealand in attributing malicious cyber activity to APT28 and shall continue calling out such instances in the future. APT28 has been implicated in numerous cyberattacks worldwide, operating as a tool of Russian state-sponsored cyber warfare. APT28 also has a history of targeting elections in the U.S. and Europe and in a recent Mandiant report, the cybersecurity firm said it expects the same forecast this election season. The implications of the latest cyberattack are profound, signaling a new era of digital conflict where political entities are increasingly vulnerable to sophisticated cyber intrusions. As Germany grapples with the aftermath of this cyberattack, the world watches closely, mindful of the broader implications for international cybersecurity and diplomatic relations. Updated on May 3, 4:45 PM IST to reflect additional official remarks from Annalena Baerbock, Penny Wong and NATO. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Passwords remain the most common instrument in securing our digital lives, yet they still serve as the basis of targeted attacks by cybercriminals. World Password Day on May 2nd serves as a obligatory reminder of the importance of robust password practices. In light of this day, experts have offered offer key insights and secure password recommendations to enhance password security, safeguarding personal data from malicious attacks.

Secure Password Recommendations for World Password Day

Weak passwords are enticing to attackers as they could grant access to various types of sensitive data – personal data, financial information, identity documents or other compromising details. According to research from Kaspersky, telemetry data in 2023 indicated that at least 32 million password-based attacks were attempted in 2023. While the number of attempts have dropped down from about 40 million incursions in 2022, these number still remain a cause of concern. Here are some expert-backed secure password recommendations to mitigate the risks of password-based cyber threats and maintain personal security online: Creating Strong and Memorable Passwords: Experts recommend the "association method" as an effective method to craft strong yet memorable passwords. The association method involves using personally significant word sequences or concepts while creating passwords. For example, the use of special quotes or events you have been fond of can be used to form a sequence that is easy to recall due to personal significance but remains a challenge for outsiders to guess. Embracing Non-Standard Options: Unique or uncommon password characters such as emojis present an alternative to commonly-known words. As Emojis are based on the Unicode standard, they offer a range of characters that would be difficult to crack through automation. By incorporating emojis into passwords, users can enhance security while adding a creative touch to their login credentials. Avoiding Common Pitfalls: It remains important to steer clear of common and easily guessable passwords like "1234" or "password." Cybercriminals often exploit these predictions through automated brute-forcing techniques. Users may find it hard to keep track of passwords as most platforms require passwords with a minimum strength of symbols, letters & numbers.  Password managers can be used to generate strong and unique passwords for safekeeping. One Account, One Password Strategy: Managing multiple accounts can be challenging but adopting a one-account-one-password strategy can enhance personal security by limiting the potential impact of a compromised password. Password managers can assist you with the creation and maintenance of different passwords. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researchers have discovered that several popular Android applications in the Google Play Store with millions, even a billion downloads are susceptible to a path traversal-related vulnerability that is being referred to as the 'Dirty Stream Flaw'. In the recently-released report, the Microsoft Threat Intelligence team, stated, "The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's implementation." Successful exploitation of this vulnerability could allow an attacker to take full control of the application's behavior and leverage the stolen tokens to gain unauthorized access to the victim's online accounts and other data.

Xiaomi File Manager and WPS Office Vulnerable to Dirty Stream Flaw

The bug stems from the Android FileProvider class, a subclass of the ContentProvider class which is used to facilitate file sharing or picking between different applications while still maintaining secure isolation between each other. A correct implementation would provide a reliably solution for file sharing between applications, while an improper implementation could be exploited to bypass typical read/write restrictions or overwrite critical files within Android. While the researchers identified several applications potentially vulnerable to the attack and representing over 4 billion downloads together, they suspect that the vulnerability may be present in other applications. The Xiaomi Inc.’s File Manager (com.mi. Android.globalFileexplorer) with a billion downloads and WPS Office (WPS Office (cn.wps.moffice_eng) with over 500 million downloads are two prominent examples among the identified applications. The vulnerabilities were reported by the researchers to the Xiaomi, Inc. and WPS Office security teams, who deployed fixes for these apps on February 2024 with Xiaomi published version V1-210593 of it's file manager application and version 17.0.0 of WPS Office. Users are advised to keep their device and installed applications up to date. The researcher stated that their motive behind the publication of the research was to prompt developers and publishers to check if their apps were affected and issue fixes accordingly.

Dirty Stream Flaw Could Permit Overwrite &  Data Exfiltration

If successfully exploited, the vulnerability could permit an attacker to overwrite the target app's configuration file and force it to communicate with an attacker-controlled server, potentially leading to the exfiltration sensitive information and arbitrary command execution. The researchers behind the findings also collaborated with Google to publish an official guidance on Android Developers website, stating appreciation for the partnership with the Google’s Android Application Security. The Android developer guidance issued by Google, urges developers to handle the filename provided by the server application properly while ignoring filenames provided by the server applications rather than internally generated unique filename identifier as the filename, stating that there should be a sanitization check if internally-provided identifiers were not possible. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The LockBit ransomware group, known for its disruptive cyberattacks, is back in the spotlight by claiming a cyberattack on Hooker Furniture. The US-based Hooker Furniture is a prominent player in the furniture industry, known for its designs catering to the hospitality and other sectors.

The LockBit alleges they have exfiltrated customer and business data, setting a deadline of May 08, 2024, to publish the compromised information.

Unverified Cyberattack on Hooker Furniture Claim

The Cyber Express team attempted to reach Hooker Furniture officials for comment, but as of now, there has been no response. The company's website also appears to be functioning normally, raising questions about the legitimacy of the Hooker Furniture cyberattack claim. However, considering LockBit's past activities, complete dismissal would be premature.

LockBit's history of targeting organizations with ransomware attacks further complicates the situation.

In March 2024, the group resurfaced with claims of adding eight new victims to their dark web portal, including prominent companies such as STOCK Development, Smulders, and United Notions Inc. This followed earlier claims of listing 12 new victims on their data leak page and engaging in discussions about seizing their websites.

The resurgence of LockBit comes in the wake of significant law enforcement actions aimed at disrupting the group's operations. In a coordinated effort involving the Department of Justice and international law enforcement agencies, authorities dealt a blow to LockBit's infrastructure. However, the recent claims suggest that the group has adapted and evolved, returning with enhanced techniques and capabilities.

LockBit Resurgence with Enhanced Techniques

In response to the takedown, LockBit administrators released a provocative message, offering insights into their activities and motivations. The message not only highlights the group's defiance but also highlights the challenges faced by law enforcement agencies in combating cybercrime. With attempts to discredit authorities and speculate on the methods of compromise, LockBit's message serves as a reminder of the ongoing battle between cybercriminals and those tasked with enforcing the law. The situation surrounding Hooker Furniture serves as a cautionary tale for businesses worldwide, highlighting the ever-present threat posed by ransomware attacks and the importance of enhanced cybersecurity measures. While the claims made by LockBit remain unverified, the incident highlights the need for vigilance and preparedness in the face of evolving cyber threats. As investigations continue and the deadline looms, all eyes are on Hooker Furniture and its response to the alleged breach. In the meantime, the cybersecurity community remains on high alert, closely monitoring developments and working tirelessly to combat the scourge of ransomware attacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor group Stormous Ransomware, affiliated with the Five Families alliance, has claimed responsibility for alleged cyberattacks targeting several prominent UAE entities.

The list allegedly includes Bayanat, the sovereign wealth fund's analytics and geospatial intelligence arm; Kids.ae, the government's digital platform for children; the Telecommunications and Digital Regulatory Authority (TDRA); the Federal Authority for Nuclear Regulation (FANR); and the Sharik citizen portal.

[caption id="attachment_66225" align="aligncenter" width="1024"] Source: X[/caption]

While Stormous hasn't disclosed details about the nature of the attacks, the data types or size potentially compromised, they've left a message with a link to their blog on the Tor network, urging targets to "stay informed" and offering "more information.

These alleged cyberattacks on UAE entities have heightened anxieties as they suggest potential data leaks if ransom demands aren't met.

[caption id="attachment_66224" align="aligncenter" width="403"] Source: X[/caption]

Five Families Cyberattack Claims

This incident comes on the heels of a much larger cyberattack claim by the Five Families earlier, where they targeted a vast number of UAE entities across various sectors. Governmental and private entities like the Roads and Transport Authority (RTA), the Ministry of Cabinet Affairs, and several ministries were reportedly compromised.

In that alleged cyberattack claim, the group demanded a 150 BTC ransom (approximately $6.7 million USD at today's exchange rate) threatening to leak stolen data if the demands weren't met.

[caption id="attachment_66226" align="aligncenter" width="284"] Source: X[/caption]

Uncertainties and Potential Implications

The true motives behind these cyberattacks remain unclear. It's possible they're aiming for a significant financial payout, or they may seek to disrupt UAE government operations or damage the country's reputation for digital security. The targeted entities haven't yet released any official statements, leaving the situation shrouded in uncertainty.

If the claims of compromised data are true, this could be the biggest data breach ever witnessed in the UAE and potentially the entire Middle East. The leak of sensitive government or citizen data could have severe consequences, ranging from financial losses to identity theft and national security risks.

Heightened Cybersecurity Measures a Must

This incident highlights the critical need for enhanced cybersecurity measures across all UAE entities, both public and private. Investing in advanced security solutions, implementing stricter data protection protocols, and regularly educating employees on cyber threats are all essential steps to prevent future attacks.

Cybercrime transcends borders. International cooperation between governments and law enforcement agencies is vital to track down these cybercriminals and hold them accountable. Collaborative efforts are crucial for developing effective strategies to combat cyber threats and protect critical infrastructure across the globe.

The coming days will be crucial in understanding the true extent of these alleged cyberattacks on UAE claims and the UAE government's response. While the situation is concerning, a prompt and coordinated effort can help mitigate the damage and enhance the country's digital defenses.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cloud storage and file sharing company Dropbox disclosed a security breach that resulted in an unauthorized access to sensitive information, including passwords and other authentication information. Dropbox revealed that the breach targeted its production environment, specifically impacting Dropbox Sign, formerly known as HelloSign, a platform for digitally signing documents, in an 8-K filing with the U.S. Securities and Exchange Commission.

"The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.

The accessed information pertains to all Dropbox Sign users, encompassing account settings, names and emails. For some users, additional data such as phone numbers, hashed passwords and authentication information like API keys, OAuth tokens and multi-factor authentication were also compromised.

"From a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products."

While forensic investigators are engaged and law enforcement notified, regulatory agencies are being informed based on the presumption of personal information access. Dropbox has initiated steps to mitigate the impact of the breach, including rotation of OAuth tokens and generating new API keys for customers with API access to Dropbox Sign. Certain functionalities will remain restricted until API keys are rotated, Dropbox said. User notifications are underway, with Dropbox reaching out to affected users and providing guidance on necessary actions. The company expects all notifications to be completed within the next week. Although Dropbox does not anticipate a significant impact on its operations or financial condition, it acknowledges potential risks, including litigation, changes in customer behavior and heightened regulatory scrutiny. This Dropbox data breach incident marks another security challenge for the file sharing giant, following a phishing campaign in 2022 that targeted its developers, resulting in unauthorized access to company GitHub accounts and sensitive information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In today's digital age, the necessity of strong and unique passwords has never been more critical. With cyber threats looming large, the importance of securing online accounts against unauthorized access cannot be overstated. According to Google Cloud’s 2023 Threat Horizons Report, a staggering 86% of breaches involve stolen credentials, making robust password management crucial in today's landscape. The 2023 Verizon Data Breach Investigations Report further emphasizes this point, revealing that 74% of all breaches involve human error or misuse, including the use of stolen credentials. Web application attacks, which account for a significant 25% of breaches, often exploit vulnerabilities and stolen credentials to gain unauthorized access to valuable assets. In a high-profile incident in 2023, the American Bar Association disclosed a hack affecting 1.5 million members, highlighting the widespread risk of compromised login credentials. As we observe World Password Day, it's imperative to explore solutions that enhance our digital security. One such solution is password managers. These tools offer a secure and convenient way to manage passwords, safeguarding accounts against unauthorized access and simplifying the login process.

Simplify & Secure Your Logins with Top Password Managers

This World Password Day, we present your ultimate defense – the top 10 best password managers to simplify logins and fortify your online safety.

1. Google Password Manager

Google Password Manager simplifies the process of managing passwords by enabling users to create and store strong, unique passwords for their online accounts. Passwords can be saved in the user's Google Account or on their device. An important feature of Google Password Manager is its ability to suggest strong passwords when saving them to the Google Account, enhancing overall security. Additionally, users can benefit from the following features:

Pros

• Free: Google Password Manager is completely free, making it accessible to all Google Chrome users.
• Integrated into Chrome: Chrome users have access to Google's password manager without needing to install additional software.
• Consistent support: Given Chrome's popularity, Google Password Manager is likely to receive regular updates and support.

Cons

• Uncertain security: Google doesn't provide detailed information about the encryption standards used to protect user data, leaving some uncertainty about its security measures.
• Limited to Chrome: Google Password Manager is only available in the Chrome browser, excluding users of other browsers from accessing its features.

Who Should Use Google Password Manager?

Google Password Manager is suitable for individual users, especially those who already use Chrome and prefer not to install third-party password management software. However, it may not be suitable for businesses or groups due to the lack of group password management options. Despite being free, Google Password Manager lacks certain features and flexibility offered by standalone services, which may make it less appealing to users seeking advanced functionality. This limitation prevents it from being considered one of the best free password managers on the market.

2. 1Password

1Password provides robust security features, including end-to-end encryption, a secret key for enhanced protection, and biometric logins. Its Travel Mode feature ensures sensitive data is removed from devices when crossing borders, while the Watchtower service regularly scans for website breaches and vulnerable passwords, maintaining the security of user credentials.

Pros

• 1Password offers a comprehensive tutorial, making it easy for new users to get started.
• The Watchtower feature alerts users to potential password vulnerabilities, helping them maintain strong password hygiene.
• The 1Password apps are well-designed and visually appealing, providing a seamless experience across mobile and desktop platforms.
• Users can easily organize their passwords and other sensitive information, enhancing usability.

Cons

• Unlike some competitors, 1Password doesn't offer a free tier for password management, which may deter budget-conscious users.
• Users may find the import options limited, especially when migrating from other password managers.
• 1Password lacks true password inheritance features, making it less convenient for sharing passwords among family or team members.

Who Should Use 1Password?

1Password is ideal for individuals and businesses seeking advanced security features and intuitive password management. Its comprehensive tutorial makes it suitable for users of all experience levels. However, the lack of a free tier may make it less appealing to users on a tight budget.

Pricing

1Password offers various pricing plans, including individual, family, Teams Starter Pack, and business options. Individual plans start at $2.99 per month when billed annually, while family plans start at $4.99 per month for up to five family members. Teams Starter Pack are available at $19.95 to protect upto 10 team members per month. Business plans are available starting at $7.99 per user per month.

3. Dashlane

Dashlane offers more than just password management, providing additional features like dark web monitoring and a VPN for secure browsing. Its one-click password changer can update passwords across numerous sites simultaneously, ensuring strong security with minimal effort. Dashlane's intuitive interface and strong security features make it suitable for both personal and organizational use.

Pros

• Includes VPN and phishing alerts
• Scans for compromised accounts
• Retains full password history
• Offers file storage

Cons

• Limited free version
• Expensive

Who Should Use Dashlane?

Dashlane is well-suited for individuals or organizations looking for comprehensive password management and additional security features. Its robust tools make it particularly appealing for those who prioritize security and are willing to invest in a premium solution.

Pricing

Dashlane offers various pricing tiers, including Personal and Professional plans. In the Personal Plan, options include Premium for individual protection plus VPN, starting at $4.99 per month billed annually, and Friends & Family for up to 10 accounts, starting at $7.49 per month for 10 members billed annually. For the Professional Plan, options include Business for advanced protection at $8 per seat per month billed annually, and Enterprise for large organizations, with pricing available upon request.

4. Bitwarden

Bitwarden stands out as an open-source password management tool, offering transparent, customizable, and secure solutions. It allows users to host their server, providing ultimate control over their data. Bitwarden's affordable plans, including a fully functional free version, make it a top choice for individuals and businesses seeking flexibility and transparency in their software.

Pros

• Free and open-source, ensuring transparency and flexibility
• Supports passkeys for added security
• Offers emergency access options for trusted contacts
• Provides data breach monitoring and password hygiene reports

Cons

• Business tiers are relatively expensive compared to competitors

Who Should Use Bitwarden?

• Individuals: Anyone who wants to securely manage passwords across devices.
• Families: For secure password sharing and family organization.
• Businesses: From startups to enterprises for secure team password management.
• Tech Enthusiasts: Open-source platform for customization and contribution.

Pricing

Bitwarden offers various pricing tiers, including Teams and Enterprise plans. The Teams plan provides resilient protection for growing teams, starting at $4 per month per user billed annually. For larger organizations, the Enterprise plan offers advanced capabilities, priced at $6 per month per user billed annually.

5. Keeper

Keeper offers security features, including high-level encryption, zero-knowledge architecture, and two-factor authentication. Its comprehensive approach extends to secure file storage and a private messaging service, making it a versatile security tool. With the ability to securely manage multiple passwords and digital information, Keeper is suitable for both personal and business use.

Pros

• Secure password-sharing, password hygiene, and emergency access options
• Attractive apps and browser extensions for ease of use
• Retains app access and credential history for reference

Cons

• A very restrictive free tier with limited features
• Some desirable features are only available as paid add-ons
• Importing credentials could be smoother

Who Should Use Keeper?

Keeper is an ideal choice for individuals and businesses looking for strong security solutions. It is suitable for:

• Individuals: Those who need a secure and user-friendly platform to manage their passwords and sensitive information.
• Families: Families looking for a secure way to share passwords and sensitive data among members while ensuring privacy and security.
• Businesses: Companies of all sizes seek a secure password management solution for their employees, with features like password sharing, team folders, and admin controls.

Pricing

Keeper's pricing varies depending on the plan chosen, which includes options for individuals, families, and businesses

6. NordPass

NordPass, developed by cybersecurity experts, provides a user-friendly interface and robust encryption technologies. Noteworthy features include an OCR scanner for digitizing information from physical documents and a built-in password health tool for maintaining strong passwords. With its zero-knowledge architecture, NordPass ensures that even it cannot access your stored data.

Pros

• Supports multiple forms of multi-factor authentication.
• Offers clipboard-clearing capabilities.
• Scans for compromised accounts.
• Secure password-sharing and inheritance options.

Cons

• Inconsistent credential creation process.
• Limited free tier.

Who Should Use NordPass?

NordPass is ideal for individuals and businesses seeking a secure and easy-to-use password management solution. It is best suited for:

• Individuals: Those looking for a reliable tool to manage and secure their passwords and sensitive information.
• Families: Families seeking a secure way to share passwords and ensure digital security among members.
• Businesses: Companies require a secure password management solution for their employees, with features like team collaboration and admin controls.

Pricing

NordPass offers three plans: Teams, Business, and Enterprise. Teams plan costs $1.99 per user per month, Business plan costs $3.99 per user per month, and Enterprise plan costs $5.99 per user per month.

7. RoboForm

RoboForm specializes in web form filling and password management, making it invaluable for professionals who frequently fill out online forms. It offers secure sharing, folder organization, and emergency access, a feature allowing trusted contacts access in critical situations. RoboForm’s versatility extends to businesses with full support for employee onboarding and offboarding.

Pros

• Good business-specific features.
• Full feature 14-day free trial available for business users.
• Great mobile apps.

Cons

• Unintuitive interface.
• Secured shared folder not available for free users.

Who Should Use RoboForm?

RoboForm is best suited for professionals, families, and businesses looking for an efficient solution for managing passwords and filling out online forms. It is particularly suitable for:

• Professionals: Individuals who frequently deal with online forms and require secure password management.
• Families: Families seeking a secure password management solution for multiple users.
• Businesses: Companies require robust password management and form-filling capabilities for employees, with features like secure sharing and emergency access.

Pricing

RoboForm offers two plans: Personal & Family and Team & Business. Pricing options vary depending on the user's needs.

8. Zoho Vault

Zoho Vault seamlessly integrates with other Zoho products and offers extensive features designed for team collaboration. Its direct integration with popular business tools like Microsoft Office and Google Workspace enhances productivity while maintaining security. Features like user access and permissions management make it ideal for managing team passwords.

Pros

• Offers MFA support and passkey logins.
• Easy password sharing and credential inheritance system.
• Password hygiene monitoring for all service tiers.
• Users can designate application-specific passwords.
• Robust free plan.

Cons

• Stores unencrypted user information.
• Awkward MFA adoption process.
• Clunky browser extension functionality.
• Cannot fill out web forms.
• Few personal data storage options.
• Confusing credential creation process on iOS.

Who Should Use Zoho Vault?

Zoho Vault is best suited for businesses and teams looking for a secure and collaborative password management solution. It is particularly suitable for:

• Businesses: Companies require a robust password management solution with features like user access management and seamless integration with business tools.
• Teams: Teams seeking an efficient way to manage passwords and securely share credentials among members.
• Professionals: Individuals looking for a secure password management solution with features like multi-factor authentication and credential inheritance.

Pricing

Apart from offering a free plan, Zoho Vault has three paid plans: Standard, Professional, and Enterprise. The Standard plan costs US$0.90 per user per month billed annually. The Professional plan costs US$4.50 per user per month billed annually (minimum 5 users), and the Enterprise plan costs US$7.20 per user per month billed annually (minimum 5 users).

9. LogMeOnce

LogMeOnce stands out for its rich feature set, offering innovative functionalities such as photo login, allowing users to log in by taking a photo with their device, adding both convenience and security. It boasts a comprehensive dashboard for security management and supports various two-factor authentication methods, catering to both individual and enterprise needs.

Pros

• Free version available.
• Diverse multi-factor authentication (MFA) options.
• Unique emergency access tool.
• High-quality onboarding tutorial.

Cons

• The credential filling didn't work with the Android app in testing.
• Awkward password-importing process.
• Cluttered web vault interface.

Who Should Use LogMeOnce?

LogMeOnce is suitable for individuals, families, and businesses seeking a feature-rich password management solution. It is particularly beneficial for:

• Individuals: Those who want a secure and convenient way to manage their passwords and ensure strong online security.
• Families: Families looking for a secure password management solution for multiple users with features like photo login and emergency access.
• Businesses/Enterprises: Companies requiring advanced password management and security features for their employees, with options for team collaboration and secure sharing.

Pricing

LogMeOnce offers two plans: Personal & Family and Team & Business/Enterprise. Pricing options vary depending on the user's needs.

10. Enpass

Enpass stands out for its offline capabilities, allowing users to store their data locally and sync across devices via their preferred cloud service. Its one-time fee model appeals to those seeking a cost-effective solution without ongoing subscriptions. Enpass supports a wide range of customizations and file attachments for each entry.

Pros

• Offline capabilities
• One-time fee option
• Extensive customization

Cons

• Not user-friendly
• No trial version for personal and family plans

Who Should Use Enpass?

Enpass is best suited for individuals and businesses looking for a secure and customizable password management solution. It is particularly suitable for:

• Individuals: Users who prioritize offline access to their password data and prefer a one-time payment model.
• Families: Families seeking a secure and cost-effective way to manage passwords across multiple devices.
• Businesses: Companies require robust password management and customization options for employees, with features like team sharing and data backups.

Pricing

Enpass offers two plans: Personal & Family and Business. Pricing options vary depending on the user's needs.

To Wrap Up

With a plethora of options available, there's a perfect password manager for everyone. Consider your needs, budget, and desired features when making your choice. Remember, World Password Day is a great reminder to prioritize your online security throughout the year. Implement a strong password manager today and take control of your digital safety! Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Over a million Australians who frequented pubs and clubs have likely had their critical information exposed in Outabox data breach, a third-party content management and data storage provider for the hospitality and gaming sectors in the New South Wales and the Australian Capital Territory. According to the Outabox official website, the company founded in 2017 provides several services to clients in the gaming and entertainment industry across Australia, Asia and the US. Outabox confirmed the breach and said it likely took place “from a sign in system used by our clients.” It did not respond to any further requests for details on what type of data was likely impacted. The company has a facial recognition kiosk called TriAgem, which is deployed at entry points of clubs to scan patrons’ temperatures (used in post-covid days) and verify their membership on entry. Outabox did not confirm if this data was also impacted in the data breach incident.

“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation. We will provide further details as soon as we are able to,” Outabox said.

Australia’s National Cyber Security Coordinator said the government is coordinating a response in the Outabox data breach incident with local authorities in the NSW and ACT. “I know this will be distressing for those who have been impacted and we are working as quickly as we can, alongside Outabox, to ascertain the full scale of the breach,” said Lieutenant General Michelle McGuinness, who recently took over the role of the National Cyber Security Coordinator. The NSW government acknowledged that it was aware of the incident and was “concerned” of the potential impact on individuals. “We encourage clubs and hospitality venues to notify patrons whose information is affected,” it said.

NSW’s West Tradies Sends Breach Notifications

One such club, West Tradies, has issued a breach notification to its customers saying its external IT provider was “a target of a cyber extortion campaign.” It added that, “At this stage, we do not know if all patrons, or only some patrons, have been affected.”

“On the evening of 29 April 2024, we were formally notified by the external IT provider that it has been the target of a “cyber extortion campaign” and that an overseas third party is threatening to release personal information unless their demands are complied with,” West Tradies Club said.

All registered clubs in New South Wales are required to keep certain information about members and guests under the Registered Clubs Act. Clubs are also required to keep certain information to comply with their responsible gambling and Anti-Money Laundering and Counter-Terrorism Financing obligations. To comply with these norms, West Tradies, used an external IT provider that would assist in keeping these records and operate its systems, it clarified.

More than 1 million Impacted in Outabox Data Breach?

A website that claims to allow people to search their names in the leaked database appeared on the open internet recently. The domain haveibeenoutaboxed[.]com, appears to be similar to a service provided by another Australian data leak search provider but it does not claim any links to it. The information posted on this website claims that facial recognition biometric, driver license scans, signature, club membership data, address, birthday, phone number, club visit timestamps, and slot machine usage is included in this data set. There are allegedly 1,050,169 records in the leaked data set and a simple name search shows redacted details of the patrons of different clubs. Majority of personally identifiable information has been removed at this stage.

Unpaid Overseas Developers the Cyber Extortionists?

The data leak search website is allegedly controlled by an offshore development team in the Philippines. Outabox hired offshore developers from the Philippines to create software systems that are installed at casinos and nightclubs across several countries. However, after a year and a half of work, the developers were abruptly cut off and left unpaid by Outabox, the owner of the leak site claimed. “While this outsourcing strategy is common in the industry, what followed was far from standard practice. The developers were granted unrestricted access to the back-end systems of gaming venues, including access to raw data,“ the leak site stated. Douglas Kirkham, the chief executive officer of West Tradies said “the Club was unaware that any data held by the Club had been disclosed to any third parties or that it had been disclosed overseas. If the allegations are true, those actions were taken without the Club’s knowledge or consent.”

“The Club did not authorise, permit, or know that the external IT provider had provided any information obtained from the Club to third parties.”

The Office of the Australian Information Commissioner has advised it has been notified by some impacted entities and is expecting to receive further notifications. Nearly 20 clubs have been listed on the leak site. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

CEO Andrew Witty testified before Congress on Wednesday, disclosing a significant cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group. UnitedHealth Group CEO revealed that hackers breached the company's computer system, releasing ransomware after stealing someone's password.

The cybercriminals exploited a portal lacking multifactor authentication (MFA), a basic cybersecurity safeguard.

During an hour-long congressional hearing, Witty informed lawmakers that the company has not yet determined how many patients and healthcare professionals were impacted by the cyberattack on Change Healthcare in February. The hearing, which focused on how hackers gained access to Change Healthcare, a separate division of UnitedHealth, raised questions about the lack of basic cybersecurity measures before the cyberattack. "Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition," Witty explained. But for some reason, which we continue to investigate, this particular server did not have MFA on it.

Multifactor Authentication and Cybersecurity

Multifactor authentication adds a second layer of security to password-protected accounts by requiring users to enter an auto-generated code sent to their phone or email. Despite being a common feature on apps, this safeguard was not in place on the compromised server. Witty assured that all logins for Change Healthcare now have multifactor authentication enabled. The cyberattack on Change Healthcare was attributed to the Russia-based ransomware gang ALPHV or BlackCat. The group claimed responsibility for the cyberattack, alleging it stole more than six terabytes of data, including "sensitive" medical records. The attack caused a disruption of payment and claims processing across the country, stressing doctor's offices and healthcare systems by interfering with their ability to file claims and get paid. UnitedHealth paid a $22 million ransom in Bitcoin to BlackCat, a decision made by Witty himself. However, despite the ransom payment, some sensitive records from patients were still posted by hackers on the dark web. The ransom payment was one of the hardest decisions I've ever had to make and I wouldn't wish it on anyone," Witty stated.

Scope of the Cyberattack on Change Healthcare and Financial Impact

Change Healthcare processes 15 billion transactions a year, according to the American Hospital Association, meaning that even patients who weren't customers of UnitedHealth were potentially affected. The company revealed earlier this month that personal information covering a "substantial portion of people in America" may have been taken in the attack. The breach has cost UnitedHealth Group nearly $900 million, excluding the ransom paid, according to company officials in the first-quarter earnings report last week.

Rising Threat of Ransomware Attacks

Ransomware attacks have become increasingly common within the healthcare industry. According to a 2022 study published in JAMA Health Forum, the annual number of ransomware attacks against hospitals and other healthcare providers doubled from 2016 to 2021. This escalation in cyber threats highlights the urgent need for enhanced cybersecurity measures across the industry.

The breach at Change Healthcare echoes a similar incident in March 2024, where Refuah Health Center faced a cyberattack due to the lack of MFA. The New York Attorney General's office intervened, resulting in a $1.2 million investment by Refuah in enhancing cybersecurity measures. The health center also agreed to pay $450,000 in penalties and costs, resolving allegations of inadequate cybersecurity controls.

Prioritizing Cybersecurity in Healthcare Both incidents highlight the critical importance of implementing strong cybersecurity measures, especially in the healthcare sector. With patient data at stake, organizations must invest in multifactor authentication and other advanced security protocols to safeguard sensitive information. As cyber threats continue to evolve, proactive measures are essential to protect the privacy and security of patient data. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The CL0P ransomware group has listed 3 additional victims on its leak site. The mentioned victims include: McKinley Packing, Pilot and the Pinnacle Engineering Group. McKinley Packing is a firm that provides paper and packaging company across the United States of America, with its production and distribution network operating in multiple different states. The Pilot Corporation, founded in 1918, is a Japan-based manufacturer of writing instruments. The company has subsidiaries in Europe, Asia, South America and North America. The Pinnacle Engineering Group (P.E.G.) offers civil engineering, construction, land surveying, landscape architecture, and drone services to private developers and government agencies.

No Confirmation Yet of CL0P Ransomware Group's Claims

While the group has listed basic information and description about the firms, while linking to their official websites, the group has not provided larger context or details regarding the attack. However, along with their descriptions the group also claimed that these companies did not care about their victims and ignored security practices. These targets while unconfirmed, operate with millions of dollars in annual revenue and span across multiple territories. As CL0P listed the American branch of Pilot in its description of the attack, it is possible that the attack was likely focused on the American region and did not impact its main Japanese headquarters or other regional subsidiaries. It did not list headquarters nor physical address for its other victims, making details about the attack further unclear. [caption id="attachment_66039" align="alignnone" width="696"] Source: X.com (@ZephrFish)[/caption] The group shared no sample files or screenshots to further their claims, nor was their a mention of the scope or details stolen from the attacks, making it difficult to determine the extent of the alleged claims. The Cyber Express Team has reached out to both the American branch of Pilot Corporation as well as McKinley packaging for further details and confirmation about the attacks. However, no response has been received yet at the time of writing this article.

CL0P Ransomware Group Has a History of Striking Prominent Targets

The CL0P ransomware group, being one of the most prominent ransomware groups, is known for it's attacks on high-profile targets as well as the extent of data stolen in their operations. Last year in 2023, the group was responsible for massive data breach attacks on several different organizations through the exploitation of the MOVEit Vulnerability. This campaign prompted the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to issue a joint cybersecurity advisory (CSA) to disseminate the IOCs and TTPs associated in CL0P's operations through FBI investigations. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Anonymous Arabia, a notorious group of hacktivists, has allegedly launched a cyberattack on Columbia University in response to the recent police crackdown on its students. The Columbia University cyberattack, purportedly initiated as retaliation for the police intervention, has sparked concerns and debates over the appropriate response to protests and the use of digital warfare.

The group, known for its activities in the dark corners of the internet, posted a message with the tagline "HUGE USA UNIVERSITY CYBERATTACK" on a dark web forum.

The Alleged Cyberattack on Columbia University

The message boldly declares, "We have now started an unprecedented cyberattack on the University of Columbia in the US in retaliation to the police raid on the student occupation of the university building. We took down the whole network of Columbia and most of the University websites and Eservices (including Email servers). [caption id="attachment_66004" align="aligncenter" width="557"] Source: X[/caption] This cyberattack comes in the wake of a recent incident where police forces intervened to dismantle protests staged by students who were occupying university premises as a form of demonstration.

Campus Tensions: Background and Response

The incident at Columbia University involved a group of protesters breaking into Hamilton Hall, barricading themselves inside, and occupying it throughout the day. The escalation prompted the university administration to call for police assistance, leading to the removal of the protesters. Minouche Shafik, President of Columbia University in the City of New York, expressed deep sadness over the events, stating that the university had been patient in tolerating unauthorized demonstrations for several months. Efforts were made to engage in dialogue with the protesters, including considerations for their demands, but a resolution could not be reached. Our efforts to find a solution went into Tuesday evening, but regrettably, we were unable to come to resolution. Because my first responsibility is safety, with the support of the University’s Trustees, I made the decision to ask the New York City Police Department to intervene to end the occupation of Hamilton Hall and dismantle the main encampment along with a new, smaller encampment," said Shafik. Shafik emphasized the university's commitment to free speech and activism but condemned the acts of violence and destruction carried out during the protests. The decision to involve law enforcement was made to ensure the safety of the campus community and to restore order. The aftermath of the police intervention has seen a wave of arrests and clashes on various university campuses across the United States. New York City Mayor Eric Adams reported 300 arrests at Columbia University and the City College of New York. Similar incidents occurred at the University of Texas at Dallas and Fordham University, among others. Former President Donald Trump, during a campaign rally in Wisconsin, applauded the police action at Columbia University, describing it as "a beautiful thing to watch." However, the response to the protests has not been without criticism. California Governor Gavin Newsom's office labeled the law enforcement response at the University of California, Los Angeles (UCLA), as "limited and delayed," with clashes between rival protesters resulting in numerous injuries.

Alleged Columbia University Cyberattack: Uncertainty and Verification

Amidst the chaos, the alleged cyberattack on Columbia University by Anonymous Arabia has raised further concerns. However, upon accessing the university's official website, no evidence of foul play was detected. The Cyber Express Team reached out to Columbia University for verification, but as of writing this report, no response has been received, leaving the claim unverified. Whether this cyberattack is a genuine act of hacktivism or a tactic to gain attention remains uncertain. Only an official statement from Columbia University can confirm the legitimacy of the claim. Meanwhile, the incident highlights the growing intersection between digital warfare and real-world activism, highlighting the complex dynamics of modern protests and their consequences. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The cybersecurity community is on edge after an unidentified threat actor operating under the username 'UAE', claimed responsibility for a massive data breach attack involving the United Arab Emirates government. In a BreachForums post, the threat actor threatened to leak the data from the alleged UAE attack, unless a ransom of 150 bitcoins (USD 9 million) was paid. The victims in the alleged UAE attack include major UAE government bodies such as the Telecommunications and Digital Government Regulatory Authority, the Federal Authority for Nuclear Regulation, and the Executive Council of Dubai, along with key government initiatives such as Sharik.ae and WorkinUAE.ae. Various ministries are also affected, including the UAE Ministry of Health and Prevention, Ministry of Finance, and the UAE Space Agency. In the post, the threat actor claimed to have access to the personally identifiable information (PII) of various government employees, and shared a few samples that included names, emails, phone numbers, roles, and genders of top officials.

Threat Actor Shared Alleged Samples from UAE Attack

[caption id="attachment_65993" align="alignnone" width="1237"] Source: Dark Web (BreachForums)[/caption] The sample screenshots shared by the threat actor allegedly display internal data from several major UAE government bodies. Additionally, the threat actor claimed to have acquired access to personally identifiable information (PII) of top government officials, displaying samples that list names, roles, and contact details. The possession alleged samples by the threat actor, raises concerns over the security of government personnel and the integrity of national operations. The abrupt emergence of the hacker adds complexity to the incident, casting doubt on the veracity of the claims but potentially indicating a high-stakes risk scenario. The implications of such a breach are severe, potentially affecting national security, public safety, and the economic stability of the UAE. The global cybersecurity community is closely watching the developments, emphasizing the need for a swift and decisive government investigation to confirm the extent of the intrusion and mitigate any potential damage.

Experts Advice Caution and Skepticism Regarding UAE Attack

The hacker's emergence from obscurity with no prior credibility or record of such activities, casts doubt over the legitimacy of the claims. Neither the UAE government nor the affected agencies have yet responded to these claims, nor has there been any independent confirmation of the breach. The Cyber Express team has reached out to the Telecommunications And Digital Government Regulatory Authority (TDRA) in Dubai for further information regarding the attacks. The extensive list of affected entities and the nature of the alleged stolen data would suggest a highly sophisticated and coordinated attack, which seems incongruent with the profile of a lone, unestablished hacker. As this story develops, it will be crucial to monitor responses from the UAE government and the cybersecurity community. It is critical for all stakeholders, including government officials and cybersecurity experts, to collaborate urgently to address this potential crisis, ensuring the protection of sensitive government data and maintaining public trust in national security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

National Supply Chain Day, which was recently observed on April 29, serves as a dedicated day to recognize the critical role supply chain networks play in our everyday lives. A supply chain is the intricate network of organizations, people, activities, information, and resources that work together to transform raw materials from the supplier to the finished end product required by the customer. Damage or disruption to supply chain operations could lead to uncontrolled costs, chaos within delivery schedules, and loss of intellectual property. As supply chains modernize, increased reliance on digital systems simultaneously raises surface risks of these chains to a variety of cyberattacks.

Securing Your Supply Chain

[caption id="attachment_65951" align="alignnone" width="1000"] Source: Shutterstock[/caption] Efforts at bolstering supply chain security require close collaboration and execution between involved parties, presenting its own set of challenges. Regular Security Assessments To assess supply chain risk and compliance, you need to evaluate existing security governance – including data privacy, third-party risk, and IT regulatory compliance needs and gaps – against business challenges, requirements, and objectives. Additionally, security training of involved personnel are necessary to meet regulatory standards and compliance. Vulnerability Mitigation and Penetration Testing Supply chain parties can identify basic security concerns by running comprehensive vulnerability scans. Fixing bad database configurations, poor password policies, eliminating default passwords, and securing endpoints and networks can immediately reduce risk with minimal impact on productivity or downtime. Employ penetration test specialists to attempt to find vulnerabilities in programs, IT infrastructure underlying the supply chain, and even people, through phishing simulation and red teaming. Maintaining Awareness of Compromised Credentials Maintaining awareness of compromised credentials is crucial for securing your supply chain. According to a report by Verizon, 80% of data breaches involve compromised credentials. In May 2021, the Colonial Pipeline, a major fuel pipeline in the United States, fell victim to a ransomware attack that disrupted fuel supplies along the East Coast. The attack was facilitated by a single compromised credential, allowing the attackers to gain unauthorized access to the company's systems and infrastructure. The Colonial Pipeline attack serves as a stark reminder of the importance of implementing measures such as multi-factor authentication and regular credential monitoring to detect and mitigate potential security threats. Secure Modernization of Supply Chain It’s hard to secure data while relying on outdated technology. Solutions such as encryption, tokenization, data loss prevention, file access monitoring and alerting that make it convenient to bring security, reliability, and data governance to exchanges within the enterprise as well as with clients and trading partners. Additionally, supply chains parties can expect other involved parties to meet a certain security threshold while bringing along teams and partners for joint security awareness and training. Data Identification and Encryption Data protection programs and policies should include the use of discovery and classification tools to pinpoint databases and files that contain protected customer information, financial data, and proprietary records. Once data is located, using the latest standards and encryption policies protects data of all types, at rest and in motion – customer, financial, order, inventory, Internet of Things (IoT), health, and more. Incoming connections are validated, and file content is scrutinized in real time. Digital signatures, multifactor authentication, and session breaks offer additional controls when transacting over the internet. Permissioned Controls for Data Exchange and Visibility Supply chain networks can ensure secure and reliable information exchange between strategic partners through privilege- and role-based access. Identity and access management security practices are critical to securely share proprietary and sensitive data across a broad ecosystem. Trust, Transparency, and Provenance Supply chain partners can take steps to ensure proper transparency from multiple enterprises to track and provide accountability for the flow of data and materials from source to end customer or consumer. Third-Party Risk Management As connections and interdependencies between companies and third parties grow across the supply chain ecosystem, organizations need to expand their definition of vendor risk management to include end-to-end security. This allows companies to assess, improve, monitor, and manage risk throughout the life of the relationship. Incident Response Planning and Orchestration Supply chain partners can prepare by having a robust incident response plan for data breach, shutdown/ disruption events. You can share incident response expectations and plans while provide metrics and learnings your organization to aid in decision-making to prevent disruptions between parties.

Conclusion

Ultimately, a strong focus on supply chain security not only protects sensitive data and intellectual property but also safeguards against disruptions that can impact operations and customer trust. Embracing best practices, continuous monitoring, and adaptation to evolving threats are key strategies for staying ahead in today's interconnected and dynamic supply chain landscape. By prioritizing security at every level, organizations can build resilience and confidence in their ability to navigate complex supply chain challenges securely. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor has claimed to have leaked the database of the Department of Social Welfare Ladakh, Government of India. However, crucial details such as the extent of the attack, data compromise, or the motive behind it remain undisclosed.

The alleged cyberattack on the Department of Social Welfare Ladakh has prompted concerns, yet the authenticity of the claim remains unverified.

Unverified Claim: Cyberattack on Department of Social Welfare Ladakh

Upon investigation of the official website, no signs of foul play were detected, as the website remained fully functional. However, to verify the credibility of the claim, The Cyber Express Team reached out to officials for comment. As of the time of this report, no official response has been received, leaving the claim unverified. Should the claim prove to be true, the implications could be significant, potentially affecting the security and privacy of individuals whose data is stored within the department's database. [caption id="attachment_65926" align="aligncenter" width="525"] Source: X[/caption]

Previous Cyberattacks

This incident follows previous cyberattacks targeting government entities in India. In a separate incident, the Rural Business Incubator (RBI) of the Indian state of Uttarakhand was reportedly targeted in a cyberattack linked to the threat actor ZALCYBER. Although the RBI data breach occurred in 2023, it has gained renewed attention due to claims made by the hacker collective on BreachForums. According to assertions made by ZALCYBER, two PDF files containing extensive data linked to the RBI were posted on BreachForums. One of these files includes applicant information, while the other encompasses administrative data. The nature and scale of the data breach raise concerns about the security measures in place to safeguard sensitive information within government entities. Furthermore, in December 2023, an unidentified individual operating under the pseudonym 'dawnofdevil' claimed to have compromised the security of the Income Tax Department of India. The infiltration of such a critical government department underscores the persistent threat posed by cybercriminals targeting governmental institutions. These incidents highlight the pressing need for strong cybersecurity measures within government agencies to mitigate the risk of data breaches and cyberattacks. As digital transformation accelerates and reliance on technology grows, ensuring the security and integrity of government databases and systems becomes paramount. As investigations into these alleged cyberattacks continue, government authorities and cybersecurity professionals must work together to strengthen the resilience of critical infrastructure and protect sensitive data from malicious actors. Timely detection, swift response, and proactive cybersecurity measures are crucial in safeguarding national security and maintaining public trust in government institutions. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Julius Kivimäki, one of Europe's most sought-after cyber criminals, has been sentenced to more than six years jail for attempting to blackmail more than 30,000 individuals whose confidential therapy notes he pilfered. Kivimäki, also known online under the moniker "Zeekill" obtained these notes by breaching the databases of Finland's largest psychotherapy company, Vastaamo in late 2018 and early 2019. Following a failed attempt to extort the company for 40 Bitcoins, which were equivalent to about 450,000 Euros at the time, Kivimäki resorted to directly reaching the patients via email and threatened them to expose the private information they had shared with their therapists. Vastaamo data breach is considered as the largest and one of the most disturbing breaches in Finnish history with regards to the sheer overall impact of the hacking incident. Despite maintaining his innocence throughout the proceedings, Kivimäki now aged 26, evaded authorities and was arrested in Paris under an assumed identity. Even during the trial, he absconded for over a week after refusing to return to prison as ordered by the court. The judges, upon rendering their verdict, found Kivimäki guilty on all counts, condemning his blackmail as "ruthlessly taking advantage of another person's vulnerability." The BBC first reported the conviction. The severity of Kivimäki’s sentence—six years and three months—marks the culmination of a cybercrime spree that commenced when he was merely 13 years old. Kivimäki was a prominent figure amongst teenage cyber gangs that operated between 2009 and 2015. He was arrested in 2013 at the age of 15, but received a juvenile non-custodial two-year suspended sentence. The lenient punishment likely failed to dissuade him, as Kivimäki was swiftly implicated in several other hacks carried out with adolescent cohorts before vanishing for years. Kivimäki’s name resurfaced in 2020, in connection to the Vastaamo hack, where after failed negotiations with the company he demanded $240 from the patients in exchange of deleting their sensitive information. Kivimäki himself led back law enforcement to him. Finnish investigators from the National Bureau of Investigation (KRP), in collaboration with Binance, followed the trail of payments to Kivimäki, who exchanged the funds for Monero and then exchanged them back to Bitcoin. The digital forensics and cryptocurrency tracing played pivotal roles in securing his conviction. Taking into account Vastaamo's position as a company producing mental health services, Kivimäki has caused great suffering or the risk of it to the interested parties," BBC cited the verdict document saying. Vastaamo's CEO, Ville Tapio, was also found guilty of failing to safeguard customers' confidential data. Investigations revealed that the company's databases were susceptible to exploitation due to inadequate safeguards. Tapio received a suspended three-month prison sentence last year, while the Office of the Data Protection Ombudsman imposed an administrative financial sanction of 608,000 euros on Vastaamo. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A complaint lodged by privacy advocacy group Noyb with the Austrian data protection authority (DSB) alleged that ChatGPT's generation of inaccurate information violates the European Union’s privacy regulations. The Vienna-based digital rights group Noyb, founded by known activist Max Schrems, said in its complaint that ChatGPT's failure to provide accurate personal data and instead guessing it, violates the GDPR requirements. Under GDPR, an individual's personal details, including date of birth, are considered personal data and are subject to stringent handling requirements. The complaint contends that ChatGPT breaches GDPR provisions on privacy, data accuracy, and the right to rectify inaccurate information. Noyb claimed that OpenAI, the company behind ChatGPT, refused to correct or delete erroneous responses and has withheld information about its data processing, sources, and recipients. Noyb's data protection lawyer, Maartje de Graaf said, "If a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals. The technology has to follow the legal requirements, not the other way around." Citing a report from The New York Times, which found that "chatbots invent information at least 3% of the time - and as high as 27%," noyb emphasized the prevalence of inaccurate responses generated by AI systems like ChatGPT.

OpenAI’s ‘Privacy by Pressure’ Approach

Luiza Jarovsky, chief executive officer of Implement Privacy, has previously said that artificial intelligence-based large language models follow a "privacy by pressure" approach. Meaning: “only acting when something goes wrong, when there is a public backlash, or when it is legally told to do so,” Jarovsky said. She explained this further citing an incident involving ChatGPT in which people's chat histories were exposed to other users. Jarovsky immediately noticed a warning being displayed to everyone accessing ChatGPT, thereafter. Jarovsky at the beginning of 2023, prompted ChatGPT to give information about her and even shared the link to her LinkedIn profile. But the only correct information that the chat bot responded with was that she was Brazilian. [caption id="attachment_65919" align="aligncenter" width="1024"] Prompt given by Luiza Jarovsky to ChatGPT bot followed by the incorrect response. (Credit:Luiza Jarovsky)[/caption] Although the fake bio seems inoffensive, “showing wrong information about people can lead to various types of harm, including reputational harm,” Jarovsky said. “This is not acceptable,” she tweeted. She argued that if ChatGPT has "hallucinations," then prompts about individuals should come back empty, and there should be no output containing personal data. “This is especially important given that core data subjects' rights established by the GDPR, such as the right of access (Article 15), right to rectification (Article 16), and right to erasure (Article 17), don't seem feasible/applicable in the context of generative AI/LLMs, due to the way these systems are trained,” Jarovsky said.

Investigate ChatGPT’s GDPR Violations

The complaint urges the Austrian authority to investigate OpenAI's handling of personal data to ensure compliance with GDPR. It also demands that OpenAI disclose individuals' personal data upon request and seeks imposition of an "effective, proportionate, dissuasive, administrative fine. The potential consequences of GDPR violations are significant, with penalties amounting to up to 4% of a company's global revenue. OpenAI's response to the allegations remains pending, and the company faces scrutiny from other European regulators as well. Last year, Italy's data protection authority temporarily banned ChatGPT's operations in the country over similar GDPR concerns, following which the European Data Protection Board established a task force to coordinate efforts among national privacy regulators regarding ChatGPT. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The LockBit ransomware group has allegedly claimed responsibility for an earlier Cannes Hospital cyberattack impacting the Cannes Simone Veil Hospital Center (Centre Hospitalier de Cannes). The Cannes Simone Veil Hospital Center, also known as the Broussailles Hospital, was named after former French health minister Simone Veil. The hospital offers patient facilities such as anesthesia, surgery, ENT, ophthalmology, dentistry, mental health, and senior care. While the hospital was immediate in implementing stringent containment measures, ongoing investigations did not find evidence of data theft or direct ties to any threat actor groups.

Staff Forced to Degrade Services After Cannes Hospital Cyberattack

After the cyberattack, medical professionals were forced to switch to pen, paper, and manual processes to continue to provide essential healthcare services such as emergency care, surgery, obstetrics, and pediatrics to patients. Telephony services continue to work normally. Even weeks after the attack, the site still maintains a notice of the cybersecurity attack. The notice reads that the hospital staff is investigating the cyberattack in conjunction with experts (ANSSI, Cert Santé, Orange CyberDéfense, GHT06). Further, the notice stated that while the investigation remains ongoing, there have not yet been any ransom demands or identification of data theft operations. [caption id="attachment_65802" align="alignnone" width="683"] Source: ch-cannes.fr[/caption] Cybersecurity analyst Dominic Alvieri, on X(Twitter), shared an alleged LockBit claim of responsibility for the earlier incident. [caption id="attachment_65735" align="alignnone" width="1200"] (Source: Dominic Alvieri/ @AlvieriD / x.com)[/caption] If the claims are true, the Cannes Simone Veil Hospital Center would be one of the latest victims in a series of recent cyberattacks claimed by LockBit after the ransomware group's operations were disrupted following joint-effort action from the FBI, NCA the UK, and the Europol.

LockBit Ransomware Group Apologised for Earlier Cyberattack on Children's Hospital

Since healthcare targets remain a sensitive target for cyberattacks, many threat actor groups have made claims or suggested they would avoid such targets in their operations. During the Covid-19 pandemic, the Maze ransomware group announced that they would not target healthcare organizations. Later the group was found to continue targeting healthcare units in its operations. Last year in January 2023, LockBit apologized for an attack on Toronto's Hospital for Sick Children, blamed a partner for the attack, in its data leak site, claiming to have blocked the partner allegedly responsible for the attack, and offered code to restore the affected systems. The cyberattack had significant consequences for the pediatric firm such as delayed lab and imaging results, shut down of phone lines, and the staff payroll system. These incidents highlight that the healthcare system remains vulnerable to cyberattacks and can prove to have unwelcome effects on patient health, staff functioning, and morale. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Federal Communications Commission has fined the largest phone carriers in the country - AT&T, Sprint, T-Mobile and Verizon - $200 million over illegal data sharing of its customers location with third parties, and that with inadequate safeguards in place. Of the four, T-Mobile was fined the most with more than $80 million but it will pay another $12 million as Sprint, which was acquired by them in April 2020 was fined separately for its malpractices prior to the acquisition. AT&T was fined more than $57 million and Verizon nearly $47 million. The FCC Enforcement Bureau investigations of the four carriers found that each of them sold access to its customers’ location information to aggregators, who then resold access of such information to third-party location-based service providers. For example, AT&T had arrangements with two location information aggregators: LocationSmart and Zumigo, which in turn, had arrangements with location-based service providers.  “In total, AT&T sold access to its customers’ location information (directly or indirectly) to 88 third-party entities,” the FCC said.

“The largest wireless carriers in the country were selling our real-time location information to data aggregators, allowing this highly sensitive data to wind up in the hands of bail-bond companies, bounty hunters, and other shady actors,” said FCC Chair Jessica Rosenworcel.

The agency stated, "Each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained." Furthermore, when the carriers became aware of the inadequacy of their procedures, they failed to halt the sale of access to location information or adequately safeguard it from unauthorized access. AT&T and Verizon revealed their intention to appeal the FCC's decision, citing legal and factual discrepancies in the agency's order, while T-Mobile planned to challenge the decision, emphasizing its commitment to safeguarding customer data and labeling the fine as excessive. All three companies highlighted that the program for which they were fined ended approximately five years ago.

Views of the Illegal Data Sharing Whistleblower

Senator Ron Wyden (D-OR), commenting on Monday's action praised the FCC for penalizing wireless carriers.

“No one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card ,” Wyden said. “I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk.”

The issue first came to light in 2018 when Wyden discovered the carriers' practices, revealing instances of abuse by government officials and others who obtained location data without proper authorization. The FCC found the telecom companies' practices in violation of section 222 of the Federal Communications Act, which mandates confidentiality of customer information and affirmative consent before sharing or accessing customer location data. FCC’s action comes weeks after the House of Representatives passed the Fourth Amendment Is Not For Sale Act, which would prohibit law enforcement agencies from buying location data and other sensitive information about Americans, without a court order. Privacy advocates cheered the bill’s passage but it now faces an uphill task in the Senate and the White House. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Retail and pharmacy chain London Drugs has announced the closure of its stores across Western Canada after falling victim to a cybersecurity incident. The company, headquartered in B.C., took the precautionary measure to temporarily close its doors until further notice following the discovery of the cyberattack on London Drugs.

London Drugs informed customers of the situation in a statement released on X, formerly known as Twitter. They stated, "On April 28, 2024, London Drugs discovered that it was a victim of a cybersecurity incident. Upon discovering the incident, London Drugs immediately undertook counter measures to protect its network and data, including retaining leading third-party cybersecurity experts to assist with containment, remediation and to conduct a forensic investigation. [caption id="attachment_65806" align="aligncenter" width="594"] Source: X[/caption]

Cyberattack on London Drugs: Immediate Response to Protect Data

The closure of stores is out of an abundance of caution, with the company assuring customers that it is taking all necessary steps to address the cyberattack on London Drugs swiftly and effectively. Out of an abundance of caution, London Drugs is temporarily closing stores across Western Canada until further notice," reads notice. London Drugs emphasized that, at this time, there is no reason to believe that customer or employee data has been impacted by the cyber incident. While we deal with this cybersecurity incident, we want to assure our customers that pharmacists are standing by to support any urgent pharmacy needs," London Drugs stated. We advise customers to phone their local store’s pharmacy to make arrangements.

Temporary Phone Line Shutdown

However, on April 30, London Drugs provided an update, informing customers that as part of its internal investigation, the company's phone lines have been temporarily taken down. This measure is expected to be in place until the investigation is complete. As a necessary part of its internal investigation, London Drugs phone lines have been temporary taken down and will be restored as soon as the investigation is complete," the notice reads. [caption id="attachment_65808" align="aligncenter" width="618"] Source: X[/caption] Despite the temporary closure of phone lines, London Drugs reassured customers that pharmacy staff are available on-site at all store locations to assist with urgent pharmacy needs. Customers are encouraged to visit their local store in-person for immediate support until the phone lines are restored. The cyberattack on London Drugs highlights the increasing threat of attacks facing businesses, including those in the retail and pharmacy sectors. As more and more transactions move online and data becomes increasingly valuable, organizations are increasingly targeted by malicious actors seeking to exploit vulnerabilities in their systems.

Proactive Response

London Drugs' proactive response to the incident highlights the importance of having strong cybersecurity measures in place and the need for swift action in the event of a breach. By immediately engaging third-party cybersecurity experts and conducting a forensic investigation, the company is taking the necessary steps to contain the incident and mitigate any potential damage. For customers, the closure of London Drugs stores may cause inconvenience, but the company's commitment to ensuring the security of its systems and the safety of customer data is paramount. In the meantime, customers with urgent pharmacy needs can still access support from London Drugs by visiting their local store in person and speaking directly with pharmacy staff. The company apologizes for any inconvenience caused by the closure and appreciates the patience and understanding of its customers during this challenging time. As the investigation into the cybersecurity incident continues, London Drugs will provide further updates to keep customers informed of any developments. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Saline Water Conversion Corporation of Saudi Arabia became the target of a Distributed Denial of Service (DDoS) attack allegedly initiated by the hacktivist group ANON SEC BD on April 25 at 1119 hours UTC. The group claimed responsibility for the alleged cyberattack on SWCC, citing Saudi Arabia's diplomatic stance in the ongoing conflict in Gaza as their motive.

Verification of the alleged cyberattack on SWCC was provided by check host reports furnished by ANON SEC BD.

Despite the claims, upon inspection of the official website of the Saline Water Conversion Corporation, no signs of foul play were detected, as the website remained fully functional. To further verify the validity of ANON SEC BD's claims, The Cyber Express Team reached out to officials for comment. However, as of the time of writing this news report, no official response has been received, leaving the claim unverified.

Implication of Cyberattack on SWCC

If indeed proven true, the implications of such an attack could be far-reaching, especially considering the critical role of water treatment plants in ensuring public health and safety. A successful cyberattack on a facility of this nature could disrupt the water supply, leading to significant consequences for communities reliant on it.

Without access to clean water, communities would face numerous challenges, including difficulties in maintaining basic hygiene standards, ensuring the safety of food supplies, and providing adequate medical care.

Moreover, disruptions to the water supply could have cascading effects on various sectors, impacting industries, agriculture, and essential services. Industries reliant on water for manufacturing processes would face production delays or shutdowns, leading to economic losses and potential job layoffs. Furthermore, essential services such as firefighting and emergency response rely heavily on access to water. A compromised water supply could hinder the ability of emergency services to effectively respond to crises, putting lives and property at risk. Beyond immediate consequences, the long-term impacts of a cyberattack on a water treatment plant could be profound. Public trust in the safety and reliability of the water supply could be eroded, leading to social unrest and unrest.

Previous Targets Highlight Group's Actions

Prior to this incident, ANON SEC BD had also claimed responsibility for targeting the website of Alnassr F.C., a Saudi Arabian football club. These actions demonstrate the group's capability and willingness to target various entities online. [caption id="attachment_65694" align="aligncenter" width="453"] Source: X[/caption] DDoS attacks involve flooding a target server with overwhelming traffic, rendering it inaccessible to legitimate users. While DDoS attacks themselves don't typically involve data breaches or manipulation of systems, they can cause significant disruption to services and operations.

Complexity Amid International Tensions

The Saline Water Conversion Corporation plays a crucial role in Saudi Arabia's water infrastructure, particularly in desalination projects aimed at providing clean drinking water to its population. Any disruption to its operations could have serious repercussions, affecting not only domestic water supply but also industries reliant on desalinated water, such as agriculture and manufacturing. The timing of the attack, amid heightened tensions surrounding international conflicts, adds a layer of complexity to the situation. While ANON SEC BD has cited Saudi Arabia's diplomatic stance as their motive, it's essential to note that cyberattacks like these are not uncommon and often stem from a variety of motivations, including ideological, political, or simply seeking attention. For now, the Saline Water Conversion Corporation remains operational, but the incident serves as a reminder of the ever-present threat posed by cyber-attacks and the need for strong defenses against them. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Department of Homeland Security (DHS), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA) and the Countering Weapons of Mass Destruction Office (CWMD), has announced a suite of initiatives aimed at securing critical infrastructure and guarding against AI threats.

This announcement comes as the DHS marks the 180-day milestone of President Biden’s Executive Order (EO) 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI)”.

Secretary of Homeland Security Alejandro N. Mayorkas emphasized the dual nature of AI, stating, “AI can present transformative solutions for U.S. critical infrastructure, and it also carries the risk of making those systems vulnerable in new ways to critical failures, physical attacks, and cyber attacks. Our Department is taking steps to identify and mitigate those threats."

Securing Critical Infrastructure from AI Threats

DHS, in partnership with CISA, released comprehensive safety and security guidelines designed to address AI threats to critical infrastructure. These guidelines categorize risks into three main areas:

• Attacks Using AI: This includes the use of AI to plan or execute physical or cyber attacks on critical infrastructure.
• Attacks Targeting AI Systems: Targeted attacks on AI systems supporting critical infrastructure.
• Failures in AI Design and Implementation: Deficiencies or inadequacies in AI systems leading to malfunctions or unintended consequences.

To tackle these risks, DHS proposes a four-part mitigation strategy:

• Govern: Establish an organizational culture prioritizing AI risk management.
• Map: Understand individual AI use contexts and risk profiles.
• Measure: Develop systems to assess, analyze, and track AI risks.
• Manage: Prioritize and act upon AI risks to safety and security.

CISA Director Jen Easterly emphasized the importance of these guidelines, stating, “Based on CISA’s expertise as National Coordinator for critical infrastructure security and resilience, DHS’ Guidelines are the agency’s first-of-its-kind cross-sector analysis of AI-specific risks to critical infrastructure sectors and will serve as a key tool to help owners and operators mitigate AI risk."

The CBRN Threat: Preparing for the Unthinkable

The DHS, working closely with its CWMD Office, has produced a report analyzing the potential misuse of AI in the development or production of chemical, biological, radiological, and nuclear (CBRN) threats. Assistant Secretary for CWMD Mary Ellen Callahan highlighted the importance of this report, stating, “The responsible use of AI holds great promise for advancing science, solving urgent and future challenges, and improving our national security, but AI also requires that we be prepared to rapidly mitigate the misuse of AI in the development of chemical and biological threats,

All Hands on Deck: Department Unites for Goal

In addition to these initiatives, Secretary Mayorkas has spearheaded various efforts to expand DHS’s leadership on AI:

• Artificial Intelligence Safety and Security Board (AISSB): Established to advise DHS and the critical infrastructure community on the safe and secure development and deployment of AI.
• AI Roadmap: A detailed plan for using AI technologies while protecting individuals’ privacy, civil rights, and civil liberties.
• AI Corps: An accelerated hiring initiative aimed at leveraging AI expertise across strategic areas of the homeland security enterprise.

These efforts highlight DHS’s commitment to advancing the responsible use of AI for homeland security missions while mitigating its associated risks. In the face of evolving threats, DHS remains steadfast in its dedication to safeguarding the nation’s critical infrastructure and ensuring the safe and secure integration of AI technologies. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The UK government has taken steps to safeguard consumers from cyberattacks by prohibiting common and easily-guessable passwords such as "admin" or "12345". The UK government law comes into effect on 29 April 2024 and will mandate manufacturers, importers, and distributors of consumer connectable products in the UK to follow the obligations and standards set in the 'UK Product Security and Telecoms Infrastructure (PSTI) Act 2022' as well as the 2023 Regulations under the same act. The law aims at setting minimum security standards that must be followed before consumer devices can be sold in the UK, to protect UK homes.

Uk Government Law Was Passed in 2022; Will Come to Effect this Year

These measures are part of the Product Security and Telecommunications Infrastructure (PSTI) Act passed in 2022 as well as additional laws passed in 2023. These are designed to bolster the UK's resilience against cyber attacks and disruptive interference following growing concerns stemming from a series of incidents and proposed counter-legislation. A NordPass study in 2023 revealed that "123456, password, qwerty, Liverpool..." were among the most used passwords in the UK. The study highlights that default and weak passwords remain a relevant concern even today. Besides passwords, the new legislation also seeks to tackle inherent issues in existing incident reporting procedures and update periods. With regards to reporting, the law mandates manufacturers to provide consumers with details on reporting security issues within products, and timely updates until resolution, while the information should be made available without request and free of charge. The law mandated that such information should be "accessible, clear, and transparent." With regards to updates, the law mandates information on minimum update periods to be published and clearly accessible to the consumer in a transparent manner along with an end date. The updated information is required to be understandable for a reader without prior technical knowledge.

UK Government Law Could Fine Violators £10 Million or Up to £20,000 a Day

According to the law, the Office for Product Safety and Standards (OPSS) would be responsible for enforcing the relevant act operating from 29 April 2024. Manufacturers, vendors, or firms that fail to comply with the regulations could face fines of up to £10 million or four percent of their global turnover, as well as up to £20,000 a day in the case of an ongoing violation. This new UK law comes as the EU Cyber Resilience Act draft makes rounds for legislative discussion with the inclusion of recent amendments. The Act obliges manufacturers and retailers to follow minimum security requirements throughout the product lifecycle. Following the passing of the Cyber Resilience Act expected in Early 2024, internet-connected products and software would be required to receive independent assessments to check if they comply with the new standards. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Hacktivists claimed breaching the network of Belarusian intelligence agency and allegedly leaked their data in response to the intelligence chief’s recent public remarks accusing the group of plotting attacks on the country’s critical infrastructure, including a nuclear power plant. The hacktivist group known as the Belarusian Cyber-Partisans, purportedly accessed personnel files of over 8,600 employees of the Belarusian Committee for State Security, also known as the Belarus KGB. To substantiate their claim, the Belarusian Cyber-Partisans published a list of the website's administrators, alongside its database and server logs, on their Telegram channel. Yuliana Shemetovets, the group's spokesperson based in New York, asserted that the attack on the KGB network was prompted by the agency chief Ivan Tertel's recent public accusation against the group. Tertel accused the Cyber-Partisans of plotting attacks on a nuclear power plant.

“We do not. We never have. Because we are working to save the lives of Belarusians, not to destroy them unlike the Lukashenko regime,” the Cyber-Partisans said.

More Details on the Belarusian Intelligence Agency Hack

Shemetovets told the Associated Press the group had gained access to the KGB network "several years ago" and was attempting to breach its website and database ever since. The hacktivists in a Sunday Telegram post shared more details from the Belarusian intelligence agency hack, publishing excerpts from the 40,000 contact forms filled by informants and whistle-blowers on the Belarus KGB website over the last nine years. The informants’ data published has come from several countries including Poland, Germany, Azerbaijan, Lithuania and Ukraine the hacktivists said. In one such instance a Ukrainian citizen said he had “information about the concept and some technical details of a fundamentally new rifle complex ... and the possibility of using a similar system as a modernization of tanks of the T-64, T-72, T-80, T-90 family." With the help of the data exfiltrated from the Belarusian intelligence agency hack, the Cyber-Partisans launched a Telegram chat bot called “facement_bot” that allows identification of KGB operatives. “Send a good quality photo with single face to the bot, and if there is a KGB officer in the image, the bot will return information on them,” the Cyber-Partisans said. Shemetovets emphasized that the group's objective is to unveil the truth about political repressions and hold those responsible accountable. While authorities have not issued any official statements regarding the hacktivist claims, the website of the Belarusian KGB said “THE SITE IS UNDER CONSTRUCTION.” The Cyber-Partisans last week claimed infiltration of computers at Belarus' largest fertilizer plant, Grodno Azot, as part of efforts to pressure the government into releasing political prisoners. The state-run plant has not commented on the claim, but its website has been inaccessible since April 17. The Cyber-Partisans claimed to have deliberately disrupted only the boiler unit of the plant, as there were backup sources for power generation.

“We had a good understanding of the internal processes of the plant and knew that this would not lead to dangerous consequences for people. But at the same time, we demonstrated our capabilities that we could really manage [with] the operation on Grodno Azot,” the Cyber-Partisans said.

Cyber-Partisans have previously also targeted Belarusian state media and, in 2022, launched attacks on Belarusian Railways, disrupting transit routes for Russian military equipment destined for Ukraine. Belarus has been a close ally of the Kremlin and has supported its eastern neighbour in the Russian invasion of Ukraine. Before the start of the offensive, Belarus allowed the Russian Armed Forces to perform weeks-long military drills on its territory. It also allowed Russian missile launchers to be stationed in its territory, which drew a lot of flak from its own people and Ukraine’s allies. "We're sending a clear message to the Belarusian authorities," Shemetovets said. "If they continue political repressions, the consequences will escalate. We will persist with our attacks to undermine the Lukashenko regime." Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Okta reported an "unprecedented scale" of credential stuffing attacks targeting its identity and access management solutions, resulting in the breach of some customer accounts. Threat actors employ credential stuffing techniques like password-spraying and brute-forcing to compromise user accounts by systematically trying lists of usernames and passwords in an automated fashion. These lists are often obtained from other data leaks, phishing and infostealer campaigns, or from underground cybercriminal forums where it is sold from a few tens to thousands of dollars.

“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools,” Okta said in a Saturday advisory.

The identity and access management provider said the attacks appear to stem from the same infrastructure used in previously reported brute-force and password-spraying attacks targeting VPNs and SSH services identified by Cisco Talos.

Use of TOR in Credential Stuffing Attacks

Okta noted that in all observed attacks the requests originated from a TOR anonymization network and various residential proxies, such as NSOCKS, Luminati and DataImpulse. Residential proxies are a network of proxy servers that use IP addresses from residential users. They are useful for anonymous browsing, bypassing geo-restrictions and accessing secure websites. Providers rent access to real users' devices to anonymize traffic sources. They don't usually disclose how they build these networks, sometimes enrolling users knowingly or via malware, “what we would typically describe as a botnet,” Okta said. This results in traffic appearing to originate from everyday users' devices, not VPS providers. FBI had earlier warned of a rising trend of cybercriminals using residential proxies to conduct large-scale credential stuffing attacks. Okta observed that the attacks were notably effective against organizations using the Okta Classic Engine with ThreatInsight configured in Audit-only mode, rather than Log and Enforce mode. Additionally, organizations failing to block access from anonymizing proxies experienced a higher success rate in these attacks. The attacks, however, succeeded for only a small percentage of Okta's customers, the IAM provider said. To counter these threats, Okta recommended:

• Enabling of ThreatInsight in Log and Enforce Mode to proactively block IP addresses associated with credential stuffing attempts before authentication is attempted.
• Denying access from anonymizing proxies to preemptively block requests originating from suspicious anonymizing services.
• Transition to enhanced security features such as CAPTCHA challenges for risky sign-ins and password-less authentication.
• Implementing Dynamic Zones to manage access based on criteria like geolocation and selectively block or allow certain IPs.

Why Credential Stuffing Attacks are Still Effective

Credential stuffing attacks traditionally have a very low success rate, which is estimated at around 0.1%, according to Cloudflare. Despite this, it remains profitable due to the vast number of credentials attackers possess. Collections contain millions or billions of credentials, with even a small fraction leading to profitable data. The prevalence of password or credential reuse, observed in up to 85% of digital users, also facilitates the recurrence and the effectiveness of these attacks. Adding to this the advancements in bot technology enables attackers to circumvent security measures like time delays and IP bans. Credential stuffing accounts for 24.3% of all login attempts in 2023, as per Okta. Retail and e-commerce companies account for more than half (51.3%) of all credential-stuffing incidents, the findings stated. It is likely due to the value associated with accounts in that industry, Okta said. Geographically, the Americas region has the highest rate of credential-stuffing attacks at 28%, which aligns with previous findings as some of the largest retail and media companies are based in the United States. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The threat actor USDoD claimed that they had published the Personally Identifiable Information (PII) of about 2 million members of the Communist Party of China on their new content delivery network (CDN). If the threat actors claims are true, the alleged China data leak might hold significant consequences for the party, given its reputation as being highly secretive and restrictive with regards to the flow of information to the outside world. The Chinese Communist Party (CCP) is the political party responsible for leading modern-day China, officially known as the People’s Republic of China since 1949. The leak is stated to include several bits of sensitive and identifiable data that could be used to facilitate identity theft, social engineering, or targeted attacks on individuals. However, the leak remains unconfirmed and it is difficult to ascertain the veracity of the claims. There have been no official statements or responses regarding the alleged leak.

USDoD Creates New CDN to Publish Alleged China Data Leak

The alleged publication of the Communist Party of China member data leak on the CDN site was accompanied by related posts on X (Twitter) and BreachForums. In the BreachForums post description, USDoD claimed to have held onto the leaked data for several months and cited the alleged leaked database as the first to be hosted on their new content delivery network (CDN). The threat actor further stated that they do not support any government, claiming the published alleged data leak as a wider message and as a gesture of good faith. The threat actor stated on an X(Twitter) post that their content delivery network (CDN) was 'ready and operational' and had been built through the help of a 'secret friend', while upload rights would be private and solely and for their own usage. The site was stated to have an upload limit of 500GB per file. [caption id="attachment_65515" align="aligncenter" width="1180"] Source: X(Twitter)[/caption] [caption id="attachment_65516" align="aligncenter" width="1188"] Source: X(Twitter)[/caption] However, in a later post on their X account, they claimed the CDN was down after they messed with the files. While the goals of the threat actor remain unclear, the new CDN will likely be used to upload and link leaked files to be shared for posts on BreachForums (as suggested by this incident). [caption id="attachment_65518" align="aligncenter" width="1188"] Source: X(Twitter)[/caption] While the breach remains unconfirmed, a Cyble researcher stated, "Our preliminary analysis indicates that this data has 2 million records from 2020 with the following data fields: ID, Name, Sex, Ethnicity, Hometown, Organization, ID card number, Address, Mobile number, Phone number and Education.

USDoD Recently Announced Retirement on BreachForums

The alleged Communist Party of China member data leak comes abruptly as just last week, the threat actor announced retirement on BreachForums in a post about an alleged attack on Bureau van Dijk, claiming to have stolen confidential company and consumer data from the firm. However, after being reached out for confirmation by The Cyber Express, a spokesman from the parent company (Moody's) seemingly refuted the threat actor's earlier claims. It is unknown what persuaded the threat actor to remain and continue making posts within BreachForums despite the stated intent towards retirement and suspension of activities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor purports to be selling the database of the Central Bank of Argentina on a hackers' forum. The potential Central Bank of Argentina data breach, if proven true, poses serious implications for the financial security and privacy of countless individuals.

According to the dark web post, the database allegedly contains sensitive information, including full customer names, CUIL/DNI(ID) numbers, cities, and phone numbers. Such data, if compromised, could expose individuals to identity theft, financial fraud, and other malicious activities, leading to devastating consequences for both customers and the Central Bank of Argentina. However, amidst the claims, crucial details remain shrouded in mystery. The extent of the cyberattack on Central Bank of Argentina and the motive behind it have not been disclosed by the threat actor. Without clarity on these critical aspects, the true nature and severity of the Central Bank of Argentina data breach remains uncertain. [caption id="attachment_65538" align="aligncenter" width="1280"] Source: X[/caption] Adding to the uncertainty is the apparent functionality of the Central Bank of Argentina's official website. Despite the allegations made by the threat actor, the website remains operational, casting doubt on the authenticity of the claim. This discrepancy raises questions about the credibility of the purported database sale and highlights the complexity of navigating the murky waters of cyber threats and disinformation.

Potential Ramifications on Central Bank of Argentina Data Breach

If the claim of a database data breach at the Central Bank of Argentina is indeed verified, the ramifications could be far-reaching. Beyond the immediate financial and reputational damage to the bank itself, the fallout may extend to the broader economy and society at large. The compromised data, containing the personal and financial information of individuals, could be exploited by cybercriminals for various nefarious purposes. From identity theft and fraudulent transactions to targeted phishing scams and extortion attempts, the potential threats are manifold and alarming. Moreover, the integrity and trustworthiness of financial institutions, particularly central banks, are paramount for maintaining stability and confidence in the banking system. Any breach or perceived vulnerability could undermine public trust, erode investor confidence, and destabilize financial markets, with ripple effects reverberating across the economy. The absence of concrete evidence and corroborating details complicates efforts to assess the veracity of the threat actor's claims and formulate an effective response.

Other Cyberattack Claims on Argentina

This claim follows a series of cyber threats targeting Argentina's institutions. In April 2024, a dark web actor allegedly proposed the sale of Telecom Argentina access for $100 on a hacking forum. According to the threat actor’s post, interested buyers could acquire access enabling them to query personal information tied to individuals in Argentina. This included details on services registered under their names, such as routers, with access to data like Public IP and Private IP addresses.

Moreover, in February 2024, the Córdoba Judiciary in Argentina fell victim to the PLAY Ransomware attack. The ransomware impacted its websites and databases, making it one of the worst computer hacks on public institutions in the Argentine Republic. The hacker left the websites inaccessible, and to date, there have been no improvements on the compromised systems. Police and cybersecurity specialists are assisting with the investigation to identify the incident’s perpetrators. Local sources claim that the ransomware strain “PLAY” infected the government organization’s computers. This ransomware is a well-known threat actor (TA) specifically made to encrypt computer user data and demand ransom payments to unlock it.

Understanding Argentina's Vulnerability

Argentina's susceptibility to cyber threats stems from various factors. Firstly, the country's heavy reliance on digital infrastructure for its financial and administrative operations makes it a prime target for cybercriminals. Institutions like the Central Bank, with vast databases containing sensitive customer information, are particularly attractive to threat actors seeking to exploit vulnerabilities. Additionally, the emergence of dark web forums and marketplaces has facilitated the sale and exchange of stolen data, providing cybercriminals with an avenue to profit from their illicit activities. The recent claims regarding the sale of the Central Bank's database and Telecom Argentina access underscore the growing sophistication of cyber threats facing the country. In the absence of definitive information, vigilance and caution are imperative. Heightened cybersecurity measures, including enhanced monitoring, threat detection, and incident response protocols, are essential for mitigating risks and safeguarding critical infrastructure and sensitive data. Furthermore, collaboration and information sharing within the cybersecurity community, both domestically and internationally, are vital for staying abreast of emerging threats, sharing intelligence, and coordinating responses to cyber incidents effectively. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The notorious Hunters group has allegedly added two new victims to their dark web portal: Rocky Mountain Sales in the United States and SSS Australia. While the extent of the cyberattack, data compromise, and motive behind the attack remain undisclosed by the ransomware group, the implications of such an attack on these prominent organizations could be far-reaching.

Rocky Mountain Sales, Inc., with a revenue of US$5 million, is an outsourced sales and service organization committed to providing leading customer service, sales, and support to all strategic partners. Meanwhile, SSS Australia, boasting a revenue of US$17 million, has been synonymous with the highest standards of quality and value in medical supplies for over 45 years. Given the vastness of these organizations, if the cyberattack on Rocky Mountain Sales and cyberattack on SSS Australia claim is proven true, the consequences could be severe. Not only could it disrupt their operations, but it could also result in substantial financial losses, tarnishing their reputations and undermining customer trust. The potential compromise of sensitive data, such as customer information, financial records, and proprietary business data, could have long-lasting repercussions for both organizations. However, as of now, no foul play can be sensed upon accessing the official websites of both organizations, as they were fully functional. To verify the claim further, The Cyber Express team reached out to officials, but as of writing this news report, no official response has been received, leaving the claim unverified.

Hunters International Ransomware Group's Previous Claims

This recent incident follows a string of cyberattacks by the Hunters International group. In April, SpaceX, the aerospace manufacturer and space transport services company founded by Elon Musk, allegedly suffered a cybersecurity incident involving a data breach by the Hunters group, who reportedly posted samples of the breached data. Prior to that, Central Power Systems & Services, a major distributor of industrial and power generation products in Kansas, Western Missouri, and Northern Oklahoma, fell victim to the notorious ransomware group. Before these incidents, the group targeted various organizations across different sectors and countries. In 2024 alone, the Hunters International group claimed responsibility for cyberattacks on the Dalmahoy Hotel & Country Club in the UK, Double Eagle Energy Holdings IV, LLC in the US, and Gallup-McKinley County Schools in New Mexico, among others. The cyberattacks by the Hunters International group highlight the need for organizations to prioritize cybersecurity measures and invest in strong defense mechanisms to safeguard their digital assets. Moreover, international cooperation and information sharing among cybersecurity agencies are crucial in combating such threats effectively.

Unverified Hunters Group Claims

While the Hunters International group has claimed responsibility for the cyberattacks on Rocky Mountain Sales and SSS Australia, the lack of verified information about the extent of the attacks emphasizes the challenges in responding to such incidents. Without official confirmation or detailed information from the targeted organizations, the full impact of the cyberattacks remains uncertain. As cybersecurity threats continue to evolve and ransomware attacks become increasingly sophisticated, organizations must remain vigilant and proactive in protecting their networks and data. The recent incidents involving Hunters International serve as a reminder of the potential consequences of inadequate cybersecurity measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

CRIL Researchers observed a new android banking trojan 'Brokewell,' being distributed through a phishing site disguised as the official Chrome update page. The malicious Android Banking Trojan comes equipped with various functionalities such as screen recording, keylogging and over 50 different remote commands. Upon further investigation, researchers were able to trace the trojan back to its developer, who described the trojan as capable of bypassing permission restrictions on the latest versions of the Android operating system.

Developer Behind Android Banking Trojan Found Distributing Other Spyware Tools

CRIL researchers identified the trojan being distributed through the domain “hxxp://makingitorut[.]com” which disguises itself as the official Chrome update website and bears several striking similarities. [caption id="attachment_65312" align="alignnone" width="1557"] Source: Cyble[/caption] The site deceives the user into thinking that an update is required, describing it as being necessary "to secure your browser and fix important vulnerabilities. A download button on the site leads users to download the malicious APK file “Chrome.apk” on to their systems. Upon examination, the downloaded APK file was discovered to be a new android banking trojan, incorporated with over 50 different remote commands such as collecting telephony data, collecting call history, waking the device screen, location gathering, call management, screen and audio recording. The trojan communicated through a remote command and control (C&C) server operating through the “mi6[.]operationanonrecoil[.]ru” domain and hosted on the IP address “91.92.247[.]182”. [caption id="attachment_65315" align="alignnone" width="1354"] Source: Cyble[/caption] The malware was further linked to a git repository, where it was described as being capable of circumventing permission-based restrictions on Android versions 13, 14, and 15. The git repository contained links to profiles on underground forums, a Tor page, and a Telegram channel. The Tor page directed to the malware developers’s personal page, where they took steps to introduce themselves and linked to a site listing various other projects they had developed such as checkers, validators, stealers, and ransomware. Since CRIL researchers did not observe any mentions of the android banking trojan on the site, it is assumed that the trojan is a very recent development which might be listed within the upcoming days.

Technical Capabilities of Android Banking Trojan "Brokewell"

[caption id="attachment_65324" align="alignnone" width="1501"] Source: Shutterstock[/caption] Researchers note that the Brokewll Banking Trojan is likely in its initial stages of development and thus possesses limited functionalities for the time period. The current attack techniques primarily involves the screen overlay attack, screen/audio capturing or keylogging techniques. However, researchers warn that future versions of the android banking trojan may incorporate additional features. The malware is observed conducting a pre-emptive check to determine whether the host system has been rooted. This stage involves checking for package names of a root check application, network traffic analysis tool and an .apk parsing tool. Once the device is detected to not be rooted, it proceeds with normal execution, first prompting the victim for accessibility permissions. The accessibility service is then abused to grant the application other permissions such as “Display over other apps” “Installation from unknown sources”. [caption id="attachment_65319" align="alignnone" width="385"] Source: Cyble[/caption] After obtaining permissions, the application prompts the user to enter the device pin through a fake PIN screen with German localization. The PIN is then stored to a text file for subsequent usage. The German localization along with several samples of the malware being uploaded to VirusTotal from the German region lead researchers to believe that it is primarily targeting Germany. In addition to German, several strings in Chinese, French, Finnish, Arabic, Indonesian, Swedish, Portuguese, and English were also spotted. These strings suggest that the malware could expand its targets with the emergence of subsequent iterations incorporating additional features. Researchers anticipate increased promotion of the tool on underground forums and through the malware developer’s product portal, underscoring the progressive stage of banking trojans and the need for continuous monitoring over such developments. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Hackers have honed in on a critical WP-Automatic plugin vulnerability, aiming to infiltrate WordPress websites by creating unauthorized admin accounts, according to recent reports. The flaw, identified in versions preceding 3.9.2.0 of the WP Automatic plugin, has prompted cybersecurity experts to issue urgent warnings to website owners and administrators. The vulnerability, flagged under the identifier "CVE-2024-27956," has been characterized as a high-severity issue with a CVSS score of 9.8. It pertains to a SQL injection flaw within the plugin's user authentication mechanism, which essentially enables threat actors to circumvent security measures and gain administrative privileges. 

Decoding WP-Automatic Plugin Vulnerability

[caption id="attachment_65416" align="alignnone" width="1172"] Source: WordPress[/caption] Exploiting this vulnerability grants hackers the ability to implant backdoors within websites, ensuring prolonged unauthorized access. Reports indicate that hackers have been actively exploiting this vulnerability, capitalizing on the widespread use of the WP Automatic plugin across more than 30,000 websites. The exploit allows them to execute various malicious activities, including the creation of admin accounts, uploading of corrupted files, and executing SQL injection attacks. Cybersecurity researchers have observed a surge in exploit attempts, with over 5.5 million recorded attacks since the vulnerability was publicly disclosed. The threat landscape escalated rapidly, peaking on March 31st, underscoring the urgency for website owners to take immediate action to secure their online assets.

The Technical Side of the WP-Automatic Plugin Vulnerabilities

The Automatic Plugin, developed by ValvePress, faces an challenge beyond comprehension since the vulnerability effects thousands of users who downloaded the plugin through WordPress and other WP plugin markets. The vulnerability stemmed from the inc/csv.php file, which allowed unauthenticated users to supply and execute arbitrary SQL queries. Despite initial checks using wp_automatic_trim() function, bypassing them was feasible by providing an empty string as the authentication parameter ($auth) and crafting the MD5 hash of the SQL query to subvert integrity checks. Furthermore, the vulnerability lied within the downloader.php file, where unauthenticated users could provide arbitrary URLs or even local files via the $_GET['link'] parameter for fetching through cURL. This flaw facilitated server-side request forgery (SSRF) attacks. To mitigate the vulnerabilities, the vendor enacted several measures. For the SQL Execution vulnerability, the entire inc/csv.php file was removed. For the File Download and SSRF vulnerability, a nonce check was implemented, coupled with validation checks on the $link variable.

Mitigation Against the WP-Automatic Plugin Vulnerability

To safeguard against potential compromises, cybersecurity analysts recommend the following measures, including regularly updating the WP-Automatic plugin to its latest version is crucial to patch known vulnerabilities and bolster security measures. Regular audits of WordPress user accounts help identify and remove unauthorized or suspicious admin users, reducing the risk of unauthorized access. Employing robust security monitoring tools aids in detecting and responding promptly to malicious activities, improving threat detection capabilities. It's essential to maintain up-to-date backups of website data to enable swift restoration in case of compromise, minimizing downtime and data loss. Website administrators should watch out for indicators of compromise, including admin accounts with names starting with "xtw," renamed vulnerable file paths, and dropped SHA1 hashed files in the site's filesystem. The exploitation of WP-Automatic plugin vulnerabilities highlights the ongoing cybersecurity threats within WordPress ecosystems. By promptly implementing suggested mitigations and staying alert for potential indicators of compromise, website owners can strengthen their defenses against malicious actors aiming to exploit these vulnerabilities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

By Lakshmi Mittra, SVP and Head, Clover Academy In the rapidly changing and dynamic tech environment of today, future-proofing the workforce is more essential than ever. With industries constantly innovating and adapting to new technologies, the demand for next-gen tech talent professionals capable of leading change and driving innovation is on the rise. This is where skilling steps in, acting as a key player in nurturing the next generation of tech talent. The concept of future-proofing the workforce revolves around equipping employees with the necessary skills and knowledge to adapt to new technologies and industry trends. With rapid advancements in technology, traditional job roles are evolving, and new roles are emerging. Therefore, it is essential for organizations to invest in continuous learning and development to ensure their workforce remains relevant and competitive.

The Role of Skilling in Cultivating Next-gen Tech Talent

Skilling plays a pivotal role in nurturing the next-gen tech talent through its tailored learning paths and hands-on experience. It offers industry-relevant courses and collaborates with experts to ensure up-to-date and practical training. Here’s how skilling equips learners to meet the demands of the evolving tech landscape and drive innovation:

Tailored Learning Paths

One of the key strengths of skilling is its ability to offer tailored learning paths that cater to the unique needs and aspirations of each learner. Whether it's data science, artificial intelligence, cybersecurity, or software development, skilling provides a range of courses and programs designed to develop the specific skills required in today's tech-driven world.

Hands-on Experience:

Skilling emphasizes hands-on learning, allowing learners to gain practical experience and apply their skills in real-world scenarios. Through projects, case studies, and practical assignments, learners not only acquire theoretical knowledge but also develop problem-solving and critical thinking skills essential for success in the tech industry.

Industry Collaboration

Skilling collaborates with industry leaders and experts to develop up-to-date and relevant content that is aligned with industry standards and practices.

Fostering Innovation and Growth

By empowering learners with hands-on and industry-relevant training, skilling promotes a culture of continuous learning. It provides learners with the tools and resources to explore and develop creative solutions, cultivating a workforce capable of driving innovation and sustainable growth.

Enhanced Employability

Skilling enhances the employability of learners by equipping them with industry-relevant skillsets and knowledge. This increased employability not only benefits the learners by opening up new career opportunities but also provides organizations with access to a pool of skilled and qualified talent.

Conclusion

Future-proofing your workforce is essential in today's rapidly evolving tech landscape. It benefits not only the employees but also provides organizations with a competitive edge by ensuring they have a skilled and adaptable workforce capable of driving innovation and growth. In this digital age, skilling is not just about acquiring new skills, but fostering a culture of continuous learning, adaptability, and achieving sustainable growth. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything. 

By Roman Faithfull, Cyber Intelligence Lead, Cyjax 2024 will see more elections than any other year in history: the UK, the US, Russia, India, Taiwan and more. According to AP, at least 40 countries will go to the polls this year, and some of these contests will have ramifications way beyond their national borders. This will also make 2024 a year of misinformation, as groups both within and outside these countries look to exert their influence on the democratic process. As the US presidential election draws near, specialists caution that a combination of factors domestically and internationally, across conventional and digital media platforms, and amidst a backdrop of increasing authoritarianism, profound mistrust, and political and social turbulence, heightens the severity of the threats posed by propaganda, disinformation, and conspiracy theories. There are two terms that are frequently conflated. Disinformation is deliberately false content crafted to inflict harm, whereas misinformation is inaccurate or deceptive content shared by individuals who genuinely believe it to be true. It can be difficult to establish if people are acting in good faith or not, so the terms are often used interchangeably—and misinformation often starts out as carefully crafted disinformation. The overall outlook appears bleak, with governments already experiencing the effects of misinformation. The groundwork has been laid, evidenced by past initiatives that aimed to influence elections in favor of certain parties. In 2022, the BBC launched an investigative project, creating fake accounts to follow the spread of misinformation on platforms such as Facebook, Twitter, and TikTok, and its potential political impact. Despite attempts by social media platforms to tackle this problem, it was found that false information, particularly from far-right viewpoints, remains prevalent. Today, just two years on, the techniques and tools to manipulate information are even more advanced.

The Deceptive Side of Tech

AI is dominating every discussion of technology right now, as its uses are explored for good and ill. Spreading fake news and disinformation is one of those uses. In its 2024 Global Risks report, the World Economic Forum noted that the increasing worry regarding misinformation and disinformation primarily stems from the fear that AI, wielded by malicious individuals, could flood worldwide information networks with deceptive stories. And last year, the UK’s Cyber Security Center released a report exploring the potential for nations like China and Russia to employ AI for voter manipulation and meddling in electoral processes. Deepfakes have grabbed a lot of attention, but could they disrupt future elections? It’s not a future problem—we’re already here. Deepfake audio recordings mimicking Keir Starmer, the leader of the Labour Party, and Sadiq Khan, the mayor of London, have surfaced online. The latter of these was designed to inflame tensions ahead of a day of protest in London. One of those responsible for sharing the clip apologized but added that they believed the mayor held beliefs similar to the fake audio. Even when proven false, deepfakes can remain effective in getting their message across. Many would argue that the responsibility now falls on governments to implement measures ensuring the integrity of elections. It's a cat and mouse game—and unfortunately, the cat is not exactly known for its swiftness. There are myriad ways to exploit technology for electoral manipulation, and stopping all of it could simply be impossible. Regulation is out-of-date (the Computer Misuse Act was passed in 1990, though it has been updated a few times) and the wheels of government turn slowly. Creating and passing new laws is a long process involving consultation, amendment processes, and more. But is it solely the responsibility of governments, or do others need to step up?.

Is There a Solution?

Combating technology with technology is essential, there is simply too much misinformation out there for people to sift through. Some of the biggest tech companies are taking steps: Two weeks ago, a coalition of 20 tech firms including Microsoft, Meta, Google, Amazon, IBM, Adobe and chip designer Arm announced a collective pledge to tackle AI-generated disinformation during this year's elections, with a focus on combating deepfakes. Is this reassuring? It’s good to know that big tech firms have this problem on their radar, but tough to know how effective their efforts can be. Right now, they are just agreeing on technical standards and detection mechanisms—starting the work of detecting deepfakes is some way away. Also, while deepfakes are perhaps uniquely disturbing, they are just one method among many, they represent just a fraction of effective disinformation strategies. Sophistication is not always needed for fake news to spread—rumors can be spread on social media or apps like Telegraph, real photos can be put into new contexts and spread disinformation without clever editing, and even video game footage has been used to make claims about ongoing wars.

Fighting Misinformation During Election

Fighting against misinformation is extremely difficult, but it is possible. And the coalition of 20 big tech firms has the right idea—collaboration is vital.

Be proactive

A lie can travel halfway around the world while the truth is putting on its shoes, said… someone (it’s a quote attributed to many different people). By the time we react to disinformation, it’s already out there and debunking efforts are not always effective. As Brandolini’s Law states, the amount of energy needed to refute bullshit is an order of magnitude bigger than that needed to produce it. And often, when people read both the misinformation and the debunking, they only remember the lies. Warning people about what to look for in misinformation can help. Where did it originate? If it claims to be from an authoritative source, can you find the original? Is there a source at all?

Inoculate

Sander van der Linden, a professor of psychology and an expert on misinformation, recommends a similar approach to vaccinations—a weak dose of fake news to head off the incoming virus. By getting people to think about misinformation and evaluate it, and teaching people the tactics behind its creation, they can better deal with fake news stories they later encounter. Could we create a vaccine program for fake news? Perhaps, but it requires a big effort and a lot of collaboration between different groups.

Monitor

It’s not only governments and public figures that are attacked by fake news, corporations and businesses can find themselves the target or unwitting bystanders. Telecom companies have been the subject of 5G conspiracy theories, and pharmaceutical companies accused of being part of, rather than helping solve, the pandemic. But the problem can get weirder. A pizza restaurant in Washington DC and a furniture retailer have both had to react to being accused of child trafficking thanks to bizarre rumors circulating online. What are people saying about your business? Can you react before things get out of hand? Misinformation works for a number of reasons—people want to know “the story behind the story”, and it gives people a feeling of control when they have access to “facts” others do not—which is why misinformation spreads so fast during a pandemic that took away that feeling of control from so many of us. Those spreading misinformation know how to tap into these fears. In cybersecurity terms, they know the vulnerabilities and how to exploit them. We can’t distribute software patches to stop these attacks, but we can make them less effective by understanding them. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything. 

This week's TCE Cyberwatch delves into a range of pressing cybersecurity issues impacting the world today. From the rise of malicious AI manipulation in elections to the ever-present threat of data breaches and ransomware attacks, no sector is immune. TCE Cyberwatch explores these concerns and more, along with groundbreaking advancements in the tech industry like Microsoft's new lightweight AI model. Whether you're a seasoned cybersecurity professional or simply someone navigating the digital world, staying informed is crucial.

TCE Cyberwatch Weekly Update

Let's dive into the latest developments and equip ourselves with the knowledge to stay safe online.

Samourai Wallet Founders Sentenced to Prison Over Money Laundering Charges

Samourai Wallet, a popular crypto app founders, Keonne Rodriguez and William Lonergan Hill, were recently arrested with serious charges regarding money laundering and unlicensed money transmitting. The allegations address over $2 billion in transactions and laundering more than $100 million in criminal proceeds. The transactions originated from dark web markets like Silk Road and Hydra Market, and the charges seem to be amounting to a maximum of 20 years in prison for Rodriguez and five years for Hill. Along with this, the company's web servers were seized, and prevention of further downloads of the Samourai mobile app in the U.S. was implemented. Read More

China Cracks Down on Messaging Apps: WhatsApp, Threads Removed from App Store

The Chinese government, pushed by concerns over censorship, recently ordered Apple to remove WhatsApp and Threads from their App Store in China. Reportedly, Telegram and Signal have also been removed. China’s Cyberspace Administration had asked Apple to remove the apps because they apparently contained political content that included negative comments and posts about President Xi Jinping. Apple is known to work alongside the Chinese government's wishes as in 2021, Apple had supposedly agreed to store the personal data of Chinese users in servers accessible by the government. Apple addressed in a statement that, “We are obligated to follow the laws in the countries where we operate, even when we disagree.” Read More

Cybersecurity Nonprofit MITRE Breached by Nation-State Actor

MITRE reports that they have recently been exposed to breaches and cyber threats despite working to safeguard themselves from them. A foreign nation-state threat actor was confirmed on their Networked Experimentation, Research, and Virtualization Environment, or NERVE, network. MITRE immediately took the network offline, making sure to start an investigation to find out the extent of the damages as well as contacting those affected. Jason Providakes, president and CEO, MITRE, shared his response to the incident stating that, “The threats and cyber-attacks are becoming more sophisticated and require increased vigilance and defence approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices.” Read More

Google Fires Employees Over Pro-Palestine Protest Against Israeli Contract

Google recently terminated 28 staff members after they had protested against the company’s contract with the Israeli government. The pro-Palestine employees had protested by staging hour-long sit-ins at their offices. In a statement, Google employees’ part of the “No Tech for Apartheid” campaign, revealed that some employees who had not directly participated in the protests had also been fired. Gabriel Schubiner, an ex-Google employee, revealed that he knew of co-workers who had to provide training on how to use Google Cloud directly to Israel’s national intelligence agency and that the contracts were not primarily meant for t civil services and society as claimed, but rather the military. Furthermore, he says that Palestinian and Muslim employees faced “the most intense retaliation bias” when speaking out against the contracts. Read More

Paris Olympics Braces for Cyber Siege: Millions of Hacking Attempts Expected

Paris Olympic organizers are preparing for a hoard of cyberattacks during this year’s events, as officials expect millions of hacking attempts. These attacks could entail minor issues like inconveniencing processes, or major damages that could result in the event being stunted. The organizers are preparing themselves by offering bug bounties to those who can scope out vulnerabilities in systems; Additionally, they are training staff to be able to recognize and respond to phishing scams. While fans and spectators are potential victims, there are also issues with smart equipment like CCTV cameras, alarm systems, badges, etc. The 2021 Tokyo Olympics reportedly faced about 450 million hacking attempts, and this year is predicted to be almost 8 to 12 times that number. Read More

PayPal Appoints Shaun Khalfan as New CISO

PayPal, a famous digital payments company, has recently appointed Shaun Khalfan as their new Senior Vice President and Chief Information Security Officer. Khalfan has over 20 years of experience in information security and risk management, and his presence in the company cements their cybersecurity fields further. PayPal is one step closer to ensuring the security and defence of the company’s digital infrastructure and everyone involved digital assets, data and payments. Khalfan stated, “I am excited to embark on a new challenge as SVP, Chief Information Security Officer at PayPal! I am inspired by the leadership team, growth strategy, and look forward securing a digital company on a global scale.” Read More

AI Deepfakes and Foreign Interference: Challenges in India's Elections

With India currently holding general elections to select members of Parliament, there seem to be a plethora of cybersecurity challenges present. There seems to be a large amount of  AI-generated content and deepfakes by political entities and foreign agents against one another to manipulate the game and cause tensions amongst the public and the politicians. Cybersecurity experts and Industry leaders, such as IBM and McAfee have already predicted a treacherous voting season, but the use of AI generated content adds to the stilted integrity of the election. Foreign interference also seems to be an issue for the Indian voting process. Chinese hackers are an example of those identified to try to manipulate public opinion and influence election outcomes. Read More

Australia Fines Social Media Platform for Refusing to Remove Stabbing Videos

On April 15, a bishop and a priest were stabbed in Sydney, with the entire event being live-streamed.  Graphic footage of the attack has been circulating online, leading to riots and the government calling the stabbing an act of terrorism. Due to this, Australia eSafety Commissioner Julie Inman Grant asked social media companies X and Meta to take down the videos due to the country’s Online Safety Act. Meta abided but X argued that some posts “did not violate X’s rules on violent speech,” and are now being threatened with a fine of AUD 785,000 (USD 500,000) if the posts aren’t taken down. Anthony Albanese, the Australian Prime Minister showed disapproval of Elon Musk and X’s actions by stating, “This isn’t about freedom of expression… Social media has a social responsibility.” Read More

TikTok Faces US Ban: Bill Demands App Sale or Removal Over Security Concerns

Lawmakers in the U.S. recently passed a bill that will ban the app in the country if TikTok’s Chinese owner, ByteDance, refuses to sell their stake in the American business. TikTok’s head of public policy for the U.S. stated that the bill was unconstitutional, going against the First Amendment and that TikTok would fight it in the courts. TikTok has always denied any affiliation with Beijing authorities and them having any access to user data. They have also stated they would always refuse if asked to do so. Yet, TikTok still faces scrutiny and pressure from lawmakers in the US, and other Western politicians including in the UK, over suspicion that users’ data is accessible by the Chinese government. The Bill is now headed toward President Joe Biden, who has stated that “I will sign this bill into law and address the American people as soon as it reaches my desk.” Read More

Tesla Cybertruck Woes Mount with Recalls and Rust

Teslas Cybertrucks have started mass malfunctioning recently, with the company receiving many complaints regarding faulty loose accelerator pedestals. This has led to future orders of the Cybertrucks being canceled as the company asks for their product to be recalled by the US National Highway Traffic Safety Administration (NHTSA). Elon Musk’s claims of the car being bulletproof, and the “best off-road vehicle” are shown to be untrue as users are unable to drive them properly through sand or snow, windows are broken by balls and windshields by hailstorms, rust occurs, along with some peoples cars just stopping to work at all. This doesn’t help Tesla as they currently face low earnings, having to cut staff by 10% globally, amounting to around 14,000 jobs. Read More

U.K. Phone Maker "Nothing" Faces Data Breach

Nothing, a U.K.-based phone manufacturer recently admitted to facing a data breach where 2,250 peoples information and privacy was endangered.  While no sensitive information like passwords seemed to be accessed, user emails themselves being exposed caused concerns surrounding the security of the community members. Nothing traced the breach back to a vulnerability first known from December 2022, and immediately responded and took action against the vulnerability during this event. However, there seems to be no indication that the company reached out to the people affected regarding the situation which causes concerns surrounding communication and transparency. Read More

UnitedHealth Group Pays Ransom After Change Healthcare Data Breach 

After Change Healthcare recently experienced a data breach, UnitedHealth has admitted to paying the ransom to retrieve patient information. The company stated, "A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure." Wired magazine, analyzing forum posts and other sources, estimates that the company likely paid around $22 million.

The breached files, containing health information and personally identifiable information, have the potential to affect a large portion of the U.S. population if not reclaimed by the health group. Consequently, restoring pharmacy software, claims management, etc., along with financial assistance, has been a priority for the company. However, it seems that paying the ransom was the only way they could protect their members and their information from the hackers. Read More

Russian Malware "GooseEgg" Targets Government Networks: Microsoft Sounds Alarm

Microsoft recently discovered a new malware named GooseEgg being used by Russian hackers to gain elevated access, steal credentials, and facilitate lateral movement within compromised networks. The malware is attributed to a group called "Forest Blizzard," believed by the U.S. and U.K. governments to be associated with Unit 26165 of Russia’s military intelligence agency, the GRU.

According to Microsoft, Forest Blizzard has been using GooseEgg since around June 2020. The group has targeted various sectors including state, non-governmental, educational, and transportation institutions in Ukraine, Western Europe, and North America. GooseEgg is deployed after gaining access to a device, enhancing the hackers' capabilities within the network. Read More This week's TCE Cyberwatch has painted a sobering picture of the current cybersecurity landscape. From data breaches and ransomware attacks to government censorship and social media manipulation, no corner of the digital world seems immune. Yet, there's also reason for hope. Advancements in AI offer potential solutions, while increased awareness empowers individuals and organizations to fight back. Stay vigilant, stay informed, and remember – together, we can build a more secure digital future. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

With more than 2 billion voters ready to cast a vote this year across 60 plus nations -including the U.S., U.K. and India - Russian state hackers are posing the biggest cyber threat to election security, researchers said. Google-owned Mandiant in a detailed report stated with “high confidence” that Russian state-sponsored cyber threat activity poses the greatest risk to elections in regions with Russian interest.

“Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” Mandiant said.

Why Russia is the Biggest Cyber Threat to Election Security

Russia's approach to election interference is multifaceted, blending cyber intrusion activities with information operations aimed at influencing public perceptions and sowing discord. State-sponsored cyber threat actors, such as APT44, better known as the cyber sabotage unit Sandworm, and APT28 have a history of targeting elections in the U.S., and Europe. These actors employ hybrid operations, combining cyber espionage with hack-and-leak tactics to achieve their objectives. The 2016 U.S. presidential election is a prime example of Russia's cyber interference capabilities, as per Mandiant. APT28, linked to Russia intelligence unit - the GRU, compromised Democratic Party organizations and orchestrated a leak campaign to influence the election's outcome. Similarly, in Ukraine, APT44 conducted disruptive cyber operations during the 2014 presidential election, aiming to undermine trust in the electoral process. Jamie Collier, Mandiant senior threat intelligence advisor said, “One group to watch out for is UNC5101 that has conducted notable hybrid operations in the past.” Mandiant reports UNC5101 engaging in cyber espionage against political targets across Europe, Palestinian Territories, and the U.S. The actor has also used spoofed Ukrainian government domains to spread false narratives directly to government employees' inboxes. Before Russia's 2023 and 2024 elections, UNC5101 registered domains related to opposition figures like Alexei Navalny and conducted likely information operations to deceive voters. Russian state-aligned cyber threat actors target election-related infrastructure for various reasons including applying pressure on foreign governments, amplifying issues aligned with Russia's national interests, and retaliating against perceived adversaries. Groups like APT28 and UNC4057 conduct cyber espionage and information operations to achieve these objectives, Mandiant said.

Beijing’s Interest in Information Operations

Collier noted that state threats to elections are far more than just a Russia problem.

“For instance, we have seen pro-China information operations campaigns carry out election-related activity in the US, Taiwan, and Hong Kong,” Collier said.

China's approach to election cybersecurity focuses on intelligence collection and influence operations that promote narratives favorable to the Chinese Communist Party (CCP). State-sponsored actors like TEMP.Hex have targeted elections in Taiwan, using cyberespionage to gather critical information and using information operations to shape public discourse, Mandiant’s analysis found. In the lead-up to Taiwan's 2024 presidential election, Chinese threat actors intensified cyber espionage activities, targeting government, technology, and media organizations. Concurrently, pro-PRC information operations sought to discredit candidates perceived as unfriendly to China, using fabricated leaks and disinformation campaigns to sway public opinion, which even the Taiwanese government confirmed.

Watch-Out for Iran’s Espionage and Influence Campaigns

Iranian state hackers are another group of threat actors to keep an eye on for their cyber espionage and influence campaigns, Mandiant noted.

“[Irans’s] campaigns will rise as elections approach in key nations of interest to the Islamic Republic, such as counterparts in the currently stalled nuclear negotiations, and countries offering support to Israel during current fighting in Gaza,” Mandiant said.

During the 2020 U.S. presidential election, Iran attempted to compromise state voter registration websites and disseminate false information. The U.S. Department of Justice charged two Iranian nationals in 2021 for their involvement in this campaign. Pro-Iranian influence campaigns, including Liberty Front Press and Roaming Mayfly, target global audiences with anti-U.S. and anti-Israeli propaganda, amplifying partisan divisions and fostering distrust in democracies, Mandiant said.

Diverse Targets Multiple Vectors

Securing elections requires protecting not only voting machines and voter registries but also a wide range of entities involved in the electoral process. Political parties, news media, and social media platforms are frequent targets of cyber operations, which also comes under the attack surface of elections. [caption id="attachment_65433" align="aligncenter" width="551"] Credit: Mandiant[/caption] Cyber threat actors are increasingly employing hybrid operations, combining multiple tactics to amplify their impact. Examples from past elections, such as the Ukrainian presidential election in 2014, illustrate how they are using a combination of cyber intrusions, data leaks, and DDoS attacks to disrupt electoral processes. Owing to this Mandiant detailed likely threat vectors that could be used in the upcoming election season: [caption id="attachment_65432" align="aligncenter" width="819"] Credit: Mandiant[/caption] The threats posed by Russian, Chinese, and Iranian state actors to election cybersecurity are complex and multifaceted. By understanding the tactics and objectives of these actors, election organizations can develop effective mitigation strategies to safeguard democratic processes. However, addressing these threats requires a concerted effort involving international cooperation and a commitment to upholding the integrity of democratic elections worldwide. In-line with this, the U.S. agencies recently released guidance to defending the integrity of democratic processes. The guidance extensively details common tactics seen in foreign malign influence operations, offering real-world instances and suggesting possible countermeasures for stakeholders in election infrastructure. Though many of these tactics aren't new, the widespread use of generative artificial intelligence (AI) has notably amplified adversaries' ability to produce and spread persuasive malicious content, the guidance said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

CISA (Cybersecurity & Infrastructure Security Agency) has shared an ICS (Industrial Control Systems) advisory regarding several vulnerabilities present in Honeywell products, including Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC. The advisory outlines multiple vulnerabilities which could lead to remote code execution, privilege escalation, and sensitive information disclosure. The Honeywell product vulnerabilities are described as affecting the chemical, critical manufacturing, energy, water and wastewater systems critical-infrastructure industries worldwide. Honeywell has released updates addressing these vulnerabilities, and CISA advises users to upgrade to the recommended versions to mitigate risks.

CISA-Listed Honeywell Product Vulnerabilities of High Severity

The ICS (Industrial Control Systems) Advisory listed vulnerabilities of varying types of medium to high severity: Exposed Dangerous Method or Function (CWE-749): CVE-2023-5389 (CVSS v4 Base Score: 8.8) could be exploited to allow attackers to modify files on Experion controllers or SMSC S300, potentially leading to unexpected behavior or execution of malicious applications. Absolute Path Traversal (CWE-36): CVE-2023-5390 (CVSS v4 Base Score: 6.9) allows attackers to read files from Experion controllers or SMSC S300, exposing limited information from the device. Stack-based Buffer Overflow (CWE-121): CVE-2023-5407 (CVSS v4 Base Score: 8.3) could enable attackers to induce denial-of-service conditions or perform remote code execution on Experion controllers, ControlEdge PLC, Safety Manager, or SMSC S300 through crafted messages. CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403 (CVSS v4 Base Score: 9.2) could be used for similar attacks on Experion Servers and Stations. Binding to an Unrestricted IP Address (CWE-1327): CVE-2023-5398 (CVSS v4 Base Score: 8.7) in Experion Servers or Stations could attackers attacker to induce a denial-of-service condition using specially crafted messages over the host network. Debug Messages Revealing Unnecessary Information (CWE-1295): CVE-2023-5392 (CVSS v4 Base Score: 8.7) could be exploited to allow for further extraction of information than required from memory over the network. Out-of-bounds Write (CWE-787): CVE-2023-5406 (CVSS v4 Base Score: 8.2) could lead to attacker controlled manipulation of messages from controllers for denial-of-service or remote code execution over host networks. CVE-2023-5405 (CVSS v4 Base Score: 6.9) exploitation of this vulnerability in Experion Servers or Stations could result in information leaks during error generation. Heap-based Buffer Overflow (CWE-122): CVE-2023-5400, CVE-2023-5404 (CVSS v4 Base Score: 9.2) both vulnerabilities present in Experion Servers or Stations, could allow for denial-of-service attacks or remote code execution via crafted messages. Improper Input Validation (CWE-20): CVE-2023-5397 (CVSS v4 Base Score: 9.2) enables denial-of-service or remote code execution via specially crafted messages. Buffer Access with Incorrect Length Value (CWE-805): CVE-2023-5396 (CVSS v4 Base Score: 8.3) enables denial-of-service or remote code execution via specially crafted messages. Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119): CVE-2023-5394 (CVSS v4 Base Score: 8.3) in Experion servers or stations enables denial-of-service or remote code execution via specially crafted messages. Improper Handling of Length Parameter Inconsistency (CWE-130): CVE-2023-5393 (CVSS v4 Base Score: 9.2) in Experion servers or stations allows for denial-of-service or remote code execution via specially crafted messages.

CISA Shares Mitigations for Honeywell Product Vulnerabilities

CISA has advised affected Honeywell customers to immediately upgrade to the fixed versions of the software referenced in the official Security Notice. CISA additionally recommends users to take action to mitigate the risk of exploitation of the Honeywell product vulnerabilities, such as ensuring proper user privilege restrictions, minimizing network exposure or segmenting networks and remote devices behind firewalls to isolate them from enterprise networks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

American private equity firm Thoma Bravo has inked an agreement to acquire British cybersecurity giant Darktrace for $4.6bn. This all-cash transaction between Thoma Bravo and Darktrace, valued at $5.3bn, marks a pivotal moment for both companies and the cybersecurity sector at large. The Darktrace acquisition, though pending shareholder approval, has already received the green light from the boards of both Darktrace and Thoma Bravo, signaling a strong vote of confidence in the deal's potential. Immediately following the announcement, Darktrace's shares surged by over 19%, showcasing investor enthusiasm for the partnership.

Tech Titans Thoma Bravo and Darktrace Seal $4.6 Billion Cybersecurity Deal

Under the terms of the Darktrace acquisition, Darktrace shareholders stand to benefit substantially, receiving $7.75 (620p) for each share they hold. This represents a remarkable 44.3% premium compared to Darktrace's recent stock performance. Darktrace's board has expressed its belief that the company's operational and financial successes have not been adequately reflected in its valuation. Thus, the acquisition offer presents shareholders with an opportunity to realize fair value for their cash investments. Gordon Hurst, Chair of Darktrace, emphasized the attractiveness of the proposed offer, stating that it provides shareholders with certainty and fair value. Additionally, he highlighted the potential benefits of partnering with Thoma Bravo, a financial powerhouse with deep expertise in the software sector.

The proposed acquisition will provide Darktrace access to a strong financial partner in Thoma Bravo, with deep software sector expertise, who can enhance the Company's position as a best-in-class cyber AI business headquartered in the UK", says Gordon Hurst.

Darktrace, known for its cutting-edge artificial intelligence-driven cybersecurity solutions, has experienced a surge in demand for its services, leading to an upgrade in its revenue forecast for the fiscal year 2024.

Accelerating Cybersecurity Preparedness in the UK 

The potential takeover of Darktrace by Thoma Bravo has drawn attention to the state of the UK's tech industry. Analysts suggest that such acquisitions highlights the need for governmental action to retain tech companies within the UK market. If the Thoma Bravo and Darktrace deal is approved by shareholders, the acquisition is slated to be finalized in the third or fourth quarter of 2024. Andrew Almeida, Partner at Thoma Bravo, expressed admiration for the deal between Thoma Bravo and Darktrace, highlighting the cybersecurity technology, and emphasizing the firm's commitment to supporting Darktrace's growth and development as a global leader in the field. "Darktrace is driven by a culture of innovation and we are excited by the opportunity to work alongside Darktrace's team and accelerate its development into a scaled, global leader, further strengthening its capability and offer to customers. Thoma Bravo has been investing exclusively in software for over twenty years and we will bring to bear the full range of our platform, operational expertise and deep experience of cybersecurity in supporting Darktrace's growth", says Almeida. Thoma Bravo's extensive experience in software investment, coupled with its substantial financial resources, positions Darktrace for accelerated expansion and innovation in the cybersecurity domain. With Thoma Bravo's backing, Darktrace aims to reinforce its position as a pioneering cybersecurity firm while contributing to the UK's technological advancement. Thoma Bravo's acquisition of Darktrace represents not only a strategic move for both entities but also a significant development in the cybersecurity sector.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The FBI in a Thursday warning emphasized the financial risks associated with using unregistered cryptocurrency transfer services, especially considering potential law enforcement actions against these platforms. The focus of this public service announcement is on crypto transfer platforms that operate without proper registration as Money Services Businesses (MSB) and fail to comply with anti-money laundering regulations mandated by the U.S. federal law. Such platforms are frequent targets of law enforcement operations, particularly when criminals exploit them for transferring or laundering unlawfully acquired funds, like in the case of ransomware payments. FBI’s PSA, released on its Internet Crime Complaint Center, cautioned Americans that,

Using a service that does not comply with its legal obligations may put you at risk of losing access to funds after law enforcement operations target those businesses.

The FBI said it had recently conducted law enforcement operations against unregistered cryptocurrency transfer services “that purposely break the law or knowingly facilitate illegal transactions.” It added that these services will continue to be investigated by law enforcement.

Steps to Avoid Using Unregistered Cryptocurrency Transfer Services

For individuals considering the use of cryptocurrency transfer services, “a few simple steps can prevent unintentional use of non-compliant services,” the FBI said. The agency advised the following security tips:

• Checking the registration status as an MSB with the U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN).
• Exercising caution with financial services that do not request KYC information (such as name, date of birth, address, and ID) before facilitating money or cryptocurrency transfers.
• Understanding that the presence of an app in an app store does not necessarily signify its legality or compliance with federal requirements.
• Refraining from using services that openly advertise themselves for illegal purposes.
• Exercising vigilance when using cryptocurrency services known to be utilized by criminals for money laundering.

Samourai Wallet’s Unlicensed Money Transmitting Business Busted

The FBI's warning comes in the wake of the recent crackdown on Samourai, an illicit cryptocurrency transfer platform that offered a crypto mixer service facilitating the laundering of funds obtained through criminal activities. The Icelandic law enforcement authorities seized Samourai's domains (samourai[.]io and samouraiwallet[.]com) and web servers. The Google Play Store also removed the Samourai Wallet Android mobile app that was downloaded over 100,000 times, before the seizure was initiated. The U.S. Department of Justice charged Keonne Rodriguez and William Lonergan Hill, the platform's founders and operators, with laundering over $100 million from various criminal enterprises through Samourai's crypto mixing services, accruing approximately $4.5 million in fees. According to the superseding indictment, "Since the start of the Whirlpool service in or about 2019 and of the Ricochet service in or about 2017, over 80,000 BTC (worth over $2 billion applying the BTC-USD conversion rates at the time of each transaction) has passed through these two services operated by Samourai." The DOJ stated, "While offering Samourai as a 'privacy' service, the defendants knew that it was a haven for criminals to engage in large-scale money laundering and sanctions evasion.

“Indeed, as the defendants intended and well knew, a substantial portion of the funds that Samourai processed were criminal proceeds passed through Samourai for purposes of concealment,” the unsealed indictment said.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Volkswagen, the automotive giant, finds itself at the center of a large-scale cyber operation, with suspicions pointing toward hackers operating from China. The Volkswagen cyberattack, which occurred over a decade ago but continues to reverberate today, sheds light on Chinese hackers and their espionage activities.  The stolen data from the multiple-year Volkswagen cyberattack, described as "explosive," includes sensitive information on Volkswagen's internal workings, ranging from development plans for gasoline engines to crucial details about e-mobility initiatives. Investigations led by ZDF frontal and "Der Spiegel" unveiled more than 40 internal documents implicating Chinese hackers in the sophisticated operation.

Multi-year Volkswagen Cyberattack by Chinese Hackers

The timeline of the cyberattacks on Volkswagen, spanning from 2010 to 2015, highlights the meticulous planning and execution by the perpetrators. Reports suggest that the hackers meticulously analyzed Volkswagen's IT infrastructure before breaching its networks, leading to the exfiltration of approximately 19,000 documents.  Among the stolen intellectual property were coveted insights into emerging technologies like electric and hydrogen cars, areas crucial for Volkswagen's competitiveness in the global market. While China is not directly accused, evidence points to its involvement, with IP addresses traced back to Beijing and the timing of the attacks aligning with the Chinese workday.  Moreover, the hacking tools employed, including the notorious "China Chopper," further implicate Chinese origins, though conclusive proof remains elusive.

The Implications of Volkswagen Data Breaches

The implications of these Volkswagen data breaches extend beyond corporate espionage, raising concerns about the integrity of fair competition in the automotive industry. Professor Helena Wisbert of Ostfalia University emphasizes the strategic advantage gained by those privy to competitors' plans, highlighting the significance of stolen data in shaping market dynamics. Volkswagen's acknowledgment of the incident highlights the gravity of the situation, with reassurances of bolstered IT security measures. However, the Federal Office for Information Security (BSI) warns of ongoing threats, stressing the attractiveness of German expertise as a target for espionage. As German companies gear up for the "Auto China" trade fair, the cyberattack on Volkswagen questions the intent of Chinese hackers and their targets in the automobile industry. The Cyber Express will be closely monitoring the situation and we’ll update this post once we have more information on the alleged attacks or any updates from Volkswagen. 

Cyberattacks on the Automotive Industry

As automotive technology advances, vehicles are increasingly vulnerable to cyberattacks, particularly with the rise of electronics, software, and internet connectivity. Experts warn that even electric vehicles (EVs) are at heightened risk due to their intricate electronic systems. Ransomware attacks could target critical functions like steering and braking systems, posing significant safety concerns.  The abundance of software codes in modern vehicles creates ample opportunities for cyber threats, not only affecting the cars themselves but also their entire ecosystem. While cybersecurity defenses are improving, the automotive industry faces challenges in managing software lifecycles and ensuring end-to-end risk management.  Collaboration between industry stakeholders, government, and private players is essential to address these challenges. As the global automotive cybersecurity market grows, the need for robust cybersecurity measures becomes increasingly critical, prompting software solution providers to offer localized and cost-effective solutions. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In response to this growing threat, the Cybersecurity and Infrastructure Security Agency (CISA) has launched the Ransomware Vulnerability Warning Pilot (RVWP). This initiative focuses on proactive risk reduction through direct communication with the federal government, state, local, tribal, territorial (SLTT) government, and critical infrastructure entities. The goal is to prevent threat actors from accessing and deploying ransomware on their networks.

Ransomware, a persistent threat to critical services, businesses, and communities worldwide, continues to evolve, causing costly and disruptive incidents. Recent industry reports estimate that businesses spend an average of $1.85 million to recover from a ransomware attack.

Moreover, a staggering 80% of victims who paid a ransom were targeted again by these criminals. The economic, technical, and reputational impacts of ransomware incidents pose significant challenges for organizations large and small.

CISA's Ransomware Vulnerability Warning Pilot 

Aligned with the Joint Ransomware Task Force, RVWP provides timely notifications to critical infrastructure organizations, allowing them to mitigate vulnerabilities and protect their networks and systems. By leveraging existing services, data sources, technologies, and authorities, CISA aims to reduce the attack surface and impact of ransomware attacks. A key component of Pilot is the Cyber Hygiene Vulnerability Scanning service, which monitors internet-connected devices for known vulnerabilities. This service, available to any organization, has proven highly effective in reducing risk and exposure. Organizations typically see a 40% reduction in risk within the first 12 months, with most experiencing improvements within the first 90 days. By identifying exposed assets and vulnerabilities, Cyber Hygiene Vulnerability Scanning helps organizations manage risks that would otherwise go unnoticed. Specifically for Pliot, this service notifies organizations of vulnerabilities commonly associated with ransomware exploitation.

The Success of RVWP in 2023

In Calendar Year (CY) 2023, RVWP completed 1,754 notifications to entities operating vulnerable internet-connected devices. Following these notifications, CISA conducted regular vulnerability scans to assess mitigation efforts. Of the 1,754 notifications, 49% of vulnerable devices were either patched, implemented compensating controls, or taken offline after CISA's intervention. CISA's regional teams collaborate closely with notified entities to ensure timely mitigation efforts, enhancing the overall effectiveness of the Ransomware Vulnerability Warning Pilot. RVWP enables organizations across critical infrastructure sectors to strengthen their networks against known ransomware vulnerabilities. By reducing the effectiveness of ransomware tools and procedures, Pliot increases operational costs for ransomware gangs and contributes to deterrence by denial.

Taking Action to #StopRansomware

CISA urges organizations to take proactive measures to protect against ransomware. These measures can include:

1. Enroll in CISA Cyber Hygiene Vulnerability Scanning: This no-cost service helps organizations raise their cybersecurity posture and reduce business risk by identifying and mitigating vulnerabilities.
2. Review the #StopRansomware Guide: Utilize the valuable checklist on how to respond to a ransomware incident and protect your organization.
3. Report Ransomware Activity: Always report observed ransomware activity, including indicators of compromise and tactics, techniques, and procedures (TTPs), to CISA and federal law enforcement partners.

By partnering with CISA and implementing these measures, organizations can effectively combat ransomware and safeguard their digital assets and future. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

SpaceX, the aerospace manufacturer and space transport services company founded by Elon Musk, has allegedly met with a cybersecurity incident, involving a data breach with Hunters International, a notorious hacking group that reportedly posted samples of SpaceX data breach. The Space X data breach seems to involve relatively old data from SpaceX, with Hunters International employing name-dropping tactics to exert extortion pressure. Interestingly, these same samples were involved in an earlier data breach that SpaceX faced in early 2023, attributed to the LockBit ransomware group.

Hunters International shared samples and databases supposedly linked to SpaceX, including access to 149.9 GB of data. This database, originally associated with the initial SpaceX data breach linked to LockBit, was traced back to a third-party supplier within SpaceX's supply chain, specifically a manufacturing contractor based in Texas.

Through infiltration of the vendor's systems, LockBit allegedly gained control of 3,000 drawings or schematics verified by SpaceX engineers.

SpaceX Data Breach Resurfaces on the Dark Web

[caption id="attachment_65258" align="alignnone" width="1170"] Source: X[/caption] Interestingly, the threat actor sheds light on the SpaceX data breach's infiltration including an undisclosed GoPro development environment. Adding another layer to the intrigue, recent events in April 2024 reveal the Cactus ransomware group's purported targeting of Aero Dynamic Machining, Inc., a US-based aerospace equipment manufacturer.  The group alleges to have extracted a staggering 1.1 TB of data, encompassing confidential, employee, and customer information from industry giants like Boeing, SpaceX, and Airbus. Subsequently, the group leaked 5.8 MB of compressed data, containing agreements, passports, shipping orders, and engineering drawings, further intensifying the gravity of the situation. The Cyber Express has reached out to SpaceX to learn more about the data breach claims made by the Hunters International group. However, at the time of writing this, no official statement or response has been received, leaving the claims for the SpaceX data breach stand unverified.  Moreover, the website for SpaceX seems to be operational at the moment and doesn’t show any immediate sign of the attack or data breach suggesting a likelihood that the data shared by Hunters International may indeed stem from the breach of 2023.

How LockBit Ransomware Group Breached SpaceX?

In March 2023, the LockBit Ransomware group infiltrated a third-party manufacturing contractor in Texas, part of SpaceX's supply chain, seizing 3,000 certified drawings and schematics created by SpaceX engineers.  LockBit directly addressed SpaceX CEO Elon Musk, demanding ransom payment within a week under the threat of selling the stolen blueprints. The gang's audacious move aimed to profit from the sensitive data, regardless of the vendor's response. Despite concerns over compromised national security and the potential for identity theft, SpaceX has not confirmed the breach, leaving the claims unresolved.  This breach, along with the reappearance of leaked data from previous incidents, highlights the persistent threat of cyberattacks on critical infrastructure. It sheds light on the urgent need for robust cybersecurity measures to safeguard against such breaches, as the ramifications extend beyond financial loss to encompass broader security implications.  The reappearance of data from last year's SpaceX data breach is raising significant concerns. This recurrence poses a serious threat to the personal and financial security of millions, potentially exposing them to the risks of identity theft and fraud. Notably, despite the breach being initially reported last year and now resurfacing, SpaceX has yet to confirm the incident, leaving the claims unverified. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The infamous Everest ransomware group has struck again, this time targeting Les Miroirs St-Antoine Inc., a longstanding company based in the St-Jérôme region. As of now, the extent of the data breach, the level of data compromise, and the motive behind the cyberattack on Les Miroirs St-Antoine remain undisclosed by the ransomware group.

Founded in 1956, Les Miroirs St-Antoine is a family-owned business specializing in the design, manufacturing, installation, and repair of glazing and aluminum products for commercial, industrial, and institutional sectors. However, the company is now facing allegedly the daunting challenge of navigating the aftermath of this Les Miroirs St-Antoine cyberattack.

Cyberattack on Les Miroirs St-Antoine Remains Unverified

The Everest ransomware group has issued a chilling ultimatum, stating that Les Miroirs St-Antoine Inc. has 24 hours to contact them using the provided instructions. Failure to comply will result in the publication of all stolen data. "Company has the last 24 hours to contact us using the instructions left. In case of silence, all data will be published here," reads the post by Everest ransomware group. This tactic, known as double extortion, is characteristic of the group's modus operandi. [caption id="attachment_65194" align="aligncenter" width="1024"] Source: X[/caption] To investigate further, The Cyber Express Team (TCE) attempted to access Les Miroirs St-Antoine's official website and found it fully functional, indicating no immediate visible signs of compromise. However, this does not discount the possibility of covert access to sensitive company data. TCE has reached out to company officials for clarification but has yet to receive an official response. The Everest ransomware group has been a prominent threat in the cybersecurity landscape since December 2020. Operating primarily in Russian-speaking circles, the group targets organizations across various industries and regions, with high-profile victims including NASA and the Brazilian Government.

The Persistent Threat of Everest Ransomware

Known for its sophisticated data exfiltration techniques, Everest ransomware often demands a ransom in exchange for not only decrypting the victim's files but also for refraining from releasing stolen information to the public. This approach maximizes pressure on victims to pay up, as the consequences of data exposure can be severe. Experts have linked Everest ransomware to other notorious cyber threats, such as the Everbe 2.0 and BlackByte families. The group employs a range of tactics, including leveraging compromised user accounts and exploiting Remote Desktop Protocol (RDP) for lateral movement within targeted networks. The Everest ransomware's reach extends beyond private corporations, as they have also targeted government offices in various countries, including Argentina, Peru, and Brazil. This demonstrates the group's audaciousness and their willingness to target entities regardless of their size or prominence. The cyberattack on Les Miroirs St-Antoine Inc. highlights the urgent need for organizations to enhance their cybersecurity defenses. This includes implementing strong security measures, conducting regular vulnerability assessments, and providing comprehensive employee training to mitigate the risk of human error. Furthermore, proactive monitoring and threat intelligence sharing among organizations can help identify and respond to potential cyber threats more effectively. Collaboration between the public and private sectors is essential in combating cybercriminals like the Everest ransomware group. In conclusion, the ransomware attack on Les Miroirs St-Antoine Inc. serves as a reminder of the ever-present threat posed by cybercriminals. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

TRUE Solicitors LLP, a prominent law firm based in the UK specializing in personal injury claims and employment law, has fallen victim to an alleged cyberattack by the notorious BlackBasta ransomware group. The ransomware group announced the cyberattack on TRUE Solicitors but provided no further details regarding the extent of the breach or the compromised data.

TRUE Solicitors LLP is renowned for its dedicated team of solicitors who provide high-quality legal representation to clients seeking compensation for personal injuries and assistance with various legal matters.

Cyberattack on TRUE Solicitors: Unverified

To verify the claim made by the BlackBasta ransomware group, The Cyber Express Team attempted to access the official website of TRUE Solicitors LLP. However, the website was found to be fully operational, casting uncertainty on the authenticity of the ransomware group's announcement. Until an official statement is released by the firm, the truth behind the TRUE Solicitors cyberattack claim remains elusive. This is not the first time the BlackBasta ransomware group has made headlines. In 2024, the group targeted Leonard’s Syrups, a cherished family-owned beverage company in Michigan. The cyberattack on Leonard’s Syrups, announced on a dark web forum, left many questions unanswered, with crucial details about the breach, compromised data, and motives withheld by the cybercriminals. In another incident, the BlackBasta ransomware group claimed two new victims: Southern Water and Asahi Glass Co. While details about the extent of the attacks, compromised data, and motives remain undisclosed, the urgency of the situation is highlighted by the ransomware group's ominous deadline for data exposure.

Implications of TRUE Solicitors Cyberattack

If the claim made by the BlackBasta ransomware group regarding the cyberattack is proven true, the implications could be significant. The compromise of sensitive legal information and client data could have far-reaching consequences, not only for the firm but also for its clients and partners. As investigations into the cyberattack on TRUE Solicitors LLP continue, stakeholders await an official statement from the firm regarding the breach and its impact. Until then, the industry remains on high alert, bracing for potential fallout from yet another audacious move by the BlackBasta ransomware group. Only time will tell whether the claim is true or if it is another attempt by cybercriminals to sow fear and uncertainty. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Networking giant Cisco warned that a group of state-sponsored hackers exploited zero-days in its firewall appliances to spy on government networks over the last several months. Cisco in a Wednesday warning said that two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls were exploited by a state-backed hacking group since November 2023 to infiltrate government networks globally. Identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, the hackers initiated their cyber-espionage campaign, dubbed “ArcaneDoor,” through targeting of vulnerable edge devices in early November 2023.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” Cisco Talos said.

Discovery and Details of the Two Cisco Zero-Days

Despite the absence of an identified initial attack vector, Cisco detected and rectified two security flaws - CVE-2024-20353, a denial-of-service bug and CVE-2024-20359, a persistent local code execution bug - which the threat actors used as zero-days. Cisco became aware of the ArcaneDoor campaign earlier this year but said the attackers had been testing and developing exploits for the two zero-days since at least July 2023. “The investigation that followed identified additional victims, all of which involved government networks globally,” Cisco Talos added. [caption id="attachment_64982" align="aligncenter" width="997"] Cisco Zero-Days Exploitation Timeline. Credit: Cisco Talos[/caption] The exploited vulnerabilities facilitated the deployment of previously unknown malware, allowing threat actors to establish persistence on compromised ASA and FTD devices. One such malware implant dubbed “Line Dancer,” acted as an in-memory shellcode loader, enabling the execution of arbitrary shellcode payloads to disable logging, provide remote access, and exfiltrate captured packets. The second implant, a persistent backdoor known as “Line Runner,” included various defense evasion mechanisms to evade detection and enable the execution of arbitrary Lua code on compromised systems. Perimeter network devices like the ASA and FTD firewall appliances “are the perfect intrusion point for espionage-focused campaigns,” Cisco said. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.” The networking and security giant said it had observed a “dramatic and sustained” increase in the targeting of these devices in the past two years, especially those deployed in the telecommunications and energy sectors as “critical infrastructure entities are likely strategic targets of interest for many foreign governments,” Cisco explained.

What Cybersecurity Agencies Said

A joint advisory published today by the UK's National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (Cyber Centre), and the Australian Cyber Security Centre outlined additional activity undertaken by the threat actors: - They generated text versions of the device’s configuration file for exfiltration through web requests. - They controlled the enabling and disabling of the devices syslog service to obfuscate additional commands. - They modified the authentication, authorization, and accounting (AAA) configuration to provide access to specific actor-controlled devices within the impacted environment. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the zero-day bugs to its Known Exploited Vulnerabilities Catalog and encouraged users to apply the necessary updates, hunt for malicious activity, and report any positive findings to the agency. Cisco released security updates on Wednesday to address the two zero-days and recommended all customers to upgrade their devices to the fixed software version to mitigate potential attacks. Cisco asked administrators to monitor system logs for signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity. The company also provided instructions on verifying the integrity of ASA or FTD devices in the advisory.

Espionage Actors Increasingly Using Edge Device Zero-Days

Although no attribution was made for the ArcaneDoor campaign a recent trends report from Google security firm Mandiant fingered Chinese hackers for increasingly targeting edge devices like VPN appliances, firewalls, routers, and IoT tools in espionage attacks. Mandiant observed a more than 50% growth in zero-day usage compared to 2022, both by espionage groups as well as financially motivated hackers.

“China-nexus attackers have gained access to edge devices via exploitation of vulnerabilities, particularly zero-days, and subsequently deployed custom malware ecosystems,“ Mandiant said.

The security firm added that it is likely to see continued deployment of custom malware ecosystems from Chinese espionage groups that are tailored for the device and operation at hand. “This approach provides several advantages such as the increased ability to remain undetected, reduced complexity and increased reliability, and a reduced malware footprint.“ Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In late 2023, concerns surfaced regarding a potential data breach at Bharat Sanchar Nigam Limited (BSNL), a major telecommunications provider owned by the Indian government. However, BSNL did not confirm these reports at the time. Recently, the issue has resurfaced after data purportedly from the unconfirmed BSNL data breach has again appeared on the dark web. On April 24, 2024, a known threat actor named 'Perell', who was previously linked to the alleged 2023 BSNL data breach, released a database that reportedly belongs to BSNL. This database contains more than 2.9 million records and was originally part of an extortion scheme. In December last year, Perell claimed to have obtained sensitive BSNL data and threatened to use it against the company on the now-defunct BreachForums. Despite the time elapsed, the threat to user privacy remains significant as Perell has made the supposedly stolen data publicly available, intensifying worries about the security of information and the potential implications for BSNL’s customers.

The 2024 BSNL Data Breach Claims Surfaces on BreachForums

[caption id="attachment_64986" align="alignnone" width="1747"] Source: Dark Web[/caption] The leaked data, according to Perell's post on the forum, includes sensitive information from BSNL, a major player in India's telecommunications sector. While the exact reason for the resurfacing of data from 2023 is unknown, Perell shared a link on BreachForums for the stolen data, stating that the "following list of databases would be exfiltrated.” Discussions on BreachForums suggest that the recently leaked data, claimed to be from BSNL in 2024, actually dates back to 2023. Despite its age, the data remains a significant concern due to its large volume and sensitive nature. The decision to leak the same data again in 2024 is puzzling and raises questions about the motives behind this move. [caption id="attachment_65015" align="alignnone" width="1701"] The earlier post shared by the threat actor in December 2023.[/caption] The seriousness of the situation is highlighted by the fact that the compromised data from 2023 was posted on the same forum without any clear evidence of communication between the hacker and Bharat Sanchar Nigam Limited (BSNL), and it's uncertain whether a ransom was demanded or paid. Like the current incident, the original post focused solely on revealing the data of 2.9 million users, indicating a deliberate effort to exploit and profit from the breach. The Cyber Express has reached out to the Indian telecommunication giant to learn more about the authenticity of the data being shared by the threat actor. However, at the time of writing this, no official statement or response has been shared, leaving the claims made by the threat actor stand unverified. 

The Far-reaching Consequences of the BSNL Database Leak

Following initial reports of the BSNL data leak in December last year, experts expressed concerns about the implications of the incident. Saket Modi, CEO of the cyber risk management startup Safe Security, commented to the Economic Times that the nature of the hack suggested it was likely carried out by an individual rather than an organization. Modi pointed out that the claim of approximately 2.9 million records being compromised suggested that the breach might involve a single website. Additionally, Kanishk Gaur, founder of India Future Foundation, spoke to the Indian media about the wider consequences of the breach, emphasizing its significant impact on both BSNL and its customers. The reappearance of data from last year's BSNL data breach raises serious concerns. This leak threatens the personal and financial security of millions, potentially leading to identity theft and fraud. Notably, despite the breach first surfacing last year and reemerging now, BSNL has yet to confirm the incident, leaving the claims unverified. The Cyber Express has contacted BSNL for comment and is currently awaiting their response. Updates to this story will be provided as more information becomes available. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cyble Research & Intelligence Labs (CRIL) recently discovered evidence suggesting that the threat actors behind the DragonForce ransomware group might have leveraged a leaked LockBit 3.0 (Black) builder to craft their own ransomware builder. Detailed analysis revealed striking similarities between the binaries generated by the leaked LockBit 3.0 builder and DragonForce's own ransomware builder.  The findings come as part of a larger trend where newer threat actor groups are observed relying on previously-existing malware to form their own operational tools to deploy in campaigns.

DragonForce Ransomware Binary Likely Based on LockBit 3.0 Build

[caption id="attachment_64928" align="alignnone" width="660"] Source: Cyble[/caption] The DragonForce ransomware group began its operations on November 2023, employing double extortion tactics to target victims. The group is potentially linked to the Malaysian hacktivist group 'DragonForce' known for conducting campaigns against various government agencies and organizations present in the Middle East and Asia during 2021 and 2022.  While the group is known to have announced its intention to launch ransomware operations in 2022, proper attribution remains difficult due to limited information. CRIL Researchers recently came across a DragonForce ransomware binary based on a LockBit Black (third-known LockBit variant) binary. The LockBit ransomware builder was known to have been shared on X (Twitter) on September 2022. Ransomware builders allow ransomware operators specific options and customizability while generating ransomware payloads. The builder included a “config.json” file to customize payloads for functionalities such as encryption, filename encryption, impersonation, file/folder exclusion, exclusion based on languages spoken in CIS (Commonwealth of Independent States) countries, and ransom note templates. [caption id="attachment_64931" align="alignnone" width="938"] Source: Cyble[/caption] Comparison between a LockBit builder-generated ransomware binary to that of a DragonForce builder generated ransomware binary revealed several similarities in code structure, functions and process termination. These similarities suggest a strong likelihood that the DragonForce ransomware binary was developed based on the utilisation of the leaked LockBit binary file.

DragonForce Ransomware Operations

[caption id="attachment_64935" align="alignnone" width="936"] Source: Cyble[/caption] Earlier this year in February 2024, DragonForce listed two American companies, 'Westward360' and 'Compression Leasing Services' as victims on its leak site. Earlier in December 2023, the group claimed responsibility for an attack where over 600 GB of data was stolen from the Ohio Lottery. The stolen data consisted of both player and employee records with sensitive information such as names, addresses, winnings, dates of birth, and social security numbers. The Ohio Lottery confirmed the cyber-incident and stated that it involved significant data theft. In the same month, Yakult Australia fell victim to the DragonForce ransomware gang's operations impacting its Australia and New Zealand divisions with over 95GB of data being stolen in the attack. The Yakult Australia data breach is believed to contain business documents, spreadsheets, credit applications, employee records, and copies of identity documents, including passports. The company later acknowledged the incident and disclosed details relating to the incident to relevant authorities such as the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre. It is notable that in both attacks, the impacted systems continued to operate normally suggesting the group employs stealthy techniques. The discovery of DragonForce's use of a leaked LockBit builder underscores the general conduct of newer ransomware groups employing existing ransomware tools and the interconnected nature of cybercriminal operations. Last year in July 2023, researchers from VMware discovered similarities between the 8Base Ransomware and earlier ransomware groups such as RansomHouse and Phobos. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.