Reading view
Understanding Cyberconflict in the Geopolitical Context
The Role of Misinformation and Disinformation in Cyberconflict
Misinformation and disinformation play a critical role in the landscape of cyberconflict, shaping public perception and influencing the dynamics of geopolitical tensions. A report by Full Fact highlights the detrimental impact of false information on democratic societies, emphasizing the need for informed citizenship to combat the spread of such information. Similarly, data from UNESCO underscores the pervasive risk of encountering disinformation across various media platforms, with statistics indicating a significant trust deficit in media and an increase in the manipulation of news consumption. The cybersecurity sector also recognizes disinformation as a substantial threat, with a study by the Institute for Public Relations revealing that 63% of Americans view disinformation as a major societal issue, and nearly half of cybersecurity professionals consider it a significant threat to security. These concerns are echoed globally, as a survey found that over 85% of people worry about the impact of online disinformation on their country's politics. The intertwining of misinformation, disinformation, and cyberconflict presents a complex challenge that requires a multifaceted approach, including media literacy, regulatory frameworks, and international cooperation to mitigate its effects and safeguard information integrity.The Role of Big Tech in Cyberconflict Interplay
The role of big tech companies in cyber conflict is a complex and evolving issue. These companies often find themselves at the forefront of cyber conflict, whether as targets, mediators, or sometimes even participants. For instance, during civil conflicts, digital technologies have been used to recruit followers, finance activities, and control narratives, posing additional challenges for peacemakers. The explosive growth of digital technologies has also opened new potential domains for conflict, with state and non-state actors capable of carrying out attacks across international borders, affecting critical infrastructure and diminishing trust among states. In response to the invasion of Ukraine, big tech companies played crucial roles in addressing information warfare and cyber-attacks, showcasing their significant influence during times of conflict. Moreover, the technological competition between major powers like the United States and China further highlights the geopolitical dimension of big tech's involvement in cyber conflict. These instances underscore the need for a robust framework to manage the participation of big tech in cyber conflict, ensuring that their capabilities are harnessed for peace and security rather than exacerbating tensions.Hedging the Risks of Using AI and Emerging Tech To Scaleup Misinformation and Global Cyberconflicts
In response to the growing threat of election misinformation, various initiatives have been undertaken globally. The World Economic Forum has identified misinformation as a top societal threat and emphasized the need for a concerted effort to combat it, especially in an election year with a significant global population going to the polls. The European Union has implemented a voluntary code of practice for online platforms to take proactive measures against disinformation, including the establishment of a Rapid Alert System and the promotion of fact-checking and media literacy programs. In the United States, the Brennan Center for Justice advocates for active monitoring of false election information and collaboration with internet companies to curb digital disinformation. Additionally, the North Carolina State Board of Elections (NCSBE) provides guidelines for the public to critically assess the credibility of election news sources and encourages the use of reputable outlets. These initiatives represent a multifaceted approach to safeguarding the integrity of elections by enhancing public awareness, improving digital literacy, and fostering collaboration between governments, tech companies, and civil society. In the ongoing battle against election misinformation, several key alliances and actions have been formed. Notably, the AI Elections Accord was proposed for public signature at the Munich Security Conference on February 16, 2024. This accord represents a commitment by technology companies to combat deceptive AI content in elections. In a similar vein, Meta established a dedicated team on February 26, 2024, to address disinformation and the misuse of AI leading up to the European Parliament elections. Furthermore, the Federal Communications Commission (FCC) in the United States took a decisive step by making AI-generated voices in robocalls illegal on February 8, 2024, to prevent their use in misleading voters. These measures reflect a growing recognition of the need for collaborative efforts to safeguard the integrity of elections in the digital age. The alliances and regulations are pivotal in ensuring that the democratic process remains transparent and trustworthy amidst the challenges posed by advanced technologies. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.The Snowballing of the Snowflake Breach: All About the Massive Snowflake Data Breach
Why the Snowflake Breach Matters
Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others. Snowflake holds approximately a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, it an attractive target for cybercriminals. However, it is crucial to note that the breaches are not necessarily due to failures by Snowflake. The correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, along with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform.Ongoing Investigation and Preliminary Results in Snowflake Breach
On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware.Compromised Employee Account
Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA) but the demo accounts lacked such safeguards.Test Environments Targeted
Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention.Attack Path
The initial access point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, who helped Snowflake in its investigation, confirmed that the compromised credentials were from customer instances and were traced back to infostealer malware logs. Several variants of infostealer malware were used, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER.Possible Reasons for the Breach
Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to four years were significant factors. Network allow lists were also not used to restrict access to trusted locations.Unconfirmed Threat Actor Claims
The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of "sensitive" data used for determining the impact on demo accounts. The investigation is ongoing, but Snowflake stands by its initial findings.Affected Customers from Snowflake Breach
The data breaches began in April 2024, and the company claimed it had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach. While some victims have been identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies know to have been impacted in the Snowflake data breach:- Santander Group: The company confirmed a compromise without mentioning Snowflake.
- Impact: Santander Bank staff and 30 million customers’ data has allegedly been breached.
- TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
- Impact: 560 Million TicketMaster user details and card info potentially at risk.
- LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
- Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.
- Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
- Impact: Same actor as LendingTree claimed leak of 380 million customers and 358,000 former and current employees.
- Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
- Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million.
Security Measures and Customer Support
Snowflake Chief Information Security Officer Brad Jones reiterated the company's findings, asserting that the breaches were not due to any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts. The company acknowledges the friction in their MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite due to the high sensitivity of the data stored in their cloud environments.Key Recommendations for Snowflake Customers:
- Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
- Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks.
- Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
- Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.
Using LLMs to Exploit Vulnerabilities
Interesting research: “Teams of LLM Agents can Exploit Zero-Day Vulnerabilities.”
Abstract: LLM agents have become increasingly sophisticated, especially in the realm of cybersecurity. Researchers have shown that LLM agents can exploit real-world vulnerabilities when given a description of the vulnerability and toy capture-the-flag problems. However, these agents still perform poorly on real-world vulnerabilities that are unknown to the agent ahead of time (zero-day vulnerabilities).
In this work, we show that teams of LLM agents can exploit real-world, zero-day vulnerabilities. Prior agents struggle with exploring many different vulnerabilities and long-range planning when used alone. To resolve this, we introduce HPTSA, a system of agents with a planning agent that can launch subagents. The planning agent explores the system and determines which subagents to call, resolving long-term planning issues when trying different vulnerabilities. We construct a benchmark of 15 real-world vulnerabilities and show that our team of agents improve over prior work by up to 4.5×...
The post Using LLMs to Exploit Vulnerabilities appeared first on Security Boulevard.
Using LLMs to Exploit Vulnerabilities
Interesting research: “Teams of LLM Agents can Exploit Zero-Day Vulnerabilities.”
Abstract: LLM agents have become increasingly sophisticated, especially in the realm of cybersecurity. Researchers have shown that LLM agents can exploit real-world vulnerabilities when given a description of the vulnerability and toy capture-the-flag problems. However, these agents still perform poorly on real-world vulnerabilities that are unknown to the agent ahead of time (zero-day vulnerabilities).
In this work, we show that teams of LLM agents can exploit real-world, zero-day vulnerabilities. Prior agents struggle with exploring many different vulnerabilities and long-range planning when used alone. To resolve this, we introduce HPTSA, a system of agents with a planning agent that can launch subagents. The planning agent explores the system and determines which subagents to call, resolving long-term planning issues when trying different vulnerabilities. We construct a benchmark of 15 real-world vulnerabilities and show that our team of agents improve over prior work by up to 4.5×.
The LLMs aren’t finding new vulnerabilities. They’re exploiting zero-days—which means they are not trained on them—in new ways. So think about this sort of thing combined with another AI that finds new vulnerabilities in code.
These kinds of developments are important to follow, as they are part of the puzzle of a fully autonomous AI cyberattack agent. I talk about this sort of thing more here.
Young Cyber Scammer Arrested, Allegedly Behind Cyberattacks on 45 U.S. Companies
Cyber Scammer Used Familiar Playbook
The modus operandi of the cybercriminal was simple: use phishing techniques to obtain access credentials from individuals,; use these credentials to infiltrate corporate work systems; exfiltrate sensitive company data that was likely monetized and put up for sale on dark web forums; and also access victims' cryptocurrency wallets to siphon them off. This modus operandi allowed the scammer to amass a significant amount of bitcoins. The Spanish police said the young cyber scammer managed to gain control over 391 bitcoins - approximately valued at over $27 million - from his victims. The arrest occurred at Palma airport as the suspect was preparing to leave Spain on a charter flight to Naples. The operation was conducted by agents of the Spanish National Police in collaboration with the FBI. The investigation, led by the Central Cybercrime Unit and supported by the Balearic Superior Headquarters, began in late May when the FBI’s Los Angeles office requested information about the suspect that they believed was in Spain. The FBI reported that an International Arrest Warrant had been issued by a Federal Court of the Central District of California, prompting intensified efforts to locate the suspect.Laptop, Phone Seized
The suspect was carrying a laptop and a mobile phone at the time of his arrest, which were seized. The judicial authority subsequently ordered the suspect to be placed in provisional prison. The FBI did not immediately provide a response on whether the young British man would be extradited to the U.S. to be tried, nor did they release details on an indictment, but many similar cases in the recent past show the possibility of that happening soon.Linked to Scattered Spider?
The cybercrime-focused vx-underground X account (formerly known as Twitter) said the U.K. man arrested was a SIM-swapper who operated under the alias “Tyler.” Fraudster's transfer the target’s phone number in a sim swapping attack to a device they control and intercept any text messages or phone calls to the victim. This includes one-time passcodes for authentication or password reset links sent over an SMS. “He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group,” vx-underground tweeted. The details, however, could not be confirmed but independent journalist Brian Krebs said the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.“Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.” - vx-undergroundThe initial access vector in the attack on MGM included targeting of a help desk executive with social engineering tactics. Mandiant in its latest report found Scattered Spider aka UNC3944 using the same modus operandi, and although no victim names were stated, it now suggests the possible linkage between them. *Update (June 17 5:45 AM EST): Added details on the 22-year old young cyber scammer's identity and possible links to Scattered Spider group.
Hacktivist Group Launches Alleged Cyberattack on Unifi TV, Targeting Malaysian Internet Infrastructure
177 Members Team Claims Unifi TV Cyberattack
[caption id="attachment_77209" align="alignnone" width="525"]![Unifi TV cyberattack](https://thecyberexpress.com/wp-content/uploads/Unifi-TV-cyberattack.webp)
Previous Cybersecurity Incidents
While Unifi TV has yet to release an official statement regarding the cyberattack, concerns about data breaches have been previously raised. In July 2023, Telekom Malaysia issued a data breach alert to Unifi users, stating that personal information, including names, identification numbers, and contact details, may have been compromised. The company assured users that measures had been taken to contain the breach and protect customer data. In light of these incidents, cybersecurity experts emphasize the need for proactive measures to mitigate future threats. Collaborative efforts between government agencies, law enforcement, and private sector entities are crucial in addressing online threats that target Asian nations. As for the current Unifi TV cyberattack claims, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged attack or any official confirmation from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Microsoft in damage-control mode, says it will prioritize security over AI
![Brad Smith, vice chairman and president of Microsoft, is sworn in before testifying about Microsoft's cybersecurity work during a House Committee on Homeland Security hearing on Capitol Hill in Washington, DC, on June 13, 2024.](https://cdn.arstechnica.net/wp-content/uploads/2024/06/GettyImages-2156786701-800x534.jpg)
Enlarge / Brad Smith, vice chairman and president of Microsoft, is sworn in before testifying about Microsoft's cybersecurity work during a House Committee on Homeland Security hearing on Capitol Hill in Washington, DC, on June 13, 2024. (credit: SAUL LOEB / Contributor | AFP)
Microsoft is pivoting its company culture to make security a top priority, President Brad Smith testified to Congress on Thursday, promising that security will be "more important even than the company’s work on artificial intelligence."
Satya Nadella, Microsoft's CEO, "has taken on the responsibility personally to serve as the senior executive with overall accountability for Microsoft’s security," Smith told Congress.
His testimony comes after Microsoft admitted that it could have taken steps to prevent two aggressive nation-state cyberattacks from China and Russia.
City of Cleveland Scrambling to Restore Systems Following Cyberattack
The City of Cleveland says emergency services, utilities, and airport are unaffected by a recent cyberattack.
The post City of Cleveland Scrambling to Restore Systems Following Cyberattack appeared first on SecurityWeek.
Canada’s Largest District School Board Investigates Ransomware Incident
Toronto District School Board's Investigation Underway
The school board stated that the incident had affected its testing environment, which had been used to evaluate new technology and programs before being deployed on systems. The board's cybersecurity team had taken immediate action upon discovering the incident, securing systems and preserving data. The Toronto District School Board had notified details of the incident to the Toronto police and the Information and Privacy Commissioner of Ontario. [caption id="attachment_77136" align="alignnone" width="2800"]![Toronto District School Board Ransomware Attack cyberattack 2](https://thecyberexpress.com/wp-content/uploads/Toronto-District-School-Board-Ransomware-Attack-cyberattack-2-scaled.webp)
![Toronto District School Board Ransomware Attack cyberattack](https://thecyberexpress.com/wp-content/uploads/Toronto-District-School-Board-Ransomware-Attack-cyberattack.webp)
Impact Unknown; More Details Expected Soon
Despite the attack, the district school board's systems remained fully operational and functional. While only the school's testing environment had been affected, Humber College cybersecurity expert Francis Syms remained concerned over the incident, as personal information is sometimes used on test environments. He added that test environments are usually not secured by multifactor authentication, potentially making data easier to access. However, he admitted that he was not aware of the testing system being used, as he was not part of the investigation team. The Toronto District School Board did not clarify whether the testing environment or its data contained any personal information. Ryan Bird, a spokesperson from the school district board, disclosed to CityNews Toronto that the full extent of the breach was unknown, or if any personal data had been compromised in the attack, but further details would be revealed by the end of the day. The Cyber Express team has reached out to the Toronto District School Board for further details and investigation results, but no responses have been received as of yet. Toronto's cybersecurity defenders have observed an uptick in cyberattacks in recent years, from both financially-motivated hackers and 'hacktivists' disrupting public systems. Some attacks occur during sensitive times such as elections, global conflicts, or visits by foreign leaders. However, ransomware attacks remain the most common form of attacks. City officials have been working with several agencies to rebuild trust in the safety of public systems and services. Charles Finlay, Toronto resident and executive director at Rogers Cybersecure Catalyst, had earlier stated to the Toronto Star, “I think the city has to be more forthcoming about what it is doing to ensure that those services are secure from cyber-attacks.” The City had witnessed several attacks on its public institutions such a Cl0p ransomware intrusion into the City of Toronto's computer systems as well as an attack last year on the Toronto Public Library's computer systems. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.CISA Warns of Phone Scammers Impersonating Its Employees
CISA Impersonation Scam
The spammers behind the campaign make phone calls to victims in which they claim to be contacting targets on behalf of CISA; they then ask victims to share personal information or money under the guise of protecting their accounts from unauthorized activity. Fraudsters may also direct victims to download additional software or click on links to "verify" their identity. However, CISA confirmed that it would never make such demands. "CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret," CISA warned. Possible red flags to watch out for:- Unsolicited phone calls that claim to be from CISA.
- Callers requesting personal information, such as passwords, social security numbers, or financial information.
- Callers demanding payment or transfer of money to "protect" your account.
- Callers creating a sense of urgency or pressuring you to take immediate action.
- Do not pay the caller.
- Take record of the numbers used.
- Hang up the phone immediately while ignoring further calls from suspicious numbers.
- Report the scam to CISA by calling (844) SAY-CISA (844-729-2472).
FTC Observes Uptick in Impersonation Scams
The CISA impersonation scam is a recent example of the rise in impersonation fraud targeting both businesses and government agencies. According to the latest data from the Federal Trade Commission (FTC), the number of such scams has increased dramatically in recent years, and cost consumers more than $1.1 billion in 2023 alone. The FTC report showed that in 2023, the agency received more than 330,000 reports of fraud posing as a business and almost 160,000 reports of fraud posing as a government. Collectively, these incidents account for almost half of all fraud cases reported directly to the FTC. "The financial injury is breath-taking – and cash-taking," the FTC quipped in its Spotlight. It further added, "Reported losses to impersonation scams topped $1.1 billion in 2023, more than three times what consumers reported in 2020." While fraudsters employ various types of scams, the FTC noted that the below types accounted for nearly half of the reported/observed scams in 2023:- Copycat account security alerts: Scams that pretend to impersonate legitimate services such as Amazon while purporting to be about unauthorized activity or charges to their account.
- Phony subscription renewals: Usually email notices that alert targets of auto-renew charges to various online services.
- Fake giveaways, discounts, or money to claim: Fake rewards or winnings that claim to originate from legitimate providers such as internet providers or large retailers.
- Bogus problems with the law: Scammers try to deceive targets into believing that their identity had been used to commit heinous crimes such as money laundering or the smuggling of drugs.
- Made-up package delivery problems: Messages that alert you of fake delivery problems with legitimate delivery services such as the U.S. Postal Service, UPS, or FedEx.
Daily Blood Sampling in London Hospitals Down from 10,000 to 400 After Synnovis Ransomware Attack
“Urgent requests are severely restricted at around 400 a day. Historically primary care and community services have generated around 10,000 samples a day for testing, which gives you an idea of the scale of the impact.” - SynnovisServices including blood transfusions reportedly remain severely disrupted at Guy's and St Thomas' Hospital and King's College Hospital. Both hospitals are experiencing disruption of pathology services, particularly blood tests.
Blood Testing Severely Impacted After Synnovis Ransomware Attack
The biggest challenge that Synnovis is currently facing is that all its automated end-to-end laboratory processes are offline since all IT systems have been locked down in response to the ransomware attack. “This means we are having to log all samples manually when they arrive, select each test manually on analyzers and, once tests have been processed, type in each result on the laboratory’s computer system (the Laboratory Information Management System - LIMS),” Synnovis said. And this is not the end of it. Synnovis then must manually deliver these results to the Trust’s IT system so that the results can be further electronically submitted back to the requester. But since the Synnovis’ LIMS is presently disconnected from the Trusts’ IT systems, “this extensive manual activity takes so much time that it severely limits the number of pathology tests we can process at the moment,” Synnovis explained. The pathology service provider normally processes around 10,000 primary care blood samples a day, but at the moment is managing only up to 400 from across all six boroughs. “Despite the measures we know colleagues are taking to prioritize the most urgent samples, we are receiving many more than we can process and we have an increasing backlog,” Synnovis said. The lab services provider last week was able to process around 3,000 Full Blood Count samples but could not export results due to the lack of IT connectivity. “Of those tests processed, we have phoned through all results that sit outside of critical limits, however, we have been unable to return any results electronically and are unlikely to be able to do so,” Synnovis said. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this week to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.Will Process only 'Clinically Critical' Blood Samples
To manage the inadequacy of the services, the service provider is momentarily only accepting blood samples that the requesting clinician considers to be “clinically critical.” Clinicians need to consider a test as “critical” only if a test result is needed within 24 hours to determine a patient’s urgent treatment or care plan. “As experts, your clinical view of what is considered ‘critical’ will be accepted by the laboratory, but we urge you to apply this definition carefully, given the severe capacity limitations we are facing,” Synnovis recommended. [caption id="attachment_77097" align="aligncenter" width="1024"]![Synnovis ransomware attack](https://thecyberexpress.com/wp-content/uploads/Synnovis-ransomware-Clinically-critical-1024x811.png)
Caregivers Working Overtime
Doctors and caregivers at Guy's and St Thomas' Hospital and King's College Hospital have been putting in extra hours since the Synnovis ransomware attack disrupted services last week. But this is not enough, as KCH has already cancelled some of its operations and is working only at about 70% capacity. Three of its 17 operating theatres remain shut, BBC reported.CyberDragon Hacking Group Shuts Down Multiple South Korean Sites for Support, Aid to Ukraine
Government, Financial Sites Attacked by CyberDragon Hacking Group
Irked by its support being garnered against Russia, CyberDragon launched an extensive cyberattack on key South Korean sites and criticized the country for its alleged promotion of Russophobia.![CyberDragon](https://thecyberexpress.com/wp-content/uploads/South-Korea-Hack.webp)
![CyberDragon Hacking Group](https://thecyberexpress.com/wp-content/uploads/South-Korean-Company-Hack.webp)
Previous Operations by CyberDragon Hacking Group
The CyberDragon group gained popularity after it took down the website and app for almost 24 hours after a massive data breach in March 2024. CyberDragon had then posted evidence of the attack on its TOR platform but LinkedIn didn’t comment on the attack. The peculiar hacking actor has both Chinese and Russian ties. It carries out cyberattacks with many pro-Russian hackers and most of its statements are posted in Russian. Both China and Russia are global allies and the targets of CyberDragon indicate their ideological and political affiliations. This scenario is, however, not new in the cybercrime world. Organizations around the world must deal with the fallout of cyberattacks by groups like CyberDragon. Their attacks indicate why it is crucial to remain vigilant and implement stringent security measures against cyberattacks.Grand Traverse County Faces Cyberattack: FBI and State Police Investigate
Decoding the Grand Traverse County Cyberattack
Subsequent investigations confirmed the severity of the cyberattack on Grand Traverse County, leading officials to label it as a ransomware attack. Collaboration between Grand Traverse County, Michigan State Police, FBI, and liability providers is underway to comprehend the scope of the attack and plan a strategic response. As of now, there's no confirmation of data transfer, but a thorough investigation is ongoing to safeguard the integrity of the system. While disruptions are inevitable, emergency services such as 911, law enforcement, and fire operations remain operational, ensuring public safety amid the crisis. Nate Alger, Grand Traverse County Administrator, assured the public of swift action, stating, "Our IT Department acted promptly to isolate the incident and shut down affected networks to contain the threat. We're working closely with our partners to minimize disruptions and resolve the situation efficiently."The Aftermath of the Cyberattack Grand Traverse County
The impact of the cyberattack on Grand Traverse County extends to in-person customer services at county and city offices, particularly those reliant on network connectivity. Citizens are urged to postpone non-urgent in-person payments at the treasurer's offices, although online payment services remain unaffected and secure. Despite the challenges posed by the attack, the county and city websites remain accessible, hosted on separate servers to ensure uninterrupted public access to essential information and services. While the situation unfolds, authorities are deploying alternative measures and collaborative efforts to mitigate the impact and restore services promptly. Grand Traverse County remains resilient in the face of adversity, prioritizing the safety and well-being of its residents throughout the recovery process. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Grand Traverse County cyberattack or any additional information from the county. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.SPIEF 2024 Allegedly Endures Cyberattack by IT Army of Ukraine
IT Army of Ukraine Claims SPIEF 2024 Cyberattack
[caption id="attachment_76981" align="alignnone" width="1000"]![SPIEF 2024 Cyberattack](https://thecyberexpress.com/wp-content/uploads/SPIEF-2024-Cyberattack-1.webp)
More Cyberattacks to Counter
In response to inquiries regarding the authenticity of these claims, Solar SC's General Director, Igor Lyapunov, reassured the public that despite the relentless onslaught, the forum's infrastructure remained resilient. The collaborative efforts of cybersecurity experts successfully repelled all attacks, safeguarding the integrity and functionality of SPIEF's digital ecosystem. However, concerns linger as to the broader implications of such cyber incursions, particularly in an era where economic forums serve as pivotal platforms for global cooperation and exchange. The sophistication and audacity demonstrated by threat actors underscore the pressing need for better cybersecurity measures and international collaboration to mitigate future risks. The Cyber Express reached out to SPIEF organizers for further insights into the incident and the authenticity of the IT Army of Ukraine's claims. As of the time of reporting, no official statement has been issued, leaving the allegations surrounding the SPIEF 2024 cyberattack unconfirmed. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Single Click, Big Disruption: Employee Download Triggers Ascension Cyberattack
What Caused Ascension Cyberattack?
The cyberattack on Ascension was traced back to an innocent mistake by an employee who accidentally downloaded a malicious file, mistaking it for a legitimate one. "We have also identified how the attacker gained access to our systems. An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything but an honest mistake," informed the spokesperson. This incident highlights the importance of continuous cybersecurity training and vigilance among all employees to prevent such occurrences in the future. Ascension has assured its patients and associates that there is no evidence suggesting any data was taken from the Electronic Health Records (EHR) system or other clinical systems where comprehensive patient records are securely stored. This means the most sensitive health information remains uncompromised, providing some relief amidst the ongoing investigation.Ongoing Review and Protective Measures
Ascension is currently conducting a detailed review and analysis of the potentially impacted files to determine precisely what data was affected and identify the individuals involved. This meticulous process is expected to take considerable time due to the volume and complexity of the data. In the meantime, Ascension is taking proactive steps to protect its patients and associates. The healthcare provider is offering free credit monitoring and identity theft protection services to all patients and associates, regardless of whether their data is eventually found to be compromised. This service is intended to provide immediate peace of mind and mitigate potential risks from the Ascension data breach. Individuals who wish to enroll in these protective services are encouraged to contact Ascension's dedicated call center at 1-888-498-8066.Commitment to Transparency and Legal Compliance
Ascension remains committed to transparency throughout this investigation. While specific details regarding whether an individual's data was affected cannot be provided, Ascension pledges to follow all applicable laws and regulations related to data breach notifications. "We encourage all Ascension patients and staff who are concerned to take advantage of these services. We want to be clear that this offer does not mean we have determined that any specific individual patient’s data has been compromised. Rather, it illustrates our desire to do everything possible to reassure our patients and associates, regardless of any impact to specific individuals’ data," the spokesperson explained. "Once our data analysis is complete, we are committed to following all applicable laws and regulations to notify affected individuals and the appropriate regulatory bodies. To our patients, associates, and the communities we serve, we regret any disruption or concern you may have experienced as a result of this incident," the spokesperson added.Background and Impact of Cyberattack on Ascension
On May 10, The Cyber Express reported that Ascension faced disruptions in clinical operations due to a cyberattack that prompted the organization to take some of its systems offline. Operating in 19 states and the District of Columbia, Ascension oversees 140 hospitals and 40 senior care facilities. It also boasts a significant workforce of 8,500 providers, 35,000 affiliated providers, and 134,000 associates. In 2023, Ascension’s total revenue amounted to $28.3 billion. Given its substantial revenue and widespread operations, the impact of this cyberattack was significant. The organization detected unusual activity on select technology network systems, prompting an immediate response, investigation initiation, and activation of remediation efforts. Due to the cyberattack, Ascension advised its business partners to temporarily sever connections to its systems as a precautionary measure and stated it would notify partners when it is safe to reconnect. The cyberattack on Ascension disrupted clinical operations, prompting an investigation into the extent and duration of the disruption.City of Moreton Bay Investigates Data Breach After Resident Discovered Leak of Private Information
Data Breach Discovered By Local Resident
City of Moreton Bay resident Piper Lalonde, who works as a data analyst, had discovered the breach along with her husband. They were shocked to learn that their personal information was freely available on the council's customer request online portal. The couple had discovered that the information included their phone numbers, complaints, and requests that they had made for new bins, along with the GPS coordinates of where the requests had been filed. A further investigation into the breach had revealed that the personal information of some of their friends and neighbors who were fellow ratepayers were also available in the records after they conducted a search. Piper reported this information to the council, with the website being taken down the next day. However, she was still unsatisfied with the lack of notification about the incident to impacted residents. Piper stated, "I would expect they'd have to send out some formal communication letting people know their information was publicly accessible, but there was no indication they were going to do that." She expressed concern about the possibility of people stumbling upon complaints made about them by other residents. She added, "If this gets in the wrong hands — it just takes one person to see a complaint about them, and who knows what they'll do."City of Moreton Bay Responses to Data Breach
After Piper's report, the website was said to be taken down. The site appears to be functional as of now, with some functions still limited. The website includes an official notice in response to the incident. [caption id="attachment_76878" align="alignnone" width="2204"]![City of Moreton Bay Council Data Breach](https://thecyberexpress.com/wp-content/uploads/City-of-Moreton-Bay-Council-Data-Breach.webp)
We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed.The notice appears to indicate that the breach stemmed from a third-party provider. The Cyber Express team has reached out to the Moreton Bay Council's Privacy Officer for further information on the breach, however no response has been received as of publication time. The potential scale of the data breach, as well as its impact on residents, is currently unknown. It is also unclear on how many individuals may have accessed the available data before the website had been temporarily taken down and subsequently limited. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Hack Alert: SN Blackmeta Claims Cyberattack on Snapchat Over Explicit Content and Alleged Political Bias!
Decoding the Snapchat Cyberattack by SN Blackmeta
[caption id="attachment_76796" align="alignnone" width="379"]![Snapchat Cyberattack claims](https://thecyberexpress.com/wp-content/uploads/Snapchat-Cyberattack-claims.webp)
![Snapchat cyberattack on dark web](https://thecyberexpress.com/wp-content/uploads/Snapchat-cyberattack-on-dark-web.webp)
Previous Cybersecurity Challenges
The current Snapchat cyberattack is not the first time that the Snap INC-owned platform has faced cybersecurity challenges. The most recent controversy with Snapchat was reported by Vice in May 2019 wherein researchers discovered that Snapchat employees were misusing their access privileges to spy on users. This breach of trust raised concerns about user privacy and data security within the platform. Between January 2014 and February 2018, Snapchat faced a series of cybersecurity challenges. In July 2017, a phishing attack compromised over 55,000 accounts by luring users to a fake login page. The attackers then published stolen credentials, granting unauthorized access. In February 2016, a phishing scam targeted Snapchat employees, resulting in the disclosure of payroll information. The October 2014 incident involved a third-party app hack, leaking 200,000 explicit images. Though Snapchat denied system compromise, blame was placed on the app providers. In January 2014, a security vulnerability led to the exposure of 4.6 million user details, despite Snapchat's claim of addressing the issue promptly. As for the current Snapchat cyberattack claim, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged cyberattack on the social media platform or any official confirmation from Snap INC. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Pure Storage Confirms Data Breach in Snowflake Workspace
Pure Storage Data Breach: Investigation Ongoing
Upon knowing about the cybersecurity incident, Pure Storage took immediate action to block any further unauthorized access to the workspace. The company emphasized that no unusual activity has been detected on other elements of its infrastructure. “We see no evidence of unusual activity on other elements of the Pure infrastructure. Pure is monitoring our customers’ systems and has not found any unusual activity. We are currently in contact with customers who similarly have not detected unusual activity targeting their Pure systems,” reads the official statement. Preliminary findings from a cybersecurity firm engaged by Pure Storage support the company's conclusions about the nature of the exposed information. Pure Storage simplifies data storage with a cloud experience that empowers organizations to maximize their data while reducing the complexity and cost of managing the infrastructure behind it. Thousands of customers, including high-profile companies like Meta, Ford, JP Morgan, NASA, NTT, AutoNation, Equinix, and Comcast, use Pure Storage's data storage platform.Context of Recent Snowflake Cybersecurity Incidents
Before the Pure Storage data breach, Advance Auto Parts, Inc., a significant provider of automobile aftermarket components, allegedly suffered a massive data breach. A threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of three terabytes of data from the company’s Snowflake cloud storage, which is reportedly being sold for $1.5 million. Live Nation, the parent company of Ticketmaster, also confirmed "unauthorized activity" on its database hosted by Snowflake, a Boston-based cloud storage and analytics company. In a joint advisory with Mandiant and CrowdStrike, Snowflake revealed that attackers used stolen customer credentials to target accounts lacking multi-factor authentication protection. Mandiant linked these attacks to a financially motivated threat actor tracked as UNC5537 since May 2024. This malicious actor gains access to Snowflake customer accounts using credentials stolen in historical infostealer malware infections dating back to 2020. These cyberattacks have targeted hundreds of organizations worldwide, extorting victims for financial gain. So far, the cybersecurity firm has identified hundreds of customer Snowflake credentials exposed in Vidar, RisePro, Redline, Racoon Stealer, Lumm, and Metastealer malware attacks. Snowflake and Mandiant have notified around 165 organizations potentially exposed to these ongoing cyberattacks.City of Wichita Recovers from Cyberattack: Water Services Back Online, More Progress Expected
City of Wichita Cyberattack Update
Water Services Restored Customers can expect to receive updated statements this week. Auto-payments have resumed normal operations, and customers now have full access to their utility accounts online. Bills can be paid by credit card, cash, check, and money order at City Hall, online at City's payment portal, by calling (316) 265-1300, or through the mail. Due to the cyberattack on City of Wichita, some June bills may cover more than 60 days of service. Customers needing help with these bills are encouraged to contact a representative at (316) 265-1300 to arrange a payment plan. Library Services Update The Wichita Public Library has also seen progress, though some services remain affected. Public Wi-Fi is available at all locations, and patrons can access Libby for eBooks, audiobooks, and digital magazines. Additionally, materials can be checked in and out manually. However, hold requests and renewals, customer account information, the online catalog, the automated materials handler at the Advanced Learning Library, and online databases like Kanopy and LinkedIn Learning are still unavailable. Airport and Court Systems At the Wichita Dwight D. Eisenhower National Airport, public flight and gate display information is not yet available online but is expected to be restored soon. The Municipal Court has made strides in recovery, with most systems operational. The public search of warrants is anticipated to be online by Monday, June 10. The City’s Information Technology team is working to fix the remaining system outages. The city appreciates residents' patience as there may be occasional service interruptions during ongoing recovery efforts.What Happened During the City of Wichita Cyberattack
The Cyber Express reported that the cyberattack occurred on May 5, leading to the shutdown of several online city services, including water bill payments, some city-building Wi-Fi, and electronic payments. LockBit, a known ransomware group, claimed responsibility for the cyberattack. This followed an earlier notification from the City of Wichita regarding a ransomware incident, although the responsible group was not initially disclosed. The ransomware attack has shown the vulnerabilities in the city's IT systems and the importance of strong cybersecurity measures. Despite the challenges, the city has worked hard to restore essential services to its residents. The City of Wichita urges residents to stay informed through official updates and to reach out to the provided contact points for help. The city remains committed to being transparent and providing the necessary support to its residents during this recovery period.South Korean Researchers Observe Remcos RAT Distributed Through Fake Shipping Lures
Use of UUEncoding (UUE) Files to Distribute Remcos RAT Malware
Researchers from AhnLab discovered that the threat actors behind the campaign, use UUEncoding files with a .UUE extension, which are designed to encode binary data in plain text format. These file formats are suitable for attachment in e-mail or Usenet messages. The malicious .UUE files encode a VBS script attached in phishing emails. The threat actors seem to have leveraged the file format and encoding technique as an attempt to bypass detection. [caption id="attachment_76665" align="alignnone" width="1024"]![AhnLab Remcos RAT UUEncoding (UUE) .UUE](https://thecyberexpress.com/wp-content/uploads/AhnLab-Remcos-RAT-UUEncoding-UUE-.UUE-1.webp)
![](https://thecyberexpress.com/wp-content/uploads/AhnLab-Remcos-RAT-UUEncoding-UUE-.UUE-2.webp)
Remcos RAT malware
The Remcos RAT collects system information from infected systems and stores keylogging data in the %AppData% directory. The malware then sends this data to the remote command-and-control (C&C) server, which is hosted through a DuckDNS domain. [caption id="attachment_76667" align="alignnone" width="894"]![AhnLab Remcos RAT UUEncoding (UUE) .UUE 3](https://thecyberexpress.com/wp-content/uploads/AhnLab-Remcos-RAT-UUEncoding-UUE-.UUE-3.webp)
- b066e5f4a0f2809924becfffa62ddd3b (Invoice_order_new.uue)
- 7e6ca4b3c4d1158f5e92f55fa9742601 (Invoice_order_new.vbs)
- fd14369743f0ccd3feaacca94d29a2b1 (Talehmmedes.txt)
- eaec85388bfaa2cffbfeae5a497124f0 (mtzDpHLetMLypaaA173.bin)
- Downloader/VBS.Agent (2024.05.17.01)
- Data/BIN.Encoded (2024.05.24.00)
- frabyst44habvous1.duckdns[.]org:2980:0
- frabyst44habvous1.duckdns[.]org:2981:1
- frabyst44habvous2.duckdns[.]org:2980:0
- Refrain from accessing emails from unknown sources.
- Refrain from running or enabling macro commands when accessing downloaded attachment files. Users can set programs to highest levels of security, as lower levels may automatically execute macro commands without displaying any notification.
- Update anti-malware engines to their latest versions.
Cleveland Closes City Hall After Unspecified Cyberattack
Cleveland Essential Services Functioning
City Hall and offices at Erieview Plaza are closed to the public and non-essential employees, but the city sought to reassure residents that key services and data remain safe. Emergency services, such as 911, Police, Fire, and EMS are operational, along with other essential services such as water, pollution control, power services, ports and airports. The update said that “certain City data is confirmed to be unaffected, including: - Taxpayer information held by the CCA. - Customer information held by Public Utilities.” That still leaves other data sources that could be affected, however, such as city employees’ personal data. In its initial announcement on X, the city said, “We have shut down affected systems to secure and restore services. Emergency services and utilities are not affected. Updates will be provided as available.” The city hasn’t said whether the incident is ransomware or another cyber attack type, but that will presumably be revealed in later updates. Cleveland itself is home to 362,000 residents, while the surrounding metropolitan area has a population of more than 2 million.Cleveland Cyberattack Follows Wichita Ransomware; Healthcare Network Hit
Cleveland isn’t the biggest U.S. city to be hobbled by a cyber attack, as at least a few bigger cities have been hit by cyber incidents. The 394,000-resident city of Wichita, Kansas was hit by a ransomware attack last month in an attack linked to the LockBit ransomware group, but Baltimore was perhaps the biggest U.S. city hit by a cyberattack in a crippling 2019 incident that closely followed an Atlanta cyberattack. All of that pales in comparison to the U.S. government, which got hit by more than 32,000 cybersecurity incidents in fiscal 2023, up 10% from fiscal 2022, according to a new White House report on federal cybersecurity readiness. Threat actors seemingly have no end of targets, as a healthcare network in Texas, Arkansas and Florida is also reporting recent cyber troubles that the BlackSuit ransomware group is claiming responsibility for. The Special Health Resources network posted a notice on its website (copied below) that states, “We are currently experiencing a network incident that has caused a temporary disruption to our phones and computer systems. During this time, we are STILL OPEN and ready to serve our patients and community!” [caption id="attachment_76662" align="alignnone" width="750"]![Special Health Resources website notice](https://thecyberexpress.com/wp-content/uploads/Special-Health-Resources-750x209.png)
Switzerland Walks Tightrope as Cyberattacks, Disinformation Threaten Peace Summit
Switzerland Disruption Efforts and Cybersecurity
Foreign Minister Ignazio Cassis also spoke at the press conference, noting a clear "interest" in disrupting the talks. However, he refrained from directly accusing any particular entity, including Russia, when questioned about the source of the cyberattacks. This restraint highlights the delicate diplomatic balancing act Switzerland is attempting as host. Switzerland agreed to host the summit at the behest of Ukrainian President Volodymyr Zelenskyy and has been actively seeking support from countries with more neutral or favorable relations with Moscow compared to leading Western powers. This strategic outreach aims to broaden the coalition backing the peace efforts and mitigate the polarized dynamics that have characterized the conflict thus far.Agenda and Key Issues
The summit will address several critical areas of international concern, including nuclear and food security, freedom of navigation, and humanitarian issues such as prisoner of war exchanges. These topics are integral to the broader context of the Ukraine conflict and resonate with the international community's strategic and humanitarian interests. Turkey and India are confirmed participants, though their representation level remains unspecified. There is still uncertainty regarding the participation of Brazil and South Africa. Switzerland noted that roughly half of the participating countries would be represented by heads of state or government, highlighting the summit's high profile and potential impact. The summit aims to conclude with a final declaration, which ideally would receive unanimous backing. This declaration is expected to outline the next steps in the peace process. When asked about potential successors to Switzerland in leading the next phase, Foreign Minister Cassis indicated ongoing efforts to engage regions beyond the Western sphere, particularly the Global South and Arabian countries. Such inclusion could foster a more comprehensive and globally supported peace initiative.To Wrap Up
The summit represents a significant diplomatic effort to address the Ukraine conflict. However, the surge in cyberattacks on Switzerland and disinformation campaigns, highlights the complexities of such high-stakes international dialogue. In March 2024, Switzerland’s district court in the German-speaking district of March, home to around 45,000 residents, fell victim to a cyberattack. While details are scarce, the court’s website suggests it could potentially be a ransomware attack. As Switzerland navigates these challenges, the outcomes of this summit could set important precedents for future peace efforts and international cooperation.Central Securities Corporation Faces Cyberattack Claims By Underground Team Ransomware Group
Underground Team Ransomware Claims Central Securities Corporation Cyberattack
[caption id="attachment_76481" align="alignnone" width="1319"]![Central Securities Corporation cyberattack](https://thecyberexpress.com/wp-content/uploads/Central-Securities-Corporation-cyberattack.webp)
Researchers Highlight Underground Team Ransomware Group
Security experts from Cyble have previously warned of the growing prevalence of targeted attacks, where hackers tailor their strategies to infiltrate specific targets with devastating consequences. The emergence of new ransomware variants highlights the constant battle organizations face in safeguarding their digital assets against evolving threats. One such variant, the Underground Team ransomware, has caught the attention of researchers for its unique ransom note and sophisticated techniques. Offering more than just decryption services, the ransom note promises insights into network vulnerabilities and data recovery assistance, signaling a new level of sophistication in ransomware operations. Technical analysis of the ransomware reveals intricate mechanisms employed to identify and encrypt system files, demonstrating the attackers' proficiency in exploiting vulnerabilities. By selectively targeting files and directories while bypassing certain extensions and folders, the ransomware achieves its malicious objectives with alarming efficiency. As for the cyberattack on Central Securities Corporation, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Central Securities Corporation cyberattack or any official confirmation from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Ascension Makes Progress in Restoring Systems After Cyberattack, Patients to See Improved Wait Times
Ascension cyberattack: What All Have Restored?
According to the latest update on the Ascension cyberattack, officials have successfully restored EHR access in Florida, Alabama, Tennessee, Maryland, Central Texas (Ascension Seton and Dell Children's hospitals), and Oklahoma markets. Ascension Via Christi further informed that its hospitals, including St. Francis and St. Joseph hospitals, and Ascension Medical Group clinics in Wichita, have restored the primary technology used for electronic patient documentation in care settings. "This will allow most hospital departments, physician offices, and clinics to use electronic documentation and charting. Patients should see improved efficiencies and shorter wait times. Our team continues to work tirelessly to restore other ancillary technology systems," Ascension Via Christi explained on its website, providing cybersecurity updates for its Kansas facilities. [caption id="attachment_76455" align="aligncenter" width="1024"]![Ascension cyberattack](https://thecyberexpress.com/wp-content/uploads/Ascension-cyberattack-1-1024x435.webp)
Ascension cyberattack: What Happened?
On May 10, The Cyber Express reported that Ascension faced disruptions in clinical operations due to a cyberattack that prompted the organization to take some of its systems offline. Operating in 19 states and the District of Columbia, Ascension oversees 140 hospitals and 40 senior care facilities. It also boasts a significant workforce of 8,500 providers, 35,000 affiliated providers, and 134,000 associates. In 2023, Ascension’s total revenue amounted to $28.3 billion. Given its substantial revenue and widespread operations, the impact of this cyberattack was significant. The organization detected unusual activity on select technology network systems, prompting an immediate response, investigation initiation, and activation of remediation efforts. Consequently, access to certain systems has been interrupted during the ongoing investigation process. Due to the massive cyberattack, Ascension advised its business partners to temporarily sever connections to its systems as a precautionary measure and stated it would notify partners when it is safe to reconnect. The cyberattack on Ascension disrupted clinical operations, prompting an investigation into the extent and duration of the disruption.Cyberattack on ControlNET: INC Ransom Group Claims Breach of Building Technology Provider
Understanding the ControlNET Cyberattack
The ramifications of this breach extend beyond ControlNET with operations disrupted and data compromised for the organization. However, the claims for this cyberattack on ControlNET have not been verified. The hacker group’s post on the dark web shed light on their motives, citing ControlNET's alleged negligence in safeguarding customer data. [caption id="attachment_76431" align="alignnone" width="1357"]![ControlNET Cyberattack](https://thecyberexpress.com/wp-content/uploads/ControlNET-Cyberattack.webp)
Who is the INC Ransom Hacker Group?
The Cyber Express has reached out to the organization to learn more about this ControlNET cyberattack and the authenticity of the claims made by the threat actor. However, at the time of writing this, no official statement or response has been received, leaving the claims for the cyberattack on ControlNET unverified. Moreover, the company's website appears to be operational, suggesting that the attack may have targeted the backend infrastructure rather than the front-end interface. The threat actor in this attack, INC Ransom, is a ransomware group that emerged in August 2023, employing double and triple extortion tactics on victims, leaking data on their blog. Victims, mainly from Western countries, face threats and coercion during negotiations, with evidence packs published to pressure payment. The group's leaked blog includes light and dark UI options, a feedback box, and a Twitter link. While similar to LockBit 3.0's blog, INC Ransom does not charge for leaked data. Victims, spanning private sector businesses, a government organization, and a charity association, hail mostly from the United States and Europe, emphasizing the widespread impact of this cyber threat. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Microsoft and Google Announce Plans to Help Rural U.S. Hospitals Defend Against Cyberattacks
Microsoft and Google Cybersecurity Plans for Rural Hospitals
Microsoft has launched a full-fledged cybersecurity program to meet the needs of rural hospitals, which are often more vulnerable to cyberattacks due to more limited IT security resources, staff and training than their urban peers. The program will deliver free and low-cost technology services, including:- Nonprofit pricing and discounts of up to 75% on Microsoft's security products for independent Critical Access Hospitals and Rural Emergency Hospitals.
- Larger rural hospitals already equipped with eligible Microsoft solutions will receive free advanced security suites for free.
- Free Windows 10 security updates for participating rural hospitals for at least one year.
- Cybersecurity assessments and training are being made free to hospital employees to help them better manage system security.
“Cyber-attacks against the U.S. healthcare systems rose 130% in 2023, forcing hospitals to cancel procedures and impacting Americans’ access to critical care. Rural hospitals are particularly hard hit as they are often the sole source of care for the communities they serve and lack trained cyber staff and modern cyber defenses. President Biden is committed to every American having access to the care they need, and effective cybersecurity is a part of that. So, we’re excited to work with Microsoft to launch cybersecurity programs that will provide training, advice and technology to help America’s rural hospitals be safe online.”Alongside Microsoft's efforts, Google also announced that it will provide free cybersecurity advice to rural hospitals and non-profit organizations while also launching a pilot program to match its cybersecurity services with the specific needs of rural healthcare facilities.
Plans Are Part of Broader National Effort
Rural hospitals remain one of the most common targets for cyberattacks, according to data from the National Rural Health Association. Rural hospitals in the U.S. serve over 60 million people living in rural areas, who sometimes have to travel considerable distance for care even without the inconvenience of a cyberattack. Neuberger stated, “We’re in new territory as we see ... this wave of attacks against hospitals.” Rick Pollack, president of the American Hospital Association, said, “Rural hospitals are often the primary source of healthcare in their communities, so keeping them open and safe from cyberattacks is critical. We appreciate Microsoft stepping forward to offer its expertise and resources to help secure part of America’s healthcare safety net.” The plans are a part of a broader effort by the United States government to direct private partners and tech giants such as Microsoft and Google to use their expertise to plug significant gaps in the defense of the healthcare sector. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.NHS Makes Urgent Request for Blood Donations After Ransomware Attack Interrupts Blood Transfusions
NHS Blood and Transplant's Urgent Appeal for Blood Donations
The recent cyberattack on the pathology firm Synnovis, believed to have been orchestrated by the Russian cybercriminal group Qilin, caused significant disruption to several London hospitals. As a result, affected hospitals have been unable to match patients' blood at the usual rates, leading to the declaration of a critical incident and the cancellation of scheduled blood transfusions. Gail Miflin, chief medical officer at NHS Blood and Transplant, emphasized the importance of O blood-type donations during this critical time. She called on existing O blood donors to book urgent appointments and encouraged potential new donors to find out their blood type and contribute to solving the shortage. During NHS National Blood Week, it was revealed that hospitals require three blood donations every minute. With around 13,000 appointments available nationwide this week, and 3,400 specifically in London, there are many opportunity for donors to come forward and contribute to blood availability. Stephen Powis, the medical director for NHS England, praised the resilience of NHS staff amid the cyberattack and urged eligible donors to come forward to one of the 13,000 available appointments in NHS blood donor centers across the country. To learn more and find details on how to donate, interested individuals are encouraged to search 'GiveBlood' online and on social media or visit Blood.co.uk. [caption id="attachment_76310" align="alignnone" width="2562"]![NHS Blood and Transplant (NHSBT) Ransomware Blood Donations](https://thecyberexpress.com/wp-content/uploads/NHS-Blood-and-Transplant-NHSBT-Ransomware-Blood-Donations.webp)
Impact of the Cyberattack on London Hospitals
Several prominent London hospitals, including the King's College Hospital, Guy's and St Thomas', the Royal Brompton, and the Evelina London Children's Hospital, declared a critical incident following the cyberattack on the pathology firm Synnovis, which provides blood-testing facilities to these hospitals and several others in southeast London. The attack forced hospital staff to cancel health procedures such as cancer surgeries and transplants due to the unavailability of blood transfusion services after facing severe disruption. In a statement on its official website, an NHS London spokesperson stressed the importance of pathology services to health treatment procedures:“NHS staff are working around the clock to minimise the significant disruption to patient care following the ransomware cyber-attack and we are sorry to all those who have been impacted. Pathology services are integral to a wide range of treatments and we know that a number of operations and appointments have been cancelled due to this attack. We are still working with hospitals and local GP services to fully assess the disruption, and ensure the data is accurate. In the meantime our advice to patients remains, if you have not been contacted please do continue to attend your appointments.”A senior NHS manager disclosed to the Health Service Journal (HSJ) that the incident was “everyone’s worst nightmare.” As blood has a limited shelf life of 35 days, it is critical that these hospital stocks are continually replenished. More units of O-negative and O-positive blood will be required over the coming weeks to accommodate an anticipated increase in surgeries and procedures due to earlier delays. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Alleged RCE Vulnerability Threatens Subdomains of Italian Ministry of Defence
The RCE Vulnerability and Possible Cyberattack on the Italian Ministry of Defence
[caption id="attachment_76184" align="alignnone" width="1240"]![RCE Vulnerability](https://thecyberexpress.com/wp-content/uploads/RCE-Vulnerability.webp)
No Confirmation of Intrusion
Efforts to ascertain the authenticity of the alleged cyberattack on the Italian Ministry have been initiated, with inquiries directed towards the Ministry of Defence of Italy. As of the time of this report, official confirmation or denial from the ministry is pending, leaving the status of the Italian Ministry of Defence cyberattack unresolved. Despite the alarming nature of the disclosure, there are indications that the Ministry of Defence website remains operational and unaffected by any apparent cyber intrusion. This suggests that either the threat actor has refrained from exploiting the vulnerability or that the website's security measures have effectively thwarted any attempted attacks. Nevertheless, the potential threat posed by the RCE vulnerability cannot be understated, warranting proactive measures to mitigate risks and fortify cyber defenses. Organizations, especially those in the government and law enforcement sectors, must remain vigilant and employ robust security protocols to safeguard against emerging cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Hacker Claims Cyberattack on China’s Massive Power Grid SGCC, Selling Stolen Data
![Cyberattack on SGCC](https://thecyberexpress.com/wp-content/uploads/Cyberattack-on-SGCC.webp)
Potential Implications of Cyberattack on SGCC
Established on December 29, 2002, SGCC is the largest utility company in the world and consistently ranks second on the Fortune Global 500 list. SGCC operates as a group with RMB 536.3 billion in registered capital and employs 1.72 million people. It provides power to over 1.1 billion people across 26 provinces, autonomous regions, and municipalities, covering 88% of China's national territory. Additionally, SGCC owns and operates overseas assets in countries such as the Philippines, Brazil, Portugal, Australia, and Italy. If the claims of the cyberattack on SGCC made by Desec0x are proven to be true, the implications could be far-reaching. The sensitive nature of the data allegedly stolen, including personal and departmental information of SGCC employees, could have serious consequences for the company and its stakeholders. However, upon accessing the official SGCC website, no signs of foul play were detected, and the website appeared to be functioning normally.Global Context of Cyberattacks in the Energy Sector
The energy sector has been increasingly targeted by cyberattacks, often involving third-party data breaches. According to Security Intelligence, 90% of the world’s top energy companies suffered from third-party data breaches in 2023. Additionally, nearly 60% of cyberattacks in the energy sector are attributed to state-affiliated actors. In late 2023, 22 energy firms were targeted in a large-scale coordinated attack on Danish infrastructure. In April 2024, a group called Cyber Army Russia claimed responsibility for a cyberattack on Consol Energy, a prominent American energy company headquartered in Cecil Township, Pennsylvania. This cyberattack reportedly disrupted the company's website accessibility, causing issues for users outside the United States. In March 2024, a dark web actor was reportedly selling access to an Indonesian energy company, believed to be the same threat actor who targeted an American manufacturer. In 2023, a suspected cyberattack on Petro-Canada was officially confirmed. Suncor Energy, the holding company of Petro-Canada, acknowledged that an IT outage over the weekend was indeed a cyberattack. The company stated that it took immediate action upon discovering the attack, collaborating with third-party experts to investigate and address the situation. This incident caused significant disruptions to Petro-Canada's operations, affecting gas stations and preventing customers from accessing the Petro-Canada app and website. In the case of the State Grid Corporation of China, the claims made by Desec0x remain unverified until an official statement is released by SGCC. Without confirmation from the company, the alleged cyberattack on SGCC and data breach cannot be substantiated. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Cyberattack Disrupts Services on Popular Japanese Video-Sharing Site Niconico
![Cyberattack on Niconico](https://thecyberexpress.com/wp-content/uploads/Niconico.webp)
![Niconico Cyberattack](https://thecyberexpress.com/wp-content/uploads/Niconico-Cyberattack.webp)
![Cyberattack on Kadokawa](https://thecyberexpress.com/wp-content/uploads/Cyberattack-on-Kodokawa-.webp)
How Cyberattack on Niconico Happened
Beginning in the early hours of Saturday, June 8th, an issue arose that prevented access to multiple servers within the group. In response, Kadokawa immediately shut down the relevant servers to protect data. Based on the internal analysis and investigation conducted that same day, it was determined that there was a high possibility of a cyberattack. Kadokawa is investigating the impact of the attack, including "whether there have been leaks of information," and is cooperating with external experts and the police. Niconico, known for its diverse content and live-streaming capabilities, plays a crucial role in the digital landscape of Japan. The suspension of its services has undoubtedly caused widespread concern among its user base, which spans millions of people who rely on the platform for entertainment, information, and community engagement.Concern Over Niconico Cyberattack
Users have taken to social media to express their support and concern. One user tweeted, “I’ll wait until it’s back. I can’t be of much help, but I’m rooting for you. Niconico saved my life. I can’t imagine life without it.” Another user wrote, “Thank you for your hard work. We will wait patiently, so please don’t push yourself too hard and be patient.” [caption id="attachment_76115" align="aligncenter" width="622"]![Cyberattack on Niconico](https://thecyberexpress.com/wp-content/uploads/Cyberattack-on-Niconico-1.webp)
![Niconico](https://thecyberexpress.com/wp-content/uploads/Niconico-.webp)
‘Commando Cat’ Cryptojacking Campaign Exploits Remote Docker API Servers
Commando Cat Initial Access and Attack Sequence
The Commando Cat campaign identified by researchers from Trend Micro has been active since early 2024. The attack begins with a probe to the Docker Remote API server. If the server responds positively, the attackers create a container using the "cmd.cat/chattr" image. Once a suitable target is located, the attacker deploys a docker image named cmd.cat/chattr, which appears harmless at first glance but serves as a stepping stone for the subsequent stages of the attack. The "cmd.cat/chattr" image allows the attackers to employ techniques like chroot and volume binding to escape the docker container and bind the host system's root directory to the container's own/hs
directory, thereby gaining unrestricted access to the host file system.
The attackers also bind the Docker socket to the container, allowing them to manipulate Docker as if they were on the host machine itself. If the "cmd.cat/chattr" image isn't found, the attackers pull it from the cmd.cat repository.
Once the image is in place, they create a Docker container, executing a base64-encoded script that downloads and executes a malicious binary from their command-and-control (C&C) server. The researchers identified the downloaded binary file as ZiggyStarTux, an open-source IRC botnet based on the Kaiten malware.
Commando Cat Detection and Mitigation
While the researchers noted that the campaign's C&C server was down during analysis, they noted several technical specifics from attack operations. Researchers have advised that potential misuse of DropBear SSH on TCP port 3022, along with use of the 1219 port for its C&C server, can help detect the presence of the malware. Unauthorized IRC communications along with these specific User-Agent strings are other indicators:- HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64)
- Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
- Properly configuring Docker containers and APIs.
- Utilizing only official or certified Docker images.
- Running containers with non-root privileges.
- Limiting container access to trusted sources.
- Regularly performing security audits and scanning for suspicious docker containers.
Akira Ransomware Group Claims Attack on Panasonic Australia; Singapore Tells Victims to Not Pay Ransom
Akira Ransomware Group Attack on Panasonic Australia
The ransomware group alleged that it had exfiltrated sensitive project information and business agreements from the electronics manufacturer Panasonic Australia. No sample documents were posted to verify the authenticity of the breach claims. The potential impact of the breach on Panasonic Australia is unknown but could present a serious liability for the confidentiality of the company's stolen documents.Cyber Security Agency of Singapore Issues Advisory
Singapore's Cyber Security Agency (CSA) along with the country's Personal Data Protection Commission (PDPC) issued an advisory to organizations instructing them to report Akira ransomware attacks to respective authorities rather than paying ransom demands. The advisory was released shortly after an Akira ransomware group attack on the Shook Lin & Bok law firm. While the firm still continued to operate as normal, it had reportedly paid a ransom of US$1.4 million in Bitcoin to the group. The Akira ransomware group had demanded a ransom of US$2 million from the law firm earlier, which was then negotiated down after a week, according to the SuspectFile article. The Cyber Security Agency of Singapore (CSA) stated that it was aware of the incident and offered assistance to the law firm. However, it cautioned against similar payments from other affected victims. "Paying the ransom does not guarantee that the data will be decrypted or that threat actors will not publish your data," the agency stated. "Furthermore, threat actors may see your organisation as a soft target and strike again in the future. This may also encourage them to continue their criminal activities and target more victims." The Singaporean authorities offered a number of recommendations to organizations:- Enforce strong password policies with at least 12 characters, using a mix of upper and lower case letters, numbers, and special characters.
- Implement multi-factor authentication for all internet-facing services, such as VPNs and critical system accounts.
- Use reputable antivirus or anti-malware software to detect ransomware through real-time monitoring of system processes, network traffic, and file activity. Configure the software to block suspicious files, prevent unauthorized remote connections, and restrict access to sensitive files.
- Periodically scan systems and networks for vulnerabilities and apply the latest security patches promptly, especially for critical functions.
- Migrate from unsupported applications to newer alternatives.
- Segregate networks to control traffic flow between sub-networks to limit ransomware spread. Monitor logs for suspicious activities and carry out remediation measures as needed.
- Conduct routine backups following the 3-2-1 rule: keep three copies of backups, store them in two different media formats, and store one set off-site.
- Conduct incident response exercises and develop business continuity plans to improve readiness for ransomware attacks.
- Retain only essential data and minimize the collection of personal data to reduce the impact of data breaches.
University of Arkansas Leads Initiative to Improve Security of Solar Inverters
University of Arkansas Solar Inverter Cybersecurity Initiative
The new project led by the University of Arkansas is funded by the U.S. Department of Energy's Solar Energy Technologies Office (SETO) and aims to strengthen the cybersecurity measures of solar inverters. Solar inverters are used to convert direct current (DC) generated from solar panels into alternating current (AC) that can be used in households and within the energy grid. This effort involves collaboration among multiple universities, laboratories, and industry partners to develop custom-designed controls infused with multiple layers of cybersecurity protocols. [caption id="attachment_75768" align="alignnone" width="800"]![University of Arkansas Solar Inverter Cybersecurity Initiative](https://thecyberexpress.com/wp-content/uploads/University-of-Arkansas-Solar-Inverter-Cybersecurity-Initiative.webp)
Securing Renewable Energy and Electric Grids
As electric grids become increasingly digitized and connected, securing these grids becomes a top priority for the U.S. Department of Energy (DOE). The department has stated that while some cyberattacks target information technology (IT) systems, attacks on operating technology (OT) devices such as solar photovoltaic inverters could have potential physical impact, such as loss of power and creation of fires. The department cited an incident in March 2019 in which hackers managed to breach through a utility’s web portal firewall. The attack caused random interruptions to the visibility of segments of the grid from its operators for a period of 10 hours. The DOE's Solar Energy Technologies Office (SETO) is working to ensure that the electric grid is secure and capable of integrating more solar power systems and other distributed energy resources. The agency developed a roadmap for Photovoltaic Cybersecurity, supports ongoing efforts in Distributed Energy Resources (DER) cybersecurity standards, and participates in the Office of Energy Efficiency and Renewable Energy's Cybersecurity Multiyear Program Plan, along with the Department of Energy's broader cybersecurity research activities. The Solar Energy Technologies Office has recommended the use of dynamic survival strategy based on defense-in-depth measures that functional as additional layers of security to secure individual components as well as entire systems. These layers include installing anti-virus software on DER systems (solar inverters and battery controllers) and maintaining virus protection and detection mechanisms on the firewalls and servers integrating these individual systems to the broader system of grid operation. The Office admits that implementation of this strategy into DER technologies can be complex, with different owners, operators, and systems typically involved, but maintains the strategy's importance in reducing potential cyberattacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.First Priority Restoration Hit by Alleged Ransomware Attack
![Cactus Ransomware](https://thecyberexpress.com/wp-content/uploads/Cactus-Ransomware-1024x771.webp)
What Will be The Implication of the FPR Cyberattack
Ransomware attacks typically involve the encryption of critical data, rendering it inaccessible to the affected organization. The cybercriminals then demand a ransom, usually in a cryptocurrency, in exchange for the decryption key. Failure to pay the ransom often leads to the publication or destruction of the stolen data. In this case, the ransomware attack on FPR could lead to substantial operational disruptions, financial losses, reputational damage, and potential legal and regulatory repercussions. Critical data may become inaccessible, hindering the company's ability to provide timely disaster restoration services. Additionally, the exposure of sensitive client information could result in identity theft and fraud. However, upon accessing the official website, no signs of foul play were detected, and the website was fully functional. To verify the claim further, The Cyber Express Team (TCE) reached out to FPR officials. However, as of this writing, no response or statement has been received, leaving the Cactus Ransomware claim about the FPR cyberattack unverified.Cactus Ransomware Previous Cyberattacks Claims
The Cactus Ransomware group is a notorious cybercriminal organization known for its complex and targeted ransomware campaigns. Previously, the group claimed responsibility for the cyberattack on Petersen Health Care, which compromised the company’s digital infrastructure and exposed sensitive information. Petersen Health Care subsequently filed for bankruptcy, burdened by a staggering $295 million in debt. Another example is the Schneider Electric data breach, where the Cactus group claimed to have stolen 1.5 TB of personal documents, confidential agreements, and non-disclosure agreements. Ransomware attacks have become increasingly predominant, with cybercriminals continuously evolving their tactics to exploit vulnerabilities in organizations. In the first quarter of 2024 alone, 1,075 ransomware victims were posted on leak sites, despite the disruption of major ransomware groups like LockBit and ALPHV/BlackCat, which accounted for 22% and 8% of the activity, respectively. As cybercriminals continue to refine their tactics, organizations must remain vigilant and proactive in safeguarding their data and operations. For First Priority Restoration, TCE is closely monitoring the situation and will provide updates as soon as a response is received regarding the alleged FPR cyberattack. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.UAE Ministry of Education Faces Alleged Cyberattack from Pro-Palestinian Hacktivist Group
Understanding UAE Ministry of Education Cyberattack
The UAE Ministry of Education is a crucial federal government organization that oversees all matters pertaining to education within the country. The Ministry is crucial to the growth and management of the UAE's educational system. It was established in accordance with Sheikh Zayed's Federal Law No. of 1972. This is not an isolated incident; DarkStormTeam has been aggressively launching cyberattacks against a various governmental and commercial sector institutions worldwide. In March 2024, the group turned its attention to organizations, focusing on the US, Brazil, Denmark, Egypt, France, Israel, and the United Arab Emirates, among other countries. Although their precise intentions are still unknown, they might be anything from anti-Israel bigotry to political grievances.The Rise of DarkStormTeam Hacker Group
It's worth noting that DarkStormTeam's activities often include promoting hacking services for hire, suggesting potential financial motivations alongside their ideological objectives. This blend of ideological and potentially profit-driven motives adds complexity to their operations and highlights the challenges in addressing cyber threats posed by hacktivist groups. This is an ongoing story and The Cyber Express will be closely monitoring the situation. TCE will update this post once it receive more information on the alleged UAE Ministry of Education cyberattack or any official confirmation from the ministry. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Patch Now! Center for Cybersecurity Belgium Warns About Critical Vulnerabilities in Telerik Report Server
Progress Telerik Vulnerabilities Overview
The CCB detailed all four vulnerabilities, associated risks and working exploits, and provided links that contain additional details about each vulnerability.Insecure Deserialization Vulnerabilities
The first two vulnerabilities (CVE-2024-1801 and CVE-2024-1856) are insecure deserialization vulnerabilities in Progress Telerik Reporting. Attackers could exploit these vulnerabilities to run arbitrary code. An attacker with local access could potentially exploit CVE-2024-1801, while CVE-2024-1856 may be exploited remotely if specific web application misconfigurations are in place.Remote Code Execution Vulnerability
The third vulnerability (CVE-2024-1800) is an insecure deserialization vulnerability in the Progress Telerik Report Server. Successfully exploitation of the vulnerability could allow for remote execution of arbitrary code on affected systems. Progress Telerik Report Server versions prior to 2024 Q1 (10.0.24.130) are vulnerable to this issue.Authentication Bypass Vulnerability
An additional vulnerability, CVE-2024-4358, that was disclosed later affects the Telerik Report Server. This is an authentication bypass vulnerability that could allow an unauthenticated attacker to gain access to restricted functionality within the Progress Telerik Report Server. The issue affects Progress Telerik Report Server versions up to 2024 Q1 (10.0.24.305).Recommended Actions for Telerik Vulnerabilities
The Centre for Cybersecurity Belgium strongly recommends applying, after thorough testing, the latest available software updates of Progress Telerik on vulnerable devices. Progress Telerik has explicitly stated that the only way to remediate the earlier three reported vulnerabilities was by updating to the latest available version (10.1.24.514). For the authentication bypass vulnerability (CVE-2024-4358), Progress Telerik has published a temporary mitigation. This mitigation involves applying a URL Rewrite rule in IIS to deny access to the vulnerable "startup/register" path. The Centre for Cybersecurity Belgium urges organizations to bolster their monitoring and detection capabilities to be alert for any malicious activities associated with these vulnerabilities. Organizations are further advised to check the list of users within the Progress Telerik Report Server to ensure that there is no addition of unauthorized accounts while responding quickly to detected intrusions. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Researchers Warn About Phishing Emails That Trick Users Into Pasting Malicious Commands
'Paste and Run' Phishing Technique
The attackers behind the campaign send emails to potential victims purporting to be from legitimate businesses or organizations. Researchers from AhnLab stated that these emails often involve topics such as fee processing or operational instructions to entice recipients into opening attached files. The emails contain a file attachment with disguised intent, as in the examples below. [caption id="attachment_75497" align="alignnone" width="1200"]![Phishing Ctrl+V Email cybersecurity_3 (Phishing Ctrl+V Email cybersecurity)](https://thecyberexpress.com/wp-content/uploads/Phishing-CtrlV-Email-cybersecurity_3-Phishing-CtrlV-Email-cybersecurity.webp)
![Phishing Cybersecurity](https://thecyberexpress.com/wp-content/uploads/Phishing-Cybersecurity.webp)
Phishing Scheme Installs DarkGate Malware
The PowerShell script downloaded and executed by the scheme is a component of the DarkGate malware family. Once the script is run, it downloads and executes an HTA (HTML Application) file from a remote command-and-control server. The HTA file then executes additional instructions to launch an AutoIt3.exe file while passing a malicious AutoIt script (script.a3x) as an argument. The script appears to load the DarkGate malware to infect the system while also clearing the user's clipboard to conceal the execution of malicious commands. "The overall operation flow from the reception of the email to the infection is quite complex, making it difficult for users to detect and prevent," the researchers noted. [caption id="attachment_75496" align="alignnone" width="1200"]![Email Phishing Ctrl+ V](https://thecyberexpress.com/wp-content/uploads/Email-Phishing-Ctrl-V.webp)
Protecting Against the Phishing Campaign
The researchers advised email recipients to remain cautious when handling unsolicited emails, even if they appear to be from legitimate sources, to avoid falling victim to the phishing campaign. Recipients should refrain from opening attachment files or clicking on links until they can verify the email sender and its content. "Users must take extra caution when handling files from unknown sources, especially the URLs and attachments of emails," the researchers emphasized. Additionally, recipients should also be wary of any messages that prompt them to execute commands, as it is a common tactic used by attackers to compromise systems. Upon receiving such requests, it is recommended to either ignore the email or report it to your organization's IT security team. The researchers also shared various indicators of compromise (IOCs) such as Base64-encoded PowerShell commands, HTA files, and Autoit scripts, download URLs, file signatures and behavioral indicators associated with the campaign. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Akira Ransomware Claims Cyberattack on German Manufacturer E-T-A
![Akira ransomware group](https://thecyberexpress.com/wp-content/uploads/Akira-ransomware-group-2-1-1024x127.webp)
Akira Ransomware: Previous Track Record
The Akira ransomware gang has arisen as a danger to small and medium-sized organizations (SMBs), mostly in Europe, North America, and Australia. The group uses advanced tactics to infiltrate systems, frequently acquiring illegal access to a company's virtual private networks (VPNs). Sophos X-Ops research shows that Akira often uses compromised login credentials or exploits weaknesses in VPN technologies such as Cisco ASA SSL VPN or Cisco AnyConnect. Recently, in May 2024, Akira targeted Western Dovetail, a well-known woodworking shop. In April 2024, Akira was identified as the gang responsible for a series of cyberattacks against businesses and key infrastructure in North America, Europe, and Australia. According to the US Federal Bureau of Investigation (FBI), Akira has hacked over 250 firms since March 2023, collecting roughly $42 million in ransom payments. Initially, Akira's attacks targeted Windows systems. However, the gang has since broadened its tactics to include Linux computers, causing anxiety among international cybersecurity agencies. These cyberattacks show Akira's strategy of targeting a wide range of industries and businesses of all sizes, frequently resulting in major operational interruptions and financial losses. As it stands, the Akira ransomware group's claims against E-T-A Cyberattack are unsubstantiated. The lack of an official response from the company creates a vacuum in the confirmation of these claims. While the company's website is still operational, signaling no immediate disruption, a data breach might have serious consequences, compromising client confidentiality, financial integrity, and employee privacy. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.ARRL Cyberattack Update: Frustrations Linger Despite Restoration Efforts
ARRL Cyberattack: Lack of Information
Despite ARRL's efforts, many members felt that the company was not forthcoming enough with information. A Facebook user posted a lengthy note criticizing ARRL's communication strategy. The Facebook user post read, "We still don’t know what they haven’t told us and maybe it is important, maybe not. The point is very clear that the communication to the membership about the incident is very unprofessional and limited in its scope. Nobody needed critical details, they needed to be treated like they are members of an organization, not subjects to the king." [caption id="attachment_74996" align="aligncenter" width="1015"]![ARRL Cyberattack](https://thecyberexpress.com/wp-content/uploads/ARRL-Cyberattack-1.webp)
Timeline of ARRL Cyberattack Updates and Service Restoration
May 17, 2024: ARRL assured members that their personal information, such as credit card numbers and social security numbers, was not stored on their systems. The organization only holds publicly available information like names, addresses, and call signs. However, there was still no mention of the phone systems being down or alternative communication paths for assistance. May 22, 2024: ARRL provided an update stating that the LoTW data was secure and not affected by the server issue. They also mentioned the upcoming July issue of QST magazine, which would be delayed for print subscribers but on time digitally. Yet again, there was no mention of the phone systems or email service disruptions. May 29, 2024: The ARRL Volunteer Examiner Coordinator resumed processing Amateur Radio License applications with the FCC. Voice bulletins at W1AW, the Hiram Percy Maxim Memorial Station, also resumed. ARRL's store orders resumed shipping, and the e-newsletter services were back online. Finally, the organization acknowledged the phone system outage. May 31, 2024: ARRL announced that their phone system was back in service, and provided contact information for members. They also shared details about upcoming contests and magazine issues, including limited functionality of the Contest Portal. Members were reminded that they could renew their memberships online or by phone.Ongoing Communication Issues
Despite these updates on ARRL cyberattack, members continued to express dissatisfaction with ARRL's handling of the situation. The Facebook post that critiqued ARRL's communication was particularly poignant, summarizing the frustration felt by many. While ARRL has taken significant steps to address the data breach and reassure its members, there is a clear need for more consistent and detailed communication moving forward.TSCOP App Cyberattack: Police Officers, Criminals’ Data Allegedly Leaked in India’s Telangana State
Understanding the TSCOP App Cyberattack
TSCOP app was launched on January 1, 2018, to ensure better collaboration and operational efficiency of the police at all levels across the state of Telangana. The app received a boost when it was equipped with the Facial Recognition System (FRS) whereby the police could identify criminals in a few seconds by comparing a suspect's face with lakhs of digital photographs of people, including previous offenders, wanted and those missing stored in the central database. The App was also adjudged the ‘Best IT Project’ in India, for empowering police with information technology. [caption id="attachment_74941" align="alignnone" width="1200"]![TSCOP App Cyberattack](https://thecyberexpress.com/wp-content/uploads/TSCOP-APP.webp)
![TSCOP App Cyberattack](https://thecyberexpress.com/wp-content/uploads/Telangana-Police-App.webp)
TSCOP App Cyberattack Samples
To substantiate the claims of cyberattack, the thread actor shared a few samples which revealed the phone number, name and designation of police officers. In a few cases, the district and zone of the concerned police officer were also leaked, along with the cop’s IMEI mobile number.![TSCOP Cyberattack](https://thecyberexpress.com/wp-content/uploads/2.webp)
![TSCOP App Cyberattack](https://thecyberexpress.com/wp-content/uploads/3-2.webp)
Experts Site Weak System Behind TSCOP App Cyberattack
When the Telangana Police’s website was hacked last week, cybersecurity experts had warned the cops of multiple attacks in the future. India’s popular data security researcher Srinivas Kodali said, “It is easy to hack into their system as they used basic authentication and encoding.” He condemned the state police for not hiring proper developers and putting the privacy of several thousand users at risk. [caption id="attachment_74951" align="alignnone" width="687"]![TSCOP App Cyberattack](https://thecyberexpress.com/wp-content/uploads/TSCOP-Cyberattack.webp)
London Hospitals Report Service Disruption from Synnovis Ransomware Attack
Synnovis Ransomware Attack Has 'Significant Impact'
"The immediate impact was reported on patients using NHS services within the two partner hospitals, as well as GP services across Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs."
"We are currently experiencing disruption to our pathology services, particularly blood tests.""This is following a cyber attack affecting our pathology service provider Synnovis," said the NHS statement. "Very regrettably we have had to cancel some procedures and operations. We apologise unreservedly to all patients who are affected." The disruption in the blood transfusion IT system poses a risk to trauma cases, with only urgent blood components being transfused when critically necessary for patients. Efforts are underway by the Department of Health and Social Care, NHS England, and the National Cyber Security Centre to address the cyber incident and support affected organizations while prioritizing patient safety. The uncertainty surrounding the duration of the disruption raises concerns about resource availability and potential further critical incidents. The attack follows a similar one that hit NHS services in Scotland in March.
CEO's Statement on Synnovis Ransomware Attack
Mark Dollar, the CEO of Synnovis, acknowledged the severity of the situation, emphasizing the collaborative efforts between IT experts from Synnovis and the NHS to assess the extent of the damage and implement necessary measures. Patient care has been disrupted, leading to some activities being canceled or redirected to alternative providers to prioritize urgent needs, Dollar said."It is still early days and we are trying to understand exactly what has happened."A taskforce of IT experts from Synnovis and the NHS is working to fully assess the impact this has had, and to take the appropriate action needed. We are working closely with NHS Trust partners to minimise the impact on patients and other service users."
"Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised.""We are incredibly sorry for the inconvenience and upset this is causing to patients, service users and anyone else affected. We are doing our best to minimise the impact and will stay in touch with local NHS services to keep people up to date with developments," Dollar added. Synnovis has invested heavily in ensuring that IT arrangements are of the highest order of safety but Dollar, citing the ransomware attack, said, "This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect." As the healthcare sector continues to navigate the evolving landscape of cyber threats, stakeholders must remain vigilant, prioritize cybersecurity protocols, and collaborate to fortify defenses against ransomware attacks. Safeguarding patient data and preserving the trust of individuals relying on healthcare services are critical imperatives in the ongoing battle against cybercrime in the healthcare industry.
Australian Government Orders Chinese Divestment from Northern Minerals Amid Cybersecurity Concerns
Decoding the Northern Minerals Cyberattack Claims
[caption id="attachment_74717" align="alignnone" width="765"]![Northern Minerals Cyberattack](https://thecyberexpress.com/wp-content/uploads/Northern-Minerals-Cyberattack-claims.webp)
Strategic Implications of the Cyberattack on the Mining Industry
The cyberattack on Northern Minerals highlights the broader vulnerabilities within the critically important mining industry, which is becoming an increasingly attractive target for cybercriminals. The attack on Northern Minerals, along with similar incidents like one involving Rio Tinto in 2023, illustrates the critical need for enhanced cybersecurity protocols across the sector. These attacks not only threaten the operational integrity of mining companies but also pose significant risks to national security, given the strategic importance of rare earth elements. As the mining sector becomes increasingly vital to global supply chains, particularly for green energy technologies and defense applications, it is imperative to protect these resources from cyber threats. The suspected involvement of the hacker group BianLian in the Northern Minerals cyberattack has further intensified concerns. The group claims to have stolen extensive data, including corporate email archives and shareholder information, which was then posted on the dark web. Australia's proactive stance in managing foreign investment in its critical minerals sector, coupled with its efforts to mitigate cyber threats, sets an example for other nations facing similar challenges. By prioritizing national security and strengthening cybersecurity, Australia aims to ensure the sustainable and secure development of its strategic mineral resources. The cyberattack on Northern Minerals and the subsequent divestment orders by the Australian government highlights the intertwined nature of cybersecurity and national security in the mining industry. As cyber threats continue to evolve, so too must the strategies to defend against them, ensuring the resilience and security of critical industries worldwide. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.State-Sponsored Hackers Likely Accessed Employee Emails in British Columbia Government Network Cyberattack
"At this time, we have no indication that the general public's information was accessed."
British Columbia Cyberattacks Timeline
Initial Detection and Investigation
- April 10: The B.C. government detected potential cyberattack. - April 11: Government security experts confirmed the cyberattack after initiating an investigation.Federal Involvement and Expert Consultation
- The incident was reported to the Canadian Centre for Cyber Security, which then engaged Microsoft's Diagnostics and Recovery Toolset (DaRT) due to the attack's sophistication. - April 17: Premier David Eby was briefed on the cyberattack.Continued Threat and Security Measures
- April 29: Evidence of another hacking attempt by the same “threat actor” was discovered. - Same day, provincial employees were instructed to immediately change their passwords to 14 characters. The Office of the Chief Information Officer (OCIO) described this as part of routine security updates, though it was likely linked to the cyberattack.Third Attempt and Final Disclosure
- May 6: Another cyberattack was identified, with the same threat actor responsible for all three incidents. - May 8: After briefing the B.C. NDP cabinet on May 8, the cybersecurity centre concurred that the public could be notified, leading to the eventual public announcement of the cyberattacks. The cyberattacks were not disclosed to the public until late evening on May 8, and was eventually announced during an ice hockey game, leading to accusations from B.C. United MLAs that the government was trying to conceal the attack. Opposition MLA Todd Stone questioned the delay in public disclosure, asking, “How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?” Salter explained, at the time, that the cybersecurity centre advised against immediate public disclosure to prevent other hackers from exploiting vulnerabilities in government networks. Throughout these incidents, the government emphasized that the ongoing nature of the investigation required careful management of information to ensure system security and prevent further exploits.Is Beijing Involved?
Although the sophistication of this hacking campaign made clear that it is likely a work of a state or state-sponsored hackers, authorities have remained tight-lipped and not attributed these cyberattacks to any particular country. The latest updates in the B.C. cyberattack, however, came on the same day that the Canadian Centre for Cyber Security warned of China's increased targeting of Canadian citizens and its organizations through the scale and scope of its cyber operations. The Cyber Centre said China’s cyber operations surpass other nation-state cyber threats in terms of volume, sophistication, and breadth of targeting. China’s cyber threat actors have targeted a wide range of sectors in Canada, including all levels of government, critical infrastructure, and the Canadian research and development sector. The Cyber Centre said the government networks have been compromised multiple times by Chinese actors, who still frequently attempt reconnaissance against these networks. Government entities at all levels, including federal, provincial, territorial, municipal, and indigenous are the prime targets of Chinese actors, and thus, should be aware of the espionage risk.China Increasingly Targeting Canadians with Cyber Operations
“The threat from China [to Canadian organizations] is very likely the most significant by volume, capability, and assessed intent. China-sponsored cyber threat actors will very likely continue targeting industries and technologies in Canada that contribute to the state’s strategic priorities.”
China Increasingly Targeting Canadians through Cyberespionage
Chinese cyber threat actors often operate under the directives of PRC intelligence services, targeting information that aligns with the national policy objectives of Beijing. This includes economic and diplomatic intelligence relevant to the PRC-Canada bilateral relationship and technologies prioritized in PRC's central planning, Canada said. Government of Canada networks have been compromised multiple times by Chinese actors, the Cyber Centre said. With all known compromises addressed, Chinese cyber threat actors still frequently conduct reconnaissance against federal networks, and other government organizations should be aware of the espionage risk. Last month, British Columbia, the westernmost province in Canada, reported facing multiple “sophisticated cybersecurity incidents” on government networks. Public Safety Minister and Solicitor General Mike Farnworth later told reporters that an unnamed state actor made three attempts to breach B.C. government networks. Chinese threat actors also target large datasets containing personal information for bulk data analysis and profiling, the Cyber Centre warned. Online services often collect personal information from their users to function. When personal information is exposed through data breaches or willingly released by the user, it can be used by cyber threat actors to facilitate identity theft or targeted fraud against the user. Cyber threat actors can collect financial details and social information, information on habits, health, and home security, and location and travel data. The targets include:- Government entities at all levels, including federal, provincial, territorial, municipal, and Indigenous.
- Organizations or individuals in close partnership with government entities.
- Universities, labs, and technology companies involved in research and development of PRC-prioritized technologies.
- Individuals or organizations perceived as threats by the PRC, especially those advocating for Taiwan and Hong Kong independence and Chinese democracy.
![Cyberespionage, China Increasingly Targeting Canadians](https://thecyberexpress.com/wp-content/uploads/Cyberespionage-1024x608.webp)
Elections, Critical Infrastructure Targeted
Canada recently revealed unsuccessful Chinese attempts to interfere in past elections too. Beijing has refuted these allegations but the Canadian Security Intelligence Service (CSIS) in an annual report warned of ongoing Chinese interference in Canadian political affairs, risking democratic integrity.“Canada’s strong democratic institutions, advanced economy, innovative research sectors, and leading academic institutions make Canada an attractive target for cyber-enabled espionage, sabotage, and foreign influenced activities, all of which pose significant threats to Canada’s national security,” the report said.The report identified China as a state-based threat conducting widespread cyberespionage across various sectors, including government, academia, private industry, and civil society organizations. The Cyber Centre also shares concerns with the U.S. about PRC cyber threat groups pre-positioning network access for potential attacks on North American critical infrastructure in case of conflict in the Indo-Pacific.
"The Cyber Centre assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well due to interoperability and interdependence in the sectors of greatest concern."Sectors of greatest concern include energy, telecommunications, and transportation. However, the prelude to the attacks on the provincial government networks also saw the targeting of the healthcare sector in the country, which makes it a cause of concern too. The first of the attacks in this sector was on the retail and pharmacy chain London Drugs, followed by a cyberattack on the First Nations Health Authority (FNHA), which compromised its employee information and limited personal data.
Threat Tactics Detailed
PRC cyber threat actors are known for several sophisticated techniques, the report said:- Co-opting compromised small office and home office (SOHO) routers to conduct activity and avoid detection.
- Using built-in network administration tools for malicious activity, blending into normal system traffic.
- Compromising trusted service providers to access client information or networks.
- Rapidly weaponizing and proliferating exploits for newly revealed vulnerabilities, posing a continuous risk.
Mitigating the Chinese Threat
The Cyber Centre advises the Canadian cybersecurity community, especially provincial, territorial, and municipal governments, to enhance their awareness and protection against PRC cyber threats. Recommended measures include:- Isolate Critical Infrastructure: Isolate critical components and services from the Internet and internal networks and test manual controls for operational continuity.
- Increase Vigilance: Monitor networks for tactics, techniques, and procedures (TTPs) reported by the Cyber Centre and partners. Focus on identifying and assessing unusual network behavior.
- Restrict Movement: Pay attention to vulnerable entry points, such as third-party systems. Disable remote access from third-party systems during incidents.
- Enhance Security Posture: Patch systems focusing on vulnerabilities identified by the U.S. Cybersecurity and Infrastructure Security Agency. Enable logging, deploy network and endpoint monitoring, and implement multi-factor authentication. Create and test offline backups.
- Incident Response Plan: Have a cyber incident response plan and continuity of operations and communications plans ready and tested.
Cyberattack Risks Keep Small Business Security Teams on Edge
![Silhouette of businesswoman against black wall with key hole](https://securityboulevard.com/wp-content/uploads/2024/06/Businesswoman-and-business-plan_iStock_000027067407Small-copy.jpeg)
Three-quarters of SMBs fear that a cyberattack could put them out of business. For good reason: 96% of them have already been the victims of a cyberattack.
The post Cyberattack Risks Keep Small Business Security Teams on Edge appeared first on Security Boulevard.
Researcher Uncovers Exploited Flaw in Cox Modems That May Have Impacted Millions of Customers
Unfamiliar IP Address Replaying Cox Modems HTTP Requests
Curry discovered that an unfamiliar IP address (159.65.76.209) had been intercepting web traffic requests on his home network while attempting to test out his network's HTTP traffic setup. This suspicious behavior was not tied to a single device, affecting the researcher's iPhone in addition to his computer. [caption id="attachment_74339" align="alignnone" width="2800"]![159.65.76.209 COX MODEMS COX ROUTERS](https://thecyberexpress.com/wp-content/uploads/159.65.76.209-COX-MODEMS-COX-ROUTERS-scaled.webp)
![COX modems cox routers domains](https://thecyberexpress.com/wp-content/uploads/COX-modems-cox-routers-domains.webp)
Hidden API Calls and Extent of Compromise
Diving further, the researcher looked for publicly known vulnerabilities in the model of the Cox modem that he owned, but discovered that even three years later there were no known exploits. The researcher confirmed remote management facility within the router while helping a friend set up their Cox Modem, calling the ISP's support number and inquiring if they would be able to remotely push an update to the device in the new location. The support agent disclosed this remote management ability included updating device settings, changing WiFi passwords, and information on connected devices. The researcher theorized a potential backdoor in the router's remote management, focusing on the TR-069 protocol that allows ISPs to remotely administer devices. The researcher had a strong suspicion that this feature or tools that were utilized by the ISP's support teams were being exploited. Upon examination of Cox Business portal’s API, the researcher uncovered numerous unprotected endpoints with potential for extensive unauthorized access from attackers. The researcher believed that the vulnerable API may have access to both residential and business services offered by Cox. [caption id="attachment_74342" align="alignnone" width="2800"]![Hidden API Calls Sam Curry COX ROUTERS MODEMS](https://thecyberexpress.com/wp-content/uploads/Hidden-API-Calls-Sam-Curry-COX-ROUTERS-MODEMS-scaled.webp)
Ticketmaster Data Breach Confirmed; Stolen Data Hosted on Snowflake’s Cloud Storage
Company Mitigating Ticketmaster Data Breach
The company further informed in the filing that they are working to mitigate risk to their users and the Company, and have notified and are cooperating with law enforcement. "As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information," reads the filling. The Ticketmaster data breach was initially identified on May 20, 2024. This is when Live Nation detected unauthorized activity within a third-party cloud database environment primarily housing data from its subsidiary, Ticketmaster L.L.C. On knowing this, Live Nation immediately launched an investigation with forensic investigators to determine the extent and nature of the data breach. According to the filing, the company is working diligently to mitigate risks to both its users and its overall operations. The company said in the filing that as of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. “We continue to evaluate the risks and our remediation efforts are ongoing,” said the Officials of Live Nations in the filling.Snowflake Coming Into Picture
What is more interesting is that a spokesperson for Ticketmaster told TechCrunch that its stolen database was hosted on a Boston-based cloud storage and analytics company, Snowflake. The Cyber Express earlier reported that a threat actor had allegedly taken responsibility for data breaches of Ticketmaster and Santander Bank, claiming they stole data after hacking an employee account at Snowflake. However, at that time, Snowflake shot down these data breach claims, attributing the breaches to poor credential hygiene in customer accounts instead. But now in light of the data breach, Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, provided a joint statement related to their ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts. Snowflake said in a post that it had informed a “limited number of customers who we believe may have been impacted” by attacks “targeting some of our customers’ accounts.” However, Snowflake did not describe the nature of the cyberattacks, or if data had been stolen from customer accounts. “We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity. To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product,” reads the Snowflakes bog.Some of the Key Findings of Snowflake’s Investigation
- No evidence suggests that the activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.
- There is no evidence pointing to compromised credentials of current or former Snowflake personnel.
- The campaign appears to be targeted at users with single-factor authentication.
- Threat actors have leveraged credentials obtained through infostealing malware.
- A threat actor accessed demo accounts of a former Snowflake employee, which did not contain sensitive data and were not connected to Snowflake’s production or corporate systems. The accounts were not protected by Multi-Factor Authentication (MFA).
Recommendations for Enhanced Security
- Enforce Multi-Factor Authentication (MFA) on all accounts.
- Set up Network Policy Rules to allow access only to authorized users or from trusted locations (e.g., VPN, Cloud workload NAT).
- Reset and rotate Snowflake credentials for impacted organizations.