
Nexperia Confirms Data Breach, Launches Investigation with Cybersecurity Experts


Chinese-owned semiconductor giant Nexperia has fallen victim to a cyberattack, revealing a breach of sensitive documents and intellectual property. The cyberattack on Nexperia, which occurred in March 2024, has raised concerns about data security and the growing threat of ransomware in the tech industry.

Nexperia, headquartered in the Netherlands, confirmed the Nexperia cyberattack in a statement, acknowledging that an "unauthorized third party accessed certain Nexperia IT servers."

Cyberattack on Nexperia: Investigation Underway

The company has taken swift action, disconnecting affected systems from the internet and launching an investigation with external cybersecurity experts to assess the nature and scope of the attack. "We promptly took action and disconnected the affected systems from the internet to contain the incident and implemented extensive mitigation. We also launched an investigation with the support of third-party experts to determine the nature and scope of the incident and took strong measures to terminate the unauthorized access," the company stated in its official notice.

Working closely with authorities in the Netherlands, including law enforcement and regulatory bodies, Nexperia is determined to contain the fallout and mitigate the impact of the breach. However, details about the extent of the data breach at Nexperia remain unclear, as the investigation is ongoing and sensitive information is at stake. "Together with our external cybersecurity expert FoxIT, Nexperia continues to investigate the full extent and impact of the matter and we are closely monitoring the developments. In the interest of the ongoing investigation, we cannot disclose further details at this point," reads the official notice.

Nexperia Cyberattack: Attribution to Dunghill Group

The cyberattack on Nexperia has been attributed to the Dunghill group, a notorious ransomware gang known for targeting high-profile organizations. With a track record dating back to early 2023, Dunghill has gained notoriety for its sophisticated tactics and brazen demands. The group claims to have stolen 1TB of data from Nexperia, including trade secrets, chip designs, employee personal data, and customer information from major brands like SpaceX, Apple, and Huawei.

[Image: Cyberattack on Nexperia. Source: X]

Dunghill has further threatened to release the stolen data unless its ransom demands are met. To highlight its seriousness, the group has already published a small sample of the breached data, including internal emails and personal documents belonging to a former senior vice president of Nexperia. Dutch broadcaster RTL has verified the authenticity of these documents, adding to the gravity of the situation.

The cyberattack on Nexperia may have far-reaching implications, given the company's global reach and critical role in the semiconductor industry. With over 15,000 employees spread across Europe, Asia, and the United States, Nexperia is a key player in enabling electronic designs for various applications, from automotive and industrial to mobile and consumer electronics. As the investigation into the cyberattack on Nexperia continues, concerns mount over the potential fallout for Nexperia and its customers. The data breach not only jeopardizes the company's proprietary technology but also raises serious questions about data privacy and cybersecurity in an increasingly interconnected world. Industry experts and cybersecurity analysts are closely monitoring developments, emphasizing the urgent need for enhanced security measures and proactive risk management strategies.
The Cyber Express Team has reached out to Nexperia for further details on the incident, highlighting the importance of transparency and accountability in addressing cyberattacks of this magnitude. As the investigation unfolds, stakeholders await answers and reassurances that steps are being taken to prevent future breaches and protect against emerging threats in the digital landscape.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Handala Hacker Group Warns Israel: 500K Texts Sent Amid Alleged Iron Dome Security Breach


An Iranian cyber group known as Handala has claimed to have breached Israel's radars and taken down the Iron Dome missile defense systems. The Handala hacker group, notorious for its targeting of Israeli interests, allegedly infiltrated Israel's radar defenses and inundated Israeli citizens with text messages, marking a large-scale cyber intrusion. The group claimed to have penetrated the radar systems, issuing a dire warning through 500,000 text messages dispatched to Israeli citizens, indicating a limited window for Israel to rectify the breached systems.

[Image: Handala hacker group. Source: Falcon Feeds on X]

Within this attack, the group also claimed that it hacked the Iron Dome missile defense systems. As evidence of its intrusion, Handala has shared screenshots purportedly showing the hacking of Israeli radars.

Handala Hacker Group Claims Large-Scale Cyberattack on Israel

[Image: Handala Hacker Group. Source: YourOpinion on X]

Handala's cyberattack on Israel has been multifaceted, extending beyond the cyberattacks on the radar systems and the Iron Dome missile defense systems. Rada Electronics, a defense technology firm aligned with Israel's interests, reportedly fell victim to Handala's incursion, with leaked dashboard images purportedly confirming the breach. The Cyber Express has reached out to Rada Electronics to verify the claims of this cyberattack. However, at the time of writing, no official statement or response has been received. Furthermore, a service provider responsible for Israeli customer alerts and Israel's Cyber Security College allegedly experienced sizable data breaches, amounting to terabytes of compromised information.

[Image: Cyber Security College. Source: Falcon Feeds on X]

The group's messaging has been brazen, explicitly targeting Israeli entities affiliated with the 8200 unit and emphasizing their vulnerability despite their purported expertise in cybersecurity. Such provocations serve to intensify the ongoing cyber conflict between Iran and Israel, with Handala positioning itself as a supporter of Palestine challenging Israel's digital defenses. The Handala hacker group recently came into the spotlight as it declared support for Palestine against Israel. The threatening messages to Israeli citizens further show its intent to sow discord and undermine public confidence in Israel's security. Previously, the group claimed a cyberattack on the Viber instant messaging service, breaching and stealing over 740 GB of data from the company's servers. The group appears to be named after the Palestinian resistance cartoon character Handala.

Who is the Handala Hacker Group?

Being a pro-Palestinian group, the hackers behind the group took inspiration from Handala, a significant national emblem of the Palestinian people. The character of Handala was created by political cartoonist Naji al-Ali in 1969 and assumed its current form in 1973. It embodies the spirit of Palestinian identity and resistance, often depicted in al-Ali's cartoons. Named after the Citrullus colocynthis plant native to Palestine, Handala symbolizes resilience, with deep roots and a bitter fruit that regrows when cut.

Since al-Ali's assassination in 1987, Handala has remained a powerful symbol of Palestinian identity, prominently displayed on walls and buildings in the West Bank, Gaza, and Palestinian refugee camps. It has also gained traction as a tattoo and jewelry motif and has been adopted by movements like Boycott, Divestment and Sanctions, and the Iranian Green Movement — and now the Handala hacker group. Handala's iconic posture, with its back turned and hands clasped behind it, reflects a rejection of imposed solutions and solidarity with the marginalized. The character, perpetually ten years old, signifies al-Ali's age when he left Palestine, embodying the hope of returning to a homeland. The hacker group inspired by the character has likewise claimed many such attacks to maintain its identity as a supporter of Palestine. Although official Israeli sources have yet to confirm Handala's claims, security experts within Israel have expressed apprehension regarding the plausibility of Iranian cyberattacks targeting critical national infrastructure.

Iran Attacks Israel With Missiles and Drones

The recent surge of drones and missiles directed towards Israel overnight on April 14 has ushered in a new phase of tension and confrontation in the Middle East. Iran's attack on Israel, purportedly in retaliation for a suspected Israeli strike on the Iranian consulate in Damascus earlier this month, marks an escalation in the longstanding discord between the two nations. Iran's attack, comprising over 300 projectiles including drones and ballistic missiles, targeted various locations in Israel, albeit with minimal impact due to interception by Israeli defense systems. The Nevatim airbase was among the sites reportedly hit, allegedly in response to Israel's earlier strike on the Iranian consulate, reported The Times of Israel. Despite causing only minor structural damage, the attack highlights Iran's retaliatory position.

The airstrike on the Iranian consulate in Damascus, attributed to Israel, resulted in casualties including high-ranking Iranian officials, prompting vows of retribution from Iranian leadership. The ensuing regional instability has prompted concerns of a broader conflict and calls from Israel's allies to prioritize de-escalation. Israel has responded defensively, emphasizing its successful interception of the majority of incoming projectiles while urging preparedness for any scenario. However, calls for restraint and de-escalation from Western allies, including the United States, highlight the urgency of avoiding further conflict. The immediate response from Israel's War Cabinet remains pending, with discussions ongoing regarding the timing and scope of potential retaliatory measures. Iran, on the other hand, has warned of retaliation should Israel pursue further attacks on its interests, suggesting a potential escalation of hostilities.

NSA Issues Cybersecurity Guidance for Secure AI Deployment


The National Security Agency (NSA) is taking a proactive stance in cybersecurity with the release of a Cybersecurity Information Sheet (CSI) titled “Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems.” This initiative underlines the growing importance of securing artificial intelligence (AI) systems in the face of evolving cyber threats.

Dave Luber, National Security Agency Cybersecurity Director, emphasized the significance of AI in today’s landscape, acknowledging both its potential benefits and the security challenges it poses. He stated, “AI brings unprecedented opportunity, but also can present opportunities for malicious activity. NSA is uniquely positioned to provide cybersecurity guidance, AI expertise, and advanced threat analysis.”

NSA Collaborative Effort

The CSI, a collaborative effort involving the National Security Agency's Artificial Intelligence Security Center (AISC) and several international partners, including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), aims to provide guidance to National Security System owners and Defense Industrial Base companies deploying AI systems developed by external entities. While initially targeted at national security applications, the guidance holds relevance for any organization integrating AI capabilities into managed environments, particularly those operating in high-threat, high-value sectors. It builds upon previously released guidelines, signaling a concerted effort to address emerging security challenges in AI development and deployment. This release marks a significant milestone for the AISC, established by the National Security Agency in September 2023 as part of the Cybersecurity Collaboration Center (CCC). The center's mission encompasses detecting and countering AI vulnerabilities, fostering partnerships with industry stakeholders, academia, and international allies, and promoting best practices to enhance the security of AI systems.

Future Directions

Looking ahead, the AISC plans to collaborate with global partners to develop a comprehensive series of guidance on various aspects of AI security. These topics include data security, content authenticity, model security, identity management, model testing and red teaming, incident response, and recovery. By addressing these critical areas, the NSA aims to enhance the confidentiality, integrity, and availability of AI systems, staying ahead of adversaries' tactics and techniques.

The release of the CSI reflects a broader commitment to cybersecurity and highlights the importance of collaboration in defending against cyber threats. As AI continues to reshape industries and society at large, ensuring the security of these systems is paramount to safeguarding sensitive data, critical infrastructure, and national security interests. With the rapid evolution of AI technology, ongoing collaboration and proactive security measures will be essential to mitigate emerging risks and maintain trust in AI-driven solutions. The National Security Agency's guidance serves as a foundation for organizations to enhance the resilience of their AI systems and adapt to the evolving threat landscape. In an era defined by digital transformation and unprecedented connectivity, securing AI systems is not merely a technical challenge but a strategic imperative. By leveraging collective expertise and resources, stakeholders can navigate the complexities of AI security and foster a safer, more resilient digital ecosystem for all.

Sean Connelly Departs CISA to Join Zscaler’s Global Zero Trust Efforts


Sean Connelly, a prominent member of the Cybersecurity and Infrastructure Security Agency (CISA) and manager of the Trusted Internet Connections (TIC) program, is stepping down from his role as senior cybersecurity architect. His departure from CISA concludes a significant chapter that lasted more than ten years, a period in which he launched several key cybersecurity initiatives. Connelly's expertise has played a crucial role in the development of key programs at CISA. His work has significantly influenced the direction of the TIC program and he has been a pioneer in advancements in zero-trust security. His contributions have made a lasting impact on federal cybersecurity strategy.

Sean Connelly Leaves CISA to Join Zscaler

[Image: Sean Connelly Leaves CISA. Source: CISA]

Transitioning from federal service in the US, Connelly will embark on a new chapter at Zscaler, a prominent player in the cybersecurity industry. At Zscaler, he will channel his wealth of experience into international zero-trust projects, aiming to support global cybersecurity frameworks. Stephen Kovac, Global Chief Compliance Officer at Zscaler, expressed enthusiasm about Connelly's addition to the team, emphasizing his role as a leader in shaping zero-trust and secure access service edge (SASE) policies and compliance worldwide, reported HSToday. Sean is leaving his position after 11 years at CISA and more than seven years as a contractor with organizations like the State Department and NOAA. His move to Zscaler represents a strategic shift, focusing on international compliance challenges and utilizing his extensive federal cybersecurity experience.

From Federal Government to Private Sector

Notably, Connelly is not the sole federal cybersecurity expert to join Zscaler recently. Brian Conrad, former acting director of the Federal Risk and Authorization Management Program (FedRAMP), also made the transition and joined Zscaler in 2024. During his time at CISA, Connelly led significant initiatives, from developing TIC architectures to advocating for zero-trust principles across federal civilian agencies. His impact reached beyond policy development, highlighted by his co-authorship of key publications and his instrumental role in establishing the CISA Zero Trust Initiative Office. Moreover, Connelly influenced the Technology Modernization Fund Board, where he played a pivotal role in evaluating and allocating funding for cybersecurity projects. As Connelly embarks on this new journey, his legacy within the federal government serves as a model of professionalism in cybersecurity on both national and global scales. His transition to Zscaler marks a continuation of his mission to shape the future of cybersecurity, highlighting the ongoing collaboration between public and private sectors in protecting digital infrastructure.

Cisco Duo Data Breach Exposes Customer MFA Data Through Telephony Provider


Cisco Duo's security team has issued a warning regarding a cyberattack that compromised some customers' VoIP and SMS logs, potentially exposing sensitive information used for multi-factor authentication (MFA) messages. This Cisco Duo data breach, occurring through their telephony provider, highlights the persistent threat posed by cybercriminals targeting communication channels vital for security measures.

Cisco Duo, a prominent multi-factor authentication and Single Sign-On service utilized by numerous corporations for secure network access found itself at the center of a cybersecurity incident. The Cisco Duo data breach, which occurred on April 1, 2024, involved the illicit access of employee credentials through a phishing attack. Subsequently, the threat actor leveraged these credentials to infiltrate the systems of a telephony provider responsible for handling SMS and VoIP MFA messages.

Impact on Customers of Cisco Duo Data Breach

Affected customers received notifications revealing that SMS and VoIP MFA message logs associated with specific Duo accounts were compromised between March 1, 2024, and March 31, 2024. While the stolen logs did not include message content, they contained valuable metadata such as phone numbers, carriers, locations, and timestamps. This information could potentially be weaponized in targeted phishing attacks aimed at obtaining corporate credentials and other sensitive data. "We are writing to inform you of an incident involving one of our Duo telephony suppliers (the “Provider”) that Duo uses to send multifactor authentication (MFA) messages via SMS and VOIP to its customers. Cisco is actively working with the Provider to investigate and address the incident," reads the notice released by Cisco Duo.

Upon discovering the breach, the telephony provider swiftly initiated an investigation and implemented mitigation measures. These efforts included invalidating compromised credentials, analyzing activity logs, and notifying Cisco Duo of the incident. Additionally, the provider enhanced security protocols and committed to reinforcing employee awareness through social engineering training programs.

Customer Assistance and Vigilance

In response to the data breach, Cisco Duo offers affected customers access to the compromised message logs upon request. It advises customers to promptly notify impacted users and educate them about the risks of social engineering attacks. Heightened vigilance is encouraged, with users urged to report any suspicious activity to designated incident response teams or relevant points of contact. "The Provider has provided us with a copy of the message logs pertaining to your Duo account that the threat actor obtained, and we will provide you with a copy of those logs upon request. To request such a copy, or if you have any questions, please contact msp@duo.com," reads the notice further.

"Because the threat actor obtained access to the message logs through a successful social engineering attack on the Provider, please contact your customers with affected users whose phone numbers were contained in the message logs to notify them, without undue delay, of this event and to advise them to be vigilant and report any suspected social engineering attacks to the relevant incident response team or other designated point of contact for such matters," the Cisco Duo notice requested.

The Cyber Express team, while investigating the breach, reached out to Cisco Duo to learn more about the cyber incident; however, as of writing this news report, the company's official response has not been received.

Lighttpd Bug Continues to Expose Vulnerabilities in End-of-Life Intel and Lenovo Hardware Firmware

16 April 2024 at 05:53


A vulnerability has been discovered in the devices of several prominent manufacturers within the Lighttpd open-source web server component. Lighttpd is recognized as a 'secure, fast, standards compliant, and flexible web server optimized for high-performance environments.' These features make it a popular choice for incorporating into various projects and tools, and it has previously been used to power sites such as YouTube and Wikipedia. This vulnerability, present in Lighttpd for at least six years, affects over 2000 devices deployed by vendors such as American Megatrends International (AMI), Intel, Lenovo, and Supermicro. Researchers caution that any hardware that incorporates certain generations of baseboard management controllers (BMCs) made by Duluth, Georgia-based AMI or Taiwan-based AETN is also affected.

BMCs are built into servers to allow cloud centers as well as their clients to remotely manage servers. They enable administrative actions such as OS management, installation of apps, and control over different aspects of servers even while they are powered off. Over the years, BMCs from multiple manufacturers have incorporated vulnerable versions of lighttpd.

Lighttpd Bug Had Been Identified but Not Disclosed as Vulnerability

[Image: lighttpd bug, Lenovo and Intel. Source: Shutterstock]

The vulnerability had been discovered and patched in version 1.4.51 of the software, described as fixing 'various use-after-free scenarios' and marked as consisting of 'security fixes' in the change logs. The MITRE corporation describes this category of bugs as one that 'can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw'. Researchers from Binarly, who discovered the flaw's presence on devices sold by Lenovo and Intel, noted that the update did not describe the issue as a “vulnerability” or include a CVE vulnerability number. This omission, they claim, might have affected the 'proper handling of these fixes down both the firmware and software supply chains'. While the bug is of moderate severity on its own, it could be chained with other vulnerabilities to read the memory of a lighttpd web server process, exfiltrate sensitive data, and potentially bypass memory-protection techniques such as ASLR (address space layout randomization). ASLR is implemented in software to make buffer overflow and out-of-bounds memory attacks harder to exploit.

Vendors Plan Not to Release Lighttpd Bug Fix As They No Longer Support Hardware

[Image: lighttpd bug. Source: Shutterstock]

The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. Both Intel and Lenovo have reportedly stated that they have no plans to release fixes, as they no longer support the hardware where these flaws may persist. Supermicro, however, has stated that it supports versions of its hardware still relying on lighttpd.
A Lenovo spokesman reportedly stated to ArsTechnica that 'Lenovo is aware of the AMI MegaRAC concern identified by Binarly. We are working with our supplier to identify any potential impacts to Lenovo products. ThinkSystem servers with XClarity Controller (XCC) and System x servers with Integrated Management Module v2 (IMM2) do not use MegaRAC and are not affected.'
It’s worth mentioning explicitly, however, that the severity of the lighttpd bug is only moderate and it is of little value unless an attacker has a working exploit for a much more severe vulnerability. In general, BMCs should be enabled only when needed and locked down carefully, as they allow for extraordinary control of entire fleets of servers with simple HTTP requests sent over the Internet. Chip giant Intel previously issued an advisory in 2018 warning customers about over 13 security bugs discovered in its version of the baseboard management controller (BMC) firmware for Intel Server products while conducting internal evaluation. The reported flaws included one critical flaw that could be exploited to leak sensitive data or allow attackers to escalate privileges.

IntelBroker Claims Channel Logistics LLC Data Breach: Space-Eyes Division Allegedly Impacted


IntelBroker has claimed responsibility for a data breach at Channel Logistics LLC, which operates under the brand Space-Eyes. The breach was announced on the BreachForums platform; however, the black-hat hacking crime forum is facing its own set of issues from other hacking groups and is currently down. According to IntelBroker’s claims, the leaked database, accompanied by Java source code, was purportedly stolen from Channel Logistics LLC. The incident is said to have taken place in April 2024. The leaked data comprises three files, namely “CASUALTY_202404150045.csv,” “DENIED_PERSON.csv,” and “PTUSER.csv.” Notably, the “DENIED_PERSON.csv” file contains personally identifiable information (PII) of users, including names, addresses, contact details, and more.

IntelBroker Alleges Channel Logistics LLC Data Breach

[Image: Channel Logistics LLC Data Breach. Source: Dark Web]

Among the sample files shared by the hacker, one particular concern is the discovery of email addresses linked to various US government entities within the leaked data. However, due to limited information, it has been challenging to ascertain the precise extent of the breach and its implications for these organizations. Space-Eyes, a division of Channel Logistics LLC, specializes in technology services, with a focus on national security. The leaked documents reportedly include highly confidential information related to services provided to prominent US government agencies such as the Department of Justice, Department of Homeland Security, and the US military branches. The Cyber Express has reached out to Channel Logistics LLC to learn more about this alleged Space-Eyes data leak. However, at the time of writing, no official confirmation or denial has been shared, leaving the claims of this Channel Logistics LLC data leak unconfirmed.

Cyberattack on BreachForums' Clearnet Site

Upon further investigation, The Cyber Express found that the organization's website appears to be operational, showing no immediate signs of the reported breach. Moreover, BreachForums, the platform where IntelBroker disclosed the alleged breach, has faced its own set of challenges. The clearnet site of BreachForums is currently inaccessible, with the administrator, Baphomet, issuing a statement acknowledging the suspension of the domain. Users have been advised to access the platform via TOR until the issue is resolved — leaving the clearnet users out of the sample data provided by the hacker.

Additionally, BreachForums may have been targeted by a distributed denial-of-service (DDoS) attack. R00TK1T, in conjunction with the CyberArmyofRussia, has claimed responsibility for the attack and threatened to publish the IP and email addresses of users. Despite this, the TOR address of BreachForums remains functional and is accessible to Tor users. As for the Channel Logistics LLC data breach, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Channel Logistics LLC data leak.

Benjamin Ambrose Appointed as Chief Information Security Officer at NPCI


In a strategic move aimed at fortifying cybersecurity measures in India's burgeoning digital payments landscape, Benjamin Ambrose assumes the role of Chief Information Security Officer (CISO) at the National Payments Corporation of India (NPCI). With a wealth of experience garnered from esteemed positions at AWS and Citi, Ambrose brings a seasoned perspective to NPCI's cybersecurity endeavors. As the backbone of India's retail payments and settlement systems, NPCI stands as a pivotal initiative borne out of collaboration between the Reserve Bank of India (RBI) and the Indian Banks Association (IBA). Established in accordance with the Payment and Settlement Systems Act, 2007, NPCI plays a pivotal role in facilitating secure and efficient digital transactions across the nation.

Benjamin Ambrose's Impeccable Credentials

Benjamin Ambrose's illustrious career trajectory highlights his proficiency in information and cyber security domains. With over two decades of hands-on experience, including a tenure as Senior Security Consultant at AWS, Ambrose possesses a comprehensive understanding of cloud security, digitalization initiatives, audit management, regulatory compliance, and governance. In his new role at NPCI, Ambrose is poised to spearhead efforts to enhance the organization's cybersecurity infrastructure. His mandate encompasses ensuring the safety and integrity of NPCI's operations in the digital world, a mission critical to maintaining trust and confidence in India's burgeoning digital payments ecosystem. Ambrose's appointment underlines NPCI's unwavering commitment to staying ahead of emerging cyber threats and fostering innovation in the realm of digital payments.

A Visionary Leader with a Passion for Sports

Beyond his professional accomplishments, Ambrose is known for his passion for sports. Actively participating in and spectating various disciplines such as badminton, cricket, and chess, Ambrose brings a well-rounded perspective to his leadership role at NPCI. His ability to navigate challenges with strategic acumen and resilience mirrors the tenacity and discipline cultivated through his sporting endeavors. As NPCI embarks on its journey to fortify its cybersecurity posture under Ambrose's stewardship, stakeholders can expect a concerted focus on innovation, collaboration, and proactive risk management. Ambrose's track record of leading highly talented teams and his profound understanding of the financial industry position him as a formidable force in driving NPCI's cybersecurity agenda forward. With Benjamin Ambrose at the helm, NPCI is poised to navigate the complex cybersecurity landscape with confidence and resilience. His appointment marks a significant milestone in NPCI's evolution as a trusted guardian of India's digital payments ecosystem, reaffirming the organization's commitment to safeguarding the interests of stakeholders and fostering sustainable growth in the digital era.

Trust Wallet Urges Caution for Apple Users Amid Reports of Apple iMessage Zero-Day Exploit

Trust Wallet, a leading provider of crypto wallets, has issued an advisory to Apple users regarding a potential iMessage vulnerability. The warning stems from intelligence the company describes as credible, indicating the presence of a zero-day exploit in the iOS iMessage platform, available for purchase on the dark web for a staggering $2 million. According to Trust Wallet, this iMessage zero-day exploit poses a threat because it allows hackers to gain control of iPhones without any interaction from the user. Unlike traditional exploits that require clicking on malicious links or downloading infected files, this exploit operates silently, making it especially threatening for high-value targets.

Trust Wallet Issues Warning about iOS iMessage Vulnerability

Image: iMessage vulnerability. Source: Eowync.eth on X

While Trust Wallet's alert has raised questions about iOS security, with some probing the authenticity of the intelligence shared by CEO Eowyn Chen, the company stands by its warning. Trust Wallet emphasizes that the information is sourced from its security team and trusted partners, highlighting the urgency of the situation amidst growing concerns about cybersecurity, particularly within the blockchain ecosystem. The advisory advises iOS users to take immediate action to safeguard their devices by disabling iMessage until Apple addresses the vulnerability with a security patch. Disabling iMessage can be done through the Settings menu, under Messages, by toggling the iMessage option off. Trust Wallet reassures users that their security remains a top priority, urging vigilance until the issue is resolved.

Image: iOS iMessage vulnerability. Source: X

CEO Eowyn Chen has shared a screenshot purportedly depicting the zero-day exploit for sale, highlighting the gravity of the situation. The Cyber Express has also reached out to Apple to learn more about this iMessage vulnerability. However, at the time of writing this, no official statement or response has been received regarding the iMessage vulnerability.

The Recent Apple Vulnerabilities

In light of these developments, users are advised to exercise caution and remain vigilant against potential threats, particularly as hackers continue to exploit these Apple vulnerabilities. Previously, academic researchers from five different universities revealed a newly discovered vulnerability in Apple's M-series chips, allowing attackers to extract secret keys from Macs during cryptographic operations. This flaw, inherent in the silicon's design, cannot be directly patched. Instead, it requires third-party cryptographic software defenses, potentially slowing M-series performance. The vulnerability stems from the chips' prefetcher, which predicts data access and inadvertently leaks key material. Dubbed "GoFetch," the attack can extract various key types in relatively short timeframes. Exploiting normal user privileges, GoFetch mines secrets while running alongside targeted applications.

BreachForums Down, But Not Out: Hackers Claim Attack, Admins Remain Unfazed

16 April 2024 at 09:14

The clearnet domain of the notorious BreachForums data leak and hacking forum has been taken down by rival threat actors. The threat actor group R00TK1T, along with the pro-Russian gang Cyber Army of Russia, announced a breach of user data following the BreachForums take down. R00TK1T was previously responsible for an attack campaign targeting the Malaysian government and various private entities, including one of Malaysia's leading telecommunications operators. The hackers responsible for the attack on BreachForums also claimed that they would leak a list of the forum's users, IP addresses and emails. Despite the attack, the TOR version of the site remains operational.

Groups Claim More Surprises for Hacker Community and Active Users

Image: BreachForums take down. Source: R00TK1TOFF Telegram channel

R00TK1TOFF claimed on Telegram that the site 'has currently crashed due to the extent of our attack, which was executed with extreme precision and efficiency.' The DDoS campaign against the site was conducted as a joint operation of both groups. However, the BreachForums TOR address remains active and is known to implement DDoS protection. Cybersecurity firm Hackmanac claimed in a note on X (Twitter) that:
R00TK1T is known for making grand claims about significant data breaches, which more often than not turn out to be merely a collection of publicly available data. Given the group's reputation, the threat to publish the IP and email addresses is likely to be a mere republishing of user details that were leaked last year by more credible threat actors.

Baphomet Issues Statement Regarding BreachForums Take Down

Baphomet, the administrator of BreachForums, made a statement about the incident on Telegram: 'The domain is currently suspended. We're working on it. We apologize for any inconvenience.' He further advised its users to access the forums via the TOR site until the issue was sorted. In a later post via Telegram, Baphomet joked that the action must have been the work of the Five Eyes network along with various other large nations 'working together to silence our forums.' He then downplayed the takedown of the .cx domain, recommending that users switch to a temporary new domain (breachforums.st).

Image: BreachForums take down. Source: Baphomet Official Telegram channel

He stated that the .st domain would temporarily function as their main site while the admins work on 'protection over the next week that'll make these one-time suspensions less effective', while emphasizing the availability of the TOR domain at all times. He then claimed that nothing had been 'seized, hacked, or even reasonably attacked', noting that while their site might experience DDoS attacks and downtime, they would always come back. He advised users to be patient and thanked the community for its patience with such incidents. R00TK1T later responded in its own channel that Baphomet was denying the attacks and that, together with the Cyber Army of Russia, it would 'unleash a torrent of chaos that will leave you (Baphomet) reeling.'

BreachForums has faced a series of troubles in recent times, including the arrest of its former owner Conor Brian Fitzpatrick (pompompurin), followed by an official seizure of the site by the Federal Bureau of Investigation (FBI) in cooperation with several U.S. agencies. The FBI stated in an affidavit that at the time of the seizure, it had access to the BreachForums database.
A forum administrator operating under the screen name "Baphomet" took ownership of the website and its operations after the arrest of Fitzpatrick. The site was temporarily shut down after Baphomet suspected that the forum was still compromised. However, Baphomet later reopened the forum to the public with the aid of the black-hat hacking group ShinyHunters. ShinyHunters was previously responsible for several large-scale data breach attacks, obtaining about 200 million records of stolen data from various companies.

Cybersecurity Veteran Kim Larsen Appointed CISO of Keepit

Keepit, a global leader in SaaS data backup and recovery, has announced the appointment of Kim Larsen as its new Chief Information Security Officer (CISO). With over two decades of leadership experience in IT and cybersecurity spanning both governmental and private sectors, Kim Larsen brings a wealth of expertise to his new role. Speaking about backup and recovery, Kim Larsen shared his view on cybersecurity posture, stating, "I am very happy to join Keepit: Backup and recovery are critical components of a solid cybersecurity posture, and the unique Keepit solution is the answer to so many compliance and security challenges. It's a great opportunity to work with organizations on how to retain access to their data in the face of any malign or arbitrary threats to their infrastructure."

Kim Larsen's Expertise in Government and Private Sector

Larsen's career trajectory encompasses significant roles in esteemed organizations such as the Danish National Police and the Security and Intelligence Service (PET), where he served as a delegate for the Danish government in NATO's and the EU's security committees. Transitioning to the private sector, Larsen contributed his strategic insights to companies like Verizon, Huawei, and Systematic, while also serving on the information security board of the Danish Industry Confederation (DI) and the Danish Council for Digital Security. Speaking on the development, Morten Felsvang, Keepit CEO, said, "It's a real pleasure to welcome Kim Larsen to the team — his deep government and broad private sector experience is exceptional, and perfectly positions him to bring Keepit's security advisory capabilities and development of future services to the next level. Our current growth trajectory and go-to-market strategy has us engaging in conversations where his expertise is highly valuable."

Larsen's Holistic Approach to Cybersecurity

Larsen's expertise extends across various domains including business-driven security, aligning corporate, digital, and security strategies, risk management, and threat mitigation. His adeptness in developing and implementing security strategies, coupled with his prowess in leadership and communication, make him a strategic asset to Keepit's mission of providing next-level SaaS data protection. Emphasizing the proactive approach necessary for cybersecurity preparedness, Larsen said, “If there’s one thing we can be sure of, it’s this: We don’t know the threats we will be facing in the future. But we can make educated guesses. And based on those, we can make sure to cross the t’s and dot the i’s that we do know about. That’s why the Keepit solution is a future-proof solution: With its vendor-independent tech stack that keeps data physically and logically separate from the production environment, it’s a guarantee that customer data is always available. And with local data centers keeping data in the same regulatory regions as the organization, full compliance is assured. It is really quite unique.” With Larsen at the helm of Keepit's cybersecurity initiatives, the company aims to reinforce its commitment to providing robust data protection solutions to its global clientele. Larsen's emphasis on compliance, security, and disaster recovery best practices underscores Keepit's dedication to staying ahead of emerging threats and evolving regulatory landscapes. Keepit's vendor-independent cloud dedicated to SaaS data protection, based on a blockchain-verified solution, offers a future-proof safeguard against evolving cyber threats. By keeping data physically and logically separate from the production environment and maintaining local data centers in regulatory-compliant regions, Keepit ensures the availability and compliance of customer data, making it a preferred choice for organizations worldwide. 
In his role as CISO, Larsen will lead Keepit's efforts to advance its security advisory capabilities, develop future services, and navigate the complex cybersecurity landscape with resilience and innovation.

UnitedHealth Beats Earnings Despite $1.6 Billion Cyberattack Hit

UnitedHealth Group disclosed on Tuesday that it anticipates the hack of its Change Healthcare unit to result in expenses of up to $1.6 billion this year. However, the healthcare giant affirmed its 2024 earnings forecast, suggesting a potentially less severe impact of the Change Healthcare cyberattack. The cyberattack on UnitedHealth Group, which targeted Change Healthcare, a vital provider of healthcare billing and data systems within the U.S. healthcare infrastructure, had far-reaching consequences.  Not only did it disrupt payments to medical practitioners and facilities nationwide for a month, but it also inflicted severe strains on community health centers catering to over 30 million underprivileged and uninsured patients. Despite the substantial financial implications of the cyberattack, UnitedHealth Group surpassed estimates for first-quarter earnings. This was propelled by a decline in medical costs compared to the elevated rates experienced late last year. The company's shares surged by 5.3% following the earnings report. Prior to this, United shares had experienced a decline of nearly 15% since the revelation of the ransomware attack on February 21.

The Aftermath of the Change Healthcare Cyberattack

Image: Change Healthcare cyberattack. Source: Shutterstock

The disruption caused by the cyberattack extended beyond financial transactions, leading to delays in claim submissions as healthcare providers grappled with manual paperwork due to the inability to access the Change Healthcare system. In response to the crisis, UnitedHealth Group's CEO, Andrew Witty, assured stakeholders of the company's unwavering commitment to resolving the connectivity issues faced by care providers, emphasizing progress in addressing the fallout of the Change Healthcare cyberattack during a recent conference call discussing the company's financial results.

The impact of the cyberattack reverberated through UnitedHealth Group's financial performance in the first quarter of 2024, with total cyberattack-related costs amounting to $0.74 per share. Looking ahead, the company estimates a full-year impact ranging from $1.15 to $1.35 per share, encompassing both direct response costs and business disruption impacts. Despite the challenges posed by the cyberattack, UnitedHealth Group reported robust first-quarter earnings, surpassing expectations. The company's revenues for the quarter surged by nearly $8 billion year-over-year to reach $99.8 billion, fueled by strong growth in its Optum and UnitedHealthcare segments.

Response to the UnitedHealth Group Cyberattack 

While the Change Healthcare cyberattack did leave a notable dent in UnitedHealth Group's earnings from operations, which included $872 million in adverse effects, the company's adjusted earnings from operations remained resilient, excluding direct response costs attributed to the cyberattack. As per the latest press release, in light of the cyberattack's potential implications on claims receipt timing, UnitedHealth Group exercised prudence by allocating an additional $800 million towards claims reserves in the first quarter, reflecting a proactive approach to managing potential future impacts on its financial stability. Looking beyond the immediate financial repercussions, UnitedHealth Group remains focused on maintaining consistent care patterns and supporting its care providers through accommodations necessitated by the cyberattack, as evidenced by a medical care ratio of 84.3% in the first quarter of 2024. Despite the turbulence induced by the cyberattack on Change Healthcare, UnitedHealth Group reaffirmed its commitment to shareholder value by returning $4.8 billion through dividends and share repurchases in the first quarter.

UNDP Hit by Cyberattack: HR and Procurement Data Breached

The United Nations Development Programme (UNDP) finds itself at the center of a cybersecurity storm as it grapples with the aftermath of a recent cyberattack targeting its local IT infrastructure in UN City, Copenhagen. The agency disclosed the cyberattack on UNDP in an official notice on its website.

According to the notification, in the last week of March 2024, the UNDP received a troubling threat intelligence notification, revealing that a data-extortion actor had breached its systems, pilfering sensitive data including human resources and procurement information.

"On March 27, UNDP received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information," reads the notice.

Image: Cyberattack on UNDP. Source: United Nations Development Programme

Swift Response and Vigilance on Cyberattack on UNDP

Upon learning of the incident, UNDP swiftly sprang into action, initiating a series of urgent measures aimed at identifying the source of the data breach and mitigating its impact. Immediate steps were taken to isolate the affected server, with meticulous efforts underway to ascertain the precise nature and extent of the compromised data, as well as to identify individuals affected by the breach. The organization has maintained transparent communication with those impacted by the cyberattack on UNDP, empowering them to safeguard their personal information against potential misuse. Moreover, UNDP has embarked on a comprehensive outreach initiative to apprise its partners within the UN system about the incident, underlining its commitment to transparency and accountability in the face of adversity. "UNDP is currently conducting a thorough assessment of the nature and scope of the cyber-attack, and we have maintained ongoing communication with those affected by the breach so they can take steps to protect their personal information from misuse. Additionally, we are continuing efforts to contact other stakeholders, including informing our partners across the UN system," officials stated.

Potential Impact of the UNDP Cyberattack

As the United Nations' lead agency on international development, UNDP occupies a pivotal role in shaping the global agenda for sustainable development. Operating in 170 countries and territories, the organization spearheads initiatives aimed at eradicating poverty, reducing inequality, and fostering inclusive growth. Through its multifaceted approach, UNDP empowers nations to develop robust policies, enhance leadership capabilities, forge strategic partnerships, and bolster institutional capacities, thereby accelerating progress towards the attainment of the Sustainable Development Goals (SDGs). Therefore, the ramifications of this cyberattack on UNDP extend far beyond the confines of its digital infrastructure. Given the organization's indispensable role in driving global development efforts, the breach poses significant implications for the continuity and efficacy of vital initiatives aimed at addressing pressing socio-economic challenges. The compromised data, encompassing sensitive human resources and procurement information, could potentially undermine the confidentiality and integrity of crucial operations, impeding UNDP's ability to deliver essential services and support to communities worldwide. Moreover, the breach may erode trust and confidence in UNDP's ability to safeguard sensitive information, jeopardizing its partnerships and collaborative endeavors with governments, civil society organizations, and other stakeholders. In the aftermath of this cyberattack, UNDP remains steadfast in its mission to advance the cause of global development, undeterred by the challenges posed by malicious cyber actors.

‘We Will be Attacked’: Cybersecurity Challenges Loom Over Paris Olympics 2024

As the countdown to the Paris Olympics 2024 begins, organizers are gearing up to confront potential cybersecurity threats and the looming specter of terrorism, particularly surrounding the highly anticipated grand opening ceremony. Despite these challenges, there's an atmosphere of confidence regarding their preparedness to tackle any Paris Olympics 2024 cyberattack head-on.  Set to take place from July 26th to August 11th, the XXXII Summer Olympic Games in Paris will be closely monitored for any signs of cyberattacks and security breaches by authorities and cybersecurity organizations.  Franz Regul, the leader of the team tasked with defending against cyber threats for this year's Summer Games in Paris, is well aware of the risks. Speaking from his office in the Paris Olympic organizing committee's headquarters, Regul anticipates the inevitable: "We will be attacked."

Paris Olympics 2024 Cyberattack Risk and Precautions

With teams like Regul's stationed in high-tech rooms equipped with servers and monitoring screens, vigilance against any cyberattack on the Paris Olympics 2024 is maintained. The Paris operations center even boasts a red alert system to signal the gravest dangers. Thus far, there have been no disruptions, but as the Olympics draw nearer, the frequency and severity of hacking attempts are expected to escalate dramatically. Unlike other organizations that are preparing for potential cyberattacks without a specific timeline, Regul's team knows precisely when to brace for impact: July and August. While security concerns at major events traditionally revolved around physical threats such as terrorism, digital intrusions have brought cyberattacks to the forefront of Olympic organizers' minds. To learn more about the risk of cyberattacks on the Paris Olympics 2024, The Cyber Express reached out to the organization. Paris Olympics 2024 replied, stating that scammers are impersonating Paris 2024 to target unsuspecting victims.

Scams and Cyberattacks on Paris Olympics 2024

A spokesperson for Paris Olympics 2024 further explained the full extent of cyberattacks and scams targeting the event. Among the ongoing scams, a fraudulent scheme has emerged, with scammers posing as representatives of Paris 2024 or On Location, employing deceptive tactics such as fake emails, sales materials, and legal documents to lure businesses into purported Olympic venue deals. "The appeal for the Olympic and Paralympic Games is generating scam attempts by companies posing as Paris 2024 or On Location, the exclusive supplier of hospitality for Paris 2024, to offer fictitious services in connection or in relation with the Games", stated the spokesperson. These scammers target restaurants, shopkeepers, and others, promising slots at hypothetical Olympic venues during the Games and demanding deposits. Paris 2024 and On Location have taken legal action, filing criminal complaints for offenses including fraud, identity theft, and counterfeiting. Victims are encouraged to report incidents to the French police or contact the following addresses: integrityandenforcement@paris2024.org and alertfraud@onlocationexp.com. Paris 2024 emphasizes vigilance, urging individuals to reach out to the designated email addresses for assistance if anything looks suspicious.

The Paris Olympics 2024 Cybersecurity Plan 

In a conversation with TCE, Paris Olympics 2024 emphasized the significance of the Olympic and Paralympic Games, highlighting them as unparalleled opportunities for a country's image enhancement. They acknowledged the vast audience of billions of television viewers and the multifaceted challenges they entail: technical, technological, and human. Addressing cybersecurity concerns, they outlined a comprehensive strategy built on three pillars: anticipation, coordination, and expertise. This strategy encompasses both the Organizing Committee's systems and those of their external suppliers and partners. By collaborating with government departments, the International Olympic Committee (IOC), and key partners like Atos, Cisco, and Orange, they aim to mitigate any cybersecurity risk during the games. "Our cybersecurity strategy covers both the systems directly under the responsibility of the Organizing Committee, and the external systems of our suppliers and partners, which means we are already preparing external partners to all the risks", said a Paris Olympics 2024 spokesperson. During the Games, various entities, including a Technology Operations Center (TOC), a Cybersecurity Operations Center (CSOC), and the National Strategic Command Center (CNCS), will operate in seamless coordination. These centers will bring together the expertise of the Paris 2024 cybersecurity team and their partners, establishing physical hubs in undisclosed locations around Paris.

The Biggest Challenge for Cybersecurity Experts 

The upcoming Paris Olympics 2024, which are expected to draw over 4 billion viewers, pose a substantial cybersecurity challenge. With ten million spectators, 20,000 journalists, and 15,000 athletes from 206 countries converging on Paris, the scale of the event magnifies the risk. The array of potential cyber threats includes cybercriminals, hacktivists, and even state-sponsored actors, all aiming to disrupt the Games. Their targets range from IT systems supporting press rooms and ticketing to stadium entry systems, TV broadcasts, and even the power supply to event venues. According to experts cited by The New York Times, hacking groups and nations like Russia, China, North Korea, and Iran possess sophisticated capabilities capable of crippling not only computer networks but also digital ticketing systems and event timing systems. The 2018 Pyeongchang Winter Olympics in South Korea serves as a stark reminder of the real-world implications of cyberattacks on major sporting events. A successful attack during the opening ceremony caused widespread disruption, with the Wi-Fi network failing, the official Olympics smartphone app malfunctioning, and broadcast drones being grounded. With the Paris Olympics 2024 drawing closer, the spotlight is on cybersecurity, highlighting the critical need for robust defenses against potential cyber threats that could undermine the integrity and smooth functioning of this global event.

FTC Fines Cerebral $7 Million for Sharing Millions of Patients’ Data

17 April 2024 at 04:38

The Federal Trade Commission (FTC) has proposed a $7 million fine against Cerebral Inc for what it sees as a mishandling of consumer data. Cerebral allegedly not only mishandled the data but actively shared it with third parties for advertising purposes. The complaint alleges that Cerebral Inc consumer data consisting of sensitive information of nearly 3.2 million individuals had been shared with various third-party agencies, such as Google, Meta (Facebook), and TikTok, among other advertising giants. This sharing of consumer data reportedly occurred through Cerebral's platforms by utilizing tracking tools on its website or apps, such as tracking pixels.
Cerebral, Inc. agreed to comply with a settlement with the FTC, which includes restrictions on the company's use or disclosure of sensitive consumer data. In the statement, the FTC reaffirmed its fight against the poor handling of consumers' sensitive health data by some health companies.

FTC Cites Poor Handling and Malpractices Behind Cerebral Inc Consumer Data Collection

Image: Cerebral Inc consumer data. Source: Shutterstock

The data being mishandled reportedly included not only typical contact and payment information but also detailed medical histories, prescriptions, health insurance details, and even sensitive personal beliefs and orientations. The FTC cites various examples of Cerebral's poor practices, including a failure to restrict former employees from accessing confidential medical records, promotional postcards that disclosed patient health details, and reliance on insecure access methods for its patient portal, which allowed users to access the confidential health information of other patients. Furthermore, the lawsuit accused Cerebral Inc. of violating the 'Restore Online Shoppers' Confidence Act' (ROSCA) by making it difficult for consumers to cancel subscriptions. The complaint outlined a convoluted cancellation process that involved staff contacting consumers to dissuade them from canceling, keeping subscriptions active until staff "confirmed" cancellation demands, and even removing a simplified cancellation button after observing an increase in cancellations.

Mental Health Firm Issued Data Breach Notice Last Month

Image: Cerebral data breach notice. Source: cerebral.com

Cerebral Inc. disclosed in a breach notice published on its website that company data had been shared through invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since 2019, without adequate patient permission. The breach had been reported on the U.S. Department of Health and Human Services breach portal, listing the personal details of 3,179,835 people as exposed in this breach. The data breach was stated to include details such as full name, phone number, email address, date of birth, IP address, Cerebral client ID number, and demographic information. However, the firm stated that the shared information did not include Social Security numbers, credit card information, or bank account information. The firm indicated that it had 'enhanced' its information security practices and technology vetting processes to prevent the sharing of such information in the future. The firm claimed that it was among several others across industries such as health systems, traditional brick-and-mortar providers, and other telehealth companies that had resorted to the use of pixel and other common tracking technologies. Cerebral stated that it would provide free credit monitoring to help affected users. The data breach incident as well as the FTC's proposed fine highlight the importance of safeguarding consumer data and ensuring transparent and accessible cancellation processes, particularly in sensitive industries such as mental health care.

Brokerslink & McAfee Team Up: Revolutionizing Cyber Risk Mitigation


In a move aimed at enhancing cybersecurity capabilities across the globe, leading cybersecurity firm McAfee has joined the Brokerslink network as a 'B.Tech affiliate'.

This strategic partnership enables McAfee to extend its range of cutting-edge cybersecurity services to Brokerslink's extensive network of partners and affiliates spanning 133 countries.

McAfee is renowned for its comprehensive suite of consumer cybersecurity solutions, encompassing antivirus protection, mobile security, virtual private network (VPN), web protection, personal data cleanup, and identity monitoring.

McAfee and Brokerslink Partnership: Comprehensive Cybersecurity Solutions

With over 600 million devices safeguarded globally, McAfee will play a pivotal role in ensuring the safety and security of individuals. By integrating McAfee's industry-leading expertise into its network, Brokerslink aims to revolutionize the approach to cyber risk mitigation. Leveraging McAfee's strong solutions, Brokerslink seeks to empower its partners and affiliates with the tools and knowledge needed to protect clients against evolving cyber threats. In an era marked by escalating digital risks, this collaboration is poised to enhance security and resilience, enabling businesses to navigate the complexities of the digital age with confidence.

Anne Collette, Business Development & Partnerships Director at Brokerslink, expressed enthusiasm about the partnership, stating, "McAfee is a globally recognized business synonymous with cyber security. They are a true global leader in their field and are a strong addition to our growing B-tech affiliate program. As the nature of risks evolves, so must we, broadening the scope of what we do as a broking network to address these risks with innovative shared solutions."

Commitment to Innovation from McAfee

Shery D’Silva, McAfee’s Global Business Development Director, emphasized McAfee's commitment to innovation and privacy protection, stating, "McAfee is committed to continuous innovation to better protect privacy, identity and personal information while bringing truth, trust, and transparency to the forefront of your online experience. One of the many ways we innovate is by partnering with organizations to broaden access to our range of privacy protection services; we’re pleased to be doing so with Brokerslink and its global network of partners and affiliates."

Brokerslink's decision to open its network to non-broking or risk consulting firms in 2022, coupled with the introduction of 'B.Tech affiliates', highlights its commitment to fostering collaboration and innovation in addressing emerging digital challenges. By harnessing the collective expertise of industry leaders like McAfee, Brokerslink aims to redefine cybersecurity practices and fortify businesses against cyber threats in an increasingly interconnected world.

As businesses navigate the complexities of the digital landscape, the McAfee and Brokerslink partnership promises to deliver holistic cybersecurity solutions that not only mitigate risks but also foster trust and resilience in the digital ecosystem.

HHS Scrambles to Patch Security Hole After $7.5 Million Cyberattack


Following a cybersecurity incident dubbed as an indirect ‘HHS data breach’, and theft of funds, the U.S. Department of Health and Human Services has taken the decisive step of removing HHS Login from its grantee payment system. This move comes in the wake of a cyberattack on HHS, wherein hackers exploited data from a federal contracting hub to siphon funds from seven grantee organizations. The HHS cybersecurity incident, which transpired between March 2023 and the close of the same year, saw threat actors make off with a staggering $7.5 million, with the potential for this figure to escalate as internal assessments progress, reported Nextgov/FCW.

HHS Cybersecurity Incident and Removal of Login from Grantee Payment System

The perpetrators behind this HHS cybersecurity incident employed a sophisticated strategy, leveraging information gleaned from SAM.gov and publicly available data to impersonate legitimate employees within grant recipient organizations. This enabled them to alter banking details, facilitating the illicit transfer of funds.

To strengthen its defenses, HHS has replaced HHS Login with the private sector tool ID.me within its Payment Management System, which is responsible for processing grant payments across government agencies. Notably, both HHS and the General Services Administration (GSA), overseers of Login.gov, assert that the identity system remained uncompromised and disconnected from the theft.

Despite the proactive measures taken by HHS, questions linger regarding the specifics of the breach and subsequent security protocols. Efforts to obtain official statements or responses from relevant government entities regarding the removal of HHS Login from the grantee payment system remain unanswered at present.

Response to the HHS Leak and Stolen Funds

This incident highlights the rise of cyberattacks on multiple sectors in the US, with data breaches and cyberattacks becoming increasingly prevalent. In 2023 alone, a staggering 133 million healthcare records were compromised, marking an escalation from previous years. The recent cyberattack on Change Healthcare in February 2024 further highlights the urgent need for enhanced cybersecurity measures within the industry.

Responding to these challenges, the Biden administration unveiled a comprehensive federal strategy in December 2023 aimed at shoring up cybersecurity defenses within the healthcare sector. Titled "Health Care Sector Cybersecurity," this strategy delineates 20 Cybersecurity Performance Goals (CPGs), providing detailed guidelines for healthcare systems to fortify their defenses. Building upon existing initiatives such as the creation of the "wall of shame" and tailored training, this strategy represents a concerted effort to mitigate cyber vulnerabilities within the healthcare industry. By outlining clear expectations and performance goals, the plan aims to equip healthcare systems with the necessary tools to fight against cybercrime.

Patients Sue Ernest Health After Data Breach of 94,747 Exposed


Ernest Health, a US-based healthcare system, faces lawsuits after a cyberattack compromised the data of around 94,747 patients. The Ernest Health data breach, detected on February 1, 2024, involved unauthorized access to its networks from January 16 to February 4, 2024. The LockBit ransomware group claimed responsibility and threatened to release stolen information, including patient names, contact details, health data, and Social Security numbers. LockBit, notorious for its ransomware-as-a-service operations, reemerged online mere days after a global police crackdown aimed to capture its operation.

Following this Ernest Health cyberattack, the healthcare provider was compelled to file a notice of data breach with the Attorney General of Massachusetts upon discovering unauthorized access to its IT network, including the networks of its hospitals. This breach led to the exposure of sensitive patient information, encompassing details like names, Social Security numbers, addresses, medical records, and more.

Ernest Health Data Breach Turns Into Class Action Lawsuit

Following an extensive investigation, Ernest Health commenced a process of notifying affected individuals about the breach, ensuring transparency about the compromised data. In response to the Ernest Health data breach, plaintiffs Joe Lara and Laurie Cook have initiated a class-action lawsuit against Ernest Health. Alleging negligence in safeguarding highly sensitive data, the lawsuit highlights Ernest Health's failure to adequately train employees on cybersecurity measures and maintain sufficient security protocols, leaving patient information vulnerable to cybercriminals.

The lawsuit, filed in the United States District Court, Northern District of Texas, contends that Ernest Health's actions not only breached its duty to protect patient data but also violated state and federal laws governing data protection and breach notifications. Plaintiffs Lara and Cook, representing the class of over one hundred current and former patients affected by the breach, argue that Ernest Health's delayed notification deprived them of the opportunity to mitigate potential damages promptly. The exposed information places them at risk of identity theft and other harms, necessitating legal recourse to address the Ernest Health data breach and its repercussions.

Decoding the Ernest Health Class Action Lawsuit 

The Ernest Health class action lawsuit outlines various causes of action, including negligence, negligence per se under the FTC Act and HIPAA, and breach of implied contract, emphasizing Ernest Health's failure to fulfill its obligations in protecting patient information and mitigating damages resulting from the breach. In seeking relief, the plaintiffs and class members are pursuing certification of the case as a class action, along with declaratory and equitable relief, damages, coverage for attorneys' fees and costs, and other appropriate remedies deemed necessary by the court.

With demands for a jury trial and a comprehensive legal strategy in place, the plaintiffs aim to hold Ernest Health accountable for its role in the data breach and secure justice for those affected by the cyberattack. As the case unfolds, the Ernest Health lawsuit highlights the growing threat posed by cyberattacks on healthcare institutions. In a similar case, the recent cyberattack on Change Healthcare is expected to result in expenses of $1.6 billion this year.

RansomHouse Allegedly Strikes Lopesan Hotels: 650GB Data Breach Unfolds

18 April 2024 at 00:32


The RansomHouse group allegedly added Lopesan Hotels to the list of victims on its extortion site, claiming that it had obtained 650GB of data concerning the hotel's revenue ($382.4M) and details about 408 employees. The group claims to have encrypted the data on March 22, 2024, while stating that the company is not interested in its confidential data being leaked on the internet.

The Lopesan Hotel Group is a family-owned group that began its activities in 1972 as a contractor for public construction projects. The hotel chain later scaled to become a multinational company, operating from its headquarters on Gran Canaria.

RansomHouse Group Shares Details on the Lopesan Hotels Cyberattack

The Cyber Express has reached out to the hotel group to learn more about this Lopesan Hotels cyberattack. However, at the time of writing, no official statement or response has been received, leaving the claims for this intrusion unverified.

Along with its claims of the cyberattack, the hacker group added that the hotel chain is failing to resolve the situation, stating, "Dear Lopesan Hotel Group, We are sure that you are not interested in your confidential data to be leaked or sold to a third party. We highly advise you to start resolving that situation." Moreover, RansomHouse shared a link to the downloadable data that does not require any password, making the data available to all users of the data leak site.

RansomHouse Group is Known to Target High-Value Targets

The ransomware gang that claimed this attack began as a ransomware-as-a-service operation that emerged in late 2021, with active attacks against the networks of large enterprises and high-value targets. RansomHouse initially targeted Italy, but later began targeting countries such as the United States and Spain. The group primarily targets the industrial and technology sectors and set up a victim extortion page in May 2022.

In the words of RansomHouse representatives, the group claims not to encrypt data and to be 'extortion only,' describing itself as a ‘force for good’ that intends to ‘shine a light’ on companies with poor security practices. The group has been observed accepting only Bitcoin payments.

The group's operations tend to be smaller and more sophisticated than those of some of the bigger contemporary ransomware groups. They are known to recruit members on prominent underground marketplaces and to use a Tor-based chat room for ransom negotiations. Since the group tends to conduct extortion-only attacks, its techniques tend to be stealthier and quicker, as no encryption process occurs and typical ransomware detection triggers are avoided.

RansomHouse Group Was Responsible for Massive Data Breaches

The RansomHouse group recently developed a new tool dubbed 'MrAgent' that targets VMware ESXi hypervisors, which are typically known to house valuable data. The group targeted several large organizations over the last year. Their campaigns include the theft of 450 GB of data from the semiconductor giant AMD, an attack disrupting the healthcare services of the Hospital Clínic de Barcelona in Spain, and an attack on Shoprite, Africa's largest supermarket chain.

The sophistication of the RansomHouse group's campaigns and the scale of their attacks demand heightened vigilance and proactive defense strategies to safeguard against similar breaches, despite the group's claims to be a positive force.

As for the Lopesan Hotels cyberattack, this is an ongoing story. The Cyber Express will be monitoring the situation and will update this post once more information is available on this alleged attack or any official confirmation from Lopesan Hotels.

Cannes Hospital Back to Basics: Pen and Paper Power Healthcare After Cyberattack


Cannes Simone Veil Hospital Center (CHC-SV) is grappling with the aftermath of a cyberattack that struck the hospital on April 16. The cyberattack on CHC-SV has thrust the hospital into a state of heightened alert as it navigates the complexities of ensuring uninterrupted patient care while contending with the fallout of compromised digital systems.

The response to the cyberattack has been swift and decisive by CHC-SV. The hospital's crisis unit wasted no time in implementing stringent measures, including a general cyber containment protocol that swiftly severed all computer access while ensuring telephony services remained operational. "All computer access was consequently cut off. Telephony continues to work," reads the official notice on the Cannes Simone Veil Hospital Center website.

Cyberattack on CHC-SV: Ongoing Investigations

Collaboration with expert partners such as ANSSI, Cert Santé, Orange CyberDéfense, and GHT06 has been instrumental in analyzing the cyberattack and formulating an effective response strategy. Despite the absence of ransom demands or identified data theft, investigations remain ongoing. "The cyberattack is currently being analyzed in conjunction with expert partners (ANSSI, Cert Santé, Orange CyberDéfense, GHT06). There have been no ransom demands or data theft identified at this stage. Investigations remain ongoing," the hospital informed.

In the wake of the CHC-SV cyberattack, hospital professionals have transitioned to so-called degraded procedures, relying on paper-based methods to maintain essential healthcare services. While these procedures are more time-consuming, they ensure that critical medical needs across various specialties, including emergencies, surgery, obstetrics, and pediatrics, continue to be met. "Hospital professionals have been applying so-called degraded procedures since Tuesday morning (using paper kits). These procedures are more time-consuming and examination delivery times are longer. Everything is done to guarantee the continuation of care in complete safety across all fields of activity (emergencies, medicine, surgery, obstetrics, geriatrics, pediatrics, psychiatry, home hospitalization, rehabilitation)," the notice reads further.

Regional Collaboration for Patient Care Optimization

The coordination efforts extend beyond the confines of CHC-SV, with the establishment collaborating closely with regional health agencies and partner hospitals to regulate patient flow and optimize utilization of healthcare resources. Despite the disruptions caused by the cyberattack on CHC-SV, emergency services remain active. The solidarity demonstrated by partner institutions, including CHU Nice, CH Grasse, CH Antibes, and private sector collaborators, has been invaluable in navigating this challenging period.

However, the impact of the cyberattack has been felt, with approximately a third of non-urgent interventions and consultations disrupted in the initial days following the incident. Efforts are underway to expedite the resumption of services, with the operating program expected to reach 90% capacity in the coming days.

Importantly, CHC-SV's proactive approach to cybersecurity, including regular risk assessments and preparedness exercises, has ensured a swift and coordinated response to the cyberattack. Priority is being given to restoring IT systems directly linked to patient care processes, emphasizing the hospital's commitment to maintaining the highest standards of healthcare delivery. The road to recovery, however, remains fraught with uncertainties, as technical investigations and necessary catch-up efforts are anticipated to prolong the return to normalcy. Drawing from the experiences of other healthcare institutions that have faced similar challenges, CHC-SV is bracing for a protracted recovery process.

Furthermore, the recent cyberattack on Change Healthcare in the United States highlights the pervasive nature of cyber threats in the healthcare sector. With disruptions reverberating across the country, the incident underlines the urgent need for enhanced cybersecurity measures to fortify healthcare systems worldwide. In response to the cyberattack on Change Healthcare, UnitedHealth Group has mobilized substantial financial support to mitigate the impact on healthcare providers, highlighting the far-reaching consequences of cyber incidents in the healthcare ecosystem.

Against the backdrop of a global healthcare landscape increasingly vulnerable to cyber threats, the incident at CHC-SV serves as a poignant reminder of the critical importance of cybersecurity in safeguarding patient welfare.

Cyberattack Disables Ukrainian Broadcaster 1+1 Media, Affecting 39 Channels


One of Ukraine's major media conglomerates, 1+1 Media, reported a debilitating cyberattack targeting its satellite TV channels. In a statement released on Wednesday regarding the cyberattack on 1+1 Media, the media giant revealed that 39 channels, including some of its flagship networks, were rendered inaccessible, marking a significant blow to the country's media infrastructure.

According to the officials, the cyberattack on 1+1 Media, which occurred in parallel with heightened tensions in the region, particularly the "cynical attack" on peaceful Chernihiv, saw deliberate attempts to disrupt satellite communications on the Astra 4A 11766 H transponder. This transponder hosts the broadcasts of 39 TV channels, including those operated by Vlasna and partner channels under the 1+1 Media umbrella such as 1+1 Ukraine, 1+1 Marathon, 2+2, TET, PLUSPLUS, Bigudi, KVARTAL TV, among others. Consequently, the affected channels experienced temporary slowdowns as efforts to rectify the issue were underway.

Suspected Russian Involvement in Cyberattack on 1+1 Media

1+1 Media's official notice suggested strong indications of the involvement of the Russian Federation in the cyberattack. The Ukrainian media house pointed to Russia's alleged active jamming of satellite signals belonging to Ukrainian TV channels on the Astra 4A and Hotbird 13E satellites, both operated by European telecommunications companies SES and Eutelsat. This cyberattack on 1+1 Media marks a concerning escalation in Russia's ongoing efforts to disrupt Ukrainian media and sow disinformation.

The backdrop to this latest 1+1 Media cyberattack is the broader context of cyber warfare and propaganda tactics employed amidst the conflict between Ukraine and Russia. Notably, in February 2024, Ukraine experienced a larger-scale implementation of its TV program on the Astra 4A satellite, which faced immediate challenges due to Russian interference. This pattern highlights Russia's strategic aim to undermine Ukrainian sovereignty and manipulate public perception, particularly in regions adjacent to the conflict zones.

In response to the cyberattack, Ukrainian media outlets issued calls for heightened vigilance and information hygiene among citizens. The dissemination of accurate information amidst a barrage of disinformation campaigns becomes increasingly crucial in safeguarding national stability and countering hostile narratives. Recommendations were made for alternative means of accessing TV signals, including T2, cable, OTT, and internet-based platforms, to mitigate the impact of future attacks on satellite broadcasts.

Persistent Threat Amidst Allegations

This incident adds to a series of cyber assaults that Ukraine has endured since Russia's full-scale invasion in February 2022. Kyiv has consistently pointed fingers at Moscow for orchestrating these attacks, accusing Russia of employing cyber warfare as a tool to destabilize the country. Despite repeated allegations, Russian authorities have remained silent on the matter, declining to address accusations of involvement in cyber offensives against Ukraine.

Among the affected media outlets, Ukraine's 24 Channel also reported disruptions to its satellite broadcast, attributing the incident to hackers launching propaganda campaigns. Despite efforts to restore the signal, the channel encountered persistent attacks, highlighting the relentless nature of cyber threats faced by Ukrainian media organizations.

As Ukraine grapples with the multifaceted challenges posed by cyber warfare, the latest assault on its media infrastructure underlines the urgent need for international collaboration in combating cyber threats and safeguarding the integrity of democratic institutions.

Caught in the Crossfire: Jordan’s Cyber Defenses Tested Amid Israel-Iran Clashes


Amidst the complexities of the Israel-Iran conflict, the Middle East is witnessing another form of strife: cyber warfare. Jordan finds itself at the forefront of this battle, facing a barrage of alleged cyberattacks orchestrated by various hacktivist groups. The BlackMaskers Team has emerged as a prominent threat, claiming cyberattacks on Jordan that target crucial Jordanian entities, ranging from the stock exchange to private sector enterprises. The ongoing cyberattacks come amid recent reports of Jordan supporting Israel against Iran in the ongoing war. The BlackMaskers Team proclaimed their actions, declaring Jordan their prime target.

Image: Cyberattacks on Jordan (source: X)

Their assaults on Jordanian websites and subsequent data breaches have sparked concern, amplifying the vulnerability of national infrastructure and private companies alike.

Cyberattacks on Jordan Amidst Public Outrage

Image: Cyberattacks on Jordan (source: X)

Jordanian authorities are dealing with reports of cyberattacks while also facing public criticism for their decision to support Israel against Iran. The organizations suspected to be affected include the Jordan Stock Exchange and the Jordanian Water Company Yarmook.

Image: Cyberattacks on Jordan (source: X)

The gravity of the Jordan cyberattacks was highlighted when the hacker group threatened to leak sensitive information pertaining to more Jordanian companies. This warning, coupled with the release of sample documents, further exacerbated the situation in the country. Amidst the chaos, the cyber assailants remain elusive, evading detection as they exploit vulnerabilities in Jordanian organizations. The leaked sample data allegedly comprises sensitive documents and information, including financial auditing reports for companies like Jordan Steel, insights into Jordan's alleged assistance to Israel against Iranian threats, and documents from other Jordanian entities.

The Cyber Express has reached out to the listed victims to learn more about these cyberattacks on Jordan. However, at the time of writing, no official statement or response has been received, leaving the claims made by the threat actor unverified.

Jordanians Display Insurgency Against the Government 

The ramifications extend beyond Jordan's borders, intersecting with the broader geopolitical setup of the region. Reports of Jordan's assistance to Israel in countering Iranian threats have triggered uproar and dissent within the country, where the local public feels betrayed by its government. The fallout from these events reverberates across social media platforms, fueling speculation and resentment. Accusations of betrayal and collusion with Israel dominate online discourse, painting a portrait of disillusionment and discontent among Jordanians.

Jordan reportedly is experiencing public outrage for supporting Israel against an Iranian attack. Misinformation regarding the king's role is being circulated online. Many Jordanians feel betrayed by their government's stance, resulting in significant anger and protests against the alliance with Israel.

Amidst the chaos, Jordan's vulnerabilities are laid bare once again, as an unfamiliar hacker group claims cyberattacks on multiple organizations at once. This intrusion, though not confirmed, highlights the current situation in the Middle East, where hackers, governments, and the local public are taking sides while war disrupts the livelihood of ordinary citizens.

This is an ongoing story and The Cyber Express will be monitoring the situation. We’ll update this post once we have more information on the alleged cyberattacks on Jordan or any official confirmation from the listed organizations.

CISA, FBI, and ODNI Join Forces: Guidance Released to Secure Elections from Foreign Interference


In a concerted effort to fortify the integrity of America's democratic processes, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI) have jointly released a comprehensive guidance document.

Titled "Securing Election Infrastructure Against the Tactics of Foreign Malign Influence Operations," the comprehensive guidance document delineates the latest tactics employed by foreign adversaries to manipulate U.S. policies, decisions, and discourse, with a particular focus on election infrastructure vulnerabilities.

The guidance meticulously outlines prevalent tactics utilized in foreign malign influence operations, furnishing real-world examples and prescribing potential mitigations for stakeholders within the election infrastructure realm. While many of these tactics are not novel, the proliferation of generative artificial intelligence (AI) technology has significantly facilitated the creation and dissemination of persuasive malign content by adversaries.

Comprehensive Guidance Document: Commitment to Defending Democracy

Highlighting the paramount importance of safeguarding the electoral process, CISA Senior Advisor Cait Conley emphasized, "The elections process is the golden thread of American democracy, which is why our foreign adversaries deliberately target our elections infrastructure with their influence operations. Defending our democratic process is the responsibility of all of us." Conley reiterated CISA's unwavering commitment to equipping election officials and the American public with the necessary tools and knowledge to counter foreign influence and ensure the conduct of secure and transparent elections in 2024 and beyond.

Collaborative Vigilance and Action

Acting Assistant Director Joseph Rothrock of the FBI's Counterintelligence Division highlighted the collaborative approach in combating foreign malign influence, stating, “We are putting out this guide because our strategy in combatting this threat starts with awareness and collaboration. We will continue to relentlessly pursue bad actors looking to disrupt our election infrastructure.” Rothrock emphasized the FBI's relentless pursuit of perpetrators seeking to undermine the integrity of U.S. election infrastructure, stressing the importance of awareness and proactive measures in countering such threats.

ODNI Foreign Malign Influence Center Director Jessica Brandt elucidated on the evolving landscape of influence activities, characterizing them as a "whole-of-society challenge" for the Intelligence Community and broader governmental, industrial, and civil society stakeholders. Brandt emphasized the imperative for collective action to confront the normalization of malign influence activities, particularly in light of advancing technologies that exacerbate the threat landscape.

Response to the Russian Cyber Campaign

The issuance of the guidance follows proactive measures taken by CISA in response to a targeted Russian cyber campaign known as Midnight Blizzard. Orchestrated by state-sponsored Russian actors, the campaign aimed to infiltrate Microsoft corporate email accounts, raising concerns regarding potential access to correspondence with Federal Civilian Executive Branch (FCEB) agencies. In response, CISA swiftly issued Emergency Directive 24-02 to address and mitigate the threat posed by the Russian cyber campaign.

In the face of evolving cyber threats and foreign malign influence operations, the collaborative efforts of U.S. agencies highlight a proactive approach to defending the integrity of democratic processes and preserving public trust in electoral institutions.

Void Interactive Data Breach: Developer of Popular SWAT Team Game Suffers Source Code Leak

18 April 2024 at 06:11

Void Interactive breach

Void Interactive, the Ireland-based indie game developer behind Ready or Not, fell victim to a massive data breach, with over 4TB of data stolen consisting of over 2.1 million files in total. Ready or Not is a tactical first-person shooter set in a contemporary setting and built around SWAT team operations. While reports about the data breach have been circulating, no particular threat actor was named; the incident itself occurred in March 2024. Void Interactive confirmed the data breach to Insider Gaming while stating that “no user or staff-related information has been leaked, and our development assets and proprietary code remain intact.” In response to the breach, Void Interactive appears to be conducting an ongoing investigation to understand the full extent of the intrusion.

Void Interactive Data Breach Linked to TeamCity Cloud Vulnerabilities

The data was stated to include the entire Ready or Not PC source code. It also includes data from performance benchmark tests and development builds for console versions of Ready or Not, for the Xbox One, Xbox Series X|S, and PlayStation 5 platforms. Purported images of the PS4 build of the game running on a PlayStation 4 test kit were also revealed in the leak, as reported by Insider Gaming.

In another report from Kotaku, a representative from Void Interactive stated that the hack was a result of “critical vulnerabilities” present in TeamCity’s cloud service component for build management. The game developer added that the hackers obtained access to certain source code and screenshots involving an upcoming project. The Void Interactive spokesperson further claimed that no user-related data had been breached, as they 'do not capture any personal user information in the first place'. The developer again confirmed that some source code and directory information had been stolen as part of the attack. However, development assets and proprietary code were not part of the breach. Void Interactive described the attack as being 'limited to the TeamCity services interface.' The Cyber Express has reached out to Void Interactive requesting information about the ongoing investigation.

(Image: Void Interactive data breach. Source: d0nutleaks leak site claim)

(Image: Void Interactive data breach. Source: /u/DrinkMoreCodeMore's claim on the /r/ReadyOrNotGame subreddit)

While Kotaku and Insider Gaming seem to have refrained from directly naming the hacker group responsible, it is worth noting that around the time the incident was stated to have occurred, a Reddit user with the username "DrinkMoreCodeMore" claimed to have noticed the d0nutleaks ransomware group listing Void Interactive as a victim on its data leak site.

Data Breaches, Source-Code Leaks, and Hacks Plague Gaming Industry

(Image: Void Interactive data breach, game data breaches. Source: Shutterstock)

The gaming industry has been rife with data breach and hacking incidents affecting both prominent studios and smaller development teams. Last month in March, the Apex Legends North American Finals had been postponed after two professional players were hacked to give them 'aimbots' and 'wallhacks' mid-tournament.

In December 2023, prominent game developers Insomniac Games and Rockstar Games suffered massive data breach attacks. The Rhysida ransomware gang leaked 1.67 TB (1.3 million files) of data from Insomniac Games, while another group leaked two files, a 4 GB file and a 200 GB file, from Rockstar Games. The smaller file mostly contained code, while the bigger one contained 3D models and assets. The leaked data included data on at least 1,158 Rockstar employees.

The recent series of data breaches serves as a stark reminder that as developers continue to innovate and push boundaries in gaming, protecting intellectual property and sensitive data must remain a top priority in order to provide a secure environment for creators and players alike.

Asantee Games Acknowledges Security Flaw in Magic Rampage, Assures it’s Been Contained

Magic Rampage data breach

Millions of Magic Rampage players could be facing a potential security threat following a data breach that stemmed from a vulnerability in misconfigured cloud storage. Asantee Games, an independent game development company known for its commitment to quality, is the creative force behind popular titles like Magic Rampage, Magic Portals, Hit The Gator, and Bee Avenger. The Cyber Express has reached out to Asantee Games for clarification regarding the alleged Magic Rampage data breach. In response, the organization confirmed the existence of a vulnerability, stating that the flaw was "identified a few weeks ago and was promptly addressed within a few hours of its discovery".

Magic Rampage Data Breach Stemmed from a Vulnerability 

The Magic Rampage breach at Asantee Games appears to stem from a misconfiguration of MongoDB, a popular document-oriented database platform. This oversight left the company's data repository without password protection, rendering the organization's data publicly accessible for a short period of time. A spokesperson for Asantee Games confirmed that the vulnerability was identified and contained a few weeks ago.
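As an added illustration (not Asantee Games' or MongoDB's own configuration), here is a `mongod.conf` of the kind that reproduces the weakness described above, followed by a hardened version; the interface addresses, port and certificate path are assumptions.

```yaml
# Weak configuration (constructed example).
# There is no "security" section, so mongod accepts unauthenticated
# connections, and binding to 0.0.0.0 exposes the listener on every
# interface, including any public address the host has.
net:
  port: 27017            # assumed: the MongoDB default port
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb   # assumed path
---
# Hardened configuration (constructed example).
security:
  authorization: enabled     # every client must authenticate; roles limit what it can read or write
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5 # loopback plus one private application-network address (assumed)
  tls:
    mode: requireTLS         # encrypt traffic between the application and the database
    certificateKeyFile: /etc/ssl/mongodb.pem   # assumed path to the server certificate and key
storage:
  dbPath: /var/lib/mongodb
```

Enabling `authorization` only helps once an administrative user has been created, so create it (via the localhost exception) before restarting with the hardened file. A quick verification is to connect without credentials from another host: the connection should be refused by the firewall or bind restriction, and even a local unauthenticated client should be unable to list databases.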
In a statement shared with TCE, Asantee Games, stated that "our team took immediate action to secure our systems and further strengthen our database security to prevent such occurrences in the future. It is important to note that no other critical personal data was compromised. We do not store sensitive information such as names, birth dates, or addresses, hence minimizing the potential impact on our users."
Moreover, MongoDB itself acknowledged a security incident on December 13, 2023, indicating unauthorized access to certain corporate systems. Investigations subsequently revealed that the breach was the result of a successful phishing attack. Fortunately, it appears that the breach did not compromise data stored within MongoDB Atlas, the company's fully managed cloud database service. Nonetheless, the incident affected other organizations using MongoDB for operations. 

The MongoDB Data Breach and Cyberattacks on the Gaming Industry 

The MongoDB data breach was contained as the company activated its incident response plan; however, the repercussions of the breach are still visible on the market, with the latest example being the Magic Rampage data leak. Moreover, access to the Magic Rampage database was secured within a few hours. The leaked data, however, reportedly includes players' usernames, emails, device information, statistics, and admin credentials with encrypted passwords. Detailed logs reveal various categories of information, including prize counts, storage sizes, and timestamps, providing insights into the scope of the breach. However, the organization denies that any user data was compromised in this breach.

Furthermore, the gaming industry at large faces persistent threats from hackers and ransomware groups, as evidenced by the recent breach affecting Void Interactive, developers of Ready or Not. With over 4TB of data allegedly stolen, including millions of files, the incident highlights the ongoing challenges posed by cybersecurity vulnerabilities.

Frontier Hit by Cyberattack, Customer Data Potentially Exposed

Frontier Cyberattack

Frontier Communications, a prominent telecom provider in the United States, finds itself grappling with the aftermath of a recent cyberattack orchestrated by a nefarious cybercrime group. The cyberattack on Frontier Communications, which occurred on April 14, 2024, has thrown the company into disarray as it races to restore its compromised systems and reassure its millions of customers across 25 states.

The cyberattack on Frontier Communications, detected by the company's vigilant cybersecurity team, prompted the company to take swift action, partially shutting down affected systems to thwart further unauthorized access.

This proactive measure, while essential for containing the breach, resulted in operational disruptions, leaving many customers facing internet connection issues and encountering difficulties reaching support services.

Disclosure of Cyberattack on Frontier Communications

In a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on Thursday, Frontier Communications divulged the unsettling details of the breach. The cybercriminals managed to infiltrate portions of the company's information technology infrastructure, gaining access to sensitive personally identifiable information (PII). While the specifics of the compromised data remain undisclosed, concerns linger regarding the potential exposure of customer and employee information. Despite the severity of the cyberattack on Frontier Communications, the company assures stakeholders that it has successfully contained the incident and restored the core IT systems affected during the attack. However, the road to recovery has been fraught with challenges, as evidenced by ongoing technical issues plaguing the company's website.

Customer Conundrum: Support Snags and Communication Breakdowns

Customers attempting to access Frontier's online services are met with warnings of internal support technical difficulties, exacerbating frustrations amid the connectivity woes. Furthermore, reports have surfaced indicating that affected customers are experiencing prolonged internet outages, with support phone lines inundated with prerecorded messages instead of connecting to live operators. This breakdown in customer communication compounds the anxiety and uncertainty surrounding the situation, underscoring the urgency for Frontier to swiftly address the fallout from the cyberattack on Frontier Communications.

(Image: Cyberattack on Frontier Communications. Source: X)

(Image: Cyberattack on Frontier Communications. Source: X)

In response to the breach, Frontier has mobilized a comprehensive investigative effort, enlisting the expertise of cybersecurity specialists and promptly notifying law enforcement authorities. Despite these concerted efforts, a Frontier spokesperson remained unavailable for comment when contacted by The Cyber Express Team, leaving concerned consumers clamoring for reassurance and transparency from the embattled telecom provider.

Amid the chaos and disruption wrought by the cyberattack, Frontier remains steadfast in its commitment to safeguarding customer data and restoring normal business operations. While the company maintains that the incident is unlikely to have a significant impact on its financial standing, the full extent of the breach's ramifications is yet to be fully realized. As stakeholders await further updates from Frontier, the telecom giant faces a critical test of resilience and accountability in the wake of these brazen cyberattacks. Only time will tell whether Frontier can emerge from this trial stronger and more fortified against future threats or if lingering doubts and repercussions will continue to cast a shadow over its operations.

HelloKitty Ransomware Takes on New Identity as HelloGookie: A Closer Look at Cyber Adaptability

HelloKitty Ransomware

The notorious HelloKitty ransomware has rebranded itself as HelloGookie ransomware. This transformation is accompanied by strategic maneuvers and community engagement that shed light on the adaptability and agility of this ransomware operator. This rebranding comes with more than just a change in name; it signifies a shift in tactics and possibly a response to the competitive environment within the cybercriminal community. HelloGookie's emergence was accompanied by the release of decryption keys and the establishment of a new blog, signaling a proactive approach to engaging with potential victims.

HelloKitty Ransomware Rebranded to HelloGookie Ransomware

(Image: HelloGookie. Source: 3xp0rt on X)

Behind the scenes, the creator behind HelloGookie, known simply as Gookee/Gookie, has made strategic overtures to the LockBit ransomware group. This gesture, while seemingly diplomatic, hints at a desire to avoid direct competition and potentially collaborate for mutual benefit. Such an alliance highlights the collaborative nature of ransomware groups, where operators navigate a fine line between cooperation and rivalry. Moreover, Gookie's successful reclamation of their account on the Exploit forum restores a standing the group has built up there over the years.

(Image: HelloGookie ransomware group. Source: 3xp0rt on X)

The forum serves as a hub for cybercriminal activity, facilitating discussions, collaboration, and the exchange of tools and techniques. Gookie's return to the forum also represents a resurgence in their activities and potentially newly added victims.

Forum Conversations Reveal HelloGookie’s Plan

(Image: HelloKitty Ransomware. Source: 3xp0rt on X)

Forum conversations provide insights into HelloGookie's tactics and capabilities. Updates targeting both Linux and Windows systems suggest a commitment to expanding its reach across diverse platforms. Additionally, calls for collaboration and the recruitment of individuals with access to high-value targets indicate a strategic shift towards more sophisticated and lucrative operations.

The HelloGookie website further highlights the ransomware's impact, listing new victims and showcasing the breadth of its reach. From prominent organizations like CD PROJEKT to industry giants like CISCO, the ransomware group has started expanding its reach to various sectors. The passwords for leaked encrypted source code archives, including Witcher 3 and Thronebreaker, previously priced at $10k each, are also available on the new data leak site. The publication of private keys adds another layer of complexity: the threat actor is openly sharing private keys on its blog, opening new levels of threat for the affected parties.

The original HelloKitty ransomware group was identified in 2020, specializing in infiltrating networks, encrypting data, and demanding ransoms. It targets organizations with sensitive data, posing a serious threat to businesses. Now, the threat is bigger and more capable, going beyond mere encryption and extortion.

China’s Hidden Threat: Hackers in U.S. Systems Since 2011, FBI Warns

FBI Warns on China

FBI Director Christopher Wray issued a warning on April 18, alerting national security and intelligence experts, as well as students, about the imminent risks posed by the government of China to U.S. national and economic security.

Speaking at the Vanderbilt Summit on Modern Conflict and Emerging Threats in Nashville, Wray emphasized that the threat extends to critical infrastructure within the United States, presenting a formidable challenge to the nation's resilience.

Comprehensive Threat Landscape: The CCP's Hybrid Approach

Wray delineated the multifaceted threat posed by the Chinese Communist Party (CCP), characterizing it as a hybrid challenge encompassing crime, counterintelligence, and cybersecurity. The FBI, he noted, is engaged in combating this threat across all three domains, leveraging resources and expertise to thwart China's ambitions.

"The overall threat from the Chinese Communist Party (CCP) is a hybrid one that involves crime, counterintelligence, and cybersecurity—and which the FBI is countering with resources from all three missional spheres," Wray said.

Central to China's agenda, Wray asserted, is its relentless pursuit of economic dominance, driven by aspirations for wealth and power. The CCP's modus operandi involves the theft of intellectual property, technology, and research across diverse sectors of the U.S. economy. This aggressive posture underscores China's determination to secure strategic advantages, even at the expense of fair competition.

Strategic Maneuvers: Cyber Intrusions and Future Crisis Mitigation

Beyond economic motives, Wray highlighted China's strategic imperatives, including its efforts to preemptively neutralize potential obstacles to its geopolitical ambitions. Notably, he referenced China's aim to diminish U.S. influence in a potential crisis involving Taiwan by 2027. The ripple effects of China's aggressive cyber intrusions and criminal activities are already being felt, with implications for U.S. cybersecurity and national security strategies. Wray further highlighted the urgency of proactive measures in preparing for future confrontations with China, emphasizing the pivotal role of budgets currently under consideration in shaping the nation's readiness. Partnerships with the private sector and academia, he asserted, constitute indispensable assets in countering the evolving threat landscape posed by China.

The Specter of Critical Infrastructure Vulnerability

Expressing grave concern over the vulnerability of U.S. critical infrastructure, Wray highlighted the CCP's relentless targeting of essential sectors such as water treatment facilities, energy grids, transportation, and information technology. The sheer scope and intensity of China's hacking program pose an existential threat, empowering China to potentially wreak havoc on critical infrastructure at its discretion.

“The fact is, the PRC’s targeting of our critical infrastructure is both broad and unrelenting,” he said. And, he added, the immense size—and expanding nature—of the CCP’s hacking program isn’t just aimed at stealing American intellectual property. “It’s using that mass, those numbers, to give itself the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” he said.

This risk isn’t new. “CCP-sponsored cyber actors ‘prepositioned’ themselves to potentially mount cyber offenses against American energy companies in 2011—targeting 23 different pipeline operators,” he added.

Drawing from operational insights, Wray illuminated China's cyber tactics, citing past incidents as harbingers of its malicious intent. From prepositioning cyber assets to mounting indiscriminate cyber campaigns, China's actions highlight its determination to undermine U.S. national security and economic resilience.

Collaborative Responses: FBI Led Operations and Joint Initiatives

In combating the China threat, Wray emphasized the significance of collaborative responses, leveraging joint, sequenced operations alongside partners in government and industry. Through information sharing, technical expertise, and coordinated law enforcement actions, the FBI endeavors to disrupt and deter China's malign activities.

Encouraging active engagement from the private sector and academia, Wray stressed the imperative of collective vigilance and resilience. By fortifying networks, enhancing resiliency planning, and fostering transparency in supply chains, partners can contribute to safeguarding vital networks and mitigating the risk posed by China's predatory tactics.

As the United States confronts the formidable challenge posed by China, Wray reaffirmed the FBI's commitment to fostering robust partnerships and promoting strategic preparedness. By heeding the warning signs and embracing collaborative strategies, the nation can navigate the evolving threat landscape with resolve and resilience.

Bill Dunnion Appointed as New CISO of Mitel to Lead Security Enhancements

Bill Dunnion

Mitel, a leading provider of business communications solutions worldwide, has announced the appointment of Bill Dunnion as its new Chief Information Security Officer (CISO).

In his new role, Dunnion will spearhead Mitel’s information security strategy, oversee security architecture, and ensure compliance with security standards. His responsibilities also include assessing, developing, and implementing industry best practices for security across the organization.

Bill Dunnion Expertise and Experience

Bringing over two decades of progressive experience across various industries, Dunnion boasts a comprehensive understanding of IT, cybersecurity, and risk management. His expertise encompasses cybersecurity trends, adherence to security standards and frameworks, as well as emerging business risks.

Mitel's Chief Information Officer, Jamshid Rezaei, emphasized the critical importance of security in today's digital landscape. Rezaei highlighted that in an era where secure, reliable, and compliant digital tools are paramount, Dunnion's leadership and experience in implementing cybersecurity policies and procedures will greatly benefit Mitel. “In today's world, providing secure, reliable, and compliant digital tools, including communications and collaboration solutions, for our employees, partners, and customers is more crucial than ever. Bill’s proven leadership, combined with his considerable experience in implementing and operationalizing cybersecurity policies and procedures, is a great asset for Mitel," said Rezaei.

Expressing his enthusiasm for his new role, Dunnion highlighted the ever-evolving nature of security threats faced by businesses today. He stressed the necessity for organizations to adopt agile solutions that prioritize the confidentiality, residency, and protection of critical data. Dunnion expressed his eagerness to collaborate with the combined Mitel and Unify teams to develop a cohesive and comprehensive security program for all stakeholders. "After 25 years, I am very excited to be returning to Mitel where the people are as amazing as I remember. The company's continued growth and 51-year legacy are incredible testaments to the leadership and employee commitment to excellence. I am looking forward to helping the excellent security team manage and mature the security program at Mitel," reads Dunnion's LinkedIn post.

Bill Dunnion's Professional Journey

Prior to joining Mitel, Dunnion held notable IT and cybersecurity leadership positions at esteemed organizations such as Calian Ltd, 2Keys Security Solutions, and Bell Canada. In his most recent role as Senior Director of Corporate Cybersecurity at Calian, he played a pivotal role in developing, implementing, and operationalizing the company's cybersecurity program. Dunnion ensured alignment with industry standards such as NIST, ISO, and SOC2, demonstrating his commitment to enhanced cybersecurity practices. Dunnion holds a degree in mechanical engineering from Queen's University in Kingston, Ontario, and actively contributes to the cybersecurity community as the volunteer chair of the Canadian Cyber Forum in Ottawa.

Akira Ransomware Group Amasses $42 Million from Over 250 Global Attacks, FBI Warns

Akira ransomware group

The Akira ransomware group has been identified as the culprit behind a series of cyberattacks targeting businesses and critical infrastructure entities across North America, Europe, and Australia. According to the latest advisory by the U.S. Federal Bureau of Investigation (FBI), since March 2023, the Akira ransomware group has successfully breached over 250 organizations, amassing a staggering $42 million in ransomware payments. Initially focusing on Windows systems, Akira's tactics have recently expanded to include Linux variants, intensifying concerns among global cybersecurity agencies. The FBI, in collaboration with key players such as the Cybersecurity and Infrastructure Security Agency (CISA), Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), has issued a joint advisory on Akira ransomware to raise awareness and disseminate crucial threat information.

The Hidden Modus Operandi of the Akira Ransomware Group

The FBI described the modus operandi of the Akira ransomware group, which involves a multi-faceted approach to infiltrating and compromising targeted organizations. Leveraging vulnerabilities in Cisco systems, particularly CVE-2020-3259 and CVE-2023-20269, Akira actors exploit weaknesses in virtual private networks (VPNs) lacking multifactor authentication (MFA), alongside other entry points such as Remote Desktop Protocol (RDP) and spear phishing.

Once inside the network, Akira operatives establish persistence by creating new domain accounts and employ post-exploitation techniques such as credential scraping with tools like Mimikatz and LaZagne. This enables them to escalate privileges and move through the network undetected, using reconnaissance tools like SoftPerfect and Advanced IP Scanner to map out the infrastructure.

Moreover, the threat actor has evolved over the years and has been using multiple ransomware variants “against different system architectures within the same compromise event”. This differs from what was previously reported about Akira affiliates and their intrusion process. “Akira threat actors were first observed deploying the Windows-specific “Megazord” ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, “Akira_v2”)”, says the FBI.

Defense Evasion, Encryption and Mitigation

Apart from upgrades on its offensive side, the Akira ransomware group uses next-generation stealth to evade detection. The group, according to the FBI, has been deploying a variety of tactics, including disabling security software and deploying multiple ransomware variants simultaneously. The ransomware encryption process is sophisticated, employing a hybrid encryption scheme that combines the ChaCha20 stream cipher with the RSA public-key cryptosystem, tailored to file types and sizes. Encrypted files are marked with either a .akira or .powerranges extension, with the ransom note strategically placed in directories.

In response to the threat posed by Akira ransomware, cybersecurity authorities like CISA advocate proactive measures to mitigate risks and enhance organizational resilience. Recommendations include implementing multifactor authentication, maintaining up-to-date software patches, segmenting networks, and employing robust endpoint detection and response (EDR) tools. Furthermore, organizations are advised to conduct regular audits of user accounts, disable unused ports, and enforce the principle of least privilege to limit unauthorized access. Backup strategies should include offline, encrypted backups covering the entire data infrastructure, ensuring rapid recovery in the event of a ransomware attack.

US Atlantic Fisheries Commission Goes Offline: Ransomware Attack or Routine Maintenance?

19 April 2024 at 08:44

8base hack, U.S. Atlantic States Marine Fisheries Commission

The ransomware gang 8Base might have been responsible for an attack on the Atlantic States Marine Fisheries Commission (ASMFC) in the United States that caused its systems to go down temporarily. This development has raised concerns, given the ASMFC's pivotal role in overseeing fisheries along the Atlantic seaboard, after the commission's email system was temporarily down. Established 80 years ago, the fishery organization states on its site that its mission is 'to promote the better utilization of the fisheries, marine, shell and anadromous, of the Atlantic seaboard by the development of a joint program for the promotion and protection of such fisheries, and by the prevention of physical waste of the fisheries from any cause.' The 8Base ransomware group listed the organization as a victim on its leak site and claimed to have stolen several pieces of critical data. However, the authenticity of these claims is still in question, given that the commission has not shared any update regarding a cyberattack or intrusion.

Atlantic States Marine Fisheries Commission: Officials were Given a Four-Day Deadline

(Image source: Shutterstock)

On April 15th, the 8Base ransomware group asserted on its official leak site that it had obtained information such as personal data, invoices, receipts, accounting documents and certificates. The group gave the organization a deadline of four days to pay the ransom, warning that if the ransom was not paid by April 19th, they would release the data. Of particular concern is the extent of the alleged data breach, given the nature of the data stored on the ASMFC's website, which includes confidential information on fishery management, nearshore fish species, habitat conservation efforts and law enforcement initiatives.

For a while, the commission's official website displayed a notice instructing users to use a different address and phone number temporarily while its official services remained down. While its email services seem to have been restored, as the notice is no longer displayed, it is uncertain whether the disruption was due to the alleged attack, a routine maintenance effort, or something else.

(Image: U.S. Atlantic States Marine Fisheries Commission hacked. Source: Archived copy of the official site (asmfc.org) displaying the earlier notice.)

The Cyber Express reached out to the ASMFC for further details and confirmation regarding the ransomware gang's claims, but had not received a response at the time of writing this report.

8Base Ransomware Group Shares Similarity with Other Groups

The ransomware group that claimed this cyberattack has been a notorious threat actor on the dark web, sharing similarities with other threat actors of comparable prowess. In 2023, researchers from VMware reported that they had discovered significant similarities between the operations of 8Base and RansomHouse. These included a 99% match between the two groups' ransom notes, as well as similar wording on the welcome, terms of service and FAQ pages of their leak sites. Other similarities were noted between 8Base and the Phobos threat actor group, raising questions about the relationships between these groups and the degree of collaboration or independence between them.

Beyond what appears to be a possible cyberattack on the Atlantic States Marine Fisheries Commission (ASMFC), the water sector saw many cyberattacks in 2023. In September 2023, another joint U.S.-Canada water body, the International Joint Commission, was hacked by NoEscape. The group had stolen and encrypted similar confidential data, including contracts, legal documents, personal details of employees and members, and financial and insurance information. These incidents highlight the need for robust security measures within organizations responsible for managing vital resources and essential sectors.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

TCE Cyberwatch: A Look at This Week’s Top Cybersecurity Incidents

By: Editorial
20 April 2024 at 00:30


The digital landscape continues to be a battleground, with cyber threats evolving and attackers targeting an ever-wider range of victims. This week's TCE Cyberwatch roundup highlights a surge in attacks against governments and national security infrastructure, alongside various other cybersecurity incidents. From a critical vulnerability in firewalls to a data breach impacting the United Nations, this week serves as a reminder of the constant vigilance required in the face of cyberattacks. Let's delve into the details to learn more about these incidents.

TCE Cyberwatch: Weekly Round-Up

Palo Alto Warns: Critical Firewall Flaw Could Lead to Cyberattacks

A new vulnerability, named "Kaby Lake," was found in the firewall devices of cybersecurity firm Palo Alto Networks, potentially exposing them to cyber threats. Specifically, it affects devices running PAN-OS, the operating system Palo Alto Networks produces for and uses in its firewalls. The vulnerability, which allows attackers to execute arbitrary code on affected devices, has no patch released yet, and customers are currently being provided with temporary fixes. Users are advised to stay informed about security updates from Palo Alto Networks and take the necessary precautions to mitigate the risk.

HTW Halts Work to Recover From Data Breach 

Herron Todd White (HTW), an Australian valuation firm, is currently dealing with the aftermath of an alleged data breach, which has caused a pause in new work. Major banks that work with HTW on property-related assessments have taken precautionary measures as well. National Australia Bank and Commonwealth Bank have suspended HTW from any further commercial and agricultural valuation work because of the breach, but still allow residential valuations that are unaffected by it. Whether the incident was a malicious attack or a security lapse within HTW's infrastructure remains uncertain. Australia has become vigilant against cyberattacks after recurring incidents and now requires organizations to report to the Australian Cyber Security Centre (ACSC) within 12 hours of an attack.

Cyberattack Disrupts French Municipal Governments, Investigation Underway

Multiple French municipal governments recently experienced a cyberattack that disrupted their operations. Attributed to a group identified as the "Shadow Kill Hackers," the attack targeted numerous municipalities throughout France. Exploiting vulnerabilities in the municipalities' computer systems, the attackers gained unauthorized access and disrupted essential services, including email and administrative functions. The motive behind the attack remains unclear, prompting French authorities, including the National Agency for the Security of Information Systems (ANSSI), to launch an investigation and begin restoring the affected systems.

Cisco Duo Data Breach Exposes User Information

Cisco's Duo security product recently suffered a breach that exposed information related to multi-factor authentication (MFA). The breach, facilitated by a phishing attack conducted through SMS and VoIP, targeted employee details and impacted Duo's MFA service. As a result, usernames, email addresses, and MFA device information were potentially compromised. However, Cisco has reassured users that sensitive information such as passwords and authentication methods remained secure. In response to the incident, Cisco promptly notified affected users and implemented the necessary security measures to prevent future breaches. Nevertheless, users are advised to remain vigilant and monitor their accounts for any signs of suspicious activity.

Ransomware Attack Targets UNDP, Stealing HR Data

The United Nations Development Programme (UNDP) recently experienced a cyberattack resulting in the breach of human resources (HR) data. The attack compromised the personal information of current and former employees at a branch in Denmark, including staff contracts and internal documents. UNDP issued a notice acknowledging that it had received a threat intelligence notification indicating that a data extortion actor had stolen certain human resources and procurement information. Taking swift action, UNDP promptly implemented the necessary precautions and is currently conducting a comprehensive assessment to determine the nature and extent of the cyberattack.

UnitedHealth Takes $1.6 Billion Hit from Change Healthcare Cyberattack

UnitedHealth Group, one of the largest healthcare companies in the U.S., recently issued a warning about a cyberattack that resulted in a potential financial impact of $1.6 billion. The attack, targeting Change Healthcare, led to disruptions in payments to doctors and healthcare facilities nationwide, and for a month adversely affected community health centers serving over 30 million impoverished and uninsured patients. UnitedHealth estimates that the hack will reduce profits by $1.15 to $1.35 per share this year but emphasizes that the impact is not as severe as initially anticipated. While the company has not yet disclosed the extent of the personal data breached in the attack, federal law mandates that it do so within 60 days.

Cyberattack Cripples Ukrainian Media Giant 1+1 Media

1+1 Media, a prominent media conglomerate in Ukraine, recently experienced a severe cyberattack targeting its satellite TV channels. In a statement released on Wednesday addressing the cyber assault, the media giant disclosed that 39 channels, including some of its flagship networks, became inaccessible, dealing a significant blow to the country's media infrastructure.

Officials stated that the cyberattack on 1+1 Media coincided with escalated tensions in the region, notably the "cynical attack" on the peaceful city of Chernihiv. The attack involved deliberate efforts to disrupt satellite communications on the Astra 4A 11766 H transponder.

Trust Wallet Warns of $2 Million iMessage Exploit

Trust Wallet, a prominent provider of cryptocurrency wallets, has issued a cautionary notice to Apple users concerning a potential vulnerability in iMessage. The alert arises from reliable information suggesting the existence of a zero-day exploit within the iOS iMessage platform, which is reportedly being sold on the dark web for an exorbitant $2 million.

As per Trust Wallet, this zero-day exploit in iMessage poses a significant risk because it enables hackers to take control of iPhones without any interaction from the device user. Unlike conventional exploits that require clicking on malicious links or downloading infected files, this exploit operates seamlessly, posing a particularly serious threat to high-profile targets.

BreachForums Breached! Rival Hackers Claim User Data

The primary website of the infamous BreachForums, a forum known for data leaks and hacking activities, has been shut down by competing threat actors. The group of threat actors known as R00TK1T, in collaboration with the pro-Russian Cyber Army of Russia, declared that they had breached user data subsequent to the takedown of BreachForums.

Additionally, the hackers behind the BreachForums attack asserted their intention to release a roster containing user details, IP addresses, and email addresses from the forum. Despite the assault, the TOR version of the website remains functional.

Benjamin Ambrose Appointed as CISO at NPCI

Benjamin Ambrose has been appointed as the Chief Information Security Officer (CISO) at the National Payments Corporation of India (NPCI), marking a strategic move aimed at bolstering cybersecurity measures in India's rapidly evolving digital payments sector.

Bringing with him extensive experience gained from notable roles at AWS and Citi, Ambrose offers a seasoned perspective to NPCI's cybersecurity initiatives.

Wrap Up

This week's TCE Cyberwatch roundup paints a sobering picture of the ever-evolving cyber threat landscape. From critical infrastructure vulnerabilities to attacks on international organizations and healthcare providers, no entity seems immune.

However, amidst this complexity, there's a crucial takeaway: vigilance is key. By staying informed about the latest threats, implementing robust security practices, and fostering a culture of cybersecurity awareness, we can all play a vital role in mitigating these risks.

TCE remains committed to keeping you informed about the latest developments in the cybersecurity world. We encourage you to stay tuned for future updates and actively participate in building a more secure digital future.

TransparentTribe: The Elusive Threat Targeting India’s Defense Sector


TransparentTribe is an Advanced Persistent Threat (APT) group with a large appetite for targeting Indian government organizations, military personnel, and defense contractors. The threat actor recently came into the spotlight and was seen leveraging the notorious Crimson RAT (Remote Access Trojan), among other sophisticated tools and tactics.

(Image: Crimson RAT and other tools. Source: Cyble)

The threat actor's modus operandi is as complex as its name: it starts by gathering sensitive information, conducts cyber espionage, and compromises the security of its targets. The group is adept at exploiting various platforms, from Windows to Android, often masquerading as legitimate government entities or organizations through fake websites and documents. These deceptive maneuvers aim to trick unsuspecting users into sharing credentials or unwittingly downloading malware onto their systems.

Decoding the New Threat Actor: TransparentTribe

According to the Cyble Vision Threat Library, TransparentTribe, also known as APT 36 or Project Mythic Leopard, has been active, with its last sighting dated April 1, 2023. Its activities extend beyond traditional cyber espionage, with recent investigations uncovering connections to watering hole sites focused on Indian military personnel.

(Image: TransparentTribe. Source: Cyble Vision Threat Library)

Moreover, TransparentTribe's reach spans borders, with primary targets including India and Afghanistan, along with various other nations such as Australia, Japan, and the USA. Its relentless pursuit of sensitive information knows no bounds, targeting sectors ranging from defense to education and governmental organizations.

(Image: TransparentTribe. Source: Cyble Vision)

Operating out of Pakistan, TransparentTribe poses a significant threat to national security, employing aliases like Green Havildar and APT-C-56. Suspected ties with other APT groups like SideCopy and SideWinder further underscore the complexity of the threat landscape.

The Mechanics of TransparentTribe Hacker Group

(Image: Mechanics of TransparentTribe Hacker Group. Source: Cyble)

The lifecycle of TransparentTribe's attacks involves multiple infection vectors, including phishing emails, malvertising, and social engineering. The group's persistence is evident in its continuous monitoring of developments within targeted sectors, which it exploits as lures for its campaigns. Windows, Linux, and Android systems alike fall prey to TransparentTribe's tactics, with tailored approaches for each platform.

Exploiting vulnerabilities like CVE-2012-0158 and CVE-2010-3333, the group delivers its payloads, including a diverse range of RATs such as Crimson RAT, DarkComet, and QuasarRAT, each with its own capabilities and functionality. Its network activities are intricate, utilizing well-crafted phishing URLs and registering domains on servers associated with the Hostinger ASN. Moreover, the overlap in command and control (C&C) infrastructure and the use of platforms like Google Drive for hosting malware further complicate detection and mitigation efforts.

MITRE Hit in Massive Supply Chain Attack: State-Backed Hackers Exploit Zero-Days


The MITRE Corporation revealed on April 19 that it was one of over 1700 organizations compromised by a state-backed hacking group in January 2024. The MITRE data breach, which involved chaining two Ivanti VPN zero-days, highlights the evolving nature of cyber threats and the challenges organizations face in defending against them.

The MITRE data breach was detected after suspicious activity was noticed on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development.

(Image: MITRE Data Breach. Source: X)

MITRE Data Breach Discovery and Response

Following the detection, MITRE promptly took NERVE offline and launched an investigation with the assistance of both internal and external cybersecurity experts. "Following detection of the incident, MITRE took prompt action to contain the incident, including taking the NERVE environment offline, and quickly launched an investigation with the support of in-house and leading third-party experts. The investigation is ongoing, including to determine the scope of information that may be involved," reads the official notice.

MITRE CEO Jason Providakes emphasized that "no organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible." Providakes highlighted the importance of disclosing the incident in a timely manner to promote best practices and enhance enterprise security. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices,” said Providakes.

Charles Clancy, MITRE's Chief Technology Officer, provided additional insights, explaining that the threat actor compromised the Ivanti Connect Secure appliance used to provide connectivity into trusted networks. Clancy stressed the need for the industry to adopt more sophisticated cybersecurity solutions in response to increasingly advanced threats. MITRE outlined four key recommendations:
  1. Advance Secure by Design Principles: Hardware and software should be inherently secure.
  2. Operationalize Secure Supply Chains: Utilize software bill of materials to understand threats in upstream software systems.
  3. Deploy Zero Trust Architectures: Implement micro-segmentation of networks in addition to multi-factor authentication.
  4. Adopt Adversary Engagement: Make adversary engagement a routine part of cyber defense to provide detection and deterrence.
MITRE has a long history of contributing to cybersecurity research and development in the public interest. The organization has developed frameworks like ATT&CK®, Engage™, D3FEND™, and CALDERA™, which are used by the global cybersecurity community.

Details of the MITRE Data Breach

The MITRE data breach involved two zero-day vulnerabilities: an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887). Chained together, these vulnerabilities allowed threat actors to bypass multi-factor authentication defenses and move laterally through compromised networks using hijacked administrator accounts. The attackers used sophisticated webshells and backdoors to maintain access to hacked systems and harvest credentials.

Since early December, the vulnerabilities have been exploited to deploy multiple malware families for espionage purposes. Mandiant has attributed these attacks to an advanced persistent threat (APT) tracked as UNC5221, while Volexity has reported signs of Chinese state-sponsored actors exploiting the zero-days. Volexity discovered over 2,100 compromised Ivanti appliances, affecting organizations of various sizes globally, including Fortune 500 companies.

The scale and severity of the attacks prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive on January 19, instructing federal agencies to mitigate the Ivanti zero-days immediately. MITRE's disclosure serves as a reminder of the ongoing threat posed by cyber adversaries and the critical need for organizations to continually enhance their cybersecurity defenses.

Cyble Revolutionizes Cybersecurity with the Launch of AmIBreached 3.0: A Cutting-Edge Dark Web Search Engine

By: Editorial
20 April 2024 at 04:51


Atlanta, Georgia, April 20, 2024: Cyble, a leading force in AI-based cybersecurity, proudly unveils the relaunch of AmIBreached, marking a significant milestone in the realm of digital defense. AmIBreached 3.0, Cyble's dark web search engine, empowers consumers to detect, prioritize, and effectively mitigate dark web risks.

With cyber threats continuing to evolve in sophistication and scale, consumers and organizations face an ever-growing challenge to safeguard their digital assets. With the launch of AmIBreached 3.0, Cyble reinforces its commitment to providing cutting-edge tools that empower consumers to stay ahead of cyber adversaries.

"Today's cyber landscape demands continuous innovation to counter emerging threats effectively," noted Beenu Arora, Co-founder and CEO of Cyble. "The launch of AmIBreached 3.0 underscores our dedication to equipping consumers with the tools and insights they need to mitigate risks and fortify their defenses against cyber attacks," he added.

AmIBreached 3.0 stands as Cyble's most extensive dark web monitoring engine, boasting access to over 150,447,938,145 records sourced from a myriad of breaches, hacking forums, and indexed conversations. This vast repository of data enables organizations to gain unparalleled visibility into potential threats and vulnerabilities lurking in the dark corners of the internet.

Manish Chachada, Co-founder and COO of Cyble, commented: "By leveraging AmIBreached 3.0's advanced capabilities, consumers can proactively identify and neutralize cyber risks before they escalate into full-fledged security breaches."

With access to over 150 trillion records, AmIBreached 3.0 provides comprehensive coverage of the dark web, ensuring consumers and organizations have visibility into a vast array of potential threats. AmIBreached 3.0 offers real-time monitoring capabilities, enabling organizations to stay abreast of emerging cyber threats and take proactive measures to mitigate risks. The platform delivers actionable intelligence tailored to each organization's specific needs, empowering them to prioritize and address vulnerabilities effectively.

AmIBreached 3.0's launch marks a significant step forward in Cyble's mission to empower consumers and enterprises with the tools and insights they need to defend against cyber threats. By enabling businesses to proactively monitor the dark web for signs of compromised data, AmIBreached 3.0 plays a pivotal role in strengthening their cybersecurity posture and safeguarding their critical assets.

About Cyble: Cyble, a trailblazer in Cyber Threat Intelligence, is committed to democratizing Dark Web Threat Intelligence through advanced AI and Machine Learning solutions. Recognized as one of the most sought-after workplaces, Cyble’s culture fosters innovation, collaboration, and professional growth. With a proven track record in delivering cutting-edge research and proactive monitoring, Cyble stands at the forefront of the cybersecurity landscape. Headquartered in Atlanta, Georgia, and with a global presence spanning Australia, Malaysia, Singapore, Dubai, Saudi Arabia, and India, Cyble is the trusted authority empowering organizations to proactively combat evolving cyber threats.

Media Contact: Cyble Inc, enquiries@cyble.com, Ph: +1 678 379 3241

Enhancing Cybersecurity Resilience: A Guide for Safeguarding Enterprises

By: Editorial
21 April 2024 at 03:25


By Neelesh Kripalani, Chief Technology Officer, Clover Infotech

As businesses grapple with an ever-changing and increasingly hostile threat environment, the emergence of AI and machine learning technologies introduces fresh challenges to cybersecurity. While these technologies offer the potential to transform our security strategies, they also introduce new risks and vulnerabilities that need effective management. Here are some of the latest cyber threats that businesses need to be aware of:

Cyber Threats Businesses Need to be Aware of

Targeted Ransomware Attacks - This type of malware is designed to hold a victim’s information to ransom. The tactics involve denying users and system administrators access to individual files or even entire digital networks, followed by a “ransom note” demanding payment to regain access.

IoT Creates New Cybersecurity Threats - The Internet of Things (IoT) enables billions of physical devices around the globe to collect and share data over the Internet. This creates new cyber threats by expanding the attack surface with diverse and often inadequately secured devices. Common issues include default credentials, lack of regular updates, and data privacy concerns due to the extensive collection and transmission of sensitive information.

Deepfake and Synthetic Media Attacks - Such cyberattacks use AI to manipulate content, such as pictures, videos, or audio recordings, to deceive individuals or influence public opinion.

Credential Stuffing and Brute Force Attacks - Credential stuffing and brute force attacks involve automated attempts to gain unauthorized access to user accounts using stolen or guessed credentials.

Cybersecurity Best Practices

Here are some key strategies and best practices that businesses can implement to enhance their overall security posture:

Risk Assessment and Management - Conduct a comprehensive risk assessment to identify vulnerabilities and prioritize them based on potential impact. Implement risk mitigation strategies to address identified vulnerabilities and reduce the overall risk level.

Implement Strong Authentication and Access Control - Add an extra layer of security by requiring users to verify their identity through multiple factors, such as passwords, biometric data, and OTP. Additionally, role-based access control allows enterprises to restrict access to sensitive information and critical systems based on users’ roles and responsibilities.

Regular Software Updates and Patch Management - Regularly update and patch all software, operating systems, and firmware to address known vulnerabilities and reduce the risk of exploitation.

Implement Endpoint Security Measures - Deploy endpoint protection platforms and endpoint detection and response solutions to secure endpoints from malware attacks.

Implement Data Encryption and Privacy Measures - Encrypt sensitive data at rest and in transit to protect it from unauthorized access and data breaches.

Implement Security Awareness and Training Programs - Provide regular cybersecurity training and awareness programs to educate employees about cybersecurity best practices, phishing awareness, and the importance of strong passwords. Conduct periodic incident response training to prepare employees for potential security incidents and ensure a coordinated and effective response.

In the face of evolving cybersecurity threats, businesses must adopt enhanced strategies, including comprehensive risk assessment, strong authentication, regular updates, and employee training, to safeguard their assets and critical systems.
Proactive measures and a culture of cybersecurity awareness are essential to mitigate risks effectively, ensure compliance, and protect the organization's reputation and business continuity in an interconnected world. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything. 

Empowering Rapid Attack Path Analysis with Generative AI

By: Editorial
21 April 2024 at 05:45


By Nathan Wenzler, Chief Security Strategist, Tenable

India is ranked third globally among nations facing the most severe cyber threats, as per the World Economic Forum. However, despite this alarming statistic, there exists a significant disparity between the escalating volume of threats and the resources allocated to combat them. The cybersecurity sector is grappling with a colossal skills deficit, with a shortage of 4 million professionals worldwide. Even seasoned cybersecurity experts find it daunting to navigate and decipher the increasingly intricate landscape of modern cyber threats across the ever-widening attack surface due to limited resources.

Role of Generative AI in Enhancing Cybersecurity Strategy

In response to this challenge, organizations are turning towards generative AI to bridge the expertise gap and enhance their resilience against risks. A survey reveals that 44% of IT and cyber leaders express high levels of confidence in the capacity of generative AI to enhance their organization’s cybersecurity strategy.

Security teams are increasingly consumed by the arduous task of scrutinizing various attack vectors in their systems and analyzing the tactics, techniques, and procedures employed by potential threat actors. Often, they find themselves reacting to cyberattacks post-incident rather than proactively thwarting them, a strategy far from ideal for robust cybersecurity. Organizations in India must shift towards a proactive stance, actively pursuing and understanding threats to establish a robust line of defense.

The expanding attack surface, coupled with the rapid adoption of cloud services, virtualization platforms, microservices, applications, and code libraries, has added immense complexity to the security landscape. Organizations now must contend with vulnerabilities, cloud misconfigurations, and risks associated with identity access, groups, and permissions. Conventional attack path analysis tools offer insights into threat actor entry points, which assets are key targets, and what threats may exist, but this can demand painstaking manual effort to decipher the implications step by step. While attackers require just one entry point to infiltrate and laterally move within a system, defenders face the formidable task of analyzing the entire threat landscape all at once, identifying all potential attack paths, and implementing security measures in the places that can mitigate the most risk, especially when operating with limited staff.

Empowering Security Teams with Generative AI

Generative AI emerges as a potent solution to these challenges, empowering security teams by providing them with the perspective of attackers to map out potential threats and prioritize mitigation strategies based on criticality. By consolidating data from disparate sources, generative AI offers an easier way to understand the complexity of the attack surface, enabling organizations to more quickly assess exposures, prioritize actions, and visualize relationships across the entire attack surface. This means security teams can make risk decisions more quickly, leaving less time for an attacker to take advantage of an exposed asset and begin their assault on the organization.

Generative AI-powered attack path analysis amalgamates and distills insights from vulnerability management, cloud security, web application, and identity exposures, enabling organizations to comprehend their risk from the perspective of an attacker. This facilitates informed and targeted cyber defense strategies, allowing organizations to anticipate threats and fortify their defenses accordingly. Through succinct summaries and mitigation guidelines, generative AI equips security teams with a quicker and more efficient view of actionable insights, sparing them the tedious task of manually researching what the threats are and what the correct security controls should be, whether that’s identifying specific patches or version numbers or understanding how to correct unauthorized user access. Even team members with varying levels of expertise can draw actionable conclusions from generative AI, simplifying complex cyberattack paths and enabling effective threat mitigation.

In summary, generative AI supports a more comprehensive and proactive approach to cybersecurity, empowering organizations to understand and address potential threats quickly. By breaking free from the constraints of siloed security data, organizations can develop strategies to predict, prevent, and mitigate cyber risks effectively and faster than ever before.

Beyond 24/7: How Smart CISOs are Rethinking Threat Hunting

By: Editorial
21 April 2024 at 09:28


By Andrew Hural, VP of Managed Detection and Response, UnderDefense

Do you know how firefighters famously run to their stations and hop into their trucks every time an alarm rings? It is an iconic scene, and with that kind of response speed the odds of saving the day are in their favor. Now imagine 100 fire alarms going off and teams scrambling to manage their resources, only to find there is no fire. This is how a lot of security teams feel. With a new high-profile security incident in the headlines every other day, it is not surprising that these teams are trying to arm themselves with the best defenses, investing in tools that promise to make their lives easier and their assets more secure. Too often we see the opposite effect: the growing number of tools produces increasingly complex configurations and an increasing volume of noise and alerts that wear security teams down.

Why CISOs Are Rethinking Their Approach

To combat this, CISOs are rethinking their approach, as the model of 24/7 in-house threat hunting is no longer sustainable for many businesses. Instead, we see an increasing focus on value-driven security solutions that make their existing tools work better, harder and more harmoniously together. That means prioritizing tools that leverage telemetry, deliver actionable insights and integrate seamlessly into the existing stack, rather than creating yet another source of noise. This is where Managed Detection and Response (MDR) services come in. MDR providers employ experienced security analysts who monitor your environment 24/7 using advanced threat detection and analysis tools and techniques. This frees your internal security team to focus on critical strategic work such as incident response, vulnerability management and active threat hunting.

Benefits of Managed Detection and Response

  • Access to a team of security experts: Gain the expertise of MDR providers' seasoned analysts, enabling continuous monitoring and threat detection.
  • Advanced threat detection and analysis: MDR services utilize sophisticated tools and techniques to identify and prioritize real threats, minimizing false positives.
  • Reduced workload for internal teams: By outsourcing threat hunting, your security team can focus on areas where their expertise is most valuable.
Of course, MDR has downsides to consider, including the time and investment needed to find the right solution and the risk of vendor lock-in with the wrong provider. That said, these risks can be mitigated by selecting the right MDR provider for your business.

What to consider when selecting an MDR partner

Choosing the right MDR partner requires careful consideration. Here is a breakdown of the key steps to ensure a successful selection process.

Self-Assessment: Understanding Your Needs. Start by evaluating your current security posture. Identify your organization's specific security needs and vulnerabilities. This helps you understand how MDR can benefit you and which features matter most.

Beyond Brand Names: Explore All Options. Don't be swayed by brand recognition alone. While established players offer strong solutions, smaller MDR providers can be equally adept, often with greater flexibility and potentially lower costs.

Test Drive Before You Commit. Many providers offer MDR trials lasting one to three months. This allows you to test the service and confirm it meets your specific requirements before committing to a full deployment.

Defining Success: Setting Clear Goals and KPIs. Develop clear goals (SMART goals are ideal) and Key Performance Indicators (KPIs) for your MDR provider. These serve as benchmarks to measure success. Look for a provider who will collaborate with you to define them based on your unique security needs.

Going Beyond the Standard SLA. While an SLA outlines basic service expectations, explore additional factors that affect your security:
  • Communication and Availability: How easily can you reach the MDR team, and what are their response times?
  • Automation Levels: To what extent does the provider leverage automation for faster response and reduced human error?
  • MDR Provider Security: Evaluate the MDR provider's security controls to mitigate the risk of data breaches due to their internal practices. Look for relevant security certifications.
  • MDR Response Scope: What actions constitute an MDR response? Does it include just notifications, recommendations, or even taking action items without requiring intervention from your team?
  • Detection Testing: How does the MDR team validate the accuracy of their threat detections to minimize false positives and negatives?
  • Proactive Security Measures: What proactive security services are offered beyond basic threat hunting? Look for services like monitoring industry news, assisting with new vulnerability remediations, staying updated on CVEs (Common Vulnerabilities and Exposures), and promoting security hardening of your organization's tools.
By leveraging MDR, smart CISOs can move beyond the limitations of traditional threat hunting and free their security teams to focus on strategic initiatives. The right MDR service provides the continuous vigilance, advanced threat detection and expert analysis needed to combat today's ever-evolving cyber threats.

Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.

The 2024 India Elections Cyber Crisis: AI, Deepfakes, and Democratic Integrity


India is currently holding its general elections, running from April 19 to June 1, 2024 across seven phases to elect 543 members to the Lok Sabha, the lower house of India's Parliament. Amid this pivotal democratic exercise, the integrity of the electoral process is under threat from a spectrum of cybersecurity challenges, ranging from international cyberattacks on election infrastructure to domestic insiders undermining the system. As the world's largest democracy votes, both the frequency and the sophistication of these threats have intensified. The election battleground is also witnessing unprecedented use of AI-generated content and deepfakes by political entities and foreign agents, heightening tensions and manipulating public perception. This article examines the cybersecurity landscape of the elections in India: the impact of technological exploitation, foreign interference and internal political strife on the nation's democratic foundations.

India Elections 2024: Experts Warn of a 'Year of Deception'

The ongoing elections in India are proving exceptionally challenging, with cybersecurity experts predicting a turbulent voting season. The integrity of the voting process is under strain from the widespread use of deepfakes and AI-generated false information. Alongside India's own cybersecurity measures against AI-generated misinformation, Meta recently launched a dedicated fact-checking helpline on WhatsApp in collaboration with the Misinformation Combat Alliance (MCA). The initiative aims to help users identify and flag deepfakes, with support in multiple languages including English, Hindi, Tamil and Telugu.

Industry leaders in cybersecurity such as IBM and McAfee have highlighted the significant challenges India is expected to face in these elections. Rapid advances in AI hand cybercriminals powerful tools, including deepfakes, voice cloning and advanced malware, adding to the complexity of threats against the electoral process. Pratim Mukherjee, senior director of engineering at McAfee, underscored the potency of AI in criminal hands and the urgent need for proactive cybersecurity measures to reduce the risks posed by these developing threats.

Domestic politics adds to the strain. Amid one of the most contentious election seasons in India, Kerala Legislative Assembly Leader of the Opposition VD Satheesan has called for the dismissal of cases concerning a deepfake video purportedly aimed at CPM leader KK Shailaja. Implying a link between the CPM and the BJP in the state, he accused CPM leaders of disseminating false information and attacked the government's handling of police operations during Thrissur Pooram, an annual Hindu temple festival held in Kerala that is among the largest and most colorful in India and draws large crowds and significant media attention.

India Elections 2024: Foreign Interference and Insider Threats

Foreign interference poses another set of threats to the integrity of the Indian electoral process. Chinese hackers in particular have been identified as potential adversaries seeking to manipulate public opinion and influence election outcomes. According to a report by Microsoft, Chinese hackers and influence operatives, along with North Korean agents, may seek to interfere with the electoral process in India and other high-profile elections around the world. AI-generated content used to sway public opinion is a major risk for Indian cybersecurity, but it is not the only thing eroding the integrity of the 2024 general election.

The election also faces a threat from domestic political rivalries, with allegations of cyberattacks and misinformation campaigns emerging from within India. The Vadakara Lok Sabha constituency exemplifies this, with the CPI(M) and the Congress accusing each other of launching vicious cyberattacks. The CPI(M), or Communist Party of India (Marxist), and the Congress are major political parties in India. The escalation of these allegations to the Election Commission further clouds the picture for the public as misinformation shapes the choices voters make. In a similar vein, the earlier attempted hack on the website of the Ram Mandir during the Pran Pratishtha ceremony is another reminder of the cybersecurity challenges facing India's cultural and religious institutions while the elections are under way. The Ram Mandir is a new temple being constructed in Ayodhya, a site of historical and religious significance and a focal point of long-standing and sometimes contentious political and religious debate in India.

The Cyberattack on Indian Culture: What to Expect and How to Protect?

These incidents highlight the vulnerability of online platforms to cyberattacks and raise concerns about the broader state of cybersecurity in the country. As India's cultural and religious heritage intersects with the 2024 elections, the need for stronger cybersecurity measures cannot be ignored. Proactive steps and collective effort are essential as India faces cyberattacks on several fronts. To reduce the risks of foreign meddling and AI-generated disinformation, cooperation between government agencies, cybersecurity professionals and technology companies is vital. Public awareness campaigns can be effective in informing citizens about the risks of false information and the value of vigilance in the digital era. The cybersecurity measures around the 2024 Indian elections will draw global attention, as the threat of cyberattacks is significant. Protecting the integrity of the electoral process will demand a unified effort from all parties involved. Through the strategic use of technology and collaborative initiatives, India aims to confront these challenges and maintain democratic integrity.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Victorian Councils Hit by OracleCMS Breach: Multiple Australian Cities Report Data Exposure

22 April 2024 at 04:09


Several Victorian councils have confirmed that their data was exposed after OracleCMS, the third-party call center operator they use, was breached. The compromised data from the customer services vendor may extend well beyond the Victorian councils. OracleCMS (not to be confused with Oracle Corporation) is an Australia-based provider of customer care solutions and call center services. According to OracleCMS's official disclosure, the breached information may include 'corporate information, contract details, invoices, and triage process workflows'. Last week, the LockBit ransomware group listed OracleCMS as a victim on its leak site.

Authorities Issue Data Breach Notices on Official Sites After Victorian Cities Data Breach

Local government entities are among those affected by the OracleCMS breach, and many of them were investigating the incident over the weekend. Some affected entities instructed OracleCMS not to collect any further information in the interim and requested that urgent calls, including after-hours calls, be transferred directly to their staff until further notice. The cities known to have issued official data breach notices are Knox City, the City of Port Phillip, Manningham Council, Whitehorse City Council and the City of Monash.

Earlier, LockBit had published sample data such as bills associated with OracleCMS, giving the company until April 16 to negotiate; no ransom amount was publicly mentioned. The group then published more than 60 gigabytes of leaked data in a single compressed archive. A "Clients" directory in the leaked data held more than 50 folders for organizations ranging from local city councils to senior citizen care services. The Australian publication Cyber Daily reported that more than a dozen local councils were on the list, including Campbelltown Council, Tweed Shire Council and Dandenong City Council, among other government entities. Other clients in the leak included several law firms, a large real estate agency and the Queensland branch of the Philadelphia Church of God.

OracleCMS Issues Several Safety Recommendations After Victorian Cities Data Breach

OracleCMS confirmed that a cyber security incident had occurred in which an unauthorised party gained access to a portion of its data and published it online. After discovering the incident, OracleCMS engaged cyber security experts to help secure its systems and conduct an investigation. The company stated that basic contact information could be extracted from the contracts and invoices in the breach, but advised that the data presented 'a low risk of misuse'. It said it had contacted the clients it had identified as impacted and would work with them to notify and support affected parties and individuals. OracleCMS apologized for the incident and affirmed its commitment to keeping stakeholders updated during the ongoing incident response and investigation. It also issued several recommendations to help affected parties stay safe from the fallout of the data breach.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Alleged Luxor Data Breach: Sensitive Information from Indian Stationery Giant Leaked


A dark web user has claimed a breach of Luxor International Private Limited, a prominent Indian manufacturer of stationery products. The alleged Luxor data breach was first spotted on April 19, 2024, when a user going by 'postmaster' on the new BreachForums posted a database purportedly belonging to Luxor. The data, initially shared on the Telegram channel Leakbase, is a 692 MB SQL dump containing a trove of sensitive information: first, middle and last names, dates of birth, hashed passwords, billing and shipping details, tax information and more.

Alleged Luxor Data Breach Exposes Sensitive Database

The Luxor data breach reportedly includes information about individuals registered on Luxor's website, which lends the claim some plausibility. If the data is genuine, the leak could lead to loss of trust, financial losses, reputational damage, identity theft, operational disruption and fraud, affecting not only the company but also its customers and stakeholders. Luxor Writing Instruments Private Limited and Luxor International Private Limited, the entities allegedly affected, have been notified of the breach. With operations spanning the Indian subcontinent, a breach at Luxor has ramifications not only for its domestic clients but also for its customers and partners across Asia-Pacific (APAC). The motives of 'postmaster' remain unclear, as the poster shared no statement of intent, and the stolen data appears to be limited to customers: it contains only Gmail addresses rather than the organization's business accounts.
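Observations like the ones above (which fields are present, whether the password hashes are weak, whether the e-mail addresses are all consumer accounts) are exactly what a defender should check before trusting a forum post's description of a dump. The following is an added example, not code from The Cyber Express or from Luxor. It loads a constructed, simplified dump (SQLite-compatible SQL standing in for the MySQL export a leak usually contains) into an in-memory database, inventories tables and columns, flags fields that hold personal data, infers password hash formats from their shape, and tallies e-mail domains. Every table name, row, address and hash in it is fictitious, and the function names are the author's own.

```python
"""Triage of a claimed SQL database dump.

Added example, not from The Cyber Express or Luxor. The dump below is
constructed and simplified (SQLite-compatible instead of a real MySQL
export); all names, e-mails, hashes and tax IDs are fictitious.
"""
import re
import sqlite3
from collections import Counter

# Column-name fragments that usually mean personal or regulated data.
SENSITIVE_KEYWORDS = ("name", "email", "phone", "dob", "birth", "password",
                      "pass", "tax", "gst", "address", "billing", "shipping")

# Hash formats recognised purely by shape; order matters only for clarity,
# every pattern is anchored so they cannot match each other's lengths.
HASH_SHAPES = [
    ("bcrypt",     re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("md5-hex",    re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1-hex",   re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("sha256-hex", re.compile(r"^[0-9a-f]{64}$", re.I)),
]

# Constructed sample dump; every value is made up for the example.
SAMPLE_DUMP = """
CREATE TABLE `customer_entity` (
  `entity_id` INTEGER PRIMARY KEY,
  `firstname` TEXT, `middlename` TEXT, `lastname` TEXT,
  `email` TEXT, `dob` TEXT, `password_hash` TEXT, `taxvat` TEXT
);
INSERT INTO `customer_entity` VALUES
 (1,'Asha',NULL,'Rao','asha.rao@gmail.com','1990-04-12','5f4dcc3b5aa765d61d8327deb882cf99','ABCDE1234F'),
 (2,'Vikram','K','Nair','vik.nair@gmail.com','1985-11-30','5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8',NULL),
 (3,'Priya',NULL,'Menon','priya@example.org','1992-07-01','$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW',NULL);
CREATE TABLE `sales_order` (
  `order_id` INTEGER PRIMARY KEY, `customer_id` INTEGER,
  `grand_total` REAL, `billing_city` TEXT, `shipping_city` TEXT, `created_at` TEXT
);
INSERT INTO `sales_order` VALUES
 (100,1,499.00,'Chennai','Chennai','2024-03-01 10:15:00'),
 (101,2,1299.50,'Kochi','Bengaluru','2024-03-02 18:40:00');
"""


def load_dump(sql_text):
    """Execute the dump into a throwaway in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(sql_text)
    return conn


def inventory(conn):
    """{table: (row_count, [column names])} for every table in the dump."""
    out = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY rowid")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        (count,) = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()
        out[table] = (count, cols)
    return out


def sensitive_columns(columns):
    """Columns whose names suggest personal or regulated data."""
    return [c for c in columns
            if any(k in c.lower() for k in SENSITIVE_KEYWORDS)]


def classify_hash(value):
    """Name the hash format by shape, or 'unknown' (also for NULLs)."""
    for name, pattern in HASH_SHAPES:
        if value and pattern.match(value):
            return name
    return "unknown"


def hash_formats(conn, table, column):
    """How many stored credentials use each hash format."""
    rows = conn.execute(f'SELECT "{column}" FROM "{table}"')
    return Counter(classify_hash(v) for (v,) in rows)


def email_domains(conn, table, column):
    """Domain tally, e.g. to check a 'consumer accounts only' claim."""
    rows = conn.execute(f'SELECT "{column}" FROM "{table}"')
    return Counter(v.rsplit("@", 1)[-1].lower()
                   for (v,) in rows if v and "@" in v)


if __name__ == "__main__":
    db = load_dump(SAMPLE_DUMP)
    for table, (count, cols) in inventory(db).items():
        print(f"{table}: {count} rows, sensitive={sensitive_columns(cols)}")
    print("hash formats:", dict(hash_formats(db, "customer_entity", "password_hash")))
    print("email domains:", dict(email_domains(db, "customer_entity", "email")))
```

In this constructed sample the triage would report that the customer table carries unsalted MD5 and SHA-1 hashes alongside bcrypt, which is what a migration from a legacy password scheme often looks like and is the single most important fact for notifying affected users. A real MySQL dump will need its `ENGINE=` clauses and MySQL-only types stripped, or a MySQL instance in place of SQLite, before this approach works unchanged.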

Decoding the Luxor Data Breach Leak

In a public post attributed to 'postmaster', the threat actor described Luxor as the "brand leader in the Indian Writing Instrument Industry" and gave the file name (luxor.in.sql) and size (692 MB uncompressed), offering a glimpse of the scale of the data. The leaked data appears to consist of billing information or transaction records, organized into distinct entries with various fields, likely including identifiers, timestamps, numerical values and textual data, which suggests a full system for managing billing-related activity. The Cyber Express has reached out to the organization to learn more about the authenticity of the leak. At the time of writing, no official statement or response had been received, leaving the claims of a Luxor data breach unverified. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We will update this post once we have more information on the alleged Luxor data breach or any official confirmation from the organization.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Consol Energy Targeted in Cyberattack: Russian Cyber Army Claims Responsibility


Cyber Army Russia has claimed a cyberattack on Consol Energy, a prominent American energy company headquartered in Cecil Township, Pennsylvania. The attack reportedly disrupted access to the company's website for users outside the United States; the site is now back online and functioning normally. Consol Energy, listed in the agriculture and mining sector, plays a significant role in the nation's energy supply chain, generating over $1 billion in revenue and employing thousands. The claimed attack highlights the growing trend of targeted cyberattacks in the energy sector.

Alleged Consol Energy Cyberattack Claims by Pro-Russian Hackers

The threat actor's post suggests a motive, citing Consol Energy's role as a competitor in the European energy market and its alleged benefit from the conflict in Ukraine (source: Falcon Feeds on X). The Cyber Express has reached out to the organization to verify the authenticity of the alleged Consol cyberattack. At the time of writing, no official statement or response had been received, leaving the claims unverified.

This is not the first time Consol Energy has been targeted. In 2023, the Cl0p ransomware group claimed responsibility for an attack on the company. Despite these incidents, Consol Energy continues to post on its social media channels and to contribute to the country's power supply. In the wake of the claimed attack, financial analysts are watching Consol Energy's stock performance. Justin Spittler, Chief Trader at Hedge_Your_Risk, offered insights on coal stocks, noting CONSOL Energy's resilience despite a recent decline (source: Justin Spittler on X). The extent to which the cyberattack influenced this decline remains uncertain, pending official statements from the company.

Cyber Army Russia Reborn and Ongoing Investigation 

The cyberattack on Consol Energy is part of a broader trend of cyber threats against energy companies worldwide. Just last month, Cyber Army Russia Reborn claimed responsibility for cyberattacks in Slovenia targeting government bodies and the public broadcaster. In a video message, the group implied that the attacks were a response to Slovenia's backing of Ukraine. Voiced in Slovenian and circulated by local news, the message urged Russians and Slovenians not to harbor animosity toward each other, citing shared heritage. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We will update this post once we have more information on the alleged attack or any official confirmation from Consol Energy.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Alleged Cyberattack on Bureau van Dijk: US Consumer Data Compromised

22 April 2024 at 08:28


The threat actor USDoD (previously known as NetSec, ScarFace_TheOne and Scarfac33), known for earlier attacks against U.S. infrastructure and Airbus, has claimed Bureau van Dijk as its latest victim. The actor also suggested that the alleged attack on Bureau van Dijk would likely be his last and appeared to bid farewell to the BreachForums community. Bureau van Dijk is a leading business intelligence firm owned by Moody's Analytics. It offers consumer and private-company intelligence products with a primary focus on sales, marketing and customer support, and maintains country-specific databases; the actor was likely referring to the US variant of the consumer database. According to the post description on BreachForums, the two shared files together amount to about 11.7 million lines of sensitive data.

USDoD Threat Actor Targets Bureau van Dijk in Farewell Post

In a surprising gesture, USDoD bid farewell to the BreachForums community, federal agencies and 'friends around the globe', framing the post as a goodbye. He stated that he expected nothing further from the community while expressing gratitude to the people he had dealt with over the years on the forums. He reiterated that he operated alone and framed his decision to step away as a move to focus on his personal life and family. The post description puts the first stolen database at around 8.9 GB, delivered in CSV format, with fields such as Last Name, First Name, Email Addresses, Priority Telephone Number and Priority Email Address. The Cyber Express has reached out to Bureau van Dijk to verify the authenticity of the claims. At the time of writing, no official statement had been received, leaving the claims of a Bureau van Dijk cyberattack unverified.

US Consumer Database Included Within Threat Actor's Post

The second database in the post was purportedly a US consumer database stolen from the same firm, with fields such as First Name, Last Name, Business Email, Mobile Phone, Direct Number, Job Title, Personal Address and Company Address. It was also in CSV format and was said to hold about 2.8 million records. Both databases were freely available for public download through links in the post. The actor previously targeted the defense contractor Thales in a data breach on March 1, 2024 involving 24 GB of data, and before that claimed the Airbus data breach of September 12, 2023. Earlier, in August 2021 while operating as NetSec, the actor claimed to have obtained administrator access to several U.S. Army websites as part of a wider campaign under the #RaidAgainstTheUS hashtag, involving large-scale attacks on the U.S. Department of Defense (DoD), U.S. Army websites and U.S. defense manufacturers.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Family-Owned Music Store Targeted: MEDUSA Ransomware Strikes Ted Brown Music


Ted Brown Music, a family-owned full-service music store established in 1931, has allegedly been targeted by the MEDUSA ransomware group. The claim appears in a post on the group's leak site that lays out the alleged scope of the attack and its terms. The post, laden with countdown timers and cryptic codes, opens with a countdown in "DAYS", "HOURS", "MINUTES" and "SECONDS", setting a seven-day deadline before the stolen data is published.

Decoding the Ted Brown Music Cyberattack Claims

The post then turns to concrete details about Ted Brown Music, including its long history, family ownership and corporate address in Tacoma, Washington. It lists 95 employees and claims 29.4 GB of exfiltrated data, which gives a sense of the alleged breach's scale. The ransom options escalate: $10,000 buys one extra day before publication, while $300,000 buys either deletion of all the data or a download of it. The post ends with the numeral "23", apparently the count of viewers who have seen the listing (source: X). The Cyber Express has reached out to the organization to learn more about the claimed attack. At the time of writing, no official statement or response had been received, leaving the claims unverified.

The Rise of MEDUSA Ransomware Group

The claimed attack on Ted Brown Music follows a string of cyberattacks on the music industry. According to Gitnux, the sector suffers an alarming rate of attacks, with breach detection often taking months and the average cost of an attack climbing sharply. Among the groups responsible, MEDUSA has grown into a sophisticated cybercrime operation. Emerging as a ransomware-as-a-service (RaaS) platform in late 2022, Medusa gained notoriety in 2023, primarily targeting Windows environments. The group runs a leak site where it exposes data from organizations that refuse to pay. Employing a multi-extortion approach, it offers victims options such as extending the deadline, deleting the data or downloading it, each at a price. In addition to its onion site, it uses a Telegram channel named "information support" to share compromised files publicly, making them more accessible. This is an ongoing story and The Cyber Express will be monitoring the situation. We will update this post once we have more information on the alleged attack or any confirmation from the organization.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

PayPal Appoints Shaun Khalfan as Chief Information Security Officer


In today's digital age, where data breaches and cyber threats loom large, the role of Chief Information Security Officer (CISO) is more critical than ever. PayPal, a global leader in digital payments, has taken a significant step forward in fortifying its cybersecurity posture with the appointment of Shaun Khalfan as its new Senior Vice President and Chief Information Security Officer.

With over 20 years of extensive experience in information security and risk management across various industries, Khalfan brings a wealth of knowledge and expertise to his new role at PayPal. His appointment underlines PayPal's commitment to ensuring the security and protection of both its own and its customers' data, digital assets, and payments.

Shaun Khalfan: Industry Leadership

Before joining PayPal, Khalfan served as Senior Vice President and CISO at Discover Financial, where he led the information security organization and implemented enhanced strategies to monitor and mitigate current and emerging risks. That tenure, along with his earlier role as Managing Director and CISO at Barclays International, has given him deep insight into the evolving cybersecurity landscape of the financial sector.

Khalfan's path to cybersecurity leadership began with his education at the University of Maryland, where he developed his information security skills. He went on to earn an MBA from the George Washington University School of Business, which gave him a foundation in business management and strategy.

Beyond his corporate roles, Khalfan serves on the board of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a key platform for collaboration and information sharing among financial institutions combating cyber threats. He also teaches as an adjunct professor at Carnegie Mellon University, helping to shape future leaders in cybersecurity and sustain the talent pipeline the field needs.

As an Army combat veteran, Khalfan understands the importance of leadership and resilience in the face of adversity, qualities that are invaluable in cybersecurity. His military background, coupled with his extensive expertise, allows him to approach cybersecurity challenges with a strategic mindset and determination.

Credentials and Expertise

Khalfan's credentials speak volumes about his commitment to excellence in cybersecurity. He holds certifications such as Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH), demonstrating his proficiency in safeguarding information systems and networks from malicious threats. Additionally, his graduation from the Department of Defense Executive Leadership Development Program underscores his leadership capabilities honed through rigorous military training.

Beyond his professional endeavors, Shaun Khalfan is deeply engaged in the cybersecurity community. He advises several companies, ranging from Series A to Series D funding rounds, on go-to-market strategies and opportunities to bolster their cybersecurity defenses. His insights and guidance are instrumental in preparing these companies for eventual acquisitions and ensuring their continued success in an increasingly digital world.

In his new role at PayPal, Khalfan is poised to lead the charge in strengthening the company's cybersecurity defenses on a global scale. His vision, coupled with his extensive experience and expertise, will play a pivotal role in safeguarding PayPal's infrastructure and maintaining its reputation as a trusted payments provider.

In a statement on LinkedIn, Khalfan expressed his excitement about the new challenge, highlighting his admiration for PayPal's leadership team and growth strategy. "I am excited to embark on a new challenge as SVP, Chief Information Security Officer at PayPal! I am inspired by the leadership team, growth strategy, and look forward to securing a digital company on a global scale," said Khalfan.

With Khalfan at the helm of cybersecurity, PayPal is well-positioned to navigate the complex landscape of cybersecurity threats and emerge stronger than ever before.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Former FSB Officer Sentenced to Nine Years for $1.7 Million Bribery Scandal

FSB Officer Grigory Tsaregorodtsev

Former Russian Federal Security Service (FSB) officer Grigory Tsaregorodtsev was sentenced to nine years in prison in a penal colony. The decision was made after the Perm Garrison Military Court found Tsaregorodtsev guilty of accepting a 1.7 million USD bribe from a cybercrime syndicate in exchange for turning a blind eye to their illicit activities.

The Grigory Tsaregorodtsev corruption scandal began to unfold in 2022 when Russian authorities apprehended six individuals associated with a notorious cybercrime group operating in the city of Perm in Russia. This group had orchestrated a sophisticated scheme, hacking into thousands of e-commerce websites and pilfering sensitive payment card data. Their activities facilitated the sale of millions of stolen card details on underground platforms like Trump’s Dumps, among others.

Former FSB Officer Grigory Tsaregorodtsev Sentenced For Taking Bribes

At the center of this scandal is Tsaregorodtsev, a once-respected figure within the FSB's counterintelligence division based in the city of Perm. His role came under scrutiny when it was revealed that he had accepted substantial bribes from the hacker group. These bribes, totaling a staggering 160 million rubles, were exchanged for his protection and influence, allowing the hackers to operate without fear of the authorities, Krebs on Security reported.

However, Tsaregorodtsev's downfall was inevitable, as he was detained and subsequently brought to trial. Throughout the proceedings, the court uncovered a web of deceit and corruption woven by the former FSB officer. Despite his attempts to downplay his involvement, the evidence against him proved damning. Tsaregorodtsev's defense argued that he had merely engaged in fraud rather than outright bribery, since he failed to deliver on the promises made to the cybercriminals.

The Trial of Former FSB Officer Grigory Tsaregorodtsev

The trial of Grigory Tsaregorodtsev shed light on the extent of the operation and on the assets the ex-FSB officer acquired with the bribes, including lavish properties, luxury vehicles, and a substantial cache of cash and gold bars. According to the Russian newspaper Коммерсантъ, the outcome of the court session revealed that Tsaregorodtsev had abused his position of authority for personal enrichment, betraying the trust placed in him by the Russian state and its citizens.

Ultimately, the court handed down a harsh sentence, condemning Tsaregorodtsev to nine years in a maximum-security facility and imposing a hefty fine of 320 million rubles. Furthermore, he was stripped of his military rank and barred from holding certain positions upon his release.
The court also stated that "he must pay the state an amount equal to the size of the bribe: minus the value of the valuables and money seized during the investigation, it amounts to slightly more than 138 million rubles", added the newspaper.
The repercussions of Tsaregorodtsev's actions extended beyond his own fate, casting doubt over the integrity of the Russian security apparatus. Questions were raised about the extent of corruption within the FSB and the measures needed to root out such malfeasance.

UnitedHealth Confirms Paying Ransom to Secure Patient Data After Change Healthcare Cyberattack

Change Healthcare Cyberattack

In a bid to safeguard patient data, UnitedHealth Group, a prominent healthcare conglomerate, confirmed that it has paid ransom to cyberthreat actors after its subsidiary, Change Healthcare, fell victim to a cyberattack in February. The company also acknowledged that files containing personal information were compromised in the Change Healthcare cyberattack.

According to a statement provided to CNBC, UnitedHealth stated, “This attack was conducted by malicious threat actors, and we continue to work with law enforcement and multiple leading cybersecurity firms during our investigation. A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.”

Ransom Payment Amount And Method

Though the exact ransom amount was not disclosed by UnitedHealth, Wired magazine reported on March 4 that the company likely paid around $22 million in bitcoin to the attackers, citing darknet forum posts and blockchain analysis. The Cyber Express Team contacted Change Healthcare officials to inquire about the reported ransom payment. However, at the time of publication, no official response had been received.

UnitedHealth further disclosed that cyberthreat actors accessed files containing protected health information (PHI) and personally identifiable information (PII). The breached files could potentially affect a significant portion of the American population. However, the company clarified that, to date, there is no evidence of exfiltration of materials such as doctors’ charts or full medical histories among the compromised data. "Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America. To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data," reads the official release.

Andrew Witty, CEO of UnitedHealth Group, expressed the company’s commitment to addressing the concerns raised by the attack, stating, “We know this attack has caused concern and been disruptive for consumers and providers, and we are committed to doing everything possible to help and provide support to anyone who may need it.”

Change Healthcare Cyberattack Details and Infiltration

The attackers, identified as the ALPHV ransomware gang or one of its affiliates, infiltrated Change Healthcare’s networks more than a week before launching the ransomware strike, as reported by The Wall Street Journal. They gained entry through compromised credentials on an application that allows staff to remotely access systems, as multifactor authentication protocols were not enabled on this particular application.

In response to the breach, UnitedHealth has taken steps to mitigate the impact on affected individuals. The company has set up a dedicated website for patients to access resources and launched a call center offering free identity theft protection and credit monitoring for two years. However, due to the ongoing complexity of the data review, the call center is unable to provide specific details about individual data impact.

Change Healthcare, which processes approximately 15 billion transactions a year and handles one in three medical records, suffered significant disruption from the attack. More than 100 systems were shut down, affecting numerous healthcare providers and leaving some reliant on loans and personal funds to stay operational. UnitedHealth reported that the attack has cost the company $872 million so far.

Recovery Efforts and Assistance Programs

Despite the challenges, UnitedHealth has been steadily restoring systems since March, including pharmacy software, claims management, and other platforms. The company has also launched financial assistance programs, although some providers have expressed dissatisfaction with the amounts offered and reported feeling pressured by UnitedHealth staff to make positive public comments about the loans.

As UnitedHealth continues its efforts to recover from the cyberattack, it remains vigilant in ensuring the security of patient data and strengthening its cybersecurity defenses to prevent future incidents.

SYNLAB Italia Acknowledges Potential Data Compromise Following Cyber Incident

23 April 2024 at 04:06

SYNLAB Italia cyber-incident

SYNLAB Italia, a provider of medical diagnostic services, has temporarily halted its healthcare services across Italy after experiencing a cyber incident. The healthcare diagnostics entity stated that the SYNLAB Italia cyber-incident occurred during the early hours of 18th April and that it had become aware of the incident at 07.00 CET (Central European Time). Following the SYNLAB Italia cyber-incident, the IT department took action to block the entire company infrastructure from accessing the affected network while shutting down all machines in accordance with the company’s security guidelines.

SYNLAB Italia is part of SYNLAB Group, which was founded by a loose association of German physicians. The group claims a presence in over 30 countries, with a staff of over 28,000 employees, and claims to conduct approximately 600 million tests every year.

Firm Halts Operations After SYNLAB Italia Cyber-incident

Image: SYNLAB Italia Cyber-Incident (Source: Shutterstock)

After becoming aware of the SYNLAB Italia cyber-incident, the healthcare facilitator established a task force consisting of internal and external professionals who took action to mitigate the potential impact stemming from the attack while focusing on restoring critical services as early as possible. SYNLAB then moved to secure biological samples that had already been collected and subsequently restored patient services such as specialist outpatient visits and physiotherapy.

Upon visiting SYNLAB Italia’s site, visitors are prompted with links to visit either a patient service or a customer service updates page. The patient page provides details about regional availability, outpatient services and regional center emergency numbers while informing patients about the services that remain suspended. The Customer and Business services page provides visitors with details about the cyberattack and alternative emergency numbers.

SYNLAB stated that its task force is investigating every aspect of its IT infrastructure as well as its backup systems to restore its systems as soon as possible. The company stated that it had filed a complaint with the Postal Police, and has followed procedure for issuing a preliminary notification to the Guarantor Authority for the Protection of Personal Data.

SYNLAB has apologized to its patients for the incident and stated that it had made available dedicated telephone and social channels for managing patient requests and information in the interim, as some of its services and its official email system remained down. The company stated that it would keep patients, customers and the public informed through its official website and social media channels, and that it is working on limiting customer inconvenience and providing necessary support.

Medical Data at Risk in SYNLAB Italia Cyber-incident

Image: SYNLAB Italia cyber-incident (Source: Shutterstock)

The healthcare provider stated that although the investigation is ongoing and the full extent of compromised data hasn't been confirmed, it acknowledged the potential exposure of sensitive medical data. Moreover, SYNLAB Italia affirmed its adherence to GDPR regulations when addressing concerns regarding potential data exposure. It pledged to restore systems as readily as possible while implementing necessary measures aimed at the secure resumption of services on an urgent basis. The company confirmed that it had issued emails communicating the incident to some of its patients through an external provider not impacted by the attack.

The Cyber Express has reached out to SYNLAB Italia for further details regarding the attack, but no response has been received yet. No threat actor group or individual has been observed claiming responsibility for the attack so far.

CISA Releases Physical Security Checklist for Polling Locations to Safeguard U.S. Elections

Physical Security Checklist

As the United States gears up for another round of crucial elections, the focus on securing polling locations is more critical than ever. In a bid to fortify security preparedness at the frontline of U.S. elections, the Cybersecurity and Infrastructure Security Agency (CISA) has released the Physical Security Checklist for Polling Locations, a new tool tailored to empower election workers with actionable and accessible security measures.

Cait Conley, Senior Advisor at CISA, emphasized the importance of protecting polling places, stating, “Protecting against physical threats to election locations like polling places where Americans cast their vote is one of the most significant responsibilities election officials bear. CISA is committed to doing anything we can to support this mission.”

Simplified Security Measures With Physical Security Checklist

The Physical Security Checklist is part of CISA’s suite of election security resources, designed to equip election workers with straightforward measures for enhancing security at temporary election facilities. It is crafted for simplicity, requiring no prior security expertise for implementation, and covers pre-planning and Election Day procedures. The checklist is adaptable to individual facility needs and resources, allowing election workers and volunteers to assess potential security threats and incidents easily. Through a series of yes or no questions, election workers can evaluate existing security measures and identify areas for improvement, aiding in the establishment and enhancement of physical security measures. While no measure can eliminate all risk, these resources empower officials to understand, mitigate, and address security challenges proactively.

The checklist is part of a broader initiative by CISA to support the physical security of election infrastructure. The agency's Protective Security Advisors, serving all 50 states, the District of Columbia, and territories, offer support to state and local election officials by sharing information, conducting physical security assessments of election facilities, and providing no-cost services and training on various security areas. These offerings include de-escalation techniques, responding to active shooter situations, and other physical threat-specific training to address the evolving threats facing election officials.

Key Security Principles

In an effort to ensure ease of use and accessibility, the Physical Security Checklist for Polling Locations broadly addresses several overarching security principles:
  1. Identifying Responsibility: Establishing an individual or group responsible for security and safety.
  2. Risk Assessment: Utilizing risk assessments to inform security measures.
  3. Developing Plans: Developing plans to inform processes and procedures.
  4. Refining Measures: Refining security measures before Election Day.
  5. Implementing Mitigations: Implementing mitigations and “day of” security measures.
  6. Reporting Incidents: Encouraging the reporting of suspicious behavior or potential incidents.
Individuals or groups responsible for preparing polling locations for use on Election Day can utilize this resource to assess potential security vulnerabilities and identify additional actions required in advance of the election. The checklist requires no prior security experience and is designed to be user-friendly.

As the nation prepares for upcoming elections, CISA's Physical Security Checklist for Polling Locations serves as a crucial tool in safeguarding the integrity of the electoral process. By empowering election workers with accessible and actionable security measures, CISA continues to demonstrate its commitment to ensuring the security and resilience of U.S. elections.