In response to heightened cyber threats targeting political candidates, election officials and civil society groups, the National Cyber Security Centre (NCSC) in the UK, a part of GCHQ, has introduced a new initiative called the Personal Internet Protection (PIP) service. The service that was unveiled at CYBERUK 2024 in Birmingham, aims to provide an additional layer of security to individuals at “high-risk” of cyberattacks like spear-phishing, malware and other threats, ahead of the upcoming election year. The Personal Internet Protection service works by alerting users when attempting to access malicious domains known to the NCSC and by blocking outgoing traffic to these domains. The PIP offered to high-risk individuals is built on the NCSC’s Protective DNS service that was developed primarily for use by organizations. Since its inception in 2017, PDNS has provided protection at scale for millions of public sector users, handling more than 2.5 trillion site requests and preventing access to 1.5 million malicious domains, the NCSC said.

Cyber Threats Targeting Political Candidates

The Personal Internet Protection service is part of a broader effort by the UK government to enhance cyber support for individuals and organizations crucial to the democratic process, especially considering recent attempts by Russian and Chinese state-affiliated actors to disrupt UK's government and political institutions as well as individuals. While the Russian intelligence services had attempted to use cyberattacks to target prominent persons and organizations in the UK for meddling in the electoral processes, China is likely seen targeting various government agencies including the Ministry of Defence (MoD), whose payroll system was recently breached. Although both, Moscow and Beijing have rejected the use of hacking for political purposes, the relations between them remain strained over these allegations. Jonathon Ellison, NCSC Director for National Resilience and Future Technology, noted the importance of protecting individuals involved in democracy from cyber threats, highlighting the attractiveness of their personal accounts to espionage operations.

“Individuals who play important roles in our democracy are an attractive target for cyber actors seeking to disrupt or otherwise undermine our open and free society. That’s why the NCSC has ramped up our support for people at higher risk of being targeted online to ensure they can better protect their accounts and devices from attacks,” Ellison said.

Ahead of the major election year where more than 50 countries around the world cast their vote, Ellison urged individuals eligible for the Personal Internet Protection services to sign up and to follow their guidance to bolster defenses against various cyber threats. The initiative also extends support to civil society groups facing a heightened risk of cyber threats. A new guide, "Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society," which offers practical advice for individuals such as elected officials, journalists, activists, academics, lawyers and dissidents was released on Tuesday. This guide, developed by the U.S. Cybersecurity and Infrastructure Security Agency in collaboration with international partners, aims to empower high-risk civil society communities with limited resources to combat cyber threats effectively. These include customized risk assessment tools, helplines for digital emergencies and free or discounted cybersecurity services tailored to the needs of civil society organizations. The launch of the Personal Internet Protection service and the release of the guidance for civil society mark significant steps in bolstering the cybersecurity posture of individuals and organizations critical to the democratic process. By enhancing protection against cyber threats, the UK aims to safeguard the integrity of its democracy and promote collective resilience against global threats to democracy. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Google has brought together its Gemini AI model with its Mandiant cybersecurity unit and VirusTotal threat Intelligence to enhance threat landscape accessibility and efficiency. The company also plans to use its Gemini 1.5 Pro large language model, released in February, to ease the understanding of threat reports for a broader audience. At the RSA Conference in San Francisco, Google unveiled their latest AI-based solution to add more value to threat intelligence. Tackling the long-standing challenges of fragmented threat landscapes and cumbersome data collection processes, Google Threat Intelligence integrates Mandiant's frontline expertise, real-time contributions from VirusTotal's global community and Google's visibility into extensive user and device footprint to deliver a comprehensive defense against evolving cyber threats. Bernardo Quintero, founder of VirusTotal called this initiative a “sharing knowledge, protecting together” mission, which it has embraced with Google and Mandiant.

“I want to assure our entire community, from security researchers and industry partners to individual users, that VirusTotal's core mission remains unchanged. We remain deeply dedicated to collective intelligence and collaboration, fostering a platform where everyone can come together to share knowledge, access valuable threat information, and contribute to the fight against cyber threats,” Quintero said.

“VirusTotal remains committed to a level playing field, ensuring all partners, including Google Threat Intelligence, have equal access to the crowdsourced data VirusTotal collects. We also want to assure you that the core features and functionalities of VirusTotal will remain free and accessible to everyone, as always,” he added, clearing the air around VirusTotal’s future. “The strength of VirusTotal lies in its network of contributors and the vast amount of data they provide. This data serves as a valuable resource for the entire security industry, empowering our partners and others to enhance their products and contribute to a more secure digital world. This collaborative approach, based on transparency and equal access, strengthens the industry as a whole, ultimately leading to better protection for everyone.”

Challenges Addressed and Google’s Gemini AI Integration

For years, organizations have grappled with two primary hurdles in threat intelligence: a lack of holistic visibility into the threat landscape and the arduous task of collecting and operationalizing intelligence data. Google's new offering aims to address these challenges head-on providing insights and operational efficiency to security teams worldwide. The integration of Gemini, Google's AI-powered agent, enhances the operationalization of threat intelligence, streamlining the analysis process and accelerating response times. Using the Gemini 1.5 Pro large language model, Google claims to significantly reduce the time required to analyze malware attacks. For instance, the model took only 34 seconds to dissect the WannaCry virus and identify a kill switch, demonstrating its efficacy in threat analysis. Another key feature of Gemini AI is its ability to summarize threat reports into natural language, aiding companies in assessing potential attacks' impact and prioritizing responses. Threat Intelligence also offers a comprehensive threat monitoring network, empowering users to gain insights into the cybersecurity landscape and prioritize their defense strategies. Mandiant's experts, acquired by Google in 2022, play a vital role in assessing security vulnerabilities in AI projects through the Secure AI Framework. They conduct rigorous testing to fortify AI models against potential threats like data poisoning, ensuring their resilience against malicious exploitation. While Google is pioneering the integration of AI into cybersecurity, other tech giants like Microsoft are also exploring similar avenues, underscoring the growing significance of AI in safeguarding digital assets against evolving threats. As cyber threats continue to evolve, proactive defense strategies are more critical than ever. With Google Threat Intelligence, organizations can leverage cutting-edge technology to detect, analyze, and mitigate threats effectively, ensuring the security and resilience of their digital infrastructure in an increasingly complex threat landscape.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. Secretary of State Antony Blinken unveiled an International Cyberspace and Digital Policy Strategy on Monday, outlining the Biden administration's plan to engage the global community on various technological security issues. Blinken introduced this robust international cyber strategy while delivering a keynote at the RSA cybersecurity conference in San Francisco. The strategic blueprint outlined in the latest strategy displayed the federal government's multifaceted approach to engaging the global community on a wide array of technological security issues, aiming to foster collaboration and cooperation among allies, partners and stakeholders worldwide.

What’s at the Core of the International Cyberspace and Digital Policy Strategy

At the heart of the plan lies the concept of "digital solidarity," characterized by mutual assistance to victims of malicious cyber activity and other digital harms. Digital solidarity entails collaborating on shared goals, capacity building, and mutual support to enhance security, resilience, self-determination, and prosperity. Against the backdrop of ongoing cyberattacks targeting U.S. allies by foreign actors like Russia, China, North Korea and Iran, efforts focus on supporting allies and partners, particularly emerging economies, in harnessing the benefits of digital technologies while sustaining economic and development objectives. The strategy emphasizes alignment with international partners on technology governance, fostering strong partnerships with civil society and the private sector, and promoting cybersecurity resilience through diverse products and services from trusted technology vendors. Moreover, it underscores cooperative efforts to defend and advance human rights and build digital and cyber capacity for long-term resilience and responsiveness. The Department of State, in collaboration with other federal agencies, will advance digital solidarity through four key areas of action supported by three guiding principles:

1. Promoting an open, inclusive, secure, and resilient digital ecosystem.
2. Aligning rights-respecting approaches to digital and data governance with international partners.
3. Advancing responsible state behavior in cyberspace and countering threats through coalition-building and engagement.
4. Strengthening international partner digital and cyber capacity.

Efforts to forge digital solidarity will be reinforced by active participation in international fora to shape obligations, norms, standards, and principles impacting cyberspace and digital technology issues. Leadership in these venues is crucial to safeguarding U.S. interests and values in the evolving digital landscape. Recognizing the significance of digital diplomacy, the Department of State will lead interagency efforts to coordinate cyber and digital technology diplomacy to advance U.S. national interests and values in the coming decade.

Cybersecurity Threats from Nation States

The strategy addresses the malign activities of nations such as Russia, China, Iran, and North Korea, condemning their exploitative use of technology for nefarious purposes, including hacking and espionage campaigns. It highlights concerns about these countries' efforts to undermine international regulatory frameworks and undercut U.S. technology manufacturers through state-sponsored subsidies. “Cyber criminals and criminal syndicates operating in cyberspace now represent a specific threat to the economic and national security of countries around the world,” the International Cyberspace and Digital Strategy said. “Cybercrime and online fraud cause significant harm to economic development, with small- to medium-sized enterprises and financial service providers especially at risk. According to one estimate, the global cost of cybercrime is estimated to top $23 trillion in 2027.”

AI Technology Governance

The landscape of AI technology governance is intricate, as per the latest strategy. While AI systems offer promising avenues for societal progress, the complexities of geopolitics further compound the challenges and uncertainties in their regulation and management. AI technologies hold immense potential to drive knowledge expansion, boost prosperity, enhance productivity, and tackle pressing global issues. However, the rapid proliferation of AI technologies also presents substantial risks and ethical considerations. These encompass a spectrum of concerns ranging from exacerbating inequality and economic instability to privacy breaches, discriminatory practices, and amplification of malicious cyber activities. Moreover, the dual-use nature of many AI applications poses challenges in ensuring that emerging technologies are not leveraged for nefarious purposes, including disinformation campaigns and military advancements lacking adequate human rights safeguards. Balancing risks and rewards requires safeguarding democratic values, human rights, and fostering international collaboration to harness AI's benefits while mitigating destabilizing impacts. The strategy also warns against complacency in critical technological domains, cautioning that failure to act could enable authoritarian states to shape the future of technology in a manner detrimental to U.S. interests and values. By advocating for concerted efforts to uphold a rights-respecting, open, and secure cyberspace, the United States aims to advance a vision of global governance that safeguards democratic principles and promotes innovation and prosperity.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Finland has warned of an ongoing Android malware campaign that targets banking details of its victims by enticing them to download a malicious counterfeit McAfee app. Finland's Transport and Communications Agency – Traficom - issued a warning last week about an ongoing Android malware campaign that aims to withdraw money from the victim's online bank accounts. Traficom said this campaign exclusively targets Android devices, with no separate infection chain identified for Apple iPhone users. The agency has identified multiple cases of SMS messages written in Finnish language, instructing recipients to call a specified number. These messages often impersonate banks or payment service providers like MobilePay and utilize spoofing technology to appear as if they originate from domestic telecom operators or local networks. [caption id="attachment_66875" align="aligncenter" width="1024"] Finnish language smishing message (Credit: Traficom)[/caption] The scammers answering these calls direct victims to install a McAfee app under the guise of providing protection. However, the McAfee app being promoted is, in fact, malware designed to compromise victims' bank accounts. According to reports received by the Cyber Security Center, targets are prompted to download a McAfee application via a link provided in the message. This link leads to the download of an .apk application hosted outside the app store for Android devices. Contrary to expectations, this is not antivirus software but malware intended for installation on the phone. The OP Financial Group, a prominent financial service provider in Finland, also issued an alert on its website regarding these deceptive messages impersonating banks or national authorities. The police have similarly emphasized the threat posed by this malware, warning that it enables operators to access victims' banking accounts and initiate unauthorized money transfers. In one reported case, a victim lost 95,000 euros (approximately $102,000) due to the scam.

Vultur Android Malware Campaign Trademarks

While Finnish authorities have not definitively identified the type of malware involved or shared specific hashes or IDs for the APK files, the attacks bear a striking resemblance to those reported by Fox-IT analysts in connection with a new version of the Vultur trojan. [caption id="attachment_66873" align="alignnone" width="1024"] Vultur Trojan infection chain (Credit: Fox-IT)[/caption] The new iteration of the Vultur trojan employs hybrid smishing and phone call attacks to persuade targets into downloading a fake McAfee Security app. This app introduces the final payload in three separate parts for evasion purposes. Notable features of this latest version include extensive file management operations, abuse of Accessibility Services, app blocking, disabling Keyguard, and serving custom notifications in the status bar.

Things to Do If You Suspect Being Victim

If you suspect that your device has been infected with the malware, it is advisable to contact your bank immediately to enable protection measures. Additionally, restoring "factory settings" on the infected Android device to wipe all data and apps is recommended. OP Financial Group emphasizes that they do not request customers to share sensitive data over the phone or install any apps to receive or cancel payments. “We will never send you messages with a link to the online bank login page. The bank also never asks you for your ID or card information via messages. Such messages are scams and you should not click on the links in them,” the OP Financial Group said. “Even in order to receive or cancel a payment, you do not need to log in from a link, confirm with codes or provide your information. If you are asked to do this, contact the bank's customer service.” Any similar requests should also be promptly reported to the police. The news of the online banking fraud comes days after a multi-national police operation crack opened a massive fraudulent call center network run across Europe that targeted especially senior citizens with an intent to dupe them of thousands of dollars. The crack down, dubbed Operation Pandora, was initiated when a vigilant bank teller in Freiburg, Germany, alerted law enforcement of a customer aged 76-years attempting to withdraw a large sum of money. Scammers employed various tactics, posing as relatives, bank employees or police officers, to deceive victims into surrendering their savings. The operation revealed call centers operating in different countries, each specializing in different types of telephone fraud, from investment scams to debt collection demands. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Six Australian Members of the Parliament confirmed today that they were targeted by Chinese-state hackers APT31 in a brazen cyberattack whose aim was to gather intelligence on these individuals. The Inter-Parliamentary Alliance on China whose members were victims of this hacking attempt said, “The politicians confirmed details with both the IPAC Secretariat and the Australian Government.”

“The apparent intention [of the cyberattack] was to garner sufficient information to mount more sophisticated follow-on attacks, escalating in severity.”

Those targeted included Senator James Paterson, Senator Claire Chandler, Senator Alex Antic, David Smith MP, Daniel Mulino MP and Tim Wilson MP.

Security Agencies Chose to Remain Tight-Lipped

Australia’s security agencies reportedly received two warnings about Chinese hackers targeting Australian MPs, but they chose not to inform the lawmakers about the cyberattacks. “It is staggering that both the targeted members of parliament and the broader Australian public have been kept in the dark about a direct attempt at cyber interference against Australian parliamentarians,” Senator Claire Chandler said.

“Incredibly, despite Australian authorities being notified of this hacking attempt in 2022, agencies did not alert my colleagues and I that we had been targeted.It’s unacceptable that this information was withheld from us for two years,” Chandler added.

The Five Eyes intelligence agency reportedly alerted Australia’s security agencies in mid-2021 about attacks that occurred earlier in January. Then, in June 2022, the FBI officially notified Australian authorities about attempts by the Chinese hacking group APT31 to target six Australian MPs. However, the agencies opted against informing the Government or the affected MPs. The IPAC, consisting of 20 Australian MPs, only became aware of the attempted attack when the US Department of Justice indicted seven Chinese hackers in April this year -three years after the initial warning. The National Cyber Security Centre of the United Kingdom also called out the Chinese APT31 actors for their malicious cyber targeting of UK’s democratic institutions and parliamentarians earlier in March. Following this revelation, MPs demanded an explanation from the Australian Security Intelligence Organisation regarding the lack of notification. After receiving a briefing, they released a joint statement today expressing outrage and demanding a robust response to protect Australian sovereignty. “We were not informed by Australian agencies at any time since 2021 about this targeting,” the statement from IPAC members targeted by APT31 said.

“This was not an attack on any single party or House of Parliament. This was an attack on Australian parliamentarians from both Houses and both parties who have dared to exercise their legitimate democratic right to criticize Beijing. As such, it was an attack on Parliament as a whole and demands a robust and proportionate response,” the IPAC members’ statement said.

“It is very worrying for our democracy that elected members of parliament have been targeted by PRC-state sponsored hacking attempts specifically because we have expressed concern about the behavior of the PRC, including human rights violations in Xinjiang and coercive behavior against Australia,” Senator Claire Chandler said. “It is in Australia’s national interest for Australians to be properly informed about the behavior of the PRC government. The withholding of information about the targeting of Australian elected representatives by state-affiliated cyber criminals means that Australians have been given a misleading impression of the PRCs behavior towards our country,” Chandler added. The targeted IPAC members insisted on being informed about future attempts to target them by state-sponsored groups, for which they have received an assurance from the government.

“I welcome the assurance that in future agencies will inform MPs about any attempts by state-sponsored cyber actors to target parliamentarians,” Senator Claire Chandler said.

The Australian agencies likely refrained from informing MPs because they considered the attacks crude and unsuccessful, according to Austrlian news agency The Nightly. Moreover, they occurred during a period when MPs and the public were already being cautioned to enhance their cybersecurity. Paterson, who is also the co-chair of IPAC Australia, denounced the attempted hack.

“Targeting parliamentarians, as the CCP has done, is not the act of a friend. It is yet another obstacle to a normal bilateral relationship. We should never hesitate to call out this behavior or be afraid to impose real costs to deter it,” he tweeted.

APT31 Used Pixel Tracking Emails

APT31 hackers targeted MPs with pixel tracking emails from a domain pretending to be a news outlet. If opened, these emails tracked the recipients' online behavior. According to the FBI's indictment released last month, the hackers spammed various government individuals worldwide associated with IPAC, with more than 10,000 malicious emails that also exploited zero-days and resulted in potential compromise of economic plans, intellectual property and trade secrets. Last month, FBI Director Christopher Wray highlighted the magnitude of Chinese hacking, stating that it surpassed that of every other major nation combined. He underscored the overwhelming scale of Chinese cyber operations, indicating the challenges faced by law enforcement in countering these threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A cyberattack targeting a Victorian company has resulted in the exposure of personal data belonging to thousands of victims of family violence and sexual assault, as well as about 60,000 current and former students at Melbourne Polytechnic.

Monash Health Data Breach

Monash Health, the state's largest health service, confirmed it was caught in the cross-hairs of a data breach, which also affected government entities that were clients of the company ZircoDATA.

A multi-national police operation cracked opened a massive fraudulent call center network run across Europe. A coordinated effort involving law enforcement agencies from Germany, Albania, Bosnia-Herzegovina, Kosovo and Lebanon has successfully dismantled a criminal network responsible for orchestrating thousands of scam calls targeting individuals worldwide. The crack down, dubbed Operation Pandora, was initiated when a vigilant bank teller in Freiburg, Germany, alerted law enforcement of a customer aged 76-years attempting to withdraw a large sum of money.

"In December 2023 a customer asked to withdraw over EUR 100,000 in cash, the bank teller grew suspicious and quickly learned the customer had fallen victim to a ‘fake police officer scam’. He informed the real police, which prevented the victim from handing the money over to the fraudsters," said Europol, the law enforcement cooperation agency of the European Union.

This initial breakthrough led investigators to uncover a vast network of fraudulent activities spanning multiple countries. Thomas Strobl, interior minister in the southwestern German state of Baden-Württemberg, dubbed the operation as the takedown of "the largest call center fraud scheme in Europe." Strobl said such scams "are particularly perfidious and unscrupulous because they play on peoples' fears and needs." He vowed that authorities would for that reason seek legal recourse "with the utmost severity. Scammers employed various tactics, posing as relatives, bank employees or police officers, to deceive victims into surrendering their savings. The operation revealed call centers operating in different countries, each specializing in different types of telephone fraud, from investment scams to debt collection demands. In response, German authorities established a dedicated call center to monitor and intercept scam calls in real-time, with the aim of preventing further financial losses. More than 100 police personnel were tasked with listening in on the fraudulent call centre calls in real-time, working around the clock and monitoring up to 30 conversations at the same time. Over 1.3 million conversations were tracked, leading to the prevention of over EUR 10 million in potential damages, Europol said. [caption id="attachment_66315" align="aligncenter" width="300"] Assets seized in during police raids. (Credit: Europol)[/caption] During the raids, conducted across multiple countries, law enforcement officers arrested 21 individuals and seized extensive evidence, including cash, assets, and electronic devices. Total assets worth EUR 1 million were recovered in these raids. This operation marks a significant milestone in the fight against telephone fraud and demonstrates the effectiveness of international cooperation in combating transnational criminal networks. Last year, European law enforcement authorities dismantled several call centers across the continent under the control of a criminal syndicate engaged in online investment fraud, commonly referred to as 'pig butchering' cryptocurrency scams. At the time, investigators calculated that victims in Germany alone had suffered losses exceeding EUR 2 million, with individuals from various other countries, including Switzerland, Australia, and Canada, also falling prey to the fraudulent schemes. In March 2022, Europol disclosed the disruption of a large-scale call center operation perpetrating investment scams. The operation, which employed 200 "traders" to bilk victims of a minimum of EUR 3,000,000 monthly, was brought down following the arrest of 108 suspects in Latvia and Lithuania.

U.S. Target of Fraudulent Call Centers from India

The issue of fraudulent call centers is not limited to just Europe but Asian economic power house India too. Since 2022, the Department of Justice (DOJ), the FBI Legal Attaché in New Delhi, the Washington Field Office (WFO), and the Internet Crime Complaint Center (IC3) have been collaborating with Indian law enforcement agencies, including the Central Bureau of Investigation in New Delhi and local authorities in various Indian states, to combat cyber-enabled financial crimes and transnational call center fraud. In 2023, Indian law enforcement agencies conducted multiple raids on fraudulent call centers, leading to disruptions, seizures, and arrests of individuals suspected of involvement in these crimes. Through 13 joint operations with Indian authorities, the FBI facilitated 26 arrests. Additionally, the WFO conducted numerous interviews and continues to provide support to Indian law enforcement in their efforts to prosecute call centers engaged in fraudulent activities. As was seen in the case of Operation Pandora, fraudulent call centers overwhelmingly target older adults, with devastating effects. Almost half the complainants that reported to the IC3 were over 60 (40%), and experience 58% of the losses (over $770 million). Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Julius Kivimäki, one of Europe's most sought-after cyber criminals, has been sentenced to more than six years jail for attempting to blackmail more than 30,000 individuals whose confidential therapy notes he pilfered. Kivimäki, also known online under the moniker "Zeekill" obtained these notes by breaching the databases of Finland's largest psychotherapy company, Vastaamo in late 2018 and early 2019. Following a failed attempt to extort the company for 40 Bitcoins, which were equivalent to about 450,000 Euros at the time, Kivimäki resorted to directly reaching the patients via email and threatened them to expose the private information they had shared with their therapists. Vastaamo data breach is considered as the largest and one of the most disturbing breaches in Finnish history with regards to the sheer overall impact of the hacking incident. Despite maintaining his innocence throughout the proceedings, Kivimäki now aged 26, evaded authorities and was arrested in Paris under an assumed identity. Even during the trial, he absconded for over a week after refusing to return to prison as ordered by the court. The judges, upon rendering their verdict, found Kivimäki guilty on all counts, condemning his blackmail as "ruthlessly taking advantage of another person's vulnerability." The BBC first reported the conviction. The severity of Kivimäki’s sentence—six years and three months—marks the culmination of a cybercrime spree that commenced when he was merely 13 years old. Kivimäki was a prominent figure amongst teenage cyber gangs that operated between 2009 and 2015. He was arrested in 2013 at the age of 15, but received a juvenile non-custodial two-year suspended sentence. The lenient punishment likely failed to dissuade him, as Kivimäki was swiftly implicated in several other hacks carried out with adolescent cohorts before vanishing for years. Kivimäki’s name resurfaced in 2020, in connection to the Vastaamo hack, where after failed negotiations with the company he demanded $240 from the patients in exchange of deleting their sensitive information. Kivimäki himself led back law enforcement to him. Finnish investigators from the National Bureau of Investigation (KRP), in collaboration with Binance, followed the trail of payments to Kivimäki, who exchanged the funds for Monero and then exchanged them back to Bitcoin. The digital forensics and cryptocurrency tracing played pivotal roles in securing his conviction. Taking into account Vastaamo's position as a company producing mental health services, Kivimäki has caused great suffering or the risk of it to the interested parties," BBC cited the verdict document saying. Vastaamo's CEO, Ville Tapio, was also found guilty of failing to safeguard customers' confidential data. Investigations revealed that the company's databases were susceptible to exploitation due to inadequate safeguards. Tapio received a suspended three-month prison sentence last year, while the Office of the Data Protection Ombudsman imposed an administrative financial sanction of 608,000 euros on Vastaamo. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A complaint lodged by privacy advocacy group Noyb with the Austrian data protection authority (DSB) alleged that ChatGPT's generation of inaccurate information violates the European Union’s privacy regulations. The Vienna-based digital rights group Noyb, founded by known activist Max Schrems, said in its complaint that ChatGPT's failure to provide accurate personal data and instead guessing it, violates the GDPR requirements. Under GDPR, an individual's personal details, including date of birth, are considered personal data and are subject to stringent handling requirements. The complaint contends that ChatGPT breaches GDPR provisions on privacy, data accuracy, and the right to rectify inaccurate information. Noyb claimed that OpenAI, the company behind ChatGPT, refused to correct or delete erroneous responses and has withheld information about its data processing, sources, and recipients. Noyb's data protection lawyer, Maartje de Graaf said, "If a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals. The technology has to follow the legal requirements, not the other way around." Citing a report from The New York Times, which found that "chatbots invent information at least 3% of the time - and as high as 27%," noyb emphasized the prevalence of inaccurate responses generated by AI systems like ChatGPT.

OpenAI’s ‘Privacy by Pressure’ Approach

Luiza Jarovsky, chief executive officer of Implement Privacy, has previously said that artificial intelligence-based large language models follow a "privacy by pressure" approach. Meaning: “only acting when something goes wrong, when there is a public backlash, or when it is legally told to do so,” Jarovsky said. She explained this further citing an incident involving ChatGPT in which people's chat histories were exposed to other users. Jarovsky immediately noticed a warning being displayed to everyone accessing ChatGPT, thereafter. Jarovsky at the beginning of 2023, prompted ChatGPT to give information about her and even shared the link to her LinkedIn profile. But the only correct information that the chat bot responded with was that she was Brazilian. [caption id="attachment_65919" align="aligncenter" width="1024"] Prompt given by Luiza Jarovsky to ChatGPT bot followed by the incorrect response. (Credit:Luiza Jarovsky)[/caption] Although the fake bio seems inoffensive, “showing wrong information about people can lead to various types of harm, including reputational harm,” Jarovsky said. “This is not acceptable,” she tweeted. She argued that if ChatGPT has "hallucinations," then prompts about individuals should come back empty, and there should be no output containing personal data. “This is especially important given that core data subjects' rights established by the GDPR, such as the right of access (Article 15), right to rectification (Article 16), and right to erasure (Article 17), don't seem feasible/applicable in the context of generative AI/LLMs, due to the way these systems are trained,” Jarovsky said.

Investigate ChatGPT’s GDPR Violations

The complaint urges the Austrian authority to investigate OpenAI's handling of personal data to ensure compliance with GDPR. It also demands that OpenAI disclose individuals' personal data upon request and seeks imposition of an "effective, proportionate, dissuasive, administrative fine. The potential consequences of GDPR violations are significant, with penalties amounting to up to 4% of a company's global revenue. OpenAI's response to the allegations remains pending, and the company faces scrutiny from other European regulators as well. Last year, Italy's data protection authority temporarily banned ChatGPT's operations in the country over similar GDPR concerns, following which the European Data Protection Board established a task force to coordinate efforts among national privacy regulators regarding ChatGPT. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Federal Communications Commission has fined the largest phone carriers in the country - AT&T, Sprint, T-Mobile and Verizon - $200 million over illegal data sharing of its customers location with third parties, and that with inadequate safeguards in place. Of the four, T-Mobile was fined the most with more than $80 million but it will pay another $12 million as Sprint, which was acquired by them in April 2020 was fined separately for its malpractices prior to the acquisition. AT&T was fined more than $57 million and Verizon nearly $47 million. The FCC Enforcement Bureau investigations of the four carriers found that each of them sold access to its customers’ location information to aggregators, who then resold access of such information to third-party location-based service providers. For example, AT&T had arrangements with two location information aggregators: LocationSmart and Zumigo, which in turn, had arrangements with location-based service providers.  “In total, AT&T sold access to its customers’ location information (directly or indirectly) to 88 third-party entities,” the FCC said.

“The largest wireless carriers in the country were selling our real-time location information to data aggregators, allowing this highly sensitive data to wind up in the hands of bail-bond companies, bounty hunters, and other shady actors,” said FCC Chair Jessica Rosenworcel.

The agency stated, "Each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained." Furthermore, when the carriers became aware of the inadequacy of their procedures, they failed to halt the sale of access to location information or adequately safeguard it from unauthorized access. AT&T and Verizon revealed their intention to appeal the FCC's decision, citing legal and factual discrepancies in the agency's order, while T-Mobile planned to challenge the decision, emphasizing its commitment to safeguarding customer data and labeling the fine as excessive. All three companies highlighted that the program for which they were fined ended approximately five years ago.

Views of the Illegal Data Sharing Whistleblower

Senator Ron Wyden (D-OR), commenting on Monday's action praised the FCC for penalizing wireless carriers.

“No one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card ,” Wyden said. “I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk.”

The issue first came to light in 2018 when Wyden discovered the carriers' practices, revealing instances of abuse by government officials and others who obtained location data without proper authorization. The FCC found the telecom companies' practices in violation of section 222 of the Federal Communications Act, which mandates confidentiality of customer information and affirmative consent before sharing or accessing customer location data. FCC’s action comes weeks after the House of Representatives passed the Fourth Amendment Is Not For Sale Act, which would prohibit law enforcement agencies from buying location data and other sensitive information about Americans, without a court order. Privacy advocates cheered the bill’s passage but it now faces an uphill task in the Senate and the White House. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Department of Homeland Security (DHS), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA) and the Countering Weapons of Mass Destruction Office (CWMD), has announced a suite of initiatives aimed at securing critical infrastructure and guarding against AI threats.

This announcement comes as the DHS marks the 180-day milestone of President Biden’s Executive Order (EO) 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI)”.

Secretary of Homeland Security Alejandro N. Mayorkas emphasized the dual nature of AI, stating, “AI can present transformative solutions for U.S. critical infrastructure, and it also carries the risk of making those systems vulnerable in new ways to critical failures, physical attacks, and cyber attacks. Our Department is taking steps to identify and mitigate those threats."

Securing Critical Infrastructure from AI Threats

DHS, in partnership with CISA, released comprehensive safety and security guidelines designed to address AI threats to critical infrastructure. These guidelines categorize risks into three main areas:

• Attacks Using AI: This includes the use of AI to plan or execute physical or cyber attacks on critical infrastructure.
• Attacks Targeting AI Systems: Targeted attacks on AI systems supporting critical infrastructure.
• Failures in AI Design and Implementation: Deficiencies or inadequacies in AI systems leading to malfunctions or unintended consequences.

To tackle these risks, DHS proposes a four-part mitigation strategy:

• Govern: Establish an organizational culture prioritizing AI risk management.
• Map: Understand individual AI use contexts and risk profiles.
• Measure: Develop systems to assess, analyze, and track AI risks.
• Manage: Prioritize and act upon AI risks to safety and security.

CISA Director Jen Easterly emphasized the importance of these guidelines, stating, “Based on CISA’s expertise as National Coordinator for critical infrastructure security and resilience, DHS’ Guidelines are the agency’s first-of-its-kind cross-sector analysis of AI-specific risks to critical infrastructure sectors and will serve as a key tool to help owners and operators mitigate AI risk."

The CBRN Threat: Preparing for the Unthinkable

The DHS, working closely with its CWMD Office, has produced a report analyzing the potential misuse of AI in the development or production of chemical, biological, radiological, and nuclear (CBRN) threats. Assistant Secretary for CWMD Mary Ellen Callahan highlighted the importance of this report, stating, “The responsible use of AI holds great promise for advancing science, solving urgent and future challenges, and improving our national security, but AI also requires that we be prepared to rapidly mitigate the misuse of AI in the development of chemical and biological threats,

All Hands on Deck: Department Unites for Goal

In addition to these initiatives, Secretary Mayorkas has spearheaded various efforts to expand DHS’s leadership on AI:

• Artificial Intelligence Safety and Security Board (AISSB): Established to advise DHS and the critical infrastructure community on the safe and secure development and deployment of AI.
• AI Roadmap: A detailed plan for using AI technologies while protecting individuals’ privacy, civil rights, and civil liberties.
• AI Corps: An accelerated hiring initiative aimed at leveraging AI expertise across strategic areas of the homeland security enterprise.

These efforts highlight DHS’s commitment to advancing the responsible use of AI for homeland security missions while mitigating its associated risks. In the face of evolving threats, DHS remains steadfast in its dedication to safeguarding the nation’s critical infrastructure and ensuring the safe and secure integration of AI technologies. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Hacktivists claimed breaching the network of Belarusian intelligence agency and allegedly leaked their data in response to the intelligence chief’s recent public remarks accusing the group of plotting attacks on the country’s critical infrastructure, including a nuclear power plant. The hacktivist group known as the Belarusian Cyber-Partisans, purportedly accessed personnel files of over 8,600 employees of the Belarusian Committee for State Security, also known as the Belarus KGB. To substantiate their claim, the Belarusian Cyber-Partisans published a list of the website's administrators, alongside its database and server logs, on their Telegram channel. Yuliana Shemetovets, the group's spokesperson based in New York, asserted that the attack on the KGB network was prompted by the agency chief Ivan Tertel's recent public accusation against the group. Tertel accused the Cyber-Partisans of plotting attacks on a nuclear power plant.

“We do not. We never have. Because we are working to save the lives of Belarusians, not to destroy them unlike the Lukashenko regime,” the Cyber-Partisans said.

More Details on the Belarusian Intelligence Agency Hack

Shemetovets told the Associated Press the group had gained access to the KGB network "several years ago" and was attempting to breach its website and database ever since. The hacktivists in a Sunday Telegram post shared more details from the Belarusian intelligence agency hack, publishing excerpts from the 40,000 contact forms filled by informants and whistle-blowers on the Belarus KGB website over the last nine years. The informants’ data published has come from several countries including Poland, Germany, Azerbaijan, Lithuania and Ukraine the hacktivists said. In one such instance a Ukrainian citizen said he had “information about the concept and some technical details of a fundamentally new rifle complex ... and the possibility of using a similar system as a modernization of tanks of the T-64, T-72, T-80, T-90 family." With the help of the data exfiltrated from the Belarusian intelligence agency hack, the Cyber-Partisans launched a Telegram chat bot called “facement_bot” that allows identification of KGB operatives. “Send a good quality photo with single face to the bot, and if there is a KGB officer in the image, the bot will return information on them,” the Cyber-Partisans said. Shemetovets emphasized that the group's objective is to unveil the truth about political repressions and hold those responsible accountable. While authorities have not issued any official statements regarding the hacktivist claims, the website of the Belarusian KGB said “THE SITE IS UNDER CONSTRUCTION.” The Cyber-Partisans last week claimed infiltration of computers at Belarus' largest fertilizer plant, Grodno Azot, as part of efforts to pressure the government into releasing political prisoners. The state-run plant has not commented on the claim, but its website has been inaccessible since April 17. The Cyber-Partisans claimed to have deliberately disrupted only the boiler unit of the plant, as there were backup sources for power generation.

“We had a good understanding of the internal processes of the plant and knew that this would not lead to dangerous consequences for people. But at the same time, we demonstrated our capabilities that we could really manage [with] the operation on Grodno Azot,” the Cyber-Partisans said.

Cyber-Partisans have previously also targeted Belarusian state media and, in 2022, launched attacks on Belarusian Railways, disrupting transit routes for Russian military equipment destined for Ukraine. Belarus has been a close ally of the Kremlin and has supported its eastern neighbour in the Russian invasion of Ukraine. Before the start of the offensive, Belarus allowed the Russian Armed Forces to perform weeks-long military drills on its territory. It also allowed Russian missile launchers to be stationed in its territory, which drew a lot of flak from its own people and Ukraine’s allies. "We're sending a clear message to the Belarusian authorities," Shemetovets said. "If they continue political repressions, the consequences will escalate. We will persist with our attacks to undermine the Lukashenko regime." Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Okta reported an "unprecedented scale" of credential stuffing attacks targeting its identity and access management solutions, resulting in the breach of some customer accounts. Threat actors employ credential stuffing techniques like password-spraying and brute-forcing to compromise user accounts by systematically trying lists of usernames and passwords in an automated fashion. These lists are often obtained from other data leaks, phishing and infostealer campaigns, or from underground cybercriminal forums where it is sold from a few tens to thousands of dollars.

“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools,” Okta said in a Saturday advisory.

The identity and access management provider said the attacks appear to stem from the same infrastructure used in previously reported brute-force and password-spraying attacks targeting VPNs and SSH services identified by Cisco Talos.

Use of TOR in Credential Stuffing Attacks

Okta noted that in all observed attacks the requests originated from a TOR anonymization network and various residential proxies, such as NSOCKS, Luminati and DataImpulse. Residential proxies are a network of proxy servers that use IP addresses from residential users. They are useful for anonymous browsing, bypassing geo-restrictions and accessing secure websites. Providers rent access to real users' devices to anonymize traffic sources. They don't usually disclose how they build these networks, sometimes enrolling users knowingly or via malware, “what we would typically describe as a botnet,” Okta said. This results in traffic appearing to originate from everyday users' devices, not VPS providers. FBI had earlier warned of a rising trend of cybercriminals using residential proxies to conduct large-scale credential stuffing attacks. Okta observed that the attacks were notably effective against organizations using the Okta Classic Engine with ThreatInsight configured in Audit-only mode, rather than Log and Enforce mode. Additionally, organizations failing to block access from anonymizing proxies experienced a higher success rate in these attacks. The attacks, however, succeeded for only a small percentage of Okta's customers, the IAM provider said. To counter these threats, Okta recommended:

• Enabling of ThreatInsight in Log and Enforce Mode to proactively block IP addresses associated with credential stuffing attempts before authentication is attempted.
• Denying access from anonymizing proxies to preemptively block requests originating from suspicious anonymizing services.
• Transition to enhanced security features such as CAPTCHA challenges for risky sign-ins and password-less authentication.
• Implementing Dynamic Zones to manage access based on criteria like geolocation and selectively block or allow certain IPs.

Why Credential Stuffing Attacks are Still Effective

Credential stuffing attacks traditionally have a very low success rate, which is estimated at around 0.1%, according to Cloudflare. Despite this, it remains profitable due to the vast number of credentials attackers possess. Collections contain millions or billions of credentials, with even a small fraction leading to profitable data. The prevalence of password or credential reuse, observed in up to 85% of digital users, also facilitates the recurrence and the effectiveness of these attacks. Adding to this the advancements in bot technology enables attackers to circumvent security measures like time delays and IP bans. Credential stuffing accounts for 24.3% of all login attempts in 2023, as per Okta. Retail and e-commerce companies account for more than half (51.3%) of all credential-stuffing incidents, the findings stated. It is likely due to the value associated with accounts in that industry, Okta said. Geographically, the Americas region has the highest rate of credential-stuffing attacks at 28%, which aligns with previous findings as some of the largest retail and media companies are based in the United States. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

With more than 2 billion voters ready to cast a vote this year across 60 plus nations -including the U.S., U.K. and India - Russian state hackers are posing the biggest cyber threat to election security, researchers said. Google-owned Mandiant in a detailed report stated with “high confidence” that Russian state-sponsored cyber threat activity poses the greatest risk to elections in regions with Russian interest.

“Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” Mandiant said.

Why Russia is the Biggest Cyber Threat to Election Security

Russia's approach to election interference is multifaceted, blending cyber intrusion activities with information operations aimed at influencing public perceptions and sowing discord. State-sponsored cyber threat actors, such as APT44, better known as the cyber sabotage unit Sandworm, and APT28 have a history of targeting elections in the U.S., and Europe. These actors employ hybrid operations, combining cyber espionage with hack-and-leak tactics to achieve their objectives. The 2016 U.S. presidential election is a prime example of Russia's cyber interference capabilities, as per Mandiant. APT28, linked to Russia intelligence unit - the GRU, compromised Democratic Party organizations and orchestrated a leak campaign to influence the election's outcome. Similarly, in Ukraine, APT44 conducted disruptive cyber operations during the 2014 presidential election, aiming to undermine trust in the electoral process. Jamie Collier, Mandiant senior threat intelligence advisor said, “One group to watch out for is UNC5101 that has conducted notable hybrid operations in the past.” Mandiant reports UNC5101 engaging in cyber espionage against political targets across Europe, Palestinian Territories, and the U.S. The actor has also used spoofed Ukrainian government domains to spread false narratives directly to government employees' inboxes. Before Russia's 2023 and 2024 elections, UNC5101 registered domains related to opposition figures like Alexei Navalny and conducted likely information operations to deceive voters. Russian state-aligned cyber threat actors target election-related infrastructure for various reasons including applying pressure on foreign governments, amplifying issues aligned with Russia's national interests, and retaliating against perceived adversaries. Groups like APT28 and UNC4057 conduct cyber espionage and information operations to achieve these objectives, Mandiant said.

Beijing’s Interest in Information Operations

Collier noted that state threats to elections are far more than just a Russia problem.

“For instance, we have seen pro-China information operations campaigns carry out election-related activity in the US, Taiwan, and Hong Kong,” Collier said.

China's approach to election cybersecurity focuses on intelligence collection and influence operations that promote narratives favorable to the Chinese Communist Party (CCP). State-sponsored actors like TEMP.Hex have targeted elections in Taiwan, using cyberespionage to gather critical information and using information operations to shape public discourse, Mandiant’s analysis found. In the lead-up to Taiwan's 2024 presidential election, Chinese threat actors intensified cyber espionage activities, targeting government, technology, and media organizations. Concurrently, pro-PRC information operations sought to discredit candidates perceived as unfriendly to China, using fabricated leaks and disinformation campaigns to sway public opinion, which even the Taiwanese government confirmed.

Watch-Out for Iran’s Espionage and Influence Campaigns

Iranian state hackers are another group of threat actors to keep an eye on for their cyber espionage and influence campaigns, Mandiant noted.

“[Irans’s] campaigns will rise as elections approach in key nations of interest to the Islamic Republic, such as counterparts in the currently stalled nuclear negotiations, and countries offering support to Israel during current fighting in Gaza,” Mandiant said.

During the 2020 U.S. presidential election, Iran attempted to compromise state voter registration websites and disseminate false information. The U.S. Department of Justice charged two Iranian nationals in 2021 for their involvement in this campaign. Pro-Iranian influence campaigns, including Liberty Front Press and Roaming Mayfly, target global audiences with anti-U.S. and anti-Israeli propaganda, amplifying partisan divisions and fostering distrust in democracies, Mandiant said.

Diverse Targets Multiple Vectors

Securing elections requires protecting not only voting machines and voter registries but also a wide range of entities involved in the electoral process. Political parties, news media, and social media platforms are frequent targets of cyber operations, which also comes under the attack surface of elections. [caption id="attachment_65433" align="aligncenter" width="551"] Credit: Mandiant[/caption] Cyber threat actors are increasingly employing hybrid operations, combining multiple tactics to amplify their impact. Examples from past elections, such as the Ukrainian presidential election in 2014, illustrate how they are using a combination of cyber intrusions, data leaks, and DDoS attacks to disrupt electoral processes. Owing to this Mandiant detailed likely threat vectors that could be used in the upcoming election season: [caption id="attachment_65432" align="aligncenter" width="819"] Credit: Mandiant[/caption] The threats posed by Russian, Chinese, and Iranian state actors to election cybersecurity are complex and multifaceted. By understanding the tactics and objectives of these actors, election organizations can develop effective mitigation strategies to safeguard democratic processes. However, addressing these threats requires a concerted effort involving international cooperation and a commitment to upholding the integrity of democratic elections worldwide. In-line with this, the U.S. agencies recently released guidance to defending the integrity of democratic processes. The guidance extensively details common tactics seen in foreign malign influence operations, offering real-world instances and suggesting possible countermeasures for stakeholders in election infrastructure. Though many of these tactics aren't new, the widespread use of generative artificial intelligence (AI) has notably amplified adversaries' ability to produce and spread persuasive malicious content, the guidance said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.