MediSecure Data Breach Confirms Impact on Personal and Health Information of Individuals
Government Response to MediSecure Data Breach
Authorities, including the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP), are actively investigating the MediSecure data breach. However, details remain scarce as investigators navigate the complexities of the incident. The absence of a known threat actor claiming responsibility further complicates the situation, heightening concerns about the sophistication of cyber threats targeting the healthcare sector. Cyber Security Minister Clare O’Neil said the government was committed to addressing the breach, convening a National Coordination Mechanism to coordinate efforts and mitigate the breach's impact effectively. “I have been briefed on this incident in recent days, and the government convened a National Coordination Mechanism regarding this matter today,” Minister O’Neil said in a LinkedIn post. “Speculation at this stage risks undermining significant work underway to support the company's response,” O'Neil added. The Shadow Home Affairs and Cyber Security Minister James Paterson told Sky News in an interview that the latest breach was a reminder of the currently “dangerous” cyber threat landscape, especially for the health sector. Paterson said healthcare is a lucrative sector both for cybercriminals and nation-state actors.
“Criminal actors like to use it for ransomware because the health sector is often vulnerable to those targets, and sometimes they do pay. And nation state backed actors use it as an opportunity to gather intelligence and information about us,” Paterson explained. Australia has been hit in the past few years by some of its largest data breaches, at Medibank and Optus, which impacted millions of Australians. The scope of the current breach is reportedly unlike the earlier ones, but it is still some of the most personally and privately significant information that exists about a person, Paterson said. “This is very distressing for Australians when it is released publicly. And it is important that the federal government get on top of this straight away and do whatever they can to stop the proliferation of this information online,” he added. MediSecure has taken proactive measures, including taking its website offline, as it works to contain the breach's fallout. In a statement, the company acknowledged the incident: “We have taken immediate steps to mitigate any potential impact on our systems. While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.” The Cyber Express has reached out to MediSecure to learn more about this data breach. However, at the time of writing, no official statement or response has been shared. The organization did post a statement on its website: “MediSecure understands the importance of transparency and will provide further updates via our website as soon as more information becomes available. We appreciate your patience and understanding during this time.”
Cyberattacks on the Healthcare Sector
This cyberattack on MediSecure echoes previous breaches in Australia's healthcare sector, including the 2022 data breach at Medibank, which compromised the personal data of millions of Australians. In 2023, healthcare organizations globally faced an unprecedented wave of cyberattacks, affecting over 116 million individuals in the US alone, more than double the previous year's count. Notable incidents include data breaches at Delta Dental of California, Fred Hutch Cancer Center, Norton Healthcare, and HCA Healthcare, among others. German hospitals also fell victim to ransomware attacks, disrupting medical services. The European Union Agency for Cybersecurity reported that the majority of attacks targeted healthcare providers, with financial motives driving 83% of incidents. India witnessed a surge in cybercrime, with significant financial losses and high-profile attacks during the G20 summit. The recurrence of such incidents highlights the persistent cybersecurity vulnerabilities plaguing the healthcare industry, necessitating comprehensive strategies to fortify defenses against evolving cyber threats.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Nissan Cybersecurity Incident Update: 53,000 Employees Affected
Nissan Data Breach Update: 53,000 Employees Affected
Upon discovering the Nissan data breach, the Japanese automaker notified law enforcement and engaged cybersecurity experts to contain and neutralize the threat. The company also conducted an internal investigation, informing employees during a town hall meeting held in December 2023, a month after the Nissan cyberattack. To mitigate potential harm, Nissan is offering complimentary identity theft protection services for two years to those impacted by the breach. These proactive measures highlight the company's commitment to safeguarding employee privacy. The official communication emphasized Nissan's dedication to reinforcing its security infrastructure and practices. Following the incident, the company has implemented additional security measures and enlisted cybersecurity specialists to conduct a thorough review, ensuring enhanced protection against future threats. Despite the breach, Nissan has not detected any instances of fraud or identity theft resulting from the incident. Nonetheless, as a precautionary measure, affected individuals are urged to take advantage of the complimentary credit monitoring services provided by Experian IdentityWorks.
No Identity Fraud Detected
“This is in addition to the employee benefit you may have elected with Nissan. These complimentary credit services are being provided to you for 24 months from the date of enrollment. Finally, Nissan is providing you with proactive fraud assistance to help with any questions you might have or if you become a victim of fraud. These services are provided by Experian, a company specializing in fraud assistance and remediation services,” said Nissan. To activate the identity protection service, recipients are instructed to enroll by a specified deadline using the provided activation code. Additionally, individuals are encouraged to remain vigilant against potential fraud by monitoring their credit reports and promptly reporting any suspicious activity. Recipients are assured of assistance for 90 days from the letter's date in enrolling for the complimentary credit monitoring services. They are encouraged to contact the dedicated helpline at 833-931-6266, with the engagement number B120412 ready for reference. Nissan highlights its commitment to employee welfare and the seriousness with which it regards the protection of personal information, expressing regret for any inconvenience caused by the incident. The letter concludes with signatures from Leon Martinez, Vice President of Human Resources, and William Orange, Vice President of IS/IT and Chief Information Officer.
Banco Santander Confirms Data Breach, Assures Customers’ Transactions Remain Secure
Customer and Employee Data Compromised in Santander Data Breach
The bank reported that upon becoming aware of the data breach, it immediately implemented measures to contain the incident, such as blocking access to its database from the compromised source and establishing additional fraud prevention mechanisms to protect impacted customers and affected parties. After conducting an investigation, the bank determined that the leaked information stemmed from a third-party database and consisted of details of customers from Santander Chile, Spain and Uruguay, along with some data on current and former Santander employees. Customer data from Santander markets and businesses operating in other regions was not affected by the third-party database breach.
Image source: santander.com
The bank apologized for the incident and acknowledged concerns arising from the data breach, taking action to directly notify the affected customers and employees. The security team also informed regulators and law enforcement of the incident details, stating that the bank would continue to work with them during the investigation. Santander assured its customers that no transactional data, nor transaction-facilitating credentials such as banking details and passwords, were contained in the database. The statement reported that neither the bank's operations nor its systems were affected, and that customers could continue to transact securely. Along with the official statement in response to the data breach, the bank provided additional advice on its site on dealing with the breach:
- Santander will never ask you for codes, OTPs or passwords.
- Always verify information you receive and contact us through official bank channels.
- If you receive any suspicious message, email or SMS report it to your bank directly or by contacting reportphishing@gruposantander.com.
- Never access your online banking via links from suspicious emails or unsolicited emails.
- Never ignore security notifications or alerts from Santander related to your accounts.
Financial and Banking Sector Hit By Data Breaches
Increased cyber threats and third-party database exposures such as the Santander data breach pose serious concerns for stability within the financial and banking sector. The International Monetary Fund noted in a blog post last month that these incidents could erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions. In March, the European Central Bank instructed banks within the European region to implement stronger measures in anticipation of cyber attacks. Earlier, the body had stated that it would conduct a resilience test on at least 109 of its directly supervised banks in 2024. The initiatives come as part of broader concern about the security of European banks. Last year, data from Deutsche Bank AG, Commerzbank AG and ING Groep NV were compromised after the CL0P ransomware group exploited a security vulnerability in the MOVEit file transfer tool. The European Central Bank's site states that its banking supervisors rely on the stress tests to gather information on and assess how well the banks would be able to cope with, respond to and recover from a cyberattack, rather than just their ability to prevent attacks. The response and recovery assessments are described as including the activation of emergency procedures and contingency plans as well as the restoration of usual operations. The site states that these test results would then be used to aid supervisors in identifying weaknesses to be discussed in dialogue with the banks.
Cybersecurity Alert: Frotcom International Faces Alleged Data Breach
Alleged Frotcom Data Breach Surfaces on Dark Web
DuckyMummy's post on the forum detailed the claimed extent of the Frotcom data breach, indicating access to internal systems across more than 40 countries and over 5,000 companies. The compromised data allegedly encompassed a wealth of information crucial to Frotcom's operations, from GPS tracking data to customer billing information.
Image source: Dark Web
As proof of their claims, the threat actor shared sample records showing live GPS vehicle information sorted by country and offered the compromised database for sale at a staggering price of USD 5,000. “These days I have breached the company security, and I have dumped all information and got access to all internal systems of the company, more than 40 countries, more than 5,000 COMPANIES !”, stated the hacker. The Cyber Express has reached out to Frotcom for official confirmation and further details regarding the breach. However, as of the time of writing, no official statement or response has been received, leaving the claims surrounding the Frotcom data leak unverified.
Cyberattacks on Freight Companies
The Frotcom data leak is not an isolated event and is a reminder of the growing threats faced by the transportation sector in an increasingly digitized world. With transportation systems becoming more reliant on interconnected digital technologies, they have become lucrative targets for cyber threat actors seeking to disrupt operations, extort victims over sensitive data, or inflict financial harm. The ramifications of cyberattacks on transportation infrastructure are profound, ranging from supply chain disruptions to the compromise of sensitive passenger data. Recent incidents such as the ransomware attack on Japan's Port of Nagoya, which halted operations for two days, highlight the real-world impact of such breaches on global trade and commerce. Moreover, the changing nature of cyber threats poses a significant challenge to the transportation sector. Attack vectors are becoming increasingly diversified, with intrusions often originating from third-party supply chain partners or software vendors. Additionally, the rise of politically motivated threat actors further complicates the domain, as evidenced by the DDoS attacks on US airports claimed by Russian-speaking hackers. Looking back at historical events, cyber incidents targeting transportation infrastructure have resulted in widespread disruption and societal harm. From DDoS attacks on Czech railways and airports to ransomware incidents affecting Italian State Railways, these incidents highlight the vulnerability of transportation systems to malicious cyber activity.
Hackers Exploit Unpatched Bug in Helsinki Education Division Data Breach
“Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” Heikkinen said. “This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel,” said City Manager Jukka-Pekka Ujula. “We regret this situation deeply.”
Helsinki Education Division Data Breach Linked to Remote Access Bug
The preliminary investigation found that the Helsinki Education Division data breach was possible due to a vulnerability in a remote access server. “The server had a vulnerability which the culprit was able to exploit to connect to the Education Division network.” The city authorities did not reveal the name of the remote access server but said a hotfix patch was available at the time of exploitation; why it was not installed on the server is currently unknown.
“Our security update and device maintenance controls and procedures have been insufficient,” said Heikkinen. The breach targeted an extensive group, with most of the network drive data (comprising tens of millions of files) containing non-identifying information or ordinary personal data, minimizing potential abuse, according to the city authorities. However, some files include confidential or sensitive personal data such as fees for early childhood education customers, children's status information (such as information requests by student welfare or information about the need for special support), medical certificates regarding the suspension of studies for upper secondary students, and sick leave records of Education Division personnel. The data breach also includes historical customer and personnel data. This means that even if an individual is not currently a customer or a member of staff at the Education Division, the hacker may still have accessed their data.
“Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians,” Ujula said. Satu Järvenkallas, executive director of the Education Division, said the authorities are currently unable to provide an accurate assessment of what data the hacker may have accessed as “the volume of data under investigation is significant.”
VPN Gateways, Network Edge Devices Need ‘Special Attention’
City officials immediately notified the Data Protection Ombudsman, the Finnish Police, and Traficom’s National Cyber Security Centre after the discovery of the data breach at Helsinki’s Education Division. Traficom’s cybersecurity center acknowledged the notification and said it was supporting the City of Helsinki in investigating the case. “The data breach that targeted the City of Helsinki is exceptionally large for its size in the municipal sector. The case affects many Finns and causes great concern,” it said on platform X (formerly known as Twitter). Critical vulnerabilities in network edge devices like this one pose a risk to organizations' cybersecurity, said Traficom’s NCSC. By exploiting vulnerabilities in VPN products intended for establishing secure remote connections, parties outside the organization can gain access to internal networks, “especially if other measures to limit the attack are not in use,” it added. “Severe and easy-to-exploit vulnerabilities have been detected in the network edge devices of many major device manufacturers, such as VPN gateways, in the past six months,” said Samuli Bergström, the director of the cybersecurity center. “That is why it is important that special attention is paid to resources and expertise in organizations.” A very recent example of such VPN appliance abuse is the zero-day exploitation of Ivanti VPN products, Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. Chinese state-backed hackers chained two zero-day vulnerabilities in these products, an authentication bypass (CVE-2023-46805) and a command injection bug (CVE-2024-21887), to compromise several organizations including MITRE. “Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city’s senior management,” Ujula said.
“After the breach, we have taken measures to ensure that a similar breach is no longer possible,” Heikkinen added.
“We have not discovered evidence that the perpetrator would have accessed the networks or data of other divisions. However, we are monitoring all City of Helsinki networks closely.” Information for affected individuals is available via Traficom’s Cybersecurity Centre website, the data breach customer service, crisis emergency services and MIELI Mental Health Finland.
Cyberattack Paralyzes 4 Quebec CEGEPs: Classes and Exams Cancelled
Decoding the Cégep de Lanaudière Cyberattack
In a Sunday communication to students and staff, college management emphasized the need for external cybersecurity expertise to investigate the attack's origins and, if feasible, close the breach. "The investigation is ongoing. Data compromise is not a current concern," said Marilyn Sansregret, spokesperson for Cégep régional de Lanaudière, as reported by CBC. However, hopes for a swift resolution were dashed when students were informed on Tuesday evening that the suspension of classes would extend until at least Friday. Sansregret affirmed that the IT department is working tirelessly to reinforce the college's digital defenses, but it is too early to anticipate a return to normalcy. The Cyber Express has sought a response from Cégep de Lanaudière regarding the cyberattack. However, at the time of writing, no official statement or response has been shared, leaving the identity of the threat actor unknown.
Cyberattacks on Education Institutions and Universities
Meanwhile, Academica Group weighed in on the crisis, highlighting the profound impact of the cyberattack. Cégep de Lanaudière temporarily closed its campuses in Joliette, L’Assomption, Terrebonne, and Repentigny as it grappled with the aftermath of the intrusion. While the full extent of the Cégep de Lanaudière cyberattack is unknown, a music school on the Joliette campus reported disruptions to essential building services like lighting, heating, ventilation, and fire alarms. In a broader context, the surge in cyber assaults against educational institutions highlights the acute vulnerability of academic infrastructure to digital threats. Verizon's 2024 Data Breach Investigations Report reveals a staggering increase in attacks targeting the educational services sector. With ransomware emerging as a preeminent external threat and internal vulnerabilities undermining the security measures of education institutions, the need for preemptive cybersecurity measures cannot be overstated. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Cégep de Lanaudière cyberattack or any further information from the organization.
Boeing Confirms $200M Cyber Extortion Attempt of LockBit
Boeing Cyber Extortion Saga
LockBit first listed Boeing as its victim on October 27 and set a ransom payment deadline of November 2. At that time, Boeing chose not to provide any comments or statements regarding the incident, leaving the LockBit claims unverified. Three days later, LockBit removed Boeing’s name from the victims’ list, fueling further speculation that it was a hoax or that the company had paid the ransom. Following this incident, Boeing eventually confirmed falling victim to LockBit’s cyberattack. But as ransom negotiations reportedly failed, LockBit re-listed Boeing on its leak site and threatened to publish 4 gigabytes of sample data as proof of the Boeing data breach. The post also warned that “All available data will be published!” in the coming days. Following through on the threat, LockBit published more than 40GB of data on November 10, as the company evidently did not agree to pay the ransom demand. Boeing is yet to address the stolen data publicly.
Ransom Demands Getting Exorbitant
The indictment's reference to the unnamed company highlights the exorbitant ransom demands made by Khoroshev and his cohorts, totaling over $500 million in ransoms extorted from victims since late 2019. Of this, he got nearly $100 million from a 20% share of the ransom payments, which was further “used to continue funding the LockBit operation and its infrastructure.” Ransomware analysts are now calling the Boeing cyber extortion one of the largest ransom demands from a ransomware gang to date. Researchers suspect LockBit likely made an inflated demand, without realistic expectations of receiving the full amount, merely to test the waters. Between September 2019 and February 2024, Khoroshev grew LockBit into a massive global criminal operation in which, along with his affiliates, he attacked approximately 2,500 victims, including nearly 1,800 in the U.S. alone, the indictment said. Apart from Boeing, LockBit’s victim list also contains law enforcement agencies, security firms, municipalities, schools, financial institutions and even multinational fast-food chains.
Who is LockBit Ransomware Gang?
The LockBit ransomware gang emerged in 2019, primarily targeting thousands of global companies, with a focus on those headquartered in the United States. Linked to Russian entities, LockBit has amassed tens of millions of dollars in ransom payments since its inception. According to the Cybersecurity and Infrastructure Security Agency (CISA), LockBit has executed over 1,700 attacks in the United States, often by compromising and threatening to release sensitive data for financial gain. The recent Boeing data breach highlights the persistent threat that cyberattacks pose to major corporations. LockBit's aggressive tactics and specific targeting of Boeing, a key player in aerospace and defense, underscore the urgent need for robust cybersecurity measures. The ransomware group's imposed deadline heightens the urgency, demonstrating the severe consequences of data breaches and the critical importance of safeguarding sensitive information.
Ascension Healthcare Hit by Cyberattack: Patients Wait Hours, Chaos Ensues
Patients Say Chaos on Display at Ascension Healthcare
Talking about the disruptions at the healthcare facility, Ascension said, “Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible.” But the ground reality seems to be different, as per a patient account. Talking to local news media Fox 2, a patient named Zackery Lopez said “chaos” was on display this Wednesday at Ascension Providence Southfield hospital, where he had to wait nearly seven hours to get pain medication for his cancer recurrence. “Right now it is crazy. Nurses are running around. Doctors are running around. There’s no computers whatsoever they can use," Lopez said. "So, they’re actually using charts.” Lisa Watson, a nurse at Ascension Via Christi St. Joseph in Wichita, Kansas, told another local news outlet that the hospital shut down its operating rooms on Wednesday following the cybersecurity issue. She also said that the system the hospital uses to scan patients' medications was down, along with their electronic charts.
“We are paper-charting all medications, and all lab orders are being hand-written and sent by pneumatic tube systems to the unit they’re supposed to go to,” said Watson.
“No one knew where the forms were. Thank god we have a separate sign out with our pts (patients) meds. Nurses were writing them down from memory. This is a new reality we need to be better prepared,” Sirianni wrote on platform X.
“We have endless incessant modules about stupid policies to save hospitals money but never about downtime protocol,” she added. Lopez is also concerned that his personal information was possibly at risk but said he has not received a convincing answer from the hospital yet. "They really didn’t tell me if it was protected or not," he said. "They really kind of just brushed it off when I asked them. They say they’re trying to get everything back on, back on track."
Update on May 10, 1 AM ET
The company in a Thursday update said that it did not have a definite timeline to restore systems that were pulled offline as a result of the cybersecurity incident.
“Systems that are currently unavailable include our electronic health records system, MyChart (which enables patients to view their medical records and communicate with their providers), some phone systems, and various systems utilized to order certain tests, procedures and medications.” It added that patient care was being provided with established downtime protocols and procedures, in which Ascension's workforce is well trained. “It is expected that we will be utilizing downtime procedures for some time. Patients should bring to their appointment notes on their symptoms and a list of current medications and prescription numbers or the prescription bottles so their care team can call in medication needs to pharmacies,” the update said. As a precautionary measure, some non-emergent elective procedures, tests and appointments have been temporarily paused, and patients' appointments or procedures will need to be rescheduled.
“Due to downtime procedures, several hospitals are currently on diversion for emergency medical services in order to ensure emergency cases are triaged immediately.”
Healthcare Breaches on the Rise
This incident adds to a growing list of healthcare breaches and ransomware attacks, including the Change Healthcare attack that caused widespread disruptions across the U.S. Initially described as an “enterprise-wide connectivity issue,” the attack escalated in severity when the Blackcat (also known as Alphv) ransomware gang claimed responsibility for it. The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information, a tactic commonly employed by ransomware gangs to exert pressure on victims. However, on February 29, Blackcat withdrew its claim on the breached data of the healthcare group, raising questions as to whether a ransom was paid. The company later confirmed that it paid a $22 million ransom, but it now faces multiple lawsuits for alleged negligence in safeguarding clients’ personal information. The parent company UnitedHealth has allocated over $2 billion to fight the fallout of the Change Healthcare data breach. The company last week also stated that a lack of multi-factor authentication (MFA) led to the massive hack. In a related development, the U.S. Department of Health and Human Services (HHS) recently cautioned about threat actors employing social engineering tactics to target IT help desks in the Healthcare and Public Health (HPH) sector. These attackers employ deception to enroll new multi-factor authentication (MFA) devices under their control, thereby gaining access to corporate resources, the HHS warned.
MedStar Health Reports Data Breach Impacting 183,000 Patients
Earlier MedStar Health Data Breach
The digital woes of the healthcare provider are not new. In fact, this is the second time in a decade that MedStar Health is facing a massive data breach scare. In 2016, a virus, likely a ransomware malware infected the computer network of MedStar Health. This prompted a complete shutdown of services for the healthcare giant, which resulted in diversion of new patients to other hospitals and the care givers had to resort to pen and paper to continue regular operations. The impact was such that the FBI was called in to investigate the MedStar Health data breach, which followed similar cyberattacks on at least three other medical institutions in California and Kentucky.Healthcare Breaches on the Rise
This incident adds to a growing list of healthcare breaches and ransomware attacks, including the Change Healthcare that caused widespread disruptions across U.S. Initially described as an “enterprise-wide connectivity issue,” the severity of the attack went a bar above when Blackcat – also known as Alphv – ransomware gang claimed responsibility for it. The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information, a tactic commonly employed by ransomware gangs to exert pressure on victims. However, on February 29, Blackcat withdrew its claim on the breached data of the healthcare group, raising questions if a ransom was paid. The company did confirm that is paid a $22 million ransom later but it now faces multiple lawsuits for alleged negligence in safeguarding clients' personal information. The parent company UnitedHealth has allocated over $2 billion to fight the fallout of the Change Healthcare data breach. The company last week also stated that a lack of multi-factor authentication (MFA) resulted into the massive hack. Blackcat in September 2023 claimed a similar data breach on McLaren Healthcare, where nearly 6 terabytes worth of data was siphoned. Owing to such large scale healthcare data breaches, the U.S. Cybersecurity and Infrastructure Security Agency in March unveiled a cybersecurity toolkit for healthcare sector that would help them implement advanced tools, that fortify their defenses against evolving threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
Data Breach Victim Initiates Class Action Lawsuit Against J.P. Morgan for Security Lapses
J P Morgan Data Breach Compromised Thousands of Users
Image source: Chase
According to documents filed in the U.S. District Court for the Southern District of New York on May 3, Valentine's case is detailed in a Class Action Complaint (Case 1:24-cv-03438-JLR). The lawsuit contends that J.P. Morgan, a significant player in the financial industry offering a wide array of services to millions of customers, failed to adequately safeguard the personal information of its clients' employees, resulting in substantial harm. Valentine's complaint outlines how J.P. Morgan collected and maintained sensitive personally identifiable information (PII) of its clients' employees, including names, addresses, payment details, and Social Security numbers. This information, crucial for financial transactions and security, was compromised in the J P Morgan data breach and fell into the hands of cybercriminals. The lawsuit asserts that as a consequence of the breach, Valentine and approximately 451,000 other affected individuals suffered tangible damages, including invasion of privacy, identity theft, and the loss of trust and value in their personal information. Moreover, the breach exposed them to ongoing risks of fraud and further misuse of their data.
The Legal Action on J P Morgan
The legal action further alleges that J.P. Morgan's failure to implement adequate cybersecurity measures and its reckless handling of sensitive data contributed directly to the breach. Despite claims by J.P. Morgan that the breach was not the result of a cyberattack, the lawsuit argues that the company's negligence made it a target for such malicious activities. Valentine's complaint highlights J.P. Morgan's purported lack of transparency and timely notification regarding the breach, leaving affected individuals uninformed about the root cause and remedial actions taken. This, the lawsuit claims, exacerbates the emotional and financial distress experienced by victims. The Cyber Express has reached out to the organization to learn more about this J P Morgan data leak. However, J.P. Morgan has not provided an official statement regarding the cyber incident. Following the incident, a regulatory filing revealed that the breach stemmed from a software issue, which the company addressed promptly upon discovery. Valentine seeks various forms of relief through the lawsuit, including compensation for damages, injunctive relief, and reimbursement of legal fees. He is represented by the law firm Milberg Coleman Bryson Phillips Grossman LLC, based in Garden City, New York. As the legal proceedings unfold, The Cyber Express will be closely monitoring the situation and we’ll update this post once we have more information on the data breach or any new updates about the lawsuit.
Massive Data Breach Affects Victims of Family Violence and Sexual Assault in Victoria
Monash Health Data Breach
Monash Health, the state's largest health service, confirmed it was caught in the crosshairs of a data breach, which also affected government entities that were clients of the company ZircoDATA. “The majority of these entities are still in the process of working with ZircoDATA to identify impacted data and any victims, and are yet to begin notifying impacted individuals,” newly appointed coordinator Lieutenant-General Michelle McGuinness said in a statement on X. In addition to Monash Health, other government entities that were clients of ZircoDATA have also been affected by the breach, but “the impact for most government entities is likely to be minimal,” the National Cyber Security Coordinator said. The breach has prompted federal authorities, including the Australian Federal Police, to launch investigations and coordinate responses to address the scope of the incident and safeguard affected individuals.
ZircoDATA Breach Also Impacts Melbourne Polytechnic
Meanwhile, Melbourne Polytechnic, a prominent educational institution, announced that enrollment information for 60,000 past and present students, stored by ZircoDATA, had been accessed in the breach. Although the breach primarily involved "low-risk identity attributes," the institution has taken proactive steps to offer affected individuals access to cyber support and identity services. The cybersecurity landscape continues to evolve rapidly, with healthcare emerging as one of the sectors most vulnerable to cyberattacks. A recent report by cybersecurity firm Sophos revealed that healthcare was one of only five sectors to report an increase in cyberattacks over the last year, highlighting the urgent need for heightened vigilance and resilience in safeguarding sensitive data and critical infrastructure. As organizations grapple with the aftermath of data breaches, there is a pressing need to strengthen cybersecurity measures and response protocols to effectively mitigate risks and protect individuals' privacy and security. Collaborative efforts between government agencies, healthcare providers, educational institutions, and cybersecurity experts are essential in addressing the complex challenges posed by cyber threats and ensuring the resilience of our digital infrastructure. In the wake of this cyberattack, authorities have emphasized the importance of transparency, accountability, and support for those affected. By prioritizing the safety and well-being of individuals impacted by data breaches, we can collectively work towards building a more secure and resilient digital ecosystem that safeguards the privacy and security of all stakeholders.
London Drugs Temporarily Closes All Western Canadian Stores After Cyberattack
Retail and pharmacy chain London Drugs has announced the closure of its stores across Western Canada after falling victim to a cybersecurity incident. The company, headquartered in B.C., took the precautionary measure to temporarily close its doors until further notice following the discovery of the cyberattack on London Drugs.
London Drugs informed customers of the situation in a statement released on X, formerly known as Twitter. They stated, "On April 28, 2024, London Drugs discovered that it was a victim of a cybersecurity incident. Upon discovering the incident, London Drugs immediately undertook counter measures to protect its network and data, including retaining leading third-party cybersecurity experts to assist with containment, remediation and to conduct a forensic investigation."
Image source: X
Cyberattack on London Drugs: Immediate Response to Protect Data
The closure of stores is out of an abundance of caution, with the company assuring customers that it is taking all necessary steps to address the cyberattack on London Drugs swiftly and effectively. "Out of an abundance of caution, London Drugs is temporarily closing stores across Western Canada until further notice," reads the notice. London Drugs emphasized that, at this time, there is no reason to believe that customer or employee data has been impacted by the cyber incident. "While we deal with this cybersecurity incident, we want to assure our customers that pharmacists are standing by to support any urgent pharmacy needs," London Drugs stated. "We advise customers to phone their local store’s pharmacy to make arrangements."
Temporary Phone Line Shutdown
However, on April 30, London Drugs provided an update, informing customers that as part of its internal investigation, the company's phone lines have been temporarily taken down. This measure is expected to remain in place until the investigation is complete. "As a necessary part of its internal investigation, London Drugs phone lines have been temporarily taken down and will be restored as soon as the investigation is complete," the notice reads.
Image source: X
Despite the temporary closure of phone lines, London Drugs reassured customers that pharmacy staff are available on-site at all store locations to assist with urgent pharmacy needs. Customers are encouraged to visit their local store in person for immediate support until the phone lines are restored. The cyberattack on London Drugs highlights the increasing threat of attacks facing businesses, including those in the retail and pharmacy sectors. As more transactions move online and data becomes increasingly valuable, organizations are increasingly targeted by malicious actors seeking to exploit vulnerabilities in their systems.
Proactive Response
London Drugs' proactive response to the incident highlights the importance of having strong cybersecurity measures in place and the need for swift action in the event of a breach. By immediately engaging third-party cybersecurity experts and conducting a forensic investigation, the company is taking the necessary steps to contain the incident and mitigate any potential damage. For customers, the closure of London Drugs stores may cause inconvenience, but the company's commitment to ensuring the security of its systems and the safety of customer data is paramount. In the meantime, customers with urgent pharmacy needs can still access support from London Drugs by visiting their local store in person and speaking directly with pharmacy staff. The company apologizes for any inconvenience caused by the closure and appreciates the patience and understanding of its customers during this challenging time. As the investigation into the cybersecurity incident continues, London Drugs will provide further updates to keep customers informed of any developments.
‘Unprecedented Scale’ of Credential Stuffing Attacks Observed: Okta
“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools,” Okta said in a Saturday advisory. The identity and access management provider said the attacks appear to stem from the same infrastructure used in previously reported brute-force and password-spraying attacks targeting VPNs and SSH services identified by Cisco Talos.
Use of TOR in Credential Stuffing Attacks
Okta noted that in all observed attacks the requests originated from the TOR anonymization network and various residential proxies, such as NSOCKS, Luminati and DataImpulse. Residential proxies are networks of proxy servers that use IP addresses belonging to residential users. They are used for anonymous browsing, bypassing geo-restrictions and accessing secure websites. Providers rent access to real users' devices to anonymize traffic sources. They don't usually disclose how they build these networks, sometimes enrolling users knowingly and sometimes via malware, “what we would typically describe as a botnet,” Okta said. The result is traffic that appears to originate from everyday users' devices rather than from VPS providers. The FBI had earlier warned of a rising trend of cybercriminals using residential proxies to conduct large-scale credential stuffing attacks. Okta observed that the attacks were notably effective against organizations using the Okta Classic Engine with ThreatInsight configured in Audit-only mode rather than Log and Enforce mode. Additionally, organizations that did not block access from anonymizing proxies saw a higher success rate in these attacks. The attacks, however, succeeded for only a small percentage of Okta's customers, the IAM provider said. To counter these threats, Okta recommended:
- Enabling ThreatInsight in Log and Enforce mode to proactively block IP addresses associated with credential stuffing attempts before authentication is attempted.
- Denying access from anonymizing proxies to preemptively block requests originating from suspicious anonymizing services.
- Transitioning to enhanced security features such as CAPTCHA challenges for risky sign-ins and password-less authentication.
- Implementing Dynamic Zones to manage access based on criteria like geolocation and to selectively block or allow certain IPs.
Why Credential Stuffing Attacks are Still Effective
Credential stuffing attacks traditionally have a very low success rate, estimated at around 0.1%, according to Cloudflare. Despite this, the technique remains profitable because of the vast number of credentials attackers possess: collections contain millions or billions of credentials, and even a small fraction of successful logins yields profitable data. The prevalence of password or credential reuse, observed in up to 85% of digital users, also facilitates the recurrence and effectiveness of these attacks. Adding to this, advances in bot technology enable attackers to circumvent security measures like time delays and IP bans. Credential stuffing accounted for 24.3% of all login attempts in 2023, as per Okta. Retail and e-commerce companies account for more than half (51.3%) of all credential-stuffing incidents, the findings stated, likely due to the value associated with accounts in that industry, Okta said. Geographically, the Americas region has the highest rate of credential-stuffing attacks at 28%, which aligns with previous findings, as some of the largest retail and media companies are based in the United States.
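As an added example, not code from the Okta advisory or from this article: a small Python detector that applies the two signals discussed above to a constructed batch of sign-in events, the classic per-IP pattern (one source trying many usernames and mostly failing) and the residential-proxy pattern (many low-volume anonymizing-proxy exits that together mostly fail), then maps each finding to the Okta controls listed in the article. The flattened event shape is loosely modeled on Okta System Log fields and is an assumption made for this example, as are the thresholds.

```python
"""Flag credential-stuffing patterns in a batch of sign-in events.

Two views are computed, because residential-proxy traffic defeats a naive
per-IP view: every proxy exit contributes only a few attempts.
  1. per source IP: many distinct usernames and a high failure ratio from one address
  2. batch-wide:    many low-volume anonymizing-proxy sources with a high overall failure ratio
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample events, loosely modeled on Okta System Log fields
# (client.ipAddress, actor.alternateId, outcome.result, securityContext.isProxy).
# The flattened shape is an assumption made for this example, not an Okta schema.
SAMPLE_EVENTS = [
    # Classic single-source burst: one non-residential IP cycling through a combo list.
    {"ip": "203.0.113.10", "user": "alice@example.test", "result": "FAILURE", "is_proxy": False},
    {"ip": "203.0.113.10", "user": "bob@example.test", "result": "FAILURE", "is_proxy": False},
    {"ip": "203.0.113.10", "user": "carol@example.test", "result": "FAILURE", "is_proxy": False},
    {"ip": "203.0.113.10", "user": "dave@example.test", "result": "SUCCESS", "is_proxy": False},
    {"ip": "203.0.113.10", "user": "erin@example.test", "result": "FAILURE", "is_proxy": False},
    # Distributed attempt through residential proxies: a single attempt per exit IP,
    # so no individual address ever crosses a per-IP threshold.
    *[{"ip": f"198.51.100.{i}", "user": f"user{i}@example.test", "result": "FAILURE", "is_proxy": True}
      for i in range(1, 13)],
    # Legitimate user mistyping a password once, then succeeding.
    {"ip": "192.0.2.44", "user": "frank@example.test", "result": "FAILURE", "is_proxy": False},
    {"ip": "192.0.2.44", "user": "frank@example.test", "result": "SUCCESS", "is_proxy": False},
]


@dataclass(frozen=True)
class Thresholds:
    """Illustrative thresholds (assumption); tune against your own baseline."""
    min_attempts_per_ip: int = 5     # ignore tiny samples from one address
    min_users_per_ip: int = 3        # one user retrying is not stuffing
    min_failure_ratio: float = 0.6   # combo-list hits are rare, so failures dominate
    min_proxy_sources: int = 10      # batch-wide: distinct anonymizing-proxy exits
    max_attempts_per_proxy: int = 3  # "low and slow" per exit IP


def per_source_findings(events, th=Thresholds()):
    """Per-IP view: flag addresses that try many usernames and mostly fail."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "proxy": False})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["failures"] += e["result"] == "FAILURE"
        s["users"].add(e["user"])
        s["proxy"] = s["proxy"] or e["is_proxy"]
    findings = []
    for ip, s in sorted(stats.items()):
        ratio = s["failures"] / s["attempts"]
        if (s["attempts"] >= th.min_attempts_per_ip
                and len(s["users"]) >= th.min_users_per_ip
                and ratio >= th.min_failure_ratio):
            findings.append({"ip": ip, "attempts": s["attempts"], "distinct_users": len(s["users"]),
                             "failure_ratio": round(ratio, 2), "proxy": s["proxy"]})
    return findings


def distributed_finding(events, th=Thresholds()):
    """Batch-wide view: many low-volume proxy exits that together mostly fail."""
    proxy_events = [e for e in events if e["is_proxy"]]
    if not proxy_events:
        return None
    per_ip = Counter(e["ip"] for e in proxy_events)
    low_volume = [ip for ip, n in per_ip.items() if n <= th.max_attempts_per_proxy]
    failures = sum(e["result"] == "FAILURE" for e in proxy_events)
    ratio = failures / len(proxy_events)
    if len(low_volume) >= th.min_proxy_sources and ratio >= th.min_failure_ratio:
        return {"proxy_sources": len(per_ip), "low_volume_sources": len(low_volume),
                "distinct_users": len({e["user"] for e in proxy_events}),
                "failure_ratio": round(ratio, 2)}
    return None


def recommended_controls(per_source, distributed):
    """Map findings to the Okta recommendations quoted in the article."""
    controls = set()
    if per_source:
        controls.add("ThreatInsight in Log and Enforce mode (block known stuffing sources)")
    if distributed or any(f["proxy"] for f in per_source):
        controls.add("deny access from anonymizing proxies / Dynamic Zones")
        controls.add("CAPTCHA on risky sign-ins and password-less authentication")
    return sorted(controls)


if __name__ == "__main__":
    per_source = per_source_findings(SAMPLE_EVENTS)
    distributed = distributed_finding(SAMPLE_EVENTS)
    print("per-source:", per_source)
    print("distributed:", distributed)
    print("controls:", recommended_controls(per_source, distributed))
```

On the sample batch only the single non-residential source trips the per-IP rule, while the twelve proxy exits are invisible to it and are caught only by the batch-wide view, which is the gap the residential-proxy tactic exploits.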
Central Bank Argentina Data Breach: Hackers Allegedly Offer Customer Info for Sale
A threat actor purports to be selling the database of the Central Bank of Argentina on a hackers' forum. The potential Central Bank of Argentina data breach, if proven true, poses serious implications for the financial security and privacy of countless individuals.
According to the dark web post, the database allegedly contains sensitive information, including full customer names, CUIL/DNI (ID) numbers, cities, and phone numbers. Such data, if compromised, could expose individuals to identity theft, financial fraud, and other malicious activities, with serious consequences for both customers and the Central Bank of Argentina. However, amid these claims, crucial details remain unknown. The extent of the cyberattack on the Central Bank of Argentina and the motive behind it have not been disclosed by the threat actor. Without clarity on these critical aspects, the true nature and severity of the Central Bank of Argentina data breach remain uncertain.
Image source: X
Adding to the uncertainty is the apparent functionality of the Central Bank of Argentina's official website. Despite the allegations made by the threat actor, the website remains operational, casting doubt on the authenticity of the claim. This discrepancy raises questions about the credibility of the purported database sale and highlights the difficulty of separating genuine cyber threats from disinformation.
Potential Ramifications of the Central Bank of Argentina Data Breach
If the claim of a database breach at the Central Bank of Argentina is indeed verified, the ramifications could be far-reaching. Beyond the immediate financial and reputational damage to the bank itself, the fallout may extend to the broader economy and society at large. The compromised data, containing the personal and financial information of individuals, could be exploited by cybercriminals for various nefarious purposes. From identity theft and fraudulent transactions to targeted phishing scams and extortion attempts, the potential threats are manifold and alarming. Moreover, the integrity and trustworthiness of financial institutions, particularly central banks, are paramount for maintaining stability and confidence in the banking system. Any breach or perceived vulnerability could undermine public trust, erode investor confidence, and destabilize financial markets, with ripple effects reverberating across the economy. The absence of concrete evidence and corroborating details complicates efforts to assess the veracity of the threat actor's claims and formulate an effective response.
Other Cyberattack Claims on Argentina
This claim follows a series of cyber threats targeting Argentina's institutions. In April 2024, a dark web actor allegedly proposed the sale of Telecom Argentina access for $100 on a hacking forum. According to the threat actor’s post, interested buyers could acquire access enabling them to query personal information tied to individuals in Argentina. This included details on services registered under their names, such as routers, with access to data like Public IP and Private IP addresses.
Moreover, in February 2024, the Córdoba Judiciary in Argentina fell victim to a PLAY ransomware attack. The ransomware impacted its websites and databases, making it one of the worst computer hacks on public institutions in the Argentine Republic. The attack left the websites inaccessible, and to date, the compromised systems have not been restored. Police and cybersecurity specialists are assisting with the investigation to identify the incident’s perpetrators. Local sources claim that the ransomware strain “PLAY” infected the government organization’s computers. PLAY is a well-known ransomware strain built specifically to encrypt user data and demand ransom payments to unlock it.
Understanding Argentina's Vulnerability
Argentina's susceptibility to cyber threats stems from various factors. Firstly, the country's heavy reliance on digital infrastructure for its financial and administrative operations makes it a prime target for cybercriminals. Institutions like the Central Bank, with vast databases containing sensitive customer information, are particularly attractive to threat actors seeking to exploit vulnerabilities. Additionally, the emergence of dark web forums and marketplaces has facilitated the sale and exchange of stolen data, providing cybercriminals with an avenue to profit from their illicit activities. The recent claims regarding the sale of the Central Bank's database and Telecom Argentina access underscore the growing sophistication of cyber threats facing the country. In the absence of definitive information, vigilance and caution are imperative. Heightened cybersecurity measures, including enhanced monitoring, threat detection, and incident response protocols, are essential for mitigating risks and safeguarding critical infrastructure and sensitive data. Furthermore, collaboration and information sharing within the cybersecurity community, both domestically and internationally, are vital for staying abreast of emerging threats, sharing intelligence, and coordinating responses to cyber incidents effectively.
Multi-Year Cyberattack: Chinese Hackers Suspected in Breaching Volkswagen
Multi-year Volkswagen Cyberattack by Chinese Hackers
The timeline of the cyberattacks on Volkswagen, spanning from 2010 to 2015, highlights the meticulous planning and execution by the perpetrators. Reports suggest that the hackers meticulously analyzed Volkswagen's IT infrastructure before breaching its networks, leading to the exfiltration of approximately 19,000 documents. Among the stolen intellectual property were coveted insights into emerging technologies like electric and hydrogen cars, areas crucial for Volkswagen's competitiveness in the global market. While China is not directly accused, evidence points to its involvement, with IP addresses traced back to Beijing and the timing of the attacks aligning with the Chinese workday. Moreover, the hacking tools employed, including the notorious "China Chopper," further implicate Chinese origins, though conclusive proof remains elusive.
The Implications of Volkswagen Data Breaches
The implications of these Volkswagen data breaches extend beyond corporate espionage, raising concerns about the integrity of fair competition in the automotive industry. Professor Helena Wisbert of Ostfalia University emphasizes the strategic advantage gained by those privy to competitors' plans, highlighting the significance of stolen data in shaping market dynamics. Volkswagen's acknowledgment of the incident highlights the gravity of the situation, with reassurances of bolstered IT security measures. However, the Federal Office for Information Security (BSI) warns of ongoing threats, stressing the attractiveness of German expertise as a target for espionage. As German companies gear up for the "Auto China" trade fair, the cyberattack on Volkswagen raises questions about the intent of Chinese hackers and their targets in the automobile industry. The Cyber Express will be closely monitoring the situation and we’ll update this post once we have more information on the alleged attacks or any updates from Volkswagen.
Cyberattacks on the Automotive Industry
As automotive technology advances, vehicles are increasingly vulnerable to cyberattacks, particularly with the rise of electronics, software, and internet connectivity. Experts warn that even electric vehicles (EVs) are at heightened risk due to their intricate electronic systems. Ransomware attacks could target critical functions like steering and braking systems, posing significant safety concerns. The sheer volume of software code in modern vehicles creates ample opportunities for cyber threats, affecting not only the cars themselves but also their entire ecosystem. While cybersecurity defenses are improving, the automotive industry faces challenges in managing software lifecycles and ensuring end-to-end risk management. Collaboration between industry stakeholders, government, and private players is essential to address these challenges. As the global automotive cybersecurity market grows, the need for robust cybersecurity measures becomes increasingly critical, prompting software solution providers to offer localized and cost-effective solutions.
Qiulong Ransomware Group Targets Brazilian Surgeon Dr. Willian Segalin, Citing Privacy Concerns
Dr Willian Segalin Cyberattack Claims Surface on Dark Web
The ransomware group's post on the dark web revealed sensitive information allegedly extracted from Dr Willian Segalin's website, including images of nude patients, confidential personal data, and financial information. The group's message admonished Dr Willian for purportedly neglecting patient privacy and urged him to take action to safeguard sensitive information.
Image source: chum1ng0 on X
“Dr. Willian, if you care about your patients' data and privacy, stop driving your Mustang around like a negligent doctor and avoid remaining silent,” reads the threat actor's post.
Image source: chum1ng0 on X
The cyberattack on Dr Willian Segalin is not an isolated incident. Within the same timeframe, the Qiulong ransomware group targeted three other Brazilian organizations, including two related to plastic surgery and one car dealership. The Cyber Express has reached out to the plastic surgeon's office to learn more about the authenticity of the cyberattack on Dr Willian Segalin. However, at the time of writing this, no official statement or response has been received.
Qiulong Ransomware Group Targets Multiple Victims in Brazil
The Qiulong ransomware group's recent cyberattacks extend beyond Dr. Willian Segalin, affecting three other Brazilian entities. The group's posts on the dark web highlight their grievances against these victims, accusing them of neglecting patient privacy and data protection.
Image source: chum1ng0 on X
One victim, Dr. Andrea Rechia, a plastic surgeon, faced criticism for allegedly disregarding patient privacy despite numerous attempts to reach out. The group's post includes sensitive information about the clinic's operations and contact details. Similarly, Dr. Lincoln Graça Neto, another plastic surgeon, was targeted by the ransomware group. The post exposes the clinic's location and amenities but condemns Dr. Lincoln for purportedly neglecting patient data security. The final victim, Rosalvo Automóveis, a car dealership, faced data exposure threats, indicating potential repercussions from the cyberattack. While specific details about the data breach are not provided, the post suggests imminent data exposure.
Central Power Systems & Services’ Website Down After Alleged Hunters Group Cyberattack
Central Power Systems & Services, a major distributor of industrial and power generation products in Kansas, Western Missouri, and Northern Oklahoma, has fallen victim to the notorious Hunters Ransomware Group.
The cyberattack on Central Power Systems & Services, disclosed by the ransomware group, has raised concerns about the safety of sensitive data and the integrity of critical infrastructure.
Central Power Systems & Services, the sole authorized distributor for Allison Transmissions, Detroit Diesel, MTU, Doosan, and Liebherr in the region, has been a stalwart in serving commercial equipment needs since 1954. However, the recent alleged cyberattack may have taken down its official website, which displayed a disconcerting message: "Sorry you have been blocked. You are unable to access cpower.com."
Uncertainty About Cyberattack on Central Power Systems & Services
The claim by the Hunters Ransomware Group has yet to be officially confirmed, leaving both the company and its clients in a state of uncertainty. While attempts to access the website raise suspicions, the possibility of a technical glitch cannot be ruled out until an official statement is released. If proven true, the implications of this Central Power Systems & Services cyberattack could be significant. The potential compromise of sensitive data poses a serious threat not only to the company but also to its clients and partners. With no details provided by the ransomware group regarding the extent of the breach or the nature of compromised data, the situation remains tense.
Previous Incidents
This is not the first time the Hunters Ransomware Group has made headlines. Before this, the group targeted various organizations across different sectors and countries. In 2024 alone, the group claimed responsibility for cyberattacks on the Dalmahoy Hotel & Country Club in the UK, Double Eagle Energy Holdings IV, LLC in the US, and Gallup-McKinley County Schools in New Mexico, among others. The modus operandi of the Hunters Ransomware Group involves encrypting files and appending the ".LOCKED" extension, followed by demands for ransom in exchange for decryption keys. Additionally, the group often leaves instructions for negotiation in files named "Contact Us.txt" within compromised directories. The cyberattack on Central Power Systems & Services highlights the growing threat posed by ransomware groups to organizations worldwide. With cybercriminals continuously evolving their tactics and targeting critical infrastructure, businesses must remain vigilant and prioritize cybersecurity measures. As the investigation into this cyberattack continues, stakeholders await an official statement from the company regarding the breach and its impact. Until then, the industry remains on high alert, bracing for potential fallout from yet another audacious move by the Hunters Ransomware Group.
Nothing Admits to 2022 Data Breach Exposing Community Emails
Rediscovering the 2022 Nothing Data Breach in 2024
Reports recently emerged on social media, notably on X (formerly Twitter), of personal information associated with Nothing Community accounts being found in an online database. While much of the leaked data, such as usernames, was already public, the inclusion of private email addresses raised suspicions among community members. At the time of writing, the reports and posts related to the Nothing data breach had been removed to prevent further exploitation. Although investigations confirmed the existence of the leaked database, there was no evidence that user account passwords had been compromised. However, work email addresses of Nothing employees were also found in the database, adding to the security concerns. Despite efforts to obtain confirmation from Nothing regarding the data breach and the potential implications of the leaked data, The Cyber Express had not received an official statement or response at the time of writing. Several community members and tech reporters removed the sample data and related information from their social media accounts within 72 hours of reporting.

Immediate Action and Enhanced Security Measures
Nothing later responded to inquiries, acknowledging the breach and tracing it to a vulnerability identified in December 2022. The phone manufacturer confirmed that while email addresses were affected, no other sensitive information such as names, addresses, passwords, or payment details was compromised, and that it took immediate action to fix the vulnerability and strengthen its security measures.

"In December 2022, Nothing discovered a vulnerability, which impacted email addresses belonging to community members at the time," the company said. "No names, personal addresses, passwords, or payment information were compromised. Upon this discovery nearly a year and a half ago, Nothing took immediate action to remedy the situation and bolster its security features," a Nothing spokesperson told Android Authority.

Despite these efforts, concerns lingered about the extent of the breach and its impact on community members. Although the breach is relatively minor, it adds to a series of security incidents surrounding Nothing, including the Nothing Chats debacle, in which the company drew criticism for the inadequate security of its messaging system. Users may see an increase in spam and phishing email as a result of this leak, but the overall impact on Nothing Community users is expected to be limited. Because no account passwords were compromised, a password change is a precaution rather than a necessity; treating unexpected email that references the Nothing Community with suspicion is the more relevant defense. Notably, there was no indication that Nothing had reached out to affected users about the breach, raising questions about communication and transparency. Nonetheless, internal changes were implemented to safeguard user data in the future.

Cactus Ransomware Hits Singapore Garment Giant Ghim Li Global
Cactus ransomware has added Ghim Li Global Pte Ltd to its victim list, sparking concerns over data security and the vulnerability of businesses to cyberattacks.
Ghim Li Global is a prominent Singapore-based company specializing in garment manufacturing and distribution across the Asia-Pacific region.
While the extent of the Ghim Li Global cyberattack and the compromise of data remain undisclosed by the ransomware group, the potential implications of such an attack could be profound.
Claim of Ghim Li Global Cyberattack
The ransomware group's claim has been met with skepticism, especially as Ghim Li Global's official website appears fully functional. A working website is not evidence either way, however: data theft without encryption leaves public-facing systems untouched. Despite attempts to verify the Ghim Li Global cyberattack, no official response has been received from the company, leaving the claim unverified.
Emergence of Cactus Ransomware
Cactus ransomware has been a growing threat since March 2023, targeting commercial entities with considerable success. In a study by the SANS Institute on the growth of ransomware, Cactus was identified as one of the fastest-growing threat actors of the year. Notably, 17% of all ransomware attacks in 2023 were attributed to new groups that did not exist in 2022, with Cactus ranking among the top five of these newcomers. The name "Cactus" comes from the filename of the ransom note, "cAcTuS.readme.txt"; encrypted files are renamed with the extension .CTSx, where x is a single digit that varies between attacks, so a sweep for the extension needs to allow for any digit rather than one fixed suffix.

Previous Cyberattack Claims
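As an added example (editor's code, not from The Cyber Express or from any responder quoted on this page), the following Python script turns the filename indicators given in the Hunters and Cactus write-ups above into a triage check over a file listing. The indicator patterns are the ones the articles state; the sample listing, its UNC paths and the five-file threshold are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Filename indicators taken from the two write-ups on this page:
#   Hunters: encrypted files get a ".LOCKED" suffix, the note is "Contact Us.txt"
#   Cactus:  encrypted files get ".CTSx" (x = one digit), the note is "cAcTuS.readme.txt"
# Matching is done on the basename only.
INDICATORS = {
    "Hunters": {
        "extension": re.compile(r"\.LOCKED$"),
        "note": re.compile(r"^Contact Us\.txt$", re.IGNORECASE),
    },
    "Cactus": {
        "extension": re.compile(r"\.CTS\d$"),
        "note": re.compile(r"^cAcTuS\.readme\.txt$", re.IGNORECASE),
    },
}

# Assumed threshold, not from the article: one matching file is noise, a note
# plus a run of renamed files in the same listing is an incident.
MIN_ENCRYPTED_FILES = 5


def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (family, "note" | "encrypted") for a matching basename, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    for family, pats in INDICATORS.items():
        if pats["note"].search(name):
            return family, "note"
        if pats["extension"].search(name):
            return family, "encrypted"
    return None


def triage(paths: Iterable[str]) -> Dict[str, str]:
    """Map each family to "likely" or "suspicious" based on what the listing contains."""
    notes: Dict[str, List[str]] = {f: [] for f in INDICATORS}
    encrypted: Dict[str, int] = {f: 0 for f in INDICATORS}
    for path in paths:
        hit = classify_path(path)
        if hit is None:
            continue
        family, kind = hit
        if kind == "note":
            notes[family].append(path)
        else:
            encrypted[family] += 1
    verdicts: Dict[str, str] = {}
    for family in INDICATORS:
        if notes[family] and encrypted[family] >= MIN_ENCRYPTED_FILES:
            verdicts[family] = "likely"
        elif notes[family] or encrypted[family]:
            verdicts[family] = "suspicious"
    return verdicts


# Constructed file listing standing in for `find /share -type f` output on a
# hit host; none of these paths come from the incidents described above.
SAMPLE_LISTING = [
    r"\\fileserver\finance\2024\budget.xlsx.LOCKED",
    r"\\fileserver\finance\2024\forecast.xlsx.LOCKED",
    r"\\fileserver\finance\2024\invoices.pdf.LOCKED",
    r"\\fileserver\finance\2024\payroll.csv.LOCKED",
    r"\\fileserver\finance\2024\vendors.docx.LOCKED",
    r"\\fileserver\finance\2024\Contact Us.txt",
    "/srv/backups/site.tar.gz.CTS1",   # a lone renamed file: worth a look, not a verdict
    "/srv/backups/README.md",          # benign
]

if __name__ == "__main__":
    for family, verdict in triage(SAMPLE_LISTING).items():
        print(f"{family}: {verdict}")
```

Feed it the output of a recursive directory listing from a suspect share; a "likely" verdict for a family means both the note and a run of renamed files are present, while "suspicious" flags a stray indicator that deserves a manual look before escalating.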
Prior to targeting Ghim Li Global, Cactus ransomware made headlines in March 2024 for its cyberattack on Petersen Health Care. The attack compromised the company's digital infrastructure and led to the exposure of sensitive information. Petersen Health Care, a prominent Illinois-based operator of a network of nursing homes across the United States, was forced to file for bankruptcy under Chapter 11 protection in a Delaware court, burdened by $295 million in debt. Among this debt was $45 million owed under healthcare facility loans insured by the U.S. Department of Housing and Urban Development.

In February, Schneider Electric's Sustainability Business Division fell victim to a data breach, raising alarms about the security of sensitive information within the company's ecosystem. While details of the breach remain murky, the ransomware group claimed responsibility, asserting that 1.5 TB of personal documents, confidential agreements, and non-disclosure agreements were among the information stolen.

Before these incidents, in December, Cactus ransomware targeted Coop, a major supermarket chain in Sweden. Despite claiming responsibility for the attack, the group did not disclose the extent of the data accessed or the ransom amount demanded. In January 2024, Coop confirmed a severe cyberattack that took its payment checkouts out of service, plunging the chain into chaos.

With the alleged cyberattack on Ghim Li Global Pte Ltd, the ransomware group continues to pose a significant threat to organizations worldwide. The incident highlights the need for businesses to strengthen their cybersecurity measures and remain vigilant against evolving threats.
8Base Ransomware Group Launches Cyberattack on Bieler Lang GmbH, Threatens Data Leak
Analyzing the Bieler Lang GmbH Cyberattack and Other Intrusions
This cyberattack has significant implications for Bieler Lang GmbH. Other organizations, including FEB31st, Wasserkraft Volk AG, Speedy France, and The Tech Interactive, face the same allegation from the threat actor, highlighting the scope of the campaign and the group's intentions. The Bieler Lang GmbH cyberattack was posted on the threat actor's data leak site along with several screenshots relating to the organization and the data allegedly stolen. In 8Base's words, the group has uploaded "invoices, receipts, accounting documents, personal data, A huge amount of confidential information", along with other personal data about the organization. The Cyber Express reached out to Bieler Lang GmbH for further details regarding the incident. As of now, no confirmation or denial has been issued by the organization, leaving the claims of the cyberattack on Bieler Lang GmbH unverified.

The Anonymity of the 8Base Ransomware Group
Despite the claimed intrusion, the website of Bieler Lang GmbH appears to be operational, showing no immediate signs of the attack. It is worth noting that 8Base operates not solely as a ransomware operation but as a data-extortion group: even where systems are not encrypted, the threat of publishing stolen data on its leak site is the lever. The group has gained notoriety for targeting similar companies and posting about its exploits on data leak sites. While the origins and identities of the 8Base operators remain unknown, cybersecurity experts say their recent surge in activity indicates a well-established and mature operation. With a history of targeting companies that neglect data privacy, the group presents a challenge to cybersecurity efforts globally. As for the Bieler Lang GmbH cyberattack, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information about the attack or any official confirmation from the organization.
Catholic Medical Center Hit by Data Breach, Affecting Nearly 2,792 Patients
Catholic Medical Center (CMC) in Manchester, New Hampshire, revealed on Monday that nearly 2,792 patients may have had their personal and health information compromised in a third-party data security incident. The hospital stated that affected individuals will be notified by mail this week as the hospital works to address the CMC data breach.
The CMC data breach is attributed to Lamont Hanley & Associates Inc. (LH), a vendor providing accounts receivable management services to CMC. The unauthorized access to certain files containing sensitive patient data occurred during an incident at LH, impacting not only CMC patients but also other clients of the vendor.

Response to CMC Data Breach
According to the hospital, LH detected the breach on June 20, 2023, after an unauthorized party accessed an employee email account through a phishing attempt. Despite immediate action by LH to contain and secure the email environment, it could not rule out that the unauthorized party had accessed or acquired data in the account.

"On March 6, 2024, LH notified CMC that on June 20, 2023, it discovered one employee email account was accessed by an unauthorized party via a phishing attempt. Upon detecting the incident, LH commenced an immediate and thorough investigation, contained and secured the email environment, and changed the password to the affected email account," reads the official notice.

Although LH's investigation did not definitively confirm data access, a comprehensive review completed on February 28, 2024, identified the specific personal information present within the compromised email account. "Out of an abundance of caution, LH conducted a comprehensive review of the affected email account, and on February 28, 2024, determined the specific personal information present within the account," the notice continues. This information includes names, Social Security numbers, dates of birth, medical and claim information, health insurance details, individual identification data, and financial account information. Note the timeline: more than eight months passed between detection of the account compromise on June 20, 2023 and the determination on February 28, 2024 of what the account held, and a further week before CMC was notified on March 6, 2024.

CMC emphasized its commitment to patient privacy and security, stressing ongoing efforts to understand the incident's cause and LH's assurances of enhanced cybersecurity measures. Additionally, LH is offering complimentary credit monitoring services to eligible individuals affected by the breach. While CMC's own network was unaffected by the incident, the hospital says it maintains a strong cybersecurity program and requires contracted vendors to implement stringent safeguards for sensitive information.
Affected individuals will receive notification letters this week, and LH has established a dedicated toll-free response line for inquiries and additional information. "For those individuals who have been identified, they will receive a letter in the mail this week. For those who have questions or need additional information regarding this incident, LH has established a dedicated toll-free response line at 1.833.792.8144," the hospital said. The response line operates Monday through Friday, 8 AM to 8 PM Eastern Time, excluding holidays. Because Social Security numbers and financial account information were among the exposed data, CMC and LH urge affected patients to monitor financial account statements, explanations of benefits, and credit reports for fraudulent or irregular activity, and to consider placing fraud alerts or security freezes on their credit files for added protection against identity fraud.

Financial Challenges and Layoffs
The announcement comes amidst financial challenges faced by CMC, which recently laid off 54 employees and reduced hours for others.
President and CEO Alex Walker announced the layoffs to staff in a memo on Thursday. The hospital will also cut some workers' hours and eliminate a number of open positions, reducing overall staffing levels by the equivalent of 142 full-time positions. Walker said rising costs, lower reimbursement for services, shifting demographics and changes in the payor mix (the share of patient revenue that comes from Medicare and Medicaid versus privately insured and self-paying patients) had all contributed to the hospital's "financial stress."

This comes as Catholic Medical Center is in negotiations to be acquired by HCA Healthcare, the for-profit healthcare giant that also owns hospitals in Portsmouth, Rochester and Derry, and elsewhere across the country. Walker told NHPR last fall that the deal is necessary for the hospital's long-term financial viability. Catholic Medical Center says it hopes to reach a final agreement with HCA soon. The deal would still need approval from state regulators. The New Hampshire Department of Justice blocked a proposed merger between Catholic Medical Center and Dartmouth Health in 2022, saying it would reduce competition and potentially drive up prices.

Amid these financial challenges, CMC now faces the additional burden of the data breach.
UnitedHealth Confirms Paying Ransom to Secure Patient Data After Change Healthcare Cyberattack
In a bid to safeguard patient data, UnitedHealth Group, a prominent healthcare conglomerate, confirmed that it has paid ransom to cyberthreat actors after its subsidiary, Change Healthcare, fell victim to a cyberattack in February. The company also acknowledged that files containing personal information were compromised in the Change Healthcare cyberattack.
According to a statement provided to CNBC, UnitedHealth stated, "This attack was conducted by malicious threat actors, and we continue to work with law enforcement and multiple leading cybersecurity firms during our investigation. A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure."

Ransom Payment Amount and Method
Though UnitedHealth did not disclose the exact ransom amount, Wired reported on March 4 that the company likely paid around $22 million in bitcoin to the attackers, citing darknet forum posts and blockchain analysis. The Cyber Express Team contacted Change Healthcare officials to inquire about the reported ransom payment; at the time of publication, no official response had been received.

UnitedHealth further disclosed that the threat actors accessed files containing protected health information (PHI) and personally identifiable information (PII), which could affect a significant portion of the American population. However, the company clarified that, to date, there is no evidence that materials such as doctors' charts or full medical histories were exfiltrated. "Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America. To date, the company has not seen evidence of exfiltration of materials such as doctors' charts or full medical histories among the data," reads the official release. Note the qualifier: the finding rests on targeted sampling of the data set, not a complete review, so the stated scope may widen as the review proceeds.

Andrew Witty, CEO of UnitedHealth Group, expressed the company's commitment to addressing the concerns raised by the attack, stating, "We know this attack has caused concern and been disruptive for consumers and providers, and we are committed to doing everything possible to help and provide support to anyone who may need it."

Change Healthcare Cyberattack Details and Infiltration
The attackers, identified as the ALPHV (BlackCat) ransomware gang or one of its affiliates, were inside Change Healthcare's networks for more than a week before launching the ransomware, as reported by The Wall Street Journal. They gained entry using compromised credentials for an application that allows staff to access systems remotely; multi-factor authentication was not enabled on that application, so a single stolen password was enough. This is exactly the failure mode that MFA on every remote-access path is meant to close, and it is worth checking on any VPN, remote desktop or similar gateway exposed to the internet.

In response to the breach, UnitedHealth has taken steps to mitigate the impact on affected individuals. The company has set up a dedicated website for patients to access resources and launched a call center offering free identity theft protection and credit monitoring for two years. However, because the data review is still under way, the call center cannot tell individuals whether their own data was affected.

Change Healthcare, which processes approximately 15 billion transactions a year and handles one in three medical records, suffered significant disruption from the attack. More than 100 systems were shut down, affecting numerous healthcare providers and leaving some reliant on loans and personal funds to stay operational. UnitedHealth reported that the attack has cost the company $872 million so far.

Recovery Efforts and Assistance Programs
Despite the challenges, UnitedHealth has been steadily restoring systems since March, including pharmacy software, claims management, and other platforms. The company has also launched financial assistance programs, although some providers have expressed dissatisfaction with the amounts offered and reported feeling pressured by UnitedHealth staff to make positive public comments about the loans. As UnitedHealth continues its recovery from the cyberattack, it says it remains vigilant in securing patient data and strengthening its cybersecurity defenses to prevent future incidents.
MITRE Hit in Massive Supply Chain Attack: State-Backed Hackers Exploit Zero-Days
The MITRE Corporation revealed on April 19 that it was one of over 1700 organizations compromised by a state-backed hacking group in January 2024. The MITRE data breach, which involved chaining two Ivanti VPN zero-days, highlights the evolving nature of cyber threats and the challenges organizations face in defending against them.
The MITRE data breach was detected after suspicious activity was noticed on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development.

MITRE Data Breach Discovery and Response
Following the detection, MITRE promptly took NERVE offline and launched an investigation with the assistance of both internal and external cybersecurity experts. "Following detection of the incident, MITRE took prompt action to contain the incident, including taking the NERVE environment offline, and quickly launched an investigation with the support of in-house and leading third-party experts. The investigation is ongoing, including to determine the scope of information that may be involved," reads the official notice.

MITRE CEO Jason Providakes emphasized that "no organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible." Providakes highlighted the importance of disclosing the incident in a timely manner to promote best practices and enhance enterprise security. "We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry's current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices," said Providakes.

Charles Clancy, MITRE's Chief Technology Officer, provided additional insight, explaining that the threat actor compromised the Ivanti Connect Secure appliance used to provide connectivity into trusted networks. Clancy stressed the need for the industry to adopt more sophisticated cybersecurity solutions in response to increasingly advanced threats. MITRE outlined four key recommendations:
- Advance Secure by Design Principles: Hardware and software should be inherently secure.
- Operationalize Secure Supply Chains: Utilize software bill of materials to understand threats in upstream software systems.
- Deploy Zero Trust Architectures: Implement micro-segmentation of networks in addition to multi-factor authentication.
- Adopt Adversary Engagement: Make adversary engagement a routine part of cyber defense to provide detection and deterrence.
Details of the MITRE Data Breach
The MITRE data breach involved two zero-day vulnerabilities in Ivanti Connect Secure: an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887). Chained together, they let the attackers get past the appliance's multi-factor authentication defenses and then move laterally through the compromised network using hijacked administrator accounts. The attackers used webshells and backdoors to maintain access to compromised systems and harvest credentials.

Since early December 2023, the vulnerabilities have been exploited to deploy multiple malware families for espionage purposes. Mandiant attributes these attacks to an advanced persistent threat (APT) tracked as UNC5221, while Volexity has reported signs of Chinese state-sponsored actors exploiting the zero-days. Volexity discovered over 2,100 compromised Ivanti appliances, affecting organizations of various sizes globally, including Fortune 500 companies. The scale and severity of the attacks prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive on January 19, instructing federal agencies to mitigate the Ivanti zero-days immediately. The practical lesson is that a VPN appliance sits outside the protection MFA offers: once the device itself is compromised, every session it terminates is exposed, so patching, integrity checking and credential rotation on the appliance matter as much as MFA behind it.

MITRE's disclosure serves as a reminder of the ongoing threat posed by cyber adversaries and the critical need for organizations to continually enhance their cybersecurity defenses.

Frontier Hit by Cyberattack, Customer Data Potentially Exposed
Frontier Communications, a prominent telecom provider in the United States, is grappling with the aftermath of a cyberattack attributed to a cybercrime group. The attack on Frontier Communications, which occurred on April 14, 2024, has the company racing to restore compromised systems and reassure its millions of customers across 25 states.
The cyberattack on Frontier Communications, detected by the company's vigilant cybersecurity team, prompted the company to take swift action, partially shutting down affected systems to thwart further unauthorized access.
This proactive measure, while essential for containing the breach, resulted in operational disruptions, leaving many customers facing internet connection issues and encountering difficulties reaching support services.
Disclosure of Cyberattack on Frontier Communications
In a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on Thursday, Frontier Communications disclosed details of the breach. The attackers gained access to portions of the company's information technology infrastructure, including sensitive personally identifiable information (PII). While the specifics of the compromised data remain undisclosed, concerns linger regarding the potential exposure of customer and employee information. Despite the severity of the attack, the company says it has contained the incident and restored the core IT systems affected. However, recovery has not been smooth, as evidenced by ongoing technical issues on the company's website.

Customer Conundrum: Support Snags and Communication Breakdowns
Customers attempting to access Frontier's online services are met with warnings of internal support technical difficulties, adding to frustration over the connectivity problems. Reports also indicate that affected customers are experiencing prolonged internet outages, with support phone lines playing prerecorded messages instead of connecting to live operators. This breakdown in customer communication compounds the uncertainty surrounding the situation and underscores the urgency for Frontier to address the fallout from the attack.

In response to the breach, Frontier has launched an investigation with the help of outside cybersecurity specialists and notified law enforcement. A Frontier spokesperson was unavailable for comment when contacted by The Cyber Express Team, leaving affected consumers waiting for reassurance and transparency. Frontier says it remains committed to safeguarding customer data and restoring normal business operations. While the company maintains that the incident is unlikely to have a significant impact on its financial standing, the full extent of the breach's ramifications is not yet known. As stakeholders await further updates, Frontier faces a test of resilience and accountability in the wake of the attack.
Asantee Games Acknowledges Security Flaw in Magic Rampage, Assures it’s Been Contained
Magic Rampage Data Breach Stemmed from a Vulnerability
The Magic Rampage breach at Asantee Games appears to stem from a misconfiguration of MongoDB, a popular document-oriented database. The oversight left the company's data repository without password protection, making the organization's data accessible to the public for a short time. A spokesperson for Asantee Games confirmed that the vulnerability was identified and contained a few weeks ago.

In a statement shared with TCE, Asantee Games said that "our team took immediate action to secure our systems and further strengthen our database security to prevent such occurrences in the future. It is important to note that no other critical personal data was compromised. We do not store sensitive information such as names, birth dates, or addresses, hence minimizing the potential impact on our users." An unauthenticated MongoDB instance reachable from the internet is one of the most common causes of bulk data exposure, because by default the server does not require clients to authenticate; the fix is to enable authorization and to bind the listener to trusted addresses only.

Separately, MongoDB itself acknowledged a security incident on December 13, 2023, indicating unauthorized access to certain corporate systems. Investigations subsequently revealed that the breach was the result of a successful phishing attack. It appears that the breach did not compromise data stored within MongoDB Atlas, the company's fully managed cloud database service. Nonetheless, the incident affected other organizations using MongoDB for operations.
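As an added example (editor's code, not Asantee Games' or MongoDB's), the following Python script audits a mongod.conf for the misconfiguration described above: authorization left disabled and the listener bound to every interface. Both configuration fragments are constructed; the parser handles only the nested-mapping, scalar-leaf subset that mongod.conf normally uses, and the TLS check is an extra hardening point not mentioned in the article.

```python
from typing import Dict, List, Tuple

# Two constructed mongod.conf fragments (neither is Asantee Games' real
# configuration). The first is the shape that turns into a public data leak.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface, including the public one
# no security: section, so authorization defaults to disabled
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus the app server's subnet address
  tls:
    mode: requireTLS
security:
  authorization: enabled        # clients must authenticate and be authorized
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Flatten the YAML subset mongod.conf uses (nested mappings with scalar
    leaves, '#' comments) into dotted keys such as net.bindIp."""
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) for the open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        # close any mapping at the same or deeper indentation
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip()
    return flat


def audit(flat: Dict[str, str]) -> List[str]:
    """Findings that would leave the instance readable by anyone who can reach the port."""
    findings: List[str] = []
    # authorization is off unless explicitly enabled
    if flat.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled: unauthenticated clients get full access")
    # bindIp defaults to localhost; 0.0.0.0 / :: / bindIpAll expose every interface
    addrs = [a.strip() for a in flat.get("net.bindIp", "localhost").split(",")]
    if flat.get("net.bindIpAll") == "true" or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp listens on all interfaces: restrict to loopback and the app network")
    # added hardening beyond the article: credentials should not cross the wire in clear text
    if flat.get("net.tls.mode", "disabled") != "requireTLS":
        findings.append("net.tls.mode is not requireTLS: credentials and data are sent unencrypted")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse a mongod.conf string and audit it."""
    return audit(parse_conf(text))


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_text(conf) or ["no findings"])
```

Run it against `/etc/mongod.conf` on each database host; an empty findings list for the hardened fragment shows the three settings working together, while the weak fragment trips all three checks. Enabling authorization also requires creating an admin user before restarting with the new configuration, otherwise every client, including the application, is locked out.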
The MongoDB Data Breach and Cyberattacks on the Gaming Industry
The MongoDB data breach was contained as the company activated its incident response plan, however, the repercussions of the breach are still visible on the market — with the latest example being the Magic Rampage data leak. Moreover, the access to the Magic Rampage database was secured in a few hours. The leaked data, however, reportedly includes players' usernames, emails, device information, statistics, and admin credentials with encrypted passwords. Detailed logs reveal various categories of information, including prize counts, storage sizes, and timestamps, providing insights into the scope of the breach. However, the organization denies the involvement of any user data being compromised in this breach. Furthermore, the gaming industry at large faces persistent threats from hackers and ransomware groups, as evidenced by the recent breach affecting Void Interactive, developers of Ready or Not. With over 4TB of data allegedly stolen, including millions of files, the incident highlights the ongoing challenges posed by cybersecurity vulnerabilities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
Void Interactive Data Breach: Developer of Popular SWAT Team Game Suffers Source Code Leak
Void Interactive Data Breach Linked to TeamCity Cloud Vulnerabilities
The data was stated to include the entire Ready or Not PC source code. It also includes data from performance benchmark tests and development builds for console versions of Ready or Not on the Xbox One, Xbox Series X|S, and PlayStation 5 platforms. Purported images of the PS4 build of the game running on a PlayStation 4 test kit were also revealed in the leak, as reported by Insider Gaming.

In another report, from Kotaku, a representative from Void Interactive stated that the hack was the result of “critical vulnerabilities” in TeamCity's cloud service component for build management. The game developer added that the hackers obtained access to certain source code and screenshots involving an upcoming project. Void Interactive's spokesperson further claimed that no user-related data had been breached, as they 'do not capture any personal user information in the first place'. The developer again confirmed that some source code and directory information had been stolen as part of the attack. However, development assets and proprietary code were not part of the breach. Void Interactive described the attack as 'limited to the TeamCity services interface.' The Cyber Express has reached out to Void Interactive requesting information about the ongoing investigation.

[Image] Source: d0nutleaks leak site claim

[Image] Source: /u/DrinkMoreCodeMore's claim on /r/ReadyOrNotGame subreddit

While Kotaku and Insider Gaming have stopped short of directly naming the hacker group responsible, it is worth noting that around the time the incident is said to have occurred, a Reddit user with the username "DrinkMoreCodeMore" claimed to have noticed the d0nutleaks ransomware group listing Void Interactive as a victim on its data leak site.

Data Breaches, Source-Code Leaks, and Hacks Plague Gaming Industry
The gaming industry has been rife with data breach and hacking incidents affecting both prominent studios and smaller development teams. Last month, in March, the Apex Legends North American Finals were postponed after two professional players were hacked and given 'aimbots' and 'wallhacks' mid-tournament. In December 2023, prominent game developers Insomniac Games and Rockstar Games suffered massive data breach attacks. The Rhysida ransomware gang leaked 1.67 TB (1.3 million files) of data from Insomniac Games, while another group leaked two files from Rockstar Games, a 4 GB file and a 200 GB file. The smaller file mostly contained code, while the bigger one contained 3D models and assets. The leaked data included data on at least 1158 Rockstar employees.

The recent series of data breaches serves as a stark reminder that as developers continue to innovate and push boundaries in gaming, protecting intellectual property and sensitive data must remain a top priority in order to provide a secure environment for creators and players alike.
Cannes Hospital Back to Basics: Pen and Paper Power Healthcare After Cyberattack
Cannes Simone Veil Hospital Center (CHC-SV) is grappling with the aftermath of a cyberattack that struck the hospital on April 16. The cyberattack on CHC-SV has thrust the hospital into a state of heightened alert as it navigates the complexities of ensuring uninterrupted patient care while contending with the fallout of compromised digital systems.
CHC-SV's response to the cyberattack has been swift and decisive. The hospital's crisis unit wasted no time in implementing stringent measures, including a general cyber containment protocol that severed all computer access while keeping telephony services operational. "All computer access was consequently cut off. Telephony continues to work," reads the official notice on the Cannes Simone Veil Hospital Center website.

Cyberattack on CHC-SV: Ongoing Investigations
Collaboration with expert partners such as ANSSI, Cert Santé, Orange CyberDéfense, and GHT06 has been instrumental in analyzing the cyberattack and formulating an effective response strategy. Despite the absence of ransom demands or identified data theft, investigations remain ongoing. "The cyberattack is currently being analyzed in conjunction with expert partners (ANSSI, Cert Santé, Orange CyberDéfense, GHT06). There have been no ransom demands or data theft identified at this stage. Investigations remain ongoing," the hospital said.

In the wake of the CHC-SV cyberattack, hospital professionals have transitioned to so-called degraded procedures, relying on paper-based methods to maintain essential healthcare services. While these procedures are more time-consuming, they ensure that critical medical needs across various specialties, including emergencies, surgery, obstetrics, and pediatrics, continue to be met. "Hospital professionals have been applying so-called degraded procedures since Tuesday morning (using paper kits). These procedures are more time-consuming and examination delivery times are longer. Everything is done to guarantee the continuation of care in complete safety across all fields of activity (emergencies, medicine, surgery, obstetrics, geriatrics, pediatrics, psychiatry, home hospitalization, rehabilitation)," the notice continues.

Regional Collaboration for Patient Care Optimization
The coordination efforts extend beyond the confines of CHC-SV, with the establishment collaborating closely with regional health agencies and partner hospitals to regulate patient flow and optimize utilization of healthcare resources. Despite the disruptions caused by the cyberattack on CHC-SV, emergency services remain active. The solidarity demonstrated by partner institutions, including CHU Nice, CH Grasse, CH Antibes, and private sector collaborators, has been invaluable in navigating this challenging period.

However, the impact of the cyberattack has been felt, with approximately a third of non-urgent interventions and consultations disrupted in the initial days following the incident. Efforts are underway to expedite the resumption of services, with the operating program expected to reach 90% capacity in the coming days.

Importantly, CHC-SV's proactive approach to cybersecurity, including regular risk assessments and preparedness exercises, has ensured a swift and coordinated response to the cyberattack. Priority is being given to restoring IT systems directly linked to patient care processes, emphasizing the hospital's unwavering commitment to maintaining the highest standards of healthcare delivery. The road to recovery, however, remains fraught with uncertainties, as technical investigations and necessary catch-up efforts are anticipated to prolong the return to normalcy. Drawing from the experiences of other healthcare institutions that have faced similar challenges, CHC-SV is bracing for a protracted recovery process.

Furthermore, the recent cyberattack on Change Healthcare in the United States highlights the pervasive nature of cyber threats in the healthcare sector. With disruptions reverberating across the country, the incident underlines the urgent need for enhanced cybersecurity measures to fortify healthcare systems worldwide.
In response to the cyberattack on Change Healthcare, UnitedHealth Group has mobilized substantial financial support to mitigate the impact on healthcare providers, highlighting the far-reaching consequences of cyber incidents in the healthcare ecosystem. Against the backdrop of a global healthcare landscape increasingly vulnerable to cyber threats, the incident at CHC-SV serves as a poignant reminder of the critical importance of cybersecurity in safeguarding patient welfare.

Patients Sue Ernest Health After Data Breach of 94,747 Exposed
Ernest Health Data Breach Turns Into Class Action Lawsuit
Following an extensive investigation, Ernest Health commenced a process of notifying affected individuals about the breach, ensuring transparency about the compromised data. In response to the Ernest Health data breach, plaintiffs Joe Lara and Laurie Cook have initiated a class-action lawsuit against Ernest Health. Alleging negligence in safeguarding highly sensitive data, the lawsuit highlights Ernest Health's failure to adequately train employees on cybersecurity measures and maintain sufficient security protocols, leaving patient information vulnerable to cybercriminals.

The lawsuit, filed in the United States District Court, Northern District of Texas, contends that Ernest Health's actions not only breached its duty to protect patient data but also violated state and federal laws governing data protection and breach notifications. Plaintiffs Lara and Cook, representing the class of over one hundred current and former patients affected by the breach, argue that Ernest Health's delayed notification deprived them of the opportunity to mitigate potential damages promptly. The exposed information places them at risk of identity theft and other harms, necessitating legal recourse to address the Ernest Health data breach and its repercussions.

Decoding the Ernest Health Class Action Lawsuit
The Ernest Health class action lawsuit outlines various causes of action, including negligence, negligence per se under the FTC Act and HIPAA, and breach of implied contract, emphasizing Ernest Health's failure to fulfill its obligations in protecting patient information and mitigating damages resulting from the breach. In seeking relief, the plaintiffs and class members are pursuing certification of the case as a class action, along with declaratory and equitable relief, damages, coverage for attorneys' fees and costs, and other appropriate remedies deemed necessary by the court. With demands for a jury trial and a comprehensive legal strategy in place, plaintiffs aim to hold Ernest Health accountable for its role in the data breach and secure justice for those affected by the cyberattack.

As the case unfolds, the Ernest Health lawsuit highlights the growing threat posed by cyberattacks on healthcare institutions. In a similar case, the recent cyberattack on Change Healthcare is expected to result in expenses of $1.6 billion this year.

HHS Scrambles to Patch Security Hole After $7.5 Million Cyberattack
HHS Cybersecurity Incident and Removal of Login from Grantee Payment System
The perpetrators behind this HHS cybersecurity incident employed a sophisticated strategy, leveraging information gleaned from SAM.gov and publicly available data to impersonate legitimate employees within grant recipient organizations. This enabled them to alter banking details, facilitating the illicit transfer of funds. To strengthen its defenses, HHS has replaced HHS Login with the private sector tool ID.me within its Payment Management System, responsible for processing grant payments across government agencies. Notably, both HHS and the General Services Administration (GSA), overseers of Login.gov, assert that the identity system remained uncompromised and disconnected from the theft.

Despite the proactive measures taken by HHS, questions linger regarding the specifics of the breach and subsequent security protocols. Efforts to obtain official statements or responses from relevant government entities regarding the removal of HHS Login from the grantee payment system remain unanswered at present.

Response to the HHS Leak and Stolen Funds
This incident highlights the rise of cyberattacks on multiple sectors in the US, with data breaches and cyberattacks becoming increasingly prevalent. In 2023 alone, a staggering 133 million healthcare records were compromised, marking an escalation from previous years. The recent cyberattack on Change Healthcare in February 2024 further highlights the urgent need for enhanced cybersecurity measures within the industry.

Responding to these challenges, the Biden administration unveiled a comprehensive federal strategy in December 2023 aimed at shoring up cybersecurity defenses within the healthcare sector. Titled "Health Care Sector Cybersecurity," this strategy delineates 20 Cybersecurity Performance Goals (CPGs), providing detailed guidelines for healthcare systems to fortify their defenses. Building upon existing initiatives such as the creation of the "wall of shame" and tailored training, this strategy represents a concerted effort to mitigate cyber vulnerabilities within the healthcare industry. By outlining clear expectations and performance goals, the plan aims to equip healthcare systems with the necessary tools to fight against cybercrime.

UNDP Hit by Cyberattack: HR and Procurement Data Breached
The United Nations Development Programme (UNDP) finds itself at the center of a cybersecurity storm as it grapples with the aftermath of a recent cyberattack targeting its local IT infrastructure in UN City, Copenhagen. The agency disclosed the cyberattack on UNDP in an official notice on its website.
According to the notification, in the last week of March 2024, the UNDP received a troubling threat intelligence notification, revealing that a data-extortion actor had breached its systems, pilfering sensitive data including human resources and procurement information.

"On March 27, UNDP received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information," reads the notice.
[Image] Source: United Nations Development Programme

Swift Response and Vigilance on Cyberattack on UNDP
Upon learning of the incident, UNDP swiftly sprang into action, initiating a series of urgent measures aimed at identifying the source of the data breach and mitigating its impact. Immediate steps were taken to isolate the affected server, with meticulous efforts underway to ascertain the precise nature and extent of the compromised data, as well as to identify individuals affected by the breach. The organization has maintained transparent communication with those impacted by the cyberattack on UNDP, empowering them to safeguard their personal information against potential misuse. Moreover, UNDP has embarked on a comprehensive outreach initiative to apprise its partners within the UN system about the incident, underlining its commitment to transparency and accountability in the face of adversity.

"UNDP is currently conducting a thorough assessment of the nature and scope of the cyber-attack, and we have maintained ongoing communication with those affected by the breach so they can take steps to protect their personal information from misuse. Additionally, we are continuing efforts to contact other stakeholders, including informing our partners across the UN system," officials said.

Potential Impact of the UNDP Cyberattack
As the United Nations' lead agency on international development, UNDP occupies a pivotal role in shaping the global agenda for sustainable development. Operating in 170 countries and territories, the organization spearheads initiatives aimed at eradicating poverty, reducing inequality, and fostering inclusive growth. Through its multifaceted approach, UNDP empowers nations to develop robust policies, enhance leadership capabilities, forge strategic partnerships, and bolster institutional capacities, thereby accelerating progress towards the attainment of the Sustainable Development Goals (SDGs).

Therefore, the ramifications of this cyberattack on UNDP extend far beyond the confines of its digital infrastructure. Given the organization's indispensable role in driving global development efforts, the breach poses significant implications for the continuity and efficacy of vital initiatives aimed at addressing pressing socio-economic challenges. The compromised data, encompassing sensitive human resources and procurement information, could potentially undermine the confidentiality and integrity of crucial operations, impeding UNDP's ability to deliver essential services and support to communities worldwide. Moreover, the breach may erode trust and confidence in UNDP's ability to safeguard sensitive information, jeopardizing its partnerships and collaborative endeavors with governments, civil society organizations, and other stakeholders.

In the aftermath of this cyberattack, UNDP remains steadfast in its mission to advance the cause of global development, undeterred by the challenges posed by malicious cyber actors.

UnitedHealth Beats Earnings Despite $1.6 Billion Cyberattack Hit
The Aftermath of the Change Healthcare Cyberattack
The disruption caused by the cyberattack extended beyond financial transactions, leading to delays in claim submissions as healthcare providers grappled with manual paperwork due to the inability to access the Change Healthcare system. In response to the crisis, UnitedHealth Group's CEO, Andrew Witty, assured stakeholders of the company's unwavering commitment to resolving the connectivity issues faced by care providers, emphasizing progress in addressing the fallout of the Change Healthcare cyberattack during a recent conference call discussing the company's financial results.

The impact of the cyberattack reverberated through UnitedHealth Group's financial performance in the first quarter of 2024, with total cyberattack-related costs amounting to $0.74 per share. Looking ahead, the company estimates a full-year impact ranging from $1.15 to $1.35 per share, encompassing both direct response costs and business disruption impacts. Despite the challenges posed by the cyberattack, UnitedHealth Group reported robust first-quarter earnings, surpassing expectations. The company's revenues for the quarter surged by nearly $8 billion year-over-year to reach $99.8 billion, fueled by strong growth in its Optum and UnitedHealthcare segments.

Response to the UnitedHealth Group Cyberattack
While the Change Healthcare cyberattack did leave a notable dent in UnitedHealth Group's earnings from operations, which included $872 million in adverse effects, the company's adjusted earnings from operations remained resilient, excluding direct response costs attributed to the cyberattack. As per the latest press release, in light of the cyberattack's potential implications on claims receipt timing, UnitedHealth Group exercised prudence by allocating an additional $800 million towards claims reserves in the first quarter, reflecting a proactive approach to managing potential future impacts on its financial stability.

Looking beyond the immediate financial repercussions, UnitedHealth Group remains focused on maintaining consistent care patterns and supporting its care providers through accommodations necessitated by the cyberattack, as evidenced by a medical care ratio of 84.3% in the first quarter of 2024. Despite the turbulence induced by the cyberattack on Change Healthcare, UnitedHealth Group reaffirmed its commitment to shareholder value by returning $4.8 billion through dividends and share repurchases in the first quarter.
Cisco Duo Data Breach Exposes Customer MFA Data Through Telephony Provider
Cisco Duo's security team has issued a warning regarding a cyberattack that compromised some customers' VoIP and SMS logs, potentially exposing sensitive information used for multi-factor authentication (MFA) messages. This Cisco Duo data breach, occurring through their telephony provider, highlights the persistent threat posed by cybercriminals targeting communication channels vital for security measures.
Cisco Duo, a prominent multi-factor authentication and Single Sign-On service utilized by numerous corporations for secure network access, found itself at the center of a cybersecurity incident. The Cisco Duo data breach, which occurred on April 1, 2024, involved the illicit access of employee credentials through a phishing attack. Subsequently, the threat actor leveraged these credentials to infiltrate the systems of a telephony provider responsible for handling SMS and VoIP MFA messages.

Impact on Customers of Cisco Duo Data Breach
Affected customers received notifications revealing that SMS and VoIP MFA message logs associated with specific Duo accounts were compromised between March 1, 2024, and March 31, 2024. While the stolen logs did not include message content, they contained valuable metadata such as phone numbers, carriers, locations, and timestamps. This information could potentially be weaponized in targeted phishing attacks aimed at obtaining corporate credentials and other sensitive data.

"We are writing to inform you of an incident involving one of our Duo telephony suppliers (the “Provider”) that Duo uses to send multifactor authentication (MFA) messages via SMS and VOIP to its customers. Cisco is actively working with the Provider to investigate and address the incident," reads the notice released by Cisco Duo.

Upon discovering the breach, the telephony provider swiftly initiated an investigation and implemented mitigation measures. These efforts included invalidating compromised credentials, analyzing activity logs, and notifying Cisco Duo of the incident. Additionally, the provider enhanced security protocols and committed to reinforcing employee awareness through social engineering training programs.

Customer Assistance and Vigilance
In response to the data breach, Cisco Duo is offering affected customers access to the compromised message logs upon request. It advises customers to promptly notify impacted users and educate them about the risks of social engineering attacks. Heightened vigilance is encouraged, with users urged to report any suspicious activity to designated incident response teams or relevant points of contact.

"The Provider has provided us with a copy of the message logs pertaining to your Duo account that the threat actor obtained, and we will provide you with a copy of those logs upon request. To request such a copy, or if you have any questions, please contact msp@duo.com," reads the notice further.

"Because the threat actor obtained access to the message logs through a successful social engineering attack on the Provider, please contact your customers with affected users whose phone numbers were contained in the message logs to notify them, without undue delay, of this event and to advise them to be vigilant and report any suspected social engineering attacks to the relevant incident response team or other designated point of contact for such matters," Cisco Duo asked in the notice.

The Cyber Express team, while investigating the breach, reached out to Cisco Duo to learn more about the cyber incident; however, as of writing this news report, the company's official response has not been received.
Nexperia Confirms Data Breach, Launches Investigation with Cybersecurity Experts
Chinese-owned semiconductor giant Nexperia has fallen victim to a cyberattack, revealing a breach of sensitive documents and intellectual property. The cyberattack on Nexperia, which occurred in March 2024, has raised concerns about data security and the growing threat of ransomware in the tech industry.
Nexperia, headquartered in the Netherlands, confirmed the cyberattack in a statement, acknowledging that an "unauthorized third party accessed certain Nexperia IT servers."