By: Abhilash R., Head of Cybersecurity at OQ Trading In a progressively digital world, small and medium sized enterprises (SMEs) are not immune to cyber threats. Despite their size, SMEs are prime targets for cyberattacks due to their limited resources and perceived vulnerability. Therefore, implementing robust cybersecurity strategies is imperative to safeguard sensitive data, maintain customer trust, and ensure business continuity. This article delves into five essential cybersecurity strategies tailored to SMEs, emphasizing their importance, and providing cost effective solutions.

Employee Education and Training

One of the most critical cybersecurity strategies for SMEs is ensuring that employees are educated and trained in cybersecurity best practices. Human error remains a significant factor in cyber incidents, making cybersecurity awareness training indispensable. Employees should be educated on recognizing phishing attempts, creating strong passwords, and understanding the importance of software updates. Importance: Employees serve as the first line of defence against cyber threats, they are also the weakest links in cybersecurity. By educating them, SMEs can significantly reduce the risk of successful cyberattacks. Solutions: Implement regular cybersecurity training sessions for all employees, covering topics such as identifying suspicious emails, safe internet browsing practices, and responding to security incidents. Utilize online training resources and simulations to reinforce learning effectively. You can develop internal cybersecurity awareness materials using free or low cost presentation tools such as Google Slides or Microsoft PowerPoint. Create engaging presentations covering topics like identifying phishing emails, password best practices, and responding to security incidents. Additionally, leverage free online resources such as cybersecurity blogs, webinars, and tutorials to supplement employee training efforts. Encourage participation in online courses offered by reputable cybersecurity organizations, some of which may be available at no cost.

Implementing Multi-Factor Authentication (MFA)

Multifactor authentication (MFA) adds an extra layer of security by requiring users to provide multiple forms of verification before accessing sensitive data or systems. This strategy helps mitigate the risk of unauthorized access, even if passwords are compromised. Importance: Passwords alone are no longer sufficient to protect against cyber threats. MFA significantly enhances security by requiring additional authentication factors, such as biometric data or one-time codes. Solutions: Implement MFA for all accounts with access to sensitive information or critical systems. Many cloud-based services and software applications offer built-in MFA capabilities, making implementation relatively straightforward and cost effective. Utilize built-in MFA features provided by cloud-based services and software applications, many of which offer MFA functionality at no additional cost. Implement open source MFA solutions that can be customized to fit the organization's specific needs without incurring licensing fees. Alternatively, explore low-cost MFA options offered by third-party providers, ensuring compatibility with existing systems and scalability as the business grows.

Regular Data Backups

Data loss can have devastating consequences for SMEs, ranging from financial losses to reputational damage. Regularly backing up data is essential for mitigating the impact of ransomware attacks, hardware failures, or accidental deletions. Importance: Data backups serve as a safety net, allowing SMEs to recover quickly in the event of a cyber incident. Without backups, businesses risk permanent loss of valuable information. Solutions: Automate regular backups of critical data to secure cloud storage or offline storage devices. Utilize backup solutions that offer versioning capabilities, allowing businesses to restore data to previous states if necessary. Utilize cloud based backup solutions that offer affordable storage options and automated backup scheduling. Leverage free or low cost backup software with basic features for backing up critical data to secure cloud storage or external hard drives. Implement a combination of full and incremental backups to optimize storage space and minimize backup times. Explore open source backup solutions that provide flexibility and customization options without the need for expensive proprietary software.

Network Security Measures

Securing the network infrastructure is crucial for protecting against external threats and unauthorized access. SMEs should implement robust network security measures, such as firewalls, intrusion detection systems (IDS), and virtual private networks (VPNs). Importance: Networks are prime targets for cyberattacks, making network security measures essential for preventing unauthorized access and data breaches. Solutions: Deploy firewalls to monitor and control incoming and outgoing network traffic. Implement IDS to detect and respond to suspicious activities within the network. Utilize VPNs to encrypt data transmissions and establish secure connections for remote workers. Implement open source firewall solutions that provide robust network protection without the high cost associated with commercial firewalls. Utilize free or low cost intrusion detection system (IDS) software that offers essential features such as real time monitoring and threat detection. Explore cost effective virtual private network (VPN) solutions tailored to SMEs' needs, such as subscription based services with affordable pricing plans and easy deployment for remote workers.

Regular Security Assessments and Updates

Cyber threats are constantly evolving, requiring SMEs to stay vigilant and proactive in their cybersecurity efforts. Regular security assessments and updates help identify vulnerabilities and ensure that systems and software are up to date with the latest security patches. Importance: Cyber threats are continuously evolving, making regular security assessments and updates essential for maintaining strong cybersecurity posture. Solutions: Conduct regular security assessments to identify potential vulnerabilities in systems, networks, and applications. Develop and implement a patch management strategy to ensure that software and firmware updates are applied promptly. Conduct internal security assessments using free or low cost vulnerability scanning tools to identify potential weaknesses in systems and networks. Utilize open source penetration testing frameworks to simulate cyberattacks and assess the effectiveness of existing security measures. Implement a systematic approach to applying security patches and updates, leveraging free tools provided by software vendors or community driven initiatives. Additionally, establish internal processes for monitoring security advisories and alerts issued by relevant authorities to stay informed about emerging threats and vulnerabilities. In conclusion, cybersecurity is a critical concern for SMEs in today's digital landscape. By implementing the strategies explained above, SMEs can significantly enhance their cybersecurity posture without breaking the bank. Investing in cybersecurity is not only essential for protecting sensitive data and maintaining business operations but also for safeguarding the long-term viability and reputation of SMEs in an increasingly interconnected world. About Author: Abhilash Radhadevi, a seasoned cybersecurity leader, serves as the Head of Cybersecurity at OQ Trading, bringing over two decades of comprehensive experience in the Banking, Financial, Oil and Energy sectors. Widely recognized for his adept leadership, Abhilash has effectively steered international organizations through intricate security challenges. His illustrious career includes spearheading pioneering cybersecurity strategies, resulting in prestigious awards and acclaim. Beyond his professional achievements, Abhilash maintains a global influence and demonstrates unwavering commitment to mentoring, showcasing his dedication to shaping the future landscape of cybersecurity. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

By Hoda Alkhzaimi The technological prowess of small nations is increasingly recognized as a significant driver of global economic power. This is because technology is a great equalizer; it can enable small nations to leapfrog development stages and compete on a global scale. For instance, the UNCTAD Technology and Innovation Report 2021 highlights that frontier technologies like AI, robotics, and biotechnology have the potential to significantly boost sustainable development, while also posing the risk of widening the digital divide. Small nations, by embracing these technologies, can foster innovation, improve productivity, and create high-value industries that contribute to global trade and economic growth. Moreover, the digital transformation allows for the democratization of information and resources, enabling smaller economies to participate in markets traditionally dominated by larger countries. The OECD also emphasizes the role of SMEs in adapting to a more open and digitalized environment, which is essential for inclusive globalization. Therefore, the technological development of small nations is not just about national progress; it's about contributing to and shaping the global economic landscape. By investing in technology and innovation, small nations can assert their presence on the world stage, influencing global trends and economic policies. Cyber conflicts have emerged as a significant factor in international relations, influencing the dynamics of power in the digital age. The Atlantic Council's Cyber Statecraft Initiative highlights the shift from traditional deterrence strategies to more proactive measures like Defend Forward and Persistent Engagement, reflecting the evolving nature of cyber threats. Research published in Armed Forces & Society suggests that cyber conflicts, termed 'cool wars', are reshaping interactions between states, with denial-of-service attacks and behaviour-changing tactics significantly affecting state relations. Moreover, the ICRC has raised concerns about the protection of civilians from cyber threats during armed conflicts, emphasizing the need for legal and policy frameworks to address the digital risks in warfare. The CyberPeace Institute's analysis of cyberattacks in the context of the Ukraine conflict provides valuable data on the harm to civilians and the evolution of cyber threats. Additionally, the European Repository of Cyber Incidents offers an extensive database of cyber incidents, which can serve as a resource for understanding the scope and impact of cyber warfare. These insights underscore the importance of cyber capabilities in asserting influence and the need for robust cyber defence mechanisms to safeguard national security and civilian welfare in the face of digital threats. The interplay between cyber operations and political power is complex, and as technology continues to advance, the implications for international stability and power hierarchies will likely become even more pronounced

The Role of Misinformation and Disinformation in Cyberconflict

Misinformation and disinformation play a critical role in the landscape of cyberconflict, shaping public perception and influencing the dynamics of geopolitical tensions. A report by Full Fact highlights the detrimental impact of false information on democratic societies, emphasizing the need for informed citizenship to combat the spread of such information. Similarly, data from UNESCO underscores the pervasive risk of encountering disinformation across various media platforms, with statistics indicating a significant trust deficit in media and an increase in the manipulation of news consumption. The cybersecurity sector also recognizes disinformation as a substantial threat, with a study by the Institute for Public Relations revealing that 63% of Americans view disinformation as a major societal issue, and nearly half of cybersecurity professionals consider it a significant threat to security. These concerns are echoed globally, as a survey found that over 85% of people worry about the impact of online disinformation on their country's politics. The intertwining of misinformation, disinformation, and cyberconflict presents a complex challenge that requires a multifaceted approach, including media literacy, regulatory frameworks, and international cooperation to mitigate its effects and safeguard information integrity.

The Role of Big Tech in Cyberconflict Interplay

The role of big tech companies in cyber conflict is a complex and evolving issue. These companies often find themselves at the forefront of cyber conflict, whether as targets, mediators, or sometimes even participants. For instance, during civil conflicts, digital technologies have been used to recruit followers, finance activities, and control narratives, posing additional challenges for peacemakers. The explosive growth of digital technologies has also opened new potential domains for conflict, with state and non-state actors capable of carrying out attacks across international borders, affecting critical infrastructure and diminishing trust among states. In response to the invasion of Ukraine, big tech companies played crucial roles in addressing information warfare and cyber-attacks, showcasing their significant influence during times of conflict. Moreover, the technological competition between major powers like the United States and China further highlights the geopolitical dimension of big tech's involvement in cyber conflict. These instances underscore the need for a robust framework to manage the participation of big tech in cyber conflict, ensuring that their capabilities are harnessed for peace and security rather than exacerbating tensions.

Hedging the Risks of Using AI and Emerging Tech To Scaleup Misinformation and Global Cyberconflicts

In response to the growing threat of election misinformation, various initiatives have been undertaken globally. The World Economic Forum has identified misinformation as a top societal threat and emphasized the need for a concerted effort to combat it, especially in an election year with a significant global population going to the polls. The European Union has implemented a voluntary code of practice for online platforms to take proactive measures against disinformation, including the establishment of a Rapid Alert System and the promotion of fact-checking and media literacy programs. In the United States, the Brennan Center for Justice advocates for active monitoring of false election information and collaboration with internet companies to curb digital disinformation. Additionally, the North Carolina State Board of Elections (NCSBE) provides guidelines for the public to critically assess the credibility of election news sources and encourages the use of reputable outlets. These initiatives represent a multifaceted approach to safeguarding the integrity of elections by enhancing public awareness, improving digital literacy, and fostering collaboration between governments, tech companies, and civil society. In the ongoing battle against election misinformation, several key alliances and actions have been formed. Notably, the AI Elections Accord was proposed for public signature at the Munich Security Conference on February 16, 2024. This accord represents a commitment by technology companies to combat deceptive AI content in elections. In a similar vein, Meta established a dedicated team on February 26, 2024, to address disinformation and the misuse of AI leading up to the European Parliament elections. Furthermore, the Federal Communications Commission (FCC) in the United States took a decisive step by making AI-generated voices in robocalls illegal on February 8, 2024, to prevent their use in misleading voters. These measures reflect a growing recognition of the need for collaborative efforts to safeguard the integrity of elections in the digital age. The alliances and regulations are pivotal in ensuring that the democratic process remains transparent and trustworthy amidst the challenges posed by advanced technologies. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

With companies coming forward every day announcing impacts from their third-party cloud data storage vendor, the Snowflake data breach seems to be snowballing into one of the biggest data breaches of the digital age. Here's everything to know about the Snowflake breach; we'll update this page as new information becomes available.

Why the Snowflake Breach Matters

Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others. Snowflake holds approximately a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, it an attractive target for cybercriminals. However, it is crucial to note that the breaches are not necessarily due to failures by Snowflake. The correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, along with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform.

Ongoing Investigation and Preliminary Results in Snowflake Breach

On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware.

Compromised Employee Account

Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA) but the demo accounts lacked such safeguards.

Test Environments Targeted

Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention.

Attack Path

The initial access point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, who helped Snowflake in its investigation, confirmed that the compromised credentials were from customer instances and were traced back to infostealer malware logs. Several variants of infostealer malware were used, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER.

Possible Reasons for the Breach

Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to four years were significant factors. Network allow lists were also not used to restrict access to trusted locations.

Unconfirmed Threat Actor Claims

The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of "sensitive" data used for determining the impact on demo accounts. The investigation is ongoing, but Snowflake stands by its initial findings.

Affected Customers from Snowflake Breach

The data breaches began in April 2024, and the company claimed it had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach. While some victims have been identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies know to have been impacted in the Snowflake data breach:

• Santander Group: The company confirmed a compromise without mentioning Snowflake.
• Impact: Santander Bank staff and 30 million customers’ data has allegedly been breached.

• TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
• Impact: 560 Million TicketMaster user details and card info potentially at risk.

• LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
• Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.

• Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
• Impact: Same actor as LendingTree claimed leak of 380 million customers and 358,000 former and current employees.

• Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
• Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million.

Tech Crunch discovered over 500 login credentials and web addresses for Snowflake environments on a website used by attackers to search for stolen credentials. These included corporate email addresses found in a recent data dump from various Telegram channels.

Security Measures and Customer Support

Snowflake Chief Information Security Officer Brad Jones reiterated the company's findings, asserting that the breaches were not due to any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts. The company acknowledges the friction in their MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite due to the high sensitivity of the data stored in their cloud environments.

Key Recommendations for Snowflake Customers:

1. Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
2. Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks.
3. Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
4. Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.

Snowflake has also published indicators of compromise and steps for detecting and preventing unauthorized user access here. Cloud security firm Permiso has developed an open-source tool dubbed "YetiHunter" to detect and hunt for suspicious activity in Snowflake environments based on the IoCs shared by Snowflake, Mandiant, DataDog, and its own intelligence. Editor's Note: This blog will be updated as additional breach information from Snowflake and its customers becomes available or is claimed by threat actors on underground forums for sale. Links and data to any additional IoCs related to the Snowflake breach will be published here too.

The on-again, off-again saga of BreachForums took another twist in recent days with the news that the data leak forum apparently has a new owner. ShinyHunters – who had reportedly retired after tiring of the pressure of running a notorious hacker forum – returned on June 14 to announce that the forum is now under the ownership of a threat actor operating under the new handle name “Anastasia.” It’s not yet clear if the move will quell concerns that the forum has been taken over by law enforcement after a May 15 FBI-led takeover, but for now, BreachForums is up and running under its .st domain.

ShinyHunters Alludes to BreachForums Issues

ShinyHunters alluded to those issues in a post announcing the forum’s new owner (screenshot below). “It's hard to maintain motivation when you're constantly getting accused of being a honeypot and at this point I'm burned out, hollow is burned out and we just want to move on to bigger things rather than the constant onslaught of users complaining about how we ran our forum,” ShinyHunters wrote. “Baphomet has done an incredible job of building new features for everyone, keeping everything together and maintaining the forum. Couldn't have done it without him. We hope the forum can live on without us for a long time. Thank you all for your support. Goodbye.” [caption id="attachment_77484" align="alignnone" width="750"] The announcement of a new BreachForums owner[/caption] While “User-Anastasia” is a new account, ShinyHunters referred to the new owner as “an OG some of you may remember.” Cyble threat researchers reported that Anastasia also goes by “Anastasia Belshaw.”

BreachForums Returns, Hackers Raise Suspicions

BreachForums was seized by the FBI and the U.S. Department of Justice in mid-May, with help from international law enforcement agencies, and Baphomet was allegedly arrested in that action. However, just two weeks later, the forum returned, leading to suspicion among some threat actors that the site was operating as a “honeypot” or a sting operation under the control of the FBI. To further complicate matters, the site went down again last week, possibly due to technical issues, and its associated Telegram channels disappeared too amid reports that ShinyHunters was retiring. A few days later came the announcement that Anastasia would take over the forum. It remains to be seen what direction the forum will take under new ownership, but given the site’s volatile history, whatever is in store is certain to be eventful.

This week on TCE Cyberwatch, we report on significant breaches affecting both prominent companies and universities, with thousands of individuals impacted. In addition, TCE Cyberwatch explores the evolving landscape of cybersecurity legality, highlighting Australia's ongoing court case against X. TCE Cyberwatch also delves into advancements in corporate cybersecurity, such as Apple’s upcoming announcement of their very own password management app. Keep reading to find out more!

Akira Ransomware Group Targets Panasonic Australia

The Akira ransomware group has reportedly compromised Panasonic Australia's data, claiming to have exfiltrated sensitive project information and business agreements. The authenticity and full impact of this breach are still unverified. In response, Singapore's Cyber Security Agency (CSA) and Personal Data Protection Commission (PDPC) have advised organizations to report such attacks rather than paying ransoms. This recommendation follows confirmation by law firm Shook Lin & Bok that they paid Akira $1.4 million in Bitcoin. The CSA has warned that paying ransoms does not guarantee data recovery and could potentially encourage further attacks. They recommend implementing robust security measures, including strong password policies, multi-factor authentication, reputable antivirus software, regular vulnerability scans, network segregation, routine backups, incident response exercises, and minimizing data collection. Additionally, the FBI and CISA had previously included Akira in their #StopRansomware campaign, emphasizing the importance of these preventive measures. Read More

Xbox One Kernel Exploit Discovered: Tinkering with Game Script App

An individual known as carrot_c4k3 has discovered a kernel-level exploit for Xbox One consoles using an app called ‘Game Script’ from the Microsoft Store. This exploit is not a jailbreak but allows users to gain control over virtual machine (vm) homebrews without enabling pirated software. The method involves two components: initial code execution in UWP applications and a kernel exploit granting full read/write permissions. A proof of concept has been shared on GitHub, currently limited to UWP apps. The exploit bypasses developer mode fees and modifies game save data but does not alter actual games. It may also allow running simple emulators. However, Microsoft could potentially detect this exploit, so using an offline console is recommended. It is also possible that the exploit has already been patched in the latest firmware update, version 10.0.25398.4478. Read More

Over 8,000 at VIT Bhopal University Potentially Exposed in Data Breach

VIT Bhopal University in India has reportedly experienced a major data breach, impacting more than 8,000 students and faculty members. The breach, first revealed on June 10, 2024, on BreachForums, involves the alleged leak of sensitive information, including unique identification numbers, usernames, full names, email addresses, passwords, and user activation keys. This compromised data could potentially allow unauthorized access to personal and university accounts, raising significant concerns about phishing attacks and other malicious activities. VIT Bhopal, established in 2017 and ranked 65th in India by the National Institutional Ranking Framework, offers programs in engineering, technology, management, and architecture. As of now, the university has not commented on the breach or disclosed the full extent of the compromised data. Read More

Energy Giant Potentially Breached: Hacker Selling Alleged SGCC Data

A hacker named Desec0x claims to have breached the State Grid Corporation of China (SGCC) and is selling the stolen data on BreachForums for $1,000. The data reportedly includes user account information, employee details, and department roles in SQL and XLSX formats. SGCC, the world's largest utility company, serves over 1.1 billion people in China and owns assets in several countries. If confirmed, this breach could have serious implications for SGCC and its stakeholders. Cyberattacks on the energy sector are increasing, with notable incidents in 2023 and 2024 targeting companies like Consol Energy and Petro-Canada. SGCC has not yet confirmed the breach, and its website appears to be unaffected. Read More

Deepfakes Target Australian Politicians in Investment Scams

Australian politicians, including Finance Minister Katy Gallagher and Foreign Minister Penny Wong, have been targeted in AI-generated deepfake investment scam videos. The scam also used images of Nationals senator Bridget McKenzie and former Prime Minister Scott Morrison, among others. These videos, promoted via Facebook ads, falsely depict the politicians endorsing fraudulent investment schemes. Federal Minister Stephen Jones warned that AI could amplify fraud and proposed reforms to make social media companies more accountable. Gallagher stressed that neither she nor other politicians would promote products online, urging people to report such scams. The government is considering measures like mandatory AI image watermarking to combat misuse. Read More

Get Ready to Switch? Apple Unveils Passwords Manager at WWDC

At Apple's Worldwide Developer Conference next week, the company is expected to unveil its own standalone password manager, named Passwords, which will rival apps like 1Password and LastPass. According to Bloomberg News, Passwords will offer features surpassing those of iCloud and Mac Keychain, enabling users to save Wi-Fi passwords, store passkeys, and categorize login credentials. The app is also anticipated to be compatible with Windows machines, though its availability for Android users remains uncertain. Read More

Monti Ransomware Targets West After Conti's Demise

The Monti ransomware group, which bears similarities to the defunct Conti ransomware, has recently changed ownership and shifted its focus towards Western targets. The new owners are revamping its infrastructure for future operations. Recent attacks in the South of France disrupted the Pau-Pyrénées airport, the Pau business school, and a digital campus, compromising sensitive data and raising significant cybersecurity concerns. Monti exploits vulnerabilities like Log4Shell to infiltrate networks, encrypt desktops, and disrupt servers. Analysts believe the group leverages Conti’s leaked data for its operations. The cybersecurity community emphasizes the need for strengthened defenses and collaboration to combat such evolving threats. The Monti group’s activities highlight the critical need for robust cybersecurity measures to protect essential infrastructures.Read More

TCE Cyberwatch: Wrap Up

. Recent events have shown that even large, well-protected companies can fall victim to cyberattacks. Therefore, it's always wise to stay proactive and ensure your defenses are up-to-date. Stay safe, stay informed, and take steps to safeguard your digital security.

A new wave of cyberattacks targeting Android users in the Middle East has surfaced, with a focus on both Palestine and Egypt. Dubbed AridSpy, this multistage Android malware is allegedly orchestrated by the notorious Arid Viper APT group, a name synonymous with cyber espionage in the region. The malicious software, discovered being distributed through five dedicated websites, is ingeniously disguised within seemingly legitimate applications, marking a dangerous evolution in cyber threats. The modus operandi of these campaigns, initiated as early as 2022 and persisting to this day, revolves around the deployment of trojanized apps designed to infiltrate unsuspecting users' devices. These applications, ranging from messaging platforms to job opportunity portals, harbor the insidious AridSpy spyware within their code, allowing the attackers to remotely control the infected devices and extract sensitive information with alarming efficiency.

Arid Viper APT group Leveraging AridSpy to Target Victims

A key element of AridSpy's strategy lies in its ability to camouflage itself within genuine apps, thus bypassing traditional security measures. By leveraging existing applications and injecting them with malicious code, the perpetrators exploit the trust users place in familiar software, amplifying the reach and impact of their cyber offensive. ESET's investigation into these activities uncovered various instances of AridSpy infiltration, with the majority of cases centered around the distribution of the malicious Palestinian Civil Registry app. This tactic, coupled with the impersonation of reputable messaging platforms like StealthChat and Voxer Walkie Talkie Messenger, underscores the group's sophisticated approach to cyber warfare. Lukáš Štefanko, a researcher at ESET, sheds light on the mechanics of AridSpy's infiltration, detailing how unsuspecting users are lured into installing the tainted applications. “In order to gain initial access to the device, the threat actors try to convince their potential victim to install a fake, but functional, app. Once the target clicks the site’s download button, myScript.js, hosted on the same server, is executed to generate the correct download path for the malicious file,” explains Štefanko. Through deceptive download buttons and carefully crafted scripts, the attackers exploit vulnerabilities in users' trust and familiarity with popular apps, paving the way for the silent installation of AridSpy on their devices.

Reverse-Engineering Apps 

Moreover, Arid Viper's ingenuity extends beyond mere app impersonation, as evidenced by their manipulation of legitimate app servers to facilitate data exfiltration. By reverse-engineering existing apps and utilizing their infrastructure, the group orchestrates a seamless data extraction process, further complicating detection and mitigation efforts. AridSpy's capabilities are not limited to data espionage alone; the spyware boasts a sophisticated feature set aimed at evading detection and maximizing information extraction. Through a combination of network evasion tactics and event-triggered data exfiltration mechanisms, AridSpy operates stealthily, siphoning off a plethora of sensitive data including call logs, text messages, media files, and even location information. As the online threats continue to target victims globally, users and organizations alike must remain vigilant against hackers groups and ransomware gangs. By staying informed and adopting robust security measures, individuals can mitigate the risks posed by malicious actors such as the Arid Viper group, safeguarding their digital assets and personal information from exploitation.

In today's cybersecurity world, the call for innovation and resilience has never been more urgent. Yet, amidst the pursuit of cutting-edge technologies and strategies, a critical aspect often overlooked is the power of neurodiversity. As organizations strive to cultivate inclusive environments and provide equal opportunities for neurodivergent individuals, questions abound on how this diverse talent pool can contribute to cybersecurity. This article aims to explore these questions comprehensively, shedding light on why embracing neurodiversity isn't just a moral imperative but a strategic advantage in safeguarding digital assets. By delving into the significance of neurodivergent individuals in the cybersecurity field readers will gain valuable insights into the importance of fostering inclusivity and understanding neurodiversity's role in shaping the future of cybersecurity.

What is Neurodiversity in Cybersecurity?

Neurodiversity in cybersecurity refers to the recognition and inclusion of individuals with diverse cognitive profiles, including conditions such as autism, ADHD, dyslexia, and others, within cybersecurity teams. These individuals bring unique perspectives, skills, and talents to the table, enhancing the overall effectiveness of cybersecurity operations. “Seeking out neurodiverse teammates in hiring and recognizing and building around their strengths can be a vital asset to anticipating an adversary’s moves and uncovering potential solutions to problems before they arise,” said Gunnar Peterson, CISO at Forter. Neurodiverse individuals often exhibit exceptional logical and methodical thinking, attention to detail, and cognitive pattern recognition skills. For example, they can hyperfocus on tasks, giving complete attention to specific issues for prolonged periods, which is invaluable in identifying and mitigating security threats. Their ability to engage deeply in their work ensures that even the smallest anomalies are detected and addressed swiftly. Moreover, many neurodiverse individuals thrive on repetitive tasks and routines, finding comfort and even excitement in long, monotonous processes. This makes them well-suited for roles that involve continuous monitoring and analysis of security data. Their high levels of concentration and persistence allow them to stay on task until solutions are found, ensuring thorough and effective problem-solving. Creativity is another significant benefit that neurodiverse individuals bring to cybersecurity. Their unique, nonlinear thinking enables them to approach problems from different angles and develop innovative solutions. This creativity is crucial for devising new methods to counteract evolving cyber threats. For instance, a neurodivergent team member might come up with an unconventional but highly effective way to secure a network that others might overlook. Furthermore, neurodiverse individuals often possess strong reasoning skills and keen awareness, contributing valuable insights into cybersecurity strategies. Their ability to think outside the box allows them to anticipate potential issues that others might miss, enhancing the overall security posture of an organization. In terms of teamwork, neurodiverse individuals respond well to inclusive environments. A diverse team, comprising various cognitive profiles, tends to react better to challenges and fosters a more innovative and productive atmosphere. When neurodivergent individuals are included and valued, team morale improves, leading to higher overall performance and productivity.

Challenges Faced by Neurodiverse Individuals in Cybersecurity

Neurodiverse individuals face several challenges in the workplace that can impact their ability to thrive, despite their unique strengths. For example, sensory sensitivities common in conditions like autism can make traditional office environments overwhelming due to bright lights, loud noises, or crowded spaces. This can lead to increased stress and decreased productivity. Communication barriers are another significant challenge, as some neurodivergent individuals may struggle with social cues and norms, making it difficult for them to participate effectively in team meetings or collaborative projects. For instance, someone with ADHD might find it challenging to maintain focus during long meetings, potentially missing critical information. Additionally, rigid workplace structures and a lack of flexibility can hinder neurodiverse employees, who may require different accommodations, such as varied working hours or remote work options, to perform optimally. These challenges highlight the need for inclusive workplace practices that recognize and support the diverse needs of neurodiverse individuals, enabling them to contribute their valuable skills more effectively.

How to Create Neurodiverse-Friendly Work Environments

Creating a neurodiverse-friendly work environment involves considering several key factors to support and accommodate the unique needs of neurodivergent individuals. Here are the steps to create such an environment: Sensory: Addressing the sensory environment is crucial. This means ensuring that the workplace is comfortable regarding lighting, noise, and overall ambiance. For example, providing noise-canceling headphones, adjustable lighting, or quiet workspaces can help neurodivergent employees focus better and reduce sensory overload. Timely: A timely environment means allowing sufficient time for tasks and avoiding unrealistic deadlines. Clearly communicating timeframes and allowing flexibility can reduce stress. For instance, giving employees enough time to complete tasks without last-minute rushes can improve their productivity and job satisfaction. Explicit: Communication should be clear and explicit. This involves providing detailed instructions and avoiding ambiguous language. For example, instead of saying, "Get this done soon," specify, "Please complete this task by 3 PM tomorrow." This clarity helps neurodivergent individuals understand expectations and reduces anxiety. Predictable: Creating a predictable environment can help reduce anxiety and improve focus. This includes having regular schedules and clear procedures. For instance, if meetings are scheduled at consistent times and agendas are shared in advance, neurodivergent employees can prepare better and feel more secure. Social: Fostering a supportive social environment means recognizing that not everyone may be comfortable with the same level of social interaction. Offering structured social activities and respecting individual preferences can create a more inclusive workplace. For example, providing clear invitations to social events with detailed information about what to expect can help neurodivergent employees feel more comfortable. Additionally, implementing a "traffic-light" system with colored cards or post-it notes (green for willing to interact, yellow for maybe, and red for needing to focus) can help manage social interactions effectively and respect individual boundaries. By incorporating these STEPS, organizations can create an inclusive and supportive work environment that leverages the unique strengths of neurodivergent employees, ultimately enhancing overall productivity and innovation. Training Programs: Providing specialized training and development programs can help neurodivergent individuals thrive in cybersecurity roles. This includes offering tailored training sessions that address their unique learning styles and strengths. For example, using visual aids and hands-on activities can enhance understanding and retention. Mentorship programs where experienced employees guide neurodivergent staff can also be beneficial, offering personalized support and career development advice. Moreover, continuous learning opportunities, such as workshops on the latest cybersecurity trends and technologies, can keep neurodivergent employees engaged and up-to-date with industry advancements.

Read Ahead

“Once we start to remove what those barriers are, the way that we do things, our culture of understanding and our bias of conditions, then we can start to be more inclusive and welcome a more diverse workforce,” said Foxcroft. By harnessing the unique strengths of neurodivergent individuals, organizations can unlock a wellspring of creativity, focus, and unconventional problem-solving. It's a future where cybersecurity teams aren't just well-equipped, but exceptionally prepared – a future where "thinking differently" becomes the key to defending against the unthinkable. So, what steps will you take to create a more inclusive cybersecurity workforce? The answers may well determine the future security of our digital world.

Imagine a team of brilliant detectives, each with their own quirks and talents. One might be a meticulous observer, another a whiz at puzzles, and the third a master of creative leaps. This diverse team is unstoppable, able to crack any case because their strengths complement each other. That's the power of neurodiversity in cybersecurity! People with autism, ADHD, dyslexia, and other conditions bring fresh and valuable perspectives to the fight against cybercrime, enhancing the ability to address complex challenges in innovative ways. They excel at spotting patterns, focusing intensely, and thinking outside the box - exactly what defenders need to outsmart hackers. Neurodiversity in cybersecurity is a concept that has gained significant traction over the past decade. The term "neurodiversity" originated in the late 1990s and has since evolved to encompass a range of conditions, not as limitations, but as strengths. Within the industry, this movement gained momentum around the mid-2010s. It stemmed from a critical need for diverse problem-solving skills and innovative thinking. Cybersecurity challenges are complex puzzles, requiring a variety of approaches to detect, analyze, and mitigate threats. By embracing neurodiversity, the industry doesn't just improve its capabilities, it sets a standard for inclusivity. It taps into a pool of untapped talent that perceives and interacts with the world in ways that benefit everyone. To celebrate this diversity, The Cyber Express hosted the "Inclusive Cyber" webinar. The event brought together experts to discuss how neurodiversity, with its wide range of cognitive styles and personalities, significantly enhances the field of cybersecurity. It's a space where innovation and diverse perspectives are not just beneficial, but essential.

Speakers' Insights on Neurodiversity in Cybersecurity

The webinar featured renowned cybersecurity champion Holly Foxcraft, recognized as one of the most influential women in the field. Alongside her was security wiz and advocate Jennifer Cox, Director for Ireland at Women in Cyber Security (WiCyS) UK & Ireland and a Security Engineering Manager at Tenable. The session was moderated by Jo Mikleus, Senior Vice President at Cyble, who skillfully facilitated the discussion, highlighting the critical role of inclusive practices in cybersecurity. Both speakers shared their personal and professional experiences with neurodiversity, providing valuable insights into the integration of neurodivergent professionals in the tech industry. Holly Foxcraft initiated the discussion by defining neurodiversity and its societal implications. She highlighted how societal norms often fail to accommodate the diverse ways individuals process information, which can lead to misunderstandings and underutilization of potential. Foxcraft explained, "Neurodiversity means that just like physical traits, our cognitive differences are natural. Society, however, has established certain expectations about how individuals should behave and process information. Deviations from these norms are termed as neurodivergence, encompassing recognized conditions such as autism and ADHD, and broader, undefined behaviors that diverge from what is considered typical." Following Holly’s introduction, Jennifer Cox discussed the common misconceptions about neurodivergent individuals, especially those with ADHD. She expressed, "There’s a prevalent myth that individuals with ADHD have boundless energy, which is far from reality. Managing everyday conversations can be as draining for us as physical exertion, leading to rapid burnout." Cox also shared her personal journey with ADHD, diagnosed in her forties, underscoring the challenges and late realizations many neurodivergent individuals face.

Challenges Faced by Neurodivergent Professionals

Jennifer Cox further addressed the managerial misconceptions surrounding the support needs of neurodivergent employees. She clarified that contrary to popular belief, neurodivergent individuals do not necessarily require extensive managerial time. Instead, they benefit significantly from targeted adjustments and understanding. "Simple changes like providing information in bullet points or understanding that lack of eye contact might indicate deeper concentration can make a substantial difference. These minor adaptations can greatly enhance workplace inclusivity and productivity," Cox explained. Both speakers emphasized the importance of tailored management strategies to effectively support neurodivergent employees. Implementing clear communication, recognizing the need for sensory accommodations, and allowing flexible work arrangements were discussed as key strategies that can enhance productivity and workplace satisfaction for all employees.

The Way Forward with Neurodiversity

The "Inclusive Cyber" webinar concluded by highlighting the indispensable link between neurodiversity and cybersecurity. By embracing neurodivergent capabilities, the cybersecurity industry not only enriches its pool of problem-solving strategies but also fosters a more inclusive and dynamic workforce capable of tackling complex security challenges. As the cybersecurity field continues to evolve, the insights shared by Jennifer Cox and Holly Foxcraft provide invaluable guidance for building diverse teams ready to face future challenges. The thoughtful integration of neurodivergent professionals into cybersecurity roles not only enhances the effectiveness of security measures but also contributes to a more inclusive and innovative workplace culture. This approach not only prepares organizations to better tackle emerging threats but also sets a precedent for the broader tech industry to follow.

Whenever people ask the best way to protect their accounts and devices, the answer is always to use a strong password. But how exactly does one do that? What constitutes a good password? In this article, we explain six ways to create a strong password that makes hackers give up trying to guess your details and steal your information. Keep reading to find out what your password should consist of to stay protected!

Steps to Create a Strong Password

1. Avoid Common Words

Avoid using easily guessable words or phrases. Examples include "123456," "password," or "qwerty." Instead, use phrases that may hold an unobvious personal meaning to you, such as a combination of words from a favorite book or a childhood memory. Hackers often use common password lists to guess and breach accounts, so avoid anything too predictable.

2. Avoid Personal Information

Refrain from including any personal information in your password, such as your name, birthday, or address. Hackers can easily obtain this information through social engineering or data breaches, making it relatively simple for them to guess your password. Keeping your password unrelated to your personal life adds an extra layer of security.

3. The Lengthier, the Better

The longer your password, the harder it is for hackers to crack through brute force attacks. A minimum of 12 characters is recommended, but going longer is better. For example, using a 16-character password significantly increases the number of possible combinations, making it more challenging for hackers to guess and increasing their likelihood of failing.

4. Use Complex Characters and Words

Passwords that use a variety of character types—such as uppercase letters, lowercase letters, numbers, and special characters—are better protected. For instance, a password like "P@ssw0rd123!" is much stronger than "password123." The complexity of using different forms of characters makes guessing much harder, especially if hackers use automated tools.

5. Randomize Passwords

Generating random passwords using browser-recommended ones or a password manager can be very effective in protecting your account. Password managers can store the randomized passwords after creating them. If you are worried about forgetting these randomly generated ones, you can create your own passphrase that makes sense only to you, such as "Green!Apple#Mountain*Sky." Ensure it's not easily guessable or uses common phrases.

6. Update and Change Regularly

Changing your passwords regularly is essential, especially if you have been warned of possible attempts at breaches or passwords being compromised. Regularly updating your passwords helps mitigate the risk of unauthorized access to your accounts, even if your current password is strong. It is important to create new ones instead of reusing old passwords, as hackers could use previously compromised credentials to gain access to other accounts.

Conclusion

When these six tips are combined, your password will keep your information secure. Repeating passwords or making variations of the same one fails to protect you. But with these tips, your first level of authentication is set to be almost impossible for hackers to penetrate. In a world where hacking and stealing information in cyberspace is becoming more common, it is essential for users to take the necessary steps to keep their passwords strong and their data protected. By following these guidelines, you can significantly reduce the risk of falling victim to cyberattacks and ensure your personal information remains safe.

Staying safe in the current climate of cyberattacks can be challenging and often frightening. With hacking and data theft becoming increasingly accessible and easier to execute, ensuring the safety of your personal information is essential. In this article, we will list the top ways to protect your identity on your devices and accounts from being stolen.

10 Easy Steps to Secure Your Identity

By following these 10 easy steps, you can secure your credentials, personal information, and more.

By Mohan Subrahmanya, Country Leader, Insight Enterprises In an era consistently besieged by data breaches and increased cyber threats, blockchain technology is emerging as a key tool for the enhancement of cybersecurity and the protection of data. It is a decentralized and secure way of recording critical data that brings forth innumerable benefits to many sectors through a sound framework for secure transactions and integrity of data.

Understanding Blockchain Technology

At its core, blockchain is a decentralized ledger that records transactions across a network of computers, ensuring that data remains transparent, secure, and immutable. Each block in the blockchain contains a timestamp, transaction data, and a cryptographic hash of the previous block, creating a chain of records that is nearly impossible to alter. The exponential growth of blockchain technology is fueled by the need to simplify business processes, increase transparency, improve traceability, and cut costs. According to ReportLinker, the global blockchain market is expected to increase by 80% between 2018 and 2023, from $1.2 billion to $23.3 billion.

Key Components of Blockchain That Ensure Data Security

Blockchain technology enhances data security by ensuring that data recorded once remains unalterable and undeletable without network consensus, thus maintaining integrity. One of the key features of blockchain technology is decentralization. Unlike traditional centralized databases, blockchain operates on a distributed network. This structure reduces the risk of a single point of failure and makes it much more difficult for malicious entities to compromise the entire system. By distributing data across multiple nodes, blockchain eliminates vulnerabilities associated with centralized servers, thereby enhancing overall security. Another feature is the Cryptographic hash function which plays a crucial role in blockchain security. These mathematical algorithms generate a unique identifier for each block, making it virtually impossible to alter any recorded data without detection. All the altered information on the blockchain is visible and immutable, which not only ensures data integrity but also provides a reliable mechanism to detect and prevent fraudulent activities. Blockchain also employs consensus mechanisms such as Proof of Work (PoW) and Proof of Stake (PoS) to validate transactions and ensure network consistency. By allowing only authentic transactions to be added to the blockchain, these mechanisms prevent double payments and other fraudulent practices. Digital signatures, which use a private key to sign transactions, further enhance this level of security. This ensures that only authorized individuals can initiate or modify data entries, while anyone with the public key can verify the authenticity of the transaction.

Applications Across Sectors

The use of blockchain technology could have a significant impact on cybersecurity across various sectors. Many organizations are recognizing the significant business benefits of blockchain technology and are increasingly adopting it across various sectors. Blockchain has a lot to offer, from manufacturing and healthcare to supply chains and beyond. Financial services, for instance, can benefit from blockchain's ability to secure transactions, reduce fraud, and improve transparency. The healthcare sector can utilize blockchain to secure storage and share patient information between authorized personnel, ensuring confidentiality and accuracy. In the manufacturing industry, blockchain is primarily used for the movement and management of digital assets and physical goods, enhancing transparency and traceability. In order to ensure a transparent and immutable record of the origin of products, supply chain management can use blockchain technology to prevent counterfeiting and ensure authenticity. Government services can also use blockchain to increase the security and efficiency of public records, voting systems as well as identity management.

Key Challenges and Considerations

There are certain challenges to the use of blockchain technology, despite its many benefits. Scalability is an important concern, as the number of transactions increases, the blockchain may become slow and costly to maintain. Furthermore, significant computational power is required for consensus mechanisms such as POW which could result in considerable energy consumption. Regulatory uncertainty is another issue, as the evolving legal landscape can obscure the widespread adoption of blockchain technology. Addressing these challenges is crucial for the continued growth and adoption of blockchain technology. Global efforts are being made to create scalable blockchain systems and more effective consensus methods. Additionally, regulatory frameworks are also evolving to offer more precise guidelines to implement blockchain technology.

Growth of Blockchain Technology in India

India is seeing a strong increase in the adoption of blockchain technology in many sectors. This growth is driven by government-backed projects and initiatives, such as the National Blockchain Framework, to improve transparency, security, and efficiency. The technology's potential to enhance data integrity and operational efficiency aligns well with India's digital transformation goals, making blockchain a key component in the nation's technological advancement. The use of blockchain technology has been much more of a game-changer in terms of data security and is supporting cybersecurity. It provides robust security against all cyber threats since it is decentralized, immutable, and fully transparent. Overcoming the challenges of scaling and regulatory uncertainty would enable blockchain's distributed ledger technology to emerge as the key player in secure digital infrastructures that drive innovation across all sectors. The more organizations study its potential applications, the more blockchain will change the face of data security and cybersecurity. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything. 

By Siddharth Deshmukh, Chief Operating Officer, Clover Infotech With the advent of digital, large volumes of data flow into the organizations’ systems daily. However, it’s the value of the data that makes it special. This data is often used to generate insights and predictions which are important to enhance productivity and ROI. But to ensure that the desired results are achieved, the data needs to be stored and organized in databases that enable easy access, modification, and management. In such a scenario, open source database is a wise choice as they offer flexibility, cost savings, and community support. They allow users to access and modify the source code, enabling customization to meet specific needs and fostering innovation. Being free of licensing fees, they reduce financial barriers for organizations of all sizes. While community versions of open-source databases like MySQL, PostgreSQL, and MongoDB are popular for their zero-cost entry and extensive community support, enterprise editions often provide a more comprehensive and reliable solution for businesses with critical needs.

Superior Features of Enterprise Editions

Here’s why enterprise editions are generally considered superior to community versions in an enterprise setting:  Enhanced Support and Reliability - One of the most significant advantages of enterprise editions is the professional support provided by the OEM. Unlike community versions, which rely on community forums and public documentation for troubleshooting, enterprise editions offer dedicated, round-the-clock technical support. This support is crucial for enterprises that require immediate resolutions to any issues that may arise, thereby minimizing downtime, ensuring business continuity, and adherence to compliance mandates. Advanced Security Features - Security is paramount for any enterprise, and enterprise editions of open-source databases typically come with enhanced security features not available in community versions. These may include advanced authentication methods, transparent data encryption, auditing capabilities, and more granular access controls. With cyber threats constantly evolving, having these robust security measures in place helps protect sensitive data from breaches and ensures compliance with industry standards and regulations. Performance Optimization and Scalability - Enterprise editions often include performance optimization tools and features designed to handle large-scale operations efficiently. These enhancements can significantly improve database performance, supporting faster query processing and better resource management. For businesses experiencing rapid growth or those with high transaction volumes, the ability to scale seamlessly is critical. Comprehensive Management Tools - Managing a database effectively requires a suite of tools for monitoring, backup, recovery, and automation. Enterprise editions usually provide a range of advanced management tools that simplify these tasks, reducing the administrative burden on IT teams. Features like automated backups, performance monitoring dashboards, and easy-to-use management interfaces help ensure that databases run smoothly, and potential issues are promptly addressed. Long-Term Stability and Support - Community versions often follow rapid release cycles, which can lead to stability issues as new features are continuously added and older versions quickly become outdated. In contrast, enterprise editions typically offer long-term support (LTS) versions, ensuring stability and ongoing updates without the need for frequent major upgrades. This stability is vital for enterprises that require reliable, long-term operation of their database systems. Tailored Solutions and Customization - Vendors offering enterprise editions frequently provide customized solutions tailored to the specific needs of their clients. This level of customization can include optimizing the database for particular workloads, integrating with existing enterprise systems, and even developing new features upon request. Such tailored solutions ensure that the database aligns perfectly with the business’ operational requirements.

To Wrap Up

In conclusion, while community versions of open-source databases are an excellent starting point, especially for small to medium-sized businesses or for non-critical applications, enterprise editions offer a suite of enhanced features and services that address the complex needs of larger organizations. With superior support, advanced security, performance optimizations, comprehensive management tools, and tailored solutions, enterprise editions ensure businesses can rely on their database systems to support their operations effectively and securely. Enterprise editions are a prudent choice for enterprises where data integrity, performance, and security are paramount. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything. 

Globe Life disclosed a recent cybersecurity incident that may have resulted in unauthorized access to its consumer and policyholder information. Globe Life is a Texas-based insurance holding company. It offers life, health, and worksite insurance products and services to consumers nationwide through its subsidiaries. The company has over 3,600 employees and also owns several insurance providers like Liberty National, United American and Family Heritage Life. The company had also been accused of shady financial tactics and business operations by short sellers Fuzzy Panda Research and Viceroy Research, allegations the company has denied.

Globe Life Breach Discovery and Containment

According to Globe Life's filing with the SEC, the company had conducted a security review on one of its web portals to discover potential vulnerabilities that may have affected its access permissions and user identity management. The investigation was prompted by a legal inquiry from a state insurance regulator on June 13, 2024. The review revealed that an unauthorized party may have accessed the company's web portal, compromising sensitive customer and policyholder data. The company stated that it had immediately revoked external access to the affected portal upon breach discovery. Globe Life said that at this stage, it believes the security issue is isolated to the one web portal. All other company systems remain fully operational. Globe Life added that it expected minimal impact to its business operations after the take down of the affected web portal. The company has activated its cybersecurity incident response plan and engaged external forensics experts to investigate the breach's scope. In its SEC filing, Globe Life disclosed that the investigation remains ongoing. The full impact and nature of the incident are unclear at the moment.

Incident Comes After Scrutiny Over Business Tactics

The company said it has yet to determine if the breach qualifies as a reportable cybersecurity incident under the SEC's disclosure rules. The disclosure comes amidst increasing scrutiny and financial setbacks suffered by the company. The Texas-based insurer has faced allegations of fraudulent sales tactics and other business and workplace improprieties. The short sellers Fuzzy Panda Research and Viceroy Research had made these allegations public in April 2024. While the company has continued to deny these claims, its share price has dropped by 24% since the publication of the Fuzzy Panda report. The reports claimed that Globe Life and its biggest subsidiary, American Income Life (AIL), had engaged in insurance fraud, framing of policies for dead and fictitious individuals, withdrawal of consumer funds without approval, unfair dismissal, misleading sales tactics and illegal kickbacks. They also alleged that some of AIL's most profitable agents had faced accusations of kidnapping, assault and child grooming from defendants, witnesses and plaintiffs. It remains unclear if the state insurance regulator contact that led to the breach discovery is related to these allegations. Insurers like Globe Life are regulated at the state level rather than federal level. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A 22-year-old British national, allegedly the leader of an organized cybercrime group that targeted nearly four dozen U.S. companies, was arrested in Palma de Mallorca at the behest of the FBI, said the Spanish National Police. The young man allegedly orchestrated attacks on 45 companies in the United States through phishing campaigns, and subsequently gained unauthorized access to sensitive company information and cryptocurrency wallets.

Cyber Scammer Used Familiar Playbook

The modus operandi of the cybercriminal was simple: use phishing techniques to obtain access credentials from individuals,; use these credentials to infiltrate corporate work systems; exfiltrate sensitive company data that was likely monetized and put up for sale on dark web forums; and also access victims' cryptocurrency wallets to siphon them off. This modus operandi allowed the scammer to amass a significant amount of bitcoins. The Spanish police said the young cyber scammer managed to gain control over 391 bitcoins - approximately valued at over $27 million - from his victims. The arrest occurred at Palma airport as the suspect was preparing to leave Spain on a charter flight to Naples. The operation was conducted by agents of the Spanish National Police in collaboration with the FBI. The investigation, led by the Central Cybercrime Unit and supported by the Balearic Superior Headquarters, began in late May when the FBI’s Los Angeles office requested information about the suspect that they believed was in Spain. The FBI reported that an International Arrest Warrant had been issued by a Federal Court of the Central District of California, prompting intensified efforts to locate the suspect.

Laptop, Phone Seized

The suspect was carrying a laptop and a mobile phone at the time of his arrest, which were seized. The judicial authority subsequently ordered the suspect to be placed in provisional prison. The FBI did not immediately provide a response on whether the young British man would be extradited to the U.S. to be tried, nor did they release details on an indictment, but many similar cases in the recent past show the possibility of that happening soon.

Linked to Scattered Spider?

The cybercrime-focused vx-underground X account (formerly known as Twitter) said the U.K. man arrested was a SIM-swapper who operated under the alias “Tyler.” Fraudster's transfer the target’s phone number in a sim swapping attack to a device they control and intercept any text messages or phone calls to the victim. This includes one-time passcodes for authentication or password reset links sent over an SMS. “He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group,” vx-underground tweeted. The details, however, could not be confirmed but independent journalist Brian Krebs said the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.

“Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.” - vx-underground

The initial access vector in the attack on MGM included targeting of a help desk executive with social engineering tactics. Mandiant in its latest report found Scattered Spider aka UNC3944 using the same modus operandi, and although no victim names were stated, it now suggests the possible linkage between them. *Update (June 17 5:45 AM EST): Added details on the 22-year old young cyber scammer's identity and possible links to Scattered Spider group.

The UK, US and Canada have accused Russia of an elaborate plot to interfere in Moldova’s upcoming presidential election and referendum on EU membership. The allegations came in a joint statement released on the opening day of the G7 summit, pointing to a far-reaching campaign of political meddling by Moscow. The three nations claim Russia is actively spreading disinformation to 'undermine Moldovan democratic institutions' and 'degrade public confidence' in the government ahead of the votes on October 20th. Specific targets include President Maia Sandu and her pro-Western administration, which has strongly backed Ukraine in the Russia-Ukraine conflict.

Kremlin Actors Seeking to Discredit Moldova's Leaders

According to a statement from the U.S. Embassy in Russia, Russian threat actors are aggressively distributing propaganda to “foment negative public perceptions” of President Sandu. This involves fabricating electoral irregularities while also aiming to incite protests if the incumbent president is re-elected. The plot dates back years, with the Kremlin providing support to fugitive Moldovan businessman Ilan Shor. Shor had previously been sentenced to 15 years in prison in connection with the disappearance of $1 billion from Moldovan banks in 2014. All three countries had issued sanctions on Shor for his connection to the incident. The statement singled out Russian state-television channel RT for providing several years of support to Shor. The UK, US and Canada claim they have already shared detailed evidence with Moldovan authorities to enable further investigation and disruption. They also state they will continue backing Moldova with a range of support measures as it deals with Russian interference and fallout from the Ukraine war.

All Three Countries Announce Support at G7 Summit

The three nations expressed confidence in Moldova's ability to manage these threats linked to Russian interference. They have taken several measures to support Moldova's efforts, including:

• The sharing of detailed information with Moldovan partners to investigate, thwart, and put a stop to the Kremlin's plans.
• Increasing accountability and punishment for individuals and entities involved in covertly financing political activities in Moldova through sanctions and potential further actions.
• Strongly supporting Moldova's democratic, economic, security, and anti-corruption reforms, as well as its deepening European integration.

The three nations affirmed their support deepening ties between Moldova and the EU. President Sandu is widely perceived as a firmly pro-Ukranian and pro-Western leader since her election in 2020. In reaction, the Kremlin appears intent on preventing her re-election in order to install a more Russia-friendly president. By publicizing the interference plot, the Western allies hope to deter Moscow while urging respect for Moldovan sovereignty and free, fair elections. However, with under five months until the votes, concerns remain high over Russia's determination to influence election results. "We will continue to stand with all of our friends, partners, and Allies in defense of our shared democratic values and freedoms," the statement read. The U.S. embassy's statement also highlighted the surrounding threat to elections in 2024, a year in which "hundreds of millions of people across Europe and North America go to the polls to select their leaders in European, national, regional, and local elections."

Russia Is a Threat to Election Security: Researchers

An earlier report from Mandiant in April suggested that Russia presented the biggest threat to election security in the United States, United Kingdom and European Union. “Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” the report stated. Experts also fear Russian attempts at spreading disinformation or influencing public opinion on non-election events such as the upcoming 2024 Summer Olympics in Paris. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

June 13, 2024 may go down as one of the tougher days in Microsoft’s long history. The day started with a report alleging that a vulnerability long neglected by Microsoft led to the SolarWinds software supply chain breach in 2021; was followed by a nearly three-hour hostile hearing on Capitol Hill over the software giant’s security failures that resulted in a massive hack by China of U.S. government email systems; and it ended late at night with the company’s announcement that it will delay the rollout of its Windows Recall screen recording feature that faced heavy criticism from cybersecurity researchers over the lack of security and data privacy controls built into Recall. Microsoft President Brad Smith struck a conciliatory tone in his hearing with U.S. lawmakers and he outlined plans to improve security at the company, but the bungled launch of Recall – coming after the company had already pledged at least twice to improve security – shows that the software and cloud technology giant has a long way to go to make good on those pledges.

Recall Controversy Took Off After a Report on The Cyber Express

Calls to overhaul Recall’s security and privacy features started with the work of security researcher Kevin Beaumont, who called the lack of controls the “dumbest cybersecurity move in a decade.” Beaumont’s work demonstrating Recall’s security holes was first reported in a Cyber Express article that landed on the front page of tech news aggregator Slashdot, where it received 140 comments, and the story took off from there, creating something of a PR nightmare for Microsoft. Further proofs supporting Beaumont’s work emerged, and Microsoft belatedly tried to address the security and privacy concerns, but apparently not in time for the release of Copilot+ PCs planned for June 18. In a blog post update late on June 13, Microsoft said Recall will now become “a preview available first in the Windows Insider Program (WIP) in the coming weeks. Following receiving feedback on Recall from our Windows Insider Community, as we typically do, we plan to make Recall (preview) available for all Copilot+ PCs coming soon. “We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security.”

Beaumont Welcomes Microsoft Recall Delay, Awaits Changes

In a post on a Mastodon cybersecurity instance, Beaumont welcomed the Microsoft Recall delay. “Good on Microsoft for finally reaching a sane conclusion,” he wrote. “When it does appear in preview channels, privacy and security researchers need to keep a close eye on what Microsoft are doing with the feature. “Microsoft tried developing this feature in secret in a way which tried to avoid scrutiny. Thank you to everyone who stood up.” Beaumont said it’s his understanding that Recall was developed without input from security and privacy staff. “I've also been told Microsoft security and privacy staff weren't provided Recall, as the feature wasn't made available broadly internally either,” he said.

Europol coordinated two separate operations this week to disrupt 13 websites used in spreading terrorist propaganda online. This action followed a year-long operation involving ten law enforcement authorities across Europe. The targeted websites were linked to Islamic State, al-Qaeda and its affiliates, and the Syria-based rebel group Hay’at Tahrir al-Sham.

“The disrupted terrorist operated websites worked as a node and an archive for terrorist propaganda produced by the different IS [Islamic State] media outlets using a multiplatform approach.” - Capt. Alberto Rodríguez Vázquez of Spain's Guardia Civil.

Servers Taken Down in Europe and U.S.

Europol reported that servers were taken down in Germany, the Netherlands, the United States and Iceland under Operation HOPPER II. The authorities in Spain also arrested nine “radicalized individuals” from different nationalities. Spain's Guardia Civil led a separate operation, dubbed ALMUASASA, against media linked to the Islamic State’s I’LAM Foundation. Europol said this organization ran global communication channels, including radio stations, a news agency, and social media content.

“The network was designed to be resilient and low profile and that explains its multi-server hosting strategy. It operated both on the surface web and the dark web.” – Vázquez.

Terrorist Propaganda in 30 Languages

The organization communicated Islamic State directives and slogans in over 30 languages, including Spanish, Arabic, English, French, German, Danish, Turkish, Russian, Indonesian, and Pashto. Investigations revealed several terabytes of information, which will help law enforcement in further investigations into the terror group. The overall terrorist threat to the European Union remains high, with jihadist terrorism being a principal concern. Europol's operations followed the seizure of four computer servers in Romania, Ukraine, and Iceland, as part of ongoing investigations into religious and politically motivated terrorist groups.

“The servers supported multiple media outlets linked to Islamic State. They were used to disseminate worldwide propaganda and messages capable of inciting terrorism.” - Europol

According to Europol, the targeted websites enabled terrorist organizations and violent extremists to bypass the enhanced moderation and content removal efforts of mainstream online service providers. This helped them maintain a persistent online presence. The sites were used for recruitment, fundraising, inciting violence, and spreading propaganda, including manuals for creating explosives and content designed to radicalize and mobilize individuals. [caption id="attachment_77383" align="aligncenter" width="1024"] Jode de la Mata Amaya, national member for Spain, Eurojust (Source: YouTube)[/caption] The investigation has also revealed important details on the financing of the terrorist networks, which will be pivotal in future combat of threats from these networks, said Jode de la Mata Amaya, national member for Spain, Eurojust. All the 13 websites were referred for removal under European Union laws that mandate all hosting service providers remove flagged content within an hour of receiving a removal order or face penalties determined by individual member states.

The Cyber Express, in collaboration with Cyble Research & Intelligence Labs (CRIL), is dedicated to providing the latest and most comprehensive information on security vulnerabilities. Each week, we deliver actionable insights for IT administrators and security professionals, crafted by highly skilled dark web and threat intelligence researchers at Cyble. Cyble has identified several important bugs in its Weekly Vulnerability Report that require urgent attention. The full report covers these vulnerabilities, along with details and discussion around exploits found on the dark web, industrial control system (ICS) vulnerability intelligence, and cybersecurity defenses. Cyble security analysts have also conducted scans of customer environments to alert them of any exposures.  These vulnerabilities, highlighted from June 05, 2024, to June 11, 2024, include critical issues that could be easily exploited. Failure to patch these vulnerabilities could result in unauthorized access, data breaches, and significant operational disruptions.  Cyble researchers found over 1 million internet-facing assets exposed to these vulnerabilities, highlighting the urgency of addressing these security flaws.

Critical Vulnerabilities and Their Impact

Here are details and analysis of five of the most critical vulnerabilities identified by Cyble.

GitHub Access Token (CVE-2024-37051)

Overview: Exposed access tokens have been identified, which could allow unauthorized individuals to access GitHub accounts. This can lead to the manipulation or theft of code, posing a severe threat to software integrity and security.  Impact: Unauthorized access to repositories can result in the leakage of sensitive information, insertion of malicious code, and potential compromise of projects dependent on the affected repositories. 

FortiOS SSL-VPN (CVE-2022-42475)

Overview: A critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN has been actively exploited in cyber-espionage campaigns. This vulnerability allows attackers to execute arbitrary code on the affected systems.  Impact: Successful exploitation can lead to full control over the compromised system, enabling data theft, network breaches, and service disruptions. 

PHP Remote Code Execution (CVE-2024-4577) 

Overview: Multiple versions of PHP have been found vulnerable to remote code execution. This vulnerability has been exploited to deploy ransomware, affecting web servers running the compromised PHP versions.  Impact: Exploitation can result in the complete compromise of web servers, data exfiltration, and file encryption for ransom. 

Netgear Authentication Bypass (CVE-2024-36787)

Overview: A vulnerability in Netgear routers allows attackers to bypass authentication mechanisms, granting unauthorized access to router settings.  Impact: Unauthorized access can modify network settings, intercept data, and further network compromises. 

Veeam Backup Enterprise Manager (CVE-2024-29849)

Overview: A critical vulnerability in Veeam Backup Enterprise Manager allows unauthenticated users to log in, posing a high risk of data theft and manipulation.  Impact: Unauthorized access to backup systems can result in data breaches, loss of critical backup data, and potential operational disruptions. 

Weekly Vulnerability Report: Highlights

CVE-2024-37051 

Impact Analysis: A critical vulnerability in the JetBrains GitHub plugin on the IntelliJ open-source platform affects all IntelliJ-based IDEs, leading to the exposure of GitHub access tokens. TAs can leverage the vulnerability by using exposed tokens to gain unauthorized access to user GitHub accounts and repositories and possibly deploy malicious code or delete the repositories.  Internet Exposure: No  Patch: Available 

CVE-2022-42475 

Impact Analysis: A critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN and FortiProxy SSL-VPN allows remote unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. Reports suggest that Chinese TAs weaponized this vulnerability in cyber-espionage campaigns targeting government institutions for a few months between 2022 and 2023 to deploy malware on vulnerable Fortigate network security appliances.  Internet Exposure: Yes  Patch: Available 

CVE-2024-4577 

Impact Analysis: A critical remote code execution (RCE) vulnerability affecting PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 when using Apache and PHP-CGI on Windows. PHP is a widely used open-source scripting language designed for web development, and the vulnerability can reveal the source code of scripts and enable TAs to run arbitrary PHP code on the server. Recently, researchers observed that the TellYouThePass ransomware gang has been exploiting the vulnerability to deliver webshells and execute the encryptor payload on target systems.  Internet Exposure: Yes  Patch: Available 

CVE-2024-4610 

Impact Analysis: A use-after-free vulnerability in Arm Ltd Bifrost GPU Kernel Driver and Arm Ltd Valhall GPU Kernel Driver allows local non-privileged users to gain access to already freed memory through improper GPU memory processing operations.  Internet Exposure: No  Patch: Available 

CVE-2024-36787 

Impact Analysis: This vulnerability in Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 allows attackers to bypass authentication and access the administrative interface, posing a severe threat to network security and sensitive user data.  Internet Exposure: Yes  Patch: Not specified 

CVE-2024-29849 

Impact Analysis: A vulnerability in Veeam Backup Enterprise Manager (VBEM) allows unauthenticated attackers to log in as any user to the enterprise manager web interface. This poses a high risk due to the global use of Veeam products and the availability of publicly available proof-of-concept (PoC).  Internet Exposure: Yes  Patch: Available 

CVE-2019-9082 & CVE-2018-20062 

Impact Analysis: These vulnerabilities impact ThinkPHP, an open-source PHP framework with an MVC structure, leading to remote code execution (RCE). Chinese threat actors have leveraged these vulnerabilities to install a persistent web shell named Dama.  Internet Exposure: No  Patch: Not specified 

CVE-2024-24919 

Impact Analysis: This vulnerability impacts Check Point Remote Access VPN and allows attackers to read information from Internet-connected gateways with remote access VPN or mobile access enabled. It has been exploited in zero-day attacks since April 30, enabling lateral movement through victim networks by stealing Active Directory data.  Internet Exposure: Yes  Patch: Available 

CVE-2024-30080 

Impact Analysis: A critical remote code execution vulnerability in Microsoft’s Message Queuing (MSMQ) can be exploited by unauthenticated attackers via specially crafted malicious MSMQ packets. Microsoft addressed the flaw in its monthly Patch Tuesday update. Internet Exposure: Yes  Patch: Available 

Industrial Control Systems (ICS) Vulnerabilities 

The report also highlights vulnerabilities in Industrial Control Systems (ICS), which are critical to sectors such as healthcare, emergency services, and energy. The majority of these vulnerabilities are categorized as high and critical severity, emphasizing the importance of securing ICS environments. 

Recommended Mitigation Strategies 

To mitigate the risks associated with these vulnerabilities, the following strategies are recommended: 

• Regular Software and Hardware Updates: Ensure all systems and devices are up to date with the latest security patches and firmware updates. 
• Patch Management: Implement a comprehensive patch management process to promptly address and apply patches for known vulnerabilities. 
• Network Segmentation: Segment networks to limit the spread of attacks and reduce the attack surface. 
• Incident Response and Recovery Plans: Develop and regularly update incident response and recovery plans to ensure swift action in the event of a breach. 
• Monitoring and Logging Solutions: Deploy advanced monitoring and logging solutions to detect and respond to suspicious activities in real time. 
• Regular Vulnerability Assessments and Penetration Testing: Conduct regular vulnerability assessments and penetration tests to identify and remediate security weaknesses. 
• Strong Password Policies and Multi-Factor Authentication: Enforce strong password policies and implement multi-factor authentication to enhance access control.

The report also notes the active discussion and sharing of several vulnerabilities on underground forums. These include vulnerabilities affecting popular platforms such as WordPress and macOS, which cybercriminals are exploiting. 

Conclusion 

The findings of the Weekly Vulnerability Intelligence Report highlight the critical need for continuous vigilance and proactive cybersecurity measures. Organizations must prioritize patch management, conduct regular security audits, and maintain incident response plans to protect against emerging threats.  Stay ahead of cyber threats with the Weekly Vulnerability Intelligence Report by Cyble, brought to you by The Cyber Express. Subscribe now for the latest insights powered by Cyble's advanced AI-driven threat intelligence.

As anticipation builds for the upcoming Paris 2024 Summer Olympic Games, security researchers and officials have observed an uptick in scams abusing legitimate Olympics branding. French Gendarmerie officials discovered over 300 bogus ticketing sites aiming to steal money and personal information by deceiving individuals who are in a hurry to book tickets for the events. Recent research investigates a prominent example (paris24tickets[.]com) from these websites. The site appears among the top paid results in Google searches and promotes itself as a secondary marketplace for sports and live events tickets.

Website Incorporates Official Paris 2024 Summer Olympic Games Branding

The 'paris24tickets[.]com' website appeared professional and legitimate at first glance. The site advertised itself as a “secondary marketplace for sports and live events tickets,” and was displayed as the second result among sponsored Google search results for 'paris 2024 tickets.' It allowed visitors to navigate through upcoming Olympic events, select event specific tickets, and enter payment information. Its polished design resembled that of trusted ticketing platforms, along with the official Olympics ticket purchase site. Proofpoint researchers warned that the website was entirely fraudulent despite its authentic look and feel. The site was likely collecting users’ financial and personal information rather than actually processing ticket orders. The researchers acted swiftly to suspend the misleading domain upon its discovery. [caption id="attachment_77366" align="alignnone" width="2800"] Impersonating domain 'paris24tickets[.]com' (Source: archive.org)[/caption] [caption id="attachment_77365" align="alignnone" width="2800"] Official Olympics Ticketing Site (Source: https://tickets.paris2024.org)[/caption] The researchers noticed that in some cases, the scammers even sent emails promising "discounts" on coveted tickets to victims. This tactic was likely done to lure unsuspecting individuals, who may have been desperate to secure tickets at lower costs. Victims who have provided their personal or financial information on the fraudulent website risk having their identities and money stolen. The scammers behind these websites may also collect important personal data, such as names, contact information, and credit card details, for sale or further malicious campaigns.

French Gendarmerie Nationale Reported the Discovery of 338 Scam Sites

The 'paris24tickets[.]com' website represents just a tiny fraction of a much broader network of fraudulent Olympics domains. The French Gendarmerie Nationale had identified approximately 338 such websites since March 2023, and made subsequent efforts to shut them down; 51 of these sites were stated to have been closed while 140 of them were put on notice. The fraudsters behind these scams likely rely on sponsored search engine ads and targeted emails to drive traffic to impersonating websites. Offers of special deals and discounts are further lures to draw-in potential victims. [caption id="attachment_77367" align="alignnone" width="1000"] Source: Shutterstock[/caption] 200 French gendarmes had been mobilized as a distinct unit to monitor the internet and various different social networks for Olympics ticketing-related fraud and mass resales, under the direction of the Europol. These units work along with the DGCCRF (Directorate General for Consumer Affairs, Competition and Fraud Prevention) in France. Captain Etienne Lestrelin, director of operations at the unit, told France Info radio that social media such as Facebook, Leboncoin, Telegram and Instagram were often “the primary source of resale attempts.” He added, “This is an exchange from individual to individual. Except that the buyer does not know if the person really owns the tickets, since they are virtual tickets, not tickets paper. So people are selling you wind, we don't know what they're selling." Lestrelin advised that tickets sold at too low of a price can alert potential buyers: "You will never have a ticket below its original cost. The goal of people who were able to buy tickets in volume and with the intention of reselling them, it is to make a profit So it is an alert if you find a much cheaper ticket. The sentence to remember is that there is no. very good deals on the internet, it's not possible." He instructed that it was also not possible to own a ticket before the event begins and QR Codes are generated. Anyone who claims to be currently in possession of a ticket, or owns tickets that seem visually legitimate, is still a fraud. He warned buyers to be vigilant about buying such tickets outside of official sources because it can also be an offense. "You are associating yourself with the offense that the seller commits when he resells without going through the official website. This is a criminal offense," he stated. To validate purchases, buyers can cross-check provided references with the official Paris 2024 Summer Olympic Games application. Buyers who suspect that they may have been duped can report to a police station, a gendarmerie or the DGCCRF. Legitimate ticket purchases can be made through the official ticketing website or official sub-distributor network.

Ukraine’s Security Service (SBU) detained two individuals accused of aiding Russian intelligence in hacking the phones of Ukrainian soldiers and spreading pro-Kremlin propaganda. The suspects operated bot farms using servers and SIM cards to create fake social media accounts. One bot farm in the Zhytomyr Oblast was hosted in an apartment of a Ukrainian woman. She allegedly registered over 600 virtual mobile numbers and several anonymous Telegram accounts.

Russian Intelligence Installed Spyware in Campaign

The woman sold or rented these accounts in exchange for cryptocurrency on online Russian underground marketplaces. Russian intelligence used these accounts and numbers to hack phones of Ukrainian military personnel by sending phishing emails containing spyware that collected sensitive confidential data. Russian hackers were recently observed using legitimate remote monitoring and management (RMM) software to spy on Ukraine and its allies. [caption id="attachment_77338" align="aligncenter" width="1024"] Source: SBU[/caption] According to the SBU, the accounts hosted on this bot farm were also used to spread pro-Kremlin propaganda purporting as ordinary Ukrainian citizens. Another 30-year-old man from Dnipro allegedly registered nearly 15,000 fake accounts on various social networks and messaging platforms using Ukrainian SIM cards. He sold these accounts to Russian intelligence services on darknet forums. [caption id="attachment_77337" align="aligncenter" width="1024"] Source: SBU[/caption] Both suspects face up to three years in prison or a fine if found guilty. The investigation continues.

Russian Bot Farms Used Since Invasion Started

Russia has used bot farms to disseminate Kremlin propaganda, incite panic and manipulate narratives since the beginning of its Ukrainian invasion. The Ukrainian authorities have busted dozens of bot farms and arrested hundreds of people across the country who operate them. In December 2022, they dismantled more than a dozen bot farms. In September of that year, two bot farms were taken down, while in August a group that operated more than 1 million bots was also dismantled. Bot farm operators typically receive payments in Russian rubles, a prohibited currency in Ukraine. These activities continued in the second year of the war, where the Ukrainian Cyber Police raided 21 locations across the country and seized computer equipment, mobile phones and more than 250 GSM gateways. This included 150,000 SIM cards of different mobile operators used in the illicit activities to create fake social media profiles.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a comprehensive set of advisories to secure Industrial Control Systems (ICS) against exploitable vulnerabilities. Released today, the CISA advisories are aimed at equipping users and administrators with timely insights into prevalent security issues, vulnerabilities, and potential exploits within ICS infrastructure. The CISA advisories, 20 in all, offer in-depth technical details and mitigation strategies for identified vulnerabilities across various ICS components. CISA highlights the importance of promptly reviewing these advisories to enhance the resilience of industrial systems against online threats.

CISA Issues 20 Industrial Control Systems Advisories

One of the critical vulnerabilities highlighted is CVE-2024-33500, impacting Siemens Mendix Applications. This vulnerability, stemming from improper privilege management, presents a risk of remote exploitation. Siemens recommends immediate updates to affected versions and implementing additional mitigations to thwart potential attacks. Another significant concern involves vulnerabilities affecting Siemens SIMATIC S7-200 SMART devices. These vulnerabilities, attributed to insufficiently random values, may pave the way for denial-of-service attacks. Siemens advocates for network access restrictions and adherence to industrial security protocols to mitigate risks effectively. Additionally, Siemens TIA Administrator faces vulnerabilities due to insecure permissions in temporary file creation processes. While no known public exploits exist presently, Siemens advises users to update to the latest version and enforce stringent network security measures.

Multiple ICS Vulnerabilities Reported

The CISA advisories also shed light on vulnerabilities in Siemens SCALANCE XM-400 and XR-500 devices, Fuji Electric's Tellus Lite V-Simulator, and Rockwell Automation's FactoryTalk View SE, among others. These vulnerabilities, ranging from inadequate encryption strength to permission assignment flaws, highlights the diverse spectrum of risks facing industrial environments. Despite the absence of known public exploits targeting these vulnerabilities, CISA emphasizes the importance of proactive measures such as network segmentation, secure remote access methods, and heightened awareness of social engineering tactics. The CISA advisories also address vulnerabilities in Motorola Solutions' Vigilant License Plate Readers and Mitsubishi Electric's MELSEC-Q/L Series and Multiple Products. These vulnerabilities, discovered by security researchers, highlight the collaborative efforts needed to safeguard critical infrastructure against emerging cyber threats. As organizations navigate the complex landscape of industrial cybersecurity, the issuance of these CISA advisories serves as a crucial resource for bolstering defenses and fostering a resilient ICS ecosystem. By staying informed and implementing recommended mitigations, stakeholders can mitigate risks and uphold the integrity and reliability of critical industrial operations.

The Chinese University of Hong Kong (CUHK) has been confronted by a massive data breach that has compromised personal information of precisely 20,870 students, staff and past graduates. The CUHK data breach was initially identified on June 3, 2024, prompting swift action by the institution. An investigation is currently underway to trace the culprits and to take corrective measures.

Understanding the CUHK Data Breach

The CUHK is one of the premier institutes in China which was established in 1963 and is the first research university in Hong Kong. The cyberattack on CUHK reportedly took place on June 1 at its School of Continuing and Professional Studies (CUSCS). In a statement put out by the school on June 13, CUSCS said that it had undertaken an investigation into the breach on June 3. An information technology security consultant was appointed by the college to assess the breach. The investigation revealed that the school’s “Moodle learning management system” was hacked. Moodle is an open-source learning management system designed. It allows educators, administrators and learners to create personalized learning environments for online projects in schools, colleges and workplaces. Moodle can be used to create custom websites with online courses and allows for community-sourced plugins. [caption id="attachment_77266" align="alignnone" width="1196"] Source: CUSCS Website[/caption] According to the CUSCS, the leaked data included the names, email addresses, and student numbers of 20,870 Moodle accounts of tutors, students, graduates, and visitors. This personal data was reportedly stolen after a server at one of the institution’s schools was hacked. Despite the university management stating that the sensitive data was not leaked on any public platforms, the breached information was found to be readily available on the dark web domain BreachForums. A Threat Actor (TA), who goes by the alias “Valerie”, put up a post on dark web stating that the hacker was willing to sell the data. The TA noted that, “75 per cent of the stolen data was sold to a private party, which financed the breach.  The rest of the data was not shared. So upon multiple offers, we decided to make a public sell.” To claim that the data was credible, the TA provided samples, which included the username, first name, last name, institution, department, mobile number and city of the victims of the data breach.

Investigation Status of CUHK Data Breach

The CUSCS stated that as soon as its investigation revealed a massive data breach, it had deactivated the relevant account and reset the password. It added that, apart from the relevant server, the online learning platform has been moved, and security measures have been strengthened to block any account after three unsuccessful login attempts. “CUHK has also been notified of the incident. The college has also established a crisis management team composed of the dean, deputy dean, information technology services director, administrative director and communications and public relations director to assess the risks,” CUSCS said. The college also had filed a complaint over the data breach to the local police. The university, too, has notified the city’s privacy watchdog-Office of the Privacy Commissioner for Personal Data (PCPD), in accordance with established procedures. The PCPD acknowledged receipt of the complaint on June 13.

CUHK Data Breach: Institutions in Hong Kong Under Scanner

In what is becoming a trend, CUHK has become the third educational institute in Hong Kong this year to fall victim to cyberattacks. In May, the Hong Kong Institute of Contemporary Culture, Lee Shau Kee School of Creativity, fell victim to a ransomware attack where the data of over 600 people was leaked. Similarly, in April, a private medical facility, Union Hospital, suffered a ransomware attack affecting its servers, which allegedly resulted in operational paralysis. The Hong Kong College of Technology too suffered a ransomware attack in February, which led to the data of around 8,100 students being breached.

Hacktivist group 177 Members Team has claimed a cyberattack on Malaysia's leading internet service provider, Unifi TV. The Unifi TV cyberattack was posted on a dark web leak site, highlighting crucial details about the organization with links shared to confirm the intrusion. Unifi TV, a subsidiary of Telekom Malaysia Berhad, offers a range of services including internet access, VoIP, and IPTV. The threat actor claimed this attack on June 12, 2024, and took responsibility for compromising Unifi TV's systems and launching multiple Distributed Denial of Service (DDoS) attacks against the company.

177 Members Team Claims Unifi TV Cyberattack

[caption id="attachment_77209" align="alignnone" width="525"] Source: Dark Web[/caption] The cyberattack on Unifi TV was aimed at disrupting the operation of the organization and highlighted the importance of robust cybersecurity measures in safeguarding critical digital infrastructure. Despite claims by the threat actor that the Unifi TV website was down, the web pages seem to be operational at the moment and don’t show any immediate sign of the cyberattack. The impact of the cyberattack extends beyond Unifi TV, affecting not only the telecommunications industry but also posing a threat to Malaysia's digital ecosystem as a whole. With the country witnessing over 3,000 cyber attacks daily, according to Defence Minister Datuk Seri Mohamed Khaled Nordin, the cyberattacks on Malaysia highlights the growing nature of ransomware groups and hacktivist collectives targeting the nation. 

Previous Cybersecurity Incidents

While Unifi TV has yet to release an official statement regarding the cyberattack, concerns about data breaches have been previously raised. In July 2023, Telekom Malaysia issued a data breach alert to Unifi users, stating that personal information, including names, identification numbers, and contact details, may have been compromised. The company assured users that measures had been taken to contain the breach and protect customer data. In light of these incidents, cybersecurity experts emphasize the need for proactive measures to mitigate future threats. Collaborative efforts between government agencies, law enforcement, and private sector entities are crucial in addressing online threats that target Asian nations. As for the current Unifi TV cyberattack claims, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged attack or any official confirmation from the organization.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. food chain giant Panera Bread has begun notifying its employees of a significant data breach that occurred as a result of a ransomware attack in March 2024. The company, along with its franchises, operates 2,160 cafes under the names Panera Bread or Saint Louis Bread Co, spread across 48 states in the U.S. and Ontario, Canada. The Panera Bread data breach was disclosed in notification letters filed with the Office of California's Attorney General, where Panera detailed its response to what it termed a "security incident." Upon detecting the Panera Bread data breach, the company acted swiftly to contain it, enlisting external cybersecurity experts to investigate and inform law enforcement of the situation. The files involved were reviewed, and on May 16, 2024, we determined that a file contained your name and Social Security number. Other information you provided in connection with your employment could have been in the files involved. As of the date of mailing of this letter, there is no indication that the information accessed has been made publicly available," reads Panera's official notification.

Panera Bread Data Breach: Impact on Employees and Operations

The ransomware attack has had substantial repercussions on Panera's operations and its employees. Many of Panera's virtual machine systems were reportedly encrypted during the attack, leading to a significant outage that crippled internal IT systems, phones, point of sale systems, the company’s website, and mobile apps. During this outage, employees were unable to access their shift details and had to contact their managers to obtain work schedules. The stores faced further disruption as they could only process cash transactions, with electronic payment systems down. Additionally, the rewards program system was inoperable, preventing members from redeeming their points. The most concerning aspect of the breach for employees is the compromise of sensitive personal information. Panera has confirmed that files containing employee names and Social Security numbers were accessed. There is also the potential that other employment-related information was compromised. However, the company has assured employees that, as of the notification date, there is no evidence that the accessed information has been publicly disseminated. To mitigate the potential impact on affected individuals, Panera is offering a one-year membership to CyEx's Identity Defense Total, which includes credit monitoring, identity detection, and identity theft resolution services. This proactive measure aims to help employees safeguard their identities and respond swiftly to any signs of fraudulent activity.

The Bigger Picture: Unanswered Questions

Despite the detailed notifications to employees, Panera has yet to publicly disclose the total number of individuals impacted by the breach. The identity of the threat actors behind the ransomware attack also remains unknown. No ransomware group has claimed responsibility, which raises speculation that the attackers might be awaiting a ransom payment or have already received it. Moreover, Panera has not responded to requests for comment from The Cyber Express regarding the outage and the ransomware attack. This lack of communication leaves several critical questions unanswered, particularly about the measures being taken to prevent future incidents and the ongoing efforts to recover from the current breach.

Implications for Panera Bread Data Breach

The implications of this ransomware attack extend beyond the immediate disruption and data breach. Panera Bread's reputation is at stake, as customers and employees alike may question the company's ability to protect sensitive information. The operational disruptions also highlight vulnerabilities in the company’s IT infrastructure that need to be addressed to prevent similar incidents in the future. In response to the data breach, Panera has committed to enhancing its existing security measures. The company is likely to conduct a thorough review of its cybersecurity policies and practices to identify and address any gaps. Additionally, ongoing communication with employees and stakeholders will be crucial in rebuilding trust and ensuring that all affected parties are adequately supported. As the investigation continues, further details may emerge about the nature of the breach and the steps Panera is taking to strengthen its defenses.

Dordt University, a distinguished private Christian liberal arts college renowned for its reformed Christian perspective on education, has encountered a cybersecurity incident carried out by the BianLian ransomware group. The Dordt University data breach has listed a substantial amount of sensitive information online, leaving both the institution and its stakeholders in a state of vulnerability. The ramifications of this Dordt University data leak are profound, with a staggering revenue of $36.2 million and a data cache of approximately 3 terabytes compromised. Among the trove of exposed data are intricate financial records, personnel files, vital databases, internal and external email correspondences, incident logs, as well as comprehensive student profiles encompassing both local and international enrollees. 

Unverified Claims of Dordt University Data Breach

[caption id="attachment_77186" align="alignnone" width="1240"] Source: Dark Web[/caption] According to the threat actors, even minors' data has reportedly fallen prey to this Dordt University breach, alongside personally identifiable information (PII) and protected health records (PHI). Despite the gravity of the situation, official responses from Dordt University have yet to materialize, leaving the authenticity of the claims surrounding the Dordt University data leak in a precarious limbo.  Notably, the BianLian ransomware group seems to have targeted the database infrastructure rather than executing a frontal assault on the university's website, suggesting a meticulously orchestrated campaign targeting the institution's digital backbone.

The Rise of BianLian Ransomware Group

The BianLian ransomware group has carried out similar cyberattacks in the past and this Dordt University data leak has prompted a collaborative effort from cybersecurity agencies, including the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC), to disseminate crucial intelligence on the modus operandi of the BianLian ransomware and data extortion group. Originating in June 2022, BianLian has brazenly targeted critical infrastructure sectors in both the United States and Australia, leveraging tactics such as exploiting valid Remote Desktop Protocol (RDP) credentials and employing open-source tools for reconnaissance and credential harvesting. The evolution of BianLian's extortion tactics, transitioning from double-extortion encryption schemes to data exfiltration-based coercion since January 2023, highlights the escalating sophistication of cyber threats faced by modern organizations. In response, FBI, CISA, and ACSC have issued a joint cybersecurity advisory, urging critical infrastructure entities and small- to medium-sized organizations to fortify their defenses against ransomware groups by implementing robust mitigation strategies outlined in the advisory. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Borrer Executive Search, an AESC-accredited boutique search and selection firm headquartered in Lausanne, Switzerland, has allegedly fallen victim to the Eraleig ransomware. The attackers have issued a deadline of June 24, 2024, threatening to release 2.5MB of internal documents and agreements if their demands are not met. As of now, the specifics regarding the data compromised, the motives behind the Borrer Executive Search ransomware attack, and the extent of the breach remain undisclosed by the attackers. Upon inspecting the official website of Borrer Executive Search, no signs of foul play were detected, and the website remains fully functional. To further investigate the validity of these claims, The Cyber Express Team reached out to Borrer Executive Search officials for a statement. However, at the time of writing this report, no response was received, leaving the allegations unverified. [caption id="attachment_77181" align="aligncenter" width="1024"] Source: X[/caption]

Potential Implications of Borrer Executive Search Ransomware Attack

Borrer Executive Search is a specialized firm that operates on a retained and exclusive mandate basis. The company partners with corporate clients to identify, attract, and integrate top leadership talent. Their operations are not confined to Switzerland alone; they have a significant international presence, focusing on director, VP, and C-level positions in Global Operations (Supply Chain & Procurement), Commercial Leadership (General Management, Sales & Marketing), Finance, and HR. Given the high-profile nature of their clientele, which spans across Europe and potentially beyond, the implications of a verified ransomware attack could be far-reaching and severe. Should the ransomware attack be confirmed, Borrer Executive Search could face several significant consequences:

1. Data Breach and Confidentiality: The release of internal documents and agreements could lead to a breach of confidentiality agreements with clients. This could result in legal ramifications and a loss of trust among their client base.
2. Operational Disruption: Ransomware attacks can severely disrupt business operations, leading to downtime and a loss of productivity. For a firm that specializes in executive search, any delay in operations could mean missing out on critical placement opportunities and damaging its reputation for reliability and efficiency.
3. Financial Impact: Beyond the immediate ransom demand, the financial impact of a ransomware attack can be substantial. Costs associated with recovery, potential legal fees, and lost business opportunities can accumulate rapidly.
4. Reputational Damage: The mere association with a ransomware attack can tarnish the reputation of a firm, especially one that deals with high-profile clients and sensitive information. Clients may question the firm’s ability to safeguard their data, leading to potential loss of business.
5. Regulatory Scrutiny: Depending on the nature of the data compromised, Borrer Executive Search could find itself under the scrutiny of data protection authorities, especially given the stringent data privacy laws in Europe, such as the General Data Protection Regulation (GDPR).

Understanding Eraleig Ransomware

Eraleig ransomware is known for its sophisticated encryption techniques and its ability to inflict significant damage on targeted organizations. Typically, ransomware attacks aim to lock users out of their systems or encrypt valuable data, demanding a ransom for its release. The Eraleig strain is no different, often leaving victims with a stark choice: pay the ransom or risk having sensitive data leaked publicly. The threat to release 2.5MB of internal documents and agreements indicates a targeted approach, aimed at exerting maximum pressure on Borrer Executive Search by leveraging the potential exposure of confidential client information. The alleged ransomware attack on Borrer Executive Search, if verified, highlights a growing trend of cyberattacks targeting firms that handle significant amounts of sensitive data. The executive search industry, by its nature, deals with highly confidential information related to top-level corporate executives. The alleged ransomware attack on Borrer Executive Search is a developing story with potentially serious implications for the firm and its extensive client base. As we await further confirmation and details, the incident brings to light the critical importance of cybersecurity in protecting sensitive information and maintaining trust in the executive search industry. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A significant data breach has exposed the private information of more than 1,200 Baw Baw Shire residents who contacted customer service after-hours over a nearly two-year period, the Baw Baw Shire council revealed. The breach occurred at OracleCMS, a third-party call center contracted by the council to field inquiries outside normal business hours. It reportedly does not impact the council's own systems and databases.

Over 1,200 Baw Baw Shire Residents Affected

The exposed information includes customer contact details and call notes—dates from June 2014 to January 2016 when customers rang the council hotline during evenings, weekends and holidays. Calls made during the specified period had been automatically forwarded to OracleCMS call agents. It remains unclear precisely how the contractor failed to protect confidential constituent information or when the company first discovered the breach. Upon learning of the breach earlier this month, Baw Baw officials urgently contacted every affected resident—over 1,250 in total—through SMS messages and personal calls to vulnerable groups like the elderly. While the breach did not infiltrate Baw Baw's systems directly with the council's own systems, it represents a alarming security gap by a third-party vendor given access to constituents' sensitive information.

OracleCMS Provider Implicated in Other Breaches

Authorities are currently investigating the incident, which may have also impacted other clients of the Australia-based company. OracleCMS provides outsourced contact center services for an array of local governments and organizations. OracleCMS had previously been implicated in a long list of data breaches affecting several different cities in Australia. According to some official press release statements, OracleCMS appeared to initially downplay the incident. An earlier release from Merri-bek City Council stated:

OracleCMS informed Council in April that there had been a cyber security incident where identifiable information of customers had been compromised. Until last week we were informed that Council’s customer data was not involved. Council has now been informed that the OracleCMS data breach does include records of calls handled by OracleCMS on Council’s behalf. We take the privacy of our customers very seriously and we are taking urgent action to address this issue.

The OracleCMS data breach also affected some businesses such as several entities belonging to Nissan in the Australia and New Zealand region, such as Nissan Financial Services Australia Pty Ltd, Nissan Motor Co. Pty Ltd, Nissan Financial Services, New Zealand Pty Ltd and Nissan New Zealand Ltd.

OracleCMS subsequently suffered a data breach, which it was alerted to on 15 April 2024. This separate incident resulted in certain data which was held by OracleCMS, including the summary information Nissan provided to OracleCMS, being compromised and published on the dark web.

As cyberattacks surge, some have questioned whether outsourcing critical customer service channels renders individuals and businesses more vulnerable to data theft. The incident serves as reminder for governments and organizations to lock down vulnerabilities present in third-party vendors or tools while conducting regular security audits. Residents with concerns regarding the breach may contact Baw Baw Shire Council’s customer service line at +61 3 5624 2411. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The financially motivated UNC3944 threat group has shifted focus to data theft extortion from software-as-a-service applications but without the use of ransomware variants, which it is historically known for. UNC3944, also known as 0ktapus, Octo Tempest, Scatter Swine and Scattered Spider, is a financially motivated threat group that has demonstrated significant adaptability in its tactics since its inception in May 2022. According to Google-owned cybersecurity company Mandiant, the threat group has now evolved its strategies to include data theft from SaaS applications. It leverages cloud synchronization tools for data exfiltration, persistence mechanisms against virtualization platforms and lateral movement via SaaS permissions abuse, Mandiant said.

Data Theft Extortion Without Ransomware

UNC3944 initially focused on credential harvesting and SIM swapping attacks but over the years has transitioned to ransomware. Mandiant has now found evidence that shows the threat group has taken a further leap and now shifted primarily to data theft extortion without any ransomware deployment. UNC3944’s latest attack lifecycle often begins with social engineering techniques aimed at corporate help desks. Mandiant said the threat group gained initial access exploiting privileged accounts in multiple instances. The UNC3944 group used personally identifiable information (PII) such as Social Security numbers, birth dates and employment details likely scraped from social media profiles of the victims to bypass identity verification processes of help desks. They often claimed the need for a multi-factor authentication (MFA) reset due to receiving a new phone, enabling them to reset passwords and bypass MFA protections on privileged accounts.

“Evidence also suggests UNC3944 has occasionally resorted to fear mongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.” - Mandiant

Phase I of UNC3944’s Attack Lifecycle

The first phase of the threat group’s attack lifecycle includes:

• Social Engineering: UNC3944 conducted sophisticated social engineering attacks, leveraging extensive research on victims to gain help desk access.
• Credential Harvesting: Used SMS phishing campaigns to harvest credentials.
• Internal Reconnaissance: After gaining access, conducted reconnaissance on Microsoft applications like SharePoint to gather internal documentation on VPNs, VDI and remote work utilities.
• Privilege Escalation: Abused Okta permissions to self-assign roles and gain broader access to SaaS applications.

[caption id="attachment_77144" align="aligncenter" width="1024"] UNC3944 attack lifecycle (Source: Mandiant)[/caption]

Phase II of the Attack Lifecycle

In the second phase of UNC3944’s attack lifecycle, the threat group employed aggressive persistence methods through the creation of new virtual machines in environments like vSphere and Azure. They use administrative privileges to create these machines and configure them to disable security policies, such as Microsoft Defender, to avoid detection. A lack of endpoint monitoring allowed the group to download tools like Mimikatz, ADRecon, and various covert tunneling utilities like NGROK, RSOCX and Localtonet to maintain access to the compromised device without needing VPN or MFA. UNC3944 has previously deployed Alphv ransomware on virtual machine file systems but Mandiant said since the turn of 2024, it has not observed ransomware deployment by this threat group.

Focus Shifts to SaaS Applications

The novel shift in UNC3944’s targeting is its exploitation of SaaS applications to gain further access and conduct reconnaissance.

“Mandiant observed access to such applications as vCenter, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and GCP.”

Once the threat group gained access to any of the SaaS applications, they then used endpoint detection and response tooling to test access to the environment and further used tools like Airbyte and Fivetran to exfiltrate data to attacker-owned cloud storage.

Advanced Techniques of Phase II

Some of the advanced techniques demonstrated by UNC3944 in phase two of the attack lifecycle includes: ADFS Targeting: Exporting Active Directory Federated Services certificates to perform Golden SAML attacks for persistent cloud access. Data Exfiltration: Using cloud synchronization utilities to move data from SaaS platforms to external cloud storage. Endpoint Detection and Response (EDR): Creation of API keys in CrowdStrike’s console for executing commands and further testing access. Anti-Forensic Measures: UNC3944 employed anti-forensic techniques to obscure their activities. They use publicly available utilities to reconfigure virtual machines, disable logging, and remove endpoint protections. The attackers also used ISO files like PCUnlocker to reset local administrator passwords and bypass domain controls.

Abuse of M365 Delve Feature

Mandiant observed advanced M365 features like Microsoft Office Delve being used for data reconnaissance by UNC3944 for uncovering accessible data sources. Delve offers quick access to files based on group membership or direct sharing and shows personalized content recommendations from M365 sources and mapping organizational relationships. While this feature is useful for collaboration, UNC3944 exploited Delve for rapid reconnaissance, identifying active projects and sensitive information by recent modification. These resources typically lack sufficient security monitoring and logging. Traditional security controls, like firewalls and network flow sensors, are ineffective for detecting large data transfers from SaaS platforms. Identifying data theft with traditional logs is challenging, and real-time detection remains difficult with historical log analysis. The storage of sensitive data in SaaS applications poses significant risks that is often overlooked due to the perceived security of SaaS models. UNC3944 exploited these weaknesses and took advantage of inadequate logging and monitoring to perform data theft undetected.

Recommended Mitigation Steps

Mandiant researchers recommended a number of controls to protect against the threat group's tactics:

• Implement host-based certificates and MFA for VPN access to ensure secure connections.
• Have stricter conditional access policies and limit visibility and access within cloud tenants.
• Have enhanced monitoring through centralized logs from SaaS applications and virtual machine infrastructures to detect suspicious activities.
• Ensure comprehensive logging for SaaS applications to detect signs of malicious intent.

The Toronto District School Board is investigating a recent ransomware attack that affected its testing environment. The Toronto board is Canada's largest school board, serving approximately 238,000 students across 600 schools in the city of Toronto. The board stated that it had taken immediate action and launched an investigation upon becoming aware of possible intrusion.

Toronto District School Board's Investigation Underway

The school board stated that the incident had affected its testing environment, which had been used to evaluate new technology and programs before being deployed on systems. The board's cybersecurity team had taken immediate action upon discovering the incident, securing systems and preserving data. The Toronto District School Board had notified details of the incident to the Toronto police and the Information and Privacy Commissioner of Ontario. [caption id="attachment_77136" align="alignnone" width="2800"] Source: www.tdsb.on.ca[/caption] In its letter of notification sent to parents and guardians, the Toronto District School Board stated that it had launched an investigation with the aid of third-party experts to fully assess the nature and scope of the incident. This includes potential compromise of its networks or breach of sensitive personal information. [caption id="attachment_77137" align="alignnone" width="1770"] Source: www.tdsb.on.ca[/caption] The letter added, "If it is determined that any personal information has been impacted, we will provide notice to all affected individuals. We understand that news of a cyber incident is concerning, but please know that we are doing everything possible to learn more about what occurred and address this situation.

Impact Unknown; More Details Expected Soon

Despite the attack, the district school board's systems remained fully operational and functional. While only the school's testing environment had been affected, Humber College cybersecurity expert Francis Syms remained concerned over the incident, as personal information is sometimes used on test environments. He added that test environments are usually not secured by multifactor authentication, potentially making data easier to access. However, he admitted that he was not aware of the testing system being used, as he was not part of the investigation team. The Toronto District School Board did not clarify whether the testing environment or its data contained any personal information. Ryan Bird, a spokesperson from the school district board, disclosed to CityNews Toronto that the full extent of the breach was unknown, or if any personal data had been compromised in the attack, but further details would be revealed by the end of the day. The Cyber Express team has reached out to the Toronto District School Board for further details and investigation results, but no responses have been received as of yet. Toronto's cybersecurity defenders have observed an uptick in cyberattacks in recent years, from both financially-motivated hackers and 'hacktivists' disrupting public systems. Some attacks occur during sensitive times such as elections, global conflicts, or visits by foreign leaders. However, ransomware attacks remain the most common form of attacks. City officials have been working with several agencies to rebuild trust in the safety of public systems and services. Charles Finlay, Toronto resident and executive director at Rogers Cybersecure Catalyst, had earlier stated to the Toronto Star, “I think the city has to be more forthcoming about what it is doing to ensure that those services are secure from cyber-attacks.” The City had witnessed several attacks on its public institutions such a Cl0p ransomware intrusion into the  City of Toronto's computer systems as well as an attack last year on the Toronto Public Library's computer systems. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Microsoft’s cybersecurity efforts have been roundly criticized in recent months, and despite pledges to do better, the company has compounded the problem with missteps like the Copilot+ Recall rollout. Microsoft security controls came under scrutiny in April with the release of a U.S. Cyber Safety Review Board (CSRB) report that detailed “a cascade of security failures at Microsoft” that allowed threat actors linked to China to access “the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China” in a July 2023 attack. Rather than make good on pledges to make cybersecurity a top priority, Microsoft followed with the cybersecurity equivalent of an own goal when it pushed ahead with the new Windows Recall screen recording feature despite the concerns of security and privacy advocates that the company belatedly tried to address. Late today, Microsoft announced that it will delay the Recall feature for further testing. The House Committee on Homeland Security held a hearing today to address the CSRB report and Microsoft security in general, with Microsoft President Brad Smith the sole witness. The hearing, titled “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security,” came on the same day that Pro Publica published a report detailing years of Microsoft security failings that led up to the massive 2021 SolarWinds breach.

Congressional Leaders Call for ‘Responsibility’ and ‘Accountability’

In his opening remarks, House Homeland Security Chairman Mark Green (R-TN) called the CSRB report “extremely concerning,” and spoke of the need of “restoring the public trust” in the security of Microsoft products. “China and Russia, Beijing and Moscow, are watching us right now,” he cautioned, underscoring the stakes of the hearing while offering to move any sensitive questions to a secure environment. Ranking member Bennie Thompson (D-MS) stressed that “It is not the committee’s goal to shame or discredit” Smith and Microsoft, but to improve security and accountability at the vendor that supplies 85% of federal government productivity tools. Thompson noted the Recall rollout and Pro Publica article in his comments, calling “even more troubling” Smith’s 2021 claim before Congress that no Microsoft vulnerability was exploited in the SolarWinds attack. Green and Thompson weren’t the only committee members taking a firm tone with Microsoft, as almost every member did the same in their allotted time for questioning. Lou Correa (D-CA), for example, said he was “beyond shocked” at the security revelations in the CSRB report and elsewhere.

Microsoft President Smith Pledges Action

Perhaps anticipating a rough reception from lawmakers, Smith struck a conciliatory tone in his written and spoken testimony to the committee. “Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” Smith said. “Without equivocation or hesitation. And without any sense of defensiveness. But rather with a complete commitment to address every recommendation and use this report as an opportunity and foundation to strengthen our cybersecurity protection across the board.” Smith said the company is making cybersecurity part of senior executive bonus calculations and employee reviews as part of the its goal of “empowering and rewarding every employee to find security issues, report them, help fix them, and encourage broader learning from the process and the results. This requires that we incorporate this security work as an indispensable and integrated element in every aspect of the company’s engineering processes.” [caption id="attachment_77142" align="alignnone" width="750"] Microsoft President Brad Smith testifying before House Homeland Security Committee[/caption] To that end, Smith said the company has added 1,600 more security engineers this fiscal year, “and we will add another 800 new security positions in our next fiscal year.” Senior-level Deputy CISOs at Microsoft have been tasked with expanding “oversight of the various engineering teams to assess and ensure that security is ‘baked into’ engineering decision-making and processes.” Smith said cyberattacks in general have become a massive problem: “the pace of attacks has increased to the point where there is now constant combat in cyberspace,” he said. “Not just every day, but literally every second. Microsoft alone detects almost 4,000 password-based attacks against our customers every second of every day.”

Microsoft Security Plans

Smith said Microsoft has mapped all 16 of the CSRB recommendations applicable to Microsoft “to ensure that we are addressing them” as part of the company’s Secure Future Initiative. The company is “actively in the process of transitioning both our consumer and enterprise identity systems to a new hardened key management system that leverages hardware security modules for the storage and generation of keys. We are rolling out proprietary data and corresponding detection signals at all places where tokens are validated. And we have made significant progress on Automated and Frequent Key Rotation, Common Auth Libraries, and Proprietary Data used in our token generation algorithm.” Smith’s written testimony outlined six “pillars” for improving security: Protect Identities and Secrets: Microsoft plans to implement and enforce “best-in-class standards across our infrastructure that manages identities and sensitive information such as passwords ('secrets'), to ensure that only the right people and applications access the right resources.” Protect Tenants and Isolate Production Systems: The company pledges to “continuously validate isolation of production systems – including those upon which we operate the Microsoft Cloud.” Protect Networks: Microsoft will “Continuously improve and implement best-in-class practices to protect Microsoft production networks.” Protect Engineering Systems: The company said it will work to “Continuously improve our software supply chain and the systems that enable Microsoft engineers to develop, build, test, and release software, thereby protecting software assets and improving code security.” Monitor and Detect Threats: This initiative calls for Microsoft to improve “coverage and automatic detection of ever evolving threats to Microsoft production infrastructure and services, accelerating actioning against those threats.” Accelerate Response and Remediation: Speeding incident response and remediation is the final pillar, so “when we learn of vulnerabilities in our offerings or our infrastructure, to be even more comprehensive and timely and better prevent exploitation of those vulnerabilities.” Updated to reflect the delay in the Recall rollout.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a recent impersonation scam in which scammers posed as its representatives and employees. Fraudsters in the campaign may extort money in various ways, such as bank transfers, gift cards or cryptocurrency payments.

CISA Impersonation Scam

The spammers behind the campaign make phone calls to victims in which they claim to be contacting targets on behalf of CISA; they then ask victims to share personal information or money under the guise of protecting their accounts from unauthorized activity. Fraudsters may also direct victims to download additional software or click on links to "verify" their identity. However, CISA confirmed that it would never make such demands. "CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret," CISA warned. Possible red flags to watch out for:

• Unsolicited phone calls that claim to be from CISA.
• Callers requesting personal information, such as passwords, social security numbers, or financial information.
• Callers demanding payment or transfer of money to "protect" your account.
• Callers creating a sense of urgency or pressuring you to take immediate action.

If you're targeted by a CISA impersonation scam, here's what you should do:

• Do not pay the caller.
• Take record of  the numbers used.
• Hang up the phone immediately while ignoring further calls from suspicious numbers.
• Report the scam to CISA by calling (844) SAY-CISA (844-729-2472).

FTC Observes Uptick in Impersonation Scams

The CISA impersonation scam is a recent example of the rise in impersonation fraud targeting both businesses and government agencies. According to the latest data from the Federal Trade Commission (FTC), the number of such scams has increased dramatically in recent years, and cost consumers more than $1.1 billion in 2023 alone. The FTC report showed that in 2023, the agency received more than 330,000 reports of fraud posing as a business and almost 160,000 reports of fraud posing as a government. Collectively, these incidents account for almost half of all fraud cases reported directly to the FTC. "The financial injury is breath-taking – and cash-taking," the FTC quipped in its Spotlight. It further added, "Reported losses to impersonation scams topped $1.1 billion in 2023, more than three times what consumers reported in 2020." While fraudsters employ various types of scams, the FTC noted that the below types accounted for nearly half of the reported/observed scams in 2023:

1. Copycat account security alerts: Scams that pretend to impersonate legitimate services such as Amazon while purporting to be about unauthorized activity or charges to their account.
2. Phony subscription renewals: Usually email notices that alert targets of auto-renew charges to various online services.
3. Fake giveaways, discounts, or money to claim: Fake rewards or winnings that claim to originate from legitimate providers such as internet providers or large retailers.
4. Bogus problems with the law: Scammers try to deceive targets into believing that their identity had been used to commit heinous crimes such as money laundering or the smuggling of drugs.
5. Made-up package delivery problems: Messages that alert you of fake delivery problems with legitimate delivery services such as the U.S. Postal Service, UPS, or FedEx.

To avoid such scams, the FTC has advised consumers to not click on unexpected links or messages, avoid scenarios where gift cards are offered as an option to fix problems, and scrutinize urgent offers and claims. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In the aftermath of the Synnovis ransomware attack that struck last week, London hospitals continue to struggle to deliver patient care at an optimal level. The attack on the pathology services provider has brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day, according to Synnovis.

“Urgent requests are severely restricted at around 400 a day. Historically primary care and community services have generated around 10,000 samples a day for testing, which gives you an idea of the scale of the impact.” - Synnovis

Services including blood transfusions reportedly remain severely disrupted at Guy's and St Thomas' Hospital and King's College Hospital. Both hospitals are experiencing disruption of pathology services, particularly blood tests.

Blood Testing Severely Impacted After Synnovis Ransomware Attack

The biggest challenge that Synnovis is currently facing is that all its automated end-to-end laboratory processes are offline since all IT systems have been locked down in response to the ransomware attack. “This means we are having to log all samples manually when they arrive, select each test manually on analyzers and, once tests have been processed, type in each result on the laboratory’s computer system (the Laboratory Information Management System - LIMS),” Synnovis said. And this is not the end of it. Synnovis then must manually deliver these results to the Trust’s IT system so that the results can be further electronically submitted back to the requester. But since the Synnovis’ LIMS is presently disconnected from the Trusts’ IT systems, “this extensive manual activity takes so much time that it severely limits the number of pathology tests we can process at the moment,” Synnovis explained. The pathology service provider normally processes around 10,000 primary care blood samples a day, but at the moment is managing only up to 400 from across all six boroughs. “Despite the measures we know colleagues are taking to prioritize the most urgent samples, we are receiving many more than we can process and we have an increasing backlog,” Synnovis said. The lab services provider last week was able to process around 3,000 Full Blood Count samples but could not export results due to the lack of IT connectivity. “Of those tests processed, we have phoned through all results that sit outside of critical limits, however, we have been unable to return any results electronically and are unlikely to be able to do so,” Synnovis said. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this week to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.

Will Process only 'Clinically Critical' Blood Samples

To manage the inadequacy of the services, the service provider is momentarily only accepting blood samples that the requesting clinician considers to be “clinically critical.” Clinicians need to consider a test as “critical” only if a test result is needed within 24 hours to determine a patient’s urgent treatment or care plan. “As experts, your clinical view of what is considered ‘critical’ will be accepted by the laboratory, but we urge you to apply this definition carefully, given the severe capacity limitations we are facing,” Synnovis recommended. [caption id="attachment_77097" align="aligncenter" width="1024"] Source: Synnovis[/caption] The pathology service provider is also working with NHS Trust to install laptops at the hub laboratory, which will give them access to the Trust IT systems to return test results electronically.

Caregivers Working Overtime

Doctors and caregivers at Guy's and St Thomas' Hospital and King's College Hospital have been putting in extra hours since the Synnovis ransomware attack disrupted services last week. But this is not enough, as KCH has already cancelled some of its operations and is working only at about 70% capacity. Three of its 17 operating theatres remain shut, BBC reported.

A threat actor on a dark web forum has listed data from Truist Bank for sale following a cyberattack on the banking institution. Meanwhile, Kulicke and Soffa Industries, Inc. (K&S) is also dealing with a data breach. Reports indicate that Truist Bank client data, including sensitive information such as employee details and bank transactions, has been put up for sale on the dark web. The alleged Truist Bank data leak is attributed to a threat actor known as Sp1d3r. The data, reportedly obtained via the Snowflake breach, raises questions about the security measures in place at Truist Bank.

Truist Bank Data Breach Allegedly Goes on Sale on Dark Web

According to the threat actor’s post, the Truist Bank data breach is now selling for $1 million. The compromised data includes details of 65,000 employees, bank transactions containing names, account numbers, balances, and the source code for IVR funds transfers. [caption id="attachment_77051" align="alignnone" width="595"] Source: Dark Web[/caption] The post by the threat actor provides specific information about the data for sale and contact details for purchase. Additionally, the post includes various usernames, threads, reputation points, and contact information such as XMPP handles and email addresses associated with the threat actor. Meanwhile, Kulicke and Soffa Industries, a renowned semiconductor and electronics manufacturing company, disclosed a breach compromising millions of files. Initially detected on May 12, 2024, the breach exposed critical data, including source codes, engineering information, and personally identifiable information.

Two Cybersecurity Incidents at Once

In response to the Kulicke and Soffa data breach, K&S swiftly initiated containment measures in collaboration with cybersecurity experts and law enforcement agencies. The company's cybersecurity team worked diligently to isolate affected servers and prevent further intrusion. Despite the breach, K&S remains committed to safeguarding its systems and data integrity. In a filing with the U.S. Securities and Exchange Commission (SEC), K&S detailed its efforts to mitigate the impact of the breach. The company assured stakeholders that, as of the filing date, the incident had not materially disrupted its operations. However, investigations are ongoing to ascertain the full extent of the breach and increase the cybersecurity measures in place. The Truist Bank data breach and the Kulicke and Soffa cyber incident highlight the persistent threat of cyberattacks faced by organizations worldwide. While both entities are actively addressing the breaches, the incidents highlight a broader case of cybersecurity measures and their impact in safeguarding sensitive information and maintaining trust in the digital age. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Life360 Inc., the parent company of Tile, has recently disclosed that it was the victim of a criminal extortion attempt involving stolen customer data. The incident, the Life360 data breach, which was communicated by CEO Chris Hulls, highlights the growing threat of cyberattacks targeting companies that handle large amounts of user information. Chris Hulls, CEO of Life360 Inc., provided details about the extortion attempt in an official release: "Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt. We received emails from an unknown actor claiming to possess Tile customer information." Upon receiving these emails, Life360 swiftly initiated an investigation. The company detected unauthorized access to a Tile customer support platform, though notably, the breach did not affect the Tile service platform itself. The compromised data includes customer names, addresses, email addresses, phone numbers, and Tile device identification numbers. Crucially, it does not include sensitive information such as credit card numbers, passwords, log-in credentials, location data, or government-issued identification numbers, as these were not stored on the affected support platform. "We believe this incident was limited to the specific Tile customer support data described above and is not more widespread," Hulls assured. We take this event and the security of customer information seriously. We have taken and will continue to take steps designed to further protect our systems from bad actors, and we have reported this event and the extortion attempt to law enforcement. We remain committed to keeping families safe online and in the real world."

About Tile and Life360

Tile, much like Apple's AirTag, produces small Bluetooth-enabled devices that help users locate and track items such as keys, wallets, and bags. These devices work in conjunction with a mobile app, allowing users to find lost items using sound alerts or by viewing the last known location of the Tile tracker on a map. Tile is a subsidiary of Life360, the leading connection and safety app used by one in nine U.S. families. With over 66 million members, Life360 offers driving, location, and digital safety features that keep loved ones connected. The app's extensive user base makes the implications of any data breach potentially far-reaching.

Implications of the Life360 Data Breach

While the Life360 data breach did not include highly sensitive data, the exposure of personal information such as names, addresses, and phone numbers can still have significant implications. Such data can be used for targeted phishing attacks, identity theft, and other malicious activities. The breach highlights the importance of cybersecurity measures, particularly for companies managing large databases of personal information. Life360's swift response to the incident and its cooperation with law enforcement demonstrates the company's commitment to transparency and user security.

Moving Forward

In response to the breach, Life360 has reiterated its commitment to enhancing its security infrastructure and safeguarding user information. The company is taking proactive steps to prevent future cybersecurity incidents, including strengthening its cybersecurity protocols and continuing to monitor its systems for potential vulnerabilities. "We remain committed to keeping families safe online and in the real world," Hulls emphasized. The company’s prompt action and transparent communication are crucial in maintaining user trust and addressing concerns related to the breach.

The city of Dubai, known for its affluence and wealthy residents, has allegedly been hit by a ransomware attack claimed by the cybercriminal group Daixin Team. The group announced the city of Dubai ransomware attack on its dark web leak site on Wednesday, claiming to have stolen between 60-80GB of data from the Government of Dubai’s network systems. According to the Daixin Team's post, the stolen data includes ID cards, passports, and other personally identifiable information (PII). Although the group noted that the 33,712 files have not been fully analyzed or dumped on the leak site, the potential exposure of such sensitive information is concerning. Dubai, a city with over three million residents and the highest concentration of millionaires globally, presents a rich target for cybercriminals. [caption id="attachment_77008" align="aligncenter" width="504"] Source: Dark Web[/caption]

Potential Impact City of Dubai Ransomware Attack

The stolen data reportedly contains extensive personal information, such as full names, dates of birth, nationalities, marital statuses, job descriptions, supervisor names, housing statuses, phone numbers, addresses, vehicle information, primary contacts, and language preferences. Additionally, the databases appear to include business records, hotel records, land ownership details, HR records, and corporate contacts. [caption id="attachment_77010" align="aligncenter" width="1024"] Source: Dark Web[/caption] Given that over 75% of Dubai's residents are expatriates, the stolen data provides a treasure of information that could be used for targeted spear phishing attacks, vishing attacks, identity theft, and other malicious activities. The city's status as a playground for the wealthy, including 212 centi-millionaires and 15 billionaires, further heightens the risk of targeted attacks.

Daixin Team: A Persistent Threat

The Daixin Team, a Russian-speaking ransomware and data extortion group, has been active since at least June 2022. Known primarily for its cyberattacks on the healthcare sector, Daixin has recently expanded its operations to other industries, employing sophisticated hacking techniques. A 2022 report by the US Cybersecurity and Infrastructure Security Agency (CISA) highlights Daixin Team's focus on the healthcare sector in the United States. However, the group has also targeted other sectors, including the hospitality industry. Recently, Daixin claimed responsibility for a cyberattack on Omni Hotels & Resorts, exfiltrating sensitive data, including records of all visitors dating back to 2017. In another notable case, Bluewater Health, a prominent hospital network in Ontario, Canada, fell victim to a cyberattack attributed to Daixin Team. The attack affected several hospitals, including Windsor Regional Hospital, Erie Shores Healthcare, Chatham-Kent Health, and Hôtel-Dieu Grace Healthcare. The Government of Dubai has yet to release an official statement regarding the ransomware attack. However, on accessing the official website of the Dubai government, no foul play was sensed as the websites were fully functional. This leaves the alleged ransomware attack unverified. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A notorious Chinese hacking group has reportedly gone on a cyber offensive against South Korea and targeted most of the country’s Government and financial sites. The CyberDragon hacking group has a mixture of Chinese and Russian ties and has been critically targeting countries that have been condemning Russia for the ongoing war in Ukraine. South Korea President Yoon Suk Yeol had recently confirmed his country's participation in a Ukraine peace summit in Switzerland this weekend to rally support for the country ending its war with Russia. Last year, Seoul had increased its Ukraine Aid package to $394 Million For 2024.

Government, Financial Sites Attacked by CyberDragon Hacking Group

Irked by its support being garnered against Russia, CyberDragon launched an extensive cyberattack on key South Korean sites and criticized the country for its alleged promotion of Russophobia. In its post on darkweb, CyberDragon said, “We are joining the “South Korean Company”. This is a country that has long been promoting Russophobia by supporting the Kyiv regime.” The list of websites reportedly targetted by CyberDragon include: Shinhan Financial Group: It was founded in September 2001 and is one of South Korea's big five financial groups. Its subsidiaries provide a full range of financial services, including banking, securities, life insurance, and investment banking. State Korean Import-Export Bank KEXIM:  The Export-Import Bank of Korea, also commonly known as the Korea Eximbank (KEXIM), is the official export credit agency of South Korea. The bank was first established in 1976. Its primary purpose is to support South Korea's export-led economy by providing loans, financing mega projects and thereby facilitating economic cooperation with other countries. [caption id="attachment_77014" align="alignnone" width="1600"] Home Page of Korea Eximbank[/caption] Korea Customs Service: The Korea Customs Service was established in 1970 and is one of tax organizations in South Korea and is run under the Ministry of Economy and Finance. The headquarters is in Seo District, Daejeon. Korean National Police: The Korean National Police Agency (KNPA), also known as the Korean National Police (KNP), is one of the national police organizations in South Korea. It is run under the Ministry of the Interior and Safety and is headquartered in Seodaemun, Seoul. National Tax Service: It is the tax organization in South Korea and is run under the Ministry of Economy and Finance. Its headquarters is in Sejong City. Like many of the previous attacks carried out by the Cyberdragon hacking group, it is unclear if sensitive data of the organisations listed above was compromised. Prima Facie, it looks like the group carried out a DDoS attack meant to disrupt the platform’s services. None of the organizations have publicly responded to the alleged breach. Most of the organizations too seem to have restored the functioning of its websites, hours after the group claimed to have carried out a cyberattack.

Previous Operations by CyberDragon Hacking Group

The CyberDragon group gained popularity after it took down the website and app for almost 24 hours after a massive data breach in March 2024. CyberDragon had then posted evidence of the attack on its TOR platform but LinkedIn didn’t comment on the attack. The peculiar hacking actor has both Chinese and Russian ties. It carries out cyberattacks with many pro-Russian hackers and most of its statements are posted in Russian. Both China and Russia are global allies and the targets of CyberDragon indicate their ideological and political affiliations. This scenario is, however, not new in the cybercrime world. Organizations around the world must deal with the fallout of cyberattacks by groups like CyberDragon. Their attacks indicate why it is crucial to remain vigilant and implement stringent security measures against cyberattacks.

Grand Traverse County, Michigan, finds itself at the center of a cyber crisis as authorities investigate a ransomware attack that has disrupted operations in public offices across the county and the City of Traverse City. The Grand Traverse County cyberattack began when county officials noticed "network irregularities" at 6:06 a.m. on Wednesday, prompting swift action from the IT Department and county leadership.  As a precautionary measure, both county and city offices were taken offline to assess the situation and prevent further damage.

Decoding the Grand Traverse County Cyberattack

Subsequent investigations confirmed the severity of the cyberattack on Grand Traverse County, leading officials to label it as a ransomware attack. Collaboration between Grand Traverse County, Michigan State Police, FBI, and liability providers is underway to comprehend the scope of the attack and plan a strategic response. As of now, there's no confirmation of data transfer, but a thorough investigation is ongoing to safeguard the integrity of the system. While disruptions are inevitable, emergency services such as 911, law enforcement, and fire operations remain operational, ensuring public safety amid the crisis. Nate Alger, Grand Traverse County Administrator, assured the public of swift action, stating, "Our IT Department acted promptly to isolate the incident and shut down affected networks to contain the threat. We're working closely with our partners to minimize disruptions and resolve the situation efficiently."

The Aftermath of the Cyberattack Grand Traverse County 

The impact of the cyberattack on Grand Traverse County extends to in-person customer services at county and city offices, particularly those reliant on network connectivity. Citizens are urged to postpone non-urgent in-person payments at the treasurer's offices, although online payment services remain unaffected and secure. Despite the challenges posed by the attack, the county and city websites remain accessible, hosted on separate servers to ensure uninterrupted public access to essential information and services. While the situation unfolds, authorities are deploying alternative measures and collaborative efforts to mitigate the impact and restore services promptly. Grand Traverse County remains resilient in the face of adversity, prioritizing the safety and well-being of its residents throughout the recovery process. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Grand Traverse County cyberattack or any additional information from the county. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The St. Petersburg International Economic Forum (SPIEF 2024) was reportedly targeted by a siege from a prolonged cyberattack. The SPIEF 2024 cyberattack, orchestrated by the IT Army of Ukraine, unfolded over a four-day period, commencing on June 5 and culminating on June 8, 2024. This brazen act of digital aggression targeted not only the SPIEF but also its cybersecurity guardian, Solar SC, a state-owned enterprise specializing in safeguarding information assets. The modus operandi of the cyberattack on SPIEF 2024 primarily involved a barrage of Distributed Denial of Service (DDoS) assaults, with the intensity reaching a staggering 200,000 malicious requests per second. 

IT Army of Ukraine Claims SPIEF 2024 Cyberattack

[caption id="attachment_76981" align="alignnone" width="1000"] Source: Dark Web[/caption] The claim of responsibility was boldly asserted by the IT Army of Ukraine through their Telegram channel. Their message, accompanied by a tone of defiance, boasted of rattling the nerves of their adversaries, even if the anticipated "big bang" did not materialize. Meanwhile, amidst the chaos, there emerged reports of Samara students joining the ranks of cyber vigilantes, highlighting the growing complexity of cybersecurity challenges faced by nations worldwide. The impact of this SPIEF 2024 cyberattack beyond the St. Petersburg International Economic Forum itself, affecting Solar SC and its crucial role in fortifying the forum's digital infrastructure. The ramifications reverberated not only across the Russian Federation but also rippled through Europe and the UK, highlighting the interconnected nature of contemporary cyber warfare.

More Cyberattacks to Counter

In response to inquiries regarding the authenticity of these claims, Solar SC's General Director, Igor Lyapunov, reassured the public that despite the relentless onslaught, the forum's infrastructure remained resilient. The collaborative efforts of cybersecurity experts successfully repelled all attacks, safeguarding the integrity and functionality of SPIEF's digital ecosystem. However, concerns linger as to the broader implications of such cyber incursions, particularly in an era where economic forums serve as pivotal platforms for global cooperation and exchange. The sophistication and audacity demonstrated by threat actors underscore the pressing need for better cybersecurity measures and international collaboration to mitigate future risks. The Cyber Express reached out to SPIEF organizers for further insights into the incident and the authenticity of the IT Army of Ukraine's claims. As of the time of reporting, no official statement has been issued, leaving the allegations surrounding the SPIEF 2024 cyberattack unconfirmed. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Ascension, a leading healthcare provider, has made significant progress in its investigation and recovery efforts following a recent cyberattack. With the help of third-party cybersecurity experts, Ascension has identified the extent of the Ascension cyberattack and the steps needed to protect affected individuals. Ascension reports that attackers managed to steal files from a few servers within its network. Specifically, seven out of approximately 25,000 servers, primarily used by associates for daily tasks, were compromised. These servers might contain Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals. "We now have evidence that attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks. Though we are still investigating, we believe some of those files may contain PHI and PII for certain individuals, although the specific data may differ from individual to individual," said an Ascension spokesperson.

What Caused Ascension Cyberattack?

The cyberattack on Ascension was traced back to an innocent mistake by an employee who accidentally downloaded a malicious file, mistaking it for a legitimate one. "We have also identified how the attacker gained access to our systems. An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything but an honest mistake," informed the spokesperson. This incident highlights the importance of continuous cybersecurity training and vigilance among all employees to prevent such occurrences in the future. Ascension has assured its patients and associates that there is no evidence suggesting any data was taken from the Electronic Health Records (EHR) system or other clinical systems where comprehensive patient records are securely stored. This means the most sensitive health information remains uncompromised, providing some relief amidst the ongoing investigation.

Ongoing Review and Protective Measures

Ascension is currently conducting a detailed review and analysis of the potentially impacted files to determine precisely what data was affected and identify the individuals involved. This meticulous process is expected to take considerable time due to the volume and complexity of the data. In the meantime, Ascension is taking proactive steps to protect its patients and associates. The healthcare provider is offering free credit monitoring and identity theft protection services to all patients and associates, regardless of whether their data is eventually found to be compromised. This service is intended to provide immediate peace of mind and mitigate potential risks from the Ascension data breach. Individuals who wish to enroll in these protective services are encouraged to contact Ascension's dedicated call center at 1-888-498-8066.

Commitment to Transparency and Legal Compliance

Ascension remains committed to transparency throughout this investigation. While specific details regarding whether an individual's data was affected cannot be provided, Ascension pledges to follow all applicable laws and regulations related to data breach notifications. "We encourage all Ascension patients and staff who are concerned to take advantage of these services. We want to be clear that this offer does not mean we have determined that any specific individual patient’s data has been compromised. Rather, it illustrates our desire to do everything possible to reassure our patients and associates, regardless of any impact to specific individuals’ data," the spokesperson explained. "Once our data analysis is complete, we are committed to following all applicable laws and regulations to notify affected individuals and the appropriate regulatory bodies. To our patients, associates, and the communities we serve, we regret any disruption or concern you may have experienced as a result of this incident," the spokesperson added.

Background and Impact of Cyberattack on Ascension

On May 10, The Cyber Express reported that Ascension faced disruptions in clinical operations due to a cyberattack that prompted the organization to take some of its systems offline. Operating in 19 states and the District of Columbia, Ascension oversees 140 hospitals and 40 senior care facilities. It also boasts a significant workforce of 8,500 providers, 35,000 affiliated providers, and 134,000 associates. In 2023, Ascension’s total revenue amounted to $28.3 billion. Given its substantial revenue and widespread operations, the impact of this cyberattack was significant. The organization detected unusual activity on select technology network systems, prompting an immediate response, investigation initiation, and activation of remediation efforts. Due to the cyberattack, Ascension advised its business partners to temporarily sever connections to its systems as a precautionary measure and stated it would notify partners when it is safe to reconnect. The cyberattack on Ascension disrupted clinical operations, prompting an investigation into the extent and duration of the disruption.

A threat actor that goes by the name “enlared” surfaced on a dark web forum, offering a hacked method for online advertising: a "New Click Fraud Software for Google ADS." Priced at $700 per license, this software is promoted as an aggressive marketing tool for online fraud and taking down competitors.  The new click fraud software, according to the threat actor, had a bunch of practical features that go beyond conventional marketing practices. Specifically, the threat actor claims that the software can drain the competitor's budget and release multiple attacks.  “Tired of your competitors beating you on Google ADS? Want to level the playing field and drain their advertising budget? We have the perfect solution for you!”, reads the threat actor post. 

Understanding the New Click Fraud Software for Google Ads

The new click fraud software offers a range of features aimed at fraudsters and creating a hack in the competitive realm of online marketing. Its functionalities include location search change, allowing users to simulate clicks from different geographical areas to bypass detection algorithms used by advertising platforms.  Additionally, the software utilizes a network of proxies to generate clicks from multiple IP addresses, ensuring user anonymity. Users can also target specific ad domains and customize campaigns by selecting keywords, maximizing their campaigns' impact and relevance.

How It Operates and Pricing

The software integrates a user-friendly interface, facilitating quick setup and configuration in a matter of minutes. Users have full control over the parameters of their campaigns, from defining target locations and domains to specifying keyword targets. The results are immediate, says the threat actor, with competitors witnessing a rapid depletion of their advertising budgets as the software executes its strategy with ruthless efficiency. Additionally, the new click fraud software offers remote desktop demonstrations, providing potential buyers with a glimpse into the tool's potency before making a purchase decision. Priced at USD 700 per license, the software offers a compelling hack proposition for businesses seeking to gain an edge in the world of online advertising. Escrow payments are accepted to ensure security for both parties involved in the transaction. With its arsenal of advanced features and promise of tangible results, the new click fraud software for Google Ads represents a darker method for competing in the online advertising game. As businesses vie for visibility and market share in an increasingly competitive online sphere, this dark web tool offers a means of cheating and targeting competitors for a very cheap price.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The notorious Monti ransomware has been sold to new owners. According to the actor's latest update, "This project was bought. It was bought because it suited our goals perfectly and did not have a bad reputation." The change in ownership and a shift in focus towards Western countries highlights a new approach towards ransomware. According to recent statements, the project has been acquired, with new owners expressing their intentions to revamp its infrastructure for future endeavors. In a cryptic post on their platform, the group hinted at upcoming developments, rallying for a collaborative effort to "build the future of the USA and Europe together."

Monti Ransomware Group and Change in Ownership

[caption id="attachment_76870" align="alignnone" width="938"] Source: Dark Web[/caption] This announcement follows a string of cyberattacks perpetrated by the Monti ransomware gang. Notably, a recent incident in the South of France targeted three prominent institutions simultaneously: the Pau-Pyrénées airport, the Pau business school, and the city's digital campus. These attacks, occurring overnight from May 12 to May 13, 2024, disrupted operations and raised concerns regarding cybersecurity vulnerabilities in critical sectors. While the affected institutions scrambled to mitigate the fallout, journalists uncovered insights from the Chamber of Commerce and Industry (CCI) shedding light on the situation. Despite assurances of minimal disruption to activities, the compromised digital infrastructure left a trail of compromised data, including sensitive documents and personal information of employees and students. The modus operandi of the Monti ransomware group draws parallels to its predecessors, notably the Conti ransomware, which ceased operations in May 2022. The emergence of Monti, with its similar tactics and techniques, suggests a strategic emulation aimed at exploiting the void left by Conti's absence.

A Deeper Dive into Monti Ransomware Group

A deeper dive into the Monti ransomware incident reveals a sophisticated operation orchestrated through the exploitation of vulnerabilities like the notorious Log4Shell. The attackers infiltrated networks, encrypted user desktops, and disrupted critical server clusters, leaving organizations grappling with the aftermath. Despite its relative obscurity, the Monti ransomware group has garnered attention within the cybersecurity community. Analysts speculate that the group's emulation of Conti's strategies may stem from the leaked trove of Conti's internal data, providing a blueprint for nefarious activities. As cybersecurity threats evolve, it becomes imperative for organizations to fortify their defenses and stay vigilant against threat actors like the Monti ransomware. Collaborative efforts between cybersecurity experts and stakeholders are essential to mitigate risks and safeguard critical infrastructures from malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Kaspersky researchers discovered widespread vulnerabilities in biometric terminals developed by ZKTeco, which are known to be deployed internationally. These flaws could be exploited by threat actors to bypass authentication, steal sensitive data, and even gain full control over affected terminals. The vulnerabilities pose a major risk, as these biometric terminals are often white-labeled to be sold under various brand names by multiple distributors. They are also widely used in high-security/sensitive environments, such as nuclear power plants, chemical plants or hospitals while storing thousands of facial templates.

Vulnerabilities in ZKTeco Biometric Terminals

Biometric terminals see multiple uses aside from their primary purpose of acquiring biometric data such as fingerprints, voices, facial features, or irises. They can be connected to other scanners to support alternative authentication methods, or be deployed as a means of ensuring employee productivity or to reduce fraud. These devices see increasing usage in confidential facilities such as power plants, executive suites or server rooms. ZKTeco biometric terminals support facial recognition(with the ability to store thousands of face templates), password entry, electronic pass, and QR codes. Researchers conducted several tests to assess the security and reliability of these devices, finding 24 different vulnerabilities that may be exploited by threat actors in real attack scenarios on confidential facilities:

• 6 SQL injection vulnerabilities
• 7 buffer stack overflow vulnerabilities
• 5 command injection vulnerabilities
• 4 arbitrary file write vulnerabilities
• 2 arbitrary file read vulnerabilities

The researchers grouped some of the more critical vulnerabilities present in these devices by their attack type:

• Physical Bypass via Fake QR Codes CVE-2023-3938 allows cybercriminals to perform a SQL injection attack by injecting malicious code into access strings. This could allow them to gain unauthorized entry to restricted areas.
• Biometric Data Theft and Backdoor Deployment The CVE-2023-3940 and CVE-2023-3942 vulnerabilities could give attackers access to sensitive user data and password hashes stored on the device. Additionally, CVE-2023-3941 could allow them to remotely alter device databases, allowing them to potentially add unauthorized individuals into systems or create a backdoor.
• Remote Code Execution The CVE-2023-3939 and CVE-2023-3943 flaws enable the execution of arbitrary commands or code on the device, effectively giving attackers full control and the ability to launch further attacks on the wider network.

Georgy Kiguradze, Senior Application Security Specialist at the cybersecurity firm, expressed concern over the risks posed by these vulnerabilities in real scenarios, risks posed by deepfake and social engineering tactics, and the urgency of immediately patching these vulnerabilities. He stated:

“The impact of the discovered vulnerabilities is alarmingly diverse. To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponizes the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors. Lastly, some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage. All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device's security settings for those using the devices in corporate areas.”

Mitigating Risks to Biometric Terminals

The researchers stated that they had disclosed all information about the discovered vulnerabilities to ZKTeco, but lacked accessible data on whether these vulnerabilities had been patched. The researchers have shared the following recommendations to protect these biometric terminals from attacks in the meanwhile:

• Isolate biometric reader usage into a separate network segment.
• Employ robust administrator passwords and change default ones.
• Audit and fortify the device's security settings, including enabling temperature detection.
• If feasible, minimize the use of QR code functionality.
• Regularly update the device's firmware.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Black Basta ransomware gang may have exploited a Windows privilege escalation vulnerability as a zero-day before it was patched, new evidence suggests. Symantec researchers have revealed details that the Black Basta ransomware group linked to the Cardinal cybercriminal syndicate (also known as Storm-1811 or UNC4393) may have exploited a flaw in the Windows error reporting service as a zero-day prior to its March Patch Tuesday fix. Tracked as CVE-2024-26169, the vulnerability in question exists in the Windows Error Reporting Service. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said at the time of patching. The Redmond-based tech giant at the time reported no evidence of the bug being exploited in the wild. However, analysis of an exploit tool used in recent attacks indicated that it may have been compiled months before the official patch was released, indicating potential zero-day exploitation.

Black Basta’s Privilege Escalation Bug Exploitation

The Symantec team first uncovered the possible zero-day exploitation while investigating a recent ransomware attack attempt in which an exploit tool for CVE-2024-26169 was used. “Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity,” Symantec said. These TTPs included the use of batch scripts disguised as software updates, the researchers added.

Black Basta Exploit Tool Analysis

The exploit tool leverages a flaw where the Windows file “werkernel.sys” uses a null security descriptor for creating registry keys. The tool exploits this by creating a “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe” registry key, setting its “Debugger” value to its own executable pathname. This allows the attacker to start a shell with administrative privileges, Symantec explained. Two variants of the tool analyzed:

• Variant 1 (SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63): Compiled on February 27, before the vulnerability was patched.
• Variant 2 (SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0): Compiled on December 18, 2023, nearly three months before an official fix was released.

While time stamp values in executables can be modified, in this case the attackers likely had little motivation to alter them, suggesting genuine pre-patch compilation.

Indicators of Compromise

Symantec shared the following IoCs: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63 – Exploit tool b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0 – Exploit tool a31e075bd5a2652917f91714fea4d272816c028d7734b36c84899cd583181b3d – Batch script 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d – Batch script 2408be22f6184cdccec7a34e2e79711ff4957e42f1ed7b7ad63f914d37dba625 – Batch script b0903921e666ca3ffd45100a38c11d7e5c53ab38646715eafc6d1851ad41b92e – ScreenConnect

About Black Basta Ransomware

The latest attempts of exploiting a Windows privilege escalation bug comes a month after Microsoft revealed details of Black Basta ransomware operators abusing its Quick Assist application that enables a user to share their Windows or macOS device with another person over a remote connection. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI in a May advisory said Black Basta's affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia since its launch in April 2022. An analysis from blockchain analytics firm Elliptic indicates that Black Basta has accumulated at least $107 million in ransom payments since early 2022, targeting more than 90 victims. The largest ransom payment received was $9 million, and at least 18 of the ransoms exceeded $1 million each. The average ransom payment was $1.2 million.

Ukraine National Police have arrested a man they say helped disguise ransomware used by Russia-based threat groups. The 28-year-old cryptor developer was unnamed in Ukraine and Netherlands announcements of the arrest, but the Dutch statement said he was arrested on April 18, 2024 in a lead-up to May’s massive “Operation Endgame” botnet takedown.

Cryptor Developer Worked with Conti, LockBit

Ukraine cyber ​​police and National Police investigators say they established that the man was involved in the LockBit and Conti ransomware groups. The Kyiv man infected a company in the Netherlands with Conti ransomware in 2021, demanded a ransom and threatened to release confidential company information if payment wasn’t made, according to the Dutch announcement, which cited work by the Netherlands’ High Tech Crime Team of the National Operations and Interventions Unit and the National Public Prosecution Service. They requested Ukraine’s assistance in the case as part of their investigation. As part of the arrest, Ukrainian police conducted house searches in the city of Kyiv and the Kharkiv region on April 18 and seized computer equipment, mobile phones and documents for further investigation (pictured below). [caption id="attachment_76895" align="alignnone" width="300"] Items seized in Ukraine ransomware arrest[/caption] The Ukraine cyber police said the man “specialized in the development of cryptors,” or “special software for masking computer viruses under the guise of safe files” (quotes translated from the Ukraine statement). “Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses,” the Ukraine statement added.

LockBit Remains Active Despite Repeated Enforcement Activities

The Conti ransomware group reportedly dissolved in 2022 after a Ukrainian researcher leaked the group's source code in retaliation for the group's support of Russia's invasion of Ukraine, but LockBit has remained persistent. Despite the Ukraine arrest and law enforcement successes like Operation Endgame, Operation Cronos, and the unmasking of formerly anonymous LockBit leader Dmitry Khoroshev, LockBit has shown an ability to continually regroup and reestablish threat activities, recently launching high-profile ransomware attacks such as one that the city of Wichita is finally recovering from. Ukraine officials said the investigation is ongoing. The suspect is being charged under part 5 of Article 361, Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks, of the Criminal Code of Ukraine. The article provides for publishment of up to 15 years of imprisonment, and additional charges are possible. Netherlands officials thanked the Ukrainian investigators for their assistance and said they “are very pleased with the arrest in Ukraine and are grateful for the space that the Ukrainian police have found for this in times of war.”

A resident of Moreton Bay, Australia was shocked to discover that the private information of several resident ratepayers in the region, including their friends and neighbors, had been accidentally published on the Moreton Bay council's official website. The leaked information included names, residential addresses, email addresses, and phone numbers, as well as resident complaints to the council and details about council investigations.

Data Breach Discovered By Local Resident

City of Moreton Bay resident Piper Lalonde, who works as a data analyst, had discovered the breach along with her husband. They were shocked to learn that their personal information was freely available on the council's customer request online portal. The couple had discovered that the information included their phone numbers,  complaints, and requests that they had made for new bins, along with the GPS coordinates of where the requests had been filed. A further investigation into the breach had revealed that the personal information of some of their friends and neighbors who were fellow ratepayers were also available in the records after they conducted a search. Piper reported this information to the council, with the website being taken down the next day. However, she was still unsatisfied with the lack of notification about the incident to impacted residents. Piper stated, "I would expect they'd have to send out some formal communication letting people know their information was publicly accessible, but there was no indication they were going to do that." She expressed concern about the possibility of people stumbling upon complaints made about them by other residents. She added, "If this gets in the wrong hands — it just takes one person to see a complaint about them, and who knows what they'll do."

City of Moreton Bay Responses to Data Breach

After Piper's report, the website was said to be taken down. The site appears to be functional as of now, with some functions still limited. The website includes an official notice in response to the incident. [caption id="attachment_76878" align="alignnone" width="2204"] Source: moretonbay.qld.gov.au[/caption]

We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed.

The notice appears to indicate that the breach stemmed from a third-party provider. The Cyber Express team has reached out to the Moreton Bay Council's Privacy Officer for further information on the breach, however no response has been received as of publication time. The potential scale of the data breach, as well as its impact on residents, is currently unknown. It is also unclear on how many individuals may have accessed the available data before the website had been temporarily taken down and subsequently limited. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A dark web hacker that goes by the name “Tombstone” has claimed and advertised multiple vulnerabilities affecting a subdomain affiliated with Google LLC. The hacker claimed these flaws on the Russian-language cybercrime forum Exploit and stressed the susceptibility of the domain to XSS-DOM and prototype pollution vulnerabilities. Screenshots shared by threat actor Tombstone showcased 'edu.google.com' as one of the allegedly impacted domains, raising concerns about potential exploits. Tombstone's post on Exploit lacked a specified price for the vulnerabilities, urging interested parties to initiate private communications for further details. The disclosed vulnerabilities pose significant risks to Google and its associated services, warranting immediate attention to mitigate potential cyber threats. "These vulnerabilities are in the software, not the source code Note that I only sell bugs with POC and full proof not exploits With a great price for long-term cooperation in other projects Exchange of Apple, FB, Meta, Microsoft banks", reads the threat actor post.

Dark Web Hacker Claims Prototype Pollution and XSS-DOM Vulnerability

[caption id="attachment_76830" align="alignnone" width="1108"] Source: Dark Web[/caption] The vulnerabilities advertised by Tombstone have direct implications for Google LLC, a prominent entity within the IT & ITES industry. Notably, domains such as google.com and edu.google.com have been identified as being at risk, primarily affecting users currently using the Google services.  The vulnerabilities disclosed by Tombstone encompass XSS-DOM and prototype pollution, both of which can serve as entry points for malicious cyber activities. XSS-DOM vulnerabilities, in particular, enable threat actors to inject client-side scripts into web pages viewed by other users, potentially leading to session hijacking, phishing attacks, malware distribution, and data theft. Prototype pollution vulnerabilities, however, involve manipulating a JavaScript object's prototype to achieve unintended behavior, often resulting in unauthorized data manipulation or code execution. The combination of these vulnerabilities within Google's subdomain highlights the critical need for robust cybersecurity measures to safeguard against potential cyberattacks.

Previous Incidents and Security Research

Prior to Tombstone's disclosure, security researcher Henry N. Caga had identified the XSS vulnerability within a Google subdomain, further emphasizing the susceptibility of Google's infrastructure to such exploits. Caga's research revealed the presence of a vulnerability within the URL associated with 'https://aihub.cloud.google.com,' prompting an in-depth investigation. Despite initial challenges in replicating the XSS pop-up, Caga's persistence ultimately led to the discovery of a double-encoded payload that triggered the vulnerability. Subsequent testing unveiled the widespread nature of the vulnerability across all URLs within the aihub.cloud.google.com domain, accentuating the severity of the issue. Following responsible disclosure protocols, Caga promptly reported the findings to Google's security team, accompanied by comprehensive documentation and proof of concept scripts. Google's swift response included an upgrade in the issue's priority and severity levels, acknowledging Caga's contributions with a reward of $4,133.70, along with a $1,000 bonus for the thoroughness of the report and proof of concept scripts. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The MEDUSA ransomware group has reared its ugly head again and this time it has claimed to have targeted three new victims: GEMCO Constructors, Dynamo Electric and Farnell Packaging. The ransomware group’s dark web portal highlighted these additions, adding to their growing list of victims. Like many of its earlier attacks, the group has not disclosed crucial details, such as the type of compromised data. It has, however, demanded a bounty of US $900,000 from GEMCO and $100,000 each from Dynamo and Farnell Packaging to stop leaking its internal data.

MEDUSA Ransomware Attack: The Latest Victims

GEMCO Constructors is headquartered in Indianapolis, Indiana, USA. The ransomware actors have claimed to have access to 1.0 TB of the organization's data and has threatened to publish it within 6-7 days. The second company that the group has claimed to have targeted is Dynamo, which is based in Saskatchewan, Canada. Data of the company, which specializes in electrical and electronic manufacturing, has allegedly been compromised. MEDUSA has claimed to have exfiltrated 149.6 GB of the organization's data and plans to publish it within 6-7 days. Farnell Packaging, a Canadian company in the packaging and container industry, has also allegedly been attacked. The attackers claimed to have accessed 193.9 GB of the organization's data and warned the data would be published within 8–9 days. Despite the gigantic claims made by the ransomware group, the official websites of the targeted companies seem to be fully operational, with no signs of foul play. The organizations, however, have not yet responded to the alleged cyberattack, leaving the claims made by the ransomware group unverified.  The article would be updated once the respective organizations respond to the claims. The absence of confirmation raises the question of the authenticity of the ransomware claim. It remains to be seen whether it is a tactic employed by MEDUSA to garner attention or if there are ulterior motives attached to their actions. Only an official statement by the affected companies can shed light on the true nature of the situation. However, if the claims made by the MEDUSA ransomware group do turn out to be true, then the consequences could be far-reaching. The potential leak of sensitive data could pose a significant threat to the affected organizations and their employees.

Background of MEDUSA Ransomware Group

MEDUSA first burst onto the scene in June 2021 and has since targeted organizations in various countries across multiple industries, including healthcare, education, manufacturing, and retail. Most of the companies, though, have been established in the United States of America. MEDUSA functions as a Ransomware-as-a-Service (RaaS) platform. It provides would-be attackers with malicious software and infrastructure required to carry out disruptive ransomware attacks. The ransomware group also has a public Telegram channel that threat actors use to post data that might be stolen, which could be an attempt to extort organizations and demand payment.

Previous Ransomware Attacks

Less than three weeks ago, MEDUSA ransomware group claimed a cyberattack on Comwave, a Canadian communications giant renowned for providing internet, network security solutions, and customer support services.  In January 2024, a prominent non-profit organization, Water For People, was targeted by the group. The organization faced the pressure of a deadline to comply with the demands of the ransomware group. MEDUSA also targeted four organizations across different countries, including France, Italy, and Spain. The group’s modus operandi remains uniform, with announcements being made on their dark web forum accompanied by deadlines and ransom demands. As organizations deal with the fallout of cyberattacks by groups like MEDUSA, it becomes crucial to remain vigilant and implement stringent security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The United Kingdom and Canada privacy watchdogs announced a joint investigation this week to determine the security lapses in the genetic testing company 23andMe’s October data breach, which leaked ancestry data of 6.9 million individuals worldwide. The UK Information Commissioner John Edwards and Privacy Commissioner of Canada Philippe Dufresne will lead the investigation, pooling the resources and expertise of their respective offices.

Focus of 23andMe Data Breach Investigation

The joint investigation will examine three key aspects:

• Scope of Information Exposed: The breadth of data affected by the breach and the potential harm to individuals arising from it.
• Security Measures: Evaluate whether 23andMe had adequate safeguards to protect the sensitive information under its control.
• Breach Notification: Review whether the company provided timely and adequate notification to the regulators and affected individuals, as mandated by Canadian (PIPEDA) and UK (GDPR) data protection laws.

Edwards said the investigation was needed to garner the trust of people in organizations that handle sensitive personal data. He stated:

“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Dufresne on the other hand stated the risks associated with genetic information in the wrong hands. He said:

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

The data protection and privacy laws in the UK and Canada allow such joint investigations on matters that impact both jurisdictions. Each regulator will assess compliance with the relevant laws they oversee. Neither of the privacy commissioner offices however provided further details on how they would charge or penalize 23andMe, if found in violation of GDPR or PIPEDA. “No further comment will be made while the investigation is ongoing,” the UK ICO said. 23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today.

“We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023,” a 23andMe spokesperson told The Cyber Express.

Genetic Testing Company 23andMe Data Breach Timeline

23andMe first disclosed details of the October data breach in an 8-K filing with the U.S. Securities and Exchange Commission. The genetic testing company said attackers scraped profiles of 23andMe users who opted in to using the company’s DNA Relatives feature. This profiling feature connects users with genetic distant relatives - or other 23andMe users who share their bits of DNA. The attackers used credential stuffing attacks that affected 0.1% of user accounts, the company told SEC. Using these accounts as a launchpad, hackers were able to access “a significant number of files containing profile information about other users' ancestry.” Threat actors claimed on underground forums that they were able to siphon “20 million pieces of code” from 23andMe. The claimed data set included information DNA ancestry backgrounds belonging to more than 1.3 million Ashkenazi Jewish and Chinese users. By the end of October, another threat actor claimed compromise of 4 million genetic profiles, which the company also investigated. The genetic testing company 23andMe said it notified the affected 6.9 million users - 5.5 million DNA Relatives profiles and 1.4 million Family Tree profile – in December. The company told federal regulators that the data breach incident was set to incur between $1 million and $2 million in one-time expenses. The company faces at least 30 class action lawsuits in U.S.state and federal jurisdictions as well as in Canada. 23andMe blamed the customers’ poor security hygiene for the breach and has since made two-step verification a prerequisite for account logon. It also mandated customers to reset their passwords. *Update 1 (June 12 – 12:00 AM EST): Added response from the 23andMe spokesperson.