This week on TCE Cyberwatch, we are looking at legal controversies that are now on the rise due to the introduction of new features in AI. Famous actors like Scarlett Johansson face the burnt of it, along with Governments who are getting together to discuss the impact of AI on important world events. Staying informed to know what is going on behind the scenes of things you may be using, watching, or partaking in is important. Vulnerabilities and breaches are constantly being found and occurring. In very common and large companies like Medisecure, it is important to ensure you know if something like that can be on its way to affect you. So, to stay updated, The Cyber Express has compiled the weekly happening in the cybersecurity world in the form of TCE Cyberwatch. Read on to find out what are they:

TCE Cyberwatch: A Weekly Round-Up

AI's Dark Side: Experts Warn of Cybercrime, Election Attacks at Congressional Hearing

At a U.S. congressional hearing on AI misuse, data security and privacy experts discussed AI’s diverse threats, including cybercrime, election interference, and nation-state attacks. The House Committee on Homeland Security announced their aim of incorporating AI into upcoming legislation, and panelists emphasized that AI has empowered cybercriminals, making it crucial to integrate AI into cybersecurity measures. The spokesperson from Palo Alto Networks stressed the need for secure AI development and oversight. Concerns about election security were raised, and the Centre for Democracy and Technology proposed guidelines for responsible AI use, emphasizing proper training data, independent testing, and human rights safeguards. They warned against the hasty deployment of AI, advocating for a careful approach to ensure long-term benefits. Read More

Courtroom Recording Software Hit by Supply Chain Attack, Thousands Potentially Affected

Hackers compromised Justice AV Solutions (JAVS), a widely-used courtroom recording platform, by inserting a backdoor in a software update. JAVS software, installed in over 10,000 locations globally, was affected when hackers replaced the Viewer 8.3.7 software with a compromised file. JAVS responded by removing the affected version from its website, resetting passwords, and auditing its systems. The company assured that current files are malware-free and urged users to verify their software is digitally signed. Cybersecurity firm Rapid7 identified the backdoor as linked to the GateDoor and Rustdoor malware families, often used by the ShadowSyndicate cybercrime group. They advised users to reimage affected systems and reset credentials, as merely uninstalling the software is insufficient. Read More

Australian Regulator Sues Optus Over Massive Data Breach of 10 Million Customers

Australia's media regulator is suing telecom carrier Optus, owned by Singapore Telecommunications, over a massive data breach in September 2022. The breach exposed the personal information of 10 million Australians, including addresses, passports, and phone numbers. Following the breach, Prime Minister Anthony Albanese advocated for stricter privacy laws to ensure companies notify banks quickly in such incidents. The Australian Communications and Media Authority claims Optus failed to protect customer data from unauthorized access. Optus, which has been cooperating with authorities, stated it cannot yet determine potential penalties and plans to defend itself in court. The company has been under scrutiny recently due to a separate 12-hour network blackout affecting over 10 million customers. Read More

Critical WordPress Vulnerabilities: Update Plugins Immediately!

The Cyber Security Agency of Singapore has issued an urgent alert regarding critical vulnerabilities in several WordPress plugins. These vulnerabilities pose significant security risks, potentially allowing unauthorized access and exploitation. To address these issues, security updates have been released. SingCERT has identified nine critical vulnerabilities, including those allowing arbitrary file uploads and SQL injection, and has provided mitigation strategies. Users are strongly advised to update to the latest plugin versions immediately. Additional measures, such as virtual patching, can offer temporary protection. Regular updates and monitoring are essential for safeguarding WordPress websites against potential threats. For more details, users should consult the respective plugin documentation and developer updates. Read More

Ransomware Attack on Spanish Bioenergy Plant Highlights ICS Vulnerabilities

A ransomware attack by the Ransomhub group on the Industrial Control Systems (ICS) of a Spanish bioenergy plant underscores the risks of cyberattacks on critical infrastructure. The attack targeted the SCADA system, crucial for managing the plant's operations, encrypting over 400 GB of data and disrupting essential functions. Organizations must fortify defenses by implementing robust network segmentation, regular software updates, secure remote access, and diligent monitoring. Developing and testing incident response plans are essential to minimize the impact of such attacks. This incident highlights the need for heightened vigilance and proactive measures to protect critical infrastructure from cyber threats. Read More 

Islamabad's Safe City Project Exposed: Hack Highlights Security Failures

Islamabad’s Safe City Authority faced a severe disruption after hackers breached its online system, forcing an immediate shutdown. The project, launched with Chinese financial support, aimed to enhance security with advanced technology, including CCTV cameras and facial recognition. The hack exposed vulnerabilities, as hackers accessed sensitive databases and compromised crucial systems like criminal records and human resources. Despite a firewall alert, the lack of backup servers necessitated a complete shutdown. The breach affected key services, revealing weak security practices, such as simple login credentials and outdated software. The isolated camera management system remained secure. Police confirmed the breach and have taken steps to improve security. The project, controversial due to transparency issues and cost overruns, has faced criticism for not achieving its security goals. Financial difficulties and operational setbacks further marred its effectiveness, and the recent hack has intensified scrutiny of the initiative. Read More 

Massive Data Breach at Pharma Giant Cencora Exposes Millions

The Cencora data breach has impacted more than a dozen pharmaceutical companies, including Novartis and GlaxoSmithKline, leaking personal and health data of hundreds of thousands. Cencora, formerly AmerisourceBergen, and its Lash Group affiliate revealed the breach to the SEC, indicating data exfiltration from its systems. With operations in 50 countries and significant revenue, Cencora did not initially detail the breach's scope but later notifications identified 15 affected companies. At least 542,000 individuals' data, including names, addresses, birthdates, health diagnoses, and prescriptions, were compromised. Despite the breach, no misuse or public disclosure of the data has been reported. The company has offered affected individuals credit monitoring and identity theft protection services and is enhancing its security measures. This incident highlights ongoing vulnerabilities in the healthcare sector, which has seen several recent cyberattacks. Read More

MediSecure Ransomware Breach: 6.5 TB of Patient Data Listed for Sale on Dark Web

MediSecure, an Australian digital prescription service provider, confirmed that data stolen in a recent ransomware attack is for sale on the dark web. The breach, originating from a third-party provider, exposed personal and health information of patients and healthcare providers up to November 2023. The hacker, Ansgar, began selling the data for $50,000 on May 23, claiming to possess 6.5 terabytes of sensitive information. MediSecure alerted the public, urging them not to seek out the stolen data, which includes names, addresses, emails, phone numbers, insurance numbers, prescriptions, and login details. Australia's National Cyber Security Coordinator and police are investigating. MediSecure emphasized that the breach does not affect the Australian healthcare system's ongoing operations or access to medication. They are working to notify affected individuals and assure them of measures to protect against further risks. Read More

OpenAI Backtracks on Voice Assistant After Scarlett Johansson Raises Concerns

OpenAI's new voice assistant debuts with a voice similar to actress Scarlett Johansson's, who expresses shock and anger, as she had previously declined an offer to voice ChatGPT, especially given her role in the 2013 film *Her*. OpenAI's CEO, Sam Altman, seemingly acknowledged this connection in a social media post. Despite OpenAI's claim that the voice belonged to another actress, Johansson's concerns highlight broader tensions between AI and the creative industries. OpenAI has since dropped the controversial voice and is working on tools for content creators to manage their work's use in AI training. The incident underscores the need for stronger legal protections, like the No Fakes Act, to safeguard personal likenesses. Legal experts believe Johansson might have grounds for a lawsuit, referencing similar past cases like Bette Midler's against Ford. As AI technology advances, such legal disputes are expected to increase. Read More

To Wrap Up

Here at TCE, we hope these weekly roundups continue to keep you informed about the latest in the cybersecurity industry. Our coverage not only includes cyberattacks but also developments in the legal aspects of AI, which are becoming increasingly important as technology evolves. We aim to keep you updated on new developments in the industry, including impacts on companies and the general public, such as recent events involving Medicare. Our goal is to ensure everyone stays safe and knows the appropriate responses if affected by these situations.

The U.S. National Institute of Standards and Technology (NIST) has taken a big step to address the growing backlog of unprocessed Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD). The institute has hired an external contractor to contribute additional processing support in its operations. The contractor hasn't been named, but NIST said it expects that the move will allow it to return to normal processing rates within the next few months.

Clearing the National Vulnerability Database Backlog

NIST is responsible for managing entries in the NVD. After being overwhelmed with the volume of entries amid a growing backlog of CVEs that have accumulated since February, the institute has awarded an external party with a contract to aid in its processing efforts. "We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months," the agency stated. To further alleviate the backlog, the NIST is also working closely with CISA, the Cybersecurity and Infrastructure Security Agency, to improve its overall operations and processes. "We anticipate that this backlog will be cleared by the end of the fiscal year," the NIST stated. In its status update, NIST referenced an earlier statement the agency made that it was exploring various means to address the increasing volume of vulnerabilities through the use of modernized technology and improvements to its processes. [caption id="attachment_73938" align="alignnone" width="2332"] Source: NIST NVD Status Updates[/caption] "Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance," the institute said. NIST reaffirmed its commitment to maintaining and modernizing the NVD, stating, "NIST is fully committed to preserving and updating this vital national resource, which is crucial for building trust in information technology and fostering innovation."

CISA's 'Vulnrichment' Initiative

In response to the growing NVD backlog at NIST, CISA had launched its own initiative called "Vulnrichment" to help enrich the public CVE records. CISA's Vulnrichment project is designed to complement the work of the originating CNA (Common Vulnerabilities and Exposures Numbering Authority) and reduce the burden on NIST's analysts. CISA said it would use an SSVC decision tree model to categorize vulnerabilities. The agency will consider factors like exploitation status, technical impact, impact on mission-essential functions, public well-being, and whether the exploitation is automatable. CISA welcomes feedback from the IT cybersecurity community on this effort. By providing enriched CVE data, CISA aims to improve the overall quality and usefulness of the NVD for cybersecurity professionals. "For those CVEs that do not already have these fields populated by the originating CNA, CISA will populate the associated ADP container with those values when there is enough supporting evidence to do so," the agency explained. As NIST and CISA work to address the current challenges, they have pledged to keep the community informed of their progress as well as on future modernization plans. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor has reportedly taken responsibility for recent data breaches involving Ticketmaster and Santander Bank, claiming they stole data after hacking an employee account at Snowflake, a third-party cloud storage company. Snowflake, however, has shot down these breach claims, attributing the breaches to poor credential hygiene in customer accounts instead.

"To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product," the cloud storage giant said in a statement today.

Snowflake's AI Data Cloud platform serves more than 9,000 customers, including major companies such as Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others.

Alleged Snowflake Breach Details

According to cybersecurity firm Hudson Rock, the threat actor claims to have accessed data from additional high-profile companies using Snowflake's services, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts. The method described involved bypassing Okta's authentication by using stolen credentials to log into a Snowflake employee's ServiceNow account. From there, they allegedly generated session tokens to extract data from Snowflake customers. Hudson Rock reported that the threat actor claimed the breach affected up to 400 companies, showing evidence of access to over 2,000 customer instances related to Snowflake's Europe servers.

Extortion Attempt and Malware Involvement

The threat actor claimed to have attempted to extort Snowflake for $20 million to buy back the stolen data, but Snowflake did not respond. Hudson Rock noted that a Snowflake employee was infected with a Lumma-type Infostealer in October, which stole their corporate credentials. The malware infection was supported by screenshots shared by the threat actor.

Snowflake Responds

Snowflake has confirmed breaches of customer accounts but denied that any vulnerability or misconfiguration in its products was exploited. The cloud storage company stated that they observed unauthorized access to certain customer accounts , which they said is likely unrelated to any flaws in Snowflake's infrastructure.

"We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity.

Snowflake has notified the "limited" number of customers about these attacks and urged them to enhance their account security by enabling multi-factor authentication (MFA).

Tools and Indicators of Compromise

The company published a security bulletin containing Indicators of Compromise (IoCs), investigative queries, and guidance for securing affected accounts. One IoC indicates that the threat actors used a custom tool named "RapeFlake" to exfiltrate data from Snowflake's databases. Another showed the use of "DBeaver Ultimate" data management tools, with logs indicating connections from the "DBeaver_DBeaverUltimate" user agent. Snowflake also shared query to identify access from suspected clients and how to disable a suspected user. But this might not be enough. A very important step here is: "If you have enabled the ALLOW_ID_TOKEN parameter on your account, the user must be left in the disabled state for 6 hours to fully invalidate any possible unauthorized access via this ID token feature.  If the user is re-enabled before this time the attacker may be able to generate a new session using an existing ID token, even after the password has been reset or MFA has been enabled." While a threat actor claims to have breached Snowflake and accessed data from numerous high-profile companies, Snowflake maintains that these breaches resulted from compromised customer accounts rather than any inherent vulnerabilities in their systems. Snowflake continues to investigate the incidents and has taken steps to improve customer account security.

Carrier has issued a serious product security advisory confirming the existence of several vulnerabilities in its LenelS2 NetBox access control and event monitoring platform. These vulnerabilities expose the monitoring system to potential compromise, such as remote code execution. The reported vulnerabilities are significant, as NetBox is often used to guard entries at critical facilities such as government-controlled sites and major corporations.

Multiple Vulnerabilities in Carrier's LenelS2 NetBox

Three vulnerabilities were identified in Carrier's product security advisory for NetBox. The most critical (CVE-2024-2420) of these vulnerabilities could potentially enable an attacker to circumvent authentication requirements and obtain elevated permissions, presenting a serious risk to enterprises which deploy the tool. [caption id="attachment_73894" align="alignnone" width="1478"] Source: Carrier Product Security Advisory[/caption] Successful compromise could allow an attacker to install programs, view, edit, modify data, delete data from the platform or create new user accounts with full privileges. However, this depends on the access level of accounts that had been compromised in the event of an attack. The impact of a potential attack could be lower on systems configured with low level of user access. The vulnerabilities affect all LenelS2 NetBox versions prior to 5.6.2. The identified vulnerabilities are as follows:

• CVE-2024-2420 (CVSS v3.1 Base Score 9.8, Critical): A vulnerability involving a hard-coded password in the system that could permit an attacker to bypass authentication requirements.
• CVE-2024-2421 (CVSS v3.1 Base Score 9.1, Critical): An unauthenticated remote code execution vulnerability that could permit an attacker with elevated permissions to run malicious commands
• CVE-2024-2422 (CVSS v3.1 Base Score 8.8, High): An authenticated remote code execution vulnerability that could permit an attacker to execute malicious commands.

The Center of Internet Security stated that these vulnerabilities pose higher risks to large and medium government or business entities, while posing lower risks to small businesses and individual home owners. [caption id="attachment_73896" align="alignnone" width="1128"] Source: cisecurity.org[/caption]

Vulnerability Remediation

Carrier has attempted to address these vulnerabilities in its latest release of NetBox version 5.6.2. Carrier has advised customers to immediately upgrade to the latest release version by reaching out to their authorized NetBox installer. As mitigation, Carrier also advised customers to follow the recommended deployment guidelines, which are detailed in its NetBox hardening guide accessible through NetBox's built-in help menu. The Center of Internet Security has advised customers to take additional measures such as applying appropriate updates to NetBox systems, applying the principle of least privilege to user accounts, rigorous scanning of vulnerabilities and isolating critical systems, functions, or resources. The lack of basic security safeguards along with poor code practices such as the presence of hard-coded authentication tokens and improper input sanitization raises concerns about the usage of NetBox to guard physical access to important business and government areas or critical infrastructure. While there are no confirmed reports of the NetBox vulnerabilities being exploited in the wild, the severity of these vulnerabilities mark them as an important security consideration as countless organizations could be at risk of devastating attacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A new Microsoft Windows feature dubbed Recall planned for Copilot+ PCs has been called a security and privacy nightmare by cybersecurity researchers and privacy advocates. Copilot Recall will be enabled by default and will capture frequent screenshots, or “snapshots,” of a user’s activity and store them in a local database tied to the user account. The potential for exposure of personal and sensitive data through the new feature has alarmed security and privacy advocates and even sparked a UK inquiry into the issue.

Copilot Recall Privacy and Security Claims Challenged

In a long Mastodon thread on the new feature, Windows security researcher Kevin Beaumont wrote, “I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade. Good luck to my parents safely using their PC.” In a blog post on Recall security and privacy, Microsoft said that processing and storage are done only on the local device and encrypted, but even Microsoft’s own explanations raise concerns: “Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.” Security and privacy advocates take issue with assertions that the data is stored securely on the local device. If someone has a user’s password or if a court orders that data be turned over for legal or law enforcement purposes, the amount of data exposed could be much greater with Recall than would otherwise be exposed. Domestic abuse situations could be worsened. And hackers, malware and infostealers will have access to vastly more data than they would without Recall. Beaumont said the screenshots are stored in a SQLite database, “and you can access it as the user including programmatically. It 100% does not need physical access and can be stolen.” He posted a video (republished below) he said was of two Microsoft engineers gaining access to the Recall database folder with apparent ease, “with SQLite database right there.” [videopress izzNn3K5]

Does Recall Have Cloud Hooks?

Beaumont also questioned Microsoft’s assertion that all this is done locally. “So the code underpinning Copilot+ Recall includes a whole bunch of Azure AI backend code, which has ended up in the Windows OS,” he wrote on Mastodon.  “It also has a ton of API hooks for user activity monitoring. “It opens a lot of attack surface. ... They really went all in with this and it will have profound negative implications for the safety of people who use Microsoft Windows.”

Data May Not Be Completely Deleted

And sensitive data deleted by users will still be saved in Recall screenshots. “There's no feature to delete screenshots of things you delete while using your PC,” Beaumont said. “You would have to remember to go and purge screenshots that Recall makes every few seconds. If you or a friend use disappearing messages in WhatsApp, Signal etc, it is recorded regardless.” One commenter said Copilot Recall seems to raise compliance issues too, in part by creating additional unnecessary data that could survive deletion requests. “[T]his comprehensively fails PCI and GDPR immediately and the SOC2 controls list ain't looking so good either,” the commenter said. Leslie Carhart, Director of Incident Response at Dragos, replied that “the outrage and disbelief are warranted.” A second commenter noted, “GDPR has a very simple concept: Data Minimization. Quite simply, only store data that you actually have a legitimate, legal purpose for; and only for as long as necessary. Right there, this fails in spectacular fashion on both counts. It's going to store vast amounts of data for no specific purpose, potentially for far longer than any reasonable use of that data.” It remains to be seen if Microsoft will make any modifications to Recall to quell concerns before it officially ships. If not, security and privacy experts may find themselves busier than ever.

Researchers have uncovered new attacks by a North Korean advanced persistent threat actor – Andariel APT group – targeting Korean corporations and other organizations. The victims include educational institutions and companies in the manufacturing and construction sectors. The attackers employed keyloggers, infostealers, and proxy tools alongside backdoors to control and extract data from compromised systems, said researchers at the AhnLab Security Intelligence Center (ASEC). The malware used in these attacks includes strains previously attributed to the Andariel APT group, including the backdoor "Nestdoor." Additional tools include web shells and proxy tools linked to the North Korean Lazarus group that now contain modifications compared to earlier versions. Researchers first observed a confirmed attack case where a malware was distributed via a web server running an outdated 2013 version of Apache Tomcat, which is vulnerable to various attacks. "The threat actor used the web server to install backdoors, proxy tools, etc.," the researchers said. [caption id="attachment_73866" align="aligncenter" width="1000"] Apache Tomcat compromised to spread malware by Andariel APT. (Credit: Ahnlab)[/caption]

Malware Used by Andariel APT in this Campaign

The first of the two malware strains used in the latest campaign was Nestdoor, a remote access trojan (RAT) that has been active since May 2022. This RAT can execute commands from the threat actor to control infected systems. Nestdoor has been found in numerous Andariel attacks, including those exploiting the VMware Horizon product’s Log4Shell vulnerability (CVE-2021-44228). The malware is developed in C++ and features capabilities such as file upload/download, reverse shell, command execution, keylogging, clipboard logging, and proxy functionalities. A specific case in 2022 involved Nestdoor being distributed alongside TigerRAT using the same command and control (C&C) server. Another incident in early 2024 saw Nestdoor disguised as an OpenVPN installer. This version maintained persistence via the Task Scheduler and communicated with a C&C server. The Andariel APT has been developing new malware strains in the Go language for each campaign. Dora RAT, a recent discovery is one such malware strain. The backdoor malware supports reverse shell and file transfer operations and exists in two forms: a standalone executable and an injected process within "explorer.exe." The latter variant uses an executable in WinRAR SFX format, which includes an injector malware. The Dora RAT has been signed with a valid certificate from a UK software developer in an attempt to make it look legitimate.

Additional Malware Strains

• Keylogger/Cliplogger: Performs basic functions like logging keystrokes and clipboard contents, stored in the “%TEMP%” directory.
• Stealer: It is designed to exfiltrate files from the system, potentially handling large quantities of data.
• Proxy: Includes both custom-created proxy tools and open-source Socks5 proxy tools. Some proxies are similar to those used by the Lazarus group in past attacks.

The Andariel group, part of the larger Lazarus umbrella, has shifted from targeting national security information to also pursuing financial gains. Last month, the South Korean National Police Agency revealed a targeted campaign of the Andariel APT aimed at stealing the country’s defense technology. Andariel APT hackers gained access to defense industry data by compromising an employee account, which was used in maintaining servers of a defense industry partner. The hackers injected malicious code into the partner’s servers around October 2022, and extracted stored defense technology data. This breach exploited a loophole in how employees used their personal and professional email accounts for official system access. Andariel APT's initial attack methodology primarily includes spear phishing, watering hole attacks, and exploiting software vulnerabilities. Users should remain cautious with email attachments from unknown sources and executable files from websites. Security administrators are advised to keep software patched and updated, including operating systems and browsers, to mitigate the risk of malware infections, the researchers recommended.

IoCs to Watch for Signs of Andariel APT Attacks

IoCs to monitor for attacks from Andariel APT group include: MD5s – 7416ea48102e2715c87edd49ddbd1526: Nestdoor – Recent attack case (nest.exe) – a2aefb7ab6c644aa8eeb482e27b2dbc4: Nestdoor – TigerRAT attack case (psfile.exe) – e7fd7f48fbf5635a04e302af50dfb651: Nestdoor – OpenVPN attack case (openvpnsvc.exe) – 33b2b5b7c830c34c688cf6ced287e5be: Nestdoor launcher (FirewallAPI.dll) – 4bc571925a80d4ae4aab1e8900bf753c: Dora RAT dropper (spsvc.exe) – 951e9fcd048b919516693b25c13a9ef2: Dora RAT dropper (emaupdate.exe) – fee610058c417b6c4b3054935b7e2730: Dora RAT injector (version.dll) – afc5a07d6e438880cea63920277ed270: Dora RAT injector (version.dll) – d92a317ef4d60dc491082a2fe6eb7a70: Dora RAT (emaupdate.exe) – 5df3c3e1f423f1cce5bf75f067d1d05c: Dora RAT (msload.exe) – 094f9a757c6dbd6030bc6dae3f8feab3: Dora RAT (emagent.exe) – 468c369893d6fc6614d24ea89e149e80: Keylogger/Cliplogger (conhosts.exe) – 5e00df548f2dcf7a808f1337f443f3d9: Stealer (msload.exe) C&Cs – 45.58.159[.]237:443: Nestdoor – Recent attack case – 4.246.149[.]227:1443: Nestdoor – TigerRAT attack case – 209.127.19[.]223:443: Nestdoor – OpenVPN attack case – kmobile.bestunif[.]com:443 – Dora RAT – 206.72.205[.]117:443 – Dora RAT

South Korean researchers have observed the malicious use of pirated copies and cracked activators of legitimate productivity and office utility programs such as Hangul Word Processor and Microsoft Office to disguise malicious programs. The malware maintains persistence by scheduling regular upgrades on affected systems, leading to consistent installation of newer strains of the malware multiple times every week.

Malicious Pirated Copies of Microsoft Office and Other Programs

Researchers from AhnLab discovered that attackers have been creating and distributing malicious copies of popular utility software. These copies were distributed through common file-sharing platforms and torrent websites. The operation takes advantage of users looking to obtain free copies of software without paying the required license fee. When downloaded and executed, the programs usually appear as convincing cracked installers or activators for programs such as Microsoft Office or the Hangul word processor. While the initial downloader was developed in .NET, the attackers appear to have moved to more obfuscated attack techniques. The malware retrieves its instructions for the next stage of its attack from Telegram or Mastodon channels operated by the attackers. These channels contain encrypted Base64 strings that lead to Google Drive or GitHub URLs that host the malicious payloads. These malicious payloads are downloaded and decrypted through the use of the legitimate 7-zip archive utility that is commonly present on systems and operates with low footprint. Researchers discovered that the decrypted payloads contained PowerShell instructions to load and execute additional malware components on the victim's system. The malware strains loaded on the infected systems include:

• OrcusRAT: A remote access trojan with extensive capabilities like keylogging, webcam access, and remote screen control.
• XMRig Cryptominer: Configured to stop mining when resource-intensive apps are running to avoid detection. Also kills competing miners and security products.
• 3Proxy: Injects itself into legitimate processes to open a backdoor proxy server.
• PureCrypter: Fetches and runs additional malicious payloads from attacker-controlled servers.
• AntiAV: Disrupts security products by repeatedly modifying their configuration files.

The commands include an updater that contains instructions to maintain persistence over the system through the use of the native Windows Task Scheduler present on the Windows operating system. C&C server addresses shared by the researchers also indicate that they have been disguised as a minecraft rpg server.

Continuous Reinfection and Distribution

The researchers said systems may remain infected even after the initial infection has been removed, due to the malware's ability to update itself as well as download additional malware payloads. They stated that the attackers had distributed new malware on affected systems multiple times each week to bypass file detection. The researchers said the number of systems that had been compromised in these attacks continued to increase as the registered task scheduler entries loaded additional malicious components on affected systems despite the removal of previous underlying malware. The researchers advised South Korean users to download software and programs from their official sources rather than file-sharing sites. Users who suspect that their systems may already have been infected should remove associated task scheduler entries to block the download of additional malware components, and update their antivirus software to the latest available versions. The researchers have additionally shared indicators of compromise, categories that have been detected as flagged in the attack, MD5 hashes of files used in the attack, associated C&C server addresses, and suspicious behaviors that have been observed during the attack. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Hawk Eye, a popular citizen-friendly crime reporting app of Telangana State Police in India, appears to have been hit by a massive data breach, a claim that sources have unofficially confirmed for The Cyber Express. The Hawk Eye app data breach was reportedly masterminded by a threat actor who goes by the name "Adm1nFr1end." The claim that the Hawk Eye app had been hacked emerged May 29 on the data leak site BreachForums. The threat actor claimed that they were revealing the stolen database, which consists of the Personally Identifiable Information (PII) of users, including the names, email addresses, phone numbers, physical addresses, IMEI numbers, and their location coordinates. To substantiate the data breach claim, the threat actor attached sample records, with the latest timestamp of May 2024, while disclosing that the database includes 130,000 SOS records, 70,000 incident reports, and 20,000 travel detail records (screenshot below).

Login Data Exposes Hawk Eye App Data Breach

The Hawk Eye App was launched by the Telangana Police in December 2014 for both Android and iPhone users as part of its initiative to become a citizen-friendly and responsive police force. Denizens were encouraged to use the app to report on a wide range of activities, including traffic violations, passing on information about criminals, violations by police, and crime against women, and also to pass on suggestions to the lawmen for improved policing and to credit the good work done by them. A key feature of the app is the SOS button for accessing help in case of emergencies. While logging into the App, users are required to share their personal details, including name, email ID, mobile number and password for registration. The app currently has a 4.4 rating on the Google Play Store, with more than 500,000 downloads on Android alone. [caption id="attachment_73712" align="alignnone" width="720"] Source: Hawk Eye App on Android[/caption]

Hawk Eye App Data Breach Samples

A few of the samples exposed by the threat actor revealed that one woman had filed a complaint on the Hawk Eye App to share that a man had initially promised to marry her and is now facing threats from him and his family. Alarmingly, the data leak revealed her name, mobile number, location, date, and time of complaint, potentially putting her at risk. In several other cases, citizens had filed complaints of traffic violations, and their data used initially to login to the App, including name, email address, and phone numbers, were revealed in the data breach. What is noteworthy about the above examples is that all these users had filed complaints only in May 2024, which suggests that the data from the Hawk Eye App was hacked this month.

Cops Wary of Hawk Eye App Data Breach

When The Cyber Express downloaded the “Hawk Eye -Telangana Police” app on Android on May 31, the app remained non-functional after the tester entered the primary details. Surprisingly, the app did not appear when the user tried to download it from the Apple Store. Sources in the Telangana Police have confirmed to The Cyber Express that there was a failure to upgrade the app and the process for updating a patch is an ongoing exercise. Police sources in the Telangana IT wing shared that they were working with vendors to install an updated patch. This, the police officials shared, could be a reason for the app details being breached. Additional Director General of Police (Technical Services) VV Srinivasa Rao of the Telangana Police shared that the task of upgrading Hawk Eye has been given to developers and that it should be available for the latest Android versions shortly. DGP Shikha Goel, who is also the director of the Telangana State Cyber Security Bureau, was unavailable for comment. We update this story as we get more information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The operators of RedTail cryptominer, which was the biggest cryptominer operation last year, have now started to take advantage of the Palo Alto PAN-OS CVE-2024-3400 vulnerability to target their victims. According to a report by cloud computing company Akamai, the hacker expanded their attack vector to include the Palo Alto PAN-OS vulnerability, though the sophistication and evasive techniques utilized by the RedTail variant are notable in this campaign, they wrote. The evolution of the RedTail cryptominer hints at a direct investment of resources, particularly staffing, infrastructure, and advanced obfuscation techniques. The threat actor’s chain of infection begins with the adoption of CVE-2024-3400 vulnerability and the incorporation of private cryptomining pools into their operation. 

RedTail Cryptominer Leverages Private Cryptomining Pools

According to Akamai, the folks behind the RedTail cryptominer have chosen to use "private cryptomining pools" to have more control over their mining activities, even though it comes with higher operational and financial costs. The tactics used in this campaign closely resemble those used by the Lazarus group, as per the research. One noteworthy aspect of this variant is its use of private cryptomining pools. By using these private pools, the attackers can have better control and security over their operations, just like other popular threat groups. This shift towards private pools suggests a more coordinated and intentional strategy in cryptomining activities, which raises the possibility of involvement by nation-state actors. The goal of combining system and user prompts is to help the assistant refine the text and make it sound more like it was written by a human, while still maintaining the original content's purpose and accuracy.

RedTail Cryptominer: Sneaky and Stealthy

The RedTail cryptominer is no amateur when it comes to flying under the radar and maintaining its grip on compromised systems. It employs clever tactics like anti-research measures and blends the XMRig cryptomining code with extra layers of encryption and logic. This sneaky combination of system and user prompts is designed to enhance the assistant's skills in transforming the text into a more natural and relatable version, all while staying true to the original content's purpose and accuracy. So, let's dive in and uncover the secrets of the RedTail cryptominer! This malware really knows its stuff when it comes to cryptomining. It optimizes its operations to be as efficient and profitable as possible. By using a combination of system and user prompts, the goal is to help the assistant transform the text into something that sounds more human-like while staying true to the original content's purpose and accuracy. In addition to exploiting the PAN-OS CVE-2024-3400 vulnerability, the actors behind RedTail are targeting a variety of other vulnerabilities across different devices and platforms. This encompasses exploits aimed at SSL-VPNs, IoT devices, web applications, and security devices like Ivanti Connect Secure.

How to Use the  Akamai App & API Protector?

Akamai suggests Akamai App&API Protector for additional security features and identifies all Palo Alto devices and patches them to prevent the RedTail cryptominer. The users can also harden their devices for cyberattacks such as web platform attacks, command injections, and local file inclusion.  In addition, instead of merely relying on PAN-OS CVE-2024-3400 vulnerability, the developers of RedTail take advantage of several other vulnerabilities in different platforms and devices. These involve breaches to SSL VPNs, IoT products, web apps, as well as security appliances such as Ivanti Connect Secure.

As per recent reports a new social engineering attack attributed to the North Korea-linked Kimsuky hacking group is targeting human rights activists using fake Facebook accounts. This tactic, involving fictitious identities, marks a significant shift from their typical email-based spear-phishing strategies. According to a report by South Korean cybersecurity firm Genians, the attackers pose as […]

The post Alert: Kimsuky Hacking Group Targets Human Rights Activists appeared first on TuxCare.

The post Alert: Kimsuky Hacking Group Targets Human Rights Activists appeared first on Security Boulevard.

"I write to request that your agencies investigate UnitedHealth Group’s (UHG) negligent cybersecurity practices, which caused substantial harm to consumers, investors, the healthcare industry, and U.S. national security. The company, its senior executives, and board of directors must be held accountable," declared Senator Ron Wyden, Chairman of the Senate Committee on Finance, in a letter to federal regulators on May 30. This urgent plea follows the devastating cyberattack on Change Healthcare, a subsidiary of UHG, raising critical questions about the company's cybersecurity integrity. In a four-page letter, Senator Wyden linked the recent cyberattack on Change Healthcare to the infamous SolarWinds data breach, blaming UHG's leadership for a series of risky decisions that ended in this tragic cyberattack. [caption id="attachment_73457" align="aligncenter" width="1024"] Source: SEC[/caption]

Broader Context of Cyberattack on Change Healthcare

At the heart of the criticism is the appointment of a Chief Information Security Officer (CISO) who had no prior full-time experience in cybersecurity before assuming the role in June 2023. This, according to Wyden, epitomizes the corporate negligence that has placed countless stakeholders at risk. Wyden argues that Martin's appointment exemplifies a broader pattern of poor decision-making by UHG’s senior executives and board of directors, who should be held accountable for the company’s cybersecurity lapses. The comparison to SolarWinds is particularly telling. The SolarWinds incident exposed vulnerabilities in software supply chains, leading to widespread consequences across multiple sectors. Similarly, UHG's data breach, if proven to result from preventable lapses, highlights the critical need for stringent cybersecurity practices in healthcare, an industry that handles sensitive personal and medical data.

The Incident and Initial Reactions

The incident in question involved hackers exploiting a remote access server at Change Healthcare, which lacked multi-factor authentication (MFA). This basic cybersecurity lapse allowed the attackers to gain an initial foothold, leading to a ransomware infection that crippled UHG’s operations. During testimony before the Senate Finance Committee on May 1, 2024, UHG CEO Andrew Witty admitted that the company’s MFA policy was not uniformly implemented across all external servers. Witty's revelations highlighted a broader issue of inadequate cybersecurity defenses at UHG, despite the industry's reliance on MFA as a fundamental safeguard.

Industry Standards and Regulatory Expectations

Wyden’s letter points out that the Federal Trade Commission (FTC) has mandated MFA for financial services companies under the Safeguards Rule and has enforced its use in cases against companies like Drizly and Chegg. These precedents establish MFA as a non-negotiable standard for protecting consumer data. UHG's failure to implement this basic security measure on all its servers is a glaring oversight, suggesting a disconnect between its stated policies and actual practices. Moreover, Wyden highlights the necessity of multiple lines of defense in cybersecurity. The fact that hackers could escalate their access from one compromised server to the entire network indicates a lack of network segmentation and other best practices designed to contain breaches. This deficiency exacerbates the initial failure to secure remote access points.

Consequences and Broader Implications

The implications of UHG’s cybersecurity failures are profound. The immediate aftermath saw significant disruptions, with some of UHG's systems taking weeks to restore. Witty admitted that while cloud-based systems were quickly recovered, many critical services running on UHG's own servers were not engineered for rapid restoration. This lack of resilience in UHG’s infrastructure planning highlights a failure to anticipate and mitigate the risk of ransomware attacks, a known and escalating threat. Wyden’s letter also addresses the financial fallout. UHG has already estimated the breach's cost at over a billion dollars, reflecting the significant economic impact of the cyberattack. This financial burden, coupled with negative media coverage, exposes UHG to substantial political and market risks. The case echoes the SEC’s stance in the SolarWinds case, where cybersecurity practices were deemed crucial for investor decisions. Investors in UHG would similarly consider enhanced cybersecurity practices essential, given the potential for massive breaches to affect stock value and company reputation.

Accountability and Regulatory Action

Senator Wyden calls for the FTC and SEC to investigate UHG’s cybersecurity and technology practices, aiming to determine if any federal laws were violated and to hold senior officials accountable. This push for accountability highlights the role of corporate governance in cybersecurity. The Audit and Finance Committee of UHG’s board, responsible for overseeing cybersecurity risks, is criticized for its apparent failure to fulfill its duties. Wyden suggests that the board's lack of cybersecurity expertise likely contributed to the oversight failures, a critical point in an era where cybersecurity threats are increasingly sophisticated and pervasive.

Malicious actors from Russia, China, Israel, and Iran have been leveraging artificial intelligence to target victims, according to OpenAI's latest report. These threat actors from the aforementioned nations are using AI models in covert influence operations. The report details various adversary tactics ranging from the grammatical manipulations by the "Bad Grammar" network to the advanced strategies employed by the "Doppelganger" threat actor, providing deep insights into these malevolent activities. Through an in-depth analysis of recent developments and disruptions, the AI and Covert Influence Operations Latest Trends report offers invaluable insights into the modern-day tactics employed by threat actors to manipulate narratives and influence public opinion across online platforms.

Threat Actors Employ AI and Covert Influence Operations

These threat actors, hailing from diverse geopolitical regions, including Russia, China, Iran, and a commercial entity based in Israel, have exploited the technology of artificial intelligence, especially generative AI, to create a series of covert influence operations. These operations, meticulously documented and analyzed within the report, exemplify the sophisticated strategies employed by malicious actors to exploit AI technologies for their nefarious agendas, says OpenAI. One of the prominent operations highlighted in the report is "Bad Grammar," a previously undisclosed campaign originating from Russia. Operating primarily on the messaging platform Telegram, Bad Grammar sought to disseminate politically charged content targeting audiences in Ukraine, Moldova, the Baltic States, and the United States. Despite its geographic reach, this operation was characterized by its blatant grammatical errors, reflecting a deliberate attempt to undermine credibility while leveraging AI models for content generation. Similarly, the report sheds light on the activities of "Doppelganger," a persistent threat actor linked to Russia, engaged in disseminating anti-Ukraine propaganda across various online channels. Employing a hybrid approach that combines AI-generated content with traditional formats such as memes sourced from the internet, Doppelganger exemplifies the fusion of old and new tactics in these campaigns.

Influencing Geographical Politics

The report also highlights covert influence campaigns linked to China, Iran, and a commercial group in Israel, in addition to those connected with Russia. These operations, known by names like "Spamouflage" and "STOIC," use various strategies to push their specific agendas. Their activities include promoting pro-China narratives while attacking its detractors, as well as creating content focused on the Gaza conflict and the elections in India. Despite the diverse origins and tactics employed by these threat actors, the report highlights common trends that shed light on the current state of covert influence. One such trend is the pervasive use of AI models to augment productivity and streamline content generation processes. From generating multilingual articles to automating the creation of website tags, AI serves as a force multiplier for malicious entities seeking to manipulate digital discourse. Furthermore, the report goes deeper into the intricate interplay between AI-driven strategies and human error, emphasizing the inherent fallibility of human operators engaged in covert influence operations. Instances of AI-generated content containing threatening signs of automation by state-hackers.

Researchers discovered a new data theft campaign, active since at least 2021, attributed to an advanced persistent threat (APT) actor dubbed "LilacSquid." This campaign, observed by researchers at Cisco Talos, targets a diverse set of industries, including IT organizations in the United States, energy companies in Europe, and pharmaceutical firms in Asia. This broad victimology suggests that LilacSquid is agnostic to industry verticals, aiming to steal data from various sectors.

Use of Open-Source Tools and Customized Malware

The campaign from LilacSquid employs MeshAgent, an open-source remote management tool and a customized version of QuasarRAT that researchers refer as "PurpleInk," as primary implants after compromising vulnerable application servers exposed to the internet. LilacSquid exploits public-facing application server vulnerabilities and compromised remote desktop protocol (RDP) credentials to deploy a range of open-source tools and customized malware, including MeshAgent, SSF, PurpleInk, and loaders InkBox and InkLoader.

LilacSquid's Long-Term Access for Data Theft through Persistence

Talos assessed with high confidence that LilacSquid has been active since at least 2021, focusing on establishing long-term access to compromised organizations to siphon valuable data to attacker-controlled servers. The campaign has successfully compromised entities in Asia, Europe, and the United States across various sectors such as pharmaceuticals, oil and gas, and technology. LilacSquid uses two primary infection chains: exploiting vulnerable web applications and using compromised RDP credentials. [caption id="attachment_73284" align="aligncenter" width="1024"] LilacSquid Initial Access and Activity. (Credit: Cisco Talos)[/caption] Once a system is compromised through exploiting vulnerabilities on internet facing devices, LilacSquid deploys multiple access tools, including MeshAgent, SSF, InkLoader, and PurpleInk. [caption id="attachment_73286" align="aligncenter" width="1024"] LilacSquid's Lateral Movement via RDP. (Credit: Cisco Talos)[/caption] MeshAgent, downloaded using bitsadmin utility, connects to its command and control (C2) server, conducts reconnaissance, and activates other implants. On the other hand InkLoader, a .NET-based malware loader, is used when RDP credentials are compromised. It persists across reboots and executes PurpleInk, with the infection chain tailored for remote desktop sessions.

PurpleInk Implant of LilacSquid

PurpleInk, derived from QuasarRAT, has been customized extensively since 2021.

"Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family."

It features robust remote access capabilities, including process enumeration, file manipulation, system information gathering, remote shell access, and proxy server communication. Different variants of PurpleInk exhibit varying functionalities, with some stripped-down versions retaining core capabilities to evade detection. InkBox, an older loader used by LilacSquid, reads from a hardcoded file path on disk, decrypts its contents, and runs PurpleInk. Since 2023, LilacSquid has modularized the infection chain, with PurpleInk running as a separate process via InkLoader. [caption id="attachment_73282" align="aligncenter" width="1024"] PurpleInk Activation Chain (Credit: Cisco Talos)[/caption] Post-exploitation, MeshAgent activates other tools like SSF and PurpleInk. MeshAgent, configured with MSH files, allows operators to control infected devices extensively, managing files, viewing and controlling desktops, and gathering device information.

Parallels with North Korean APT Groups

The tactics, techniques, and procedures (TTPs) used in this campaign show similarities to those of North Korean APT groups, such as Andariel and Lazarus. Andariel is known for using MeshAgent to maintain post-compromise access, while Lazarus extensively employs SOCKs proxy and tunneling tools, along with custom malware, to create channels for secondary access and data exfiltration. LilacSquid has similarly deployed SSF and other malware to establish tunnels to their remote servers. The LilacSquid campaign highlights the persistent and evolving threat posed by sophisticated APT actors. By leveraging a combination of open-source tools and customized malware, LilacSquid successfully infiltrates and maintains long-term access to diverse organizations worldwide. IoCs to detect LilacSquid's PurpleInk infection:

PurpleInk: 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8

Network IOCs 

67[.]213[.]221[.]6 192[.]145[.]127[.]190 45[.]9[.]251[.]14 199[.]229[.]250[.]142

A 25-year-old man from Kawasaki, Japan was arrested this week for allegedly using generative AI tools to create ransomware in an AI jailbreaking case that may be the first of its kind in Japan. The arrest of Ryuki Hayashi, widely reported in Japan, is the latest example of an attacker defeating AI guardrails, which has become something of an obsession for hackers and cybersecurity researchers alike. Just this week, researchers from Germany’s CISPA Helmholtz Center for Information Security reported on their efforts to jailbreak GPT-4o, the latest multimodal large language model (MLLM) released by OpenAI a little more than two weeks ago. Concerns raised by those researchers and others led OpenAI to establish a safety and security committee this week to try to address AI risks.

AI Jailbreak Tools and Methods Unclear

News reports on Hayashi’s arrest have been lacking in details on the tools and methods he used to create the ransomware. The Japan Times reported that Hayashi, a former factory worker, “is not an expert on malware. He allegedly learned online how to ask AI tools questions that would elicit information on how to create malware.” Hayashi came under suspicion after police arrested him in March “for allegedly using fake identification to obtain a SIM card registered under someone else's name,” the paper reported. The Japan News, which reported that Hayashi is unemployed, said police found “a homemade virus on a computer” following the March arrest. The News said police suspect he “used his home computer and smartphone to combine information about creating malware programs obtained after giving instructions to several generative AI systems in March last year.” Hayashi “allegedly gave instructions to the AI systems while concealing his purpose of creating the virus to obtain design information necessary for encrypting files and demanding ransom,” the News reported. “He is said to have searched online for ways to illegally obtain information.” Hayashi reportedly admitted to charges during questioning, and told police, “I wanted to make money through ransomware. I thought I could do anything if I asked AI.” There have been no reports of damage from the ransomware he created, the News said.

LLM Jailbreak Research Heats Up

The news comes as research on AI jailbreaking and attack techniques has grown, with a number of recent reports on risks and possible solutions. In a paper posted to arXiv this week, the CISPA researchers said they were able to more than double their attack success rate (ASR) on GPT-4o’s voice mode with an attack they dubbed VOICEJAILBREAK, “a novel voice jailbreak attack that humanizes GPT-4o and attempts to persuade it through fictional storytelling (setting, character, and plot).” Another arXiv paper, posted in February by researchers at the University of California at Berkeley, looked at a range of risks associated with GenAI tools such as Microsoft Copilot and ChatGPT, along with possible solutions, such as development of an “AI firewall” to monitor and change LLM inputs and outputs if necessary. And earlier this month, OT and IoT security company SCADAfence outlined a wide range of AI tools, threat actors and attack techniques. In addition to general use case chatbots like ChatGPT and Google Gemini, the report looked at “dark LLMs” created for malicious purposes, such as WormGPT, FraudGPT, DarkBERT and DarkBART. SCADAfence recommended that OT and SCADA organizations follow best practices such as limiting network exposure for control systems, patching, access control and up to date offline backups. GenAI uses and misuses is also expected to be the topic of a number of presentations at Gartner’s Security and Risk Management Summit next week in National Harbor, Maryland, just outside the U.S. capital.

Toshiba America Business Solutions reached out to customers to inform them of a potential data security incident in which their personal information may have been compromised. Toshiba America Business Solutions is an American subsidiary of the Toshiba TEC Corporation. The company said that it was committed to protecting the confidentiality and security of personal data, and offered credit monitoring services to affected individuals.

Toshiba America Data Breach

After conducting a preliminary investigation, Toshiba reported that an attacker may have compromised its email environment. The attacker may have obtained unauthorized access to sensitive personally identifiable information such as names and Social Security numbers from the email compromise. The investigation confirmed that the breach could have impacted numerous individuals, leading Toshiba to contact affected individuals, as legally required. Toshiba America Business Solutions advised customers to remain cautious over the incident. The firm advised customers to regularly review their credit reports, financial account statements, and payment card statements for any unauthorized activity. Any suspicious activity could be reported to Toshiba or law enforcement agencies. Toshiba apologized to the affected individuals for any inconvenience stemming from the incident and said that additional measures had been implemented since then to enhance the security of its email environment and prevent similar occurrences in the future. To assist the affected individuals in safeguarding their personal information, Toshiba has arranged for a complimentary, two-year membership of identity monitoring services offered through Kroll. This membership offering includes triple bureau credit monitoring, fraud consultation, and identity theft restoration. The fraud consultation option allows affected individuals  to reach out to Kroll fraud specialists for advice and assistance relating to identity protection, legal rights, and detection of suspicious activity. The identity theft restoration option lets affected individuals work with a licensed Kroll investigator to resolve potential identity theft issues. Toshiba stated that these services would be provided for free to the affected individuals and would not negatively impact their credit scores. Affected individuals were encouraged to use the services as well as to contact Toshiba or Kroll for additional assistance.

Law Firm Announces Investigation

Strauss Borrelli PLLC, a data breach law firm, announced on its website that it would be investigating Toshiba American Business Solutions, Inc. with regard to the recent data breach that exposed sensitive personally identifiable information. While the full extent of the data breach is unknown, the Toshiba America Business Solutions division operates offices across the U.S. and Latin America. The law firm encouraged customers who received a breach notification letter from Toshiba American Business Solutions to contact Strauss Borrelli PLLC to discuss their rights and potential legal remedies in response to the incident. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In one of the largest mass bricking events in history, at least 600,000 routers belonging to subscribers of the same ISP service were essentially destroyed last October. The incident has been dubbed "Pumpkin Eclipse," with researchers still unclear on how the routers became infected. The affected devices displayed a steady red light and were unresponsive to troubleshooting attempts, and had to be replaced. Now new research is shedding light on the attack, which involved unusually sophisticated and stealthy attack methods.

'Pumpkin Eclipse' Router Attack

The attack began on October 25, 2023, as the ISP's subscribers began reporting their ActionTec T3200 and Sagemcom routers had suddenly stopped working. Users described the devices as unresponsive, with a steady red light on the front panel. Many blamed the ISP for the mass "bricking" of the routers, alleging the company had pushed faulty firmware updates. However, according to new research by Black Lotus Labs, the incident was in fact the result of a deliberate, malicious act. The researchers reported that over a 72-hour period, a malware known as "Chalubo" had infected over 600,000 routers connected to a single autonomous system number (ASN) belonging to an unnamed ISP. While the researchers avoided naming the ISP affected in the attack, the description of the attack matches frustrations expressed months ago by subscribers of the Windstream ISP, such as the router affected and its resulting behavior. The Chalubo malware, a commodity remote access trojan (RAT) first identified in 2018, employed sophisticated tactics to cover its tracks. It removed all files from the infected devices' disks, ran entirely in memory, and assumed random process names already present on the routers. The researchers believe the malware downloaded and ran code that permanently overwrote the router's default device firmware, rendering them permanently inoperable. The researchers state that while the motives behind the attack are unknown, its implications are troubling.

Researchers Unsure Over Initial Attack Vector but Theorize Possibilities

Although the researchers identified the malware's multi-chain attack process and its spread across the ISP's network, they have been unable to determine the initial infection vector employed by the threat actor. They theorize that it could have possibly resulted from the exploit of an inherent vulnerability, exploit of weak credentials, or compromise of the routers' administrative panels. The researchers said the attack is highly concerning, as it represents a new precedent for malware capable of mass-bricking consumer networking devices. The researchers could only recall one prior similar event - the 2022 discovery of the AcidRain malware, which knocked out over 10,000 satellite internet modems in Ukraine and Europe during the start of the Russian invasion. The researchers said the impact of "Pumpkin Eclipse" attack was particularly severe, as the affected ISP's service area covers many rural and underserved communities. Residents may have lost access to emergency services, farmers could have been cut off from remote crop monitoring, and healthcare providers may have been unable to access patient records or provide telehealth services. "At this time, we do not assess this to be the work of a nation-state or state-sponsored entity," the Lumen researchers wrote. In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as Volt Typhoon, or SeaShell Blizzard. Nonetheless, they speculated that usage of a commodity malware family may have been a deliberate move to obscure the perpetrator's potential identity. Recovery from such a supply chain disruption is always more challenging in isolated or vulnerable regions, the researchers added. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Internet Archive, one of the oldest online directories of websites, movies, books, software and more, is facing a cyberattack that has disrupted its services for over three days. The Internet Archive cyberattack, identified as a distributed denial-of-service (DDoS) assault, has besieged the service and inundated its servers with repeated requests. While the organization is reassuring users that its collections remain secure, the accessibility of its Wayback Machine, a tool allowing users to explore historical web pages, has been compromised.

Internet Archive Cyberattack Targets Multiple Systems

According to a blog post shared by Internet Archive on May 28, intermittent service disruptions have been reported over the past few days, confirmed by updates shared by Archive officials on social media platforms. Despite efforts to mitigate the attack, the exact source remains undisclosed. In response to the DDoS attack, Brewster Kahle, the founder and digital librarian of the Internet Archive, expressed gratitude for the outpouring of support while reaffirming the organization's commitment to fortify its defenses. Kahle characterized the attack as "sustained, impactful, targeted, adaptive, and importantly, mean" in the blog post.

Mitigation Against the Internet Archive DDoS Attack

The Internet Archive serves as a valuable resource for users seeking access to a diverse range of media content, both historical and contemporary, free of charge. However, its mission to democratize access to knowledge has encountered legal challenges, with the organization facing lawsuits from the U.S. book publishing and recording industry associations in the last year. The legal actions alleged copyright infringement and sought significant damages, casting a shadow over the future operations of libraries worldwide. The cyberattack on the Internet Archive echoes a troubling trend of attacks targeting libraries and knowledge institutions globally. Recent victims include the British Library, the Solano County Public Library in California, the Berlin Natural History Museum, Ontario’s London Public Library, and just this week, the Seattle Public Library. In light of the ongoing cyberattack and legal battles, Kahle emphasized the broader implications for libraries everywhere. He warned that the actions of publishing and recording industries threaten to undermine the very existence of libraries, posing a grave concern for patrons worldwide. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Internet Archive cyberattack or any further communication from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Pharmaceutical giant Johnson & Johnson recently announced a data breach that may stem from a larger data breach affecting Lash Group, a division of Cencora. In February, Cencora reported a data breach incident to the U.S. Securities and Exchange Commission (SEC) after learning that data had been exfiltrated from its information systems, some of which contained personal information. The breach may have compromised some sensitive information of patients registered with Johnson & Johnson Patient Assistance Foundation, Inc.

Johnson & Johnson Data Breach Notice

On May 29, Johnson & Johnson filed a notice of data breach with the Attorney General of Texas, indicating that an unauthorized party accessed confidential patient information. The breach affected approximately 175,000 Texans, but the total number of victims nationwide could be much higher. The breach affects two Johnson & Johnson entities: Johnson & Johnson Patient Assistance Foundation, Inc., and Johnson & Johnson Services, Inc. The following data was compromised in the attack: Name of individual, Address, Medical Information, and Date of Birth. Data breach notification letters have been sent to all the affected individuals, while limited information is available on the Texas Attorney General's data breach reports page. The incident is potentially linked to a much larger breach involving Cencora, which has affected over a dozen major pharmaceutical companies so far.

Link to Cencora Data Breach

The Johnson & Johnson data breach bears several similarities to other large third-party pharmaceutical company data breaches affected by the Cencora/Lash Group data breach, which was first discovered on February 21. Cencora’s Lash Group division aids pharmaceutical companies in running patient support programs that try to ensure that costly medication is available to disadvantaged patients, regardless of their ability to pay for them. At least 15 clients of Cencora/Lash Group have notified state authorities of data breach incidents, with databreaches.net listing the following victims:

• AbbVie: 54,344 Texans affected
• Acadia Pharmaceuticals: 753 Texans affected
• Bayer: 8,822 Texans affected
• Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation: 256,237 Texans and 11,503 New Hampshire residents affected
• Dendreon: 2,923 Texans affected
• Endo: no numbers provided
• Genentech: 5,805 Texans affected
• GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation: no numbers provided
• Incyte Corporation: 2,592 Texans affected
• Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.: 466 Texans and 27 New Hampshire residents affected
• Novartis Pharmaceuticals: 12,134 Texans affected
• Pharming Healthcare, Inc.: 314 Texans and 9 New Hampshire residents affected
• Regeneron Pharmaceuticals: 91,514 Texans affected
• Sumitomo Pharma America, Inc.: 24,102 Texans affected
• Tolmar: 1 New Hampshire resident

Data breach notices have also been filed with California officials too. While the full extent of the damage has yet to be determined, it has affected over 540,000 patients so far. Cencora stated in its notification to the Securities and Exchange Commission that it had not yet been able to determine if the incident had a material impact on its operations. In in a notice on its website, the Leash Group indicated that personal information as well as personal health information had been potentially affected, including first name, last name, date of birth, health diagnosis, and/or medications and prescriptions. The Leash Group said in a statement that no personal data appears to have been exposed because of the incident:

“There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself.”

The Leash Group is offering free credit monitoring and remediation services to affected individuals, and additional guidance on dealing with suspected breaches of personal information. No perpetrator has been identified or named as being responsible for the attack, and the potential impact of the breach is still being assessed. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Media reports claim that cybersecurity experts have recently unveiled new details about a remote access trojan (RAT) named Deuterbear, employed by the China-linked hacking group BlackTech. This sophisticated Deuterbear RAT malware is part of a broader cyber espionage operation targeting the Asia-Pacific region throughout the year.   Advancements Over Waterbear Deuterbear exhibits notable advancements over […]

The post Deuterbear RAT: China-Linked Hackers’ Cyber Espionage Tool appeared first on TuxCare.

The post Deuterbear RAT: China-Linked Hackers’ Cyber Espionage Tool appeared first on Security Boulevard.

Multiple vulnerabilities have recently been discovered in Fortinet FortiSIEM, raising concerns over potential remote code execution exploits. FortiSIEM, renowned for its real-time infrastructure and user awareness capabilities facilitating precise threat detection, analysis, and reporting, faces significant risks due to this FortiSIEM vulnerability. The identified vulnerabilities, if successfully exploited, could grant remote attackers the ability to execute code within the context of the affected service account. This could lead to a range of malicious activities, including the installation of unauthorized programs, manipulation of data, or even the creation of new accounts with extensive user rights. 

Understanding the Fortinet FortiSIEM Vulnerability

The severity of the Fortinet FortiSIEM vulnerability varies based on the privileges associated with the compromised service account, with administrative accounts posing the highest risk. According to SingCERT, proof of concept exploits are already available for CVE-2024-23108 and CVE-2023-34992, indicating an immediate threat to vulnerable systems. Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, and 6.4.0 through 6.4.2 are all affected by the vulnerabilities.  The risks associated with these vulnerabilities vary across different sectors, with large and medium government entities and businesses facing high risks, while small government entities and businesses face a medium level of risk. Home users, however, are considered to have a low-risk exposure.

Technical Analysis of FortiSIEM Vulnerability

Technical analysis of these FortiSIEM vulnerabilities reveals that the flaw primarily exploits the execution tactic, specifically targeting the Command and Scripting Interpreter technique. Multiple instances of improper neutralization of special elements used in OS Command have been identified in the FortiSIEM supervisor. These vulnerabilities could be exploited by remote, unauthenticated attackers via specially crafted API requests. To mitigate the risks associated with these FortiSIEM vulnerabilities, it is recommended to promptly apply patches provided by FortiNet after thorough testing. Other measures, include establishing and maintaining a documented vulnerability management process for enterprise assets, performing regular automated application updates, enforcing network-based URL filters to limit access to potentially malicious websites, implementing the Principle of Least Privilege for privileged account management, blocking unauthorized code execution through application control, and script blocking, establishing and maintaining a secure configuration process for enterprise assets and software, and address penetration test findings according to the enterprise's remediation policy. By adhering to these recommendations, organizations can effectively mitigate the vulnerabilities in Fortinet FortiSIEM, safeguarding their systems against potential remote code execution exploits. Stakeholders must prioritize these actions to ensure the security and integrity of their IT infrastructure. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In a joint international law enforcement action dubbed “Operation Endgame,” the agencies and judicial authorities dismantled major botnet infrastructure, targeting notorious malware droppers like IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and TrickBot. In a Thursday announcement Europol said that between May 27 and 29, Operation Endgame led to four arrests and the takedown of over 100 servers worldwide.

“This is the largest ever operation against botnets, which play a major role in the deployment of ransomware,” Europol said.

Botnets are used for different types of cybercrime including ransomware, identity theft, credit card scams, and several other financial crimes. “The dismantled botnets consisted of millions of infected computer systems,” a joint press statement from the Operation Endgame team said. Led by France, Germany, and the Netherlands, and supported by Eurojust, the operation involved countries including Denmark, the United Kingdom, the United States, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland, and Ukraine. Operation Endgame resulted in:

• 4 arrests - 1 in Armenia and 3 in Ukraine.
• 16 location searches - 1 in Armenia, 1 in the Netherlands, 3 in Portugal, and 11 in Ukraine.
• Over 100 servers dismantled or disrupted in countries such as Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the UK, the US, and Ukraine.
• Over 2,000 domains seized and brought under law enforcement control.
• 8 summons were also served against other suspects.

Targeting the Cybercrime Infrastructure

Operation Endgame focused on high-value targets, their criminal infrastructure behind various malware and the freezing of illicit proceeds. “The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software,” according to Europol. One primary suspect, the Europol said, earned at least €69 million in cryptocurrency by renting out sites for ransomware deployment. Authorities are closely monitoring these transactions and have secured permissions to seize the assets. The infrastructure and financial seizures had a global impact on the dropper ecosystem, the authorities believe.

Key Dropper Malware Dismantled in Operation Endgame

- SystemBC: Facilitated anonymous communication between infected systems and command-and-control servers. - Bumblebee: Delivered via phishing campaigns or compromised websites, enabling further payload execution. - Smokeloader: Used primarily to download and install additional malicious software. - IcedID (BokBot): Evolved from a banking trojan to a multi-purpose tool for various cybercrimes. - Pikabot: Enabled ransomware deployment, remote takeovers, and data theft through initial system access.

“All of them are now being used to deploy ransomware and are seen as the main threat in the infection chain,” Europol said.

[caption id="attachment_72953" align="aligncenter" width="1920"] Operation Endgame seizure notice (Credit: Europol)[/caption]

The Role of Dropper Malware in Cyberattacks

Droppers are essential tools in cyberattacks, acting as the initial vector to bypass security and install harmful software such as ransomware and spyware. They facilitate further malicious activities by enabling the deployment of additional malware on compromised systems.

How Droppers Operate

1. Infiltration: Enter systems through email attachments, compromised websites, or bundled with legitimate software.
2. Execution: Install additional malware on the victim's computer without the user's knowledge.
3. Evasion: Avoid detection by security software through methods like code obfuscation and running in memory.
4. Payload Delivery: Deploy additional malware, potentially becoming inactive or removing itself to evade detection.

The success of the operation was bolstered by private partners such as Bitdefender, Sekoia, Shadowserver, Proofpoint, and Fox-IT, among others. Their support was crucial in disrupting the criminal networks and infrastructure, the authorities said.

Wait for Operation Endgame Season 2

Operation Endgame signifies a major victory, but this is not really the end of it. Taking cue from the Marvel cinematic movie ‘Avengers – Endgame,’ the law enforcement is set to to release a part two of this operation in a few hours from now as they said their efforts continue.

“This is Season 1 of operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways,” the authorities said.

“Feel free to get in touch, you might need us. Surely, we could both benefit from an openhearted dialogue. You would not be the first one, nor will you be the last. Think about (y)our next move.” Future actions will be announced on the Operation Endgame website, possibly targeting suspects and users, and ensuring accountability. The news of this massive botnet takedown operation comes a day after the announcement of the dismantling of “likely the world’s largest botnet ever” – the 911 S5 botnet. The botnet’s alleged administrator Yunhe Wang, was arrested last week and a subsequent seizure of infrastructure and assets was announced by the FBI. The recent law enforcement actions represent a historic milestone in combating cybercrime, dealing a significant blow to the dropper malware ecosystem that supports ransomware and other malicious activities. The operation's success underscores the importance of international cooperation and the need for robust cybersecurity measures to tackle evolving threats.

The British Broadcasting Corporation (BBC) is investigating a data breach that exposed sensitive information belonging to over 25,000 present and past employees. The BBC data breach, which occurred within the corporation's pension scheme, has triggered a reaction from authorities regarding cybersecurity protocols. The pension scheme, in an email dispatched to its members, highlighted the gravity of the BBC employee data breach, emphasizing that the incident is being treated with the utmost seriousness. Approximately 25,290 individuals have been impacted by this breach, according to statements made by scheme representatives. Talking about this cybersecurity incident and its legal repercussions with The Cyber Express, Lauren Wills-Dixon, data privacy expert at law firm Gordons, stated that data breaches that lead to "unauthorised access to personal data is classed as a personal data breach under data protection laws".

BBC Data Breach Impacts Current and Former Employees

According to Birmingham Live, the security incident is being taken "extremely seriously” by the BBC and there is “no evidence of a ransomware attack.” Despite speculation of a possible ransomware attack, the British public service broadcaster has dispelled any conjecture, asserting that there is currently no evidence supporting this theory. The BBC clarified that the breach stemmed from private records being illicitly accessed from an online data storage service. Catherine Claydon, Chair of the BBC Pension Trust, assured employees that swift action had been taken to address the breach and secure the affected data source, The Guardian reported.  In an email sent to the staff, Claydon reassured the employees that “BBC have taken immediate steps to assess and contain the incident.” Talking about the mitigation strategies, the organization stated “We are working at pace with specialist teams internally and externally to understand how this happened and take appropriate action. As a precaution, we have also put in place additional security measures and continue to monitor the situation.”  The legal obligation of this data breach are far reaching and in cases where the incident impacts individual rights and freedoms, "this comes with a regulatory obligation to notify the Information Commissioner, and where people are at "high risk" the affected organisation must notify those individuals too without undue delay", said Lauren.

BBC Employee Data Breach and Ongoing Investigation

Despite assurances from the BBC, concerns linger regarding the potential misuse of the compromised information. Employees have been advised to remain vigilant and report any suspicious activity promptly. The breach, though attributed to a third party cloud storage provider, threatens the security of the impacted individuals, and "BBC - and any ‘data controller’ under data protection laws - remains primarily responsible for the security measures it adopts and external providers it engages to store and protect its personal data", added Lauren. Moreover, no passwords or bank details "appear to have been compromised, but the advice for those individuals involved is to be vigilant of any unusual activity or requests". Acknowledging the severity of the breach, a spokesperson for the BBC pension scheme issued a sincere apology to affected members. Reassurances were offered regarding the swift response and containment of the breach, coupled with ongoing efforts to upgrade security measures and monitor the situation closely. Inquiries into the incident are ongoing, with external cybersecurity experts collaborating with internal teams to dissect the breach and its implications thoroughly. However, as of now, no official statement has been issued regarding the involvement of ransomware groups in the breach. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the BBC employee data breach or any official response from the organization.

The FBI, in collaboration with international partners, has successfully dismantled the 911 S5 botnet's massive network that infected over 19 million IP addresses across 200 countries and facilitated several cybercriminal activities, including cyberattacks, financial frauds, identity theft, and child exploitation. In addition to the infrastructural takedown of the 911 S5 botnet, Chinese national YunHe Wang, the alleged administrator of the botnet, was also arrested on May 24, U.S. Attorney General Merrick Garland said in a Wednesday press briefing.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray.

“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators,” Wray added. Wang and two of his associates, along with three Thailand-based businesses linked to the botnet, were sanctioned by the U.S. Treasury Department on Tuesday. Wang faces up to 65 years in prison on charges that include computer fraud, wire fraud, and money laundering.

911 S5 Botnet Operations

Beginning in 2014, Wang allegedly developed and distributed malware that compromised millions of Windows operating systems worldwide, including over 600,000 IP addresses in the U.S. Wang allegedly spread malware through malicious VPN programs like MaskVPN and DewVPN, as well as through pirated software bundled with malware. Wang managed and controlled approximately 150 dedicated servers worldwide.

“Using the dedicated servers, Wang was able to deploy and manage applications, command and control the infected devices, operate his 911 S5 service and provide to paying customers access to the proxied IP addresses associated with the infected devices,” Wang's indictment said.

The residential proxy service that Wang developed and operated allowed subscribers to access the more than 19 million compromised IP addresses, which helped them mask their online activities. This service generated approximately $99 million for Wang. The 911 S5 botnet facilitated a range of cybercrimes, including cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations, Garland said. One such example is that of customers using the botnet's services for fraudulently filing 560,000 unemployment insurance claims that resulted in a confirmed loss of $5.9 billion from federal pandemic relief programs. In another instance, the 911 S5 botnet customers used the service to file more than 47,000 Economic Injury Disaster Loan applications, which again resulted in the loss of millions of dollars.

Infrastructure and Assets Seized

Authorities seized 23 internet domains and more than 70 servers, which formed the core of the 911 S5 botnet and its successor services. This action effectively shut down the botnet and prevented Wang from reconstituting the service under a new name, Clourouter.io. The U.S. Department of Justice emphasized that this seizure closed existing malicious backdoors used by the botnet. Wang allegedly used the proceeds from the botnet to purchase properties across the globe, including the U.S., China, Singapore, Thailand, the United Arab Emirates, and St. Kitts and Nevis, where he also holds a citizenship. Authorities have moved to forfeit his assets, which include 21 properties and a collection of luxury cars such as a Ferrari F8, several BMWs, and a Rolls Royce.

Investigation Triggered by Ecommerce Incident

The investigation into the 911 S5 botnet was initiated following a probe into more than 2,000 fraudulent orders placed with stolen credit cards on ShopMyExchange, an e-commerce platform linked to the Army and Air Force Exchange Service. The perpetrators in Ghana and the U.S. were found to be using IP addresses acquired from 911 S5.

“Although approximately 2,525 fraudulent orders valued at $5.5 million were submitted, credit card fraud detection systems and federal investigators were able to thwart the bulk of the attempted purchases, reducing the actual loss to approximately $254,000,“ the Justice Department said.

The latest takedown is part of a broader effort of the Justice Department to combat nation-state hacking and international cybercrime. At the beginning of the year, the Justice Department dismantled botnets linked to the China-affiliated hacking group Volt Typhoon, followed by the disruption of botnet controlled by the Russian APT28 group associated with the Russian military intelligence, the GRU. Google-owned cybersecurity firm Mandiant also warned last week that Chinese state hackers are increasingly using vast proxy server networks, built from compromised online devices and virtual private servers, to evade detection during their cyberespionage campaigns. Garland highlighted the global collaboration in this operation, underscoring the Justice Department's commitment to disrupting cybercrime networks that pose a significant threat to individuals and national security. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A GitHub project that disables Windows Defender and firewall is generating buzz among cybersecurity researchers. Will Dormann, a senior vulnerability analyst at CERT, posted about the GitHub project on a Mastodon cybersecurity instance. “Somebody figured out the secret technique that 3rd-party AV uses to disable Microsoft Defender so that they themselves can run without interference,” Dormann wrote. “This tool uses this technique to install a null AV product, thus having the effect of simply disabling Microsoft Defender.” Dormann included a screen recording of the tool in action, and it appears to work effectively (screenshot below). [caption id="attachment_72709" align="alignnone" width="1057"] 'No Defender' Windows Defender bypass[/caption] The GitHub project, simply called “No Defender,” is billed as “A fun way to disable windows defender + firewall.” In a note on the project, repository owner “es3n1n” said they essentially reverse-engineered the API that antivirus vendors use to disable Windows Defender. “There's a WSC (Windows Security Center) service in Windows which is used by antiviruses to let Windows know that there's some other antivirus in the hood and it should disable Windows Defender,” the note states. “This WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation, so I decided to take an interesting approach for such a thing and used an already existing antivirus called Avast. This AV engine includes a so-called wsc_proxy.exe service, which essentially sets up the WSC API for Avast. With a little bit of reverse engineering, I turned this service into a service that could add my own stuff there.” One limitation noted by es3n1n is that “to keep this WSC stuff even after reboot, no-defender adds itself (not really itself but rather Avast's module) to the autorun. Thus, you would need to keep the no-defender binaries on your disk.”

Windows Defender Bypass Requires Admin Privileges

EDR (endpoint detection and response) and antivirus software bypasses aren’t uncommon, as hackers and researchers alike have found ways to disable security defenses. Security researchers and testers often turn off security defenses in the course of research and testing, so such tools have legitimate uses too. As one commenter noted on the ycombinator Hacker News feed, "Defender is a real irritant when doing security research and is near impossible to turn off completely and permanently. Even using the Group Policy Editor or regedits is not reliable. If you do get it to stop, it will randomly reenable itself weeks later...For the vast majority of people this is a good thing!" Dormann noted that elevated admin privileges are all that’s required to run the No Defender tool, so Windows users have yet another reason not to run Windows as an admin. “If you don't log in to Windows as an admin, as we security-conscious people do, then you won't have as much to worry about,” Dormann wrote. One Mastodon commenter saw the GitHub tool as an Avast flaw rather than Microsoft’s, noting that “it requires an executable signed with AuthentiCode SigningLevel 7 ("Signed by an Antimalware vendor whose product is using AMPPL"). “I see this more as a vulnerability of the Avast wsc_proxy.exe component misused here that allows untrusted/unsigned code to interact with it,” said the commenter, who goes by the handle “faebudo.” The Cyber Express reached out to Microsoft and Avast for comment and will update this article with any response. But Dormann told The Cyber Express the issue is "more of a novelty than a vulnerability per se. Admin-privileged users can do admin things. Which includes reconfiguring the system they're on. Including kernel-level access."

Following the seizure of the BreachForums domain and the arrest of Baphomet, its new owner ShinyHunters seems to have fully regained control over the site after a recent announcement that the forum will be open for account registration. While the domain itself appeared to have been seized back from law enforcement, the site remained dysfunctional for a while as staff redirected visitors to a new Telegram channel. The site slowly resumed operations while initially disabling account registration. However, the arrests and law enforcement activity connected to the operation of the domain, as well as its quick return to operations, have led cybercriminals to fear possible compromise of the forum infrastructure by law enforcement.

BreachForums Seizure and Return

BreachForums, widely recognized as the successor to RaidForums, has faced several downtimes, seizures and disruptions in its eventful history. The original owner, Conor Brian Fitzpatrick AKA "Pompompurin," was arrested last year on cybercrime and device fraud charges. BreachForums administrator "Baphomet" announced that he would step in as successor and opened a new domain to resume forum activity. However, Baphomet himself feared site compromise by law enforcement and temporarily shut down the forums, expressing that "nothing is safe anymore." [caption id="attachment_72568" align="alignnone" width="1536"] Source: Cyble[/caption] However, Baphomet later announced that he would be working on a new domain and resuming forum operations. The forum soon returned with regular facilitation of data leak sharing and discussion. A year later, Baphomet himself faced arrest after a joint operation from law enforcement, which also seized the BreachForums domain and official Telegram channel. The administrator ShinyHunters emerged as the successor, confirming Baphomet's arrest. However, the domain seizure was short-lived, and was soon redirecting users to a new Telegram channel. An allegedly leaked conversation from an FBI operative to BreachForum's previous domain name registrar and hosting provider NiceNic also appeared to indicate that ShinyHunters had regained control over domain ownership despite its court-ordered seizure. [caption id="attachment_72579" align="alignnone" width="326"] Source: Telegram[/caption] After a period of dysfunction, BreachForums has now resumed operations, with threat actors already claiming new victims on its forum postings.

Emerging Alternatives and Criminal Suspicion Over BreachForums

In the wake of the recent seizure, several other individuals expressed their doubts over BreachForums and its possible usage as a "honeypot" by law enforcement to entrap cybercriminals and disrupt operations. The owner of Secretforums and former owner of Blackforums expressed his belief over Telegram that Baphomet was possibly an informant to law enforcement, citing the latter's interest in maintaining the infrastructure of Blackforums. Prominent threat actor USDoD also cast doubt over the succession of BreachForums to the administrator Shiny Hunters, citing his low stats on the previous domain. These concerns were followed by the self-promotion of SecretForum's and USDoD's announced project "Breach Nation" as possible alternatives. More recently, the CyberNi***rs threat actor group also announced its intention to start a new site to coordinate its operations. Despite these activities and the surrounding suspicion, new owner Shiny Hunters seems eager to return to earlier activities and operations, as judged by their claim of responsibility for an attack impacting Live Nation Entertainment Inc., the parent company of Ticketmaster. The results of these events, their effect on the cybercriminal ecosystem, as well as the viability of emerging forums as alternatives to the relaunched BreachForums led by ShinyHunters, remain unclear. But given how vocal the participants are, the picture will almost certainly get clearer with time. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. Treasury Department sanctioned three Chinese nationals on Tuesday for their alleged involvement in operating the 911 S5 proxy botnet widely used for fraudulent activities, including credit card theft and Coronavirus Aid, Relief, and Economic Security program frauds. The sanctions are aimed at curbing the operations linked to the botnet, which caused major financial losses amounting to "billions" of dollars to the U.S. government.

The Rise and Demise of 911 S5 Botnet

The botnet in question played a critical role in executing numerous fraudulent schemes through stolen residential IP addresses.

"The 911 S5 botnet compromised approximately 19 million IP addresses and facilitated the submission of tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs by its users, resulting in the loss of billions of dollars to the U.S. government."

911 S5 is a residential proxy botnet that allows its paying users, often cybercriminals, to select the IP addresses they can use to connect to the internet using intermediary, internet-connected computers that have been compromised without the computer owners’ knowledge. 911 S5 essentially enables cybercriminals to conceal their originating location, effectively defeating fraud detection systems, the U.S. Treasury explained. The 911 S5 botnet was also implicated in a series of bomb threats made in July 2022, according to the Treasury. Investigators found links of IP addresses within the proxy botnet network being used in this incident. The network was connected to 911 S5, a residential proxy service that allowed users to mask their IP addresses by routing their web activity through compromised devices. The 911 S5 service went offline in July 2022, following a purported hacking incident that damaged essential data. The disruption was reported by independent journalist Brian Krebs. Despite its shutdown, the impacts of its previous operations continued to reverberate, leading to the current sanctions.

The Individuals and Businesses Sanctioned

The sanctioned individuals include Yunhe Wang, allegedly the administrator of the botnet; Jingping Liu, accused of laundering proceeds for Wang; and Yanni Zheng, who reportedly acted as power of attorney for Wang and facilitated business transactions on his behalf through the company Spicy Code Company Limited. The men are believed to reside in Singapore and Thailand, countries that were acknowledged as partners in the sanctions announcement. Three businesses registered in Thailand were also sanctioned for their connections to Wang. These sanctions require that any property and interests owned by the three men within the U.S. be reported to the Treasury, and prohibit U.S. citizens or residents from engaging in business with them. Only these three individuals and the businesses implicated in their fraudulent schemes were sanctioned by the Treasury, but no indictments or legal actions were revealed by the U.S. Department of Justice (DOJ), as is the case in many other instances.

Broader Ongoing Cybersecurity Concerns

The sanctions against these individuals are part of a broader effort by the U.S. government to address cybersecurity threats linked to state-sponsored hacking groups. Google-owned cybersecurity firm Mandiant warned last week that Chinese state hackers are increasingly using vast proxy server networks, built from compromised online devices and virtual private servers, to evade detection during their cyberespionage campaigns. In January, the DOJ announced the takedown of a botnet associated with Volt Typhoon, a hacking group with ties to the Chinese government. This group was known for infecting home and office routers with malware to obscure its hacking activities. The concerted actions by U.S. authorities and private defenders highlight the ongoing challenges and complexities in combating cybercrime and protecting critical financial and infrastructural systems from sophisticated malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Fans of Bring Me The Horizon have been fervently searching for secrets and clues hidden within an 'M8 Artificial Reality game' subtly teased in a recent music video by the band. Near the video's conclusion, a character emerges, briefly greets viewers, and then abruptly instructs them to search for a specific code. Although the discovery of the hidden game thrilled many, excitement was momentarily dampened when the game's website was swapped out for a warning urging visitors not to hack into the system.

Bring Me The Horizon Hidden M8 Artificial Reality Game

Bring Me the Horizon, a British rock band formed in Sheffield in 2004, is celebrated for embedding hidden meanings, easter eggs, and clues in their music. With the release of their latest album, 'POST HUMAN: NeX GEn,' the band has notably deepened this practice, incorporating even more intricate layers of secrets into their songs. In one of the music videos from this album, a character named 'M8' appears and begins to greet the viewer but is abruptly stopped by a 'fatal-error'. M8 then directs the viewer to find the 'serial number' located on the side of its head. A curious listener appeared to have further analyzed the video segment in the video and discovered a hidden spectrogram containing a QR Code, sharing an image file on the rock band's subreddit. Fans further discovered that the QR code led to the URL domain of a hidden clandestine hacking-themed website, containing the M8 Artificial Reality Game. [caption id="attachment_72429" align="alignnone" width="233"] Source: /r/BringMeTheHorizon subreddit[/caption] The M8 Artificial Reality domain then instructed users to enter a hidden serial code, which fans discovered through the use of several other clues. The site contained unreleased tracks, password-protected files, and various mysteries for fans to uncover. [caption id="attachment_72432" align="alignnone" width="2800"] Source: multidimensionalnavigator8.help[/caption] As news of the hidden website spread, fans swiftly set up a dedicated Discord server and collaborated using a Google Doc to unearth all the site’s secrets. However, their excitement was brief. Hackers soon tried to extract further secrets from the website using unconventional methods, leading developers to temporarily shut down the site and issue a warning to fans.

Warnings Over Hacking Attempts

After the hacking attempts, cautionary messages from M8, the album's virtual guide, expressed dismay at the intrusion, stressing on how such actions undermined the spirit of collective exploration. These messages were delivered through both the website which was temporarily replaced with the warning for 2 hours as well as through email. [caption id="attachment_72445" align="alignnone" width="2800"] Source: archive.org[/caption] [caption id="attachment_72448" align="alignnone" width="276"] Source: BringMeTheHorizon ARG Discord[/caption] The developers appeared to indirectly condemn these attempts through the creative  use of the M8 character, without specifying the nature of the intrusion or identifying the perpetrators. Some fans however, upon receiving the email after their explorations, found the message warnings unexpected for what they believed were legitimate interactions. The community believed that these selective few hackers ruined the experience for others, with it's discord server noting the downtime in it's FAQ. 0 Bring Me The Horizon's foray into alternate reality gaming showcases the creative potential of digital media in music and album promotion. As fans continue to work together to unravel the remaining mysteries and solve the puzzles within the ARG, it remains to be seen what other surprises await them on the hidden website. The hacking attempts and the subsequent warnings serves as a reminder that while ARGs can be an engaging and immersive experience, it is essential to respect the developers' intentions and play fair to ensure everyone can enjoy the journey together. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Microsoft has uncovered a new “FakePenny” ransomware variant being deployed by a North Korean threat actor to target organizations in the software, information technology, education and defense industrial base sectors for both espionage and monetary gains. The threat actor, which Microsoft tracks as Moonstone Sleet, was first observed delivering a new custom ransomware variant in April, to an undisclosed company whose networks it compromised a couple of months earlier. The ransomware is straightforward and contains a loader and an encryptor module. North Korean threat actor groups have previously developed such custom ransomware, but “this is the first time we have observed this threat actor deploying ransomware,” the tech giant said.

“Microsoft assesses that Moonstone Sleet’s objective in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation.”

FakePenny ransomware demands exorbitant ransoms, with recent demands reaching $6.6 million in Bitcoin. “This is in stark contrast to the lower ransom demands of previous North Korea ransomware attacks, like WannaCry 2.0 and H0lyGh0st,” Microsoft said. Notably, the ransom note used by FakePenny ransomware closely resembles the one employed in the infamous NotPetya ransomware attack, which is attributed to the North Korean group Seashell Blizzard. This continuity in tactics highlights the interconnected nature of North Korean cyber operations.

Moonstone Sleet’s Strategy and Tradecraft

Moonstone Sleet has a diverse set of operations supporting its financial and espionage objectives. This group has been observed creating fake companies, employing trojanized versions of legitimate tools, and even developing malicious games to infiltrate targets. Their ability to conduct concurrent operations and quickly evolve and adapt their techniques is notable. The threat actor, as noted earlier, has several different tradecrafts under its belt. In early August 2023, Moonstone Sleet delivered a compromised version of PuTTY, an open-source terminal emulator, through platforms like LinkedIn, Telegram, and freelancing websites. The trojanized software decrypted and executed the embedded malware when the user provided an IP and password mentioned in a text document contained in the malicious Zip file that the threat actor sent. The same technique was used by another North Korean actor Diamond Sleet. Moonstone Sleet has also targeted victims using malicious “npm” packages distributed through freelancing sites and social media. These packages often masqueraded as technical assessments, lead to additional malware downloads when executed. Since February 2024, Moonstone Sleet has also taken a different approach by using a malicious game called DeTankWar to infect devices. The group approached targets posing as a game developer or fake company, presenting the game as a blockchain project. Upon launching the game, additional malicious DLLs were loaded, executing a custom malware loader known as “YouieLoad.” This loader performs network and user discovery and browser data collection.

Fake Companies and Work-for-Hire Schemes

Since January 2024, Moonstone Sleet has created several fake companies, including StarGlow Ventures and C.C. Waterfall, to deceive targets. These companies posed as software development and IT service firms, often related to blockchain and AI, to establish trust and gain access to organizations. Moonstone Sleet has also pursued employment opportunities in legitimate companies, which is consistent with reports of North Korea using remote IT workers to generate revenue. Recently, U.S. charged North Korean job fraud nexus that was amassing funds to support its nuclear program. The nexus scammed more than 300 U.S. companies and accumulated at least $6.8 million. This employment tactic could also provide another avenue for gaining unauthorized access to organizations. Moonstone Sleet’s notable attacks include compromising a defense technology company to steal credentials and intellectual property and deploying ransomware against a drone technology firm.

“Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.”

Defending Against Moonstone Sleet

To defend against Moonstone Sleet, Microsoft recommends endpoint detection and response (EDR), implementing attack surface reduction rules to block executable content from email clients and webmail, preventing executable files from running unless they meet specific criteria, use advanced protection against ransomware, and block credential stealing from LSASS. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

TRC Staffing is at the center of a concerning data breach, leaving personal information vulnerable to cybercriminals. Murphy Law Firm has taken action on behalf of the victims, investigating legal avenues for those affected by this security incident. The TRC Staffing data breach was discovered on April 12, 2024, and exposed a security flaw within TRC's network.  Cybercriminals exploited this vulnerability between March 25, 2024, and April 12, 2024, gaining unauthorized access to sensitive data belonging to approximately 158,593 individuals. Names and Social Security numbers were among the compromised information, heightening concerns about potential identity theft and fraud. Explaining the lawsuit to interested parties, Murphy Law Firm, stated that they are "evaluating legal options, including a potential class action lawsuit, to recover damages for individuals who were affected by the data breach.

Understanding the Full Extent of the TRC Staffing Data Breach

In response to this TRC Staffing breach, Murphy Law Firm is actively engaging on behalf of those impacted. Their investigation aims to uncover the full extent of damages and explore avenues for legal recourse, including the possibility of a class action lawsuit. Individuals who have received notifications of the breach or suspect their information may have been compromised are urged to take action. By visiting the dedicated page at https://murphylegalfirm.com/cases/trc-data-breach/, affected parties can access information regarding their rights and legal options. The repercussions of this breach extend beyond mere inconvenience. With personal and highly confidential information potentially circulating on the dark web, the identity of users is at risk. Murphy Law Firm recognizes the urgency of addressing these concerns and is advocating for the rights of those affected.

How Can Victims Join the TRC Staffing Lawsuit?

To join the lawsuit and seek potential compensation, individuals can fill out a contact form provided by Murphy Law Firm. This form requires essential details such as name, contact information, and whether a breach notification letter was received. Additionally, users can provide any relevant information regarding fraud or suspicious activity they may have experienced. For those seeking guidance or further assistance, Murphy Law Firm can be reached directly via email at abm@murphylegalfirm.com or by phone at (405) 389-4989. Protecting the rights and interests of individuals affected by the TRC Staffing data breach is important, and Murphy Law Firm represents the victims with a legal process.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Check Point researchers have observed a surge in threat actor groups targeting remote-access VPN environments as an entry point for gaining access to enterprise networks. In response to these threats, Check Point has been monitoring unauthorized access attempts on Check Point VPNs and has released a preventative solution to address the issue. While the researchers suggested that the issue is broader than Check Point VPNs, the fix applies solely to Check Point environments.

Identification of Unauthorized Access Attempts to Check Point VPN

On May 24, Check Point identified a small number of login attempts using old VPN local accounts that relied on an unrecommended password-only authentication method. The company assembled special teams of Incident Response, Research, Technical Services, and Products professionals to thoroughly investigate these attempts and any other potentially related incidents. Within 24 hours, the teams identified several potential customers who were subject to similar attempts and notified them accordingly. The teams consider password-only authentication methods insecure and more susceptible to the compromise of network infrastructure, recommending against solely relying on these methods when logging into network infrastructure. Several points were advised by the teams as preventative measures, such as:

• Reviewing and disabling unused local accounts.
• Implementing an additional layer of authentication, such as certificates, to password-only accounts.
• Deploying additional solutions on Security Gateways to automatically block unauthorized access.
• Contacting the Check Point technical support team or a local representative for additional guidance and assistance.

In case of suspected unauthorized access attempts, Check Point researchers recommend that organizations analyze all remote access connections of local accounts with password-only authentication, monitor connection logs from the past 3 months, and verify the familiarity of user details, time, source IP address, client name, OS name, and application based on configured users and business needs. Check Point has also released a hotfix to prevent users with password-only authentication from connecting to Security Gateways. After implementation, password-only authentication methods for local accounts will be prevented from logging into the Check Point Remote Access VPN. If any connections or users are not validated, invoking the incident response playbook or contacting Check Point Support or a local Check Point representative is advised. The company stated that it witnessed the compromise of several VPN solutions, including those of various cybersecurity vendors.

Implementing Check Point VPN Hotfix

Check Point released a script to identify potential risks of compromise in its VPN environment. Enterprises can download the VPNcheck_v2.zip archive file and follow the steps mentioned on the solution page. If the script identifies local accounts with password-only authentication, users can proceed with the installation of the Security Gateway Hotfix as an option. The hotfix is available via the Check Point Upgrade Service Engine (CPUSE) or through manual download. The Hotfix implements a new command, blockSFAInternalUsers, to the Security Gateway, allowing admins to block or grant access to internal users with password-only authentication. The default value is set to block internal users from connecting with password-only authentication. After installing the hotfix, users who attempt to connect using the weak password-only authentication method will receive a security log indicating the blocked attempt as failed. As remote operations and online threats rise, organizations must prioritize the implementation of tougher VPN authentication methods while monitoring for unauthorized attempts to access these environments. Failure to do so can lead to compromised network infrastructure or assets, data breaches, and significant financial and reputational damage. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

OpenAI announced a new safety and security committee as it begins training a new AI model intended to replace the GPT-4 system that currently powers its ChatGPT chatbot. The San Francisco-based startup announced the formation of the committee in a blog post on Tuesday, highlighting its role in advising the board on crucial safety and security decisions related to OpenAI’s projects and operations. The creation of the committee comes amid ongoing debates about AI safety at OpenAI. The company faced scrutiny after Jan Leike, a researcher, resigned, criticizing OpenAI for prioritizing product development over safety. Following this, co-founder and chief scientist Ilya Sutskever also resigned, leading to the disbandment of the "superalignment" team that he and Leike co-led, which was focused on addressing AI risks. Despite these controversies, OpenAI emphasized that its AI models are industry leaders in both capability and safety. The company expressed openness to robust debate during this critical period.

OpenAI's Safety and Security Committee Composition and Responsibilities

The safety committee comprises company insiders, including OpenAI CEO Sam Altman, Chairman Bret Taylor, and four OpenAI technical and policy experts. It also features board members Adam D’Angelo, CEO of Quora, and Nicole Seligman, a former general counsel for Sony.

"A first task of the Safety and Security Committee will be to evaluate and further develop OpenAI’s processes and safeguards over the next 90 days." 

The committee's initial task is to evaluate and further develop OpenAI’s existing processes and safeguards. They are expected to make recommendations to the board within 90 days. OpenAI has committed to publicly releasing the recommendations it adopts in a manner that aligns with safety and security considerations. The establishment of the safety and security committee is a significant step by OpenAI to address concerns about AI safety and maintain its leadership in AI innovation. By integrating a diverse group of experts and stakeholders into the decision-making process, OpenAI aims to ensure that safety and security remain paramount as it continues to develop cutting-edge AI technologies.

Development of the New AI Model

OpenAI also announced that it has recently started training a new AI model, described as a "frontier model." These frontier models represent the most advanced AI systems, capable of generating text, images, video, and human-like conversations based on extensive datasets. The company also recently launched its newest flagship model GPT-4o ('o' stands for omni), which is a multilingual, multimodal generative pre-trained transformer designed by OpenAI. It was announced by OpenAI CTO Mira Murati during a live-streamed demo on May 13 and released the same day. GPT-4o is free, but with a usage limit that is five times higher for ChatGPT Plus subscribers. GPT-4o has a context window supporting up to 128,000 tokens, which helps it maintain coherence over longer conversations or documents, making it suitable for detailed analysis. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researchers have observed a significant increase in attempts to spread the Anatsa Banking Trojan under the veil of legitimate-looking PDF and QR code reader apps on the Google Play store. Also known as TeaBot, the malware employs dropper applications that appear harmless to users, deceiving them into unwittingly installing the malicious payload, said researchers at cybersecurity firm Zscaler. Once installed, Anatsa extracts sensitive banking credentials and financial information from various global financial applications. It achieves this through overlay and accessibility techniques, allowing it to discreetly intercept and collect data.

Distribution and Impact of Anatsa Banking Trojan

Two malicious payloads linked to Anatsa were found in the Google Play store, distributed by threat actors. The campaign impersonated PDF reader and QR code reader applications to attract numerous installations. The high number of installations, which had surpassed 70,000 at the time of analysis, further convinced victims of the applications' legitimacy. Anatsa employs remote payloads retrieved from Command and Control (C&C) servers to perform additional malicious activities. The dropper application contains encoded links to remote servers, from which the subsequent stage payload is downloaded. Along with the payload, the malware fetches a configuration file from the remote server to execute the next stage of the attack.

Anatsa Infection Steps

The Anatsa banking trojan works by employing a dropper application and executing a payload to launch its malicious activities. Dropper Application:

• The fake QR code application downloads and loads the DEX file.
• The application uses reflection to invoke code from the loaded DEX file.
• Configuration for loading the DEX file is downloaded from the C&C server.

Payload Execution:

• After downloading the next stage payload, Anatsa performs checks on the device environment to detect analysis environments and malware sandboxes.
• Upon successful verification, it downloads the third and final stage payload from the remote server.

Malicious Activities:

• The malware injects uncompressed raw manifest data into the APK, deliberately corrupting the compression parameters in the manifest file to hinder analysis.
• Upon execution, the malware decodes all encoded strings, including those for C&C communication.
• It connects with the C&C server to register the infected device and retrieve a list of targeted applications for code injections.

Data Theft:

• After receiving a list of package names for financial applications, Anatsa scans the device for these applications.
• If a targeted application is found, Anatsa communicates this to the C&C server.
• The C&C server then supplies a counterfeit login page for the banking operation.
• This fake login page, displayed within a JavaScript Interface (JSI) enabled web view, tricks users into entering their banking credentials, which are then transmitted back to the C&C server.

[caption id="attachment_71735" align="aligncenter" width="1038"] Anatsa Banking Trojan Attack Chain (Source: Zscaler)[/caption] The Anatsa banking trojan is increasing in prevalence and infiltrates the Google Play store disguised as benign applications. Using advanced techniques such as overlay and accessibility, it stealthily exfiltrates sensitive banking credentials and financial data. By injecting malicious payloads and employing deceptive login pages, Anatsa poses a significant threat to mobile banking security.

Best Practices to Stop the Anatsa Trojan

To protect against such threats, Cyble's Research and Intelligence Labs suggests following essential cybersecurity best practices:

• Install Software from Official Sources: Only download software from official app stores like the Google Play Store or the iOS App Store.
• Use Reputable Security Software: Ensure devices, including PCs, laptops, and mobile devices, use reputable antivirus and internet security software.
• Strong Passwords and Multi-Factor Authentication: Use strong passwords and enable multi-factor authentication whenever possible.
• Be Cautious with Links: Be careful when opening links received via SMS or emails.
• Enable Google Play Protect: Always have Google Play Protect enabled on Android devices.
• Monitor App Permissions: Be wary of permissions granted to applications.
• Regular Updates: Keep devices, operating systems, and applications up to date.

By adhering to these practices, users can establish a robust first line of defense against malware and other cyber threats, Cyble researchers said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: securityboulevard.com – Author: Wajahat Raja Recent reports claim that the Microsoft Threat Intelligence team stated that a cybercriminal group, identified as Storm-1811, has been exploiting Microsoft’s Quick Assist tool in a series of social engineering attacks. This group is known for deploying the Black Basta ransomware attack. On May 15, 2024, Microsoft released details […]

La entrada Black Basta Ransomware Attack: Microsoft Quick Assist Flaw – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

A cybercriminal going by the alias "SpidermanData" has claimed to breach and advertise a massive database purportedly linked to Ticketmaster Entertainment, LLC. The claim of the Ticketmaster data breach, dated May 27, 2024, was posted on the cybercrime forum Exploit and shares threatening information about the organization, including database of “560M Users + Card Details”. The threat actor has also claimed to have access to 1.3TB of stolen data and is currently selling it for $500k. The post, accompanied by sample data, suggests that the data indeed belongs to Ticketmaster Entertainment. However, the American ticket sales and distribution company has yet to share any information about this alleged Ticketmaster data breach.  Additionally, apart from the Ticketmaster data breach, the company is also facing a lawsuit from The Justice Department for anti-competitive practices, limiting venue options, and threatening financial consequences. The lawsuit follows public outcry, including ticketing issues during Taylor Swift's tour. High prices, fueled by post-pandemic demand, have intensified scrutiny. Live Nation denies monopolistic behavior, but the lawsuit contends their dominance drives up prices. The Ticketmaster data breach poses another threat to the organization since databases of this caliber are usually the hot-selling items on the dark web. 

Ticketmaster Data Breach: The Worst Time to Have a Cybersecurity Incident

SpidermanData claims to have access to a staggering 560 million records brimming with personally identifiable information (PII) of customers, including sensitive payment card details. This breach couldn't have come at a worse time for Ticketmaster, coinciding with the onset of several major music festivals scheduled between May 2024 and January 2025.  Among these highly anticipated events is the FOREIGNER concert, featuring legendary rock acts led by Mick Jones and Kelly Hansen. The musical act will begin on June 11, 2024, in the United States and will conclude on November 9, 2024. Following suit is the iconic band HEART, set to perform across the United States from July to November 2024, culminating in an international concert in Calgary, AB, Canada. Meanwhile, Allison Russell and Hozier are primed to perform from May to August 2024. Adding to this list of bands performing this year, artists like Ian Munsick, Prateek Kuhad, and Kathleen Hanna will also go on tours across North America between 2024 and 2025. However, the jubilant atmosphere surrounding these events is now overshadowed by the threat of, one of the biggest data breaches, threatening millions of users globally.  The purportedly compromised data, amounting to a staggering 1.3 terabytes, has been divided into 15 parts, with the hacker offering samples from two segments. One dataset, extracted from a 'PATRON' database, contains a plethora of personal information, including names, addresses, emails, and phone numbers. Meanwhile, the other dataset includes information about customer sales, encompassing crucial details like event IDs and payment methods.

The Aftermath and Industry Implications

SpidermanData has listed the entire dataset for sale, quoting a hefty price tag of USD 500,000, and restricting the sale to a single buyer. The gravity of this situation cannot be overstated, with the compromised data posing significant risks of identity theft, financial fraud, and other criminal activities - something we've already seen in previous data breaches like the MOVEit File Transfer incident.  Live Nation Entertainment, the parent company of Ticketmaster, stands as a global juggernaut in the live entertainment domain, organizing and promoting thousands of shows annually across more than 40 countries. Meanwhile, Ticketmaster's pivotal role in facilitating ticket sales for musical and non-musical events highlights its significance within the industry, making it a prime target for cybercriminals seeking to exploit vulnerabilities for personal gain. The current Ticketmaster data breach is not the first time that the organization has faced a cyberattack. In November 2020, the company faced a hefty £1.25 million fine from the Information Commissioner's Office (ICO) following a payment data breach in 2018. The breach, stemming from a vulnerability in a third-party chatbot, compromised the personal and payment details of over nine million customers in Europe, triggering widespread fraud and financial losses. Whether the current data breach represents a resurgence of previously compromised data or the acquisition of freshly stolen data, the premise origin of the information about the databases remains unclear. Nevertheless, The Cyber Express will be closely monitoring the situation and we’ll update this post once we have more information on the Ticketmaster data leak or any official confirmation from the organization.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The impact of the Cencora data breach is far more widespread than earlier thought as more than a dozen pharmaceutical giants including Novartis and GlaxoSmithKline disclose personal and health information data leaks stemming from the February breach incident. Cencora Inc., formerly recognized as AmerisourceBergen, and its Lash Group affiliate announced in a February filing with the Securities and Exchange Commission (SEC) that the company faced a cybersecurity incident where “data from its information systems had been exfiltrated.” Cencora is a major pharmacy company with over 46,000 employees and approximately $262.2 billion in revenue in 2023. Based in Pennsylvania, it operates in around 50 countries globally. The popular American drug wholesaler did not disclose the extent of the data breach in its February SEC filing but did confirm at the time that some of the data exfiltrated in the attack could contain personal information. Last week, however, Cencora and The Lash Group clients began notifying state Attorneys General about a data breach that stemmed from the February cybersecurity incident at Cencora. At least 15 pharmaceutical companies reported that the personal data of hundreds of thousands of individuals were compromised. Notifications identified the following affected companies:

• AbbVie Inc.
• Acadia Pharmaceuticals Inc.
• Bayer Corporation
• Bristol Myers Squibb Company and Bristol Myers Squibb Patient Assistance Foundation
• Dendreon Pharmaceuticals LLC
• Endo Pharmaceuticals Inc.
• Genentech, Inc.
• GlaxoSmithKline Group of Companies and the GlaxoSmithKline Patient Access Programs Foundation
• Incyte Corporation
• Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
• Novartis Pharmaceuticals Corporation
• Pharming Healthcare, Inc.
• Regeneron Pharmaceuticals, Inc.
• Sumitomo Pharma America, Inc. / Sunovion Pharmaceuticals Inc.
• Tolmar

State Attorneys General often announce data breaches without specifying the number of affected people but AG’s office in Texas does disclose the number impacting the state residents. Based on these partial numbers, at least 542,000 individuals seem to be impacted from the Cencora data breach, till date. The Cyber Express reached out to Cencora for confirming the total number of individuals impacted to understand the full extent of the data breach but did not receive any communication till the time of publishing the article.

Cyber Forensic Findings from the Cencora Data Breach

Cencora detected the cyberattack on February 21, and took immediate action to contain and prevent further unauthorized access. Based on the investigation that likely concluded in April, Cencora said personal information including first name, last name, address, date of birth, health diagnosis, and medications and prescriptions was compromised in the attack. AmerisourceBergen Specialty Group (ABSG), a unit of Cencora, said Friday the breach involved data of a prescription supply program run by the now defunct subsidiary, Medical Initiatives Inc. Further details on how the supply program was exploited remain unclear. U.S. has been rocked by a host of cybersecurity breaches linked to the healthcare industry in recent days. While Change Healthcare cyberattack was one of the most notable ones, the Medstar and Ascension breaches have displayed the vulnerability of the healthcare sector to cyberattacks. The latest in the list of healthcare data breaches is the Sav-Rx data breach that compromised the health data of more than 2.8 million people. Cencora’s investigation, however, found no connection with other major healthcare cyberattacks and, in its notifications, said they were unaware of any actual or attempted misuse of the stolen data. The company said it has not seen any public disclosure of the stolen data, till date. The affected individuals have been offered 24 months of credit monitoring and identity theft remediation services at no cost and steps have also been taken to harden defenses to prevent such security breaches in the future. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Greek Personal Data Protection Authority (PDPA) has imposed significant fines on the Greek Ministry of Interior and New Democracy MEP Anna-Michelle Asimakopoulou for their roles in violating data protection regulations in the 'email-gate' scandal. The fines come after an investigation into the "email-gate" scandal, in which Asimakopoulou was accused of sending unsolicited emails to Greeks living abroad ahead of the European Parliament elections in June.

Ministry of Interior Violations and Consequences

The authority found that a file of 25,000 voters registered for the June 2023 elections had been leaked between June 8 and 23, 2023. The list, which included voter emails, was sent to New Democracy's then Secretary for Diaspora Affairs, Nikos Theodoropoulos, by an unknown individual. Theodoropoulos forwarded the file to MEP Asimakopoulou, who used it to send mass campaign emails in violation of data protection laws and basic principles of legality. [caption id="attachment_71501" align="alignnone" width="1000"] Source: Shutterstock (MEP Anna-Michelle Asimakopoulou)[/caption] On receiving the unsolicited emails to their private accounts, several Greek diaspora voters living abroad expressed their surprise on social media and accused the New Democracy MEP of violating the European Union’s General Data Protection Regulation (GDPR). The expats questioned how the addresses were obtained by the MEP for use in the email campaigns. Asimakopoulou earlier attempted to refute allegations of violating these data protection laws but was found to provide contradictory explanations regarding the source from which these addresses were obtained for usage in the mass email campaign. As a result, the Ministry of Interior faces a 400,000-euro fine, while Asimakopoulou faces a 40,000-euro fine. The authority also postponed its verdict on Theodoropoulos and the New Democracy party  to examine new claims related to the investigation. The PDPA stated in its investigation that the use of the emails, “was in violation of the basic principle of legality, objectivity and transparency of processing, as it was in violation of a series of provisions of the electoral legislation and furthermore could not reasonably be expected.” The ministry said it will "thoroughly study" the authority's decision to consider further legal actions. The "email-gate" scandal has led to significant consequences, including the resignation of the general secretary of the Interior Ministry, Michalis Stavrianoudakis, and the dismissal of Theodoropoulos by New Democracy. Asimakopoulou has announced she will not run in the European Parliament elections. Asimakopoulou is also facing 75 lawsuits by citizens and over 200 lawsuits from the Interior Ministry, over the scandal.

Reaction of Opposition Parties to the Investigation Results

Opposition parties are now demanding the resignation of Interior Minister Niki Kerameos following the outcome of the investigation into the unsolicited emails. [caption id="attachment_71241" align="alignnone" width="1000"] Source: Shuttertock (Interior Minister Niki Kerameos)[/caption] The main opposition party SYRIZA released a statement asserting that “private data were being passed around for months among the Interior Ministry, ND, and at least one election candidate,” questioning whether the email list had been leaked to other New Democracy candidates by the Interior Ministry. While the Interior Minister might not have been directly involved, SYRIZA claimed that “Kerameos did not have the guts to show up at the Committee on Institutions and Transparency.” The Socialist PASOK Party also demanded Kerameos’ resignation, adding that the violation demonstrates the government as “incapable of fulfilling the self-evident, as proven by the high fines.” Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Recent reports claim that the Microsoft Threat Intelligence team stated that a cybercriminal group, identified as Storm-1811, has been exploiting Microsoft’s Quick Assist tool in a series of social engineering attacks. This group is known for deploying the Black Basta ransomware attack. On May 15, 2024, Microsoft released details about how this financially motivated group […]

The post Black Basta Ransomware Attack: Microsoft Quick Assist Flaw appeared first on TuxCare.

The post Black Basta Ransomware Attack: Microsoft Quick Assist Flaw appeared first on Security Boulevard.

In a recent disclosure by ONEKEY Research Lab, a critical vulnerability in the TP-Link Archer C5400X gaming router was exposed, leading to remote command execution. The TP-Link Archer C5400X is a gaming router, with integrated malware defense, and has compatibility with Alexa voice commands and IFTTT applets. This TP-Link Archer C5400X vulnerability, tracked as CVE-2024-5035, was rooted in command injection, a format string vulnerability, and buffer overflows within components such as rftest and libshared.  The vulnerability, known to affect versions before 1_1.1.7, posed a grave risk to users, potentially allowing malicious actors to execute arbitrary commands remotely with elevated privileges. While the format string vulnerability requires specific conditions for exploitation, the focus of this revelation centered around the rftest binary, integral to the device's wireless functionality. In the patch update by TP-Link, the Archer C5400X vulnerability has been fixed in version 1_1.1.7.

The Timeline of TP-Link Archer C5400X Vulnerability Exposure

According to ONEKEY Research Lab, the TP-Link Archer C5400X vulnerability was initially reported on February 16, 2024, with the submission of a detailed report to TP-Link's PSIRT. Following the report, TP-Link promptly initiated a case on February 19. [caption id="attachment_71171" align="alignnone" width="1096"] Source: ONEKEY[/caption] After collaborative efforts and validation processes, TP-Link shared a beta version of 1.1.7p1 on April 10 for further testing, culminating in the confirmation and release of the patch by ONEKEY on May 27, 2024. The vulnerability exposed a critical flaw in the TP-Link Archer C5400X gaming router, rendering it susceptible to remote command execution. This exploit granted unauthorized users the ability to execute arbitrary commands on the device, posing security risks to users' data and network integrity. “It seems the need to provide a wireless device configuration API at TP-Link had to be answered either fast or cheap, which ended up with them exposing a supposedly limited shell over the network that clients within the router could use as a way to configure wireless devices”, said OneKey in the advisory. 

Understanding the TP-Link Archer C5400X Vulnerability

[caption id="attachment_71174" align="alignnone" width="822"] Source: TP-Link[/caption] Central to this TP-Link Archer C5400X vulnerability is the rftest binary, launched during the device's initialization sequence. This binary, responsible for wireless interface self-assessment, inadvertently exposes a network service vulnerable to unauthenticated command injection. Attackers can leverage this vulnerability to remotely execute commands with elevated privileges, potentially compromising the device and its connected network. To mitigate the risk posed by this vulnerability, users are strongly advised to upgrade their devices to version 1_1.1.7. TP-Link has implemented fixes to prevent command injection through shell meta-characters, thereby enhancing the security posture of affected devices. However, users must remain vigilant and proactive in ensuring their devices are up to date with the latest firmware releases to safeguard against emerging threats.

Exposing Recent Vulnerabilities in Routers

The TP-Link Archer C5400X router vulnerability is just one of the cases where a flaw was exploited without a third-party breach. Previously, CISA flagged two end-of-life D-Link routers, adding them to their Known Exploited Vulnerabilities catalog.  The router vulnerabilities, CVE-2014-100005 and CVE-2021-40655, affected three main products, DIR-600, DIR-605, and DIR-605L. Exploitation of these vulnerabilities allowed unauthorized configuration changes and the theft of usernames and passwords.  The Cyber Security Agency of Singapore also stressed these two vulnerabilities, stating that the mitigation strategy to avoid exploitation is to “retire and replace their devices with products that are supported by the manufacturer.” Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In recent cybersecurity news, Google has swiftly addressed a critical security concern by releasing an emergency update for its Chrome browser. This update targets the third zero-day vulnerability detected in less than a week. Let’s have a look at the details of this Google Chrome zero-day patch and understand its implications for user safety.   […]

The post Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw appeared first on TuxCare.

The post Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw appeared first on Security Boulevard.

Islamabad's Safe City Authority experienced a significant disruption when its online system was breached by hackers, prompting an immediate shutdown. The Safe City Islamabad Project, initiated by the PPP-led government and backed by a Chinese government concessional loan, aimed to enhance the capital's surveillance and security capabilities with the installation of 1,950 CCTV cameras, a bomb-proof command center, a 4G communication network, and advanced monitoring systems such as facial recognition technology. This unforeseen event has raised concerns over the security and the vulnerability of the system, as law enforcement officials scramble to assess the damage and restore operations.

Islamabad's Safe City Authority Breach and Initial Response

The breach revealed several systemic weaknesses within the Safe City Authority's digital infrastructure. Hackers successfully infiltrated the primary server, gaining unauthorized access to databases containing criminal records and sensitive information. While the system's firewall did issue an alert upon detecting the intrusion, the absence of backup servers and contingency plans forced a complete shutdown of the affected software and applications. The assault compromised several integral systems, including the Complaint Management System, Criminal Management Record System, and Human Resource Management System, along with software and applications vital for the Operation Division. [caption id="attachment_70433" align="alignnone" width="2800"] Source: china.aiddata.org[/caption] The compromise of these systems impacted several critical services tied to the Safe City initiative. This includes mobile applications, smart police vehicle records, police station data, video analytics, Islamabad Traffic Police, e-challan systems, and records from the operations division. Approximately 13 to 15 servers provided by the police facilitation center F-6 were also affected. An officer highlighted to Dawn, Pakistan's largest English newspaper, that this incident was not a typical hacking scenario involving stolen login credentials. Instead, the system's vulnerability stemmed from the use of simple and common login IDs and passwords by officials, making it easier for hackers to gain access. Additionally, many of the software and applications were found to be outdated or with expired licenses, further compromising the system's security. Despite the breach of several systems, the Safe City cameras' management system that operated independently through offline direct lines, remained secure, demonstrating the effectiveness of isolated systems in safeguarding against such attacks. Police spokesperson Taqi Jawad confirmed the intrusion as an attempted breach that triggered the firewall's alarm but stated that appropriate precautionary measures had been taken. "All logins have been closed for the past two days to change them, including those of police stations and officers at various ranks," he stated. Jawad refrained from sharing further specifics on the server shutdowns as he stated they were still pending technical feedback

Controversy Over Islamabad's Safe City Authority

Islamabad's Safe City project has been a source of serious controversy, with several litigations over contract transparency and cost inflation, leading the Supreme Court's order to cancel the initial contract with Huawei in 2012. The contract was later renegotiated, and the project resumed under the PMLN (Pakistan Muslim League)  government, with the command center becoming operational in 2016. By 2016, 1,805 cameras were installed, and as of 2021, 95% remained functional. Despite the extensive infrastructure, police sources claimed in 2022 that the system had not prevented any incidents or facilitated any arrests, raising questions about its effectiveness. Due to financial strain, Pakistan and China Eximbank signed several debt suspension agreements from July 2020 to December 2021, temporarily suspending principal and interest payments under the concessional loan agreement. Tragically, the project's director was found dead in July 2022 in an apparent suicide. The successful breach of the authority's systems draws additional controversy towards the project, which was intended to be a cornerstone of Islamabad's security infrastructure but has encountered several operational, legal, and financial setbacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Optus, one of Australia's largest telecommunications companies, has lost a legal battle in the Federal Court. The Australian Federal Court has ordered the company to release an external review performed by Deloitte to investigate the cause of a significant 2022 cyberattack that led to the release of sensitive customer data. The Optus 2022 data breach resulted in the exposure of the names, dates of birth, phone numbers, and email addresses of over 10 million customers with addresses, driver's licence or passport numbers being exposed for a portion of the affected customers.

Optus Appeal Against Sharing External Deloitte Report

The data breach incident along with 14-hour outage of its telecommunication services, frustrations over the availability of information/credit monitoring services and attempts of attackers to exploit the compromised data for use in SMS phishing attacks, led to intense scrutiny towards the company. [caption id="attachment_70354" align="alignnone" width="2230"] Source: www.optus.com.au/support/cyberresponse[/caption] The company commissioned an independent external forensic review of the cyberattack from Deloitte over its security systems, controls and processes under the advise of the then CEO Kelly Bayer Rosmarin and the approval of its board. Bayer made the following statement over the decision:

“This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists.

Kelly, later resigned over the incident with Optus now being led by a new CEO, who is working to rebuild trust with customers in a 'challenging' market. Despite the efforts of the company to deal with the data breach, the recent court decision comes after Optus appealed an earlier ruling that it must hand over the report to Slater & Gordon, the law firm pursuing a class action against the company for allegedly failing to protect its customers' personal information. Optus has not yet made a public statement regarding the Federal Court's decision. However, the company had previously argued that the Deloitte report was commissioned to provide legal advice and therefore it was privileged. The court, however, decided that Optus had failed to prove that the dominant purpose of the report was for legal advice.

Class Action Law Suit Against Optus and Implications of Court Ruling

Slater & Gordon, the law firm representing the affected Optus customers, has welcomed the court's decision. The law firm's class actions practice group leader, Ben Hardwick, criticized Optus's efforts to keep the report confidential, stating that it indicates the company's refusal to accept responsibility for its role in the data breach and its impact on millions of its customers. In it's April 2023 press release, the law firm's leader had stated that more than 100,000 of Optus’s current and former customers had registered for the class action, with some notable examples among the group group such as:

• a domestic violence victim who spent money that was intended for counselling for her children on increasing security measures around the house, including installing video cameras and extra locks on doors and windows

• a former Optus customer who had previously been burgled and had his identity stolen who now suffers severe anxiety after learning his personal information had been shared online

• a stalking victim who takes extreme measure to maintain her privacy, especially her address, who fears her life has genuinely been put in danger by the data breach

• a woman who is now too fearful to answer the telephone after noticing an increase in scam phone calls following the Optus cyberattack, and

• a retired police officer concerned that his home address may have been shared with criminals he was involved in the prosecution and incarceration of.

The press release also cited the frustration several customers expressed over alleged delays by Optus in providing details over the data breach, and reported inconsistencies in how the telecommunications giant had been treating affected customers Some Optus registrants claimed to the law firm that they were dismissed when they sought further information from Optus, while others informed that the company refused to pay for credit monitoring services under the basis that they were no longer Optus customers. “There appears to have been a piecemeal response from Optus, rather than a coordinated approach that made sure everyone whose data was compromised is treated the same." The Federal Court's decision sets a significant precedent for companies involved in data breaches. It underscores the importance of transparency and accountability in such situations, and it may encourage other companies to take stronger measures to protect their customers' personal information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Cyber Express World CyberCon 3.0 META cybersecurity conference in Dubai was a standout event, showcasing significant achievements in cybersecurity with its prestigious META Awards. Hosted at Al Habtoor Palace, the awards ceremony gathered top talent from the cybersecurity sector, honoring individuals and organizations that have significantly enhanced cyber defenses across the META region. Among the esteemed awardees, Thomas Heuckeroth from Emirates Group and Dr. Hoda A. Alkhzaimi from EMaratsec were recognized as The Cyber Express Cybersecurity Persons of 2024 for their exceptional contributions. Here is the complete list of all other winners:

The Cyber Express Cybersecurity Person of 2024 (META): Man

• Thomas Heuckeroth, SVP IT Infrastructure & Digital Platforms, Emirates Group

[caption id="attachment_70293" align="aligncenter" width="2800"] (L-R: Beenu Arora, Co-Founder and CEO, Cyble Inc., Thomas Heuckeroth, SVP IT Infrastructure & Digital Platforms, Emirates Group and Jo Mikleus, Senior Vice President, Cyble Inc.)[/caption]

The Cyber Express Cybersecurity Person of 2024 (META): Woman

• Dr. Hoda A Alkhzaimi, EMaratsec

The Cyber Express Cybersecurity Diversity and Inclusion Advocates of 2024

• Yana Li, WebBeds

• Dina AlSalamen, Bank ABC (Jordan)

• Rudy Shoushany, DxTalks

• Aus Alzubaidi, MBC Group
• Saltanat Mashirova, Honeywell

The Cyber Express Infosec Guardians of 2024 (BFSI)

• Anthony Sweeney, Deribit

• Bipin Mehta, HSBC Bank
• Syed Muhammad Ali Naqvi, HBL Bank
• Kiran Kumar PG, Alpheya
• Ahmed Nabil Mahmoud, Abu Dhabi Islamic Bank

The Cyber Express Infosec Guardians of 2024 (Government & Critical Entities)

• Talal AlBalas from Abu Dhabi Quality and Conformity Council (ADQCC)

• Abdulwahab Abdullah Algamhi, UAE ICP 
• Vinoth Inbasekaran, Dubai Government Entity - Alpha Data 
• Dr Hamad Khalifa Alnuaimi, Abu Dhabi Police 
• Dr Saeed Almarri, Dubai Police 

The Cyber Express Top Cybersecurity Influencers of 2024

• Dr. Mohammad Al Hassan, Abu Dhabi University
• Maryam Eissa Alhammadi, Ministry of Interior
• Hadi Anwar, CPX
• Waqas Haider, HBL Microfinance Bank
• Chenthil Kumar, Red Sea International
• Nishu Mittal, Emirates NBD
• Nisha Rani, Emirates Leisure Retail

The Cyber Express Top InfoSec Leaders 2024

• Mohamad Mahjoub, Veolia Near and Middle East
• Ankit Satsangi, Beeah Group
• Gokul Vasudev, Dubai Health Authority
• Ashish Khanna, SHARAF GROUP
• Abhilash Radhadevi, Oq Trading
• Prashant Nair, Airtel Africa PLC

The Cyber Express Top Infosec Entrepreneurs 2024

• May Brooks Kempler, Helena
• Illyas Kooliyankal, CyberShelter
• Kazi Monirul, Spider Digital
• Muneeb Anjum, AHAD
• Craig Bird, CloudTech24
• Zaqiuddin Khan, Tech Experts LLC
• Alireza Shaban ghahrod, Diyako Secure Bow

Insightful Discussions and Networking

The awards set a celebratory tone that carried through the rest of the conference. The day commenced with a vibrant atmosphere as attendees gathered for registration and explored the exhibition area, setting the stage for a day of insightful discussions and networking opportunities. Augustin Kurian, Editor-in-Chief of The Cyber Express, extended a warm welcome, emphasizing the importance of collaborative efforts in cultivating a secure cyber environment.

Keynote and Panel Sessions

Irene Corpuz, Co-Founder of Women in Cybersecurity Middle East, delivered the opening keynote, shedding light on the imperative of incubating security and nurturing a cyber-aware culture, particularly within startup ecosystems. Corpuz's address highlighted the significance of proactive measures in addressing cybersecurity challenges from the outset. Panel discussions served as focal points for in-depth exploration of key cybersecurity issues. From navigating cyber threats to leveraging innovative approaches for threat detection, industry experts provided valuable insights into emerging trends and strategic investments in cybersecurity. Notable panelists included Waqas Haider of HBL Microfinance Bank, Beenu Arora of Cyble, and Azhar Zahiruddin of Chalhoub Group, among others.

Diversity and Inclusion

The Cyber Express's World CyberCon Meta Edition event also celebrated diversity and inclusion in cybersecurity, honoring advocates who have championed these principles within their respective domains. Yana Li of WebBeds and Dina AlSalamen of Bank ABC were among the esteemed recipients of The Cyber Express Cybersecurity Diversity and Inclusion Advocates of 2024 award, acknowledging their efforts in fostering an inclusive cyber community. Strategic insights were further highlighted during panel discussions focusing on fortifying against ransomware and the role of AI and ML in enhancing threat detection. Expert moderators facilitated engaging conversations, addressing critical challenges and sharing best practices for prevention, mitigation, and swift recovery.

Conclusion

The Cyber Express World Cybercon 3.0 META Cybersecurity Conference successfully raised the bar for the collective dedication of cybersecurity professionals in the META region. By fostering dialogue, sharing insights, and recognizing excellence, the event played an important role in advancing cybersecurity resilience and shaping the future of cybersecurity across industries. The Cyber Express awards recognized the hard work and innovative solutions of the finest brains in cybersecurity, emphasizing the message that collaborative and proactive actions are critical to protecting our digital future. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Russian hackers were found using legitimate remote monitoring and management software to spy on Ukraine and its allies. The malicious scripts required for downloading and running the RMM program on the victims’ computers are hidden among the legitimate Python code of the “Minesweeper” game from Microsoft. The Government Computer Emergency Response Team of Ukraine (CERT-UA), operating under the State Special Communications Service, warned that Russian cybercriminals are using the legitimate SuperOps RMM software program to gain unauthorized access to Ukrainian organizations’ information systems, particularly those in the financial sector. The Cyber Security Center of the National Bank of Ukraine (CSIRT-NBU) and CERT-UA recorded and analyzed phishing emails sent to victims with a Dropbox link containing an executable file (.SCR) that was about 33 megabytes in size. The emails were sent from the address “support@patient-docs-mail.com,” which impersonated a medical center and had the subject line “Personal Web Archive of Medical Documents.” The .SCR file contained a Python clone of the Minesweeper game along with malicious Python code that downloads additional scripts from a remote source “anotepad.com.” The Minesweeper code contained a function named “create_license_ver” which is repurposed to decode and execute the hidden malicious code. The legitimate SuperOps RMM program is eventually downloaded and installed from a ZIP file, granting attackers remote access to the victim’s computer. The CERT-UA found five similar files, named after financial and insurance institutions in Europe and the USA, indicating that these cyberattacks, which took place between February and March 2024, have a wide geographic reach. CERT-UA tracked this threat activity to an actor it identified as UAC-0188. UAC-0118, also known as FRwL or FromRussiaWithLove, is a Russian state-aligned hacktivist threat actor group that emerged during the Russia-Ukraine war in 2022. They primarily targeted critical infrastructure, media, energy and government entities. FRwL has been previously linked to the use of the Vidar stealer and Somnia ransomware, which they employ as a data wiper rather than for financial gain. While there is no direct evidence linking FRwL to the Russian Main Intelligence Directorate, it is possible that they coordinate activities with state-aligned hacktivist groups.

Possible Defense Against Ongoing Remote Monitoring Campaign

CERT-UA recommends the following:

• Organizations not using SuperOps RMM should verify the absence of network activity associated with the domain names: [.]superops[.]com, [.]superops[.]ai.
• Improve employee cyber hygiene.
• Use and constantly update anti-virus software.
• Regularly update operating systems and software.
• Use strong passwords and change them regularly.
• Back up important data.

Ukrainian Financial Institutions Also on Smokeloader’s Radar

The financially motivated group UAC-0006 has actively launched phishing attacks targeting Ukraine through 2023. CERT-UA reported the resurfacing of UAC-0006 in spring 2024, with hackers attempting to distribute Smokeloader, a common malware in the group’s toolkit. This threat group’s goal has primarily been to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems. SmokeLoader is a malicious bot application and trojan that can evade security measures to infect Windows devices. It can then install other malware, steal sensitive data and damage files, among other issues. Throughout 2023, UAC-0006 conducted several phishing campaigns against Ukraine, exploiting financial lures and using ZIP and RAR attachments to distribute Smokeloader CERT-UA last week issued another warning about a significant surge in UAC-0006 activity. Hackers have conducted at least two campaigns to distribute Smokeloader, displaying similar patterns to previous attacks. The latest operations involve emails with ZIP archives containing images that include executable files and Microsoft Access files with macros that execute PowerShell commands to download and run other executable files. After initial access, the attackers download additional malware, including TALESHOT and RMS. The botnet currently consists of several hundred infected computers. CERT-UA anticipates an increase in fraudulent operations involving remote banking systems and thus, strongly recommends enhancing the security of accountants’ automated workstations and ensuring the implementation of necessary policies and protection mechanisms to reduce infection risks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Bitdefender has launched the AI scam detector, Scamio, on WhatsApp in Australia. This innovative integration empowered Australians to utilize WhatsApp as a platform for efficiently verifying online scams and fraud instances. Bitdefender Scamio aims to address rising concerns surrounding online scams by providing a highly accessible and user-friendly tool directly within WhatsApp. Users could interact with the chatbot by submitting questionable content and conversationally describing the context. 

Bitdefender’s Scamio is Now Available on WhatsApp in Australia

Bitdefender Scamio is an AI-driven chatbot that analyzes data and provides a verdict within seconds, along with recommendations for further action. Additionally, with this latest integration with WhatsApp, over 7.4M Australian users can use Scamio as their personal scam checker. [caption id="attachment_70308" align="alignnone" width="1200"] Source: Bitdefender[/caption] The integration of Bitdefender’s Scamio with WhatsApp was a strategic response to the increasing use of artificial intelligence by malicious actors. Scammers were exploiting popular messaging apps and online services to steal money, credentials, and personal data. By integrating Scamio into WhatsApp, Bitdefender aimed to disrupt these criminal activities by offering a sophisticated tool capable of keeping pace with online scam tactics. The enhanced accessibility provided by this feature aimed to provide an additional layer of security for Australians, who were disproportionately targeted by online fraudsters. Having Scamio available within WhatsApp streamlined the scam verification process for everyday users, reducing the time and effort required to identify potential scams.

How to use Bitdefender’s Scamio for Scam Detection?

In the USA and other countries, online scams remained a major concern, with the number of internet fraud reports rising in recent years. Phishing and online shopping scams were among the most common types reported. To combat this issue, governments intensified efforts to inform the public and assist in preventing internet fraud and scams. Scamio, Bitdefender's next-gen AI chatbot, combined artificial intelligence with exceptional threat-detection algorithms, machine learning, pattern recognition, and advanced data analysis techniques to identify even the most sophisticated scams. Accessible on any device without requiring installation, Scamio helped users quickly verify suspicious links, text messages, emails, and QR codes—all for free. To use this chatbot, users could access the web app or add it as a contact on WhatsApp or Facebook Messenger. Once logged in, users could describe scam details, copy and paste texts or links, or upload pictures or screenshots of deceptive messages. Scamio then analyzed the material and provided recommendations to ensure users didn't fall victim to cybercriminals. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

One of the most critical yet often overlooked aspects of cybersecurity is the timely patching of vulnerabilities. While much attention is given to sophisticated phishing attacks and the menace of password brute-forcing, the importance of addressing unpatched vulnerabilities cannot be overstated. These vulnerabilities represent low-hanging fruit for cybercriminals, offering a relatively straightforward path into systems. […]

The post The Importance of Patching Vulnerabilities in Cybersecurity appeared first on TuxCare.

The post The Importance of Patching Vulnerabilities in Cybersecurity appeared first on Security Boulevard.

By Reuben Koh, Director, Security Strategy - Asia Pacific & Japan, Akamai Technologies  The cybersecurity landscape is rife with evolving threats, as highlighted by recent reports and surveys. External actors remain a predominant force, accounting for 83% of breaches, with stolen credentials being their weapon of choice in nearly half of these incidents. DNS attacks continue to plague organizations, causing app downtime of targeted entities, and web application attacks follow closely behind. Ransomware emerges as a formidable threat, dominating cybercrime with over 72% of attacks motivated by extortion. As cyber threats continue to escalate in sophistication and frequency, organizations must prioritize proactive security measures to safeguard their data, systems, and financial stability. Data breaches are a prevalent theme in today's headlines — posing significant risks to businesses, their customers, and partners. One of the first steps to safeguarding your organization’s sensitive data is understanding the primary causes of data breaches. Despite these risks, the adoption of robust security measures lags, with less than 1% of businesses currently employing a mature zero-trust model.

Critical weaknesses behind Data Breaches

Weak and stolen credentials

Although hacking attacks are frequently cited as the leading cause of data breaches, it's often the vulnerability of compromised or weak passwords or personal data that opportunistic hackers exploit. Statistics show that four out of five breaches are partially attributed to the use of weak or stolen passwords. To mitigate the risk of hackers executing an account takeover on sensitive accounts, businesses should consider deploying fraud protection tools. These act as proactive defenses, significantly reducing the likelihood of unauthorized access and enhancing the overall security of your accounts. Bot Managers also address challenges associated with bot traffic on websites and applications. It’s designed to identify, manage, and mitigate both malicious and non-malicious bot traffic, ensuring a more secure and efficient online experience. To further protect your organization, it’s also advisable to implement enterprise single sign-on (SSO), establish strong password hygiene, and set up phishing-resistant multi-factor authentication (MFA) across computer systems — this way, you can prevent personally identifiable information from getting into the wrong person’s hands.

Backdoor and application vulnerabilities

Exploiting backdoor and application vulnerabilities is a favored strategy among cybercriminals. When software applications are poorly written or network systems are inadequately designed, hackers will continuously probe for weaknesses to find open doors that grant them direct access to valuable data and confidential information. Ensuring your web application firewall (WAF) is regularly updated and well-managed helps mitigate these vulnerabilities. Due to constantly shifting attack techniques, organizations should also use advanced artificial intelligence (AI) powered security solutions to identify vulnerabilities and protect against unauthorized access. The WAF should be a robust security solution designed to protect web applications from a variety of cyber threats, including data breaches. It can serve as a barrier between web applications and the internet, scrutinizing and filtering HTTP traffic to identify and mitigate potential vulnerabilities and attacks.

Malware

The prevalence of both direct and indirect malware is increasing. Malware (inherently malicious software) is loaded onto a system by unsuspecting victims, providing hackers with opportunities to not only exploit the affected system but also potentially spread to other connected systems. This type of malware poses a significant security threat as it allows malicious insiders access to confidential information and provides the ability to steal data for financial gain. Implementing an advanced malware protection solution at multiple ingress points in the network can significantly enhance your security posture, reducing the risk that employees will fall victim to malicious software. By leveraging cutting-edge data security in malware detection and prevention, organizations can fortify their data protection defenses against evolving cyber threats and security breaches.

Social Engineering

Cybercriminals and hackers can shorten the effort of establishing unauthorized access by persuading individuals with legitimate data access to do it for them.  Phone calls, phishing scams, malicious links (often sent via email, text, or social media), and other forms of social engineering such as deep fakes are now commonly used to manipulate individuals into unwittingly granting access or divulging sensitive information like login credentials to cybercriminals. Such information can result in a data leak, in which hackers recycle, reuse, and trade-sensitive data like Social Security numbers or personal data for the purpose of identity theft and other illicit activities. Exercising vigilance in sharing sensitive information with external parties is quintessential. Awareness of the information being shared, and verification of legitimacy can serve as a simple yet effective defense against social engineering tactics.

Ransomware

Ransomware is a type of malicious software designed to restrict access to a computer system or files until a sum of money, or ransom, is paid. It typically encrypts the victim's files or locks their system, rendering it inaccessible, and then demands payment (often in cryptocurrency) in exchange for restoring access. Ensuring the safety and protection of your infrastructure against external threats is paramount. Organizations must be confident that attackers haven’t gained access to their systems and aren’t using them for malicious activities. Implementing a robust visibility and protection solution, such as microsegmentation will be helpful in this scenario. Microsegmentation offers a straightforward, fast, and intuitive approach to enforce Zero Trust principles within your network. This solution is designed to prevent lateral movement by visualizing activity in your IT environments, implementing precise microsegmentation policies, and swiftly detecting potential breaches.

Improper configuration and exposure via APIs

Misconfigured settings or parameters encompass various issues such as default passwords, open ports, or weak encryption. Such inadequacies can create vulnerabilities that hackers may exploit to gain unauthorized access to systems or data, leading to security breaches and other malicious activities. Inadequate configuration settings and vulnerabilities in APIs can expose them to a large number of security risks. Addressing and rectifying these issues is crucial to prevent unauthorized access and potential data breaches. Consider implementing proper API security and governance from code time to runtime, including regularly auditing API security measures, which are critical steps to enhance overall protection. To address misconfiguration and exposure via APIs, businesses must rely not just on their WAF but also on deploying an advanced API security solution to protect against evasive API abuses. This solution can offer comprehensive visibility, identifying vulnerabilities and detecting potential threats and abuses related to APIs. Moreover, it assists in helping organizations establish a more proactive approach to security by lowering the overall attack surface of critical APIs from secure development to runtime protection, effectively reinforcing their overall API security posture.

DNS attacks

Domain Name System (DNS) attacks are malicious activities that target the DNS infrastructure to disrupt or manipulate the resolution of domain names into IP addresses. These attacks can have various objectives, including causing service disruptions using distributed denial of service (DDoS), redirecting users to malicious websites, or gaining unauthorized access to sensitive information. Organisations must deploy a strong cloud-based authoritative DNS Service ensuring 100% availability and protection against multi-vector DNS attacks like flooding and water torture attacks. Implementing best practices and deploying security countermeasures that are able to withstand the attack volume, are crucial steps to take when mitigating these attacks.

Conclusion

Data breaches continue to pose a pervasive risk across various sectors, affecting organizations of all sizes and types — from healthcare and finance to e-commerce and retail. By proactively identifying potential vulnerabilities, organizations can reduce the likelihood of successful cyberattacks. Investing in robust security measures that enforce a Zero Trust Security model and ensuring their applications, APIs, and DNS services are continuously protected against cyber threats, helps mitigate financial risks associated with breaches, such as regulatory fines, legal fees, and revenue loss. By minimizing the impact of breaches, organizations can also maintain business continuity — and avoid disruptions to normal operations or damaged reputations. Overall, a comprehensive understanding of breach causes, and the implementation of appropriate security measures are vital for protecting data, minimizing risk, and ensuring the long-term success of all organizations. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.

This week on TCE Cyberwatch, we bring you news of new vulnerabilities that have cropped up, along with threats of cyberattacks and new cybercrime forums that have opened up.  With the U.S. elections around the corner, worries about cyberattacks have become more prevalent. There are also developments in the world of tech this week from other countries like Australia.  TCE Cyberwatch hopes all readers feel informed reading this article and realize the impact of cybercrimes. This recap aims to educate readers on the importance of staying vigilant in the current climate. We will also cover critical vulnerabilities, data breaches, and the evolving tactics of cybercriminals.

TCE Cyberwatch Weekly Update

Explore the newest updates and empower yourself with the information needed with TCE Cyberwatch. 

USDoD announces plans to resurrect BreachForum’s community 

The FBI's takedown of BreachForums, a key cybercrime marketplace, marked a significant victory against cybercrime. However, less than 24 hours later, the cybercriminal known as USDoD announced plans to resurrect the forum’s community.  BreachForums had been central for trading stolen data and hacking tools, and its removal was a major achievement, but USDoD and another administrator, ShinyHunters, claimed that they would revive the site. USDoD vowed to launch a new forum, Breach Nation, with domains breachnation.io and databreached.io, which is set to go live on July 4, 2024. Robust infrastructure, enhanced security, and upgraded memberships to the first 200,000 users were some of the things that were offered. Read More

Generative AI and its impact on the insurance industry 

Generative AI has become a major topic in AI discussions, especially with advanced models like OpenAI’s GPT-4 and Google’s Gemini 1.5 Pro. Bloomberg predicts that the Generative AI market will reach USD 1.3 trillion by 2032, holding potential across industries, but specifically insurance.   In insurance, Generative AI is expected to revolutionize operations, streamline claims by analyzing images and documents, speed up settlements and enhance customer satisfaction, improve decision-making, and reduce errors and cases of fraud through its data analysis capabilities.  Generative AI can also provide tailored recommendations and engage with customers in conversations. While Generative AI offers significant advantages, its adoption must address concerns about data privacy and ethical AI usage. Read More

Kyrgyzstan faces cyberattacks on government entities as mob violence occurs against foreign students 

Bishkek, the capital of Kyrgyzstan, is currently experiencing severe mob violence and cyberattacks. The turmoil began with a viral video showing a fight between Kyrgyz and Egyptian medical students, which led to widespread violence against foreign students. Simultaneously though, Kyrgyzstan is facing severe cyberattacks from various hacktivist groups.   The attackers, calling themselves Team Insane PK, have allegedly attacked multiple governmental platforms, including the Ministry of Agriculture and the Education Portal of the Ministry of Emergency Situations, as well as private entities like Saima Telecom and several universities. Additionally, Silent Cyber Force, another Pakistan-based group, has allegedly targeted Kyrgyzstan’s Ministry of Defence and Ministry of Agriculture. Read More

U.S. election causes worry surrounding several cyberattacks, specifically those of foreign interference 

With the 2024 U.S. elections approaching, foreign interference, particularly through cyberattacks, has intensified. Democratic Senator Mark Warner noted the involvement of both state and non-state actors, including hacktivists and cybercriminals, who find it increasingly easy to disrupt U.S. politics.  The Cybersecurity and Infrastructure Security Agency (CISA) is at the forefront of defending against these threats. CISA Director Jen Easterly emphasized that while election infrastructure is more secure than ever, the threat environment has become more complex, with foreign adversaries and generative AI capabilities posing significant risks. In response, CISA has ramped up its efforts, offering cybersecurity assessments, physical security evaluations, and training sessions to election stakeholders. Read More 

New Vulnerability Llama Drama spotted in Python package widely used by AI application developers 

A critical vulnerability, CVE-2024-34359, dubbed Llama Drama, was recently discovered in a Python package widely used by AI application developers. Discovered by researcher Patrick Peng, the vulnerability affects the llama_cpp_python package, which integrates AI models with Python and is related to the Jinja2 template rendering tool used for generating HTML.  Checkmarx, a cybersecurity firm, explained that the issue arises from llama_cpp_python using Jinja2 for processing model metadata without implementing proper security measures like sandboxing. This oversight enables template injection attacks, allowing for arbitrary code execution on systems using the affected package. More than 6,000 AI models that use llama_cpp_python and Jinja2 are impacted by this.  Read More

Europol investigating a black hat hacker who claims to have stolen classified data from their systems 

Europol is investigating a black hat hacker, IntelBroker, who claims to have stolen classified data from their system. The hacker allegedly accessed classified information, like employee data and source codes, from various branches of Europol, like the Europol Platform for Experts (EPE). IntelBroker posted screenshots as proof and later claimed to have sold the data.  Europol confirmed the incident and assured that no operational data was compromised. The agency has taken initial actions, and the EPE website is temporarily down for maintenance. Additionally, IntelBroker claimed to have hacked Zscaler, a cybersecurity firm, offering to sell access to their systems. Zscaler is investigating but has not found evidence of impact, other than a test environment exposed to the internet, though it's unclear if it was involved in the breach. Read More

Palo Alto Networks' forecast falls short of investor expectations  

Palo Alto Networks' fourth-quarter billings forecast fell short of investor expectations, signaling restrained corporate spending on cybersecurity amid economic uncertainty and persistent inflation. This caution has driven companies to diversify their cybersecurity investments to avoid reliance on a single vendor, leading to a reduced growth outlook for firms like Palo Alto Networks.   The company projected fourth-quarter billings between $3.43 billion and $3.48 billion, aligning closely with analysts' estimates but reflecting broader concerns about slowed growth in the sector. Analysts highlighted the lack of significant positive momentum in the revised forecasts put out by Palo Alto following this. However, the forecasts follow similar cautionary predictions from rivals like Fortinet, which hint at a broader trend of cautious spending in the cybersecurity industry. Read More

Australia passes its first legislation for a national digital ID 

Australia has passed its first legislation for a national digital ID, called myGovID, set to come into effect in November. This eliminates the need for multiple forms of physical ID. Lauren Perry from the UTS Human Technology Institute explains that the digital ID will streamline the cumbersome process of collecting and verifying multiple ID documents. The system acts as an intermediary between the user and organizations requiring identity verification.  Users will interact with organizations through an app, inputting a government-registered number to confirm their identity. Currently, the myGovID app serves this purpose, but private providers like MasterCard or Visa could join the system, enhancing security and reducing fraud risks. Read More

Western Sydney University faces a cybersecurity breach affecting 7,500 individuals. 

Western Sydney University faced a cybersecurity breach that affected around 7,500 individuals. The breach, first identified in January 2024, was traced back to May 2023 and involved unauthorized access to the university’s Microsoft Office 365 platform, including SharePoint files and email accounts., and their Solar Car Laboratory infrastructure.  WSU swiftly shut down its IT network and implemented security measures upon discovering the breach. The university has assured that no ransom demands have been made for the compromised information. The NSW Police and Information and Privacy Commission are helping to investigate the incident. The NSW Supreme Court has issued an injunction to prevent the unauthorized use of the compromised data, highlighting the legal implications of such breaches. Read More

ICO releases warning about data protection risks associated with generative AI for Snapchat 

The UK's Information Commissioner’s Office (ICO) has warned about the data protection risks associated with generative AI. The ICO found that the company that owned Snapchat, Snap, had not adequately assessed the data protection risks for its chatbot, which interacts with Snapchat’s 414 million daily users. The ICO issued a Preliminary Enforcement Notice to Snap-on October 6, highlighting a failure to properly evaluate privacy risks, especially for users aged 13 to 17.   This led to Snap undertaking a comprehensive risk assessment and implementing the necessary steps, which the ICO then deemed to fit data protection laws. Snapchat has integrated prevention of harmful responses from the chatbot and is working on additional tools to give parents more control over their children’s use of 'My AI'. The ICO will continue to monitor Snapchats generative AI developments and enforce compliance to protect public privacy rights. Read More

New malware named GhostEngine to exploit vulnerable drivers and install crypto mining software 

A novel malware campaign dubbed "REF4578" uses a malware called GhostEngine to disable endpoint detection and response (EDR) solutions and install crypto mining software. The malware exploits vulnerable drivers to terminate EDR agents, ensuring the persistence of the XMRig miner, which is used to mine Monero cryptocurrency without detection. The malware also installs a backdoor and includes an EDR agent controller and miner module to tamper with security tools and enable remote command execution via a PowerShell script.  Researchers at Antiy Labs, despite extensive analysis, were unable to identify specific targets or the threat actor behind the campaign. To detect GhostEngine, organizations should monitor for initial suspicious activities such as unusual PowerShell execution, execution from uncommon directories, privilege elevation, and vulnerable driver deployment. Key indicators include abnormal network traffic, DNS lookups pointing to mining pool domains, and specific behavior prevention events like unusual process execution and tampering with Windows Defender. Read More

Wrap Up

The ever-evolving landscape of cybersecurity requires constant vigilance. By staying informed about the latest threats and taking proactive measures, we can minimize the impact of cyberattacks and protect ourselves online.  As always, we can see that there is unrest present everywhere and cybercrimes play a huge role in that. TCE Cyberwatch is committed to keeping you informed about the latest developments in cybersecurity. Stay tuned for more in-depth analysis and actionable advice. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A U.S. Cyber Force moved a step closer to reality this week after the House Armed Services Committee approved language authorizing a National Academy of Sciences (NAS) study of the issue. The amendment, proposed by Rep. Morgan Luttrell (R-TX), was included in the committee’s markup of the fiscal 2025 defense bill, which now goes to the full House for a vote. The amendment – which can be found as log 4401 in the Chairman’s En Bloc – gives the Defense Department 60 days after enactment to engage the Academy, which then has 270 days to submit the report to Congress, so the U.S. is unlikely to get the new armed services branch before fiscal 2027 at the earliest, if it happens at all. But as Sen. Kirsten Gillibrand (D-NY) unsuccessfully pushed a similar measure last year, the study appears to have a better chance of approval this year.

CYBERCOM Under Siege

Cyber defense has been under the U.S. Cyber Command, or CYBERCOM, since 2010. CYBERCOM brings together personnel from the separate service branches, but that arrangement has come under increasing scrutiny as an inadequate solution to a growing global threat. A 2022 GAO study noted problems with cyber training, staffing and retention across the service branches, and a Foundation for Defense of Democracies (FDD) study in March of this year detailed problems with the lack of a singular approach to cyber defense.   “The inefficient division of labor between the Army, Navy, Air Force, and Marine Corps prevents the generation of a cyber force ready to carry out its mission,” the FDD report said.

“Recruitment suffers because cyber operations are not a top priority for any of the services, and incentives for new recruits vary wildly. The services do not coordinate to ensure that trainees acquire a consistent set of skills or that their skills correspond to the roles they will ultimately fulfill at CYBERCOM.”

Promotion systems often hold back skilled cyber personnel because the systems were designed to evaluate service members who operate on land, at sea, or in the air, not in cyberspace. Retention rates for qualified personnel are low because of inconsistent policies, institutional cultures that do not value cyber expertise, and insufficient opportunities for advanced training. “Resolving these issues requires the creation of a new independent armed service – a U.S. Cyber Force – alongside the Army, Navy, Air Force, Marine Corps, and Space Force.” The FDD report concluded, “America’s cyber force generation system is clearly broken. Fixing it demands nothing less than the establishment of an independent cyber service.”

CYBERCOM Retools for the Future

CYBERCOM, which was elevated to a unified command in 2018, is taking its own steps to address the growing cyber warfare threat. In testimony last month before the Senate Armed Services Committee, Air Force General Timothy D. Haugh, who serves as CYBERCOM’s commander and director of the NSA, noted some of the ways CYBERCOM is addressing those challenges. “CYBERCOM 2.0” is an initiative under way “to develop a bold set of options to present to the Secretary of Defense on the future of USCYBERCOM and DoD cyber forces,” Haugh told the committee. “To maximize capacity, capability, and agility, we are addressing readiness and future force generation.” Enhanced Budgetary Control (EBC) authority granted by Congress gave more than $2 billion in DoD budget authority to CYBERCOM for the current fiscal year, and “streamlines how we engage the Department’s processes,” Haugh said. “EBC is already paying dividends in the form of tighter alignments between authorities, responsibility, and accountability in cyberspace operations. Greater accountability, in turn, facilitates faster development and fielding of capabilities.” It remains to be seen whether the U.S. will get a seventh military service branch – after the Army, Navy, Marine Corps, Air Force, Coast Guard, and Space Force – or if current initiatives will be enough to address cyber defense challenges. But it seems likely that the issue will get a lot more scrutiny before it’s settled. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A ransomware attack of Ransomhub group on the Industrial Control Systems of a Spanish bioenergy plant has once again brought to the fore the imperils of cyberattacks on Industrial Control Systems (ICS).  The latest threat intelligence report from the Cyble Research & Intelligence Labs (CRIL) said that the attack targeted the Supervisory Control and Data Acquisition (SCADA) system, a pivotal component for managing operations at the Spanish facility. Ransomhub's modus operandi involves encrypting data and leveraging access to SCADA systems to disrupt essential functions, as evidenced in their recent breach. Their claim of accessing and encrypting over 400 GB of data, coupled with persistent control over SCADA systems, highlights the severity of the threat posed by this ransomware group. 

Ransomhub Group Targets Industrial Control Systems (ICS) 

[caption id="attachment_69992" align="alignnone" width="811"] Ransomhub posts on their DLS.(Source: Cyble)[/caption] The origins of Ransomhub trace back to February 2024 when it emerged as a Ransomware-as-a-Service (RaaS) on cybercrime forums. Employing sophisticated encryption techniques and targeting organizations predominantly in the IT & ITES sector, particularly in the United States, Ransomhub quickly garnered notoriety within the underground cyber community. [caption id="attachment_69994" align="alignnone" width="728"] Alleged SCADA control of Gijón Bio-Energy Plant Digestor Tank (Source: Cyble)[/caption] The group's aggressive recruitment of affiliates, coupled with attempts to exploit vulnerabilities in SCADA systems, signify a strategic shift towards targeting Operational Technology (OT) environments. This shift aligns with broader trends in the ransomware landscape, wherein malicious actors seek to exploit weaknesses in interconnected systems for maximum impact. CRIL's investigation into Ransomhub's activities reveals a concerning association with Initial Access Brokers (IABs) on Russian-language forums, indicating a sophisticated network for procuring compromised access to victims' networks. Such alliances highligh the need for heightened vigilance and proactive defense mechanisms to thwart potential breaches.

Precautions Against Industrial Control Systems (ICS) Ransomware Attack

Recent ransomware attacks, like the one orchestrated by Ransomhub on Industrial Control Systems (ICS), highlight the pressing need for organizations to fortify their cybersecurity defenses. Key recommendations include implementing robust network segmentation to reduce exposure to external threats and ensuring regular software updates through patch management protocols.  Secure remote access, facilitated by methods like Virtual Private Networks (VPNs), coupled with diligent monitoring of network logs, aids in early detection and response to potential breaches Furthermore, meticulous asset management practices, such as maintaining detailed inventories of OT/IT assets and deploying continuous monitoring solutions, enhance overall security posture. Developing and testing incident response plans are vital to minimize downtime and data loss in the event of a ransomware attack. The incident involving Ransomhub serves as a stark reminder of the escalating risks faced by ICS environments. Heightened awareness and proactive security measures are crucial to mitigate these threats and protect critical infrastructure from online cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.