Malicious Firmware Update Destroyed Over 600,000 Routers Across ISP

By: Alan J
30 May 2024 at 14:12

In one of the largest mass bricking events in history, at least 600,000 routers belonging to subscribers of the same ISP service were essentially destroyed last October. The incident has been dubbed "Pumpkin Eclipse," with researchers still unclear on how the routers became infected. The affected devices displayed a steady red light and were unresponsive to troubleshooting attempts, and had to be replaced. Now new research is shedding light on the attack, which involved unusually sophisticated and stealthy attack methods.

'Pumpkin Eclipse' Router Attack

The attack began on October 25, 2023, as the ISP's subscribers began reporting their ActionTec T3200 and Sagemcom routers had suddenly stopped working. Users described the devices as unresponsive, with a steady red light on the front panel. Many blamed the ISP for the mass "bricking" of the routers, alleging the company had pushed faulty firmware updates. However, according to new research by Black Lotus Labs, the incident was in fact the result of a deliberate, malicious act. The researchers reported that over a 72-hour period, a malware known as "Chalubo" had infected over 600,000 routers connected to a single autonomous system number (ASN) belonging to an unnamed ISP. While the researchers avoided naming the ISP affected in the attack, the description of the attack matches frustrations expressed months ago by subscribers of the Windstream ISP, such as the router affected and its resulting behavior. The Chalubo malware, a commodity remote access trojan (RAT) first identified in 2018, employed sophisticated tactics to cover its tracks. It removed all files from the infected devices' disks, ran entirely in memory, and assumed random process names already present on the routers. The researchers believe the malware downloaded and ran code that permanently overwrote the router's default device firmware, rendering them permanently inoperable. The researchers state that while the motives behind the attack are unknown, its implications are troubling.

Researchers Unsure Over Initial Attack Vector but Theorize Possibilities

Although the researchers identified the malware's multi-chain attack process and its spread across the ISP's network, they have been unable to determine the initial infection vector employed by the threat actor. They theorize that it could have possibly resulted from the exploit of an inherent vulnerability, exploit of weak credentials, or compromise of the routers' administrative panels. The researchers said the attack is highly concerning, as it represents a new precedent for malware capable of mass-bricking consumer networking devices. The researchers could only recall one prior similar event - the 2022 discovery of the AcidRain malware, which knocked out over 10,000 satellite internet modems in Ukraine and Europe during the start of the Russian invasion.

The researchers said the impact of the "Pumpkin Eclipse" attack was particularly severe, as the affected ISP's service area covers many rural and underserved communities. Residents may have lost access to emergency services, farmers could have been cut off from remote crop monitoring, and healthcare providers may have been unable to access patient records or provide telehealth services.

"At this time, we do not assess this to be the work of a nation-state or state-sponsored entity," the Lumen researchers wrote. "In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as Volt Typhoon, or SeaShell Blizzard." Nonetheless, they speculated that usage of a commodity malware family may have been a deliberate move to obscure the perpetrator's potential identity. Recovery from such a supply chain disruption is always more challenging in isolated or vulnerable regions, the researchers added.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Internet Archive Defends Against Cyberattack Amid DDoS Assault

Internet Archive, one of the oldest online directories of websites, movies, books, software and more, is facing a cyberattack that has disrupted its services for over three days. The Internet Archive cyberattack, identified as a distributed denial-of-service (DDoS) assault, has besieged the service and inundated its servers with repeated requests. While the organization is reassuring users that its collections remain secure, the accessibility of its Wayback Machine, a tool allowing users to explore historical web pages, has been compromised.

Internet Archive Cyberattack Targets Multiple Systems

According to a blog post shared by Internet Archive on May 28, intermittent service disruptions have been reported over the past few days, confirmed by updates shared by Archive officials on social media platforms. Despite efforts to mitigate the attack, the exact source remains undisclosed. In response to the DDoS attack, Brewster Kahle, the founder and digital librarian of the Internet Archive, expressed gratitude for the outpouring of support while reaffirming the organization's commitment to fortify its defenses. Kahle characterized the attack as "sustained, impactful, targeted, adaptive, and importantly, mean" in the blog post.

Mitigation Against the Internet Archive DDoS Attack

The Internet Archive serves as a valuable resource for users seeking access to a diverse range of media content, both historical and contemporary, free of charge. However, its mission to democratize access to knowledge has encountered legal challenges, with the organization facing lawsuits from the U.S. book publishing and recording industry associations in the last year. The legal actions alleged copyright infringement and sought significant damages, casting a shadow over the future operations of libraries worldwide. The cyberattack on the Internet Archive echoes a troubling trend of attacks targeting libraries and knowledge institutions globally. Recent victims include the British Library, the Solano County Public Library in California, the Berlin Natural History Museum, Ontario’s London Public Library, and just this week, the Seattle Public Library. In light of the ongoing cyberattack and legal battles, Kahle emphasized the broader implications for libraries everywhere. He warned that the actions of publishing and recording industries threaten to undermine the very existence of libraries, posing a grave concern for patrons worldwide. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Internet Archive cyberattack or any further communication from the organization.

Johnson & Johnson Reports Data Breach Potentially Linked to Massive Cencora Breach

By: Alan J
30 May 2024 at 10:40

Pharmaceutical giant Johnson & Johnson recently announced a data breach that may stem from a larger data breach affecting Lash Group, a division of Cencora. In February, Cencora reported a data breach incident to the U.S. Securities and Exchange Commission (SEC) after learning that data had been exfiltrated from its information systems, some of which contained personal information. The breach may have compromised some sensitive information of patients registered with Johnson & Johnson Patient Assistance Foundation, Inc.

Johnson & Johnson Data Breach Notice

On May 29, Johnson & Johnson filed a notice of data breach with the Attorney General of Texas, indicating that an unauthorized party accessed confidential patient information. The breach affected approximately 175,000 Texans, but the total number of victims nationwide could be much higher. The breach affects two Johnson & Johnson entities: Johnson & Johnson Patient Assistance Foundation, Inc., and Johnson & Johnson Services, Inc. The following data was compromised in the attack: Name of individual, Address, Medical Information, and Date of Birth. Data breach notification letters have been sent to all the affected individuals, while limited information is available on the Texas Attorney General's data breach reports page. The incident is potentially linked to a much larger breach involving Cencora, which has affected over a dozen major pharmaceutical companies so far.

Link to Cencora Data Breach

The Johnson & Johnson data breach bears several similarities to other large third-party pharmaceutical company data breaches affected by the Cencora/Lash Group data breach, which was first discovered on February 21. Cencora’s Lash Group division aids pharmaceutical companies in running patient support programs that try to ensure that costly medication is available to disadvantaged patients, regardless of their ability to pay for them. At least 15 clients of Cencora/Lash Group have notified state authorities of data breach incidents, with databreaches.net listing the following victims:
  • AbbVie: 54,344 Texans affected
  • Acadia Pharmaceuticals: 753 Texans affected
  • Bayer: 8,822 Texans affected
  • Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation: 256,237 Texans and 11,503 New Hampshire residents affected
  • Dendreon: 2,923 Texans affected
  • Endo: no numbers provided
  • Genentech: 5,805 Texans affected
  • GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation: no numbers provided
  • Incyte Corporation: 2,592 Texans affected
  • Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.: 466 Texans and 27 New Hampshire residents affected
  • Novartis Pharmaceuticals: 12,134 Texans affected
  • Pharming Healthcare, Inc.: 314 Texans and 9 New Hampshire residents affected
  • Regeneron Pharmaceuticals: 91,514 Texans affected
  • Sumitomo Pharma America, Inc.: 24,102 Texans affected
  • Tolmar: 1 New Hampshire resident
Data breach notices have also been filed with California officials. While the full extent of the damage has yet to be determined, it has affected over 540,000 patients so far. Cencora stated in its notification to the Securities and Exchange Commission that it had not yet been able to determine if the incident had a material impact on its operations. In a notice on its website, the Lash Group indicated that personal information as well as personal health information had been potentially affected, including first name, last name, date of birth, health diagnosis, and/or medications and prescriptions. The Lash Group said in a statement that no personal data appears to have been exposed because of the incident:
“There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself.”
The Lash Group is offering free credit monitoring and remediation services to affected individuals, and additional guidance on dealing with suspected breaches of personal information. No perpetrator has been identified or named as being responsible for the attack, and the potential impact of the breach is still being assessed.

TRAM Barcelona Hit by DDoS Attack: NoName Group, Cyber Army of Russia Claim Responsibility

The website of Barcelona tram services, a central component of Spain's transportation network, was reportedly the target of a Distributed Denial-of-Service (DDoS) cyberattack. The TRAM Barcelona cyberattack has been claimed by the pro-Russian hacker group called "NoName," in collaboration with the Cyber Army of Russia. In a post, the group, which claims to be "NoName057(16)", made the announcement which read, "Supporting the attack by our friends from the People's Cyber Army, we are taking down one of Spain's transport websites." Since first emerging in March 2022, the pro-Russian hacker group NoName has been increasingly active, taking responsibility for a series of cyberattacks targeting government agencies, media outlets, and private companies across Ukraine, the United States, and Europe.

Decoding the Tram Barcelona Cyberattack

TRAM Barcelona, with its origins dating back to 1872, was one of Europe's earlier tram systems. After services were discontinued in 1971, the tram was reintroduced in 2004 with the new Trambaix and Trambesòs lines, which have since become a popular mode of transportation throughout Spain’s Catalonia region.

The specifics of the cyberattack on Tram Barcelona, including potential data breaches and the attackers' motives, have not been fully disclosed. The hacker group announced the attack on May 29, 2024, and as of this report, the website is still down. The company has not yet acknowledged the incident or issued any official statement about the status of the website and its services. The claimed cyberattack on Tram Barcelona highlights the persistent threat of security incidents on crucial entities, such as banks and government organizations. However, the absence of an official statement raises questions about the severity and credibility of the NoName cyberattack claim.

TRAM Barcelona Cyberattack: Latest in Series of Assaults

This isn’t the first instance of NoName targeting organizations. In January 2024, the group claimed responsibility for a series of cyberattacks across the Netherlands, Ukraine, Finland, and the USA. NoName has previously targeted a range of organizations, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), PrivatBank 24, Credit Agricole Bank, MTB BANK, Accordbank, Matek Systems in China, Pixhawk in Switzerland, SpetsInTech, and Kvertus. Incidentally, just like Tram Barcelona, OV-chipkaart is also involved in the public transportation system, offering a contactless smart card system widely used for public transportation in the Netherlands. Until an official statement is released by the affected organization, the full scope and impact of the alleged NoName cyberattack remain unclear. As the cybersecurity landscape continues to evolve, these incidents highlight the importance of bolstering security protocols and adopting proactive measures to mitigate the increasing threat of cyberattacks. This is an ongoing story, and we will provide updates as more information becomes available.

Family-Owned Woodworking Company Western Dovetail Hit by Akira Ransomware Attack

The notorious Akira ransomware group has added another victim to its growing list of targeted organizations, striking at Western Dovetail, a prominent woodworking company founded in 1993 by Maxfield Hunter, its president and CEO, along with support from his father, George Hunter, and brother, Josh Hunter. The family-owned business, known for its dedication to woodworking craftsmanship, has become the latest casualty of cybercrime. The Akira ransomware group took to online forums to announce their latest Western Dovetail data breach, proclaiming the availability of "a few GB of their data" for public access. The compromised data reportedly includes sensitive employee information such as addresses, emails, phone numbers, and even details of relatives, along with tax and payment information, and a snippet of medical records.

Western Dovetail Cyberattack: Verification Efforts and Official Response

Despite this disclosure, Akira has remained tight-lipped about their motives behind targeting Western Dovetail. Upon investigating Western Dovetail's official website, no signs of foul play were immediately evident, as the website appeared to be fully functional. To corroborate further, The Cyber Express Team reached out to Western Dovetail officials for comment. However, at the time of compiling this report, no official response had been received, leaving the claim of the Western Dovetail data breach unverified.

Akira Ransomware Trail of Cyber Destruction

The latest cyberattack on Western Dovetail adds to a growing list of cyber onslaughts orchestrated by the Akira ransomware group. In April 2024, the group was identified as the mastermind behind a series of devastating cyberattacks targeting businesses and critical infrastructure entities across North America, Europe, and Australia. According to the U.S. Federal Bureau of Investigation (FBI), Akira has breached over 250 organizations since March 2023, raking in a staggering $42 million in ransom payments. Initially focusing on Windows systems, Akira has expanded its tactics to include Linux variants, raising alarm bells among global cybersecurity agencies. Before targeting Western Dovetail, the ransomware group had set its sights on prominent entities such as DENHAM the Jeanmaker, a renowned denim brand based in Amsterdam, and TeraGo, a Canada-based provider of secure cloud services and business-grade internet solutions.

Conclusion and Awaited Response

In the wake of the Western Dovetail cyberattack, the cybersecurity landscape remains fraught with uncertainty. While the company's official response is eagerly awaited, the incident serves as a reminder of the ever-present threat posed by cybercriminals. As organizations strive to protect themselves against such cyberattacks, collaboration between cybersecurity experts, law enforcement agencies, and affected entities becomes increasingly crucial in combating the pervasive menace of ransomware.

LockBit Ransomware Group Allegedly Strikes Heras UK in Cyberattack

The LockBit ransomware group has targeted Heras UK, a prominent European provider of end-to-end perimeter protection solutions. The threat actor claimed the Heras cyberattack and shared a website status displaying the downtime alongside a countdown, ticking away the time until the data breach is potentially exploited. Heras, operating across 24 countries with a workforce of over 1100 skilled professionals, reportedly faces a data breach.  The Cyber Express, in pursuit of clarity on the attack, reached out to the organization for comments. However, at the time of writing this, no official statement has been issued, leaving the alleged Heras data breach unconfirmed. Despite the claims, Heras' website remains functional, showing no immediate signs of the cyber attack. It's plausible that the attackers targeted the website's backend, opting for stealth over a frontal assault like DDoS or defacement.

Alleged Heras Cyberattack Surfaces on Dark Web

The cyberattack on Heras comes amidst a spree of cyber attacks orchestrated by the LockBit ransomware group. Notably, the group targeted Allied Telesis, Inc., a leading American telecommunication equipment supplier. While the Heras data breach purportedly occurred on May 27, 2024, the authenticity of the claims and the leaked data remains unverified.

In a bold move earlier this year, the United States imposed sanctions on affiliates of the Russia-based LockBit ransomware group. This decisive action, led by the U.S. Department of Justice and the Federal Bureau of Investigation, signals a unified stance against cyber threats. LockBit, notorious for its Ransomware-as-a-Service (RaaS) model, employs double extortion tactics to extort hefty ransoms from its victims.

Who is the LockBit Ransomware Group?

The LockBit ransomware group is a sophisticated cybercrime organization that targets enterprises and government organizations. Formerly known as "ABCD" ransomware, LockBit operates as a crypto-virus, demanding financial payment in exchange for the decryption of encrypted files. Unlike some ransomware that targets individuals, LockBit primarily focuses on large entities, seeking hefty sums from viable targets. Since its inception in September 2019, LockBit has targeted organizations globally, including those in the United States, China, India, Indonesia, Ukraine, France, the UK, and Germany. It strategically selects targets likely to have both the financial means and the urgency to resolve the disruption caused by the attack. Notably, LockBit avoids attacking systems within Russia and the Commonwealth of Independent States, possibly to evade prosecution. As for the Heras data breach, this is an ongoing story and The Cyber Express will be closely monitoring the situation and we'll update this post once we have more information on the attack or any official confirmation from the organization.

Seattle Public Library Recovers Key Services After Ransomware Attack

Amid the setbacks from the SPL cyberattack, the Seattle Public Library has managed to restore some digital services. Patrons can now access the event calendar and online versions of major newspapers like the New York Times, Wall Street Journal, and Washington Post. Additionally, Hoopla, a digital media borrowing service, is operational, though users may need to log out and back in or reinstall the app if they encounter issues. However, access to e-books remains disrupted. Patrons can choose to delay the delivery of their Libby holds, which offers a workaround to maintain access to held items when the service resumes fully. The Seattle Public Library (SPL) faced a ransomware attack that crippled its computer systems this week. On May 28, libraries across South Seattle were noticeably quiet, with signs informing patrons that all computer services were down. This included not only the physical computer terminals and printing services but also the in-building Wi-Fi, crucial for many library users.

The SPL Cyberattack and Immediate Response

The ransomware attack was detected early in the morning of Saturday, May 25, just one day before planned maintenance on a server over the Memorial Day weekend. The SPL cyberattack impacted several critical services, including staff and public computers, the online catalog and loaning system, e-books and e-audiobooks, and the library’s website. Upon discovering the attack, SPL quickly engaged third-party forensic specialists and contacted law enforcement. The library took all its systems offline to prevent further damage and assess the situation. “We are working as quickly and diligently as we can to confirm the extent of the impacts and restore full functionality to our systems,” library officials said. Ensuring the privacy and security of patron and employee information remains a top priority, and systems will stay offline until their security can be guaranteed. SPL officials have been transparent about the ongoing nature of the investigation and restoration efforts. Although they have not provided an estimated time for when all services will be fully restored, they have promised regular updates. “Securing and restoring our systems is where we are focused,” they emphasized, expressing regret for the inconvenience and thanking the community for its patience and understanding.

The Broader Impact of Library Cyberattacks

Ransomware attacks on public libraries have become increasingly common, posing severe operational challenges. The London Public Library's December attack forced the closure of three branches—Carpenter, Lambeth, and Glanworth—until January 2. This incident highlighted the vulnerability of public institutions to cyber threats and the significant disruption such attacks can cause to community services. Similarly, the National British Library faced a major outage in October 2023 that initially seemed like a technical glitch but rapidly escalated into a widespread disruption. This affected online systems, including the website and onsite services such as public Wi-Fi and phone lines. The library’s operational challenges were compounded by the extent of the services impacted, which underscored the critical nature of cybersecurity for public knowledge institutions.

Moving Forward

As SPL works to recover from the ransomware attack, the incident highlights the importance of enhanced cybersecurity measures for public libraries. These institutions are pivotal in providing access to information and services to the community, and disruptions can have far-reaching consequences. Library officials continue to prioritize restoring full functionality and ensuring the security of their systems. The community awaits further updates, hopeful for a swift resolution to regain full access to the valuable resources the Seattle Public Library offers. In the meantime, patrons are encouraged to use the limited digital services available and to stay informed through the library’s updates on their website and social media channels.

Klein ISD Student Faces Felony Charge for Cyberattack Disrupting State Testing for 24,000 Students

An 18-year-old high school student from Texas has found himself at the center of a significant cybercrime investigation. Keontra Kenemore is facing a third-degree felony charge of electronic access interference, accused of launching a Klein ISD cyberattack that disrupted state-mandated testing for thousands of students. The implications of this digital cyberattack have rippled across the Klein Independent School District (Klein ISD), affecting more than 24,000 students and raising serious concerns about cybersecurity in educational institutions.

Klein ISD Cyberattack: Disruption During Critical Testing Period

The cyberattack, known as a Distributed Denial of Service (DDoS) attack, was carried out using Kenemore’s school-issued Chromebook. According to court documents, Kenemore allegedly accessed websites that initiated the DDoS attack, overwhelming the district's network services during the crucial STAAR testing period in April. The impact was immediate and widespread, with students at all campuses within the district experiencing significant disruptions. On the first day of testing, about 3,000 students attempting the English Language Arts test were locked out of the system, forced to stop and restart their exams. The chaos continued the following day, affecting another 700 students. Investigation reveals that Kenemore admitted to using websites to launch DDoS attacks on multiple occasions. The district’s IT department discovered the DDoS attack when the testing coordinator at Kenemore’s high school reported internet issues during the testing period. The disruptions not only interrupted the testing process but also posed a threat to the district’s accountability rating with the Texas Education Agency, potentially impacting future funding and evaluations. When questioned by school administrators, Kenemore reportedly admitted to accessing the websites used to send the DDoS attacks. However, a family member told Houston NBC affiliate KPRC 2 that Kenemore claimed it was an accident, asserting that he was expelled and unable to graduate as a result of the incident.

District's Response and Future Implications

Despite Kenemore’s expulsion and the ongoing legal proceedings, Klein ISD has remained tight-lipped about the incident. The silence from Klein ISD leaves many questions unanswered, particularly concerning their cybersecurity measures and how they plan to prevent similar incidents in the future. The case against Kenemore highlights the growing vulnerabilities in school district networks and the ease with which they can be exploited. As the investigation continues, the full extent of the damage caused by the DDoS attack remains to be seen. For the students affected, the disruption to their testing period has been a significant setback, one that may have lasting consequences on their academic records. For Keontra Kenemore, the legal ramifications of his actions will likely shape his future in profound ways. This Klein ISD cyberattack serves as a reminder of the potential dangers posed by cyber assault in our increasingly connected world. It calls for heightened awareness and more robust cybersecurity protocols within educational institutions to protect against such disruptive and damaging actions. As the case unfolds, it will undoubtedly contribute to the broader dialogue on digital security and the measures necessary to protect vulnerable systems from malicious interference.

U.S. Treasury Sanctions Chinese Nationals Behind Billion-Dollar 911 S5 Botnet Fraud

The U.S. Treasury Department sanctioned three Chinese nationals on Tuesday for their alleged involvement in operating the 911 S5 proxy botnet widely used for fraudulent activities, including credit card theft and Coronavirus Aid, Relief, and Economic Security program frauds. The sanctions are aimed at curbing the operations linked to the botnet, which caused major financial losses amounting to "billions" of dollars to the U.S. government.

The Rise and Demise of 911 S5 Botnet

The botnet in question played a critical role in executing numerous fraudulent schemes through stolen residential IP addresses.
"The 911 S5 botnet compromised approximately 19 million IP addresses and facilitated the submission of tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs by its users, resulting in the loss of billions of dollars to the U.S. government."
911 S5 is a residential proxy botnet that allows its paying users, often cybercriminals, to select the IP addresses they can use to connect to the internet using intermediary, internet-connected computers that have been compromised without the computer owners’ knowledge. 911 S5 essentially enables cybercriminals to conceal their originating location, effectively defeating fraud detection systems, the U.S. Treasury explained. The 911 S5 botnet was also implicated in a series of bomb threats made in July 2022, according to the Treasury. Investigators linked IP addresses within the proxy botnet network to this incident. The network was connected to 911 S5, a residential proxy service that allowed users to mask their IP addresses by routing their web activity through compromised devices. The 911 S5 service went offline in July 2022, following a purported hacking incident that damaged essential data. The disruption was reported by independent journalist Brian Krebs. Despite its shutdown, the impacts of its previous operations continued to reverberate, leading to the current sanctions.

The Individuals and Businesses Sanctioned

The sanctioned individuals include Yunhe Wang, allegedly the administrator of the botnet; Jingping Liu, accused of laundering proceeds for Wang; and Yanni Zheng, who reportedly acted as power of attorney for Wang and facilitated business transactions on his behalf through the company Spicy Code Company Limited. The men are believed to reside in Singapore and Thailand, countries that were acknowledged as partners in the sanctions announcement. Three businesses registered in Thailand were also sanctioned for their connections to Wang. These sanctions require that any property and interests owned by the three men within the U.S. be reported to the Treasury, and prohibit U.S. citizens or residents from engaging in business with them. Only these three individuals and the businesses implicated in their fraudulent schemes were sanctioned by the Treasury, but no indictments or legal actions were revealed by the U.S. Department of Justice (DOJ), as is the case in many other instances.

Broader Ongoing Cybersecurity Concerns

The sanctions against these individuals are part of a broader effort by the U.S. government to address cybersecurity threats linked to state-sponsored hacking groups. Google-owned cybersecurity firm Mandiant warned last week that Chinese state hackers are increasingly using vast proxy server networks, built from compromised online devices and virtual private servers, to evade detection during their cyberespionage campaigns. In January, the DOJ announced the takedown of a botnet associated with Volt Typhoon, a hacking group with ties to the Chinese government. This group was known for infecting home and office routers with malware to obscure its hacking activities. The concerted actions by U.S. authorities and private defenders highlight the ongoing challenges and complexities in combating cybercrime and protecting critical financial and infrastructural systems from sophisticated malicious actors.

RansomHub Cyberattack Targets Serbian Gas Firm PSG BANATSKI DVOR, Disables SCADA Systems

The RansomHub group has claimed a cyberattack on PSG BANATSKI DVOR D.O.O., a gas storage services provider based in Serbia. The claims for this RansomHub cyberattack were posted on May 28, 2024, and revealed sensitive data about the organization, targeting the security of critical infrastructure and the integrity of sensitive data. According to the threat actor's post, RansomHub exfiltrated a substantial amount of data totaling 80 GB. Among the stolen information are critical files encompassing IT, Accounting, Finance, Projects, Client database (in SQL format), Budgets, Taxes, Logistics and supply chain management, Production data, HR, Legal data, KPI, and R&D documents. Additionally, the threat actors have allegedly disabled the SCADA (Supervisory Control and Data Acquisition) systems, further exacerbating the operational impact of the attack.

RansomHub Cyberattack Allegedly Targets PSG BANATSKI DVOR

[Image: RansomHub Cyberattack. Source: Dark Web]

The cybercriminals have set a deadline of 5 days for the potential leak of the stolen data, adding urgency to the situation. The implications of such a breach extend beyond PSG BANATSKI DVOR, affecting not only the company but also its clients and stakeholders. The Cyber Express has reached out to the Serbian gas service provider to learn more about the authenticity of this alleged PSG BANATSKI DVOR cyberattack. However, at the time of writing this, no official statement or response has been received, leaving the claims for this RansomHub cyberattack unconfirmed. Moreover, the PSG BANATSKI DVOR website is currently nonfunctional and is displaying a "took too long to respond" error. This error, often associated with cyberattacks, suggests disruptions in the normal functioning of the website, possibly due to overwhelming server loads or exploitation of vulnerabilities in the site's infrastructure.

Threat Actor Blames Employee for the PSG BANATSKI DVOR Cyberattack

Apart from claiming the alleged cyberattack on PSG BANATSKI DVOR, the threat actor is demanding cooperation and threatens to expose the stolen data otherwise. “We have all the important files, such as: IT, Accounting, Finance, Projects, Client database (in SQL format) Budgets, Taxes, Logistics and supply chain management, Production data, HR, Legal data, KPI, R&D. Over 80 GB of sensational information has been downloaded”, says the hacker. Additionally, the group blames an employee named Dejan Belić for the breach. The threat actors have previously targeted similar victims and share similarities with traditional Russian ransomware groups while refraining from targeting certain countries and non-profits. Their victims span various countries, including the US and Brazil, with healthcare institutions being particularly targeted. While major corporations haven't been hit yet, the breadth of targeted sectors is concerning.

First American Data Breach: 44,000 Affected After December Cyberattack

The First American Financial Corporation, one of the largest title insurance companies in the United States, revealed that a cyberattack in December 2023 exposed the personal information of around 44,000 people. The First American data breach disclosure was made in a filing with the U.S. Securities and Exchange Commission (SEC) on May 28, 2024, raising serious concerns about data security at the company. The filing disclosed that attackers had breached some of First American's systems and accessed sensitive data without authorization. "As of the date of this filing, the Company’s investigation of the incident has concluded. Based upon our investigation and findings, the Company has determined that personal information pertaining to approximately 44,000 individuals may have been accessed without authorization as a result of the incident," the company stated. In response to the First American data breach, the company committed to notifying the affected individuals and providing them with credit monitoring and identity protection services at no cost. This proactive measure aims to mitigate the potential fallout for those whose data was compromised. "The Company will provide appropriate notifications to potentially affected individuals and offer those individuals credit monitoring and identity protection services at no cost to them," the company stated in the filing.

[Image: First American Data Breach. Source: SEC]

First American Cyberattack: A Troubled History

The December 2023 data breach occurred just a month after First American settled a significant cybersecurity incident from 2019. On November 29, 2023, the company agreed to pay a $1 million penalty to New York State for violating cybersecurity regulations. This penalty stemmed from a May 2019 breach where the company's proprietary EaglePro application exposed personal and financial data. The breach allowed unauthorized access to documents without proper authentication, exposing sensitive information from hundreds of thousands of individuals. The New York Department of Financial Services (DFS) criticized First American's security practices, noting that the company's senior management had been aware of the vulnerability in EaglePro. The DFS's findings underscored the importance of robust cybersecurity measures, especially for companies handling large volumes of personal and financial data.

Industry-Wide Challenges

First American is not alone in facing cybersecurity threats. In November 2023, Fidelity National Financial, another major American title insurance provider, experienced a cybersecurity incident. The cyberattack forced Fidelity to take down some of its systems to contain the breach, causing disruptions to its business operations. In January 2024, Fidelity confirmed in an SEC filing that the attackers had stolen data from approximately 1.3 million customers using non-self-propagating malware. These cybersecurity incidents reflect a broader trend of increasing cyberattacks targeting financial institutions, emphasizing the need for enhanced cybersecurity frameworks across the industry. Title insurance companies, which handle vast amounts of sensitive information, are particularly attractive targets for cybercriminals.

The Road Ahead for First American Data Breach

The latest First American data breach marks another challenge for the company as it strives to regain trust and enhance its cybersecurity posture. The company must address both immediate and long-term security concerns to protect against future incidents. This includes investing in advanced security technologies, conducting regular security audits, and fostering a culture of cybersecurity awareness among employees. Moreover, regulatory scrutiny is likely to intensify. Financial institutions are expected to adhere to stringent cybersecurity standards, and any lapses can result in substantial penalties and reputational damage. First American's recent history indicates a pressing need for the company to strengthen its defenses and ensure compliance with all regulatory requirements.

Customer Impact and Response

For the 44,000 individuals affected by the December 2023 First American data breach, the offer of free credit monitoring and identity protection services is a critical step. These services can help detect and prevent potential misuse of their personal information. However, the emotional and psychological impact of knowing their data has been compromised cannot be overstated. Customers should remain vigilant, monitoring their financial accounts for any suspicious activity and taking advantage of the protection services offered by First American. Additionally, they should be aware of phishing attempts and other forms of cyber fraud that often follow such breaches.

Alleged Cyberattack Strikes Allied Telesis: LockBit Ransomware Suspected

The notorious LockBit ransomware group has claimed an alleged cyberattack on Allied Telesis, Inc., a prominent American telecommunication equipment supplier. The purported Allied Telesis data breach incident involves the infiltration of the company's systems by the ransomware group, known for its sophisticated cyber operations. The claimed breach, dated May 27, 2024, suggests that the Allied Telesis data breach exposed sensitive data about the organization. However, neither the claims nor the sample data posted by the threat actor have been verified.

Alleged Allied Telesis Data Breach Exposes Sensitive Information

The information supposedly exfiltrated includes confidential project details dating back to 2005, passport information, and various product specifications. As a demonstration of their intrusion, the threat actors purportedly disclosed blueprints, passport details, and confidential agreements, issuing a deadline of June 3, 2024, for the full release of the compromised data.

[Image: Alleged Allied Telesis Data Breach. Source: Dark Web]

Despite the gravity of the allegations, Allied Telesis has yet to confirm or refute the purported cyberattack. The Cyber Express reached out to the company for clarification, but as of this writing, no official statement has been issued. Consequently, the authenticity of the alleged breach remains unverified, leaving the situation shrouded in uncertainty. Interestingly, the timing of these allegations coincides with significant organizational changes within Allied Telesis. On May 27, 2024, the company reportedly relocated its China branch to a new address. Moreover, the recent re-appointment of Jon Wilner as the Vice President of Customer Success highlights some of the big changes within the organization, which could possibly help decipher the “why” of the alleged data breach.

Collaborative Ventures Amid Uncertainty

In the midst of this alleged security breach, Allied Telesis has been actively engaged in strategic partnerships aimed at upgrading its security features. Just last month, the company announced a collaboration with Hanwha Vision America, integrating cutting-edge video surveillance technology with its networking infrastructure. This alliance aims to deliver secure and scalable surveillance solutions to organizations seeking enhanced security measures. Key highlights of this partnership include interoperability, enhanced security features, scalability, and simplified management of surveillance systems. By leveraging Allied Telesis' expertise in secure networking alongside Hanwha Vision America's advanced surveillance technology, customers can expect comprehensive solutions tailored to their security needs. While the motives behind the alleged Allied Telesis cyberattack remain unclear, previous actions against the LockBit ransomware group shed light on the severity of the hacker group. Law enforcement agencies have previously taken down servers associated with LockBit operations, confiscating crucial details such as admin panel credentials, affiliate network information, and cryptocurrency transactions.

Russian Cyber Army Claims Alleged Cyberattack on Bulgarian Ports Infrastructure Company

The notorious Russian Cyber Army hacker group has claimed responsibility for an alleged cyberattack on the Bulgarian Ports Infrastructure Company. The threat actor asserts a targeted assault on the organization’s website. While the hacker group asserts the website's downtime, initial observations contradict this claim, indicating that the site remains operational without visible signs of a cyber onslaught. The Cyber Express has reached out to the Bulgarian Ports Infrastructure Company to verify the claims of the cyberattack incident. However, at the time of writing this, no official statement or response has been forthcoming, leaving the veracity of the claims surrounding the Bulgarian Ports Infrastructure Company cyberattack unconfirmed.

Russian Cyber Army Asserts Bulgarian Ports Infrastructure Company Cyberattack

Contrary to typical cyberattacks that result in website defacements or distributed denial-of-service (DDoS) disruptions, the purported assault by the Russian Cyber Army appears to have had minimal impact, if any, on the targeted website's operations. This suggests a potentially brief and ineffective attack, diverging from the more disruptive tactics commonly associated with cyber warfare.

[Image: Bulgarian Ports Infrastructure Company Cyberattack. Source: X]

Talking about the Bulgarian Ports Infrastructure Company cyberattack in its post, the Russian Cyber Army states that they are attacking the “State Enterprise “Port Infrastructure” (IF)”, which is the territorial authority of the Bulgarian ports, for public transport, providing traffic management and delivery information services. The Russian Cyber Army's recent activities have garnered attention, including a peculiar interview conducted by WIRED with a purported spokesperson known as "Julia." The interview sheds light on the group's motivations, which ostensibly revolve around defending Russian interests in the face of perceived external pressure from the United States, the European Union, and Ukraine.

Who is the Russian Cyber Army Hacker Group?

While the Russian Cyber Army portrays itself as a formidable force in the information warfare arena, experts caution against overestimating its influence, suggesting that the group's actions may primarily serve to bolster nationalist sentiments domestically rather than exert significant influence abroad. Moreover, the group's exposure by cybersecurity firms and government agencies highlights its emergence as a noteworthy entity on the global stage. Despite the hype surrounding the Russian Cyber Army's activities, analysts warn against succumbing to fear-mongering tactics, emphasizing the need for measured responses to cyber threats. As for the Bulgarian Ports Infrastructure Company cyberattack, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the alleged Bulgarian Ports Infrastructure Company cyberattack or any official confirmation from the organization.

Federal Court Denies Optus Appeal to Withhold Deloitte Report on 2022 Cyberattack

By: Alan J
27 May 2024 at 07:14

Optus, one of Australia's largest telecommunications companies, has lost a legal battle in the Federal Court. The Australian Federal Court has ordered the company to release an external review performed by Deloitte to investigate the cause of a significant 2022 cyberattack that led to the release of sensitive customer data. The Optus 2022 data breach resulted in the exposure of the names, dates of birth, phone numbers, and email addresses of over 10 million customers with addresses, driver's licence or passport numbers being exposed for a portion of the affected customers.

Optus Appeal Against Sharing External Deloitte Report

The data breach incident, along with a 14-hour outage of its telecommunication services, frustrations over the availability of information and credit monitoring services, and attempts by attackers to exploit the compromised data in SMS phishing attacks, led to intense scrutiny of the company.

[Image: Optus Deloitte External Report 2022 Data Breach. Source: www.optus.com.au/support/cyberresponse]

The company commissioned an independent external forensic review of the cyberattack, covering its security systems, controls and processes, from Deloitte on the advice of the then CEO Kelly Bayer Rosmarin and with the approval of its board. Bayer made the following statement over the decision:
“This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists.”
Kelly later resigned over the incident, with Optus now being led by a new CEO, who is working to rebuild trust with customers in a 'challenging' market. Despite the efforts of the company to deal with the data breach, the recent court decision comes after Optus appealed an earlier ruling that it must hand over the report to Slater & Gordon, the law firm pursuing a class action against the company for allegedly failing to protect its customers' personal information. Optus has not yet made a public statement regarding the Federal Court's decision. However, the company had previously argued that the Deloitte report was commissioned to provide legal advice and therefore it was privileged. The court, however, decided that Optus had failed to prove that the dominant purpose of the report was for legal advice.

Class Action Lawsuit Against Optus and Implications of Court Ruling

Slater & Gordon, the law firm representing the affected Optus customers, has welcomed the court's decision. The law firm's class actions practice group leader, Ben Hardwick, criticized Optus's efforts to keep the report confidential, stating that it indicates the company's refusal to accept responsibility for its role in the data breach and its impact on millions of its customers. In its April 2023 press release, the law firm's leader had stated that more than 100,000 of Optus’s current and former customers had registered for the class action, with some notable examples among the group such as:
  • a domestic violence victim who spent money that was intended for counselling for her children on increasing security measures around the house, including installing video cameras and extra locks on doors and windows
  • a former Optus customer who had previously been burgled and had his identity stolen who now suffers severe anxiety after learning his personal information had been shared online
  • a stalking victim who takes extreme measures to maintain her privacy, especially her address, who fears her life has genuinely been put in danger by the data breach
  • a woman who is now too fearful to answer the telephone after noticing an increase in scam phone calls following the Optus cyberattack, and
  • a retired police officer concerned that his home address may have been shared with criminals he was involved in the prosecution and incarceration of.
The press release also cited the frustration several customers expressed over alleged delays by Optus in providing details over the data breach, and reported inconsistencies in how the telecommunications giant had been treating affected customers. Some Optus registrants claimed to the law firm that they were dismissed when they sought further information from Optus, while others said that the company refused to pay for credit monitoring services on the basis that they were no longer Optus customers. “There appears to have been a piecemeal response from Optus, rather than a coordinated approach that made sure everyone whose data was compromised is treated the same.” The Federal Court's decision sets a significant precedent for companies involved in data breaches. It underscores the importance of transparency and accountability in such situations, and it may encourage other companies to take stronger measures to protect their customers' personal information.

FIRST Heritage Co-operative Credit Union Issues Alert Following Cyberattack

FIRST Heritage Co-operative Credit Union is updating its customers regarding any irregular financial activities in the coming weeks following a recent FHC cyberattack that disrupted its database. The credit union disclosed in a member advisory issued on Wednesday that it had been grappling with resolving a system disruption since April 3, 2024. This cyberattack on the credit union had hampered FHC's access to certain information, causing delays in processing members' financial requests.

Understanding the FHC Cyberattack

According to FHC, personal data such as member contact details and other documents submitted to facilitate transactions may have been affected by the attack. Despite this, investigations suggest that the credit union's IT security measures effectively mitigated the risk of unauthorized access to its core systems. Fortunately, assessments have shown no compromise to the integrity of members' financial accounts or those of affiliated organizations. FHC acted swiftly upon detecting the breach, collaborating with technology partners to investigate and contain the threat. Subsequent steps included activating data backup and recovery protocols alongside implementing additional security measures. “However, our investigations so far indicate that our IT security mechanisms were helpful in significantly minimising the risk of access to data on our core systems,” reads the statement by FHC, as reported by Jamaica Observer.

Mitigation Against Fraudulent Activities

As part of its ongoing efforts to upgrade security practices, FHC has initiated a password reset prompt for users of its iTransact banking platform. Additionally, automated tools are being employed to detect and prevent any suspicious activities across accounts and IT infrastructure. The credit union is actively cooperating with cybersecurity and law enforcement authorities in response to the incident. Members are advised to remain vigilant for any suspicious financial activities and are encouraged to regularly update their iTransact banking passwords. FHC highlighted the importance of using unique passwords for online services and urged caution against phishing emails or unsolicited communications that may follow a data breach. The cyberattack on FHC coincided with a report by global cybersecurity firm Fortinet, which highlighted Jamaica's exposure to 43 million attempted cyberattacks in 2023. The Latin American and Caribbean region collectively faced 200 billion attempted attacks, with Mexico, Brazil, and Colombia topping the list. The Cyber Express has reached out to FIRST Heritage Co-operative Credit Union to learn more about this FHC cyberattack. However, at the time of writing this, no official statement or response has been shared, leaving additional information about the incident pending verification.

Optus Faces Legal Action Over 2022 Data Breach: ACMA Alleges Failure to Protect Customer Data

Australian telco Optus faces a legal battle with the country's communications and media watchdog over the 2022 data breach. The Optus data breach resulted in the theft of personal information of over 10 million current and former customers, about 40% of the population. The Australian Communications and Media Authority (ACMA) has taken action against the country's second-largest telecommunications company, alleging negligence in safeguarding customer data as mandated by the Telecommunications (Interception and Access) Act 1979 (Cth).

Parent company Singtel, Faces Legal Action Following the Optus Data Breach

The Cyber Express has reached out to Optus to learn more about this legal action by the Australian Communications and Media Authority (ACMA). In response, an Optus spokesperson stated that they are aware of the proceedings in the Federal Court of Australia in relation to the cyberattack in September 2022. "At this stage, Optus Mobile is not able to determine the quantum of penalties, if any, that could arise. Optus has previously apologised to its customers and has taken significant steps, including working with the police and other authorities, to protect them. It also reimbursed customers for the cost of replacing identity documents. Optus intends to defend these proceedings. As the matter is now before the courts, Optus is unable to make any further comment", said the Optus spokesperson. In the Optus cyberattack, which occurred between September 17 and 20, 2022, hackers breached Optus's security measures, gaining unauthorized access to sensitive customer information. ACMA's move to file Federal Court proceedings signifies a significant step in holding Optus accountable for the breach, highlighting the regulatory emphasis on data protection and privacy. “The ACMA has filed proceedings in the Federal Court against Optus Mobile Pty Ltd (Optus). We allege that during a data breach that occurred between 17 to 20 September 2022, Optus failed to protect the confidentiality of its customers’ personal information from unauthorized interference or unauthorized access as required under the Telecommunications (Interception and Access) Act 1979 (Cth)”, ACMA's statement read. Optus, owned by Singaporean company Singtel, has expressed its intention to defend itself against the allegations while acknowledging the severity of the incident. “At this stage, Optus Mobile is not able to determine the quantum of penalties, if any, that could arise,” a spokesperson told local media.
The company has previously issued apologies to affected customers and taken proactive measures, including collaboration with law enforcement agencies, to mitigate further risks. Moreover, Optus has reimbursed customers for expenses incurred in replacing compromised identity documents, reflecting its commitment to addressing the aftermath of the breach.

Optus on the Road to Recovery but Legal Headache Ensues

Following the cyberattack, Optus disclosed that approximately 2.1 million Australians had their identification numbers compromised, including details from driver's licenses and passports. Additionally, around 10,000 customers had their information exposed on the dark web, exacerbating concerns regarding the extent of the breach's impact on individuals' privacy and security. Financially, the repercussions of the cyberattack have been substantial for Optus and its parent company, Singtel. The latter reported cyberattack-related costs amounting to 142 million Singapore dollars ($159 million) for the fiscal year ending March 31, 2023. These costs encompass various expenses, including regulatory investigations and potential litigation. Even with the challenges it has faced since the cyberattack, the telecommunications company reported stable earnings and mobile growth in FY24. Optus added 116,000 subscribers to its mobile customer base including growth of 108,000 prepaid customers. Interim CEO and CFO Michael Venter said the results demonstrated a solid performance in a difficult environment, as Optus remained focussed on enhancing customer experience. “Optus is working hard to rebuild the trust of customers after a challenging 18 months and these results demonstrate we are on the right track,” Venter said. “We’re listening to our customers and in the year ahead we’ll be continuing to prioritise what we know is important to them – a resilient network that delivers seamless connectivity, great value products and services, and simple, efficient customer service.” This strong performance, however, does not lessen the legal woes for Optus. Legal proceedings have further intensified with the commencement of class action proceedings by law firm Slater and Gordon on behalf of affected individuals.
The lawsuit alleges Optus's violation of privacy, telecommunication, and consumer laws, signaling a broader legal battle over accountability and corporate responsibility in safeguarding customer data. In response to escalating cyber threats, the Australian government has ramped up investments in cybersecurity initiatives, imposing stricter penalties for companies failing to address privacy breaches adequately. The Office of the Australian Information Commissioner (OAIC) has been empowered with enhanced authority to expedite breach resolutions and notify affected individuals promptly, signaling a concerted effort to enhance data protection measures nationwide. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

First Nations Health Authority in Crisis: Cyberattack Shakes BC’s Healthcare Sector

The First Nations Health Authority (FNHA) in British Columbia is currently grappling with the aftermath of a recent cyberattack on its corporate network. The cyberattack, discovered on May 13, 2024, has prompted swift investigation and action from the authority. FNHA, renowned as the first and sole provincial health authority of its kind across Canada, detected what it termed "unusual activity" within its corporate network. Acting promptly, the authority intercepted an unauthorized entity that had breached its network perimeter. Although certain employee information and limited personal data were compromised, FNHA assures that its clinical information systems remained unaffected.

Understanding the First Nations Health Authority Cyberattack

This cyber intrusion marks the latest in a string of cybersecurity incidents across British Columbia. While FNHA asserts no direct link between this attack and previous breaches, the province has been on high alert following similar incidents, including attempted ransomware attacks on B.C. libraries and a cybersecurity breach impacting the operations of a major retailer, London Drugs. In response to the cyberattack, FNHA has mobilized a comprehensive response strategy. The authority has engaged third-party cybersecurity experts to contain and remediate the breach while conducting a thorough forensic investigation to gauge the extent of the incident. Moreover, FNHA has promptly notified law enforcement and the Office of the Information and Privacy Commissioner of British Columbia. Acknowledging the severity of the situation, Premier David Eby highlighted earlier in the month the presence of "sophisticated cybersecurity incidents" targeting government networks. This sentiment highlights the urgent need for heightened vigilance and robust cybersecurity measures across all sectors, particularly within critical infrastructure like healthcare.

Mitigation Against the FNHA Cyberattack

In light of these developments, Caelan Drayer, a solutions architect at Dyrand Systems, emphasized the vulnerability of health authorities to cyber threats due to the sensitive nature of the data they handle. Drayer noted that cyber attackers often target health authorities due to perceived weaknesses in cybersecurity practices and the valuable personal information they possess. He further advised individuals potentially affected by the FNHA cyberattack to secure their email accounts, employ strong passwords, and enable two-factor authentication to mitigate risks.

As investigations continue and the fallout from the cyberattack on FNHA unfolds, affected individuals have been urged to remain vigilant, monitor their financial accounts, and report any suspicious activity promptly. While the FNHA endeavors to restore normalcy and bolster its cybersecurity posture, the First Nations Health Authority cyberattack is one of the latest in a string of cyberattacks on the healthcare industry.

CentroMed Data Breach Exposed 400,000 Patient Records

El Centro Del Barrio, operating as CentroMed, an integrated primary care clinic, has confirmed a recent cyberattack, marking its second breach in a year. The earlier breach, disclosed in August 2023, involved unauthorized access by the Karakurt threat group, but the data remained unreleased. In the current data breach, hackers infiltrated CentroMed's systems and gained access to the personal data of around 400,000 current and former patients. The CentroMed data breach raised concerns about the security of patient information and prompted the healthcare provider to take immediate action.

According to CentroMed's data breach notice, the breach was discovered on May 1, after unusual activity was detected in its information technology (IT) network. Upon this discovery, CentroMed swiftly initiated measures to secure its systems and launched an investigation into the matter. The preliminary investigation revealed that an unauthorized actor infiltrated its IT network on or around April 30 and accessed files containing sensitive information related to current and former patients.

Decoding the CentroMed Data Breach

The compromised data included patient names, addresses, dates of birth, Social Security numbers, financial account details, medical records, health insurance information, diagnosis and treatment data, as well as claims information. This breach posed significant risks to the privacy and security of individuals whose information was compromised. In response to the CentroMed cyberattack, the healthcare provider took several steps to mitigate the impact on affected individuals. CentroMed began notifying individuals whose information may have been compromised, starting on May 17. Additionally, a dedicated toll-free call center was established to address any questions or concerns from affected individuals. Expressing deep regret for the incident and the resulting concerns it may have caused, CentroMed assured the public that they were taking the matter seriously. To prevent similar incidents in the future, the healthcare provider stated that they had implemented additional safeguards and technical security measures to enhance the protection and monitoring of their systems.

Mitigation Against the Cyberattack on CentroMed

Individuals whose information may have been affected by the CentroMed data breach were advised to take proactive measures to safeguard their personal information. This included reviewing statements from healthcare providers for any unfamiliar services, monitoring financial account statements for suspicious activity, and promptly reporting any suspicious activity to their financial institutions. Furthermore, CentroMed provided additional guidance on steps individuals could take to protect their information, such as obtaining free credit reports and placing fraud alerts or security freezes on their credit files. They also offered specific instructions for parents or guardians concerned about their child's information security in light of the breach.

Kyivstar Cyberattack: Company Allocates $90 Million for Recovery Efforts

Ukraine's leading mobile operator, Kyivstar, is facing the aftermath of last year’s cyberattack. In December 2023, the telecom provider faced what its CEO described as the “biggest cyberattack on telecoms infrastructure in the world”, which left several operations down. CEO Oleksandr Komarov revealed the impact on Kyivstar's growth trajectory, stating, "Before the cyberattack, we were moving with an increase of 11%-12% quarter-on-quarter in 2023. The cyberattack ate up about 3% of annual growth." While specifics on the affected growth aspects were not provided, Komarov emphasized the significant setback faced by the company.

Kyivstar Cyberattack Update

According to Reuters, the $90 million allocation is earmarked for repairing infrastructure damage, fortifying the system against future breaches, and implementing a loyalty program for clients. Kyivstar, a subsidiary of Amsterdam-listed Veon, has 24.3 million mobile subscribers and over 1.1 million home internet subscribers, highlighting its significant presence in the Ukrainian telecommunications market.

The cyberattack on Kyivstar was not an isolated incident but rather part of a broader pattern of cyber aggression. According to Illia Vitiuk, the head of Ukraine's cybersecurity department, Russian hackers had infiltrated Kyivstar's infrastructure months before the December attack. The attack, attributed to the Russian state-controlled hacker group Sandworm, left a trail of destruction, wiping out crucial network functions and disrupting services for an extended period.

The Technical Details of the Kyivstar Cyberattack

Vitiuk's assessment suggests that the attackers may have gained full access to Kyivstar's network as early as November 2023, indicating a prolonged period of vulnerability. The attack's severity prompted concerns about potential data theft, interception of communications, and the compromise of sensitive information. While Kyivstar maintains that no personal or subscriber data was leaked, the incident highlights the grave cybersecurity risks faced by telecommunications operators. The attack's objectives, according to Vitiuk, extended beyond mere disruption, aiming to deliver a psychological blow and gather intelligence. He emphasized the attack's significance as a warning to the Western world, highlighting the escalating cyber threats posed by state-sponsored actors. Despite the challenges posed by the cyberattack, Kyivstar remains committed to restoring normalcy and strengthening its cybersecurity posture. The allocation of substantial resources highlights the company's determination to overcome the aftermath of the attack and safeguard its operations against future threats.

Comwave Networks Faces Alleged Cyberattack from Medusa Ransomware Group

The Medusa ransomware group has allegedly claimed a cyberattack on Comwave, a Canadian communications giant. The ransomware actors listed Comwave as their latest victim after a likely attack on May 18, which targeted critical information contained in the company's customer database. Comwave Networks Inc. claims to be the largest independent communications company in Canada and is known for providing internet, network security solutions, and customer support services. Based in the Toronto district of North York and run by president and CEO Yuval Barzakay, Comwave was established in 1999 and serves customers across Canada. The company also provides some wholesale services in the United States. In 2023, Comwave was acquired by Rogers Communications.
Medusa ransomware actors claimed to have infiltrated Comwave's systems and exfiltrated nearly 274.8 gigabytes of sensitive data.

Comwave Cyberattack Allegedly Targets Sensitive Data

Among the information exfiltrated are scanned copies of various personal documents, likely belonging to its customers, such as driving licenses, birth certificates, identity cards, passports, invoices, screenshots of email correspondence, and an internal Excel database. The Medusa ransomware group has issued a deadline, giving Comwave nine days to comply with their demands, failing which they threatened to publicly release the compromised data.

The severity of the situation cannot be overstated, with implications reaching far beyond Comwave Networks Inc. itself. As Comwave is a leading player in Canada's telecommunications sector, the cyberattack potentially impacts hundreds of thousands of users in 1,100 Canadian and 1,600 U.S. cities that use its services. The Cyber Express has tried reaching out to the organization to learn more about this Comwave Networks cyberattack. However, due to communication issues, contact was not possible, leaving the claims for the Comwave Networks cyberattack unverified.

Who is the Medusa Ransomware Group?

The operational status of Comwave's website appears unaffected, suggesting that the attack may have targeted backend systems rather than launching a frontal assault. This modus operandi aligns with Medusa's established tactics, which often involve exploiting vulnerable Remote Desktop Protocol (RDP) services and deploying deceptive phishing campaigns. By utilizing PowerShell for command execution and systematically erasing shadow copy backups, Medusa disrupts data restoration efforts, leaving victims in a precarious position.

The Medusa ransomware, which first emerged in June 2021, has grown increasingly audacious over time. Its latest iteration, marked by the creation of the "Medusa Blog," serves as a repository for data leaked from non-compliant victims. Operating within the dark recesses of the internet, Medusa's TOR website serves as a grim reminder of the far-reaching consequences of cybercrime.

As organizations grapple with the fallout from cyberattacks like the one targeting Comwave Networks Inc., it becomes imperative to remain vigilant and implement stringent security measures. Detecting and mitigating the threat posed by Medusa and similar ransomware strains requires a concerted effort, one that extends beyond individual companies to encompass collaborative industry-wide initiatives.
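One way to hunt for the shadow-copy deletion described above in process-creation logs, as an added example that is not from The Cyber Express or any vendor. The patterns are widely documented ways of deleting Volume Shadow Copies rather than commands the article attributes to Medusa, and the event tuples, host names and helper names are constructed for illustration.

```python
import base64
import re

# Widely documented shadow-copy deletion commands. Assumption: the article
# names no specific commands, so these are generic patterns, not Medusa IoCs.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I | re.S)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I | re.S)),
    ("PowerShell Win32_ShadowCopy removal",
     re.compile(r"win32_shadowcopy.*(?:\.delete\s*\(|remove-wmiobject|remove-ciminstance)",
                re.I | re.S)),
]

# A flag beginning with "e" followed by a long base64-looking token.
ENC_FLAG = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)
IS_POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)


def decode_encoded_commands(command_line):
    """Return scripts hidden behind PowerShell -EncodedCommand (base64 of UTF-16LE)."""
    if not IS_POWERSHELL.search(command_line):
        return []
    scripts = []
    for flag, blob in ENC_FLAG.findall(command_line):
        flag = flag.lower()
        # Accept -EncodedCommand, its prefixes (-e, -enc, ...) and the -ec alias;
        # this also skips other "e" flags such as -ExecutionPolicy.
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue
        try:
            scripts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except ValueError:  # bad base64 or bytes that are not UTF-16LE
            continue
    return scripts


def detect(events):
    """Scan (host, parent, command_line) events; return (host, parent, rule, was_encoded)."""
    findings = []
    for host, parent, command_line in events:
        texts = [(command_line, False)]
        texts += [(script, True) for script in decode_encoded_commands(command_line)]
        seen = set()
        for text, was_encoded in texts:
            for name, pattern in RULES:
                if name not in seen and pattern.search(text):
                    seen.add(name)
                    findings.append((host, parent, name, was_encoded))
    return findings


# Constructed sample data: not taken from any real incident.
SAMPLE_SCRIPT = "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ("WS-014", "cmd.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("WS-014", "powershell.exe",
     "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc " + SAMPLE_ENCODED),
    ("SRV-BKP", "services.exe", "vssadmin list shadows"),          # benign listing
    ("WS-022", "explorer.exe", "wmic shadowcopy delete /nointeractive"),
    ("WS-030", "powershell.exe", "powershell.exe -Command Get-ChildItem C:\\Users"),
]

if __name__ == "__main__":
    for host, parent, rule, was_encoded in detect(SAMPLE_EVENTS):
        origin = "decoded -EncodedCommand" if was_encoded else "plain command line"
        print(f"{host}: {rule} (parent {parent}, {origin})")
```

Decoding the `-EncodedCommand` payload before matching matters because a plain substring search over the raw command line would miss the second event entirely.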

Kansas City Cyberattack Disrupts KC Scout Cameras, Impacts Crash Investigations and Services

Kansas City faced significant disruptions following a cyberattack, particularly affecting its crucial KC Scout camera system, which monitors Metro highways. The Kansas City cyberattack, occurring over the weekend of May 4, 2024, resulted in widespread system shutdowns, leaving various services offline for an extended period. As a consequence of the attack, the KC Scout camera system, maintained by the Missouri State Highway Patrol, suffered extensive downtime, potentially lasting for months. 

Kansas City Cyberattack Shuts Down Major Operations

This outage directly impacted crash investigations, as authorities relied heavily on the video footage captured by these cameras. Without this vital resource, the investigative process for accidents became considerably more challenging, particularly in cases with potential criminal implications. Furthermore, the broader implications of the cyberattack extended to essential city services, such as online bill payments and building permits, which remained unavailable nearly two weeks after the initial incident. Despite efforts to restore these services, the city faced logistical issues in bringing systems back online promptly. Kansas City Mayor Quinton Lucas acknowledged the challenges posed by the cyberattack, emphasizing the city's commitment to conducting a thorough investigation while striving to restore services efficiently. Despite the setbacks, essential services such as emergency response, wastewater treatment, and trash pickup remained operational, ensuring minimal disruption to residents' daily lives. "Last week, the city became aware of suspicious activity on our IT network. In response, we proactively shut down parts of the network to secure our systems. This proactive measure resulted in outages to certain operations but was necessary to help to protect the security and integrity of our systems — and to allow us to further our investigation into the cause and potential impact of the issue", said Lucas.

Cyberattack on Kansas City is Impacting Citizens

The impact of the cyberattack reverberated beyond administrative inconveniences, affecting individuals like Leia Sanders, whose car accident on May 10 highlighted the critical role of KC Scout cameras. Sanders, involved in a collision on Highway 71, discovered that the outage of the surveillance system hindered efforts to determine the accident's cause, leaving her without crucial evidence for insurance purposes, reported Fox 4 Kansas City.

“I had no time to do anything, there were cars on both sides of me. I just sat there and was like okay, this has to happen.

“After I figured out what was wrong with my car, I called the police department to ask about any cameras that would be on the interstate. They told me that the KC Scout cameras are down right now and there was no way that we could figure out where the tire had come from or anything like that,” Sanders said.

The prolonged downtime of the KC Scout cameras elicited frustration among residents and visitors alike, prompting questions about the delay in restoring critical infrastructure. With the timeline for service restoration extending into months, concerns regarding public safety and efficient accident response mechanisms loomed large. As authorities work tirelessly to address the aftermath of the cyberattack, residents are urged to remain patient and vigilant. Despite the challenges posed by the disruption, efforts to restore normalcy are underway, with a concerted focus on bolstering cybersecurity measures to prevent future incidents of this nature.

Amateur Radio Group Hit by Cyberattack, Key Database Offline

The American Radio Relay League (ARRL), the preeminent national association for amateur radio enthusiasts in the United States, has confirmed that it has been the target of a significant cyberattack. In an official statement, ARRL detailed the scope of the cyberattack.

"We are in the process of responding to a serious incident involving access to our network and headquarters-based systems."

This cyberattack on ARRL has affected multiple network systems and several of ARRL's vital online services.

Cyberattack on ARRL: What is Affected?

Foremost among the compromised services is the "Logbook of The World" (LoTW) internet database. This platform is crucial for amateur radio operators, allowing them to record and verify successful contacts (QSOs) with fellow operators globally. The LoTW's functionality as a digital logbook and a user confirmation system is central to the operations of many enthusiasts who rely on its integrity for maintaining accurate records. "Several services, such as Logbook of The World® and the ARRL Learning Center, are affected. Please know that restoring access is our highest priority, and we are expeditiously working with outside industry experts to address the issue. We appreciate your patience," the official statement read. The ARRL's importance to the amateur radio community cannot be overstated. As the national amateur radio organization, it provides crucial technical assistance, advocates for regulatory considerations, and organizes educational and networking opportunities for its members. The ARRL cyberattack thus has a broad impact, affecting not just the organization but the wider community of amateur radio operators who depend on ARRL’s services for their activities and growth.

Reassurances on Data Security

In a follow-up update, ARRL addressed growing concerns from its members about the potential compromise of personal information. Officials reassured members that no social security numbers or credit card information are stored on their systems. "Some members have asked whether their personal information has been compromised in some way. ARRL does not store credit card information anywhere on our systems, and we do not collect social security numbers. Our member database only contains publicly available information like name, address, and call sign along with ARRL-specific data like email preferences and membership dates," the update clarified.

Despite these reassurances, the organization acknowledged that its member database includes sensitive information such as call signs and addresses. While email addresses are necessary for membership and are part of the stored data, it remains unclear to what extent this information might have been accessed or exploited in the cyberattack on the American Radio Relay League. The exact nature of the cyber incident, whether it was a ransomware attack or another form of cybersecurity breach, has not been confirmed by ARRL. The situation remains dynamic, with ARRL collaborating with external cybersecurity experts to mitigate the impact and restore full functionality to their services.

The response from the amateur radio community has been mixed, with many expressing support and patience, while others have voiced concerns over data security and the potential long-term effects on ARRL’s operations. This incident also serves as a reminder of the vulnerabilities inherent in digital transformation. As organizations increasingly rely on online platforms for critical services, enhanced cybersecurity measures become indispensable. The ARRL’s experience could prompt other associations and similar entities to re-evaluate their cybersecurity postures and adopt more stringent safeguards.

For now, the amateur radio community remains in a state of cautious optimism. The expertise and dedication of ARRL’s team, combined with external support, provide hope that the affected services will be restored soon. The Cyber Express Team has reached out to ARRL for further comments and updates on the situation. However, as of now, no response has been received. As the story develops, the amateur radio community and cybersecurity experts alike await more detailed information on the nature and extent of the breach, and the steps being taken to safeguard against future incidents.

Unverified Claims of Cyberattack on Hamburg Airport Surface Amid Cybersecurity Concerns

The Just Evil/Killmilk hacker group has claimed the Hamburg Airport cyberattack, asserting access to certain parts of the airport's premises. The claim, posted in cryptic messages on social media platforms, suggests a breach of security protocols with detailed descriptions of airport locations and systems. The post, which includes snippets of code and references to specific areas within the airport, has raised concerns about the vulnerability of critical infrastructure to cyber threats. However, as of now, there has been no official confirmation or response from Hamburg Airport authorities regarding the alleged cyberattack.

Unverified Hamburg Airport Cyberattack Claims

The Cyber Express reached out to the airport authorities for clarification on the alleged cyberattack on Hamburg Airport. However, at the time of writing, no official statement or response has been received. This lack of response leaves the claims of a cyberattack on Hamburg Airport unverified at present. While the airport's website appears to be functioning normally, with no visible signs of disruption, the possibility of a targeted cyberattack on the backend systems cannot be ruled out. If indeed an attack occurred, it may have been limited in scope or duration, as indicated by similar attacks in the past.

Adding to the intrigue surrounding these claims is the background of the individual behind Just Evil/Killmilk. Identified as Nikolai Serafimov, a 30-year-old Russian citizen, he is purportedly the leader of the infamous hacktivist group Killnet. Serafimov's past involvement in criminal activities, including narcotics-related offenses and a stint in a Russian prison, adds a layer of complexity to the situation.

Who is the Killnet Hacker Group?

On August 1, 2022, "Killmilk" and its founder launched a cyber-attack on Lockheed Martin, citing retaliation for the U.S. supplying HIMARS systems to Ukraine. Accusing Lockheed Martin of sponsoring terrorism, the group targeted production systems and employee information. This marked a shift from their previous tactics of Distributed Denial-of-Service (DDoS) attacks. Led by Serafimov, Killmilk had been involved in various cyber activities, including operating "Black Listing," a DDoS-for-pay platform. Serafimov introduced "Black Skills," a Private Military Hacking Company, indicating the increasing threat of cyber warfare by non-state actors. The emergence of new tactics and entities like "Black Skills" highlights the new threat actor and its firm intent to create cyber conflict.

This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this story once we have more information on the alleged Hamburg Airport cyberattack or any official confirmation from the authorities.

Ascension Faces Multiple Lawsuits Following Ransomware Attack

Following the recent Ascension ransomware attack, legal challenges are mounting for the healthcare giant. Just days after the cyberattack disrupted operations across its extensive network of 140 hospitals, Ascension is facing two proposed class-action lawsuits. The lawsuits, filed in the District Courts of Illinois and Texas, allege negligence on Ascension's part, citing the failure to encrypt patient data as a critical oversight. This, plaintiffs argue, has exposed them to the risk of identity theft for years to come, following the Ascension cyberattack that forced the diversion of ambulances and the suspension of elective care services.

Class-Action Lawsuit Arises from Ascension Ransomware Attack

While Ascension has not confirmed any compromise of patient data, investigations are ongoing. Plaintiffs contend that had proper encryption measures been in place, data stolen by the cybercriminal group Black Basta would have been rendered useless, highlighting the negligence they claim Ascension displayed.

"We are conducting a thorough investigation of the incident with the support of leading cybersecurity experts and law enforcement," an Ascension spokesperson stated. "If we determine sensitive data was potentially exfiltrated or accessed, we will notify and support the affected individuals in accordance with all relevant regulatory and legal obligations", reported Healthcare Dive on Thursday.

The lawsuits, filed shortly after the Ascension ransomware attack, target the healthcare provider's alleged failure to implement adequate cybersecurity measures, which plaintiffs argue could have prevented the incident. Both cases, represented by the same legal counsel, highlight the harm suffered by patients due to the exposure of their private information, which they assert was foreseeable and preventable.

Ascension Lawsuit and Mitigation Tactics

Despite ongoing investigations and assurances of cooperation with authorities, Ascension has yet to disclose whether patients' sensitive information was compromised during the cyber incident. “Ascension continues to make progress towards restoration and recovery following the recent ransomware attack. We continue to work with industry leading forensic experts from Mandiant to conduct our investigation into this attack and understand the root cause and how this incident occurred”, stated Ascension on its Cybersecurity Event Update page. In parallel, additional cybersecurity experts from Palo Alto Networks Unit 42 and CYPFER have been brought in to supplement the rebuilding and restoration efforts. The focus is on safely and swiftly bringing systems back online. “We are also working on reconnecting with our vendors with the help of our recovery experts. Please be aware that it may still take some time to return to normal operations”, added Ascension. The Catholic health system, which spans 140 hospitals and 40 senior living facilities nationwide, employs a workforce of approximately 132,000 individuals. Despite the financial strain imposed by the Ascension ransomware attack, industry analysts note Ascension's robust liquidity and leverage position, offering a significant rating cushion against such one-off events.

Nissan Cybersecurity Incident Update: 53,000 Employees Affected

Following the massive Nissan data breach from November last year that exposed the Social Security numbers of thousands of former and current employees, the Japanese automaker has shared new updates on the cybersecurity incident.  In a new letter sent on May 15, 2024, Nissan shared details of the cyberattack, stating the incident has affected Nissan North America. The letter disclosed that a threat actor targeted the company's virtual private network, demanding payment. Nissan has not confirmed whether it acquiesced to the ransom demands.

Nissan Data Breach Update: 53,000 Employees Affected

Upon discovering the Nissan data breach, the Japanese automaker notified law enforcement and engaged cybersecurity experts to contain and neutralize the threat. The company also conducted an internal investigation, informing employees during a town hall meeting held in December 2023, a month after the Nissan cyberattack. To mitigate potential harm, Nissan is offering complimentary identity theft protection services for two years to those impacted by the breach. The company's positive response to safeguarding employee privacy is highlighted by these proactive measures. The official communication emphasized Nissan's dedication to reinforcing its security infrastructure and practices. Following the incident, the company has implemented additional security measures and enlisted cybersecurity specialists to conduct a thorough review, ensuring enhanced protection against future threats. Despite the Nissan breach, the automotive maker has not detected any instances of fraud or identity theft resulting from the incident. Nonetheless, as a precautionary measure, affected individuals are urged to take advantage of the complimentary credit monitoring services provided by Experian IdentityWorks.

No Identity Fraud Detected

“This is in addition to the employee benefit you may have elected with Nissan. These complimentary credit services are being provided to you for 24 months from the date of enrollment. Finally, Nissan is providing you with proactive fraud assistance to help with any questions you might have or if you become a victim of fraud. These services are provided by Experian, a company specializing in fraud assistance and remediation services,” said Nissan. To activate the identity protection service, recipients are instructed to enroll by a specified deadline and utilize the provided activation code. Additionally, individuals are encouraged to remain vigilant against potential fraud by monitoring their credit reports and promptly reporting any suspicious activity. Recipients are assured of assistance for 90 days from the letter's date in enrolling for the complimentary credit monitoring services. They are encouraged to contact the dedicated helpline at 833-931-6266, with the engagement number B120412 ready for reference. Nissan highlights its commitment to employee welfare and the seriousness with which it regards the protection of personal information, expressing regret for any inconvenience caused by the incident. The letter concludes with signatures from Leon Martinez, Vice President of Human Resources, and William Orange, Vice President of IS/IT and Chief Information Officer.

DragonForce Cyberattack Strikes Again: Malone & Co and Watt Carmichael Added as Victims

The notorious DragonForce ransomware group has expanded its list of victims, adding two new names to its dark web portal: Malone & Co and Watt Carmichael. In a dark web post on its platform, the threat actor boasted about its latest conquests. The first victim, Malone & Co, a prominent accounting firm based in Ireland, seemed to have fallen prey to the DragonForce cyberattack. The post provided details about the company's services and location, indicating a breach of sensitive information. Similarly, Watt Carmichael, a reputable investment management firm in Toronto, Canada, found itself ensnared in a similar situation by the DragonForce ransomware attack. However, despite the group's claims, both cyberattacks are unverified.

DragonForce Cyberattack Targets Two New Victims

The Cyber Express has reached out to both organizations to learn more about this alleged DragonForce cyberattack. However, at the time of writing this, no official statement or response has been shared, leaving the claims for the DragonForce ransomware attack unverified. Interestingly, both victims' websites remain operational, showing no immediate signs of the cyberattacks. This discrepancy adds another layer of mystery to the unfolding situation. Moreover, along with the cyberattack post, the DragonForce ransomware group stated that it had access to 15.34 GB of data associated with Malone & Co. The hacker group has shared a deadline of 16 days before the data gets published. As for the second alleged victim, Watt Carmichael, the hacker group claims access to 27.3 GB of data, and no ransom deadline was shared. The threat actor, DragonForce, has used the same modus operandi to target similar victims in the past.

Who is the DragonForce Ransomware Group?

DragonForce, a hacktivist group hailing from Malaysia, is infamous for its relentless cyberattacks on government institutions and commercial entities, primarily in India. Their targets extend beyond geographical borders, with a particular focus on websites affiliated with Israel while advocating for pro-Palestinian causes. Utilizing a variety of tactics such as defacement attacks, distributed denial-of-service (DDoS) attacks, and data leaks, DragonForce demonstrates a high level of adaptability and sophistication in their operations. This versatility has enabled them to evolve their strategies over time, staying one step ahead of their adversaries. Embracing their role as vigilantes for the people, DragonForce Malaysia boldly proclaims its mission on various online platforms, including social media giants like Facebook, YouTube, and X (formerly Twitter). Through these channels, they amplify their voice, connecting with like-minded individuals and fostering a sense of community among Malaysian cybersecurity enthusiasts. Central to DragonForce's ideology is their staunch advocacy for the Palestinian cause. Their actions speak volumes, from high-profile hacks targeting Israeli networks to broadcasting messages of solidarity through unconventional mediums like TikTok. Despite their formidable capabilities, DragonForce does not operate in isolation. Collaborative efforts with other local hacker threat groups have been reported, highlighting the interconnected nature of the hacktivist groups.

Christie’s Auction Website Hacked Just Before Major Sales

By: Alan J
13 May 2024 at 06:27

Just days before its highly anticipated spring art auctions, Christie's, the renowned auction house, had fallen victim to a cyberattack, taking its website offline and raising concerns about the security of client data. The Christie's auction house cyberattack has sent shockwaves through the art world, with collectors, advisers, and dealers scrambling to adapt to the sudden disruption. Christie's is a British auction house founded in 1766 by James Christie, offering around 350 different auctions annually in over 80 categories, such as decorative and fine arts, jewelry, photographs, collectibles, and wine. The auction house has a global presence in 46 countries, with 10 salerooms worldwide, including London, New York, Paris, Geneva, Amsterdam, Hong Kong, and Shanghai. The company provided a temporary webpage after its official website was taken down and later notified that the auctions would proceed despite the setbacks caused by the cyberattack.

Christie’s Auction House Cyberattack Occurs Ahead of Major Auctions

The cyberattack came at an inopportune time for Christie's, with several high-stakes auctions estimated at around $850 million in worth scheduled to take place in New York and Geneva. Art adviser Todd Levin highlighted the significance of the timing, expressing concern that the cyberattack was happening during a pivotal moment before the spring sales when buyers confirm their interest in artworks. He raised a pressing question: "How can potential bidders access the catalog?" The auctions will include works by Warhol, Basquiat, and Claude Monet, and pieces from the Rosa de la Cruz Collection, that are expected to generate hundreds of millions of dollars in revenue. Christie's website was taken offline following the hack which affected some of its systems. Despite the setback, Christie's has assured clients that the auctions will proceed as planned, with bidders able to participate in person, by phone, or through Christie's Live platform. Despite the hack, Christie's CEO Guillaume Cerutti assured clients that all eight live auctions in New York and Geneva would proceed as scheduled, with the exception of the Rare Watches sale, which was postponed to May 14th. In a statement, Cerutti elaborated: "I want to assure you that we are managing this incident according to our well-established protocols and practices, with the support of additional experts. This included, among other things, the proactive protection of our main website by taking it offline."

Growing Cybersecurity Concerns in the Art World

The incident is a sobering reminder of the increasing threat of cyberattacks in the art world. In recent years, several museums and art market platforms have fallen victim to hacking, highlighting the need for vigilance in protecting sensitive client information amid sluggish sales. Earlier in January, a service provider managing the online collections of several prominent museums was targeted, affecting institutions like The Museum of Fine Arts in Boston, the Rubin Museum of Art in New York, and the Crystal Bridges Museum of American Art. In 2023, another Christie's security incident came to light when the auction house was found to be inadvertently exposing the GPS location and coordinates of several art pieces purchased by some of the world’s biggest and wealthiest collectors, revealing their exact whereabouts. In 2017, hackers employed an email scam to intercept payments between dealers and clients, siphoning sums ranging from £10,000 to £1 million. These incidents underscore the art world's vulnerability to similar threats. As the market becomes increasingly digital, auction houses and museums must take proactive steps to invest in stronger defenses against a rapidly evolving cyber threat landscape and the risks it may pose to the art industry.

Australia Faces Unprecedented Cyber Threats Amid Support for Ukraine

Following Australia's vocal support for Ukraine, the nation finds itself targeted by a Cyber Army Russia Reborn cyberattack. The recent alleged Distributed Denial of Service (DDoS) attacks hit Australian entities, including two prominent organizations in Australia: Auditco and Wavcabs. The DDoS attacks, orchestrated by Cyber Army Russia Reborn, seem to be a response to Australia's solidarity with Ukraine. While the precise motives behind these attacks remain unclear, the timing suggests a correlation between Australia's stance and the cyber onslaught.

Cyber Army Russia Reborn Cyberattack Targets Australia

Wavcabs, a transportation service, and Auditco, an auditing company, were among the targets of these Cyber Army Russia Reborn cyberattacks. Wavcabs' online services were disrupted, with users encountering connection timeouts when attempting to access the website. Similarly, Auditco faced technical difficulties, as indicated by error code 522 on their site earlier. The Cyber Express has reached out to both organizations to learn more about this Cyber Army Russia Reborn cyberattack. Despite the severity of these cyber incidents, both Wavcabs and Auditco have not issued official statements regarding the attacks. The lack of response leaves the claims of Cyber Army Russia Reborn's involvement unverified, highlighting the complexity of attributing cyberattacks to specific actors.

Australia's Support for Ukraine

These assaults on Australian companies occur as the nation reaffirms its support for Ukraine. The Albanese Government's commitment to aiding Ukraine was recently reinforced with a $100 million assistance package. Deputy Prime Minister and Minister for Defence, Richard Marles, revealed the assistance during a visit to Ukraine, where he witnessed firsthand the impact of Russia's aggression. Australia's $100 million aid package to Ukraine includes $50 million for military assistance, prioritizing Australian defense industry support for uncrewed aerial systems and essential equipment. Another $50 million is designated for short-range air defense systems, alongside the provision of air-to-ground precision munitions. Amidst ongoing cyberattacks on Australia, the nation’s unwavering support for Ukraine highlights the complexities of modern warfare and the critical need for cybersecurity measures. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on these cyberattacks on Australian companies or any official confirmation from the listed organizations.

State Actor Made Three Attempts to Breach B.C. Government Networks

A state or state-sponsored actor orchestrated the "sophisticated" cyberattacks against the British Columbia government networks, revealed the head of B.C.’s public service on Friday. Shannon Salter, deputy minister to the premier, disclosed to the press that the threat actor made three separate attempts over the past month to breach government systems and that the government was aware of the breach, at the time, before finally making it public on May 8. Premier David Eby first announced that multiple cybersecurity incidents were observed on government networks on Wednesday, adding that the Canadian Centre for Cyber Security (CCCS) and other agencies were involved in the investigation. Salter in her Friday technical briefing refrained from confirming if the hack was related to last month’s security breach of Microsoft’s systems, which was attributed to Russian state-backed hackers and resulted in the disclosure of email correspondence between U.S. government agencies. However, she reiterated Eby's comments that there's no evidence suggesting sensitive personal information was compromised.

British Columbia Cyberattacks' Timeline

The B.C. government first detected a potential cyberattack on April 10. Government security experts initiated an investigation and confirmed the cyberattack on April 11. The incident was then reported to the Canadian Centre for Cyber Security, a federal agency, which engaged Microsoft’s Diagnostics and Recovery Toolset (DaRT) due to the sophistication of the attack, according to Salter. Premier David Eby was briefed about the cyberattack on April 17. On April 29, government cybersecurity experts discovered evidence of another hacking attempt by the same “threat actor,” Salter said. The same day, provincial employees were instructed to immediately change their passwords to ones 14 characters long. B.C.’s Office of the Chief Information Officer (OCIO) described it as part of the government's routine security updates. Considering the ongoing nature of the investigation, the OCIO did not confirm if the password reset was actually linked to the British Columbia government cyberattack but said, "Our office has been in contact with government about these incidents, and that they have committed to keeping us informed as more information and analysis becomes available."

Another cyberattack was identified on May 6, with Salter saying the same threat actor was responsible for all three incidents.

The cyberattacks were not disclosed to the public until Wednesday late evening when people were busy watching an ice hockey game, prompting accusations from B.C. United MLAs that the government was attempting to conceal the attack.

“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?” the Opposition MLA Todd Stone asked. Salter clarified that the cybersecurity centre advised against public disclosure to prevent other hackers from exploiting vulnerabilities in government networks. She revealed three separate cybersecurity incidents, all involving efforts by the hackers to conceal their activities. Following a briefing of the B.C. NDP cabinet on May 8, the cyber centre concurred that the public could be notified. Salter said that over 40 terabytes of data was being analyzed but she did not specify if the hackers targeted specific areas of government records such as health data, auto insurance or social services. The province stores the personal data of millions of British Columbians, including social insurance numbers, addresses and phone numbers. Public Safety Minister and Solicitor General Mike Farnworth told reporters Friday that no ransom demands were received, making the motivation behind the multiple cyberattacks unclear.

Farnworth said that the CCCS believes a state-sponsored actor is behind the attack based on the sophistication of the attempted breaches.

"Being able to do what we are seeing, and covering up their tracks, is the hallmarks of a state actor or a state-sponsored actor." - Farnworth

Government sources told CTV News that various government ministries and agencies, and their respective websites, networks and servers, face approximately 1.5 billion “unauthorized access” or hacking attempts daily. The number has increased over the last few years and is the reason why the province budgets millions of dollars per year for cybersecurity. Salter confirmed the government spends more than $25 million a year to fortify its defenses and added that previous investments in B.C.'s cybersecurity infrastructure helped detect the multiple attacks last month. Microsoft last month alerted several U.S. federal agencies that Russia-backed hackers might have pilfered emails sent by the company to those agencies, including sensitive information like usernames and passwords. However, Salter did not confirm if Russian-backed hackers are associated with the B.C. security breach.

New Attack Against Self-Driving Car AI

10 May 2024 at 12:01

This is another attack that convinces the AI to ignore road signs:

Due to the way CMOS cameras operate, rapidly changing light from fast flashing diodes can be used to vary the color. For example, the shade of red on a stop sign could look different on each line depending on the time between the diode flash and the line capture.

The result is the camera capturing an image full of lines that don’t quite match each other. The information is cropped and sent to the classifier, usually based on deep neural networks, for interpretation. Because it’s full of lines that don’t match, the classifier doesn’t recognize the image as a traffic sign.

So far, all of this has been demonstrated before.

Yet these researchers not only executed on the distortion of light, they did it repeatedly, elongating the length of the interference. This meant an unrecognizable image wasn’t just a single anomaly among many accurate images, but rather a constant unrecognizable image the classifier couldn’t assess, and a serious security concern.

[…]

The researchers developed two versions of a stable attack. The first was GhostStripe1, which is not targeted and does not require access to the vehicle, we’re told. It employs a vehicle tracker to monitor the victim’s real-time location and dynamically adjust the LED flickering accordingly.

GhostStripe2 is targeted and does require access to the vehicle, which could perhaps be covertly done by a hacker while the vehicle is undergoing maintenance. It involves placing a transducer on the power wire of the camera to detect framing moments and refine timing control.

Research paper.

British Columbia Discloses Multiple ‘Cybersecurity Incidents’ Impacting Government Networks

British Columbia in Canada has faced multiple "sophisticated cybersecurity incidents" on government networks, the province's premier said this week. Premier David Eby emphasized that there is presently no evidence of compromised sensitive information and that investigations are ongoing, with further efforts required to ascertain potential data access, as per his Wednesday statement. While the attack's specific nature remains unclear, its labeling as "sophisticated" and its involvement with government networks fuel theories of espionage by a state-sponsored actor seeking political intelligence. “I know the public will have many questions about these incidents, and we will be as transparent as we can without compromising the investigation. As this complex work proceeds, government will provide British Columbians with updates and information as we are able,” Eby said. The provincial government's investigation involves the Canadian Centre for Cyber Security and other agencies, with the Office of the Information and Privacy Commissioner duly informed. Neither of the agencies immediately responded to The Cyber Express’ request for a comment.

Opposition’s Spar in the House

B.C.'s political adversaries engaged in heated debate during the question period on Thursday morning, a day after the province disclosed the multiple cybersecurity incidents within its networks. British Columbia United MLA Todd Stone criticized the government, alleging it "concealed a massive cyberattack on the provincial government for eight days." Stone’s accusations came against the backdrop of a memo from The Office of the Chief Information Officer that directed all provincial employees to immediately change passwords. "British Columbians are rightly concerned about their sensitive information, questioning whether it has been compromised by a foreign, state-sponsored cyberattack. So, I ask the premier today: Will he reveal who was responsible for this attack?" Stone demanded. Stone pointed out the timing of Eby's Wednesday statement, suggesting it was issued discreetly "while everyone was preoccupied with last night’s Canucks game."
“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?” the Opposition MLA asked.
In response to BC United's criticisms, Public Safety Minister Mike Farnworth accused Stone of "playing politics." “We take our advice from the Canadian Cyber Security Service, who deal with these kinds of things on an ongoing basis. That’s who we will take the advice from in terms of protecting public information, every single time. We will never take advice from the opposition — all they ever want to do is play politics,” Farnworth retorted amid uproar in the House.
“When an incident like this happens, the first thing that happens is the protection of the system, honourable speaker. The protection of the information that’s done by technical experts, honourable speaker, who work on the advice of the Canadian Cyber Security System,” Farnworth explained.
“And, honourable speaker, the reason they do that is because if you go out and give information before that’s done, you actually end up compromising people’s information, potentially.”

Multiple Cybersecurity Incidents Rock B.C. in Last Few Weeks

The latest revelation of cyberattacks on government networks comes on the heels of a string of cyberattacks that the westernmost province in Canada is facing. B.C.-headquartered retail and pharmacy chain London Drugs announced on April 28 the closure of its stores across Western Canada after falling victim to a cybersecurity incident. The impact was such that the chain was forced to take even its phones offline, and pharmacies could only satisfy “urgent” needs of patients on-site. Addressing reporters later Thursday afternoon, Farnworth clarified that there was no evidence linking the multiple cybersecurity incidents targeting the province's networks to the event that led to the closure of London Drugs locations in the west for several days. "At present, we lack any information suggesting a connection. Once an incident is detected, technical security teams work swiftly to secure the system and ensure its integrity, while closely coordinating with the Canadian Cyber Security Service to address the situation," he explained. "While a comprehensive investigation involving multiple agencies is ongoing, we currently have no indication of any link to the London Drugs incident." The same day as the London Drugs cyberattack came to light, another western province entity, BC Libraries, reported a cybersecurity incident in which a hacker attempted to extort payment for data exfiltrated from its newly commissioned server and threatened to release that data publicly if no payment was received.

China’s Involved?

This development follows an official inquiry in Canada, revealing unsuccessful Chinese attempts to interfere in past elections. Beijing has refuted these allegations. The Canadian Security Intelligence Service (CSIS) recently published an annual report, warning of ongoing Chinese interference in Canadian political affairs, risking democratic integrity.
“Canada’s strong democratic institutions, advanced economy, innovative research sectors, and leading academic institutions make Canada an attractive target for cyber-enabled espionage, sabotage, and foreign influenced activities, all of which pose significant threats to Canada’s national security,” the report said.
The report identified China as a state-based threat conducting widespread cyber espionage across various sectors, including government, academia, private industry, and civil society organizations.

Cyberattack Paralyzes 4 Quebec CEGEPs: Classes and Exams Cancelled

A recent Cégep de Lanaudière cyberattack has paralyzed the education system, causing classes to grind to a halt and prompting exam cancellations, affecting around 7,000 students. The assailant, targeting the college network's servers, rendered Omnivox inaccessible – the primary digital platform for both faculty and student communication. Students logging into Omnivox were met with a disconcerting sight: a flood of images, some of them highly inappropriate. The affected CEGEPs – Lanaudière, L'Assomption, Joliette, and Formation Continue - remain suspended as cybersecurity experts mitigate the cyberattack on Cégep de Lanaudière.

Decoding the Cégep de Lanaudière Cyberattack 

In a Sunday communication to students and staff, college management emphasized the need for external cybersecurity expertise to investigate the attack's origins and, if feasible, patch the breach. "The investigation is ongoing. Data compromise is not a current concern," said Marilyn Sansregret, spokesperson for Cégep régional de Lanaudière, CBC reported. However, hopes for a swift resolution were dashed when students were informed on Tuesday evening that the class hiatus would extend until at least Friday. Sansregret affirmed that the IT department is working tirelessly to reinforce the college's digital defenses, but it is too early to anticipate a return to normalcy. The Cyber Express has sought a response from Cégep de Lanaudière regarding the cyber attack. However, at the time of writing this, no official statement or response has been shared, leaving the identity of the threat actor unknown.

Cyberattacks on Education Institutions and Universities

Meanwhile, Academica Group weighed in on the crisis, highlighting the profound impact of the cyberattack. Cégep de Lanaudière temporarily closed its campuses in Joliette, L’Assomption, Terrebonne, and Repentigny as it grappled with the aftermath of the intrusion. While the full extent of the Cégep de Lanaudière cyberattack is unknown, a music school on the Joliette campus reported disruptions to essential services like lighting, heating, ventilation, and fire alarms. In a broader context, the surge in cyber assaults against educational institutions highlights the acute vulnerability of academic infrastructure to digital threats. Verizon's 2024 Data Breach Investigations Report reveals a staggering increase in attacks targeting the educational services sector. With ransomware emerging as a preeminent external threat and internal vulnerabilities compounding the security measures in education institutions, the need for preemptive cybersecurity measures cannot be overstated. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Cégep de Lanaudière cyberattack or any further information from the organization.

LockBit Ransomware Targets Wichita City Following Unmasking of Group Leader

Despite the major collaborative effort by law enforcement agencies resulting in the exposure and sanctioning of Dmitry Yuryevich Khoroshev, the Russian national thought to be at the helm of LockBit's widespread hacking operations, the hacker group shows no signs of ceasing its activities. LockBit has reportedly launched a cyberattack on Wichita, Kansas, targeting state government and various local entities. The news of the Wichita cyberattack emerged on LockBit's previously inactive platforms, which were reactivated after the shutdown of their official website.

Cyberattack on Wichita Post LockBit Leader Arrest

The Wichita cyberattack targeted the official website (wichita.gov), prompting concerns over the security of critical municipal systems. While the ransomware group has not yet released any compromised data, they have set a deadline of May 15, 2024, for its publication. The announcement by LockBit ransomware follows closely on the heels of an earlier notification by the city of Wichita regarding a ransomware attack on May 5, 2024, although the responsible ransomware gang was not initially disclosed. Wichita, the largest city in the state of Kansas, serves as the county seat of Sedgwick County and is a populous urban center in the region. The Cyber Express has reached out to the state government to learn more about this cyberattack on Wichita. At the time of writing this, no official statement or response has been received. The city of Wichita has, however, reported a ransomware attack that targeted various government and private organizations within the city.

Security Update from Wichita: Ransomware Group Remains Unnamed!

According to a press release by the city of Wichita, the recent posts from the state's Cyber Security Incident Update indicate ongoing efforts by the city's information technology department and security partners to address the cyberattack.

“Many City systems are down as security experts determine the source and extent of the incident. There is no timetable for when systems could be coming back online. We appreciate your patience as we work through this incident as quickly and as thoroughly as possible”, reads the official press release.

In the meantime, various city services and amenities have been impacted by the cyber incident, prompting adjustments to normal operations. Water systems remain secure and functional, with provisions in place for those experiencing difficulties paying bills or facing water shut-offs.

Transit services, city vendors, park and recreation facilities, licensing procedures, and municipal court operations have all been affected to varying degrees, necessitating alternative arrangements such as cash payments and in-person transactions. Similarly, services provided by cultural institutions, resource centers, planning departments, and housing and community services are also subject to modifications and delays as the city works to address the cyberattack. The city's airport and library services have experienced disruptions to Wi-Fi access and digital infrastructure, although essential operations continue with minimal impact on services provided to the public.

This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the cyberattack on Wichita or any new updates from the government.

New Attack on VPNs

7 May 2024 at 11:32

This attack has been feasible for over two decades:

Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.

TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.

[…]

The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself.
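A defensive check for the option 121 behaviour described above, as an added example that is not part of the original post: it decodes the option's route list (the RFC 3442 classless static route encoding) from a DHCP lease and reports pushed routes that longest-prefix matching would prefer over the VPN's tunnel route. The function names, sample bytes, addresses, and the assumption that the tunnel installs a `0.0.0.0/0` route are constructed for illustration.

```python
import ipaddress


def parse_option_121(data: bytes):
    """Decode an RFC 3442 classless static route list into (network, gateway) pairs."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]                      # prefix length in bits
        if width > 32:
            raise ValueError(f"prefix length {width} > 32 at offset {i}")
        n = (width + 7) // 8                 # only the significant octets are sent
        end = i + 1 + n + 4                  # descriptor + destination + 4-byte router
        if end > len(data):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)   # pad back to 4 octets
        network = ipaddress.IPv4Network((dest, width), strict=False)
        gateway = ipaddress.IPv4Address(data[i + 1 + n:end])
        routes.append((network, gateway))
        i = end
    return routes


def routes_bypassing_tunnel(pushed, tunnel_routes, local_nets=()):
    """Return (network, gateway, tunnel_route) for every pushed route that is
    strictly more specific than a tunnel route covering it. Such a route wins
    longest-prefix matching, so its traffic leaves outside the tunnel.
    Routes inside local_nets (the LAN itself) are treated as expected.
    Equal-length ties are decided by route metric and are not flagged here."""
    flagged = []
    for net, gw in pushed:
        if any(net.subnet_of(lan) for lan in local_nets):
            continue
        for tun in tunnel_routes:
            if net.prefixlen > tun.prefixlen and net.subnet_of(tun):
                flagged.append((net, gw, tun))
                break
    return flagged


# Constructed sample: option 121 payload as it might appear in a captured lease.
SAMPLE_OPTION_121 = bytes([
    24, 192, 168, 1,       0, 0, 0, 0,          # 192.168.1.0/24 on-link (the LAN)
    24, 198, 51, 100,      192, 168, 1, 1,      # 198.51.100.0/24 via 192.168.1.1
    25, 203, 0, 113, 128,  192, 168, 1, 1,      # 203.0.113.128/25 via 192.168.1.1
])

if __name__ == "__main__":
    tunnel = [ipaddress.IPv4Network("0.0.0.0/0")]      # assumed VPN default route
    lan = [ipaddress.IPv4Network("192.168.1.0/24")]    # assumed local subnet
    pushed = parse_option_121(SAMPLE_OPTION_121)
    for net, gw, tun in routes_bypassing_tunnel(pushed, tunnel, lan):
        print(f"ALERT: DHCP route {net} via {gw} overrides tunnel route {tun}")
```

Run against the option 121 bytes logged by the DHCP client on each lease; any alert on an untrusted network means some destinations are being routed around the tunnel.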

A Cyber Insurance Backstop

28 February 2024 at 07:02

In the first week of January, the pharmaceutical giant Merck quietly settled its years-long lawsuit over whether or not its property and casualty insurers would cover a $700 million claim filed after the devastating NotPetya cyberattack in 2017. The malware ultimately infected more than 40,000 of Merck’s computers, which significantly disrupted the company’s drug and vaccine production. After Merck filed its $700 million claim, the pharmaceutical giant’s insurers argued that they were not required to cover the malware’s damage because the cyberattack was widely attributed to the Russian government and therefore was excluded from standard property and casualty insurance coverage as a “hostile or warlike act.”

At the heart of the lawsuit was a crucial question: Who should pay for massive, state-sponsored cyberattacks that cause billions of dollars’ worth of damage?

One possible solution, touted by former Department of Homeland Security Secretary Michael Chertoff on a recent podcast, would be for the federal government to step in and help pay for these sorts of attacks by providing a cyber insurance backstop. A cyber insurance backstop would provide a means for insurers to receive financial support from the federal government in the event that there was a catastrophic cyberattack that caused so much financial damage that the insurers could not afford to cover all of it.

In his discussion of a potential backstop, Chertoff specifically references the Terrorism Risk Insurance Act (TRIA) as a model. TRIA was passed in 2002 to provide financial assistance to the insurers who were reeling from covering the costs of the Sept. 11, 2001, terrorist attacks. It also created the Terrorism Risk Insurance Program (TRIP), a public-private system of compensation for some terrorism insurance claims. The 9/11 attacks cost insurers and reinsurers $47 billion. It was one of the most expensive insured events in history and prompted many insurers to stop offering terrorism coverage, while others raised the premiums for such policies significantly, making them prohibitively expensive for many businesses. The government passed TRIA to provide support for insurers in the event of another terrorist attack, so that they would be willing to offer terrorism coverage again at reasonable rates. President Biden’s 2023 National Cybersecurity Strategy tasked the Treasury and Homeland Security Departments with investigating possible ways of implementing something similar for large cyberattacks.

There is a growing (and unsurprising) consensus among insurers in favor of the creation and implementation of a federal cyber insurance backstop. Like terrorist attacks, catastrophic cyberattacks are difficult for insurers to predict or model because there is not very good historical data about them—and even if there were, it’s not clear that past patterns of cyberattacks will dictate future ones. What’s more, cyberattacks could cost insurers astronomic sums of money, especially if all of their policyholders were simultaneously affected by the same attack. However, despite this consensus and the fact that this idea of the government acting as the “insurer of last resort” was first floated more than a decade ago, actually developing a sound, thorough proposal for a backstop has proved to be much more challenging than many insurers and policymakers anticipated.

One major point of issue is determining a threshold for what types of cyberattacks should trigger a backstop. Specific characteristics of cyberattacks—such as who perpetrated the attack, the motive behind it, and total damage it has caused—are often exceedingly difficult to determine. Therefore, even if policymakers could agree on what types of attacks they think the government should pay for based on these characteristics, they likely won’t be able to calculate which incursions actually qualify for assistance.

For instance, NotPetya is estimated to have caused more than $10 billion in damage worldwide, but the quantifiable amount of damage it actually did is unknown. The attack caused such a wide variety of disruptions in so many different industries, many of which likely went unreported since many companies had no incentive to publicize their security failings and were not required to do so. Observers do, however, have a pretty good idea who was behind the NotPetya attack because several governments, including the United States and the United Kingdom, issued coordinated statements blaming the Russian military. As for the motive behind NotPetya, the program was initially transmitted through Ukrainian accounting software, which suggests that it was intended to target Ukrainian critical infrastructure. But notably, this type of coordinated, consensus-based attribution to a specific government is relatively rare when it comes to cyberattacks. Future attacks are not likely to receive the same determination.

In the absence of a government backstop, the insurance industry has begun to carve out larger and larger exceptions to their standard cyber coverage. For example, in a pair of rulings against Merck’s insurers, judges in New Jersey ruled that the insurance exclusions for “hostile or warlike acts” (such as the one in Merck’s property policy that excluded coverage for “loss or damage caused by hostile or warlike action in time of peace or war … by any government or sovereign power”) were not sufficiently specific to encompass a cyberattack such as NotPetya that did not involve the use of traditional force.

Accordingly, insurers such as Lloyd’s have begun to change their policy language to explicitly exclude broad swaths of cyberattacks that are perpetrated by nation-states. In an August 2022 bulletin, Lloyd’s instructed its underwriters to exclude from all cyber insurance policies not just losses arising from war but also “losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.” Other insurers, such as Chubb, have tried to avoid tricky questions about attribution by suggesting a government response-based exclusion for war that only applies if a government responds to a cyberattack by authorizing the use of force. Chubb has also introduced explicit definitions for cyberattacks that pose a “systemic risk” or impact multiple entities simultaneously. But most of this language has not yet been tested by insurers trying to deny claims. No one, including the companies buying the policies with these exclusions written into them, really knows exactly which types of cyberattacks they exclude. It’s not clear what types of cyberattacks courts will recognize as being state-sponsored, or posing systemic risks, or significantly impairing the ability of a state to function. And for the policyholders whose insurance exclusions feature this sort of language, it matters a great deal how that language in their exclusions will be parsed and understood by courts adjudicating claim disputes.

These types of recent exclusions leave a large hole in companies’ coverage for cyber risks, placing even more pressure on the government to help. One of the reasons Chertoff gives for why the backstop is important is to help clarify for organizations what cyber risk-related costs they are and are not responsible for. That clarity will require very specific definitions of what types of cyberattacks the government will and will not pay for. And as the insurers know, it can be quite difficult to anticipate what the next catastrophic cyberattack will look like or how to craft a policy that will enable the government to pay only for a narrow slice of cyberattacks in a varied and unpredictable threat landscape. Get this wrong, and the government will end up writing some very large checks.

And in comparison to insurers’ coverage of terrorist attacks, large-scale cyberattacks are much more common and affect far more organizations, which makes it a far more costly risk that no one wants to take on. Organizations don’t want to—that’s why they buy insurance. Insurance companies don’t want to—that’s why they look to the government for assistance. But, so far, the U.S. government doesn’t want to take on the risk, either.

It is safe to assume, however, that regardless of whether a formal backstop is established, the federal government would step in and help pay for a sufficiently catastrophic cyberattack. If the electric grid went down nationwide, for instance, the U.S. government would certainly help cover the resulting costs. It’s possible to imagine any number of catastrophic scenarios in which an ad hoc backstop would be implemented hastily to help address massive costs and catastrophic damage, but that’s not primarily what insurers and their policyholders are looking for. They want some reassurance and clarity up front about what types of incidents the government will help pay for. But to provide that kind of promise in advance, the government likely would have to pair it with some security requirements, such as implementing multifactor authentication, strong encryption, or intrusion detection systems. Otherwise, they create a moral hazard problem, where companies may decide they can invest less in security knowing that the government will bail them out if they are the victims of a really expensive attack.

The U.S. government has been looking into the issue for a while, though, even before the 2023 National Cybersecurity Strategy was released. In 2022, for instance, the Federal Insurance Office in the Treasury Department published a Request for Comment on a “Potential Federal Insurance Response to Catastrophic Cyber Incidents.” The responses recommended a variety of different possible backstop models, ranging from expanding TRIP to encompass certain catastrophic cyber incidents, to creating a new structure similar to the National Flood Insurance Program that helps underwrite flood insurance, to trying a public-private partnership backstop model similar to the United Kingdom’s Pool Re program.

Many of these responses rightly noted that while it might eventually make sense to have some federal backstop, implementing such a program immediately might be premature. University of Edinburgh Professor Daniel Woods, for example, made a compelling case for why it was too soon to institute a backstop in Lawfare last year. Woods wrote,

One might argue similarly that a cyber insurance backstop would subsidize those companies whose security posture creates the potential for cyber catastrophe, such as the NotPetya attack that caused $10 billion in damage. Infection in this instance could have been prevented by basic cyber hygiene. Why should companies that do not employ basic cyber hygiene be subsidized by industry peers? The argument is even less clear for a taxpayer-funded subsidy.

The answer is to ensure that a backstop applies only to companies that follow basic cyber hygiene guidelines, or to insurers who require those hygiene measures of their policyholders. These are the types of controls many are familiar with: complicated passwords, app-based two-factor authentication, antivirus programs, and warning labels on emails. But this is easier said than done. To a surprising extent, it is difficult to know which security controls really work to improve companies’ cybersecurity. Scholars know what they think works: strong encryption, multifactor authentication, regular software updates, and automated backups. But there is not anywhere near as much empirical evidence as there ought to be about how effective these measures are in different implementations, or how much they reduce a company’s exposure to cyber risk.

This is largely due to companies’ reluctance to share detailed, quantitative information about cybersecurity incidents because any such information may be used to criticize their security posture or, even worse, as evidence for a government investigation or class-action lawsuit. And when insurers and regulators alike try to gather that data, they often run into legal roadblocks because these investigations are often run by lawyers who claim that the results are shielded by attorney-client privilege or work product doctrine. In some cases, companies don’t write down their findings at all to avoid the possibility of its being used against them in court. Without this data, it’s difficult for insurers to be confident that what they’re requiring of their policyholders will really work to improve those policyholders’ security and decrease their claims for cybersecurity-related incidents under their policies. Similarly, it’s hard for the federal government to be confident that they can impose requirements for a backstop that will actually raise the level of cybersecurity hygiene nationwide.

The key to managing cyber risks—both large and small—and designing a cyber backstop is determining what security practices can effectively mitigate the impact of these attacks. If there were data showing which controls work, insurers could then require that their policyholders use them, in the same way they require policyholders to install smoke detectors or burglar alarms. Similarly, if the government had better data about which security tools actually work, it could establish a backstop that applied only to victims who have used those tools as safeguards. The goal of this effort, of course, is to improve organizations’ overall cybersecurity in addition to providing financial assistance.

There are a number of ways this data could be collected. Insurers could do it through their claims databases and then aggregate that data across carriers to policymakers. They did this for car safety measures starting in the 1950s, when a group of insurance associations founded the Insurance Institute for Highway Safety. The government could use its increasing reporting authorities, for instance under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, to require that companies report data about cybersecurity incidents, including which countermeasures were in place and the root causes of the incidents. Or the government could establish an entirely new entity in the form of a Bureau for Cyber Statistics that would be devoted to collecting and analyzing this type of data.

Scholars and policymakers can’t design a cyber backstop until this data is collected and studied to determine what works best for cybersecurity. More broadly, organizations’ cybersecurity cannot improve until more is known about the threat landscape and the most effective tools for managing cyber risk.

If the cybersecurity community doesn’t pause to gather that data first, then it will never be able to meaningfully strengthen companies’ security postures against large-scale cyberattacks, and insurers and government officials will just keep passing the buck back and forth, while the victims are left to pay for those attacks themselves.

This essay was written with Josephine Wolff, and was originally published in Lawfare.
