Yesterday — 17 May 2024 | Cybersecurity News and Magazine

Patch Now! CISA Adds Critical Flaws to Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its known exploited vulnerabilities catalog to include three new entries, including flaws within D-Link routers and Google Chromium. According to a post shared by CISA, among the listed vulnerabilities, one affects D-Link routers, a common target for cyberattacks. CVE-2014-100005 affects the D-Link DIR-600 router series and is a Cross-Site Request Forgery (CSRF) flaw.

CISA Adds Three Known Exploited Vulnerabilities

By exploiting this D-Link router vulnerability, malicious actors can hijack administrative privileges, allowing them to execute unauthorized actions remotely. Another D-Link router vulnerability listed is CVE-2021-40655, affecting the DIR-605 model. This flaw enables attackers to obtain sensitive information like usernames and passwords through forged requests, posing a significant risk to affected users.

Additionally, CISA's catalog includes CVE-2024-4761, concerning Google Chromium's V8 engine. This Chromium vulnerability, marked with a severity rating of 'High,' involves an out-of-bounds memory write issue. Exploiting this flaw, remote attackers can execute malicious code via crafted HTML pages, potentially compromising user data and system integrity.

Importance of Catalog Vulnerabilities

These vulnerabilities, once exploited, can lead to severe consequences, making them prime targets for cybercriminals. Notably, these entries are part of CISA's ongoing effort to maintain an updated list of significant threats facing federal networks. The known exploited vulnerabilities catalog aligns with Binding Operational Directive (BOD) 22-01, aimed at mitigating risks within the federal enterprise. While BOD 22-01 specifically targets Federal Civilian Executive Branch (FCEB) agencies, CISA emphasizes the importance of all organizations prioritizing vulnerability remediation. By promptly addressing cataloged vulnerabilities, organizations can bolster their cybersecurity posture and reduce the risk of successful cyberattacks.

The Exploited Vulnerability Dilemma 

According to Bitsight's analysis, global companies struggle to address critical vulnerabilities promptly. The report draws from data from 1.4 million organizations, revealing that critical vulnerabilities take an average of 4.5 months to remediate, with over 60% unresolved past CISA's deadlines.

Despite their prevalence, known exploited vulnerabilities (KEVs) remain a challenge for organizations. Derek Vadala, Chief Risk Officer at Bitsight, urges prioritization of vulnerability remediation, citing an average resolution time of 4.5 months for critical KEVs. Ransomware vulnerabilities, constituting 20% of the KEV catalog, prompt remediation efforts 2.5 times faster than non-ransomware KEVs.

While federal agencies fare better in meeting CISA's deadlines, technology companies face the highest exposure to critical KEVs, with a faster remediation turnaround of 93 days. Roland Cloutier, a Bitsight advisor, stresses the need for enhanced vulnerability management, citing organizational challenges in assigning responsibility and ensuring visibility.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Ascension Faces Multiple Lawsuits Following Ransomware Attack

Following the recent Ascension ransomware attack, legal challenges are mounting for the healthcare giant. Just days after the cyberattack disrupted operations across its extensive network of 140 hospitals, Ascension is facing two proposed class-action lawsuits. The lawsuits, filed in the District Courts of Illinois and Texas, allege negligence on Ascension's part, citing the failure to encrypt patient data as a critical oversight. This, plaintiffs argue, has exposed them to the risk of identity theft for years to come, following the Ascension cyberattack that forced the diversion of ambulances and the suspension of elective care services.

Class-Action Lawsuit Arises from Ascension Ransomware Attack

While Ascension has not confirmed any compromise of patient data, investigations are ongoing. Plaintiffs contend that had proper encryption measures been in place, data stolen by the cybercriminal group Black Basta would have been rendered useless, highlighting the negligence they claim Ascension displayed.

“We are conducting a thorough investigation of the incident with the support of leading cybersecurity experts and law enforcement,” an Ascension spokesperson stated. “If we determine sensitive data was potentially exfiltrated or accessed, we will notify and support the affected individuals in accordance with all relevant regulatory and legal obligations,” reported Healthcare Dive on Thursday.

The lawsuits, filed shortly after the Ascension ransomware attack, target the healthcare provider's alleged failure to implement adequate cybersecurity measures, a move plaintiffs argue could have prevented the incident. Both cases, represented by the same legal counsel, highlight the harm suffered by patients due to the exposure of their private information, which they assert was foreseeable and preventable.

Ascension Lawsuit and Mitigation Tactics

Despite ongoing investigations and assurances of cooperation with authorities, Ascension has yet to disclose whether patients' sensitive information was compromised during the cyber incident. “Ascension continues to make progress towards restoration and recovery following the recent ransomware attack. We continue to work with industry leading forensic experts from Mandiant to conduct our investigation into this attack and understand the root cause and how this incident occurred”, stated Ascension on its Cybersecurity Event Update page. In parallel, additional cybersecurity experts from Palo Alto Networks Unit 42 and CYPFER have been brought in to supplement the rebuilding and restoration efforts. The focus is on safely and swiftly bringing systems back online. “We are also working on reconnecting with our vendors with the help of our recovery experts. Please be aware that it may still take some time to return to normal operations”, added Ascension. The Catholic health system, which spans 140 hospitals and 40 senior living facilities nationwide, employs a workforce of approximately 132,000 individuals. Despite the financial strain imposed by the Ascension ransomware attack, industry analysts note Ascension's robust liquidity and leverage position, offering a significant rating cushion against such one-off events.

Chicago Fire FC Data Breach: Exposed Fan Info? Here’s What’s at Risk!

A recent cyberattack on Chicago Fire FC has come to light, with the football club officially confirming the data breach. The club released a statement addressing the incident, highlighting the importance of privacy and security for all involved parties.  The Chicago Fire FC data breach, discovered on October 25, 2023, involved unauthorized access to the club's systems, potentially compromising personal information. Immediate measures were taken upon detection, including securing systems and launching an investigation with legal and forensic experts.  The unauthorized access occurred between October 22 and October 25, 2023.

Decoding the Chicago Fire FC Data Breach

According to the official press release, personal data that may have been accessed includes names, social security numbers, driver’s license and passport information, medical records (including Covid test results and injury reports), health insurance details, financial account information, and dates of birth. While there is no current indication of misuse, the club is taking proactive steps to address the Chicago Fire FC data breach. In response to the cyberattack on the football club, Chicago Fire FC has initiated several actions. These include providing affected individuals access to credit monitoring services through Cyberscout, a TransUnion company specializing in fraud assistance. Instructions for enrollment in these complimentary services have been made available, and affected individuals are encouraged to confirm eligibility by contacting the club. Individuals who believe they may have been affected but have not received notification are urged to reach out to Chicago Fire FC for assistance and to receive a credit monitoring code. Additionally, the club has reported the incident to law enforcement for further investigation.

Mitigation Against the Chicago Fire FC Cyberattack

To safeguard against potential identity theft and fraud, affected individuals are advised to monitor their accounts and credit reports for any suspicious activity. They can obtain free credit reports annually from major credit reporting bureaus and are entitled to place fraud alerts or credit freezes on their accounts. For further information and support regarding identity theft and fraud prevention, individuals can contact the credit reporting bureaus, the Federal Trade Commission (FTC), or their state Attorney General. The FTC encourages victims of identity theft to file a complaint with them and provides resources for reporting instances of misuse. Chicago Fire FC emphasizes its commitment to data security and the protection of individuals' information. The club remains dedicated to maintaining trust and providing support to those affected by the cyberattack.

Chicago Fire FC Offers Credit Monitoring Services 

To enroll in the Credit Monitoring services provided by Chicago Fire FC at no charge, individuals are instructed to visit https://bfs.cyberscout.com/activate and follow the provided instructions. It's essential to enroll within 90 days from the date of the notification letter to receive the monitoring services. However, minors under 18 years of age may not be eligible for this service. During the enrollment process, individuals may need to verify personal information to confirm their identity for security purposes. It's strongly advised to monitor accounts and credit reports regularly to detect any suspicious activity or errors. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus: TransUnion, Experian, and Equifax. These reports can be ordered at www.annualcreditreport.com or by calling 1-877-322-8228. Upon receiving the report, individuals should carefully review it for any discrepancies, unauthorized accounts, or inquiries. Individuals also have the right to place a fraud alert on their credit file at no cost. This alert lasts for one year and requires businesses to verify the individual's identity before extending new credit. Victims of identity theft can request an extended fraud alert lasting seven years. Alternatively, individuals can opt for a "credit freeze," which restricts access to their credit report without their explicit authorization. While this prevents unauthorized access, it may also delay or interfere with legitimate credit applications. To request a fraud alert or credit freeze, individuals need to provide specific information to the three major credit reporting bureaus, including their full name, social security number, date of birth, address history, and proof of identity.
Additionally, victims of identity theft should file a police report and notify law enforcement, their state Attorney General, and the Federal Trade Commission (FTC).
Before yesterday | Cybersecurity News and Magazine

Beyond Borders: CISA Addresses the Global Influence on US Election Cybersecurity

During a recent Senate committee hearing, Director of National Intelligence Avril Haines emphasized state hackers' continued prominence as a threat, citing their aims to undermine trust in U.S. democratic institutions and exacerbate societal divisions. The hearing follows a rise in potential cyberattacks on the US election, which has intensified over the last few months, and foreign interference has peaked, with many state actors aiming to launch cyberattacks on the upcoming US elections in 2024.

The upcoming 2024 United States elections are slated to take place on Tuesday, November 5, 2024. In this crucial presidential election cycle, the nation will elect its president and vice president. Leveraging the attention to these events, several state-backed hackers are running multiple threat campaigns to target the integrity of the US election and possibly accomplish their personal agendas.

Democratic Senator Mark Warner, chairman of the Senate Intelligence Committee, expanded on the scope of foreign influence efforts, including not only state actors but also non-state entities like hacktivists and cybercriminals. Warner stressed the ease with which these actors can now infiltrate and disrupt U.S. politics, emphasizing the increasingly low barriers to entry for such malicious activities.

Potential Cyberattack on the US Election: A Pressing Concern!

https://www.youtube.com/watch?v=WphVoguvVd8

At the forefront of defending against this potential cyberattack on the US election is the Cybersecurity and Infrastructure Security Agency (CISA). In a recent update on foreign threats to the 2024 elections, CISA Director Jen Easterly outlined the agency's efforts to safeguard election infrastructure since its designation as critical infrastructure in 2017.

"While our election infrastructure is more secure than ever, today’s threat environment is more complex than ever. And we are very clear eyed about this. As the DNI noted, our foreign adversaries remain a persistent threat to our elections, intent on undermining Americans’ confidence in the foundation of our democracy and sowing partisan discord, efforts which could be exacerbated by generative AI capabilities", said Jen Easterly.

Despite these persistent threats, Easterly highlighted the successful conduct of secure federal elections in 2018, 2020, and 2022, with no evidence of vote tampering. However, Easterly cautioned against complacency, noting the complexity of ransomware groups/threat actors and their unconventional modus operandi. Moreover, foreign hackers remain intent on undermining confidence in U.S. democracy, compounded by the proliferation of generative AI capabilities. In addition, Easterly highlighted the rise in large-scale attacks on US elections, targeting political leaders and other election officials, fueled by baseless claims of electoral fraud.

CISA’s Plan To Bolster Cybersecurity in the Upcoming US Election

In response to these cyberattacks on the upcoming US elections, CISA has intensified its efforts, expanding its services and outreach to election stakeholders across the nation. From cybersecurity assessments to physical security evaluations and training sessions, CISA has been actively engaged in fortifying security in the upcoming election and its infrastructure. The agency has also ramped up efforts to combat disinformation, providing updated guidance and amplifying the voices of state and local election officials. Despite the political nature of elections, Easterly emphasized that election security remains apolitical. CISA remains steadfast in its commitment to preserving the integrity of the electoral process and looks to the support of leaders in this endeavor. As the nation prepares for future elections, bolstering cybersecurity measures and defending against foreign influence operations remain central priorities.

Learn more how CISA is helping to #Protect2024: cisa.gov/protect2024

A New WiFi Vulnerability in IEEE 802.11 Standard Protocol Leads to SSID Confusion Attack

A new WiFi vulnerability reportedly exposes users to an SSID confusion attack. The vulnerability has been identified in the very fabric of the IEEE 802.11 standard. This newly discovered vulnerability targets the foundation of WiFi security protocols and potentially places millions of users at risk worldwide. The SSID confusion attack, tracked as CVE-2023-52424, capitalizes on a critical oversight in WiFi design, allowing malicious actors to deceive WiFi clients across various operating systems into unwittingly connecting to untrusted networks. The ramifications of this vulnerability extend beyond mere inconvenience, opening the door to a host of malicious activities, including traffic interception and manipulation.

New IEEE 802.11 Standard WiFi Vulnerability Links to SSID Confusion Attack

Research by security researcher Mathy Vanhoef on the IEEE 802.11 standard WiFi vulnerability, set to be presented at the WiSec ’24 conference in Seoul, sheds light on the inner workings of the SSID confusion attack, highlighting its potential impact on enterprise, mesh, and home WiFi networks. At the core of this WiFi vulnerability lies a fundamental flaw in the IEEE 802.11 standard, which fails to enforce authentication of network names (SSIDs) during the connection process. This oversight paves the way for attackers to lure unsuspecting victims onto less secure networks by spoofing legitimate SSIDs, leaving them vulnerable to cyberattacks. The SSID confusion attack targets WiFi clients across diverse platforms and operating systems. From home users to corporate networks, no device using the IEEE 802.11 standard WiFi protocol is immune to these attacks.

IEEE 802.11 Standard Vulnerability Even Targets Virtual Private Networks (VPNs)

The collaboration between Top10VPN and Vanhoef shares insights into the inner workings of the vulnerability. VPNs, touted as protectors of online privacy and security, are not impervious to this threat, with certain clients susceptible to automatic disablement when connected to "trusted" WiFi networks. Universities, often hotbeds of network activity, emerge as prime targets for exploitation due to prevalent credential reuse practices among staff and students. Institutions in the UK, US, and beyond have been identified as potential breeding grounds for SSID confusion attacks, highlighting the urgent need for proactive security measures, said Top10VPN.

To defend against this insidious threat, concerted efforts are required at multiple levels. From protocol enhancements mandating SSID authentication to client-side improvements for better protection, the SSID confusion attack is still an ongoing issue.

MediSecure Data Breach Confirms Impact on Personal and Health Information of Individuals

A ransomware attack has compromised MediSecure, a leading Australian script provider facilitating electronic prescribing and dispensing of prescriptions. The MediSecure data breach was reported by the national cyber security coordinator — the healthcare provider believes that the breach stems from a third-party vendor. The Australian government, through its National Cyber Security Coordinator (NCSC), has shared updates on the MediSecure data breach, initiating a comprehensive investigation and a "whole-of-government response" to address the incident's ramifications.  Lieutenant General Michelle McGuinness, the national cyber security coordinator, confirmed MediSecure as the victim of this cyberattack in a statement on LinkedIn, describing it as a 'large-scale ransomware data breach incident.'

Government Response to MediSecure Data Breach

Authorities, including the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP), are actively engaged in probing the MediSecure data breach. However, details remain scarce as investigators navigate the complexities of the incident. The absence of a known threat actor claiming responsibility further complicates the situation, heightening concerns about the sophistication of cyber threats targeting the healthcare sector.

Cyber Security Minister Clare O’Neil said the government was committed to addressing the breach, convening a National Coordination Mechanism to coordinate efforts and mitigate the breach's impact effectively. “I have been briefed on this incident in recent days, and the government convened a National Coordination Mechanism regarding this matter today,” Minister O’Neil said in a LinkedIn post.
“Speculation at this stage risks undermining significant work underway to support the company's response,” O'Neil added.
The Shadow Home Affairs and Cyber Security Minister James Paterson told Sky News in an interview that the latest breach was a reminder of the currently “dangerous” cyber threat landscape, especially for the health sector. Paterson said healthcare is a lucrative sector both for cybercriminals and nation-state actors.
“Criminal actors like to use it for ransomware because the health sector is often vulnerable to those targets, and sometimes they do pay. And nation state backed actors use it as an opportunity to gather intelligence and information about us,” Paterson explained.
Australia has been hit in the past few years by some of the largest data breaches, in the form of the Medibank and Optus data breaches, which impacted millions across Australia. The scope of the current breach is reportedly unlike the earlier ones, but it still involves some of the most personally and privately significant information that exists about a person, Paterson said. “This is very distressing for Australians when it is released publicly. And it is important that the federal government get on top of this straight away and do whatever they can to stop the proliferation of this information online,” he added.

MediSecure has taken proactive measures, including taking its website offline, as it works to contain the breach's fallout. In a statement, the company acknowledged the incident, saying, “We have taken immediate steps to mitigate any potential impact on our systems. While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.”

The Cyber Express has reached out to MediSecure to learn more about this data breach. However, at the time of writing this, no official statement or response has been shared. The organization did share a statement on its website, stating, “MediSecure understands the importance of transparency and will provide further updates via our website as soon as more information becomes available. We appreciate your patience and understanding during this time.”

Cyberattacks on the Healthcare Sector

This cyberattack on MediSecure echoes previous breaches in Australia's healthcare sector, including the 2022 data breach involving Medibank, which compromised the personal data of millions of Australians. In 2023, healthcare organizations globally faced an unprecedented wave of cyberattacks, affecting over 116 million individuals in the US alone, more than double the previous year's count. Notable incidents include data breaches at Delta Dental of California, Fred Hutch Cancer Center, Norton Healthcare, and HCA Healthcare, among others. German hospitals also fell victim to ransomware attacks, disrupting medical services.

The European Union Agency for Cybersecurity reported that the majority of attacks targeted healthcare providers, with financial motives driving 83% of incidents. India witnessed a surge in cybercrime, with significant financial losses and high-profile attacks during the G20 summit. The recurrence of such incidents highlights the persistent cybersecurity vulnerabilities plaguing the healthcare industry, necessitating comprehensive strategies to fortify defenses against evolving cyber threats.

Nissan Cybersecurity Incident Update: 53,000 Employees Affected

Following the massive Nissan data breach from November last year that exposed the Social Security numbers of thousands of former and current employees, the Japanese automaker has shared new updates on the cybersecurity incident.  In a new letter sent on May 15, 2024, Nissan shared details of the cyberattack, stating the incident has affected Nissan North America. The letter disclosed that a threat actor targeted the company's virtual private network, demanding payment. Nissan has not confirmed whether it acquiesced to the ransom demands.

Nissan Data Breach Update: 53,000 Employees Affected

Upon discovering the Nissan data breach, the Japanese automaker notified law enforcement and engaged cybersecurity experts to contain and neutralize the threat. The company also conducted an internal investigation, informing employees during a town hall meeting held in December 2023, a month after the Nissan cyberattack. To mitigate potential harm, Nissan is offering complimentary identity theft protection services for two years to those impacted by the breach. The company's positive response to safeguarding employee privacy is highlighted by these proactive measures. The official communication emphasized Nissan's dedication to reinforcing its security infrastructure and practices. Following the incident, the company has implemented additional security measures and enlisted cybersecurity specialists to conduct a thorough review, ensuring enhanced protection against future threats. Despite the Nissan breach, the automotive maker has not detected any instances of fraud or identity theft resulting from the incident. Nonetheless, as a precautionary measure, affected individuals are urged to take advantage of the complimentary credit monitoring services provided by Experian IdentityWorks.

No Identity Fraud Detected

“This is in addition to the employee benefit you may have elected with Nissan. These complimentary credit services are being provided to you for 24 months from the date of enrollment. Finally, Nissan is providing you with proactive fraud assistance to help with any questions you might have or if you become a victim of fraud. These services are provided by Experian, a company specializing in fraud assistance and remediation services”, said Nissan. To activate the identity protection service, recipients are instructed to enroll by a specified deadline and utilize the provided activation code. Additionally, individuals are encouraged to remain vigilant against potential fraud by monitoring their credit reports and promptly reporting any suspicious activity. Recipients are assured of assistance for 90 days from the letter's date in enrolling for the complimentary credit monitoring services. They are encouraged to contact the dedicated helpline at 833-931-6266, with the engagement number B120412 ready for reference. Nissan highlights its commitment to employee welfare and the seriousness with which it regards the protection of personal information, expressing regret for any inconvenience caused by the incident. The letter concludes with signatures from Leon Martinez, Vice President of Human Resources, and William Orange, Vice President of IS/IT and Chief Information Officer.

The Cybersecurity Guardians: Meet the Top 30 Cybersecurity Influencers to Follow in 2024

The ever-evolving landscape of cybersecurity is shaped by a dedicated group of individuals. These pioneers, through their research, entrepreneurship, and tireless efforts, have left a significant mark on the industry.  From seasoned security leaders steering the helm of major companies, to passionate bloggers, journalists, podcasters, and authors, this diverse group offers a wealth of perspectives on the ever-present fight against cybercrime.  Veterans with decades of experience share the stage with innovative minds constantly pushing boundaries. Whether it's investigative journalists uncovering cybercrime rings, ethical hackers forging new defensive strategies, or company founders shaping the future of online safety, these influencers are united in a common cause.   They leverage social media to not only stay updated on the latest threats but also advocate for increased awareness and education. This list compiles the top 30 most influential cybersecurity influencers who actively share their expertise online. If you're interested in cybersecurity, following and engaging with these influential figures is a surefire way to stay informed and inspired.

Top 30 Cybersecurity Influencers of 2024

30. Alexandre Blanc - President and Owner at Alexandre Blanc Cyber

Alexandre Blanc is a renowned Cybersecurity Advisor, ISO/IEC 27001 and 27701 Lead Implementer, and a recognised security expert. With a track record of holding successful cybersecurity events, Blanc serves as an Independent Strategic and Security Advisor, providing invaluable counsel to various organisations. His expertise spans incident response management, digital transformations, and dark web investigations. Recognised as a LinkedIn Top Voice in Technology and named among the top security experts with over 75k followers on LinkedIn, Blanc's insights are highly sought-after in the cybersecurity community. Through publications, speaking engagements, and advisory roles, he continues to uplift the IT and security industry.

29. Alissa Abdullah - Deputy CSO at Mastercard

Alissa Abdullah, PhD, is a distinguished senior information technology and cybersecurity executive with a rich background spanning Fortune 100 companies, the White House, and the government intelligence community. Currently serving as Deputy Chief Security Officer for Mastercard, she brings over 20 years of experience in IT strategy, fiscal management, and leading large government programmes. Abdullah's strategic leadership extends beyond her corporate role; she serves as a board member for organisations like Girls in Tech, Inc. and Smartsheet, while also lecturing at the University of California, Berkeley. With a PhD in Information Technology Management, and over 17k followers on LinkedIn, she is a recognised authority in cybersecurity and IT leadership.

29. Jane Frankland - CEO at KnewStart

Jane Frankland is a prominent figure in cybersecurity with a career spanning over two decades of experience in the field. As a cybersecurity influencer and LinkedIn Top Voice, she has established herself as an award-winning leader, coach, board advisor, author, and speaker. Frankland's expertise lies in bridging the gap between business strategy and technical cybersecurity needs, enabling smoother and more effective engagements. With a portfolio career, she works with major brands as an influencer, leadership coach, and board advisor. Additionally, Frankland is deeply involved in initiatives promoting diversity and inclusion in cybersecurity, aligning her work with the UN Sustainable Development Goals.

27. Mark Lynd - Head of Executive Advisory & Corporate Strategy at NETSYNC

Mark Lynd is a globally recognised cybersecurity strategist and keynote speaker in cybersecurity and AI. With over 25 years of experience, including four stints as a CIO & CISO for global companies, he excels in technology, cybersecurity, and AI. Currently, he serves as the Head of Executive Advisory & Corporate Strategy at Netsync, a global technology reseller, where he concentrates on cybersecurity, AI, data center, IoT, and digital transformation. Lynd's accolades include being ranked globally for security and AI thought leadership, and he's authored acclaimed books and eBooks. He holds a Bachelor of Science from the University of Tulsa and is a proud military veteran.

26. Naomi Buckwalter - Director of Product Security at Contrast Security

Naomi Buckwalter is an accomplished Information Security Leader, Nonprofit Director, Keynote Speaker, and LinkedIn Learning Instructor. With extensive experience in directing information security programmes, she has notably served as Director of Product Security at Contrast Security and Director of Information Security & IT at Beam Dental. Buckwalter's expertise encompasses compliance, risk management, and security operations. She is also the Founder & Executive Director of the Cybersecurity Gatebreakers Foundation, aiming to revolutionise cybersecurity hiring practices. With a background in computer science and over 99K followers on LinkedIn, she is recognised for her contributions as a cybersecurity thought leader and advocate for diversity in tech.

25. Raj Samani- Chief Scientist for Cybersecurity

Raj Samani is currently a Chief Scientist at Rapid7 and has experience in this industry spanning 20 years. He has worked with law enforcement and is also an advisor to the European Cybercrime Centre. Samani is a sought-after speaker at industry conferences, a published author, and continues to make appearances on podcasts where he discusses his expertise in threat intelligence, cyber defence strategies, and emerging threats. With over 15.2k followers on LinkedIn and 14.4k on Twitter, Samani is influential through the cybersecurity-related articles, updates and insights he shares, often engaging not only cybersecurity enthusiasts but also professionals.

24. Tyler Cohen Wood- Co- Founder of Dark Cryptonite

Tyler Cohen Wood is a prominent and respected figure in the cybersecurity field. Currently the co-founder of Dark Cryptonite, a Special Comms method of cybersecurity, Wood has over 20 years of experience in the intelligence community. Wood previously served as Senior Intelligence Officer at the Defence Intelligence Agency (DIA) and Cyber Branch Chief at the DIA's Science and Technology Directorate. Wood is also a keynote speaker and provides insight into global cyber threats and national security, drawing on her knowledge of digital privacy and national security. Wood has a following of over 27k on LinkedIn, attention she has garnered through insightful commentary on cybersecurity issues that explains complex technical concepts in a way all types of audiences can follow.

23. Theresa Payton- CEO of Fortalice Solutions

Theresa Payton was the first ever female Chief Information Officer for the White House from 2006-2008, serving under George W. Bush, and is now the CEO of her company Fortalice Solutions, which she founded in 2008. Payton is best known for consulting, the purpose of her company, which provides services like risk assessments, incident response, and digital forensics to government agencies and businesses across different industries, along with advice on cybersecurity strategy and best IT practices. Payton has over 25k followers on LinkedIn, owing to her continuous and avid blogging on her company's page, where she exposes cybercrimes and tackles cybersecurity.

22. Bill Brenner-Vice President, Custom and Research Content Strategy, CyberRisk Alliance 

Bill Brenner is an experienced professional in the cybersecurity field and has held many roles, including journalist, editor, and community manager. His work has focused on cybersecurity education and awareness. Brenner is currently the Vice President of Custom and Research Content Strategy at CyberRisk Alliance. Brenner's 15.7k followers on Twitter come from the influence of his articles posted on CS Media and Techtarget, which are informative and relevant to cybersecurity professionals.

21. Brian Honan- CEO of BH Consulting

Brian Honan is the CEO of BH Consulting and has over 30 years of experience in cybersecurity. He was formerly a special advisor on cyber security to Europol’s Cyber Crime Centre, along with being an advisor to the European Union Agency for Network and Information Security. Honan’s consultancy work is aimed not just at government agencies but also at multinational corporations and small businesses. Honan advocates strongly for education in the field and is a founding member of the Irish Reporting and Information Security Service (IRISS-CERT). His following of 36.2k on Twitter can be attributed to the articles and blogs he has written and posted, along with his presentations at industry conferences worldwide.

20. Magda Chelly- Senior Cybersecurity Expert

Magda Chelly is the first Tunisian woman to be on the advisory board of Blackhat. She has over 10 years of experience in security architecture, risk management, and incident response. Chelly is also a published author and a keynote speaker who can deliver her talks in five different languages. She is currently the Managing Director at Responsible Cyber, where she helps organisations implement effective cybersecurity strategies, while also being the founder of Women of Security (WoSEC) Singapore, which aims to encourage women to join the field of cybersecurity. Chelly has over 57k followers on LinkedIn due to her posts on cybersecurity, but also her diversity initiatives, which make her an advocate in the field.

19. Marcus J. Carey- Principal Research Scientist at ReliaQuest, CEO of ThreatCare

Marcus J Carey is a former Navy Cryptologist who now works in cybersecurity innovation. He has worked in many roles, including penetration tester, security researcher, and security engineer, all of which helped him gain new and revolutionary insights into offensive and defensive cybersecurity techniques. Carey is famous for the books he has written about hackers and cybersecurity and is the established CEO of Threatcare, a cybersecurity company focused on providing proactive threat detection and risk assessment solutions. His 52.4k Twitter followers stem from the expertise he shares on social media and his importance in educating future professionals in the field. He is also sought after as a speaker at industry conferences.

18. Andy Greenberg- Senior Writer at WIRED

Andy Greenberg is currently a senior writer at Wired magazine, and has written many articles investigating high-profile cyber incidents, hacking groups, and emerging cybersecurity threats. Greenberg's reports often focus on the details of cyberattacks and look at the broader implications for people, the government, and the industry as a whole. His 70.4k followers on Twitter are influenced by his updates and in-depth articles exploring the world of cybersecurity, which inform not only the general public but also professionals about the hazards.

17. Paul Asadoorian- IT Security Engineer

Paul Asadoorian has been a professional in the cybersecurity field for over 20 years, but his following comes from his blogs and podcasts. He’s best known as the founder and host of Security Weekly, where Asadoorian brings together experts and practitioners from the cybersecurity field to discuss the latest news and research in areas such as network security, application security, incident response, etc. Additionally, he is also the founder and CEO of Offensive Countermeasures, a company that helps cybersecurity professionals enhance their skills and stay ahead of evolving threats. His 77.3k followers on Twitter are mostly due to his large social media presence as a podcaster and his posts sharing resources, opinions, and promotion of Security Weekly.

16. Nicole Perlroth- New York Times

Nicole Perlroth is a Pulitzer Prize-winning journalist who covers cybersecurity and digital espionage for The New York Times. She is well regarded for her intensive reporting on cyber threats, hacking incidents, and the intersection of technology and national security. Perlroth has also written a book on the cyberweapons arms race. With 91.5k followers on Twitter, Perlroth shares her own articles, as well as insights and updates related to cybersecurity and technology, which draws engagement from both cybersecurity professionals and general readers interested in security.

15. Graham Cluley- Smashing Security

Graham Cluley is an author and blogger who has written books on cybersecurity and continues to avidly share news and stories on cybersecurity through the written word and speech. Currently, Graham Cluley is an independent cybersecurity analyst, writer, and public speaker. He also runs a podcast where he discusses internet threats and safety in an entertaining, engaging and informative way. Cluley’s 112.9k Twitter followers are kept updated with his podcast, tweets and YouTube videos, which explain cybersecurity topics and how to tackle them in a way tailored to general internet users.

14. Rachel Tobac- Hacker and CEO of SocialProof Security 

Rachel Tobac is an ethical hacker who helps companies keep safe through her work as CEO of SocialProof Security, which she co-founded. The company focuses on educating employees to recognize and deal with cyberattacks. She has a background in behavioural psychology and uses it to improve cybersecurity awareness and defences in the general public. Tobac also works with the non-profit Women in Security and Privacy (WISP), where she helps women advance in the security field and often speaks up for underrepresented groups pursuing a career in cybersecurity. Tobac’s 106k-strong following on Twitter is due to her activism and to the tips and updates she shares related to the industry, with some posts being popular for starting debates amongst professionals.

13. Katie Moussouris- Founder of Luta Security

Katie Moussouris is the Founder of Luta Security, which encompasses her aims surrounding vulnerability disclosure and safer, more responsible security research. She is a leading figure in both areas and has 20 years of experience in the field. Among Moussouris’s leading work is Microsoft's bug bounty programme, which she developed and which was one of the first of its kind in the industry. She also advocates for vulnerability disclosure, which promotes more transparency between security researchers and organisations. Moussouris’s 115.5k followers come from her revolutionary developments. She is a frequent speaker at cybersecurity conferences and events. She often posts and talks about her advocacy for ethical hacking and responsible security practices, along with her expertise on vulnerability disclosure and bug bounty programmes.

12. Chuck Brooks- President of Brooks Consulting International 

Brooks is the president of his consulting company, where he advises clients on cybersecurity strategy, risk assessment, and business development. Along with that, he is a featured author in many technology and cybersecurity blogs. Brooks has previously worked in advisory roles with corporations and also at government agencies, including the Department of Homeland Security and the Defence Intelligence Agency. Brooks’ 116k LinkedIn followers are due to his regular contributions to industry research, news, and media articles. Along with that, he is a popular keynote speaker who shares his expertise on a wide range of cybersecurity topics.

11. Daniel Miessler- Founder of Unsupervised Learning

Miessler is the founder and CEO of Unsupervised Learning, where he writes informative articles and tackles relevant issues surrounding cybersecurity and what the world after AI means for human beings. Miessler's following of 139.4k on Twitter comes from professionals in the field and novice enthusiasts engaging with his content and discussions, drawn by his experience in the field. He also avidly shares articles and podcasts, bringing his audience up to speed with cybersecurity.

10. Kevin Beaumont- Internet Cyber Personality

Kevin Beaumont is an experienced professional who has worked in various cybersecurity roles, including security engineer and consultant. He also specialises in threat detection and incident response. Kevin is now the Head of Cybersecurity Operations at Arcadia Ltd., along with being a cybersecurity researcher who runs his own platform where he discusses cybersecurity. Beaumont appeals to newer, younger cybersecurity enthusiasts, with around 150.9k followers on Twitter due to his engagement with trolling on the internet. Additionally, he writes articles for Medium where he informs readers about cybercrime issues such as Microsoft Windows vulnerabilities.

9. Lesley Carhart- hacks4pancakes

Lesley Carhart is currently a threat analyst and principal responder at Dragos, a company which works to protect industrial control systems from cyber threats, and has experience as a security analyst, incident responder and threat hunter. Her work in both the public and private sectors allowed her to gain valuable insights into cybersecurity issues across different industries. Her following of 168k comes from her work as a blogger and speaker who offers career advice in the field of cybersecurity. She also speaks about topics such as industrial control, ransomware attacks and more.

8. Bruce Schneier- Schneier on Security

Schneier is a specialist in computer security and privacy along with being a cryptographer. Schneier is regarded as one of the most influential people in his field of cryptography and has written numerous books on cybersecurity, some of which are considered seminal works in the field. He has also written articles about security and privacy for magazines such as Wired. Schneier’s following of 147.1k comes from being acknowledged as impactful in his field, but also from his blog, where he addresses the prevalence of hacking and other cyber dangers intersecting with our everyday lives.

7. Eugene Kaspersky- CEO of Kaspersky Lab

Eugene Kaspersky is a highly impactful individual in cybersecurity, best known as the CEO of Kaspersky Lab, a company he co-founded in 1997 which identified government-sponsored cyberwarfare. Kaspersky’s following of 187.5k comes from how Kaspersky Lab has grown into a global cybersecurity powerhouse, offering a wide range of products and services, along with his advocacy for cybersecurity education. Kaspersky is also a keynote speaker at industry conferences and events on emerging threats and the importance of cybersecurity awareness. Furthermore, he writes a blog where he regularly posts updates about his life in the industry.

6. Eric Geller - Cybersecurity Journalist

Eric Geller is a freelance cybersecurity journalist recognised for his insightful coverage of digital security. With a comprehensive portfolio including esteemed publications like WIRED, Politico, and The Daily Dot, Geller offers in-depth analysis on cyber policy, encryption, and data breaches. His investigative reporting touches the intricate intersections of cybersecurity and everyday life, from election security to critical infrastructure protection. Geller's expertise extends to interviews with top officials and breaking news on government initiatives. With a Bachelor of Arts in Political Science from Kenyon College, Geller's accolades include induction into the Pi Sigma Alpha national political science Honors society.

5. Shira Rubinoff- The Futurum Group 

Shira Rubinoff is a cybersecurity and blockchain advisor as well as a popular keynote speaker and author. She is the President of SecureMySocial, a cybersecurity company that focuses on protecting organizations from social media risks such as data leakage, reputational damage, and insider threats. Her videos are many and impactful, consisting of interviews and conversations with other professionals. She is known to be one of the top businesswomen in the field and currently runs a cybersecurity consulting firm and serves as the Chair of the Women in Cybersecurity Council (WCI), aiming to influence more women to join the field. Her follower count of 190.4k isn’t only due to her experience as a businesswoman, but also to her constant interaction on social media, where she posts talks, videos, podcasts, written work and more about many topics in cybersecurity.

4. Mikko Hyppönen- Chief Research Officer at WithSecure 

Mikko Hyppönen has been in the world of cybersecurity since the late 1980s. Since then he has led researchers in identifying and eliminating emerging cyber threats, while providing insights and solutions to protect individuals, businesses, and governments from cybercrime. Hyppönen has written for many famous newspapers like the New York Times and has also appeared on international TV and lectured at universities like Oxford and Cambridge. His 230.5k followers are due to his engaging and informative presentations, which help raise awareness about cybersecurity threats. He also has a following for his blog posts and research papers detailing his expertise.

3. Kim Zetter - Investigative Journalist and Book Author

Kim Zetter is an award-winning investigative journalist renowned for her expertise in cybersecurity and national security. With a distinguished career spanning publications like WIRED, Politico, and The New York Times Magazine, Zetter is a respected authority on topics ranging from election security to cyber warfare. Her book, "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon," offers a gripping narrative of covert cyber operations. As a sought-after speaker and social media personality with over 7K followers on LinkedIn, she shares insights at conferences worldwide. Zetter's relentless pursuit of truth has earned her acclaim and established her as a leading voice in cybersecurity journalism.

2. Brian Krebs- Krebs on Security

Brian Krebs is an investigative journalist who wrote for The Washington Post from 1995 to 2009, for the Security Fix blog. He now runs his own blog, Krebs on Security. In it, he provides in-depth analysis and reports, along with promptly posted breaking news on cybercrime, hacking, data breaches, etc. Krebs has received many awards for his investigative journalism, including being a Pulitzer Prize finalist for his coverage of cybersecurity problems. Krebs’ 347.9k followers are due to the reputation his blog widely holds as a first choice when looking for accurate, fast information, as well as for the truth, as he is known to hold individuals and organisations accountable in his work.

1. Robert Herjavec- CEO of Global Cybersecurity Firm - Cyderes

Herjavec is the CEO of the Herjavec Group and the Global Cybersecurity Firm, Cyderes, which leads cybersecurity options and supports many security services including threat detection and response, identity and access management, and compliance solutions. Along with that, he features on BBC’s Shark Tank and also provides motivational business advice through his books and videos. His following of 2.2 million may be due to his appearance on the show, but he continues to actively post insights and gives commentary on cybersecurity trends and ever-changing threats. Most of his followers are there to witness what he shares on business and entrepreneurship. Herjavec frequently shares cybersecurity related articles and updates. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

DragonForce Cyberattack Strikes Again: Malone & Co and Watt Carmichael Added as Victims


The notorious DragonForce ransomware group has expanded its list of victims, adding two new names to its dark web portal: Malone & Co and Watt Carmichael. In a dark web post on their platform, the threat actor boasted about their latest conquests. The first victim, Malone & Co, a prominent accounting firm based in Ireland, seemed to have fallen prey to the DragonForce cyberattack. The post provided details about the company's services and location, indicating a breach of sensitive information. Similarly, Watt Carmichael, a reputable investment management firm in Toronto, Canada, found itself ensnared in a similar situation by the DragonForce ransomware attack. However, despite the group's claims, both cyberattacks remain unverified.

DragonForce Cyberattack Targets Two New Victims

The Cyber Express has reached out to both organizations to learn more about this alleged DragonForce cyberattack. However, at the time of writing, no official statement or response has been shared, leaving the claims of the DragonForce ransomware attack unverified. Interestingly, both victims' websites remain operational, showing no immediate signs of the cyberattacks. This discrepancy adds another layer of mystery to the unfolding situation. Moreover, along with the cyberattack post, the DragonForce ransomware group stated that it had access to 15.34 GB of data associated with Malone & Co. The hacker group has shared a deadline of 16 days before the data gets published. As for the second alleged victim, Watt Carmichael, the hacker group claims access to 27.3 GB of data, and no ransom deadline was shared. The threat actor, DragonForce, has used the same modus operandi to target similar victims in the past.

Who is the DragonForce Ransomware Group?

DragonForce, a hacktivist group hailing from Malaysia, is infamous for its relentless cyberattacks on government institutions and commercial entities, primarily in India. Their targets extend beyond geographical borders, with a particular focus on websites affiliated with Israel while advocating for pro-Palestinian causes. Utilizing a variety of tactics such as defacement attacks, distributed denial-of-service (DDoS) attacks, and data leaks, DragonForce demonstrates a high level of adaptability and sophistication in their operations. This versatility has enabled them to evolve their strategies over time, staying one step ahead of their adversaries. Embracing their role as vigilantes for the people, DragonForce Malaysia boldly proclaims its mission on various online platforms, including social media giants like Facebook, YouTube, and X (formerly Twitter). Through these channels, they amplify their voice, connecting with like-minded individuals and fostering a sense of community among Malaysian cybersecurity enthusiasts. Central to DragonForce's ideology is their staunch advocacy for the Palestinian cause. Their actions speak volumes, from high-profile hacks targeting Israeli networks to broadcasting messages of solidarity through unconventional mediums like TikTok. Despite their formidable capabilities, DragonForce does not operate in isolation. Collaborative efforts with other local hacker threat groups have been reported, highlighting the interconnected nature of the hacktivist groups.

CISA, FBI, and DHS Release Cybersecurity Blueprint for Civil Society


CISA, in collaboration with DHS, FBI, and international cybersecurity entities, has released a comprehensive guide aimed at bolstering cybersecurity for civil society organizations, particularly those facing heightened risks from state-sponsored cyber threats. The guide, titled "Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society," offers practical steps to enhance digital defenses for nonprofits, advocacy groups, academic institutions, journalists, and other high-risk groups. Talking about this cybersecurity plan for civil society organizations, Jen Easterly, Director of CISA, stated that threat actors aim to undermine democratic and humanitarian values upheld by civil society. “These high-risk community organizations often lack cyber threat information and security resources. With our federal and international partners, we are providing this resource to help these organizations better understand the cyber threats they face and help them improve their cyber safety,” added Easterly.

CISA, FBI, and DHS Collaborate to Support Cybersecurity for Civil Society

Civil society organizations play a crucial role in upholding democratic values, making them prime targets for malicious cyber activities orchestrated by state-sponsored actors. These threats, often originating from countries like Russia, China, Iran, and North Korea, include sophisticated tactics such as social engineering and spyware deployment. The security guide emphasizes proactive measures and best practices tailored to the unique challenges faced by civil society entities. Recommendations include regular software updates, the adoption of phishing-resistant multi-factor authentication, and the implementation of the principle of least privilege to minimize vulnerabilities. Furthermore, the guide stresses the importance of cybersecurity training, vendor selection diligence, and the development of incident response plans. It also offers guidance to individual members of civil society, advising on password security, privacy protection, and awareness of social engineering tactics. The release of this security guidance highlights a broader effort to empower high-risk communities with the knowledge and tools needed to safeguard against cyber threats. International collaboration, as evidenced by partnerships with entities from Canada, Estonia, Japan, and the United Kingdom, further enhances the effectiveness of these initiatives. John Scott-Railton, senior researcher at CitizenLab, emphasized the need for cybersecurity for civil societies on X (previously Twitter). Talking about this new initiative, John stated, “Historically law enforcement & governments in democracies have been achingly slow to recognize this issue and help out groups in need.” Despite some exceptions, the lack of prioritization has resulted in damages, including missed opportunities for accountability and diminished trust. “That's why I'm glad to see this @CISAgov & UK-led joint initiative come to fruition,” added John.

Aiming for Better Protection Against Cyber Threats

Government agencies and cybersecurity organizations worldwide have joined forces to support civil society against online threats. For instance, the FBI, in conjunction with its partners, aims to equip organizations with the capacity to defend against cyber intrusions, ensuring that entities dedicated to human rights and democracy can operate securely. “The FBI and its partners are putting out this guidance so that civil society organizations have the capacity to mitigate the threats that they face in the cyber realm,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. Similarly, international partners like Japan's National Center of Incident Readiness and Strategy for Cybersecurity and Estonia's State Information Authority stress the importance of collective action in addressing global cyber threats. These collaborations reflect a shared commitment to bolstering cybersecurity resilience on a global scale. The guide also provides valuable insights into the tactics and techniques employed by state-sponsored actors, enabling organizations to make informed decisions regarding cybersecurity investments and resource allocation. In addition to the guidance document, a range of resources and tools are available to assist high-risk communities in enhancing their cyber defenses. These include customized risk assessment tools, helplines for digital emergencies, and free or discounted cybersecurity services tailored to the needs of civil society organizations. By leveraging these resources and fostering international cooperation, civil society can better defend against cyber threats and continue their vital work in promoting democracy, human rights, and social justice. Through collective efforts and ongoing collaboration, the global community can build a more resilient and secure cyber environment for all.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Chrome Vulnerability Alert: Google’s Rapid Response to 6th Zero-Day Exploit


A new Google Chrome vulnerability has been uncovered and exploited, marking the sixth zero-day incident in 2024 alone. In response, Google swiftly released an emergency update to patch the issue. This latest Chrome vulnerability, identified as CVE-2024-4761, targets Chrome's V8 JavaScript engine, a crucial component responsible for executing JavaScript code within the browser. 

Decoding the New Google Chrome Vulnerability 

Specifically, the flaw involves an out-of-bounds write problem, a type of issue where a program oversteps its designated memory boundaries, potentially leading to unauthorized data access or even arbitrary code execution. Google acted promptly upon becoming aware of the exploit, rolling out updates to address the vulnerability across different platforms, including Mac, Windows, and Linux.  While the fix is being progressively deployed to users worldwide, those keen on ensuring their safety can manually check for updates by navigating to Settings > About Chrome and initiating the update process. This Chrome vulnerability follows closely on the heels of another zero-day exploit, CVE-2024-4671, which Google addressed just days prior. This recurrent pattern highlights the shift in vulnerability management where the most secure products are facing crises due to active exploitation by ransomware groups and dark web actors.

Multiple Zero-day Chrome Vulnerabilities

Notably, Google has refrained from divulging specific details regarding the exploits, a common practice aimed at preventing further exploitation until a majority of users have applied the necessary patches. Despite the lack of explicit details, the severity of these Google Chrome vulnerabilities is apparent, with Google's designation of an "emergency patch" signaling the urgency of the matter. The string of zero-day vulnerabilities identified in 2024 highlights the persistent efforts of threat actors to exploit weaknesses in popular software like Google Chrome. From out-of-bounds memory access to use-after-free issues, these vulnerabilities represent various avenues through which attackers can compromise user security. Several critical vulnerabilities have been identified in Google Chrome throughout the year 2024. These include CVE-2024-0519, an out-of-bounds memory access issue in the Chrome JavaScript engine discovered in January. In March, CVE-2024-2887, a type confusion flaw in WebAssembly, was demonstrated by Manfred Paul during Pwn2Own 2024, alongside CVE-2024-2886, a use-after-free problem in WebCodecs, highlighted by Seunghyun Lee. Additionally, CVE-2024-3159, another out-of-bounds memory access flaw in the V8 JavaScript engine, was showcased by Edouard Bochin and Tao Yan of Palo Alto Networks during the same event. Finally, in May, CVE-2024-4671, a use-after-free issue within the Visuals component, was uncovered, further emphasizing the ongoing challenges in securing the Chrome browser against various vulnerabilities.

Cybersecurity Alert: Frotcom International Faces Alleged Data Breach


A dark web actor named DuckyMummy claimed responsibility for an alleged data breach at Frotcom International, a prominent player in vehicle tracking and fleet management based in Carnaxide, Portugal. The Frotcom data breach, disclosed on Nuovo BreachForums, exposes a vulnerability in Frotcom's internal systems, potentially compromising sensitive information including GPS IMEI numbers, real-time vehicle tracking data, billing details, and customer account information.

Alleged Frotcom Data Breach Surfaces on Dark Web

DuckyMummy's post on the forum detailed the extent of the Frotcom data breach, indicating access to internal systems across more than 40 countries and over 5,000 companies. The compromised data encompassed a wealth of information crucial to Frotcom's operations, from GPS tracking data to customer billing information. As proof of their claims, the threat actor shared sample records showcasing live GPS vehicle information sorted by country and offered the compromised database for sale at a staggering price of USD 5,000.
“These days I have breached the company security, and I have dumped all information and got access to all internal systems of the company, more than 40 countries, more than 5,000 COMPANIES!” stated the hacker.
The Cyber Express has reached out to Frotcom for official confirmation and further details regarding the breach. However, as of the time of writing, no official statement or response has been received, leaving the claims surrounding the Frotcom data leak unverified.

Cyberattacks on Freight Companies 

The Frotcom data leak is not an isolated event and is a reminder of the growing threats faced by the transportation sector in an increasingly digitized world. With transportation systems becoming more reliant on interconnected digital technologies, they have become lucrative targets for cyber threat actors seeking to disrupt operations, extort sensitive data, or inflict financial harm. The ramifications of cyberattacks on transportation infrastructure are profound, ranging from supply chain disruptions to the compromise of sensitive passenger data. Recent incidents such as the ransomware attack on Japan's Port of Nagoya, which halted operations for two days, highlight the real-world impact of such breaches on global trade and commerce. Moreover, the nature of cyber threats poses a significant challenge to the transportation sector. Attack vectors are becoming increasingly diversified, with intrusions often originating from third-party supply chain partners or software vendors. Additionally, the rise of politically motivated threat actors further complicates the domain, as evidenced by the DDoS attacks on US airports claimed by Russian-speaking hackers. Looking back at historical events, cyber incidents targeting transportation infrastructure have resulted in widespread disruption and societal harm. From DDoS attacks on Czech railways and airports to ransomware incidents affecting Italian State Railways, these incidents highlight the vulnerability of transportation systems to malicious cyber activity.

Cybersecurity Concerns Surround ChatGPT 4o’s Launch; Open AI Assures Beefed up Safety Measure


The field of Artificial Intelligence is rapidly evolving, and OpenAI's ChatGPT is a leader in this revolution. This groundbreaking large language model (LLM) redefined the expectations for AI. Just 18 months after its initial launch, OpenAI has released a major update: GPT-4o. This update widens the gap between OpenAI and its competitors, especially the likes of Google. OpenAI unveiled GPT-4o, with the "o" signifying "omni," during a live stream earlier this week. This latest iteration boasts significant advancements across various aspects. Here's a breakdown of the key features and capabilities of OpenAI's GPT-4o.

Features of GPT-4o

Enhanced Speed and Multimodality: GPT-4o operates at a faster pace than its predecessors and excels at understanding and processing diverse information formats – written text, audio, and visuals. This versatility allows GPT-4o to engage in more comprehensive and natural interactions.

Free Tier Expansion: OpenAI is making AI more accessible by offering some GPT-4o features to free-tier users. This includes the ability to access web-based information during conversations, discuss images, upload files, and even utilize enterprise-grade data analysis tools (with limitations). Paid users will continue to enjoy a wider range of functionalities.

Improved User Experience: The blog post accompanying the announcement showcases some impressive capabilities. GPT-4o can now generate convincingly realistic laughter, potentially pushing the boundaries of the uncanny valley and increasing user adoption. Additionally, it excels at interpreting visual input, allowing it to recognize sports on television and explain the rules – a valuable feature for many users.

However, despite the new features and capabilities, the potential misuse of ChatGPT is still on the rise. The new version, though deemed safer than the previous versions, is still vulnerable to exploitation and can be leveraged by hackers and ransomware groups for nefarious purposes. Talking about the security concerns regarding the new version, OpenAI shared a detailed post about the new and advanced security measures being implemented in GPT-4o.

Security Concerns Surround ChatGPT 4o

The implications of ChatGPT for cybersecurity have been a hot topic of discussion among security leaders and experts as many worry that the AI software can easily be misused. Since its inception in November 2022, several organizations such as Amazon, JPMorgan Chase & Co., Bank of America, Citigroup, Deutsche Bank, Goldman Sachs, Wells Fargo and Verizon have restricted access or blocked the use of the program citing security concerns. In April 2023, Italy became the first country in the world to ban ChatGPT after accusing OpenAI of stealing user data. These concerns are not unfounded.

OpenAI Assures Safety

OpenAI reassured people that GPT-4o has "new safety systems to provide guardrails on voice outputs," plus extensive post-training and filtering of the training data to prevent ChatGPT from saying anything inappropriate or unsafe. GPT-4o was built in accordance with OpenAI's internal Preparedness Framework and voluntary commitments. More than 70 external security researchers red teamed GPT-4o before its release. In an article published on its official website, OpenAI states that its evaluations of cybersecurity do not score above “medium risk.” “GPT-4o has safety built-in by design across modalities, through techniques such as filtering training data and refining the model’s behavior through post-training. We have also created new safety systems to provide guardrails on voice outputs. Our evaluations of cybersecurity, CBRN, persuasion, and model autonomy show that GPT-4o does not score above Medium risk in any of these categories,” the post said. “This assessment involved running a suite of automated and human evaluations throughout the model training process. We tested both pre-safety-mitigation and post-safety-mitigation versions of the model, using custom fine-tuning and prompts, to better elicit model capabilities,” it added. OpenAI shared that it also employed the services of over 70 experts to identify risks and amplify safety. “GPT-4o has also undergone extensive external red teaming with 70+ external experts in domains such as social psychology, bias and fairness, and misinformation to identify risks that are introduced or amplified by the newly added modalities. We used these learnings to build out our safety interventions in order to improve the safety of interacting with GPT-4o. We will continue to mitigate new risks as they’re discovered,” it said.

Credibility in Question: Meesho Data Breach Claims Echo 2020 Leak


A threat actor using the alias qpwomsx has claimed responsibility for an alleged data breach affecting the popular Indian online shopping platform, Meesho. However, the legitimacy of this Meesho data breach is under scrutiny, as the threat actor seems to have reposted data from 2020 and only joined the platform in May 2024, raising questions about their credibility. On Nuovo BreachForums, qpwomsx displayed what they claimed was a database from Meesho, presenting snippets of data as proof. These excerpts, which included names, email addresses, and phone numbers, initially raised concerns. However, upon closer examination, a twist emerged: the sample records provided were identical to those from the 2020 IndiaMART database leak, which affected about 38 million user records. This discovery casts significant doubt on the credibility of qpwomsx's claims about a Meesho data breach.

Unconfirmed Meesho Data Breach Surfaces on Dark Web

The discrepancies didn't end there. The Cyber Express further analyzed the claims and found inconsistencies within the data itself. Specifically, discrepancies between names and associated phone numbers raised red flags. Given qpwomsx's brief tenure on the platform and apparent credibility issues, discerning the authenticity of the Meesho data breach becomes a daunting task. However, examining the stolen data paints a perplexing situation as the majority of the email addresses are valid and deliverable. Along with the emails, the data appears to be a compilation of personal information belonging to individuals, predominantly based in India. Alongside names, email addresses, and phone numbers, additional details such as location and workplace affiliations were also included. However, the presence of "null" values suggests potential gaps or inaccuracies within the dataset.

The IndiaMART Data Breach Link

The Cyber Express has reached out to the e-commerce giant to learn more about this alleged Meesho data leak. However, at the time of writing this, no official statement or response has been shared, leaving the claims for the data breach unverified. Moreover, parallels emerge between the purported Meesho breach and the 2020 IndiaMART data leak, which exposed sensitive information from over 40,000 suppliers. IndiaMART, a prominent business-to-business e-commerce platform, was also targeted in a cyberattack in 2020. Despite assertions from the company that only basic contact information is publicly available, cybersecurity researchers found an extensive exposure of sensitive data. Interestingly, the stolen data from the IndiaMART data leak is similar to the current Meesho data breach, raising concerns about the authenticity of the leak and the motives behind it. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Meesho data breach or any official confirmation from the Indian e-commerce giant.

Dark Web Hacker Claims to Expose 70K National Parent Teacher Association Records


The IntelBroker hacker has allegedly leaked a database belonging to the National Parent Teacher Association (PTA), a cornerstone of child advocacy in America since its establishment in 1897. The National Parent Teacher Association breach, which occurred in March, was posted by the threat actor on May 13, 2024. Over 70,000 records of registered users, comprising a wealth of sensitive data, were reportedly compromised in this PTA data breach. The leaked data, disclosed on Nuovo BreachForums, includes a trove of information ranging from personal identifiers to financial details.

Dark Web Hacker Discloses National Parent Teacher Association Breach 

Among the exposed data are insured data, college information, client lists, medical insurance records, and payment information. This PTA data breach not only poses a threat to the privacy and security of individuals but also raises concerns about the misuse of such sensitive information. The impact of this breach extends beyond the confines of the PTA itself, affecting individuals across the United States, particularly in the North American region. With PTA.org being the primary platform for engagement, the breach, if true, can have severe consequences. The post on BreachForums by the IntelBroker hacker, titled "Parent Teacher Association Database, Leaked - Download!" and timestamped May 13, 2024, provides insights into the extent of the PTA data breach. The threat actor proudly claims responsibility for the breach alongside an entity named GodLike. The data dump shared by IntelBroker reveals intricate details, including identifiers, addresses, contact information, and policy-related data.

Cyberattack on Educational Institutions

The Cyber Express reached out to the National Parent Teacher Association for clarification and response regarding the breach. However, at the time of writing this, no official statement or response has been received. Moreover, this isn’t the first time a student-centric organization was targeted in a cyberattack. Educational institutions, from K-12 schools to universities, store vast amounts of personal data, making them prime targets for cyberattacks. The educational sector witnessed a 258% surge in incidents in 2023, with 1,537 confirmed data disclosures, often attributed to vulnerabilities like MOVEit. Ransomware remains a major external threat, while internal risks stem from uninformed users and overworked staff. Attacks, primarily financially motivated, exploit the emotionally fraught nature of personal data exposure. Common attacks include data breaches, ransomware, BEC, DDoS, and online invasions. Recent high-profile attacks, like those on the University of Manchester and the University of California, highlight the urgent need for enhanced cybersecurity measures in educational institutions.

R00TK1T Group Intensifies Cyberattacks on Egyptian Firms After Clash with Anonymous Egypt


In the latest twist of the cyber warfare between the Anonymous Egypt group and R00TK1T hackers, the latter has turned up the heat on Egyptian soil, accusing the Anonymous Egypt group of content theft. In a dark web post, R00TK1T has vowed to intensify cyberattacks on Egypt, targeting major infrastructure and organizations within the nation. The retaliation was swift and severe, starting with cyber assaults on the Ministry of Supply and Internal Trade in Egypt and a prominent software company with operations in Egypt. The hacker used the same methods to target all the alleged victims and left several messages on their data leak channel, condemning the Anonymous Egypt group, stating, “Anonymous Egypt made a grave mistake thinking they could outsmart us. Now, it's time to show them the true power of our skills.”

R00TK1T's Cyberattacks on Egypt Post Anonymous Egypt Confrontation

In a declaration on the dark web, R00TK1T proclaimed, "Security Is Just An Illusion, Privacy Is Just Another Illusion." They warned of impending chaos, signaling their determination to disrupt the status quo. Their message resonated with defiance: "F*ck Society & The System! We Are R00TK1T Will Be Anywhere Anytime!" The Ministry of Supply and Internal Trade was among the first victims that allegedly fell prey to R00TK1T's infiltration, with the group proudly flaunting evidence of their access to the ministry's most secure networks. As images surfaced, showcasing the depth of their intrusion, it became clear that R00TK1T's retaliation was not against the hacker group but the whole of Egypt.

R00TK1T Cyberattacks Intensify

But these cyberattacks on Egyptian companies didn't end there. CorporateStack, a renowned company specializing in digital transformation solutions, also fell victim to an alleged cyberattack by the hacker group. With clients like Bentley, Vodafone, and Hexa, CorporateStack was a prime target for R00TK1T's message: no entity was beyond their reach. The group's infiltration into CorporateStack's systems sent a clear message to businesses operating in Egypt. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged cyberattacks on Egypt by the hacker group or any official confirmation from the organizations listed by R00TK1T hackers.

Alleged Hosocongty Data Breach Exposes Vietnamese Job Seekers


A dark web hacker, known as "makishimaaaa," has recently advertised a significant data breach on the Nuovo BreachForums. The compromised data originates from Hosocongty, a prominent Vietnamese job search platform. According to makishimaaaa's post on May 12, 2024, the hacker claims to have exfiltrated a PII (Personally Identifiable Information) database from the Hosocongty data breach in 2024. The database, offered for sale at the price of $320, contains approximately 160,000 records. These records include sensitive information such as company names, passwords, contact details, and various other personal identifiers. Interested buyers are instructed to contact the hacker privately, with the option of using escrow systems for transactions.

Hosocongty Data Breach Exposes Thousands of Job Seekers

Hosocongty.vn, the affected platform, serves as a crucial link between job seekers and employers across Vietnam. Its rapid growth highlights its significance in the country's job market. However, this data breach raises concerns about the security and privacy of the platform's users. Makishimaaaa's relatively low ransom demand and status as a new member of the hacking forum suggest a developing situation. The hacker joined the platform in March 2024 and has since posted 38 times. This calculated move indicates a deliberate attempt to minimize suspicion while maximizing profits from the stolen data. The compromised database contains a wealth of personal information, including company details, contact numbers, email addresses, and more. Makishimaaaa emphasizes the quality and active rate of the data, reassuring potential buyers of its reliability. However, the ethical implications of purchasing stolen data remain a cause for concern. The Cyber Express has reached out to the recruitment firm to learn more about this Hosocongty data breach. However, at the time of writing this, no official statement or response has been released, leaving the claims for the Hosocongty data leak unverified.

Cyberattack on the Recruitment Sector

The Hosocongty data breach is indicative of a broader trend of increasing cyberattacks on the recruitment sector. In February 2024, Das Team Ag, a prominent job placement agency in Switzerland and Liechtenstein, fell victim to the Black Basta ransomware group, highlighting the vulnerability of recruitment platforms. Cyber risks in the digital hiring process have intensified over the years, with cybercriminals targeting sites housing sensitive data, such as employment platforms. The surge in digitalization has exacerbated these threats, necessitating enhanced security measures across industries. Polymorphic attacks, phishing, and malware are among the most prevalent cyber threats facing the recruitment sector, posing risks to both job seekers and companies. As such, users of Hosocongty are urged to exercise vigilance and implement necessary security measures to safeguard personal information. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Hosocongty data breach or any official confirmation from the Vietnamese job portal.

Hacktivist Group R00TK1T ISC Claims Breach of Egyptian Ministry’s Systems


Hacktivist collective R00TK1T ISC CyberTeam has claimed responsibility for breaching the Ministry of Supply and Internal Trade in Egypt. The group's announcement, posted on their platform, boldly declares their successful infiltration into the ministry's systems, accompanied by purported evidence of their access to highly secure networks. These Ministry of Supply and Internal Trade breach claims come on the heels of previous announcements by R00TK1T ISC, including their intention to target the BreachForums and the subsequent closure of their official Telegram channel. The group cited security considerations for their shift back to operating in secrecy, leaving their private data channel as the sole means of communication for their activities.

Ministry of Supply and Internal Trade Breach Claims

The Cyber Express has tried reaching out to the Egyptian ministry to learn more about these alleged Ministry of Supply and Internal Trade data breach claims. However, efforts to verify the intrusion were hampered by communication difficulties, preventing direct contact with the ministry. As a result, the claims made by R00TK1T ISC remain unconfirmed. The website for the Ministry of Supply and Internal Trade seems to be operational at the moment and doesn’t show any immediate sign of the intrusion. The threat actor has shared several screenshots of the document pilfered through this intrusion. Talking about the Ministry of Supply and Internal Trade breach in their post, the threat actor said, “We have successfully hacked into The Ministry of Supply and Internal Trade in Egypt, showcasing our deep infiltration into their systems.”

R00TK1T ISC CyberTeam Hacking Spree

Meanwhile, in a separate incident on January 30, 2024, R00TK1T ISC CyberTeam launched an attack on Malaysia's digital infrastructure, further highlighting the global reach and impact of such malicious activities. Their claim to have accessed sensitive information from prominent companies like L'Oreal and Qatar Airways highlights the sophistication and persistence of cyber threats faced by businesses worldwide. In Egypt, the corporate sector has witnessed a surge in ransomware attacks in recent weeks, posing a significant risk to businesses across various industries. This escalating threat necessitates urgent action to bolster cybersecurity measures and mitigate potential damages. Amid ongoing political and security challenges in the Middle East, Egyptian businesses remain prime targets for cyberattacks, with ransomware emerging as a prevalent threat. The consequences of such attacks, including data loss and reputational damage, highlight the critical need for better defense mechanisms to safeguard against cyber threats.

Australia Faces Unprecedented Cyber Threats Amid Support for Ukraine


Following Australia's vocal support for Ukraine, the nation finds itself targeted by a Cyber Army Russia Reborn cyberattack. The recent alleged Distributed Denial of Service (DDoS) attacks targeted Australian entities, including two prominent organizations in Australia, Auditco and Wavcabs. The DDoS attacks, orchestrated by Cyber Army Russia Reborn, seem to be a response to Australia's solidarity with Ukraine. While the precise motives behind these attacks remain unclear, the timing suggests a correlation between Australia's stance and the cyber onslaught.

Cyber Army Russia Reborn Cyberattack Targets Australia

Wavcabs, a transportation service, and Auditco, an auditing company, were among the targets of these Cyber Army Russia Reborn cyberattacks. Wavcabs' online services were disrupted, with users encountering connection timeouts when attempting to access the website. Similarly, Auditco faced technical difficulties, as indicated by error code 522 on their site earlier. The Cyber Express has reached out to both organizations to learn more about this Cyber Army Russia Reborn cyberattack. Despite the severity of these cyber incidents, both Wavcabs and Auditco have not issued official statements regarding the attacks. The lack of response leaves the claims of Cyber Army Russia Reborn's involvement unverified, highlighting the complexity of attributing cyberattacks to specific actors.

Australia's Support for Ukraine

These assaults on Australian companies occur as the nation reaffirms its support for Ukraine. The Albanese Government's commitment to aiding Ukraine was recently reinforced with a $100 million assistance package. Deputy Prime Minister and Minister for Defence, Richard Marles, revealed the assistance during a visit to Ukraine, where he witnessed firsthand the impact of Russia's aggression. Australia's $100 million aid package to Ukraine includes $50 million for military assistance, prioritizing Australian defense industry support for uncrewed aerial systems and essential equipment. Another $50 million is designated for short-range air defense systems, alongside the provision of air-to-ground precision munitions. Amidst ongoing cyberattacks on Australia, the nation’s unwavering support for Ukraine highlights the complexities of modern warfare and the critical need for cybersecurity measures. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on these cyberattacks on Australian companies or any official confirmation from the listed organizations.

Cyberattack Paralyzes 4 Quebec CEGEPs: Classes and Exams Cancelled

A recent Cégep de Lanaudière cyberattack has paralyzed the education system, causing classes to grind to a halt and prompting exam cancellations, affecting around 7,000 students. The assailant, targeting the college network's servers, rendered Omnivox inaccessible – the primary digital platform for both faculty and student communication. Students logging into Omnivox were met with a disconcerting sight: a flood of images, some of them highly inappropriate. The affected CEGEPs – Lanaudière, L'Assomption, Joliette, and Formation Continue - remain suspended as cybersecurity experts mitigate the cyberattack on Cégep de Lanaudière.

Decoding the Cégep de Lanaudière Cyberattack 

In a Sunday communication to students and staff, college management emphasized the need for external cybersecurity expertise to investigate the attack's origins and, if feasible, patch the breach. "The investigation is ongoing. Data compromise is not a current concern," said Marilyn Sansregret, spokesperson for Cégep régional de Lanaudière, reported CBC. However, hopes for a swift resolution were dashed when students were informed on Tuesday evening that the class hiatus would extend until at least Friday. Sansregret affirmed that the IT department is working tirelessly to reinforce the college's digital defenses, but it is too early to anticipate a return to normalcy. The Cyber Express has sought a response from Cégep de Lanaudière regarding the cyberattack. However, at the time of writing, no official statement or response has been shared, leaving the identity of the threat actor unknown.

Cyberattacks on Education Institutions and Universities

Meanwhile, Academica Group weighed in on the crisis, highlighting the profound impact of the cyberattack. Cégep de Lanaudière temporarily closed its campuses in Joliette, L’Assomption, Terrebonne, and Repentigny as it grappled with the aftermath of the intrusion. While the full extent of the Cégep de Lanaudière cyberattack is unknown, a music school on the Joliette campus reported disruptions to essential services like lighting, heating, ventilation, and fire alarms. In a broader context, the surge in cyber assaults against educational institutions highlights the acute vulnerability of academic infrastructure to digital threats. Verizon's 2024 Data Breach Investigations Report reveals a staggering increase in attacks targeting the educational services sector. With ransomware emerging as a preeminent external threat and internal vulnerabilities compounding the security challenges in educational institutions, the need for preemptive cybersecurity measures cannot be overstated. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Cégep de Lanaudière cyberattack or any further information from the organization.

Lenovo Joins Secure by Design Pledge, Enhancing Cybersecurity Standards

Lenovo takes a bold step towards fortifying cybersecurity by joining the Secure by Design pledge, initiated by the US Cybersecurity and Infrastructure Security Agency (CISA). This collaborative endeavor, announced on May 8th, unites industry giants in a concerted effort to raise security standards across diverse tech sectors. With a comprehensive approach encompassing multi-factor authentication, vulnerability reduction, and robust supply chain security, Lenovo stands at the forefront of this initiative.

Lenovo Joins CISA’s Secure by Design Pledge

The Secure by Design pledge targets key facets of enterprise technology, including software products and services, on-premises solutions, cloud services, and SaaS features. Participating companies, including Lenovo, pledge to make tangible strides across seven core focus areas. These encompass critical aspects such as multi-factor authentication (MFA), default password protocols, vulnerability reduction, security patching, vulnerability disclosure policies, common vulnerabilities and exposures (CVE), and intrusion evidence. Doug Fisher, Lenovo's Chief Security Officer, expressed profound support for the pledge, emphasizing the critical importance of industry-wide collaboration in fortifying cybersecurity frameworks. "We commend CISA’s initiative to drive an industry-wide ‘secure by design’ pledge and welcome the opportunity to align our own well-established security by design approach with other industry best practices," stated Fisher. "It’s good for the industry that global technology leaders are able to share best practices, driving meaningful progress and accountability in security." Lenovo's commitment to the Secure by Design pledge dovetails seamlessly with its existing security protocols. The company boasts a robust security infrastructure encompassing best-in-class practices across product development, supply chain management, and privacy initiatives. These include the implementation of the Security Development Lifecycle, a vigilant Product Security Incident Response Team (PSIRT), and stringent global supply chain security measures. "Our pledge transcends geographies and benefits all our global customers who face the same industry-wide security challenges US CISA seeks to address, including continued alignment with emerging security regulations around the world," remarked Fisher, underlining Lenovo's global outlook towards cybersecurity enhancement.

Global Cybersecurity Initiative

Lenovo's proactive stance positions it as a pioneer among the initial group of 68 companies committing to the Secure by Design pledge. These companies range from tech titans like Amazon Web Services, Cisco, Google, IBM, Microsoft, Palo Alto Networks, and Trend Micro to cybersecurity specialists such as Claroty, CrowdStrike, Cybeats, Finite State, Forescout, Fortinet, Rapid7, SentinelOne, Sophos, Tenable, Trend Micro, and Zscaler, all of which have endorsed the Secure by Design pledge. The Secure by Design pledge highlights a voluntary commitment to advancing security measures within enterprise software realms, aligning with CISA’s overarching principles. While physical products like IoT devices and consumer goods fall outside the pledge's scope, participating companies pledge to diligently pursue the outlined goals over the ensuing year. Furthermore, the pledge encourages radical transparency, urging manufacturers to publicly document their progress and challenges encountered. This fosters a culture of accountability and knowledge sharing within the cybersecurity domain. In acknowledging the diversity of approaches, the pledge empowers software manufacturers to devise bespoke strategies tailored to their product portfolios. Companies exceeding the outlined goals are encouraged to share their methodologies, fostering an environment of continuous improvement and innovation.

Cybersecurity Alert: F5’s Next Central Manager Under Attack by Remote Exploits

Security researchers have revealed new critical vulnerabilities in F5’s Next Central Manager, posing severe risks to organizational cybersecurity. These Next Central Manager vulnerabilities allowed attackers to exploit the Central Manager remotely, gaining full administrative control over the device. Subsequently, attackers could create unauthorized accounts on any F5 assets managed by the Central Manager, remaining undetected within the system. The vulnerabilities, collectively known as the "F5 Next Central Manager vulnerability," were first identified by security researchers from Eclypsium. They disclosed their findings to F5, which subsequently assigned CVE identifiers CVE-2024-21793 and CVE-2024-26026 to the reported vulnerabilities.

Understanding the Next Central Manager Vulnerabilities

F5 promptly responded to the Next Central Manager vulnerabilities in software version 20.2.0, urging organizations to upgrade to the latest version immediately to mitigate potential risks. However, it's crucial to note that while five vulnerabilities were reported, CVEs were only assigned to two of them. The Next Central Manager serves as the centralized point of control for managing all tasks across the BIG-IP Next fleet. Despite F5's efforts to enhance security with the Next generation of BIG-IP software, these vulnerabilities highlight the persistent challenges in safeguarding network and application infrastructure. The vulnerabilities enabled attackers to exploit various aspects of the Central Manager's functionality. For instance, one vulnerability allowed attackers to inject malicious code into OData queries, potentially leading to the leakage of sensitive information, including administrative password hashes. Another vulnerability involved an SQL injection flaw, providing attackers with a means to bypass authentication measures.

Technical Details and Responses to Next Central Manager Vulnerabilities

Furthermore, an undocumented API vulnerability facilitated Server-Side Request Forgery (SSRF) attacks, enabling attackers to call API methods on any BIG-IP Next device. This allowed them to create unauthorized accounts on individual devices, evading detection by the Central Manager. Additionally, inadequate Bcrypt cost and a flaw allowing administrators to reset their passwords without prior knowledge posed further security risks. These weaknesses significantly lowered the barrier for attackers to compromise the system and maintain unauthorized access. The implications of these vulnerabilities were profound, as they could be exploited in various attack scenarios. Attackers could exploit the vulnerabilities to gain administrative control, manipulate account credentials, and create hidden accounts on managed devices, undermining the integrity and security of the entire network infrastructure. In response to these findings, security experts emphasized the importance of proactive security measures and vigilant monitoring of management interfaces. They advised organizations to enforce access control policies and adopt a zero-trust approach to mitigate the risks associated with such vulnerabilities.

(SOLD) IntelBroker Traded $20K Crypto For Alleged Unauthorized Cybersecurity Company Access

IntelBroker has claimed a massive breach and has now sold the alleged access to a cybersecurity entity with a hefty annual revenue of USD 1.8 billion. The threat actor traded the access for USD 20,000 in XMR or ETH to an unknown entity on a dark web forum. The initial offer touted access to a trove of sensitive information, including SSL keys, SMTP access, PAuth/Pointer Authentication, and various login credentials. Despite the lack of concrete evidence, a conversation surfaced on social media platforms purportedly involving IntelBroker, further fueling speculation. While the forum post rumors hinted at the US-based cloud security giant, Zscaler Inc., the actual target remains unconfirmed due to the absence of corroborating proof. However, Zscaler's recent security update on its website hints at a possible connection between the two events.

Alleged Zscaler Data Breach Threatens the Cybersecurity Community

The gravity of the alleged Zscaler data breach escalated when rumors emerged surrounding a possible breach within the organization's infrastructure. Allegations circulated that a threat actor was peddling access to the company's systems. In response, Zscaler swiftly took its "test environment" offline for analysis, aiming to ascertain the authenticity of the claims. However, the current update from the hacker stated that the unauthorized access has now been sold. Apart from the update, no further information was provided on the receiver who allegedly purchased the unauthorized access for USD 20,000. Zscaler has updated its security page, stating, "Zscaler continues to investigate and reiterates there is no impact or compromise to our customer, production, and corporate environments. During the afternoon of May 8, we engaged a reputable incident response firm that initiated an independent investigation. We continue to monitor the situation and will provide additional updates through the completion of the investigation". Initially, Zscaler reassured stakeholders that their investigation yielded no evidence of compromise within their customer or production environments. However, concerns persisted as discussions around the purported Zscaler data breach proliferated online. Users on various platforms debated the authenticity of the claims, with some expressing skepticism while others confirmed the breached organization is the cybersecurity giant.

Zscaler Responds to the Alleged Breach Claims 

Amid the uncertainty, Zscaler remained positive, emphasizing its commitment to safeguarding customer and production environments. Updates from Zscaler's Trust site reiterated their dedication to thorough investigation and transparency. While it confirmed the discovery of an isolated test environment exposed to the internet, they highlighted its lack of connectivity to critical systems and absence of customer data. Talking about the rumors, Zscaler stated that the organization is aware of the claims and they are currently investigating the data. “Zscaler is aware of a public X (formerly known as Twitter) post by a threat actor claiming to have potentially obtained unauthorized information from a cybersecurity company. There is an ongoing investigation we initiated immediately after learning about the claims. We take every potential threat and claim very seriously and will continue our rigorous investigation”, added Zscaler. 

Who is IntelBroker?

IntelBroker is a solo hacker who gained infamy in 2023 for breaching Weee! and leaking data of 11M customers. Allegations hint at its connection to Iranian state entities, though IntelBroker denies it, claiming independence from Serbia. The hacker's focus on US defense suggests state cooperation. In an exclusive interview with The Cyber Express, the hacker shared information about these operations and himself as a person. Instead of being a full-fledged member of a ransomware group, IntelBroker has been working alone but has collaborated with other hackers in the industry. IntelBroker's targets span national security, government, critical infrastructure, and commerce sectors, executing extensive data breaches without traditional ransomware tactics. The hacker's methods include exploiting vulnerabilities and utilizing the "Endurance-wiper" tool. Transactions predominantly occur in XMR cryptocurrency, ensuring anonymity. The hacker's breaches extend to companies like Razer, AT&T, and Verizon, sparking debates on corporate cybersecurity practices. Despite lucrative gains, IntelBroker advocates transparency in reporting breaches to maintain credibility.

UK-Based Digital Signing Platform SigningHub Denies Cyberattack by IntelBroker

SigningHub has denied the allegations of a cyberattack orchestrated by the IntelBroker hacker. The UK-based online document signing and digital signature creation service provider has shared a blog post detailing the false claims made by the threat actor. The organization stated that "this claim has been found to be 100% false", and upon analysis of the file purported to be the source code of Ascertia SigningHub, the organization stated that the file does not include any source code or executable related to SigningHub or any other Ascertia product. The SigningHub data leak, initially posted on the new BreachForums, shared insights into the operation of the organization. IntelBroker, a known entity in the hacker community, revealed the breach on May 8, 2024, shedding light on an incident that allegedly occurred in December 2023. The leaked source code encompasses crucial elements of SigningHub's infrastructure, including API services, docker container files, certificates, libraries, and other sensitive data.

Ascertia Denies Allegations of the SigningHub Data Leak

Following the SigningHub data leak claims, Ascertia responded to the claims via a blog post, stating the SigningHub data breach and source code leak to be false. Allegations arose on May 8th via Twitter/X, claiming unauthorized access to Ascertia's network in December 2023. After thorough investigation, Ascertia confirmed no breach or access to SigningHub's source code. The file posted online purported to be SigningHub's source code was analyzed, revealing no related content. "The Ascertia IT team simultaneously began a thorough investigation of the Ascertia network security systems and logs. At this time, Ascertia can confirm that there is no unauthorised access from bad actors and has concluded that the claims of a data breach are also false", stated Ascertia. Simultaneously, Ascertia's IT team examined network security systems and logs, confirming no unauthorized access. Ascertia emphasizes its dedication to information security, GDPR compliance, and robust security measures. Ongoing analysis of network access points and systems ensures product, staff, and client data security.

IntelBroker Claims SigningHub Data Leak

The announcement of the SigningHub data breach paints a grim picture of the intrusion and its alleged impact. The post, titled "SigningHub - File Signing SRC Leaked, Download!", was shared by the threat actor while other users commended the hacker for this intrusion, stating the SigningHub code leak was “another great hit”, “top release” and other words of praise. The Cyber Express has reached out to Ascertia to learn more about this SigningHub data leak. However, at the time of writing this, no official statement or response has been shared apart from the blog post by the parent company Ascertia. In an attempt to shed light on the operation associated with the hacker, The Cyber Express reached out to IntelBroker for insights into their motivations and methods. In a recent interview, IntelBroker shared details of their hacking journey, affiliations, and previous exploits, highlighting the scale and sophistication of their operations.

The IntelBroker Modus Operandi and Recent Attacks

IntelBroker's track record includes a series of high-profile breaches targeting organizations across various sectors, ranging from aviation and technology to government agencies. Notable breaches attributed to IntelBroker include infiltrations at the Los Angeles International Airport, Acuity, General Electric, DC Health Link, and others, each revealing the extent of vulnerabilities in digital infrastructure. The alleged breach at SigningHub adds another layer of complexity to the IntelBroker operations as the hacker has claimed multiple data breaches in 2024, highlighting the pressing issue of security. The Cyber Express will be closely monitoring the situation and we’ll update this post once we have more information on the SigningHub source code leak or any official confirmation from the organization.

Hacker Duo Allegedly Strikes HSBC, Barclays in Cyberattacks

Hackers IntelBroker and Sanggiero have claimed a data breach allegedly impacting HSBC Bank and Barclays Bank. The HSBC Bank data breach, along with the breach at Barclays reportedly occurred in April 2024, involving a security incident through a third-party contractor, ultimately leading to the leak of sensitive data.  The compromised data, which was being offered for sale on Breachforums, allegedly includes a wide array of files such as database files, certificate files, source code, SQL files, JSON configuration files, and compiled JAR files. Preliminary analysis suggests that the data may have been sourced from the services provided by Baton Systems Inc., a post-trade processing platform, potentially impacting both HSBC Bank and Barclays Bank. However, Baton Systems has not shared any update on this alleged attack or any connection with the sample data provided by the threat actor.

Hacker Duo Claims Barclays and HSBC Bank Data Breach

Barclays Bank PLC and The Hong Kong and Shanghai Banking Corporation Limited (HSBC) are the primary organizations reportedly affected by this breach. With the banks' operations spanning the United Kingdom, United States, and regions including Europe and North America, the threat actor threatens the banking systems and probably targets customers' data; however, there has been no evidence of such data getting leaked. In a post on Breachforums, one of the threat actors, IntelBroker, shared details of the Barclays and HSBC Bank data breach, offering the compromised data for download. The post, dated May 8, 2024, outlined the nature of the breach and the types of data compromised, including database files, certificate files, source code, and more. The post also provided a sample of the leaked data, revealing a mixture of CSV data representing financial transactions across different systems or entities.
While talking about the stolen data, IntelBroker stated that he is "uploading the HSBC & Barclays data breach for you to download. Thanks for reading and enjoy! In April 2024, HSBC & Barclays suffered a data breach when a direct contractor of the two banks was breached. Breached by @IntelBroker & @Sanggiero".

A Closer Look at the Sample Data 

A closer look at the sample data reveals three distinct datasets, each containing transaction records with detailed information about financial activities. These records encompass a range of information, from transaction IDs and timestamps to descriptions and account numbers involved. The datasets provide a comprehensive view of various transactions, offering valuable insights for financial analysis and tracking. The Cyber Express has reached out to both the banks to learn more about these alleged data breaches. HSBC Bank has denied these allegations about the breach, stating, "We are aware of these reports and confirm HSBC has not experienced a cybersecurity incident and no HSBC data has been compromised.” However, at the time of writing this, no official statement or response has been shared by Barclays, leaving the claims of the data breach related to Barclays unverified. Moreover, the two hackers in question, IntelBroker and Sanggiero, have claimed similar attacks in the past, targeting various global organizations. In an exclusive interview with The Cyber Express, one of the hackers, IntelBroker, shed light on their hacking activities and the motivations behind their operations. IntelBroker had also praised Sanggiero from BreachForums for “his exceptional intellect and understated contributions to the field are deserving of far greater recognition and respect.”

The CyberPower UPS Vulnerability Threatening Critical Systems Across Sectors

A new UPS management vulnerability in CyberPower Uninterrupted Power Supply (UPS) management software has been uncovered, revealing multiple flaws that have serious implications for the security of vital systems across various sectors. The utilization of UPS management software spans a wide array of sectors, ranging from data centers to healthcare facilities and government agencies. Its role in maintaining uninterrupted operations is crucial, making any vulnerability in such software a matter of utmost concern.

Understanding the CyberPower UPS Management Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA), a key entity responsible for safeguarding critical infrastructure in the United States, has issued alerts highlighting the increased interest of hacktivist groups in targeting internet-exposed Industrial Control Systems (ICS) devices. Cyble Research and Intelligence Labs (CRIL) also shared an elaborate report on the rise of hackers exploiting UPS management systems to target unsuspecting victims.
“CRIL researchers speculate that threat actors could soon leverage the critical vulnerabilities disclosed in PowerPanel in upcoming campaigns. With the potential for exploitation looming, urgent attention to patching and mitigation measures is imperative to preemptively thwart any attempts to exploit these weaknesses”, said CRIL.
For this CyberPower UPS vulnerability, the official report details critical information about the flaw and the mitigation strategies, including opting for the latest patch updates across multiple devices. PowerPanel is a UPS management software designed to offer advanced power management capabilities for various critical systems such as Uninterrupted Power Supply, Power Distribution Units, and Automatic Transfer Switches. Its features include real-time monitoring, remote management, event logging, automatic shutdown, and energy management, among others, providing organizations with the tools needed to ensure continuous power availability and optimize energy usage.

Overview of the UPS Management Vulnerability

The disclosed vulnerabilities in PowerPanel Business Software, version 4.9.0 and prior, present a technical risk to system integrity and security. These vulnerabilities range from the use of hard-coded passwords and credentials to active debug code and SQL injection flaws. Exploitation of these vulnerabilities could potentially allow attackers to bypass authentication, gain administrator privileges, execute arbitrary code, and compromise sensitive data. Past incidents involving cyberattacks on UPS systems highlight the potential consequences of such vulnerabilities. Groups like GhostSec and TeamOneFist have targeted UPS systems in various campaigns, demonstrating the disruptive capabilities of such attacks. While the impact of these incidents may vary, the direct access to UPS systems by attackers remains a critical concern. Addressing the vulnerabilities in PowerPanel Business Software requires a proactive approach, including timely patching and implementation of mitigation measures. Organizations are advised to implement robust patch management strategies, conduct regular security audits and penetration testing, and enhance user awareness. Additionally, measures such as network segmentation and the use of Multi-Factor Authentication (MFA) can help bolster defenses against potential attacks.

Data Breach Victim Initiates Class Action Lawsuit Against J.P. Morgan for Security Lapses

A class action lawsuit has been filed against J.P. Morgan Chase & Co., alleging that the financial giant failed to implement adequate security measures, leading to the exposure of sensitive personal data of its clients. Benjamin Valentine, a former employee of the Long Island Railroad, filed a complaint alleging that his personal information was improperly obtained in a recent J P Morgan data breach that compromised the accounts of thousands of users.

J P Morgan Data Breach Compromised Thousands of Users

According to documents filed in the U.S. District Court for the Southern District of New York on May 3, Valentine's case is detailed in a Class Action Complaint (Case 1:24-cv-03438-JLR). The lawsuit contends that J.P. Morgan, a significant player in the financial industry offering a wide array of services to millions of customers, failed to adequately safeguard the personal information of its clients' employees, resulting in substantial harm. Valentine's complaint outlines how J.P. Morgan collected and maintained sensitive personally identifiable information (PII) of its clients' employees, including names, addresses, payment details, and Social Security numbers. This information, crucial for financial transactions and security, was compromised in the J P Morgan data breach and fell into the hands of cybercriminals. The lawsuit asserts that as a consequence of the breach, Valentine and approximately 451,000 other affected individuals suffered tangible damages, including invasion of privacy, identity theft, and the loss of trust and value in their personal information. Moreover, the breach exposed them to ongoing risks of fraud and further misuse of their data.

The Legal Action on J P Morgan

The legal action further alleges that J.P. Morgan's failure to implement adequate cybersecurity measures and its reckless handling of sensitive data contributed directly to the breach. Despite claims by J.P. Morgan that the breach was not the result of a cyberattack, the lawsuit argues that the company's negligence made it a target for such malicious activities. Valentine's complaint highlights J.P. Morgan's purported lack of transparency and timely notification regarding the breach, leaving affected individuals uninformed about the root cause and remedial actions taken. This, the lawsuit claims, exacerbates the emotional and financial distress experienced by victims. The Cyber Express has reached out to the organization to learn more about this J P Morgan data leak. However, J.P. Morgan has not provided an official statement regarding the cyber incident. Following the incident, a regulatory filing revealed that the breach stemmed from a software issue, which the company addressed promptly upon discovery. Valentine seeks various forms of relief through the lawsuit, including compensation for damages, injunctive relief, and reimbursement of legal fees. He is represented by the law firm Milberg Coleman Bryson Phillips Grossman LLC, based in Garden City, New York. As the legal proceedings unfold, The Cyber Express will be closely monitoring the situation and we’ll update this post once we have more information on the data breach or any new updates about the lawsuit.

LockBit Ransomware Targets Wichita City Following Unmasking of Group Leader

Despite the major collaborative effort by law enforcement agencies resulting in the exposure and sanctioning of Dmitry Yuryevich Khoroshev, the Russian national thought to be at the helm of LockBit's widespread hacking operations, the hacker group shows no signs of ceasing its activities. LockBit has reportedly launched a cyberattack on Wichita, Kansas, targeting state government and various local entities. The news of the Wichita cyberattack emerged on LockBit's previously inactive platforms, which were reactivated after the shutdown of their official website.

Cyberattack on Wichita Post LockBit Leader Arrest

The Wichita cyberattack targeted the official website (wichita.gov), prompting concerns over the security of critical municipal systems. While the ransomware group has not yet released any compromised data, they have set a deadline of May 15, 2024, for its publication. The announcement by LockBit ransomware follows closely on the heels of an earlier notification by the city of Wichita regarding a ransomware attack on May 5, 2024, although the responsible ransomware gang was not initially disclosed. Wichita, the largest city in the state of Kansas, serves as the county seat of Sedgwick County and is a populous urban center in the region. The Cyber Express has reached out to the state government to learn more about this cyberattack on Wichita. At the time of writing, no official statement or response has been received. The city of Wichita has, however, reported a ransomware attack that targeted various government and private organizations within the city.

Security Update from Wichita: Ransomware Group Remains Unnamed!

According to a press release by the city of Wichita, the recent posts from the state's Cyber Security Incident Update indicate ongoing efforts by the city's information technology department and security partners to address the cyberattack. “Many City systems are down as security experts determine the source and extent of the incident. There is no timetable for when systems could be coming back online. We appreciate your patience as we work through this incident as quickly and as thoroughly as possible”, reads the official press release. In the meantime, various city services and amenities have been impacted by the cyber incident, prompting adjustments to normal operations. Water systems remain secure and functional, with provisions in place for those experiencing difficulties paying bills or facing water shut-offs. Transit services, city vendors, park and recreation facilities, licensing procedures, and municipal court operations have all been affected to varying degrees, necessitating alternative arrangements such as cash payments and in-person transactions. Similarly, services provided by cultural institutions, resource centers, planning departments, and housing and community services are also subject to modifications and delays as the city works to address the cyberattack. The city's airport and library services have experienced disruptions to Wi-Fi access and digital infrastructure, although essential operations continue with minimal impact on services provided to the public. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the cyberattack on Wichita or any new updates from the government.

Attackers Leverage TunnelVision Vulnerability to Expose User Data

A new VPN vulnerability has emerged on the internet, compromising the very essence of online privacy and data protection. The TunnelVision vulnerability, lurking within VPN applications since 2002, has the potential to render VPN connections useless, leaving users vulnerable to data interception and snooping by malicious actors. The TunnelVision vulnerability represents a sophisticated method of breaching VPN encryption, allowing attackers to intercept and snoop on unencrypted traffic while masquerading under the guise of a secure VPN connection. The emergence of this flaw, detailed in a comprehensive report by Leviathan Security, highlights the exploitation of a longstanding vulnerability within the Dynamic Host Configuration Protocol (DHCP), specifically targeting option 121, a mechanism intended for configuring static routes on client systems.

Decoding the TunnelVision Vulnerability

The modus operandi of attackers involves the setup of rogue DHCP servers strategically positioned to intercept VPN traffic. By manipulating routing tables, all VPN-bound data is diverted away from the encrypted tunnel, exposing it to interception on local networks or malicious gateways. Leviathan Security's report shed light on a phenomenon known as "decloaking," where VPN traffic is stripped of its encryption, leaving it vulnerable to interception. Despite the presence of VPN control channels and kill switches, these defenses prove ineffective against TunnelVision, leaving users unaware of the breach and their data exposed. The implications of this VPN vulnerability are profound, especially for individuals reliant on VPNs for sensitive communications, such as journalists and whistleblowers. Urgent action is needed to address this issue and safeguard the integrity of VPN connections.

Mitigation Against the TunnelVision VPN Vulnerability

Proposed solutions include the adoption of network namespaces, a technique employed by known protocols to mitigate similar vulnerabilities. By segregating interfaces and routing tables, network namespaces offer a promising avenue for protecting VPN traffic from interception. Understanding the underlying mechanisms of DHCP, VPNs, and networking is crucial in comprehending the full extent of TunnelVision's impact. DHCP, initially designed to dynamically allocate IP addresses, now serves as a gateway for attackers to exploit vulnerabilities in VPN connections. Additionally, the implementation of DHCP option 121 routes opens up avenues for attackers to manipulate routing tables and compromise VPN security. Mitigation efforts must prioritize the identification and rectification of these vulnerabilities to ensure the continued efficacy of VPNs in safeguarding user data. The implications of TunnelVision extend beyond geographical location, as it has the ability to expose data from almost any country with access to an internet connection.
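To make the option 121 mechanism concrete from the defender's side, the following added example (not code from Leviathan Security's report or from The Cyber Express) parses an option 121 payload in the RFC 3442 classless-static-route encoding and flags pushed routes that would out-rank a VPN's default route under longest-prefix matching. The sample payload, the interface names tun0 and eth0, and the "non-local prefix" heuristic are assumptions made for illustration.

```python
"""Parse DHCP option 121 (RFC 3442) and flag routes that can bypass a VPN default route."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Address space a LAN DHCP server can plausibly need to route (heuristic, assumed here):
# RFC 1918 private ranges, link-local, and carrier-grade NAT.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10",
)]

# Constructed sample option body (not captured traffic):
#   0.0.0.0/1 and 128.0.0.0/1 via 192.168.1.1, 10.20.0.0/16 via 192.168.1.254,
#   and the ordinary default route 0.0.0.0/0 via 192.168.1.1.
SAMPLE_OPTION_121 = bytes.fromhex(
    "0100c0a80101" "0180c0a80101" "100a14c0a801fe" "00c0a80101"
)


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    router: ipaddress.IPv4Address


def parse_option_121(payload: bytes) -> list[Route]:
    """Decode repeated (prefix length, significant destination octets, 4-byte router)."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"invalid prefix length {width} at offset {i}")
        n = (width + 7) // 8  # only the significant octets of the destination are sent
        end = i + 1 + n + 4
        if end > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = int.from_bytes(payload[i + 1:i + 1 + n] + bytes(4 - n), "big")
        network = ipaddress.IPv4Network((dest, width), strict=False)
        router = ipaddress.IPv4Address(payload[i + 1 + n:end])
        routes.append(Route(network, router))
        i = end
    return routes


def risky_routes(routes: list[Route]) -> list[Route]:
    """Routes more specific than 0.0.0.0/0 that cover non-local address space.

    Such a route wins longest-prefix matching against a VPN's default route,
    so matching traffic leaves on the physical interface instead of the tunnel.
    """
    flagged = []
    for route in routes:
        if route.destination.prefixlen == 0:
            continue  # a plain default route does not out-rank the VPN by specificity
        if not any(route.destination.subnet_of(net) for net in LOCAL_RANGES):
            flagged.append(route)
    return flagged


def egress_interface(dst: str, table: list[tuple[ipaddress.IPv4Network, str]]) -> str:
    """Pick the outgoing interface by longest-prefix match, as a routing table does."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in table if addr in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    parsed = parse_option_121(SAMPLE_OPTION_121)
    for r in risky_routes(parsed):
        print(f"ALERT: DHCP pushed {r.destination} via {r.router}")
    table = [(ipaddress.ip_network("0.0.0.0/0"), "tun0")]
    table += [(r.destination, "eth0") for r in parsed if r.destination.prefixlen]
    print("egress for 203.0.113.5:", egress_interface("203.0.113.5", table))
```

The same check can be run against option 121 bytes taken from a DHCP client's lease log or a packet capture of the DHCPACK.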

Hackers Exploit WP-Automatic Plugin Vulnerability, Threatening WordPress Site Security

Hackers have homed in on a critical WP-Automatic plugin vulnerability, aiming to infiltrate WordPress websites by creating unauthorized admin accounts, according to recent reports. The flaw, identified in versions preceding 3.9.2.0 of the WP Automatic plugin, has prompted cybersecurity experts to issue urgent warnings to website owners and administrators. The vulnerability, flagged under the identifier "CVE-2024-27956," has been characterized as a high-severity issue with a CVSS score of 9.8. It pertains to a SQL injection flaw within the plugin's user authentication mechanism, which essentially enables threat actors to circumvent security measures and gain administrative privileges.

Decoding WP-Automatic Plugin Vulnerability

Exploiting this vulnerability grants hackers the ability to implant backdoors within websites, ensuring prolonged unauthorized access. Reports indicate that hackers have been actively exploiting this vulnerability, capitalizing on the widespread use of the WP Automatic plugin across more than 30,000 websites. The exploit allows them to execute various malicious activities, including the creation of admin accounts, uploading of corrupted files, and executing SQL injection attacks. Cybersecurity researchers have observed a surge in exploit attempts, with over 5.5 million recorded attacks since the vulnerability was publicly disclosed. The threat landscape escalated rapidly, peaking on March 31st, underscoring the urgency for website owners to take immediate action to secure their online assets.

The Technical Side of the WP-Automatic Plugin Vulnerabilities

The Automatic plugin, developed by ValvePress, faces a serious challenge, since the vulnerability affects thousands of users who downloaded the plugin through WordPress and other WP plugin markets. The vulnerability stemmed from the inc/csv.php file, which allowed unauthenticated users to supply and execute arbitrary SQL queries. Although the file performed initial checks using the wp_automatic_trim() function, bypassing them was feasible by providing an empty string as the authentication parameter ($auth) and crafting the MD5 hash of the SQL query to subvert integrity checks. A further vulnerability lay in the downloader.php file, where unauthenticated users could provide arbitrary URLs or even local files via the $_GET['link'] parameter for fetching through cURL. This flaw facilitated server-side request forgery (SSRF) attacks. To mitigate the vulnerabilities, the vendor enacted several measures. For the SQL Execution vulnerability, the entire inc/csv.php file was removed. For the File Download and SSRF vulnerability, a nonce check was implemented, coupled with validation checks on the $link variable.

Mitigation Against the WP-Automatic Plugin Vulnerability

To safeguard against potential compromises, cybersecurity analysts recommend the following measures. Regularly updating the WP-Automatic plugin to its latest version is crucial to patch known vulnerabilities and bolster security measures. Regular audits of WordPress user accounts help identify and remove unauthorized or suspicious admin users, reducing the risk of unauthorized access. Employing robust security monitoring tools aids in detecting and responding promptly to malicious activities, improving threat detection capabilities. It's essential to maintain up-to-date backups of website data to enable swift restoration in case of compromise, minimizing downtime and data loss. Website administrators should watch out for indicators of compromise, including admin accounts with names starting with "xtw," renamed vulnerable file paths, and dropped SHA1 hashed files in the site's filesystem. The exploitation of WP-Automatic plugin vulnerabilities highlights the ongoing cybersecurity threats within WordPress ecosystems. By promptly implementing suggested mitigations and staying alert for potential indicators of compromise, website owners can strengthen their defenses against malicious actors aiming to exploit these vulnerabilities.
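The indicator sweep described above can be scripted. This is an added example, not code from the plugin vendor or from the article's sources: it checks an exported list of WordPress users for administrator accounts whose login starts with "xtw" and walks a site directory for files named after a SHA1 digest. The user-record fields (user_login, roles), the sample accounts, and the reading of "SHA1 hashed files" as files whose base name is 40 hexadecimal characters are assumptions.

```python
"""Sweep a WordPress site for the WP-Automatic compromise indicators named above."""
from __future__ import annotations

import os
import re

ADMIN_PREFIX = "xtw"                      # indicator taken from the article
SHA1_NAME = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)  # assumed meaning of "SHA1 hashed files"

# Constructed sample of exported user records (field names are assumptions).
SAMPLE_USERS = [
    {"user_login": "site-owner", "roles": "administrator"},
    {"user_login": "xtw-constructed-01", "roles": "administrator"},
    {"user_login": "XTW-constructed-02", "roles": ["administrator", "editor"]},
    {"user_login": "xtwreader", "roles": "subscriber"},
]


def _roles(record: dict) -> list[str]:
    """Accept roles as a list or as a comma-separated string."""
    roles = record.get("roles", [])
    if isinstance(roles, str):
        roles = roles.split(",")
    return [r.strip().lower() for r in roles]


def suspicious_admins(users: list[dict]) -> list[str]:
    """Administrator logins that start with the 'xtw' prefix (case-insensitive)."""
    hits = [
        u["user_login"]
        for u in users
        if "administrator" in _roles(u)
        and u.get("user_login", "").lower().startswith(ADMIN_PREFIX)
    ]
    return sorted(hits)


def sha1_named_files(root: str) -> list[str]:
    """Paths (relative to root) of files whose base name is 40 hex characters.

    Legitimate cache or upload tooling may also produce such names, so every hit
    needs manual review before anything is deleted.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, _ext = os.path.splitext(name)
            if SHA1_NAME.match(stem):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def sweep(users: list[dict], root: str) -> dict:
    """Combine both checks into one report for triage."""
    report = {"admins": suspicious_admins(users), "files": sha1_named_files(root)}
    report["needs_review"] = bool(report["admins"] or report["files"])
    return report


if __name__ == "__main__":
    import sys
    site_root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(sweep(SAMPLE_USERS, site_root))
```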

Thoma Bravo Acquires UK Cybersecurity Leader Darktrace in $5.3 Billion Deal

American private equity firm Thoma Bravo has inked an agreement to acquire British cybersecurity giant Darktrace for $4.6bn. This all-cash transaction between Thoma Bravo and Darktrace, valued at $5.3bn, marks a pivotal moment for both companies and the cybersecurity sector at large. The Darktrace acquisition, though pending shareholder approval, has already received the green light from the boards of both Darktrace and Thoma Bravo, signaling a strong vote of confidence in the deal's potential. Immediately following the announcement, Darktrace's shares surged by over 19%, showcasing investor enthusiasm for the partnership.

Tech Titans Thoma Bravo and Darktrace Seal $4.6 Billion Cybersecurity Deal

Under the terms of the Darktrace acquisition, Darktrace shareholders stand to benefit substantially, receiving $7.75 (620p) for each share they hold. This represents a remarkable 44.3% premium compared to Darktrace's recent stock performance. Darktrace's board has expressed its belief that the company's operational and financial successes have not been adequately reflected in its valuation. Thus, the acquisition offer presents shareholders with an opportunity to realize fair value for their cash investments. Gordon Hurst, Chair of Darktrace, emphasized the attractiveness of the proposed offer, stating that it provides shareholders with certainty and fair value. Additionally, he highlighted the potential benefits of partnering with Thoma Bravo, a financial powerhouse with deep expertise in the software sector.
"The proposed acquisition will provide Darktrace access to a strong financial partner in Thoma Bravo, with deep software sector expertise, who can enhance the Company's position as a best-in-class cyber AI business headquartered in the UK", says Gordon Hurst.
Darktrace, known for its cutting-edge artificial intelligence-driven cybersecurity solutions, has experienced a surge in demand for its services, leading to an upgrade in its revenue forecast for the fiscal year 2024.

Accelerating Cybersecurity Preparedness in the UK 

The potential takeover of Darktrace by Thoma Bravo has drawn attention to the state of the UK's tech industry. Analysts suggest that such acquisitions highlight the need for governmental action to retain tech companies within the UK market. If the Thoma Bravo and Darktrace deal is approved by shareholders, the acquisition is slated to be finalized in the third or fourth quarter of 2024. Andrew Almeida, Partner at Thoma Bravo, expressed admiration for the deal between Thoma Bravo and Darktrace, highlighting the cybersecurity technology, and emphasizing the firm's commitment to supporting Darktrace's growth and development as a global leader in the field. "Darktrace is driven by a culture of innovation and we are excited by the opportunity to work alongside Darktrace's team and accelerate its development into a scaled, global leader, further strengthening its capability and offer to customers. Thoma Bravo has been investing exclusively in software for over twenty years and we will bring to bear the full range of our platform, operational expertise and deep experience of cybersecurity in supporting Darktrace's growth", says Almeida. Thoma Bravo's extensive experience in software investment, coupled with its substantial financial resources, positions Darktrace for accelerated expansion and innovation in the cybersecurity domain. With Thoma Bravo's backing, Darktrace aims to reinforce its position as a pioneering cybersecurity firm while contributing to the UK's technological advancement. Thoma Bravo's acquisition of Darktrace represents not only a strategic move for both entities but also a significant development in the cybersecurity sector.

Multi-Year Cyberattack: Chinese Hackers Suspected in Breaching Volkswagen

Volkswagen, the automotive giant, finds itself at the center of a large-scale cyber operation, with suspicions pointing toward hackers operating from China. The Volkswagen cyberattack, which occurred over a decade ago but continues to reverberate today, sheds light on Chinese hackers and their espionage activities.  The stolen data from the multiple-year Volkswagen cyberattack, described as "explosive," includes sensitive information on Volkswagen's internal workings, ranging from development plans for gasoline engines to crucial details about e-mobility initiatives. Investigations led by ZDF frontal and "Der Spiegel" unveiled more than 40 internal documents implicating Chinese hackers in the sophisticated operation.

Multi-year Volkswagen Cyberattack by Chinese Hackers

The timeline of the cyberattacks on Volkswagen, spanning from 2010 to 2015, highlights the meticulous planning and execution by the perpetrators. Reports suggest that the hackers meticulously analyzed Volkswagen's IT infrastructure before breaching its networks, leading to the exfiltration of approximately 19,000 documents.  Among the stolen intellectual property were coveted insights into emerging technologies like electric and hydrogen cars, areas crucial for Volkswagen's competitiveness in the global market. While China is not directly accused, evidence points to its involvement, with IP addresses traced back to Beijing and the timing of the attacks aligning with the Chinese workday.  Moreover, the hacking tools employed, including the notorious "China Chopper," further implicate Chinese origins, though conclusive proof remains elusive.

The Implications of Volkswagen Data Breaches

The implications of these Volkswagen data breaches extend beyond corporate espionage, raising concerns about the integrity of fair competition in the automotive industry. Professor Helena Wisbert of Ostfalia University emphasizes the strategic advantage gained by those privy to competitors' plans, highlighting the significance of stolen data in shaping market dynamics. Volkswagen's acknowledgment of the incident highlights the gravity of the situation, with reassurances of bolstered IT security measures. However, the Federal Office for Information Security (BSI) warns of ongoing threats, stressing the attractiveness of German expertise as a target for espionage. As German companies gear up for the "Auto China" trade fair, the cyberattack on Volkswagen questions the intent of Chinese hackers and their targets in the automobile industry. The Cyber Express will be closely monitoring the situation and we’ll update this post once we have more information on the alleged attacks or any updates from Volkswagen.

Cyberattacks on the Automotive Industry

As automotive technology advances, vehicles are increasingly vulnerable to cyberattacks, particularly with the rise of electronics, software, and internet connectivity. Experts warn that even electric vehicles (EVs) are at heightened risk due to their intricate electronic systems. Ransomware attacks could target critical functions like steering and braking systems, posing significant safety concerns. The abundance of software codes in modern vehicles creates ample opportunities for cyber threats, not only affecting the cars themselves but also their entire ecosystem. While cybersecurity defenses are improving, the automotive industry faces challenges in managing software lifecycles and ensuring end-to-end risk management. Collaboration between industry stakeholders, government, and private players is essential to address these challenges. As the global automotive cybersecurity market grows, the need for robust cybersecurity measures becomes increasingly critical, prompting software solution providers to offer localized and cost-effective solutions.

SpaceX Data Breach Back From the Dead: Hunters International Posts Alleged Stolen Information

SpaceX, the aerospace manufacturer and space transport services company founded by Elon Musk, has allegedly suffered a cybersecurity incident: Hunters International, a notorious hacking group, has reportedly posted samples of data from a SpaceX data breach. The SpaceX data breach seems to involve relatively old data from SpaceX, with Hunters International employing name-dropping tactics to exert extortion pressure. Interestingly, these same samples were involved in an earlier data breach that SpaceX faced in early 2023, attributed to the LockBit ransomware group.

Hunters International shared samples and databases supposedly linked to SpaceX, including access to 149.9 GB of data. This database, originally associated with the initial SpaceX data breach linked to LockBit, was traced back to a third-party supplier within SpaceX's supply chain, specifically a manufacturing contractor based in Texas.

Through infiltration of the vendor's systems, LockBit allegedly gained control of 3,000 drawings or schematics verified by SpaceX engineers.

SpaceX Data Breach Resurfaces on the Dark Web

Interestingly, the threat actor sheds light on the SpaceX data breach's infiltration, including an undisclosed GoPro development environment. Adding another layer to the intrigue, recent events in April 2024 reveal the Cactus ransomware group's purported targeting of Aero Dynamic Machining, Inc., a US-based aerospace equipment manufacturer. The group alleges to have extracted a staggering 1.1 TB of data, encompassing confidential, employee, and customer information from industry giants like Boeing, SpaceX, and Airbus. Subsequently, the group leaked 5.8 MB of compressed data, containing agreements, passports, shipping orders, and engineering drawings, further intensifying the gravity of the situation. The Cyber Express has reached out to SpaceX to learn more about the data breach claims made by the Hunters International group. However, at the time of writing this, no official statement or response has been received, leaving the claims about the SpaceX data breach unverified. Moreover, the website for SpaceX seems to be operational at the moment and doesn’t show any immediate sign of the attack or data breach, suggesting a likelihood that the data shared by Hunters International may indeed stem from the breach of 2023.

How LockBit Ransomware Group Breached SpaceX?

In March 2023, the LockBit Ransomware group infiltrated a third-party manufacturing contractor in Texas, part of SpaceX's supply chain, seizing 3,000 certified drawings and schematics created by SpaceX engineers. LockBit directly addressed SpaceX CEO Elon Musk, demanding ransom payment within a week under the threat of selling the stolen blueprints. The gang's audacious move aimed to profit from the sensitive data, regardless of the vendor's response. Despite concerns over compromised national security and the potential for identity theft, SpaceX has not confirmed the breach, leaving the claims unresolved. This breach, along with the reappearance of leaked data from previous incidents, highlights the persistent threat of cyberattacks on critical infrastructure. It sheds light on the urgent need for robust cybersecurity measures to safeguard against such breaches, as the ramifications extend beyond financial loss to encompass broader security implications. The reappearance of data from last year's SpaceX data breach is raising significant concerns. This recurrence poses a serious threat to the personal and financial security of millions, potentially exposing them to the risks of identity theft and fraud. Notably, despite the breach being initially reported last year and now resurfacing, SpaceX has yet to confirm the incident, leaving the claims unverified.

BSNL Leaked Data Resurfaces with 2.9 Million Records Exposed on Dark Web

In late 2023, concerns surfaced regarding a potential data breach at Bharat Sanchar Nigam Limited (BSNL), a major telecommunications provider owned by the Indian government. However, BSNL did not confirm these reports at the time. Recently, the issue has resurfaced after data purportedly from the unconfirmed BSNL data breach has again appeared on the dark web. On April 24, 2024, a known threat actor named 'Perell', who was previously linked to the alleged 2023 BSNL data breach, released a database that reportedly belongs to BSNL. This database contains more than 2.9 million records and was originally part of an extortion scheme. In December last year, Perell claimed to have obtained sensitive BSNL data and threatened to use it against the company on the now-defunct BreachForums. Despite the time elapsed, the threat to user privacy remains significant as Perell has made the supposedly stolen data publicly available, intensifying worries about the security of information and the potential implications for BSNL’s customers.

The 2024 BSNL Data Breach Claims Surface on BreachForums

The leaked data, according to Perell's post on the forum, includes sensitive information from BSNL, a major player in India's telecommunications sector. While the exact reason for the resurfacing of data from 2023 is unknown, Perell shared a link on BreachForums for the stolen data, stating that the "following list of databases would be exfiltrated." Discussions on BreachForums suggest that the recently leaked data, claimed to be from BSNL in 2024, actually dates back to 2023. Despite its age, the data remains a significant concern due to its large volume and sensitive nature. The decision to leak the same data again in 2024 is puzzling and raises questions about the motives behind this move. The seriousness of the situation is highlighted by the fact that the compromised data from 2023 was posted on the same forum without any clear evidence of communication between the hacker and Bharat Sanchar Nigam Limited (BSNL), and it's uncertain whether a ransom was demanded or paid. Like the current incident, the original post focused solely on revealing the data of 2.9 million users, indicating a deliberate effort to exploit and profit from the breach. The Cyber Express has reached out to the Indian telecommunication giant to learn more about the authenticity of the data being shared by the threat actor. However, at the time of writing this, no official statement or response has been shared, leaving the claims made by the threat actor unverified.

The Far-reaching Consequences of the BSNL Database Leak

Following initial reports of the BSNL data leak in December last year, experts expressed concerns about the implications of the incident. Saket Modi, CEO of the cyber risk management startup Safe Security, commented to the Economic Times that the nature of the hack suggested it was likely carried out by an individual rather than an organization. Modi pointed out that the claim of approximately 2.9 million records being compromised suggested that the breach might involve a single website. Additionally, Kanishk Gaur, founder of India Future Foundation, spoke to the Indian media about the wider consequences of the breach, emphasizing its significant impact on both BSNL and its customers. The reappearance of data from last year's BSNL data breach raises serious concerns. This leak threatens the personal and financial security of millions, potentially leading to identity theft and fraud. Notably, despite the breach first surfacing last year and reemerging now, BSNL has yet to confirm the incident, leaving the claims unverified. The Cyber Express has contacted BSNL for comment and is currently awaiting their response. Updates to this story will be provided as more information becomes available.

Qiulong Ransomware Group Targets Brazilian Surgeon Dr. Willian Segalin, Citing Privacy Concerns


The Qiulong ransomware group has taken responsibility for a cyberattack on renowned Brazilian plastic surgeon Dr. Willian Segalin. The claim of the Dr Willian Segalin cyberattack was made on April 23, 2024, on the group's data leak website, where the threat actor confirmed compromising the website associated with Dr. Segalin. The group, known for its sophisticated ransomware tactics, shared its motivations for the attack, describing Dr Willian Segalin as an “outlaw plastic surgeon” who “does not protect patients’ privacy safely”. The cyberattack on Dr Willian Segalin, while not immediately visible on the website's front end, suggests a potential breach in the backend systems.

Dr Willian Segalin Cyberattack Claims Surface on Dark Web

The ransomware group's post on the dark web revealed sensitive information allegedly extracted from Dr Willian Segalin's website, including images of nude patients, confidential personal data, and financial information. The group's message admonished Dr Willian for purportedly neglecting patient privacy and urged him to take action to safeguard sensitive information.

Image: Dr Willian Segalin Cyberattack (Source: chum1ng0 on X)

“Dr. Willian, if you care about your patients' data and privacy, stop driving your Mustang around like a negligent doctor and avoid remaining silent”, reads the threat actor post.

Image: Dr Willian Segalin Cyberattack (Source: chum1ng0 on X)

The cyberattack on Dr Willian Segalin is not an isolated incident. Within the same timeframe, the Qiulong ransomware group targeted three other Brazilian organizations including two related to plastic surgery and one car dealership. The Cyber Express has reached out to the plastic surgeon's office to learn more about the authenticity of the cyberattack on Dr Willian Segalin. However, at the time of writing this, no official statement or response has been received.

Qiulong Ransomware Group Targets Multiple Victims in Brazil 

The Qiulong ransomware group's recent cyberattacks extend beyond Dr. Willian Segalin, affecting three other Brazilian entities. The group's posts on the dark web highlight their grievances against these victims, accusing them of neglecting patient privacy and data protection.

Image: Dr Willian Segalin Cyberattack (Source: chum1ng0 on X)

One victim, Dr. Andrea Rechia, a plastic surgeon, faced criticism for allegedly disregarding patient privacy despite numerous attempts to reach out. The group's post includes sensitive information about the clinic's operations and contact details. Similarly, Dr. Lincoln Graça Neto, another plastic surgeon, was targeted by the ransomware group. The post exposes the clinic's location and amenities but condemns Dr. Lincoln for purportedly neglecting patient data security. The final victim, Rosalvo Automóveis, a car dealership, faced data exposure threats, indicating potential repercussions from the cyberattack. While specific details about the data breach are not provided, the post suggests imminent data exposure.

Crypto Crackdown: Samourai Wallet Founders Arrested for Laundering Over $100 Million


The founders and CEO of Samourai Wallet, Keonne Rodriguez and William Lonergan Hill, have been apprehended and charged with serious offenses related to money laundering and unlicensed money transmitting. The money laundering charges stem from the alleged operation of Samourai Wallet as an unlicensed money-transmitting business, facilitating over $2 billion in illicit transactions and laundering more than $100 million in criminal proceeds. Previously, Samourai Wallet was a prominent mobile Bitcoin wallet prioritizing user privacy and security. The crypto app was a popular choice among crypto users, aligning with Bitcoin's core principles of decentralization, financial privacy, transparency, security, and fungibility.

Samourai Wallet Operator Arrest and Assets Seized

Image: Samourai Wallet Operator Arrest (Source: justice.gov)

The announcement of the Samourai Wallet operator arrest was made jointly by Damian Williams, the United States Attorney for the Southern District of New York; Thomas Fattorusso, the Special Agent in Charge of the New York Field Office of the Internal Revenue Service, Criminal Investigation (IRS-CI); and James Smith, the Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (FBI). According to the indictment, Rodriguez and Hill were actively involved in developing, marketing, and operating the Samourai Wallet, which served as a conduit for illegal financial activities, including transactions originating from notorious dark web markets like Silk Road and Hydra Market.

Rodriguez was arrested in Pennsylvania, while Hill was apprehended in Portugal based on the charges filed in the United States. Efforts are underway to extradite Hill to face trial in the U.S. District Court. The case has been assigned to U.S. District Judge Richard M. Berman. Rodriguez, 35, of Harmony, Pennsylvania, and Hill, 65, were charged with conspiracy to commit money laundering and conspiracy to operate an unlicensed money-transmitting business, carrying maximum sentences of 20 years and five years in prison, respectively.

The Crackdown of Samourai Wallet Operators

The crackdown on Samourai Wallet extends beyond the arrests of its operators. In collaboration with authorities in Iceland, the web servers and domain associated with Samourai Wallet were seized, along with a seizure warrant served on the Google Play Store, preventing further downloads of the Samourai mobile application in the United States. U.S. Attorney Damian Williams emphasized the gravity of the allegations, stating that Rodriguez and Hill knowingly facilitated large-scale money laundering through Samourai Wallet, providing criminals with a platform to conceal the origins of illicit funds.

“Rodriguez and Hill allegedly knowingly facilitated the laundering of over $100 million of criminal proceeds from the Silk Road, Hydra Market, and a host of other computer hacking and fraud campaigns. Together with our law enforcement partners, we will continue to relentlessly pursue and dismantle criminal organizations that use cryptocurrency to hide illicit conduct”, said Williams.

According to the indictment, Rodriguez and Hill began developing the Samourai Wallet around 2015, offering users a mobile application for managing their cryptocurrency assets. The application, downloaded over 100,000 times, allowed users to store their private keys while employing centralized servers to facilitate transactions. Samourai Wallet offered features such as "Whirlpool," a cryptocurrency mixing service, and "Ricochet," which added unnecessary intermediate transactions to obscure the source of funds. The indictment further alleges that Rodriguez and Hill actively promoted the Samourai Wallet as a tool for criminals to evade detection and launder money. Social media posts and marketing materials indicated their awareness of the illicit use of their platform, with references to servicing individuals engaged in criminal activities.

Nothing Admits to 2022 Data Breach Exposing Community Emails


The Nothing community is once again facing concerns over security as news of a data breach from 2022 resurfaces. The Nothing data breach was reported on social media platforms, and eventually led to the organization confirming the breach — shedding light on the unpredictable vulnerabilities within the Nothing ecosystem. Confirming the Nothing data leak to Android Authority, the UK-based phone manufacturer acknowledged that the data of 2,250 community members had been compromised, primarily consisting of email addresses. Although no sensitive information like passwords was accessible, the exposure of user emails raised concerns about the privacy and security of the community members. 

Rediscovering the 2022 Nothing Data Breach in 2024

Recently, reports emerged on social media, notably on X (formerly Twitter), highlighting the discovery of personal information associated with Nothing Community accounts in an online database. While much of the leaked data, such as usernames, was already publicly available, the inclusion of private email addresses raised suspicions among the community members.

Image: Nothing data breach (Source: X)

At the time of writing this, reports and tweets related to the Nothing data breach were removed to prevent further exploitation. Although investigations confirmed the existence of the leaked database, there was no evidence suggesting the compromise of user account passwords. However, official emails of Nothing employees were also found in the database, further exacerbating the security concerns. Despite efforts to obtain confirmation from Nothing regarding the data breach and potential implications of the leaked data, The Cyber Express has not yet received an official statement or response at the time of writing. Moreover, several community members and tech reporters removed the sample data and any other information from their social media accounts within 72 hours of reporting.

Immediate Action and Enhanced Security Measures

Nothing responded to inquiries, acknowledging the breach and tracing it back to a vulnerability identified in December 2022. The phone manufacturer confirmed that while email addresses were affected, no other sensitive information such as names, addresses, passwords, or payment details was compromised. Immediate action was taken to address the vulnerability and enhance security measures.

"In December 2022, Nothing discovered a vulnerability, which impacted email addresses belonging to community members at the time," the company said. "No names, personal addresses, passwords, or payment information were compromised. Upon this discovery nearly a year and half ago, Nothing took immediate action to remedy the situation and bolster its security features", stated a Nothing spokesperson to Android Authority.

Despite efforts to contain the situation, concerns lingered regarding the extent of the breach and its impact on community members. Although the breach is relatively minor, it adds to the series of security incidents surrounding Nothing, including the infamous Nothing Chats debacle, in which the phone company received backlash over the inadequate security of its message systems. While users may experience an increase in spam emails with this data breach, the overall impact on Nothing Community users is expected to be limited. However, users are advised to remain vigilant and consider changing their passwords as a precautionary measure, although no account passwords were compromised in this breach. Notably, there were no indications that Nothing reached out to affected users regarding the breach, raising questions about communication and transparency. Nonetheless, internal changes were implemented to safeguard user data in the future.

Glints Data Breach: Alleged Leak of Sensitive Employee Data from Singapore’s Recruitment Platform


A dark web user has allegedly leaked a database containing employee records linked to Glints, an online job recruitment platform in Singapore. This Glints data breach, reported on April 23, 2024, was added to a dark web forum where the sample data was leaked, specifically highlighting sensitive employee information. According to a post shared on the nuovo BreachForums platform, the data breach purportedly contains approximately 1,000 records with personally identifiable information (PII) of Glints' employees.

Understanding the Glints Data Breach Claims

The exposed data includes sensitive details such as names, employee IDs, designations, email addresses, dates of birth, physical addresses, national ID numbers, and even bank account information. Samples of these records were provided by the threat actor, adding weight to the claims.

Image: Glints Data Breach (Source: Dark Web)

The impact of this Glints data leak extends to Glints Pte Ltd and Glints Singapore Pte Ltd, two entities closely associated with the recruitment platform. With Singapore as the focal point of this incident, concerns are raised about the potential misuse of this data, especially within the professional services industry. The post attributed to sedapmalam on the BreachForums explicitly lists a vast array of information, including employee IDs, job positions, bank details, and even personal contact details. This comprehensive data dump highlights the severity of the alleged breach and the potential risks faced by those affected.

Response to the Breach and Vulnerability Assessment Program

The Cyber Express has reached out to the recruitment platform to learn more about the authenticity of the Glints data leak. However, at the time of writing this, no official statement or response has been shared, leaving the claims by sedapmalam largely unverified. Interestingly, while the Glints website appears to be operational, there are no immediate indications of a cyberattack on the front end. This suggests that the threat actor may have targeted the organization's database directly, circumventing traditional security measures.

Notably, Glints has a dedicated service page inviting security researchers to identify vulnerabilities within its platform. While any connection between the alleged recruitment firm data breach and the vulnerability assessment program has not been verified, the alleged leak raises questions about whether the stolen data was part of the program or was simply republished on the dark web platform. As the investigation into the Glints data breach unfolds, The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Glints data breach or any official confirmation from the organization.

8Base Ransomware Group Launches Cyberattack on Bieler Lang GmbH, Threatens Data Leak


The 8Base ransomware group has claimed an attack on Bieler Lang GmbH, a provider of gas detection and warning systems in Germany. Alongside the Bieler Lang GmbH cyberattack, the threat actor has claimed 4 different victims from Italy, Germany, and the United States.  The 8Base ransomware group asserted their infiltration, claiming to have accessed sensitive information including invoices, receipts, accounting documents, personal data, certificates, and more. While no evidence has been provided to validate these claims, the group has set a deadline of April 29, 2024, for the potential leak of this data.

Analyzing the Bieler Lang GmbH Cyberattack and Other Intrusions

This cyberattack has significant implications for Bieler Lang GmbH. However, other organizations, including FEB31st, Wasserkraft Volk AG, Speedy France, and The Tech Interactive, are facing the same allegation from the threat actor, highlighting the scope of the breach and the threat actor's perplexing intentions.

Image: Bieler Lang GmbH Cyberattack (Source: X)

The Bieler Lang GmbH cyberattack was posted on the threat actor’s data leak site, and several screenshots were posted about the organization and the data stolen from the attack. In 8Base’s words, they have uploaded “invoices, receipts, accounting documents, personal data, A huge amount of confidential information”, and other personal data about the organization. The Cyber Express reached out to Bieler Lang GmbH for further details regarding the incident. However, as of now, no confirmation or denial has been issued by the organization, leaving the claims of the cyberattack on Bieler Lang GmbH unverified.

The Anonymity of the 8Base Ransomware Group 

Despite the cyber intrusion, the website of Bieler Lang GmbH appears to be operational, showing no immediate signs of the attack. However, it's important to note that 8Base operates not solely as a ransomware operation but as a data-extortion cybercrime group. They have gained notoriety for targeting similar companies and posting about their exploits on data leak sites. While the origins and identities of the 8Base operators remain unknown, cybersecurity experts emphasize that their recent surge in activity indicates a well-established and mature organization. With a history of targeting companies that neglect data privacy, the group presents a challenge to cybersecurity efforts globally. As for the Bieler Lang GmbH cyberattack, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information about the attack or any official confirmation from the organization.

Former FSB Officer Sentenced to Nine Years for $1.7 Million Bribery Scandal


Former Russian Federal Security Service (FSB) officer Grigory Tsaregorodtsev was sentenced to nine years in prison in a penal colony. The decision was made after Perm Garrison Military Court found Tsaregorodtsev guilty of accepting a 1.7 million USD bribe from a cybercrime syndicate in exchange for turning a blind eye to their illicit activities. The Grigory Tsaregorodtsev corruption scandal began to unfold in 2022 when Russian authorities apprehended six individuals associated with a notorious cybercrime group operating in the city of Perm in Russia. This group had orchestrated a sophisticated scheme, hacking into thousands of e-commerce websites and pilfering sensitive payment card data. Their activities facilitated the sale of millions of stolen card details on underground platforms like Trump’s Dumps, among others.

Former FSB Officer Grigory Tsaregorodtsev Sentenced For Taking Bribes

At the center of this scandal is the once-respected figure within the FSB's counterintelligence division based in the city of Perm. His role came under scrutiny when it was revealed that he had accepted substantial bribes from the hacker groups. These bribes, totaling a staggering 160 million rubles, were exchanged for his protection and influence, allowing the hackers to operate without fear of authorities, reported Krebs on Security. However, Tsaregorodtsev's downfall was inevitable as he was detained and subsequently brought to trial. Throughout the proceedings, the court uncovered a web of deceit and corruption woven by the former FSB officer. Despite his attempts to downplay his involvement, the evidence against him proved damning. Tsaregorodtsev's defense argued that he had merely engaged in fraudulent activities, rather than outright bribery, as he failed to deliver on the promises made to the cybercriminals.

The Trial of Former FSB Officer Grigory Tsaregorodtsev

The trial of Grigory Tsaregorodtsev shed light on the extent of the operation and the things acquired by the ex-FSB officer with the bribes, including lavish properties, luxury vehicles, and a substantial cache of cash and gold bars. According to Russian newspaper Коммерсантъ, the outcome of the court session revealed that Tsaregorodtsev had abused his position of authority for personal enrichment, betraying the trust placed in him by the Russian state and its citizens. Ultimately, the court handed down a harsh sentence, condemning Tsaregorodtsev to nine years in a maximum-security facility and imposing a hefty fine of 320 million rubles. Furthermore, he was stripped of his military rank and barred from holding certain positions upon his release.
The court also stated that "he must pay the state an amount equal to the size of the bribe: minus the value of the valuables and money seized during the investigation, it amounts to slightly more than 138 million rubles", added the newspaper.
The repercussions of Tsaregorodtsev's actions extended beyond his own fate, casting doubt over the integrity of the Russian security apparatus. Questions were raised about the extent of corruption within the FSB and the measures needed to root out such malfeasance.

Family-Owned Music Store Targeted: MEDUSA Ransomware Strikes Ted Brown Music


Ted Brown Music, a longstanding family-owned full-service music store established in 1931, has allegedly been targeted by the MEDUSA ransomware group. The Ted Brown Music cyberattack, marked by a post from the threat actors, further explains the depth of the attack and its repercussions.  The dark web post, laden with countdown timers and cryptic codes, presents a harrowing scenario for Ted Brown Music. Beginning with a countdown of "DAYS", "HOURS", "MINUTES", and "SECONDS", it sets a tone of urgency, suggesting a deadline of 7 days before the stolen data gets published. 

Decoding the Ted Brown Music Cyberattack Claims

Image: Ted Brown Music Cyberattack (Source: X)

Transitioning to more tangible information, the post provides details about Ted Brown Music, including its rich history, family ownership, and corporate address in Tacoma, Washington. With 95 employees and a distressing disclosure of 29.4 GB of leaked data, the magnitude of the alleged breach becomes all too apparent. The ransom demands escalate, starting at $10,000 to add one more day before the data gets published. Similarly, by paying $300,000, the threat actor will “delete all data” or the organization can “download all data” again. The message concludes with the numeral "23", indicating the number of viewers who saw the data. The Cyber Express has reached out to the organization to learn more about this cyberattack on Ted Brown Music. However, at the time of writing this, no official statement or response has been received, leaving the claims for the Ted Brown Music cyberattack unverified.

The Rise of MEDUSA Ransomware Group

The cyberattack on Ted Brown Music follows a list of cyberattacks faced by the music industry. According to Gitnux, the sector grapples with an alarming rate of cyber attacks, with breach detection often taking months and the average cost of an attack skyrocketing. Among these cyberattacks, the MEDUSA ransomware group has manifested into a sophisticated cybercrime group. Emerging as a ransomware-as-a-service (RaaS) platform in late 2022, Medusa gained infamy in 2023, primarily targeting Windows environments. The threat actors operate a site where they expose sensitive data from organizations that refuse to meet their ransom demands. Employing a multi-extortion approach, they offer victims choices like extending deadlines, deleting data, or downloading it, each option coming with a price. In addition to their Onion site, they use a Telegram channel named “information support” to publicly share compromised files, making them more accessible. As for the cyberattack on Ted Brown Music, this is an ongoing story and The Cyber Express will be monitoring the situation. We’ll update this post once we have more information on the alleged attack or any confirmation from the organization.

Consol Energy Targeted in Cyberattack: Russian Cyber Army Claims Responsibility


The Cyber Army Russia has claimed a cyberattack on Consol Energy, a prominent American energy company headquartered in Cecil Township, Pennsylvania. The Consol Energy cyberattack reportedly disrupted the company's website accessibility, causing issues for users outside the United States. However, the website is now back online and functioning normally. Consol Energy, with its presence in the Agriculture and Mining industry, plays a crucial role in the nation's energy supply chain, contributing over $1 billion in revenue and providing employment to thousands. The cyberattack on the energy company highlights the growing nature of targeted cyberattacks in the energy sector. 

Alleged Consol Energy Cyberattack Claims by Pro-Russian Hackers

Image: Consol Energy Cyberattack (Source: Falcon Feeds on X)

The threat actor's post suggests a motive behind the attack, citing Consol Energy's role as a competitor in the European energy market and its alleged benefits from the conflict in Ukraine. The Cyber Express has reached out to the organization to verify the authenticity of the alleged Consol cyberattack. However, at the time of writing this, no official statement or response has been received, leaving the claims for the alleged Consol cyberattack unverified.

Image: Consol Energy Cyberattack (Source: X)

Interestingly, this isn't the first time Consol Energy has been targeted by cyber threats. In 2023, the Cl0p ransomware group claimed responsibility for a similar attack on the company. Despite these incidents, Consol Energy continues to post on its social media channels and is contributing to the country's power supply. In the wake of the cyberattack, financial analysts are observing the impact on Consol Energy's stock performance. Justin Spittler, Chief Trader at Hedge_Your_Risk, offers insights into coal stocks, highlighting CONSOL Energy's resilience despite a recent decline.

Image: Cyberattack on Consol Energy (Source: Justin Spittler on X)

However, the extent to which the cyberattack influenced this decline remains uncertain, pending official statements from the company.

Cyber Army Russia Reborn and Ongoing Investigation 

The cyberattack on Consol Energy is part of a broader trend of cyber threats targeting energy companies worldwide. Just last month, Cyber Army Russia Reborn claimed responsibility for cyberattacks in Slovenia, targeting government bodies and the public broadcaster. In a video message, the group implied that the attacks were due to Slovenia's backing of Ukraine. Voiced in Slovenian and circulated by local news, the message urged Russians and Slovenians not to harbor animosity, citing shared heritage. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged attack or any official confirmation from Consol Energy.

Alleged Luxor Data Breach: Sensitive Information from Indian Stationery Giant Leaked


A dark web user has allegedly claimed a breach involving Luxor International Private Limited, a prominent Indian manufacturer of stationery products. The Luxor data breach was first detected on April 19, 2024, when postmaster, operating within the nuovo BreachForums, disclosed the leak of a database purportedly belonging to Luxor.  The leaked data, initially shared on the Telegram channel Leakbase, comprises 692 MB of SQL data, encompassing a trove of sensitive information. Among the data elements exposed are first names, middle names, last names, dates of birth, hashed passwords, billing and shipping details, tax information, and more.

Alleged Luxor Data Breach Exposes Sensitive Database

Image: Luxor Data Breach (Source: Dark Web)

The Luxor data breach included information about individuals registered on Luxor's website, implying that the leaked data could be authentic. If the stolen data turns out to be genuine, the Luxor data leak can lead to loss of trust, financial losses, reputational damage, identity theft, operational disruption, and potential fraud, impacting not only the company but also its customers and stakeholders. Luxor Writing Instruments Private Limited and Luxor International Private Limited, the entities allegedly affected by the breach, have been notified about the breach. With operations spanning the Indian subcontinent, Luxor's breach has ramifications not only for its domestic clients but also for its customers and partners across Asia & Pacific (APAC). Moreover, postmaster's motives remain unclear as the hacker has not shared any intent or motivation regarding the breach, and the stolen data seems to be limited to customers, as it only contains data from Gmail accounts instead of the organization’s business accounts.

Decoding the Luxor Data Breach Leak

In a public post attributed to postmaster, the threat actor provided insights into the Luxor data breach, describing Luxor as the "brand leader in the Indian Writing Instrument Industry." The post included details such as the file name (luxor.in.sql) and size (692 MB uncompressed), offering a glimpse into the scale of the data compromised. The leaked data appears to consist of billing information or transaction records, organized into distinct entries featuring various fields. These fields likely include identifiers, timestamps, numerical values, and textual data, indicating a comprehensive system for managing billing-related activities. The Cyber Express has reached out to the organization to learn more about the authenticity of this Luxor data leak. However, at the time of writing this, no official statement or response has been received, leaving the claims for the Luxor data breach unverified. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Luxor data breach or any official confirmation from the organization.

The 2024 India Elections Cyber Crisis: AI, Deepfakes, and Democratic Integrity


India is currently hosting its general elections, spanning from April 19 to June 1, 2024, across seven phases to elect 543 members to the Lok Sabha, the lower house of India’s Parliament. Amid the pivotal India elections 2024, the integrity of the electoral process is under threat from a spectrum of cybersecurity challenges. These threats range from international cyberattacks targeting the election's infrastructure to domestic insiders undermining the system.

As the world's largest democracy conducts its elections, the occurrence and sophistication of these cyber threats have intensified. The election battleground is also witnessing an unprecedented use of AI-generated content and deepfakes by political entities and foreign agents, heightening tensions and manipulating public perception. This article delves into the complex cybersecurity landscape of the elections in India, examining the impact of technological exploitation, foreign interference, and internal political strife on the nation's democratic foundations.

India Elections 2024: Experts Warn of a 'Year of Deception'

The ongoing elections in India are proving to be exceptionally challenging, with cybersecurity experts predicting a tumultuous voting session. The integrity of the voting process is deeply compromised by the widespread use of deepfakes and the dissemination of false information generated by artificial intelligence. While India is using its own set of cybersecurity measures to combat AI-generated misinformation, Meta recently created a dedicated fact-checking helpline on WhatsApp in collaboration with the Misinformation Combat Alliance (MCA). This initiative aims to empower users to identify and flag deepfakes, offering support in multiple languages, including English, Hindi, Tamil, and Telugu.

Industry leaders in cybersecurity, such as IBM and McAfee, are highlighting the significant challenges that India is expected to face in the ongoing elections. The rapid advancement of AI technology provides cybercriminals with powerful tools like deepfakes, voice cloning, and advanced malware, increasing the complexity of threats to the electoral process. The potency of artificial intelligence (AI) in the hands of cybercriminals was highlighted by Pratim Mukherjee, senior director of engineering at McAfee, who also emphasizes the urgent need for proactive cybersecurity solutions to reduce the risks posed by developing threats.

Additionally, amid one of the most contentious election seasons in India, Kerala Legislative Assembly Leader of the Opposition VD Satheesan has called for the dismissal of cases about a deepfake video that purports to be directed at CPM leader KK Shailaja. Implying a link between CPM and BJP in the state, he accuses CPM leaders of disseminating false information and attacks the government's management of police operations during Thrissur Pooram. Thrissur Pooram is an annual Hindu temple festival held in Kerala, India. It is one of the largest and most colorful temple festivals in India, attracting large crowds and significant media attention.

India Elections 2024: Foreign Interference and Insider Threats

Foreign interference poses another set of threats to the integrity of the Indian electoral process. Chinese hackers, in particular, have been identified as potential adversaries seeking to manipulate public opinion and influence election outcomes. According to a report by Microsoft, Chinese hackers and influence operatives, along with North Korean agents, may seek to interfere with the electoral process in India and other high-profile elections globally. The use of AI-generated content to sway public opinion is another large risk faced by Indian cybersecurity. However, it is not the only thing eroding the integrity of the 2024 Indian general election.

The 2024 Indian election is facing another threat from domestic political rivalries, with allegations of cyberattacks and misinformation campaigns emerging from within India. The Vadakara Lok Sabha constituency exemplifies this phenomenon, with both the CPI(M) and the Congress accusing each other of launching vicious cyberattacks. The CPI(M), or Communist Party of India (Marxist), and the Congress are major political entities in India. The escalation of these allegations to the Election Commission complicates decision-making for the general public, as misinformation influences the choices made by voters.

In a similar vein, the earlier attempted hack on the website of the Ram Mandir during the Pran Pratishtha ceremony is another reminder of the cybersecurity challenges faced by India's cultural and religious institutions while the country conducts its elections. The Ram Mandir refers to a new temple being constructed in Ayodhya, a site of historical and religious significance, and a focal point of long-standing and sometimes contentious political and religious debates in India.

The Cyberattack on Indian Culture: What to Expect and How to Protect?

These incidents highlight the vulnerability of e-platforms to cyberattacks, raising concerns about the broader implications for cybersecurity in the country. As India's cultural and religious heritage intersects with the ongoing 2024 India elections, the need for better cybersecurity measures cannot be ignored.

To strengthen cybersecurity defenses, proactive steps and group efforts are essential as India battles the threat of cyberattacks on several fronts. To reduce the risks associated with foreign meddling and AI-generated disinformation, cooperation between government agencies, cybersecurity professionals, and tech businesses is vital. Public awareness campaigns can be quite effective in informing the public about the risks posed by false information and the value of being vigilant in the digital era.

The cybersecurity measures in the 2024 Indian elections are set to capture global attention, as the threat of cyberattacks is significant. Protecting the integrity of the electoral process will demand a unified effort from all involved parties. Through the strategic use of technology and collaborative initiatives, India aims to confront cybersecurity challenges and maintain democratic integrity.

TransparentTribe: The Elusive Threat Targeting India’s Defense Sector


TransparentTribe is an Advanced Persistent Threat (APT) group with a large appetite for targeting Indian government organizations, military personnel, and defense contractors. The threat actor recently came into the spotlight and was seen leveraging the notorious Crimson RAT (Remote Access Trojan), among other sophisticated tools and tactics.

Image: Crimson RAT and other tools (Source: Cyble)

The threat actor’s modus operandi is as complex as its name: it involves gathering sensitive information, conducting cyber espionage, and compromising the security of its targets. The group is adept at exploiting various platforms, from Windows to Android, often masquerading as legitimate government entities or organizations through fake websites and documents. These maneuvers aim to deceive unsuspecting users into sharing credentials or unwittingly downloading malware onto their systems.

Decoding the New Threat Actor: TransparentTribe

According to the Cyble Vision Threat Library, TransparentTribe, also known as APT 36 or Project Mythic Leopard, has been active, with its last sighting dated April 1, 2023. Their activities extend beyond traditional cyber espionage, with recent investigations uncovering connections to watering hole sites focused on Indian military personnel.

Image: TransparentTribe (Source: Cyble Vision Threat Library)

Moreover, TransparentTribe's reach spans borders, with primary targets including India and Afghanistan, along with various other nations such as Australia, Japan, and the USA, among others. Their relentless pursuit of sensitive information knows no bounds, targeting sectors ranging from defense to education and governmental organizations.

Image: TransparentTribe (Source: Cyble Vision)

Operating out of Pakistan, TransparentTribe poses a significant threat to national security, employing aliases like Green Havildar and APT-C-56. Suspected ties with other APT groups like SideCopy and SideWinder further underscore the complexity of the threat landscape.

The Mechanics of TransparentTribe Hacker Group

Image: Mechanics of TransparentTribe Hacker Group (Source: Cyble)

The lifecycle of TransparentTribe's attacks involves multiple infection vectors, including phishing emails, malvertising, and social engineering. Their persistence is evident in the continuous monitoring of developments within targeted sectors, which they exploit as lures for their campaigns. Windows, Linux, and Android systems alike fall prey to TransparentTribe's tactics, with tailored approaches for each platform.

Exploiting vulnerabilities like CVE-2012-0158 and CVE-2010-3333, they deliver their payloads, including a diverse range of RATs like Crimson RAT, DarkComet, and QuasarRAT, each with its specific capabilities and functionalities. Their network activities are intricate, utilizing well-crafted phishing URLs and registering domains on servers associated with Hostinger ASN. Moreover, the overlap in command and control (C&C) infrastructure and the use of platforms like Google Drive for hosting malware further complicate detection and mitigation efforts.

Akira Ransomware Group Amasses $42 Million from Over 250 Global Attacks, FBI Warns


The Akira ransomware group has been identified as the culprit behind a series of cyberattacks targeting businesses and critical infrastructure entities across North America, Europe, and Australia. According to the latest advisory by the U.S. Federal Bureau of Investigation (FBI), since March 2023, the Akira ransomware group has successfully breached over 250 organizations, amassing a staggering $42 million in ransomware payments. Initially focusing on Windows systems, Akira's tactics have recently expanded to include Linux variants, intensifying concerns among global cybersecurity agencies. The FBI, in collaboration with key players such as the Cybersecurity and Infrastructure Security Agency (CISA), Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), has issued a joint advisory on Akira ransomware to raise awareness and disseminate crucial threat information.

The Hidden Modus Operandi of the Akira Ransomware Group

The FBI revealed that the modus operandi of the Akira ransomware group involves a multi-faceted approach to infiltrate and compromise targeted organizations. Leveraging vulnerabilities in Cisco systems, particularly CVE-2020-3259 and CVE-2023-20269, Akira actors exploit weaknesses in virtual private networks (VPNs) lacking multifactor authentication (MFA), alongside other entry points such as Remote Desktop Protocol (RDP) and spear phishing. Once inside the network, Akira operatives establish persistence by creating new domain accounts and employing post-exploitation techniques like credential scraping with tools like Mimikatz and LaZagne. This enables them to escalate privileges and navigate the network undetected, utilizing reconnaissance tools like SoftPerfect and Advanced IP Scanner to map out the infrastructure.

Moreover, the threat actor has evolved over the years and has been using multiple ransomware variants “against different system architectures within the same compromise event”. This strategy differs from what was previously reported about Akira affiliate partners and their hacking processes. “Akira threat actors were first observed deploying the Windows-specific “Megazord” ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, “Akira_v2”)”, says the FBI.

Defense Evasion, Encryption and Mitigation

Apart from upgrades on its offensive side, the Akira ransomware group uses next-gen stealth to evade detection. The group, according to the FBI, has been deploying a variety of tactics, including disabling security software and deploying multiple ransomware variants simultaneously. The ransomware encryption process is sophisticated, employing a hybrid encryption scheme that combines the ChaCha20 stream cipher with the RSA public-key cryptosystem, tailored to file types and sizes. Encrypted files are marked with either a .akira or .powerranges extension, with the ransom note strategically placed in directories.

In response to the threat posed by Akira ransomware, cybersecurity authorities like CISA advocate proactive measures to mitigate risks and enhance organizational resilience. Recommendations include implementing multifactor authentication, maintaining up-to-date software patches, segmenting networks, and employing robust endpoint detection and response (EDR) tools. Furthermore, organizations are advised to conduct regular audits of user accounts, disable unused ports, and enforce the principle of least privilege to limit unauthorized access. Backup strategies should include offline, encrypted backups covering the entire data infrastructure, ensuring rapid recovery in the event of a ransomware attack.
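For incident scoping, the two extensions named above give a simple indicator to sweep file shares for. This added example (not from the FBI advisory or The Cyber Express) walks a directory tree and summarises, per directory, how many files carry an Akira extension and which original file types were hit; the sample tree and its file names are constructed.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article names for Akira-encrypted files.
AKIRA_EXTENSIONS = (".akira", ".powerranges")


def scan_tree(root):
    """Walk root and summarise files carrying an Akira extension, per directory."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        marked = [f for f in filenames if f.lower().endswith(AKIRA_EXTENSIONS)]
        if not marked:
            continue
        # Drop the appended extension to recover what kind of file was hit,
        # e.g. "q1.xlsx.akira" -> ".xlsx".
        original_types = Counter(
            Path(Path(f).stem).suffix.lower() or "(none)" for f in marked
        )
        findings[os.path.relpath(dirpath, root)] = {
            "marked": len(marked),
            "total": len(filenames),
            "ratio": round(len(marked) / len(filenames), 2),
            "original_types": dict(original_types),
            # Files left without the extension: candidates for the ransom
            # note, or files the encryptor skipped.
            "unmarked": sorted(f for f in filenames if f not in marked),
        }
    return findings


def build_sample_tree(root):
    """Create a small constructed tree: two affected shares and one clean one."""
    layout = {
        "finance": ["q1.xlsx.akira", "q2.xlsx.akira", "invoice.pdf.akira", "note.txt"],
        "vm": ["disk0.vmdk.powerranges"],
        "clean": ["readme.md", "plan.docx"],
    }
    for directory, names in layout.items():
        os.makedirs(os.path.join(root, directory))
        for name in names:
            Path(root, directory, name).write_bytes(b"constructed sample")


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for directory, info in sorted(demo().items()):
        print(directory, info)
```

The per-directory ratio and the list of unmarked files help separate fully encrypted shares from partially affected ones when deciding what to restore from backup first.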

HelloKitty Ransomware Takes on New Identity as HelloGookie: A Closer Look at Cyber Adaptability


The notorious HelloKitty ransomware has rebranded itself as HelloGookie ransomware. This transformation is accompanied by strategic maneuvers and community engagement that shed light on the adaptability and agility of this ransomware operator. This rebranding comes with more than just a change in name; it signifies a shift in tactics and possibly a response to the competitive environment within the cybercriminal community. HelloGookie's emergence was accompanied by the release of decryption keys and the establishment of a new blog, signaling a proactive approach to engaging with potential victims.

HelloKitty Ransomware Rebranded to HelloGookie Ransomware

Image: HelloGookie (Source: 3xp0rt on X)

Behind the scenes, the creator of HelloGookie, known simply as Gookee/Gookie, has made strategic overtures to the LockBit ransomware group. This gesture, while seemingly diplomatic, hints at a desire to avoid direct competition and potentially collaborate for mutual benefit. Such an alliance highlights the collaborative nature of ransomware groups, where operators navigate a fine line between cooperation and rivalry. Moreover, Gookie's successful reclamation of their account on the Exploit forum further reflects the shift in technology and authority within the ransomware group, which has claimed credibility over the years.

Image: HelloGookie ransomware group (Source: 3xp0rt on X)

The forum serves as a hub for cybercriminal activity, facilitating discussions, collaboration, and the exchange of tools and techniques. Gookie's return to the forum also represents a resurgence in their activities and potentially newly added victims.

Forum Conversations Reveal HelloGookie’s Plan

Image: HelloKitty Ransomware (Source: 3xp0rt on X)

Forum conversations provide insights into HelloGookie's tactics and capabilities. Updates targeting both Linux and Windows systems suggest a commitment to expanding its reach across diverse platforms. Additionally, calls for collaboration and the recruitment of individuals with access to high-value targets indicate a strategic shift towards more sophisticated and lucrative operations.

The HelloGookie website further highlights the ransomware's impact, listing new victims and showcasing the breadth of its reach. From prominent organizations like CD PROJEKT to industry giants like CISCO, the ransomware group has started expanding its reach to various sectors. The passwords for leaked encrypted source code archives, including Witcher 3 and Thronebreaker, previously priced at $10k each, are also available on the new data leak site. The divulgence of private keys adds another layer of complexity: the threat actor is openly sharing private keys on its blog, raising the threat to a new level for the affected parties.

The original HelloKitty ransomware group was identified in 2020, specializing in infiltrating networks, encrypting data, and demanding ransoms. It targets organizations with sensitive data, posing a serious threat to businesses. Now the threat is bigger and more capable, going beyond mere encryption and extortion.

Asantee Games Acknowledges Security Flaw in Magic Rampage, Assures it’s Been Contained


Millions of Magic Rampage players could be facing a potential security threat following a data breach that stemmed from a vulnerability in misconfigured cloud storage. Asantee Games, an independent game development company known for its commitment to quality, is the creative force behind popular titles like Magic Rampage, Magic Portals, Hit The Gator, and Bee Avenger. The Cyber Express has reached out to Asantee Games for clarification regarding the alleged Magic Rampage data breach. In response, the organization confirmed the existence of a vulnerability, stating that the flaw was "identified a few weeks ago and was promptly addressed within a few hours of its discovery".

Magic Rampage Data Breach Stemmed from a Vulnerability 

The Magic Rampage breach at Asantee Games appears to stem from a misconfiguration within MongoDB, a popular document-oriented database platform. This oversight left the company's data repository devoid of password protection, rendering data from the organization accessible to the public for a short amount of time. A spokesperson for Asantee Games confirmed that the vulnerability was identified and contained a few weeks ago. 
In a statement shared with TCE, Asantee Games stated that "our team took immediate action to secure our systems and further strengthen our database security to prevent such occurrences in the future. It is important to note that no other critical personal data was compromised. We do not store sensitive information such as names, birth dates, or addresses, hence minimizing the potential impact on our users."
Moreover, MongoDB itself acknowledged a security incident on December 13, 2023, indicating unauthorized access to certain corporate systems. Investigations subsequently revealed that the breach was the result of a successful phishing attack. Fortunately, it appears that the breach did not compromise data stored within MongoDB Atlas, the company's fully managed cloud database service. Nonetheless, the incident affected other organizations using MongoDB for operations. 
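The misconfiguration described above, a MongoDB instance reachable without password protection, maps to two settings in a self-managed mongod.conf. This added example (not Asantee's or MongoDB's code) audits a config file for them; the two sample configs and the issue labels are constructed, and it assumes a self-managed deployment configured through the YAML file.

```python
# Constructed sample: no access control and a listener on every interface.
WEAK_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: access control on, listener limited to known addresses.
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # constructed private address
storage:
  dbPath: /var/lib/mongodb
security:
  authorization: enabled
"""


def parse_conf(text):
    """Flatten a mongod.conf (YAML subset: nested mappings with scalar values)
    into dotted keys such as 'security.authorization'."""
    settings, stack = {}, []  # stack holds (indent, key) for open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        # Close any section that is not a parent of this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            settings[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return settings


def audit(text):
    """Return labels for settings that leave the database open."""
    conf = parse_conf(text)
    issues = []
    # Access control is off unless security.authorization is "enabled".
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        issues.append("AUTH_DISABLED")
    # mongod binds to localhost by default; these values open every interface.
    addresses = [a.strip() for a in conf.get("net.bindIp", "localhost").split(",")]
    bind_all = conf.get("net.bindIpAll", "false").lower() == "true"
    if bind_all or any(a in ("0.0.0.0", "::", "*") for a in addresses):
        issues.append("BOUND_ALL_INTERFACES")
    return issues


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

Both findings together mean anyone who can reach the port can read the data without credentials, which is the condition to alert on first.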

The MongoDB Data Breach and Cyberattacks on the Gaming Industry 

The MongoDB data breach was contained as the company activated its incident response plan. However, the repercussions of the breach are still visible on the market, with the latest example being the Magic Rampage data leak. Moreover, access to the Magic Rampage database was secured in a few hours. The leaked data, however, reportedly includes players' usernames, emails, device information, statistics, and admin credentials with encrypted passwords. Detailed logs reveal various categories of information, including prize counts, storage sizes, and timestamps, providing insights into the scope of the breach. However, the organization denies that any user data was compromised in this breach.

Furthermore, the gaming industry at large faces persistent threats from hackers and ransomware groups, as evidenced by the recent breach affecting Void Interactive, developers of Ready or Not. With over 4TB of data allegedly stolen, including millions of files, the incident highlights the ongoing challenges posed by cybersecurity vulnerabilities.

Caught in the Crossfire: Jordan’s Cyber Defenses Tested Amid Israel-Iran Clashes


Amidst the complexities of the Israel-Iran conflict, the Middle East is witnessing another form of strife: cyber warfare. Jordan finds itself at the forefront of this battle, facing a barrage of alleged cyberattacks orchestrated by various hacktivist groups. The BlackMaskers Team has emerged as a prominent threat, claiming cyberattacks on crucial Jordanian entities, ranging from the stock exchange to private sector enterprises. The ongoing cyberattacks follow recent incidents of Jordan supporting Israel against Iran in the ongoing war. The BlackMaskers Team proclaimed their actions, declaring Jordan as their prime target.

Image: Cyberattacks on Jordan (Source: X)

Their assaults on Jordanian websites and subsequent data breaches have sparked concern, highlighting the vulnerability of national infrastructure and private companies alike.

Cyberattacks on Jordan Amidst Public Outrage

Image: Cyberattacks on Jordan (Source: X)

Jordanian authorities are dealing with reports of cyberattacks while also facing public criticism for their decision to support Israel against Iran. The organizations suspected to be affected include the Jordan Stock Exchange and the Jordanian Water Company Yarmook.

Image: Cyberattacks on Jordan (Source: X)

The gravity of the Jordan cyberattacks was highlighted when the hacker group threatened to leak sensitive information pertaining to more Jordanian companies. This warning, coupled with the release of sample documents, further exacerbated the situation in the country. Amidst the chaos, the cyber assailants remain elusive, evading detection as they exploit vulnerabilities in Jordanian organizations.

The leaked sample data allegedly comprises sensitive documents and information, including financial auditing reports for companies like Jordan Steel, insights into Jordan's alleged assistance to Israel against Iranian threats, and documents from other Jordanian entities.

The Cyber Express has reached out to the listed victims to learn more about these cyberattacks on Jordan. However, at the time of writing, no official statement or response has been received, leaving the claims made by the threat actor unverified.

Jordanians Display Insurgency Against the Government 

The ramifications extend beyond Jordan's borders, intersecting with the broader geopolitical setup of the region. Reports of Jordan's assistance to Israel in countering Iranian threats have triggered uproar and dissent within the country, where the local public feels betrayed by their government. The fallout from these events reverberates across social media platforms, fueling speculation and resentment. Accusations of betrayal and collusion with Israel flood online discourse, painting a portrait of disillusionment and discontent among Jordanians.

Jordan is reportedly experiencing public outrage for supporting Israel against an Iranian attack. Misinformation regarding the king's role is being circulated online. Many Jordanians feel betrayed by their government's stance, resulting in significant anger and protests against the alliance with Israel.

Amidst the chaos, Jordan's vulnerabilities are laid bare once again, with an unfamiliar hacker group claiming cyberattacks on multiple organizations at once. This intrusion, though not confirmed, highlights the current situation in the Middle East, where hackers, governments, and the local public are taking sides while war is disrupting the livelihood of common citizens.

This is an ongoing story and The Cyber Express will be monitoring the situation. We’ll update this post once we have more information on the alleged cyberattacks on Jordan or any official confirmation from the listed organizations.