A threat actor has reportedly taken responsibility for recent data breaches involving Ticketmaster and Santander Bank, claiming they stole data after hacking an employee account at Snowflake, a third-party cloud storage company. Snowflake, however, has shot down these breach claims, attributing the breaches to poor credential hygiene in customer accounts instead.

"To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product," the cloud storage giant said in a statement today.

Snowflake's AI Data Cloud platform serves more than 9,000 customers, including major companies such as Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others.

Alleged Snowflake Breach Details

According to cybersecurity firm Hudson Rock, the threat actor claims to have accessed data from additional high-profile companies using Snowflake's services, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts. The method described involved bypassing Okta's authentication by using stolen credentials to log into a Snowflake employee's ServiceNow account. From there, they allegedly generated session tokens to extract data from Snowflake customers. Hudson Rock reported that the threat actor claimed the breach affected up to 400 companies, showing evidence of access to over 2,000 customer instances related to Snowflake's Europe servers.

Extortion Attempt and Malware Involvement

The threat actor claimed to have attempted to extort Snowflake for $20 million to buy back the stolen data, but Snowflake did not respond. Hudson Rock noted that a Snowflake employee was infected with a Lumma-type Infostealer in October, which stole their corporate credentials. The malware infection was supported by screenshots shared by the threat actor.

Snowflake Responds

Snowflake has confirmed breaches of customer accounts but denied that any vulnerability or misconfiguration in its products was exploited. The cloud storage company stated that they observed unauthorized access to certain customer accounts , which they said is likely unrelated to any flaws in Snowflake's infrastructure.

"We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity.

Snowflake has notified the "limited" number of customers about these attacks and urged them to enhance their account security by enabling multi-factor authentication (MFA).

Tools and Indicators of Compromise

The company published a security bulletin containing Indicators of Compromise (IoCs), investigative queries, and guidance for securing affected accounts. One IoC indicates that the threat actors used a custom tool named "RapeFlake" to exfiltrate data from Snowflake's databases. Another showed the use of "DBeaver Ultimate" data management tools, with logs indicating connections from the "DBeaver_DBeaverUltimate" user agent. Snowflake also shared query to identify access from suspected clients and how to disable a suspected user. But this might not be enough. A very important step here is: "If you have enabled the ALLOW_ID_TOKEN parameter on your account, the user must be left in the disabled state for 6 hours to fully invalidate any possible unauthorized access via this ID token feature.  If the user is re-enabled before this time the attacker may be able to generate a new session using an existing ID token, even after the password has been reset or MFA has been enabled." While a threat actor claims to have breached Snowflake and accessed data from numerous high-profile companies, Snowflake maintains that these breaches resulted from compromised customer accounts rather than any inherent vulnerabilities in their systems. Snowflake continues to investigate the incidents and has taken steps to improve customer account security.

Researchers have uncovered new attacks by a North Korean advanced persistent threat actor – Andariel APT group – targeting Korean corporations and other organizations. The victims include educational institutions and companies in the manufacturing and construction sectors. The attackers employed keyloggers, infostealers, and proxy tools alongside backdoors to control and extract data from compromised systems, said researchers at the AhnLab Security Intelligence Center (ASEC). The malware used in these attacks includes strains previously attributed to the Andariel APT group, including the backdoor "Nestdoor." Additional tools include web shells and proxy tools linked to the North Korean Lazarus group that now contain modifications compared to earlier versions. Researchers first observed a confirmed attack case where a malware was distributed via a web server running an outdated 2013 version of Apache Tomcat, which is vulnerable to various attacks. "The threat actor used the web server to install backdoors, proxy tools, etc.," the researchers said. [caption id="attachment_73866" align="aligncenter" width="1000"] Apache Tomcat compromised to spread malware by Andariel APT. (Credit: Ahnlab)[/caption]

Malware Used by Andariel APT in this Campaign

The first of the two malware strains used in the latest campaign was Nestdoor, a remote access trojan (RAT) that has been active since May 2022. This RAT can execute commands from the threat actor to control infected systems. Nestdoor has been found in numerous Andariel attacks, including those exploiting the VMware Horizon product’s Log4Shell vulnerability (CVE-2021-44228). The malware is developed in C++ and features capabilities such as file upload/download, reverse shell, command execution, keylogging, clipboard logging, and proxy functionalities. A specific case in 2022 involved Nestdoor being distributed alongside TigerRAT using the same command and control (C&C) server. Another incident in early 2024 saw Nestdoor disguised as an OpenVPN installer. This version maintained persistence via the Task Scheduler and communicated with a C&C server. The Andariel APT has been developing new malware strains in the Go language for each campaign. Dora RAT, a recent discovery is one such malware strain. The backdoor malware supports reverse shell and file transfer operations and exists in two forms: a standalone executable and an injected process within "explorer.exe." The latter variant uses an executable in WinRAR SFX format, which includes an injector malware. The Dora RAT has been signed with a valid certificate from a UK software developer in an attempt to make it look legitimate.

Additional Malware Strains

• Keylogger/Cliplogger: Performs basic functions like logging keystrokes and clipboard contents, stored in the “%TEMP%” directory.
• Stealer: It is designed to exfiltrate files from the system, potentially handling large quantities of data.
• Proxy: Includes both custom-created proxy tools and open-source Socks5 proxy tools. Some proxies are similar to those used by the Lazarus group in past attacks.

The Andariel group, part of the larger Lazarus umbrella, has shifted from targeting national security information to also pursuing financial gains. Last month, the South Korean National Police Agency revealed a targeted campaign of the Andariel APT aimed at stealing the country’s defense technology. Andariel APT hackers gained access to defense industry data by compromising an employee account, which was used in maintaining servers of a defense industry partner. The hackers injected malicious code into the partner’s servers around October 2022, and extracted stored defense technology data. This breach exploited a loophole in how employees used their personal and professional email accounts for official system access. Andariel APT's initial attack methodology primarily includes spear phishing, watering hole attacks, and exploiting software vulnerabilities. Users should remain cautious with email attachments from unknown sources and executable files from websites. Security administrators are advised to keep software patched and updated, including operating systems and browsers, to mitigate the risk of malware infections, the researchers recommended.

IoCs to Watch for Signs of Andariel APT Attacks

IoCs to monitor for attacks from Andariel APT group include: MD5s – 7416ea48102e2715c87edd49ddbd1526: Nestdoor – Recent attack case (nest.exe) – a2aefb7ab6c644aa8eeb482e27b2dbc4: Nestdoor – TigerRAT attack case (psfile.exe) – e7fd7f48fbf5635a04e302af50dfb651: Nestdoor – OpenVPN attack case (openvpnsvc.exe) – 33b2b5b7c830c34c688cf6ced287e5be: Nestdoor launcher (FirewallAPI.dll) – 4bc571925a80d4ae4aab1e8900bf753c: Dora RAT dropper (spsvc.exe) – 951e9fcd048b919516693b25c13a9ef2: Dora RAT dropper (emaupdate.exe) – fee610058c417b6c4b3054935b7e2730: Dora RAT injector (version.dll) – afc5a07d6e438880cea63920277ed270: Dora RAT injector (version.dll) – d92a317ef4d60dc491082a2fe6eb7a70: Dora RAT (emaupdate.exe) – 5df3c3e1f423f1cce5bf75f067d1d05c: Dora RAT (msload.exe) – 094f9a757c6dbd6030bc6dae3f8feab3: Dora RAT (emagent.exe) – 468c369893d6fc6614d24ea89e149e80: Keylogger/Cliplogger (conhosts.exe) – 5e00df548f2dcf7a808f1337f443f3d9: Stealer (msload.exe) C&Cs – 45.58.159[.]237:443: Nestdoor – Recent attack case – 4.246.149[.]227:1443: Nestdoor – TigerRAT attack case – 209.127.19[.]223:443: Nestdoor – OpenVPN attack case – kmobile.bestunif[.]com:443 – Dora RAT – 206.72.205[.]117:443 – Dora RAT

Researchers discovered a new data theft campaign, active since at least 2021, attributed to an advanced persistent threat (APT) actor dubbed "LilacSquid." This campaign, observed by researchers at Cisco Talos, targets a diverse set of industries, including IT organizations in the United States, energy companies in Europe, and pharmaceutical firms in Asia. This broad victimology suggests that LilacSquid is agnostic to industry verticals, aiming to steal data from various sectors.

Use of Open-Source Tools and Customized Malware

The campaign from LilacSquid employs MeshAgent, an open-source remote management tool and a customized version of QuasarRAT that researchers refer as "PurpleInk," as primary implants after compromising vulnerable application servers exposed to the internet. LilacSquid exploits public-facing application server vulnerabilities and compromised remote desktop protocol (RDP) credentials to deploy a range of open-source tools and customized malware, including MeshAgent, SSF, PurpleInk, and loaders InkBox and InkLoader.

LilacSquid's Long-Term Access for Data Theft through Persistence

Talos assessed with high confidence that LilacSquid has been active since at least 2021, focusing on establishing long-term access to compromised organizations to siphon valuable data to attacker-controlled servers. The campaign has successfully compromised entities in Asia, Europe, and the United States across various sectors such as pharmaceuticals, oil and gas, and technology. LilacSquid uses two primary infection chains: exploiting vulnerable web applications and using compromised RDP credentials. [caption id="attachment_73284" align="aligncenter" width="1024"] LilacSquid Initial Access and Activity. (Credit: Cisco Talos)[/caption] Once a system is compromised through exploiting vulnerabilities on internet facing devices, LilacSquid deploys multiple access tools, including MeshAgent, SSF, InkLoader, and PurpleInk. [caption id="attachment_73286" align="aligncenter" width="1024"] LilacSquid's Lateral Movement via RDP. (Credit: Cisco Talos)[/caption] MeshAgent, downloaded using bitsadmin utility, connects to its command and control (C2) server, conducts reconnaissance, and activates other implants. On the other hand InkLoader, a .NET-based malware loader, is used when RDP credentials are compromised. It persists across reboots and executes PurpleInk, with the infection chain tailored for remote desktop sessions.

PurpleInk Implant of LilacSquid

PurpleInk, derived from QuasarRAT, has been customized extensively since 2021.

"Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family."

It features robust remote access capabilities, including process enumeration, file manipulation, system information gathering, remote shell access, and proxy server communication. Different variants of PurpleInk exhibit varying functionalities, with some stripped-down versions retaining core capabilities to evade detection. InkBox, an older loader used by LilacSquid, reads from a hardcoded file path on disk, decrypts its contents, and runs PurpleInk. Since 2023, LilacSquid has modularized the infection chain, with PurpleInk running as a separate process via InkLoader. [caption id="attachment_73282" align="aligncenter" width="1024"] PurpleInk Activation Chain (Credit: Cisco Talos)[/caption] Post-exploitation, MeshAgent activates other tools like SSF and PurpleInk. MeshAgent, configured with MSH files, allows operators to control infected devices extensively, managing files, viewing and controlling desktops, and gathering device information.

Parallels with North Korean APT Groups

The tactics, techniques, and procedures (TTPs) used in this campaign show similarities to those of North Korean APT groups, such as Andariel and Lazarus. Andariel is known for using MeshAgent to maintain post-compromise access, while Lazarus extensively employs SOCKs proxy and tunneling tools, along with custom malware, to create channels for secondary access and data exfiltration. LilacSquid has similarly deployed SSF and other malware to establish tunnels to their remote servers. The LilacSquid campaign highlights the persistent and evolving threat posed by sophisticated APT actors. By leveraging a combination of open-source tools and customized malware, LilacSquid successfully infiltrates and maintains long-term access to diverse organizations worldwide. IoCs to detect LilacSquid's PurpleInk infection:

PurpleInk: 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8

Network IOCs 

67[.]213[.]221[.]6 192[.]145[.]127[.]190 45[.]9[.]251[.]14 199[.]229[.]250[.]142

Seven Russian and Belarusian-speaking independent journalists and opposition activists based in Europe were targeted or infected with NSO Group’s proprietary Pegasus spyware. A joint investigation by Citizen Lab and Access Now detailed incidents from August 2020 to January 2023 and concluded that a single NSO Group customer might be responsible for at least five of these cases.

Threats Against Critics of Russian and Belarusian Regimes

In September 2023, Citizen Lab and Access Now reported the hacking of exiled Russian journalist Galina Timchenko, CEO and publisher of Meduza, with Pegasus spyware. Building on these findings, the investigation, in collaboration with digital security expert Nikolai Kvantiliani, now reveals the targeting of seven additional Russian and Belarusian-speaking civil society members and journalists. Many of these individuals, living in exile, have vocally criticized the Russian government, including its invasion of Ukraine, and have faced severe threats from Russian and Belarusian state security services. Critics of the Russian and Belarusian governments typically face intense retaliation, including surveillance, detention, violence, and hacking. The repression has escalated following Russia’s 2022 invasion of Ukraine, with laws severely curtailing the operations of media and civil society organizations. An example of this is the Russian government designating the Munk School of Global Affairs & Public Policy at the University of Toronto, home to the Citizen Lab, as an “Undesirable Organization,” in March 2024. Many opposition activists and independent media groups have relocated abroad to continue their work. Despite the geographic distance, these exiled communities face ongoing threats, including violent attacks, surveillance, and digital risks. For instance, Meduza reported a significant Distributed Denial of Service (DDoS) attack on their website during Russia’s 2024 presidential elections.

Investigation Confirmed Pegasus Spyware Targeting

The investigation confirmed that the following individuals were targeted or infected with Pegasus spyware. Their names are published with their consent. [caption id="attachment_73182" align="aligncenter" width="1532"] Table Showing Individuals Identified in the Latest Pegasus Spyware Infections (Credit: Citizen Lab)[/caption] Access Now and Citizen Lab confirmed that five victims' phones had Apple IDs used by Pegasus operators in hacking attempts. Exploits leveraging bugs in HomeKit can leave the attacker's Apple ID email address on the victim's device. Citizen Lab believes each Apple ID is tied to a single Pegasus operator, although one operator may use multiple IDs. The same Apple ID was found on the phones of Pavlov, Radzina, and a second anonymous victim. A different email account targeted both Erlikh and Pavlov’s phones on November 28, 2022. Artifacts from Andrei Sannikov and Natallia Radzina’s phones contained another identical email. This indicates that a single Pegasus spyware operator may have targeted at least three of the victims, possibly all five. [caption id="attachment_73184" align="aligncenter" width="1024"] Credit: Citizen Lab[/caption] The investigators could not attribute the attacks to a specific operator but certain trends pointed to Estonia’s involvement. Based on previous investigation, Poland, Russia, Belarus, Lithuania, and Latvia are all known to be customers of the NSO Group’s spyware, but the likeliness of their involvement is low as they do not target victims outside their borders, the investigators said. Estonia, however, is known to use Pegasus extensively beyond its borders, including in multiple European countries.

Concerns Over Digital Transnational Repression

This pattern of targeting raises serious concerns about the legality and proportionality of such actions under international human rights law. The attacks occurred in Europe, where the targeted individuals sought safety, prompting questions about host states’ obligations to prevent and respond to these human rights violations. The ongoing investigation highlights the persistent threats faced by exiled Russian and Belarusian journalists and activists. As digital transnational repression continues, it underscores the urgent need for robust international measures to protect freedom of expression and privacy for these vulnerable groups.

“Access Now [urged] governments to establish an immediate moratorium on the export, sale, transfer, servicing, and use of targeted digital surveillance technologies until rigorous human rights safeguards are put in place to regulate such practices, and to ban the use of spyware technologies such as Pegasus that have a history of enabling human rights abuses.”

Apple recently issued notifications to users in more than 90 countries alerting them of possible mercenary spyware attacks. The tech giant replaced the term "state-sponsored" in its alerts with "mercenary spyware attacks," drawing global attention. Previously, Apple used "state-sponsored" for malware threats, but now it highlights threats from hacker groups. Apple noted that while these attacks were historically linked to state actors and private entities like the NSO Group’s Pegasus, the new term covers a broader range of threats.

In a joint international law enforcement action dubbed “Operation Endgame,” the agencies and judicial authorities dismantled major botnet infrastructure, targeting notorious malware droppers like IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and TrickBot. In a Thursday announcement Europol said that between May 27 and 29, Operation Endgame led to four arrests and the takedown of over 100 servers worldwide.

“This is the largest ever operation against botnets, which play a major role in the deployment of ransomware,” Europol said.

Botnets are used for different types of cybercrime including ransomware, identity theft, credit card scams, and several other financial crimes. “The dismantled botnets consisted of millions of infected computer systems,” a joint press statement from the Operation Endgame team said. Led by France, Germany, and the Netherlands, and supported by Eurojust, the operation involved countries including Denmark, the United Kingdom, the United States, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland, and Ukraine. Operation Endgame resulted in:

• 4 arrests - 1 in Armenia and 3 in Ukraine.
• 16 location searches - 1 in Armenia, 1 in the Netherlands, 3 in Portugal, and 11 in Ukraine.
• Over 100 servers dismantled or disrupted in countries such as Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the UK, the US, and Ukraine.
• Over 2,000 domains seized and brought under law enforcement control.
• 8 summons were also served against other suspects.

Targeting the Cybercrime Infrastructure

Operation Endgame focused on high-value targets, their criminal infrastructure behind various malware and the freezing of illicit proceeds. “The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software,” according to Europol. One primary suspect, the Europol said, earned at least €69 million in cryptocurrency by renting out sites for ransomware deployment. Authorities are closely monitoring these transactions and have secured permissions to seize the assets. The infrastructure and financial seizures had a global impact on the dropper ecosystem, the authorities believe.

Key Dropper Malware Dismantled in Operation Endgame

- SystemBC: Facilitated anonymous communication between infected systems and command-and-control servers. - Bumblebee: Delivered via phishing campaigns or compromised websites, enabling further payload execution. - Smokeloader: Used primarily to download and install additional malicious software. - IcedID (BokBot): Evolved from a banking trojan to a multi-purpose tool for various cybercrimes. - Pikabot: Enabled ransomware deployment, remote takeovers, and data theft through initial system access.

“All of them are now being used to deploy ransomware and are seen as the main threat in the infection chain,” Europol said.

[caption id="attachment_72953" align="aligncenter" width="1920"] Operation Endgame seizure notice (Credit: Europol)[/caption]

The Role of Dropper Malware in Cyberattacks

Droppers are essential tools in cyberattacks, acting as the initial vector to bypass security and install harmful software such as ransomware and spyware. They facilitate further malicious activities by enabling the deployment of additional malware on compromised systems.

How Droppers Operate

1. Infiltration: Enter systems through email attachments, compromised websites, or bundled with legitimate software.
2. Execution: Install additional malware on the victim's computer without the user's knowledge.
3. Evasion: Avoid detection by security software through methods like code obfuscation and running in memory.
4. Payload Delivery: Deploy additional malware, potentially becoming inactive or removing itself to evade detection.

The success of the operation was bolstered by private partners such as Bitdefender, Sekoia, Shadowserver, Proofpoint, and Fox-IT, among others. Their support was crucial in disrupting the criminal networks and infrastructure, the authorities said.

Wait for Operation Endgame Season 2

Operation Endgame signifies a major victory, but this is not really the end of it. Taking cue from the Marvel cinematic movie ‘Avengers – Endgame,’ the law enforcement is set to to release a part two of this operation in a few hours from now as they said their efforts continue.

“This is Season 1 of operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways,” the authorities said.

“Feel free to get in touch, you might need us. Surely, we could both benefit from an openhearted dialogue. You would not be the first one, nor will you be the last. Think about (y)our next move.” Future actions will be announced on the Operation Endgame website, possibly targeting suspects and users, and ensuring accountability. The news of this massive botnet takedown operation comes a day after the announcement of the dismantling of “likely the world’s largest botnet ever” – the 911 S5 botnet. The botnet’s alleged administrator Yunhe Wang, was arrested last week and a subsequent seizure of infrastructure and assets was announced by the FBI. The recent law enforcement actions represent a historic milestone in combating cybercrime, dealing a significant blow to the dropper malware ecosystem that supports ransomware and other malicious activities. The operation's success underscores the importance of international cooperation and the need for robust cybersecurity measures to tackle evolving threats.

The FBI, in collaboration with international partners, has successfully dismantled the 911 S5 botnet's massive network that infected over 19 million IP addresses across 200 countries and facilitated several cybercriminal activities, including cyberattacks, financial frauds, identity theft, and child exploitation. In addition to the infrastructural takedown of the 911 S5 botnet, Chinese national YunHe Wang, the alleged administrator of the botnet, was also arrested on May 24, U.S. Attorney General Merrick Garland said in a Wednesday press briefing.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.

“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators,” Wray added. Wang and two of his associates, along with three Thailand-based businesses linked to the botnet, were sanctioned by the U.S. Treasury Department on Tuesday. Wang faces up to 65 years in prison on charges that include computer fraud, wire fraud, and money laundering.

911 S5 Botnet Operations

Beginning in 2014, Wang allegedly developed and distributed malware that compromised millions of Windows operating systems worldwide, including over 600,000 IP addresses in the U.S. Wang allegedly spread malware through malicious VPN programs like MaskVPN and DewVPN, as well as through pirated software bundled with malware. Wang managed and controlled approximately 150 dedicated servers worldwide.

“Using the dedicated servers, Wang was able to deploy and manage applications, command and control the infected devices, operate his 911 S5 service and provide to paying customers access to the proxied IP addresses associated with the infected devices,” Wang's indictment said.

The residential proxy service that Wang developed and operated allowed subscribers to access the more than 19 million compromised IP addresses, which helped them mask their online activities. This service generated approximately $99 million for Wang. The 911 S5 botnet facilitated a range of cybercrimes, including cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations, Garland said. One such example is that of customers using the botnet's services for fraudulently filing 560,000 unemployment insurance claims that resulted in a confirmed loss of $5.9 billion from federal pandemic relief programs. In another instance, the 911 S5 botnet customers used the service to file more than 47,000 Economic Injury Disaster Loan applications, which again resulted in the loss of millions of dollars.

Infrastructure and Assets Seized

Authorities seized 23 internet domains and more than 70 servers, which formed the core of the 911 S5 botnet and its successor services. This action effectively shut down the botnet and prevented Wang from reconstituting the service under a new name, Clourouter.io. The U.S. Department of Justice emphasized that this seizure closed existing malicious backdoors used by the botnet. Wang allegedly used the proceeds from the botnet to purchase properties across the globe, including the U.S., China, Singapore, Thailand, the United Arab Emirates, and St. Kitts and Nevis, where he also holds a citizenship. Authorities have moved to forfeit his assets, which include 21 properties and a collection of luxury cars such as a Ferrari F8, several BMWs, and a Rolls Royce.

Investigation Triggered by Ecommerce Incident

The investigation into the 911 S5 botnet was initiated following a probe into more than 2,000 fraudulent orders placed with stolen credit cards on ShopMyExchange, an e-commerce platform linked to the Army and Air Force Exchange Service. The perpetrators in Ghana and the U.S. were found to be using IP addresses acquired from 911 S5.

“Although approximately 2,525 fraudulent orders valued at $5.5 million were submitted, credit card fraud detection systems and federal investigators were able to thwart the bulk of the attempted purchases, reducing the actual loss to approximately $254,000,“ the Justice Department said.

The latest takedown is part of a broader effort of the Justice Department to combat nation-state hacking and international cybercrime. At the beginning of the year, the Justice Department dismantled botnets linked to the China-affiliated hacking group Volt Typhoon, followed by the disruption of botnet controlled by the Russian APT28 group associated with the Russian military intelligence, the GRU. Google-owned cybersecurity firm Mandiant also warned last week that Chinese state hackers are increasingly using vast proxy server networks, built from compromised online devices and virtual private servers, to evade detection during their cyberespionage campaigns. Garland highlighted the global collaboration in this operation, underscoring the Justice Department's commitment to disrupting cybercrime networks that pose a significant threat to individuals and national security. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. Treasury Department sanctioned three Chinese nationals on Tuesday for their alleged involvement in operating the 911 S5 proxy botnet widely used for fraudulent activities, including credit card theft and Coronavirus Aid, Relief, and Economic Security program frauds. The sanctions are aimed at curbing the operations linked to the botnet, which caused major financial losses amounting to "billions" of dollars to the U.S. government.

The Rise and Demise of 911 S5 Botnet

The botnet in question played a critical role in executing numerous fraudulent schemes through stolen residential IP addresses.

"The 911 S5 botnet compromised approximately 19 million IP addresses and facilitated the submission of tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs by its users, resulting in the loss of billions of dollars to the U.S. government."

911 S5 is a residential proxy botnet that allows its paying users, often cybercriminals, to select the IP addresses they can use to connect to the internet using intermediary, internet-connected computers that have been compromised without the computer owners’ knowledge. 911 S5 essentially enables cybercriminals to conceal their originating location, effectively defeating fraud detection systems, the U.S. Treasury explained. The 911 S5 botnet was also implicated in a series of bomb threats made in July 2022, according to the Treasury. Investigators found links of IP addresses within the proxy botnet network being used in this incident. The network was connected to 911 S5, a residential proxy service that allowed users to mask their IP addresses by routing their web activity through compromised devices. The 911 S5 service went offline in July 2022, following a purported hacking incident that damaged essential data. The disruption was reported by independent journalist Brian Krebs. Despite its shutdown, the impacts of its previous operations continued to reverberate, leading to the current sanctions.

The Individuals and Businesses Sanctioned

The sanctioned individuals include Yunhe Wang, allegedly the administrator of the botnet; Jingping Liu, accused of laundering proceeds for Wang; and Yanni Zheng, who reportedly acted as power of attorney for Wang and facilitated business transactions on his behalf through the company Spicy Code Company Limited. The men are believed to reside in Singapore and Thailand, countries that were acknowledged as partners in the sanctions announcement. Three businesses registered in Thailand were also sanctioned for their connections to Wang. These sanctions require that any property and interests owned by the three men within the U.S. be reported to the Treasury, and prohibit U.S. citizens or residents from engaging in business with them. Only these three individuals and the businesses implicated in their fraudulent schemes were sanctioned by the Treasury, but no indictments or legal actions were revealed by the U.S. Department of Justice (DOJ), as is the case in many other instances.

Broader Ongoing Cybersecurity Concerns

The sanctions against these individuals are part of a broader effort by the U.S. government to address cybersecurity threats linked to state-sponsored hacking groups. Google-owned cybersecurity firm Mandiant warned last week that Chinese state hackers are increasingly using vast proxy server networks, built from compromised online devices and virtual private servers, to evade detection during their cyberespionage campaigns. In January, the DOJ announced the takedown of a botnet associated with Volt Typhoon, a hacking group with ties to the Chinese government. This group was known for infecting home and office routers with malware to obscure its hacking activities. The concerted actions by U.S. authorities and private defenders highlight the ongoing challenges and complexities in combating cybercrime and protecting critical financial and infrastructural systems from sophisticated malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Microsoft has uncovered a new “FakePenny” ransomware variant being deployed by a North Korean threat actor to target organizations in the software, information technology, education and defense industrial base sectors for both espionage and monetary gains. The threat actor, which Microsoft tracks as Moonstone Sleet, was first observed delivering a new custom ransomware variant in April, to an undisclosed company whose networks it compromised a couple of months earlier. The ransomware is straightforward and contains a loader and an encryptor module. North Korean threat actor groups have previously developed such custom ransomware, but “this is the first time we have observed this threat actor deploying ransomware,” the tech giant said.

“Microsoft assesses that Moonstone Sleet’s objective in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation.”

FakePenny ransomware demands exorbitant ransoms, with recent demands reaching $6.6 million in Bitcoin. “This is in stark contrast to the lower ransom demands of previous North Korea ransomware attacks, like WannaCry 2.0 and H0lyGh0st,” Microsoft said. Notably, the ransom note used by FakePenny ransomware closely resembles the one employed in the infamous NotPetya ransomware attack, which is attributed to the North Korean group Seashell Blizzard. This continuity in tactics highlights the interconnected nature of North Korean cyber operations.

Moonstone Sleet’s Strategy and Tradecraft

Moonstone Sleet has a diverse set of operations supporting its financial and espionage objectives. This group has been observed creating fake companies, employing trojanized versions of legitimate tools, and even developing malicious games to infiltrate targets. Their ability to conduct concurrent operations and quickly evolve and adapt their techniques is notable. The threat actor, as noted earlier, has several different tradecrafts under its belt. In early August 2023, Moonstone Sleet delivered a compromised version of PuTTY, an open-source terminal emulator, through platforms like LinkedIn, Telegram, and freelancing websites. The trojanized software decrypted and executed the embedded malware when the user provided an IP and password mentioned in a text document contained in the malicious Zip file that the threat actor sent. The same technique was used by another North Korean actor Diamond Sleet. Moonstone Sleet has also targeted victims using malicious “npm” packages distributed through freelancing sites and social media. These packages often masqueraded as technical assessments, lead to additional malware downloads when executed. Since February 2024, Moonstone Sleet has also taken a different approach by using a malicious game called DeTankWar to infect devices. The group approached targets posing as a game developer or fake company, presenting the game as a blockchain project. Upon launching the game, additional malicious DLLs were loaded, executing a custom malware loader known as “YouieLoad.” This loader performs network and user discovery and browser data collection.

Fake Companies and Work-for-Hire Schemes

Since January 2024, Moonstone Sleet has created several fake companies, including StarGlow Ventures and C.C. Waterfall, to deceive targets. These companies posed as software development and IT service firms, often related to blockchain and AI, to establish trust and gain access to organizations. Moonstone Sleet has also pursued employment opportunities in legitimate companies, which is consistent with reports of North Korea using remote IT workers to generate revenue. Recently, U.S. charged North Korean job fraud nexus that was amassing funds to support its nuclear program. The nexus scammed more than 300 U.S. companies and accumulated at least $6.8 million. This employment tactic could also provide another avenue for gaining unauthorized access to organizations. Moonstone Sleet’s notable attacks include compromising a defense technology company to steal credentials and intellectual property and deploying ransomware against a drone technology firm.

“Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.”

Defending Against Moonstone Sleet

To defend against Moonstone Sleet, Microsoft recommends endpoint detection and response (EDR), implementing attack surface reduction rules to block executable content from email clients and webmail, preventing executable files from running unless they meet specific criteria, use advanced protection against ransomware, and block credential stealing from LSASS. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

OpenAI announced a new safety and security committee as it begins training a new AI model intended to replace the GPT-4 system that currently powers its ChatGPT chatbot. The San Francisco-based startup announced the formation of the committee in a blog post on Tuesday, highlighting its role in advising the board on crucial safety and security decisions related to OpenAI’s projects and operations. The creation of the committee comes amid ongoing debates about AI safety at OpenAI. The company faced scrutiny after Jan Leike, a researcher, resigned, criticizing OpenAI for prioritizing product development over safety. Following this, co-founder and chief scientist Ilya Sutskever also resigned, leading to the disbandment of the "superalignment" team that he and Leike co-led, which was focused on addressing AI risks. Despite these controversies, OpenAI emphasized that its AI models are industry leaders in both capability and safety. The company expressed openness to robust debate during this critical period.

OpenAI's Safety and Security Committee Composition and Responsibilities

The safety committee comprises company insiders, including OpenAI CEO Sam Altman, Chairman Bret Taylor, and four OpenAI technical and policy experts. It also features board members Adam D’Angelo, CEO of Quora, and Nicole Seligman, a former general counsel for Sony.

"A first task of the Safety and Security Committee will be to evaluate and further develop OpenAI’s processes and safeguards over the next 90 days." 

The committee's initial task is to evaluate and further develop OpenAI’s existing processes and safeguards. They are expected to make recommendations to the board within 90 days. OpenAI has committed to publicly releasing the recommendations it adopts in a manner that aligns with safety and security considerations. The establishment of the safety and security committee is a significant step by OpenAI to address concerns about AI safety and maintain its leadership in AI innovation. By integrating a diverse group of experts and stakeholders into the decision-making process, OpenAI aims to ensure that safety and security remain paramount as it continues to develop cutting-edge AI technologies.

Development of the New AI Model

OpenAI also announced that it has recently started training a new AI model, described as a "frontier model." These frontier models represent the most advanced AI systems, capable of generating text, images, video, and human-like conversations based on extensive datasets. The company also recently launched its newest flagship model GPT-4o ('o' stands for omni), which is a multilingual, multimodal generative pre-trained transformer designed by OpenAI. It was announced by OpenAI CTO Mira Murati during a live-streamed demo on May 13 and released the same day. GPT-4o is free, but with a usage limit that is five times higher for ChatGPT Plus subscribers. GPT-4o has a context window supporting up to 128,000 tokens, which helps it maintain coherence over longer conversations or documents, making it suitable for detailed analysis. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researchers have observed a significant increase in attempts to spread the Anatsa Banking Trojan under the veil of legitimate-looking PDF and QR code reader apps on the Google Play store. Also known as TeaBot, the malware employs dropper applications that appear harmless to users, deceiving them into unwittingly installing the malicious payload, said researchers at cybersecurity firm Zscaler. Once installed, Anatsa extracts sensitive banking credentials and financial information from various global financial applications. It achieves this through overlay and accessibility techniques, allowing it to discreetly intercept and collect data.

Distribution and Impact of Anatsa Banking Trojan

Two malicious payloads linked to Anatsa were found in the Google Play store, distributed by threat actors. The campaign impersonated PDF reader and QR code reader applications to attract numerous installations. The high number of installations, which had surpassed 70,000 at the time of analysis, further convinced victims of the applications' legitimacy. Anatsa employs remote payloads retrieved from Command and Control (C&C) servers to perform additional malicious activities. The dropper application contains encoded links to remote servers, from which the subsequent stage payload is downloaded. Along with the payload, the malware fetches a configuration file from the remote server to execute the next stage of the attack.

Anatsa Infection Steps

The Anatsa banking trojan works by employing a dropper application and executing a payload to launch its malicious activities. Dropper Application:

• The fake QR code application downloads and loads the DEX file.
• The application uses reflection to invoke code from the loaded DEX file.
• Configuration for loading the DEX file is downloaded from the C&C server.

Payload Execution:

• After downloading the next stage payload, Anatsa performs checks on the device environment to detect analysis environments and malware sandboxes.
• Upon successful verification, it downloads the third and final stage payload from the remote server.

Malicious Activities:

• The malware injects uncompressed raw manifest data into the APK, deliberately corrupting the compression parameters in the manifest file to hinder analysis.
• Upon execution, the malware decodes all encoded strings, including those for C&C communication.
• It connects with the C&C server to register the infected device and retrieve a list of targeted applications for code injections.

Data Theft:

• After receiving a list of package names for financial applications, Anatsa scans the device for these applications.
• If a targeted application is found, Anatsa communicates this to the C&C server.
• The C&C server then supplies a counterfeit login page for the banking operation.
• This fake login page, displayed within a JavaScript Interface (JSI) enabled web view, tricks users into entering their banking credentials, which are then transmitted back to the C&C server.

[caption id="attachment_71735" align="aligncenter" width="1038"] Anatsa Banking Trojan Attack Chain (Source: Zscaler)[/caption] The Anatsa banking trojan is increasing in prevalence and infiltrates the Google Play store disguised as benign applications. Using advanced techniques such as overlay and accessibility, it stealthily exfiltrates sensitive banking credentials and financial data. By injecting malicious payloads and employing deceptive login pages, Anatsa poses a significant threat to mobile banking security.

Best Practices to Stop the Anatsa Trojan

To protect against such threats, Cyble's Research and Intelligence Labs suggests following essential cybersecurity best practices:

• Install Software from Official Sources: Only download software from official app stores like the Google Play Store or the iOS App Store.
• Use Reputable Security Software: Ensure devices, including PCs, laptops, and mobile devices, use reputable antivirus and internet security software.
• Strong Passwords and Multi-Factor Authentication: Use strong passwords and enable multi-factor authentication whenever possible.
• Be Cautious with Links: Be careful when opening links received via SMS or emails.
• Enable Google Play Protect: Always have Google Play Protect enabled on Android devices.
• Monitor App Permissions: Be wary of permissions granted to applications.
• Regular Updates: Keep devices, operating systems, and applications up to date.

By adhering to these practices, users can establish a robust first line of defense against malware and other cyber threats, Cyble researchers said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The impact of the Cencora data breach is far more widespread than earlier thought as more than a dozen pharmaceutical giants including Novartis and GlaxoSmithKline disclose personal and health information data leaks stemming from the February breach incident. Cencora Inc., formerly recognized as AmerisourceBergen, and its Lash Group affiliate announced in a February filing with the Securities and Exchange Commission (SEC) that the company faced a cybersecurity incident where “data from its information systems had been exfiltrated.” Cencora is a major pharmacy company with over 46,000 employees and approximately $262.2 billion in revenue in 2023. Based in Pennsylvania, it operates in around 50 countries globally. The popular American drug wholesaler did not disclose the extent of the data breach in its February SEC filing but did confirm at the time that some of the data exfiltrated in the attack could contain personal information. Last week, however, Cencora and The Lash Group clients began notifying state Attorneys General about a data breach that stemmed from the February cybersecurity incident at Cencora. At least 15 pharmaceutical companies reported that the personal data of hundreds of thousands of individuals were compromised. Notifications identified the following affected companies:

• AbbVie Inc.
• Acadia Pharmaceuticals Inc.
• Bayer Corporation
• Bristol Myers Squibb Company and Bristol Myers Squibb Patient Assistance Foundation
• Dendreon Pharmaceuticals LLC
• Endo Pharmaceuticals Inc.
• Genentech, Inc.
• GlaxoSmithKline Group of Companies and the GlaxoSmithKline Patient Access Programs Foundation
• Incyte Corporation
• Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
• Novartis Pharmaceuticals Corporation
• Pharming Healthcare, Inc.
• Regeneron Pharmaceuticals, Inc.
• Sumitomo Pharma America, Inc. / Sunovion Pharmaceuticals Inc.
• Tolmar

State Attorneys General often announce data breaches without specifying the number of affected people but AG’s office in Texas does disclose the number impacting the state residents. Based on these partial numbers, at least 542,000 individuals seem to be impacted from the Cencora data breach, till date. The Cyber Express reached out to Cencora for confirming the total number of individuals impacted to understand the full extent of the data breach but did not receive any communication till the time of publishing the article.

Cyber Forensic Findings from the Cencora Data Breach

Cencora detected the cyberattack on February 21, and took immediate action to contain and prevent further unauthorized access. Based on the investigation that likely concluded in April, Cencora said personal information including first name, last name, address, date of birth, health diagnosis, and medications and prescriptions was compromised in the attack. AmerisourceBergen Specialty Group (ABSG), a unit of Cencora, said Friday the breach involved data of a prescription supply program run by the now defunct subsidiary, Medical Initiatives Inc. Further details on how the supply program was exploited remain unclear. U.S. has been rocked by a host of cybersecurity breaches linked to the healthcare industry in recent days. While Change Healthcare cyberattack was one of the most notable ones, the Medstar and Ascension breaches have displayed the vulnerability of the healthcare sector to cyberattacks. The latest in the list of healthcare data breaches is the Sav-Rx data breach that compromised the health data of more than 2.8 million people. Cencora’s investigation, however, found no connection with other major healthcare cyberattacks and, in its notifications, said they were unaware of any actual or attempted misuse of the stolen data. The company said it has not seen any public disclosure of the stolen data, till date. The affected individuals have been offered 24 months of credit monitoring and identity theft remediation services at no cost and steps have also been taken to harden defenses to prevent such security breaches in the future. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Russian hackers were found using legitimate remote monitoring and management software to spy on Ukraine and its allies. The malicious scripts required for downloading and running the RMM program on the victims’ computers are hidden among the legitimate Python code of the “Minesweeper” game from Microsoft. The Government Computer Emergency Response Team of Ukraine (CERT-UA), operating under the State Special Communications Service, warned that Russian cybercriminals are using the legitimate SuperOps RMM software program to gain unauthorized access to Ukrainian organizations’ information systems, particularly those in the financial sector. The Cyber Security Center of the National Bank of Ukraine (CSIRT-NBU) and CERT-UA recorded and analyzed phishing emails sent to victims with a Dropbox link containing an executable file (.SCR) that was about 33 megabytes in size. The emails were sent from the address “support@patient-docs-mail.com,” which impersonated a medical center and had the subject line “Personal Web Archive of Medical Documents.” The .SCR file contained a Python clone of the Minesweeper game along with malicious Python code that downloads additional scripts from a remote source “anotepad.com.” The Minesweeper code contained a function named “create_license_ver” which is repurposed to decode and execute the hidden malicious code. The legitimate SuperOps RMM program is eventually downloaded and installed from a ZIP file, granting attackers remote access to the victim’s computer. The CERT-UA found five similar files, named after financial and insurance institutions in Europe and the USA, indicating that these cyberattacks, which took place between February and March 2024, have a wide geographic reach. CERT-UA tracked this threat activity to an actor it identified as UAC-0188. UAC-0118, also known as FRwL or FromRussiaWithLove, is a Russian state-aligned hacktivist threat actor group that emerged during the Russia-Ukraine war in 2022. They primarily targeted critical infrastructure, media, energy and government entities. FRwL has been previously linked to the use of the Vidar stealer and Somnia ransomware, which they employ as a data wiper rather than for financial gain. While there is no direct evidence linking FRwL to the Russian Main Intelligence Directorate, it is possible that they coordinate activities with state-aligned hacktivist groups.

Possible Defense Against Ongoing Remote Monitoring Campaign

CERT-UA recommends the following:

• Organizations not using SuperOps RMM should verify the absence of network activity associated with the domain names: [.]superops[.]com, [.]superops[.]ai.
• Improve employee cyber hygiene.
• Use and constantly update anti-virus software.
• Regularly update operating systems and software.
• Use strong passwords and change them regularly.
• Back up important data.

Ukrainian Financial Institutions Also on Smokeloader’s Radar

The financially motivated group UAC-0006 has actively launched phishing attacks targeting Ukraine through 2023. CERT-UA reported the resurfacing of UAC-0006 in spring 2024, with hackers attempting to distribute Smokeloader, a common malware in the group’s toolkit. This threat group’s goal has primarily been to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems. SmokeLoader is a malicious bot application and trojan that can evade security measures to infect Windows devices. It can then install other malware, steal sensitive data and damage files, among other issues. Throughout 2023, UAC-0006 conducted several phishing campaigns against Ukraine, exploiting financial lures and using ZIP and RAR attachments to distribute Smokeloader CERT-UA last week issued another warning about a significant surge in UAC-0006 activity. Hackers have conducted at least two campaigns to distribute Smokeloader, displaying similar patterns to previous attacks. The latest operations involve emails with ZIP archives containing images that include executable files and Microsoft Access files with macros that execute PowerShell commands to download and run other executable files. After initial access, the attackers download additional malware, including TALESHOT and RMS. The botnet currently consists of several hundred infected computers. CERT-UA anticipates an increase in fraudulent operations involving remote banking systems and thus, strongly recommends enhancing the security of accountants’ automated workstations and ensuring the implementation of necessary policies and protection mechanisms to reduce infection risks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Sav-Rx, a medication benefits management service provider, experienced a data breach incident that potentially exposed the personal and health information of more than 2.8 million individuals in the United States. Sav-Rx, operating under A&A Services, provides medication benefits management services to various health plans, which requires collecting and storing personal data from health plan participants and employees. The incident was first detected on October 8, last year, when the company identified an unauthorized access to its computer network, a breach notification to the Maine Attorney General said. Sav-Rx engaged third-party cybersecurity experts to contain and investigate the breach. The affected IT systems were restored the next business day, ensuring no disruption to patient care or prescription services. The investigation revealed that an unauthorized third party accessed non-clinical systems and obtained files containing personal and health information, such as:

• names,
• dates of birth,
• social security numbers,
• email addresses,
• physical addresses,
• phone numbers,
• eligibility data, and
• insurance identification numbers.

Clinical and financial information remained secure. The breach investigation concluded on April 30, and notifications to impacted individuals were sent out beginning May 24. Sav-Rx confirmed that the unauthorized party destroyed the acquired data and did not further disseminate it. Whether it paid a ransom in exchange of this is unclear as Sav-Rx did not immediately respond to a comment request from The Cyber Express. Although additional details about the attackers and their motive remain under wraps, Conti ransomware group had reportedly, at the time, claimed responsibility for the attack and demanded an undisclosed amount for not publishing the leaked data. To mitigate potential harm, the company offers two years of complimentary credit monitoring and identity theft protection through Equifax. Sav-Rx advises affected individuals to monitor their credit reports and account statements for signs of fraud or identity theft. Affected individuals can contact Sav-Rx's call center at 888-326-0815 for further assistance and information regarding credit monitoring services. Sav-Rx implemented enhanced security measures, including 24/7 security operations, multi-factor authentication, BitLocker encryption, new firewalls, and system hardening protocols, to prevent future incidents. The company promptly notified law enforcement authorities after detecting the breach. For more information about the incident, people can visit the FAQ page on the company’s website.

Call for Class Action Against Sav-Rx Data Breach

Considering the widespread impact where the personal and health information of 2,812,336 individuals was compromised, Abington Cole + Ellery, an Oklahoma-based law firm has initiated a class action lawsuit investigation in the Sav-Rx data breach. ACE requested victims interested in participating as a class representative in this class action against Sav-Rx to submit their details in an online form.

Ransomware Attacks on Healthcare Bleeding Billions from U.S. Economy

A recent study revealed that over the past several years, more than 500 successful ransomware attacks have impacted nearly 10,000 healthcare providers, exposing over 52 million patient records and costing the US economy $77.5 billion in downtime alone. Another study by Proofpoint and Ponemon found that 68% of respondents reported disrupted patient care due to ransomware attacks, 46% noted increased mortality rates, and 38% saw more complications in medical procedures. Additionally, ransomware attacks were linked to 42 to 67 patient deaths over five years and a 33% monthly increase in deaths among hospitalized Medicare patients. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Google released a new Chrome update on Thursday to fix the fourth zero-day vulnerability in two weeks and eighth overall in 2024. "Google is aware that an exploit for CVE-2024-5274 exists in the wild," the company said in an advisory. Google did not provide details on the bug or the exploitation but credited Clement Lecigne of Google’s Threat Analysis Group (TAG) and Brendon Tiszka of Chrome Security for reporting the flaw. There is no knowledge of any bug bounty reward for this discovery. "Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user," the Center for Internet Security explained. Depending on the privileges associated with the logged on user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have less rights on the system could be less impacted than those who operate with administrative user rights." Chrome vulnerabilities are often targeted by commercial spyware vendors. Google TAG researchers have previously reported several zero-days exploited by spyware vendors, including security defects in Google’s browser. CVE-2024-5274 is the fourth zero-day patched in the last 15 days, following CVE-2024-4671 (use-after-free in Visuals), CVE-2024-4761 (out-of-bounds write in V8), and CVE-2024-4947 (type confusion in V8). So far this year, Google has resolved a total of eight Chrome zero-days. Three of these, CVE-2024-2886, CVE-2024-2887, and CVE-2024-3159, were demonstrated at the Pwn2Own Vancouver 2024 hacking contest in March. Complete list of zero-days published in 2024:

• CVE-2024-0519: Out-of-bounds memory access in V8
• CVE-2024-2886: Use-after-free in WebCodecs (presented at Pwn2Own 2024)
• CVE-2024-2887: Type confusion in WebAssembly (presented at Pwn2Own 2024)
• CVE-2024-3159: Out-of-bounds memory access in V8 (presented at Pwn2Own 2024)
• CVE-2024-4671 - Use-after-free in Visuals
• CVE-2024-4761 - Out-of-bounds write in V8
• CVE-2024-4947 - Type confusion in V8

The latest Chrome version has now been rolled out as 125.0.6422.112 for Linux and 125.0.6422.112/.113 for Windows and macOS. Google also released Chrome for Android versions 125.0.6422.112/.113 with the same security fixes.

Opera Rolled-Out Update to Fix Chrome Zero-Day

The current version of Opera browser is based on Chromium, the same engine that Google Chrome uses. Opera released a subsequent patch on Friday to fix the same bug.

Dear Opera Users! The latest stable release of Opera – 110.0.5130.39, incorporates a crucial 0-day fix for CVE-2024-5274, enhancing user security. This update ensures safer browsing for everyone.

Opera is available on Windows, macOS, Linux, Android and iOS. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Hackers compromised a popular courtroom recording platform used across jails and prisons around the globe, to gain full control of systems through a backdoor implanted in a software update. Justice AV Solutions (JAVS) software records events like lectures, court hearings and council meetings, with over 10,000 installations worldwide. Users can download it through the vendor's website as a Windows-based installer package. This week, the company announced it had identified a security issue with a previous version of its JAVS Viewer software. The company stated on Thursday, “Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file.” JAVS removed all versions of Viewer 8.3.7 from its website, reset all passwords and conducted a full internal audit of its systems. The company confirmed that all currently available files on the JAVS website are genuine and malware-free. It also verified that no JAVS source code, certificates, systems, or other software releases were compromised. The malicious file containing malware did not originate from JAVS or any associated third party. As a precautionary measure, the company urged users to verify any JAVS software they install is digitally signed by the company.

“Manually check for file 'fffmeg.exe': If the malicious file is found or detected, we recommend a full re-image of the PC and a reset of any credentials used by the user on that computer.”

If Viewer 8.3.7.250 is the version currently installed, but no malicious files are found, JAVS advised uninstalling the Viewer software and performing a full Anti-Virus/malware scan. “Please reset any passwords used on the affected system before upgrading to a newer version of Viewer 8,” the company recommended. Cybersecurity firm Rapid7 analyzed the issue and found that the corrupted JAVS Viewer software, which opens media and logs files, included a backdoored installer that gives attackers full access to affected systems. Based on the open-source intelligence, Rapid7 determined that the binary fffmpeg.exe is associated with the GateDoor and Rustdoor malware family. These malwares perform malicious actions such as collecting information, downloading additional files, and executing commands. RustDoor focuses on backdoor functions, but GateDoor has many loader functions. “The infrastructure used by the two malware appears to be related to a RaaS affiliate called ShadowSyndicate, and the possibility that they are cybercrime collaborators who specialize in providing infrastructure cannot be ruled out,” said S2W, the company who first observed the backdoors earlier in February. Rapid7 tracked the issue as CVE-2024-4978 and coordinated the disclosure with the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Rapid7 noted that the malicious versions of the software were signed by "Vanguard Tech Limited," allegedly based in London. In its advisory, Rapid7 urged users to reimage all endpoints where the software was installed and reset credentials on web browsers and for any accounts logged into affected endpoints, both local and remote.

“Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate,” Rapid7 advised.

The issue first surfaced on platform X (formerly Twitter) in April when a threat intelligence researcher claimed that “malware is being hosted on the official website of JAVS.” On May 10, Rapid7 responded to an alert on a client's system and traced an infection back to an installer downloaded from the JAVS website. The malicious file downloaded by the victim was no longer available on the website, and it's unclear who removed it. A few days later, researchers found a different installer file containing malware on the JAVS website, confirming the vendor site as the source of the initial infection. JAVS did not comment on the discrepancy between their findings and Rapid7's analysis. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Australian cyber chief announced Friday an “unwelcome development” in the recently disclosed MediSecure data breach. A hacker claimed to possess the patient data likely siphoned during the ransomware attack and listed it for sale on a Russian hacking forum for $50,000.

“We are aware a dataset purporting to be from the MediSecure breach has been advertised for sale on a dark web marketplace, along with a sample of the data,” said Australia’s National Cyber Security Coordinator, Lieutenant General Michelle McGuinness.

She said that all federal agencies involved in the response to the data breach incident “are aware of the advertisement” and “are working with MediSecure to verify the data that has been posted online.” MediSecure, only one of the two providers of electronic prescription services to healthcare professionals in Australia, announced last week that it had fallen victim to a large-scale ransomware attack. Preliminary investigation over the weekend revealed that it was an “isolated” attack and no impact on current e-Prescriptions was observed. However, personal and health data of its customers and providers until November 2023 was likely accessed, the company confirmed. The Australian Federal Police and Australian Signals Directorate are now investigating and responding to the incident under joint standing arrangements of Operation Aquila.

The Hacker Claim and Attempted Sale

A week after the MediSecure data breach incident became public, a Russian hacking forum member claimed to have 6.5 terabytes of data including personal information of thousands of Australians, available for sale. The post on the forum read, “For sale: Database of an Australian medical prescriptions company MedSecure [sic].” It detailed the information available, including citizens' insurance numbers, phone numbers, addresses, full names, supplier and contractor information, emails, username and passwords for the MediSecure website, prescription details and IP addresses of site visitors. The forum member stated they would sell the information to only one buyer. Hacktivist tracker CyberKnow group indicated that their research suggested the forum post was likely legitimate. They noted the threat actor created this Russian hacker forum account on May 15, likely for the sole purpose of selling the stolen MediSecure data. CyberKnow group said the actor’s pivot to the new forum could also be due to the recent seizure of BreachForums. The threat actor has not posted anything else to the forum.

“It appears from the limited information that this is not a traditional ransomware extortion shakedown and it begs to wonder if there was any negotiation or extorting attempt between the threat actor and Medisecure,” CyberKnow group said.

“Australians should recognize that the cyberthreat landscape is diverse, and groups and actors can impact businesses regardless of their capability, organization, or structure,” it added. The cyber chief McGuinness warned Australians against searching for this alleged MediSecure data set. “Accessing stolen sensitive or personal information on the dark web only feeds the business model of cybercriminals,” she said. “While this is an unwelcome development, I want to again assure Australians that if individuals are at risk of serious harm through the publication of their information, then we will work with MediSecure to make sure that individuals are appropriately informed, so they may take steps to protect themselves from any further risk to their personal information.”

Hack Calls for Stricter Legislative Reforms

Earlier this week, Australian Privacy Commissioner Carly Kind accepted there are ongoing challenges in how organizations collect and protect customer data. She said, “any major data breach reinforces the reality of today’s world: there are increasing cyber threats and continual challenges to digital defenses.” Kind advised organizations to prioritize protecting individuals' personal information, review and improve their practices and only collect necessary information. She urged, “Know what information you hold. And if that information is not necessary to your business, delete it.” She also called for urgent legislative reforms to ensure all Australian organizations build the highest levels of security into their operations.

“The coverage of Australia’s privacy legislation lags behind the advancing skills of malicious cyber actors. Reform of the Privacy Act is urgent, to ensure all Australian organizations build the highest levels of security into their operations and the community’s personal information is protected to the maximum extent possible,” Kind said.

The OAIC’s office is additionally investigating whether MediSecure complied with federal laws requiring companies to notify authorities of a data breach. Media Disclaimer: This article is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A Georgia man was sentenced to 10 years in prison after being convicted of money laundering and conspiracy in connection with a digital fraud network that included business email compromise (BEC) attacks, romance scams, and healthcare benefits frauds, the U.S. Department of Justice announced. Malachi Mullings, 31, from Sandy Springs scammed over $4.5 million from his victims and laundered the proceeds through 20 bank accounts opened in the name of a shell company, The Mullings Group LLC. The scams relied on a variety of common techniques used in BEC scams and targeted elderly individuals of a health care benefit program, private companies and romance scam victims. “In one instance, Mullings laundered $310,000 that was fraudulently diverted from a state Medicaid program and had been intended as reimbursement for a hospital,” the Justice Department said. In another instance, Mullings was able to get $260,000 from a romance scam, which he used to buy a Ferrari. The sentencing of Mullings comes after he pleaded guilty in January 2023 to one count of conspiracy to commit money laundering and seven counts of various money laundering offenses. Mullings was first charged in February 2022, along with nine others from multiple states across the country. They were all charged in connection with multiple business email compromise, money laundering and wire fraud schemes that targeted Medicare, state Medicaid programs, private health insurers, and numerous other victims, which resulted in more than $11.1 million in total losses. “These defendants defrauded numerous individuals, companies, and federal programs, resulting in millions of dollars in financial losses to vital federal programs meant to provide assistance to those in need,” said U.S. Attorney Ryan Buchanan, at the time. “Millions of American citizens rely on Medicaid, Medicare, and other health care systems for their health care needs. These subjects utilized complex financial schemes, such as BECs and money laundering, to defraud and undermine health care systems across the United States,” said Luis Quesada, who at the time was Assistant Director of the FBI’s Criminal Investigative Division.

“Elder fraud and romance fraud schemes utilized by the subjects often target our most vulnerable citizens and the FBI is committed to pursuing justice for those who were victimized by these schemes.”

Together, the fraud schemes of these 10 scammers deceived five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers, who made payments to them and their co-conspirators instead of depositing the reimbursement payments into bank accounts belonging to the hospitals.

Elder Fraud Growing: FBI Data

Elder fraud complaints increased by 14% in 2023, according to a recently released report by the FBI’s Internet Crime Complaint Center (IC3). The associated losses reported by those over the age of 60 topped at $3.4 billion, an almost 11% increase in reported losses from 2022. While tech support scams were the most widely reported kind of elder fraud, personal data breaches, confidence and romance scams, non-payment or non-delivery scams, and investment scams rounded out the top five most common types of elder fraud reported to IC3 last year. [caption id="attachment_69765" align="aligncenter" width="1400"] Source: IC3[/caption] Investment scams were the costliest elder fraud in 2023 and cost victims more than $1.2 billion in losses last year. Tech support scams, business email compromise scams, confidence and romance scams, government impersonation scams, and personal data breaches, all respectively cost victims hundreds of millions of dollars in 2023. [caption id="attachment_69767" align="aligncenter" width="1400"] Source: IC3[/caption] On the state level, Florida ranked second in the country for the number of complaints and reported losses.

“It’s disturbing to hear the stories of financial hardship these schemes create,” said FBI Tampa Field Special Agent Rodney Crawford.

“Combatting the financial exploitation of those over 60 years of age continues to be a priority of the FBI,” said FBI Assistant Director Michael Nordwall, who leads the Bureau’s Criminal Investigative Division. “Along with our partners, we continually work to aid victims and to identify and investigate the individuals and criminal organizations that perpetrate these schemes and target the elderly.” The agency regards elderly fraud as a more insidious threat than the report shows. Many of these crimes likely go unreported, as “only about half” of the fraud scam complaints that get through to IC3 include IC3 data, the report said. Media Disclaimer: This article is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Thousands of GitHub Enterprise Server (GHES) instances in the United States using SAML single sign-on (SSO) authentication are at high risk of compromise from a critical vulnerability that now has a proof-of-concept exploit available on the open internet. GitHub Enterprise Server, a self-hosted platform for software development, acts as a self-contained virtual appliance. It helps build and ship software using Git version control, powerful APIs, productivity and collaboration tools, and integrations. GHES is recommended for use in enterprises that are subject to regulatory compliance, which helps to avoid issues that arise from software development platforms in the public cloud. GitHub rolled out fixes on Monday to address a maximum severity vulnerability in the GitHub Enterprise Server that could allow an attacker to bypass authentication protections. The critical flaw, tracked as CVE-2024-4985, has the maximum severity rating possible on the CVSS scale since it allowed attackers unauthorized access to the targeted instance without requiring prior authentication. “On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges,” GitHub explained. GitHub said that encrypted assertions are not enabled by default. “Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted,” it further added. Encrypted assertions improve GHES instance's security with SAML SSO by encrypting the messages that an SAML identity provider (IdP) sends. GitHub noted that the critical vulnerability impacts all versions of GHES prior to 3.13.0. It has been fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4. The users upgrading to the latest patch could, however, face some issues. Known issues with this updated version are:

• Custom firewall rules are removed during the upgrade process.
• During the validation phase of a configuration run, a “No such object” error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
• If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell.
• If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using ghe-ssl-ca-certificate-install are not respected, and connections to the server fail.
• The mbind: Operation not permitted error in the /var/log/mysql/mysql.err file can be ignored. MySQL 8 does not gracefully handle when the CAP_SYS_NICE capability isn't required, and outputs an error instead of a warning.
• On an instance hosted in AWS, system time may lose synchronization with Amazon's servers after an administrator reboots the instance.
• On an instance with the HTTP X-Forwarded-For header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
• In some situations, large .adoc files stored in a repository do not render properly in the web UI. The raw contents are still available to view as plaintext.
• On an instance in a cluster configuration, restoration of a backup using ghe-restore will exit prematurely if Redis has not restarted properly.
• On an instance with GitHub Actions enabled, Actions workflows that deploy GitHub Pages sites may fail.

• Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.

Thousands at Risk as PoC Goes Public

ODIN, an Internet search engine by Cyble for attack surface management and threat intelligence, found that nearly 3,000 instances of Github Enterprise Server exposed to the internet are vulnerable to CVE-2024-4985. Of these, the most number of instances (2.09k) that are currently unpatched and at risk of being exploited are from the U.S., who is distantly followed by Ireland which has 331 vulnerable instances. ODIN’s customers can use the query: services.modules.http.title:"Github Enterprise" to track the vulnerable instances. [caption id="attachment_69721" align="aligncenter" width="300"] Country-wise distribution of GitHub Enterprise Servers vulnerable to CVE-2024-4985 (Source: ODIN by Cyble)[/caption] This maximum severity bug needs urgent patching as a proof-of-concept is now available on GitHub itself. The GitHub user has given a step-by-step guidance on the PoC exploit owing to which widespread exploitation could be expected soon, if not already taking place. Media Disclaimer: This article is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

UK data watchdog has warned against ignoring the data protection risks in generative artificial intelligence and recommended ironing out these issues before the public release of such products. The warning comes on the back of the conclusion of an investigation from the U.K.’s Information Commissioner’s Office (ICO) into Snap, Inc.'s launch of the ‘My AI’ chatbot. The investigation focused on the company's approach to assessing data protection risks. The ICO's early actions underscore the importance of protecting privacy rights in the realm of generative AI. In June 2023, the ICO began investigating Snapchat’s ‘My AI’ chatbot following concerns that the company had not fulfilled its legal obligations of proper evaluation into the data protection risks associated with its latest chatbot integration. My AI was an experimental chatbot built into the Snapchat app that has 414 million daily active users, who on a daily average share over 4.75 billion Snaps. The My AI bot uses OpenAI's GPT technology to answer questions, provide recommendations and chat with users. It can respond to typed or spoken information and can search databases to find details and formulate a response. Initially available to Snapchat+ subscribers since February 27, 2023, “My AI” was later released to all Snapchat users on April 19. The ICO issued a Preliminary Enforcement Notice to Snap on October 6, over “potential failure” to assess privacy risks to several million ‘My AI’ users in the UK including children aged 13 to 17. “The provisional findings of our investigation suggest a worrying failure by Snap to adequately identify and assess the privacy risks to children and other users before launching My AI,” said John Edwards, the Information Commissioner, at the time.

“We have been clear that organizations must consider the risks associated with AI, alongside the benefits. Today's preliminary enforcement notice shows we will take action in order to protect UK consumers' privacy rights.”

On the basis of the ICO’s investigation that followed, Snap took substantial measures to perform a more comprehensive risk assessment for ‘My AI’. Snap demonstrated to the ICO that it had implemented suitable mitigations. “The ICO is satisfied that Snap has now undertaken a risk assessment relating to My AI that is compliant with data protection law. The ICO will continue to monitor the rollout of My AI and how emerging risks are addressed,” the data watchdog said. Snapchat has made it clear that, “While My AI was programmed to abide by certain guidelines so the information it provides is not harmful (including avoiding responses that are violent, hateful, sexually explicit, or otherwise dangerous; and avoiding perpetuating harmful biases), it may not always be successful.” The social media platform has integrated safeguards and tools like blocking results for certain keywords like “drugs,” as is the case with the original Snapchat app. “We’re also working on adding additional tools to our Family Center around My AI that would give parents more visibility and control around their teen’s usage of My AI,” the company noted.

‘My AI’ Investigation Sounds Warning Bells

Stephen Almond, ICO Executive Director of Regulatory Risk said, “Our investigation into ‘My AI’ should act as a warning shot for industry. Organizations developing or using generative AI must consider data protection from the outset, including rigorously assessing and mitigating risks to people’s rights and freedoms before bringing products to market.”

“We will continue to monitor organisations’ risk assessments and use the full range of our enforcement powers – including fines – to protect the public from harm.”

Generative AI remains a top priority for the ICO, which has initiated several consultations to clarify how data protection laws apply to the development and use of generative AI models. This effort builds on the ICO’s extensive guidance on data protection and AI. The ICO’s investigation into Snap’s ‘My AI’ chatbot highlights the critical need for thorough data protection risk assessments in the development and deployment of generative AI technologies. Organizations must consider data protection from the outset to safeguard individuals' data privacy and protection rights. The final Commissioner’s decision regarding Snap's ‘My AI’ chatbot will be published in the coming weeks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

CyberArk, a leading identity security provider announced its definitive agreement to acquire Venafi, a leading machine identity management provider from Thoma Bravo. The acquisition will merge Venafi’s advanced machine identity management capabilities with CyberArk’s identity security expertise, creating a comprehensive platform for enterprise-scale machine identity security. CyberArk CEO Matt Cohen said in a Monday investors call, "Our combined solutions and expertise will uniquely address the growing identity security needs of global enterprises to secure the explosive growth of machine identities. These identities are increasingly leveraged in sophisticated cyberattacks." The rise in digital transformation and cloud migration has led to a surge in machine identities, including workloads, applications, IoT devices and containers. Machine identities now outnumber human identities significantly, with over 40 machine identities for each human identity. These identities, if unprotected, are prime targets for cybercriminals. Effective management and security of machine identities are crucial, especially with shorter certificate lifecycles and the need for quantum-ready solutions. Forrester says there is a growing urgency in managing machine identities due to their exponential increase. Historically, enterprises have focused less on machine identities compared to human identities because of the former's unique requirements and lifecycle challenges. However, the growth in machine identities for devices and cloud workloads demands improved management to mitigate associated risks, it said. "Cloud computing has expanded the attack surface, increasing the connectivity between humans and machines in a perimeter-less world," Cohen said. "Every workload, API application, consumer and IoT device is now connected, and each connection point creates a potential vulnerability."

The Acquisition, a Mix of Strategic Synergies

Technological Integration: The integration of Venafi’s certificate lifecycle management, private Public Key Infrastructure (PKI), IoT identity management and cryptographic code signing with CyberArk’s secrets management will enhance security against the misuse and compromise of machine identities. This unified solution will support rapid risk mitigation across various deployment models, including SaaS and hybrid environments. Market Expansion: Venafi’s strengths in PKI and certificate management will expand CyberArk’s total addressable market by nearly $10 billion, reaching approximately $60 billion. Chip Virnig, a partner at Thoma Bravo said, "We believe CyberArk is a great partner for Venafi and that the scaled end-to-end machine identity security platform created by this strategic combination will deliver significant value to shareholders."

Acquisition Details

Transaction Value: CyberArk will acquire Venafi for an enterprise value of approximately $1.54 billion, consisting of about $1 billion in cash and $540 million in CyberArk shares. Board Approvals: The Boards of both CyberArk and Venafi have approved the transaction. Closing Timeline: The acquisition is expected to close in the second half of 2024, pending regulatory approvals and customary conditions.

Financial Impact

Revenue Contribution: Venafi is expected to add approximately $150 million in annual recurring revenue (ARR). Business Model: Venafi boasts a strong business model with 95% recurring revenue, including SaaS and term-based licenses. Synergies and Expansion: The transaction is anticipated to be immediately accretive to margins and drive significant revenue synergies through cross-selling, up-selling, and geographic expansion. CyberArk is considered one of the global leaders in identity security, offering solutions for both human and machine identities across various environments, including business applications, hybrid clouds, and DevOps lifecycles. The company acquired multi-cloud security and compliance provider C3M in July 2022 for $28.3 million to enhance its cloud privilege security offerings. CyberArk also acquired Aapi.io in March 2022 to bolster Identity Lifecycle Management capabilities and broaden Identity Automation and Orchestration capabilities across its Identity Security Platform. Venafi on the other hand is a pioneer in machine identity management, protecting machine-to-machine connections through cryptographic key and digital certificate orchestration. Venafi’s solutions offer global visibility and automated remediation to safeguard machine identities across diverse environments, ensuring secure information flow and preventing untrusted machine communication. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. law enforcement has arrested an alleged operator of "Incognito Market," a major online dark web narcotics marketplace that facilitated more than $100 million in illegal narcotics sales globally. Rui-Siang Lin, a 23-year-old from Taiwan, was arrested at John F. Kennedy Airport on May 18 for allegedly operating the Incognito Market using the pseudonym "Pharoah." Lin oversaw all aspects of the site, including managing employees, vendors and customers, revealed an unsealed indictment filed with the federal court at the U.S. Southern District of New York. Since its inception in October 2020 until its closure in March, Incognito Market sold vast quantities of illegal narcotics, including hundreds of kilograms of cocaine and methamphetamines, globally via the dark web site that could be reached through Tor web browser. The underground marketplace facilitated an overall sale of more than $100 million of narcotics in its 41 months of operation. The popularity of this marketplace can be gauged from the fact that by June 2023 it was generating sales of $5 million per month. [caption id="attachment_69369" align="aligncenter" width="2560"] Credit: Justice Department[/caption]

Features and Transactions of Incognito Market

Incognito Market mimicked legitimate e-commerce sites with features like branding, advertising and customer service. Users could search listings for various narcotics after logging in with unique credentials. [caption id="attachment_69367" align="aligncenter" width="624"] Credit: Justice Department[/caption] The site offered illegal narcotics and misbranded prescription drugs, including heroin, cocaine, LSD, MDMA, oxycodone, methamphetamines, ketamine, and alprazolam. [caption id="attachment_69368" align="aligncenter" width="624"] Credit: Justice Department[/caption] “For example, in November 2023, an undercover law enforcement agent received several tablets that purported to be oxycodone, which were purchased on Incognito Market. Testing on those tablets revealed that they were not authentic oxycodone at all and were, in fact, fentanyl pills,” the Justice Department said. Vendors paid a non-refundable admission fee of $750 and a 5% commission on each sale to Incognito Market, according to the indictment. This fee funded market operations, including salaries and server costs. Incognito Market also operated its own “bank,” to facilitate the illicit transactions. This bank allowed users to deposit cryptocurrency, which facilitated anonymous transactions between buyers and sellers while deducting the site’s commission, again of 5%. [caption id="attachment_69376" align="aligncenter" width="398"] Credit: Justice Department[/caption] This banking service obscured the locations and identities of vendors and customers from each other and from law enforcement. It kept the financial information of vendors and buyers separate, making it more difficult for any one actor on the marketplace to learn any other actor’s true identity, a complaint filed against Lin said. The bank also offered an “escrow” service enabling both buyers and customers to have additional security concerning their narcotics transactions. The escrow service was set in such a way that a buyer’s money would be released to a seller only after specified actions, for example, the shipment of narcotics is made. “With the escrow service, sellers know they will be paid for their illegal narcotics and buyers know their payments will be released to sellers after specified events occur,” the complaint said.

The Exit Scam

As Lin suddenly shuttered the Incognito Market in March 2024, he tried pulling an exit scam stealing the users’ funds stored in its escrow system and also tried to ransom the market’s drug vendors. Lin demanded ransom in the range of $100 to $2,000 from them in exchange of not turning their data over to the law enforcement.

Lin’s Technical Prowess

Lin seems like a knowledgeable person in the field of security and cryptocurrency, as per social media accounts listed in the complaint against him. Lin’s GitHub account describes him as a “Backend and Blockchain Engineer, Monero Enthusiast.” This GitHub account has approximately 35 publicly available software coding projects. “Collectively, these coding projects indicate that LIN has significant technical computing knowledge, including knowledge necessary to administer a site like (“Incognito Marketplace”),” the complaint said. The coding projects include operation of cryptocurrency servers and web applications like PoW Shield, a tool to mitigate DDoS attacks; Monero Merchant, a software tool that allows online merchants to accept XMR for payment; and Koa-typescript-framework, a webframe software program used as a foundation for web applications. Lin also did a YouTube interview explaining how his anti-DDoS tool “PoW Shield” worked for Pentester Academy TV in October 2021, displaying his technical prowess. The final evidence that law enforcement found linking Lin to the administrator “Pharoah” of Incognito Market was a “simple” hand-drawn workflow diagram of a darknet marketplace that was mailed from Lin’s personal email address. [caption id="attachment_69380" align="aligncenter" width="1690"] Workflow of Darknet Marketplace sent from Lin's personal email account. Credit: Justice Department[/caption] “This diagram appears to be a plan for a darknet market. Notably, the diagram indicated “vendor,” “listing,” “pgp key,” and “admin review,” all of which are features of (Incognito Market),” the complaint said.

Charges and Potential Sentences

Lin faces the following potential sentencing, if convicted:

• Continuing Criminal Enterprise: Mandatory minimum penalty of life in prison.
• Narcotics Conspiracy: Maximum penalty of life in prison.
• Money Laundering: Maximum penalty of 20 years in prison.
• Conspiracy to Sell Adulterated and Misbranded Medication: Maximum penalty of five years in prison.

A federal district court judge will determine Lin's sentence after reviewing the U.S. Sentencing Guidelines and other statutory factors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) is using destructive data wiping attacks combined with influence operations to target Israel and Albania. Tracked as Void Manticore, aka Storm-842, the threat actor operates under multiple online personas in which the primary alias includes “Homeland Justice” for attacks in Albania and "Karma" for those in Israel. Since October 2023, Check Point Research monitored Void Manticore's activities targeting Israeli organizations with destructive attacks using wipers and ransomware. The group employs five different methods for disruptive operations, including custom wipers for both Windows and Linux operating systems, as well as manual deletion of files and shared drives. Void Manticore’s activities in Israel are marked by the use of a custom wiper named “BiBi,” after Israeli Prime Minister Benjamin Netanyahu. The group also uses a persona named "Karma" to leak stolen information, portraying themselves as an anti-Zionist Jewish group. This persona gained prominence during the Israel-Hamas conflict in late 2023. Void Manticore threat actor employs relatively simple and direct techniques, often using basic publicly available tools. Their operations typically involve lateral movements using Remote Desktop Protocol (RDP) and the manual deployment of wipers. One of their prominent tools is “Karma Shell,” a homebrewed web shell disguised as an error page. This malicious shell is capable of directory listing, process creation, file uploads, and service management.

The Destructive Wiper Capabilities of Void Manticore

Void Manticore utilizes various custom wipers in their attacks:

1. Cl Wiper: First used in attacks against Albania, this wiper uses the ElRawDisk driver to interact with files and partitions, effectively erasing data by overwriting physical drives with predefined buffers.
2. Partition Wipers: These wipers remove partition information, leading to the loss of all data on the disk by corrupting the partition table, resulting in a system crash during reboot.
3. BiBi Wiper: Deployed in recent attacks against Israel, this wiper exists in both Linux and Windows variants. It corrupts files and renames them with specific extensions, causing significant data loss.

Apart from automated wipers, Void Manticore engages in manual data destruction using tools like Windows Explorer, SysInternals SDelete and the Windows Format utility, furthering their impact on targeted systems.

Psychological Warfare and Collaboration with Scarred Manticore

Void Manticore’s strategy also includes psychological operations, aiming to demoralize and disrupt their targets by publicly leaking sensitive information. This dual approach amplifies the impact of their cyberattacks, making them a formidable threat. Notably, there is a significant overlap and cooperation between Void Manticore and another Iranian threat group, Scarred Manticore (aka Storm-861). Analysis shows a systematic handoff of victims between these two groups. For instance, Scarred Manticore might establish initial access and exfiltrate data after which Void Manticore executes the destructive data wiping attack. This collaboration enables Void Manticore threat actor to leverage Scarred Manticore’s advanced capabilities and gain access to high-value targets. “In the case of one victim, we discovered that after residing on the targeted network for over a year, Scarred Manticore was interacting with the infected machine at the exact moment a new web shell was dropped to disk. Following the shell’s deployment, a different set of IPs began accessing the network, suggesting the involvement of another actor – Void Manticore,” the researchers said. “The newly deployed web shell and subsequent tools were significantly less sophisticated than those in Scarred Manticore’s arsenal. However, they led to the deployment of the BiBi wiper, which is linked to Karma’s activity.” Void Manticore represents a significant cyber threat, particularly in the context of geopolitical tensions involving Iran. Iranian President Ebrahim Raisi died in a helicopter crash in a remote area of the country. Rescuers identified Raisi's body early Monday after searching in the mountainous northwest near the Azerbaijan border. Since his election in 2021, Raisi had tightened morality laws, cracked down on antigovernment protests and resisted international oversight of Tehran’s nuclear program. Israel’s war in Gaza has escalated conflicts with Iran-backed groups like Hezbollah in Lebanon and the Houthis in Yemen. Last month, Iran and Israel exchanged direct strikes. It is still unclear whether Raisi’s death is also linked to Israeli operations. Meanwhile, the recent escalations meant that Void Manticore’s coordinated operations with Scarred Manticore, combines their dual approach of technical destruction and psychological manipulation and positions them as a highly dangerous actor. Their activities not only target infrastructure but also aim to influence public perception and political stability, underlining the multifaceted nature of modern cyber warfare. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The SEC is tightening its focus on financial data breach response mechanisms of very specific set of financial institutions, with an update to a 24-year-old rule. The amendments announced on Thursday mandate that broker-dealers, funding portals, investment companies, registered investment advisers and transfer agents develop comprehensive plans for detecting and addressing data breaches involving customers’ financial information. Under the new rules, covered institutions are required to formulate, implement, and uphold written policies and procedures specifically tailored to identifying and mitigating breaches affecting customer data. Additionally, firms must establish protocols for promptly notifying affected customers in the event of a breach, ensuring transparency and facilitating swift remedial actions. “Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.” According to the amendments, organizations subject to the regulations must notify affected individuals expeditiously with a deadline of no later than 30 days following the discovery of a data breach. The notification must include comprehensive details regarding the incident, the compromised data and actionable steps for affected parties to safeguard their information. While the amendments are set to take effect two months after publication in the Federal Register, larger entities will have an 18-month grace period to achieve compliance, whereas smaller organizations will be granted a two-year window. However, the SEC has not provided explicit criteria for distinguishing between large and small entities, leaving room for further clarification.

The Debate on SEC's Tight Guidelines

The introduction of these amendments coincides with the implementation of new incident reporting regulations for public companies, compelling timely disclosure of “material“ cybersecurity incidents to the SEC. Public companies in the U.S. now have four days to disclose cybersecurity breaches that could impact their financial standing. SEC’s interest in the matter stems from a major concern: breach information leads to a stock market activity called informed trading, currently a grey area in the eyes of law. Several prominent companies including Hewlett Packard and Frontier, have already submitted requisite filings under these regulations, highlighting the increasing scrutiny on cybersecurity disclosures. Despite pushback from some quarters, including efforts by Rep. Andrew Garbarino to The SEC’s incident reporting rule has however received pushback from close quarters including Congressman Andrew Garbarino, Chairman of the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee and a Member of the House Financial Services Committee. Garbarino in November introduced a joint resolution with Senator Thom Tillis to disapprove SEC’s new rules. “This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent. CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities. Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland,” Garbarino said, at the time. Senator Tillis added to it saying the SEC was doing its “best to hurt market participants by overregulating firms into oblivion.” Businesses and industry leaders across the spectrum have expressed intense opposition to the new rules but the White House has signaled its commitment to upholding the regulatory framework. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The MediSecure data breach is an “isolated” attack with no impact on the current e-Priscription services, the Australian National Cyber Security Coordinator said on Friday. There is also no evidence of an increased cyber threat to the medical sector, she added. After the electronic prescriptions provider MediSecure on Thursday reported being victim of a “large-scale ransomware data breach” that likely originated from a third-party vendor, Australia’s cyber chief, Lieutenant General Michelle McGuinness, said in an update the government was still “working to build a picture of the size and nature of the data that has been impacted by this data breach.”

“This (breach) discovery work often takes time and I understand Australians are anxious about the possibility of their personal information being affected,” the cyber chief said.

McGuinness said she convened the National Coordination Mechanism (NCM) with the National Emergency Management Agency on Thursday, which brings all relevant Government stakeholders together and ensures they are in-sync with the same information and understanding of the issue. “The NCM allows us to achieve strong situational awareness and ensures that together, we’re best positioned to identify options available to the Australian Government to respond to the incident,” she added. The cyber chief assured that the authorities were working at top pace to complete their investigation and would soon share information about what has been impacted. “We will share this with you – along with what affected people may need to do to protect themselves,” McGuinness said.

Timeline of the MediSecure Data Breach – So Far

The Australian National Cyber Security Coordinator first disclosed details of the MediSecure “large-scale ransomware data breach incident” on Thursday morning stating it impacted the personal and health information of individuals. McGuinness said in a statement that her office was managing the fallout from the major hacking incident through a “whole-of-government response.” “We are in the very preliminary stages of our response and there is limited detail to share at this stage, but I will continue to provide updates as we progress while working closely with the affected commercial organization to address the impacts caused by the incident,” said McGuinness, at the time. She did not initially name the victim company but said it was a “commercial health information organization.” Local media, however, later confirmed that the unnamed entity was MediSecure, which was at the center of the large-scale ransomware data breach announced by the National Cyber Security Coordinator. The e-prescription provider MediSecure’s websites were down since Wednesday but the company on Thursday evening issued a statement acknowledging the cybersecurity incident which said that "early indicators suggest the incident originated from one of our third-party vendors." The company did not disclose the specifics like the number of people impacted, the type of information compromised and the threat actor behind the ransomware breach, but said the cybersecurity incident impacts “the personal and health information of individuals.” McGuinness said the Australian Cyber Security Centre was aware of the incident and the Australian Federal Police was investigating it. In a Friday update the cyber chief said that based on the preliminary investigation, what the Government could confirm was that “no current ePrescriptions have been impacted or accessed.” “The Department of Health has confirmed there has been no impact to the ePrescription services currently in use,” McGuinness said.

“On the basis of technical advice from MediSecure to date, the original compromise has been isolated and there is no evidence to suggest an increased cyber threat to the medical sector,” McGuinness said.

The investigators have not seen any evidence of identity documents been compromised in the breach. They are currently working with the company and other agencies “to build a full picture of the impacted dataset,” McGuinness said. “We have not seen evidence so far to suggest that anyone needs to replace their Medicare card. If our investigation turns up any evidence to suggest Australians’ identities are at risk and they need to replace their documents, we will let them know.” The Australian Medical Association was briefed Friday morning from the cyber chief’s office about the MediSecure data breach after it demanded a thorough and transparent investigation with clear and consistent communication to the public and the medical fraternity. “This is critical to maintaining community trust in the electronic systems that are now integral to the functioning of our health system,” the AMA had earlier said. The AMA welcomed the formation of a National Stakeholder Group to support the government's response. “While we expect to see further updates from the government, the most important message today is that patients should not hesitate to get their prescriptions filled as these are not affected by the breach,” the AMA said.

MediSecure is Only One-of-Two

MediSecure is a prescription exchange service (PES), a kind of secure messaging system that specializes in transferring prescriptions between healthcare providers or doctors (prescribers) and the pharmacy (dispenser). It is only one of the two ePrescriptions providers in Australia that became prominent for issuing millions of electronic prescriptions when the Covid-19 pandemic began in 2020. As of January 2024, more than 80,000 prescribers in Australia including general practitioners and nurses have issued over 189 million e-prescriptions. The tender closed on 2 June 2022 and in May 2023, the department signed a 4-year contract for Fred IT's. The Department of Health last year shifted to a single provider – eRx supplied by Fred IT Group – in a four-year agreement that costed more than $100. As part of that agreement, eRx Script Exchange became the sole supplier of the national Prescription Delivery Service from July 1, 2023, which meant public healthcare providers and pharmacies were required to shift entirely from MediSecure to eRx ePrescriptions. MediSecure still provides prescription services to private providers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. federal prosecutors on Thursday revealed charges against a North Korean job fraud nexus that ran its fraudulent scheme to generate illicit revenue for Kim Jong Un’s regime and support its sanctioned nuclear program. The U.S. Department of Justice indicted an Arizona woman, a Ukrainian man and three North Korean nationals for their alleged participation in job fraud schemes that placed overseas information technology workers – posing as U.S. citizens and residents - in remote positions at U.S. companies. This job fraud nexus scammed more than 300 U.S. companies and accumulated at least $6.8 million, said the unsealed indictment of Christina Marie Chapman, 49, from Litchfield Park, Arizona. The U.S. State Department said that between October 2020 and October 2023, Chapman, a U.S. citizen, helped North Korean IT workers under the aliases Jiho Han, Chunji Jin and Haoran Xu, to fraudulently obtain work as remote software and applications developers with companies in a range of sectors and industries including a major television network, a Silicon Valley technology company, an aerospace and defense company, an American car manufacturer, a luxury retail store and a U.S.-hallmark media and entertainment company.

“They also attempted - but failed - to gain similar employment at two U.S. government agencies,” the State Department said.

In pursuit of running the job fraud scheme, Chapman and her co-conspirators took help of identity fraud. “They compromised more than 60 identities of (legitimate) U.S. persons, impacted more than 300 U.S. companies, caused false information to be conveyed to the Department of Homeland Security on more than 100 occasions, created false tax liabilities for more than 35 U.S. persons, and resulted in at least $6.8 million of revenue to be generated for the overseas IT workers,” the Justice Department said.

Chapman’s Role in Job Fraud

Chapman hosted a “laptop farm,” for the North Korean IT workers at her residence, so that the computers appeared to be located within the United States on a daily basis.

“She also helped launder the proceeds from the scheme by receiving, processing, and distributing paychecks from the U.S. firms to these IT workers and others,” the State Department said.

Chapman was arrested on Wednesday in her hometown in Arizona and faces a litany of counts including conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder monetary instruments, operating as an unlicensed money transmitting business, and unlawful employment of aliens.

Didenko, the Facilitator

The Justice department also named a Ukrainian national Oleksandr Didenko, 27, in the unsealed charges. Didenko allegedly run a multi-year scheme to create accounts at U.S.-based freelance IT job search platforms under false identities and sold these accounts to overseas IT workers. Remote workers used these false identities to apply for jobs with unsuspecting companies. To facilitate this fraudulent activity, Didenko hosted a website “UpWorkSell”, which advertised the ability for remote IT workers to buy or rent accounts on various platforms using identities other than their own. The complaint alleged that Didenko offered a full array of services to allow an individual to pose under a false identity and market themselves for remote IT work, and that he knew that some of his customers were North Korean. Didenko managed approximately 871 proxy identities, provided proxy accounts for three freelance IT hiring platforms and for three different money service transmitters, the complaint against Didenko said. Together with the co-conspirators, Didenko facilitated the operation of at least three U.S.-based “laptop farms,” hosting approximately 79 computers. The Justice Department said it raided four U.S. residences under Didenko’s control where he ran laptop farms. He also laundered $920,000 worth payments since July 2018 in the job fraud scheme. Didenko was arrested in Poland on May 7, and the State Department is seeking his extradition.

The North Korean Trio

The three North Korean workers "are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs," the State Department said. The department said the workers tried to get hired at two unnamed U.S. government agencies but failed three separate times. Details about the three North Korean IT workers are scarce but the State Department released an image of Jiho Han on its Rewards for Justice platform where it also announced a bounty of up to $5 million for information on any of these North Korean IT workers that leads to the disruption of financial mechanisms of the people engaged. [caption id="attachment_68911" align="aligncenter" width="1024"] Credit: U.S. Department of State[/caption]   The FBI also released an alert about North Korean IT workers and their scheme to defraud U.S. businesses and fund Pyongyang’s illicit activities.

Targeting of Illicit IT Worker Activities

The latest announcement comes almost a year after the U.S. Treasury announced sanctions on four entities that employed thousands of North Korean IT workers that help illicitly finance the regime's missile and weapons of mass destruction programs. The treasury, at the time, said North Korea had scores of “highly skilled” IT workers around the globe who “generate revenue that contributes to its unlawful WMD and ballistic missile programs.” These individuals, who can earn up to $300,000 annually, “deliberately” obscure their identities, locations and nationalities, using proxy accounts, stolen identities and falsified or forged documentation to apply for jobs, the Treasury said. The 15-member United Nations Security Council has long prohibited North Korea from engaging in nuclear tests and ballistic missile launches. Since 2006, the country has been under stringent UN sanctions, continuously bolstered by the Council to sever financial support for its weapons of mass destruction (WMD) development endeavors. Yet, Pyongyang has amassed a staggering $3 billion funding for its nuclear program from cyberattacks particularly on cryptocurrency related companies. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Gone in 60 seconds is a thing of the past. With the world moving towards digital assets and cryptocurrency, “Gone in 12 seconds” seems to be the new norm for digital heists. The U.S. Department of Justice arrested two siblings for attacking the Ethereum blockchain and siphoning $25 million of cryptocurrency during a 12 second exploit. Hailing from Boston and New York respectively, Anton Peraire-Bueno, 24, and James Peraire-Bueno, 28, stand accused of a litany of charges including conspiracy to commit wire fraud, wire fraud and conspiracy to commit money laundering. According to an unsealed indictment on Wednesday the brothers mixed their “specialized skills” from their education at MIT with their expertise in cryptocurrency trading to exploit “the very integrity of the (Ethereum) blockchain,” said U.S. Attorney Damian Williams. The brothers meticulously planned the exploit scheme for months “and once they put their plan into action, their heist only took 12 seconds to complete,” he added.

“This alleged scheme was novel and has never before been charged.”

Through the Exploit, which is believed to be the very first of its kind, Peraire-Bueno brothers manipulated and tampered with the process and protocols by which transactions are validated and added to the Ethereum blockchain.

The MEV Conundrum from Ethereum Blockchain Exploit

According to the indictment, the Pepaire-Bueno brothers initiated their scheme in December 2022, targeting specific traders on the Ethereum platform through what investigators term a "baiting" operation. At the heart of the indictment lies the concept of MEV-Boost, a software tool utilized by Ethereum validators to optimize transaction processing and maximize profitability. MEV, or maximal extractable value, has long been a subject of controversy within the cryptocurrency community, with proponents arguing its economic necessity and critics highlighting its potential for abuse. They exploited a critical flaw in MEV-Boost's code, granting them unprecedented access to pending transactions before their official validation by Ethereum validators. Leveraging this loophole, the siblings embarked on a sophisticated campaign targeting specific traders utilizing MEV bots. The indictment elucidates the modus operandi employed by the accused duo. The brothers created 16 Ethereum validators and targeted three specific traders who operated MEV bots, the indictment said. By establishing their own Ethereum validators and deploying bait transactions, they enticed MEV bots from these traders for their illicit scheme. Subsequently, through a series of meticulously orchestrated maneuvers, including frontrunning and transaction tampering, they siphoned off $25 million of cryptocurrency from unsuspecting victims – all in just 12 seconds. Following the successful execution of their nefarious scheme, the brothers allegedly laundered the ill-gotten gains through a network of shell companies. Converting the stolen funds into more liquid cryptocurrencies such as DAI and USDC, they attempted to rebuff attempts of victims and Ethereum representatives to recover the stolen cryptocurrency. Following their arrest on Tuesday, the brothers are set to appear in federal courts in New York and Boston to face charges. If convicted the brothers face a maximum sentence of up to 20 years in prison for each count. Deputy Attorney General Lisa Monaco lauded the Justice Department’s prosecutors and IRS agents, “who unraveled this first-of-its kind wire fraud and money laundering scheme.”

“As cryptocurrency markets continue to evolve, the Department will continue to root out fraud, support victims, and restore confidence to these markets.”

Cryptocurrency Heists and Convictions Growing Every Day

The news of the arrest comes on the heels of another crypto heist from Sonne Finance, the cryptocurrency lending protocol. The team at Sonne Finance is offering an undisclosed bounty to a hacker responsible for a $20 million theft on Tuesday evening. Sonne Finance facilitates lending and borrowing without intermediaries like banks. The theft, tracked by blockchain security companies, involved digital coins like ether and USDC. Developers paused all markets and later detailed the attack in a postmortem, offering a bounty for the return of funds. They detected the attack within 25 minutes, with some users preventing $6.5 million theft. The hacker has since been exchanging stolen cryptocurrency for bitcoin and others. Law enforcement focus on crypto theft has intensified in 2024, with notable convictions including a $110 million theft from Mango Markets resulting in up to 30 years in prison and sentences for individuals involved in crypto scams and market manipulation. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researchers recently uncovered two new backdoors implanted within the infrastructure of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions. Slovakian cybersecurity firm ESET who found these two new backdoors dubbed “LunarWeb” and “LunarMail,” attributed them to the Turla cyberespionage group believed to be aligned with Russian interests. Turla has operated since at least 2004, possibly starting in the late 1990s. Linked to the Russian FSB, Turla primarily targets high-profile entities like governments and diplomatic organizations in Europe, Central Asia and the Middle East. Notably, they have breached significant organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014. Researchers believe the Lunar toolset that has been used since at least 2020 is an addition to the arsenal of Russia-aligned cyberespionage group Turla based on the similarities between the tools’ tactics, techniques, and procedures (TTPs) and past activities.

LunarWeb Backd: Used to Navigate the Digital Terrain

LunarWeb backdoor stealthily infiltrates servers, establishing its foothold within the targeted infrastructure. Operating covertly, it communicates via HTTP(S) while mirroring legitimate traffic patterns to obfuscate its presence. Concealment is key in LunarWeb's playbook. For this the backdoor used steganography technique. This backdoor covertly embeds commands within innocuous images, effectively evading detection mechanisms. LunarWeb's loader, aptly named LunarLoader, showcases remarkable versatility, the researchers noted. Whether masquerading as trojanized open-source software or operating in standalone form, this entry point demonstrates the adaptability of the adversary's tactics.

LunarMail: Used to Infiltrate Individual Workstations

LunarMail takes a different approach as compared to LunarWeb. It embeds itself within Outlook workstations. Leveraging the familiar environment of email communications, this backdoor carries out its spying activities remaining hidden amidst the daily deluge of digital correspondence that its victims receive on their workstations. [caption id="attachment_68881" align="aligncenter" width="1024"] LunarMail Operation (credit: ESET)[/caption] On first run, the LunarMail backdoor collects information on the environment variables, and email addresses of all outgoing email messages. It then communicates with the command and control server through the  Outlook Messaging API to receive further instructions. LunarMail is capable of writing files, setting email addresses for C&C communication, create arbitrary processes and execute them, take screenshots and more. Similar to its counterpart, LunarMail harnesses the power of steganography albeit within the confines of email attachments. By concealing commands within image files, it perpetuates its covert communication channels undetected. LunarMail's integration with Outlook extends beyond mere infiltration. It manipulates email attachments, seamlessly embedding encrypted payloads within image files or PDF documents which facilitates unsuspicious data exfiltration.

Initial Access and Discovery

The initial access vectors of the Turla hackers, though not definitively confirmed, point towards the exploitation of vulnerabilities or spearphishing campaigns. The abuse of Zabbix network monitoring software is also a potential avenue of compromise, the researchers said. The compromised entities were primarily affiliated with a European MFA, which meant the intrusion was of a strategic nature. The investigation first began with the detection of a loader decrypting and running a payload from an external file, on an unidentified server. This was a previously unknown backdoor, which the researchers named LunarWeb. A similar attack chain with LunarWeb was then found deployed at a diplomatic institution of a European MFA but with a second backdoor – named LunarMail. In another attack, researchers spotted simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other. “The attacker probably had prior access to the domain controller of the MFA and utilized it for lateral movement to machines of related institutions in the same network,” the researchers noted. The threat actors displayed varying degrees of sophistication in the compromises. The coding errors and different coding styles used to develop the backdoors suggested that “multiple individuals were likely involved in the development and operation of these tools.”

Russian State Hackers Biggest Cyber Threat

Recently, Google-owned Mandiant in a detailed report stated with “high confidence” that Russian state-sponsored cyber threat activity poses the greatest risk to elections in regions with Russian interest including the European Union, the United Kingdom and the United States. Russia’s approach to election interference is multifaceted, blending cyber intrusion activities with information operations aimed at influencing public perceptions and sowing discord. Russian state-aligned cyber threat actors target election-related infrastructure for various reasons including applying pressure on foreign governments, amplifying issues aligned with Russia’s national interests, and retaliating against perceived adversaries. Groups like APT28 and UNC4057 conduct cyber espionage and information operations to achieve these objectives, Mandiant said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In response to heightened cyber threats targeting political candidates, election officials and civil society groups, the National Cyber Security Centre (NCSC) in the UK, a part of GCHQ, has introduced a new initiative called the Personal Internet Protection (PIP) service. The service that was unveiled at CYBERUK 2024 in Birmingham, aims to provide an additional layer of security to individuals at “high-risk” of cyberattacks like spear-phishing, malware and other threats, ahead of the upcoming election year. The Personal Internet Protection service works by alerting users when attempting to access malicious domains known to the NCSC and by blocking outgoing traffic to these domains. The PIP offered to high-risk individuals is built on the NCSC’s Protective DNS service that was developed primarily for use by organizations. Since its inception in 2017, PDNS has provided protection at scale for millions of public sector users, handling more than 2.5 trillion site requests and preventing access to 1.5 million malicious domains, the NCSC said.

Cyber Threats Targeting Political Candidates

The Personal Internet Protection service is part of a broader effort by the UK government to enhance cyber support for individuals and organizations crucial to the democratic process, especially considering recent attempts by Russian and Chinese state-affiliated actors to disrupt UK's government and political institutions as well as individuals. While the Russian intelligence services had attempted to use cyberattacks to target prominent persons and organizations in the UK for meddling in the electoral processes, China is likely seen targeting various government agencies including the Ministry of Defence (MoD), whose payroll system was recently breached. Although both, Moscow and Beijing have rejected the use of hacking for political purposes, the relations between them remain strained over these allegations. Jonathon Ellison, NCSC Director for National Resilience and Future Technology, noted the importance of protecting individuals involved in democracy from cyber threats, highlighting the attractiveness of their personal accounts to espionage operations.

“Individuals who play important roles in our democracy are an attractive target for cyber actors seeking to disrupt or otherwise undermine our open and free society. That’s why the NCSC has ramped up our support for people at higher risk of being targeted online to ensure they can better protect their accounts and devices from attacks,” Ellison said.

Ahead of the major election year where more than 50 countries around the world cast their vote, Ellison urged individuals eligible for the Personal Internet Protection services to sign up and to follow their guidance to bolster defenses against various cyber threats. The initiative also extends support to civil society groups facing a heightened risk of cyber threats. A new guide, "Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society," which offers practical advice for individuals such as elected officials, journalists, activists, academics, lawyers and dissidents was released on Tuesday. This guide, developed by the U.S. Cybersecurity and Infrastructure Security Agency in collaboration with international partners, aims to empower high-risk civil society communities with limited resources to combat cyber threats effectively. These include customized risk assessment tools, helplines for digital emergencies and free or discounted cybersecurity services tailored to the needs of civil society organizations. The launch of the Personal Internet Protection service and the release of the guidance for civil society mark significant steps in bolstering the cybersecurity posture of individuals and organizations critical to the democratic process. By enhancing protection against cyber threats, the UK aims to safeguard the integrity of its democracy and promote collective resilience against global threats to democracy. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The notorious BreachForums seized for the second time in a year. The U.S. law enforcement today seized the clear web domain of the second version of BreachForums - popularly known as a Breached hacking forum in the underground market - that helped sell stolen data and credentials. Hosted at BreachForums[.]st, the domain now shows a seizure banner saying the website was taken down by the FBI and the U.S. Department of Justice with assistance from international partners. Other law enforcement authorities worldwide were also part of this action, including the Australian Federal Police, the U.K. National Crime Agency, New Zealand Police, police department of the canton of Zürich in Switzerland and Icelandic Police, among others. As is common with domain seizure messages, law enforcement displayed the logo for the site. It however took an unconventional approach by also featuring two avatar's - likely of BreachForums' administrators "Baphomet" and "ShinyHunters" - behind bars in the seizure banner.

BreachForums Seized

The message on the banner reads: "We are reviewing this site's backend data. If you have information to report about cybercriminal activity on BreachForums, please contact us." The law enforcement has also shared a link to a form hosted on the Internet Crime Complaint Center. The FBI has put out a questionnaire for victims or individuals that have information to assist in any of the investigations against BreachForums v2, BreachForums v1, or Raidforums. A summary of the takedown of BreachForums on this portal says, "The Federal Bureau of Investigation (FBI) is investigating the criminal hacking forums known as BreachForums and Raidforums. "From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services." Earlier a separate version of BreachForums hosted at breached.vc/.to/.co and run by pompompurin between March 2022 to 2023 was seized by the U.S. law enforcement in June 2023. Raidforums, hosted at raidforums.com and run by an admin under the moniker "Omnipotent" was the predecessor hacking forum to both version of BreachForums and ran from early 2015 until February 2022. *The Telegram channel of "Baphomet," one of the administrators behind the BreachForums, has also been seized, according to a pinned message from the law enforcement on his channel. [caption id="attachment_68571" align="aligncenter" width="446"] Credit: Dark Web Intelligence[/caption]

ShinyHunters Confirms Baphomets Arrest

*Shiny Hunters, one of the administrators of the BreachForums, allegedly confirmed on a Telegram channel called "BF Announcements" the arrest of Baphomet and said that the law enforcement did not get to anyone from the ShinyHunters gang. [caption id="attachment_68843" align="aligncenter" width="300"] Message on BF Announcements Telegram channel[/caption] Later in the same channel the administrator claimed that the domain was recovered back from the law enforcement's control, as was the case during the BreachForums v1 takedown where the cat and mouse game went on for a while between the two. The Cyber Express tried to verify this claim and saw that the domain is now redirecting to a Telegram chat group called "Jacuzzi 2.0" The FBI and Justice Department spokespersons were not immediately available for comment when contacted by The Cyber Express for details on the latest claims. This is a developing story. The article will be updated with the latest information as it becomes available. Update 1*: Added Telegram account seizure details along with screenshot. Update 2* May 16 - 9:40 AM (UTC) : Added details from Shiny Hunters' BF Announcements Telegram channel that allegedly confirmed details of one of the administrators of BreachForums - Baphomets - arrest. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A Dutch court ruling on Tuesday found one of the co-founders of the now-sanctioned Tornado Cash cryptocurrency mixer service guilty of laundering $1.2 billion illicit cybercriminal proceeds. He was handed down a sentence of 5 years and 4 months in prison, as a result. Alexey Pertsev, a 31-year-old Russian national and the developer of Tornado Cash, awaited trial in the Netherlands on money laundering charges after his arrest in Amsterdam in August 2022, just days after the U.S. Treasury Department sanctioned the service for facilitating malicious actors like the Lazarus Group in laundering their illicit proceeds from cybercriminal activities. “The defendant declared that it was never his intention to break the law or to facilitate criminal activities,” according to a machine translated summary of the judgement. Instead Pertsev intended to offer a legitimate solution with Tornado Cash to a growing crypto community that craved privacy. He argued that “it is up to the users not to abuse Tornado Cash.” Pertsev also said that given the technical specifications of the cryptocurrency mixer service, it was impossible for him to prevent the abuse. However, the District Court of East Brabant disagreed, asserting that the responsibility for Tornado Cash's operations lay solely with its founders and lacked adequate mechanisms to prevent abuse. “Tornado Cash functions in the way the defendant and his cofounders developed Tornado Cash. So, the operation is completely their responsibility,” the Court said. “If the defendant had wanted to have the possibility to take action against abuse, then he should have built it in. But he did not.”

“Tornado Cash does not pose any barrier for people with criminal assets who want to launder them. That is why the court regards the defendant guilty of the money laundering activities as charged.”

Tornado Cash functioned as a decentralized cryptocurrency mixer, also known as a tumbler, allowing users to obscure the blockchain transaction trail by mixing illegally and legitimately obtained funds, making it an appealing option for adversaries seeking to cover their illicit money links. Tornado Cash laundered $1.2 billion worth of cryptocurrency stolen through at least 36 hacks including the theft of $625 million from the Axie Infinity hack in March 2022 by North Korea’s Lazarus Group hackers. The Court used certain undisclosed parameters in selecting these hacks due to which only 36 of them were taken into consideration. Without these parameters, more than $2.2 billion worth of illicit proceeds from Ether cryptocurrency were likely laundered. The Court also did not rule out the possibility of Tornado Cash laundering cryptocurrency derived from other crimes. The Court further described Tornado Cash as combining “maximum anonymity and optimal concealment techniques” without incorporating provisions to “make identification, control or investigation possible.” It failed to implement Know Your Customer (KYC) or anti-money laundering (AML) programs as mandated by U.S. federal law and was not registered with the U.S. Financial Crimes Enforcement Network (FinCEN) as a money-transmitting entity. "Tornado Cash is not a legitimate tool that has unintentionally been abused by criminals," it concluded. "The defendant and his co-perpetrators developed the tool in such a manner that it automatically performs the concealment acts that are needed for money laundering." In addition to the prison term, Pertsev was ordered to forfeit cryptocurrency assets valued at €1.9 million (approximately $2.05 million) and a Porsche car previously seized.

Other Tornado Cash Co-Founders Face Trials Too

A year after Pertsev’s arrest, the U.S. Department of Justice unsealed an indictment where the two other co-founders, Roman Storm and Roman Semenov, were charged with conspiracy to commit money laundering, conspiracy to operate an unlicensed money-transmitting business and conspiracy to violate the International Emergency Economic Powers Act. Storm goes to trial in the Southern District of New York later in September, while Semenov remains at large. The case has drawn a debate amongst two sides – privacy advocates and the governments. Privacy advocates argue against the criminalization of anonymity tools like Tornado Cash as it gives users a right to avoid financial surveillance, while governments took a firm stance against unregulated offerings susceptible to exploitation by bad actors for illicit purposes. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Microsoft patched a zero-day vulnerability exploited by attackers to distribute QakBot and other malware payloads on susceptible Windows systems. Identified as CVE-2024-30051, this vulnerability is a privilege escalation flaw resulting from a heap-based buffer overflow in the Desktop Window Manager (DWM) core library. Successful exploitation grants attackers “SYSTEM privileges,” Microsoft said.

“These types of bugs are usually combined with a code execution bug to take over a target and are often used by ransomware (actors),” said Dustin Childs of the Zero Day Initiative.

Introduced in Windows Vista, the Desktop Window Manager (dwm.exe) is a compositing window manager that renders all GUI effects in Windows like transparent windows, live taskbar thumbnails, Flip3D, and even high-resolution monitor support. Applications do not draw directly on the screen. Instead, they write their window images to a specific spot in memory. Windows then combines and creates a “composite” of all these windows into one view before sending it to the monitor. This allows Windows to add effects like transparency and animations while displaying the windows. Kaspersky researchers uncovered this vulnerability while investigating another Windows DWM Core Library privilege escalation bug tracked as CVE-2023-36033, also exploited as a zero-day in attacks. While analyzing data related to recent exploits and associated attacks, Kaspersky researchers discovered an intriguing file uploaded to VirusTotal on April 1. The file's name hinted that it contained details on a Windows vulnerability. The file had information regarding a Windows DWM vulnerability – written in broken English - that could be exploited to escalate privileges to SYSTEM level, with the exploitation process nearly mirroring the one used in CVE-2023-36033 attacks, “but the vulnerability was different,” researchers said. Initially skeptical due to the document's quality and lack of crucial details on exploiting the vulnerability, further investigation confirmed the legitimacy of another zero-day vulnerability capable of privilege escalation. Kaspersky promptly reported it to Microsoft, leading to its designation as CVE-2024-30051 and subsequent patching in this month’s Patch Tuesday.

Zero-Day Exploited by QakBot

Following the reporting to Microsoft, Kaspersky continued monitoring for exploits and attacks leveraging this flaw.

“In mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with QakBot and other malware and believe that multiple threat actors have access to it,” Kaspersky said.

Security researchers at Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google-owned Mandiant also reported the zero-day to Microsoft, pointing to likely widespread exploitation in malware attacks, Childs said.

“Don’t wait to test and deploy this update as exploits are likely to increase now that a patch is available to reverse engineer,” said Childs.

The U.S. Cybersecurity and Infrastructure Security Agency also added CVE-2024-30051 to its Known Exploited Vulnerabilities catalog and directed all federal agencies to complete the patching process by June 4. Kaspersky plans to disclose technical specifics of CVE-2024-30051 once users have had adequate time to update their Windows systems.

QakBot’s Journey from Banking Trojan to Initial Access Broker

QakBot, also known as Qbot, emerged as a banking trojan in 2008 and was used to steal credentials, website cookies, and credit cards to commit financial fraud. QakBot operators evolved over the years into initial access brokers, partnering with other threat groups to provide initial access to enterprise and home networks for ransomware attacks, espionage, and data theft. QakBot’s infrastructure was taken down in August 2023 following a multinational law enforcement operation spearheaded by the FBI and known as “Operation Duck Hunt.” But Microsoft identified the resurgence of QakBot in phishing campaigns targeting the hospitality industry in December. Law enforcement linked QakBot infections to 700,000 victim computers which included ransomware attacks targeting businesses, healthcare providers, and government agencies worldwide, which according to conservative estimates caused hundreds of millions of dollars in damage. Throughout the years, Qakbot served as an initial infection vector for various ransomware gangs and their affiliates, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and most recently Black Basta.

Another Zero-Day Fix

Microsoft patched 59 CVEs in its May 2024 Patch Tuesday release, with one rated “critical,” 57 rated as “important” and one rated as “moderate.” The patch also contains a fix for another zero-day flaw other that the one exploited by QakBot. The other bug, tracked as CVE-2024-30040, is rated "important" on the CVSS scale and is a Windows MSHTML platform security feature bypass vulnerability. MSHTML is a proprietary browser engine for the Microsoft Windows version of Internet Explorer.

“This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls,” Microsoft said.

A hacker who socially-engineers a victim into opening a malicious document would be able to execute arbitrary code by passing OLE mitigations in the Microsoft suite of office applications. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Hackers exploited an unpatched remote access server vulnerability in the Helsinki education division data breach to scour through records of 80,000 students, their guardians, and all of administrative personnel. The City of Helsinki detected the data breach on April 30, promptly initiating an investigation that found the hacker had gained access to student and personnel usernames and email addresses. Hannu Heikkinen, the chief digital officer of the City of Helsinki, in a Monday press conference said, “Further investigation has shown that the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division.”

“Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” Heikkinen said.

“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel,” said City Manager Jukka-Pekka Ujula. “We regret this situation deeply.”

Helsinki Education Division Data Breach Linked to Remote Access Bug

The preliminary investigation found out that the Helsinki Education Division data breach was possible due to a vulnerability in a remote access server.

“The server had a vulnerability which the culprit was able to exploit to connect to the Education Division network.”

The city authorities did not reveal the name of the remote access server but said a hotfix patch was available at the time of exploitation, but why it was not installed on the server is currently unknown.

“Our security update and device maintenance controls and procedures have been insufficient,” said Heikkinen.

The breach targeted an extensive group, with most of the network drive data – comprising of tens of millions of files - containing non-identifying information or ordinary personal data, minimizing potential abuse, according to the city authorities. However, some files include confidential or sensitive personal data such as fees for early childhood education customers, children's status information like information requests by student welfare or information about the need of special support and medical certificates regarding the suspension of studies for upper secondary students, and sick leave records of Education Division personnel. The data breach also includes historical customer and personnel data. Meaning, even if an individual is not currently a customer or a member of staff at the Education Division, the hacker may still have accessed their data.

“Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians,” Ujula said.

Satu Järvenkallas, executive director of the Education Division, said the authorities are currently unable to provide an accurate assessment of what data the hacker may have accessed as “the volume of data under investigation is significant.”

VPN Gateways, Network Edge Devices Need ‘Special Attention’

The City officials immediately notified the Data Protection Ombudsman, the Finnish Police, and Traficom’s National Cyber Security Centre after the discovery of the data breach at the Helsinki’s Education Division. Traficom’s cybersecurity center acknowledged the notification and said it was supporting the City of Helsinki in investigating the case. “The data breach that targeted the City of Helsinki is exceptionally large for its size in the municipal sector. The case affects many Finns and causes great concern,” it said on platform X (formerly known as Twitter). Critical vulnerabilities in network edge devices like this pose a risk to organizations' cybersecurity, said Traficom’s NCSC. Exploiting the vulnerabilities of VPN products intended for establishing secure remote connections, it is also possible for parties outside the organization to gain access to the internal networks, “especially if other measures to limit the attack are not in use,” it added.

“Severe and easy-to-exploit vulnerabilities have been detected in the network edge devices of many major device manufacturers, such as VPN gateways, in the past six months,” said Samuli Bergström, the director of the cybersecurity center. “That is why it is important that special attention is paid to resources and expertise in organizations.”

A very recent example of one such VPN appliance abuse is the zero-day exploitation in Ivanti VPN products, Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. Chinese state-backed hackers used two zero-day vulnerabilities in these products: an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) bug to compromise several organizations including MITRE. “Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city’s senior management,” Ujula said. “After the breach, we have taken measures to ensure that a similar breach is no longer possible,” Heikkinen added.

“We have not discovered evidence that the perpetrator would have accessed the networks or data of other divisions. However, we are monitoring all City of Helsinki networks closely.”

Information for affected individuals is available via the Traficom’s Cybersecurity Centre website, data breach customer service, crisis emergency services and MIELI Mental Health Finland. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A state or state-sponsored actor orchestrated the "sophisticated" cyberattacks against the British Columbia government networks, revealed the head of B.C.’s public service on Friday. Shannon Salter, deputy minister to the premier, disclosed to the press that the threat actor made three separate attempts over the past month to breach government systems and that the government was aware of the breach, at the time, before finally making it public on May 8. Premier David Eby first announced that multiple cybersecurity incidents were observed on government networks on Wednesday, adding that the Canadian Centre for Cyber Security (CCCS) and other agencies were involved in the investigation. Salter in her Friday technical briefing refrained from confirming if the hack was related to last month’s security breach of Microsoft’s systems, which was attributed to Russian state-backed hackers and resulted in the disclosure of email correspondence between U.S. government agencies. However, she reiterated Eby's comments that there's no evidence suggesting sensitive personal information was compromised.

British Columbia Cyberattacks' Timeline

The B.C. government first detected a potential cyberattack on April 10. Government security experts initiated an investigation and confirmed the cyberattack on April 11. The incident was then reported to the Canadian Centre for Cyber Security, a federal agency, which engaged Microsoft’s Diagnostics and Recovery Toolset (DaRT) due to the sophistication of the attack, according to Salter. Premier David Eby was briefed about the cyberattack on April 17. On April 29, government cybersecurity experts discovered evidence of another hacking attempt by the same “threat actor,” Salter said. The same day, provincial employees were instructed to immediately change their passwords to 14 characters long. B.C.’s Office of the Chief Information Officer (OCIO) described it as part of the government's routine security updates. Considering the ongoing nature of the investigation, the OCIO did not confirm if the password reset was actually linked to the British Columbia  government cyberattack but said, "Our office has been in contact with government about these incidents, and that they have committed to keeping us informed as more information and analysis becomes available."

Another cyberattack was identified on May 6, with Salter saying the same threat actor was responsible for all three incidents.

The cyberattacks were not disclosed to the public until Wednesday late evening when people were busy watching an ice hockey game, prompting accusations from B.C. United MLAs that the government was attempting to conceal the attack.

“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?”the Opposition MLA Todd Stone asked. Salter clarified that the cybersecurity centre advised against public disclosure to prevent other hackers from exploiting vulnerabilities in government networks. She revealed three separate cybersecurity incidents, all involving efforts by the hackers to conceal their activities. Following a briefing of the B.C. NDP cabinet on May 8, the cyber centre concurred that the public could be notified. Salter said that over 40 terabytes of data was being analyzed but she did not specify if the hackers targeted specific areas of government records such as health data, auto insurance or social services. The province stores the personal data of millions of British Columbians, including social insurance numbers, addresses and phone numbers. Public Safety Minister and Solicitor General Mike Farnworth told reporters Friday that no ransom demands were received, making the motivation behind the multiple cyberattacks unclear.

Farnworth said that the CCCS believes a state-sponsored actor is behind the attack based on the sophistication of the attempted breaches.

"Being able to do what we are seeing, and covering up their tracks, is the hallmarks of a state actor or a state-sponsored actor." - Farnworth

Government sources told CTV News that various government ministries and agencies, and their respective websites, networks and servers, face approximately 1.5 billion “unauthorized access” or hacking attempts daily. The number has increased over the last few years and the reason why the province budgets millions of dollars per year to cybersecurity. Salter confirmed the government spends more than $25 million a year to fortify its defenses and added that previous investments in B.C.'s cybersecurity infrastructure helped detect the multiple attacks last month. Microsoft last month alerted several U.S. federal agencies that Russia-backed hackers might have pilfered emails sent by the company to those agencies, including sensitive information like usernames and passwords. However, Salter did not confirm if Russian-backed hackers are associated with the B.C. security breach. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

British Columbia in Canada has faced multiple "sophisticated cybersecurity incidents" on government networks, province premier said this week. Premier David Eby emphasized that there is presently no evidence of compromised sensitive information and that investigations are ongoing, with further efforts required to ascertain potential data access, as per his Wednesday statement. While the attack's specific nature remains unclear, labeling it as "sophisticated" and its involvement with government networks suggests fans theories of espionage from a state-sponsored actor seeking political intelligence. “I know the public will have many questions about these incidents, and we will be as transparent as we can without compromising the investigation. As this complex work proceeds, government will provide British Columbians with updates and information as we are able.” Eby said. The provincial government's investigation involves the Canadian Centre for Cyber Security and other agencies, with the Office of the Information and Privacy Commissioner duly informed. Neither of the agencies immediately responded to The Cyber Express’ request for a comment.

Opposition’s Spar in the House

B.C.'s political adversaries engaged in heated debate during the question period on Thursday morning, a day after the province disclosed the multiple cybersecurity incidents within its networks. British Columbia United MLA Todd Stone criticized the government, alleging it "concealed a massive cyberattack on the provincial government for eight days." Stone’s accusations came on the backdrop of a memo from The Office of the Chief Information Officer that directed all provincial employees to immediately change passwords. British Columbians are rightly concerned about their sensitive information, questioning whether it has been compromised by a foreign, state-sponsored cyberattack. So, I ask the premier today: Will he reveal who was responsible for this attack?" Stone demanded. Stone pointed out the timing of Eby's Wednesday statement, suggesting it was issued discreetly "while everyone was preoccupied with last night’s Canucks game." [caption id="attachment_67963" align="aligncenter" width="256"] BC United MLA Todd Stone arguing in the House during the QP on Thursday morning. (Credit: Legislative Assembly of B.C.)[/caption]

“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?” the Opposition MLA asked.

In response to BC United's criticisms, Public Safety Minister Mike Farnworth accused Stone of "playing politics." “We take our advice from the Canadian Cyber Security Service, who deal with these kinds of things on an ongoing basis. That’s who we will take the advice from in terms of protecting public information, every single time. We will never take advise from the opposition — all they ever want to do is play politics,” Farnworth retorted amid uproar in the House. [caption id="attachment_67981" align="aligncenter" width="271"] Public Safety Minister Mike Farnworth addressing opposition queries. (Credit: Legislative Assembly of B.C.)[/caption]

“When an incident like this happens, the first thing that happens is the protection of the system, honourable speaker. The protection of the information that’s done by technical experts, honourable speaker, who work on the advice of the Canadian Cyber Security System,” Farnworth explained.

“And, honourable speaker, the reason they do that is because if you go out and give information before that’s done, you actually end up compromising people’s information, potentially.”

Multiple Cybersecurity Incidents Rock B.C. in Last Few Weeks

The latest revelation of cyberattacks on government networks comes on the heels of a string of cyberattacks that the westernmost province in Canada is facing. B.C. headquartered retail and pharmacy chain London Drugs announced April 28, closure of its stores across Western Canada after falling victim to a cybersecurity incident. The impact was such that they were forced to even take their phones offline and pharmacies could only satisfy “urgent” needs of patients on-site. Addressing reporters later Thursday afternoon, Farnworth clarified that there was no evidence linking the multiple cybersecurity incidents targeting the province networks to the event that led to the closure of London Drugs locations in the west for several days. "At present, we lack any information suggesting a connection. Once an incident is detected, technical security teams work swiftly to secure the system and ensure its integrity, while closely coordinating with the Canadian Cyber Security Service to address the situation," he explained. "While a comprehensive investigation involving multiple agencies is ongoing, we currently have no indication of any link to the London Drugs incident." The same day as the London Drugs cyberattack came to light, another western province entity BC Libraries reported a cybersecurity incident where a hacker attempted to extort payment for data exfiltrated from its newly commissioned server and threatening to release that data publicly if no payment was received.

China’s Involved?

This development follows an official inquiry in Canada, revealing unsuccessful Chinese attempts to interfere in past elections. Beijing has refuted these allegations. The Canadian Security Intelligence Service (CSIS) recently published an annual report, warning of ongoing Chinese interference in Canadian political affairs, risking democratic integrity.

“Canada’s strong democratic institutions, advanced economy, innovative research sectors, and leading academic institutions make Canada an attractive target for cyber-enabled espionage, sabotage, and foreign influenced activities, all of which pose significant threats to Canada’s national security,” the report said.

The report identified China as a state-based threat conducting widespread cyber espionage across various sectors, including government, academia, private industry, and civil society organizations.

Dell has issued a warning to its customers regarding a data breach following claims by a threat actor of pilfering information for roughly 49 million customers. In an email sent to customers, the computer manufacturer disclosed that a Dell portal containing customer data associated with purchases had been compromised. "We are presently investigating an incident involving a Dell portal, housing a database containing limited types of customer information linked to Dell purchases," stated a Dell data breach notification. Dell clarified that the accessed information encompassed:

• Names
• Physical addresses
• Dell hardware and order details, comprising service tags, item descriptions, order dates, and relevant warranty information

The company said the stolen data did not encompass financial or payment data, email addresses or phone numbers. Dell assured customers that they are collaborating with law enforcement and a third-party forensics firm to probe the matter. [caption id="attachment_67595" align="aligncenter" width="687"] Dell data breach notification[/caption] Dell Technologies is a publicly traded company that operates in 180 countries and is headquartered in Round Rock, Texas. Dell is the third-largest personal computer vendor in the world by unit sales, behind Lenovo and HP and serves more than 10 million small and medium-sized businesses and receives 500 million annual eCommerce visits. The tech giant generated a revenue of $102.3 billion in 2023 and has over 500,000 commercial customers and 2,500 enterprise accounts.

Dell Data Breach Set Appeared on Dark Web

Despite Dell's reassurances, the breach data was purportedly put up for sale on an underground hacker forum by a threat actor named “Menelik” on April 28. The threat actor claimed this data set contained an up-to-date details of registered Dell servers including vital personal and company information such as full names, addresses, cities, provinces, postal codes, countries, unique 7-digit service tags of systems, system shipment dates (warranty start), warranty plans, serial numbers (for monitors), Dell customer numbers and Dell order numbers. The threat actor asserted that he was the sole possessor of this data that entailed approximately 7 million records of individual/personal purchases, while 11 million belong to consumer segment companies. The remaining data pertained to enterprise, partners, schools or unidentified entities. The threat actor also highlighted the top five countries with the most systems represented in the database, which included the United States, China, India, Australia and Canada. The data, claimed to be sourced from Dell and containing 49 million customers and other systems details between 2017 and 2024, aligned with the details outlined in Dell's breach notification. However, The Cyber Express could not confirm if the two data sets are the same as Dell did not immediately respond to our request for confirmation. Although the sale of the database appears to have ceased, the possibility of further exploitation remains. Although Dell refrained from disclosing the specific impact of the breach, it remains vigilant about potential risks associated with the stolen information. While the compromised data lacks email addresses, threat actors could exploit it for targeted phishing and smishing attacks against Dell customers. They could contact Dell customers as fake customer service executives and lead them into downloading malware or infostealers as is seen in many previous campaigns. Dell advises customers to exercise caution regarding any communications purportedly from Dell, especially those urging software installations, password changes or other risky actions and encourages customers to verify the legitimacy of such communications directly with Dell. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Boeing confirmed that the LockBit ransomware gang attack in October 2023, which impacted certain parts and distribution operations of the company, carried a staggering $200 million cyber extortion demand from the cybercriminals, to not publish leaked data. Boeing on Wednesday acknowledged that it is the unnamed “multinational aeronautical and defense corporation headquartered in Virginia,” which is referenced in an unsealed indictment from the U.S. Department of Justice that unmasked the LockBitSupp administrator. Boeing did not provide an immediate response to The Cyber Express' inquiry seeking confirmation of this news, which was initially reported by Cyberscoop. The indictment in question singled out Dmitry Yuryevich Khoroshev as the principal administrator and developer behind the LockBit ransomware operation, as part of a coordinated international effort that included sanctions from the U.S., the U.K., and Australia. Boeing has not provided confirmation on the negotiations and if the company paid any ransom in exchange of the massive $200 million cyber extortion demand.

Boeing Cyber Extortion Saga

LockBit first listed Boeing as its victim on October 27 and set a ransom payment deadline for November 2. Boeing had chosen not to provide any comments or statements regarding the incident, at that time, leaving the LockBit claims unverified. Three days later LockBit took down Boeing’s name from the victims’ list fueling further speculations that it was a hoax or the company likely paid ransom. Following this incident, Boeing eventually confirmed falling victim to LockBit’s cyberattack. But as ransom negotiations reportedly failed, LockBit re-listed Boeing on its leak site and threatened to publish 4 gigabytes of sample data as proof of the Boeing data breach. The post also warned that, “All available data will be published!” in coming days. Following on the threat, LockBit published more than 40GB of data on November 10, as the company likely did not agree to pay the ransom demand. Boeing is yet to address the stolen data publicly.

Ransom Demands Getting Exorbitant

The indictment's reference to the unnamed company highlights the exorbitant ransom demands made by Khoroshev and his cohorts, totaling over $500 million in ransoms extorted from victims since late 2019. Of this, he got nearly $100 million from a 20% share on the ransom payments, which was further “used to continue funding the LockBit operation and its infrastructure.” Ransomware analysts are now calling the Boeing cyber extortion as one of the largest ransom demands from a ransomware gang till date. Researchers suspects LockBit likely made an inflated demand, without realistic expectations of receiving the full amount, merely to test the waters. Between September 2019 and February 2024, Khoroshev grew LockBit into a massive global criminal operation in which along with his affiliates he attacked approximately 2,500 victims, which included nearly 1,800 in the U.S. alone, the indictment said. Apart from Boeing LockBit’s victim list also contains law enforcement agencies, security firms, municipalities, schools, financial institutions and even multinational fast-food chains.

Who is LockBit Ransomware Gang?

The LockBit ransomware gang emerged in 2019, primarily targeting thousands of global companies, with a focus on those headquartered in the United States. Linked to Russian entities, LockBit has amassed tens of millions of dollars in ransom payments since its inception. According to the Cybersecurity and Infrastructure Security Agency (CISA), LockBit has executed over 1700 attacks in the United States, often by compromising and threatening to release sensitive data for financial gain. The recent Boeing data breach highlights the persistent threat posed by cyberattacks to major corporations. LockBit's aggressive tactics and specific targeting of Boeing, a key player in aerospace and defense, highlight the urgent need for robust cybersecurity measures. The ransomware group's imposed deadline heightens the urgency, highlighting the severe consequences of data breaches and the critical importance of safeguarding sensitive information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Ascension, one of the largest nonprofit healthcare systems in the United States, is facing disruptions in clinical operations due to a cyberattack that prompted the organization to take some of its systems offline. The organization detected unusual activity on select technology network systems on Wednesday, prompting immediate response, investigation initiation and activation of remediation efforts. Consequently, access to certain systems has been interrupted during the ongoing investigation process. The healthcare organization has advised its business partners to temporarily sever connections to its systems as a precautionary measure and said it would notify partners when it is safe to reconnect. The cyber incident has disrupted clinical operations, prompting an investigation into the extent and duration of the disruption. Ascension has notified relevant authorities about the cyberattack and enlisted the services of Mandiant incident response experts to aid in the investigation and remediation efforts. The organization operates in 19 states and the District of Columbia, Ascension oversees 140 hospitals and 40 senior care facilities. It also boasts of a significant workforce comprising of 8,500 providers, 35,000 affiliated providers and 134,000 associates. In 2023, Ascension’s total revenue amounted to $28.3 billion.

Patients Say Chaos on Display at Ascension Healthcare

Talking about the disruptions at the healthcare facility, Ascension said, “Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible.” But the ground reality seems to be different, as per a patient account. Talking to local news media Fox 2, a patient named Zackery Lopez said “chaos” was on display this Wednesday in Ascension Providence Southfield hospital where he had to wait nearly seven hours to get a pain medication for his cancer resurgence.

“Right now it is crazy. Nurses are running around. Doctors are running around. There’s no computers whatsoever they can use," Lopez said. "So, they’re actually using charts.”

Lisa Watson, a nurse at Ascension Via Christi St. Joseph in Wichita, Kansas, told another local news outlet that the hospital shut down its operating rooms on Wednesday following the cybersecurity issue. She also said that system’s, which the hospital uses to scan medications of patients was down, along with their electronic charts.

“We are paper-charting all medications, and all lab orders are being hand-written and sent by pneumatic tube systems to the unit they’re supposed to go to,” said Watson.

"No one knew where they (forms) were or which ones to use for hours. We need to have the forms ready to go to switch to paper charting. I left still not knowing how to place lab orders, talked with dozens of people from lab to phlebotomy to management, no one knew. No one was prepared and patients suffered."

“We have endless incessant modules about stupid policies to save hospitals money but never about downtime protocol,” she added.

Lopez is also concerned that his personal information was possibly at risk but said he has not received a convincing answer from the authorities yet. "They really didn’t tell me if it was protected or not," he said. "They really kind of just brushed it off when I asked them. They say they’re trying to get everything back on, back on track." **Update on May 10, 1 AM ET** The company in a Thursday update said that it did not have a definite timeline to restore systems that were pulled offline as a result of the cybersecurity incident.

“Systems that are currently unavailable include our electronic health records system, MyChart (which enables patients to view their medical records and communicate with their providers), some phone systems, and various systems utilized to order certain tests, procedures and medications.”

It added that patient care was being provided with established downtime protocols and procedures, in which Ascension's workforce is well trained. “It is expected that we will be utilizing downtime procedures for some time. Patients should bring to their appointment notes on their symptoms and a list of current medications and prescription numbers or the prescription bottles so their care team can call in medication needs to pharmacies,” the update said. As a precautionary measure, some non-emergent elective procedures, tests and appointments have been temporarily paused and patients appointments or procedures will need to be rescheduled.

“Due to downtime procedures, several hospitals are currently on diversion for emergency medical services in order to ensure emergency cases are triaged immediately.”

Healthcare Breaches on the Rise

This incident adds to a growing list of healthcare breaches and ransomware attacks, including the Change Healthcare that caused widespread disruptions across U.S. Initially described as an “enterprise-wide connectivity issue,” the severity of the attack went a bar above when Blackcat – also known as Alphv ransomware gang claimed responsibility for it. The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information, a tactic commonly employed by ransomware gangs to exert pressure on victims. However, on February 29, Blackcat withdrew its claim on the breached data of the healthcare group, raising questions if a ransom was paid. The company did confirm that is paid a $22 million ransom later but it now faces multiple lawsuits for alleged negligence in safeguarding clients’ personal information. The parent company UnitedHealth has allocated over $2 billion to fight the fallout of the Change Healthcare data breach. The company last week also stated that a lack of multi-factor authentication (MFA) resulted into the massive hack. In a related development, the U.S. Department of Health and Human Services (HHS) recently cautioned about threat actors employing social engineering tactics to target IT help desks in the Healthcare and Public Health (HPH) sector. These attackers employ deception to enroll new multi-factor authentication (MFA) devices under their control, thereby gaining access to corporate resources, the HHS warned.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Google has brought together its Gemini AI model with its Mandiant cybersecurity unit and VirusTotal threat Intelligence to enhance threat landscape accessibility and efficiency. The company also plans to use its Gemini 1.5 Pro large language model, released in February, to ease the understanding of threat reports for a broader audience. At the RSA Conference in San Francisco, Google unveiled their latest AI-based solution to add more value to threat intelligence. Tackling the long-standing challenges of fragmented threat landscapes and cumbersome data collection processes, Google Threat Intelligence integrates Mandiant's frontline expertise, real-time contributions from VirusTotal's global community and Google's visibility into extensive user and device footprint to deliver a comprehensive defense against evolving cyber threats. Bernardo Quintero, founder of VirusTotal called this initiative a “sharing knowledge, protecting together” mission, which it has embraced with Google and Mandiant.

“I want to assure our entire community, from security researchers and industry partners to individual users, that VirusTotal's core mission remains unchanged. We remain deeply dedicated to collective intelligence and collaboration, fostering a platform where everyone can come together to share knowledge, access valuable threat information, and contribute to the fight against cyber threats,” Quintero said.

“VirusTotal remains committed to a level playing field, ensuring all partners, including Google Threat Intelligence, have equal access to the crowdsourced data VirusTotal collects. We also want to assure you that the core features and functionalities of VirusTotal will remain free and accessible to everyone, as always,” he added, clearing the air around VirusTotal’s future. “The strength of VirusTotal lies in its network of contributors and the vast amount of data they provide. This data serves as a valuable resource for the entire security industry, empowering our partners and others to enhance their products and contribute to a more secure digital world. This collaborative approach, based on transparency and equal access, strengthens the industry as a whole, ultimately leading to better protection for everyone.”

Challenges Addressed and Google’s Gemini AI Integration

For years, organizations have grappled with two primary hurdles in threat intelligence: a lack of holistic visibility into the threat landscape and the arduous task of collecting and operationalizing intelligence data. Google's new offering aims to address these challenges head-on providing insights and operational efficiency to security teams worldwide. The integration of Gemini, Google's AI-powered agent, enhances the operationalization of threat intelligence, streamlining the analysis process and accelerating response times. Using the Gemini 1.5 Pro large language model, Google claims to significantly reduce the time required to analyze malware attacks. For instance, the model took only 34 seconds to dissect the WannaCry virus and identify a kill switch, demonstrating its efficacy in threat analysis. Another key feature of Gemini AI is its ability to summarize threat reports into natural language, aiding companies in assessing potential attacks' impact and prioritizing responses. Threat Intelligence also offers a comprehensive threat monitoring network, empowering users to gain insights into the cybersecurity landscape and prioritize their defense strategies. Mandiant's experts, acquired by Google in 2022, play a vital role in assessing security vulnerabilities in AI projects through the Secure AI Framework. They conduct rigorous testing to fortify AI models against potential threats like data poisoning, ensuring their resilience against malicious exploitation. While Google is pioneering the integration of AI into cybersecurity, other tech giants like Microsoft are also exploring similar avenues, underscoring the growing significance of AI in safeguarding digital assets against evolving threats. As cyber threats continue to evolve, proactive defense strategies are more critical than ever. With Google Threat Intelligence, organizations can leverage cutting-edge technology to detect, analyze, and mitigate threats effectively, ensuring the security and resilience of their digital infrastructure in an increasingly complex threat landscape.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

MedStar Health, a prominent non-profit healthcare provider disclosed a data breach that impacts more than 183,000 patients from its hundreds of care locations which it operates in the Baltimore-Washington area in the U.S. The not-for-profit healthcare provider is worth $7.7 billion and is one of the largest employers in the region with more than 34,000 associates working across 300 care locations including 10 hospitals and 33 urgent care clinics, ambulatory care centers and primary and specialty care providers. They together treat hundreds of thousands of patients on a yearly basis. The impacted individuals' personal data may have been compromised when an outsider gained access to emails and files of three employees, MedStar Health said in a statement on the data breach. MedStar Health reported notifying 183,709 affected patients via letters and filed a notice with the Department of Health and Human Services. The unauthorized access occurred sporadically between January and October last year, with patient information found in breached files and emails. Although there's no indication of actual acquisition or viewing of patient data, the company couldn't rule out such access. Patient information including names, addresses, dates of birth, service dates, provider names and insurance details, were contained in the compromised emails and files, MedStar Health said. The healthcare provider urged affected patients to monitor healthcare statements for any unusual activities and assured implementation of new safeguards to prevent future breaches.

Earlier MedStar Health Data Breach

The digital woes of the healthcare provider are not new. In fact, this is the second time in a decade that MedStar Health is facing a massive data breach scare. In 2016, a virus, likely a ransomware malware infected the computer network of MedStar Health. This prompted a complete shutdown of services for the healthcare giant, which resulted in diversion of new patients to other hospitals and the care givers had to resort to pen and paper to continue regular operations. The impact was such that the FBI was called in to investigate the MedStar Health data breach, which followed similar cyberattacks on at least three other medical institutions in California and Kentucky.

Healthcare Breaches on the Rise

This incident adds to a growing list of healthcare breaches and ransomware attacks, including the Change Healthcare that caused widespread disruptions across U.S. Initially described as an “enterprise-wide connectivity issue,” the severity of the attack went a bar above when Blackcat – also known as Alphv – ransomware gang claimed responsibility for it. The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information, a tactic commonly employed by ransomware gangs to exert pressure on victims. However, on February 29, Blackcat withdrew its claim on the breached data of the healthcare group, raising questions if a ransom was paid. The company did confirm that is paid a $22 million ransom later but it now faces multiple lawsuits for alleged negligence in safeguarding clients' personal information. The parent company UnitedHealth has allocated over $2 billion to fight the fallout of the Change Healthcare data breach. The company last week also stated that a lack of multi-factor authentication (MFA) resulted into the massive hack. Blackcat in September 2023 claimed a similar data breach on McLaren Healthcare, where nearly 6 terabytes worth of data was siphoned. Owing to such large scale healthcare data breaches, the U.S. Cybersecurity and Infrastructure Security Agency in March unveiled a cybersecurity toolkit for healthcare sector that would help them implement advanced tools, that fortify their defenses against evolving threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A coordinated multi-nation law enforcement action has led to a takedown of an Austria-based crypto scam where half a dozen suspects were arrested and assets worth hundreds of thousands of Euros were seized. This followed a separate investigation in the United Kingdom, which led to the sentencing of two Brits involved in an international crypto scam worth millions.

Takedown of Austria-based Crypto Scam

The law enforcement agencies from Austria, Cyprus and Czechia have arrested six Austrians responsible for an online cryptocurrency scam that was launched in December 2017. Between 2017 and February 2018, the scammers assured and convinced its victims of having set up a legitimate online trading company that had launched a new cryptocurrency coin. The scammers offered an initial coin offering of 10 million tokens or respective rights to the new currency for sale. Considering the returns on investment from Bitcoin at the time, which was up nearly 39% in Dec. 2017, investors likely saw the opportunity in the new crypto coin and paid them in regular crypto values such as Bitcoin and Ethereum. To gain investors’ confidence and credibility, the Austrian fraudsters also claimed of having developed their own software and algorithm for the sale of the tokens.

“Traditionally, an ICO will build upon transparency and communicate clearly about each team member responsible for it. In this instance, there was a lack of transparency regarding both the team members involved and the algorithm underpinning the cryptocurrency,” said Europol, who coordinated the multi-nation operation.

Two months into the scheme, the perpetrators in February 2018 shuttered all their social media accounts and took offline the fake company’s homepage. Following this, it became obvious to the investors that they were defrauded in an exit scam. Not all victims of this crypto scam have been identified yet, but it is estimated that they lost around EUR 6 million, in totality. The law enforcement agencies raided six houses and seized over EUR 500,000 (approximately $537,120) in cryptocurrencies, EUR 250,000 (approximately $268,560) in fiat currency and froze dozens of bank accounts linked to the perpetrators and their fraudulent crypto scams. Two cars and a luxury property worth EUR 1.4 million was also seized.

Two Brits Jailed for International Crypto Scam

Law enforcement in Europe is further tightening screws against crypto scammers as is evident in another instance where two men who stole more than 5.7 million pounds (approximately $7.1 million) worth of cryptocurrency from victims worldwide were sentenced following an investigation of the South West Regional Organized Crime Unit (SWROCU). [caption id="attachment_67275" align="aligncenter" width="243"] James Heppel (credit: SWROCU)[/caption]   Jake Lee, aged 38, and James Heppel, aged 42, admitted guilt to three counts of conspiracy to commit fraud. Bristol Crown Court sentenced Lee to four years and Heppel to 15 months on May 3. [caption id="attachment_67274" align="aligncenter" width="227"] Jake Lee (Credit: SWROCU)[/caption]   The duo conducted the fraud by spoofing the domain of the online cryptocurrency exchange Blockchain[.]com to pilfer victims’ Bitcoin wallets, stealing their money and login credentials. They together targeted 55 victims across 26 countries, amassing £835,000 in cash, including £551,000 handed over by Lee in January, along with £64,000 in cryptocurrency, a Banksy print valued at £60,000 and three vehicles. [caption id="attachment_67271" align="aligncenter" width="1024"] £551k in cash voluntarily handed over by Lee (Credit: SWROCU)[/caption] A confiscation order of nearly £1 million was issued against Lee to compensate the victims. DS Matt Brain from SWROCU’s Regional Cyber Crime Unit stated, “Our investigation started back in 2018 after colleagues at Avon and Somerset Police arrested Lee on suspicion of money laundering.” “Officers from the force seized digital devices and three laminated Bitcoin wallet recovery seeds. At the same time, our unit had started an investigation into a cryptocurrency scam reported by a Wiltshire victim who had £11k worth of Bitcoin from his Blockchain wallet.”

“We took on the investigation into Lee and when we analyzed his devices, we established he was a central figure involved in a sophisticated domain spoofing fraud and worked to identify numerous victims.”

Brain added that the fact they both pleaded guilty to all counts also showed the strength of evidence that the police secured against them.” Pamela Jain, a prosecutor with the Crown Prosecution Service, noted, “Jake Lee and James Heppel defrauded people in 26 countries, including 11 victims in the UK, by diverting Bitcoin into wallets over which they had control. This was a complex and time-consuming prosecution which involved enquiries with numerous victims and prosecuting authorities all over the world.” Lee has already been served a confiscation order but “confiscation proceedings against James Heppel are ongoing,” Jain said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Singaporean parliament approved an amendment to the Cybersecurity Law on Tuesday that aimed at fortifying the defenses of the nation's evolving critical infrastructure and adapting to technological advancements. The amendments to the Cybersecurity Law mandate that owners of critical information infrastructure (CII) report a broader spectrum of incidents, encompassing those occurring within their supply chains. Senior Minister of State for Communications and Information Janil Puthucheary said it was imperative to address the evolving tactics of malicious cyber actors, stressing the need to extend vigilance to peripheral systems and supply chains.

What the Latest Cybersecurity Law Amendment Mean

The new legislation empowers authorities to regulate Systems of Temporary Cybersecurity Concern (STCC), which are systems at high risk of cyberattacks for a limited period, posing a threat to Singapore's national interests if compromised. The amendment gives the Cyber Security Agency of Singapore (CSA) authority to oversee Entities of Special Cybersecurity Interest (ESCIs), whose disruption could have significant adverse effects on defense, foreign relations, economy, public health, safety, or order. To prevent inadvertently identifying ESCIs as targets, their specific identities will not be publicly disclosed. The proposed law will also add new categories of entities whose digital defenses will be audited by the authorities, including autonomous universities, which may hold sensitive data or perform significant functions. Moreover, CSA can regulate CIIs supporting essential services from overseas if their owners are based in Singapore. Dr. Janil emphasized that the Bill aims to address shifts in the cybersecurity landscape and operational challenges faced by CSA. The evolving cybersecurity landscape, characterized by increased cloud computing usage and digital technology reliance, necessitates updated laws to safeguard essential services.

“When the Act was first written, it was the norm for CII to be physical systems held on premises and entirely owned or controlled by the CII owner. But the advent of cloud services has challenged this model,” Dr. Janil said.

“As the tactics and techniques of malicious actors evolve to target systems at the periphery or along supply chains, we must also start placing our alarms at those places,” he added. The proliferation of digital communication and technology adoption underscores the heightened cyber risks faced by individuals and organizations. Against this backdrop, updating the cybersecurity law is imperative to ensure Singapore's digital resilience and stay ahead of emerging threats. While Members of Parliament voiced concerns about compliance costs and regulatory clarity, Dr. Janil clarified that the Bill targets cybersecurity of critical national systems, rather than imposing broad obligations on the business community. The new law will regulate only the cybersecurity of systems infrastructure and services that are important at a national level because their disruption or compromise could affect Singapore’s survival, security, safety or other national interest, according to Dr. Janil. “This is a known and finite set of systems and entities. Our approach is a targeted and calibrated one, precisely because we recognise that regulation will involve compliance costs,” Dr Janil said.

“Some compliance costs cannot be avoided where regulation is concerned. It's something we are mindful of. We do not seek to regulate without good reason.”

CSA will provide support to regulated entities, engaging with them before designating systems or entities and offering guidance on compliance measures. Appeals processes are in place for designated entities, ensuring transparency and accountability in regulatory decisions. Dr. Janil underscored the significance of decisions to designate entities, emphasizing their potential impact on national security and interests. The government remains committed to a calibrated approach, balancing regulatory requirements with the need to minimize compliance costs and support affected entities.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. Secretary of State Antony Blinken unveiled an International Cyberspace and Digital Policy Strategy on Monday, outlining the Biden administration's plan to engage the global community on various technological security issues. Blinken introduced this robust international cyber strategy while delivering a keynote at the RSA cybersecurity conference in San Francisco. The strategic blueprint outlined in the latest strategy displayed the federal government's multifaceted approach to engaging the global community on a wide array of technological security issues, aiming to foster collaboration and cooperation among allies, partners and stakeholders worldwide.

What’s at the Core of the International Cyberspace and Digital Policy Strategy

At the heart of the plan lies the concept of "digital solidarity," characterized by mutual assistance to victims of malicious cyber activity and other digital harms. Digital solidarity entails collaborating on shared goals, capacity building, and mutual support to enhance security, resilience, self-determination, and prosperity. Against the backdrop of ongoing cyberattacks targeting U.S. allies by foreign actors like Russia, China, North Korea and Iran, efforts focus on supporting allies and partners, particularly emerging economies, in harnessing the benefits of digital technologies while sustaining economic and development objectives. The strategy emphasizes alignment with international partners on technology governance, fostering strong partnerships with civil society and the private sector, and promoting cybersecurity resilience through diverse products and services from trusted technology vendors. Moreover, it underscores cooperative efforts to defend and advance human rights and build digital and cyber capacity for long-term resilience and responsiveness. The Department of State, in collaboration with other federal agencies, will advance digital solidarity through four key areas of action supported by three guiding principles:

1. Promoting an open, inclusive, secure, and resilient digital ecosystem.
2. Aligning rights-respecting approaches to digital and data governance with international partners.
3. Advancing responsible state behavior in cyberspace and countering threats through coalition-building and engagement.
4. Strengthening international partner digital and cyber capacity.

Efforts to forge digital solidarity will be reinforced by active participation in international fora to shape obligations, norms, standards, and principles impacting cyberspace and digital technology issues. Leadership in these venues is crucial to safeguarding U.S. interests and values in the evolving digital landscape. Recognizing the significance of digital diplomacy, the Department of State will lead interagency efforts to coordinate cyber and digital technology diplomacy to advance U.S. national interests and values in the coming decade.

Cybersecurity Threats from Nation States

The strategy addresses the malign activities of nations such as Russia, China, Iran, and North Korea, condemning their exploitative use of technology for nefarious purposes, including hacking and espionage campaigns. It highlights concerns about these countries' efforts to undermine international regulatory frameworks and undercut U.S. technology manufacturers through state-sponsored subsidies. “Cyber criminals and criminal syndicates operating in cyberspace now represent a specific threat to the economic and national security of countries around the world,” the International Cyberspace and Digital Strategy said. “Cybercrime and online fraud cause significant harm to economic development, with small- to medium-sized enterprises and financial service providers especially at risk. According to one estimate, the global cost of cybercrime is estimated to top $23 trillion in 2027.”

AI Technology Governance

The landscape of AI technology governance is intricate, as per the latest strategy. While AI systems offer promising avenues for societal progress, the complexities of geopolitics further compound the challenges and uncertainties in their regulation and management. AI technologies hold immense potential to drive knowledge expansion, boost prosperity, enhance productivity, and tackle pressing global issues. However, the rapid proliferation of AI technologies also presents substantial risks and ethical considerations. These encompass a spectrum of concerns ranging from exacerbating inequality and economic instability to privacy breaches, discriminatory practices, and amplification of malicious cyber activities. Moreover, the dual-use nature of many AI applications poses challenges in ensuring that emerging technologies are not leveraged for nefarious purposes, including disinformation campaigns and military advancements lacking adequate human rights safeguards. Balancing risks and rewards requires safeguarding democratic values, human rights, and fostering international collaboration to harness AI's benefits while mitigating destabilizing impacts. The strategy also warns against complacency in critical technological domains, cautioning that failure to act could enable authoritarian states to shape the future of technology in a manner detrimental to U.S. interests and values. By advocating for concerted efforts to uphold a rights-respecting, open, and secure cyberspace, the United States aims to advance a vision of global governance that safeguards democratic principles and promotes innovation and prosperity.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Data sourced from over 40 million exposures that pose high-impact risks to numerous critical business entities revealed that Active Directory typically accounts for 80% of all security exposures identified in organizations. The research from XM Cyber in collaboration with the Cyentia Institute found that identity and credential misconfigurations fuel a striking majority of security exposures across organizations. Among these exposures, a third directly jeopardize critical assets, serving as a prime target for adversaries seeking to exploit vulnerabilities.

Active Directory Exposures Dominate the Attack Surface

Active Directory accounts for over half of entities identified across all environments, as per the report from XM Cyber. Thus, a significant portion of security exposures lies within a company's Active Directory, a vital component for user-network resource connectivity. However, this critical infrastructure also presents an attractive target for attackers as it interests them with additional elevated rights. “An attacker who has compromised an Active Directory account could use it to elevate privileges, conceal malicious activity in the network, execute malicious code and even gain access to the cloud environment,” XM Cyber explained. “Many of these exposures stem from the inherent nature of dynamic configuration issues in Active Directory as well as the challenge of keeping it updated. This creates a blind spot that appears secure on the surface but hides a nest of problems that many security tools can’t see,” the report said. Misconfigurations and credential attacks emerge as the top contributors to these exposures, introducing gaps that traditional security tools often overlook, such as issues in member management and password resets. These issues “present a challenge for nearly every organization,” XM Cyber said. Techniques like credential harvesting, dumping, relay and domain credentials feature prominently in the list of top techniques identified by attack path analysis for AWS, Azure and GCP, and Tools like Mimikatz make these techniques even easier to execute and thus make it extremely popular. Poor practices also make credential-related attack paths more easy and potent. XM Cyber said it identified highly privileged Active Directory credentials cached on multiple machines in 79% of organizations, and one in five of those have admin-level permissions on 100 or more devices. Furthermore, poor endpoint hygiene afflicts the majority of environments, with over 25% of devices lacking EDR coverage or containing cached credentials, offering attackers ample entry points to establish footholds. These overlooked vulnerabilities in identity and endpoint security form a fertile ground for hackers, demanding urgent attention from organizations. Zur Ulianitzky, Vice President of Security Research at XM Cyber, emphasized the necessity of broadening exposure management beyond vulnerabilities to encompass all potential adversary pathways, including misconfigurations and user behavior. The research revealed that a mere 2% of exposures exist on critical 'choke points,' where adversaries exploit vulnerabilities to access crucial assets.

CVEs are a Drop in the Ocean

Despite organizations' focus on managing traditional software vulnerabilities tracked by CVE identifiers, these efforts barely scratch the surface. XM Cyber's analysis uncovered approximately 15,000 exposures per organization, with CVE-based vulnerabilities constituting less than 1% of this extensive exposure landscape. Even concerning exposures affecting critical assets, CVEs represent only a minute fraction, highlighting significant blind spots in security programs fixated solely on vulnerability patching.

Exposed Critical Assets in the Cloud

Active Directory is the largest attack surface, according to XM Cyber, but the largest share of exposures to critical assets is in the cloud. Cloud environments, amidst rapid adoption by organizations, are not immune to exposure risks. Over half (56%) of exposures affecting critical assets are traced back to cloud platforms, presenting a significant threat as attackers seamlessly traverse between on-premises and cloud environments. This fluid movement poses a substantial risk to cloud-based assets, allowing attackers to compromise critical resources with minimal effort.

Exposure Risks Across Sectors

Industry-specific analysis from the report reveals discrepancies in exposure risks across sectors. Industries like Energy and Manufacturing exhibit a higher proportion of internet-exposed critical assets affected by exposures compared to Financial Services organizations, despite the latter's larger digital footprint. Healthcare providers, facing inherent challenges in minimizing risk, contend with a median number of exposures five times higher than the Energy and Utilities sector, emphasizing the need for tailored exposure management strategies. Exposure Management is currently beyond addressing only vulnerabilities and CVEs. Organizations need to adopt a holistic and ongoing Exposure Management approach, incorporating attack path modeling to pinpoint and resolve infrastructure weak points. Emphasis should be placed on tackling identity issues, Active Directory exposures and cloud cyber hygiene, while advocating for tailored solutions according to industry and scale. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Finland has warned of an ongoing Android malware campaign that targets banking details of its victims by enticing them to download a malicious counterfeit McAfee app. Finland's Transport and Communications Agency – Traficom - issued a warning last week about an ongoing Android malware campaign that aims to withdraw money from the victim's online bank accounts. Traficom said this campaign exclusively targets Android devices, with no separate infection chain identified for Apple iPhone users. The agency has identified multiple cases of SMS messages written in Finnish language, instructing recipients to call a specified number. These messages often impersonate banks or payment service providers like MobilePay and utilize spoofing technology to appear as if they originate from domestic telecom operators or local networks. [caption id="attachment_66875" align="aligncenter" width="1024"] Finnish language smishing message (Credit: Traficom)[/caption] The scammers answering these calls direct victims to install a McAfee app under the guise of providing protection. However, the McAfee app being promoted is, in fact, malware designed to compromise victims' bank accounts. According to reports received by the Cyber Security Center, targets are prompted to download a McAfee application via a link provided in the message. This link leads to the download of an .apk application hosted outside the app store for Android devices. Contrary to expectations, this is not antivirus software but malware intended for installation on the phone. The OP Financial Group, a prominent financial service provider in Finland, also issued an alert on its website regarding these deceptive messages impersonating banks or national authorities. The police have similarly emphasized the threat posed by this malware, warning that it enables operators to access victims' banking accounts and initiate unauthorized money transfers. In one reported case, a victim lost 95,000 euros (approximately $102,000) due to the scam.

Vultur Android Malware Campaign Trademarks

While Finnish authorities have not definitively identified the type of malware involved or shared specific hashes or IDs for the APK files, the attacks bear a striking resemblance to those reported by Fox-IT analysts in connection with a new version of the Vultur trojan. [caption id="attachment_66873" align="alignnone" width="1024"] Vultur Trojan infection chain (Credit: Fox-IT)[/caption] The new iteration of the Vultur trojan employs hybrid smishing and phone call attacks to persuade targets into downloading a fake McAfee Security app. This app introduces the final payload in three separate parts for evasion purposes. Notable features of this latest version include extensive file management operations, abuse of Accessibility Services, app blocking, disabling Keyguard, and serving custom notifications in the status bar.

Things to Do If You Suspect Being Victim

If you suspect that your device has been infected with the malware, it is advisable to contact your bank immediately to enable protection measures. Additionally, restoring "factory settings" on the infected Android device to wipe all data and apps is recommended. OP Financial Group emphasizes that they do not request customers to share sensitive data over the phone or install any apps to receive or cancel payments. “We will never send you messages with a link to the online bank login page. The bank also never asks you for your ID or card information via messages. Such messages are scams and you should not click on the links in them,” the OP Financial Group said. “Even in order to receive or cancel a payment, you do not need to log in from a link, confirm with codes or provide your information. If you are asked to do this, contact the bank's customer service.” Any similar requests should also be promptly reported to the police. The news of the online banking fraud comes days after a multi-national police operation crack opened a massive fraudulent call center network run across Europe that targeted especially senior citizens with an intent to dupe them of thousands of dollars. The crack down, dubbed Operation Pandora, was initiated when a vigilant bank teller in Freiburg, Germany, alerted law enforcement of a customer aged 76-years attempting to withdraw a large sum of money. Scammers employed various tactics, posing as relatives, bank employees or police officers, to deceive victims into surrendering their savings. The operation revealed call centers operating in different countries, each specializing in different types of telephone fraud, from investment scams to debt collection demands. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.