Researchers have identified a recent cyber espionage campaign by a China-linked threat actor dubbed "UNK_SweetSpecter," which aims to harvest generative artificial intelligence (AI) secrets from experts in the United States. The threat actor targets AI experts using a remote access trojan (RAT) malware called SugarGh0st.  SugarGh0st infiltrates the systems of a highly selective list of AI experts from different verticals such as tech companies, government agencies and academic institutions. The SugarGh0st RAT was originally reported in November 2023 but was observed in only a limited number of campaigns. It is a custom variant of the Gh0st RAT, a tool that was first publicly attributed to a Chinese threat group in 2008. Researchers suspect that the threat actor UNK_SweetSpecter is likely of Chinese origin.

Spear-Phishing SugarGh0st Campaign Targets AI Experts

Proofpoint researchers discovered that the targets of this campaign were all connected to a leading US-based AI organization and were lured with distinct AI-themed emails. The infection chain began with a seemingly innocuous email from a free account, claiming to seek technical assistance with an AI tool. The attached zip file contained a shortcut file (LNK) that deployed a JavaScript dropper upon access. This dropper included a decoy document, an ActiveX tool for sideloading, and an encrypted binary, all encoded in base64. The infection chain ended with SugarGh0st RAT being deployed on the victim's system and communication being established with the attacker's command and control server. Analysis of the attack stages revealed that the group had shifted their C2 communications from an earlier domain to a new one, indicating their detection evasion motives. While the malware itself is relatively unsophisticated in it's attack chain, the targeted nature of AI the campaign makes it significant, the researchers noted. The SugarGh0st RAT was previously used in targeted campaigns in Central and East Asia.

Potential Motivations, Attribution and Context

Although direct attribution to a specific nation-state is challenging, researchers concluded the presence of Chinese language artifacts and the precise targeting of AI experts suggest a possible link to China-linked threat actors. The campaign also coincides with the U.S. government's efforts to restrict Chinese access to generative AI technologies. The new regulations established by the Biden administration would likely restrict the export of AI models, and their data to countries it deemed hostile to U.S. interests, such as Russia, China, North Korea and Iran. The Chinese Embassy labeled the action as economic coercion and unilateral bullying. Earlier in February, Microsoft reported observing Chinese, Russian, North Korean and Iranian threat actors' attempting to leverage AI tools from big tech AI companies like OpenAI for their campaigns. The report indicated that Chinese threat actors used AI tools to boost their technical prowess such as the development of tools and phishing content, while the Russian threat actors were observed researching  satellite and radar technologies possibly related to the war in Ukraine. With the regulatory efforts aimed at restricting proprietary/closed-source AI models, researchers theorize that this campaign is likely an attempt by a China-affiliated actor to harvest generative AI secrets via cyber theft before the policies are enacted. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

While the recent takedown of BreachForums by the FBI, in collaboration with international law enforcement agencies, marked a significant victory against cybercrime. Less than 24 hours after this major blow, the renowned threat actor known as USDoD made an announcement stating his plans to resurrect the forum's community, demonstrating the relentless nature of the cyber underworld. BreachForums had long been a central marketplace for cybercriminals, facilitating the trade of stolen data and hacking tools. Its sudden removal from the dark web was a monumental achievement for law enforcement, akin to dismantling a major illicit market. However, the cybercriminal community's response was swift and defiant as demonstrated by the alleged claim by ShinyHunters, one of the leftover administrators just a day later that the site domain itself had been recovered. Alongside the possible domain recovery, USDoD also separately pledged to rebuild and improve upon BreachForums through a newer competitive forum, promising a new beginning for the infamous community.

USDoD Announces Creation of Breach Nation Forum

In a bold statement following the takedown, USDoD assured the community that he had already been working on rebuilding BreachForums, promising that the forum's legacy and user data would be preserved. He emphasized his dedication to creating a new community, presenting the takedown as not the end but an opportunity for a fresh start. [caption id="attachment_69063" align="alignnone" width="523"] Source: X.com (@EquationCorp)[/caption] His announcement also detailed the allocation of resources and infrastructure to support the new forum. The new domains, breachnation.io and databreached.io, are set to launch on July 4, 2024, symbolically coinciding with Independence Day. This new community, dubbed "Breach Nation," aims to offer enhanced features and security. [caption id="attachment_69064" align="alignnone" width="544"] Source: X.com (@EquationCorp)[/caption] USDoD’s vision for BreachForums 3.0 includes robust infrastructure, with separate servers to ensure optimal performance and security. He has assured the community that he is not driven by profit and aims to offer an upgraded member rank to the first 200,000 users as a token of goodwill. He acknowledged the challenges ahead, including potential opposition from law enforcement as well as possible competition from the BreachForums administrator ShinyHunters. He also addressed concerns about compromise within the forum's administration, stating that he would initially manage it alone to ensure security and build trust.

USDoD's Earlier Activities

USDoD's bold promise to create the new Breach Nation forum highlights the persistence of the cybercriminal underworld. The threat actor is a notable figure in the cybercriminal community and was previously known as NetSec on RaidForums. USDoD is known to employ sophisticated social engineering and impersonation techniques to penetrate secure systems. His activities included exposing data related to several high-profile organizations such as InfraGard, Airbus, and several, the U.S. Army, NATO Cyber Center, and CEPOL. He also claimed responsibility for alleged data leaks from the defense contractor Thales as well the Communist Party of China. A newer CDN created by USDoD was first publicized around the same time as the alleged China data leak, this CDN is stated to be incorporated for the new domain's infrastructure and seemingly being reworked and shifted to a new domain. [caption id="attachment_69068" align="alignnone" width="566"] Source: X.com (@EquationCorp)[/caption] While the potential impact of the new forum remains unclear, it may be a key development to watch in the ongoing struggle between law enforcement and cybercrime in the aftermath of the BreachForums domain seizure. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Norwegian National Cyber Security Centre (NCSC) has issued an recommendation advising organizations for the replacement of SSLVPN and WebVPN solutions with more secure alternatives, due to the repeated exploitation of vulnerabilities in edge network devices in the past that allowed attackers to breach corporate networks. The National Cyber Security Centre (NCSC), a sub-division of the Norwegian Security Authority functions as Norway's primary liaison for coordinating national efforts to prevent, detect, and respond to cyber attacks, as well as providing strategic guidance and technical support to enhance the overall cyber security posture of the country. This includes conducting risk assessments, disseminating threat intelligence, and promoting best practices in both the public and private sector. The NCSC's guidance is aimed at enhancing the security posture of organizations, particularly those within critical infrastructure sectors, by advocating for the transition to more robust and secure remote access protocols.

Replacement of SSLVPN and WebVPN With Secure Alternatives

The NCSC's recommendation is underpinned by the recognition that SSL VPN and WebVPN, while providing secure remote access over the internet via SSL/TLS protocols, have been repeatedly targeted due to inherent vulnerabilities. These solutions create an "encryption tunnel" to secure the connection between the user's device and the VPN server. However, the exploitation of these vulnerabilities by malicious actors has led the NCSC to advise organizations to migrate to Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2). IPsec with IKEv2 is the NCSC's recommended alternative for secure remote access. This protocol encrypts and authenticates each packet of data, using keys that are refreshed periodically. Despite acknowledging that no protocol is entirely free of flaws, the NCSC believes that IPsec with IKEv2 significantly reduces the attack surface for secure remote access incidents, especially due to its reduced tolerance for configuration errors compared to SSLVPN. The NCSC emphasizes the importance of initiating the transition process without delay. Organizations subject to the Safety Act or classified as critical infrastructure are encouraged to complete the transition by the end of 2024, with all other organizations urged to finalize the switch by 2025. The recommendation to adopt IPsec over other protocols is not unique to Norway; other countries, including the USA and the UK, have also endorsed similar guidelines, underscoring the global consensus on the enhanced security offered by IPsec with IKEv2. As a preventative measure, the NCSC also recommended the use of 5G from mobile or mobile broadband as an alternative in locations where it was not possible to implement an IPsec connection.

Recommendation Follows Earlier Notice About Exploitation

Last month, the Norwegian National Cyber Security Centre had issued a notice about a targeted attack campaign against SSLVPN products in which attackers exploited multiple zero-day vulnerabilities in Cisco ASA VPN used to power critical infrastructure facilities. The campaign had been observed since November 2023. This notice intended primarily towards critical infrastructure businesses warned that while the entry vector in the campaign was unknown, the presence of at least one or more zero-day vulnerabilities potentially allowed external attackers under certain conditions to bypass authentication, intrude devices and and grant themselves administrative privileges. The notice shared several recommendations to protect against the attacks such as blocking access to services from insecure infrastructure such as anonymization services (VPN providers and Tor exit nodes) and VPS providers. Cisco released important security updates to address these vulnerabilities. The earlier notice also recommended that businesses switch from from the SSLVPN/clientless VPN product category to IPsec with IKEv2, due to the presence of critical vulnerabilities in such VPN products, regardless of the VPN provider. The NCSC recommends businesses in need of assistance to contact their sector CERT or MSSP. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Rockford Public School Disttrict in Michigan has successfully restored its systems after a ransomware attack caused significant disruption earlier this week, forcing the shutdown of its computer, email, and phone systems. Despite acting swiftly to contain the Rockford Public Schools ransomware attack as an attempt to ensure the safety of its students and staff, the measures also forced the school district to resort to traditional pen and paper-based offline methods for schooling. A day after the incident, the district superintendent confirmed the isolation of the attack and the restoration of systems, indicating that students and staff could operate as normal. Established in 1884, Rockford Public Schools is a prominent educational institution in Rockford, Illinois. With 45 schools catering to around 27,766 students, it spans across portions of Kent County and serves parts of Plainfield, Algoma, Courtland, Cannon, Grattan, and Oakfield Townships. The district's consolidation in the late 1950s brought together several neighborhood school systems, and it expanded into 45 schools serving approximately 27,766 students.

Systems Restored After Rockford Public Schools Ransomware Attack

On the morning of the incident, district leaders were alerted to computer system failures within the school district disrupting its phones and internet services. While it was initially suspected to be a vendor issue, it soon became clear that the district was struck by a ransomware attack after ransom notes were discovered on various printers. Superintendent Steve Matthews promptly ordered the shutdown of all network connections, including Wi-Fi, to contain the threat. He anticipated that it would take at least a couple of days for the district to return to normal operations. The official website of the school district displayed emergency phone numbers for various buildings within the school district during the time of the attack. [caption id="attachment_68941" align="alignnone" width="1768"] Source: rockfordschools.org[/caption] Despite the attack, there was no immediate threat to student safety. Classes continued as usual, albeit with a return to traditional, technology-free teaching methods. Superintendent Matthews reassured that security systems for school doors remained functional, and emergency cell phones were made available for parental contact. The FBI was also involved in the investigation, working alongside district staff to assess the extent of the breach.  Superintendent Matthews acknowledged the initial challenge but noted that staff were quickly adjusting to the incident. Students reported a unique experience of engaging in learning without digital tools, while some found the situation disconcerting. Parents were informed about the situation through emergency communication channels. While some parents chose to pick up their children early, the overall response was one of cautious adaptation. Following the preventative measures, the public school district restored its computer systems 24 hours later, with the district superintendent stating that the incident had been isolated and contained. The school issued a letter to parents, indicating that says students and staff could resume using district-provided school equipment or their own personal devices.

Expert Indicates Educational Institutes as Common Ransomware Target

Cybersecurity expert Greg Gogolin from Ferris State University noted in response to the incident, that school districts are common targets for ransomware attacks due to inadequate preventive measures and limited cybersecurity staff. Gogolin highlighted that the end of the school year is a particularly vulnerable time for such attacks, as the urgency to resolve the situation increases with grades due and other academic deadlines approaching. Affluent districts are particularly targeted due to attackers perceiving them as having more resources available. To mitigate such risks, Gogolin advises districts to invest in advanced email filtering while educating staff about phishing emails. Additionally, teachers and students should maintain backups of essential data, such as grades and assignments, outside of school networks. The return to the traditional schooling method following the Rockford Public Schools ransomware attack is reminiscent to an earlier incident affecting Cannes Hospital, which forced its staff to resort to pen-and-paper techniques to keep services running. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Josh Krueger, the Chief Information Security Officer at Project Hosts, Inc. has been appointed to the Federal Secure Cloud Advisory Committee (FSCAC). This prestigious committee plays a crucial role in advising the Federal Risk and Authorization Management Program (FedRAMP) on various aspects of cloud computing adoption and security. The FSCAC appointment recognizes Mr. Krueger's expertise and Project Hosts' ongoing efforts to support secure cloud-computing practices and compliance standards, benefiting users and providers of cloud services. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide compliance initiative in the United States that offers a standardized framework for security assessment, authorization, and continuous monitoring of cloud products and services.

FSCAC Appointment Includes New Chair and Three Members

Along with Josh Krueger's appointment, Lawrence Hale, the deputy assistant commissioner within the Office of Information Technology Category Management for GSA's Federal Acquisition Service, will serve as the new chair of the FSCAC. In this capacity, Hale will act as a liaison and spokesperson for the committee's work products, in addition to his oversight responsibilities. Josh Krueger, and Kayla Underkoffler, the lead security technologist of HackerOne, will fill the vacant seats. Krueger's term will run through July 9, 2026, while Underkoffler's term will end on May 14, 2025. Carlton Harris, the senior vice president of End to End Solutions, has been appointed as the third new member of the FSCAC, with a three-year term ending on May 14, 2027. While not among the recent appointees, Michael Vacirca, a senior engineering manager at Google, has been reappointed to the federal panel for a full three-year term after serving for one year. His term will conclude on May 14, 2027. As an appointed Representative Member of the FSCAC, Mr. Josh Krueger is expected to bring unique perspectives towards the delivery of FedRAMP's Compliance-as-a-Service solutions. The role at the committee will involve representing the needs and viewpoints of businesses both small and large in the cloud-computing industry, and ensuring their interests are considered in the federal discussions and strategies around cloud adoption.

Responsibilities of the Federal Secure Cloud Advisory Committee

The FSCAC was formed by the General Services Administration in February 2023, in compliance with the FedRAMP Authorization Act of 2022, which is part of the National Defense Authorization Act for fiscal year 2023. The committee's primary responsibilities include advising and providing recommendations to the GSA Administrator, the FedRAMP Board, and various agencies on technical, financial, programmatic, and operational matters related to the secure and effective adoption of cloud computing products and services across different sectors. The committee also plays a significant role in examining the operations of FedRAMP, seeking ways to continually improve authorization processes, and collecting information and feedback on agency compliance with the implementation of FedRAMP requirements. Additionally, the FSCAC serves as a forum for communication and collaboration among all stakeholders within the FedRAMP community. The FSCAC will hold an open meeting on May 20th to discuss its next priorities, which are expected to further enhance the security and adoption of cloud computing solutions across the federal government. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

GhostSec, a threat actor group previously involved in financially motivated cybercrimes, announced a significant shift in their focus to depart from the cybercrime and ransomware operations to their original hacktivist aims. The announcement detailing GhostSec returns to hacktivism roots, would mark a notable change in the group's priorities and operational strategies, leading several to speculate that the stated departure comes after recent law enforcement efforts against international ransomware groups. The GhostSec group identifies itself as part of the Anonymous collective and is known to have been active in their operations since 2015. The group used hashtags such as #GhostSec or #GhostSecurity to promote their activities. The group was previously involved in the #OpISIS, #OpNigeria, and #OpIsrael campaigns.

GhostSec Will Transfer Existing Ransomware Clients to Stormous

In an announcement made on its Telegram channel, the GhostSec group stated that they had gathered sufficient funds from their ransomware operations to support other activities moving forward. Rather than completely abandoning their previous work, this transition includes transferring existing clients to the new Stormous locker by Stormous, a partner organization to whom they will also share the source code of the V3 Ghostlocker ransomware strain. [caption id="attachment_68783" align="alignnone" width="483"] Source: GhostSec Telegram Channel[/caption] They claim that these efforts will ensure a smooth transition to Stormous' services, while avoiding the exit scams or disruption risks typically associated with ransomware exits. Stormous will also take over GhostSec's associates within the Five Families collective, which previously consisted of GhostSec, ThreatSec, Stormous, BlackForums, and SiegedSec. While GhostSec will halt some of its earlier services, the group intends to maintain its private channel and chat room. The group announced a discount offer starting today and lasting until May 23rd for lifetime access to its private channel and chat room, reducing the price from $400 to $250. The group also suggested the possibility of offering a hacking course, although they are still debating the details.

GhostSec Returns to Hacktivism

The announcement expressed GhostSec's intentions to focus solely on hacktivism, a form of activism that employs hacking to promote social or politically driven agendas. GhostSec had a record of intense hacktivist operations and campaigns such as their successful efforts back in 2015 to taken down hundreds of ISIS-associated websites or social media accounts, reportedly halting potential terrorist attacks. The group used social media hashtags like #GhostSec, #GhostSecurity, or #OpISIS to promote their activities and participate in hacktivist initiatives against the terrorist group. GhostSec also promoted a project ("New Blood") to assist newcomers in picking up hacking skills to participate in their campaigns and provided resources to assist activists in anonymizing their identities such as WeFreeInternet, a project that sought to offer free VPN facilities to Iranian activists. The group had stated its intent to expand the project to support activists in similar circumstances who found their internet to be restricted by the governments worldwide. The official GhostSec Telegram channel where the announcement took place had been created on October 25, 2020, and the group is known to utilize its social media handles on various websites to promote its activities. It is important to note that the group's decision to depart from the cybercrime scene does not necessarily imply a shift towards more ethical practices. Furthermore, the group's involvement in financially motivated cybercrimes raises questions about their true motivations and the potential for their hacktivism to be used for personal gain or dubious political agenda rather than genuine social change. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Santander, one of the largest banks in the eurozone, confirmed that an unauthorized party had gained access to a database containing customer and employee information. The Banco Santander data breach is stated to stem from the database of a third-party provider and limited to the only some of the bank's customers in specific regions where it operated, as well as some of its current and former employees. However, the bank's own operations and systems are reportedly unaffected. Banco Santander is a banking services provider founded on March 21, 1857 and headquartered in Madrid, Spain. The provider operates across Europe, North America, and South America. It's services include global payments services, online bank and digital assets.

Customer and Employee Data Compromised in Santander Data Breach

The bank reported that upon becoming aware of the data breach, it had immediately implemented measures to contain the incident, such as blocking access to its database from the compromised source as well as establishing additional fraud prevention mechanisms to protect impacted customers and affected parties. After conducting an investigation, the bank had determined that the leaked information stemmed from a thid-party database and consisted of details of customers from Santander Chile, Spain and Uruguay regions along with some data on some current and former Santander employees. Despite the third-party database breach, customer data from Santander markets and businesses operating in different regions were not affected. [caption id="attachment_68444" align="alignnone" width="2422"] Source: santander.com[/caption] The bank apologized for the incident and acknowledged concerns arising from the data breach, taking action to directly notify the affected customers and employees. The security team also informed regulators and law enforcement of the incident details, stating that the bank would continue to work with them during the investigation. Santander assured its customers that no transactional data, nor transaction-facilitating credentials such as banking details and passwords were contained in the database. The statement reported that neither the bank's operations nor systems were affected, and that customers could continue with secure transaction operations. Along with the official statement in response to the data breach, the bank had provided additional advice on its site on dealing with the data breach:

• Santander will never ask you for codes, OTPs or passwords.
• Always verify information your receive and contact us through official bank channels.
• If you receive any suspicious message, email or SMS report it to your bank directly or by contacting reportphishing@gruposantander.com.
• Never access your online banking via links from suspicious emails or unsolicited emails.
• Never ignore security notifications or alerts from Santander related to your accounts.

Financial and Banking Sector Hit By Data Breaches

Increased cyber threats or third-party database exposure as in the Santander data breach pose serious concerns for stability within the financial and banking. The International Monetary Fund noted in a blog post last months that these incidents could erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions. In March, the European Central Bank instructed banks within the European region to implement stronger measures in anticipation of cyber attacks. Earlier, the body had stated that it would conduct a  resilience stest on at least 109 of its directly supervised banks in 2024. The initiatives come as part of broader concern about the security of European banks. Last year, data from the Deutsche Bank AG, Commerzbank AG and ING Groep NV were compromised after the CL0P ransomware group had exploited a security vulnerability in the MOVEit file transfer tool. The European Central Bank's site states that its banking supervisors rely on the stress tests to gather information on and assess how well the banks would able to cope, respond to and recover from a cyberattack, rather than just their ability to prevent attacks. The response and recovery assessments are described to include the activation of emergency procedures and contingency plans as well as the restoration of usual operations. The site states that these test results would then be used to aid supervisors in identifying weaknesses to be discussed in dialogue with the banks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cyble Research and Intelligence Labs (CRIL) researchers have uncovered a new SideCopy campaign. The threat actor group has previously been observed targeting South Asian nations with a particular focus on government and military targets in India and Afghanistan. Active since May 2023, the campaign targets university students through sophisticated infection chains involving malicious LNK files, HTAs, and loader DLLs disguised as legitimate documents. Ultimately, the campaign deploys malware payloads such as Reverse RAT and Action RAT, granting attackers extensive control over infected devices. The research explores the tactics employed by SideCopy, such as their recent focus on university students, and potential overlap in activities with the Transparent Tribe APT group.

Technical Analysis of the SideCopy Campaign Infection Chain

In early May, CRIL identified a malicious domain employed by the SideCopy group in their operations. The website was discovered hosting a ZIP archive file named "files.zip" that contained sub-directories labeled as "economy," "it," and "survey." The survey directory included files similar to those previously employed by SideCopy in their earlier campaigns. [caption id="attachment_68383" align="alignnone" width="1228"] Source: Cyble[/caption] The campaign likely employs spam emails to distribute the malicious ZIP archive hosted through the compromised website as the initial infection vector. These archives contain malicious LNK files disguised as legitimate documents, such as "IT Trends.docx.lnk." Upon execution, the LNK files trigger a series of commands that proceeds to download and execute a malicious HTA file. The downloaded HTA files contain embedded payloads within additional lure documents and DLL files. The lure documents are typically themed around current affairs or relevant academic topics to appear legitimate to the targeted demographic. [caption id="attachment_68384" align="alignnone" width="604"] Source: Cyble Blog[/caption] [caption id="attachment_68385" align="alignnone" width="894"] Source: Cyble Blog[/caption] The malware is crafted with the functionality to adopt to the presence of different antivirus software such as Avast, Kaspersky and Bitdefender, which further amplifies its ability to evade detection and ensure persistence by placing the LNK shortcut files in the startup folder. The attack process ultimately leads to the deployment of malicious payloads such as Reverse RAT and Action RAT on to the victim system, which then connect to a remote Command-and-Control (C&C) server to commence malicious activities.

Intersection with Transparent Tribe Activities

The research further suggests a potential overlap or collaboration between SideCopy and Transparent Tribe, another APT group known for targeting Indian military and academic institutions. This intersection hints at a possible collaborative efforts or shared objectives between the two groups with researchers previously noting that SideCopy may function as a sub-division of Transparent Tribe. SideCopy is also known to emulate tactics of the Sidewinder APT group in the distribute of malware files, such as the use of disguised LNK files to initiate a complex chain of infections. CRIL researchers have advised the use of strong email filtering systems, exercise of caution, the deployment of network-level monitoring and the disabling of scripting languages such as PowerShell, MSHTA, cmd.exe to prevent against this potential threat. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Millions of Internet of Things (IoT) devices present across the industrial, healthcare, automotive, financial, and telecommunication sectors are at significant risk due to several vulnerabilities in a widely-used cellular modem technology. These Cinterion Modem Vulnerabilities, found in modems manufactured by Telit Cinterion, pose severe threats to device integrity and network security. Telit Cinterion, is an Internet of Things (IoT) technology provider company headquartered in Irvine, California, United States. It provides various edge-to-cloud IoT services such as connectivity plans, IoT SIMs, IoT embedded software and PaaS IoT deployment managed services. The newly discovered vulnerabilities pose significant risks to communication networks and IoT devices, potentially leading to extensive global disruption.

 Several Cinterion Modem Vulnerabilities Discovered

The findings by Kaspersky researchers were first presented at the OffensiveCon international security conference held recently in Berlin. The findings disclosed the identification of several critical vulnerabilities in Cinterion modems integrated into a wide range of IoT devices. These vulnerabilities include remote code execution (RCE) and unauthorized privilege escalation flaws that exist in user applications (MIDlets) and the OEM-bundled firmware integrated with the modems. The most severe vulnerability, CVE-2023-47610, is a memory heap overflow that allows attackers to remotely execute arbitrary commands through specially crafted SMS messages on affected devices, without requiring further authentication or any physical access. This vulnerability can also unlock access to special AT commands, enabling attackers to read and write to the modem's RAM and flash memory. The researchers demonstrated its existence by developing their own SMS-based File System, which they installed on the modem by exploiting the identified vulnerability. This allowed the researchers to then remotely activate OTA (Over The Air Provisioning) to install arbitrary MIDlets, that were protected from removal by standard mechanisms, and required a full reflash of the firmware for removal. In addition to the RCE vulnerability, researchers also identified several security issues in user applications called MIDlets and the OEM-bundled firmware of the modems. These vulnerabilities, assigned CVE-2023-47611 through CVE-2023-47616, could potentially allow attackers with physical access to the modem to compromise the confidentiality and integrity of user MIDlets, execute unauthorized code, extract and substitute digital signatures, and elevate execution privileges of user MIDlets to the manufacturer level. The researchers reported these vulnerabilities to Telit Cinterion last November and while the company has issued patches for some of the flaws, not all of them have been addressed, leaving millions of devices still at risk. The modems are embedded in various IoT products, including industrial equipment, smart meters, telematics systems, and medical devices, making it challenging to compile a comprehensive list of affected products. To mitigate potential threats, organizations are advised to disable non-essential SMS messaging capabilities, employ private Access Point Names (APNs), control physical access to devices, and conduct regular security audits and updates.

Rising Concerns Over IoT Security

The discovery of these vulnerabilities highlights a growing concern over the security of IoT environments, especially in industrial control and operational technology settings. An analysis of 2023 threat data by Nozomi Networks noted a significant increase in attacks targeting IoT and OT networks, driven by a rise in IoT vulnerabilities. Previous incidents, such as the 9 vulnerabilities found in industrial routers by Robustel R1510, indicate that routers remain a common point of weakness in networks with vulnerabilities such as remote code execution or DDoS flaws that may then be used to potentially spread attacks across connected devices. In conclusion, these vulnerabilities in Cinterion modems necessitate urgent action from both device manufacturers and telecom operators to mitigate risks and protect essential infrastructure. The researchers behind the findings plan to publish a white paper on modem security internals within May 2024, following findings from this study. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Just days before its highly anticipated spring art auctions, Christie's, the renowned auction house, had fallen victim to a cyberattack, taking its website offline and raising concerns about the security of client data. The Christie's auction house cyberattack has sent shockwaves through the art world, with collectors, advisers, and dealers scrambling to adapt to the sudden disruption. Christie's is a British auction house founded in 1766 by James Christie, offering around 350 different auctions annually in over 80 categories, such as decorative and fine arts, jewelry, photographs, collectibles, and wine. The auction house has a global presence in 46 countries, with 10 salerooms worldwide, including London, New York, Paris, Geneva, Amsterdam, Hong Kong, and Shanghai. The company provided a temporary webpage after its official website was taken down and later notified that the auctions would proceed despite the setbacks caused by the cyberattack.

Christie’s Auction House Cyberattack Occurs Ahead of Major Auctions

[caption id="attachment_68140" align="alignnone" width="1000"] Source: Shutterstock[/caption] The cyberattack came at an inopportune time for Christie's, with several high-stakes auctions estimated at around $850 million in worth scheduled to take place in New York and Geneva. Art adviser Todd Levin highlighted the significance of the timing, expressing concern that the cyberattack was happening during a pivotal moment before the spring sales when buyers confirm their interest in artworks. He raised a pressing question: "How can potential bidders access the catalog?" The auctions will include works by Warhol, Basquiat, and Claude Monet, and pieces from the Rosa de la Cruz Collection, that are expected to generate hundreds of millions of dollars in revenue. Christie's website was taken offline following the hack which affected some of its systems. Despite the setback, Christie's has assured clients that the auctions will proceed as planned, with bidders able to participate in person, by phone, or through Christie's Live platform. Despite the hack, Christie's CEO Guillaume Cerutti assured clients that all eight live auctions in New York and Geneva would proceed as scheduled, with the exception of the Rare Watches sale, which was postponed to May 14th. In a statement, Cerutti elaborated: "I want to assure you that we are managing this incident according to our well-established protocols and practices, with the support of additional experts. This included, among other things, the proactive protection of our main website by taking it offline."

Growing Cybersecurity Concerns in the Art World

The incident is a sobering reminder of the increasing threat of cyberattacks in the art world. In recent years, several museums and art market platforms have fallen victim to hacking, highlighting the need for vigilance in protecting sensitive client information amidst slumbering sales. Earlier in January, a service provider managing the online collections of several prominent museums had been targeted, affecting institutions like The Museum of Fine Arts in Boston, the Rubin Museum of Art in New York, and the Crystal Bridges Museum of American Art. Last year in 2023, Christie's had another security incident come to light when it was discovered inadvertently exposing the GPS location and co-ordinates of several art pieces purchased by some of the world’s biggest and wealthiest collectors, revealing their exact whereabouts.  In 2017, hackers employed an email scam to intercept payments between dealers and clients, siphoning sums ranging from £10,000 to £1 million. These incidents underscore the art world's vulnerability to similar threats as the market becomes increasingly digital, auction houses and museums must take proactive steps to to invest in stronger defenses against a rapidly evolving cyber threat landscape and the risks it may pose to the art industry. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

An unidentified threat actor known as "pwns3c" has offered access to a database purported to contain sensitive data and documents from a City of New York data breach for sale on BreachForums. The City of New York website offers official digital representation of the city's government as well as access to related information such as alerts, 311 services, news, programs or events with the city. The claims made in the post, despite its alleged nature raises significant concerns about the extent of the data breach as well as the security practices followed by the government office.

Alleged City of New York Data Breach Claimed to Include Sensitive Data

The stolen database is allegedly stated to include 199 PDF files, approximately 70MB in size in total. The exposed data includes a wide range of personally identifiable information (PII), such as: Licensee Serial Number, Expiration Date, Applicant or Licensee Name, Trade Name, Street Address, City, Zip Code, Phone Number of Applicant, and Business Email of Applicant. Moreover, the data also reveals sensitive details about building owners, attorneys, and individuals, including their EIN, SSN, and signature. The threat actor is selling this sensitive information for a mere $30, and interested buyers are instructed to contact them through private messages within BreachForums or through their Telegram handle. The post seemingly includes links to download samples of the data allegedly stolen in the attack. [caption id="attachment_68084" align="alignnone" width="1872"] Source: BreachForums[/caption] The alleged data breach has far-reaching implications, as it puts the personal information of numerous individuals at risk. The leak of personally identifiable information (PII) and sensitive documents exposes individuals to potential risks of identity theft, fraud, and other malicious activities. The Cyber Express team has reached out to the New York City mayor's official press contact email for confirmation. However, no response has been received as of yet.

pwns3c Earlier Claimed to have Hacked Virginia Department of Elections

In an earlier post on BreachForums, pwns3c claimed an alleged data breach against the Virginia Department of Elections, compromising of at least 6,500 records. The earlier stolen data was also offered for USD 30 in Bitcoin (BTC), Litecoin (LTC), or Monero (XMR) on the dark web. The Virginia Department of Elections is responsible for providing and overseeing open and secure elections for the citizens of the Commonwealth of Virginia. It is responsible for voter registration, absentee voting, ballot access for candidates, campaign finance disclosure and voting equipment certification in coordination with about 133 of Virginia's local election offices. The compromised data was allegedly stated to have included sensitive information such as timestamps, usernames, election data, candidate information, and voting method details. However, there has been no official confirmation of the stated incident as of yet. The breaches claimed by pwns3c, despite their alleged nature highlight the persistent challenges of securing the websites of government institutions. The sensitive nature of the stolen data that may allegedly include Social Security Numbers (SSNs), contact information, election-related details, and signatures, underscores the urgency for government websites to strengthen their security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cybersecurity researchers at Cyble's Research and Intelligence Labs (CRIL) have uncovered a new ransomware variant called Trinity, which employs a double extortion strategy and has potential links to the previously identified Venus ransomware. This article explores the findings about the Trinity ransomware strain as well as the noted similarities between the Trinity and Venus ransomware strains.

Uncovering Tactical and Technical Details of Trinity Ransomware

CRIL researchers observed a new ransomware variant called Trinity, that employs common double extortion tactics such as exfiltrating data from victim's systems before encrypting them, and the intent to use both a support and leak site in their operations. The support site allows victims to upload sample files less than 2MB in size for decryption, while the leak site though currently empty, threatens to expose victim data. [caption id="attachment_68024" align="alignnone" width="940"] Source: Cyble Blog[/caption] Upon initial stages of the investigation, researchers observed similarities between the Trinity ransomware and the 2023Lock ransomware which has been active since early 2024. The deep similarities between the two variants such as identical ransom notes, and code suggest that Trinity might be a newer variant of the 2023Lock ransomware. Researchers noted an intricate execution process in the ransomware's operations such as a search for a ransom note within its binary file and immediately terminates if the file is unavailable. The ransomware collects system information such as the processor count, the pool of threads, and existing drives to prepare its multi-threaded encryption process. The ransomware then attempts privilege escalation by impersonating a legitimate process's token for its own usage, enabling the ransomware to bypass security measures. The ransomware deploys network enumeration activity along with lateral movement, demonstrating broad attack capability. [caption id="attachment_68025" align="alignnone" width="547"] Source: Cyble Blog[/caption] The Trinity variant employs the ChaCha20 algorithm to encrypt of victim files. After encryption, filenames are appended with “.trinitylock,” while ransom notes are left in both text and .hta formats in. The ransomware also modifies the desktop wallpaper to the ransomware note and uses a specific registry key to facilitate this change.

Similarities Between Trinity Ransomware and Venus Ransomware

The connections between Trinity and Venus go beyond mere similarities in their ransom notes and registry usage. Venus, an established ransomware operation with a global reach, emerged around mid-2022. The similarities between Venus and Trinity extend to their usage of identical registry values and consistency in their mutex naming conventions and code base. Additionally, the ransom notes used by both ransomware variants exhibit a similar format. The shared tactics and techniques indicate a possible collaboration between the two groups. This collaboration could lead to the exchange of techniques, tools, and infrastructure, amplifying the scale and sophistication of future ransomware campaigns. CRIL researchers have advised organizations to stay vigilant and implement robust cybersecurity measures to protect against these evolving threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

This week on TCE Cyberwatch we’re covering the different data breaches and vulnerabilities faced by different companies. Along with this, the rise of countries using AI and deepfake technology, some consensual and some not, adds depth to the conversation surrounding the security of it all. TCE Cyberwatch aims to bring updates around large-scale and small-scale events to ensure our readers stay updated and stay in the know of cybersecurity news that can impact them. Keep reading to learn about what’s currently trending in the industry.

Dropbox Sign data breached; Customers authentication information Stolen

Dropbox, a popular drive and file sharing service, revealed that they had recently faced a security breach which led to sensitive information being endangered. Specifically, Dropbox Sign, a service used to sign documents, was targeted. The data stolen was of Dropbox Sign users, which had information such as passwords, account settings, names, emails, and other authentication information. Rotation and generation of OAuth tokens and API keys are steps that have been taken by Dropbox to control fallout. Dropbox has assured that “from a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.” Read More

Cyberattacks on organizations in the UAE claimed by Five Families Alliance member, Stormous Ransomware

Stormous Ransomware has claimed responsibility for cyberattacks that have attacked several UAE entities. A ransomware group linked to the Five Families alliance which is known for targeting the UAE entities, Stormous Ransomware has targeted organisations like the Federal Authority for Nuclear Regulation (FANR); Kids.ae, the government’s digital platform for children; the Telecommunications and Digital Regulatory Authority (TDRA), and more. After announcing alleged responsibility for the attacks, the ransomware group demanded 150 BTCs, which comes to around $6.7 million USD. They had threatened to leak stolen data if the ransom was not paid. The organisations targeted by the group are yet to speak up about the situation and tensions are high due to the insurmountable damage these claims could cause. Read More

Russian bitcoin cybercriminal pleads guilty in the U.S. after arrest in France

Alexander Vinnik, a Russian cybercrime suspect, recently pleaded partially guilty to charges in the U.S. Previously arrested in Greece in 2017 on charges of money laundering of $4 billion through the digital currency bitcoin in France, Vinnik is now set to face a trial in California. Vinnik’s lawyer, Arkady Bukh, predicted that Vinnik could get a prison term of less than 10 years due to the plea bargain. The U.S. Department of Justice accused Vinnik of having "allegedly owned, operated, and administrated BTC-e, a significant cybercrime and online money laundering entity that allowed its users to trade in bitcoin with high levels of anonymity and developed a customer base heavily reliant on criminal activity." Read More

Many Android apps on Google Play store now have vulnerabilities that infiltrate them

Popular Android applications have faced a path traversal-affiliated vulnerability. Called the Dirty Stream attack, it can be exploited by one of these flagged applications leading to overwriting files. The Microsoft Threat Intelligence team stated that, “the implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's implementation.” The apps who have faced this vulnerability are popular, with 500 million to 1 billion downloads. Exploitation would have led to the attacker having control of the app and being able to access the user’s data, like accounts used. Microsoft is worried about it being a bigger issue and has asked developers to focus on security to protect sensitive information. Read More

Department of Social Welfare, Ladakh, in India, allegedly hacked, but no proof provided

Recently, a threat actor had allegedly hacked the database of the Department of Social Welfare Ladakh, Government of India. Their claims, however, seemed to have no support. No information was disclosed from their side and no breaching of sorts was sensed on the department’s website. However, if the claims are true, the fallout is predicted to be very damaging. Investigations into the claims are currently happening. As no motive or even the authenticity has been confirmed, for the individuals whose data resides in the departments database and national security, it’s important to detect and respond in a swift manner as to preserve the nation’s cyber security. Read More

U.K. military data breach endangers information of current, veteran military personnel

The U.K. military faced a data breach where the information of serving UK military personnel was obtained. The attack was of Ministry of Defence’s payroll system and so information like names and bank details, sometimes addresses, were gathered. The hacker behind it was unknown until now but the Ministry has taken immediate action. The "personal HMRC-style information" of members in the Royal Navy, Army and Royal Air Force was targeted, some current and some past. The Ministry of Defence is currently providing support for the personnel whose information was exfiltrated, and this also requires informing veterans’ organisations. Defence Secretary Grant Shapps is expected to announce a "multi-point plan” when he updates the MPs on the attack. Read More

India’s current election sees deepfakes, Prime Minister Modi calls for arrests of political parties responsible

India’s current Prime Minister Modi has announced that fake videos of him and other leaders making “statements that we have never even thought of”, have been circulating. This election, with its new name of being India’s first AI election, has led to police investigations of opposition parties who have made these videos with Modi calling for arrests. Prior to this, investigations regarding fake videos of Bollywood actors criticising Modi were also taking place. However, in this situation, around nine people have been arrested - six of whom are members of Congress’ social media teams. Five of them have managed to be released on bail, but arrests of higher-ranking social media members have been made. There has been a trending tag #ReleaseArunReddy for Congress national social media co-ordinator, Arun Reddy, who had shared the fake videos.

Germany and Poland accuse Russian Military Service of cyber-attacks

Germany has come out stating that an attack on their Social Democratic Party last year was done by a threat group believed to be linked to Russian Military Services. German Foreign Minister Annalena Baerbock said at a news conference in Australia that APT28, a threat group also known as Fancy Bear, has been “unambiguously” confirmed to have been behind the cyberattack. Additionally, Poland has joined in support of Germany and said that they were targeted by ATP28 too. Poland has not revealed any details about the attack they faced but Germany shares that they are working to rebuild damage faced by it. Baerbock stated that, “it was a state-sponsored Russian cyber-attack on Germany, and this is absolutely intolerable and unacceptable and will have consequences.”

Ukraine unveils new AI-generated foreign ministry spokesperson

Ukraine has just revealed an AI spokesperson who has been generated to deliver official statements for the foreign ministry. The messages being delivered are written by humans, but the AI is set to deliver them, moving animatedly and presenting herself as an individual through introducing herself as Victoria Shi. Victoria is modelled based on a Ukrainian celebrity, Rosalie Nombre, who took part in her development and helped to model the AIs appearance and voice after her. Ukraine’s foreign minister has said that she was developed for “saving time and resources,” along with it being a “technological leap that no diplomatic service in the world has yet made.” Read More

Singapore passes new amendment to their cybersecurity bill which regulates temporary, high-risk attacks

A new amendment to Singapore’s Cybersecurity Law was made by its Parliament to keep up with the country’s evolving critical infrastructure and to adapt to technological advancements. The changes made regulate the Systems of Temporary Cybersecurity Concern (STCC), which encompass systems most vulnerable to attacks in a limited period. This means the Cyber Security Agency of Singapore (CSA) can oversee Entities of Special Cybersecurity Interest (ESCIs), due to their error disposition affecting the nation’s security as a whole. With the country’s defence, public health and safety, foreign relations, and economy in danger, the Bill is set to target critical national systems only, leaving businesses and such as they are. Read More

Eurovision becomes susceptible to cyberattacks as the world’s largest music competition takes place during conflict

The 68th Eurovision Song Contest is being held in Sweden, Malmö, this year due to current tensions surrounding conflicts like Israel and Gaza, and Russia and Ukraine. Security has been tightened as in 2019, hackers had infiltrated the online stream of the semi-finals in Israel by warning a missile strike and showed images of attacks in Tel Aviv, the host city. There are several reports about hackers hijacking the broadcast as over 167 million people tuned in to watch last year. The voting system can also be an issue with the finals coming up, but Malmö’s police chief claims to be more worried about disinformation. The spokesperson for the contest stated that “We are working closely with SVT's security team and the relevant authorities and expert partners to ensure we have the appropriate measures in place to protect from such risks.” Read More

Wrap Up

This week we’ve seen militaries and governments being cyber-attacked and that truly reminds us how interconnected everything is. If big organisations are vulnerable to attacks, then so are we. TCE Cyberwatch hopes that everyone stays vigilant in the current climate of increased cyberattack risks and ensure they stay protected and are on the lookout for any threats which could affect them. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Treacle, a cybersecurity startup founded in 2021 by Subhasis Mukhopadhyay, Subhajit Manna, and Partha Das, has raised about 40 million in its pre-Series A funding round. This milestone achievement underscores the company's rapid growth and recognition within the industry. Founded by three seasoned entrepreneurs, Treacle has been deliberate in its mission to develop cutting-edge cybersecurity solutions that safeguard businesses from the ever-evolving threat landscape. With this latest injection of capital, the company plans to expand its product offerings, enhance its research and development capabilities, and further solidify its presence in the market. The pre-seed funding round, which marks a significant milestone for the startup, is expected to propel Treacle's growth trajectory. The company's founders express belief that this influx of capital will enable them to further accelerate goals. The funding was led by prominent investors who have shown a keen interest in Treacle's approach to tackling modern digital threats.

Treacle Offers Defensive Cyber Security Solutions

Treacle serves both private and government sectors with solutions developed through rigorous research. Subhasis Mukhopadhyay stated, “Our mission centers on safeguarding network infrastructures through early detection, containment, and deception of threats. We're committed to delivering unparalleled value in the market, ensuring our clients have access to premium security solutions affordably. Our goal is to establish ourselves as a market leader and create a safer cyber world within the next five to six years. The standout product of Treacle is the AI-Based Proactive Defense System with in-built Deception. This service is designed to protect businesses even if their firewalls and defense layers have been breached. It works by tracking and analyzing attacker behavior in the early stages, then luring the attacker into a complex, containerized mirage network. This strategy not only keeps other systems safe but also allows the gathering of important data about the threat, which is used to provide early warnings to SOC analysts, helping to prevent an attack before it takes place. Treacle also offers a range of other services, including Customized Honeypot Solutions, Network and Host-Based Intrusion Detection Systems, Insider Threat Detection Systems, and OT Network Security Systems. Additionally, the company can conduct thorough Cyber Security Audits and help design effective security policies. Vikram Ramasubramanian, Partner at Inflection Point Ventures, highlighted Treacle's core strengths in AI-Based Deception Technology, a cornerstone of their Defensive Cyber Security solutions. The company plans to introduce new features and enhancements that will further strengthen its security offerings and provide even greater value to its clients.

Company Growth and Achievements

Since its inception, Treacle has achieved significant milestones. The firm secured grants such as the C3iHub Grant and the SISFS Grant, in 2021 and 2022, respectively. Additionally, Treacle represented India under DPIIT and participated in a sponsored delegation trip to Dubai in 2022. They also won a significant grant from the Department of Telecommunications, Government of India in DCIS 2023, and were named the Best Student Led Startup in the AWS Campus Fund Grand Challenge 2023. Treacle's journey began in June 2021, following the selection of its pioneering product idea for investment. The innovative approach towards developing a Deception Technology solution caught the attention of C3iHub, leading to the securement of early funding. The seeming dedication and hard work behind the team also resulted in securing the prestigious SISFS grant from the Government of India. Since July 2021, Treacle has been part of the esteemed IHub Programme, incubated at SIIC, IIT Kanpur, which has further strengthened their commitment to developing cybersecurity solutions that stand the test of time. The pre-seed funding round, which marks a significant milestone for the startup, is expected to propel Treacle's growth trajectory. The company's founders are confident that this influx of capital will enable them to accelerate their innovation pipeline, build a stronger team, and ultimately drive greater value for their customers. The startup's vision is to empower organizations with advanced cybersecurity solutions that provide real-time protection against emerging threats. With this vision in mind, Treacle is poised to make a significant impact in the cybersecurity landscape, and this latest funding round is a testament to the company's potential for growth and success. "Securing this funding allows us to accelerate our roadmap and bring our next-generation cybersecurity solutions to a wider audience," said Subhasis Mukhopadhyay, CEO of Treacle. "We are grateful for the support from our investors and are eager to continue our journey in making the digital world safer for everyone." Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In an unexpected turn of events, LockBitSupp, the administrator of the notorious LockBit ransomware group, responded publicly to the Federal Bureau of Investigation (FBI) and international law enforcement's efforts to identify and apprehend him. After bringing back previously seized domains, law enforcement identified Dmitry Yuryevich Khoroshev as the mastermind behind the LockBit operations in an earlier public announcement. This was followed by official sanctions issued by the U.S., U.K., and Australia, accompanied by 26 criminal charges ranging from extortion to hacking, collectively carrying a potential maximum sentence of 185 years imprisonment. The Justice Department has also offered a staggering $10 million reward for information leading to Khoroshev's capture. However, LockBitSupp denied the allegations and attempted to turn the situation into a peculiar contest on the group's remaining leak site.

LockBitSupp Opens Contest to Seek Contact with Individual

The Lockbit admin made a post within the group's leak site about a new contest (contest.omg) in order to encourage individuals to attempt to contact Dmitry Yuryevich Khoroshev. The announcement asserts that the FBI is wrong in its assessment and that the named individual is not LockBitSupp. The announcement seems to try and attribute the alleged identification mistake as a result of an unfortunate cryptocurrency mixing with the ransomware admin's own cryptocurrency funds, which they claim must have attracted the attention of the FBI. Cryptocurrency mixing is activity done to blend different streams of potentially identifiable cryptocurrency to provide further anonymity of transactions. The contest, brazenly invites participants to reach out to the individual believed to be Dmitry Yuryevich Khoroshev and report back on his wellbeing for $1000. The ransomware admin then claimed that the first person to provide evidence such as videos, photos, or screenshots confirming contact with the the "poor guy," as LockBitSupp refers to him, would receive the reward. [caption id="attachment_67621" align="alignnone" width="1055"] Source: X.com (@RedHatPentester)[/caption] Participants were instructed to send their findings through the encrypted messaging platform Tox, using a specific Tox ID provided by LockBitSupp.

LockBitSupp Shares Details of Named Individual

In addition to the contest details, LockBitSupp shared multiple links to LockBit-associated file-sharing services on the dark web, presumably for individuals to archive gathered details and submit as contest entries. They also listed extensive personal details alleged to belong to Dmitry Khoroshev, including email addresses, a Bitcoin wallet address,  passport and tax identification numbers Amid the defiance and contest announcement, LockBitSupp expressed concern for the well-being of the person they claim has been mistakenly identified as them, urging Dmitry Yuryevich Khoroshev, if alive and aware of the announcement, to make contact. This unusual move by LockBitSupp attempts to challenge the statement made by law enforcement agencies and underscores the complex dynamics of the cyber underworld, where hackers taunt their pursuers openly. LockBitSupp emphasized that the contest will remain relevant as long as the announcement is visible on the blog. The admin hinted that there may be similar contests in the future with more substantial rewards, urging followers to stay tuned for updates. The announcement was uploaded and last updated on May 9, 2024, UTC, leaving the public and the cybersecurity community watching closely for further developments. In a recent indictment Khoroshev was identified to behind LockBit's operations and functioned as the group's administrator since September 2019. Khoroshev and the LockBit group was stated to have extorted at least $500 million from victims in 120 countries across the world. Khoroshev was stated to have received around $100m from his part in this activity. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The International Baccalaureate Organization (IBO) confirmed a hacking incident, while clarifying that no ongoing exam papers were leaked despite claims online of a wider cheating scandal. The IB found students sharing exam details online before the completion of their ongoing tests globally, and simultaneously observed increased malicious activity targeting its computer networks. On investigating the online claims, IB found that the leaked data set appeared to be limited to earlier data from 2018, while the ongoing exam paper leaks could be a result of some students sharing exam papers online rather than a hack. Founded in 1968, the International Baccalaureate is a non-profit educational organization based in Geneva, Switzerland. It aims to provide high quality international education free of regional, political or educational agendas.

Exam Cheating Concerns Amidst International Baccalaureate Hack

Earlier last week, the International Baccalaureate had released an update stating that it was investigating online speculation about potential cheating by some students in the ongoing exams. The organization stated that while there was no evidence of widespread cheating, some students might have engaged in "time zone cheating". The organization defined time zone cheating as an action where students "who have completed their examinations share what they can recall from memory about the exam questions on social media before other students take the examination." Citing its own academic integrity policy which forbids such behaviour, the organization stated that students engaging in such activity would not receive their Diploma certificates or grades and may potentially be banned from future exam retests. [caption id="attachment_67556" align="alignnone" width="2800"] Source: Official Update[/caption] After its initial investigations, the organization stated that it had experienced an increase in attempted malicious activity aiming to interfere with its systems. It also confirmed that some data from 2018, including employee names, positions, and emails, had been breached through a third-party vendor, and screenshots of this leaked data were shared online. However, the organization again clarified that at the time of the investigation, no recent exam material was found to be compromised. The notice further stated that IB was continuing to assess the incident and had taken steps to contain the incident. The organization mentioned that it would provide further information on the incident as the situation evolved. The Cyber Express team has reached out to the International Baccalaureate for further details, and a spokesman responded with a link to the second update notification.

Students Petition For Exam Cancellation

The exam is taken by nearly 180,000 students internationally. However, recent speculations over the hacking incident and cheating allegations have raised concerns among students and their parents, leading to an online petition demanding exam cancellation or re-test. Amidst the speculation, the International Baccalaureate took action to remove leaked content and stated that cheaters would face severe consequences. Some condemned the leaks as failures in governance and urged for improved exam security, prompting the IB to affirm its intention to stay ahead of technological threats while promoting academic integrity in the exam process. The IB further cautioned its authorized network of schools about data breaches and phishing attempts. The leaked materials from the International Baccalaureate data breach were observed to have been downloaded over 45,000 times. The leaked content, allegedly included mathematics and physics papers which were widely circulated online, further raising doubts about exam integrity. It remains to be seen, if the student petition demand's for justice or the organization's observation of increased hacking attempts will lead to a further escalation of the situation. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Medusa ransomware group has demanded $3.5 million from the Chemring Group on their leak site, along with a looming threat to leak 186.78 GB of sensitive documents claimed to have been obtained from the Chemring Group data breach. The group set the negotiation deadline as May 16, 2024, providing the victim about 9 days to surrender to demands while also presenting additional options such as prolonging negotiation period, removing or downloading the data allegedly stolen during the attack at varying prices. The Chemring Group is a multi-national UK-based business that provides a range of technology solutions and services to the aerospace, defence and security markets around the world. The Chemring Group data breach post was shared on the threat actor's data leak site along with 3 American organizations listed as victims. However, the authenticity of these claims is yet to be verified. While the Chemring Group refutes any major compromise, they have confirmed an ongoing investigation into the alleged data breach.

Medusa Hackers Demand $3.5 Million Following Chemring Group Data Breach

On the leak site, the ransomware group demanded a ransom of 3.5 million USD with a negotiation deadline of 16th May 2024. The group allegedly exfiltrated 186.78 GB of confidential documents, databases, and SolidWorks design files. However no sample data had been shared making it harder to verify the group's claims. Additionally, the leak site provided the victim with the options to add an additional day to make ransom negotiations for 1 million, to delete all the data for 3.5 million or download/delete the exfiltrated data for 3.5 million. [caption id="attachment_67453" align="alignnone" width="944"] Source: X.com / @H4ckManac[/caption] The Chemring Group PLC listing was also accompanied by the listing of three alleged victim organizations, including One Toyota of Oakland, Merritt Properties and Autobell Car Wash. After being reached out for additional details by The Cyber Express team, a Chemring Group spokesman made the following statements about the alleged ransomware attack:

Chemring has been made aware of a post that has appeared on X (formerly Twitter) alleging that the Group has been subject to a ransomware attack. An investigation has been launched, however there is currently nothing to indicate any compromise of the Group’s IT systems, nor have we received any communication from a threat actor suggesting that we have been breached. We confirm that all Chemring businesses are operating normally. Our preliminary investigations lead us to believe that this attack was on a business previously owned by Chemring but where there is no ongoing relationship or connection into our IT systems. As this is subject to an ongoing criminal investigation we cannot comment further at this stage.

Who is Medusa Ransomware Group?

The MedusaLocker ransomware group has known to have been active since September 2019. The group  usually gains initial access to victims’ networks by exploiting known vulnerabilities in Remote Desktop Protocol (RDP). The Medusa ransomware group has been observed to increase their attack campaigns after the debut of a their dedicated data leak site in February 2023. The group primarily targets healthcare, education and public-sector organizations inits campaigns. The group was previously responsible for an attack on Toyota in December 2023 in which the group obtained access to sensitive details such as names, addresses, contact information, lease-purchase details, and IBAN numbers. The incident prompted the company to adopt stronger data protection and notify affected customers while informing details about the breach to relevant authorities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Hong Kong fire department uncovered a recent breach in its computer system that exposed the personal information of over 5,000 department personnel and hundreds of residents. The Hong Kong Fire Department data breach, the third incident involving government data in less than a week, stems from an unauthorized change in privileged access rights during a data migration procedure by an outsourced contractor, according to a statement from the Fire Services Department (FSD). The Hong Kong Fire Services Department is an emergency firefighting government service that conducts rescue operations on land and sea. The department is also responsible for providing emergency ambulance service for sick and injured as well in providing fire protection advice to the general public. However, there is no evidence that the leaked data from the Hong Kong Fire Department data breach had been published online.

Systems Suspended Following Hong Kong Fire Department Data Breach

[caption id="attachment_67236" align="alignnone" width="1000"] Source: Shutterstock[/caption] Following the discovery of the intrusion, the fire department suspended the affected system and launched an investigation along with the third-party contractor. The department immediately revoked the contractor's access rights to prevent further data leakage and implemented enhanced security measures to prevent similar incidents. The compromised data included the last names and phone numbers of approximately 480 individuals who reported tree collapse incidents during the Super Typhoon Saola in September 2023. Additionally, personal details such as names, phone numbers, and ranks of around 5,000 FSD staff were at risk, with 960 personnel having their incomplete identity card numbers exposed in the breach. Details regarding the breach were notified to the relevant authorities including the Police, Security Bureau, Privacy Commissioner for Personal Data, and Government Chief Information Officer. "The FSD believes that the incident happened when the outsourced contractor handled the data migration procedure. During the process, the access right of the data was found altered without authorisation, posing a potential risk of data leakage," a Fire Services Department spokesperson stated. The Hong Kong Fire Services Department apologised for the incident and notified those affected through text messages or phone calls. However the department assured the public that there was no evidence that the data had been leaked as of yet.

Data Breach Follows Two Cyber-Incidents within the Same Week

This Hong Kong Fire Department data breach follows similar data breach incidents involving the Electrical and Mechanical Services Department (EMSD) and the Companies Registry last week, where data stored on their servers had been compromised. Lawmaker Elizabeth Quat who heads the Panel on Information Technology and Broadcasting has called for improved data security measures and a punishment mechanism for future incidents and similar blunders. The Electrical and Mechanical Services Department (EMSD) system glitch last Tuesday allowed for unauthorized access to the names, telephone numbers, identity card numbers and addresses of around 17,000 individuals through the server platform without requiring a password. The Companies Registry stated last Friday that security flaws in its online e-Services Portal developed by a third-party contractor resulted in the transmission of additional personal data beyond what was requested by the client computer during searches. While this additional data was not displayed directly, it could be obtained through the use of web developer tools. The additional data was estimated to affect about 110,000 data subjects and included their names, full passport numbers, identity card numbers, residential addresses, telephone numbers and email addresses. The city's privacy watchdog reported a significant increase in data breach notifications last year, signaling a growing concern for data protection. In a recent case involving Cyberport, a government-owned tech hub, the watchdog identified lapses in security audits and unnecessary retention of personal data, highlighting the need for better oversight in handling sensitive information. The string of government-related data breaches highlights the possibility of security weaknesses introduced through dependence on external third-party contractors. This weakness remains a major problem globally as observed in the recent incident UK Ministry of Defense data breach stemming from an external payroll provider. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Brandywine Realty Trust issued a recent filing to the US Securities And Exchange Commission (SEC), where it confirmed that an unauthorized third-party had gained access to portions of its internal network. The Brandywine Realty Trust data breach is stated to have affected the functioning of some of its internal systems, following preventative measures as part of the firm's incident response plan. Brandywine Realty Trust is one of the largest publicly traded real estate companies in the United States with a primary focus in the Philadelphia, Texas and Austin markets. The firm is organized as a real estate investment trust and manages 69 properties comprising of 12.7 million square feet in land spanning multiple states. Upon detecting the intrusion, the trust initiated its response protocols and took steps to contain affected systems, assess the extent of the attack and move towards remediation. Investigative efforts were held together with external cybersecurity professionals, while details were shared with law enforcement.

Brandywine Realty Trust Data Breach Disrupted Trust's Operations

The filing reveals that along with unauthorized access to its internal systems, the attack also involved the  encryption of some of the company's internal resources. The encryption process disrupted access to portions of the company’s business applications responsible for several of the company's internal and corporate functions, including its financial and reporting systems. The company disclosed that certain files were stolen during the attack, but that it is still working on determining the extent of sensitive and confidential information accessed during the intrusion into its IT systems, and establishing if any personal information had been accessed. However, the company believes that the intrusion had been been contained from spreading further into its systems and stated that it is working diligently to restore its IT systems back online. The Company is also  evaluating if any additional regulatory and legal notifications are required after facing the incident and will issue appropriate notifications according to its findings.

Perpetrator Behind Brandywine Realty Trust Data Breach Unknown

The company is known to have rented out commercial properties to various prominent firms, with its biggest tenants including IBM, Spark Therapeutics, Comcast, and the FMC Corporation. However, the attack comes during a recent period of increased ongoing volatility in the office commercial space with  Brandywine recently cutting down its quarterly dividend, from 19 cents to 15 cents a share, for the first time since 2009. In an recent interview, the company's CEO acknowledged “turbulent times” in commercial real estate space and the company aimed at covering its “danger points.” He added the company has plenty of cash and available credit, while noting that compared to its peers, the firm had a substantially lower number of leases set to expire over the next few years.

The personal data of an unspecified number of active UK military personnel had been compromised in a significant Ministry of Defence data breach. The UK's Ministry of Defence (MoD) is tasked with protecting the UK, its crown dependencies, and its overseas territories against threats from both state and non-state actors. The ministry also oversees and trains the Royal Navy, British Army, Royal Air Force, and the Strategic Command. The breach occurred as a result of an attack on the Ministry of Defence (MoD) payroll system, but the exact motives of the perpetrators behind the breach remain unknown.

Victims of Ministry of Defence Data Breach Being Actively Notified

The compromised data spans several years and includes the names, bank details, and in at least a few instances, even the personal addresses of active and previously-serving armed forces members. The Royal Navy, Army, and Royal Air Force are included in this breach. However the ministry confirmed that no operational defence data had been accessed during the incident. The affected payroll system was managed by an external contractor. Upon becoming aware of the incident,  immediate action was taken by the Ministry of Defence, with the affected system taken offline, and investigations underway.  The MoD further confirmed that it would ensure that all salaries would reach its service members on time. The investigation parties which include public cybersecurity agencies GCHQ and NCSC, are also examining potential security failings or vulnerabilities by the third-party contractor SSCL, who operated the payroll system for the MoD. The MoD is actively notifying and providing support to those affected, including veterans' organizations. UK's Defence Secretary Grant Shapps is scheduled to update MPs in the Parliament about the breach and outline a "multi-point plan" to protect affected service personnel.

Several Sources Suspect China Behind Ministry of Defence Data Breach

Although the hackers' identity remains undisclosed, some officials and news agencies suspect China to be behind the attack amidst rising warnings about the threats posed by hostile states and third parties. China was previously reported to have attempted to obtain data from ex-RAF pilots through the use of financial lures. However, the MoD has not commented on China's involvement. Tobias Ellwood, a Conservative MP and veteran disclosed to Sky News that he believed China might behind the attack as a way of coercing the financially vulnerable in exchange for cash. In response to these allegations, the Chinese foreign ministry emphasized its stated opposition to all forms of cyber attacks and rejected the use of hacking incidents for political purposes. The UK-China relationship has been strained over recent hacking allegations, with Britain accusing Chinese-government sponsored hackers of targeting its lawmakers and electoral watchdogs over the past few years. While the breach is being investigated, concerns arise about sharing sensitive intelligence with countries harboring close relationships with China. This incident follows previous cyberattack campaigns attributed to China, prompting government officials to acknowledge China as a significant challenge. Martin Greenfield, CEO of the London-based cybersecurity consultancy Quod Orbis, expressed that the incident was the latest in a series of recent cyber-attacks demonstrating the threat of campaigns targeting nationally sensitive data as observed last month with an attack on the NHS. He added that UK organizations still face challenges in securing systems and that there needs to be further co-operation and information sharing between different teams and between public and private agencies to combat this threat rather than operating in isolation. He also expressed concern that the compromised service member data may be used in further targeted attacks in the digital and physical world, with tensions in the Middle East and Ukraine, such compromised data might pose additional challenges for MoD operations in the area. Mel Stride, a government minister, highlighted the need to balance security concerns with economic engagement with China. He emphasized the importance of including China in global discussions on issues like climate change. In Parliament, Deputy Prime Minister Oliver Dowden made use of the example of previously alleged incidents involving attacks on the Electoral Commission and targeted attempts on MPs who have made criticism against China. Opposition politicians and former military personnel expressed concerns and called for a comprehensive response from the government. As China's president, Xi Jinping, tours Europe, including friendly nations, concerns persist about the Chinese government's purported efforts at cyber espionage. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Play ransomware group has claimed responsibility for an attack on the Kansas City Scout System which forced its staff to take immediate protective action by shutting down all systems. The Kansas City Scout System provides real-time weather and traffic updates to drivers along roads and highways in Kansas City. This system, managed jointly by the Departments of Transportation in Missouri and Kansas, suffered a significant setback during a weekend of severe storms. While the details of the attack are unknown, the Play ransomware gang later appeared to claim responsibility for the attack. The shut down affected the service's dynamic information boards, the official website as well as the real-time camera system.

Kansas City Scout System Systems Shut Down

Local news outlets posted images of blank screens along the Kansas City highways, highlighting the system's outage. The organization later confirmed through social media that a cyberattack had caused the disruption. Although specific details regarding the attack were not disclosed, the IT team took preemptive measures by shutting down all systems. [caption id="attachment_67016" align="alignnone" width="864"] KC Scout System Services Update Notice on X.[/caption] The Kansas City Scout staff stated on its official X.com (Twitter) account that restoration efforts were underway but stated that it was too early to provide a rough estimation of full availability and that could possibly take months for full restoration. The staff requested for patience from partners and the public as they work to restore the systems. [caption id="attachment_67012" align="alignnone" width="502"] Source: X.com (@AlvieriD)[/caption] The Play Ransomware group listed the Kansas City Scout System as a victim on its official leak site today, while giving about 6 days before publication of allegedly compromised data. No samples or further details were provided, making it difficult to confirm the group's involvement in the attack. While Play Ransomware group has claimed responsibility for the cyberattack on the Kansas City Scout System, however, it remains unconfirmed whether they actually conducted the attack or are merely claiming responsibility to attract attention. Official confirmation of the hacker collective responsible for the said attack is yet to be provided.

Attack coincided with severe weather conditions in the area

This attack coincided with severe weather conditions in the area, including tornadoes that claimed four lives. Trooper Tiffany Baylark from the Kansas Highway Patrol expressed concerns about the inability to communicate severe weather warnings or watches to drivers due to the outage. The inaccessibility of the system's official website, further complicated the situation amidst the severe weather forecast. Melissa Black, a spokeswoman for the Missouri Department of Transportation’s Kansas City District advised the public to seek Missouri traffic information via MoDOT.org or by calling 888-275-6636. Similarly, Kansas information could be obtained through KanDrive.gov or by calling 511. Officials stated that immediate and critical traffic information impacting the KC metro area would be shared through these sites. Limited information about the traffic and weather situation could be accessed via the toll-free number. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Australian privacy commissioner warned the Australian public that third-party suppliers serve as "a real weak spot" to safeguard customer privacy. The warning follows a massive data of over 1 million Australians stemming from a data breach involving a third-party club management software contractor. The leak impacted New South Wales and Australian Capital Territory club-goers while including sensitive personal details such as names, addresses and driver's license. The privacy commissioner has also expressed frustrations with the push towards urgent roll out of artificial intelligence without appropriate regulations to protect citizens.

Commissioner Makes Statement as Part of Privacy Awareness Week

Australia's new Privacy Commissioner, Carly Kind, emphasized that this issue was growing and that larger organizations such as clubs needed to ensure that third-party suppliers and contractors maintained adequate data privacy standards to fulfill their obligations to consumers. Kind highlighted that while the shift towards a digital economy presented significant opportunities for individuals, businesses, and the public, it also came at the expense of personal privacy. She pointed out that invasive data-gathering practices, weak security protocols, and unfair terms and conditions undermined individual agency while exposing organizations to additional liabilities in the form of data breaches and privacy complaints. The commissioner felt that these new technologies have led to an expansion in the collection and usage of personal information without considering the potential intrusions into individual and collective privacy. The commissioner advised the Australian public to be actively involved and engaged in protecting their personal information. She emphasized that businesses and other organizations collecting data must make informed decisions to safeguard and protect it, while avoiding unnecessary retention of data. Australian Information Commissioner Angelene Falk noted that the Office of the Australian Information Commissioner (OAIC) continues to receive numerous reports of multi-party breaches, primarily stemming from breaches in cloud or software providers.

Australian Privacy Commissioner Expresses Additional AI Concerns

As part of the privacy week statement, Kind also expressed frustration about the sense of urgency for AI deployment, which seemed to override a more cautionary approach. The commissioner noticed a worrying business perception that AI isn't being used enough, leading to  a sense of urgency and missed opportunity that ignores adequate considerations for its positive implementation and the integration of existing laws and regulations to protect customer data and privacy. Kind has professional expertise in AI, having worked previously as the inaugural director of the London-based AI and data research organization, the Ada Lovelace Institute.

Australian Privacy Commissioner Supports Law That Bolsters Privacy

While the Australian privacy commissioner has limited power to address serious privacy breaches, the  requirement threshold to meet the requirement is excessively rigid to the point only two civil penalty proceedings were passed in the past nine years. However, reforms to the Privacy Act introduced by Attorney-General Mark Dreyfus in August 2023, seek to empower the commissioner's ability to crack down on breaches with the inclusion of new low-tier and mid-tier civil penalty provisions that would effectively allow the commissioner to deal with non-serious and one-off breaches. The new bill aims to strengthen privacy protections by allowing Australians to sue for deemed privacy invasions and targeted use of personal information like doxing. This reform is deemed vital as personal privacy faces increasing threats. Carly Kind, the new privacy commissioner, has noted industry support for these reforms and highlighted concerns about excessive data collection and outdated privacy laws. Kind's appointment as the standalone privacy commissioner reflects a renewed focus on privacy issues and follows the Australian government's efforts to strengthen the Office of the Australian Information Commission. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Recent law enforcement action saw several LockBit sites resurrected, with the stated announcement that more details would be revealed about LockBit admin LockBitSupps, gang members and affiliates of the group. As part of the action, at least three former LockBit leak sites were brought back as part of the recent effort. The sites additionally state that the seized domains are set to shut down again within 4 days.

LockBit Sites Resurrected Were Seized Earlier by Law Enforcement

The sites were brought down earlier as part of the joint-sequence Operation Cronos from, where 10 countries took action to disrupt LockBit's infrastructure facilities within in the United States and abroad. The group said law enforcement had hacked its former dark web site using a vulnerability in the PHP programming language, which is widely used to build websites. [caption id="attachment_66818" align="alignnone" width="1471"] Source: X.com (@marktsec46065)[/caption] The resurrected site suggests that law enforcement personnel have obtained further access to details involving LockBit affiliates and the ransomware group's admin LockBitSupp while investigating the group's back-end systems. During the earlier operation, law enforcement also claimed to be aware of personal details involving LockBitSupp, claiming to know where he lives and that he had engaged with law enforcement. As indicated by the site, the agencies responsible for the recent action will likely issue official press statements. The agencies re-affirmed its commitment to supporting ransomware victims worldwide and encouraged individuals and organizations to report incidents to law enforcement.

LockBit Claimed Responsibility for Recent String of Attacks

Despite the earlier disruptions and seizures, LockBit continued to claim responsibility for several recent attacks including an attack on Cannes Hospital. The attack forced the hospital to take down its computer systems and switch to traditional pen and paper or manual systems to continue to support patients. Following the hospital's refusal to surrender to ransom demands, the group had allegedly published medical and personal data, including ID cards, health sheets and pay slips. However, the extent and scale of the ransomware group's operations remains much lower than observed in the past year. It is unknown what effect the current action might have on the group's operations as both law enforcement and the ransomware group as well as it's affiliates remain persistent with their efforts. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The F Society ransomware group has listed 4 additional new victims on its leak site. The group's alleged victims include: Bitfinex, Coinmoma, Rutgers University, and SBC Global Net. Bitfinex is a prominent crypto-exchange platform while Coinmoma offers cryptocurrency-related coin, chart and event data. Rutgers University is a public land-grant university operating four campuses in the state of New Jersey. It is one of the oldest operating universities in the United States. SBC Global Net was an email service provided by SBC Communications, which was later acquired by AT&T.

F Society Ransomware Group Shared Alleged Samples

While the attack remains unconfirmed, the ransomware group shared unique descriptions for each victim along with links of sample data obtained from the attacks. The description for each attack included a mention of the total file size of the stolen information and the type of data obtained in the attack. [caption id="attachment_66368" align="alignnone" width="414"] Source: X.com (@AlvieriD)[/caption] Each victim was given 7 days to pay a ransom or threatened with leak of the obtained data. No ransom amount was publicly mentioned. [caption id="attachment_66365" align="alignnone" width="353"] Source: X.com (@AlvieriD)[/caption] The following claim was made about each victim:

• Bitfinex: The post description stated that the group had stolen 2.5 TB of information and the personal details of 400K users.
• Rutgers University: The group claimed to have stolen 1 TB of data, while not stating what form of information it had acquired.
• Coinmoma: The group claimed to have obtained sensitive data including user information and transaction histories. The file was stated to be 2TB in size and consisting of 210k user records.
• SBC Global Net: The group claimed to have obtained unauthorized access to the victim's system and that they had obtained sensitive data such as personal details of users. The file size was stated at 1 TB in size.

No official responses have been made yet and the claims remain unconfirmed. The Cyber Express Team has reached out to Rutgers University for details about the alleged data breach, however at the time of writing no response was received.

BitFinex Was Previously Hacked

While the F Society ransomware group's claims are unverified, BiFinex had previously fallen victim to a major hacking incident in the past. In the earlier 2016 incident, about 119,754 in bitcoin was stolen from the Bitfinex platform after a hacker breached its systems and initiated about 2,000 unauthorized transactions. The stolen bitcoin was sent to a man, who along with his wife, attempted to launder the money across digital accounts. Law enforcement managed to track the couple after 6 years, and managed to recover more than 94,000 bitcoin that had been stolen from Bitfinex. The total value of the recovered bitcoin was stated at over $3.6 billion at the time of arrest, making it the single largest recovery in the history of the US Department of Justice. However, the perpetrator of the hack is still unknown but is known to have used a data destruction tool to cover their trail. A former FBI agent was quoted as stating that Bitfinex’s earlier security lapse was likely due to its desire to accelerate transactions and thereby raise profits. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Passwords remain the most common instrument in securing our digital lives, yet they still serve as the basis of targeted attacks by cybercriminals. World Password Day on May 2nd serves as a obligatory reminder of the importance of robust password practices. In light of this day, experts have offered offer key insights and secure password recommendations to enhance password security, safeguarding personal data from malicious attacks.

Secure Password Recommendations for World Password Day

Weak passwords are enticing to attackers as they could grant access to various types of sensitive data – personal data, financial information, identity documents or other compromising details. According to research from Kaspersky, telemetry data in 2023 indicated that at least 32 million password-based attacks were attempted in 2023. While the number of attempts have dropped down from about 40 million incursions in 2022, these number still remain a cause of concern. Here are some expert-backed secure password recommendations to mitigate the risks of password-based cyber threats and maintain personal security online: Creating Strong and Memorable Passwords: Experts recommend the "association method" as an effective method to craft strong yet memorable passwords. The association method involves using personally significant word sequences or concepts while creating passwords. For example, the use of special quotes or events you have been fond of can be used to form a sequence that is easy to recall due to personal significance but remains a challenge for outsiders to guess. Embracing Non-Standard Options: Unique or uncommon password characters such as emojis present an alternative to commonly-known words. As Emojis are based on the Unicode standard, they offer a range of characters that would be difficult to crack through automation. By incorporating emojis into passwords, users can enhance security while adding a creative touch to their login credentials. Avoiding Common Pitfalls: It remains important to steer clear of common and easily guessable passwords like "1234" or "password." Cybercriminals often exploit these predictions through automated brute-forcing techniques. Users may find it hard to keep track of passwords as most platforms require passwords with a minimum strength of symbols, letters & numbers.  Password managers can be used to generate strong and unique passwords for safekeeping. One Account, One Password Strategy: Managing multiple accounts can be challenging but adopting a one-account-one-password strategy can enhance personal security by limiting the potential impact of a compromised password. Password managers can assist you with the creation and maintenance of different passwords. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researchers have discovered that several popular Android applications in the Google Play Store with millions, even a billion downloads are susceptible to a path traversal-related vulnerability that is being referred to as the 'Dirty Stream Flaw'. In the recently-released report, the Microsoft Threat Intelligence team, stated, "The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's implementation." Successful exploitation of this vulnerability could allow an attacker to take full control of the application's behavior and leverage the stolen tokens to gain unauthorized access to the victim's online accounts and other data.

Xiaomi File Manager and WPS Office Vulnerable to Dirty Stream Flaw

The bug stems from the Android FileProvider class, a subclass of the ContentProvider class which is used to facilitate file sharing or picking between different applications while still maintaining secure isolation between each other. A correct implementation would provide a reliably solution for file sharing between applications, while an improper implementation could be exploited to bypass typical read/write restrictions or overwrite critical files within Android. While the researchers identified several applications potentially vulnerable to the attack and representing over 4 billion downloads together, they suspect that the vulnerability may be present in other applications. The Xiaomi Inc.’s File Manager (com.mi. Android.globalFileexplorer) with a billion downloads and WPS Office (WPS Office (cn.wps.moffice_eng) with over 500 million downloads are two prominent examples among the identified applications. The vulnerabilities were reported by the researchers to the Xiaomi, Inc. and WPS Office security teams, who deployed fixes for these apps on February 2024 with Xiaomi published version V1-210593 of it's file manager application and version 17.0.0 of WPS Office. Users are advised to keep their device and installed applications up to date. The researcher stated that their motive behind the publication of the research was to prompt developers and publishers to check if their apps were affected and issue fixes accordingly.

Dirty Stream Flaw Could Permit Overwrite &  Data Exfiltration

If successfully exploited, the vulnerability could permit an attacker to overwrite the target app's configuration file and force it to communicate with an attacker-controlled server, potentially leading to the exfiltration sensitive information and arbitrary command execution. The researchers behind the findings also collaborated with Google to publish an official guidance on Android Developers website, stating appreciation for the partnership with the Google’s Android Application Security. The Android developer guidance issued by Google, urges developers to handle the filename provided by the server application properly while ignoring filenames provided by the server applications rather than internally generated unique filename identifier as the filename, stating that there should be a sanitization check if internally-provided identifiers were not possible. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The CL0P ransomware group has listed 3 additional victims on its leak site. The mentioned victims include: McKinley Packing, Pilot and the Pinnacle Engineering Group. McKinley Packing is a firm that provides paper and packaging company across the United States of America, with its production and distribution network operating in multiple different states. The Pilot Corporation, founded in 1918, is a Japan-based manufacturer of writing instruments. The company has subsidiaries in Europe, Asia, South America and North America. The Pinnacle Engineering Group (P.E.G.) offers civil engineering, construction, land surveying, landscape architecture, and drone services to private developers and government agencies.

No Confirmation Yet of CL0P Ransomware Group's Claims

While the group has listed basic information and description about the firms, while linking to their official websites, the group has not provided larger context or details regarding the attack. However, along with their descriptions the group also claimed that these companies did not care about their victims and ignored security practices. These targets while unconfirmed, operate with millions of dollars in annual revenue and span across multiple territories. As CL0P listed the American branch of Pilot in its description of the attack, it is possible that the attack was likely focused on the American region and did not impact its main Japanese headquarters or other regional subsidiaries. It did not list headquarters nor physical address for its other victims, making details about the attack further unclear. [caption id="attachment_66039" align="alignnone" width="696"] Source: X.com (@ZephrFish)[/caption] The group shared no sample files or screenshots to further their claims, nor was their a mention of the scope or details stolen from the attacks, making it difficult to determine the extent of the alleged claims. The Cyber Express Team has reached out to both the American branch of Pilot Corporation as well as McKinley packaging for further details and confirmation about the attacks. However, no response has been received yet at the time of writing this article.

CL0P Ransomware Group Has a History of Striking Prominent Targets

The CL0P ransomware group, being one of the most prominent ransomware groups, is known for it's attacks on high-profile targets as well as the extent of data stolen in their operations. Last year in 2023, the group was responsible for massive data breach attacks on several different organizations through the exploitation of the MOVEit Vulnerability. This campaign prompted the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to issue a joint cybersecurity advisory (CSA) to disseminate the IOCs and TTPs associated in CL0P's operations through FBI investigations. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The cybersecurity community is on edge after an unidentified threat actor operating under the username 'UAE', claimed responsibility for a massive data breach attack involving the United Arab Emirates government. In a BreachForums post, the threat actor threatened to leak the data from the alleged UAE attack, unless a ransom of 150 bitcoins (USD 9 million) was paid. The victims in the alleged UAE attack include major UAE government bodies such as the Telecommunications and Digital Government Regulatory Authority, the Federal Authority for Nuclear Regulation, and the Executive Council of Dubai, along with key government initiatives such as Sharik.ae and WorkinUAE.ae. Various ministries are also affected, including the UAE Ministry of Health and Prevention, Ministry of Finance, and the UAE Space Agency. In the post, the threat actor claimed to have access to the personally identifiable information (PII) of various government employees, and shared a few samples that included names, emails, phone numbers, roles, and genders of top officials.

Threat Actor Shared Alleged Samples from UAE Attack

[caption id="attachment_65993" align="alignnone" width="1237"] Source: Dark Web (BreachForums)[/caption] The sample screenshots shared by the threat actor allegedly display internal data from several major UAE government bodies. Additionally, the threat actor claimed to have acquired access to personally identifiable information (PII) of top government officials, displaying samples that list names, roles, and contact details. The possession alleged samples by the threat actor, raises concerns over the security of government personnel and the integrity of national operations. The abrupt emergence of the hacker adds complexity to the incident, casting doubt on the veracity of the claims but potentially indicating a high-stakes risk scenario. The implications of such a breach are severe, potentially affecting national security, public safety, and the economic stability of the UAE. The global cybersecurity community is closely watching the developments, emphasizing the need for a swift and decisive government investigation to confirm the extent of the intrusion and mitigate any potential damage.

Experts Advice Caution and Skepticism Regarding UAE Attack

The hacker's emergence from obscurity with no prior credibility or record of such activities, casts doubt over the legitimacy of the claims. Neither the UAE government nor the affected agencies have yet responded to these claims, nor has there been any independent confirmation of the breach. The Cyber Express team has reached out to the Telecommunications And Digital Government Regulatory Authority (TDRA) in Dubai for further information regarding the attacks. The extensive list of affected entities and the nature of the alleged stolen data would suggest a highly sophisticated and coordinated attack, which seems incongruent with the profile of a lone, unestablished hacker. As this story develops, it will be crucial to monitor responses from the UAE government and the cybersecurity community. It is critical for all stakeholders, including government officials and cybersecurity experts, to collaborate urgently to address this potential crisis, ensuring the protection of sensitive government data and maintaining public trust in national security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The LockBit ransomware group has allegedly claimed responsibility for an earlier Cannes Hospital cyberattack impacting the Cannes Simone Veil Hospital Center (Centre Hospitalier de Cannes). The Cannes Simone Veil Hospital Center, also known as the Broussailles Hospital, was named after former French health minister Simone Veil. The hospital offers patient facilities such as anesthesia, surgery, ENT, ophthalmology, dentistry, mental health, and senior care. While the hospital was immediate in implementing stringent containment measures, ongoing investigations did not find evidence of data theft or direct ties to any threat actor groups.

Staff Forced to Degrade Services After Cannes Hospital Cyberattack

After the cyberattack, medical professionals were forced to switch to pen, paper, and manual processes to continue to provide essential healthcare services such as emergency care, surgery, obstetrics, and pediatrics to patients. Telephony services continue to work normally. Even weeks after the attack, the site still maintains a notice of the cybersecurity attack. The notice reads that the hospital staff is investigating the cyberattack in conjunction with experts (ANSSI, Cert Santé, Orange CyberDéfense, GHT06). Further, the notice stated that while the investigation remains ongoing, there have not yet been any ransom demands or identification of data theft operations. [caption id="attachment_65802" align="alignnone" width="683"] Source: ch-cannes.fr[/caption] Cybersecurity analyst Dominic Alvieri, on X(Twitter), shared an alleged LockBit claim of responsibility for the earlier incident. [caption id="attachment_65735" align="alignnone" width="1200"] (Source: Dominic Alvieri/ @AlvieriD / x.com)[/caption] If the claims are true, the Cannes Simone Veil Hospital Center would be one of the latest victims in a series of recent cyberattacks claimed by LockBit after the ransomware group's operations were disrupted following joint-effort action from the FBI, NCA the UK, and the Europol.

LockBit Ransomware Group Apologised for Earlier Cyberattack on Children's Hospital

Since healthcare targets remain a sensitive target for cyberattacks, many threat actor groups have made claims or suggested they would avoid such targets in their operations. During the Covid-19 pandemic, the Maze ransomware group announced that they would not target healthcare organizations. Later the group was found to continue targeting healthcare units in its operations. Last year in January 2023, LockBit apologized for an attack on Toronto's Hospital for Sick Children, blamed a partner for the attack, in its data leak site, claiming to have blocked the partner allegedly responsible for the attack, and offered code to restore the affected systems. The cyberattack had significant consequences for the pediatric firm such as delayed lab and imaging results, shut down of phone lines, and the staff payroll system. These incidents highlight that the healthcare system remains vulnerable to cyberattacks and can prove to have unwelcome effects on patient health, staff functioning, and morale. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The UK government has taken steps to safeguard consumers from cyberattacks by prohibiting common and easily-guessable passwords such as "admin" or "12345". The UK government law comes into effect on 29 April 2024 and will mandate manufacturers, importers, and distributors of consumer connectable products in the UK to follow the obligations and standards set in the 'UK Product Security and Telecoms Infrastructure (PSTI) Act 2022' as well as the 2023 Regulations under the same act. The law aims at setting minimum security standards that must be followed before consumer devices can be sold in the UK, to protect UK homes.

Uk Government Law Was Passed in 2022; Will Come to Effect this Year

These measures are part of the Product Security and Telecommunications Infrastructure (PSTI) Act passed in 2022 as well as additional laws passed in 2023. These are designed to bolster the UK's resilience against cyber attacks and disruptive interference following growing concerns stemming from a series of incidents and proposed counter-legislation. A NordPass study in 2023 revealed that "123456, password, qwerty, Liverpool..." were among the most used passwords in the UK. The study highlights that default and weak passwords remain a relevant concern even today. Besides passwords, the new legislation also seeks to tackle inherent issues in existing incident reporting procedures and update periods. With regards to reporting, the law mandates manufacturers to provide consumers with details on reporting security issues within products, and timely updates until resolution, while the information should be made available without request and free of charge. The law mandated that such information should be "accessible, clear, and transparent." With regards to updates, the law mandates information on minimum update periods to be published and clearly accessible to the consumer in a transparent manner along with an end date. The updated information is required to be understandable for a reader without prior technical knowledge.

UK Government Law Could Fine Violators £10 Million or Up to £20,000 a Day

According to the law, the Office for Product Safety and Standards (OPSS) would be responsible for enforcing the relevant act operating from 29 April 2024. Manufacturers, vendors, or firms that fail to comply with the regulations could face fines of up to £10 million or four percent of their global turnover, as well as up to £20,000 a day in the case of an ongoing violation. This new UK law comes as the EU Cyber Resilience Act draft makes rounds for legislative discussion with the inclusion of recent amendments. The Act obliges manufacturers and retailers to follow minimum security requirements throughout the product lifecycle. Following the passing of the Cyber Resilience Act expected in Early 2024, internet-connected products and software would be required to receive independent assessments to check if they comply with the new standards. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The threat actor USDoD claimed that they had published the Personally Identifiable Information (PII) of about 2 million members of the Communist Party of China on their new content delivery network (CDN). If the threat actors claims are true, the alleged China data leak might hold significant consequences for the party, given its reputation as being highly secretive and restrictive with regards to the flow of information to the outside world. The Chinese Communist Party (CCP) is the political party responsible for leading modern-day China, officially known as the People’s Republic of China since 1949. The leak is stated to include several bits of sensitive and identifiable data that could be used to facilitate identity theft, social engineering, or targeted attacks on individuals. However, the leak remains unconfirmed and it is difficult to ascertain the veracity of the claims. There have been no official statements or responses regarding the alleged leak.

USDoD Creates New CDN to Publish Alleged China Data Leak

The alleged publication of the Communist Party of China member data leak on the CDN site was accompanied by related posts on X (Twitter) and BreachForums. In the BreachForums post description, USDoD claimed to have held onto the leaked data for several months and cited the alleged leaked database as the first to be hosted on their new content delivery network (CDN). The threat actor further stated that they do not support any government, claiming the published alleged data leak as a wider message and as a gesture of good faith. The threat actor stated on an X(Twitter) post that their content delivery network (CDN) was 'ready and operational' and had been built through the help of a 'secret friend', while upload rights would be private and solely and for their own usage. The site was stated to have an upload limit of 500GB per file. [caption id="attachment_65515" align="aligncenter" width="1180"] Source: X(Twitter)[/caption] [caption id="attachment_65516" align="aligncenter" width="1188"] Source: X(Twitter)[/caption] However, in a later post on their X account, they claimed the CDN was down after they messed with the files. While the goals of the threat actor remain unclear, the new CDN will likely be used to upload and link leaked files to be shared for posts on BreachForums (as suggested by this incident). [caption id="attachment_65518" align="aligncenter" width="1188"] Source: X(Twitter)[/caption] While the breach remains unconfirmed, a Cyble researcher stated, "Our preliminary analysis indicates that this data has 2 million records from 2020 with the following data fields: ID, Name, Sex, Ethnicity, Hometown, Organization, ID card number, Address, Mobile number, Phone number and Education.

USDoD Recently Announced Retirement on BreachForums

The alleged Communist Party of China member data leak comes abruptly as just last week, the threat actor announced retirement on BreachForums in a post about an alleged attack on Bureau van Dijk, claiming to have stolen confidential company and consumer data from the firm. However, after being reached out for confirmation by The Cyber Express, a spokesman from the parent company (Moody's) seemingly refuted the threat actor's earlier claims. It is unknown what persuaded the threat actor to remain and continue making posts within BreachForums despite the stated intent towards retirement and suspension of activities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

CRIL Researchers observed a new android banking trojan 'Brokewell,' being distributed through a phishing site disguised as the official Chrome update page. The malicious Android Banking Trojan comes equipped with various functionalities such as screen recording, keylogging and over 50 different remote commands. Upon further investigation, researchers were able to trace the trojan back to its developer, who described the trojan as capable of bypassing permission restrictions on the latest versions of the Android operating system.

Developer Behind Android Banking Trojan Found Distributing Other Spyware Tools

CRIL researchers identified the trojan being distributed through the domain “hxxp://makingitorut[.]com” which disguises itself as the official Chrome update website and bears several striking similarities. [caption id="attachment_65312" align="alignnone" width="1557"] Source: Cyble[/caption] The site deceives the user into thinking that an update is required, describing it as being necessary "to secure your browser and fix important vulnerabilities. A download button on the site leads users to download the malicious APK file “Chrome.apk” on to their systems. Upon examination, the downloaded APK file was discovered to be a new android banking trojan, incorporated with over 50 different remote commands such as collecting telephony data, collecting call history, waking the device screen, location gathering, call management, screen and audio recording. The trojan communicated through a remote command and control (C&C) server operating through the “mi6[.]operationanonrecoil[.]ru” domain and hosted on the IP address “91.92.247[.]182”. [caption id="attachment_65315" align="alignnone" width="1354"] Source: Cyble[/caption] The malware was further linked to a git repository, where it was described as being capable of circumventing permission-based restrictions on Android versions 13, 14, and 15. The git repository contained links to profiles on underground forums, a Tor page, and a Telegram channel. The Tor page directed to the malware developers’s personal page, where they took steps to introduce themselves and linked to a site listing various other projects they had developed such as checkers, validators, stealers, and ransomware. Since CRIL researchers did not observe any mentions of the android banking trojan on the site, it is assumed that the trojan is a very recent development which might be listed within the upcoming days.

Technical Capabilities of Android Banking Trojan "Brokewell"

[caption id="attachment_65324" align="alignnone" width="1501"] Source: Shutterstock[/caption] Researchers note that the Brokewll Banking Trojan is likely in its initial stages of development and thus possesses limited functionalities for the time period. The current attack techniques primarily involves the screen overlay attack, screen/audio capturing or keylogging techniques. However, researchers warn that future versions of the android banking trojan may incorporate additional features. The malware is observed conducting a pre-emptive check to determine whether the host system has been rooted. This stage involves checking for package names of a root check application, network traffic analysis tool and an .apk parsing tool. Once the device is detected to not be rooted, it proceeds with normal execution, first prompting the victim for accessibility permissions. The accessibility service is then abused to grant the application other permissions such as “Display over other apps” “Installation from unknown sources”. [caption id="attachment_65319" align="alignnone" width="385"] Source: Cyble[/caption] After obtaining permissions, the application prompts the user to enter the device pin through a fake PIN screen with German localization. The PIN is then stored to a text file for subsequent usage. The German localization along with several samples of the malware being uploaded to VirusTotal from the German region lead researchers to believe that it is primarily targeting Germany. In addition to German, several strings in Chinese, French, Finnish, Arabic, Indonesian, Swedish, Portuguese, and English were also spotted. These strings suggest that the malware could expand its targets with the emergence of subsequent iterations incorporating additional features. Researchers anticipate increased promotion of the tool on underground forums and through the malware developer’s product portal, underscoring the progressive stage of banking trojans and the need for continuous monitoring over such developments. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

CISA (Cybersecurity & Infrastructure Security Agency) has shared an ICS (Industrial Control Systems) advisory regarding several vulnerabilities present in Honeywell products, including Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC. The advisory outlines multiple vulnerabilities which could lead to remote code execution, privilege escalation, and sensitive information disclosure. The Honeywell product vulnerabilities are described as affecting the chemical, critical manufacturing, energy, water and wastewater systems critical-infrastructure industries worldwide. Honeywell has released updates addressing these vulnerabilities, and CISA advises users to upgrade to the recommended versions to mitigate risks.

CISA-Listed Honeywell Product Vulnerabilities of High Severity

The ICS (Industrial Control Systems) Advisory listed vulnerabilities of varying types of medium to high severity: Exposed Dangerous Method or Function (CWE-749): CVE-2023-5389 (CVSS v4 Base Score: 8.8) could be exploited to allow attackers to modify files on Experion controllers or SMSC S300, potentially leading to unexpected behavior or execution of malicious applications. Absolute Path Traversal (CWE-36): CVE-2023-5390 (CVSS v4 Base Score: 6.9) allows attackers to read files from Experion controllers or SMSC S300, exposing limited information from the device. Stack-based Buffer Overflow (CWE-121): CVE-2023-5407 (CVSS v4 Base Score: 8.3) could enable attackers to induce denial-of-service conditions or perform remote code execution on Experion controllers, ControlEdge PLC, Safety Manager, or SMSC S300 through crafted messages. CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403 (CVSS v4 Base Score: 9.2) could be used for similar attacks on Experion Servers and Stations. Binding to an Unrestricted IP Address (CWE-1327): CVE-2023-5398 (CVSS v4 Base Score: 8.7) in Experion Servers or Stations could attackers attacker to induce a denial-of-service condition using specially crafted messages over the host network. Debug Messages Revealing Unnecessary Information (CWE-1295): CVE-2023-5392 (CVSS v4 Base Score: 8.7) could be exploited to allow for further extraction of information than required from memory over the network. Out-of-bounds Write (CWE-787): CVE-2023-5406 (CVSS v4 Base Score: 8.2) could lead to attacker controlled manipulation of messages from controllers for denial-of-service or remote code execution over host networks. CVE-2023-5405 (CVSS v4 Base Score: 6.9) exploitation of this vulnerability in Experion Servers or Stations could result in information leaks during error generation. Heap-based Buffer Overflow (CWE-122): CVE-2023-5400, CVE-2023-5404 (CVSS v4 Base Score: 9.2) both vulnerabilities present in Experion Servers or Stations, could allow for denial-of-service attacks or remote code execution via crafted messages. Improper Input Validation (CWE-20): CVE-2023-5397 (CVSS v4 Base Score: 9.2) enables denial-of-service or remote code execution via specially crafted messages. Buffer Access with Incorrect Length Value (CWE-805): CVE-2023-5396 (CVSS v4 Base Score: 8.3) enables denial-of-service or remote code execution via specially crafted messages. Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119): CVE-2023-5394 (CVSS v4 Base Score: 8.3) in Experion servers or stations enables denial-of-service or remote code execution via specially crafted messages. Improper Handling of Length Parameter Inconsistency (CWE-130): CVE-2023-5393 (CVSS v4 Base Score: 9.2) in Experion servers or stations allows for denial-of-service or remote code execution via specially crafted messages.

CISA Shares Mitigations for Honeywell Product Vulnerabilities

CISA has advised affected Honeywell customers to immediately upgrade to the fixed versions of the software referenced in the official Security Notice. CISA additionally recommends users to take action to mitigate the risk of exploitation of the Honeywell product vulnerabilities, such as ensuring proper user privilege restrictions, minimizing network exposure or segmenting networks and remote devices behind firewalls to isolate them from enterprise networks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cyble Research & Intelligence Labs (CRIL) recently discovered evidence suggesting that the threat actors behind the DragonForce ransomware group might have leveraged a leaked LockBit 3.0 (Black) builder to craft their own ransomware builder. Detailed analysis revealed striking similarities between the binaries generated by the leaked LockBit 3.0 builder and DragonForce's own ransomware builder.  The findings come as part of a larger trend where newer threat actor groups are observed relying on previously-existing malware to form their own operational tools to deploy in campaigns.

DragonForce Ransomware Binary Likely Based on LockBit 3.0 Build

[caption id="attachment_64928" align="alignnone" width="660"] Source: Cyble[/caption] The DragonForce ransomware group began its operations on November 2023, employing double extortion tactics to target victims. The group is potentially linked to the Malaysian hacktivist group 'DragonForce' known for conducting campaigns against various government agencies and organizations present in the Middle East and Asia during 2021 and 2022.  While the group is known to have announced its intention to launch ransomware operations in 2022, proper attribution remains difficult due to limited information. CRIL Researchers recently came across a DragonForce ransomware binary based on a LockBit Black (third-known LockBit variant) binary. The LockBit ransomware builder was known to have been shared on X (Twitter) on September 2022. Ransomware builders allow ransomware operators specific options and customizability while generating ransomware payloads. The builder included a “config.json” file to customize payloads for functionalities such as encryption, filename encryption, impersonation, file/folder exclusion, exclusion based on languages spoken in CIS (Commonwealth of Independent States) countries, and ransom note templates. [caption id="attachment_64931" align="alignnone" width="938"] Source: Cyble[/caption] Comparison between a LockBit builder-generated ransomware binary to that of a DragonForce builder generated ransomware binary revealed several similarities in code structure, functions and process termination. These similarities suggest a strong likelihood that the DragonForce ransomware binary was developed based on the utilisation of the leaked LockBit binary file.

DragonForce Ransomware Operations

[caption id="attachment_64935" align="alignnone" width="936"] Source: Cyble[/caption] Earlier this year in February 2024, DragonForce listed two American companies, 'Westward360' and 'Compression Leasing Services' as victims on its leak site. Earlier in December 2023, the group claimed responsibility for an attack where over 600 GB of data was stolen from the Ohio Lottery. The stolen data consisted of both player and employee records with sensitive information such as names, addresses, winnings, dates of birth, and social security numbers. The Ohio Lottery confirmed the cyber-incident and stated that it involved significant data theft. In the same month, Yakult Australia fell victim to the DragonForce ransomware gang's operations impacting its Australia and New Zealand divisions with over 95GB of data being stolen in the attack. The Yakult Australia data breach is believed to contain business documents, spreadsheets, credit applications, employee records, and copies of identity documents, including passports. The company later acknowledged the incident and disclosed details relating to the incident to relevant authorities such as the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre. It is notable that in both attacks, the impacted systems continued to operate normally suggesting the group employs stealthy techniques. The discovery of DragonForce's use of a leaked LockBit builder underscores the general conduct of newer ransomware groups employing existing ransomware tools and the interconnected nature of cybercriminal operations. Last year in July 2023, researchers from VMware discovered similarities between the 8Base Ransomware and earlier ransomware groups such as RansomHouse and Phobos. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

SYNLAB Italia, a provider of medical diagnostic services has temporarily halted its healthcare services across Italy after experiencing a cyber incident. The healthcare diagnostics entity stated the SYNLAB Italia cyber-incident occurred during the early hours of 18th April and that it had become aware of the incident at 07.00 CET (Central European Time). Following the SYNLAB Italia cyber-incident, the IT department took action to block the entire company infrastructure from accessing the affected network while shutting down all machines in accordance with the company’s security guidelines. SYNLAB Italia is part of SYNLAB Group, which was founded by a loose association of German physicians. The group claims a presence in over 30 countries, with a staffing of over 28,000 employees and claims to conduct approximately 600 million tests every year.

Firm Halts Operations After SYNLAB Italia Cyber-incident

[caption id="attachment_64376" align="alignnone" width="1000"] Source: Shutterstock[/caption] After becoming aware of the SYNLAB Italia cyber-incident, the healthcare facilitator established a task force consisting of internal and external professionals who took action to mitigate potential impact stemming from the attack while focusing on restoring critical services as early as possible. SYNLAB then moved to secure biological samples that had already been collected and subsequently restored patient services such as specialist outpatient visits and physiotherapy. Upon visiting SYNLAB Italia’s site, visitors are prompted with links to visit either a patient service or customer service updates page. The patient page provides details about regional availability, outpatient services, regional center emergency numbers while informing patients about the services that remain suspended. The Customer and Business services page provides visitors with details about the cyberattack, alternative emergency numbers SYNLAB stated that its task force is investigating every aspect of its IT infrastructure as well as its backup systems to restore its systems as soon as possible. The company stated that it had filed a complaint with the Postal Police, and has followed procedure for issuing a preliminary notification to the Guarantor Authority for the Protection of Personal Data. SYNLAB has apologized to its patients for the incident and stated that it had made available dedicated telephone and social channels for managing patient requests and information in the interim as some of its services and official email system remained down. The company stated that it would update patients, customers and the public on updates through its official website and social media channels while stating that it is working on limiting customer inconvenience and providing necessary support.

Medical Data at Risk in SYNLAB Italia Cyber-incident

[caption id="attachment_64377" align="alignnone" width="1000"] Source: Shutterstock[/caption] The healthcare provider stated that although the investigation is ongoing and the full extent of compromised data hasn't been confirmed, it acknowledged the potential exposure of sensitive medical data. Moreover, SYNLAB Italia affirmed its adherence to GDPR regulations when addressing concerns regarding potential data exposure. It pledged to restore systems as readily as possible while implementing necessary measures aimed at secure resumption of services on an urgent basis. The company confirmed that it had issued emails communicating the incident to some of its patients through an external provider not impacted by the attack. The Cyber Express has reached out to SYNLAB Italia for further details regarding the attack, but no response has been received yet. No threat actor group or individual has been observed claiming responsibility for the attack so far. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Threat actor USDoD (previously known as NetSec, ScarFace_TheOne, and Scarfac33) previously known for attacks against U.S. infrastructure and Airbus has claimed Bureau van Dijk as its latest victim. The threat actor also claimed that the alleged attack on Bureau van Dijk would likely be his last and seemed to bid farewell to the BreachForums community. Bureau van Dijk, a leading business intelligence firm owned by Moody's Analytics. The firm offers various consumer and private company intelligence-related products with a primary focus on sales, marketing, and customer support. The firm is known to maintain country-specific databases and the threat actor was likely referring to the US variant of the consumer database. The two shared files combined together form about 11.7 million lines of sensitive data as mentioned in the post description on BreachForums.

USDoD Threat Actor Targets Bureau van Dijk in Farewell Post

In a surprising gesture, USDoD bid farewell to the BreachForums community, federal agencies and ‘friends around the globe’, claiming his post as a way of stating goodbye. The threat actor stated that he did not expect anything further from the community, while expressing gratitude for all the people that he contacted over the years with the forums. The threat actor reiterated that he was a lone individual working alone in his activities while framing his decision to step away as a move to focus on personal life and family. The post description mentions the information in the first stolen database as containing around 8.9 GB of data and being delivered in CSV format. The file included fields such as Last Name, First Name, Email Addresses, Priority Telephone Number, and Priority Email Address. The Cyber Express has reached out to Bureau van Dijk to verify the authenticity of the hackers claims. However, at the time of writing this, no official statement has been received, leaving the claims of the Bureau van Dijk cyberattack stand unverified.

US Consumer Database Included Within Threat Actor's Post

The second database included within the threat actors post was purportedly a US consumer database stolen from the same agency and seemed to include data such as First Name, Last Name, Business Email, Mobile Phone, Direct Number, Job Title, Personal Address and Company Address. The second database was also in .csv format and was stated to include about 2.8 million lines of data records. Both databases were freely available for public download through shared links shared in the post. The attacker previously targeted the defense contractor Thales in a data breach on March 1, 2024 involving 24 GB of data. Prior to the incident the threat actor was responsible for the Airbus data breach on September 12, 2023. Earlier in August 2021 while operating under the NetSec moniker, the threat actor revealed that they had obtained administrator access to several websites belonging to the U.S. Army. This attack was part of a wider individual campaign under the '#RaidAgainstTheUS hashtag' involving large-scale attacks on the U.S. Department of Defense (DoD), U.S. Army websites, and U.S. Defense manufacturers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Several Victorian councils confirmed that their data had been exposed to the public, after their third-party OracleCMS call center operator had been breached. The compromised data from the customer services vendor may extend beyond the Victorian cities data breach. OracleCMS, (not to be confused with Oracle corporation) is an Australia-based localized provider of customer care solutions and call center services. According to the OracleCMS official disclosure, the breached information may include 'corporate information, contract details, invoices, and triage process workflows'. Last week, the LockBit #ransomware group mentioned OracleCMS as a victim on its official leak site.

Authorities Issue Data Breach Notices on Official Sites After Victorian Cities Data Breach

[caption id="attachment_64113" align="alignnone" width="1000"] Source: Shutterstock[/caption] Local governments entities are among those affected by the OracleCMS breach, with many of them conducting investigations into the incident over the weekend. Some affected entities instructed the OracleCMS provider to not to collect any further information information during the interim and requested direct transfer of urgent calls, including after-hour calls to their staff until further notice. The affected cities that are known to have issued official data breach notices include: Knox City, City of Port Phillip, Manningham Council, Whitehorse City Council and the City of Monash Earlier, LockBit had published some sample data such as bills associated with OracleCMS, giving the group until April 16th to negotiate with the group, with no ransom amount being publicly mentioned. The group had then published more than 60 gigabytes of leaked data contained within a single compressed archive. A “Clients” directory from the leaked data included more than 50 different folders of organizations ranging from local city councils to senior citizen care services. The Australian publication Cyber Daily stated that more than a dozen local councils were on the list, including the Campbelltown Council, Tweed Shire Council, Dandenong City Council, among various other government entities. Other clients included within the leak include several different law firms, a real estate agent giant, and the Queensland branch of the Philadelphia Church of God.

OracleCMS Issues Several Safety Recommendations After Victorian Cities Data Breach

[caption id="attachment_64117" align="alignnone" width="1000"] Source: Shutterstock[/caption] OracleCMS confirmed a cyber security incident had occurred where an unauthorised party gained access to a portion of its data and published the leaked data online. After discovering the incident, OracleCMS approached cyber security experts to aid in securing its systems and in conducting an official investigation. The site states that basic contact information could be extracted from contracts and invoices appearing in the breach, but  advised that the data presented 'a low risk of misuse. The organization stated that it had contacted clients which it had identified as being impacted, and would work with them to issue further notification and support to affected parties and individuals. OracleCMS apologized for the incident and affirmed its commitment to keeping stakeholders updated during the on-going incident response and investigation. The site issued several recommendations to affected parties to stay safe from the fallout of the data breach. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The ransomware gang 8Base might have been responsible for an attack on the Atlantic States Marine Fisheries Commission (ASMFC) in the United States, that caused to go down temporarily. This development has raised concerns given the ASMFC's pivotal role in overseeing fisheries along the Atlantic seaboard after the U.S. Atlantic States Marine Fisheries Commission's email system was temporarily down. Established 80 years ago, the fishery organization states on its site that its mission is 'to promote the better utilization of the fisheries, marine, shell and anadromous, of the Atlantic seaboard by the development of a joint program for the promotion and protection of such fisheries, and by the prevention of physical waste of the fisheries from any cause.' The 8Base ransomware group claimed the organization as a victim in its leak site and claimed to have stolen several pieces of critical data. However, the authenticity of these claims is still in question, given the corporation has not shared any update regarding any cyberattack or intrusion.

Atlantic States Marine Fisheries Commission: Officials were Given a Four-Day Deadline

[caption id="attachment_63831" align="alignnone" width="683"] Source: Shutterstock[/caption] On April 15th, the 8Base ransomware group asserted on its official leak site that it had obtained information such as personal data, invoices, receipts, accounting documents and certificates. The group gave the organization a deadline of four days to pay the ransom, warning that if the ransom was not paid by April 19th, they would release the data. Of particular concern is the extent of the alleged data breach due to the nature of the data stored on the ASMFC's website, which includes confidential information on fishery management, nearshore fish species, habitat conservation efforts and law enforcement initiatives. For a while, the commission's official website displayed a notice instructing users to use a different address and phone number temporarily while its official services remained down. While it's email services seem to have been restored as the notice is no longer displayed, it is uncertain if the disruption was due to the alleged attack, a routine maintenance effort, or otherwise. [caption id="attachment_63860" align="alignnone" width="2696"] Source: Archived copy of the official site(asmfc.org) displaying earlier notice.[/caption] The Cyber Express reached out to the ASMFC for further details and confirmation regarding the ransomware gang's claims, but have not received a response yet at the time of working on this report.

8Base Ransomware Group Shares Similarity with Other Groups

The ransomware group, which claimed this cyberattack, has been a notorious threat actor on the dark web, sharing similarities with other threat actors of equal prowess. Last year in 2023, researchers from VMware reported that they had discovered significant similarities between the operations of both 8Base and RansomHouse. These similarities included a 99% similarity match in ransom notes between the groups, and other similarities in the verbiage of the two groups in the leak site on the welcome page, terms of service page and FAQ page. Other similarities were also noted between 8Base and the Phobos threat actor group, raising questions about the relationships between these groups and the scale of collaboration or independence. Moreover, what seems like a possible cyberattack in the case of the Atlantic States Marine Fisheries Commission (ASMFC), the water industry saw many cyberattacks in 2023. In September 2023, another joint body water association between the U.S. and Canada, the International Joint Commission was been hacked by NoEscape. The group had stolen and encrypted similar confidential data including contracts, legal documents, personal details of employees and members, and financial and insurance information. These incidents highlight the need for robust measures within organizations responsible for managing vital resources and essential sectors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Void Interactive, the Ireland-based indie game developer behind Ready or Not, fell victim to massive data breach with over 4TB of data stolen consisting of over 2.1 million files in total. Ready or Not is a tactical, first-person shooter taking place in a contemporary modern and involves SWAT team operations. While reports circulating about the data breach, no particular threat actor was mentioned, however, the incident did occurred in March 2024. Void Interactive confirmed the data breach to Insider Gaming while stating that “no user or staff-related information has been leaked, and our development assets and proprietary code remain intact.” In response to the breach, Void Interactive seems to be conducting an on-going investigation to understand the full-extent of the intrusion.

Void Interactive Data Breach Linked to TeamCity Cloud Vulnerabilities

The data was stated to include the entire Ready or Not PC source code. It also includes data from performance benchmark tests and development builds for console versions of Ready or Not, for the Xbox One, Xbox Series X|S, and PlayStation 5 platforms. Purported images of the PS4 build of the game running on a PlayStation 4 test kit was also revealed in the leak, as reported by Insider Gaming. In another report from Kotaku, a representative from Void Interactive stated that the hack was a result of “critical vulnerabilities” present in TeamCity’s cloud service component for build-management. The game developer added that the hackers obtained access to certain source code and screenshots involving an upcoming project. The Void Interactives spokesperson further claimed that no user-related data had been breached, as they 'do not capture any personal user information in the first place'.  The developer again confirmed that some source code & directory information had been stolen as a part of the attack. However, development assets and proprietary code were not part of the breach. Void Interactive pointed the attack as being 'limited to the TeamCity services interface.' The Cyber Express has reached out to Void Interactive requesting information about the on-going investigation. [caption id="attachment_63453" align="alignnone" width="596"] Source: d0nutleaks leak site claim[/caption] [caption id="attachment_63457" align="alignnone" width="626"] Source: /u/DrinkMoreCodeMore's claim on /r/ReadyOrNotGame subreddit[/caption] While Kotaku and Insider Gaming seem to refuse to directly name the hacker group responsible, it is worth noting that around the same time the incident was stated to occur, a reddit user by the username "DrinkMoreCodeMore" claimed to have noticed the d0nutleaks ransomware group listing Void Interactive as a victim on its data leak site.

Data Breaches, Source-Code Leaks, and Hacks Plague Gaming Industry

[caption id="attachment_63515" align="alignnone" width="1000"] Source: Shutterstock[/caption] The gaming industry has been rife with data breach and hacking incidents affecting both prominent studios and smaller development teams. Last month in March, the Apex Legends North American Finals had been postponed after two professional players had been hacked to provide 'aimbots' and 'wallhacks' mid-tournament. In December 2023, prominent game developers Insomaniac Games and RockStar Games suffered massive data breach attacks. The Ryhsida ransomware gang leaked 1.67 TB (1.3 million files) of data from Insomniac Games, while another group leaked two files— a 4 GB file and a 200 GB File from Rockstar Games. The smaller file mostly contained code, while the bigger one contained 3D models and assets. The leaked data included data of at least 1158 of Rockstar employees. The recent series of data breaches serves as a stark reminder that as developers continue to innovate and push boundaries in gaming, protecting intellectual property and sensitive data must remain a top priority in order to provide a secure environment for creators and players alike. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The RansomHouse group allegedly added Lopesan Hotels to the list of victims on its extortion site, claiming that they had obtained 650GB of data regarding the hotel revenue ($382.4M) and details about 408 employees. The group claims to have encrypted the data on March 22 2024 while stating that the company is not interested in the confidential data being leaked on the internet. The Lopesan Hotel Group is a family-owned group that began its activities in 1972 as group that takes on public construction projects. The hotel chain later scaled to become a multinational company, operating from its headquarters in the Gran Canaria islands.

RansomHouse Group Shares Details on the Lopesan Hotels Cyberattack

The Cyber Express has reached out to the hotel group to learn more about this Lopesan Hotels cyberattack. However, at the time of writing this, no official statement or response has been received, leaving the claims for this intrusion stand unverified right now. However, the hacker group alleges that along with the claims of the cyberattack, the group added that the hotel chain is failing to resolve the cyberattack situation, stating, "Dear Lopesan Hotel Group, We are sure that you are not interested in your confidential data to be leaked or sold to a third party. We highly advise you to start resolving that situation." Moreover, RansomHouse shared a link to the downloadable data that doesn't require any password, making the data available to all the users on the data leak site.

RansomHouse Group is Known to Target High-Value Targets

The ransomware gang that claimed this attack began as a ransomware-as-a-service operation that emerged in late 2021 with active attacks against the networks of large enterprises and high-value targets. RansomHouse initially began targeting Italy, but later began targeting countries such as the United States and Spain. The group primarily tends to target the industrial and technology sectors and  set up a victim extortion page  on May 2022. In the words of RansomHouse representatives, the group claims to not encrypt data and that they are 'extortion only,' claiming itself as a ‘force for good’ that intends ‘shine a light’ on companies with poor security practices. The group has been observed accepting only Bitcoin payments. The group's operations tend to be smaller and more sophisticated than some of the bigger contemporary ransomware groups. They are known to recruit members on prominent underground marketplaces and utilize a Tor-based chat room for ransom negotiations. Since the group tends to conduct extortion only attacks, their techniques tend to be stealthier and quicker as no encryption process occurs and typical ransomware detection triggers are avoided.

RansomHouse Group Was Responsible for Massive Data Breaches

The RansomHouse group recently developed a new tool dubbed as 'MrAgent' that targets VMware ESXi hypervisors typically known to house valuable data.  The group targeted several large-sized organizations through the last year. Their campaigns include attacks such as the theft of 450 GB of data from the semi-conductor giant AMD, an attack disrupting the healthcare services of the Hospital Clínic de Barcelona in Spain, and an an attack on Shoprite, Africa's largest supermarket chain The sophistication of the RansomHouse group's campaigns and scale of their attacks demand heightened vigilance and proactive defense strategies to safeguard against similar breaches, despite their claims to be a positive force. As for the Lopesan Hotels cyberattack, this is an ongoing story. The Cyber Express will be monitoring the situation and we'll update this post once we have more information on this alleged attack or any official confirmation from Lopesan Hotels. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Federal Trade Commission (FTC) has proposed a $7 million fine against Cerebral Inc for what it sees as a mishandling of consumer data. Cerebral, allegedly not only mishandled the data but actively shared it with third parties for advertising purposes. The complaint alleges that Cerebral Inc consumer data consisting of sensitive information of nearly 3.2 million individuals had been to various third-party agencies, such as Google, Meta (Facebook), TikTok, among other advertising giants. This sharing of consumer data reportedly occurred through Cerebral's platforms by utilizing tracking tools on its website or apps, such as tracking pixels.

Cerebral, Inc. agreed to comply with a settlement with the FTC, which includes restrictions on the company's use or disclosure of sensitive consumer data.  In the statement, the FTC reaffirmed its fight against the poor data handling of consumers’ sensitive health data in some health companies.

FTC Cites Poor Handling and Malpractices Behind Cerebral Inc Consumer Data Collection

[caption id="attachment_63212" align="alignnone" width="1000"] Source: Shutterstock[/caption]

The data being mishandled reportedly included not only typical contact and payment information but also detailed medical histories, prescriptions, health insurance details, and even sensitive personal beliefs and orientations. The publication cites various examples of Cerebral's poor practices including a failure to restrict former employees from accessing confidential medical records, promotional postcards that disclosed patient health details, and relying on insecure access methods for its patient portal, which allowed users to access others' the confidential health information of other patients. Furthermore, the lawsuit accused Cerebral Inc. of violating the 'Restore Online Shoppers’ Confidence Act' (ROSCA) by making it difficult for consumers to cancel subscriptions. The complaint outlined a convoluted cancellation process that involved staff contacting consumers to dissuade them from canceling, keeping subscriptions active until staff "confirmed" cancellation demands, and even removing a simplified cancellation button after observing an increase in cancellations.

Mental Health Firm Issued Data Breach Notice Last Month

[caption id="attachment_63214" align="alignnone" width="1494"] Source: cerebral.com[/caption] Cerebral Inc. disclosed in a breach notice published on its website that company data had been shared through invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since 2019, without adequate patient permission. The breach had been reported on the U.S. Department of Health and Human Services breach portal, mentioning the personal details of 3,179,835 people being exposed as part of this breach. The data breach was stated to include details such as full name, phone number, email address, date of birth, IP address, Cerebral client ID number, and demographic information. However, the firm stated that the shared information did not include Social Security numbers, credit card information, or bank account information. The firm indicated that it had 'enhanced' its information security practices and technology vetting processes to mitigate the sharing of such information in the future. The firm claimed that it was among several others across industries such as health systems, traditional brick-and-mortar providers, and other telehealth companies who had resorted to the use of pixel and other common tracking technologies. Cerebral stated that it would provide free credit monitoring to help affected users. The data breach incident as well as FTC's proposed fine highlight the importance of safeguarding consumer data and ensuring transparent and accessible cancellation processes, particularly in sensitive industries such as mental health care. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The clearnet domain of the notorious BreachForums data leak and hacking forum has been taken down by rival threat actors. The threat actor group, R00TK1T, along with the pro-Russian gang Cyber Army of Russia, announced a breach of user data following the BreachForums take down. R00TK1T was previously responsible for an attack campaign targeting the Malaysian government and various private entities including one of one of Malaysia’s leading telecommunications operators. The hackers responsible for the attack on BreachForums also claimed that they would leak a list of the forum's users, IP addresses and emails. Despite the attack, the TOR version of the site remains operational.

Groups Claim More Surprises for Hacker Community and Active Users

[caption id="attachment_63054" align="aligncenter" width="2144"] Source: R00TK1TOFF Telegram channel[/caption] R00TK1TOFF claimed on Telegram, that the site 'has currently crashed due to the extent of our attack, which was executed with extreme precision and efficiency.' The DDoS campaign against the site had been conducted in a joint-effort operation of both groups. However, the BreachForums TOR address remains active and is known to implement DDoS protection. Cybersecurity firm Hackmanac claimed in a note on X (Twitter) that:

R00TK1T is known for making grand claims about significant data breaches, which more often than not turn out to be merely a collection of publicly available data. Given the group's reputation, the threat to publish the IP and email addresses is likely to be a mere republishing of user details that were leaked last year by more credible threat actors.

Baphomet Issues Statement Regarding BreachForums Take Down

Baphomet, the administrator of BreachForums, made a statement about the incident on Telegram: 'The domain is currently suspended. We're working on it. We apologize for any inconvenience.' He further advised its users to access the forums through via the TOR site until the issue was sorted. In a later post via Telegram, Baphomet joked that the action must have been the work of the Five Eyes network along with various other large nations 'working together to silence our forums.' He then downplayed the takedown of the .cx domain, recommending users to switch to a temporary new domain (breachforums.st). [caption id="attachment_63041" align="aligncenter" width="785"] Source: Baphomet Official  Telegram channel[/caption] He stated that the .st domain would temporarily function as their main site while the admins work on 'protection over the next week that'll make these one-time suspensions less effective' while emphasizing on the availability of the TOR domain at all times. He then claimed that nothing had been 'seized, hacked, or even reasonably attacked.' Noting that while their site might experience DDoS attacks and downtime, they would always come back. He advised users to be patient while thanking the community for being patient with such incidents. R00TK1T, later responded in its own channel that Baphomet was denying the attacks and that together with the Cyber Army of Russia would 'unleash a torrent of chaos that will leave you (Baphomet) reeling. BreachForums has faced a series of troubles in recent times, including the arrest of its former owner Conor Brian Fitzpatrick (pompompurin), followed by an official seizure of the site by the Federal Bureau of Investigation(FBI) in cooperation with several U.S. agencies. The FBI stated in an affidavit that during the time of seizure, it had access to the BreachForums database. A forum administrator operating under the screen name "Baphomet" took ownership of the website and its operations after the arrest of Fitzapatrick. The site was temporarily shut down after Baphomet's suspicion of the forum still being compromised. However, Baphomet later reopened the forum to the public with the aid of black-hat hacking group ShinyHunters. ShinyHunters was previously responsible for several large-scale data breach attacks, obtaining about 200 million records of stolen data from various companies. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A vulnerability had been discovered in the devices of several prominent manufacturers within the Lighttpd open-web server component. Lighttpd is recognized for its 'secure, fast, standards compliant, and flexible web server optimized for high-performance environments.' These features make it a popular choice for incorporating into various projects and tools, and it had been previously used to power sites such as Youtube and Wikipedia. This vulnerability existing for at least six-years within Lighttpd, affects over 2000 devices deployed by vendors such as American Megatrends International (AMI), Intel, Lenovo, and Supermicro. Researchers caution that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected. BMCs are built into servers to allow cloud centers as well as their clients to remotely manage servers. They enable administrative actions such as OS management, installation of apps, and control over different aspects of servers even while they are powered off. Over the years, BMCs from multiple manufacturers have incorporated vulnerable versions of lighttpd.

Lighttpd Bug Had Been Identified but Not Disclosed as Vulnerability

[caption id="attachment_62950" align="alignnone" width="1000"] (Source: Shutterstock)[/caption] The vulnerability had been discovered and patched in 1.4.51 of the software, described as fixing 'various use-after-free scenarios' while being marked as consisting of 'security fixes' in the change logs. The MITRE corporation describes this category of bugs as that 'can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw'. Researchers from Binarly who discovered the flaw's existence on Lenovo and Intel sold devices,  noted that the update did not describe the issue as a “vulnerability” or include a CVE vulnerability number. Such action they claim might have affected 'proper handling of these fixes down both the firmware and software supply chains'. While the bug is of moderate severity on its own, it could be chained with other vulnerabilities to access the read memory of a lighttpd Web Server process and exfiltrate sensitive data and  potentially bypass memory-protection techniques such as ASLR (Address space layout randomization). The ASLR memory protection is implemented in software to protect against buffer overflow or out-of-bounds memory attacks.

Vendors Plan Not to Release Lighttpd Bug Fix As They No Longer Support Hardware

[caption id="attachment_62955" align="alignnone" width="1000"] (Source: Shutterstock)[/caption] The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. Both Intel and Lenovo have reportedly stated that they had no plans to release fixes as they no longer support the hardware where these flaws may perist.  Supermicro, has however stated support for versions of its hardware still relying on lighttpd.

A Lenovo spokesman reportedly stated to ArsTechnica that 'Lenovo is aware of the AMI MegaRAC concern identified by Binarly. We are working with our supplier to identify any potential impacts to Lenovo products. ThinkSystem servers with XClarity Controller (XCC) and System x servers with Integrated Management Module v2 (IMM2) do not use MegaRAC and are not affected.'

It’s worth mentioning explicitly, however, that the severity of the lighttpd bug is only moderate and is of no value unless an attacker has a working exploit for a much more severe vulnerability. In general, BMCs should be enabled only when needed and locked down carefully, as they allow for extraordinary control of entire fleets of servers with simple HTTP requests sent over the Internet. Chip giant Intel previously issued an advisory in 2018 warning customers about over 13 security bugs discovered in its version of the baseboard management controller (BMC) firmware for Intel Server products while conducting internal evaluation.  The reported flaws included including one critical flaw that could be exploited to leak sensitive data or allow attackers to escalate privileges. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.