This week on TCE Cyberwatch, we report on significant breaches affecting both prominent companies and universities, with thousands of individuals impacted. In addition, TCE Cyberwatch explores the evolving landscape of cybersecurity legality, highlighting Australia's ongoing court case against X. TCE Cyberwatch also delves into advancements in corporate cybersecurity, such as Apple’s upcoming announcement of their very own password management app. Keep reading to find out more!

Akira Ransomware Group Targets Panasonic Australia

The Akira ransomware group has reportedly compromised Panasonic Australia's data, claiming to have exfiltrated sensitive project information and business agreements. The authenticity and full impact of this breach are still unverified. In response, Singapore's Cyber Security Agency (CSA) and Personal Data Protection Commission (PDPC) have advised organizations to report such attacks rather than paying ransoms. This recommendation follows confirmation by law firm Shook Lin & Bok that they paid Akira $1.4 million in Bitcoin. The CSA has warned that paying ransoms does not guarantee data recovery and could potentially encourage further attacks. They recommend implementing robust security measures, including strong password policies, multi-factor authentication, reputable antivirus software, regular vulnerability scans, network segregation, routine backups, incident response exercises, and minimizing data collection. Additionally, the FBI and CISA had previously included Akira in their #StopRansomware campaign, emphasizing the importance of these preventive measures. Read More

Xbox One Kernel Exploit Discovered: Tinkering with Game Script App

An individual known as carrot_c4k3 has discovered a kernel-level exploit for Xbox One consoles using an app called ‘Game Script’ from the Microsoft Store. This exploit is not a jailbreak but allows users to gain control over virtual machine (vm) homebrews without enabling pirated software. The method involves two components: initial code execution in UWP applications and a kernel exploit granting full read/write permissions. A proof of concept has been shared on GitHub, currently limited to UWP apps. The exploit bypasses developer mode fees and modifies game save data but does not alter actual games. It may also allow running simple emulators. However, Microsoft could potentially detect this exploit, so using an offline console is recommended. It is also possible that the exploit has already been patched in the latest firmware update, version 10.0.25398.4478. Read More

Over 8,000 at VIT Bhopal University Potentially Exposed in Data Breach

VIT Bhopal University in India has reportedly experienced a major data breach, impacting more than 8,000 students and faculty members. The breach, first revealed on June 10, 2024, on BreachForums, involves the alleged leak of sensitive information, including unique identification numbers, usernames, full names, email addresses, passwords, and user activation keys. This compromised data could potentially allow unauthorized access to personal and university accounts, raising significant concerns about phishing attacks and other malicious activities. VIT Bhopal, established in 2017 and ranked 65th in India by the National Institutional Ranking Framework, offers programs in engineering, technology, management, and architecture. As of now, the university has not commented on the breach or disclosed the full extent of the compromised data. Read More

Energy Giant Potentially Breached: Hacker Selling Alleged SGCC Data

A hacker named Desec0x claims to have breached the State Grid Corporation of China (SGCC) and is selling the stolen data on BreachForums for $1,000. The data reportedly includes user account information, employee details, and department roles in SQL and XLSX formats. SGCC, the world's largest utility company, serves over 1.1 billion people in China and owns assets in several countries. If confirmed, this breach could have serious implications for SGCC and its stakeholders. Cyberattacks on the energy sector are increasing, with notable incidents in 2023 and 2024 targeting companies like Consol Energy and Petro-Canada. SGCC has not yet confirmed the breach, and its website appears to be unaffected. Read More

Deepfakes Target Australian Politicians in Investment Scams

Australian politicians, including Finance Minister Katy Gallagher and Foreign Minister Penny Wong, have been targeted in AI-generated deepfake investment scam videos. The scam also used images of Nationals senator Bridget McKenzie and former Prime Minister Scott Morrison, among others. These videos, promoted via Facebook ads, falsely depict the politicians endorsing fraudulent investment schemes. Federal Minister Stephen Jones warned that AI could amplify fraud and proposed reforms to make social media companies more accountable. Gallagher stressed that neither she nor other politicians would promote products online, urging people to report such scams. The government is considering measures like mandatory AI image watermarking to combat misuse. Read More

Get Ready to Switch? Apple Unveils Passwords Manager at WWDC

At Apple's Worldwide Developer Conference next week, the company is expected to unveil its own standalone password manager, named Passwords, which will rival apps like 1Password and LastPass. According to Bloomberg News, Passwords will offer features surpassing those of iCloud and Mac Keychain, enabling users to save Wi-Fi passwords, store passkeys, and categorize login credentials. The app is also anticipated to be compatible with Windows machines, though its availability for Android users remains uncertain. Read More

Monti Ransomware Targets West After Conti's Demise

The Monti ransomware group, which bears similarities to the defunct Conti ransomware, has recently changed ownership and shifted its focus towards Western targets. The new owners are revamping its infrastructure for future operations. Recent attacks in the South of France disrupted the Pau-Pyrénées airport, the Pau business school, and a digital campus, compromising sensitive data and raising significant cybersecurity concerns. Monti exploits vulnerabilities like Log4Shell to infiltrate networks, encrypt desktops, and disrupt servers. Analysts believe the group leverages Conti’s leaked data for its operations. The cybersecurity community emphasizes the need for strengthened defenses and collaboration to combat such evolving threats. The Monti group’s activities highlight the critical need for robust cybersecurity measures to protect essential infrastructures.Read More

TCE Cyberwatch: Wrap Up

. Recent events have shown that even large, well-protected companies can fall victim to cyberattacks. Therefore, it's always wise to stay proactive and ensure your defenses are up-to-date. Stay safe, stay informed, and take steps to safeguard your digital security.

A new wave of cyberattacks targeting Android users in the Middle East has surfaced, with a focus on both Palestine and Egypt. Dubbed AridSpy, this multistage Android malware is allegedly orchestrated by the notorious Arid Viper APT group, a name synonymous with cyber espionage in the region. The malicious software, discovered being distributed through five dedicated websites, is ingeniously disguised within seemingly legitimate applications, marking a dangerous evolution in cyber threats. The modus operandi of these campaigns, initiated as early as 2022 and persisting to this day, revolves around the deployment of trojanized apps designed to infiltrate unsuspecting users' devices. These applications, ranging from messaging platforms to job opportunity portals, harbor the insidious AridSpy spyware within their code, allowing the attackers to remotely control the infected devices and extract sensitive information with alarming efficiency.

Arid Viper APT group Leveraging AridSpy to Target Victims

A key element of AridSpy's strategy lies in its ability to camouflage itself within genuine apps, thus bypassing traditional security measures. By leveraging existing applications and injecting them with malicious code, the perpetrators exploit the trust users place in familiar software, amplifying the reach and impact of their cyber offensive. ESET's investigation into these activities uncovered various instances of AridSpy infiltration, with the majority of cases centered around the distribution of the malicious Palestinian Civil Registry app. This tactic, coupled with the impersonation of reputable messaging platforms like StealthChat and Voxer Walkie Talkie Messenger, underscores the group's sophisticated approach to cyber warfare. Lukáš Štefanko, a researcher at ESET, sheds light on the mechanics of AridSpy's infiltration, detailing how unsuspecting users are lured into installing the tainted applications. “In order to gain initial access to the device, the threat actors try to convince their potential victim to install a fake, but functional, app. Once the target clicks the site’s download button, myScript.js, hosted on the same server, is executed to generate the correct download path for the malicious file,” explains Štefanko. Through deceptive download buttons and carefully crafted scripts, the attackers exploit vulnerabilities in users' trust and familiarity with popular apps, paving the way for the silent installation of AridSpy on their devices.

Reverse-Engineering Apps 

Moreover, Arid Viper's ingenuity extends beyond mere app impersonation, as evidenced by their manipulation of legitimate app servers to facilitate data exfiltration. By reverse-engineering existing apps and utilizing their infrastructure, the group orchestrates a seamless data extraction process, further complicating detection and mitigation efforts. AridSpy's capabilities are not limited to data espionage alone; the spyware boasts a sophisticated feature set aimed at evading detection and maximizing information extraction. Through a combination of network evasion tactics and event-triggered data exfiltration mechanisms, AridSpy operates stealthily, siphoning off a plethora of sensitive data including call logs, text messages, media files, and even location information. As the online threats continue to target victims globally, users and organizations alike must remain vigilant against hackers groups and ransomware gangs. By staying informed and adopting robust security measures, individuals can mitigate the risks posed by malicious actors such as the Arid Viper group, safeguarding their digital assets and personal information from exploitation.

In today's cybersecurity world, the call for innovation and resilience has never been more urgent. Yet, amidst the pursuit of cutting-edge technologies and strategies, a critical aspect often overlooked is the power of neurodiversity. As organizations strive to cultivate inclusive environments and provide equal opportunities for neurodivergent individuals, questions abound on how this diverse talent pool can contribute to cybersecurity. This article aims to explore these questions comprehensively, shedding light on why embracing neurodiversity isn't just a moral imperative but a strategic advantage in safeguarding digital assets. By delving into the significance of neurodivergent individuals in the cybersecurity field readers will gain valuable insights into the importance of fostering inclusivity and understanding neurodiversity's role in shaping the future of cybersecurity.

What is Neurodiversity in Cybersecurity?

Neurodiversity in cybersecurity refers to the recognition and inclusion of individuals with diverse cognitive profiles, including conditions such as autism, ADHD, dyslexia, and others, within cybersecurity teams. These individuals bring unique perspectives, skills, and talents to the table, enhancing the overall effectiveness of cybersecurity operations. “Seeking out neurodiverse teammates in hiring and recognizing and building around their strengths can be a vital asset to anticipating an adversary’s moves and uncovering potential solutions to problems before they arise,” said Gunnar Peterson, CISO at Forter. Neurodiverse individuals often exhibit exceptional logical and methodical thinking, attention to detail, and cognitive pattern recognition skills. For example, they can hyperfocus on tasks, giving complete attention to specific issues for prolonged periods, which is invaluable in identifying and mitigating security threats. Their ability to engage deeply in their work ensures that even the smallest anomalies are detected and addressed swiftly. Moreover, many neurodiverse individuals thrive on repetitive tasks and routines, finding comfort and even excitement in long, monotonous processes. This makes them well-suited for roles that involve continuous monitoring and analysis of security data. Their high levels of concentration and persistence allow them to stay on task until solutions are found, ensuring thorough and effective problem-solving. Creativity is another significant benefit that neurodiverse individuals bring to cybersecurity. Their unique, nonlinear thinking enables them to approach problems from different angles and develop innovative solutions. This creativity is crucial for devising new methods to counteract evolving cyber threats. For instance, a neurodivergent team member might come up with an unconventional but highly effective way to secure a network that others might overlook. Furthermore, neurodiverse individuals often possess strong reasoning skills and keen awareness, contributing valuable insights into cybersecurity strategies. Their ability to think outside the box allows them to anticipate potential issues that others might miss, enhancing the overall security posture of an organization. In terms of teamwork, neurodiverse individuals respond well to inclusive environments. A diverse team, comprising various cognitive profiles, tends to react better to challenges and fosters a more innovative and productive atmosphere. When neurodivergent individuals are included and valued, team morale improves, leading to higher overall performance and productivity.

Challenges Faced by Neurodiverse Individuals in Cybersecurity

Neurodiverse individuals face several challenges in the workplace that can impact their ability to thrive, despite their unique strengths. For example, sensory sensitivities common in conditions like autism can make traditional office environments overwhelming due to bright lights, loud noises, or crowded spaces. This can lead to increased stress and decreased productivity. Communication barriers are another significant challenge, as some neurodivergent individuals may struggle with social cues and norms, making it difficult for them to participate effectively in team meetings or collaborative projects. For instance, someone with ADHD might find it challenging to maintain focus during long meetings, potentially missing critical information. Additionally, rigid workplace structures and a lack of flexibility can hinder neurodiverse employees, who may require different accommodations, such as varied working hours or remote work options, to perform optimally. These challenges highlight the need for inclusive workplace practices that recognize and support the diverse needs of neurodiverse individuals, enabling them to contribute their valuable skills more effectively.

How to Create Neurodiverse-Friendly Work Environments

Creating a neurodiverse-friendly work environment involves considering several key factors to support and accommodate the unique needs of neurodivergent individuals. Here are the steps to create such an environment: Sensory: Addressing the sensory environment is crucial. This means ensuring that the workplace is comfortable regarding lighting, noise, and overall ambiance. For example, providing noise-canceling headphones, adjustable lighting, or quiet workspaces can help neurodivergent employees focus better and reduce sensory overload. Timely: A timely environment means allowing sufficient time for tasks and avoiding unrealistic deadlines. Clearly communicating timeframes and allowing flexibility can reduce stress. For instance, giving employees enough time to complete tasks without last-minute rushes can improve their productivity and job satisfaction. Explicit: Communication should be clear and explicit. This involves providing detailed instructions and avoiding ambiguous language. For example, instead of saying, "Get this done soon," specify, "Please complete this task by 3 PM tomorrow." This clarity helps neurodivergent individuals understand expectations and reduces anxiety. Predictable: Creating a predictable environment can help reduce anxiety and improve focus. This includes having regular schedules and clear procedures. For instance, if meetings are scheduled at consistent times and agendas are shared in advance, neurodivergent employees can prepare better and feel more secure. Social: Fostering a supportive social environment means recognizing that not everyone may be comfortable with the same level of social interaction. Offering structured social activities and respecting individual preferences can create a more inclusive workplace. For example, providing clear invitations to social events with detailed information about what to expect can help neurodivergent employees feel more comfortable. Additionally, implementing a "traffic-light" system with colored cards or post-it notes (green for willing to interact, yellow for maybe, and red for needing to focus) can help manage social interactions effectively and respect individual boundaries. By incorporating these STEPS, organizations can create an inclusive and supportive work environment that leverages the unique strengths of neurodivergent employees, ultimately enhancing overall productivity and innovation. Training Programs: Providing specialized training and development programs can help neurodivergent individuals thrive in cybersecurity roles. This includes offering tailored training sessions that address their unique learning styles and strengths. For example, using visual aids and hands-on activities can enhance understanding and retention. Mentorship programs where experienced employees guide neurodivergent staff can also be beneficial, offering personalized support and career development advice. Moreover, continuous learning opportunities, such as workshops on the latest cybersecurity trends and technologies, can keep neurodivergent employees engaged and up-to-date with industry advancements.

Read Ahead

“Once we start to remove what those barriers are, the way that we do things, our culture of understanding and our bias of conditions, then we can start to be more inclusive and welcome a more diverse workforce,” said Foxcroft. By harnessing the unique strengths of neurodivergent individuals, organizations can unlock a wellspring of creativity, focus, and unconventional problem-solving. It's a future where cybersecurity teams aren't just well-equipped, but exceptionally prepared – a future where "thinking differently" becomes the key to defending against the unthinkable. So, what steps will you take to create a more inclusive cybersecurity workforce? The answers may well determine the future security of our digital world.

Imagine a team of brilliant detectives, each with their own quirks and talents. One might be a meticulous observer, another a whiz at puzzles, and the third a master of creative leaps. This diverse team is unstoppable, able to crack any case because their strengths complement each other. That's the power of neurodiversity in cybersecurity! People with autism, ADHD, dyslexia, and other conditions bring fresh and valuable perspectives to the fight against cybercrime, enhancing the ability to address complex challenges in innovative ways. They excel at spotting patterns, focusing intensely, and thinking outside the box - exactly what defenders need to outsmart hackers. Neurodiversity in cybersecurity is a concept that has gained significant traction over the past decade. The term "neurodiversity" originated in the late 1990s and has since evolved to encompass a range of conditions, not as limitations, but as strengths. Within the industry, this movement gained momentum around the mid-2010s. It stemmed from a critical need for diverse problem-solving skills and innovative thinking. Cybersecurity challenges are complex puzzles, requiring a variety of approaches to detect, analyze, and mitigate threats. By embracing neurodiversity, the industry doesn't just improve its capabilities, it sets a standard for inclusivity. It taps into a pool of untapped talent that perceives and interacts with the world in ways that benefit everyone. To celebrate this diversity, The Cyber Express hosted the "Inclusive Cyber" webinar. The event brought together experts to discuss how neurodiversity, with its wide range of cognitive styles and personalities, significantly enhances the field of cybersecurity. It's a space where innovation and diverse perspectives are not just beneficial, but essential.

Speakers' Insights on Neurodiversity in Cybersecurity

The webinar featured renowned cybersecurity champion Holly Foxcraft, recognized as one of the most influential women in the field. Alongside her was security wiz and advocate Jennifer Cox, Director for Ireland at Women in Cyber Security (WiCyS) UK & Ireland and a Security Engineering Manager at Tenable. The session was moderated by Jo Mikleus, Senior Vice President at Cyble, who skillfully facilitated the discussion, highlighting the critical role of inclusive practices in cybersecurity. Both speakers shared their personal and professional experiences with neurodiversity, providing valuable insights into the integration of neurodivergent professionals in the tech industry. Holly Foxcraft initiated the discussion by defining neurodiversity and its societal implications. She highlighted how societal norms often fail to accommodate the diverse ways individuals process information, which can lead to misunderstandings and underutilization of potential. Foxcraft explained, "Neurodiversity means that just like physical traits, our cognitive differences are natural. Society, however, has established certain expectations about how individuals should behave and process information. Deviations from these norms are termed as neurodivergence, encompassing recognized conditions such as autism and ADHD, and broader, undefined behaviors that diverge from what is considered typical." Following Holly’s introduction, Jennifer Cox discussed the common misconceptions about neurodivergent individuals, especially those with ADHD. She expressed, "There’s a prevalent myth that individuals with ADHD have boundless energy, which is far from reality. Managing everyday conversations can be as draining for us as physical exertion, leading to rapid burnout." Cox also shared her personal journey with ADHD, diagnosed in her forties, underscoring the challenges and late realizations many neurodivergent individuals face.

Challenges Faced by Neurodivergent Professionals

Jennifer Cox further addressed the managerial misconceptions surrounding the support needs of neurodivergent employees. She clarified that contrary to popular belief, neurodivergent individuals do not necessarily require extensive managerial time. Instead, they benefit significantly from targeted adjustments and understanding. "Simple changes like providing information in bullet points or understanding that lack of eye contact might indicate deeper concentration can make a substantial difference. These minor adaptations can greatly enhance workplace inclusivity and productivity," Cox explained. Both speakers emphasized the importance of tailored management strategies to effectively support neurodivergent employees. Implementing clear communication, recognizing the need for sensory accommodations, and allowing flexible work arrangements were discussed as key strategies that can enhance productivity and workplace satisfaction for all employees.

The Way Forward with Neurodiversity

The "Inclusive Cyber" webinar concluded by highlighting the indispensable link between neurodiversity and cybersecurity. By embracing neurodivergent capabilities, the cybersecurity industry not only enriches its pool of problem-solving strategies but also fosters a more inclusive and dynamic workforce capable of tackling complex security challenges. As the cybersecurity field continues to evolve, the insights shared by Jennifer Cox and Holly Foxcraft provide invaluable guidance for building diverse teams ready to face future challenges. The thoughtful integration of neurodivergent professionals into cybersecurity roles not only enhances the effectiveness of security measures but also contributes to a more inclusive and innovative workplace culture. This approach not only prepares organizations to better tackle emerging threats but also sets a precedent for the broader tech industry to follow.

Whenever people ask the best way to protect their accounts and devices, the answer is always to use a strong password. But how exactly does one do that? What constitutes a good password? In this article, we explain six ways to create a strong password that makes hackers give up trying to guess your details and steal your information. Keep reading to find out what your password should consist of to stay protected!

Steps to Create a Strong Password

1. Avoid Common Words

Avoid using easily guessable words or phrases. Examples include "123456," "password," or "qwerty." Instead, use phrases that may hold an unobvious personal meaning to you, such as a combination of words from a favorite book or a childhood memory. Hackers often use common password lists to guess and breach accounts, so avoid anything too predictable.

2. Avoid Personal Information

Refrain from including any personal information in your password, such as your name, birthday, or address. Hackers can easily obtain this information through social engineering or data breaches, making it relatively simple for them to guess your password. Keeping your password unrelated to your personal life adds an extra layer of security.

3. The Lengthier, the Better

The longer your password, the harder it is for hackers to crack through brute force attacks. A minimum of 12 characters is recommended, but going longer is better. For example, using a 16-character password significantly increases the number of possible combinations, making it more challenging for hackers to guess and increasing their likelihood of failing.

4. Use Complex Characters and Words

Passwords that use a variety of character types—such as uppercase letters, lowercase letters, numbers, and special characters—are better protected. For instance, a password like "P@ssw0rd123!" is much stronger than "password123." The complexity of using different forms of characters makes guessing much harder, especially if hackers use automated tools.

5. Randomize Passwords

Generating random passwords using browser-recommended ones or a password manager can be very effective in protecting your account. Password managers can store the randomized passwords after creating them. If you are worried about forgetting these randomly generated ones, you can create your own passphrase that makes sense only to you, such as "Green!Apple#Mountain*Sky." Ensure it's not easily guessable or uses common phrases.

6. Update and Change Regularly

Changing your passwords regularly is essential, especially if you have been warned of possible attempts at breaches or passwords being compromised. Regularly updating your passwords helps mitigate the risk of unauthorized access to your accounts, even if your current password is strong. It is important to create new ones instead of reusing old passwords, as hackers could use previously compromised credentials to gain access to other accounts.

Conclusion

When these six tips are combined, your password will keep your information secure. Repeating passwords or making variations of the same one fails to protect you. But with these tips, your first level of authentication is set to be almost impossible for hackers to penetrate. In a world where hacking and stealing information in cyberspace is becoming more common, it is essential for users to take the necessary steps to keep their passwords strong and their data protected. By following these guidelines, you can significantly reduce the risk of falling victim to cyberattacks and ensure your personal information remains safe.

Staying safe in the current climate of cyberattacks can be challenging and often frightening. With hacking and data theft becoming increasingly accessible and easier to execute, ensuring the safety of your personal information is essential. In this article, we will list the top ways to protect your identity on your devices and accounts from being stolen.

10 Easy Steps to Secure Your Identity

By following these 10 easy steps, you can secure your credentials, personal information, and more.

By Mohan Subrahmanya, Country Leader, Insight Enterprises In an era consistently besieged by data breaches and increased cyber threats, blockchain technology is emerging as a key tool for the enhancement of cybersecurity and the protection of data. It is a decentralized and secure way of recording critical data that brings forth innumerable benefits to many sectors through a sound framework for secure transactions and integrity of data.

Understanding Blockchain Technology

At its core, blockchain is a decentralized ledger that records transactions across a network of computers, ensuring that data remains transparent, secure, and immutable. Each block in the blockchain contains a timestamp, transaction data, and a cryptographic hash of the previous block, creating a chain of records that is nearly impossible to alter. The exponential growth of blockchain technology is fueled by the need to simplify business processes, increase transparency, improve traceability, and cut costs. According to ReportLinker, the global blockchain market is expected to increase by 80% between 2018 and 2023, from $1.2 billion to $23.3 billion.

Key Components of Blockchain That Ensure Data Security

Blockchain technology enhances data security by ensuring that data recorded once remains unalterable and undeletable without network consensus, thus maintaining integrity. One of the key features of blockchain technology is decentralization. Unlike traditional centralized databases, blockchain operates on a distributed network. This structure reduces the risk of a single point of failure and makes it much more difficult for malicious entities to compromise the entire system. By distributing data across multiple nodes, blockchain eliminates vulnerabilities associated with centralized servers, thereby enhancing overall security. Another feature is the Cryptographic hash function which plays a crucial role in blockchain security. These mathematical algorithms generate a unique identifier for each block, making it virtually impossible to alter any recorded data without detection. All the altered information on the blockchain is visible and immutable, which not only ensures data integrity but also provides a reliable mechanism to detect and prevent fraudulent activities. Blockchain also employs consensus mechanisms such as Proof of Work (PoW) and Proof of Stake (PoS) to validate transactions and ensure network consistency. By allowing only authentic transactions to be added to the blockchain, these mechanisms prevent double payments and other fraudulent practices. Digital signatures, which use a private key to sign transactions, further enhance this level of security. This ensures that only authorized individuals can initiate or modify data entries, while anyone with the public key can verify the authenticity of the transaction.

Applications Across Sectors

The use of blockchain technology could have a significant impact on cybersecurity across various sectors. Many organizations are recognizing the significant business benefits of blockchain technology and are increasingly adopting it across various sectors. Blockchain has a lot to offer, from manufacturing and healthcare to supply chains and beyond. Financial services, for instance, can benefit from blockchain's ability to secure transactions, reduce fraud, and improve transparency. The healthcare sector can utilize blockchain to secure storage and share patient information between authorized personnel, ensuring confidentiality and accuracy. In the manufacturing industry, blockchain is primarily used for the movement and management of digital assets and physical goods, enhancing transparency and traceability. In order to ensure a transparent and immutable record of the origin of products, supply chain management can use blockchain technology to prevent counterfeiting and ensure authenticity. Government services can also use blockchain to increase the security and efficiency of public records, voting systems as well as identity management.

Key Challenges and Considerations

There are certain challenges to the use of blockchain technology, despite its many benefits. Scalability is an important concern, as the number of transactions increases, the blockchain may become slow and costly to maintain. Furthermore, significant computational power is required for consensus mechanisms such as POW which could result in considerable energy consumption. Regulatory uncertainty is another issue, as the evolving legal landscape can obscure the widespread adoption of blockchain technology. Addressing these challenges is crucial for the continued growth and adoption of blockchain technology. Global efforts are being made to create scalable blockchain systems and more effective consensus methods. Additionally, regulatory frameworks are also evolving to offer more precise guidelines to implement blockchain technology.

Growth of Blockchain Technology in India

India is seeing a strong increase in the adoption of blockchain technology in many sectors. This growth is driven by government-backed projects and initiatives, such as the National Blockchain Framework, to improve transparency, security, and efficiency. The technology's potential to enhance data integrity and operational efficiency aligns well with India's digital transformation goals, making blockchain a key component in the nation's technological advancement. The use of blockchain technology has been much more of a game-changer in terms of data security and is supporting cybersecurity. It provides robust security against all cyber threats since it is decentralized, immutable, and fully transparent. Overcoming the challenges of scaling and regulatory uncertainty would enable blockchain's distributed ledger technology to emerge as the key player in secure digital infrastructures that drive innovation across all sectors. The more organizations study its potential applications, the more blockchain will change the face of data security and cybersecurity. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything. 

By Siddharth Deshmukh, Chief Operating Officer, Clover Infotech With the advent of digital, large volumes of data flow into the organizations’ systems daily. However, it’s the value of the data that makes it special. This data is often used to generate insights and predictions which are important to enhance productivity and ROI. But to ensure that the desired results are achieved, the data needs to be stored and organized in databases that enable easy access, modification, and management. In such a scenario, open source database is a wise choice as they offer flexibility, cost savings, and community support. They allow users to access and modify the source code, enabling customization to meet specific needs and fostering innovation. Being free of licensing fees, they reduce financial barriers for organizations of all sizes. While community versions of open-source databases like MySQL, PostgreSQL, and MongoDB are popular for their zero-cost entry and extensive community support, enterprise editions often provide a more comprehensive and reliable solution for businesses with critical needs.

Superior Features of Enterprise Editions

Here’s why enterprise editions are generally considered superior to community versions in an enterprise setting:  Enhanced Support and Reliability - One of the most significant advantages of enterprise editions is the professional support provided by the OEM. Unlike community versions, which rely on community forums and public documentation for troubleshooting, enterprise editions offer dedicated, round-the-clock technical support. This support is crucial for enterprises that require immediate resolutions to any issues that may arise, thereby minimizing downtime, ensuring business continuity, and adherence to compliance mandates. Advanced Security Features - Security is paramount for any enterprise, and enterprise editions of open-source databases typically come with enhanced security features not available in community versions. These may include advanced authentication methods, transparent data encryption, auditing capabilities, and more granular access controls. With cyber threats constantly evolving, having these robust security measures in place helps protect sensitive data from breaches and ensures compliance with industry standards and regulations. Performance Optimization and Scalability - Enterprise editions often include performance optimization tools and features designed to handle large-scale operations efficiently. These enhancements can significantly improve database performance, supporting faster query processing and better resource management. For businesses experiencing rapid growth or those with high transaction volumes, the ability to scale seamlessly is critical. Comprehensive Management Tools - Managing a database effectively requires a suite of tools for monitoring, backup, recovery, and automation. Enterprise editions usually provide a range of advanced management tools that simplify these tasks, reducing the administrative burden on IT teams. Features like automated backups, performance monitoring dashboards, and easy-to-use management interfaces help ensure that databases run smoothly, and potential issues are promptly addressed. Long-Term Stability and Support - Community versions often follow rapid release cycles, which can lead to stability issues as new features are continuously added and older versions quickly become outdated. In contrast, enterprise editions typically offer long-term support (LTS) versions, ensuring stability and ongoing updates without the need for frequent major upgrades. This stability is vital for enterprises that require reliable, long-term operation of their database systems. Tailored Solutions and Customization - Vendors offering enterprise editions frequently provide customized solutions tailored to the specific needs of their clients. This level of customization can include optimizing the database for particular workloads, integrating with existing enterprise systems, and even developing new features upon request. Such tailored solutions ensure that the database aligns perfectly with the business’ operational requirements.

To Wrap Up

In conclusion, while community versions of open-source databases are an excellent starting point, especially for small to medium-sized businesses or for non-critical applications, enterprise editions offer a suite of enhanced features and services that address the complex needs of larger organizations. With superior support, advanced security, performance optimizations, comprehensive management tools, and tailored solutions, enterprise editions ensure businesses can rely on their database systems to support their operations effectively and securely. Enterprise editions are a prudent choice for enterprises where data integrity, performance, and security are paramount. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything. 

Globe Life disclosed a recent cybersecurity incident that may have resulted in unauthorized access to its consumer and policyholder information. Globe Life is a Texas-based insurance holding company. It offers life, health, and worksite insurance products and services to consumers nationwide through its subsidiaries. The company has over 3,600 employees and also owns several insurance providers like Liberty National, United American and Family Heritage Life. The company had also been accused of shady financial tactics and business operations by short sellers Fuzzy Panda Research and Viceroy Research, allegations the company has denied.

Globe Life Breach Discovery and Containment

According to Globe Life's filing with the SEC, the company had conducted a security review on one of its web portals to discover potential vulnerabilities that may have affected its access permissions and user identity management. The investigation was prompted by a legal inquiry from a state insurance regulator on June 13, 2024. The review revealed that an unauthorized party may have accessed the company's web portal, compromising sensitive customer and policyholder data. The company stated that it had immediately revoked external access to the affected portal upon breach discovery. Globe Life said that at this stage, it believes the security issue is isolated to the one web portal. All other company systems remain fully operational. Globe Life added that it expected minimal impact to its business operations after the take down of the affected web portal. The company has activated its cybersecurity incident response plan and engaged external forensics experts to investigate the breach's scope. In its SEC filing, Globe Life disclosed that the investigation remains ongoing. The full impact and nature of the incident are unclear at the moment.

Incident Comes After Scrutiny Over Business Tactics

The company said it has yet to determine if the breach qualifies as a reportable cybersecurity incident under the SEC's disclosure rules. The disclosure comes amidst increasing scrutiny and financial setbacks suffered by the company. The Texas-based insurer has faced allegations of fraudulent sales tactics and other business and workplace improprieties. The short sellers Fuzzy Panda Research and Viceroy Research had made these allegations public in April 2024. While the company has continued to deny these claims, its share price has dropped by 24% since the publication of the Fuzzy Panda report. The reports claimed that Globe Life and its biggest subsidiary, American Income Life (AIL), had engaged in insurance fraud, framing of policies for dead and fictitious individuals, withdrawal of consumer funds without approval, unfair dismissal, misleading sales tactics and illegal kickbacks. They also alleged that some of AIL's most profitable agents had faced accusations of kidnapping, assault and child grooming from defendants, witnesses and plaintiffs. It remains unclear if the state insurance regulator contact that led to the breach discovery is related to these allegations. Insurers like Globe Life are regulated at the state level rather than federal level. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A 22-year-old British national, allegedly the leader of an organized cybercrime group that targeted nearly four dozen U.S. companies, was arrested in Palma de Mallorca at the behest of the FBI, said the Spanish National Police. The young man allegedly orchestrated attacks on 45 companies in the United States through phishing campaigns, and subsequently gained unauthorized access to sensitive company information and cryptocurrency wallets.

Cyber Scammer Used Familiar Playbook

The modus operandi of the cybercriminal was simple: use phishing techniques to obtain access credentials from individuals,; use these credentials to infiltrate corporate work systems; exfiltrate sensitive company data that was likely monetized and put up for sale on dark web forums; and also access victims' cryptocurrency wallets to siphon them off. This modus operandi allowed the scammer to amass a significant amount of bitcoins. The Spanish police said the young cyber scammer managed to gain control over 391 bitcoins - approximately valued at over $27 million - from his victims. The arrest occurred at Palma airport as the suspect was preparing to leave Spain on a charter flight to Naples. The operation was conducted by agents of the Spanish National Police in collaboration with the FBI. The investigation, led by the Central Cybercrime Unit and supported by the Balearic Superior Headquarters, began in late May when the FBI’s Los Angeles office requested information about the suspect that they believed was in Spain. The FBI reported that an International Arrest Warrant had been issued by a Federal Court of the Central District of California, prompting intensified efforts to locate the suspect.

Laptop, Phone Seized

The suspect was carrying a laptop and a mobile phone at the time of his arrest, which were seized. The judicial authority subsequently ordered the suspect to be placed in provisional prison. The FBI did not immediately provide a response on whether the young British man would be extradited to the U.S. to be tried, nor did they release details on an indictment, but many similar cases in the recent past show the possibility of that happening soon.

Linked to Scattered Spider?

The cybercrime-focused vx-underground X account (formerly known as Twitter) said the U.K. man arrested was a SIM-swapper who operated under the alias “Tyler.” Fraudster's transfer the target’s phone number in a sim swapping attack to a device they control and intercept any text messages or phone calls to the victim. This includes one-time passcodes for authentication or password reset links sent over an SMS. “He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group,” vx-underground tweeted. The details, however, could not be confirmed but independent journalist Brian Krebs said the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.

“Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.” - vx-underground

The initial access vector in the attack on MGM included targeting of a help desk executive with social engineering tactics. Mandiant in its latest report found Scattered Spider aka UNC3944 using the same modus operandi, and although no victim names were stated, it now suggests the possible linkage between them. *Update (June 17 5:45 AM EST): Added details on the 22-year old young cyber scammer's identity and possible links to Scattered Spider group.

The UK, US and Canada have accused Russia of an elaborate plot to interfere in Moldova’s upcoming presidential election and referendum on EU membership. The allegations came in a joint statement released on the opening day of the G7 summit, pointing to a far-reaching campaign of political meddling by Moscow. The three nations claim Russia is actively spreading disinformation to 'undermine Moldovan democratic institutions' and 'degrade public confidence' in the government ahead of the votes on October 20th. Specific targets include President Maia Sandu and her pro-Western administration, which has strongly backed Ukraine in the Russia-Ukraine conflict.

Kremlin Actors Seeking to Discredit Moldova's Leaders

According to a statement from the U.S. Embassy in Russia, Russian threat actors are aggressively distributing propaganda to “foment negative public perceptions” of President Sandu. This involves fabricating electoral irregularities while also aiming to incite protests if the incumbent president is re-elected. The plot dates back years, with the Kremlin providing support to fugitive Moldovan businessman Ilan Shor. Shor had previously been sentenced to 15 years in prison in connection with the disappearance of $1 billion from Moldovan banks in 2014. All three countries had issued sanctions on Shor for his connection to the incident. The statement singled out Russian state-television channel RT for providing several years of support to Shor. The UK, US and Canada claim they have already shared detailed evidence with Moldovan authorities to enable further investigation and disruption. They also state they will continue backing Moldova with a range of support measures as it deals with Russian interference and fallout from the Ukraine war.

All Three Countries Announce Support at G7 Summit

The three nations expressed confidence in Moldova's ability to manage these threats linked to Russian interference. They have taken several measures to support Moldova's efforts, including:

• The sharing of detailed information with Moldovan partners to investigate, thwart, and put a stop to the Kremlin's plans.
• Increasing accountability and punishment for individuals and entities involved in covertly financing political activities in Moldova through sanctions and potential further actions.
• Strongly supporting Moldova's democratic, economic, security, and anti-corruption reforms, as well as its deepening European integration.

The three nations affirmed their support deepening ties between Moldova and the EU. President Sandu is widely perceived as a firmly pro-Ukranian and pro-Western leader since her election in 2020. In reaction, the Kremlin appears intent on preventing her re-election in order to install a more Russia-friendly president. By publicizing the interference plot, the Western allies hope to deter Moscow while urging respect for Moldovan sovereignty and free, fair elections. However, with under five months until the votes, concerns remain high over Russia's determination to influence election results. "We will continue to stand with all of our friends, partners, and Allies in defense of our shared democratic values and freedoms," the statement read. The U.S. embassy's statement also highlighted the surrounding threat to elections in 2024, a year in which "hundreds of millions of people across Europe and North America go to the polls to select their leaders in European, national, regional, and local elections."

Russia Is a Threat to Election Security: Researchers

An earlier report from Mandiant in April suggested that Russia presented the biggest threat to election security in the United States, United Kingdom and European Union. “Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” the report stated. Experts also fear Russian attempts at spreading disinformation or influencing public opinion on non-election events such as the upcoming 2024 Summer Olympics in Paris. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

June 13, 2024 may go down as one of the tougher days in Microsoft’s long history. The day started with a report alleging that a vulnerability long neglected by Microsoft led to the SolarWinds software supply chain breach in 2021; was followed by a nearly three-hour hostile hearing on Capitol Hill over the software giant’s security failures that resulted in a massive hack by China of U.S. government email systems; and it ended late at night with the company’s announcement that it will delay the rollout of its Windows Recall screen recording feature that faced heavy criticism from cybersecurity researchers over the lack of security and data privacy controls built into Recall. Microsoft President Brad Smith struck a conciliatory tone in his hearing with U.S. lawmakers and he outlined plans to improve security at the company, but the bungled launch of Recall – coming after the company had already pledged at least twice to improve security – shows that the software and cloud technology giant has a long way to go to make good on those pledges.

Recall Controversy Took Off After a Report on The Cyber Express

Calls to overhaul Recall’s security and privacy features started with the work of security researcher Kevin Beaumont, who called the lack of controls the “dumbest cybersecurity move in a decade.” Beaumont’s work demonstrating Recall’s security holes was first reported in a Cyber Express article that landed on the front page of tech news aggregator Slashdot, where it received 140 comments, and the story took off from there, creating something of a PR nightmare for Microsoft. Further proofs supporting Beaumont’s work emerged, and Microsoft belatedly tried to address the security and privacy concerns, but apparently not in time for the release of Copilot+ PCs planned for June 18. In a blog post update late on June 13, Microsoft said Recall will now become “a preview available first in the Windows Insider Program (WIP) in the coming weeks. Following receiving feedback on Recall from our Windows Insider Community, as we typically do, we plan to make Recall (preview) available for all Copilot+ PCs coming soon. “We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security.”

Beaumont Welcomes Microsoft Recall Delay, Awaits Changes

In a post on a Mastodon cybersecurity instance, Beaumont welcomed the Microsoft Recall delay. “Good on Microsoft for finally reaching a sane conclusion,” he wrote. “When it does appear in preview channels, privacy and security researchers need to keep a close eye on what Microsoft are doing with the feature. “Microsoft tried developing this feature in secret in a way which tried to avoid scrutiny. Thank you to everyone who stood up.” Beaumont said it’s his understanding that Recall was developed without input from security and privacy staff. “I've also been told Microsoft security and privacy staff weren't provided Recall, as the feature wasn't made available broadly internally either,” he said.

Europol coordinated two separate operations this week to disrupt 13 websites used in spreading terrorist propaganda online. This action followed a year-long operation involving ten law enforcement authorities across Europe. The targeted websites were linked to Islamic State, al-Qaeda and its affiliates, and the Syria-based rebel group Hay’at Tahrir al-Sham.

“The disrupted terrorist operated websites worked as a node and an archive for terrorist propaganda produced by the different IS [Islamic State] media outlets using a multiplatform approach.” - Capt. Alberto Rodríguez Vázquez of Spain's Guardia Civil.

Servers Taken Down in Europe and U.S.

Europol reported that servers were taken down in Germany, the Netherlands, the United States and Iceland under Operation HOPPER II. The authorities in Spain also arrested nine “radicalized individuals” from different nationalities. Spain's Guardia Civil led a separate operation, dubbed ALMUASASA, against media linked to the Islamic State’s I’LAM Foundation. Europol said this organization ran global communication channels, including radio stations, a news agency, and social media content.

“The network was designed to be resilient and low profile and that explains its multi-server hosting strategy. It operated both on the surface web and the dark web.” – Vázquez.

Terrorist Propaganda in 30 Languages

The organization communicated Islamic State directives and slogans in over 30 languages, including Spanish, Arabic, English, French, German, Danish, Turkish, Russian, Indonesian, and Pashto. Investigations revealed several terabytes of information, which will help law enforcement in further investigations into the terror group. The overall terrorist threat to the European Union remains high, with jihadist terrorism being a principal concern. Europol's operations followed the seizure of four computer servers in Romania, Ukraine, and Iceland, as part of ongoing investigations into religious and politically motivated terrorist groups.

“The servers supported multiple media outlets linked to Islamic State. They were used to disseminate worldwide propaganda and messages capable of inciting terrorism.” - Europol

According to Europol, the targeted websites enabled terrorist organizations and violent extremists to bypass the enhanced moderation and content removal efforts of mainstream online service providers. This helped them maintain a persistent online presence. The sites were used for recruitment, fundraising, inciting violence, and spreading propaganda, including manuals for creating explosives and content designed to radicalize and mobilize individuals. [caption id="attachment_77383" align="aligncenter" width="1024"] Jode de la Mata Amaya, national member for Spain, Eurojust (Source: YouTube)[/caption] The investigation has also revealed important details on the financing of the terrorist networks, which will be pivotal in future combat of threats from these networks, said Jode de la Mata Amaya, national member for Spain, Eurojust. All the 13 websites were referred for removal under European Union laws that mandate all hosting service providers remove flagged content within an hour of receiving a removal order or face penalties determined by individual member states.

The Cyber Express, in collaboration with Cyble Research & Intelligence Labs (CRIL), is dedicated to providing the latest and most comprehensive information on security vulnerabilities. Each week, we deliver actionable insights for IT administrators and security professionals, crafted by highly skilled dark web and threat intelligence researchers at Cyble. Cyble has identified several important bugs in its Weekly Vulnerability Report that require urgent attention. The full report covers these vulnerabilities, along with details and discussion around exploits found on the dark web, industrial control system (ICS) vulnerability intelligence, and cybersecurity defenses. Cyble security analysts have also conducted scans of customer environments to alert them of any exposures.  These vulnerabilities, highlighted from June 05, 2024, to June 11, 2024, include critical issues that could be easily exploited. Failure to patch these vulnerabilities could result in unauthorized access, data breaches, and significant operational disruptions.  Cyble researchers found over 1 million internet-facing assets exposed to these vulnerabilities, highlighting the urgency of addressing these security flaws.

Critical Vulnerabilities and Their Impact

Here are details and analysis of five of the most critical vulnerabilities identified by Cyble.

GitHub Access Token (CVE-2024-37051)

Overview: Exposed access tokens have been identified, which could allow unauthorized individuals to access GitHub accounts. This can lead to the manipulation or theft of code, posing a severe threat to software integrity and security.  Impact: Unauthorized access to repositories can result in the leakage of sensitive information, insertion of malicious code, and potential compromise of projects dependent on the affected repositories. 

FortiOS SSL-VPN (CVE-2022-42475)

Overview: A critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN has been actively exploited in cyber-espionage campaigns. This vulnerability allows attackers to execute arbitrary code on the affected systems.  Impact: Successful exploitation can lead to full control over the compromised system, enabling data theft, network breaches, and service disruptions. 

PHP Remote Code Execution (CVE-2024-4577) 

Overview: Multiple versions of PHP have been found vulnerable to remote code execution. This vulnerability has been exploited to deploy ransomware, affecting web servers running the compromised PHP versions.  Impact: Exploitation can result in the complete compromise of web servers, data exfiltration, and file encryption for ransom. 

Netgear Authentication Bypass (CVE-2024-36787)

Overview: A vulnerability in Netgear routers allows attackers to bypass authentication mechanisms, granting unauthorized access to router settings.  Impact: Unauthorized access can modify network settings, intercept data, and further network compromises. 

Veeam Backup Enterprise Manager (CVE-2024-29849)

Overview: A critical vulnerability in Veeam Backup Enterprise Manager allows unauthenticated users to log in, posing a high risk of data theft and manipulation.  Impact: Unauthorized access to backup systems can result in data breaches, loss of critical backup data, and potential operational disruptions. 

Weekly Vulnerability Report: Highlights

CVE-2024-37051 

Impact Analysis: A critical vulnerability in the JetBrains GitHub plugin on the IntelliJ open-source platform affects all IntelliJ-based IDEs, leading to the exposure of GitHub access tokens. TAs can leverage the vulnerability by using exposed tokens to gain unauthorized access to user GitHub accounts and repositories and possibly deploy malicious code or delete the repositories.  Internet Exposure: No  Patch: Available 

CVE-2022-42475 

Impact Analysis: A critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN and FortiProxy SSL-VPN allows remote unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. Reports suggest that Chinese TAs weaponized this vulnerability in cyber-espionage campaigns targeting government institutions for a few months between 2022 and 2023 to deploy malware on vulnerable Fortigate network security appliances.  Internet Exposure: Yes  Patch: Available 

CVE-2024-4577 

Impact Analysis: A critical remote code execution (RCE) vulnerability affecting PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 when using Apache and PHP-CGI on Windows. PHP is a widely used open-source scripting language designed for web development, and the vulnerability can reveal the source code of scripts and enable TAs to run arbitrary PHP code on the server. Recently, researchers observed that the TellYouThePass ransomware gang has been exploiting the vulnerability to deliver webshells and execute the encryptor payload on target systems.  Internet Exposure: Yes  Patch: Available 

CVE-2024-4610 

Impact Analysis: A use-after-free vulnerability in Arm Ltd Bifrost GPU Kernel Driver and Arm Ltd Valhall GPU Kernel Driver allows local non-privileged users to gain access to already freed memory through improper GPU memory processing operations.  Internet Exposure: No  Patch: Available 

CVE-2024-36787 

Impact Analysis: This vulnerability in Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 allows attackers to bypass authentication and access the administrative interface, posing a severe threat to network security and sensitive user data.  Internet Exposure: Yes  Patch: Not specified 

CVE-2024-29849 

Impact Analysis: A vulnerability in Veeam Backup Enterprise Manager (VBEM) allows unauthenticated attackers to log in as any user to the enterprise manager web interface. This poses a high risk due to the global use of Veeam products and the availability of publicly available proof-of-concept (PoC).  Internet Exposure: Yes  Patch: Available 

CVE-2019-9082 & CVE-2018-20062 

Impact Analysis: These vulnerabilities impact ThinkPHP, an open-source PHP framework with an MVC structure, leading to remote code execution (RCE). Chinese threat actors have leveraged these vulnerabilities to install a persistent web shell named Dama.  Internet Exposure: No  Patch: Not specified 

CVE-2024-24919 

Impact Analysis: This vulnerability impacts Check Point Remote Access VPN and allows attackers to read information from Internet-connected gateways with remote access VPN or mobile access enabled. It has been exploited in zero-day attacks since April 30, enabling lateral movement through victim networks by stealing Active Directory data.  Internet Exposure: Yes  Patch: Available 

CVE-2024-30080 

Impact Analysis: A critical remote code execution vulnerability in Microsoft’s Message Queuing (MSMQ) can be exploited by unauthenticated attackers via specially crafted malicious MSMQ packets. Microsoft addressed the flaw in its monthly Patch Tuesday update. Internet Exposure: Yes  Patch: Available 

Industrial Control Systems (ICS) Vulnerabilities 

The report also highlights vulnerabilities in Industrial Control Systems (ICS), which are critical to sectors such as healthcare, emergency services, and energy. The majority of these vulnerabilities are categorized as high and critical severity, emphasizing the importance of securing ICS environments. 

Recommended Mitigation Strategies 

To mitigate the risks associated with these vulnerabilities, the following strategies are recommended: 

• Regular Software and Hardware Updates: Ensure all systems and devices are up to date with the latest security patches and firmware updates. 
• Patch Management: Implement a comprehensive patch management process to promptly address and apply patches for known vulnerabilities. 
• Network Segmentation: Segment networks to limit the spread of attacks and reduce the attack surface. 
• Incident Response and Recovery Plans: Develop and regularly update incident response and recovery plans to ensure swift action in the event of a breach. 
• Monitoring and Logging Solutions: Deploy advanced monitoring and logging solutions to detect and respond to suspicious activities in real time. 
• Regular Vulnerability Assessments and Penetration Testing: Conduct regular vulnerability assessments and penetration tests to identify and remediate security weaknesses. 
• Strong Password Policies and Multi-Factor Authentication: Enforce strong password policies and implement multi-factor authentication to enhance access control.

The report also notes the active discussion and sharing of several vulnerabilities on underground forums. These include vulnerabilities affecting popular platforms such as WordPress and macOS, which cybercriminals are exploiting. 

Conclusion 

The findings of the Weekly Vulnerability Intelligence Report highlight the critical need for continuous vigilance and proactive cybersecurity measures. Organizations must prioritize patch management, conduct regular security audits, and maintain incident response plans to protect against emerging threats.  Stay ahead of cyber threats with the Weekly Vulnerability Intelligence Report by Cyble, brought to you by The Cyber Express. Subscribe now for the latest insights powered by Cyble's advanced AI-driven threat intelligence.

As anticipation builds for the upcoming Paris 2024 Summer Olympic Games, security researchers and officials have observed an uptick in scams abusing legitimate Olympics branding. French Gendarmerie officials discovered over 300 bogus ticketing sites aiming to steal money and personal information by deceiving individuals who are in a hurry to book tickets for the events. Recent research investigates a prominent example (paris24tickets[.]com) from these websites. The site appears among the top paid results in Google searches and promotes itself as a secondary marketplace for sports and live events tickets.

Website Incorporates Official Paris 2024 Summer Olympic Games Branding

The 'paris24tickets[.]com' website appeared professional and legitimate at first glance. The site advertised itself as a “secondary marketplace for sports and live events tickets,” and was displayed as the second result among sponsored Google search results for 'paris 2024 tickets.' It allowed visitors to navigate through upcoming Olympic events, select event specific tickets, and enter payment information. Its polished design resembled that of trusted ticketing platforms, along with the official Olympics ticket purchase site. Proofpoint researchers warned that the website was entirely fraudulent despite its authentic look and feel. The site was likely collecting users’ financial and personal information rather than actually processing ticket orders. The researchers acted swiftly to suspend the misleading domain upon its discovery. [caption id="attachment_77366" align="alignnone" width="2800"] Impersonating domain 'paris24tickets[.]com' (Source: archive.org)[/caption] [caption id="attachment_77365" align="alignnone" width="2800"] Official Olympics Ticketing Site (Source: https://tickets.paris2024.org)[/caption] The researchers noticed that in some cases, the scammers even sent emails promising "discounts" on coveted tickets to victims. This tactic was likely done to lure unsuspecting individuals, who may have been desperate to secure tickets at lower costs. Victims who have provided their personal or financial information on the fraudulent website risk having their identities and money stolen. The scammers behind these websites may also collect important personal data, such as names, contact information, and credit card details, for sale or further malicious campaigns.

French Gendarmerie Nationale Reported the Discovery of 338 Scam Sites

The 'paris24tickets[.]com' website represents just a tiny fraction of a much broader network of fraudulent Olympics domains. The French Gendarmerie Nationale had identified approximately 338 such websites since March 2023, and made subsequent efforts to shut them down; 51 of these sites were stated to have been closed while 140 of them were put on notice. The fraudsters behind these scams likely rely on sponsored search engine ads and targeted emails to drive traffic to impersonating websites. Offers of special deals and discounts are further lures to draw-in potential victims. [caption id="attachment_77367" align="alignnone" width="1000"] Source: Shutterstock[/caption] 200 French gendarmes had been mobilized as a distinct unit to monitor the internet and various different social networks for Olympics ticketing-related fraud and mass resales, under the direction of the Europol. These units work along with the DGCCRF (Directorate General for Consumer Affairs, Competition and Fraud Prevention) in France. Captain Etienne Lestrelin, director of operations at the unit, told France Info radio that social media such as Facebook, Leboncoin, Telegram and Instagram were often “the primary source of resale attempts.” He added, “This is an exchange from individual to individual. Except that the buyer does not know if the person really owns the tickets, since they are virtual tickets, not tickets paper. So people are selling you wind, we don't know what they're selling." Lestrelin advised that tickets sold at too low of a price can alert potential buyers: "You will never have a ticket below its original cost. The goal of people who were able to buy tickets in volume and with the intention of reselling them, it is to make a profit So it is an alert if you find a much cheaper ticket. The sentence to remember is that there is no. very good deals on the internet, it's not possible." He instructed that it was also not possible to own a ticket before the event begins and QR Codes are generated. Anyone who claims to be currently in possession of a ticket, or owns tickets that seem visually legitimate, is still a fraud. He warned buyers to be vigilant about buying such tickets outside of official sources because it can also be an offense. "You are associating yourself with the offense that the seller commits when he resells without going through the official website. This is a criminal offense," he stated. To validate purchases, buyers can cross-check provided references with the official Paris 2024 Summer Olympic Games application. Buyers who suspect that they may have been duped can report to a police station, a gendarmerie or the DGCCRF. Legitimate ticket purchases can be made through the official ticketing website or official sub-distributor network.

Ukraine’s Security Service (SBU) detained two individuals accused of aiding Russian intelligence in hacking the phones of Ukrainian soldiers and spreading pro-Kremlin propaganda. The suspects operated bot farms using servers and SIM cards to create fake social media accounts. One bot farm in the Zhytomyr Oblast was hosted in an apartment of a Ukrainian woman. She allegedly registered over 600 virtual mobile numbers and several anonymous Telegram accounts.

Russian Intelligence Installed Spyware in Campaign

The woman sold or rented these accounts in exchange for cryptocurrency on online Russian underground marketplaces. Russian intelligence used these accounts and numbers to hack phones of Ukrainian military personnel by sending phishing emails containing spyware that collected sensitive confidential data. Russian hackers were recently observed using legitimate remote monitoring and management (RMM) software to spy on Ukraine and its allies. [caption id="attachment_77338" align="aligncenter" width="1024"] Source: SBU[/caption] According to the SBU, the accounts hosted on this bot farm were also used to spread pro-Kremlin propaganda purporting as ordinary Ukrainian citizens. Another 30-year-old man from Dnipro allegedly registered nearly 15,000 fake accounts on various social networks and messaging platforms using Ukrainian SIM cards. He sold these accounts to Russian intelligence services on darknet forums. [caption id="attachment_77337" align="aligncenter" width="1024"] Source: SBU[/caption] Both suspects face up to three years in prison or a fine if found guilty. The investigation continues.

Russian Bot Farms Used Since Invasion Started

Russia has used bot farms to disseminate Kremlin propaganda, incite panic and manipulate narratives since the beginning of its Ukrainian invasion. The Ukrainian authorities have busted dozens of bot farms and arrested hundreds of people across the country who operate them. In December 2022, they dismantled more than a dozen bot farms. In September of that year, two bot farms were taken down, while in August a group that operated more than 1 million bots was also dismantled. Bot farm operators typically receive payments in Russian rubles, a prohibited currency in Ukraine. These activities continued in the second year of the war, where the Ukrainian Cyber Police raided 21 locations across the country and seized computer equipment, mobile phones and more than 250 GSM gateways. This included 150,000 SIM cards of different mobile operators used in the illicit activities to create fake social media profiles.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a comprehensive set of advisories to secure Industrial Control Systems (ICS) against exploitable vulnerabilities. Released today, the CISA advisories are aimed at equipping users and administrators with timely insights into prevalent security issues, vulnerabilities, and potential exploits within ICS infrastructure. The CISA advisories, 20 in all, offer in-depth technical details and mitigation strategies for identified vulnerabilities across various ICS components. CISA highlights the importance of promptly reviewing these advisories to enhance the resilience of industrial systems against online threats.

CISA Issues 20 Industrial Control Systems Advisories

One of the critical vulnerabilities highlighted is CVE-2024-33500, impacting Siemens Mendix Applications. This vulnerability, stemming from improper privilege management, presents a risk of remote exploitation. Siemens recommends immediate updates to affected versions and implementing additional mitigations to thwart potential attacks. Another significant concern involves vulnerabilities affecting Siemens SIMATIC S7-200 SMART devices. These vulnerabilities, attributed to insufficiently random values, may pave the way for denial-of-service attacks. Siemens advocates for network access restrictions and adherence to industrial security protocols to mitigate risks effectively. Additionally, Siemens TIA Administrator faces vulnerabilities due to insecure permissions in temporary file creation processes. While no known public exploits exist presently, Siemens advises users to update to the latest version and enforce stringent network security measures.

Multiple ICS Vulnerabilities Reported

The CISA advisories also shed light on vulnerabilities in Siemens SCALANCE XM-400 and XR-500 devices, Fuji Electric's Tellus Lite V-Simulator, and Rockwell Automation's FactoryTalk View SE, among others. These vulnerabilities, ranging from inadequate encryption strength to permission assignment flaws, highlights the diverse spectrum of risks facing industrial environments. Despite the absence of known public exploits targeting these vulnerabilities, CISA emphasizes the importance of proactive measures such as network segmentation, secure remote access methods, and heightened awareness of social engineering tactics. The CISA advisories also address vulnerabilities in Motorola Solutions' Vigilant License Plate Readers and Mitsubishi Electric's MELSEC-Q/L Series and Multiple Products. These vulnerabilities, discovered by security researchers, highlight the collaborative efforts needed to safeguard critical infrastructure against emerging cyber threats. As organizations navigate the complex landscape of industrial cybersecurity, the issuance of these CISA advisories serves as a crucial resource for bolstering defenses and fostering a resilient ICS ecosystem. By staying informed and implementing recommended mitigations, stakeholders can mitigate risks and uphold the integrity and reliability of critical industrial operations.

The Chinese University of Hong Kong (CUHK) has been confronted by a massive data breach that has compromised personal information of precisely 20,870 students, staff and past graduates. The CUHK data breach was initially identified on June 3, 2024, prompting swift action by the institution. An investigation is currently underway to trace the culprits and to take corrective measures.

Understanding the CUHK Data Breach

The CUHK is one of the premier institutes in China which was established in 1963 and is the first research university in Hong Kong. The cyberattack on CUHK reportedly took place on June 1 at its School of Continuing and Professional Studies (CUSCS). In a statement put out by the school on June 13, CUSCS said that it had undertaken an investigation into the breach on June 3. An information technology security consultant was appointed by the college to assess the breach. The investigation revealed that the school’s “Moodle learning management system” was hacked. Moodle is an open-source learning management system designed. It allows educators, administrators and learners to create personalized learning environments for online projects in schools, colleges and workplaces. Moodle can be used to create custom websites with online courses and allows for community-sourced plugins. [caption id="attachment_77266" align="alignnone" width="1196"] Source: CUSCS Website[/caption] According to the CUSCS, the leaked data included the names, email addresses, and student numbers of 20,870 Moodle accounts of tutors, students, graduates, and visitors. This personal data was reportedly stolen after a server at one of the institution’s schools was hacked. Despite the university management stating that the sensitive data was not leaked on any public platforms, the breached information was found to be readily available on the dark web domain BreachForums. A Threat Actor (TA), who goes by the alias “Valerie”, put up a post on dark web stating that the hacker was willing to sell the data. The TA noted that, “75 per cent of the stolen data was sold to a private party, which financed the breach.  The rest of the data was not shared. So upon multiple offers, we decided to make a public sell.” To claim that the data was credible, the TA provided samples, which included the username, first name, last name, institution, department, mobile number and city of the victims of the data breach.

Investigation Status of CUHK Data Breach

The CUSCS stated that as soon as its investigation revealed a massive data breach, it had deactivated the relevant account and reset the password. It added that, apart from the relevant server, the online learning platform has been moved, and security measures have been strengthened to block any account after three unsuccessful login attempts. “CUHK has also been notified of the incident. The college has also established a crisis management team composed of the dean, deputy dean, information technology services director, administrative director and communications and public relations director to assess the risks,” CUSCS said. The college also had filed a complaint over the data breach to the local police. The university, too, has notified the city’s privacy watchdog-Office of the Privacy Commissioner for Personal Data (PCPD), in accordance with established procedures. The PCPD acknowledged receipt of the complaint on June 13.

CUHK Data Breach: Institutions in Hong Kong Under Scanner

In what is becoming a trend, CUHK has become the third educational institute in Hong Kong this year to fall victim to cyberattacks. In May, the Hong Kong Institute of Contemporary Culture, Lee Shau Kee School of Creativity, fell victim to a ransomware attack where the data of over 600 people was leaked. Similarly, in April, a private medical facility, Union Hospital, suffered a ransomware attack affecting its servers, which allegedly resulted in operational paralysis. The Hong Kong College of Technology too suffered a ransomware attack in February, which led to the data of around 8,100 students being breached.

Hacktivist group 177 Members Team has claimed a cyberattack on Malaysia's leading internet service provider, Unifi TV. The Unifi TV cyberattack was posted on a dark web leak site, highlighting crucial details about the organization with links shared to confirm the intrusion. Unifi TV, a subsidiary of Telekom Malaysia Berhad, offers a range of services including internet access, VoIP, and IPTV. The threat actor claimed this attack on June 12, 2024, and took responsibility for compromising Unifi TV's systems and launching multiple Distributed Denial of Service (DDoS) attacks against the company.

177 Members Team Claims Unifi TV Cyberattack

[caption id="attachment_77209" align="alignnone" width="525"] Source: Dark Web[/caption] The cyberattack on Unifi TV was aimed at disrupting the operation of the organization and highlighted the importance of robust cybersecurity measures in safeguarding critical digital infrastructure. Despite claims by the threat actor that the Unifi TV website was down, the web pages seem to be operational at the moment and don’t show any immediate sign of the cyberattack. The impact of the cyberattack extends beyond Unifi TV, affecting not only the telecommunications industry but also posing a threat to Malaysia's digital ecosystem as a whole. With the country witnessing over 3,000 cyber attacks daily, according to Defence Minister Datuk Seri Mohamed Khaled Nordin, the cyberattacks on Malaysia highlights the growing nature of ransomware groups and hacktivist collectives targeting the nation. 

Previous Cybersecurity Incidents

While Unifi TV has yet to release an official statement regarding the cyberattack, concerns about data breaches have been previously raised. In July 2023, Telekom Malaysia issued a data breach alert to Unifi users, stating that personal information, including names, identification numbers, and contact details, may have been compromised. The company assured users that measures had been taken to contain the breach and protect customer data. In light of these incidents, cybersecurity experts emphasize the need for proactive measures to mitigate future threats. Collaborative efforts between government agencies, law enforcement, and private sector entities are crucial in addressing online threats that target Asian nations. As for the current Unifi TV cyberattack claims, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged attack or any official confirmation from the organization.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. food chain giant Panera Bread has begun notifying its employees of a significant data breach that occurred as a result of a ransomware attack in March 2024. The company, along with its franchises, operates 2,160 cafes under the names Panera Bread or Saint Louis Bread Co, spread across 48 states in the U.S. and Ontario, Canada. The Panera Bread data breach was disclosed in notification letters filed with the Office of California's Attorney General, where Panera detailed its response to what it termed a "security incident." Upon detecting the Panera Bread data breach, the company acted swiftly to contain it, enlisting external cybersecurity experts to investigate and inform law enforcement of the situation. The files involved were reviewed, and on May 16, 2024, we determined that a file contained your name and Social Security number. Other information you provided in connection with your employment could have been in the files involved. As of the date of mailing of this letter, there is no indication that the information accessed has been made publicly available," reads Panera's official notification.

Panera Bread Data Breach: Impact on Employees and Operations

The ransomware attack has had substantial repercussions on Panera's operations and its employees. Many of Panera's virtual machine systems were reportedly encrypted during the attack, leading to a significant outage that crippled internal IT systems, phones, point of sale systems, the company’s website, and mobile apps. During this outage, employees were unable to access their shift details and had to contact their managers to obtain work schedules. The stores faced further disruption as they could only process cash transactions, with electronic payment systems down. Additionally, the rewards program system was inoperable, preventing members from redeeming their points. The most concerning aspect of the breach for employees is the compromise of sensitive personal information. Panera has confirmed that files containing employee names and Social Security numbers were accessed. There is also the potential that other employment-related information was compromised. However, the company has assured employees that, as of the notification date, there is no evidence that the accessed information has been publicly disseminated. To mitigate the potential impact on affected individuals, Panera is offering a one-year membership to CyEx's Identity Defense Total, which includes credit monitoring, identity detection, and identity theft resolution services. This proactive measure aims to help employees safeguard their identities and respond swiftly to any signs of fraudulent activity.

The Bigger Picture: Unanswered Questions

Despite the detailed notifications to employees, Panera has yet to publicly disclose the total number of individuals impacted by the breach. The identity of the threat actors behind the ransomware attack also remains unknown. No ransomware group has claimed responsibility, which raises speculation that the attackers might be awaiting a ransom payment or have already received it. Moreover, Panera has not responded to requests for comment from The Cyber Express regarding the outage and the ransomware attack. This lack of communication leaves several critical questions unanswered, particularly about the measures being taken to prevent future incidents and the ongoing efforts to recover from the current breach.

Implications for Panera Bread Data Breach

The implications of this ransomware attack extend beyond the immediate disruption and data breach. Panera Bread's reputation is at stake, as customers and employees alike may question the company's ability to protect sensitive information. The operational disruptions also highlight vulnerabilities in the company’s IT infrastructure that need to be addressed to prevent similar incidents in the future. In response to the data breach, Panera has committed to enhancing its existing security measures. The company is likely to conduct a thorough review of its cybersecurity policies and practices to identify and address any gaps. Additionally, ongoing communication with employees and stakeholders will be crucial in rebuilding trust and ensuring that all affected parties are adequately supported. As the investigation continues, further details may emerge about the nature of the breach and the steps Panera is taking to strengthen its defenses.

Dordt University, a distinguished private Christian liberal arts college renowned for its reformed Christian perspective on education, has encountered a cybersecurity incident carried out by the BianLian ransomware group. The Dordt University data breach has listed a substantial amount of sensitive information online, leaving both the institution and its stakeholders in a state of vulnerability. The ramifications of this Dordt University data leak are profound, with a staggering revenue of $36.2 million and a data cache of approximately 3 terabytes compromised. Among the trove of exposed data are intricate financial records, personnel files, vital databases, internal and external email correspondences, incident logs, as well as comprehensive student profiles encompassing both local and international enrollees. 

Unverified Claims of Dordt University Data Breach

[caption id="attachment_77186" align="alignnone" width="1240"] Source: Dark Web[/caption] According to the threat actors, even minors' data has reportedly fallen prey to this Dordt University breach, alongside personally identifiable information (PII) and protected health records (PHI). Despite the gravity of the situation, official responses from Dordt University have yet to materialize, leaving the authenticity of the claims surrounding the Dordt University data leak in a precarious limbo.  Notably, the BianLian ransomware group seems to have targeted the database infrastructure rather than executing a frontal assault on the university's website, suggesting a meticulously orchestrated campaign targeting the institution's digital backbone.

The Rise of BianLian Ransomware Group

The BianLian ransomware group has carried out similar cyberattacks in the past and this Dordt University data leak has prompted a collaborative effort from cybersecurity agencies, including the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC), to disseminate crucial intelligence on the modus operandi of the BianLian ransomware and data extortion group. Originating in June 2022, BianLian has brazenly targeted critical infrastructure sectors in both the United States and Australia, leveraging tactics such as exploiting valid Remote Desktop Protocol (RDP) credentials and employing open-source tools for reconnaissance and credential harvesting. The evolution of BianLian's extortion tactics, transitioning from double-extortion encryption schemes to data exfiltration-based coercion since January 2023, highlights the escalating sophistication of cyber threats faced by modern organizations. In response, FBI, CISA, and ACSC have issued a joint cybersecurity advisory, urging critical infrastructure entities and small- to medium-sized organizations to fortify their defenses against ransomware groups by implementing robust mitigation strategies outlined in the advisory. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Borrer Executive Search, an AESC-accredited boutique search and selection firm headquartered in Lausanne, Switzerland, has allegedly fallen victim to the Eraleig ransomware. The attackers have issued a deadline of June 24, 2024, threatening to release 2.5MB of internal documents and agreements if their demands are not met. As of now, the specifics regarding the data compromised, the motives behind the Borrer Executive Search ransomware attack, and the extent of the breach remain undisclosed by the attackers. Upon inspecting the official website of Borrer Executive Search, no signs of foul play were detected, and the website remains fully functional. To further investigate the validity of these claims, The Cyber Express Team reached out to Borrer Executive Search officials for a statement. However, at the time of writing this report, no response was received, leaving the allegations unverified. [caption id="attachment_77181" align="aligncenter" width="1024"] Source: X[/caption]

Potential Implications of Borrer Executive Search Ransomware Attack

Borrer Executive Search is a specialized firm that operates on a retained and exclusive mandate basis. The company partners with corporate clients to identify, attract, and integrate top leadership talent. Their operations are not confined to Switzerland alone; they have a significant international presence, focusing on director, VP, and C-level positions in Global Operations (Supply Chain & Procurement), Commercial Leadership (General Management, Sales & Marketing), Finance, and HR. Given the high-profile nature of their clientele, which spans across Europe and potentially beyond, the implications of a verified ransomware attack could be far-reaching and severe. Should the ransomware attack be confirmed, Borrer Executive Search could face several significant consequences:

1. Data Breach and Confidentiality: The release of internal documents and agreements could lead to a breach of confidentiality agreements with clients. This could result in legal ramifications and a loss of trust among their client base.
2. Operational Disruption: Ransomware attacks can severely disrupt business operations, leading to downtime and a loss of productivity. For a firm that specializes in executive search, any delay in operations could mean missing out on critical placement opportunities and damaging its reputation for reliability and efficiency.
3. Financial Impact: Beyond the immediate ransom demand, the financial impact of a ransomware attack can be substantial. Costs associated with recovery, potential legal fees, and lost business opportunities can accumulate rapidly.
4. Reputational Damage: The mere association with a ransomware attack can tarnish the reputation of a firm, especially one that deals with high-profile clients and sensitive information. Clients may question the firm’s ability to safeguard their data, leading to potential loss of business.
5. Regulatory Scrutiny: Depending on the nature of the data compromised, Borrer Executive Search could find itself under the scrutiny of data protection authorities, especially given the stringent data privacy laws in Europe, such as the General Data Protection Regulation (GDPR).

Understanding Eraleig Ransomware

Eraleig ransomware is known for its sophisticated encryption techniques and its ability to inflict significant damage on targeted organizations. Typically, ransomware attacks aim to lock users out of their systems or encrypt valuable data, demanding a ransom for its release. The Eraleig strain is no different, often leaving victims with a stark choice: pay the ransom or risk having sensitive data leaked publicly. The threat to release 2.5MB of internal documents and agreements indicates a targeted approach, aimed at exerting maximum pressure on Borrer Executive Search by leveraging the potential exposure of confidential client information. The alleged ransomware attack on Borrer Executive Search, if verified, highlights a growing trend of cyberattacks targeting firms that handle significant amounts of sensitive data. The executive search industry, by its nature, deals with highly confidential information related to top-level corporate executives. The alleged ransomware attack on Borrer Executive Search is a developing story with potentially serious implications for the firm and its extensive client base. As we await further confirmation and details, the incident brings to light the critical importance of cybersecurity in protecting sensitive information and maintaining trust in the executive search industry. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A significant data breach has exposed the private information of more than 1,200 Baw Baw Shire residents who contacted customer service after-hours over a nearly two-year period, the Baw Baw Shire council revealed. The breach occurred at OracleCMS, a third-party call center contracted by the council to field inquiries outside normal business hours. It reportedly does not impact the council's own systems and databases.

Over 1,200 Baw Baw Shire Residents Affected

The exposed information includes customer contact details and call notes—dates from June 2014 to January 2016 when customers rang the council hotline during evenings, weekends and holidays. Calls made during the specified period had been automatically forwarded to OracleCMS call agents. It remains unclear precisely how the contractor failed to protect confidential constituent information or when the company first discovered the breach. Upon learning of the breach earlier this month, Baw Baw officials urgently contacted every affected resident—over 1,250 in total—through SMS messages and personal calls to vulnerable groups like the elderly. While the breach did not infiltrate Baw Baw's systems directly with the council's own systems, it represents a alarming security gap by a third-party vendor given access to constituents' sensitive information.

OracleCMS Provider Implicated in Other Breaches

Authorities are currently investigating the incident, which may have also impacted other clients of the Australia-based company. OracleCMS provides outsourced contact center services for an array of local governments and organizations. OracleCMS had previously been implicated in a long list of data breaches affecting several different cities in Australia. According to some official press release statements, OracleCMS appeared to initially downplay the incident. An earlier release from Merri-bek City Council stated:

OracleCMS informed Council in April that there had been a cyber security incident where identifiable information of customers had been compromised. Until last week we were informed that Council’s customer data was not involved. Council has now been informed that the OracleCMS data breach does include records of calls handled by OracleCMS on Council’s behalf. We take the privacy of our customers very seriously and we are taking urgent action to address this issue.

The OracleCMS data breach also affected some businesses such as several entities belonging to Nissan in the Australia and New Zealand region, such as Nissan Financial Services Australia Pty Ltd, Nissan Motor Co. Pty Ltd, Nissan Financial Services, New Zealand Pty Ltd and Nissan New Zealand Ltd.

OracleCMS subsequently suffered a data breach, which it was alerted to on 15 April 2024. This separate incident resulted in certain data which was held by OracleCMS, including the summary information Nissan provided to OracleCMS, being compromised and published on the dark web.

As cyberattacks surge, some have questioned whether outsourcing critical customer service channels renders individuals and businesses more vulnerable to data theft. The incident serves as reminder for governments and organizations to lock down vulnerabilities present in third-party vendors or tools while conducting regular security audits. Residents with concerns regarding the breach may contact Baw Baw Shire Council’s customer service line at +61 3 5624 2411. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The financially motivated UNC3944 threat group has shifted focus to data theft extortion from software-as-a-service applications but without the use of ransomware variants, which it is historically known for. UNC3944, also known as 0ktapus, Octo Tempest, Scatter Swine and Scattered Spider, is a financially motivated threat group that has demonstrated significant adaptability in its tactics since its inception in May 2022. According to Google-owned cybersecurity company Mandiant, the threat group has now evolved its strategies to include data theft from SaaS applications. It leverages cloud synchronization tools for data exfiltration, persistence mechanisms against virtualization platforms and lateral movement via SaaS permissions abuse, Mandiant said.

Data Theft Extortion Without Ransomware

UNC3944 initially focused on credential harvesting and SIM swapping attacks but over the years has transitioned to ransomware. Mandiant has now found evidence that shows the threat group has taken a further leap and now shifted primarily to data theft extortion without any ransomware deployment. UNC3944’s latest attack lifecycle often begins with social engineering techniques aimed at corporate help desks. Mandiant said the threat group gained initial access exploiting privileged accounts in multiple instances. The UNC3944 group used personally identifiable information (PII) such as Social Security numbers, birth dates and employment details likely scraped from social media profiles of the victims to bypass identity verification processes of help desks. They often claimed the need for a multi-factor authentication (MFA) reset due to receiving a new phone, enabling them to reset passwords and bypass MFA protections on privileged accounts.

“Evidence also suggests UNC3944 has occasionally resorted to fear mongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.” - Mandiant

Phase I of UNC3944’s Attack Lifecycle

The first phase of the threat group’s attack lifecycle includes:

• Social Engineering: UNC3944 conducted sophisticated social engineering attacks, leveraging extensive research on victims to gain help desk access.
• Credential Harvesting: Used SMS phishing campaigns to harvest credentials.
• Internal Reconnaissance: After gaining access, conducted reconnaissance on Microsoft applications like SharePoint to gather internal documentation on VPNs, VDI and remote work utilities.
• Privilege Escalation: Abused Okta permissions to self-assign roles and gain broader access to SaaS applications.

[caption id="attachment_77144" align="aligncenter" width="1024"] UNC3944 attack lifecycle (Source: Mandiant)[/caption]

Phase II of the Attack Lifecycle

In the second phase of UNC3944’s attack lifecycle, the threat group employed aggressive persistence methods through the creation of new virtual machines in environments like vSphere and Azure. They use administrative privileges to create these machines and configure them to disable security policies, such as Microsoft Defender, to avoid detection. A lack of endpoint monitoring allowed the group to download tools like Mimikatz, ADRecon, and various covert tunneling utilities like NGROK, RSOCX and Localtonet to maintain access to the compromised device without needing VPN or MFA. UNC3944 has previously deployed Alphv ransomware on virtual machine file systems but Mandiant said since the turn of 2024, it has not observed ransomware deployment by this threat group.

Focus Shifts to SaaS Applications

The novel shift in UNC3944’s targeting is its exploitation of SaaS applications to gain further access and conduct reconnaissance.

“Mandiant observed access to such applications as vCenter, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and GCP.”

Once the threat group gained access to any of the SaaS applications, they then used endpoint detection and response tooling to test access to the environment and further used tools like Airbyte and Fivetran to exfiltrate data to attacker-owned cloud storage.

Advanced Techniques of Phase II

Some of the advanced techniques demonstrated by UNC3944 in phase two of the attack lifecycle includes: ADFS Targeting: Exporting Active Directory Federated Services certificates to perform Golden SAML attacks for persistent cloud access. Data Exfiltration: Using cloud synchronization utilities to move data from SaaS platforms to external cloud storage. Endpoint Detection and Response (EDR): Creation of API keys in CrowdStrike’s console for executing commands and further testing access. Anti-Forensic Measures: UNC3944 employed anti-forensic techniques to obscure their activities. They use publicly available utilities to reconfigure virtual machines, disable logging, and remove endpoint protections. The attackers also used ISO files like PCUnlocker to reset local administrator passwords and bypass domain controls.

Abuse of M365 Delve Feature

Mandiant observed advanced M365 features like Microsoft Office Delve being used for data reconnaissance by UNC3944 for uncovering accessible data sources. Delve offers quick access to files based on group membership or direct sharing and shows personalized content recommendations from M365 sources and mapping organizational relationships. While this feature is useful for collaboration, UNC3944 exploited Delve for rapid reconnaissance, identifying active projects and sensitive information by recent modification. These resources typically lack sufficient security monitoring and logging. Traditional security controls, like firewalls and network flow sensors, are ineffective for detecting large data transfers from SaaS platforms. Identifying data theft with traditional logs is challenging, and real-time detection remains difficult with historical log analysis. The storage of sensitive data in SaaS applications poses significant risks that is often overlooked due to the perceived security of SaaS models. UNC3944 exploited these weaknesses and took advantage of inadequate logging and monitoring to perform data theft undetected.

Recommended Mitigation Steps

Mandiant researchers recommended a number of controls to protect against the threat group's tactics:

• Implement host-based certificates and MFA for VPN access to ensure secure connections.
• Have stricter conditional access policies and limit visibility and access within cloud tenants.
• Have enhanced monitoring through centralized logs from SaaS applications and virtual machine infrastructures to detect suspicious activities.
• Ensure comprehensive logging for SaaS applications to detect signs of malicious intent.

The Toronto District School Board is investigating a recent ransomware attack that affected its testing environment. The Toronto board is Canada's largest school board, serving approximately 238,000 students across 600 schools in the city of Toronto. The board stated that it had taken immediate action and launched an investigation upon becoming aware of possible intrusion.

Toronto District School Board's Investigation Underway

The school board stated that the incident had affected its testing environment, which had been used to evaluate new technology and programs before being deployed on systems. The board's cybersecurity team had taken immediate action upon discovering the incident, securing systems and preserving data. The Toronto District School Board had notified details of the incident to the Toronto police and the Information and Privacy Commissioner of Ontario. [caption id="attachment_77136" align="alignnone" width="2800"] Source: www.tdsb.on.ca[/caption] In its letter of notification sent to parents and guardians, the Toronto District School Board stated that it had launched an investigation with the aid of third-party experts to fully assess the nature and scope of the incident. This includes potential compromise of its networks or breach of sensitive personal information. [caption id="attachment_77137" align="alignnone" width="1770"] Source: www.tdsb.on.ca[/caption] The letter added, "If it is determined that any personal information has been impacted, we will provide notice to all affected individuals. We understand that news of a cyber incident is concerning, but please know that we are doing everything possible to learn more about what occurred and address this situation.

Impact Unknown; More Details Expected Soon

Despite the attack, the district school board's systems remained fully operational and functional. While only the school's testing environment had been affected, Humber College cybersecurity expert Francis Syms remained concerned over the incident, as personal information is sometimes used on test environments. He added that test environments are usually not secured by multifactor authentication, potentially making data easier to access. However, he admitted that he was not aware of the testing system being used, as he was not part of the investigation team. The Toronto District School Board did not clarify whether the testing environment or its data contained any personal information. Ryan Bird, a spokesperson from the school district board, disclosed to CityNews Toronto that the full extent of the breach was unknown, or if any personal data had been compromised in the attack, but further details would be revealed by the end of the day. The Cyber Express team has reached out to the Toronto District School Board for further details and investigation results, but no responses have been received as of yet. Toronto's cybersecurity defenders have observed an uptick in cyberattacks in recent years, from both financially-motivated hackers and 'hacktivists' disrupting public systems. Some attacks occur during sensitive times such as elections, global conflicts, or visits by foreign leaders. However, ransomware attacks remain the most common form of attacks. City officials have been working with several agencies to rebuild trust in the safety of public systems and services. Charles Finlay, Toronto resident and executive director at Rogers Cybersecure Catalyst, had earlier stated to the Toronto Star, “I think the city has to be more forthcoming about what it is doing to ensure that those services are secure from cyber-attacks.” The City had witnessed several attacks on its public institutions such a Cl0p ransomware intrusion into the  City of Toronto's computer systems as well as an attack last year on the Toronto Public Library's computer systems. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Microsoft’s cybersecurity efforts have been roundly criticized in recent months, and despite pledges to do better, the company has compounded the problem with missteps like the Copilot+ Recall rollout. Microsoft security controls came under scrutiny in April with the release of a U.S. Cyber Safety Review Board (CSRB) report that detailed “a cascade of security failures at Microsoft” that allowed threat actors linked to China to access “the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China” in a July 2023 attack. Rather than make good on pledges to make cybersecurity a top priority, Microsoft followed with the cybersecurity equivalent of an own goal when it pushed ahead with the new Windows Recall screen recording feature despite the concerns of security and privacy advocates that the company belatedly tried to address. Late today, Microsoft announced that it will delay the Recall feature for further testing. The House Committee on Homeland Security held a hearing today to address the CSRB report and Microsoft security in general, with Microsoft President Brad Smith the sole witness. The hearing, titled “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security,” came on the same day that Pro Publica published a report detailing years of Microsoft security failings that led up to the massive 2021 SolarWinds breach.

Congressional Leaders Call for ‘Responsibility’ and ‘Accountability’

In his opening remarks, House Homeland Security Chairman Mark Green (R-TN) called the CSRB report “extremely concerning,” and spoke of the need of “restoring the public trust” in the security of Microsoft products. “China and Russia, Beijing and Moscow, are watching us right now,” he cautioned, underscoring the stakes of the hearing while offering to move any sensitive questions to a secure environment. Ranking member Bennie Thompson (D-MS) stressed that “It is not the committee’s goal to shame or discredit” Smith and Microsoft, but to improve security and accountability at the vendor that supplies 85% of federal government productivity tools. Thompson noted the Recall rollout and Pro Publica article in his comments, calling “even more troubling” Smith’s 2021 claim before Congress that no Microsoft vulnerability was exploited in the SolarWinds attack. Green and Thompson weren’t the only committee members taking a firm tone with Microsoft, as almost every member did the same in their allotted time for questioning. Lou Correa (D-CA), for example, said he was “beyond shocked” at the security revelations in the CSRB report and elsewhere.

Microsoft President Smith Pledges Action

Perhaps anticipating a rough reception from lawmakers, Smith struck a conciliatory tone in his written and spoken testimony to the committee. “Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” Smith said. “Without equivocation or hesitation. And without any sense of defensiveness. But rather with a complete commitment to address every recommendation and use this report as an opportunity and foundation to strengthen our cybersecurity protection across the board.” Smith said the company is making cybersecurity part of senior executive bonus calculations and employee reviews as part of the its goal of “empowering and rewarding every employee to find security issues, report them, help fix them, and encourage broader learning from the process and the results. This requires that we incorporate this security work as an indispensable and integrated element in every aspect of the company’s engineering processes.” [caption id="attachment_77142" align="alignnone" width="750"] Microsoft President Brad Smith testifying before House Homeland Security Committee[/caption] To that end, Smith said the company has added 1,600 more security engineers this fiscal year, “and we will add another 800 new security positions in our next fiscal year.” Senior-level Deputy CISOs at Microsoft have been tasked with expanding “oversight of the various engineering teams to assess and ensure that security is ‘baked into’ engineering decision-making and processes.” Smith said cyberattacks in general have become a massive problem: “the pace of attacks has increased to the point where there is now constant combat in cyberspace,” he said. “Not just every day, but literally every second. Microsoft alone detects almost 4,000 password-based attacks against our customers every second of every day.”

Microsoft Security Plans

Smith said Microsoft has mapped all 16 of the CSRB recommendations applicable to Microsoft “to ensure that we are addressing them” as part of the company’s Secure Future Initiative. The company is “actively in the process of transitioning both our consumer and enterprise identity systems to a new hardened key management system that leverages hardware security modules for the storage and generation of keys. We are rolling out proprietary data and corresponding detection signals at all places where tokens are validated. And we have made significant progress on Automated and Frequent Key Rotation, Common Auth Libraries, and Proprietary Data used in our token generation algorithm.” Smith’s written testimony outlined six “pillars” for improving security: Protect Identities and Secrets: Microsoft plans to implement and enforce “best-in-class standards across our infrastructure that manages identities and sensitive information such as passwords ('secrets'), to ensure that only the right people and applications access the right resources.” Protect Tenants and Isolate Production Systems: The company pledges to “continuously validate isolation of production systems – including those upon which we operate the Microsoft Cloud.” Protect Networks: Microsoft will “Continuously improve and implement best-in-class practices to protect Microsoft production networks.” Protect Engineering Systems: The company said it will work to “Continuously improve our software supply chain and the systems that enable Microsoft engineers to develop, build, test, and release software, thereby protecting software assets and improving code security.” Monitor and Detect Threats: This initiative calls for Microsoft to improve “coverage and automatic detection of ever evolving threats to Microsoft production infrastructure and services, accelerating actioning against those threats.” Accelerate Response and Remediation: Speeding incident response and remediation is the final pillar, so “when we learn of vulnerabilities in our offerings or our infrastructure, to be even more comprehensive and timely and better prevent exploitation of those vulnerabilities.” Updated to reflect the delay in the Recall rollout.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a recent impersonation scam in which scammers posed as its representatives and employees. Fraudsters in the campaign may extort money in various ways, such as bank transfers, gift cards or cryptocurrency payments.

CISA Impersonation Scam

The spammers behind the campaign make phone calls to victims in which they claim to be contacting targets on behalf of CISA; they then ask victims to share personal information or money under the guise of protecting their accounts from unauthorized activity. Fraudsters may also direct victims to download additional software or click on links to "verify" their identity. However, CISA confirmed that it would never make such demands. "CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret," CISA warned. Possible red flags to watch out for:

• Unsolicited phone calls that claim to be from CISA.
• Callers requesting personal information, such as passwords, social security numbers, or financial information.
• Callers demanding payment or transfer of money to "protect" your account.
• Callers creating a sense of urgency or pressuring you to take immediate action.

If you're targeted by a CISA impersonation scam, here's what you should do:

• Do not pay the caller.
• Take record of  the numbers used.
• Hang up the phone immediately while ignoring further calls from suspicious numbers.
• Report the scam to CISA by calling (844) SAY-CISA (844-729-2472).

FTC Observes Uptick in Impersonation Scams

The CISA impersonation scam is a recent example of the rise in impersonation fraud targeting both businesses and government agencies. According to the latest data from the Federal Trade Commission (FTC), the number of such scams has increased dramatically in recent years, and cost consumers more than $1.1 billion in 2023 alone. The FTC report showed that in 2023, the agency received more than 330,000 reports of fraud posing as a business and almost 160,000 reports of fraud posing as a government. Collectively, these incidents account for almost half of all fraud cases reported directly to the FTC. "The financial injury is breath-taking – and cash-taking," the FTC quipped in its Spotlight. It further added, "Reported losses to impersonation scams topped $1.1 billion in 2023, more than three times what consumers reported in 2020." While fraudsters employ various types of scams, the FTC noted that the below types accounted for nearly half of the reported/observed scams in 2023:

1. Copycat account security alerts: Scams that pretend to impersonate legitimate services such as Amazon while purporting to be about unauthorized activity or charges to their account.
2. Phony subscription renewals: Usually email notices that alert targets of auto-renew charges to various online services.
3. Fake giveaways, discounts, or money to claim: Fake rewards or winnings that claim to originate from legitimate providers such as internet providers or large retailers.
4. Bogus problems with the law: Scammers try to deceive targets into believing that their identity had been used to commit heinous crimes such as money laundering or the smuggling of drugs.
5. Made-up package delivery problems: Messages that alert you of fake delivery problems with legitimate delivery services such as the U.S. Postal Service, UPS, or FedEx.

To avoid such scams, the FTC has advised consumers to not click on unexpected links or messages, avoid scenarios where gift cards are offered as an option to fix problems, and scrutinize urgent offers and claims. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In the aftermath of the Synnovis ransomware attack that struck last week, London hospitals continue to struggle to deliver patient care at an optimal level. The attack on the pathology services provider has brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day, according to Synnovis.

“Urgent requests are severely restricted at around 400 a day. Historically primary care and community services have generated around 10,000 samples a day for testing, which gives you an idea of the scale of the impact.” - Synnovis

Services including blood transfusions reportedly remain severely disrupted at Guy's and St Thomas' Hospital and King's College Hospital. Both hospitals are experiencing disruption of pathology services, particularly blood tests.

Blood Testing Severely Impacted After Synnovis Ransomware Attack

The biggest challenge that Synnovis is currently facing is that all its automated end-to-end laboratory processes are offline since all IT systems have been locked down in response to the ransomware attack. “This means we are having to log all samples manually when they arrive, select each test manually on analyzers and, once tests have been processed, type in each result on the laboratory’s computer system (the Laboratory Information Management System - LIMS),” Synnovis said. And this is not the end of it. Synnovis then must manually deliver these results to the Trust’s IT system so that the results can be further electronically submitted back to the requester. But since the Synnovis’ LIMS is presently disconnected from the Trusts’ IT systems, “this extensive manual activity takes so much time that it severely limits the number of pathology tests we can process at the moment,” Synnovis explained. The pathology service provider normally processes around 10,000 primary care blood samples a day, but at the moment is managing only up to 400 from across all six boroughs. “Despite the measures we know colleagues are taking to prioritize the most urgent samples, we are receiving many more than we can process and we have an increasing backlog,” Synnovis said. The lab services provider last week was able to process around 3,000 Full Blood Count samples but could not export results due to the lack of IT connectivity. “Of those tests processed, we have phoned through all results that sit outside of critical limits, however, we have been unable to return any results electronically and are unlikely to be able to do so,” Synnovis said. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this week to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.

Will Process only 'Clinically Critical' Blood Samples

To manage the inadequacy of the services, the service provider is momentarily only accepting blood samples that the requesting clinician considers to be “clinically critical.” Clinicians need to consider a test as “critical” only if a test result is needed within 24 hours to determine a patient’s urgent treatment or care plan. “As experts, your clinical view of what is considered ‘critical’ will be accepted by the laboratory, but we urge you to apply this definition carefully, given the severe capacity limitations we are facing,” Synnovis recommended. [caption id="attachment_77097" align="aligncenter" width="1024"] Source: Synnovis[/caption] The pathology service provider is also working with NHS Trust to install laptops at the hub laboratory, which will give them access to the Trust IT systems to return test results electronically.

Caregivers Working Overtime

Doctors and caregivers at Guy's and St Thomas' Hospital and King's College Hospital have been putting in extra hours since the Synnovis ransomware attack disrupted services last week. But this is not enough, as KCH has already cancelled some of its operations and is working only at about 70% capacity. Three of its 17 operating theatres remain shut, BBC reported.

A threat actor on a dark web forum has listed data from Truist Bank for sale following a cyberattack on the banking institution. Meanwhile, Kulicke and Soffa Industries, Inc. (K&S) is also dealing with a data breach. Reports indicate that Truist Bank client data, including sensitive information such as employee details and bank transactions, has been put up for sale on the dark web. The alleged Truist Bank data leak is attributed to a threat actor known as Sp1d3r. The data, reportedly obtained via the Snowflake breach, raises questions about the security measures in place at Truist Bank.

Truist Bank Data Breach Allegedly Goes on Sale on Dark Web

According to the threat actor’s post, the Truist Bank data breach is now selling for $1 million. The compromised data includes details of 65,000 employees, bank transactions containing names, account numbers, balances, and the source code for IVR funds transfers. [caption id="attachment_77051" align="alignnone" width="595"] Source: Dark Web[/caption] The post by the threat actor provides specific information about the data for sale and contact details for purchase. Additionally, the post includes various usernames, threads, reputation points, and contact information such as XMPP handles and email addresses associated with the threat actor. Meanwhile, Kulicke and Soffa Industries, a renowned semiconductor and electronics manufacturing company, disclosed a breach compromising millions of files. Initially detected on May 12, 2024, the breach exposed critical data, including source codes, engineering information, and personally identifiable information.

Two Cybersecurity Incidents at Once

In response to the Kulicke and Soffa data breach, K&S swiftly initiated containment measures in collaboration with cybersecurity experts and law enforcement agencies. The company's cybersecurity team worked diligently to isolate affected servers and prevent further intrusion. Despite the breach, K&S remains committed to safeguarding its systems and data integrity. In a filing with the U.S. Securities and Exchange Commission (SEC), K&S detailed its efforts to mitigate the impact of the breach. The company assured stakeholders that, as of the filing date, the incident had not materially disrupted its operations. However, investigations are ongoing to ascertain the full extent of the breach and increase the cybersecurity measures in place. The Truist Bank data breach and the Kulicke and Soffa cyber incident highlight the persistent threat of cyberattacks faced by organizations worldwide. While both entities are actively addressing the breaches, the incidents highlight a broader case of cybersecurity measures and their impact in safeguarding sensitive information and maintaining trust in the digital age. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Life360 Inc., the parent company of Tile, has recently disclosed that it was the victim of a criminal extortion attempt involving stolen customer data. The incident, the Life360 data breach, which was communicated by CEO Chris Hulls, highlights the growing threat of cyberattacks targeting companies that handle large amounts of user information. Chris Hulls, CEO of Life360 Inc., provided details about the extortion attempt in an official release: "Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt. We received emails from an unknown actor claiming to possess Tile customer information." Upon receiving these emails, Life360 swiftly initiated an investigation. The company detected unauthorized access to a Tile customer support platform, though notably, the breach did not affect the Tile service platform itself. The compromised data includes customer names, addresses, email addresses, phone numbers, and Tile device identification numbers. Crucially, it does not include sensitive information such as credit card numbers, passwords, log-in credentials, location data, or government-issued identification numbers, as these were not stored on the affected support platform. "We believe this incident was limited to the specific Tile customer support data described above and is not more widespread," Hulls assured. We take this event and the security of customer information seriously. We have taken and will continue to take steps designed to further protect our systems from bad actors, and we have reported this event and the extortion attempt to law enforcement. We remain committed to keeping families safe online and in the real world."

About Tile and Life360

Tile, much like Apple's AirTag, produces small Bluetooth-enabled devices that help users locate and track items such as keys, wallets, and bags. These devices work in conjunction with a mobile app, allowing users to find lost items using sound alerts or by viewing the last known location of the Tile tracker on a map. Tile is a subsidiary of Life360, the leading connection and safety app used by one in nine U.S. families. With over 66 million members, Life360 offers driving, location, and digital safety features that keep loved ones connected. The app's extensive user base makes the implications of any data breach potentially far-reaching.

Implications of the Life360 Data Breach

While the Life360 data breach did not include highly sensitive data, the exposure of personal information such as names, addresses, and phone numbers can still have significant implications. Such data can be used for targeted phishing attacks, identity theft, and other malicious activities. The breach highlights the importance of cybersecurity measures, particularly for companies managing large databases of personal information. Life360's swift response to the incident and its cooperation with law enforcement demonstrates the company's commitment to transparency and user security.

Moving Forward

In response to the breach, Life360 has reiterated its commitment to enhancing its security infrastructure and safeguarding user information. The company is taking proactive steps to prevent future cybersecurity incidents, including strengthening its cybersecurity protocols and continuing to monitor its systems for potential vulnerabilities. "We remain committed to keeping families safe online and in the real world," Hulls emphasized. The company’s prompt action and transparent communication are crucial in maintaining user trust and addressing concerns related to the breach.

The city of Dubai, known for its affluence and wealthy residents, has allegedly been hit by a ransomware attack claimed by the cybercriminal group Daixin Team. The group announced the city of Dubai ransomware attack on its dark web leak site on Wednesday, claiming to have stolen between 60-80GB of data from the Government of Dubai’s network systems. According to the Daixin Team's post, the stolen data includes ID cards, passports, and other personally identifiable information (PII). Although the group noted that the 33,712 files have not been fully analyzed or dumped on the leak site, the potential exposure of such sensitive information is concerning. Dubai, a city with over three million residents and the highest concentration of millionaires globally, presents a rich target for cybercriminals. [caption id="attachment_77008" align="aligncenter" width="504"] Source: Dark Web[/caption]

Potential Impact City of Dubai Ransomware Attack

The stolen data reportedly contains extensive personal information, such as full names, dates of birth, nationalities, marital statuses, job descriptions, supervisor names, housing statuses, phone numbers, addresses, vehicle information, primary contacts, and language preferences. Additionally, the databases appear to include business records, hotel records, land ownership details, HR records, and corporate contacts. [caption id="attachment_77010" align="aligncenter" width="1024"] Source: Dark Web[/caption] Given that over 75% of Dubai's residents are expatriates, the stolen data provides a treasure of information that could be used for targeted spear phishing attacks, vishing attacks, identity theft, and other malicious activities. The city's status as a playground for the wealthy, including 212 centi-millionaires and 15 billionaires, further heightens the risk of targeted attacks.

Daixin Team: A Persistent Threat

The Daixin Team, a Russian-speaking ransomware and data extortion group, has been active since at least June 2022. Known primarily for its cyberattacks on the healthcare sector, Daixin has recently expanded its operations to other industries, employing sophisticated hacking techniques. A 2022 report by the US Cybersecurity and Infrastructure Security Agency (CISA) highlights Daixin Team's focus on the healthcare sector in the United States. However, the group has also targeted other sectors, including the hospitality industry. Recently, Daixin claimed responsibility for a cyberattack on Omni Hotels & Resorts, exfiltrating sensitive data, including records of all visitors dating back to 2017. In another notable case, Bluewater Health, a prominent hospital network in Ontario, Canada, fell victim to a cyberattack attributed to Daixin Team. The attack affected several hospitals, including Windsor Regional Hospital, Erie Shores Healthcare, Chatham-Kent Health, and Hôtel-Dieu Grace Healthcare. The Government of Dubai has yet to release an official statement regarding the ransomware attack. However, on accessing the official website of the Dubai government, no foul play was sensed as the websites were fully functional. This leaves the alleged ransomware attack unverified. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A notorious Chinese hacking group has reportedly gone on a cyber offensive against South Korea and targeted most of the country’s Government and financial sites. The CyberDragon hacking group has a mixture of Chinese and Russian ties and has been critically targeting countries that have been condemning Russia for the ongoing war in Ukraine. South Korea President Yoon Suk Yeol had recently confirmed his country's participation in a Ukraine peace summit in Switzerland this weekend to rally support for the country ending its war with Russia. Last year, Seoul had increased its Ukraine Aid package to $394 Million For 2024.

Government, Financial Sites Attacked by CyberDragon Hacking Group

Irked by its support being garnered against Russia, CyberDragon launched an extensive cyberattack on key South Korean sites and criticized the country for its alleged promotion of Russophobia. In its post on darkweb, CyberDragon said, “We are joining the “South Korean Company”. This is a country that has long been promoting Russophobia by supporting the Kyiv regime.” The list of websites reportedly targetted by CyberDragon include: Shinhan Financial Group: It was founded in September 2001 and is one of South Korea's big five financial groups. Its subsidiaries provide a full range of financial services, including banking, securities, life insurance, and investment banking. State Korean Import-Export Bank KEXIM:  The Export-Import Bank of Korea, also commonly known as the Korea Eximbank (KEXIM), is the official export credit agency of South Korea. The bank was first established in 1976. Its primary purpose is to support South Korea's export-led economy by providing loans, financing mega projects and thereby facilitating economic cooperation with other countries. [caption id="attachment_77014" align="alignnone" width="1600"] Home Page of Korea Eximbank[/caption] Korea Customs Service: The Korea Customs Service was established in 1970 and is one of tax organizations in South Korea and is run under the Ministry of Economy and Finance. The headquarters is in Seo District, Daejeon. Korean National Police: The Korean National Police Agency (KNPA), also known as the Korean National Police (KNP), is one of the national police organizations in South Korea. It is run under the Ministry of the Interior and Safety and is headquartered in Seodaemun, Seoul. National Tax Service: It is the tax organization in South Korea and is run under the Ministry of Economy and Finance. Its headquarters is in Sejong City. Like many of the previous attacks carried out by the Cyberdragon hacking group, it is unclear if sensitive data of the organisations listed above was compromised. Prima Facie, it looks like the group carried out a DDoS attack meant to disrupt the platform’s services. None of the organizations have publicly responded to the alleged breach. Most of the organizations too seem to have restored the functioning of its websites, hours after the group claimed to have carried out a cyberattack.

Previous Operations by CyberDragon Hacking Group

The CyberDragon group gained popularity after it took down the website and app for almost 24 hours after a massive data breach in March 2024. CyberDragon had then posted evidence of the attack on its TOR platform but LinkedIn didn’t comment on the attack. The peculiar hacking actor has both Chinese and Russian ties. It carries out cyberattacks with many pro-Russian hackers and most of its statements are posted in Russian. Both China and Russia are global allies and the targets of CyberDragon indicate their ideological and political affiliations. This scenario is, however, not new in the cybercrime world. Organizations around the world must deal with the fallout of cyberattacks by groups like CyberDragon. Their attacks indicate why it is crucial to remain vigilant and implement stringent security measures against cyberattacks.

Grand Traverse County, Michigan, finds itself at the center of a cyber crisis as authorities investigate a ransomware attack that has disrupted operations in public offices across the county and the City of Traverse City. The Grand Traverse County cyberattack began when county officials noticed "network irregularities" at 6:06 a.m. on Wednesday, prompting swift action from the IT Department and county leadership.  As a precautionary measure, both county and city offices were taken offline to assess the situation and prevent further damage.

Decoding the Grand Traverse County Cyberattack

Subsequent investigations confirmed the severity of the cyberattack on Grand Traverse County, leading officials to label it as a ransomware attack. Collaboration between Grand Traverse County, Michigan State Police, FBI, and liability providers is underway to comprehend the scope of the attack and plan a strategic response. As of now, there's no confirmation of data transfer, but a thorough investigation is ongoing to safeguard the integrity of the system. While disruptions are inevitable, emergency services such as 911, law enforcement, and fire operations remain operational, ensuring public safety amid the crisis. Nate Alger, Grand Traverse County Administrator, assured the public of swift action, stating, "Our IT Department acted promptly to isolate the incident and shut down affected networks to contain the threat. We're working closely with our partners to minimize disruptions and resolve the situation efficiently."

The Aftermath of the Cyberattack Grand Traverse County 

The impact of the cyberattack on Grand Traverse County extends to in-person customer services at county and city offices, particularly those reliant on network connectivity. Citizens are urged to postpone non-urgent in-person payments at the treasurer's offices, although online payment services remain unaffected and secure. Despite the challenges posed by the attack, the county and city websites remain accessible, hosted on separate servers to ensure uninterrupted public access to essential information and services. While the situation unfolds, authorities are deploying alternative measures and collaborative efforts to mitigate the impact and restore services promptly. Grand Traverse County remains resilient in the face of adversity, prioritizing the safety and well-being of its residents throughout the recovery process. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Grand Traverse County cyberattack or any additional information from the county. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The St. Petersburg International Economic Forum (SPIEF 2024) was reportedly targeted by a siege from a prolonged cyberattack. The SPIEF 2024 cyberattack, orchestrated by the IT Army of Ukraine, unfolded over a four-day period, commencing on June 5 and culminating on June 8, 2024. This brazen act of digital aggression targeted not only the SPIEF but also its cybersecurity guardian, Solar SC, a state-owned enterprise specializing in safeguarding information assets. The modus operandi of the cyberattack on SPIEF 2024 primarily involved a barrage of Distributed Denial of Service (DDoS) assaults, with the intensity reaching a staggering 200,000 malicious requests per second. 

IT Army of Ukraine Claims SPIEF 2024 Cyberattack

[caption id="attachment_76981" align="alignnone" width="1000"] Source: Dark Web[/caption] The claim of responsibility was boldly asserted by the IT Army of Ukraine through their Telegram channel. Their message, accompanied by a tone of defiance, boasted of rattling the nerves of their adversaries, even if the anticipated "big bang" did not materialize. Meanwhile, amidst the chaos, there emerged reports of Samara students joining the ranks of cyber vigilantes, highlighting the growing complexity of cybersecurity challenges faced by nations worldwide. The impact of this SPIEF 2024 cyberattack beyond the St. Petersburg International Economic Forum itself, affecting Solar SC and its crucial role in fortifying the forum's digital infrastructure. The ramifications reverberated not only across the Russian Federation but also rippled through Europe and the UK, highlighting the interconnected nature of contemporary cyber warfare.

More Cyberattacks to Counter

In response to inquiries regarding the authenticity of these claims, Solar SC's General Director, Igor Lyapunov, reassured the public that despite the relentless onslaught, the forum's infrastructure remained resilient. The collaborative efforts of cybersecurity experts successfully repelled all attacks, safeguarding the integrity and functionality of SPIEF's digital ecosystem. However, concerns linger as to the broader implications of such cyber incursions, particularly in an era where economic forums serve as pivotal platforms for global cooperation and exchange. The sophistication and audacity demonstrated by threat actors underscore the pressing need for better cybersecurity measures and international collaboration to mitigate future risks. The Cyber Express reached out to SPIEF organizers for further insights into the incident and the authenticity of the IT Army of Ukraine's claims. As of the time of reporting, no official statement has been issued, leaving the allegations surrounding the SPIEF 2024 cyberattack unconfirmed. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Ascension, a leading healthcare provider, has made significant progress in its investigation and recovery efforts following a recent cyberattack. With the help of third-party cybersecurity experts, Ascension has identified the extent of the Ascension cyberattack and the steps needed to protect affected individuals. Ascension reports that attackers managed to steal files from a few servers within its network. Specifically, seven out of approximately 25,000 servers, primarily used by associates for daily tasks, were compromised. These servers might contain Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals. "We now have evidence that attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks. Though we are still investigating, we believe some of those files may contain PHI and PII for certain individuals, although the specific data may differ from individual to individual," said an Ascension spokesperson.

What Caused Ascension Cyberattack?

The cyberattack on Ascension was traced back to an innocent mistake by an employee who accidentally downloaded a malicious file, mistaking it for a legitimate one. "We have also identified how the attacker gained access to our systems. An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything but an honest mistake," informed the spokesperson. This incident highlights the importance of continuous cybersecurity training and vigilance among all employees to prevent such occurrences in the future. Ascension has assured its patients and associates that there is no evidence suggesting any data was taken from the Electronic Health Records (EHR) system or other clinical systems where comprehensive patient records are securely stored. This means the most sensitive health information remains uncompromised, providing some relief amidst the ongoing investigation.

Ongoing Review and Protective Measures

Ascension is currently conducting a detailed review and analysis of the potentially impacted files to determine precisely what data was affected and identify the individuals involved. This meticulous process is expected to take considerable time due to the volume and complexity of the data. In the meantime, Ascension is taking proactive steps to protect its patients and associates. The healthcare provider is offering free credit monitoring and identity theft protection services to all patients and associates, regardless of whether their data is eventually found to be compromised. This service is intended to provide immediate peace of mind and mitigate potential risks from the Ascension data breach. Individuals who wish to enroll in these protective services are encouraged to contact Ascension's dedicated call center at 1-888-498-8066.

Commitment to Transparency and Legal Compliance

Ascension remains committed to transparency throughout this investigation. While specific details regarding whether an individual's data was affected cannot be provided, Ascension pledges to follow all applicable laws and regulations related to data breach notifications. "We encourage all Ascension patients and staff who are concerned to take advantage of these services. We want to be clear that this offer does not mean we have determined that any specific individual patient’s data has been compromised. Rather, it illustrates our desire to do everything possible to reassure our patients and associates, regardless of any impact to specific individuals’ data," the spokesperson explained. "Once our data analysis is complete, we are committed to following all applicable laws and regulations to notify affected individuals and the appropriate regulatory bodies. To our patients, associates, and the communities we serve, we regret any disruption or concern you may have experienced as a result of this incident," the spokesperson added.

Background and Impact of Cyberattack on Ascension

On May 10, The Cyber Express reported that Ascension faced disruptions in clinical operations due to a cyberattack that prompted the organization to take some of its systems offline. Operating in 19 states and the District of Columbia, Ascension oversees 140 hospitals and 40 senior care facilities. It also boasts a significant workforce of 8,500 providers, 35,000 affiliated providers, and 134,000 associates. In 2023, Ascension’s total revenue amounted to $28.3 billion. Given its substantial revenue and widespread operations, the impact of this cyberattack was significant. The organization detected unusual activity on select technology network systems, prompting an immediate response, investigation initiation, and activation of remediation efforts. Due to the cyberattack, Ascension advised its business partners to temporarily sever connections to its systems as a precautionary measure and stated it would notify partners when it is safe to reconnect. The cyberattack on Ascension disrupted clinical operations, prompting an investigation into the extent and duration of the disruption.

A threat actor that goes by the name “enlared” surfaced on a dark web forum, offering a hacked method for online advertising: a "New Click Fraud Software for Google ADS." Priced at $700 per license, this software is promoted as an aggressive marketing tool for online fraud and taking down competitors.  The new click fraud software, according to the threat actor, had a bunch of practical features that go beyond conventional marketing practices. Specifically, the threat actor claims that the software can drain the competitor's budget and release multiple attacks.  “Tired of your competitors beating you on Google ADS? Want to level the playing field and drain their advertising budget? We have the perfect solution for you!”, reads the threat actor post. 

Understanding the New Click Fraud Software for Google Ads

The new click fraud software offers a range of features aimed at fraudsters and creating a hack in the competitive realm of online marketing. Its functionalities include location search change, allowing users to simulate clicks from different geographical areas to bypass detection algorithms used by advertising platforms.  Additionally, the software utilizes a network of proxies to generate clicks from multiple IP addresses, ensuring user anonymity. Users can also target specific ad domains and customize campaigns by selecting keywords, maximizing their campaigns' impact and relevance.

How It Operates and Pricing

The software integrates a user-friendly interface, facilitating quick setup and configuration in a matter of minutes. Users have full control over the parameters of their campaigns, from defining target locations and domains to specifying keyword targets. The results are immediate, says the threat actor, with competitors witnessing a rapid depletion of their advertising budgets as the software executes its strategy with ruthless efficiency. Additionally, the new click fraud software offers remote desktop demonstrations, providing potential buyers with a glimpse into the tool's potency before making a purchase decision. Priced at USD 700 per license, the software offers a compelling hack proposition for businesses seeking to gain an edge in the world of online advertising. Escrow payments are accepted to ensure security for both parties involved in the transaction. With its arsenal of advanced features and promise of tangible results, the new click fraud software for Google Ads represents a darker method for competing in the online advertising game. As businesses vie for visibility and market share in an increasingly competitive online sphere, this dark web tool offers a means of cheating and targeting competitors for a very cheap price.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The notorious Monti ransomware has been sold to new owners. According to the actor's latest update, "This project was bought. It was bought because it suited our goals perfectly and did not have a bad reputation." The change in ownership and a shift in focus towards Western countries highlights a new approach towards ransomware. According to recent statements, the project has been acquired, with new owners expressing their intentions to revamp its infrastructure for future endeavors. In a cryptic post on their platform, the group hinted at upcoming developments, rallying for a collaborative effort to "build the future of the USA and Europe together."

Monti Ransomware Group and Change in Ownership

[caption id="attachment_76870" align="alignnone" width="938"] Source: Dark Web[/caption] This announcement follows a string of cyberattacks perpetrated by the Monti ransomware gang. Notably, a recent incident in the South of France targeted three prominent institutions simultaneously: the Pau-Pyrénées airport, the Pau business school, and the city's digital campus. These attacks, occurring overnight from May 12 to May 13, 2024, disrupted operations and raised concerns regarding cybersecurity vulnerabilities in critical sectors. While the affected institutions scrambled to mitigate the fallout, journalists uncovered insights from the Chamber of Commerce and Industry (CCI) shedding light on the situation. Despite assurances of minimal disruption to activities, the compromised digital infrastructure left a trail of compromised data, including sensitive documents and personal information of employees and students. The modus operandi of the Monti ransomware group draws parallels to its predecessors, notably the Conti ransomware, which ceased operations in May 2022. The emergence of Monti, with its similar tactics and techniques, suggests a strategic emulation aimed at exploiting the void left by Conti's absence.

A Deeper Dive into Monti Ransomware Group

A deeper dive into the Monti ransomware incident reveals a sophisticated operation orchestrated through the exploitation of vulnerabilities like the notorious Log4Shell. The attackers infiltrated networks, encrypted user desktops, and disrupted critical server clusters, leaving organizations grappling with the aftermath. Despite its relative obscurity, the Monti ransomware group has garnered attention within the cybersecurity community. Analysts speculate that the group's emulation of Conti's strategies may stem from the leaked trove of Conti's internal data, providing a blueprint for nefarious activities. As cybersecurity threats evolve, it becomes imperative for organizations to fortify their defenses and stay vigilant against threat actors like the Monti ransomware. Collaborative efforts between cybersecurity experts and stakeholders are essential to mitigate risks and safeguard critical infrastructures from malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Kaspersky researchers discovered widespread vulnerabilities in biometric terminals developed by ZKTeco, which are known to be deployed internationally. These flaws could be exploited by threat actors to bypass authentication, steal sensitive data, and even gain full control over affected terminals. The vulnerabilities pose a major risk, as these biometric terminals are often white-labeled to be sold under various brand names by multiple distributors. They are also widely used in high-security/sensitive environments, such as nuclear power plants, chemical plants or hospitals while storing thousands of facial templates.

Vulnerabilities in ZKTeco Biometric Terminals

Biometric terminals see multiple uses aside from their primary purpose of acquiring biometric data such as fingerprints, voices, facial features, or irises. They can be connected to other scanners to support alternative authentication methods, or be deployed as a means of ensuring employee productivity or to reduce fraud. These devices see increasing usage in confidential facilities such as power plants, executive suites or server rooms. ZKTeco biometric terminals support facial recognition(with the ability to store thousands of face templates), password entry, electronic pass, and QR codes. Researchers conducted several tests to assess the security and reliability of these devices, finding 24 different vulnerabilities that may be exploited by threat actors in real attack scenarios on confidential facilities:

• 6 SQL injection vulnerabilities
• 7 buffer stack overflow vulnerabilities
• 5 command injection vulnerabilities
• 4 arbitrary file write vulnerabilities
• 2 arbitrary file read vulnerabilities

The researchers grouped some of the more critical vulnerabilities present in these devices by their attack type:

• Physical Bypass via Fake QR Codes CVE-2023-3938 allows cybercriminals to perform a SQL injection attack by injecting malicious code into access strings. This could allow them to gain unauthorized entry to restricted areas.
• Biometric Data Theft and Backdoor Deployment The CVE-2023-3940 and CVE-2023-3942 vulnerabilities could give attackers access to sensitive user data and password hashes stored on the device. Additionally, CVE-2023-3941 could allow them to remotely alter device databases, allowing them to potentially add unauthorized individuals into systems or create a backdoor.
• Remote Code Execution The CVE-2023-3939 and CVE-2023-3943 flaws enable the execution of arbitrary commands or code on the device, effectively giving attackers full control and the ability to launch further attacks on the wider network.

Georgy Kiguradze, Senior Application Security Specialist at the cybersecurity firm, expressed concern over the risks posed by these vulnerabilities in real scenarios, risks posed by deepfake and social engineering tactics, and the urgency of immediately patching these vulnerabilities. He stated:

“The impact of the discovered vulnerabilities is alarmingly diverse. To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponizes the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors. Lastly, some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage. All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device's security settings for those using the devices in corporate areas.”

Mitigating Risks to Biometric Terminals

The researchers stated that they had disclosed all information about the discovered vulnerabilities to ZKTeco, but lacked accessible data on whether these vulnerabilities had been patched. The researchers have shared the following recommendations to protect these biometric terminals from attacks in the meanwhile:

• Isolate biometric reader usage into a separate network segment.
• Employ robust administrator passwords and change default ones.
• Audit and fortify the device's security settings, including enabling temperature detection.
• If feasible, minimize the use of QR code functionality.
• Regularly update the device's firmware.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Black Basta ransomware gang may have exploited a Windows privilege escalation vulnerability as a zero-day before it was patched, new evidence suggests. Symantec researchers have revealed details that the Black Basta ransomware group linked to the Cardinal cybercriminal syndicate (also known as Storm-1811 or UNC4393) may have exploited a flaw in the Windows error reporting service as a zero-day prior to its March Patch Tuesday fix. Tracked as CVE-2024-26169, the vulnerability in question exists in the Windows Error Reporting Service. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said at the time of patching. The Redmond-based tech giant at the time reported no evidence of the bug being exploited in the wild. However, analysis of an exploit tool used in recent attacks indicated that it may have been compiled months before the official patch was released, indicating potential zero-day exploitation.

Black Basta’s Privilege Escalation Bug Exploitation

The Symantec team first uncovered the possible zero-day exploitation while investigating a recent ransomware attack attempt in which an exploit tool for CVE-2024-26169 was used. “Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity,” Symantec said. These TTPs included the use of batch scripts disguised as software updates, the researchers added.

Black Basta Exploit Tool Analysis

The exploit tool leverages a flaw where the Windows file “werkernel.sys” uses a null security descriptor for creating registry keys. The tool exploits this by creating a “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe” registry key, setting its “Debugger” value to its own executable pathname. This allows the attacker to start a shell with administrative privileges, Symantec explained. Two variants of the tool analyzed:

• Variant 1 (SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63): Compiled on February 27, before the vulnerability was patched.
• Variant 2 (SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0): Compiled on December 18, 2023, nearly three months before an official fix was released.

While time stamp values in executables can be modified, in this case the attackers likely had little motivation to alter them, suggesting genuine pre-patch compilation.

Indicators of Compromise

Symantec shared the following IoCs: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63 – Exploit tool b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0 – Exploit tool a31e075bd5a2652917f91714fea4d272816c028d7734b36c84899cd583181b3d – Batch script 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d – Batch script 2408be22f6184cdccec7a34e2e79711ff4957e42f1ed7b7ad63f914d37dba625 – Batch script b0903921e666ca3ffd45100a38c11d7e5c53ab38646715eafc6d1851ad41b92e – ScreenConnect

About Black Basta Ransomware

The latest attempts of exploiting a Windows privilege escalation bug comes a month after Microsoft revealed details of Black Basta ransomware operators abusing its Quick Assist application that enables a user to share their Windows or macOS device with another person over a remote connection. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI in a May advisory said Black Basta's affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia since its launch in April 2022. An analysis from blockchain analytics firm Elliptic indicates that Black Basta has accumulated at least $107 million in ransom payments since early 2022, targeting more than 90 victims. The largest ransom payment received was $9 million, and at least 18 of the ransoms exceeded $1 million each. The average ransom payment was $1.2 million.

Ukraine National Police have arrested a man they say helped disguise ransomware used by Russia-based threat groups. The 28-year-old cryptor developer was unnamed in Ukraine and Netherlands announcements of the arrest, but the Dutch statement said he was arrested on April 18, 2024 in a lead-up to May’s massive “Operation Endgame” botnet takedown.

Cryptor Developer Worked with Conti, LockBit

Ukraine cyber ​​police and National Police investigators say they established that the man was involved in the LockBit and Conti ransomware groups. The Kyiv man infected a company in the Netherlands with Conti ransomware in 2021, demanded a ransom and threatened to release confidential company information if payment wasn’t made, according to the Dutch announcement, which cited work by the Netherlands’ High Tech Crime Team of the National Operations and Interventions Unit and the National Public Prosecution Service. They requested Ukraine’s assistance in the case as part of their investigation. As part of the arrest, Ukrainian police conducted house searches in the city of Kyiv and the Kharkiv region on April 18 and seized computer equipment, mobile phones and documents for further investigation (pictured below). [caption id="attachment_76895" align="alignnone" width="300"] Items seized in Ukraine ransomware arrest[/caption] The Ukraine cyber police said the man “specialized in the development of cryptors,” or “special software for masking computer viruses under the guise of safe files” (quotes translated from the Ukraine statement). “Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses,” the Ukraine statement added.

LockBit Remains Active Despite Repeated Enforcement Activities

The Conti ransomware group reportedly dissolved in 2022 after a Ukrainian researcher leaked the group's source code in retaliation for the group's support of Russia's invasion of Ukraine, but LockBit has remained persistent. Despite the Ukraine arrest and law enforcement successes like Operation Endgame, Operation Cronos, and the unmasking of formerly anonymous LockBit leader Dmitry Khoroshev, LockBit has shown an ability to continually regroup and reestablish threat activities, recently launching high-profile ransomware attacks such as one that the city of Wichita is finally recovering from. Ukraine officials said the investigation is ongoing. The suspect is being charged under part 5 of Article 361, Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks, of the Criminal Code of Ukraine. The article provides for publishment of up to 15 years of imprisonment, and additional charges are possible. Netherlands officials thanked the Ukrainian investigators for their assistance and said they “are very pleased with the arrest in Ukraine and are grateful for the space that the Ukrainian police have found for this in times of war.”

A resident of Moreton Bay, Australia was shocked to discover that the private information of several resident ratepayers in the region, including their friends and neighbors, had been accidentally published on the Moreton Bay council's official website. The leaked information included names, residential addresses, email addresses, and phone numbers, as well as resident complaints to the council and details about council investigations.

Data Breach Discovered By Local Resident

City of Moreton Bay resident Piper Lalonde, who works as a data analyst, had discovered the breach along with her husband. They were shocked to learn that their personal information was freely available on the council's customer request online portal. The couple had discovered that the information included their phone numbers,  complaints, and requests that they had made for new bins, along with the GPS coordinates of where the requests had been filed. A further investigation into the breach had revealed that the personal information of some of their friends and neighbors who were fellow ratepayers were also available in the records after they conducted a search. Piper reported this information to the council, with the website being taken down the next day. However, she was still unsatisfied with the lack of notification about the incident to impacted residents. Piper stated, "I would expect they'd have to send out some formal communication letting people know their information was publicly accessible, but there was no indication they were going to do that." She expressed concern about the possibility of people stumbling upon complaints made about them by other residents. She added, "If this gets in the wrong hands — it just takes one person to see a complaint about them, and who knows what they'll do."

City of Moreton Bay Responses to Data Breach

After Piper's report, the website was said to be taken down. The site appears to be functional as of now, with some functions still limited. The website includes an official notice in response to the incident. [caption id="attachment_76878" align="alignnone" width="2204"] Source: moretonbay.qld.gov.au[/caption]

We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed.

The notice appears to indicate that the breach stemmed from a third-party provider. The Cyber Express team has reached out to the Moreton Bay Council's Privacy Officer for further information on the breach, however no response has been received as of publication time. The potential scale of the data breach, as well as its impact on residents, is currently unknown. It is also unclear on how many individuals may have accessed the available data before the website had been temporarily taken down and subsequently limited. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A dark web hacker that goes by the name “Tombstone” has claimed and advertised multiple vulnerabilities affecting a subdomain affiliated with Google LLC. The hacker claimed these flaws on the Russian-language cybercrime forum Exploit and stressed the susceptibility of the domain to XSS-DOM and prototype pollution vulnerabilities. Screenshots shared by threat actor Tombstone showcased 'edu.google.com' as one of the allegedly impacted domains, raising concerns about potential exploits. Tombstone's post on Exploit lacked a specified price for the vulnerabilities, urging interested parties to initiate private communications for further details. The disclosed vulnerabilities pose significant risks to Google and its associated services, warranting immediate attention to mitigate potential cyber threats. "These vulnerabilities are in the software, not the source code Note that I only sell bugs with POC and full proof not exploits With a great price for long-term cooperation in other projects Exchange of Apple, FB, Meta, Microsoft banks", reads the threat actor post.

Dark Web Hacker Claims Prototype Pollution and XSS-DOM Vulnerability

[caption id="attachment_76830" align="alignnone" width="1108"] Source: Dark Web[/caption] The vulnerabilities advertised by Tombstone have direct implications for Google LLC, a prominent entity within the IT & ITES industry. Notably, domains such as google.com and edu.google.com have been identified as being at risk, primarily affecting users currently using the Google services.  The vulnerabilities disclosed by Tombstone encompass XSS-DOM and prototype pollution, both of which can serve as entry points for malicious cyber activities. XSS-DOM vulnerabilities, in particular, enable threat actors to inject client-side scripts into web pages viewed by other users, potentially leading to session hijacking, phishing attacks, malware distribution, and data theft. Prototype pollution vulnerabilities, however, involve manipulating a JavaScript object's prototype to achieve unintended behavior, often resulting in unauthorized data manipulation or code execution. The combination of these vulnerabilities within Google's subdomain highlights the critical need for robust cybersecurity measures to safeguard against potential cyberattacks.

Previous Incidents and Security Research

Prior to Tombstone's disclosure, security researcher Henry N. Caga had identified the XSS vulnerability within a Google subdomain, further emphasizing the susceptibility of Google's infrastructure to such exploits. Caga's research revealed the presence of a vulnerability within the URL associated with 'https://aihub.cloud.google.com,' prompting an in-depth investigation. Despite initial challenges in replicating the XSS pop-up, Caga's persistence ultimately led to the discovery of a double-encoded payload that triggered the vulnerability. Subsequent testing unveiled the widespread nature of the vulnerability across all URLs within the aihub.cloud.google.com domain, accentuating the severity of the issue. Following responsible disclosure protocols, Caga promptly reported the findings to Google's security team, accompanied by comprehensive documentation and proof of concept scripts. Google's swift response included an upgrade in the issue's priority and severity levels, acknowledging Caga's contributions with a reward of $4,133.70, along with a $1,000 bonus for the thoroughness of the report and proof of concept scripts. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The MEDUSA ransomware group has reared its ugly head again and this time it has claimed to have targeted three new victims: GEMCO Constructors, Dynamo Electric and Farnell Packaging. The ransomware group’s dark web portal highlighted these additions, adding to their growing list of victims. Like many of its earlier attacks, the group has not disclosed crucial details, such as the type of compromised data. It has, however, demanded a bounty of US $900,000 from GEMCO and $100,000 each from Dynamo and Farnell Packaging to stop leaking its internal data.

MEDUSA Ransomware Attack: The Latest Victims

GEMCO Constructors is headquartered in Indianapolis, Indiana, USA. The ransomware actors have claimed to have access to 1.0 TB of the organization's data and has threatened to publish it within 6-7 days. The second company that the group has claimed to have targeted is Dynamo, which is based in Saskatchewan, Canada. Data of the company, which specializes in electrical and electronic manufacturing, has allegedly been compromised. MEDUSA has claimed to have exfiltrated 149.6 GB of the organization's data and plans to publish it within 6-7 days. Farnell Packaging, a Canadian company in the packaging and container industry, has also allegedly been attacked. The attackers claimed to have accessed 193.9 GB of the organization's data and warned the data would be published within 8–9 days. Despite the gigantic claims made by the ransomware group, the official websites of the targeted companies seem to be fully operational, with no signs of foul play. The organizations, however, have not yet responded to the alleged cyberattack, leaving the claims made by the ransomware group unverified.  The article would be updated once the respective organizations respond to the claims. The absence of confirmation raises the question of the authenticity of the ransomware claim. It remains to be seen whether it is a tactic employed by MEDUSA to garner attention or if there are ulterior motives attached to their actions. Only an official statement by the affected companies can shed light on the true nature of the situation. However, if the claims made by the MEDUSA ransomware group do turn out to be true, then the consequences could be far-reaching. The potential leak of sensitive data could pose a significant threat to the affected organizations and their employees.

Background of MEDUSA Ransomware Group

MEDUSA first burst onto the scene in June 2021 and has since targeted organizations in various countries across multiple industries, including healthcare, education, manufacturing, and retail. Most of the companies, though, have been established in the United States of America. MEDUSA functions as a Ransomware-as-a-Service (RaaS) platform. It provides would-be attackers with malicious software and infrastructure required to carry out disruptive ransomware attacks. The ransomware group also has a public Telegram channel that threat actors use to post data that might be stolen, which could be an attempt to extort organizations and demand payment.

Previous Ransomware Attacks

Less than three weeks ago, MEDUSA ransomware group claimed a cyberattack on Comwave, a Canadian communications giant renowned for providing internet, network security solutions, and customer support services.  In January 2024, a prominent non-profit organization, Water For People, was targeted by the group. The organization faced the pressure of a deadline to comply with the demands of the ransomware group. MEDUSA also targeted four organizations across different countries, including France, Italy, and Spain. The group’s modus operandi remains uniform, with announcements being made on their dark web forum accompanied by deadlines and ransom demands. As organizations deal with the fallout of cyberattacks by groups like MEDUSA, it becomes crucial to remain vigilant and implement stringent security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The United Kingdom and Canada privacy watchdogs announced a joint investigation this week to determine the security lapses in the genetic testing company 23andMe’s October data breach, which leaked ancestry data of 6.9 million individuals worldwide. The UK Information Commissioner John Edwards and Privacy Commissioner of Canada Philippe Dufresne will lead the investigation, pooling the resources and expertise of their respective offices.

Focus of 23andMe Data Breach Investigation

The joint investigation will examine three key aspects:

• Scope of Information Exposed: The breadth of data affected by the breach and the potential harm to individuals arising from it.
• Security Measures: Evaluate whether 23andMe had adequate safeguards to protect the sensitive information under its control.
• Breach Notification: Review whether the company provided timely and adequate notification to the regulators and affected individuals, as mandated by Canadian (PIPEDA) and UK (GDPR) data protection laws.

Edwards said the investigation was needed to garner the trust of people in organizations that handle sensitive personal data. He stated:

“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Dufresne on the other hand stated the risks associated with genetic information in the wrong hands. He said:

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

The data protection and privacy laws in the UK and Canada allow such joint investigations on matters that impact both jurisdictions. Each regulator will assess compliance with the relevant laws they oversee. Neither of the privacy commissioner offices however provided further details on how they would charge or penalize 23andMe, if found in violation of GDPR or PIPEDA. “No further comment will be made while the investigation is ongoing,” the UK ICO said. 23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today.

“We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023,” a 23andMe spokesperson told The Cyber Express.

Genetic Testing Company 23andMe Data Breach Timeline

23andMe first disclosed details of the October data breach in an 8-K filing with the U.S. Securities and Exchange Commission. The genetic testing company said attackers scraped profiles of 23andMe users who opted in to using the company’s DNA Relatives feature. This profiling feature connects users with genetic distant relatives - or other 23andMe users who share their bits of DNA. The attackers used credential stuffing attacks that affected 0.1% of user accounts, the company told SEC. Using these accounts as a launchpad, hackers were able to access “a significant number of files containing profile information about other users' ancestry.” Threat actors claimed on underground forums that they were able to siphon “20 million pieces of code” from 23andMe. The claimed data set included information DNA ancestry backgrounds belonging to more than 1.3 million Ashkenazi Jewish and Chinese users. By the end of October, another threat actor claimed compromise of 4 million genetic profiles, which the company also investigated. The genetic testing company 23andMe said it notified the affected 6.9 million users - 5.5 million DNA Relatives profiles and 1.4 million Family Tree profile – in December. The company told federal regulators that the data breach incident was set to incur between $1 million and $2 million in one-time expenses. The company faces at least 30 class action lawsuits in U.S.state and federal jurisdictions as well as in Canada. 23andMe blamed the customers’ poor security hygiene for the breach and has since made two-step verification a prerequisite for account logon. It also mandated customers to reset their passwords. *Update 1 (June 12 – 12:00 AM EST): Added response from the 23andMe spokesperson.

The notorious hacker group SN Blackmeta has allegedly claimed responsibility for a cyberattack on Snapchat's infrastructure. The Snapchat cyberattack has reportedly led to disruptions in service in specific regions and the disabling of login and account creation features within the app.  In a post attributed to SN Blackmeta, the threat actor outlined their motives for the cyberattack on Snapchat, citing reasons such as their opposition to the content promoted by the social media platform, which they claim includes pornography and undermines moral values.  Additionally, the group accuses the application of supporting Israel while opposing efforts in support of Palestine. These grievances, according to SN Blackmeta, prompted them to target Snapchat as a means to "test their strength."

Decoding the Snapchat Cyberattack by SN Blackmeta 

[caption id="attachment_76796" align="alignnone" width="379"] Source: X[/caption] The claimed Snapchat cyberattack has allegedly resulted in service disruptions in certain countries and the temporary incapacitation of key features within the Snapchat application. Despite SN Blackmeta's claims, Snapchat has not yet released an official statement about the incident, leaving the details of the cyberattack unconfirmed. The Cyber Express has reached out to the company, and we are currently awaiting their response.  [caption id="attachment_76798" align="alignnone" width="372"] Source: X[/caption] Interestingly, this isn't the first time SN Blackmeta has made headlines for their cyber activities. In the past few days alone, the group has launched attacks on various targets, including the Social Security Administration (SSA) website and Microsoft's OneDrive. These attacks aim to disrupt services and hinder user access, demonstrating the group's proficiency in executing cyber warfare. The recent surge in cyberattacks by SN Blackmeta comes amidst a backdrop of escalating tensions in the digital world. Other hacktivist groups have also been active, targeting prominent organizations and government entities with coordinated attacks.

Previous Cybersecurity Challenges

The current Snapchat cyberattack is not the first time that the Snap INC-owned platform has faced cybersecurity challenges. The most recent controversy with Snapchat was reported by Vice in May 2019 wherein researchers discovered that Snapchat employees were misusing their access privileges to spy on users. This breach of trust raised concerns about user privacy and data security within the platform. Between January 2014 and February 2018, Snapchat faced a series of cybersecurity challenges. In July 2017, a phishing attack compromised over 55,000 accounts by luring users to a fake login page. The attackers then published stolen credentials, granting unauthorized access.  In February 2016, a phishing scam targeted Snapchat employees, resulting in the disclosure of payroll information. The October 2014 incident involved a third-party app hack, leaking 200,000 explicit images. Though Snapchat denied system compromise, blame was placed on the app providers.  In January 2014, a security vulnerability led to the exposure of 4.6 million user details, despite Snapchat's claim of addressing the issue promptly. As for the current Snapchat cyberattack claim, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged cyberattack on the social media platform or any official confirmation from Snap INC.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Pure Storage, a provider of cloud storage systems and services, has confirmed and addressed a security incident involving unauthorized access to one of its Snowflake data analytics workspaces. This workspace contained telemetry information used by Pure Storage to provide proactive customer support services. The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number. Importantly, no sensitive information like credentials for array access or any other data stored on customer systems was compromised. "Such information is never and can never be communicated outside of the array itself, and is not part of any telemetry information. Telemetry information cannot be used to gain unauthorized access to customer systems," stated Pure Storage in an official statement.

Pure Storage Data Breach: Investigation Ongoing

Upon knowing about the cybersecurity incident, Pure Storage took immediate action to block any further unauthorized access to the workspace. The company emphasized that no unusual activity has been detected on other elements of its infrastructure. “We see no evidence of unusual activity on other elements of the Pure infrastructure. Pure is monitoring our customers’ systems and has not found any unusual activity. We are currently in contact with customers who similarly have not detected unusual activity targeting their Pure systems,” reads the official statement. Preliminary findings from a cybersecurity firm engaged by Pure Storage support the company's conclusions about the nature of the exposed information. Pure Storage simplifies data storage with a cloud experience that empowers organizations to maximize their data while reducing the complexity and cost of managing the infrastructure behind it. Thousands of customers, including high-profile companies like Meta, Ford, JP Morgan, NASA, NTT, AutoNation, Equinix, and Comcast, use Pure Storage's data storage platform.

Context of Recent Snowflake Cybersecurity Incidents

Before the Pure Storage data breach, Advance Auto Parts, Inc., a significant provider of automobile aftermarket components, allegedly suffered a massive data breach. A threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of three terabytes of data from the company’s Snowflake cloud storage, which is reportedly being sold for $1.5 million. Live Nation, the parent company of Ticketmaster, also confirmed "unauthorized activity" on its database hosted by Snowflake, a Boston-based cloud storage and analytics company. In a joint advisory with Mandiant and CrowdStrike, Snowflake revealed that attackers used stolen customer credentials to target accounts lacking multi-factor authentication protection. Mandiant linked these attacks to a financially motivated threat actor tracked as UNC5537 since May 2024. This malicious actor gains access to Snowflake customer accounts using credentials stolen in historical infostealer malware infections dating back to 2020. These cyberattacks have targeted hundreds of organizations worldwide, extorting victims for financial gain. So far, the cybersecurity firm has identified hundreds of customer Snowflake credentials exposed in Vidar, RisePro, Redline, Racoon Stealer, Lumm, and Metastealer malware attacks. Snowflake and Mandiant have notified around 165 organizations potentially exposed to these ongoing cyberattacks.

The City of Wichita has made significant progress in recovering from a cyberattack that disrupted many city services early last month. More than a month later, the City of Wichita cyberattack update has come up stating that most public-facing systems are back online, although some services are still being restored. The city reports that water metering, billing, and payment processing systems are gradually coming back online.

City of Wichita Cyberattack Update

Water Services Restored Customers can expect to receive updated statements this week. Auto-payments have resumed normal operations, and customers now have full access to their utility accounts online. Bills can be paid by credit card, cash, check, and money order at City Hall, online at City's payment portal, by calling (316) 265-1300, or through the mail. Due to the cyberattack on City of Wichita, some June bills may cover more than 60 days of service. Customers needing help with these bills are encouraged to contact a representative at (316) 265-1300 to arrange a payment plan. Library Services Update The Wichita Public Library has also seen progress, though some services remain affected. Public Wi-Fi is available at all locations, and patrons can access Libby for eBooks, audiobooks, and digital magazines. Additionally, materials can be checked in and out manually. However, hold requests and renewals, customer account information, the online catalog, the automated materials handler at the Advanced Learning Library, and online databases like Kanopy and LinkedIn Learning are still unavailable. Airport and Court Systems At the Wichita Dwight D. Eisenhower National Airport, public flight and gate display information is not yet available online but is expected to be restored soon. The Municipal Court has made strides in recovery, with most systems operational. The public search of warrants is anticipated to be online by Monday, June 10. The City’s Information Technology team is working to fix the remaining system outages. The city appreciates residents' patience as there may be occasional service interruptions during ongoing recovery efforts.

What Happened During the City of Wichita Cyberattack

The Cyber Express reported that the cyberattack occurred on May 5, leading to the shutdown of several online city services, including water bill payments, some city-building Wi-Fi, and electronic payments. LockBit, a known ransomware group, claimed responsibility for the cyberattack. This followed an earlier notification from the City of Wichita regarding a ransomware incident, although the responsible group was not initially disclosed. The ransomware attack has shown the vulnerabilities in the city's IT systems and the importance of strong cybersecurity measures. Despite the challenges, the city has worked hard to restore essential services to its residents. The City of Wichita urges residents to stay informed through official updates and to reach out to the provided contact points for help. The city remains committed to being transparent and providing the necessary support to its residents during this recovery period.

Microsoft has released the June 2024 Patch Tuesday updates, reinforcing security and enhancing functionality for Windows 11 and 10 users alike. Among these updates, the tech giant has also addressed 49 vulnerabilities affecting Microsoft environments and products. “Microsoft patched 49 CVEs in its June 2024 Patch Tuesday release, another sub-60 CVE release for the second month in a row. This month, Microsoft did not patch any zero-day vulnerabilities exploited in the wild. Typically, Microsoft Patch Tuesday releases skew towards being mostly remote code execution vulnerabilities," said Satnam Narang, Senior Staff Research Engineer at Tenable. For those using the Windows 11 operating systems with versions 23H2 and 22H2, the KB5039212 patch awaits in the Windows Update queue. This comprehensive Microsoft Patch Tuesday Update introduces several notable tweaks.

Microsoft Patch Tuesday Update: All the Major Developments and Fixes

With this June Microsoft Patch Tuesday update, the tech giant has introduced a slew of user-friendly updates, including the ability to generate QR codes directly from the Windows Share menu in Microsoft Edge, facilitating seamless sharing of webpages and cloud files. Enhancements to the Windows Share feature now allow users to easily email content to themselves using their linked email address from their Microsoft account, while a subtle but impactful change prevents the abrupt dismissal of the Windows Share window, requiring users to click the designated close button instead. File management is streamlined with the ability to drag files between breadcrumbs within the File Explorer address bar, simplifying the process of relocating files within the same file path. Additionally, a new "Linked devices" page in the Settings menu enables users logged in with a Microsoft account to seamlessly manage their PCs and Xbox consoles, while the Windows Backup app now integrates with Microsoft accounts, offering secure backup options for files, themes, settings, installed apps, and Wi-Fi credentials to the cloud. Microsoft has also addressed underlying issues with this June 2024 Patch Tuesday, including a fix for an issue causing the taskbar to briefly malfunction or become unresponsive, as well as resolving an issue hindering systems from resuming from hibernation post-BitLocker activation. “In 2023, remote code execution flaws accounted for over one-third (35.1%) of all CVEs patched. However, this Patch Tuesday release was dominated by elevation of privilege flaws, accounting for nearly half of the CVEs patched (49%) this month. Microsoft patched CVE-2024-30089, an elevation of privilege flaw in the Microsoft Streaming Service. Like many of the elevation of privilege flaws patched as part of Patch Tuesday, Microsoft labelled this one as “Exploitation More Likely,” said Narang. For Windows 11 users on the original iteration of the OS (21H2), the KB5039213 patch primarily focuses on bug fixes, with the added activation of the SMB over QUIC client certificate authentication feature, providing IT administrators with enhanced control over client access to SMB over QUIC servers.

Addressing 49 Vulnerabilities with Vigilance

With cyber threats looming large, Microsoft's June 2024 Patch Tuesday release stands as a protective measure against hackers and ransomware groups alike, addressing a total of 49 CVEs. Among these, one is rated critical, marking a concerted effort to shore up security defenses. Notably, there have been no reported zero-day or publicly disclosed vulnerabilities, underscoring Microsoft's proactive stance on security. Elevation of Privilege (EoP) vulnerabilities take center stage, constituting 49% of the patched vulnerabilities this month, followed closely by Remote Code Execution (RCE) at 36.7%. Several critical vulnerabilities have been identified, including CVE-2024-30080, a Remote Code Execution flaw in Microsoft Message Queuing (MSMQ) with a CVSSv3 score of 9.8, deemed highly exploitable by Microsoft. Additionally, CVE-2024-30082, CVE-2024-30087, and CVE-2024-30091 highlight the significance of patching critical components like the Win32k driver to prevent potential exploits. Similarly, attention is drawn to Windows Kernel vulnerabilities CVE-2024-30064, CVE-2024-30068, CVE-2024-30088, and CVE-2024-30099, emphasizing the necessity of comprehensive patch management. Moreover, CVE-2024-30085 highlights the varied attack vectors adversaries may exploit, necessitating swift remediation. “These types of flaws are notoriously useful for cybercriminals seeking to elevate privileges on a compromised system. When exploited in the wild as a zero-day, they are typically associated with more advanced persistent threat actors or as part of targeted attacks," said Narang. He added further, "This vulnerability was disclosed to Microsoft by the same security researcher that disclosed CVE-2023-36802, another Microsoft Streaming Service elevation of privilege flaw, which was patched in the September 2023 Patch Tuesday. Curiously, that flaw was disclosed by the researcher, but it was Microsoft themselves that noted it as being exploited in the wild. Another Microsoft Streaming Service flaw was patched this month (CVE-2024-30090), but unlike CVE-2024-30089, this one is labeled as “Exploitation Less Likely.” Concurrently, Microsoft's cessation of security updates for Windows 10 21H2 across several editions stresses the importance of timely upgrades to ensure ongoing protection against online threats.