GhostSec Announces Shift in Operations from Ransomware to Hacktivism

By: Alan J
16 May 2024 at 04:49

GhostSec, a threat actor group previously involved in financially motivated cybercrimes, announced a significant shift in focus, departing from cybercrime and ransomware operations to return to its original hacktivist aims. The announcement, detailing GhostSec's return to its hacktivist roots, would mark a notable change in the group's priorities and operational strategies, leading several to speculate that the stated departure comes after recent law enforcement efforts against international ransomware groups. The GhostSec group identifies itself as part of the Anonymous collective and is known to have been active since 2015. The group used hashtags such as #GhostSec or #GhostSecurity to promote their activities. The group was previously involved in the #OpISIS, #OpNigeria, and #OpIsrael campaigns.

GhostSec Will Transfer Existing Ransomware Clients to Stormous

In an announcement made on its Telegram channel, the GhostSec group stated that they had gathered sufficient funds from their ransomware operations to support other activities moving forward. Rather than completely abandoning their previous work, this transition includes transferring existing clients to the new Stormous locker by Stormous, a partner organization with whom they will also share the source code of the V3 Ghostlocker ransomware strain. They claim that these efforts will ensure a smooth transition to Stormous' services, while avoiding the exit scams or disruption risks typically associated with ransomware exits. Stormous will also take over GhostSec's associates within the Five Families collective, which previously consisted of GhostSec, ThreatSec, Stormous, BlackForums, and SiegedSec. While GhostSec will halt some of its earlier services, the group intends to maintain its private channel and chat room. The group announced a discount offer starting today and lasting until May 23rd for lifetime access to its private channel and chat room, reducing the price from $400 to $250. The group also suggested the possibility of offering a hacking course, although they are still debating the details.

GhostSec Returns to Hacktivism

The announcement expressed GhostSec's intentions to focus solely on hacktivism, a form of activism that employs hacking to promote social or politically driven agendas. GhostSec had a record of intense hacktivist operations and campaigns, such as their successful efforts back in 2015 to take down hundreds of ISIS-associated websites or social media accounts, reportedly halting potential terrorist attacks. The group used social media hashtags like #GhostSec, #GhostSecurity, or #OpISIS to promote their activities and participate in hacktivist initiatives against the terrorist group. GhostSec also promoted a project ("New Blood") to assist newcomers in picking up hacking skills to participate in their campaigns, and provided resources to help activists anonymize their identities, such as WeFreeInternet, a project that sought to offer free VPN facilities to Iranian activists. The group had stated its intent to expand the project to support activists in similar circumstances who found their internet to be restricted by governments worldwide. The official GhostSec Telegram channel where the announcement took place had been created on October 25, 2020, and the group is known to utilize its social media handles on various websites to promote its activities. It is important to note that the group's decision to depart from the cybercrime scene does not necessarily imply a shift towards more ethical practices. Furthermore, the group's involvement in financially motivated cybercrimes raises questions about their true motivations and the potential for their hacktivism to be used for personal gain or a dubious political agenda rather than genuine social change.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

DragonForce Cyberattack Strikes Again: Malone & Co and Watt Carmichael Added as Victims

The notorious DragonForce ransomware group has expanded its list of victims, adding two new names to their dark web portal — Malone & Co and Watt Carmichael. In a dark web post on their platform, the threat actor boasted about their latest conquests. The first victim, Malone & Co, a prominent accounting firm based in Ireland, seemed to have fallen prey to the DragonForce cyberattack. The post provided details about the company's services and location, indicating a breach of sensitive information. Similarly, Watt Carmichael, a reputable investment management firm in Toronto, Canada, found itself ensnared in a similar situation by the DragonForce ransomware attack. However, despite the group's claims, both cyberattacks remain unverified.

DragonForce Cyberattack Targets Two New Victims

The Cyber Express has reached out to both organizations to learn more about this alleged DragonForce cyberattack. However, at the time of writing this, no official statement or response has been shared, leaving the claims for the DragonForce ransomware attack unverified. Interestingly, both victims' websites remain operational, showing no immediate signs of the cyberattacks. This discrepancy adds another layer of mystery to the unfolding situation. Moreover, along with the cyberattack post, the DragonForce ransomware group stated that it had access to 15.34 GB of data associated with Malone & Co. The hacker group has shared a deadline of 16 days before the data gets published. As for the second alleged victim, Watt Carmichael, the hacker group claims access to 27.3 GB of data, and no ransom deadline was shared. The threat actor, DragonForce, has used the same modus operandi to target similar victims in the past.

Who is the DragonForce Ransomware Group?

DragonForce, a hacktivist group hailing from Malaysia, is infamous for its relentless cyberattacks on government institutions and commercial entities, primarily in India. Their targets extend beyond geographical borders, with a particular focus on websites affiliated with Israel while advocating for pro-Palestinian causes. Utilizing a variety of tactics such as defacement attacks, distributed denial-of-service (DDoS) attacks, and data leaks, DragonForce demonstrates a high level of adaptability and sophistication in their operations. This versatility has enabled them to evolve their strategies over time, staying one step ahead of their adversaries. Embracing their role as vigilantes for the people, DragonForce Malaysia boldly proclaims its mission on various online platforms, including social media giants like Facebook, YouTube, and X (formerly Twitter). Through these channels, they amplify their voice, connecting with like-minded individuals and fostering a sense of community among Malaysian cybersecurity enthusiasts. Central to DragonForce's ideology is their staunch advocacy for the Palestinian cause. Their actions speak volumes, from high-profile hacks targeting Israeli networks to broadcasting messages of solidarity through unconventional mediums like TikTok. Despite their formidable capabilities, DragonForce does not operate in isolation. Collaborative efforts with other local hacker threat groups have been reported, highlighting the interconnected nature of the hacktivist groups.

SideCopy APT Campaign Found Targeting Indian Universities

By: Alan J
15 May 2024 at 03:48

Cyble Research and Intelligence Labs (CRIL) researchers have uncovered a new SideCopy campaign. The threat actor group has previously been observed targeting South Asian nations with a particular focus on government and military targets in India and Afghanistan. Active since May 2023, the campaign targets university students through sophisticated infection chains involving malicious LNK files, HTAs, and loader DLLs disguised as legitimate documents. Ultimately, the campaign deploys malware payloads such as Reverse RAT and Action RAT, granting attackers extensive control over infected devices. The research explores the tactics employed by SideCopy, such as their recent focus on university students, and potential overlap in activities with the Transparent Tribe APT group.

Technical Analysis of the SideCopy Campaign Infection Chain

In early May, CRIL identified a malicious domain employed by the SideCopy group in their operations. The website was discovered hosting a ZIP archive file named "files.zip" that contained sub-directories labeled as "economy," "it," and "survey." The survey directory included files similar to those previously employed by SideCopy in their earlier campaigns. The campaign likely employs spam emails to distribute the malicious ZIP archive hosted through the compromised website as the initial infection vector. These archives contain malicious LNK files disguised as legitimate documents, such as "IT Trends.docx.lnk." Upon execution, the LNK files trigger a series of commands that download and execute a malicious HTA file. The downloaded HTA files contain embedded payloads within additional lure documents and DLL files. The lure documents are typically themed around current affairs or relevant academic topics to appear legitimate to the targeted demographic. The malware is crafted to adapt to the presence of different antivirus software such as Avast, Kaspersky and Bitdefender, which further amplifies its ability to evade detection, and it ensures persistence by placing the LNK shortcut files in the startup folder. The attack process ultimately leads to the deployment of malicious payloads such as Reverse RAT and Action RAT onto the victim system, which then connect to a remote Command-and-Control (C&C) server to commence malicious activities.
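The disguise described above, a shortcut named like a document inside a ZIP, is something a mail or download filter can check before a user ever opens the archive. The following Python sketch is an added example, not code from Cyble or The Cyber Express; the function names, the size and depth limits, and the sample archive layout are assumptions made for illustration, and only the "IT Trends.docx.lnk" name and the "economy", "it" and "survey" directory names come from the article.

```python
import io
import zipfile

# Extensions a recipient reads as "just a document".
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
# File types from the article's chain that run commands when opened on Windows.
LAUNCHER_EXTS = {".lnk", ".hta"}
MAX_NESTED_BYTES = 5 * 1024 * 1024  # assumed limit: do not inflate large nested archives
MAX_DEPTH = 2                       # assumed limit: outer archive plus one nested level


def classify_member(name):
    """Return 'masquerade', 'launcher' or None for one archive member name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces, so "x.lnk. " still opens as a shortcut.
    base = base.rstrip(". ").lower()
    exts = ["." + part.strip() for part in base.split(".")[1:]]
    if not exts or exts[-1] not in LAUNCHER_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return "masquerade"  # e.g. "IT Trends.docx.lnk"
    return "launcher"


def triage_archive(data, depth=0, prefix=""):
    """Return [(member_path, finding)] for a ZIP archive supplied as bytes."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Fail closed: an archive the filter cannot parse is itself a finding.
        return [(prefix + "<archive>", "unreadable")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            finding = classify_member(info.filename)
            if finding:
                findings.append((path, finding))
            elif info.filename.lower().endswith(".zip"):
                if info.flag_bits & 0x1:
                    findings.append((path, "encrypted-not-inspected"))
                elif depth + 1 >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    findings.append((path, "nested-archive-not-inspected"))
                else:
                    findings += triage_archive(archive.read(info), depth + 1, path + "!")
    return findings


def build_sample_zip():
    """Constructed sample: names mirror the article, contents are placeholder bytes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Survey Form.pdf.lnk", b"placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("economy/notes.txt", b"placeholder")
        z.writestr("it/IT Trends.docx.lnk", b"placeholder")
        z.writestr("survey/form.hta", b"placeholder")
        z.writestr("survey/more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, finding in triage_archive(build_sample_zip()):
        print(f"{finding:12} {member}")
```

The check looks only at member names, so it costs almost nothing at a gateway; a "masquerade" hit is a strong reason to quarantine, while a bare "launcher" hit depends on whether the organization ever exchanges shortcuts or HTA files by email.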

Intersection with Transparent Tribe Activities

The research further suggests a potential overlap or collaboration between SideCopy and Transparent Tribe, another APT group known for targeting Indian military and academic institutions. This intersection hints at possible collaborative efforts or shared objectives between the two groups, with researchers previously noting that SideCopy may function as a sub-division of Transparent Tribe. SideCopy is also known to emulate tactics of the Sidewinder APT group in the distribution of malware files, such as the use of disguised LNK files to initiate a complex chain of infections. CRIL researchers have advised the use of strong email filtering systems, exercise of caution, the deployment of network-level monitoring and the disabling of scripting languages such as PowerShell, MSHTA, cmd.exe to protect against this potential threat.

Credibility in Question: Meesho Data Breach Claims Echo 2020 Leak

A threat actor using the alias qpwomsx has claimed responsibility for an alleged data breach affecting the popular Indian online shopping platform, Meesho. However, the legitimacy of this Meesho data breach is under scrutiny, as the threat actor seems to have reposted data from 2020 and only joined the platform in May 2024, raising questions about their credibility. On Nuovo BreachForums, qpwomsx displayed what they claimed was a database from Meesho, presenting snippets of data as proof. These excerpts, which included names, email addresses, and phone numbers, initially raised concerns. However, upon closer examination, a twist emerged: the sample records provided were identical to those from the 2020 IndiaMART database leak, which affected about 38 million user records. This discovery casts significant doubt on the credibility of qpwomsx's claims about a Meesho data breach.

Unconfirmed Meesho Data Breach Surfaces on Dark Web

The discrepancies didn't end there. The Cyber Express further analyzed the claims and found inconsistencies within the data itself. Specifically, discrepancies between names and associated phone numbers raised red flags. Given qpwomsx's brief tenure on the platform and apparent credibility issues, discerning the authenticity of the Meesho data breach becomes a daunting task. However, examining the stolen data paints a perplexing situation, as the majority of the email addresses are valid and deliverable. Along with the emails, the data appears to be a compilation of personal information belonging to individuals predominantly based in India. Alongside names, email addresses, and phone numbers, additional details such as location and workplace affiliations were also included. However, the presence of "null" values suggests potential gaps or inaccuracies within the dataset.

The IndiaMART Data Breach Link

The Cyber Express has reached out to the e-commerce giant to learn more about this alleged Meesho data leak. However, at the time of writing this, no official statement or response has been shared, leaving the claims for the data breach unverified. Moreover, parallels emerge between the purported Meesho breach and the 2020 IndiaMART data leak, which exposed sensitive information from over 40,000 suppliers. IndiaMART, a prominent business-to-business e-commerce platform, was also targeted in a cyberattack in 2020. Despite assertions from the company that only basic contact information is publicly available, cybersecurity researchers found an extensive exposure of sensitive data. Interestingly, the stolen data from the IndiaMART data leak is similar to the current Meesho data breach, raising concerns about the authenticity of the leak and the motives behind it. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Meesho data breach or any official confirmation from the Indian e-commerce giant.

Dark Web Hacker Claims to Expose 70K National Parent Teacher Association Records

The IntelBroker hacker has allegedly leaked a database belonging to the National Parent Teacher Association (PTA), a cornerstone of child advocacy in America since its establishment in 1897. The National Parent Teacher Association breach, which occurred in March, was posted by the threat actor on May 13, 2024.  Over 70,000 records of registered users, comprising a wealth of sensitive data, were reportedly compromised in this PTA data breach. The leaked data, disclosed on nuovo BreachForums, includes a trove of information ranging from personal identifiers to financial details. 

Dark Web Hacker Discloses National Parent Teacher Association Breach 

Among the exposed data are insured data, college information, client lists, medical insurance records, and payment information. This PTA data breach not only poses a threat to the privacy and security of individuals but also raises concerns about the misuse of such sensitive information. The impact of this breach extends beyond the confines of the PTA itself, affecting individuals across the United States, particularly in the North American region. With PTA.org being the primary platform for engagement, the breach, if true, can have severe consequences. The post on BreachForums by the IntelBroker hacker, titled "Parent Teacher Association Database, Leaked - Download!" and timestamped May 13, 2024, provides insights into the extent of the PTA data breach. The threat actor proudly claims responsibility for the breach alongside an entity named GodLike. The data dump shared by IntelBroker reveals intricate details, including identifiers, addresses, contact information, and policy-related data.

Cyberattack on Educational Institutions

The Cyber Express reached out to the National Parent Teacher Association for clarification and response regarding the breach. However, at the time of writing this, no official statement or response has been received. Moreover, this isn’t the first time a student-centric organization was targeted in a cyberattack. Educational institutions, from K-12 schools to universities, store vast amounts of personal data, making them prime targets for cyberattacks. The educational sector witnessed a 258% surge in incidents in 2023, with 1,537 confirmed data disclosures, often attributed to vulnerabilities like MOVEit. Ransomware remains a major external threat, while internal risks stem from uninformed users and overworked staff. Attacks, primarily financially motivated, exploit the emotionally fraught nature of personal data exposure. Common attacks include data breaches, ransomware, BEC, DDoS, and online invasions. Recent high-profile attacks, like those on the University of Manchester and the University of California, highlight the urgent need for enhanced cybersecurity measures in educational institutions.

R00TK1T Group Intensifies Cyberattacks on Egyptian Firms After Clash with Anonymous Egypt

In the latest twist of the cyber warfare between the Anonymous Egypt group and R00TK1T hackers, the latter has turned up the heat on Egyptian soil, accusing the Anonymous Egypt group of content theft. In a dark web post, R00TK1T has vowed to intensify cyberattacks on Egypt, targeting major infrastructure and organizations within the nation. The retaliation was swift and severe — starting the attacks with cyber assaults on the Ministry of Supply and Internal Trade in Egypt and a prominent software company with operations in Egypt. The hacker used the same methods to target all the alleged victims and left several messages on their data leak channel, condemning the Anonymous Egypt group, stating, “Anonymous Egypt made a grave mistake thinking they could outsmart us. Now, it's time to show them the true power of our skills.”

R00TK1T's Cyberattacks on Egypt Post Anonymous Egypt Confrontation

In a declaration on the dark web, R00TK1T proclaimed, "Security Is Just An Illusion, Privacy Is Just Another Illusion." They warned of impending chaos, signaling their determination to disrupt the status quo. Their message resonated with defiance: "F*ck Society & The System! We Are R00TK1T Will Be Anywhere Anytime!" The Ministry of Supply and Internal Trade was among the first victims that allegedly fell prey to R00TK1T's infiltration, with the group proudly flaunting evidence of their access to the ministry's most secure networks. As images surfaced, showcasing the depth of their intrusion, it became clear that R00TK1T's retaliation was not against the hacker group but the whole of Egypt.

R00TK1T Cyberattacks Intensify

But these cyberattacks on Egyptian companies didn't end there. CorporateStack, a renowned company specializing in digital transformation solutions, also fell victim to an alleged cyberattack by the hacker group. With clients like Bentley, Vodafone, and Hexa, CorporateStack was a prime target for R00TK1T's message: no entity was beyond their reach. The group's infiltration into CorporateStack's systems sent a clear message to businesses operating in Egypt. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged cyberattacks on Egypt by the hacker group or any official confirmation from the organizations listed by R00TK1T hackers.

Alleged Hosocongty Data Breach Exposes Vietnamese Job Seekers

A dark web hacker, known as "makishimaaaa," has recently advertised a significant data breach on the Nuovo BreachForums. The compromised data originates from Hosocongty, a prominent Vietnamese job search platform. According to makishimaaaa's post on May 12, 2024, the hacker claims to have exfiltrated a PII (Personally Identifiable Information) database from the Hosocongty data breach in 2024. The database, offered for sale at the price of $320, contains approximately 160,000 records. These records include sensitive information such as company names, passwords, contact details, and various other personal identifiers. Interested buyers are instructed to contact the hacker privately, with the option of using escrow systems for transactions.

Hosocongty Data Breach Exposes Thousands of Job Seekers

Hosocongty.vn, the affected platform, serves as a crucial link between job seekers and employers across Vietnam. Its rapid growth highlights its significance in the country's job market. However, this data breach raises concerns about the security and privacy of the platform's users. Makishimaaaa's relatively low ransom demand and status as a new member of the hacking forum suggest a developing situation. The hacker joined the platform in March 2024 and has since posted 38 times. This calculated move indicates a deliberate attempt to minimize suspicion while maximizing profits from the stolen data. The compromised database contains a wealth of personal information, including company details, contact numbers, email addresses, and more. Makishimaaaa emphasizes the quality and active rate of the data, reassuring potential buyers of its reliability. However, the ethical implications of purchasing stolen data remain a cause for concern. The Cyber Express has reached out to the recruitment firm to learn more about this Hosocongty data breach. However, at the time of writing this, no official statement or response has been released, leaving the claims for the Hosocongty data leak unverified.

Cyberattack on the Recruitment Sector

The Hosocongty data breach is indicative of a broader trend of increasing cyberattacks on the recruitment sector. In February 2024, Das Team Ag, a prominent job placement agency in Switzerland and Liechtenstein, fell victim to the Black Basta ransomware group, highlighting the vulnerability of recruitment platforms. Cyber risks in the digital hiring process have intensified over the years, with cybercriminals targeting sites housing sensitive data, such as employment platforms. The surge in digitalization has exacerbated these threats, necessitating enhanced security measures across industries. Polymorphic attacks, phishing, and malware are among the most prevalent cyber threats facing the recruitment sector, posing risks to both job seekers and companies. As such, users of Hosocongty are urged to exercise vigilance and implement necessary security measures to safeguard personal information. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Hosocongty data breach or any official confirmation from the Vietnamese job portal.

Hacktivist Group R00TK1T ISC Claims Breach of Egyptian Ministry’s Systems

Hacktivist collective R00TK1T ISC CyberTeam has claimed responsibility for breaching the Ministry of Supply and Internal Trade in Egypt. The group's announcement, posted on their platform, boldly declares their successful infiltration into the ministry's systems, accompanied by purported evidence of their access to highly secure networks. These Ministry of Supply and Internal Trade breach claims come on the heels of previous announcements by R00TK1T ISC, including their intention to target the BreachForums and the subsequent closure of their official Telegram channel. The group cited security considerations for their shift back to operating in secrecy, leaving their private data channel as the sole means of communication for their activities.

Ministry of Supply and Internal Trade Breach Claims

The Cyber Express has tried reaching out to the Egyptian ministry to learn more about these alleged Ministry of Supply and Internal Trade data breach claims. However, efforts to verify the intrusion were hampered by communication difficulties, preventing direct contact with the ministry. As a result, the claims made by R00TK1T ISC remain unconfirmed. The website for the Ministry of Supply and Internal Trade seems to be operational at the moment and doesn’t show any immediate sign of the intrusion. The threat actor has shared several screenshots of the document pilfered through this intrusion. Talking about the Ministry of Supply and Internal Trade breach in their post, the threat actor said, “We have successfully hacked into The Ministry of Supply and Internal Trade in Egypt, showcasing our deep infiltration into their systems.”

R00TK1T ISC CyberTeam Hacking Spree

Meanwhile, in a separate incident on January 30, 2024, R00TK1T ISC CyberTeam launched an attack on Malaysia's digital infrastructure, further highlighting the global reach and impact of such malicious activities. Their claim to have accessed sensitive information from prominent companies like L'Oreal and Qatar Airways highlights the sophistication and persistence of cyber threats faced by businesses worldwide. In Egypt, the corporate sector has witnessed a surge in ransomware attacks in recent weeks, posing a significant risk to businesses across various industries. This escalating threat necessitates urgent action to bolster cybersecurity measures and mitigate potential damages. Amid ongoing political and security challenges in the Middle East, Egyptian businesses remain prime targets for cyberattacks, with ransomware emerging as a prevalent threat. The consequences of such attacks, including data loss and reputational damage, highlight the critical need for better defense mechanisms to safeguard against cyber threats.

Australia Faces Unprecedented Cyber Threats Amid Support for Ukraine

Following Australia's vocal support for Ukraine, the nation finds itself targeted by a Cyber Army Russia Reborn cyberattack. The recent alleged Distributed Denial of Service (DDoS) attacks hit Australian entities, including two prominent organizations in Australia — Auditco and Wavcabs. The DDoS attacks, orchestrated by Cyber Army Russia Reborn, seem to be a response to Australia's solidarity with Ukraine. While the precise motives behind these attacks remain unclear, the timing suggests a correlation between Australia's stance and the cyber onslaught.

Cyber Army Russia Reborn Cyberattack Targets Australia

Wavcabs, a transportation service, and Auditco, an auditing company, were among the targets of these Cyber Army Russia Reborn cyberattacks. Wavcabs' online services were disrupted, with users encountering connection timeouts when attempting to access the website. Similarly, Auditco faced technical difficulties, as indicated by error code 522 on their site earlier. The Cyber Express has reached out to both organizations to learn more about this Cyber Army Russia Reborn cyberattack. Despite the severity of these cyber incidents, both Wavcabs and Auditco have not issued official statements regarding the attacks. The lack of response leaves the claims of Cyber Army Russia Reborn's involvement unverified, highlighting the complexity of attributing cyberattacks to specific actors.

Australia's Support for Ukraine

These assaults on Australian companies occur as the nation reaffirms its support for Ukraine. The Albanese Government's commitment to aiding Ukraine was recently reinforced with a $100 million assistance package. Deputy Prime Minister and Minister for Defence, Richard Marles, revealed the assistance during a visit to Ukraine, where he witnessed firsthand the impact of Russia's aggression. Australia's $100 million aid package to Ukraine includes $50 million for military assistance, prioritizing Australian defense industry support for uncrewed aerial systems and essential equipment. Another $50 million is designated for short-range air defense systems, alongside the provision of air-to-ground precision munitions. Amidst ongoing cyberattacks on Australia, the nation’s unwavering support for Ukraine highlights the complexities of modern warfare and the critical need for cybersecurity measures. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on these cyberattacks on Australian companies or any official confirmation from the listed organizations.

Dell Warns Customers of Data Breach: Threat Actor Claims 49M Records Compromised

Dell has issued a warning to its customers regarding a data breach following claims by a threat actor of pilfering information for roughly 49 million customers. In an email sent to customers, the computer manufacturer disclosed that a Dell portal containing customer data associated with purchases had been compromised. "We are presently investigating an incident involving a Dell portal, housing a database containing limited types of customer information linked to Dell purchases," stated a Dell data breach notification. Dell clarified that the accessed information encompassed:
  • Names
  • Physical addresses
  • Dell hardware and order details, comprising service tags, item descriptions, order dates, and relevant warranty information
The company said the stolen data did not encompass financial or payment data, email addresses or phone numbers. Dell assured customers that it is collaborating with law enforcement and a third-party forensics firm to probe the matter.

[Image: Dell data breach notification]

Dell Technologies is a publicly traded company that operates in 180 countries and is headquartered in Round Rock, Texas. Dell is the third-largest personal computer vendor in the world by unit sales, behind Lenovo and HP. It serves more than 10 million small and medium-sized businesses and receives 500 million annual eCommerce visits. The tech giant generated revenue of $102.3 billion in 2023 and has over 500,000 commercial customers and 2,500 enterprise accounts. Dell was ranked 31st on the Fortune 500 list in 2022 and is also the sixth-largest company in Texas by total revenue, according to Fortune magazine.

Dell Data Breach Set Appeared on Dark Web

Despite Dell's reassurances, the breach data was purportedly put up for sale on an underground hacker forum by a threat actor named “Menelik” on April 28. The threat actor claimed this data set contained up-to-date details of registered Dell servers, including vital personal and company information such as full names, addresses, cities, provinces, postal codes, countries, unique 7-digit service tags of systems, system shipment dates (warranty start), warranty plans, serial numbers (for monitors), Dell customer numbers and Dell order numbers. The threat actor asserted that he was the sole possessor of this data, which comprised approximately 7 million records of individual/personal purchases, while 11 million belong to consumer segment companies. The remaining data pertained to enterprise, partners, schools or unidentified entities. The threat actor also highlighted the top five countries with the most systems represented in the database, which included the United States, China, India, Australia and Canada.

The data, claimed to be sourced from Dell and containing 49 million customers and other systems details between 2017 and 2024, aligned with the details outlined in Dell's breach notification. However, The Cyber Express could not confirm if the two data sets are the same as Dell did not immediately respond to our request for confirmation. Although the sale of the database appears to have ceased, the possibility of further exploitation remains. Although Dell refrained from disclosing the specific impact of the breach, it remains vigilant about potential risks associated with the stolen information. While the compromised data lacks email addresses, threat actors could exploit it for targeted phishing and smishing attacks against Dell customers. They could contact Dell customers as fake customer service executives and lead them into downloading malware or infostealers, as seen in many previous campaigns.

Dell advises customers to exercise caution regarding any communications purportedly from Dell, especially those urging software installations, password changes or other risky actions, and encourages customers to verify the legitimacy of such communications directly with Dell.

(SOLD) IntelBroker Traded $20K Crypto For Alleged Unauthorized Cybersecurity Company Access

IntelBroker has asserted a massive breach and has now sold access to a cybersecurity entity with a hefty annual revenue of USD 1.8 billion. The threat actor traded the access for USD 20,000 in XMR or ETH with an unknown entity on a dark web forum. The initial offer touted access to a trove of sensitive information, including SSL keys, SMTP access, PAuth/Pointer Authentication, and various login credentials. Despite the lack of concrete evidence, a conversation surfaced on social media platforms purportedly involving IntelBroker, further fueling speculation. While the forum post rumors hinted at the US-based cloud security giant, Zscaler Inc., the actual target remains unconfirmed due to the absence of corroborating proof. However, Zscaler's recent security update on its website hints at a possible connection between the two events.

Alleged Zscaler Data Breach Threatens the Cybersecurity Community

[Image. Source: Dark Web]

The gravity of the alleged Zscaler data breach escalated when rumors emerged surrounding a possible breach within the organization's infrastructure. Allegations circulated that a threat actor was peddling access to the company's systems. In response, Zscaler swiftly took its "test environment" offline for analysis, aiming to ascertain the authenticity of the claims. However, the current update from the hacker stated that the unauthorized access has now been sold. Apart from the update, no further information was provided on the receiver who allegedly purchased the unauthorized access for USD 20,000.

Zscaler has updated its security page, stating, "Zscaler continues to investigate and reiterates there is no impact or compromise to our customer, production, and corporate environments. During the afternoon of May 8, we engaged a reputable incident response firm that initiated an independent investigation. We continue to monitor the situation and will provide additional updates through the completion of the investigation."

[Image: Zscaler data breach update. Source: Zscaler]

Initially, Zscaler reassured stakeholders that their investigation yielded no evidence of compromise within their customer or production environments. However, concerns persisted as discussions around the purported Zscaler data breach proliferated online. Users on various platforms debated the authenticity of the claims, with some expressing skepticism while others confirmed the breached organization is the cybersecurity giant.

Zscaler Responds to the Alleged Breach Claims 

Amid the uncertainty, Zscaler remained positive, emphasizing its commitment to safeguarding customer and production environments. Updates from Zscaler's Trust site reiterated their dedication to thorough investigation and transparency. While it confirmed the discovery of an isolated test environment exposed to the internet, they highlighted its lack of connectivity to critical systems and absence of customer data. Talking about the rumors, Zscaler stated that the organization is aware of the claims and they are currently investigating the data. “Zscaler is aware of a public X (formerly known as Twitter) post by a threat actor claiming to have potentially obtained unauthorized information from a cybersecurity company. There is an ongoing investigation we initiated immediately after learning about the claims. We take every potential threat and claim very seriously and will continue our rigorous investigation”, added Zscaler. 

Who is IntelBroker?

Video: https://www.youtube.com/watch?v=wXuurLlu25I

IntelBroker is a solo hacker who gained infamy in 2023 for breaching Weee! and leaking data of 11M customers. Allegations hint at its connection to Iranian state entities, though IntelBroker denies it, claiming independence from Serbia. The hacker's focus on US defense suggests state cooperation. In an exclusive interview with The Cyber Express, the hacker shared information about these operations and himself as a person. Instead of being a full-fledged member of a ransomware group, IntelBroker has been working alone but has collaborated with other hackers in the industry. IntelBroker's targets span national security, government, critical infrastructure, and commerce sectors, executing extensive data breaches without traditional ransomware tactics. The hacker's methods include exploiting vulnerabilities and utilizing the "Endurance-wiper" tool. Transactions predominantly occur in XMR cryptocurrency, ensuring anonymity. The hacker's breaches extend to companies like Razer, AT&T, and Verizon, sparking debates on corporate cybersecurity practices. Despite lucrative gains, IntelBroker advocates transparency in reporting breaches to maintain credibility.

UK-Based Digital Signing Platform SigningHub Denies Cyberattack by IntelBroker

SigningHub has denied the allegations of the cyberattack orchestrated by the IntelBroker hacker. The UK-based online document signing and digital signature creation service provider has shared a blog post detailing the false claims made by the threat actor. The organization stated that "this claim has been found to be 100% false", and upon analysis of the file purported to be the source code of Ascertia SigningHub, the organization noted that the file does not include any source code or executable related to SigningHub or any other Ascertia product. The SigningHub data leak, initially posted on the new BreachForums, shared insights into the operation of the organization. IntelBroker, a known entity in the hacker community, revealed the breach on May 8, 2024, shedding light on an incident that allegedly occurred in December 2023. The leaked source code encompasses crucial elements of SigningHub's infrastructure, including API services, docker container files, certificates, libraries, and other sensitive data.

Ascertia Denies Allegations of the SigningHub Data Leak

Following the SigningHub data leak claims, Ascertia responded via a blog post, stating that the SigningHub data breach and source code leak claims are false. Allegations arose on May 8th via Twitter/X, claiming unauthorized access to Ascertia's network in December 2023. After thorough investigation, Ascertia confirmed no breach or access to SigningHub's source code. The file posted online purported to be SigningHub's source code was analyzed, revealing no related content. "The Ascertia IT team simultaneously began a thorough investigation of the Ascertia network security systems and logs. At this time, Ascertia can confirm that there is no unauthorised access from bad actors and has concluded that the claims of a data breach are also false", stated Ascertia. Simultaneously, Ascertia's IT team examined network security systems and logs, confirming no unauthorized access. Ascertia emphasizes its dedication to information security, GDPR compliance, and robust security measures. Ongoing analysis of network access points and systems ensures product, staff, and client data security.

IntelBroker Claims SigningHub Data Leak

[Image: SigningHub Data Leak. Source: Dark Web]

The announcement of the SigningHub data breach paints a grim picture of the intrusion and its alleged impact. The post, titled "SigningHub - File Signing SRC Leaked, Download!", was shared by the threat actor while other users commended the hacker for this intrusion, stating the SigningHub code leak was “another great hit”, “top release” and other words of praise.

The Cyber Express has reached out to Ascertia to learn more about this SigningHub data leak. However, at the time of writing this, no official statement or response has been shared apart from the blog post by the parent company Ascertia. In an attempt to shed light on the operation associated with the hacker, The Cyber Express reached out to IntelBroker for insights into their motivations and methods. In a recent interview, IntelBroker shared details of their hacking journey, affiliations, and previous exploits, highlighting the scale and sophistication of their operations.

The IntelBroker Modus Operandi and Recent Attacks

Video: https://youtu.be/wXuurLlu25I?si=FQYqB3byG3-0lgyr

IntelBroker's track record includes a series of high-profile breaches targeting organizations across various sectors, ranging from aviation and technology to government agencies. Notable breaches attributed to IntelBroker include infiltrations at the Los Angeles International Airport, Acuity, General Electric, DC Health Link, and others, each revealing the extent of vulnerabilities in digital infrastructure. The alleged breach at SigningHub adds another layer of complexity to the IntelBroker operations as the hacker has claimed multiple data breaches in 2024, highlighting the pressing issue of security. The Cyber Express will be closely monitoring the situation and we’ll update this post once we have more information on the SigningHub source code leak or any official confirmation from the organization.

Hacker Duo Allegedly Strikes HSBC, Barclays in Cyberattacks

Hackers IntelBroker and Sanggiero have claimed a data breach allegedly impacting HSBC Bank and Barclays Bank. The HSBC Bank data breach, along with the breach at Barclays reportedly occurred in April 2024, involving a security incident through a third-party contractor, ultimately leading to the leak of sensitive data.  The compromised data, which was being offered for sale on Breachforums, allegedly includes a wide array of files such as database files, certificate files, source code, SQL files, JSON configuration files, and compiled JAR files. Preliminary analysis suggests that the data may have been sourced from the services provided by Baton Systems Inc., a post-trade processing platform, potentially impacting both HSBC Bank and Barclays Bank. However, Baton Systems has not shared any update on this alleged attack or any connection with the sample data provided by the threat actor.

Hacker Duo Claims Barclays and HSBC Bank Data Breach

Barclays Bank PLC and The Hong Kong and Shanghai Banking Corporation Limited (HSBC) are the primary organizations reportedly affected by this breach. Both have operations spanning the United Kingdom, the United States, and regions including Europe and North America. The threat actor threatens the banking systems and probably targets customers' data; however, there has been no evidence of such data getting leaked.

[Image: Barclays and HSBC Bank data breach. Source: Dark Web]

In a post on Breachforums, one of the threat actors, IntelBroker, shared details of the Barclays and HSBC Bank data breach, offering the compromised data for download. The post, dated May 8, 2024, outlined the nature of the breach and the types of data compromised, including database files, certificate files, source code, and more. The post also provided a sample of the leaked data, revealing a mixture of CSV data representing financial transactions across different systems or entities.

While talking about the stolen data, IntelBroker stated that he is "uploading the HSBC & Barclays data breach for you to download. Thanks for reading and enjoy! In April 2024, HSBC & Barclays suffered a data breach when a direct contractor of the two banks was breached. Breached by @IntelBroker & @Sanggiero".

A Closer Look at the Sample Data 

A closer look at the sample data reveals three distinct datasets, each containing transaction records with detailed information about financial activities. These records encompass a range of information, from transaction IDs and timestamps to descriptions and account numbers involved. The datasets provide a comprehensive view of various transactions, offering valuable insights for financial analysis and tracking.

The Cyber Express has reached out to both the banks to learn more about these alleged data breaches. HSBC Bank has denied these allegations about the breach, stating, “We are aware of these reports and confirm HSBC has not experienced a cybersecurity incident and no HSBC data has been compromised.” However, at the time of writing this, no official statement or response has been shared by Barclays, leaving the claims of the data breach related to Barclays unverified.

Moreover, the two hackers in question, IntelBroker and Sanggiero, have claimed similar attacks in the past, targeting various global organizations. In an exclusive interview with The Cyber Express, one of the hackers, IntelBroker, shed light on their hacking activities and the motivations behind their operations. IntelBroker had also praised Sanggiero from BreachForums, saying “his exceptional intellect and understated contributions to the field are deserving of far greater recognition and respect.”

LockBit Ransomware Targets Wichita City Following Unmasking of Group Leader

Despite the major collaborative effort by law enforcement agencies resulting in the exposure and sanctioning of Dmitry Yuryevich Khoroshev, the Russian national thought to be at the helm of LockBit's widespread hacking operations, the hacker group shows no signs of ceasing its activities. LockBit has reportedly launched a cyberattack on Wichita, Kansas, targeting state government and various local entities. The news of the Wichita cyberattack emerged on LockBit's previously inactive platforms, which were reactivated after the shutdown of their official website.

Cyberattack on Wichita Post LockBit Leader Arrest

[Image: Cyberattack on Wichita. Source: Dark Web]

The Wichita cyberattack targeted the official website (wichita.gov), prompting concerns over the security of critical municipal systems. While the ransomware group has not yet released any compromised data, they have set a deadline of May 15, 2024, for its publication. The announcement by LockBit ransomware follows closely on the heels of an earlier notification by the city of Wichita regarding a ransomware attack on May 5, 2024, although the responsible ransomware gang was not initially disclosed. Wichita, the largest city in the state of Kansas, serves as the county seat of Sedgwick County and is a populous urban center in the region.

The Cyber Express has reached out to the state government to learn more about this cyberattack on Wichita. However, at the time of writing this, no official statement or response has been received. However, the city of Wichita reported a ransomware attack that targeted various government and private organizations within the city.

Security Update from Wichita: Ransomware Group Remains Unnamed!

According to a press release by the city of Wichita, the recent posts from the state's Cyber Security Incident Update indicate ongoing efforts by the city's information technology department and security partners to address the cyberattack. “Many City systems are down as security experts determine the source and extent of the incident. There is no timetable for when systems could be coming back online. We appreciate your patience as we work through this incident as quickly and as thoroughly as possible”, reads the official press release.

In the meantime, various city services and amenities have been impacted by the cyber incident, prompting adjustments to normal operations. Water systems remain secure and functional, with provisions in place for those experiencing difficulties paying bills or facing water shut-offs. Transit services, city vendors, park and recreation facilities, licensing procedures, and municipal court operations have all been affected to varying degrees, necessitating alternative arrangements such as cash payments and in-person transactions. Similarly, services provided by cultural institutions, resource centers, planning departments, and housing and community services are also subject to modifications and delays as the city works to address the cyberattack. The city's airport and library services have experienced disruptions to Wi-Fi access and digital infrastructure, although essential operations continue with minimal impact on services provided to the public.

This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the cyberattack on Wichita or any new updates from the government.

SpaceX Data Breach Back From the Dead: Hunters International Posts Alleged Stolen Information

SpaceX, the aerospace manufacturer and space transport services company founded by Elon Musk, has allegedly suffered a cybersecurity incident involving a data breach claimed by Hunters International, a notorious hacking group that reportedly posted samples of the SpaceX data. The SpaceX data breach seems to involve relatively old data from SpaceX, with Hunters International employing name-dropping tactics to exert extortion pressure. Interestingly, these same samples were involved in an earlier data breach that SpaceX faced in early 2023, attributed to the LockBit ransomware group.

Hunters International shared samples and databases supposedly linked to SpaceX, including access to 149.9 GB of data. This database, originally associated with the initial SpaceX data breach linked to LockBit, was traced back to a third-party supplier within SpaceX's supply chain, specifically a manufacturing contractor based in Texas.

Through infiltration of the vendor's systems, LockBit allegedly gained control of 3,000 drawings or schematics verified by SpaceX engineers.

SpaceX Data Breach Resurfaces on the Dark Web

[Image: SpaceX Data Breach. Source: X]

Interestingly, the threat actor sheds light on the SpaceX data breach's infiltration, including an undisclosed GoPro development environment. Adding another layer to the intrigue, recent events in April 2024 reveal the Cactus ransomware group's purported targeting of Aero Dynamic Machining, Inc., a US-based aerospace equipment manufacturer. The group alleges to have extracted a staggering 1.1 TB of data, encompassing confidential, employee, and customer information from industry giants like Boeing, SpaceX, and Airbus. Subsequently, the group leaked 5.8 MB of compressed data, containing agreements, passports, shipping orders, and engineering drawings, further intensifying the gravity of the situation.

The Cyber Express has reached out to SpaceX to learn more about the data breach claims made by the Hunters International group. However, at the time of writing this, no official statement or response has been received, leaving the claims for the SpaceX data breach unverified. Moreover, the website for SpaceX seems to be operational at the moment and doesn’t show any immediate sign of the attack or data breach, suggesting a likelihood that the data shared by Hunters International may indeed stem from the breach of 2023.

How LockBit Ransomware Group Breached SpaceX?

In March 2023, the LockBit Ransomware group infiltrated a third-party manufacturing contractor in Texas, part of SpaceX's supply chain, seizing 3,000 certified drawings and schematics created by SpaceX engineers. LockBit directly addressed SpaceX CEO Elon Musk, demanding ransom payment within a week under the threat of selling the stolen blueprints. The gang's audacious move aimed to profit from the sensitive data, regardless of the vendor's response. Despite concerns over compromised national security and the potential for identity theft, SpaceX has not confirmed the breach, leaving the claims unresolved.

This breach, along with the reappearance of leaked data from previous incidents, highlights the persistent threat of cyberattacks on critical infrastructure. It sheds light on the urgent need for robust cybersecurity measures to safeguard against such breaches, as the ramifications extend beyond financial loss to encompass broader security implications.

The reappearance of data from last year's SpaceX data breach is raising significant concerns. This recurrence poses a serious threat to the personal and financial security of millions, potentially exposing them to the risks of identity theft and fraud. Notably, despite the breach being initially reported last year and now resurfacing, SpaceX has yet to confirm the incident, leaving the claims unverified.

BSNL Leaked Data Resurfaces with 2.9 Million Records Exposed on Dark Web

In late 2023, concerns surfaced regarding a potential data breach at Bharat Sanchar Nigam Limited (BSNL), a major telecommunications provider owned by the Indian government. However, BSNL did not confirm these reports at the time. Recently, the issue has resurfaced after data purportedly from the unconfirmed BSNL data breach has again appeared on the dark web. On April 24, 2024, a known threat actor named 'Perell', who was previously linked to the alleged 2023 BSNL data breach, released a database that reportedly belongs to BSNL. This database contains more than 2.9 million records and was originally part of an extortion scheme. In December last year, Perell claimed to have obtained sensitive BSNL data and threatened to use it against the company on the now-defunct BreachForums. Despite the time elapsed, the threat to user privacy remains significant as Perell has made the supposedly stolen data publicly available, intensifying worries about the security of information and the potential implications for BSNL’s customers.

The 2024 BSNL Data Breach Claim Surfaces on BreachForums

[Image: 2024 BSNL Data Breach. Source: Dark Web]

The leaked data, according to Perell's post on the forum, includes sensitive information from BSNL, a major player in India's telecommunications sector. While the exact reason for the resurfacing of data from 2023 is unknown, Perell shared a link on BreachForums for the stolen data, stating that the “following list of databases would be exfiltrated.” Discussions on BreachForums suggest that the recently leaked data, claimed to be from BSNL in 2024, actually dates back to 2023. Despite its age, the data remains a significant concern due to its large volume and sensitive nature. The decision to leak the same data again in 2024 is puzzling and raises questions about the motives behind this move.

[Image: The earlier post shared by the threat actor in December 2023.]

The seriousness of the situation is highlighted by the fact that the compromised data from 2023 was posted on the same forum without any clear evidence of communication between the hacker and Bharat Sanchar Nigam Limited (BSNL), and it's uncertain whether a ransom was demanded or paid. Like the current incident, the original post focused solely on revealing the data of 2.9 million users, indicating a deliberate effort to exploit and profit from the breach.

The Cyber Express has reached out to the Indian telecommunication giant to learn more about the authenticity of the data being shared by the threat actor. However, at the time of writing this, no official statement or response has been shared, leaving the claims made by the threat actor unverified.

The Far-reaching Consequences of the BSNL Database Leak

Following initial reports of the BSNL data leak in December last year, experts expressed concerns about the implications of the incident. Saket Modi, CEO of the cyber risk management startup Safe Security, commented to the Economic Times that the nature of the hack suggested it was likely carried out by an individual rather than an organization. Modi pointed out that the claim of approximately 2.9 million records being compromised suggested that the breach might involve a single website. Additionally, Kanishk Gaur, founder of India Future Foundation, spoke to the Indian media about the wider consequences of the breach, emphasizing its significant impact on both BSNL and its customers.

The reappearance of data from last year's BSNL data breach raises serious concerns. This leak threatens the personal and financial security of millions, potentially leading to identity theft and fraud. Notably, despite the breach first surfacing last year and reemerging now, BSNL has yet to confirm the incident, leaving the claims unverified. The Cyber Express has contacted BSNL for comment and is currently awaiting their response. Updates to this story will be provided as more information becomes available.

Researchers Discover Connection Between LockBit and DragonForce Ransomware Builders

By: Alan J
25 April 2024 at 05:18

Cyble Research & Intelligence Labs (CRIL) recently discovered evidence suggesting that the threat actors behind the DragonForce ransomware group might have leveraged a leaked LockBit 3.0 (Black) builder to craft their own ransomware builder. Detailed analysis revealed striking similarities between the binaries generated by the leaked LockBit 3.0 builder and DragonForce's own ransomware builder.  The findings come as part of a larger trend where newer threat actor groups are observed relying on previously-existing malware to form their own operational tools to deploy in campaigns.

DragonForce Ransomware Binary Likely Based on LockBit 3.0 Build

The DragonForce ransomware group began its operations in November 2023, employing double extortion tactics to target victims. The group is potentially linked to the Malaysian hacktivist group 'DragonForce', known for conducting campaigns against various government agencies and organizations in the Middle East and Asia during 2021 and 2022. While the group is known to have announced its intention to launch ransomware operations in 2022, proper attribution remains difficult due to limited information. CRIL researchers recently came across a DragonForce ransomware binary based on a LockBit Black (third-known LockBit variant) binary. The LockBit ransomware builder was known to have been shared on X (Twitter) in September 2022. Ransomware builders give ransomware operators specific options and customizability when generating ransomware payloads. The builder included a “config.json” file to customize payloads for functionalities such as encryption, filename encryption, impersonation, file/folder exclusion, exclusion based on languages spoken in CIS (Commonwealth of Independent States) countries, and ransom note templates. A comparison of a LockBit builder-generated ransomware binary with a DragonForce builder-generated ransomware binary revealed several similarities in code structure, functions and process termination. These similarities suggest a strong likelihood that the DragonForce ransomware binary was developed using the leaked LockBit binary file.

DragonForce Ransomware Operations

Earlier this year, in February 2024, DragonForce listed two American companies, 'Westward360' and 'Compression Leasing Services', as victims on its leak site. Earlier, in December 2023, the group claimed responsibility for an attack where over 600 GB of data was stolen from the Ohio Lottery. The stolen data consisted of both player and employee records with sensitive information such as names, addresses, winnings, dates of birth, and social security numbers. The Ohio Lottery confirmed the cyber-incident and stated that it involved significant data theft. In the same month, Yakult Australia fell victim to the DragonForce ransomware gang's operations, which impacted its Australia and New Zealand divisions, with over 95 GB of data being stolen in the attack. The Yakult Australia data breach is believed to contain business documents, spreadsheets, credit applications, employee records, and copies of identity documents, including passports. The company later acknowledged the incident and disclosed details relating to the incident to relevant authorities such as the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre. It is notable that in both attacks, the impacted systems continued to operate normally, suggesting the group employs stealthy techniques. The discovery of DragonForce's use of a leaked LockBit builder underscores the general conduct of newer ransomware groups employing existing ransomware tools and the interconnected nature of cybercriminal operations. Last year, in July 2023, researchers from VMware discovered similarities between the 8Base Ransomware and earlier ransomware groups such as RansomHouse and Phobos.

Glints Data Breach: Alleged Leak of Sensitive Employee Data from Singapore’s Recruitment Platform

A dark web user has allegedly leaked a database containing employee records linked to Glints, an online job recruitment platform in Singapore. This Glints data breach, reported on April 23, 2024, was posted to a dark web forum where sample data was leaked, specifically highlighting sensitive employee information. According to a post shared on the new BreachForums platform, the data breach purportedly contains approximately 1,000 records with personally identifiable information (PII) of Glints' employees.

Understanding the Glints Data Breach Claims

The exposed data includes sensitive details such as names, employee IDs, designations, email addresses, dates of birth, physical addresses, national ID numbers, and even bank account information. Samples of these records were provided by the threat actor, adding weight to the claims. The impact of this Glints data leak extends to Glints Pte Ltd and Glints Singapore Pte Ltd, two entities closely associated with the recruitment platform. With Singapore as the focal point of this incident, concerns are raised about the potential misuse of this data, especially within the professional services industry. The post attributed to sedapmalam on the BreachForums explicitly lists a vast array of information, including employee IDs, job positions, bank details, and even personal contact details. This comprehensive data dump highlights the severity of the alleged breach and the potential risks faced by those affected.

Response to the Breach and Vulnerability Assessment Program

The Cyber Express has reached out to the recruitment platform to learn more about the authenticity of the Glints data leak. However, at the time of writing this, no official statement or response has been shared, leaving the claims by sedapmalam largely unverified. Interestingly, the Glints website appears to be operational, and there are no immediate indications of a cyberattack on the front end. This suggests that the threat actor may have targeted the organization's database directly, circumventing traditional security measures. Notably, Glints has a dedicated service page inviting security researchers to identify vulnerabilities within its platform. While any connection between the alleged recruitment firm data breach and the vulnerability assessment program has not been verified, the alleged leak raises questions about whether the stolen data came from the program or was simply republished on the dark web platform. As the investigation into the Glints data breach unfolds, The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Glints data breach or any official confirmation from the organization.

Family-Owned Music Store Targeted: MEDUSA Ransomware Strikes Ted Brown Music

Ted Brown Music, a longstanding family-owned full-service music store established in 1931, has allegedly been targeted by the MEDUSA ransomware group. The Ted Brown Music cyberattack, marked by a post from the threat actors, further explains the depth of the attack and its repercussions.  The dark web post, laden with countdown timers and cryptic codes, presents a harrowing scenario for Ted Brown Music. Beginning with a countdown of "DAYS", "HOURS", "MINUTES", and "SECONDS", it sets a tone of urgency, suggesting a deadline of 7 days before the stolen data gets published. 

Decoding the Ted Brown Music Cyberattack Claims

Transitioning to more tangible information, the post provides details about Ted Brown Music, including its rich history, family ownership, and corporate address in Tacoma, Washington. With 95 employees and a distressing disclosure of 29.4 GB of leaked data, the magnitude of the alleged breach becomes all too apparent. The ransom demands escalate, starting at $10,000 to add one more day before the data gets published. Similarly, for a payment of $300,000, the threat actor will “delete all data” or the organization can “download all data” again. The message concludes with the numeral "23", adding the list of viewers who saw the data. The Cyber Express has reached out to the organization to learn more about this cyberattack on Ted Brown Music. However, at the time of writing this, no official statement or response has been received, leaving the claims for the Ted Brown Music cyberattack unverified.

The Rise of MEDUSA Ransomware Group

The cyberattack on Ted Brown Music follows a list of cyberattacks faced by the music industry. According to Gitnux, the sector grapples with an alarming rate of cyber attacks, with breach detection often taking months and the average cost of an attack skyrocketing. Among these cyberattacks, the MEDUSA ransomware group has manifested into a sophisticated cybercrime group. Emerging as a ransomware-as-a-service (RaaS) platform in late 2022, Medusa gained infamy in 2023, primarily targeting Windows environments. The threat actors operate a site where they expose sensitive data from organizations that refuse to meet their ransom demands. Employing a multi-extortion approach, they offer victims choices like extending deadlines, deleting data, or downloading it, each option coming with a price. In addition to their Onion site, they use a Telegram channel named “information support” to publicly share compromised files, making them more accessible. As for the cyberattack on Ted Brown Music, this is an ongoing story and The Cyber Express will be monitoring the situation. We’ll update this post once we have more information on the alleged attack or any confirmation from the organization.

Consol Energy Targeted in Cyberattack: Russian Cyber Army Claims Responsibility

The Cyber Army Russia has claimed a cyberattack on Consol Energy, a prominent American energy company headquartered in Cecil Township, Pennsylvania. The Consol Energy cyberattack reportedly disrupted the company's website accessibility, causing issues for users outside the United States. However, the website is now back online and functioning normally. Consol Energy, with its presence in the Agriculture and Mining industry, plays a crucial role in the nation's energy supply chain, contributing over $1 billion in revenue and providing employment to thousands. The cyberattack on the energy company highlights the growing nature of targeted cyberattacks in the energy sector. 

Alleged Consol Energy Cyberattack Claims by Pro-Russian Hackers

The threat actor's post suggests a motive behind the attack, citing Consol Energy's role as a competitor in the European energy market and its alleged benefits from the conflict in Ukraine. The Cyber Express has reached out to the organization to verify the authenticity of the alleged Consol cyberattack. However, at the time of writing this, no official statement or response has been received, leaving the claims for the alleged Consol cyberattack unverified. Interestingly, this isn't the first time Consol Energy has been targeted by cyber threats. In 2023, the Cl0p ransomware group claimed responsibility for a similar attack on the company. Despite these incidents, Consol Energy continues to post on its social media channels and is contributing to the country's power supply. In the wake of the cyberattack, financial analysts are observing the impact on Consol Energy's stock performance. Justin Spittler, Chief Trader at Hedge_Your_Risk, offers insights into coal stocks, highlighting CONSOL Energy's resilience despite a recent decline. However, the extent to which the cyberattack influenced this decline remains uncertain, pending official statements from the company.

Cyber Army Russia Reborn and Ongoing Investigation 

The cyberattack on Consol Energy is part of a broader trend of cyber threats targeting energy companies worldwide. Just last month, Cyber Army Russia Reborn claimed responsibility for cyberattacks in Slovenia, targeting government bodies and the public broadcaster. In a video message, the group implied that the attacks were due to Slovenia's backing of Ukraine. Voiced in Slovenian and circulated by local news, the message urged Russians and Slovenians not to harbor animosity, citing shared heritage. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged attack or any official confirmation from Consol Energy.

Alleged Luxor Data Breach: Sensitive Information from Indian Stationery Giant Leaked

A dark web user has allegedly claimed a breach involving Luxor International Private Limited, a prominent Indian manufacturer of stationery products. The Luxor data breach was first detected on April 19, 2024, when the threat actor postmaster, operating within the new BreachForums, disclosed the leak of a database purportedly belonging to Luxor. The leaked data, initially shared on the Telegram channel Leakbase, comprises 692 MB of SQL data, encompassing a trove of sensitive information. Among the data elements exposed are first names, middle names, last names, dates of birth, hashed passwords, billing and shipping details, tax information, and more.

Alleged Luxor Data Breach Exposes Sensitive Database

The Luxor data breach included information about individuals registered on Luxor's website, implying that the leaked data could be authentic. If the stolen data turns out to be genuine, the Luxor data leak can lead to loss of trust, financial losses, reputational damage, identity theft, operational disruption, and potential fraud, impacting not only the company but also its customers and stakeholders. Luxor Writing Instruments Private Limited and Luxor International Private Limited, the entities allegedly affected by the breach, have been notified about the breach. With operations spanning the Indian subcontinent, Luxor's breach has ramifications not only for its domestic clients but also for its customers and partners across Asia & Pacific (APAC). Moreover, postmaster's motives remain unclear, as the hacker has not shared any intent or motivation regarding the breach, and the stolen data seems to be limited to customers only, as it only contains data from Gmail accounts instead of the organization’s business accounts.

Decoding the Luxor Data Breach Leak

In a public post attributed to postmaster, the threat actor provided insights into the Luxor data breach, describing Luxor as the "brand leader in the Indian Writing Instrument Industry." The post included details such as the file name (luxor.in.sql) and size (692 MB uncompressed), offering a glimpse into the scale of the data compromised. The leaked data appears to consist of billing information or transaction records, organized into distinct entries featuring various fields. These fields likely include identifiers, timestamps, numerical values, and textual data, indicating a comprehensive system for managing billing-related activities. The Cyber Express has reached out to the organization to learn more about the authenticity of this Luxor data leak. However, at the time of writing this, no official statement or response has been received, leaving the claims for the Luxor data breach unverified. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Luxor data breach or any official confirmation from the organization.

TransparentTribe: The Elusive Threat Targeting India’s Defense Sector

TransparentTribe is an Advanced Persistent Threat (APT) group with a large appetite for targeting Indian government organizations, military personnel, and defense contractors. The threat actor recently came into the spotlight and was seen leveraging the notorious Crimson RAT (Remote Access Trojan), among other sophisticated tools and tactics. The threat actor’s modus operandi is as complex as its name, starting with gathering sensitive information, conducting cyber espionage, and compromising the security of its targets. They are adept at exploiting various platforms, from Windows to Android, often masquerading as legitimate government entities or organizations through fake websites and documents. These deceptive maneuvers aim to trick unsuspecting users into sharing credentials or unwittingly downloading malware onto their systems.

Decoding the New Threat Actor: TransparentTribe

According to the Cyble Vision Threat Library, TransparentTribe, also known as APT 36 or Project Mythic Leopard, has been active, with its last sighting dated April 1, 2023. Their activities extend beyond traditional cyber espionage, with recent investigations uncovering connections to watering hole sites focused on Indian military personnel. Moreover, TransparentTribe's reach spans across borders, with primary targets including India and Afghanistan, along with various other nations such as Australia, Japan, and the USA, among others. Their relentless pursuit of sensitive information knows no bounds, targeting sectors ranging from defense to education and governmental organizations. Operating out of Pakistan, TransparentTribe poses a significant threat to national security, employing aliases like Green Havildar and APT-C-56. Suspected ties with other APT groups like SideCopy and SideWinder further underscore the complexity of the threat landscape.

The Mechanics of TransparentTribe Hacker Group

The lifecycle of TransparentTribe's attacks involves multiple infection vectors, including phishing emails, malvertising, and social engineering. Their persistence is evident in the continuous monitoring of developments within targeted sectors, exploiting them as lures for their campaigns. Windows, Linux, and Android systems alike fall prey to TransparentTribe's tactics, with tailored approaches for each platform. Exploiting vulnerabilities like CVE-2012-0158 and CVE-2010-3333, they deliver their payloads, including a diverse range of RATs like Crimson RAT, DarkComet, and QuasarRAT, each with its specific capabilities and functionalities. Their network activities are intricate, utilizing well-crafted phishing URLs and registering domains on servers associated with Hostinger ASN. Moreover, the overlap in command and control (C&C) infrastructure and the use of platforms like Google Drive for hosting malware further complicate detection and mitigation efforts.

Akira Ransomware Group Amasses $42 Million from Over 250 Global Attacks, FBI Warns

The Akira ransomware group has been identified as the culprit behind a series of cyberattacks targeting businesses and critical infrastructure entities across North America, Europe, and Australia. According to the latest advisory by the U.S. Federal Bureau of Investigation (FBI), since March 2023, the Akira ransomware group has successfully breached over 250 organizations, amassing a staggering $42 million in ransomware payments. Initially focusing on Windows systems, Akira's tactics have recently expanded to include Linux variants, intensifying concerns among global cybersecurity agencies. The FBI, in collaboration with key players such as the Cybersecurity and Infrastructure Security Agency (CISA), Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), has issued a joint advisory on Akira ransomware to raise awareness and disseminate crucial threat information.

The Hidden Modus Operandi of the Akira Ransomware Group

The FBI revealed the modus operandi of the Akira ransomware group, which involves a multi-faceted approach to infiltrate and compromise targeted organizations. Leveraging vulnerabilities in Cisco systems, particularly CVE-2020-3259 and CVE-2023-20269, Akira actors exploit weaknesses in virtual private networks (VPNs) lacking multifactor authentication (MFA), alongside other entry points such as Remote Desktop Protocol (RDP) and spear phishing. Once inside the network, Akira operatives establish persistence by creating new domain accounts and employing post-exploitation techniques like credential scraping with tools like Mimikatz and LaZagne. This enables them to escalate privileges and navigate the network undetected, utilizing reconnaissance tools like SoftPerfect and Advanced IP Scanner to map out the infrastructure. Moreover, the threat actor has evolved over the years and has been using multiple ransomware variants “against different system architectures within the same compromise event.” This strategy differs from what was previously reported about Akira affiliate partners and their hacking processes. “Akira threat actors were first observed deploying the Windows-specific ‘Megazord’ ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, ‘Akira_v2’),” says the FBI.

Defense Evasion, Encryption and Mitigation

Apart from upgrades in its offensive side, the Akira ransomware group has next-gen stealth to evade detection. The group, according to the FBI, has been deploying a variety of tactics, including disabling security software and deploying multiple ransomware variants simultaneously. The ransomware encryption process is sophisticated, employing a hybrid encryption scheme combining ChaCha20 stream cipher with RSA public-key cryptosystem, tailored to file types and sizes. Encrypted files are marked with either a .akira or .powerranges extension, with the ransom note strategically placed in directories. In response to the threat posed by Akira ransomware, cybersecurity authorities like CISA advocate for proactive measures to mitigate risks and enhance organizational resilience. Recommendations include implementing multifactor authentication, maintaining up-to-date software patches, segmenting networks, and employing robust endpoint detection and response (EDR) tools. Furthermore, organizations are advised to conduct regular audits of user accounts, disable unused ports, and enforce the principle of least privilege to limit unauthorized access. Backup strategies should include offline, encrypted backups covering the entire data infrastructure, ensuring rapid recovery in the event of a ransomware attack.

HelloKitty Ransomware Takes on New Identity as HelloGookie: A Closer Look at Cyber Adaptability

The notorious HelloKitty ransomware has rebranded itself as HelloGookie ransomware. This transformation is accompanied by strategic maneuvers and community engagement that shed light on the adaptability and agility of this ransomware operator. This rebranding comes with more than just a change in name; it signifies a shift in tactics and possibly a response to the competitive environment within the cybercriminal community. HelloGookie's emergence was accompanied by the release of decryption keys and the establishment of a new blog, signaling a proactive approach to engaging with potential victims.

HelloKitty Ransomware Rebranded to HelloGookie Ransomware

Behind the scenes, the creator behind HelloGookie, known simply as Gookee/Gookie, has made strategic overtures to the LockBit ransomware group. This gesture, while seemingly diplomatic, hints at a desire to avoid direct competition and potentially collaborate for mutual benefit. Such an alliance highlights the collaborative nature of ransomware groups, where operators navigate a fine line between cooperation and rivalry. Moreover, Gookie's successful reclamation of their account on the Exploit forum further represents the shift in technology and authority in the ransomware group where the group has claimed credibility over the years. The forum serves as a hub for cybercriminal activity, facilitating discussions, collaboration, and the exchange of tools and techniques. Gookie's return to the forum also represents a resurgence in their activities and potentially newly added victims.

Forum Conversations Reveal HelloGookie’s Plan

Forum conversations provide insights into HelloGookie's tactics and capabilities. Updates targeting both Linux and Windows systems suggest a commitment to expanding its reach across diverse platforms. Additionally, calls for collaboration and the recruitment of individuals with access to high-value targets indicate a strategic shift towards more sophisticated and lucrative operations. The HelloGookie website further highlights the ransomware's impact, listing new victims and showcasing the breadth of its reach. From prominent organizations like CD PROJEKT to industry giants like CISCO, the ransomware group has started expanding its reach to various sectors. The passwords for leaked encrypted source code archives, including Witcher 3 and Thronebreaker, previously priced at $10k each, are also available on the new data leak site. The divulgence of private keys adds another layer of complexity, wherein the threat actor is openly sharing private keys on its blog, commencing new levels of threat for the affected parties. The original HelloKitty ransomware group was identified in 2020, specializing in infiltrating networks, encrypting data, and demanding ransoms. It targets organizations with sensitive data, posing a serious threat to businesses. Now, the threat is bigger and more capable, going beyond mere encryption and extortion.

BreachForums Down, But Not Out: Hackers Claim Attack, Admins Remain Unfazed

16 April 2024 at 09:14

The clearnet domain of the notorious BreachForums data leak and hacking forum has been taken down by rival threat actors. The threat actor group, R00TK1T, along with the pro-Russian gang Cyber Army of Russia, announced a breach of user data following the BreachForums take down. R00TK1T was previously responsible for an attack campaign targeting the Malaysian government and various private entities, including one of Malaysia’s leading telecommunications operators. The hackers responsible for the attack on BreachForums also claimed that they would leak a list of the forum's users, IP addresses and emails. Despite the attack, the TOR version of the site remains operational.

Groups Claim More Surprises for Hacker Community and Active Users

R00TK1TOFF claimed on Telegram that the site 'has currently crashed due to the extent of our attack, which was executed with extreme precision and efficiency.' The DDoS campaign against the site had been conducted as a joint operation of both groups. However, the BreachForums TOR address remains active and is known to implement DDoS protection. Cybersecurity firm Hackmanac claimed in a note on X (Twitter) that:
R00TK1T is known for making grand claims about significant data breaches, which more often than not turn out to be merely a collection of publicly available data. Given the group's reputation, the threat to publish the IP and email addresses is likely to be a mere republishing of user details that were leaked last year by more credible threat actors.

Baphomet Issues Statement Regarding BreachForums Take Down

Baphomet, the administrator of BreachForums, made a statement about the incident on Telegram: 'The domain is currently suspended. We're working on it. We apologize for any inconvenience.' He further advised its users to access the forums via the TOR site until the issue was sorted. In a later post via Telegram, Baphomet joked that the action must have been the work of the Five Eyes network along with various other large nations 'working together to silence our forums.' He then downplayed the takedown of the .cx domain, recommending users to switch to a temporary new domain (breachforums.st). He stated that the .st domain would temporarily function as their main site while the admins work on 'protection over the next week that'll make these one-time suspensions less effective', while emphasizing the availability of the TOR domain at all times. He then claimed that nothing had been 'seized, hacked, or even reasonably attacked,' noting that while their site might experience DDoS attacks and downtime, they would always come back. He advised users to be patient while thanking the community for being patient with such incidents. R00TK1T later responded in its own channel that Baphomet was denying the attacks and that together with the Cyber Army of Russia would 'unleash a torrent of chaos that will leave you (Baphomet) reeling.' BreachForums has faced a series of troubles in recent times, including the arrest of its former owner Conor Brian Fitzpatrick (pompompurin), followed by an official seizure of the site by the Federal Bureau of Investigation (FBI) in cooperation with several U.S. agencies. The FBI stated in an affidavit that during the time of seizure, it had access to the BreachForums database.
A forum administrator operating under the screen name "Baphomet" took ownership of the website and its operations after the arrest of Fitzpatrick. The site was temporarily shut down after Baphomet's suspicion of the forum still being compromised. However, Baphomet later reopened the forum to the public with the aid of black-hat hacking group ShinyHunters. ShinyHunters was previously responsible for several large-scale data breach attacks, obtaining about 200 million records of stolen data from various companies.

IntelBroker Claims Channel Logistics LLC Data Breach: Space-Eyes Division Allegedly Impacted

IntelBroker has claimed responsibility for a data breach at Channel Logistics LLC, which operates under the brand Space-Eyes. The breach was announced on the BreachForums platform; however, the black-hat hacking crime forum is facing its own set of issues from other hacking groups and is currently down. According to IntelBroker's claims, the leaked database, accompanied by Java source code, was purportedly stolen from Channel Logistics LLC. The incident is said to have taken place in April 2024. The leaked data comprises three files, namely "CASUALTY_202404150045.csv," "DENIED_PERSON.csv," and "PTUSER.csv." Notably, the "DENIED_PERSON.csv" file contains personally identifiable information (PII) of users, including names, addresses, contact details, and more.

IntelBroker Alleges Channel Logistics LLC Data Breach

[Image: Channel Logistics LLC Data Breach. Source: Dark Web]

Among the sample files shared by the hacker, one particular concern is the discovery of email addresses linked to various US government entities within the leaked data. However, due to limited information, it has been challenging to ascertain the precise extent of the breach and its implications for these organizations. Space-Eyes, a division of Channel Logistics LLC, specializes in technology services, with a focus on national security. The leaked documents reportedly include highly confidential information related to services provided to prominent US government agencies such as the Department of Justice, Department of Homeland Security, and the US military branches. The Cyber Express has reached out to Channel Logistics LLC to learn more about this alleged Space-Eyes data leak. However, at the time of writing this, no official confirmation or denial has been shared, leaving the claims for this Channel Logistics LLC data leak unconfirmed.

Cyberattack on BreachForums' Clearnet Site

Upon further investigation, The Cyber Express found that the organization's website appears to be operational, showing no immediate signs of the reported breach. Moreover, BreachForums, the platform where IntelBroker disclosed the alleged breach, has faced its own set of challenges. The clearnet site of BreachForums is currently inaccessible, with the administrator, Baphomet, issuing a statement acknowledging the suspension of the domain. Users have been advised to access the platform via TOR until the issue is resolved, leaving clearnet users without access to the sample data provided by the hacker. Additionally, BreachForums may have been targeted by a distributed denial-of-service (DDoS) attack. R00TK1T, in conjunction with the CyberArmyofRussia, has claimed responsibility for the attack and threatened to publish the IP and email addresses of users. Despite this, the TOR address of BreachForums remains functional and is accessible to Tor users. As for the Channel Logistics LLC data breach, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the alleged Channel Logistics LLC data leak.

Nexperia Confirms Data Breach, Launches Investigation with Cybersecurity Experts

Chinese-owned semiconductor giant Nexperia has fallen victim to a cyberattack, revealing a breach of sensitive documents and intellectual property. The cyberattack on Nexperia, which occurred in March 2024, has raised concerns about data security and the growing threat of ransomware in the tech industry.

Nexperia, headquartered in the Netherlands, confirmed the cyberattack in a statement, acknowledging that an "unauthorized third party accessed certain Nexperia IT servers."

Cyberattack on Nexperia: Investigation Underway

The company has taken swift action, disconnecting affected systems from the internet and launching an investigation with external cybersecurity experts to assess the nature and scope of the attack. "We promptly took action and disconnected the affected systems from the internet to contain the incident and implemented extensive mitigation. We also launched an investigation with the support of third-party experts to determine the nature and scope of the incident and took strong measures to terminate the unauthorized access," the company said in the official notice. Working closely with authorities in the Netherlands, including law enforcement and regulatory bodies, Nexperia is determined to contain the fallout and mitigate the impact of the breach. However, details about the extent of the data breach at Nexperia remain unclear, as the investigation is ongoing and sensitive information is at stake. "Together with our external cybersecurity expert FoxIT, Nexperia continues to investigate the full extent and impact of the matter and we are closely monitoring the developments. In the interest of the ongoing investigation, we cannot disclose further details at this point," reads the official notice.

Nexperia Cyberattack: Attribution to Dunghill Group

The cyberattack on Nexperia has been attributed to the Dunghill group, a notorious ransomware gang known for targeting high-profile organizations. With a track record dating back to early 2023, Dunghill has gained notoriety for its sophisticated tactics and brazen demands. The group claims to have stolen 1TB of data from Nexperia, including trade secrets, chip designs, employee personal data, and customer information from major brands like SpaceX, Apple, and Huawei.

[Image: Cyberattack on Nexperia. Source: X]

Dunghill has further threatened to release the stolen data unless its ransom demands are met. To highlight their seriousness, the group has already provided a small sample of the breached data, including internal emails and personal documents belonging to a former senior vice president of Nexperia. Dutch broadcaster RTL has verified the authenticity of these documents, adding to the gravity of the situation. The cyberattack on Nexperia may have far-reaching implications, given the company's global reach and critical role in the semiconductor industry. With over 15,000 employees spread across Europe, Asia, and the United States, Nexperia is a key player in enabling electronic designs for various applications, from automotive and industrial to mobile and consumer electronics. As the investigation into the cyberattack on Nexperia continues, concerns mount over the potential fallout for Nexperia and its customers. The data breach not only jeopardizes the company's proprietary technology but also raises serious questions about data privacy and cybersecurity in an increasingly interconnected world. Industry experts and cybersecurity analysts are closely monitoring developments, emphasizing the urgent need for enhanced security measures and proactive risk management strategies.

The Cyber Express Team has reached out to Nexperia for further details on the incident, highlighting the importance of transparency and accountability in addressing cyberattacks of this magnitude. As the investigation unfolds, stakeholders await answers and reassurances that steps are being taken to prevent future breaches and protect against emerging threats in the digital landscape.