
How Middle East, Turkey, and Africa (META) Banks Are Leveraging AI

META banks

The banking industry is one of the main pillars of any nation, and banks have long been an integral part of critical infrastructure. Government and private banks in the Middle East, Turkey, and Africa (META) region have gone through several transformations, and with the advancement of AI these financial institutions have adopted artificial intelligence to streamline the banking experience for ordinary citizens while also ensuring robust cybersecurity measures.

These banks offer a wide range of services beyond traditional banking, including investment banking, insurance, and asset management. As the financial landscape becomes increasingly complex, META banks are turning to artificial intelligence (AI) to streamline operations, enhance customer experiences, and mitigate risks. The Cyber Express explores the AI revolution taking place in META banks across the region, along with the benefits, challenges, and prospects of this transformative technology.

The AI Revolution in META Banks 

The advent of AI has pushed conventional banking into a new era of possibilities. With its ability to process vast amounts of data and perform complex tasks with speed and accuracy, AI has become a game-changer in the financial industry. META banks are leveraging AI algorithms and machine learning techniques to automate routine processes, analyze customer behavior, and make data-driven decisions. By harnessing AI, these banks can gain a competitive edge by offering personalized products and services, reducing operational costs, and improving overall efficiency.

AI is transforming various aspects of META banking, from customer service to risk management. AI-powered chatbots have become the face of customer interactions, providing round-the-clock assistance and resolving queries in real time. These virtual assistants not only improve customer satisfaction but also free up staff to focus on more complex tasks. AI-powered predictive analytics enable banks in the META region to identify patterns and trends in customer behavior, helping them tailor their offerings to individual needs. AI algorithms are also proving valuable in detecting fraudulent activity, supporting compliance, and minimizing financial risk.

Benefits of Artificial Intelligence-led Banking in the META Region

The benefits of AI in banking are manifold. Firstly, AI enables these banks to improve operational efficiency by automating repetitive tasks and reducing human error. This not only saves time but also lowers costs, allowing banks to allocate resources more effectively. By leveraging AI-powered analytics, META banks can gain valuable insights into customer preferences, enabling them to offer personalized products and services. This not only enhances customer satisfaction but also fosters loyalty and drives revenue growth.

Furthermore, AI enhances risk management capabilities in META banks. With AI algorithms constantly monitoring transactions and analyzing patterns, potential fraudulent activities can be detected and flagged in real time. This not only protects the interests of customers but also safeguards the reputation of META banks. AI-powered cybersecurity is a key component of this risk management strategy. By utilizing AI to identify and counter cyber threats, banks in the Middle East, Turkey, and Africa can ensure the security of their systems and protect sensitive customer data from unauthorized access.

Implementing Artificial Intelligence in META Banks 

Implementing AI in the banking sector requires careful planning and strategic execution. The first step is to identify the areas where AI can bring the most value. This could include customer service, risk management, compliance, or data analytics. Once the areas are identified, META banks need to invest in the right AI technologies and infrastructure. This includes acquiring AI software, hardware, and the necessary IT resources to support AI implementation.

Data plays a crucial role in the success of AI implementation. Banks in the META region need to ensure that they have access to high-quality, structured data that can be used to train AI algorithms. This may require data integration and consolidation efforts across different systems and departments within the bank. Additionally, both private and government banks need to establish governance frameworks and protocols to ensure the ethical and responsible use of AI. This includes addressing issues such as bias, transparency, and accountability.

Cybersecurity is a top concern for financial institutions, given the sensitive nature of the data they handle. AI is proving to be a powerful tool in combating cyber threats and protecting customer information. AI-powered cybersecurity systems can analyze vast amounts of data in real time, detecting anomalies and identifying potential threats. These systems can learn from past attacks and adapt their defenses accordingly, making them more effective against cybercrime actors. AI algorithms can detect patterns and behaviors that may indicate a cyber attack, such as unusual login attempts or unauthorized access to customer accounts. By continuously monitoring network traffic and user behavior, AI-powered cybersecurity systems can swiftly respond to potential threats, mitigating the risk of data breaches. Furthermore, AI can assist in fraud detection by identifying suspicious transactions or activities that deviate from normal customer behavior.
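To make the detection logic the passage describes concrete, here is an added Python example written for this page; it is not code from any META bank or AI vendor. It is a deliberately simple rule-based stand-in for the behavioral baselining an AI system would learn: it parses a constructed login log, builds a per-user baseline of the countries seen in successful logins, and flags a burst of failed logins, a login from a country outside that baseline, and two successful logins from different countries within a window too short for real travel. The log format, the user names, and the thresholds are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events in an assumed key=value format (not a real bank's logs).
SAMPLE_LOG = """\
2024-05-28T08:01:10Z user=alice result=success country=AE
2024-05-28T08:05:42Z user=bob result=success country=TR
2024-05-28T09:12:03Z user=alice result=success country=AE
2024-05-28T12:30:00Z user=alice result=success country=AE
2024-05-28T13:00:01Z user=bob result=failure country=TR
2024-05-28T13:00:05Z user=bob result=failure country=TR
2024-05-28T13:00:09Z user=bob result=failure country=TR
2024-05-28T13:00:12Z user=bob result=failure country=TR
2024-05-28T13:00:15Z user=bob result=failure country=TR
2024-05-28T13:00:40Z user=bob result=success country=TR
2024-05-28T13:20:00Z user=alice result=success country=NG
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|failure) country=(?P<country>[A-Z]{2})$"
)


def parse_events(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "user": m.group("user"),
            "result": m.group("result"),
            "country": m.group("country"),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events, fail_threshold=5, fail_window=timedelta(minutes=1),
                     travel_window=timedelta(hours=2)):
    """Return (user, alert_type, timestamp) tuples.

    Rules (thresholds are assumptions for the demo):
      failed_login_burst : fail_threshold failures for one user inside fail_window
      new_country        : success from a country never seen for that user before
      impossible_travel  : two successes from different countries inside travel_window
    The baseline of known countries is built from the stream itself, so each user's
    first login seeds the baseline instead of raising an alert.
    """
    alerts = []
    known_countries = defaultdict(set)    # user -> countries seen in successful logins
    recent_failures = defaultdict(deque)  # user -> failure timestamps inside the window
    last_success = {}                     # user -> most recent successful event

    for e in events:
        u = e["user"]
        if e["result"] == "failure":
            q = recent_failures[u]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > fail_window:   # drop failures older than the window
                q.popleft()
            if len(q) == fail_threshold:                 # fire once when the threshold is hit
                alerts.append((u, "failed_login_burst", e["ts"]))
            continue

        if known_countries[u] and e["country"] not in known_countries[u]:
            alerts.append((u, "new_country", e["ts"]))
        prev = last_success.get(u)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
            alerts.append((u, "impossible_travel", e["ts"]))

        known_countries[u].add(e["country"])
        last_success[u] = e
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {kind}")
```

On the sample data this yields three alerts: a failed-login burst for bob at 13:00:15, then a new-country login and an impossible-travel alert for alice at 13:20. A production system would replace the hard-coded thresholds with learned per-user baselines and add further features (device, ASN, time of day), but the shape of the pipeline, parse, baseline, score, alert, is the same.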

Challenges and Risks of AI in META Banks 

While the benefits of AI in META banks are undeniable, some challenges and risks need to be addressed. One of the major challenges is the availability of quality data. AI algorithms rely on large volumes of accurate and relevant data to make accurate predictions and decisions. META banks need to ensure that their data is clean, well-structured, and easily accessible to maximize the effectiveness of AI. This may require investments in data management and data governance processes.

Another challenge is the ethical use of AI. As AI becomes more integrated into banking operations, concerns arise regarding bias, transparency, and privacy. AI algorithms can inadvertently perpetuate biases present in the data they are trained on, leading to unfair or discriminatory outcomes. META banks must establish ethical frameworks and guidelines to ensure that AI is used responsibly and in a manner that respects individual privacy and rights.

The future of AI in META banks is promising. As AI technologies continue to advance, banks in the META region will be able to further enhance their operations and customer experiences. One area with immense potential is predictive analytics. By leveraging AI algorithms, META banks can predict customer behavior, market trends, and economic indicators, enabling them to make informed business decisions and stay ahead of the competition.

Additionally, the rise of big data and the Internet of Things (IoT) will create new opportunities for AI in the META region. The ability to collect and analyze vast amounts of data from diverse sources will enable banks in the META region to gain deeper insights into customer preferences, market dynamics, and risk factors. AI-powered chatbots will become even more sophisticated, providing personalized recommendations and engaging in natural language conversations with customers.

Conclusion

The AI revolution is reshaping the banking sector in the Middle East, Turkey, and Africa. By embracing AI technologies, banks in the META region can unlock a multitude of benefits, including improved operational efficiency, enhanced risk management, and personalized customer experiences.

However, the successful implementation of AI requires careful planning, investment in infrastructure, and the ethical use of data. Despite the challenges and risks, the future of AI in META banks is bright, with the potential to revolutionize the way financial services are delivered and experienced.

RedTail Cryptominer Evolves with Palo Alto PAN-OS CVE-2024-3400 Vulnerability

RedTail cryptominer

The operators of the RedTail cryptominer, which was the biggest cryptominer operation last year, have now started to exploit the Palo Alto PAN-OS CVE-2024-3400 vulnerability against their victims. According to a report by cloud computing company Akamai, the threat actor has expanded their attack vectors to include the Palo Alto PAN-OS vulnerability, and the sophistication and evasive techniques used by this RedTail variant are notable in the campaign, the researchers wrote. The evolution of the RedTail cryptominer points to a direct investment of resources, particularly staffing, infrastructure, and advanced obfuscation techniques. The threat actor's chain of infection now begins with exploitation of the CVE-2024-3400 vulnerability and incorporates private cryptomining pools into the operation.

RedTail Cryptominer Leverages Private Cryptomining Pools

According to Akamai, the operators of the RedTail cryptominer have chosen to use private cryptomining pools to gain more control over their mining activities, even though this comes with higher operational and financial costs. The tactics used in this campaign closely resemble those used by the Lazarus group, the researchers say. By using private pools, the attackers gain better control and security over their operations, as other prominent threat groups have done. This shift towards private pools suggests a more coordinated and intentional strategy in cryptomining activities, which raises the possibility of involvement by nation-state actors.

RedTail Cryptominer: Sneaky and Stealthy

The RedTail cryptominer is no amateur when it comes to flying under the radar and maintaining its grip on compromised systems. It employs anti-research measures and wraps the XMRig cryptomining code in extra layers of encryption and logic. The malware also tunes its mining operations to be as efficient and profitable as possible. In addition to exploiting the PAN-OS CVE-2024-3400 vulnerability, the actors behind RedTail are targeting a variety of other vulnerabilities across different devices and platforms, including exploits aimed at SSL-VPNs, IoT devices, web applications, and security devices such as Ivanti Connect Secure.

How to Use the Akamai App & API Protector?

Akamai recommends its App & API Protector for additional protection, and advises organizations to identify all Palo Alto devices in their estate and patch them to keep out the RedTail cryptominer. Users can also harden their devices against attacks such as web platform attacks, command injection, and local file inclusion. The developers of RedTail do not rely solely on the PAN-OS CVE-2024-3400 vulnerability; they also exploit several other vulnerabilities in different platforms and devices, including SSL VPNs, IoT products, web apps, and security appliances such as Ivanti Connect Secure.

OpenAI Exposes AI-Powered State Actors in Global Influence Operations

covert influence operations

Malicious actors from Russia, China, Israel, and Iran have been leveraging artificial intelligence to target victims, according to OpenAI's latest report. These threat actors are using AI models in covert influence operations. The report details various adversary tactics, ranging from the grammatical manipulations of the "Bad Grammar" network to the advanced strategies employed by the "Doppelganger" threat actor, providing deep insight into these activities. Through an in-depth analysis of recent developments and disruptions, the "AI and Covert Influence Operations: Latest Trends" report offers valuable insight into the modern-day tactics employed by threat actors to manipulate narratives and influence public opinion across online platforms.

Threat Actors Employ AI and Covert Influence Operations

These threat actors, hailing from diverse geopolitical regions, including Russia, China, Iran, and a commercial entity based in Israel, have exploited the technology of artificial intelligence, especially generative AI, to create a series of covert influence operations. These operations, meticulously documented and analyzed within the report, exemplify the sophisticated strategies employed by malicious actors to exploit AI technologies for their nefarious agendas, says OpenAI. One of the prominent operations highlighted in the report is "Bad Grammar," a previously undisclosed campaign originating from Russia. Operating primarily on the messaging platform Telegram, Bad Grammar sought to disseminate politically charged content targeting audiences in Ukraine, Moldova, the Baltic States, and the United States. Despite its geographic reach, this operation was characterized by its blatant grammatical errors, reflecting a deliberate attempt to undermine credibility while leveraging AI models for content generation. Similarly, the report sheds light on the activities of "Doppelganger," a persistent threat actor linked to Russia, engaged in disseminating anti-Ukraine propaganda across various online channels. Employing a hybrid approach that combines AI-generated content with traditional formats such as memes sourced from the internet, Doppelganger exemplifies the fusion of old and new tactics in these campaigns.

Influencing Geographical Politics

The report also highlights covert influence campaigns linked to China, Iran, and a commercial group in Israel, in addition to those connected with Russia. These operations, known by names like "Spamouflage" and "STOIC," use various strategies to push their specific agendas. Their activities include promoting pro-China narratives while attacking its detractors, as well as creating content focused on the Gaza conflict and the elections in India. Despite the diverse origins and tactics employed by these threat actors, the report highlights common trends that shed light on the current state of covert influence. One such trend is the pervasive use of AI models to augment productivity and streamline content generation processes. From generating multilingual articles to automating the creation of website tags, AI serves as a force multiplier for malicious entities seeking to manipulate digital discourse. Furthermore, the report delves into the interplay between AI-driven strategies and human error, emphasizing the fallibility of human operators engaged in covert influence operations, and cites instances of AI-generated content that carried telltale signs of automation by state-backed actors.

Russian Hacktivist Group UserSec Opens Recruitment Drive for Hackers

UserSec Recruitment

The notorious Russian hacktivist collective UserSec is actively seeking specialists to join its ranks, signaling a new recruitment drive within the hacking community. The group, known for its anti-NATO stance and pro-Russian sentiments, recently posted a UserSec recruitment drive plan on Telegram channels, emphasizing the need for individuals skilled in multiple hacking techniques and virus handling. In addition to traditional hacking roles, UserSec is also launching a specialized training program focused on website defacement techniques. This initiative includes updated materials, new tools, and bonus resources for recruits. The group aims to expand its capabilities and bolster its operations through this recruitment effort.

UserSec Recruitment Drive for Hackers

UserSec Recruitment Drive (Source: Dark Web)

The UserSec recruitment drive plan comes amidst ongoing tensions between Russia and NATO, with UserSec previously declaring a cyber campaign targeting NATO member states. Notably, the group has collaborated with other pro-Russian hacking groups, such as KillNet, to orchestrate coordinated attacks against NATO. Talking about the recruitment plan, the threat actor stated they are “looking for promising specialists” to join their teams, including individuals who are interested in pen testing, social engineering, reverse engineers, and “people who know how to work with viruses”. UserSec, a pro-Russian hacking group active since at least 2022, has gained notoriety for its Distributed Denial of Service (DDoS) attacks and collaboration with other like-minded groups. In May 2023, UserSec made headlines by declaring a cyber campaign aimed at NATO member states, forming an alliance with KillNet to carry out coordinated attacks.

UserSec’s Plans for Unified Collaborative Environment 

The recent recruitment drive highlights UserSec's plan to create a unified environment for hackers. By seeking specialists in various hacking techniques and offering training in website defacement, UserSec aims to attract individuals who can contribute to its objectives of disrupting adversaries and advancing its pro-Russian agenda. The collaboration between UserSec and KillNet further highlights a concerning trend in cyber warfare, where hacking groups align themselves to target politically significant entities. By leveraging Distributed Denial of Service (DDoS) attacks, UserSec demonstrates its disruptive capabilities and willingness to engage in cyber warfare for geopolitical purposes. The targeting of NATO member states raises questions about the potential implications for international security, emphasizing the urgent need for enhanced cybersecurity measures. As hacking groups continue to evolve and collaborate to launch large-scale attacks, governments and organizations must prioritize cybersecurity to mitigate the threat posed by groups like UserSec.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Internet Archive Defends Against Cyberattack Amid DDoS Assault

Internet Archive cyberattack

Internet Archive, one of the oldest online directories of websites, movies, books, software and more, is facing a cyberattack that has disrupted its services for over three days. The Internet Archive cyberattack, identified as a distributed denial-of-service (DDoS) assault, has besieged the service and inundated its servers with repeated requests. While the organization is reassuring users that its collections remain secure, the accessibility of its Wayback Machine, a tool allowing users to explore historical web pages, has been compromised.

Internet Archive Cyberattack Targets Multiple Systems

According to a blog post shared by Internet Archive on May 28, intermittent service disruptions have been reported over the past few days, confirmed by updates shared by Archive officials on social media platforms. Despite efforts to mitigate the attack, the exact source remains undisclosed. In response to the DDoS attack, Brewster Kahle, the founder and digital librarian of the Internet Archive, expressed gratitude for the outpouring of support while reaffirming the organization's commitment to fortify its defenses. Kahle characterized the attack as "sustained, impactful, targeted, adaptive, and importantly, mean" in the blog post.

Mitigation Against the Internet Archive DDoS Attack

The Internet Archive serves as a valuable resource for users seeking access to a diverse range of media content, both historical and contemporary, free of charge. However, its mission to democratize access to knowledge has encountered legal challenges, with the organization facing lawsuits from the U.S. book publishing and recording industry associations in the last year. The legal actions alleged copyright infringement and sought significant damages, casting a shadow over the future operations of libraries worldwide. The cyberattack on the Internet Archive echoes a troubling trend of attacks targeting libraries and knowledge institutions globally. Recent victims include the British Library, the Solano County Public Library in California, the Berlin Natural History Museum, Ontario’s London Public Library, and just this week, the Seattle Public Library. In light of the ongoing cyberattack and legal battles, Kahle emphasized the broader implications for libraries everywhere. He warned that the actions of publishing and recording industries threaten to undermine the very existence of libraries, posing a grave concern for patrons worldwide. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Internet Archive cyberattack or any further communication from the organization.

Fortinet FortiSIEM Vulnerabilities Expose Systems to Remote Code Execution

FortiSIEM vulnerability

Multiple vulnerabilities have recently been discovered in Fortinet FortiSIEM, raising concerns over potential remote code execution exploits. FortiSIEM, renowned for its real-time infrastructure and user awareness capabilities facilitating precise threat detection, analysis, and reporting, faces significant risks due to this FortiSIEM vulnerability. The identified vulnerabilities, if successfully exploited, could grant remote attackers the ability to execute code within the context of the affected service account. This could lead to a range of malicious activities, including the installation of unauthorized programs, manipulation of data, or even the creation of new accounts with extensive user rights. 

Understanding the Fortinet FortiSIEM Vulnerability

The severity of the Fortinet FortiSIEM vulnerability varies based on the privileges associated with the compromised service account, with administrative accounts posing the highest risk. According to SingCERT, proof-of-concept exploits are already available for CVE-2024-23108 and CVE-2023-34992, indicating an immediate threat to vulnerable systems. Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, and 6.4.0 through 6.4.2 are all affected by the vulnerabilities. The risks associated with these vulnerabilities vary across different sectors, with large and medium government entities and businesses facing high risk, while small government entities and businesses face a medium level of risk. Home users, however, are considered to have low-risk exposure.

Technical Analysis of FortiSIEM Vulnerability

Technical analysis of these FortiSIEM vulnerabilities maps them to the MITRE ATT&CK Execution tactic, specifically the Command and Scripting Interpreter technique. Multiple instances of improper neutralization of special elements used in an OS command have been identified in the FortiSIEM supervisor. These vulnerabilities could be exploited by remote, unauthenticated attackers via specially crafted API requests.

To mitigate the risks associated with these FortiSIEM vulnerabilities, it is recommended to promptly apply the patches provided by Fortinet after thorough testing. Other measures include establishing and maintaining a documented vulnerability management process for enterprise assets, performing regular automated application updates, enforcing network-based URL filters to limit access to potentially malicious websites, applying the principle of least privilege to privileged account management, blocking unauthorized code execution through application control and script blocking, establishing and maintaining a secure configuration process for enterprise assets and software, and addressing penetration test findings according to the enterprise's remediation policy. By adhering to these recommendations, organizations can effectively mitigate the vulnerabilities in Fortinet FortiSIEM, safeguarding their systems against potential remote code execution exploits. Stakeholders must prioritize these actions to ensure the security and integrity of their IT infrastructure.
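The flaw class named above, improper neutralization of special elements in an OS command (CWE-78), is easiest to understand next to its fix. The following is an added Python example written for this page; it is not FortiSIEM code and says nothing about how the FortiSIEM supervisor is built. It places the vulnerable pattern (a request-supplied value pasted into a shell command string) beside a hardened form that allow-list validates the value and passes it as a single argv element with no shell involved. The `host` parameter, the `nslookup` command, and the allow-list pattern are assumptions chosen for illustration.

```python
import re
import shlex
import subprocess
from typing import List

# Allow-list for a hostname or IPv4 address: must start with a letter or digit
# (so the value can never be read as a "-option"), then only letters, digits,
# dots and hyphens. Everything else, including whitespace and newlines, is rejected.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_lookup_vulnerable(host: str) -> str:
    """VULNERABLE pattern (CWE-78), shown for contrast and never executed here.
    A value taken straight from an API request is interpolated into a command
    string intended for subprocess.run(..., shell=True). Shell metacharacters in
    `host` are interpreted by the shell, so the caller no longer controls which
    program runs or with what arguments."""
    return f"nslookup {host}"


def validate_host(host: str) -> str:
    """Positive validation: accept only what a hostname may contain, reject the rest.
    Raising on untrusted input is the intended behaviour, not an error path to hide."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def build_lookup_hardened(host: str) -> List[str]:
    """Hardened form: validate, then build an argv list. With shell=False the
    value reaches nslookup as exactly one argument and is never parsed by a shell."""
    return ["nslookup", validate_host(host)]


def build_lookup_quoted(host: str) -> str:
    """Second-best option when a shell is unavoidable: validate first, then
    shell-quote so the shell treats the value as a single literal word."""
    return f"nslookup {shlex.quote(validate_host(host))}"


def run_lookup(host: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Execute the hardened command. It runs under the calling service account,
    which is why least privilege for that account bounds the impact of any bug
    that validation misses."""
    return subprocess.run(build_lookup_hardened(host), shell=False,
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed sample values: two legitimate, three that must be refused.
    for value in ["fortisiem.example.com", "10.0.0.1", "a;b", "-opt", "a b"]:
        try:
            print("accepted:", build_lookup_hardened(value))
        except ValueError as err:
            print("rejected:", err)
```

The order matters: validation first, argv list second, shell quoting only as a fallback. Validation alone is brittle (a future code path may forget it), and quoting alone still hands the string to a shell; the argv form removes the shell from the picture entirely, which is the property a reviewer should look for in any code that reaches `subprocess` or its equivalents.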

LockBit Ransomware Group Allegedly Strikes Heras UK in Cyberattack

Heras cyberattack

The LockBit ransomware group has targeted Heras UK, a prominent European provider of end-to-end perimeter protection solutions. The threat actor claimed the Heras cyberattack and shared a website status displaying the downtime alongside a countdown, ticking away the time until the data breach is potentially exploited. Heras, operating across 24 countries with a workforce of over 1100 skilled professionals, reportedly faces a data breach.  The Cyber Express, in pursuit of clarity on the attack, reached out to the organization for comments. However, at the time of writing this, no official statement has been issued, leaving the alleged Heras data breach unconfirmed. Despite the claims, Heras' website remains functional, showing no immediate signs of the cyber attack. It's plausible that the attackers targeted the website's backend, opting for stealth over a frontal assault like DDoS or defacement.

Alleged Heras Cyberattack Surfaces on Dark Web

Heras cyberattack (Source: Dark Web)

The cyberattack on Heras comes amidst a spree of cyber attacks orchestrated by the LockBit ransomware group. Notably, the group targeted Allied Telesis, Inc., a leading American telecommunication equipment supplier. While the Heras data breach purportedly occurred on May 27, 2024, the authenticity of the claims and the leaked data remains unverified.

In a bold move earlier this year, the United States imposed sanctions on affiliates of the Russia-based LockBit ransomware group. This decisive action, led by the U.S. Department of Justice and the Federal Bureau of Investigation, signals a unified stance against cyber threats. LockBit, notorious for its Ransomware-as-a-Service (RaaS) model, employs double extortion tactics to extort hefty ransoms from its victims.

Who is the LockBit Ransomware Group?

The LockBit ransomware group is a sophisticated cybercrime organization that targets enterprises and government organizations. Formerly known as "ABCD" ransomware, LockBit operates as a crypto-virus, demanding financial payment in exchange for the decryption of encrypted files. Unlike some ransomware that targets individuals, LockBit primarily focuses on large entities, seeking hefty sums from viable targets. Since its inception in September 2019, LockBit has targeted organizations globally, including those in the United States, China, India, Indonesia, Ukraine, France, the UK, and Germany. It strategically selects targets likely to have both the financial means and the urgency to resolve the disruption caused by the attack. Notably, LockBit avoids attacking systems within Russia and the Commonwealth of Independent States, possibly to evade prosecution. As for the Heras data breach, this is an ongoing story and The Cyber Express will be closely monitoring the situation and we'll update this post once we have more information on the attack or any official confirmation from the organization.

BBC Data Breach: Over 25,000 Employee Records Compromised, Investigation Underway

BBC data breach

The British Broadcasting Corporation (BBC) is investigating a data breach that exposed sensitive information belonging to over 25,000 present and past employees. The BBC data breach, which occurred within the corporation's pension scheme, has triggered a reaction from authorities regarding cybersecurity protocols. The pension scheme, in an email dispatched to its members, highlighted the gravity of the BBC employee data breach, emphasizing that the incident is being treated with the utmost seriousness. Approximately 25,290 individuals have been impacted by this breach, according to statements made by scheme representatives. Talking about this cybersecurity incident and its legal repercussions with The Cyber Express, Lauren Wills-Dixon, data privacy expert at law firm Gordons, stated that data breaches that lead to "unauthorised access to personal data is classed as a personal data breach under data protection laws".

BBC Data Breach Impacts Current and Former Employees

According to Birmingham Live, the security incident is being taken "extremely seriously” by the BBC and there is “no evidence of a ransomware attack.” Despite speculation of a possible ransomware attack, the British public service broadcaster has dispelled any conjecture, asserting that there is currently no evidence supporting this theory. The BBC clarified that the breach stemmed from private records being illicitly accessed from an online data storage service. Catherine Claydon, Chair of the BBC Pension Trust, assured employees that swift action had been taken to address the breach and secure the affected data source, The Guardian reported.

In an email sent to the staff, Claydon reassured the employees that “BBC have taken immediate steps to assess and contain the incident.” Talking about the mitigation strategies, the organization stated: “We are working at pace with specialist teams internally and externally to understand how this happened and take appropriate action. As a precaution, we have also put in place additional security measures and continue to monitor the situation.”

The legal obligations arising from this data breach are far-reaching, and in cases where the incident impacts individual rights and freedoms, "this comes with a regulatory obligation to notify the Information Commissioner, and where people are at 'high risk' the affected organisation must notify those individuals too without undue delay", said Lauren.

BBC Employee Data Breach and Ongoing Investigation

Despite assurances from the BBC, concerns linger regarding the potential misuse of the compromised information. Employees have been advised to remain vigilant and report any suspicious activity promptly. The breach, though attributed to a third party cloud storage provider, threatens the security of the impacted individuals, and "BBC - and any ‘data controller’ under data protection laws - remains primarily responsible for the security measures it adopts and external providers it engages to store and protect its personal data", added Lauren. Moreover, no passwords or bank details "appear to have been compromised, but the advice for those individuals involved is to be vigilant of any unusual activity or requests". Acknowledging the severity of the breach, a spokesperson for the BBC pension scheme issued a sincere apology to affected members. Reassurances were offered regarding the swift response and containment of the breach, coupled with ongoing efforts to upgrade security measures and monitor the situation closely. Inquiries into the incident are ongoing, with external cybersecurity experts collaborating with internal teams to dissect the breach and its implications thoroughly. However, as of now, no official statement has been issued regarding the involvement of ransomware groups in the breach. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the BBC employee data breach or any official response from the organization.

BSNL Database on Sale Again: Dark Web Actor Claims to Compromise Over 15 Undisclosed Asian Telecom Organizations


Bharat Sanchar Nigam Limited (BSNL), a prominent Indian telecommunications company, has once again found itself at the center of a massive data security breach. The BSNL data breach, orchestrated by a threat actor known as kiberphant0m, exposes sensitive data about the organization and highlights how vulnerable such information remains. The claim for the BSNL data leak emerged on May 27, 2024, revealing that kiberphant0m was offering unauthorized access to databases stolen from BSNL, along with data from undisclosed Asian telecom organizations. Among the compromised data are IMSI records, SIM details, home location register (HLR) data, DP security key data, and a snapshot of the Oracle Solaris server. Additionally, the threat actor claimed to possess login credentials for various digital infrastructures and applications of BSNL.

A Massive BSNL Data Breach Surfaces on Dark Web

The BSNL data leak poses a severe threat to the privacy and security of BSNL customers and highlights the potential risks associated with cyberattacks on telecom infrastructure. The stolen data, advertised for sale on underground forums like XSS and Telegram, could fetch significant sums on the black market, highlighting the lucrative nature of cybercrime. [Image: BSNL Data Breach (Source: Dark Web)] The major concern in this BSNL data leak is the inclusion of sensitive customer information, which, if exploited, could lead to identity theft, financial fraud, and other malicious activities. The urgency of the situation is further emphasized by kiberphant0m's warning to potential buyers and Indian authorities, suggesting that the data could be sold to other parties if not addressed promptly. “India if you want to secure your data and do not want it to be sold you must buy it first, contact me BEFORE someone purchases this data. It could be 3 hours to 24 hours, who knows”, says the hacker.

Big Threats, Yet No Response 

Despite the gravity of the situation, BSNL has yet to issue an official statement or response regarding the breach, leaving the claims unverified. This lack of transparency further compounds the uncertainty surrounding the extent of the breach and the measures being taken to mitigate its impact. Talking about the BSNL data breach, the threat actor says, “This is not the same data as the previous telecom post! we have breached over 15 Asian telecoms! Information is worth several million dollars but I'm selling for pretty cheap. Negotiate a deal on telegram. State Threat Actors are also welcome to buy this data, I will sell to anyone who wants it.” Moreover, this incident is not the first time BSNL has faced cybersecurity challenges. In 2023, the company experienced a massive data breach affecting over 2.9 million lines, with leaked data of landline users being sold on the dark web by a hacker known as 'Perell.' The recurrence of such breaches highlights the rise of cyberattacks on telecom companies, especially those located in Asia.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Shell Data Breach: Hacker Group 888 Claims Responsibility for Alleged Cyberattack


The notorious hacker group 888 has claimed responsibility for a Shell data breach targeting the British multinational oil and gas company. According to their claims, approximately 80,000 individuals could be affected by this breach across several countries, including the United States, United Kingdom, Australia, France, India, Singapore, the Philippines, the Netherlands, Malaysia, and Canada. The compromised data, shared by the threat actor on a hacking forum, includes a range of sensitive information related to Australian users. The sample data contained shopper codes, first and last names, email addresses, contact mobile numbers, postcodes, Nectar information, site addresses, and transaction details. Notably, these transactions appear to be associated with Reddy Express (formerly Coles Express) locations in Australia.

An Alleged Claim of Shell Data Breach Surfaces

[Image: Shell Data Breach (Source: Dark Web)] The claims of this Shell data leak were shared on a popular hacking forum by the user Kingpin, along with glimpses of sample data allegedly related to the organization. The Cyber Express has reached out to the oil and gas company to learn more about this Shell data breach and the authenticity of the hackers' claims about the data. However, at the time of writing, no official statement or response has been received. This lack of confirmation leaves the claims regarding the Shell data breach unverified, although the potential implications are serious for the customers and stakeholders associated with the organization. Talking about the cyberattack on Shell, the hacker Kingpin states that the organization suffered a data breach in May 2024 and that the breached data allegedly contained "Shopper Code, First Name, Last Name, Status, Shopper Email, Contact Mobile, Postcode, Nectar, Suburb, State, Site Address, Suburb 1, Country, Site Name, Last Login, Pay and Association Number".

A Similar Incident from the Past

This purported breach is not the first time Shell has been targeted by cyberattacks. In the past, the company has faced similar security incidents, including a ransomware attack and a data security incident involving Accellion’s File Transfer Appliance. These incidents highlight the persistent threat posed by cybercriminals to organizations, particularly those in the energy sector. In response to previous incidents, Shell had emphasized its commitment to cybersecurity and data privacy. The company has initiated investigations into the recent breaches and is working to address any potential risks to affected individuals and stakeholders. Additionally, Shell had previously contacted relevant regulators and authorities to ensure compliance with data protection regulations and to mitigate the impact of the previous breach. The current Shell data leak is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on this alleged Shell data breach or any official confirmation from the organization.

RansomHub Cyberattack Targets Serbian Gas Firm PSG BANATSKI DVOR, Disables SCADA Systems


The RansomHub group has claimed a cyberattack on PSG BANATSKI DVOR D.O.O., a gas storage services provider based in Serbia. The claims for this RansomHub cyberattack were posted on May 28, 2024, and revealed sensitive data about the organization, threatening the security of critical infrastructure and the integrity of sensitive data. According to the threat actor's post, RansomHub exfiltrated a substantial amount of data totaling 80 GB. Among the stolen information are critical files encompassing IT, Accounting, Finance, Projects, Client database (in SQL format), Budgets, Taxes, Logistics and supply chain management, Production data, HR, Legal data, KPI, and R&D documents. Additionally, the threat actors have allegedly disabled the SCADA (Supervisory Control and Data Acquisition) systems, further exacerbating the operational impact of the attack.

RansomHub Cyberattack Allegedly Targets PSG BANATSKI DVOR

[Image: RansomHub Cyberattack (Source: Dark Web)] The cybercriminals have set a deadline of 5 days before the stolen data is leaked, adding urgency to the situation. The implications of such a breach extend beyond PSG BANATSKI DVOR, affecting not only the company but also its clients and stakeholders. The Cyber Express has reached out to the Serbian gas service provider to learn more about the authenticity of this alleged PSG BANATSKI DVOR cyberattack. However, at the time of writing, no official statement or response has been received, leaving the claims for this RansomHub cyberattack unconfirmed. Moreover, the PSG BANATSKI DVOR website is currently nonfunctional and is displaying a "took too long to respond" error. Such an error, often seen during cyberattacks, suggests disruption to the normal functioning of the website, possibly due to overwhelming server load or exploitation of vulnerabilities in the site's infrastructure.

Threat Actor Blames Employee for the PSG BANATSKI DVOR Cyberattack

Apart from claiming a cyberattack on PSG BANATSKI DVOR, the threat actor is demanding cooperation, or else they'll expose the stolen data. “We have all the important files, such as: IT, Accounting, Finance, Projects, Client database (in SQL format) Budgets, Taxes, Logistics and supply chain management, Production data, HR, Legal data, KPI, R&D. Over 80 GB of sensational information has been downloaded”, says the hacker. Additionally, the group blames an employee named Dejan Belić for the breach. The threat actors have previously targeted similar victims and share similarities with traditional Russian ransomware groups, while refraining from targeting certain countries and non-profits. Their victims span various countries, including the US and Brazil, with healthcare institutions being particularly targeted. While major corporations haven't been hit yet, the breadth of targeted sectors is concerning.

TRC Staffing Data Breach Fallout: Murphy Law Firm Offers Legal Support to Victims


TRC Staffing is at the center of a concerning data breach, leaving personal information vulnerable to cybercriminals. Murphy Law Firm has taken action on behalf of the victims, investigating legal avenues for those affected by this security incident. The TRC Staffing data breach was discovered on April 12, 2024, and exposed a security flaw within TRC's network. Cybercriminals exploited this vulnerability between March 25, 2024, and April 12, 2024, gaining unauthorized access to sensitive data belonging to approximately 158,593 individuals. Names and Social Security numbers were among the compromised information, heightening concerns about potential identity theft and fraud. Explaining the lawsuit to interested parties, Murphy Law Firm stated that they are "evaluating legal options, including a potential class action lawsuit, to recover damages for individuals who were affected by the data breach."

Understanding the Full Extent of the TRC Staffing Data Breach

In response to this TRC Staffing breach, Murphy Law Firm is actively engaging on behalf of those impacted. Their investigation aims to uncover the full extent of damages and explore avenues for legal recourse, including the possibility of a class action lawsuit. Individuals who have received notifications of the breach or suspect their information may have been compromised are urged to take action. By visiting the dedicated page at https://murphylegalfirm.com/cases/trc-data-breach/, affected parties can access information regarding their rights and legal options. The repercussions of this breach extend beyond mere inconvenience. With personal and highly confidential information potentially circulating on the dark web, users' identities are at risk. Murphy Law Firm recognizes the urgency of addressing these concerns and is advocating for the rights of those affected.

How Can Victims Join the TRC Staffing Lawsuit?

To join the lawsuit and seek potential compensation, individuals can fill out a contact form provided by Murphy Law Firm. This form requires essential details such as name, contact information, and whether a breach notification letter was received. Additionally, users can provide any relevant information regarding fraud or suspicious activity they may have experienced. For those seeking guidance or further assistance, Murphy Law Firm can be reached directly via email at abm@murphylegalfirm.com or by phone at (405) 389-4989. Protecting the rights and interests of individuals affected by the TRC Staffing data breach is important, and Murphy Law Firm is representing the victims through the legal process.

Hacker Claims Ticketmaster Data Breach: 560M User Details and Card Info at Risk


A cybercriminal going by the alias "SpidermanData" has claimed to breach and advertise a massive database purportedly linked to Ticketmaster Entertainment, LLC. The claim of the Ticketmaster data breach, dated May 27, 2024, was posted on the cybercrime forum Exploit and shares threatening information about the organization, including a database of “560M Users + Card Details”. The threat actor has also claimed to have access to 1.3TB of stolen data and is currently selling it for $500k. The post, accompanied by sample data, suggests that the data indeed belongs to Ticketmaster Entertainment. However, the American ticket sales and distribution company has yet to share any information about this alleged Ticketmaster data breach. Additionally, apart from the Ticketmaster data breach, the company is also facing a lawsuit from the Justice Department for anti-competitive practices, limiting venue options, and threatening financial consequences. The lawsuit follows public outcry, including ticketing issues during Taylor Swift's tour. High prices, fueled by post-pandemic demand, have intensified scrutiny. Live Nation denies monopolistic behavior, but the lawsuit contends their dominance drives up prices. The Ticketmaster data breach poses another threat to the organization, since databases of this caliber are usually hot-selling items on the dark web.

Ticketmaster Data Breach: The Worst Time to Have a Cybersecurity Incident

SpidermanData claims to have access to a staggering 560 million records brimming with personally identifiable information (PII) of customers, including sensitive payment card details. This breach couldn't have come at a worse time for Ticketmaster, coinciding with the onset of several major music festivals scheduled between May 2024 and January 2025. Among these highly anticipated events is the FOREIGNER concert, featuring legendary rock acts led by Mick Jones and Kelly Hansen. The musical act will begin on June 11, 2024, in the United States and will conclude on November 9, 2024. Following suit is the iconic band HEART, set to perform across the United States from July to November 2024, culminating in an international concert in Calgary, AB, Canada. Meanwhile, Allison Russell and Hozier are primed to perform from May to August 2024. Adding to this list of bands performing this year, artists like Ian Munsick, Prateek Kuhad, and Kathleen Hanna will also go on tours across North America between 2024 and 2025. However, the jubilant atmosphere surrounding these events is now overshadowed by the threat of one of the biggest data breaches, affecting millions of users globally. The purportedly compromised data, amounting to a staggering 1.3 terabytes, has been divided into 15 parts, with the hacker offering samples from two segments. One dataset, extracted from a 'PATRON' database, contains a plethora of personal information, including names, addresses, emails, and phone numbers. Meanwhile, the other dataset includes information about customer sales, encompassing crucial details like event IDs and payment methods.

The Aftermath and Industry Implications

SpidermanData has listed the entire dataset for sale, quoting a hefty price tag of USD 500,000, and restricting the sale to a single buyer. The gravity of this situation cannot be overstated, with the compromised data posing significant risks of identity theft, financial fraud, and other criminal activities - something we've already seen in previous data breaches like the MOVEit File Transfer incident. Live Nation Entertainment, the parent company of Ticketmaster, stands as a global juggernaut in the live entertainment domain, organizing and promoting thousands of shows annually across more than 40 countries. Meanwhile, Ticketmaster's pivotal role in facilitating ticket sales for musical and non-musical events highlights its significance within the industry, making it a prime target for cybercriminals seeking to exploit vulnerabilities for personal gain. The current Ticketmaster data breach is not the first time that the organization has faced a cyberattack. In November 2020, the company faced a hefty £1.25 million fine from the Information Commissioner's Office (ICO) following a payment data breach in 2018. The breach, stemming from a vulnerability in a third-party chatbot, compromised the personal and payment details of over nine million customers in Europe, triggering widespread fraud and financial losses. Whether the current data breach represents a resurgence of previously compromised data or the acquisition of freshly stolen data, the origin of the information in the databases remains unclear. Nevertheless, The Cyber Express will be closely monitoring the situation and we’ll update this post once we have more information on the Ticketmaster data leak or any official confirmation from the organization.

Alleged Cyberattack Strikes Allied Telesis: LockBit Ransomware Suspected


The notorious LockBit has claimed an alleged cyberattack on Allied Telesis, Inc., a prominent American telecommunication equipment supplier. The purported Allied Telesis data breach incident involves the infiltration of the company's systems by the ransomware group, known for its sophisticated cyber operations. The claimed breach, dated May 27, 2024, suggests that the Allied Telesis data breach exposed sensitive data about the organization. However, the claims have not been verified, nor has the sample data posted by the threat actor.

Alleged Allied Telesis Data Breach Exposes Sensitive Information

The information supposedly exfiltrated includes confidential project details dating back to 2005, passport information, and various product specifications. As a demonstration of their intrusion, the threat actors purportedly disclosed blueprints, passport details, and confidential agreements, issuing a deadline of June 3, 2024, for the full release of the compromised data. [Image: Alleged Allied Telesis Data Breach (Source: Dark Web)] Despite the gravity of the allegations, Allied Telesis has yet to confirm or refute the purported cyberattack. The Cyber Express reached out to the company for clarification, but as of this writing, no official statement has been issued. Consequently, the authenticity of the alleged breach remains unverified, leaving the situation shrouded in uncertainty. Interestingly, the timing of these allegations coincides with significant organizational changes within Allied Telesis. On May 27, 2024, the company reportedly relocated its China branch to a new address. Moreover, the recent re-appointment of Jon Wilner as the Vice President of Customer Success highlights some of the big changes within the organization and possibly hints at the “why” behind the alleged data breach.

Collaborative Ventures Amid Uncertainty

In the midst of this alleged security breach, Allied Telesis has been actively engaged in strategic partnerships aimed at upgrading its security features. Just last month, the company announced a collaboration with Hanwha Vision America, integrating cutting-edge video surveillance technology with its networking infrastructure. This alliance aims to deliver secure and scalable surveillance solutions to organizations seeking enhanced security measures. Key highlights of this partnership include interoperability, enhanced security features, scalability, and simplified management of surveillance systems. By leveraging Allied Telesis' expertise in secure networking alongside Hanwha Vision America's advanced surveillance technology, customers can expect comprehensive solutions tailored to their security needs. While the motives behind the alleged Allied Telesis cyberattack remain unclear, previous actions against the LockBit ransomware group shed light on the seriousness of the threat the group poses. Law enforcement agencies have previously taken down servers associated with LockBit operations, confiscating crucial details such as admin panel credentials, affiliate network information, and cryptocurrency transactions.

TP-Link Resolves High-Stakes Vulnerability in Archer C5400X Gaming Router


In a recent disclosure by ONEKEY Research Lab, a critical vulnerability in the TP-Link Archer C5400X gaming router was exposed, leading to remote command execution. The TP-Link Archer C5400X is a gaming router with integrated malware defense and compatibility with Alexa voice commands and IFTTT applets. This TP-Link Archer C5400X vulnerability, tracked as CVE-2024-5035, was rooted in command injection, a format string vulnerability, and buffer overflows within components such as rftest and libshared. The vulnerability, known to affect versions before 1_1.1.7, posed a grave risk to users, potentially allowing malicious actors to execute arbitrary commands remotely with elevated privileges. While the format string vulnerability requires specific conditions for exploitation, the focus of this disclosure centered around the rftest binary, integral to the device's wireless functionality. In its patch update, TP-Link fixed the Archer C5400X vulnerability in version 1_1.1.7.

The Timeline of TP-Link Archer C5400X Vulnerability Exposure

According to ONEKEY Research Lab, the TP-Link Archer C5400X vulnerability was initially reported on February 16, 2024, with the submission of a detailed report to TP-Link's PSIRT. Following the report, TP-Link promptly opened a case on February 19. [Image: Archer C5400X vulnerability (Source: ONEKEY)] After collaborative efforts and validation processes, TP-Link shared a beta version of 1.1.7p1 on April 10 for further testing, culminating in the confirmation of the patch and its public disclosure by ONEKEY on May 27, 2024. The vulnerability exposed a critical flaw in the TP-Link Archer C5400X gaming router, rendering it susceptible to remote command execution. This exploit granted unauthorized users the ability to execute arbitrary commands on the device, posing security risks to users' data and network integrity. “It seems the need to provide a wireless device configuration API at TP-Link had to be answered either fast or cheap, which ended up with them exposing a supposedly limited shell over the network that clients within the router could use as a way to configure wireless devices”, said ONEKEY in the advisory.

Understanding the TP-Link Archer C5400X Vulnerability

[Image: Archer C5400X vulnerability (Source: TP-Link)] Central to this TP-Link Archer C5400X vulnerability is the rftest binary, launched during the device's initialization sequence. This binary, responsible for wireless interface self-assessment, inadvertently exposes a network service vulnerable to unauthenticated command injection. Attackers can leverage this vulnerability to remotely execute commands with elevated privileges, potentially compromising the device and its connected network. To mitigate the risk posed by this vulnerability, users are strongly advised to upgrade their devices to version 1_1.1.7. TP-Link has implemented fixes to prevent command injection through shell meta-characters, thereby enhancing the security posture of affected devices. However, users must remain vigilant and proactive in ensuring their devices are up to date with the latest firmware releases to safeguard against emerging threats.
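The fix described above, rejecting shell meta-characters before a client-supplied value reaches a command, is the standard defence against this class of bug. The following C program is an added example illustrating that pattern; it is not TP-Link's or ONEKEY's code, and the function names, the stand-in helper program and the sample inputs (`wlan0`, channel `36`) are assumptions constructed for the example. It pairs an allow-list validator with execvp(), so that a value received from a network client is never handed to a shell at all.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Allow-list check for a wireless-configuration value (interface name,
 * channel number and the like) received from a network client. Only
 * [A-Za-z0-9_.-] is accepted, so shell meta-characters such as ';', '|',
 * '&', '`', '$', quotes, spaces and newlines can never reach a command.
 * A leading '-' is also rejected so the value cannot be read as an option
 * by the tool it is handed to. Returns 1 if acceptable, 0 otherwise.
 * (Hypothetical helper written for this example.) */
int param_is_safe(const char *value, size_t max_len)
{
    if (value == NULL || max_len == 0) return 0;
    size_t n = 0;
    while (n <= max_len && value[n] != '\0') n++;   /* bounded length scan */
    if (n == 0 || n > max_len) return 0;
    if (value[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Run a fixed helper program with validated arguments using fork/execvp
 * rather than system(3). No shell is involved: each value becomes exactly
 * one argv entry, so nothing in it is re-parsed as a command separator.
 * Returns the helper's exit status, or -1 if validation fails or the
 * process cannot be started. (Hypothetical helper written for this example.) */
int run_wireless_helper(const char *helper, const char *iface, const char *channel)
{
    if (!param_is_safe(iface, 15) || !param_is_safe(channel, 3)) return -1;

    char *const argv[] = { (char *)helper, (char *)iface, (char *)channel, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(helper, argv);
        _exit(127);              /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one legitimate request and one carrying a
     * shell meta-character that the allow-list rejects before any exec. */
    const char *good = "wlan0";
    const char *bad  = "wlan0;ls";
    printf("\"%s\" accepted: %d\n", good, param_is_safe(good, 15));   /* 1 */
    printf("\"%s\" accepted: %d\n", bad,  param_is_safe(bad, 15));    /* 0 */
    /* "true" stands in for the real helper binary; exit status 0 expected. */
    printf("helper exit status: %d\n", run_wireless_helper("true", good, "36"));
    return 0;
}
```

The two controls are deliberately layered: the allow-list is what the advisory's fix amounts to, and the argv-based exec means that even a gap in the allow-list would not give a shell anything to interpret, because there is no shell in the call chain.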

Exposing Recent Vulnerabilities in Routers

The TP-Link Archer C5400X router vulnerability is just one of the cases where a flaw was exploited without a third-party breach. Previously, CISA flagged two end-of-life D-Link routers, adding them to its Known Exploited Vulnerabilities catalog. The router vulnerabilities, CVE-2014-100005 and CVE-2021-40655, affected three main products, DIR-600, DIR-605, and DIR-605L. Exploitation of these vulnerabilities allowed unauthorized configuration changes and the theft of usernames and passwords. The Cyber Security Agency of Singapore also highlighted these two vulnerabilities, stating that the mitigation strategy to avoid exploitation is to “retire and replace their devices with products that are supported by the manufacturer.”

Russian Cyber Army Claims Alleged Cyberattack on Bulgarian Ports Infrastructure Company


The notorious Russian Cyber Army hacker group has claimed the Bulgarian Ports Infrastructure Company cyberattack. The threat actor asserts a targeted assault on the organization’s website. While the hacker group asserts the website's downtime, initial observations contradict this claim, indicating that the site remains operational without visible signs of a cyber onslaught. The Cyber Express has reached out to the Bulgarian Ports Infrastructure Company to verify the claims of the cyberattack incident. However, at the time of writing, no official statement or response has been forthcoming, leaving the veracity of the claims surrounding the Bulgarian Ports Infrastructure Company cyberattack unconfirmed.

Russian Cyber Army Asserts Bulgarian Ports Infrastructure Company Cyberattack

Contrary to typical cyberattacks that result in website defacements or distributed denial-of-service (DDoS) disruptions, the purported assault by the Russian Cyber Army appears to have had minimal impact, if any, on the targeted website's operations. This suggests a potentially brief and ineffective attack, diverging from the more disruptive tactics commonly associated with cyber warfare. [Image: Bulgarian Ports Infrastructure Company Cyberattack (Source: X)] Talking about the Bulgarian Ports Infrastructure Company cyberattack in its post, the Russian Cyber Army states that it is attacking the “State Enterprise “Port Infrastructure” (IF)”, which is the territorial authority of the Bulgarian ports for public transport, providing traffic management and delivery information services. The Russian Cyber Army's recent activities have garnered attention, including a peculiar interview conducted by WIRED with a purported spokesperson known as "Julia." The interview sheds light on the group's motivations, which ostensibly revolve around defending Russian interests in the face of perceived external pressure from the United States, the European Union, and Ukraine.

Who is the Russian Cyber Army Hacker Group?

While the Russian Cyber Army portrays itself as a formidable force in the information warfare arena, experts caution against overestimating its influence, suggesting that the group's actions may primarily serve to bolster nationalist sentiments domestically rather than exert significant influence abroad. Moreover, the group's exposure by cybersecurity firms and government agencies highlights its emergence as a noteworthy entity on the global stage. Despite the hype surrounding the Russian Cyber Army's activities, analysts warn against succumbing to fear-mongering tactics, emphasizing the need for measured responses to cyber threats. As for the Bulgarian Ports Infrastructure Company cyberattack, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the alleged Bulgarian Ports Infrastructure Company cyberattack or any official confirmation from the organization.

Bitdefender Launches ‘Scamio’ on WhatsApp: A New AI Tool to Combat Online Scams in Australia


Bitdefender has launched the AI scam detector, Scamio, on WhatsApp in Australia. This innovative integration empowered Australians to utilize WhatsApp as a platform for efficiently verifying online scams and fraud instances. Bitdefender Scamio aims to address rising concerns surrounding online scams by providing a highly accessible and user-friendly tool directly within WhatsApp. Users could interact with the chatbot by submitting questionable content and conversationally describing the context. 

Bitdefender’s Scamio is Now Available on WhatsApp in Australia

Bitdefender Scamio is an AI-driven chatbot that analyzes submitted data and provides a verdict within seconds, along with recommendations for further action. Additionally, with this latest integration with WhatsApp, over 7.4M Australian users can use Scamio as their personal scam checker. [Image: Bitdefender’s Scamio (Source: Bitdefender)] The integration of Bitdefender’s Scamio with WhatsApp was a strategic response to the increasing use of artificial intelligence by malicious actors. Scammers were exploiting popular messaging apps and online services to steal money, credentials, and personal data. By integrating Scamio into WhatsApp, Bitdefender aimed to disrupt these criminal activities by offering a sophisticated tool capable of keeping pace with online scam tactics. The enhanced accessibility provided by this feature aimed to give an additional layer of security to Australians, who were disproportionately targeted by online fraudsters. Having Scamio available within WhatsApp streamlined the scam verification process for everyday users, reducing the time and effort required to identify potential scams.

How to use Bitdefender’s Scamio for Scam Detection?

In the USA and other countries, online scams remained a major concern, with the number of internet fraud reports rising in recent years. Phishing and online shopping scams were among the most common types reported. To combat this issue, governments intensified efforts to inform the public and assist in preventing internet fraud and scams.

Scamio, Bitdefender's next-gen AI chatbot, combined artificial intelligence with exceptional threat-detection algorithms, machine learning, pattern recognition, and advanced data analysis techniques to identify even the most sophisticated scams. Accessible on any device without requiring installation, Scamio helped users quickly verify suspicious links, text messages, emails, and QR codes—all for free.

To use this chatbot, users could access the web app or add it as a contact on WhatsApp or Facebook Messenger. Once logged in, users could describe scam details, copy and paste texts or links, or upload pictures or screenshots of deceptive messages. Scamio then analyzed the material and provided recommendations to ensure users didn't fall victim to cybercriminals.

SingCERT Warns Critical Vulnerabilities Found in Multiple WordPress Plugins

WordPress plugin vulnerabilities

The Cyber Security Agency of Singapore has issued a critical alert concerning vulnerabilities in several WordPress plugins, highlighting the urgency for users to take immediate action. These WordPress plugin vulnerabilities, deemed critical, pose significant risks to website security, potentially allowing unauthorized access and exploitation by malicious actors. Security updates have been promptly released to address these critical vulnerabilities in multiple WordPress plugins. SingCERT has reported 9 critical WordPress plugin vulnerabilities and has shared mitigation strategies to avoid exploitation by threat actors.

SingCERT Flagged Multiple WordPress Plugin Vulnerabilities

SingCERT flagged these critical WordPress vulnerabilities, including those allowing arbitrary file uploads and SQL injection. These vulnerabilities are as follows: 

WordPress Copymatic - AI Content Writer & Generator

Exploitation of this vulnerability (CVE-2024-31351) could enable an unauthenticated attacker to upload arbitrary files to a website, potentially compromising its integrity. The severity of this vulnerability is highlighted by its maximum CVSSv3.1 score of 10 out of 10, affecting plugin versions prior to 1.7.

Pie Register - Social Sites Login (Add on)

Identified with CVE-2024-4544, this plugin vulnerability allows for authentication bypass, potentially enabling unauthorized access to user accounts. With a CVSSv3.1 score of 9.8 out of 10, versions of the plugin before 1.7.8 are affected.

Hash Form Drag & Drop Form Builder

The Hash Form Drag & Drop Form Builder vulnerability (CVE-2024-5084) permits unauthenticated attackers to upload arbitrary files, facilitating remote code execution on affected sites. Its severity, rated 9.8 out of 10, affects versions of the plugin before 1.1.1.

Country State City Dropdown CF7 Plugin

The vulnerability (CVE-2024-3495) identified in this plugin allows for SQL injection, potentially compromising sensitive data stored in the website's database. The vulnerability is rated at 9.8 out of 10 and versions before 2.7.3 are affected.

WPZOOM Addons for Elementor (Templates, Widgets)

This vulnerability (CVE-2024-5147) enables unauthenticated attackers to upload and execute arbitrary files on the server, posing a severe threat to website security. Versions of the plugin before 1.1.38 are vulnerable, with a CVSSv3.1 score of 9.8 out of 10.

Business Directory Plugin - Easy Listing Directories

Vulnerable to SQL injection (CVE-2024-4443), this plugin allows unauthenticated attackers to extract sensitive information from the website's database. With a CVSSv3.1 score of 9.8 out of 10, versions before 6.4.3 are at risk.

UserPro Plugin

This vulnerability (CVE-2024-35700) enables attackers to escalate privileges, potentially gaining full control of the affected website. Versions of the plugin before 5.1.9 are affected, with a CVSSv3.1 score of 9.8 out of 10.

Fluent Forms Contact Form Plugin

Vulnerable versions of this plugin (CVE-2024-2771) permit privilege escalation, posing significant risks to website security. The versions prior to 5.1.17 are affected, with a CVSSv3.1 score of 9.8 out of 10. It's worth noting that this vulnerability is actively exploited.

Web Directory Free Plugin

This plugin vulnerability (CVE-2024-3552) allows unauthenticated attackers to interact directly with the website's database through SQL injection, potentially leading to data theft. Versions before 1.7.0 are affected, with a CVSSv3.1 score of 9.3 out of 10.

Mitigation Strategies for WordPress Vulnerabilities

Users and administrators using the affected versions of these WordPress plugins are strongly advised to update to the latest versions immediately to mitigate these vulnerabilities and safeguard their websites against potential exploitation. For further details and guidance on mitigation for these WordPress plugin vulnerabilities, users can refer to the respective plugin documentation and updates provided by the developers. Additionally, employing security measures such as virtual patching can provide interim protection while awaiting updates.

Ensuring the security of WordPress websites requires proactive measures, including regular updates and monitoring for vulnerabilities. By staying informed and promptly addressing security concerns, website owners can effectively protect their online assets from potential threats.
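The practical first step behind the advice above is an inventory check: which of the nine flagged plugins are installed, and is the installed version below the first fixed release the advisory names? The script below is an added example written for this article; it is not SingCERT's tooling or code from any of the plugin vendors. It takes the plugin table straight from the advisory (plugin, CVE, first fixed version) and compares it against the JSON that WP-CLI prints for `wp plugin list --fields=name,title,version --format=json` (the `title` field and the substring-based name matching are assumptions, so adjust the match keys to your own site's plugin titles). The input embedded here is a constructed sample, not output from a real site.

```python
"""Compare installed WordPress plugin versions against the SingCERT advisory table.

Added example for this article; not SingCERT's or any vendor's code.
Input format assumed: `wp plugin list --fields=name,title,version --format=json`.
"""
import json
import re
from typing import Dict, List, Tuple

# Advisory table as given in the article: (match key for the plugin title, CVE, first fixed version).
# A plugin is affected when its installed version is strictly lower than the fixed version.
# The match keys are an assumption: lower-cased fragments expected in the wp-admin plugin title.
ADVISORY: List[Tuple[str, str, str]] = [
    ("copymatic", "CVE-2024-31351", "1.7"),
    ("pie register", "CVE-2024-4544", "1.7.8"),
    ("hash form", "CVE-2024-5084", "1.1.1"),
    ("country state city dropdown", "CVE-2024-3495", "2.7.3"),
    ("wpzoom addons for elementor", "CVE-2024-5147", "1.1.38"),
    ("business directory", "CVE-2024-4443", "6.4.3"),
    ("userpro", "CVE-2024-35700", "5.1.9"),
    ("fluent forms", "CVE-2024-2771", "5.1.17"),
    ("web directory free", "CVE-2024-3552", "1.7.0"),
]

# Constructed sample of WP-CLI output (slugs, titles and versions are illustrative only).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "userpro", "title": "UserPro", "version": "5.1.8"},
    {"name": "fluentform", "title": "Fluent Forms", "version": "5.1.17"},
    {"name": "wpzoom-elementor-addons",
     "title": "WPZOOM Addons for Elementor (Templates, Widgets)", "version": "1.1.37"},
    {"name": "example-plugin", "title": "Example Plugin", "version": "3.0.0"},
])


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a version string to its numeric components, e.g. '5.1.17-beta' -> (5, 1, 17)."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version))
    return parts or (0,)


def is_older(installed: str, fixed: str) -> bool:
    """True when `installed` sorts strictly before `fixed` (zero-padded so 1.7 == 1.7.0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def normalize_title(title: str) -> str:
    """Lower-case and strip punctuation so 'WPZOOM Addons for Elementor (Templates, Widgets)'
    becomes 'wpzoom addons for elementor templates widgets'."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", title.lower()).split())


def check_plugins(wp_plugin_list_json: str) -> List[Dict[str, str]]:
    """Return one finding per installed plugin that is below the advisory's fixed version.
    Inactive plugins are not skipped: their code is still on disk and still needs the update."""
    findings: List[Dict[str, str]] = []
    for plugin in json.loads(wp_plugin_list_json):
        title = normalize_title(plugin.get("title") or plugin.get("name", ""))
        for key, cve, fixed in ADVISORY:
            if key in title and is_older(plugin["version"], fixed):
                findings.append({
                    "plugin": plugin.get("name", "?"),
                    "installed": plugin["version"],
                    "fixed_in": fixed,
                    "cve": cve,
                })
    return findings


if __name__ == "__main__":
    for f in check_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['plugin']}: {f['installed']} < {f['fixed_in']} ({f['cve']}) - update required")
```

On a real site, pipe the WP-CLI output into `check_plugins` instead of the sample; anything it reports is a plugin to update (or virtually patch, as the article suggests) before the site is exposed any longer. Because the match is by title fragment rather than by slug, confirm any hit against the plugin's own changelog before acting on it.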

Ransomhub’s Latest Attack Raises Alarms for Industrial Control Systems (ICS) Security

Ransomhub group

A ransomware attack by the Ransomhub group on the Industrial Control Systems of a Spanish bioenergy plant has once again brought to the fore the perils of cyberattacks on Industrial Control Systems (ICS). The latest threat intelligence report from the Cyble Research & Intelligence Labs (CRIL) said that the attack targeted the Supervisory Control and Data Acquisition (SCADA) system, a pivotal component for managing operations at the Spanish facility. Ransomhub's modus operandi involves encrypting data and leveraging access to SCADA systems to disrupt essential functions, as evidenced in their recent breach. Their claim of accessing and encrypting over 400 GB of data, coupled with persistent control over SCADA systems, highlights the severity of the threat posed by this ransomware group.

Ransomhub Group Targets Industrial Control Systems (ICS) 

(Image: Ransomhub posts on their DLS. Source: Cyble)

The origins of Ransomhub trace back to February 2024 when it emerged as a Ransomware-as-a-Service (RaaS) on cybercrime forums. Employing sophisticated encryption techniques and targeting organizations predominantly in the IT & ITES sector, particularly in the United States, Ransomhub quickly garnered notoriety within the underground cyber community.

(Image: Alleged SCADA control of Gijón Bio-Energy Plant Digestor Tank. Source: Cyble)

The group's aggressive recruitment of affiliates, coupled with attempts to exploit vulnerabilities in SCADA systems, signifies a strategic shift towards targeting Operational Technology (OT) environments. This shift aligns with broader trends in the ransomware landscape, wherein malicious actors seek to exploit weaknesses in interconnected systems for maximum impact. CRIL's investigation into Ransomhub's activities reveals a concerning association with Initial Access Brokers (IABs) on Russian-language forums, indicating a sophisticated network for procuring compromised access to victims' networks. Such alliances highlight the need for heightened vigilance and proactive defense mechanisms to thwart potential breaches.

Precautions Against Industrial Control Systems (ICS) Ransomware Attack

Recent ransomware attacks, like the one orchestrated by Ransomhub on Industrial Control Systems (ICS), highlight the pressing need for organizations to fortify their cybersecurity defenses. Key recommendations include implementing robust network segmentation to reduce exposure to external threats and ensuring regular software updates through patch management protocols. Secure remote access, facilitated by methods like Virtual Private Networks (VPNs), coupled with diligent monitoring of network logs, aids in early detection and response to potential breaches. Furthermore, meticulous asset management practices, such as maintaining detailed inventories of OT/IT assets and deploying continuous monitoring solutions, enhance overall security posture. Developing and testing incident response plans are vital to minimize downtime and data loss in the event of a ransomware attack.

The incident involving Ransomhub serves as a stark reminder of the escalating risks faced by ICS environments. Heightened awareness and proactive security measures are crucial to mitigate these threats and protect critical infrastructure from online cyber threats.

FIRST Heritage Co-operative Credit Union Issues Alert Following Cyberattack

FHC cyberattack

FIRST Heritage Co-operative Credit Union is updating its customers regarding any irregular financial activities in the coming weeks following a recent FHC cyberattack that disrupted its database. The credit union disclosed in a member advisory issued on Wednesday that it had been grappling with resolving a system disruption since April 3, 2024. This cyberattack on the credit union had hampered FHC's access to certain information, causing delays in processing members' financial requests.

Understanding the FHC Cyberattack

According to FHC, personal data such as member contact details and other documents submitted to facilitate transactions may have been affected by the attack. Despite this, investigations suggest that the credit union's IT security measures effectively mitigated the risk of unauthorized access to its core systems. Fortunately, assessments have shown no compromise to the integrity of members' financial accounts or those of affiliated organizations. FHC acted swiftly upon detecting the breach, collaborating with technology partners to investigate and contain the threat. Subsequent steps included activating data backup and recovery protocols alongside implementing additional security measures. “However, our investigations so far indicate that our IT security mechanisms were helpful in significantly minimising the risk of access to data on our core systems,” reads the statement by FHC, as reported by Jamaica Observer.

Mitigation Against Fraudulent Activities

As part of its ongoing efforts to upgrade security practices, FHC has initiated a password reset prompt for users of its iTransact banking platform. Additionally, automated tools are being employed to detect and prevent any suspicious activities across accounts and IT infrastructure. The credit union is actively cooperating with cybersecurity and law enforcement authorities in response to the incident. Members are advised to remain vigilant for any suspicious financial activities and are encouraged to regularly update their iTransact banking passwords. FHC highlighted the importance of using unique passwords for online services and urged caution against phishing emails or unsolicited communications that may follow a data breach.

The cyberattack on FHC coincided with a report by global cybersecurity firm Fortinet, which highlighted Jamaica's exposure to 43 million attempted cyberattacks in 2023. The Latin American and Caribbean region collectively faced 200 billion attempted attacks, with Mexico, Brazil, and Colombia topping the list.

The Cyber Express has reached out to FIRST Heritage Co-operative Credit Union to learn more about this FHC cyberattack. However, at the time of writing this, no official statement or response has been shared, leaving additional information about the incident pending verification.

Optus Faces Legal Action Over 2022 Data Breach: ACMA Alleges Failure to Protect Customer Data

Optus data breach

Australian telco Optus faces a legal battle with the country's communications and media watchdog over the 2022 data breach. The Optus data breach resulted in the theft of personal information of over 10 million - about 40% of the population - current and former customers. The Australian Communications and Media Authority (ACMA) has taken action against the country's second-largest telecommunications company, alleging negligence in safeguarding customer data as mandated by the Telecommunications (Interception and Access) Act 1979 (Cth).

Parent Company Singtel Faces Legal Action Following the Optus Data Breach

The Cyber Express has reached out to Optus to learn more about this legal action by the Australian Communications and Media Authority (ACMA). In response, an Optus spokesperson stated that they are aware of the proceedings in the Federal Court of Australia in relation to the cyberattack in September 2022. "At this stage, Optus Mobile is not able to determine the quantum of penalties, if any, that could arise. Optus has previously apologised to its customers and has taken significant steps, including working with the police and other authorities, to protect them. It also reimbursed customers for the cost of replacing identity documents. Optus intends to defend these proceedings. As the matter is now before the courts, Optus is unable to make any further comment", said the Optus spokesperson.

In the Optus cyberattack, which occurred between September 17 and 20, 2022, hackers infiltrated Optus's security measures, gaining unauthorized access to sensitive customer information. ACMA's move to file Federal Court proceedings signifies a significant step in holding Optus accountable for the breach, highlighting the regulatory emphasis on data protection and privacy. “The ACMA has filed proceedings in the Federal Court against Optus Mobile Pty Ltd (Optus). We allege that during a data breach that occurred between 17 to 20 September 2022, Optus failed to protect the confidentiality of its customers’ personal information from unauthorized interference or unauthorized access as required under the Telecommunications (Interception and Access) Act 1979 (Cth)”, ACMA's statement read.

Optus, owned by Singaporean company Singtel, has expressed its intention to defend itself against the allegations while acknowledging the severity of the incident. “At this stage, Optus Mobile is not able to determine the quantum of penalties, if any, that could arise,” a spokesperson told local media.
The company has previously issued apologies to affected customers and taken proactive measures, including collaboration with law enforcement agencies, to mitigate further risks. Moreover, Optus has reimbursed customers for expenses incurred in replacing compromised identity documents, reflecting its commitment to addressing the aftermath of the breach.

Optus on the Road to Recovery but Legal Headache Ensues

Following the cyberattack, Optus disclosed that approximately 2.1 million Australians had their identification numbers compromised, including details from driver's licenses and passports. Additionally, around 10,000 customers had their information exposed on the dark web, exacerbating concerns regarding the extent of the breach's impact on individuals' privacy and security.

Financially, the repercussions of the cyberattack have been substantial for Optus and its parent company, Singtel. The latter reported cyberattack-related costs amounting to 142 million Singapore dollars ($159 million) for the fiscal year ending March 31, 2023. These costs encompass various expenses, including regulatory investigations and potential litigation.

Even on the back of the challenges faced after the cyberattack, the telecommunications company reported stable earnings and mobile growth in FY24. Optus added 116,000 subscribers to its mobile customer base, including growth of 108,000 prepaid customers. Interim CEO and CFO Michael Venter said the results demonstrated a solid performance in a difficult environment, as Optus remained focussed on enhancing customer experience. “Optus is working hard to rebuild the trust of customers after a challenging 18 months and these results demonstrate we are on the right track,” Venter said. “We’re listening to our customers and in the year ahead we’ll be continuing to prioritise what we know is important to them – a resilient network that delivers seamless connectivity, great value products and services, and simple, efficient customer service.”

This strong performance, however, does not lessen the legal woes for Optus. Legal proceedings have further intensified with the commencement of class action proceedings by law firm Slater and Gordon on behalf of affected individuals.
The lawsuit alleges Optus's violation of privacy, telecommunication, and consumer laws, signaling a broader legal battle over accountability and corporate responsibility in safeguarding customer data. In response to escalating cyber threats, the Australian government has ramped up investments in cybersecurity initiatives, imposing stricter penalties for companies failing to address privacy breaches adequately. The Office of the Australian Information Commissioner (OAIC) has been empowered with enhanced authority to expedite breach resolutions and notify affected individuals promptly, signaling a concerted effort to enhance data protection measures nationwide.

Irene Corpuz Urges Startups to Prioritize Cybersecurity at World Cybercon 3.0 META Conference

Startups cybersecurity

The prestigious Habtoor Palace in Dubai is currently hosting the highly anticipated The Cyber Express World Cybercon 3.0 META Cybersecurity Conference. This event has drawn cybersecurity professionals and enthusiasts from around the globe, eager to engage in discussions and gain insights into the evolving landscape of digital security in the META region. The conference commenced with a welcome note from The Cyber Express Editor-in-Chief, Augustin Kurian, setting an enthusiastic tone for the proceedings. A standout moment of the conference so far has been the keynote address by Irene Corpuz, a distinguished cybersecurity expert and co-founder of Women in Cyber Security Middle East. Corpuz delivered a compelling speech highlighting the increasing risks that cyberattacks pose to startup organizations, stressing that even small startups are prime targets for cybercriminals.

The Vulnerability of Startups to Cyber Threats

Irene Corpuz emphasized that startups, despite their smaller size and often limited resources, possess valuable intellectual property that can be highly appealing to cybercriminals. “Even small startups are enticing prey to cybercriminals,” Corpuz remarked, underlining the critical need for startups to embed cybersecurity measures from the very beginning of their journey. Her warning comes at a time when the cybersecurity landscape is witnessing a surge in attacks targeting startups. 

The Imperative of Security by Design (SBD)

Corpuz introduced the concept of Security by Design (SBD) as a crucial strategy for startups to safeguard their operations. SBD involves integrating security measures into every phase of a startup’s lifecycle, from ideation through to scaling and beyond.  “Every startup should integrate security into the startup lifestyle - do SBD,” she urged. This proactive approach ensures that potential security risks are identified and mitigated early, thereby reducing the likelihood of breaches as the company grows.

Key Practices of Security by Design

Early Identification of Risks: From the initial stages of ideation and prototyping, startups should assess potential security vulnerabilities in their products or services. By addressing these issues early, they can prevent them from becoming significant threats later on.

Implementing Robust Security Measures: As startups move towards launching their products or services, it’s critical to incorporate comprehensive security protocols to protect systems and data from external threats. This includes encryption, secure coding practices, and regular security audits.

Continuous Monitoring and Improvement: Once operational, startups must maintain a proactive stance by continuously monitoring their security posture. Regular updates and improvements to security measures are essential to stay ahead of evolving cyber threats.

Rising Awareness and Adoption of Cyber Insurance

The increasing frequency of cyberattacks has made startup founders acutely aware of the risks they face. As a result, there is a growing trend of startups viewing cyber insurance as an indispensable component of their risk management strategy. A recent survey highlighted that many startup leaders are now prioritizing cybersecurity and actively seeking ways to navigate the volatile threat landscape.

Conclusion: A Call to Action for Startups

Irene Corpuz’s keynote at the ongoing World Cybercon 3.0 META Cybersecurity Conference serves as a crucial reminder of the vulnerabilities that startups face in today’s digital landscape. By advocating for Security by Design and highlighting the importance of continuous monitoring and improvement, Corpuz provided a clear roadmap for startups to enhance their cybersecurity posture. The rising awareness among startup founders about the necessity of robust cybersecurity measures and the adoption of cyber insurance are positive trends. However, as cyber threats continue to evolve, it is imperative for startups to remain vigilant and proactive in safeguarding their intellectual property and customer data.

As The Cyber Express World Cybercon 3.0 continues, the insights shared by experts like Irene Corpuz will undoubtedly play a pivotal role in shaping the cybersecurity strategies of startups across the Middle East and beyond. This conference stands as a testament to the critical importance of cybersecurity in an increasingly digital world.

PSNI Facing £750,000 Fine After Data Breach Exposes Officers’ Details

PSNI data breach

The Police Service of Northern Ireland (PSNI) is bracing for a hefty £750,000 fine following last year’s data breach. The PSNI data breach saw approximately 10,000 officers and staff have their personal information inadvertently exposed online. The PSNI data breach occurred last August when details, including surnames, initials, ranks, and roles of all serving police personnel, were mistakenly published in response to a Freedom of Information (FOI) request.

PSNI Data Breach and £750,000 Fine

The gravity of the situation became apparent when it was revealed that this sensitive information remained accessible online for two-and-a-half hours before being removed. Worse, it was confirmed that the data had fallen into the hands of dissident republicans, posing what the Information Commissioner's Office (ICO) described as a "tangible threat to life."

In response to this PSNI data leak, the ICO has announced its intention to levy a £750,000 fine on the PSNI, citing inadequate internal procedures and sign-off protocols for the safe disclosure of information. However, it's worth noting that this fine has been mitigated by the organization's public sector approach, which aims to avoid undue impact on public services. Had this approach not been applied, the PSNI could have been facing a staggering fine of £5.6 million.

John Edwards, the UK Information Commissioner, emphasized the severity of the breach, highlighting the "perfect storm of risk and harm" it created, particularly given the sensitivities in Northern Ireland. Edwards noted that during the investigation, numerous accounts emerged of the distressing consequences faced by those affected, including having to relocate, sever ties with family members, and drastically alter their daily routines due to genuine fears for their safety.

Understanding the Depth of the PSNI Data Leak

The proposed fine remains provisional, allowing the PSNI to make representations before a final decision is made. Edwards stressed that while the potential fine could have been significantly higher, discretion was exercised to ensure that public funds were not diverted from essential services. In addition to the fine, the PSNI has been issued a preliminary enforcement notice mandating improvements in personal information security protocols when responding to FOI requests. Edwards pointed out that simple and practical policies could have prevented this incident and urged all organizations to review and enhance their disclosure procedures to safeguard entrusted personal information.

A previous independent review concluded that the breach was not an isolated incident but rather the culmination of systemic shortcomings in data security measures within the PSNI. This underscores the need for proactive measures to better secure and protect sensitive data. Despite the financial implications, the PSNI remains committed to addressing the fallout from the breach. Deputy Chief Constable Chris Todd affirmed ongoing efforts to identify and prosecute those responsible for the data loss, with several arrests already made in connection to the investigation.

First Nations Health Authority in Crisis: Cyberattack Shakes BC’s Healthcare Sector

First Nations Health Authority cyberattack

The First Nations Health Authority (FNHA) in British Columbia is currently grappling with the aftermath of a recent cyberattack on its corporate network. This First Nations Health Authority cyberattack, discovered on May 13, 2024, has prompted swift investigation and action from the authority. FNHA, renowned as the first and sole provincial health authority of its kind across Canada, detected what it termed as "unusual activity" within its corporate network. Acting promptly, the authority intercepted an unauthorized entity that had breached its network perimeter. Although certain employee information and limited personal data were compromised, FNHA assures that its clinical information systems remained unaffected.

Understanding the First Nations Health Authority Cyberattack

(Image: First Nations Health Authority cyberattack. Source: First Nations Health Authority)

This cyber intrusion marks the latest in a string of cybersecurity incidents across British Columbia. While FNHA asserts no direct link between this attack and previous breaches, the province has been on high alert following similar incidents, including attempted ransomware attacks on B.C. libraries and a cybersecurity breach impacting the operations of a major retailer, London Drugs.

In response to the cyberattack, FNHA has mobilized a comprehensive response strategy. The authority has engaged third-party cybersecurity experts to contain and remediate the breach while conducting a thorough forensic investigation to gauge the extent of the incident. Moreover, FNHA has promptly notified law enforcement and the Office of the Information and Privacy Commissioner of British Columbia. Acknowledging the severity of the situation, Premier David Eby highlighted earlier in the month the presence of "sophisticated cybersecurity incidents" targeting government networks. This sentiment highlights the urgent need for heightened vigilance and robust cybersecurity measures across all sectors, particularly within critical infrastructure like healthcare.

Mitigation Against the FNHA Cyberattack

In light of these developments, Caelan Drayer, a solutions architect at Dyrand Systems, emphasized the vulnerability of health authorities to cyber threats due to the sensitive nature of the data they handle. Drayer noted that cyber attackers often target health authorities due to perceived weaknesses in cybersecurity practices and the valuable personal information they possess. He further advised individuals potentially affected by the FNHA cyberattack to secure their email accounts, employ strong passwords, and enable two-factor authentication to mitigate risks.

As investigations continue and the fallout from the cyberattack on FNHA unfolds, affected individuals have been urged to remain vigilant, monitor their financial accounts, and report any suspicious activity promptly. While the FNHA endeavors to restore normalcy and bolster its cybersecurity posture, the First Nations Health Authority cyberattack is the latest in a string of cyberattacks on the healthcare industry.

CentroMed Data Breach Exposed 400,000 Patient Records

CentroMed data breach

El Centro Del Barrio, operating as CentroMed, an integrated primary care clinic, confirms a recent cyberattack marking its second breach in a year. The earlier breach, disclosed in August 2023, involved unauthorized access by the Karakurt threat group, but data remained unreleased. The current data breach saw hackers infiltrating their systems and gaining access to the personal data of around 400,000 current and former patients. The CentroMed data breach raised concerns about the security of patient information and prompted the healthcare provider to take immediate action.

According to CentroMed's data breach notice, the breach was discovered on May 1, after unusual activity was detected in their information technology (IT) network. Upon this discovery, CentroMed swiftly initiated measures to secure their systems and launched an investigation into the matter. The preliminary investigation revealed that an unauthorized actor infiltrated their IT network on or around April 30, and accessed files containing sensitive information related to current and former patients.

Decoding the CentroMed Data Breach

The compromised data included patient names, addresses, dates of birth, Social Security numbers, financial account details, medical records, health insurance information, diagnosis and treatment data, as well as claims information. The breach posed significant risks to the privacy and security of the individuals whose information was exposed. In response to the CentroMed cyberattack, the healthcare provider took several steps to limit the impact on affected individuals. CentroMed began notifying individuals whose information may have been compromised on May 17, and established a dedicated toll-free call center to address questions or concerns from affected individuals. Expressing deep regret for the incident and the concern it may have caused, CentroMed assured the public that it was taking the matter seriously. To prevent similar incidents in the future, the healthcare provider stated that it had implemented additional safeguards and technical security measures to strengthen the protection and monitoring of its systems.

Mitigation Against the Cyberattack on CentroMed

Individuals whose information may have been affected by the CentroMed data breach were advised to take proactive measures to safeguard their personal information. This included reviewing statements from healthcare providers for unfamiliar services, monitoring financial account statements for suspicious activity, and promptly reporting anything suspicious to their financial institutions. CentroMed also provided guidance on further steps individuals could take to protect their information, such as obtaining free credit reports and placing fraud alerts or security freezes on their credit files, and offered specific instructions for parents or guardians concerned about their child's information in light of the breach.

CyberNiggers Group Announces New Web Domain Following BreachForums Downfall

The CyberNiggers hacker group plans to set up a web domain of its own after losing the ability to communicate publicly following the seizure of BreachForums. On Tuesday the group shared its intention to carry forward the legacy of the leak forum, possibly by creating a similar illicit forum of its own. Initially active on ShinyHunters' BreachForums, CyberNiggers members have been using various platforms for coordination, including a Telegram channel known as 'Jacuzzi'. However, with the recent seizure of BreachForums by the FBI, the group is adapting its strategy and contemplating the launch of a new forum to fill the void left by the closure of BreachForums.

The Aftermath of the BreachForums Seizure 

The seizure of BreachForums by the FBI marks a significant development in the ongoing battle against cybercrime. The platform, used by ransomware criminals to sell stolen corporate data, has now been brought under law enforcement scrutiny. With potential access to sensitive data such as email addresses, IP addresses, and private messages, law enforcement agencies aim to expose and investigate members involved in criminal activities associated with the cybercriminal forum. The FBI's appeal to victims and individuals for information highlights the gravity of the situation, seeking cooperation from the public to aid its investigations. Dedicated channels have been established for reporting, including email, Telegram, TOX, and a page on the FBI's Internet Crime Complaint Center (IC3) portal. Despite debate over whether the forum had become a honeypot, CyberNiggers' activities have moved beyond speculation. Notably, the group gained attention for allegedly offering General Electric data for sale towards the end of 2023, showcasing its capacity to target critical entities, particularly in the US.

CyberNiggers Takes Aim at Numerous Targets Within a Short Span

Although the CyberNiggers group is perceived as relatively small, its impact should not be underestimated. Operating within BreachForums, it has attracted the attention of global surveillance agencies, including the Five Eyes. A prominent figure within the group, the Serbian hacker IntelBroker, has assumed a pivotal role, claiming many data breaches under his name. The leaked data and cyberattacks claimed by the group pose multifaceted risks to targeted organizations and individuals alike. Potential consequences include reputational damage, financial losses, and legal repercussions. Moreover, the exposure of sensitive data, such as military files, highlights the broader national security implications of CyberNiggers' activities.

Veeam Addresses Authentication Bypass in Backup Enterprise Manager

Veeam, a leading provider of data management solutions, has issued a critical warning to its customers regarding a vulnerability discovered in its Backup Enterprise Manager (VBEM) platform. Tracked as CVE-2024-29849, this Veeam vulnerability allows unauthenticated attackers to access any account on the VBEM system. VBEM is a web-based tool for administrators, offering a centralized platform for managing Veeam Backup & Replication installations. It streamlines backup operations and restoration tasks across large backup infrastructures and organizational deployments.

Understanding the Veeam Vulnerability List

According to the official report, VBEM is not enabled by default, so not all environments are exposed to exploits targeting CVE-2024-29849. Nonetheless, Veeam has assigned the vulnerability a CVSS base score of 9.8, reflecting its severity and ease of exploitation. Alongside CVE-2024-29849, several other vulnerabilities have been identified in VBEM, including CVE-2024-29850, CVE-2024-29851, and CVE-2024-29852. These vary in severity, with some allowing account takeover and unauthorized access to sensitive data. To address them, Veeam released a fix in Veeam Backup Enterprise Manager version 12.1.2.172. This version ships with Veeam Backup & Replication 12.1.2 (build 12.1.2.172), providing a single update that mitigates all of the identified vulnerabilities.

Mitigation Against the Veeam Vulnerabilities

Although immediate patching is recommended, customers unable to do so are advised by Veeam to halt the VBEM software and disable the specific services associated with it. This temporary workaround minimizes the risk of exploitation until the system is fully patched. Note that uninstalling Veeam Backup Enterprise Manager removes only the application; the configuration database and stored data remain in place. Reinstallation with the preserved settings is straightforward, but manually deleting the database is recommended if it will not be reused. The steps to uninstall VBEM are as follows:
  • From the Control Panel, navigate to Programs and Features.
  • Find Veeam Backup and Replication, right-click, and select Uninstall.
  • Ensure the checkbox next to Veeam Backup Enterprise Manager is selected, then click Remove.
Veeam also emphasized the importance of regular vulnerability testing, particularly against actively supported versions of Veeam Backup & Replication. By staying vigilant and proactive in addressing security vulnerabilities, organizations can improve their overall cybersecurity posture and guard against potential threats. It is worth noting that additional vulnerabilities have been reported in other Veeam products, such as the Veeam Service Provider Console (VSPC) server and Veeam Recovery Orchestrator. These vulnerabilities, including CVE-2024-29212 and CVE-2024-22022, underline the need for ongoing security assessments and prompt patching.

Kyivstar Cyberattack: Company Allocates $90 Million for Recovery Efforts

Ukraine's leading mobile operator, Kyivstar, is still dealing with the aftermath of last year's cyberattack. In December 2023, the telecom provider suffered what its CEO described as the "biggest cyberattack on telecoms infrastructure in the world", which left several operations down. CEO Oleksandr Komarov described the impact on Kyivstar's growth trajectory: "Before the cyberattack, we were moving with an increase of 11%-12% quarter-on-quarter in 2023. The cyberattack ate up about 3% of annual growth." While he did not specify which aspects of growth were affected, Komarov emphasized the significant setback the company faced.

Kyivstar Cyberattack Update

According to Reuters, the $90 million allocation is earmarked for repairing infrastructure damage, hardening the system against future breaches, and implementing a loyalty program for clients. Kyivstar, a subsidiary of Amsterdam-listed Veon, has 24.3 million mobile subscribers and over 1.1 million home internet subscribers, highlighting its significant presence in the Ukrainian telecommunications market. The cyberattack on Kyivstar was not an isolated incident but part of a broader pattern of cyber aggression. According to Illia Vitiuk, the head of Ukraine's cybersecurity department, Russian hackers had infiltrated Kyivstar's infrastructure months before the December attack. The attack, attributed to the Russian state-controlled hacker group Sandworm, wiped out crucial network functions and disrupted services for an extended period.

The Technical Details of the Kyivstar Cyberattack

Vitiuk's assessment suggests that the attackers may have gained full access to Kyivstar's network as early as November 2023, indicating a prolonged period of undetected compromise. The attack's severity prompted concerns about potential data theft, interception of communications, and the compromise of sensitive information. While Kyivstar maintains that no personal or subscriber data was leaked, the incident highlights the grave cybersecurity risks faced by telecommunications operators. The attack's objectives, according to Vitiuk, extended beyond disruption, aiming to deliver a psychological blow and gather intelligence. He emphasized the attack's significance as a warning to the Western world, highlighting the escalating cyber threats posed by state-sponsored actors. Despite the challenges posed by the cyberattack, Kyivstar remains committed to restoring normalcy and strengthening its cybersecurity posture. The allocation of substantial resources reflects the company's determination to overcome the aftermath of the attack and safeguard its operations against future threats.

Western Sydney University Data Breach: Impact on 7,500 Individuals

Western Sydney University (WSU) is grappling with a cybersecurity challenge as a recent data breach affects approximately 7,500 individuals associated with the institution. Situated in the western suburbs of Sydney, WSU operates multiple campuses, and the Western Sydney University data breach has caused concern throughout its community. The cyberattack on Western Sydney University, initially identified in January 2024, prompted swift action from WSU, which shut down its IT network and implemented security measures. Subsequent investigations revealed that the breach originated as far back as May 17, 2023, with the intrusion into WSU's Microsoft Office 365 platform.

Understanding the Western Sydney University Data Breach

This WSU data breach led to unauthorized access to certain SharePoint files and email accounts. Even more concerning, WSU's Solar Car Laboratory infrastructure was found to have been utilized as part of the breach, indicating a sophisticated intrusion. Despite the breach, WSU has assured its community that there have been no direct threats made regarding the compromised information. In a statement, the university emphasized, "The University has not received any demands in exchange for maintaining privacy." This statement aims to alleviate fears of potential ransom demands or further exploitation of the breached data. In response to the breach, WSU has initiated a collaborative effort with NSW Police and the NSW Information and Privacy Commission to investigate the incident thoroughly. The university's Interim Vice-Chancellor, Professor Clare Pollock, expressed regret over the breach and extended heartfelt apologies to those affected. "On behalf of the University, I unreservedly apologize for this incident and its impact on our community," Professor Pollock stated, acknowledging the disruption and concern caused by the breach.

Supporting Students and Teachers Against Data Breach

To support individuals affected by the breach, WSU has established dedicated communication channels, including a phone line and a website, to address inquiries and provide assistance. This proactive approach demonstrates WSU's commitment to transparency and accountability in addressing the aftermath of the breach. Beyond the immediate impact on WSU's community, the breach underscores broader concerns about cybersecurity and the protection of sensitive data. In response to the severity of the breach, the NSW Supreme Court has granted an injunction to prevent the unauthorized use of the compromised data, signaling the legal ramifications of such breaches. In conclusion, the Western Sydney University data breach serves as a stark reminder of the ever-present cybersecurity risks faced by institutions and individuals alike. Through collaborative efforts and a commitment to transparency, WSU aims to address the breach's impact and strengthen its cybersecurity posture to prevent future incidents.

Comwave Networks Faces Alleged Cyberattack from Medusa Ransomware Group

The Medusa ransomware group has claimed a cyberattack on Comwave, a Canadian communications giant. The ransomware actors listed Comwave as their latest victim after a likely attack on May 18, which targeted critical information held in the company's customer database. Comwave Networks Inc. claims to be the largest independent communications company in Canada and is known for providing internet, network security solutions, and customer support services. Based in the Toronto district of North York and run by president and CEO Yuval Barzakay, Comwave was established in 1999 and serves customers across Canada. The company also provides some wholesale services in the United States. In 2023, Comwave was acquired by Rogers Communications.

Medusa ransomware actors claimed to have infiltrated Comwave's systems and exfiltrated nearly 274.8 gigabytes of sensitive data.

Comwave Cyberattack Allegedly Targets Sensitive Data

[Image: Comwave Cyberattack. Source: Dark Web]

Among the information claimed to have been exfiltrated are scanned copies of various personal documents, likely belonging to Comwave's customers, such as driving licenses, birth certificates, identity cards, passports, invoices, screenshots of email correspondence, and an internal Excel database. The Medusa ransomware group has issued a deadline, giving Comwave nine days to comply with its demands, failing which it has threatened to publicly release the compromised data. The severity of the situation cannot be overstated, with implications reaching far beyond Comwave Networks Inc. itself. As a leading player in Canada's telecommunications sector, the cyberattack on Comwave potentially impacts hundreds of thousands of users in 1,100 Canadian and 1,600 U.S. cities that use its services. The Cyber Express has tried reaching out to the organization to learn more about the Comwave Networks cyberattack. However, due to communication issues, contact was not possible, leaving the claims unverified.

Who is the Medusa Ransomware Group?

Comwave's website appears unaffected, suggesting that the attack may have targeted backend systems rather than public-facing services. This modus operandi aligns with Medusa's established tactics, which often involve exploiting vulnerable Remote Desktop Protocol (RDP) services and deploying deceptive phishing campaigns. By using PowerShell for command execution and systematically erasing shadow copy backups, Medusa disrupts data restoration efforts, leaving victims in a precarious position. The Medusa ransomware, which first emerged in June 2021, has grown increasingly audacious over time. Its latest iteration, marked by the creation of the "Medusa Blog," serves as a repository for data leaked from non-compliant victims, and the group's TOR site is a grim reminder of the far-reaching consequences of cybercrime. As organizations grapple with the fallout from cyberattacks like the one targeting Comwave Networks Inc., it is imperative to remain vigilant and implement stringent security measures. Detecting and mitigating the threat posed by Medusa and similar ransomware strains requires a concerted effort, one that extends beyond individual companies to encompass collaborative industry-wide initiatives.

Kansas City Cyberattack Disrupts KC Scout Cameras, Impacts Crash Investigations and Services

Kansas City faced significant disruptions following a cyberattack, particularly affecting its crucial KC Scout camera system, which monitors Metro highways. The Kansas City cyberattack, occurring over the weekend of May 4, 2024, resulted in widespread system shutdowns, leaving various services offline for an extended period. As a consequence of the attack, the KC Scout camera system, maintained by the Missouri State Highway Patrol, suffered extensive downtime, potentially lasting for months. 

Kansas City Cyberattack Shuts Down Major Operations

This outage directly impacted crash investigations, as authorities relied heavily on the video footage captured by these cameras. Without this vital resource, the investigative process for accidents became considerably more challenging, particularly in cases with potential criminal implications. Furthermore, the broader implications of the cyberattack extended to essential city services, such as online bill payments and building permits, which remained unavailable nearly two weeks after the initial incident. Despite efforts to restore these services, the city faced logistical issues in bringing systems back online promptly. Kansas City Mayor Quinton Lucas acknowledged the challenges posed by the cyberattack, emphasizing the city's commitment to conducting a thorough investigation while striving to restore services efficiently. Despite the setbacks, essential services such as emergency response, wastewater treatment, and trash pickup remained operational, ensuring minimal disruption to residents' daily lives. "Last week, the city became aware of suspicious activity on our IT network. In response, we proactively shut down parts of the network to secure our systems. This proactive measure resulted in outages to certain operations but was necessary to help to protect the security and integrity of our systems — and to allow us to further our investigation into the cause and potential impact of the issue", said Lucas.

Cyberattack on Kansas City is Impacting Citizens

The impact of the cyberattack reverberated beyond administrative inconveniences, affecting individuals like Leia Sanders, whose car accident on May 10 highlighted the critical role of KC Scout cameras. Sanders, involved in a collision on Highway 71, discovered that the outage of the surveillance system hindered efforts to determine the accident's cause, leaving her without crucial evidence for insurance purposes, Fox 4 Kansas City reported. “I had no time to do anything, there were cars on both sides of me. I just sat there and was like okay, this has to happen.” “After I figured out what was wrong with my car, I called the police department to ask about any cameras that would be on the interstate. They told me that the KC Scout cameras are down right now and there was no way that we could figure out where the tire had come from or anything like that,” Sanders said. The prolonged downtime of the KC Scout cameras elicited frustration among residents and visitors alike, prompting questions about the delay in restoring critical infrastructure. With the timeline for service restoration extending into months, concerns about public safety and efficient accident response loomed large. As authorities work to address the aftermath of the cyberattack, residents are urged to remain patient and vigilant. Despite the challenges posed by the disruption, efforts to restore normalcy are underway, with a concerted focus on bolstering cybersecurity measures to prevent future incidents of this nature.

Turla APT Group Suspected of Utilizing Tiny BackDoor Exploiting MSBuild for Stealthy Attacks

Cyble Research and Intelligence Labs (CRIL) has discovered a sophisticated cyber campaign employing malicious LNK files, potentially distributed through spam emails. This operation, possibly orchestrated by the notorious Turla Advanced Persistent Threat (APT) group, uses human rights seminar invitations and public advisories as bait to infiltrate users' systems with a malicious payload. The threat actors (TAs) show a high level of sophistication by embedding both a lure PDF and an MSBuild project file within the .LNK file, so that the chain runs without user-visible interruption. Leveraging the Microsoft Build Engine (MSBuild), the TA executes the project file to deploy a stealthy, fileless final payload that acts as a backdoor, giving the attacker remote control over the compromised system.

Turla APT Group Infection Chain

[Image: Turla APT Group. Source: Cyble]

The attack begins with a malicious .LNK file concealed within a ZIP archive, potentially delivered via phishing emails. Upon execution, the .LNK file triggers a PowerShell script, which extracts content embedded in the .LNK file and creates three files in the %temp% location: a lure PDF, an encrypted data blob, and a custom MSBuild project.

[Image: Turla APT Group. Source: Cyble]

The PowerShell script then opens the lure PDF while silently executing the embedded MSBuild project.

[Image: Turla APT Group. Source: Cyble]

This project file, containing encrypted content, uses the Rijndael algorithm to decrypt the data and then executes the final backdoor payload.

[Image: Lure PDF. Source: Cyble]

The decrypted MSBuild project, when executed with MSBuild.exe, runs an inline task directly in memory, so the final payload never touches disk. This task enables the backdoor to monitor processes, execute commands, and communicate with a command-and-control (C&C) server for further instructions.

Threat Actor Attribution to Turla APT Group

CRIL attributes the campaign to the Turla APT group, citing Russian-language comments in the code and behavioral similarities with previous Turla campaigns. The group's focus on NGOs also matches the lure documents, which reference human rights seminars. The use of MSBuild and other legitimate applications highlights the persistence of the threat actor: by abusing built-in functionality, the Turla APT group can evade conventional security controls, so organizations must adopt a multi-layered security approach to mitigate the risk effectively. To harden defenses against sophisticated threats like the Turla APT group, organizations should implement robust email filtering to block malicious attachments and exercise caution when handling attachments from unknown sources. Restricting development tools such as MSBuild to authorized personnel helps prevent misuse, while disabling unnecessary scripting engines like PowerShell where they are not needed reduces the attack surface. Network-level monitoring is crucial for detecting and responding to anomalous activity swiftly. Together these practices strengthen security posture and help protect sensitive data and systems.
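The following Python triage logic is an added example written for this page; it is not code from Cyble, the Turla research, or The Cyber Express. It turns two points of the infection chain and the recommendations above into checks a defender can run: `flag_msbuild_launch()` scores a process-creation event (fields modelled on Sysmon Event ID 1) for MSBuild.exe started by a script host such as PowerShell, pointed at a project file in a Temp directory, or run on a host outside an allowlist of developer machines, which is how "limit MSBuild to authorized personnel" becomes a detection rule; `inline_tasks()` parses a dropped MSBuild project and lists its inline tasks, the `<UsingTask>`/`TaskFactory`/`<Code>` construct that lets MSBuild compile and run code in memory. The element and attribute names are Microsoft's documented MSBuild syntax; the hostnames, user names, file names, sample events and the `DEV_HOSTS` allowlist are all constructed for illustration.

```python
"""Defensive triage for the LNK -> PowerShell -> MSBuild chain described above.

Added example, not Cyble's or The Cyber Express's code. Event fields are modelled
on Sysmon Event ID 1 (process creation); all sample records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
import re
import xml.etree.ElementTree as ET

# Microsoft's documented task factories for inline (compiled-in-memory) tasks.
INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
# Parent processes that indicate MSBuild was launched by a script, not an IDE.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# The described chain drops its project file under %temp%.
TEMP_DIR_RE = re.compile(r"(?i)(\\AppData\\Local\\Temp\\|%temp%|\\Windows\\Temp\\)")
# Constructed allowlist of hosts where MSBuild use is expected.
DEV_HOSTS = frozenset({"dev-ws01"})


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_msbuild_launch(ev: ProcessEvent, dev_hosts: frozenset[str] = DEV_HOSTS) -> list[str]:
    """Return the detection reasons that apply to one event (empty list = not flagged)."""
    if _basename(ev.image) != "msbuild.exe":
        return []
    reasons = []
    if _basename(ev.parent_image) in SCRIPT_HOSTS:
        reasons.append("msbuild_spawned_by_script_host")
    if TEMP_DIR_RE.search(ev.command_line):
        reasons.append("project_file_in_temp_dir")
    if dev_hosts and ev.host.lower() not in dev_hosts:
        reasons.append("msbuild_on_non_developer_host")
    return reasons


def triage(events: list[ProcessEvent], dev_hosts: frozenset[str] = DEV_HOSTS) -> dict[str, list[str]]:
    """Map the command line of every flagged event to its reasons."""
    return {ev.command_line: r for ev in events if (r := flag_msbuild_launch(ev, dev_hosts))}


def inline_tasks(project_xml: str) -> list[dict]:
    """Summarise <UsingTask> elements that embed source code via a code task factory."""
    root = ET.fromstring(project_xml)
    found = []
    for ut in root.iter():
        if ut.tag.split("}")[-1] != "UsingTask":  # strip the MSBuild XML namespace
            continue
        factory = ut.get("TaskFactory", "")
        if factory not in INLINE_FACTORIES:
            continue
        code = next((c for c in ut.iter() if c.tag.split("}")[-1] == "Code"), None)
        found.append({
            "task": ut.get("TaskName", ""),
            "factory": factory,
            "language": code.get("Language", "") if code is not None else "",
            "code_chars": len((code.text or "").strip()) if code is not None else 0,
        })
    return found


# Constructed telemetry: an expected IDE build, a launch matching the chain above, and the lure PDF opening.
SAMPLE_EVENTS = [
    ProcessEvent("dev-ws01", "CORP\\alice",
                 r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
                 r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
                 r'MSBuild.exe "C:\src\app\app.csproj" -t:Build'),
    ProcessEvent("hr-laptop07", "CORP\\j.doe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"MSBuild.exe C:\Users\j.doe\AppData\Local\Temp\seminar_invite.proj"),
    ProcessEvent("hr-laptop07", "CORP\\j.doe", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
                 r'"AcroRd32.exe" C:\Users\j.doe\AppData\Local\Temp\seminar_invite.pdf'),
]

# Constructed project skeleton in Microsoft's inline-task syntax; the code body is a harmless stub.
SAMPLE_PROJECT = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <RunInline />
  </Target>
  <UsingTask TaskName="RunInline" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs">
        // stub body: this is the block MSBuild compiles and runs in memory
        public class RunInline : Microsoft.Build.Utilities.Task { public override bool Execute() { return true; } }
      </Code>
    </Task>
  </UsingTask>
</Project>"""

if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_EVENTS).items():
        print("FLAGGED:", cmd, reasons)
    for task in inline_tasks(SAMPLE_PROJECT):
        print("INLINE TASK:", task)
```

In production the events would come from Sysmon or EDR process-creation telemetry rather than the constructed list, and the allowlist would be the organisation's real set of build hosts; a project file that trips `inline_tasks()` on a non-developer machine is worth pulling for analysis, since legitimate inline tasks are rare outside build servers.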

UK’s AI Safety Institute Establishes San Francisco Office for Global Expansion

In a move to enhance international cooperation on the regulation of Artificial Intelligence (AI), Britain's AI Safety Institute is set to establish a new office in the United States. The decision aims to reinforce collaboration in managing the rapid advancement of AI technology, signaling a proactive step toward addressing global concerns. Scheduled to open this summer in San Francisco, the new office will assemble a team of technical experts, complementing the institute's existing operations in London. By strengthening ties with its American counterparts, the institute seeks to facilitate knowledge exchange and harmonize regulatory efforts across borders.

Britain's AI Safety Institute Opens in San Francisco, USA

The urgency of regulating AI technology has been highlighted by experts who liken its potential threats to existential challenges such as nuclear weapons and climate change. Geoffrey Hinton, a prominent figure in AI development, emphasized the pressing need for action, suggesting that AI may present a more immediate danger than climate change. Hinton's remarks highlight the complexity of managing AI risks, in contrast to the comparatively clear mitigation strategies for climate change, and underline the importance of coordinated international efforts in shaping AI policies and safeguards.

With the AI Safety Institute's presence in the US, the move aims to bolster international collaboration and solidify the Institute's role in AI safety. "The office is expected to open this summer, recruiting the first team of technical staff headed up by a Research Director. It will be a complementary branch of the Institute's London HQ, which continues to grow from strength to strength and already boasts a team of over 30 technical staff", the AI Safety Institute said in a press release.

Simultaneously, the Institute released its first AI safety testing results and announced a partnership with Canada, emphasizing its commitment to global AI safety. These initiatives mark significant progress since the inaugural AI Safety Summit and highlight collaboration among multiple organizations on the rigorous evaluation of artificial intelligence.

Global Leaders Respond to the Threat of Artificial Intelligence (AI)

The announcement of the institute's expansion coincides with the upcoming global AI safety summit, jointly hosted by the British and South Korean governments. This collaborative platform aims to address emerging challenges and chart a course for responsible AI governance on a global scale. The initiative comes in the wake of growing concerns raised by technology leaders and experts regarding the unbridled development of powerful AI systems. Calls for a temporary halt in the advancement of AI technology have been echoed by various stakeholders, emphasizing the need for prudent and transparent regulatory frameworks. The inaugural AI safety summit held at Britain's Bletchley Park served as a catalyst for constructive dialogue among world leaders, industry executives, and academics. Notable participants, including U.S. Vice President Kamala Harris and representatives from leading AI research institutions, engaged in discussions aimed at shaping ethical guidelines and policy frameworks for AI development and deployment. The collaborative spirit exhibited at the summit, exemplified by China's endorsement of the "Bletchley Declaration," highlights the importance of collective action in addressing AI-related challenges. By fostering inclusive dialogue and cooperation, stakeholders can navigate the complexities of AI governance while maximizing its societal benefits.

Unverified Claims of Cyberattack on Hamburg Airport Surface Amid Cybersecurity Concerns

The Just Evil/Killmilk hacker group has claimed the Hamburg Airport cyberattack, asserting access to certain parts of the airport's premises. The claim, posted in cryptic messages on social media platforms, suggests a breach of security protocols with detailed descriptions of airport locations and systems. The post, which includes snippets of code and references to specific areas within the airport, has raised concerns about the vulnerability of critical infrastructure to cyber threats. However, as of now, there has been no official confirmation or response from Hamburg Airport authorities regarding the alleged cyberattack.

Unverified Hamburg Airport Cyberattack Claims

[Image: Hamburg Airport Cyberattack. Source: X]

The Cyber Express reached out to the airport authorities for clarification on the alleged cyberattack on Hamburg Airport. However, at the time of writing, no official statement or response has been received, which leaves the claims unverified at present. While the airport's website appears to be functioning normally, with no visible signs of disruption, a targeted cyberattack on backend systems cannot be ruled out. If an attack did occur, it may have been limited in scope or duration, as has been the case with similar claims in the past. Adding to the intrigue surrounding these claims is the background of the individual behind Just Evil/Killmilk. Identified as Nikolai Serafimov, a 30-year-old Russian citizen, he is purportedly the leader of the infamous hacktivist group Killnet. Serafimov's past involvement in criminal activities, including narcotics-related offenses and a stint in a Russian prison, adds a further layer of complexity to the situation.

Who is the Killnet Hacker Group?

On August 1, 2022, "Killmilk" and its founder launched a cyberattack on Lockheed Martin, citing retaliation for the U.S. supplying HIMARS systems to Ukraine. Accusing Lockheed Martin of sponsoring terrorism, the group targeted production systems and employee information. This marked a shift from their previous tactics of Distributed Denial-of-Service (DDoS) attacks. Led by Serafimov, Killmilk had been involved in various cyber activities, including operating "Black Listing," a DDoS-for-pay platform. Serafimov later introduced "Black Skills," a self-styled private military hacking company, a sign of the growing threat of cyber warfare by non-state actors. The emergence of new tactics and entities like "Black Skills" highlights the group's persistent intent to create cyber conflict. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this story once we have more information on the alleged Hamburg Airport cyberattack or any official confirmation from the authorities.

Beware of the Antidot Android Banking Trojan Disguised as Google Play Updates

The Antidot Android banking trojan is a new threat circulating on the surface web, disguising itself as a Google Play update and targeting Android users worldwide. The Android banking trojan is a stealthy piece of malware designed to infiltrate devices, harvest sensitive information, and wreak havoc across regions speaking different languages. Revealed by cybersecurity experts at Cyble Research and Intelligence Labs (CRIL), the Antidot banking trojan represents a sophisticated evolution in mobile malware. Unlike its predecessors, Antidot combines a range of malicious techniques, including overlay attacks, keylogging, and VNC-style remote control, to compromise devices and extract valuable data.

Decoding the Antidot Android Banking Trojan Campaign

[Image: Antidot Android banking trojan. Source: Cyble]

At its core, Antidot masquerades as a legitimate Google Play update application, luring unsuspecting users into its trap. Upon installation, it presents counterfeit Google Play update pages crafted in various languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English. This indicates a broad spectrum of targets, spanning multiple regions and demographics.

[Image: Antidot Android banking trojan. Source: Cyble]

Behind its deceptive façade, Antidot operates with alarming sophistication. Using overlay attacks as its primary modus operandi, the trojan overlays phishing pages onto legitimate applications, capturing sensitive credentials without the user's knowledge. Additionally, Antidot integrates keylogging functionality, surreptitiously recording keystrokes to further enhance its data harvesting capabilities.

Sophisticated Command and Control (C&C) Server

[Image: Antidot Android banking trojan. Source: Cyble]

Antidot maintains a stealthy line of communication with its Command and Control (C&C) server, allowing real-time interaction for executing commands and transmitting stolen data. Through WebSocket communication, the malware establishes a bidirectional connection, enabling seamless coordination between infected devices and the operators behind the scenes.

[Image: Antidot Android banking trojan. Source: Cyble]

One of Antidot's most insidious features is its implementation of VNC (Virtual Network Computing), enabling remote control of infected devices. By leveraging Android's MediaProjection feature, the trojan captures and transmits display content to the C&C server, allowing attackers to remotely execute commands and manipulate device functions.

[Image: Antidot Android banking trojan. Source: Cyble]

To combat the growing threat posed by Antidot and similar Android banking trojans, cybersecurity experts from Cyble recommend adhering to essential best practices. These include downloading software only from official app stores like Google Play or the iOS App Store, and using reputable antivirus and internet security software on all connected devices. Other precautionary measures include enforcing strong passwords and enabling multi-factor authentication whenever possible. Exercise caution when clicking on links received via SMS or email, and keep devices, operating systems, and applications up to date to mitigate potential vulnerabilities.

Patch Now! CISA Adds Critical Flaws to Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its known exploited vulnerabilities catalog to include three new entries, including flaws within D-Link routers and Google Chromium.  According to a post shared by CISA, among the listed vulnerabilities, one affects D-Link routers, a common target for cyberattacks. The CVE-2014-100005 is related to the D-Link DIR-600 router series, specifically revolving around Cross-Site Request Forgery (CSRF) concerns. 

CISA Adds Three Known Exploited Vulnerabilities

Exploiting the D-Link router vulnerability, malicious actors can hijack administrative privileges, allowing them to execute unauthorized actions remotely.  Another D-Link router vulnerability listed is CVE-2021-40655, affecting the DIR-605 model. This flaw enables attackers to obtain sensitive information like usernames and passwords through forged requests, posing a significant risk to affected users. Additionally, CISA's catalog includes the CVE-2024-4761, concerning Google Chromium's V8 engine. This Chromium vulnerability, marked with a severity rating of 'High,' involves an out-of-bounds memory write issue. Exploiting this flaw, remote attackers can execute malicious code via crafted HTML pages, potentially compromising user data and system integrity.

Importance of Catalog Vulnerabilities

These vulnerabilities, once exploited, can lead to severe consequences, making them prime targets for cybercriminals. Notably, these entries are part of CISA's ongoing effort to maintain an updated list of significant threats facing federal networks. The known exploited vulnerabilities catalog aligns with Binding Operational Directive (BOD) 22-01, aimed at mitigating risks within the federal enterprise. While BOD 22-01 specifically targets Federal Civilian Executive Branch (FCEB) agencies, CISA emphasizes the importance of all organizations prioritizing vulnerability remediation. By promptly addressing cataloged vulnerabilities, organizations can bolster their cybersecurity posture and reduce the risk of successful cyberattacks.

The Exploited Vulnerability Dilemma 

According to Bitsight's analysis, global companies struggle to address critical vulnerabilities promptly. The report draws on data from 1.4 million organizations, revealing that critical vulnerabilities take an average of 4.5 months to remediate, with over 60% unresolved past CISA's deadlines. Despite their prevalence, known exploited vulnerabilities (KEVs) remain a challenge for organizations. Derek Vadala, Chief Risk Officer at Bitsight, urges prioritization of vulnerability remediation, citing an average resolution time of 4.5 months for critical KEVs. Ransomware-related vulnerabilities, constituting 20% of the KEV catalog, prompt remediation efforts 2.5 times faster than non-ransomware KEVs. While federal agencies fare better in meeting CISA's deadlines, technology companies face the highest exposure to critical KEVs, albeit with a faster remediation turnaround of 93 days. Roland Cloutier, a Bitsight advisor, stresses the need for enhanced vulnerability management, citing organizational challenges in assigning responsibility and ensuring visibility.
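To make the BOD 22-01 deadline discussion concrete, here is an added example (not code from CISA, Bitsight or The Cyber Express) that joins scanner findings with a KEV-style feed and ranks them for remediation, ransomware-linked entries first and then by how far past their due date they are. The feed entries use the field names of CISA's published known_exploited_vulnerabilities.json, but every value below, including the dates, the ransomware flag, the asset names and the CVE-2000-* identifiers, is constructed sample data, not CISA's real catalog entries for the CVEs named in the article.

```python
"""Rank KEV findings for remediation against BOD 22-01 due dates.

Added example, not code from CISA, Bitsight or The Cyber Express.
The feed below copies the field names of CISA's published
known_exploited_vulnerabilities.json; the values (dates, ransomware
flag, CVE-2000-* ids, asset names) are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
import json

# Constructed sample feed (field names as in CISA's JSON feed; values illustrative).
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2014-100005", "vendorProject": "D-Link", "product": "DIR-600 Router",
         "vulnerabilityName": "D-Link DIR-600 Router CSRF Vulnerability",
         "dateAdded": "2024-05-01", "dueDate": "2024-05-20",          # placeholder dates
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2021-40655", "vendorProject": "D-Link", "product": "DIR-605 Router",
         "vulnerabilityName": "D-Link DIR-605 Router Information Disclosure Vulnerability",
         "dateAdded": "2024-05-01", "dueDate": "2024-05-20",          # placeholder dates
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-4761", "vendorProject": "Google", "product": "Chromium V8",
         "vulnerabilityName": "Google Chromium V8 Out-of-Bounds Memory Write Vulnerability",
         "dateAdded": "2024-05-01", "dueDate": "2024-06-10",          # placeholder dates
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2000-00001",   # constructed id standing in for a ransomware-linked KEV
         "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "Constructed ransomware-linked vulnerability",
         "dateAdded": "2024-05-01", "dueDate": "2024-05-25",          # placeholder dates
         "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed scanner output: asset name -> CVE ids detected on it.
SAMPLE_INVENTORY = {
    "branch-router-01": ["CVE-2014-100005"],
    "branch-router-02": ["CVE-2021-40655", "CVE-2000-00001"],
    "kiosk-pc-07": ["CVE-2024-4761", "CVE-2000-99999"],  # second id is not in the catalog
}


@dataclass
class Finding:
    asset: str
    cve_id: str
    product: str
    due: date
    days_overdue: int   # negative while still inside the BOD 22-01 window
    ransomware: bool


def load_kev(feed_text):
    """Index a KEV-style feed by CVE id, keeping only the fields used for triage."""
    feed = json.loads(feed_text)
    return {
        v["cveID"]: {
            "product": f'{v["vendorProject"]} {v["product"]}',
            "due": date.fromisoformat(v["dueDate"]),
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        }
        for v in feed["vulnerabilities"]
    }


def prioritise(kev, inventory, today):
    """Join findings with the catalog and order them for remediation.

    Ransomware-linked KEVs come first, then the most overdue items, then by
    asset name for a stable order. CVEs absent from the catalog are skipped:
    they still need normal patching but are not BOD 22-01 items.
    """
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            findings.append(Finding(asset, cve, entry["product"], entry["due"],
                                    (today - entry["due"]).days, entry["ransomware"]))
    findings.sort(key=lambda f: (not f.ransomware, -f.days_overdue, f.asset))
    return findings


def overdue(findings):
    """Findings already past their due date."""
    return [f for f in findings if f.days_overdue > 0]


if __name__ == "__main__":
    ranked = prioritise(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date(2024, 6, 1))
    for f in ranked:
        state = f"{f.days_overdue}d overdue" if f.days_overdue > 0 else f"{-f.days_overdue}d left"
        print(f"{f.asset:18} {f.cve_id:16} {f.product:26} {state:12} ransomware={f.ransomware}")
```

Run against the real feed, the same two functions work unchanged because only the field names are relied on; the reference date is passed in explicitly so that a report can be reproduced for a past audit date.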

Ascension Faces Multiple Lawsuits Following Ransomware Attack

Following the recent Ascension ransomware attack, legal challenges are mounting for the healthcare giant. Just days after the cyberattack disrupted operations across its extensive network of 140 hospitals, Ascension is facing two proposed class-action lawsuits. The lawsuits, filed in the District Courts of Illinois and Texas, allege negligence on Ascension's part, citing the failure to encrypt patient data as a critical oversight. This, plaintiffs argue, has exposed them to the risk of identity theft for years to come, following the Ascension cyberattack that forced the diversion of ambulances and the suspension of elective care services.

Class-Action Lawsuit Arises from Ascension Ransomware Attack

While Ascension has not confirmed any compromise of patient data, investigations are ongoing. Plaintiffs contend that had proper encryption measures been in place, data stolen by the cybercriminal group Black Basta would have been rendered useless, highlighting the negligence they claim Ascension displayed. "We are conducting a thorough investigation of the incident with the support of leading cybersecurity experts and law enforcement," an Ascension spokesperson stated. "If we determine sensitive data was potentially exfiltrated or accessed, we will notify and support the affected individuals in accordance with all relevant regulatory and legal obligations," Healthcare Dive reported on Thursday. The lawsuits, filed shortly after the Ascension ransomware attack, target the healthcare provider's alleged failure to implement adequate cybersecurity measures, a move plaintiffs argue could have prevented the incident. Both cases, represented by the same legal counsel, highlight the harm suffered by patients due to the exposure of their private information, which they assert was foreseeable and preventable.

Ascension Lawsuit and Mitigation Tactics

Despite ongoing investigations and assurances of cooperation with authorities, Ascension has yet to disclose whether patients' sensitive information was compromised during the cyber incident. "Ascension continues to make progress towards restoration and recovery following the recent ransomware attack. We continue to work with industry leading forensic experts from Mandiant to conduct our investigation into this attack and understand the root cause and how this incident occurred," stated Ascension on its Cybersecurity Event Update page. In parallel, additional cybersecurity experts from Palo Alto Networks Unit 42 and CYPFER have been brought in to supplement the rebuilding and restoration efforts. The focus is on safely and swiftly bringing systems back online. "We are also working on reconnecting with our vendors with the help of our recovery experts. Please be aware that it may still take some time to return to normal operations," added Ascension. The Catholic health system, which spans 140 hospitals and 40 senior living facilities nationwide, employs a workforce of approximately 132,000 individuals. Despite the financial strain imposed by the Ascension ransomware attack, industry analysts note Ascension's robust liquidity and leverage position, offering a significant rating cushion against such one-off events.

Chicago Fire FC Data Breach: Exposed Fan Info? Here’s What’s at Risk!

A recent cyberattack on Chicago Fire FC has come to light, with the football club officially confirming the data breach. The club released a statement addressing the incident, highlighting the importance of privacy and security for all involved parties.  The Chicago Fire FC data breach, discovered on October 25, 2023, involved unauthorized access to the club's systems, potentially compromising personal information. Immediate measures were taken upon detection, including securing systems and launching an investigation with legal and forensic experts.  The unauthorized access occurred between October 22 and October 25, 2023.

Decoding the Chicago Fire FC Data Breach

According to the official press release, personal data that may have been accessed includes names, social security numbers, driver’s license and passport information, medical records (including Covid test results and injury reports), health insurance details, financial account information, and dates of birth. While there is no current indication of misuse, the club is taking proactive steps to address the Chicago Fire FC data breach. In response to the cyberattack on the football club, Chicago Fire FC has initiated several actions. These include providing affected individuals access to credit monitoring services through Cyberscout, a TransUnion company specializing in fraud assistance. Instructions for enrollment in these complimentary services have been made available, and affected individuals are encouraged to confirm eligibility by contacting the club. Individuals who believe they may have been affected but have not received notification are urged to reach out to Chicago Fire FC for assistance and to receive a credit monitoring code. Additionally, the club has reported the incident to law enforcement for further investigation.

Mitigation Against the Chicago Fire FC Cyberattack

To safeguard against potential identity theft and fraud, affected individuals are advised to monitor their accounts and credit reports for any suspicious activity. They can obtain free credit reports annually from major credit reporting bureaus and are entitled to place fraud alerts or credit freezes on their accounts. For further information and support regarding identity theft and fraud prevention, individuals can contact the credit reporting bureaus, the Federal Trade Commission (FTC), or their state Attorney General. The FTC encourages victims of identity theft to file a complaint with them and provides resources for reporting instances of misuse. Chicago Fire FC emphasizes its commitment to data security and the protection of individuals' information. The club remains dedicated to maintaining trust and providing support to those affected by the cyberattack.

Chicago Fire FC Offers Credit Monitoring Services 

[Image: Chicago Fire FC data breach notice. Source: Chicago Fire FC]

To enroll in the credit monitoring services provided by Chicago Fire FC at no charge, individuals are instructed to visit https://bfs.cyberscout.com/activate and follow the provided instructions. It is essential to enroll within 90 days from the date of the notification letter to receive the monitoring services. However, minors under 18 years of age may not be eligible for this service. During the enrollment process, individuals may need to verify personal information to confirm their identity for security purposes.

It is strongly advised to monitor accounts and credit reports regularly to detect any suspicious activity or errors. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus: TransUnion, Experian, and Equifax. These reports can be ordered at www.annualcreditreport.com or by calling 1-877-322-8228. Upon receiving the report, individuals should carefully review it for any discrepancies, unauthorized accounts, or inquiries.

Individuals also have the right to place a fraud alert on their credit file at no cost. This alert lasts for one year and requires businesses to verify the individual's identity before extending new credit. Victims of identity theft can request an extended fraud alert lasting seven years. Alternatively, individuals can opt for a "credit freeze," which restricts access to their credit report without their explicit authorization. While this prevents unauthorized access, it may also delay or interfere with legitimate credit applications. To request a fraud alert or credit freeze, individuals need to provide specific information to the three major credit reporting bureaus, including their full name, social security number, date of birth, address history, and proof of identity. Additionally, victims of identity theft should file a police report and notify law enforcement, their state Attorney General, and the Federal Trade Commission (FTC).

Beyond Borders: CISA Addresses the Global Influence on US Election Cybersecurity

During a recent Senate committee hearing, Director of National Intelligence Avril Haines emphasized that state-backed hackers remain a prominent threat, citing their aim to undermine trust in U.S. democratic institutions and exacerbate societal divisions. The hearing follows months of rising concern about a potential cyberattack on the US election, with foreign interference peaking as many state actors look to launch cyberattacks on the upcoming 2024 US elections. The 2024 United States elections are slated to take place on Tuesday, November 5, 2024. In this crucial presidential election cycle, the nation will elect its president and vice president. Leveraging the attention on these events, several state-backed hackers are running multiple threat campaigns to target the integrity of the US election and advance their own agendas. Democratic Senator Mark Warner, chairman of the Senate Intelligence Committee, expanded on the scope of foreign influence efforts, including not only state actors but also non-state entities like hacktivists and cybercriminals. Warner stressed the ease with which these actors can now infiltrate and disrupt U.S. politics, emphasizing the increasingly low barriers to entry for such malicious activities.

Potential Cyberattack on the US Election: A Pressing Concern!

https://www.youtube.com/watch?v=WphVoguvVd8

At the forefront of defending against this potential cyberattack on the US election is the Cybersecurity and Infrastructure Security Agency (CISA). In a recent update on foreign threats to the 2024 elections, CISA Director Jen Easterly outlined the agency's efforts to safeguard election infrastructure since its designation as critical infrastructure in 2017. "While our election infrastructure is more secure than ever, today’s threat environment is more complex than ever. And we are very clear eyed about this. As the DNI noted, our foreign adversaries remain a persistent threat to our elections, intent on undermining Americans’ confidence in the foundation of our democracy and sowing partisan discord, efforts which could be exacerbated by generative AI capabilities," said Jen Easterly. Despite these persistent threats, Easterly highlighted the successful conduct of secure federal elections in 2018, 2020, and 2022, with no evidence of vote tampering. However, Easterly cautioned against complacency, noting the sophistication of ransomware groups and other threat actors and their unconventional modus operandi. Foreign hackers remain intent on undermining confidence in U.S. democracy, a threat compounded by the proliferation of generative AI capabilities. Easterly also highlighted the rise in large-scale attacks on US elections that target political leaders and other election officials, fueled by baseless claims of electoral fraud.

CISA’s Plan To Bolster Cybersecurity in the Upcoming US Election

In response to these threats to the upcoming US elections, CISA has intensified its efforts, expanding its services and outreach to election stakeholders across the nation. From cybersecurity assessments to physical security evaluations and training sessions, CISA has been actively engaged in fortifying the security of the upcoming election and its infrastructure. The agency has also ramped up efforts to combat disinformation, providing updated guidance and amplifying the voices of state and local election officials. Despite the political nature of elections, Easterly emphasized that election security remains apolitical. CISA remains steadfast in its commitment to preserving the integrity of the electoral process and looks to the support of leaders in this endeavor. As the nation prepares for future elections, bolstering cybersecurity measures and defending against foreign influence operations remain central priorities.

Learn more about how CISA is helping to #Protect2024: cisa.gov/protect2024

A New WiFi Vulnerability in IEEE 802.11 Standard Protocol Leads to SSID Confusion Attack

A new WiFi vulnerability reportedly exposes users to an SSID confusion attack. The vulnerability has been identified in the very fabric of the IEEE 802.11 standard. This newly discovered vulnerability targets the foundation of WiFi security protocols and potentially places millions of users at risk worldwide. The SSID confusion attack, tracked as CVE-2023-52424, capitalizes on a critical oversight in WiFi design, allowing malicious actors to deceive WiFi clients across various operating systems into unwittingly connecting to untrusted networks. The ramifications of this vulnerability extend beyond mere inconvenience, opening the door to a host of malicious activities, including traffic interception and manipulation.

New IEEE 802.11 Standard WiFi Vulnerability Links to SSID Confusion Attack

The research by security researcher Mathy Vanhoef, set to be presented at the WiSec ’24 conference in Seoul, sheds light on the inner workings of the SSID confusion attack and its potential impact on enterprise, mesh, and home WiFi networks. At the core of this WiFi vulnerability lies a fundamental flaw in the IEEE 802.11 standard, which fails to enforce authentication of network names (SSIDs) during the connection process. This oversight paves the way for attackers to lure unsuspecting victims onto less secure networks by spoofing legitimate SSIDs, leaving them vulnerable to cyberattacks. The SSID confusion attack targets WiFi clients across diverse platforms and operating systems. From home users to corporate networks, no device using the IEEE 802.11 standard WiFi protocol is immune to these attacks.

IEEE 802.11 Standard Vulnerability Even Targets Virtual Private Networks (VPNs)

The collaboration between Top10VPN and Vanhoef shares insights into the inner workings of the vulnerability and shows that VPNs, touted as protectors of online privacy and security, are not impervious to this threat, with certain clients susceptible to being automatically disabled when connected to "trusted" WiFi networks. Universities, often hotbeds of network activity, emerge as prime targets for exploitation due to prevalent credential reuse practices among staff and students. Institutions in the UK, US, and beyond have been identified as potential breeding grounds for SSID confusion attacks, highlighting the urgent need for proactive security measures, said Top10VPN. To defend against this insidious threat, concerted efforts are required at multiple levels. From protocol enhancements mandating SSID authentication to client-side improvements for better protection, the SSID confusion attack remains an ongoing issue.
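The flaw described in the two sections above (the connection handshake does not authenticate the network name) and the proposed protocol fix (mandating SSID authentication) can be modelled in a few lines. This is an added example, not code from Vanhoef, Top10VPN or the IEEE standard: the pairwise key derivation is a deliberately simplified stand-in for the real 802.11 PRF, and the SSIDs, MAC addresses and shared credential are constructed. It shows that when one credential yields the same PMK on two networks, the MIC-protected handshake completes even though the client and access point disagree on the SSID, and that mixing each side's notion of the SSID into the key derivation turns that disagreement into a failed MIC check. The WPA2-Personal PBKDF2 derivation is included for contrast, because it already salts the passphrase with the SSID.

```python
"""Toy model of binding the SSID into the Wi-Fi session-key derivation.

Added example, not code from Vanhoef, Top10VPN or the 802.11 standard, and
not the real 802.11 PRF. It contrasts an unbound handshake, which completes
even when client and access point disagree on the network name, with one
that mixes the SSID into the key derivation and therefore fails its MIC check.
"""
import hashlib
import hmac
import os

AP_MAC = bytes.fromhex("020000000001")       # constructed locally administered addresses
CLIENT_MAC = bytes.fromhex("020000000002")


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal PSK derivation: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt.

    Shown for contrast: here the SSID already enters the PMK, so one passphrase
    on two network names gives two different PMKs.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, anonce, snonce, ssid=None):
    """Toy pairwise key derivation over the handshake inputs.

    Like the real PRF it mixes a label, both MAC addresses and both nonces and
    nothing about the network name. Passing ssid models the "mandate SSID
    authentication" fix by adding the name each side believes it is using.
    """
    data = (b"pairwise key expansion" + min(AP_MAC, CLIENT_MAC) + max(AP_MAC, CLIENT_MAC)
            + min(anonce, snonce) + max(anonce, snonce))
    if ssid is not None:
        data += b"|ssid=" + ssid.encode()
    return hmac.new(pmk, data, hashlib.sha256).digest()


def mic(ptk, message):
    """Message integrity code over a handshake message, keyed by the first 16 bytes of the PTK."""
    return hmac.new(ptk[:16], message, hashlib.sha256).digest()


def handshake_accepted(pmk, client_expected_ssid, ap_actual_ssid, bind_ssid):
    """Simulate the MIC-protected part of the 4-way handshake.

    Returns True when the client's MIC check on message 3 passes, i.e. when the
    client would finish associating with the access point.
    """
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Each side derives its key from the SSID *it* believes is in use.
    ap_ptk = derive_ptk(pmk, anonce, snonce, ap_actual_ssid if bind_ssid else None)
    client_ptk = derive_ptk(pmk, anonce, snonce, client_expected_ssid if bind_ssid else None)
    msg3 = b"msg3|" + anonce                    # stand-in for the AP's third message
    return hmac.compare_digest(mic(ap_ptk, msg3), mic(client_ptk, msg3))


# Constructed scenario: one credential, hence one PMK, valid on two networks of
# the same organisation, the credential-reuse situation the article describes.
SHARED_PMK = hashlib.sha256(b"constructed shared credential").digest()


def scenario():
    """Outcomes as (unbound/same SSID, unbound/mismatch, bound/same SSID, bound/mismatch)."""
    return (
        handshake_accepted(SHARED_PMK, "Campus-Secure", "Campus-Secure", bind_ssid=False),
        handshake_accepted(SHARED_PMK, "Campus-Secure", "Campus-Guest", bind_ssid=False),
        handshake_accepted(SHARED_PMK, "Campus-Secure", "Campus-Secure", bind_ssid=True),
        handshake_accepted(SHARED_PMK, "Campus-Secure", "Campus-Guest", bind_ssid=True),
    )


if __name__ == "__main__":
    print("unbound/same, unbound/mismatch, bound/same, bound/mismatch:", scenario())
```

The second tuple entry is the point of the article: without binding, nothing in the authenticated exchange depends on which network name the client was shown, so the client has no cryptographic reason to reject the association. The contrast function is there to make the assumption explicit: the model's unbound case applies where the PMK is independent of the SSID (the shared-credential setups the article associates with campus networks), not to a WPA2-Personal passphrase, whose PMK already differs per network name.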

MediSecure Data Breach Confirms Impact on Personal and Health Information of Individuals

A ransomware attack has compromised MediSecure, a leading Australian script provider facilitating electronic prescribing and dispensing of prescriptions. The MediSecure data breach was reported by the national cyber security coordinator; the healthcare provider believes that the breach stems from a third-party vendor. The Australian government, through its National Cyber Security Coordinator (NCSC), has shared updates on the MediSecure data breach, initiating a comprehensive investigation and a "whole-of-government response" to address the incident's ramifications. Lieutenant General Michelle McGuinness, the national cyber security coordinator, confirmed MediSecure as the victim of this cyberattack in a statement on LinkedIn, describing it as a 'large-scale ransomware data breach incident.'

Government Response to MediSecure Data Breach

Authorities, including the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP), are actively engaged in probing the MediSecure data breach. However, details remain scarce as investigators navigate the complexities of the incident. The absence of a known threat actor claiming responsibility further complicates the situation, heightening concerns about the sophistication of cyber threats targeting the healthcare sector. Cyber Security Minister Clare O’Neil said the government was committed to addressing the breach, convening a National Coordination Mechanism to coordinate efforts and mitigate the breach's impact effectively. “I have been briefed on this incident in recent days, and the government convened a National Coordination Mechanism regarding this matter today,” Minister O’Neil said in a LinkedIn post.
“Speculation at this stage risks undermining significant work underway to support the company's response,” O'Neil added.
The Shadow Home Affairs and Cyber Security Minister James Paterson told Sky News in an interview that the latest breach was a reminder of the currently “dangerous” cyber threat landscape, especially for the health sector. Paterson said healthcare is a lucrative sector both for cybercriminals and nation-state actors.
“Criminal actors like to use it for ransomware because the health sector is often vulnerable to those targets, and sometimes they do pay. And nation state backed actors use it as an opportunity to gather intelligence and information about us,” Paterson explained.
Australia has been hit in the past few years by some of its largest data breaches, the Medibank and Optus data breaches, which impacted millions across Australia. The scope of the current breach is reportedly unlike the earlier ones, but it still involves some of the most personally and privately significant information that exists about a person, Paterson said. “This is very distressing for Australians when it is released publicly. And it is important that the federal government get on top of this straight away and do whatever they can to stop the proliferation of this information online,” he added.

MediSecure has taken proactive measures, including taking its website offline, as it works to contain the breach's fallout. In a statement, the company acknowledged the incident: “We have taken immediate steps to mitigate any potential impact on our systems. While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.” The Cyber Express has reached out to MediSecure to learn more about this data breach. However, at the time of writing, no official statement or response has been shared. The organization did share a statement on its website, stating “MediSecure understands the importance of transparency and will provide further updates via our website as soon as more information becomes available. We appreciate your patience and understanding during this time.”

Cyberattacks on the Healthcare Sector

This cyberattack on MediSecure echoes previous breaches in Australia's healthcare sector, including the 2022 data breach involving Medibank, which compromised the personal data of millions of Australians. In 2023, healthcare organizations globally faced an unprecedented wave of cyberattacks, affecting over 116 million individuals in the US alone, more than double the previous year's count. Notable incidents include data breaches at Delta Dental of California, Fred Hutch Cancer Center, Norton Healthcare, and HCA Healthcare, among others. German hospitals also fell victim to ransomware attacks, disrupting medical services. The European Union Agency for Cybersecurity reported that the majority of attacks targeted healthcare providers, with financial motives driving 83% of incidents. India witnessed a surge in cybercrime, with significant financial losses and high-profile attacks during the G20 summit. The recurrence of such incidents highlights the persistent cybersecurity vulnerabilities plaguing the healthcare industry, necessitating comprehensive strategies to fortify defenses against evolving cyber threats.

Nissan Cybersecurity Incident Update: 53,000 Employees Affected

Following the massive Nissan data breach from November last year that exposed the Social Security numbers of thousands of former and current employees, the Japanese automaker has shared new updates on the cybersecurity incident.  In a new letter sent on May 15, 2024, Nissan shared details of the cyberattack, stating the incident has affected Nissan North America. The letter disclosed that a threat actor targeted the company's virtual private network, demanding payment. Nissan has not confirmed whether it acquiesced to the ransom demands.

Nissan Data Breach Update: 53,000 Employees Affected

Upon discovering the Nissan data breach, the Japanese automaker notified law enforcement and engaged cybersecurity experts to contain and neutralize the threat. The company also conducted an internal investigation, informing employees during a town hall meeting held in December 2023, a month after the Nissan cyberattack. To mitigate potential harm, Nissan is offering complimentary identity theft protection services for two years to those impacted by the breach. These proactive measures reflect the company's commitment to safeguarding employee privacy. The official communication emphasized Nissan's dedication to reinforcing its security infrastructure and practices. Following the incident, the company has implemented additional security measures and enlisted cybersecurity specialists to conduct a thorough review, aimed at enhanced protection against future threats. Despite the Nissan breach, the automaker has not detected any instances of fraud or identity theft resulting from the incident. Nonetheless, as a precautionary measure, affected individuals are urged to take advantage of the complimentary credit monitoring services provided by Experian IdentityWorks.

No Identity Fraud Detected

“This is in addition to the employee benefit you may have elected with Nissan. These complimentary credit services are being provided to you for 24 months from the date of enrollment. Finally, Nissan is providing you with proactive fraud assistance to help with any questions you might have or if you become a victim of fraud. These services are provided by Experian, a company specializing in fraud assistance and remediation services,” said Nissan. To activate the identity protection service, recipients are instructed to enroll by a specified deadline and utilize the provided activation code. Additionally, individuals are encouraged to remain vigilant against potential fraud by monitoring their credit reports and promptly reporting any suspicious activity. Recipients are assured of assistance for 90 days from the letter's date in enrolling for the complimentary credit monitoring services. They are encouraged to contact the dedicated helpline at 833-931-6266, with the engagement number B120412 ready for reference. Nissan highlights its commitment to employee welfare and the seriousness with which it regards the protection of personal information, expressing regret for any inconvenience caused by the incident. The letter concludes with signatures from Leon Martinez, Vice President of Human Resources, and William Orange, Vice President of IS/IT and Chief Information Officer.

The Cybersecurity Guardians: Meet the Top 30 Cybersecurity Influencers to Follow in 2024

cybersecurity influencer

The ever-evolving landscape of cybersecurity is shaped by a dedicated group of individuals. These pioneers, through their research, entrepreneurship, and tireless efforts, have left a significant mark on the industry.  From seasoned security leaders steering the helm of major companies, to passionate bloggers, journalists, podcasters, and authors, this diverse group offers a wealth of perspectives on the ever-present fight against cybercrime.  Veterans with decades of experience share the stage with innovative minds constantly pushing boundaries. Whether it's investigative journalists uncovering cybercrime rings, ethical hackers forging new defensive strategies, or company founders shaping the future of online safety, these influencers are united in a common cause.   They leverage social media to not only stay updated on the latest threats but also advocate for increased awareness and education. This list compiles the top 30 most influential cybersecurity influencers who actively share their expertise online. If you're interested in cybersecurity, following and engaging with these influential figures is a surefire way to stay informed and inspired.

Top 30 Cybersecurity Influencers of 2024

30. Alexandre Blanc - President and Owner at Alexandre Blanc Cyber

[Image: Cybersecurity Influencers of 2024. Source: LinkedIn]

Alexandre Blanc is a renowned Cybersecurity Advisor, ISO/IEC 27001 and 27701 Lead Implementer, and a recognised security expert. With a track record of holding successful cybersecurity events, Blanc serves as an Independent Strategic and Security Advisor, providing invaluable counsel to various organisations. His expertise spans incident response management, digital transformations, and dark web investigations. Recognised as a LinkedIn Top Voice in Technology and named among the top security experts with over 75k followers on LinkedIn, Blanc's insights are highly sought after in the cybersecurity community. Through publications, speaking engagements, and advisory roles, he continues to uplift the IT and security industry.

29. Alissa Abdullah - Deputy CSO at Mastercard

[Image: Alissa Abdullah, Deputy CSO at Mastercard. Source: LinkedIn]

Alissa Abdullah, PhD, is a distinguished senior information technology and cybersecurity executive with a rich background spanning Fortune 100 companies, the White House, and the government intelligence community. Currently serving as Deputy Chief Security Officer for Mastercard, she brings over 20 years of experience in IT strategy, fiscal management, and leading large government programmes. Abdullah's strategic leadership extends beyond her corporate role; she serves as a board member for organisations like Girls in Tech, Inc. and Smartsheet, while also lecturing at the University of California, Berkeley. With a PhD in Information Technology Management, and over 17k followers on LinkedIn, she is a recognised authority in cybersecurity and IT leadership.

28. Jane Frankland - CEO at KnewStart

[Image: Jane Frankland, CEO at KnewStart. Source: LinkedIn]

Jane Frankland is a prominent figure in cybersecurity with a career spanning over two decades of experience in the field. As a cybersecurity influencer and LinkedIn Top Voice, she has established herself as an award-winning leader, coach, board advisor, author, and speaker. Frankland's expertise lies in bridging the gap between business strategy and technical cybersecurity needs, enabling smoother and more effective engagements. With a portfolio career, she works with major brands as an influencer, leadership coach, and board advisor. Additionally, Frankland is deeply involved in initiatives promoting diversity and inclusion in cybersecurity, aligning her work with the UN Sustainable Development Goals.

27. Mark Lynd - Head of Executive Advisory & Corporate Strategy at NETSYNC

[Image: Mark Lynd, Head of Executive Advisory & Corporate Strategy at NETSYNC. Source: LinkedIn]

Mark Lynd is a globally recognised cybersecurity strategist and keynote speaker in cybersecurity and AI. With over 25 years of experience, including four stints as a CIO and CISO for global companies, he excels in technology, cybersecurity, and AI. Currently, he serves as the Head of Executive Advisory & Corporate Strategy at Netsync, a global technology reseller, where he concentrates on cybersecurity, AI, data center, IoT, and digital transformation. Lynd's accolades include being ranked globally for security and AI thought leadership, and he has authored acclaimed books and eBooks. He holds a Bachelor of Science from the University of Tulsa and is a proud military veteran.

26. Naomi Buckwalter - Director of Product Security at Contrast Security

[Image: Naomi Buckwalter, Director of Product Security at Contrast Security. Source: LinkedIn]

Naomi Buckwalter is an accomplished Information Security Leader, Nonprofit Director, Keynote Speaker, and LinkedIn Learning Instructor. With extensive experience in directing information security programmes, she has notably served as Director of Product Security at Contrast Security and Director of Information Security & IT at Beam Dental. Buckwalter's expertise encompasses compliance, risk management, and security operations. She is also the Founder & Executive Director of the Cybersecurity Gatebreakers Foundation, aiming to revolutionise cybersecurity hiring practices. With a background in computer science and over 99K followers on LinkedIn, she is recognised for her contributions as a cybersecurity thought leader and advocate for diversity in tech.

25. Raj Samani - Chief Scientist for Cybersecurity

[Image: Raj Samani, Chief Scientist for Cybersecurity. Source: Australian Cyber Conference 2024]

Raj Samani is currently Chief Scientist at Rapid7 and has experience in the industry spanning 20 years. He has worked with law enforcement and is also an advisor to the European Cybercrime Centre. Samani is a sought-after speaker at industry conferences, a published author, and continues to make appearances on podcasts where he discusses his expertise in threat intelligence, cyber defence strategies, and emerging threats. With over 15.2k followers on LinkedIn and 14.4k on Twitter, Samani is influential due to the cybersecurity-related articles, updates, and insights he shares, often engaging not only cybersecurity enthusiasts but also professionals.

24. Tyler Cohen Wood - Co-Founder of Dark Cryptonite

[Image: Tyler Cohen Wood, Co-Founder of Dark Cryptonite. Source: BankInfoSecurity]

Tyler Cohen Wood is a prominent and respected figure in the cybersecurity field. Currently the co-founder of Dark Cryptonite, a Special Comms method of cybersecurity, Wood has over 20 years of experience in the intelligence community. Wood previously served as Senior Intelligence Officer at the Defense Intelligence Agency (DIA) and Cyber Branch Chief at the DIA's Science and Technology Directorate. Wood is also a keynote speaker and provides insight into global cyber threats and national security, drawing on her knowledge of digital privacy and national security. Wood has a following of over 27k on LinkedIn, attention she has garnered through her ability to share insightful commentary on cybersecurity issues that explains complex technical concepts easily for all types of audiences.

23. Theresa Payton - CEO of Fortalice Solutions

[Image: Theresa Payton, CEO of Fortalice Solutions. Source: Experience McIntire]

Theresa Payton was the first ever female Chief Information Officer for the White House from 2006-2008, serving under George W. Bush, and is now the CEO of her company Fortalice Solutions, which she founded in 2008. Payton is best known for consulting, as that is the purpose of her company: providing services like risk assessments, incident response, and digital forensics to government agencies and to businesses across industries, and advising them on cybersecurity strategy and best IT practices. Payton has over 25k followers on LinkedIn, which is due to her continuous and avid blogging exposing cybercrime and tackling cybersecurity on her company's page.

22. Bill Brenner - Vice President, Custom and Research Content Strategy, CyberRisk Alliance

[Image: Bill Brenner, Vice President, Custom and Research Content Strategy, CyberRisk Alliance. Source: SC Magazine]

Bill Brenner is an experienced professional in the cybersecurity field and has worked in many roles, including journalist, editor, and community manager. His work has focused on cybersecurity education and awareness. Brenner is currently the Vice President of Custom and Research Content Strategy at CyberRisk Alliance. Brenner's 15.7k followers on Twitter come from his influence surrounding articles posted on CS Media and TechTarget, which are informative and relevant to cybersecurity professionals.

21. Brian Honan - CEO of BH Consulting

[Image: Brian Honan, CEO of BH Consulting. Source: BH Consulting]

Brian Honan is the CEO of BH Consulting and has over 30 years of experience in cybersecurity. He was formerly a special advisor on cyber security to Europol's Cyber Crime Centre, along with being an advisor to the European Union Agency for Network and Information Security. Honan's consultancy work is aimed not just at government agencies but also at multinational corporations and small businesses. Honan advocates strongly for education in the field and is a founding member of the Irish Reporting and Information Security Service (IRISS-CERT). His following of 36.2k on Twitter can be attributed to the articles and blogs he has written and posted, along with presentations at industry conferences worldwide.

20. Magda Chelly - Senior Cybersecurity Expert

[Image: Magda Chelly, Senior Cybersecurity Expert. Source: LinkedIn]

Magda Chelly is the first Tunisian woman to be on the advisory board of Black Hat. She has over 10 years of experience in security architecture, risk management, and incident response. Chelly is also a published author and a keynote speaker who can deliver her talks in five different languages. She is currently the Managing Director at Responsible Cyber, where she helps organisations implement effective cybersecurity strategies, while also being the founder of Women of Security (WoSEC) Singapore, which aims to encourage women to join the field of cybersecurity. Chelly has over 57k followers on LinkedIn due to her posts on cybersecurity, but also her diversity initiatives, which make her an advocate in the field.

19. Marcus J. Carey - Principal Research Scientist at ReliaQuest, CEO of ThreatCare

[Image: Marcus J. Carey, Principal Research Scientist at ReliaQuest, CEO of ThreatCare. Source: Facebook]

Marcus J. Carey is a former Navy Cryptologist who now works in cybersecurity innovation. He has worked in many roles, including penetration tester, security researcher, and security engineer, all of which helped him gain new and revolutionary insights into offensive and defensive cybersecurity techniques. Carey is famous for the books he has written about hackers and cybersecurity and is the established CEO of ThreatCare, a cybersecurity company focused on providing proactive threat detection and risk assessment solutions. His 52.4k Twitter followers stem from the expertise he shares on social media and his importance in educating future professionals in the field. He is also sought after as a speaker at industry conferences.

18. Andy Greenberg - Senior Writer at WIRED

[Image: Andy Greenberg, Senior Writer at WIRED. Source: Penguin Random House]

Andy Greenberg is currently a senior writer at Wired magazine and has written many articles investigating high-profile cyber incidents, hacking groups, and emerging cybersecurity threats. Greenberg's reports often focus on the details of cyberattacks and look at the broader implications for people, the government, and the industry as a whole. His 70.4k followers on Twitter are influenced by his updates and in-depth articles exploring the world of cybersecurity, informing not only the general public but also professionals about the hazards.

17. Paul Asadoorian - IT Security Engineer

[Image: Paul Asadoorian, IT Security Engineer. Source: SC Magazine]

Paul Asadoorian has been a professional in the cybersecurity field for over 20 years, but his following comes from his blogs and podcasts. He is best known as the founder and host of Security Weekly, where Asadoorian brings together experts and practitioners from the cybersecurity field to discuss the latest news and research in areas such as network security, application security, and incident response. Additionally, he is the founder and CEO of Offensive Countermeasures, a company that helps cybersecurity professionals enhance their skills and stay ahead of evolving threats. His 77.3k followers on Twitter are mostly due to his large social media presence as a podcaster and his posts sharing resources, opinions, and promotion of Security Weekly.

16. Nicole Perlroth - New York Times

[Image: Nicole Perlroth, New York Times]

Nicole Perlroth is a Pulitzer Prize-winning journalist who covers cybersecurity and digital espionage for The New York Times. She is regarded for her intensive reporting on cyber threats, hacking incidents, and the intersection of technology and national security. Perlroth has also written a book on the cyberweapons arms race. With 91.5k followers on Twitter, Perlroth shares her own articles, as well as insights and updates related to cybersecurity and technology, which creates engagement from both cybersecurity professionals and general readers interested in security.

15. Graham Cluley - Smashing Security

[Image: Graham Cluley, Smashing Security. Source: Smashing Security]

Graham Cluley is an author and blogger who has written books on cybersecurity and continues to be avid in sharing news and stories on cybersecurity through the written word and speech. Currently, Graham Cluley is an independent cybersecurity analyst, writer, and public speaker. He also runs a podcast where he discusses internet threats and safety in an entertaining, engaging, and informative way. Cluley's 112.9k Twitter followers are updated with his podcast, tweets, and YouTube videos, which explain cybersecurity topics and how to tackle them in a way tailored to general users of the internet.

14. Rachel Tobac - Hacker and CEO of SocialProof Security

[Image: Rachel Tobac, Hacker and CEO of SocialProof Security. Source: LinkedIn]

Rachel Tobac is an ethical hacker who helps companies keep safe through her work as CEO of SocialProof Security, which she co-founded. The company focuses on educating employees to recognize and deal with cyberattacks. She has a background in behavioural psychology and uses it to improve cybersecurity awareness and defences in the general public. Tobac also works with the non-profit Women in Security and Privacy (WISP), where she helps women advance in the security field and often encourages underrepresented groups to pursue a career in cybersecurity. Tobac's 106k-strong following on Twitter is due to her activism and to the tips and updates she shares related to the industry, with some posts being popular for starting debates amongst professionals.

13. Katie Moussouris - Founder of Luta Security

[Image: Katie Moussouris, Founder of Luta Security. Source: SANS Cyber Security Certifications & Research]

Katie Moussouris is the Founder of Luta Security, which encompasses her aims surrounding vulnerability disclosure and safer, more responsible security research. She is a leading figure in both aspects and has 20 years of experience in the field. Some of Moussouris's leading work is Microsoft's bug bounty programme, which she developed and which was one of the first of its kind in the industry. She also advocates for vulnerability disclosure, which merits more transparency between security researchers and organisations. Moussouris's 115.5k followers come from her revolutionary developments. She is a frequent speaker at cybersecurity conferences and events. She often posts and talks about her advocacy for ethical hacking and responsible security practices, along with her expertise on vulnerability disclosure and bug bounty programmes.

12. Chuck Brooks - President of Brooks Consulting International

[Image: Chuck Brooks, President of Brooks Consulting International. Source: The Official Cybersecurity Summit]

Brooks is the president of his consulting company, where he advises clients on cybersecurity strategy, risk assessment, and business development. Along with that, he is a featured author in many technology and cybersecurity blogs. Brooks has previously worked in advisory roles with corporations and also at government agencies, including the Department of Homeland Security and the Defense Intelligence Agency. Brooks' 116k LinkedIn followers are due to his regular contributions to industry research, news, and media articles. Along with that, he is a popular keynote speaker who shares his expertise on a wide range of cybersecurity topics.

11. Daniel Miessler - Founder of Unsupervised Learning

[Image: Daniel Miessler, Founder of Unsupervised Learning. Source: The Official Cybersecurity Summit]

Miessler is the founder and CEO of Unsupervised Learning, where he writes informative articles and tackles relevant issues surrounding cybersecurity and what the world after AI means for human beings. Miessler's following of 139.4k on Twitter comes from professionals in the field and novice enthusiasts engaging with his content and discussions, owing to his experience in the field. He also avidly shares articles and podcasts, bringing his audience up to speed with cybersecurity.

10. Kevin Beaumont - Internet Cyber Personality

[Image: Kevin Beaumont, Internet Cyber Personality. Source: iTWire]

Kevin Beaumont is an experienced professional who has worked in various cybersecurity roles, including security engineer and consultant. He also specialises in threat detection and incident response. Beaumont is now the Head of Cybersecurity Operations at Arcadia Ltd., along with being a cybersecurity researcher who runs his own platform where he discusses cybersecurity. Beaumont appeals to newer, younger cybersecurity enthusiasts, with around 150.9k followers on Twitter, due to his engagement with trolling on the internet. Additionally, he writes articles for Medium where he informs readers about cybercrime issues such as Microsoft Windows vulnerabilities.

9. Lesley Carhart - hacks4pancakes

[Image: Lesley Carhart, hacks4pancakes. Source: hacks4pancakes]

Lesley Carhart is currently a threat analyst and principal responder at Dragos, a company which works to protect industrial control systems from cyber threats, and has experience as a security analyst, incident responder, and threat hunter. Her work in both the public and private sectors has allowed her to gain valuable insights into cybersecurity issues across different industries. Her following of 168k comes from her work as a blogger and speaker who offers career advice in the field of cybersecurity. She also speaks about topics such as industrial control, ransomware attacks, and more.

8. Bruce Schneier - Schneier on Security

[Image: Bruce Schneier, Schneier on Security. Source: Wikipedia]

Schneier is a specialist in computer security and privacy along with being a cryptographer. Schneier is regarded as one of the most influential people in his field of cryptography and has written numerous books on cybersecurity, some of which are considered seminal works in the field. He has also written articles about security and privacy for magazines such as Wired. Schneier's following of 147.1k comes from being acknowledged as impactful in his field, but also from his blog, where he addresses the prevalence of hacking and other cyber dangers intersecting with our everyday lives.

7. Eugene Kaspersky - CEO of Kaspersky Lab

[Image: Eugene Kaspersky, CEO of Kaspersky Lab. Source: LinkedIn]

Eugene Kaspersky is one of the most impactful individuals in cybersecurity, best known as the CEO of Kaspersky Lab, a company he co-founded in 1997 which identified government-sponsored cyberwarfare. Kaspersky's following of 187.5k comes from how Kaspersky Lab has grown into a global cybersecurity powerhouse, offering a wide range of products and services, along with his advocacy for cybersecurity education. Kaspersky is also a keynote speaker on emerging threats and the importance of cybersecurity awareness at industry conferences and events. Furthermore, he writes a blog where he regularly posts updates about his life in the industry.

6. Eric Geller - Cybersecurity Journalist

[Image: Eric Geller, Cybersecurity Journalist. Source: LinkedIn]

Eric Geller is a freelance cybersecurity journalist recognised for his insightful coverage of digital security. With a comprehensive portfolio including esteemed publications like WIRED, Politico, and The Daily Dot, Geller offers in-depth analysis on cyber policy, encryption, and data breaches. His investigative reporting touches the intricate intersections of cybersecurity and everyday life, from election security to critical infrastructure protection. Geller's expertise extends to interviews with top officials and breaking news on government initiatives. With a Bachelor of Arts in Political Science from Kenyon College, Geller's accolades include induction into the Pi Sigma Alpha national political science honor society.

5. Shira Rubinoff - The Futurum Group

[Image: Shira Rubinoff, The Futurum Group. Source: The Futurum Group]

Shira Rubinoff is a cybersecurity and blockchain advisor as well as a popular keynote speaker and author. She is the President of SecureMySocial, a cybersecurity company that focuses on protecting organizations from social media risks such as data leakage, reputational damage, and insider threats. She has produced many impactful videos, consisting of interviews and conversations with other professionals. She is known as one of the top businesswomen in the field and currently runs a cybersecurity consulting firm and serves as the Chair of the Women in Cybersecurity Council (WCI), aiming to influence more women to join the field. Her follower count of 190.4k isn't only due to her experience as a businesswoman, but also to her constant interaction on social media, as she posts talks, videos, podcasts, written work, and more about many topics in cybersecurity.

4. Mikko Hyppönen - Chief Research Officer at WithSecure

[Image: Mikko Hyppönen, Chief Research Officer at WithSecure. Source: WithSecure]

Mikko Hyppönen has been in the world of cybersecurity since the late 1980s. Since then he has led researchers in identifying and eliminating emerging cyber threats, while providing insights and solutions to protect individuals, businesses, and governments from cybercrime. Hyppönen has written for many famous newspapers like the New York Times and has also appeared on international TV and lectured at universities like Oxford and Cambridge. His 230.5k followers are due to his engaging and informative presentations, which help raise awareness about cybersecurity threats. He also has a following for his blog posts and research papers detailing his expertise.

3. Kim Zetter - Investigative Journalist and Book Author

[Image: Kim Zetter, Investigative Journalist and Book Author. Source: IMDb]

Kim Zetter is an award-winning investigative journalist renowned for her expertise in cybersecurity and national security. With a distinguished career spanning publications like WIRED, Politico, and The New York Times Magazine, Zetter is a respected authority on topics ranging from election security to cyber warfare. Her book, "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon," offers a gripping narrative of covert cyber operations. As a sought-after speaker and social media personality with over 7K followers on LinkedIn, she shares insights at conferences worldwide. Zetter's relentless pursuit of truth has earned her acclaim and established her as a leading voice in cybersecurity journalism.

2. Brian Krebs - Krebs on Security

[Image: Brian Krebs, Krebs on Security. Source: Keppler Speakers]

Brian Krebs is an investigative journalist who wrote for The Washington Post from 1995 to 2009, including for its Security Fix blog. He now runs his own blog, Krebs on Security. In it, he provides in-depth analysis and reports, along with promptly posted breaking news on cybercrime, hacking, data breaches, and more. Krebs has received many awards for his investigative journalism, including being a Pulitzer Prize finalist for his coverage of cybersecurity problems. Krebs' 347.9k followers are due to the reputation his blog widely holds for being a first choice when looking for accurate, fast information, as well as for the truth, as he is known to hold individuals and organisations accountable in his work.

1. Robert Herjavec - CEO of Global Cybersecurity Firm Cyderes

[Image: Robert Herjavec, CEO of Global Cybersecurity Firm Cyderes. Source: Cyderes]

Herjavec is the CEO of the Herjavec Group and of the global cybersecurity firm Cyderes, which leads cybersecurity options and supports many security services, including threat detection and response, identity and access management, and compliance solutions. Along with that, he features on BBC's Shark Tank and also provides motivational business advice through his books and videos. His following of 2.2 million may be due to his appearance on the show, but he continues to actively post insights and give commentary on cybersecurity trends and ever-changing threats. Most of his followers are there to witness what he shares on business and entrepreneurship. Herjavec frequently shares cybersecurity-related articles and updates.

DragonForce Cyberattack Strikes Again: Malone & Co and Watt Carmicheal Added as Victims

DragonForce cyberattack

The notorious DragonForce ransomware group has expanded its list of victims, adding two new names to their dark web portal — Malone & Co and Watt Carmicheal. In a dark web post on their platform, the threat actor boasted about their latest conquests.  The first victim, Malone & Co, a prominent accounting firm based in Ireland, seemed to have fallen prey to the DragonForce cyberattack. The post provided details about the company's services and location, indicating a breach of sensitive information. Similarly, Watt Carmichael, a reputable investment management firm in Toronto, Canada, found itself ensnared in a similar situation by the DragonForce ransomware attack. However, despite their claims, both the cyberattacks are unverified.

DragonForce Cyberattack Targets Two New Victims

The Cyber Express has reached out to both organizations to learn more about this alleged DragonForce cyberattack. However, at the time of writing this, no official statement or response has been shared, leaving the claims for the DragonForce ransomware attack unverified.

[Image: DragonForce Cyberattack. Source: X]

Interestingly, both victims' websites remain operational, showing no immediate signs of the cyberattacks. This discrepancy adds another layer of mystery to the unfolding situation. Moreover, along with the cyberattack post, the DragonForce ransomware group stated that it had access to 15.34 GB of data associated with Malone & Co. The hacker group has shared a deadline of 16 days before the data gets published.

[Image: DragonForce Ransomware. Source: X]

As for the second alleged victim, Watt Carmicheal, the hacker group claims access to 27.3 GB of data, and no ransom deadline was shared. The threat actor, DragonForce, has used the same modus operandi to target similar victims in the past.

Who is the DragonForce Ransomware Group?

DragonForce, a hacktivist group hailing from Malaysia, is infamous for its relentless cyberattacks on government institutions and commercial entities, primarily in India. Their targets extend beyond geographical borders, with a particular focus on websites affiliated with Israel while advocating for pro-Palestinian causes. Utilizing a variety of tactics such as defacement attacks, distributed denial-of-service (DDoS) attacks, and data leaks, DragonForce demonstrates a high level of adaptability and sophistication in their operations. This versatility has enabled them to evolve their strategies over time, staying one step ahead of their adversaries. Embracing their role as vigilantes for the people, DragonForce Malaysia boldly proclaims its mission on various online platforms, including social media giants like Facebook, YouTube, and X (formerly Twitter). Through these channels, they amplify their voice, connecting with like-minded individuals and fostering a sense of community among Malaysian cybersecurity enthusiasts. Central to DragonForce's ideology is their staunch advocacy for the Palestinian cause. Their actions speak volumes, from high-profile hacks targeting Israeli networks to broadcasting messages of solidarity through unconventional mediums like TikTok. Despite their formidable capabilities, DragonForce does not operate in isolation. Collaborative efforts with other local hacker threat groups have been reported, highlighting the interconnected nature of the hacktivist groups.

CISA, FBI, and DHS Release Cybersecurity Blueprint for Civil Society


CISA, in collaboration with DHS, the FBI, and international cybersecurity agencies, has published a guide aimed at strengthening cybersecurity for civil society organizations, particularly those facing heightened risk from state-sponsored threats.

The guide, "Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society," offers practical steps for nonprofits, advocacy groups, academic institutions, journalists, and other high-risk groups to improve their digital defenses.

Announcing the guidance, CISA Director Jen Easterly said that threat actors aim to undermine the democratic and humanitarian values upheld by civil society. "These high-risk community organizations often lack cyber threat information and security resources. With our federal and international partners, we are providing this resource to help these organizations better understand the cyber threats they face and help them improve their cyber safety," Easterly added.

CISA, FBI, and DHS Collaborate to Support Cybersecurity for Civil Society

Civil society organizations play a crucial role in upholding democratic values, which makes them prime targets for state-sponsored cyber activity. These threats, frequently attributed to Russia, China, Iran, and North Korea, rely on tactics such as social engineering and the deployment of commercial spyware.

The guide emphasizes proactive measures tailored to the constraints civil society entities operate under. Its recommendations include keeping software updated, adopting phishing-resistant multi-factor authentication, and applying the principle of least privilege so that a single compromised account cannot reach everything. It also stresses cybersecurity training, diligence in vendor selection, and the development of incident response plans, and it offers guidance for individual members of civil society on password security, privacy protection, and recognizing social engineering.

The release is part of a broader effort to give high-risk communities the knowledge and tools to defend themselves. International collaboration, with partners from Canada, Estonia, Japan, and the United Kingdom, extends the reach of the initiative.

John Scott-Railton, senior researcher at Citizen Lab, welcomed the guidance on X (formerly Twitter). "Historically law enforcement & governments in democracies have been achingly slow to recognize this issue and help out groups in need," he wrote, noting that, with some exceptions, the lack of prioritization has caused real damage, including missed opportunities for accountability and diminished trust. "That's why I'm glad to see this @CISAgov & UK-led joint initiative come to fruition," he added.

Aiming for Better Protection Against Cyber Threats

Government agencies and cybersecurity organizations worldwide have joined forces to support civil society against online threats. The FBI, with its partners, aims to give organizations the capacity to defend against intrusions so that groups dedicated to human rights and democracy can operate securely.

"The FBI and its partners are putting out this guidance so that civil society organizations have the capacity to mitigate the threats that they face in the cyber realm," said Assistant Director Bryan Vorndran of the FBI's Cyber Division.

International partners, among them Japan's National Center of Incident Readiness and Strategy for Cybersecurity and Estonia's State Information Authority, likewise stress collective action against global cyber threats.

The guide also describes the tactics and techniques state-sponsored actors use against these targets, so that organizations can make informed decisions about security investment and resource allocation. Beyond the document itself, a range of resources is available to high-risk communities, including tailored risk assessment tools, helplines for digital emergencies, and free or discounted cybersecurity services aimed at civil society organizations.

By using these resources and building on international cooperation, civil society can better defend against cyber threats and continue its work in promoting democracy, human rights, and social justice.

Chrome Vulnerability Alert: Google’s Rapid Response to 6th Zero-Day Exploit


A new Google Chrome vulnerability has been uncovered and exploited in the wild, marking the sixth Chrome zero-day of 2024. Google has released an emergency update to patch it. The flaw, tracked as CVE-2024-4761, lies in V8, the engine that executes JavaScript and WebAssembly inside the browser.

Decoding the New Google Chrome Vulnerability 

Specifically, the flaw is an out-of-bounds write: the program writes past the end of the memory region it was given, corrupting whatever sits next to it. In a JIT-compiling JavaScript engine such as V8, that kind of corruption is routinely turned into arbitrary code execution inside Chrome's renderer process (a separate sandbox-escape bug is still needed to reach the rest of the system). Google acted promptly on learning of the exploit, rolling out updates for Mac, Windows, and Linux.

The fix is being deployed progressively, but users who do not want to wait can check manually by opening chrome://settings/help (Help > About Google Chrome), which triggers an update check and prompts for a relaunch once the new build has downloaded.

This vulnerability follows closely on the heels of CVE-2024-4671, another zero-day Google addressed just days earlier. Google has said only that it is aware an exploit for CVE-2024-4761 exists in the wild; it has not attributed the activity, so any claim about who is exploiting it is speculation at this point.
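For fleet-wide checks, the practical question is whether an installed build is older than the first build that carries the fix. The script below is an added example and not Google's tooling; the fixed version it uses in the usage line, 124.0.6367.207, is assumed here and should be confirmed against Google's Chrome Releases post for CVE-2024-4761 before it is relied on. It also shows the pitfall of comparing version strings lexicographically.

```python
"""Is an installed Chrome build older than the first build carrying a fix?

Added example for this article; it is not Google's tooling. The "first
fixed" version is an input to the check, not something this code knows:
confirm it against Google's Chrome Releases post for the CVE before
acting on the result.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Pull the four-part Chrome version out of strings such as
    'Google Chrome 124.0.6367.201' or 'Chromium 124.0.6367.118 snap'."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, build, patch = (int(p) for p in match.groups())
    return (major, minor, build, patch)


def is_vulnerable(installed: str, first_fixed: str) -> bool:
    """True when the installed build predates the fix. Compares integer
    tuples: comparing the raw strings would rank '124.0.6367.99' above
    '124.0.6367.207' because '9' sorts after '2' character by character."""
    inst, fixed = parse_version(installed), parse_version(first_fixed)
    if inst is None or fixed is None:
        raise ValueError("could not parse a Chrome version string")
    return inst < fixed


def installed_version(cmd=("google-chrome", "--version"), timeout=5) -> Optional[str]:
    """Ask the local binary for its version. Returns None if Chrome is not
    installed or the command fails, so callers can fall back to another
    inventory source instead of crashing."""
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout, check=False)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Assumed first fixed build for CVE-2024-4761; verify against Google's release post.
    FIRST_FIXED = "124.0.6367.207"
    current = installed_version()
    if current is None:
        print("Chrome not found on this host")
    elif is_vulnerable(current, FIRST_FIXED):
        print(f"{current}: update required (fixed in {FIRST_FIXED})")
    else:
        print(f"{current}: at or above {FIRST_FIXED}")
```

On Windows or macOS the binary path differs, so pass the appropriate command to installed_version, or feed it a version string collected by your endpoint management tool instead.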

Multiple Zero-day Chrome Vulnerabilities

Notably, Google has withheld technical details of the exploit, its usual practice until most users have applied the fix. Even without those details, the severity is clear: Google shipped an off-cycle stable update and stated that an exploit exists in the wild, which is as urgent as a Chrome advisory gets.

The string of zero-days fixed in 2024 shows sustained attacker effort against Chrome, and the bug classes involved, out-of-bounds memory access and use-after-free, are the memory-safety defects that underlie most browser exploitation.

The 2024 list so far: CVE-2024-0519, an out-of-bounds memory access in V8, was fixed in January. In March, CVE-2024-2887, a type confusion flaw in WebAssembly, was demonstrated by Manfred Paul at Pwn2Own 2024, alongside CVE-2024-2886, a use-after-free in WebCodecs, shown by Seunghyun Lee. CVE-2024-3159, another out-of-bounds memory access in V8, was demonstrated by Edouard Bochin and Tao Yan of Palo Alto Networks at the same event. In May, CVE-2024-4671, a use-after-free in the Visuals component, was patched just days before CVE-2024-4761.

Cybersecurity Alert: Frotcom International Faces Alleged Data Breach


A dark web actor using the handle DuckyMummy has claimed responsibility for an alleged data breach at Frotcom International, a vehicle tracking and fleet management provider based in Carnaxide, Portugal. The claim, posted on Nuovo BreachForums, would, if genuine, mean that Frotcom's internal systems were compromised and that sensitive data including GPS device IMEI numbers, real-time vehicle tracking data, billing details, and customer account information was exposed.

Alleged Frotcom Data Breach Surfaces on Dark Web

DuckyMummy's post describes access to internal systems spanning more than 40 countries and over 5,000 companies, with the compromised data ranging from GPS tracking data to customer billing information.

(Image: Frotcom data breach listing. Source: Dark Web)

As proof, the actor shared sample records purporting to show live GPS vehicle information sorted by country, and offered the database for sale at USD 5,000.

"These days I have breached the company security, and I have dumped all information and got access to all internal systems of the company, more than 40 countries, more than 5,000 COMPANIES!", the hacker stated.

The Cyber Express has reached out to Frotcom for confirmation and further details. As of the time of writing, no statement or response has been received, leaving the claims unverified.

Cyberattacks on Freight Companies 

The Frotcom claim is not an isolated event; it is a reminder of the threats the transportation sector faces as it becomes more dependent on interconnected digital systems. Fleet-tracking platforms are attractive targets in particular: a single compromise yields real-time location data across thousands of customers, which can be sold, used for extortion, or used to locate high-value cargo.

The consequences of attacks on transportation infrastructure range from supply chain disruption to the exposure of sensitive passenger and customer data. The ransomware attack on Japan's Port of Nagoya, which halted container operations for two days, showed the real-world impact of such incidents on global trade.

Attack vectors are also diversifying, with intrusions frequently originating from third-party supply chain partners or software vendors, and politically motivated actors add to the picture, as the DDoS attacks on US airport websites claimed by Russian-speaking hacktivists demonstrated.

Historically, incidents targeting transport, from DDoS attacks on Czech railways and airports to the ransomware incident affecting Italian State Railways, have caused widespread disruption and underline how exposed these systems are.

Cybersecurity Concerns Surround ChatGPT 4o's Launch; OpenAI Assures Beefed-up Safety Measures


The field of artificial intelligence is moving quickly, and OpenAI's ChatGPT remains the reference point for large language models (LLMs). Roughly 18 months after ChatGPT's initial launch, OpenAI has released a major update, GPT-4o, that competitors such as Google will have to answer. OpenAI unveiled GPT-4o, the "o" standing for "omni," in a live stream earlier this week. Here is a breakdown of its key features, followed by the security questions the launch raises.

Features of GPT-4o

Enhanced speed and multimodality: GPT-4o responds faster than its predecessors and accepts text, audio, and images as input, which allows more natural, mixed-media interactions.

Free-tier expansion: OpenAI is making some GPT-4o features available to free-tier users, including access to web-based information during conversations, discussion of images, file uploads, and, with limits, its data analysis tools. Paid users retain a wider range of functionality.

Improved user experience: the announcement post shows GPT-4o producing convincingly natural laughter in its voice output and interpreting visual input, for example recognizing a sport on a television and explaining its rules.

None of this removes the potential for misuse. OpenAI describes GPT-4o as safer than earlier versions, but the jailbreak and misuse concerns that applied to those versions still apply, and OpenAI's own evaluation rates the model's cybersecurity risk as Medium rather than negligible. Addressing these concerns, OpenAI published a detailed account of the safety measures built into GPT-4o.

Security Concerns Surround ChatGPT 4o

The implications of ChatGPT for cybersecurity have been debated by security leaders since its release, with many worried that the software is easy to misuse. Since its launch in November 2022, organizations including Amazon, JPMorgan Chase & Co., Bank of America, Citigroup, Deutsche Bank, Goldman Sachs, Wells Fargo, and Verizon have restricted or blocked employee use of the tool, citing data-leakage and security concerns. At the end of March 2023, Italy's data protection authority, the Garante, ordered a temporary block on ChatGPT over GDPR concerns, chiefly the absence of a lawful basis for collecting users' data for training and the lack of age verification; access was restored in late April after OpenAI added privacy disclosures, an opt-out from training, and an age check. These concerns are not unfounded.

OpenAI Assures Safety

OpenAI says GPT-4o has "new safety systems to provide guardrails on voice outputs," plus extensive post-training and filtering of the training data to keep ChatGPT from producing inappropriate or unsafe output. GPT-4o was built under OpenAI's internal Preparedness Framework and its voluntary commitments, and more than 70 external experts red-teamed it before release. In a post on its website, OpenAI states that its evaluations do not score the model above "Medium risk" for cybersecurity.

"GPT-4o has safety built-in by design across modalities, through techniques such as filtering training data and refining the model's behavior through post-training. We have also created new safety systems to provide guardrails on voice outputs. Our evaluations of cybersecurity, CBRN, persuasion, and model autonomy show that GPT-4o does not score above Medium risk in any of these categories," the post said. "This assessment involved running a suite of automated and human evaluations throughout the model training process. We tested both pre-safety-mitigation and post-safety-mitigation versions of the model, using custom fine-tuning and prompts, to better elicit model capabilities," it added.

On the external review, OpenAI said: "GPT-4o has also undergone extensive external red teaming with 70+ external experts in domains such as social psychology, bias and fairness, and misinformation to identify risks that are introduced or amplified by the newly added modalities. We used these learnings to build out our safety interventions in order to improve the safety of interacting with GPT-4o. We will continue to mitigate new risks as they're discovered."

Credibility in Question: Meesho Data Breach Claims Echo 2020 Leak


A threat actor using the alias qpwomsx has claimed responsibility for an alleged data breach at the Indian online shopping platform Meesho. The claim is under scrutiny: the poster joined the forum only in May 2024, and the sample data appears to have been reposted from a 2020 leak.

On Nuovo BreachForums, qpwomsx posted what they described as a Meesho database, with snippets containing names, email addresses, and phone numbers offered as proof. On closer examination, the sample records are identical to those from the 2020 IndiaMART database leak, which was reported to affect about 38 million user records. That alone casts serious doubt on the claim that the data comes from Meesho.

Unconfirmed Meesho Data Breach Surfaces on Dark Web

(Image: Meesho data breach listing. Source: Dark Web)

The discrepancies do not end there. The Cyber Express analyzed the sample further and found inconsistencies within the data itself, in particular names that did not match the phone numbers listed against them. Given qpwomsx's short tenure on the forum, establishing the authenticity of the claimed Meesho breach is difficult.

At the same time, the data is not simply junk: most of the email addresses in the sample are valid and deliverable, and the records are a compilation of personal information on individuals predominantly based in India. Alongside names, email addresses, and phone numbers, the sample includes location and workplace affiliations, though the presence of "null" values points to gaps or inaccuracies in the dataset. Real-but-recycled data is typical of a reposted leak: the individuals are genuine, but the claimed source is not.
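The checks applied above, comparing a claimed sample against an earlier public leak and looking for internal contradictions, can be scripted so they are repeatable the next time a forum post recycles old data. The following is an added example, not tooling from The Cyber Express, the forum poster, or either company named in the article; every record in it is a constructed placeholder, and the 50% reuse threshold and the assumption of 10-digit Indian national phone numbers are choices made here.

```python
"""Triage a claimed breach sample against an earlier, already-public leak.

Added example; not code from The Cyber Express, the forum poster, or
either company named in the article. All records are constructed
placeholders. Assumptions: phone numbers are Indian 10-digit national
numbers (a country code, if present, is stripped), and a sample in which
at least half the records already appeared in the earlier leak is
treated as recycled.
"""
import hashlib
import re


def normalise(rec: dict) -> tuple:
    """Canonical (name, email, phone) so case, spacing and a +91 prefix
    cannot disguise a record that is simply being re-posted."""
    name = " ".join((rec.get("name") or "").split()).lower()
    email = (rec.get("email") or "").strip().lower()
    phone = re.sub(r"\D", "", rec.get("phone") or "")
    if len(phone) > 10:  # assumption: 10-digit national number after any country code
        phone = phone[-10:]
    return (name, email, phone)


def fingerprint(rec: dict) -> str:
    """Hash of the canonical form, so a prior leak can be kept as a set of
    digests rather than as plaintext PII."""
    return hashlib.sha256("|".join(normalise(rec)).encode()).hexdigest()


def overlap_ratio(claimed, prior) -> float:
    """Fraction of the claimed sample whose fingerprint already exists in the prior leak."""
    if not claimed:
        return 0.0
    known = {fingerprint(r) for r in prior}
    hits = sum(1 for r in claimed if fingerprint(r) in known)
    return hits / len(claimed)


def internal_inconsistencies(records) -> list:
    """The two signals the article relies on: one phone number tied to
    several different names, and null or empty field values."""
    issues = []
    names_by_phone = {}
    for r in records:
        name, _, phone = normalise(r)
        if phone:
            names_by_phone.setdefault(phone, set()).add(name)
    for phone, names in sorted(names_by_phone.items()):
        if len(names) > 1:
            issues.append(f"phone {phone} is linked to {len(names)} different names")
    nulls = sum(1 for r in records for v in r.values() if v in (None, "", "null"))
    if nulls:
        issues.append(f"{nulls} null or empty field values")
    return issues


def triage(claimed, prior, reuse_threshold=0.5) -> dict:
    """Combine the overlap measure and the consistency checks into one verdict."""
    ratio = overlap_ratio(claimed, prior)
    verdict = ("likely recycled from the earlier leak" if ratio >= reuse_threshold
               else "no strong evidence of recycling")
    return {"overlap": ratio, "verdict": verdict, "issues": internal_inconsistencies(claimed)}


# Constructed placeholder data, not records from IndiaMART or Meesho.
PRIOR_LEAK = [
    {"name": "Asha Verma", "email": "asha.verma@example.com", "phone": "9876543210"},
    {"name": "Rohan Mehta", "email": "rohan.m@example.net", "phone": "9123456780"},
    {"name": "Priya Nair", "email": "priya.nair@example.org", "phone": "9988776655"},
]
CLAIMED_SAMPLE = [
    {"name": "ASHA VERMA", "email": "Asha.Verma@example.com", "phone": "+91 98765 43210"},
    {"name": "Rohan  Mehta", "email": "rohan.m@example.net", "phone": "91-9123456780"},
    {"name": "Priya Nair", "email": "priya.nair@example.org", "phone": "9988776655"},
    {"name": "Karan Singh", "email": "karan@example.com", "phone": "9876543210", "city": "null"},
]

if __name__ == "__main__":
    print(triage(CLAIMED_SAMPLE, PRIOR_LEAK))
```

Hashing the prior leak rather than storing it in the clear matters when the comparison set is itself stolen personal data; the overlap test works just as well on digests. The threshold is deliberately a parameter, since a genuinely new breach of an overlapping user base will also show some reuse.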

The IndiaMART Data Breach Link

The Cyber Express has reached out to Meesho to learn more about the alleged leak. At the time of writing, no statement or response has been shared, leaving the claims unverified.

The parallels with the 2020 IndiaMART leak are the crux. IndiaMART, a prominent business-to-business e-commerce platform, was targeted in 2020; despite the company's assertion that only basic contact information was publicly available, security researchers found detailed records for over 40,000 suppliers exposed. The sample qpwomsx presents as Meesho data matches that earlier IndiaMART data, which raises questions both about the authenticity of the claim and about the poster's motives.

This is an ongoing story and The Cyber Express will continue to monitor it. This post will be updated if more information emerges or Meesho responds.