Normal view
- Cybersecurity News and Magazine
- Data Virtualization: Optimising Access and Utilisation in Enterprise AI Systems
TCE Cyberwatch: This Week’s Cybersecurity Rundown
This week on TCE Cyberwatch, we delve into the recent hackings of major organizations, including the International Baccalaureate, Boeing, and BetterHelp, which have sparked widespread concern online. We also highlight ongoing developments in enhancing cybersecurity measures.
National governments are also grappling with cybersecurity challenges. TCE Cyberwatch examines how these issues have affected countries and the proactive steps organizations are taking to stay ahead in the evolving landscape of cybersecurity. Keep reading for the latest updates.TCE Cyberwatch: A Weekly Round-Up
IB Denies Exam Leak Rumors, Points to Student Sharing
The International Baccalaureate Organization (IBO) faced allegations of exam paper leaks, but it denied any involvement in a cheating scandal. Instead, the organization acknowledged experiencing a hacking incident, unrelated to the current exam papers circulating online.
The breach was attributed to students sharing exam materials on social media platforms. Concurrently, the IBO detected malicious activity within its computer networks.
The act of students sharing exam content online is commonly known as "time zone cheating," wherein students who have already completed their exams disclose details about the questions before others take the test. Additionally, the malicious activity targeted data from 2018, including employee names, positions, and emails. Screenshots of this leaked information surfaced online. Read MoreBoeing Hit by $200 Million Ransomware Attack, Data Leaked
The aeronautical and defense corporation, Boeing, recently confirmed that it had been targeted by the LockBit ransomware gang in October 2023. They also acknowledged receiving a $200 million demand from the attackers to prevent the publication of leaked data. On November 10, approximately 40GB of data was leaked by LockBit, though Boeing has not yet addressed the situation. The ransomware group initially identified Dmitry Yuryevich Khoroshev as the principal administrator and developer behind the LockBit ransomware operation. However, this claim has since been denied by the actual developer. Additionally, Boeing has not announced whether it paid the $200 million extortion demand. Read MoreLenovo Pledges Stronger Cybersecurity with "Secure by Design" Initiative
Lenovo recently joined the Secure by Design pledge initiated by the US Cybersecurity and Infrastructure Security Agency (CISA) to enhance its cybersecurity measures. This announcement was made on May 8th, and the initiative covers various areas including multi-factor authentication and vulnerability reduction. Doug Fisher, Lenovo’s Chief Security Officer, emphasized the importance of industry collaboration in driving meaningful progress and accountability in security. "It’s good for the industry that global technology leaders are able to share best practices," he stated. Many other tech companies have also joined this effort to ensure their security. Read More UK’s AI Safety Institute releases public platform which furthers safety testing on AI models. UK’s AI Safety Institute has recently made its AI testing and evaluation platform available publicly. Inspect, the platform that aims to start more safety tests surrounding AI and ensuring secure models. It works by assessing capabilities of models and then producing a score. It is available to AI enthusiasts, start-up businesses and international governments, as it is released through an open-source licence. Ian Hogarth, the Chair of the AI Safety Institute, has stated that, “We have been inspired by some of the leading open-source AI developers - most notably projects like GPT-NeoX, OLMo or Pythia which all have publicly available training data and OSI-licensed training and evaluation code, model weights, and partially trained checkpoints.” Inspect works by evaluating models in areas such as their autonomous abilities, abilities to reason, and overall core knowledge. Read MoreNASA Names First Chief Artificial Intelligence Officer
NASA announced its first Chief Artificial Intelligence (AI) Officer. David Salvagnini, who previously served as the Chief Data Officer, has now expanded his role to incorporate AI. His responsibilities included developing strategic vision and planning NASA's AI usage in research projects, data analysis, and system development.
NASA Administrator Bill Nelson stated, “Artificial intelligence has been safely used at NASA for decades, and as this technology expanded, it accelerated the pace of discovery.” Salvagnini also worked alongside government agencies, academic institutions, and others in the field to ensure they remained up to date with the AI revolution. Read More. Read MoreDDoS Attacks Target Australia Amidst Ukraine Support
The Cyber Army Russia Reborn launched Distributed Denial of Service (DDoS) attacks targeting prominent Australian companies like Auditco and Wavcabs. While the exact motive remains unclear, the timing suggests a political backlash against Australia's solidarity with Ukraine.
Wavcabs experienced disruptions to its online services, while Auditco encountered technical difficulties believed to be linked to these attacks. Despite the cyber onslaught, Australia remained steadfast in its support for Ukraine, announcing a $100 million aid package comprising military assistance and defense industry support. Read MoreBritish Columbia Thwarts Government Cyberattack, Strengthens Defenses
British Columbia’s government recently confirmed an attempt to infiltrate their information systems. The incidents were identified as “sophisticated cybersecurity incidents” by B.C.’s solicitor-general and public safety minister. There is no current evidence suggesting that personal information, such as health records, was compromised. The government's proactive measures in 2022 played a significant role in detecting the breach.
The government ensured to further secure systems, including requiring government employees to change their passwords. Officials and cybersecurity experts continue to work to ensure sensitive information remains secure and to prevent unauthorized access. The country appears to be using this incident to prepare itself for future cyber threats. Read MoreUrgent Chrome Update: Google Patches Sixth Zero-Day of 2024
A new vulnerability in Google Chrome was uncovered, marking their sixth zero-day incident in 2024. Google swiftly released an emergency update to patch the issue, ensuring users' safety. Updates were promptly distributed across Mac, Windows, and Linux platforms.
For those concerned about their security, updating their devices is crucial. Users can navigate to Settings > About Chrome to initiate the update process. While Google has not disclosed specific details about the breach, the urgency conveyed by their release of an "emergency patch" underscores the severity of the situation. Read MoreTo Wrap Up
Cyberattacks continue to dominate headlines, but this week's TCE Cyberwatch report also reveals positive developments. Governments are taking action, with proactive measures in British Columbia and the UK's AI safety testing platform. Organizations are prioritizing security, as seen in Lenovo's "Secure by Design" initiative.
Individuals play a crucial role too. The recent Google Chrome update reminds us to prioritize software updates. While cyber threats persist, these advancements offer a reason for cautious optimism. By working together, we can build a more secure digital future.
Remember, vigilance is key. Update your software regularly and follow best practices to minimize vulnerabilities. TCE Cyberwatch remains committed to keeping you informed.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.SugarGh0st RAT Campaign Targets U.S. AI Experts
Spear-Phishing SugarGh0st Campaign Targets AI Experts
Proofpoint researchers discovered that the targets of this campaign were all connected to a leading US-based AI organization and were lured with distinct AI-themed emails. The infection chain began with a seemingly innocuous email from a free account, claiming to seek technical assistance with an AI tool. The attached zip file contained a shortcut file (LNK) that deployed a JavaScript dropper upon access. This dropper included a decoy document, an ActiveX tool for sideloading, and an encrypted binary, all encoded in base64. The infection chain ended with SugarGh0st RAT being deployed on the victim's system and communication being established with the attacker's command and control server. Analysis of the attack stages revealed that the group had shifted their C2 communications from an earlier domain to a new one, indicating their detection evasion motives. While the malware itself is relatively unsophisticated in it's attack chain, the targeted nature of AI the campaign makes it significant, the researchers noted. The SugarGh0st RAT was previously used in targeted campaigns in Central and East Asia.Potential Motivations, Attribution and Context
Although direct attribution to a specific nation-state is challenging, researchers concluded the presence of Chinese language artifacts and the precise targeting of AI experts suggest a possible link to China-linked threat actors. The campaign also coincides with the U.S. government's efforts to restrict Chinese access to generative AI technologies. The new regulations established by the Biden administration would likely restrict the export of AI models, and their data to countries it deemed hostile to U.S. interests, such as Russia, China, North Korea and Iran. The Chinese Embassy labeled the action as economic coercion and unilateral bullying. Earlier in February, Microsoft reported observing Chinese, Russian, North Korean and Iranian threat actors' attempting to leverage AI tools from big tech AI companies like OpenAI for their campaigns. The report indicated that Chinese threat actors used AI tools to boost their technical prowess such as the development of tools and phishing content, while the Russian threat actors were observed researching satellite and radar technologies possibly related to the war in Ukraine. With the regulatory efforts aimed at restricting proprietary/closed-source AI models, researchers theorize that this campaign is likely an attempt by a China-affiliated actor to harvest generative AI secrets via cyber theft before the policies are enacted. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- SEC Updates 24-Year-Old Rule to Scale Customers’ Financial Data Protection
SEC Updates 24-Year-Old Rule to Scale Customers’ Financial Data Protection
The Debate on SEC's Tight Guidelines
The introduction of these amendments coincides with the implementation of new incident reporting regulations for public companies, compelling timely disclosure of “material“ cybersecurity incidents to the SEC. Public companies in the U.S. now have four days to disclose cybersecurity breaches that could impact their financial standing. SEC’s interest in the matter stems from a major concern: breach information leads to a stock market activity called informed trading, currently a grey area in the eyes of law. Several prominent companies including Hewlett Packard and Frontier, have already submitted requisite filings under these regulations, highlighting the increasing scrutiny on cybersecurity disclosures. Despite pushback from some quarters, including efforts by Rep. Andrew Garbarino to The SEC’s incident reporting rule has however received pushback from close quarters including Congressman Andrew Garbarino, Chairman of the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee and a Member of the House Financial Services Committee. Garbarino in November introduced a joint resolution with Senator Thom Tillis to disapprove SEC’s new rules. “This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent. CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities. Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland,” Garbarino said, at the time. Senator Tillis added to it saying the SEC was doing its “best to hurt market participants by overregulating firms into oblivion.” Businesses and industry leaders across the spectrum have expressed intense opposition to the new rules but the White House has signaled its commitment to upholding the regulatory framework. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Patch Now! CISA Adds Critical Flaws to Exploited Vulnerabilities Catalog
Patch Now! CISA Adds Critical Flaws to Exploited Vulnerabilities Catalog
CISA Adds Three Known Exploited Vulnerabilities
Exploiting the D-Link router vulnerability, malicious actors can hijack administrative privileges, allowing them to execute unauthorized actions remotely. Another D-Link router vulnerability listed is CVE-2021-40655, affecting the DIR-605 model. This flaw enables attackers to obtain sensitive information like usernames and passwords through forged requests, posing a significant risk to affected users. Additionally, CISA's catalog includes the CVE-2024-4761, concerning Google Chromium's V8 engine. This Chromium vulnerability, marked with a severity rating of 'High,' involves an out-of-bounds memory write issue. Exploiting this flaw, remote attackers can execute malicious code via crafted HTML pages, potentially compromising user data and system integrity.Importance of Catalog Vulnerabilities
These exploited vulnerabilities, once exploited, can lead to severe consequences, making them prime targets for cybercriminals. Notably, these entries are part of CISA's ongoing effort to maintain an updated list of significant threats facing federal networks. The known exploited vulnerabilities catalog aligns with Binding Operational Directive (BOD) 22-01, aimed at mitigating risks within the federal enterprise. While BOD 22-01 specifically targets Federal Civilian Executive Branch (FCEB) agencies, CISA emphasizes the importance of all organizations prioritizing vulnerability remediation. By promptly addressing cataloged vulnerabilities, organizations can bolster their cybersecurity posture and reduce the risk of successful cyberattacks.The Exploited Vulnerability Dilemma
According to Bitsight's analysis, global companies struggle to address critical vulnerabilities promptly. The report draws from data from 1.4 million organizations, revealing that critical vulnerabilities take an average of 4.5 months to remediate, with over 60% unresolved past CISA's deadlines. Despite their prevalence, known exploited vulnerabilities (KEVs) remain a challenge for organizations. Derek Vadala, Chief Risk Officer at Bitsight, urges prioritization of vulnerability remediation, citing an average resolution time of 4.5 months for critical KEVs. Ransomware vulnerabilities, constituting 20% of the KEV catalog, prompt remediation efforts 2.5 times faster than non-ransomware KEVs. While federal agencies fare better in meeting CISA's deadlines, technology companies face the highest exposure to critical KEVs, with a faster remediation turnaround of 93 days. Roland Cloutier, a Bitsight advisor, stresses the need for enhanced vulnerability management, citing organizational challenges in assigning responsibility and ensuring visibility. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Ascension Faces Multiple Lawsuits Following Ransomware Attack
Class-Action Lawsuit Arises from Ascension Ransomware Attack
While Ascension has not confirmed any compromise of patient data, investigations are ongoing. Plaintiffs contend that had proper encryption measures been in place, data stolen by the cybercriminal group Black Basta would have been rendered useless, highlighting the negligence they claim Ascension displayed. We are conducting a thorough investigation of the incident with the support of leading cybersecurity experts and law enforcement," an Ascension spokesperson stated. "If we determine sensitive data was potentially exfiltrated or accessed, we will notify and support the affected individuals in accordance with all relevant regulatory and legal obligations”, reported Healthcare Dive on Thursday. The lawsuits, filed shortly after the Ascension ransomware attack, target the healthcare provider's alleged failure to implement adequate cybersecurity measures, a move plaintiffs argue could have prevented the incident. Both cases, represented by the same legal counsel, highlight the harm suffered by patients due to the exposure of their private information, which they assert was foreseeable and preventable.Ascension Lawsuit and Mitigation Tactics
Despite ongoing investigations and assurances of cooperation with authorities, Ascension has yet to disclose whether patients' sensitive information was compromised during the cyber incident. “Ascension continues to make progress towards restoration and recovery following the recent ransomware attack. We continue to work with industry leading forensic experts from Mandiant to conduct our investigation into this attack and understand the root cause and how this incident occurred”, stated Ascension on its Cybersecurity Event Update page. In parallel, additional cybersecurity experts from Palo Alto Networks Unit 42 and CYPFER have been brought in to supplement the rebuilding and restoration efforts. The focus is on safely and swiftly bringing systems back online. “We are also working on reconnecting with our vendors with the help of our recovery experts. Please be aware that it may still take some time to return to normal operations”, added Ascension. The Catholic health system, which spans 140 hospitals and 40 senior living facilities nationwide, employs a workforce of approximately 132,000 individuals. Despite the financial strain imposed by the Ascension ransomware attack, industry analysts note Ascension's robust liquidity and leverage position, offering a significant rating cushion against such one-off events. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Threat Actor USDoD Announces Creation of ‘Breach Nation’, Following BreachForums Take Down
Threat Actor USDoD Announces Creation of ‘Breach Nation’, Following BreachForums Take Down
USDoD Announces Creation of Breach Nation Forum
In a bold statement following the takedown, USDoD assured the community that he had already been working on rebuilding BreachForums, promising that the forum's legacy and user data would be preserved. He emphasized his dedication to creating a new community, presenting the takedown as not the end but an opportunity for a fresh start. [caption id="attachment_69063" align="alignnone" width="523"] Source: X.com (@EquationCorp)[/caption] His announcement also detailed the allocation of resources and infrastructure to support the new forum. The new domains, breachnation.io and databreached.io, are set to launch on July 4, 2024, symbolically coinciding with Independence Day. This new community, dubbed "Breach Nation," aims to offer enhanced features and security. [caption id="attachment_69064" align="alignnone" width="544"] Source: X.com (@EquationCorp)[/caption] USDoD’s vision for BreachForums 3.0 includes robust infrastructure, with separate servers to ensure optimal performance and security. He has assured the community that he is not driven by profit and aims to offer an upgraded member rank to the first 200,000 users as a token of goodwill. He acknowledged the challenges ahead, including potential opposition from law enforcement as well as possible competition from the BreachForums administrator ShinyHunters. He also addressed concerns about compromise within the forum's administration, stating that he would initially manage it alone to ensure security and build trust.USDoD's Earlier Activities
USDoD's bold promise to create the new Breach Nation forum highlights the persistence of the cybercriminal underworld. The threat actor is a notable figure in the cybercriminal community and was previously known as NetSec on RaidForums. USDoD is known to employ sophisticated social engineering and impersonation techniques to penetrate secure systems. His activities included exposing data related to several high-profile organizations such as InfraGard, Airbus, and several, the U.S. Army, NATO Cyber Center, and CEPOL. He also claimed responsibility for alleged data leaks from the defense contractor Thales as well the Communist Party of China. A newer CDN created by USDoD was first publicized around the same time as the alleged China data leak, this CDN is stated to be incorporated for the new domain's infrastructure and seemingly being reworked and shifted to a new domain. [caption id="attachment_69068" align="alignnone" width="566"] Source: X.com (@EquationCorp)[/caption] While the potential impact of the new forum remains unclear, it may be a key development to watch in the ongoing struggle between law enforcement and cybercrime in the aftermath of the BreachForums domain seizure. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Norwegian National Cyber Security Centre Recommends Moving Away from SSLVPN and WebVPN
Norwegian National Cyber Security Centre Recommends Moving Away from SSLVPN and WebVPN
Replacement of SSLVPN and WebVPN With Secure Alternatives
The NCSC's recommendation is underpinned by the recognition that SSL VPN and WebVPN, while providing secure remote access over the internet via SSL/TLS protocols, have been repeatedly targeted due to inherent vulnerabilities. These solutions create an "encryption tunnel" to secure the connection between the user's device and the VPN server. However, the exploitation of these vulnerabilities by malicious actors has led the NCSC to advise organizations to migrate to Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2). IPsec with IKEv2 is the NCSC's recommended alternative for secure remote access. This protocol encrypts and authenticates each packet of data, using keys that are refreshed periodically. Despite acknowledging that no protocol is entirely free of flaws, the NCSC believes that IPsec with IKEv2 significantly reduces the attack surface for secure remote access incidents, especially due to its reduced tolerance for configuration errors compared to SSLVPN. The NCSC emphasizes the importance of initiating the transition process without delay. Organizations subject to the Safety Act or classified as critical infrastructure are encouraged to complete the transition by the end of 2024, with all other organizations urged to finalize the switch by 2025. The recommendation to adopt IPsec over other protocols is not unique to Norway; other countries, including the USA and the UK, have also endorsed similar guidelines, underscoring the global consensus on the enhanced security offered by IPsec with IKEv2. As a preventative measure, the NCSC also recommended the use of 5G from mobile or mobile broadband as an alternative in locations where it was not possible to implement an IPsec connection.Recommendation Follows Earlier Notice About Exploitation
Last month, the Norwegian National Cyber Security Centre had issued a notice about a targeted attack campaign against SSLVPN products in which attackers exploited multiple zero-day vulnerabilities in Cisco ASA VPN used to power critical infrastructure facilities. The campaign had been observed since November 2023. This notice intended primarily towards critical infrastructure businesses warned that while the entry vector in the campaign was unknown, the presence of at least one or more zero-day vulnerabilities potentially allowed external attackers under certain conditions to bypass authentication, intrude devices and and grant themselves administrative privileges. The notice shared several recommendations to protect against the attacks such as blocking access to services from insecure infrastructure such as anonymization services (VPN providers and Tor exit nodes) and VPS providers. Cisco released important security updates to address these vulnerabilities. The earlier notice also recommended that businesses switch from from the SSLVPN/clientless VPN product category to IPsec with IKEv2, due to the presence of critical vulnerabilities in such VPN products, regardless of the VPN provider. The NCSC recommends businesses in need of assistance to contact their sector CERT or MSSP. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Chicago Fire FC Data Breach: Exposed Fan Info? Here’s What’s at Risk!
Chicago Fire FC Data Breach: Exposed Fan Info? Here’s What’s at Risk!
Decoding the Chicago Fire FC Data Breach
According to the official press release, personal data that may have been accessed includes names, social security numbers, driver’s license and passport information, medical records (including Covid test results and injury reports), health insurance details, financial account information, and dates of birth. While there is no current indication of misuse, the club is taking proactive steps to address the Chicago Fire FC data breach. In response to the cyberattack on the football club, Chicago Fire FC has initiated several actions. These include providing affected individuals access to credit monitoring services through Cyberscout, a TransUnion company specializing in fraud assistance. Instructions for enrollment in these complimentary services have been made available, and affected individuals are encouraged to confirm eligibility by contacting the club. Individuals who believe they may have been affected but have not received notification are urged to reach out to Chicago Fire FC for assistance and to receive a credit monitoring code. Additionally, the club has reported the incident to law enforcement for further investigation.Mitigation Against the Chicago Fire FC Cyberattack
To safeguard against potential identity theft and fraud, affected individuals are advised to monitor their accounts and credit reports for any suspicious activity. They can obtain free credit reports annually from major credit reporting bureaus and are entitled to place fraud alerts or credit freezes on their accounts. For further information and support regarding identity theft and fraud prevention, individuals can contact the credit reporting bureaus, the Federal Trade Commission (FTC), or their state Attorney General. The FTC encourages victims of identity theft to file a complaint with them and provides resources for reporting instances of misuse. Chicago Fire FC emphasizes its commitment to data security and the protection of individuals' information. The club remains dedicated to maintaining trust and providing support to those affected by the cyberattack.Chicago Fire FC Offers Credit Monitoring Services
[caption id="attachment_68968" align="alignnone" width="1280"] Source: Chicago Fire FC[/caption] To enroll in the Credit Monitoring services provided by Chicago Fire FC at no charge, individuals are instructed to visit https://bfs.cyberscout.com/activate and follow the provided instructions. It's essential to enroll within 90 days from the date of the notification letter to receive the monitoring services. However, minors under 18 years of age may not be eligible for this service. During the enrollment process, individuals may need to verify personal information to confirm their identity for security purposes. It's strongly advised to monitor accounts and credit reports regularly to detect any suspicious activity or errors. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus: TransUnion, Experian, and Equifax. These reports can be ordered at www.annualcreditreport.com or by calling 1-877-322-8228. Upon receiving the report, individuals should carefully review it for any discrepancies, unauthorized accounts, or inquiries. Individuals also have the right to place a fraud alert on their credit file at no cost. This alert lasts for one year and requires businesses to verify the individual's identity before extending new credit. Victims of identity theft can request an extended fraud alert lasting seven years. Alternatively, individuals can opt for a "credit freeze," which restricts access to their credit report without their explicit authorization. While this prevents unauthorized access, it may also delay or interfere with legitimate credit applications. To request a fraud alert or credit freeze, individuals need to provide specific information to the three major credit reporting bureaus, including their full name, social security number, date of birth, address history, and proof of identity. Additionally, victims of identity theft should file a police report and notify law enforcement, their state Attorney General, and the Federal Trade Commission (FTC). Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Rockford Public Schools Restores Systems After Ransomware Attack
Systems Restored After Rockford Public Schools Ransomware Attack
On the morning of the incident, district leaders were alerted to computer system failures within the school district disrupting its phones and internet services. While it was initially suspected to be a vendor issue, it soon became clear that the district was struck by a ransomware attack after ransom notes were discovered on various printers. Superintendent Steve Matthews promptly ordered the shutdown of all network connections, including Wi-Fi, to contain the threat. He anticipated that it would take at least a couple of days for the district to return to normal operations. The official website of the school district displayed emergency phone numbers for various buildings within the school district during the time of the attack. [caption id="attachment_68941" align="alignnone" width="1768"] Source: rockfordschools.org[/caption] Despite the attack, there was no immediate threat to student safety. Classes continued as usual, albeit with a return to traditional, technology-free teaching methods. Superintendent Matthews reassured that security systems for school doors remained functional, and emergency cell phones were made available for parental contact. The FBI was also involved in the investigation, working alongside district staff to assess the extent of the breach. Superintendent Matthews acknowledged the initial challenge but noted that staff were quickly adjusting to the incident. Students reported a unique experience of engaging in learning without digital tools, while some found the situation disconcerting. Parents were informed about the situation through emergency communication channels. While some parents chose to pick up their children early, the overall response was one of cautious adaptation. Following the preventative measures, the public school district restored its computer systems 24 hours later, with the district superintendent stating that the incident had been isolated and contained. The school issued a letter to parents, indicating that says students and staff could resume using district-provided school equipment or their own personal devices.Expert Indicates Educational Institutes as Common Ransomware Target
Cybersecurity expert Greg Gogolin from Ferris State University noted in response to the incident, that school districts are common targets for ransomware attacks due to inadequate preventive measures and limited cybersecurity staff. Gogolin highlighted that the end of the school year is a particularly vulnerable time for such attacks, as the urgency to resolve the situation increases with grades due and other academic deadlines approaching. Affluent districts are particularly targeted due to attackers perceiving them as having more resources available. To mitigate such risks, Gogolin advises districts to invest in advanced email filtering while educating staff about phishing emails. Additionally, teachers and students should maintain backups of essential data, such as grades and assignments, outside of school networks. The return to the traditional schooling method following the Rockford Public Schools ransomware attack is reminiscent to an earlier incident affecting Cannes Hospital, which forced its staff to resort to pen-and-paper techniques to keep services running. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- US Charged North Korean Job Fraud Nexus Amassing Funds for Nuclear Program
US Charged North Korean Job Fraud Nexus Amassing Funds for Nuclear Program
“They also attempted - but failed - to gain similar employment at two U.S. government agencies,” the State Department said.In pursuit of running the job fraud scheme, Chapman and her co-conspirators took help of identity fraud. “They compromised more than 60 identities of (legitimate) U.S. persons, impacted more than 300 U.S. companies, caused false information to be conveyed to the Department of Homeland Security on more than 100 occasions, created false tax liabilities for more than 35 U.S. persons, and resulted in at least $6.8 million of revenue to be generated for the overseas IT workers,” the Justice Department said.
Chapman’s Role in Job Fraud
Chapman hosted a “laptop farm,” for the North Korean IT workers at her residence, so that the computers appeared to be located within the United States on a daily basis.“She also helped launder the proceeds from the scheme by receiving, processing, and distributing paychecks from the U.S. firms to these IT workers and others,” the State Department said.Chapman was arrested on Wednesday in her hometown in Arizona and faces a litany of counts including conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder monetary instruments, operating as an unlicensed money transmitting business, and unlawful employment of aliens.
Didenko, the Facilitator
The Justice department also named a Ukrainian national Oleksandr Didenko, 27, in the unsealed charges. Didenko allegedly run a multi-year scheme to create accounts at U.S.-based freelance IT job search platforms under false identities and sold these accounts to overseas IT workers. Remote workers used these false identities to apply for jobs with unsuspecting companies. To facilitate this fraudulent activity, Didenko hosted a website “UpWorkSell”, which advertised the ability for remote IT workers to buy or rent accounts on various platforms using identities other than their own. The complaint alleged that Didenko offered a full array of services to allow an individual to pose under a false identity and market themselves for remote IT work, and that he knew that some of his customers were North Korean. Didenko managed approximately 871 proxy identities, provided proxy accounts for three freelance IT hiring platforms and for three different money service transmitters, the complaint against Didenko said. Together with the co-conspirators, Didenko facilitated the operation of at least three U.S.-based “laptop farms,” hosting approximately 79 computers. The Justice Department said it raided four U.S. residences under Didenko’s control where he ran laptop farms. He also laundered $920,000 worth payments since July 2018 in the job fraud scheme. Didenko was arrested in Poland on May 7, and the State Department is seeking his extradition.The North Korean Trio
The three North Korean workers "are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs," the State Department said. The department said the workers tried to get hired at two unnamed U.S. government agencies but failed three separate times. Details about the three North Korean IT workers are scarce but the State Department released an image of Jiho Han on its Rewards for Justice platform where it also announced a bounty of up to $5 million for information on any of these North Korean IT workers that leads to the disruption of financial mechanisms of the people engaged. [caption id="attachment_68911" align="aligncenter" width="1024"] Credit: U.S. Department of State[/caption] The FBI also released an alert about North Korean IT workers and their scheme to defraud U.S. businesses and fund Pyongyang’s illicit activities.Targeting of Illicit IT Worker Activities
The latest announcement comes almost a year after the U.S. Treasury announced sanctions on four entities that employed thousands of North Korean IT workers that help illicitly finance the regime's missile and weapons of mass destruction programs. The treasury, at the time, said North Korea had scores of “highly skilled” IT workers around the globe who “generate revenue that contributes to its unlawful WMD and ballistic missile programs.” These individuals, who can earn up to $300,000 annually, “deliberately” obscure their identities, locations and nationalities, using proxy accounts, stolen identities and falsified or forged documentation to apply for jobs, the Treasury said. The 15-member United Nations Security Council has long prohibited North Korea from engaging in nuclear tests and ballistic missile launches. Since 2006, the country has been under stringent UN sanctions, continuously bolstered by the Council to sever financial support for its weapons of mass destruction (WMD) development endeavors. Yet, Pyongyang has amassed a staggering $3 billion funding for its nuclear program from cyberattacks particularly on cryptocurrency related companies. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Gone in 12 Seconds: Siblings Siphon $25M from Ethereum Blockchain
“This alleged scheme was novel and has never before been charged.”Through the Exploit, which is believed to be the very first of its kind, Peraire-Bueno brothers manipulated and tampered with the process and protocols by which transactions are validated and added to the Ethereum blockchain.
The MEV Conundrum from Ethereum Blockchain Exploit
According to the indictment, the Pepaire-Bueno brothers initiated their scheme in December 2022, targeting specific traders on the Ethereum platform through what investigators term a "baiting" operation. At the heart of the indictment lies the concept of MEV-Boost, a software tool utilized by Ethereum validators to optimize transaction processing and maximize profitability. MEV, or maximal extractable value, has long been a subject of controversy within the cryptocurrency community, with proponents arguing its economic necessity and critics highlighting its potential for abuse. They exploited a critical flaw in MEV-Boost's code, granting them unprecedented access to pending transactions before their official validation by Ethereum validators. Leveraging this loophole, the siblings embarked on a sophisticated campaign targeting specific traders utilizing MEV bots. The indictment elucidates the modus operandi employed by the accused duo. The brothers created 16 Ethereum validators and targeted three specific traders who operated MEV bots, the indictment said. By establishing their own Ethereum validators and deploying bait transactions, they enticed MEV bots from these traders for their illicit scheme. Subsequently, through a series of meticulously orchestrated maneuvers, including frontrunning and transaction tampering, they siphoned off $25 million of cryptocurrency from unsuspecting victims – all in just 12 seconds. Following the successful execution of their nefarious scheme, the brothers allegedly laundered the ill-gotten gains through a network of shell companies. Converting the stolen funds into more liquid cryptocurrencies such as DAI and USDC, they attempted to rebuff attempts of victims and Ethereum representatives to recover the stolen cryptocurrency. Following their arrest on Tuesday, the brothers are set to appear in federal courts in New York and Boston to face charges. If convicted the brothers face a maximum sentence of up to 20 years in prison for each count. Deputy Attorney General Lisa Monaco lauded the Justice Department’s prosecutors and IRS agents, “who unraveled this first-of-its kind wire fraud and money laundering scheme.”“As cryptocurrency markets continue to evolve, the Department will continue to root out fraud, support victims, and restore confidence to these markets.”
Cryptocurrency Heists and Convictions Growing Every Day
The news of the arrest comes on the heels of another crypto heist from Sonne Finance, the cryptocurrency lending protocol. The team at Sonne Finance is offering an undisclosed bounty to a hacker responsible for a $20 million theft on Tuesday evening. Sonne Finance facilitates lending and borrowing without intermediaries like banks. The theft, tracked by blockchain security companies, involved digital coins like ether and USDC. Developers paused all markets and later detailed the attack in a postmortem, offering a bounty for the return of funds. They detected the attack within 25 minutes, with some users preventing $6.5 million theft. The hacker has since been exchanging stolen cryptocurrency for bitcoin and others. Law enforcement focus on crypto theft has intensified in 2024, with notable convictions including a $110 million theft from Mango Markets resulting in up to 30 years in prison and sentences for individuals involved in crypto scams and market manipulation. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Beyond Borders: CISA Addresses the Global Influence on US Election Cybersecurity
Beyond Borders: CISA Addresses the Global Influence on US Election Cybersecurity
Potential Cyberattack on the US Election: A Pressing Concern!
https://www.youtube.com/watch?v=WphVoguvVd8 At the forefront of defending against this potential cyberattack on the US election is the Cybersecurity and Infrastructure Security Agency (CISA). In a recent update on foreign threats to the 2024 elections, CISA Director Jen Easterly outlined the agency's efforts to safeguard election infrastructure since its designation as critical infrastructure in 2017. "While our election infrastructure is more secure than ever, today’s threat environment is more complex than ever. And we are very clear eyed about this. As the DNI noted, our foreign adversaries remain a persistent threat to our elections, intent on undermining Americans’ confidence in the foundation of our democracy and sowing partisan discord, efforts which could be exacerbated by generative AI capabilities", said Jen Easterly. Despite these persistent threats, Easterly highlighted the successful conduct of secure federal elections in 2018, 2020, and 2022, with no evidence of vote tampering. However, Easterly cautioned against complacency, noting the complexity of ransomware groups/threat actors and their unconventional modus operandi. Moreover, foreign hackers remain intent on undermining confidence in U.S. democracy, compounded by the proliferation of generative AI capabilities. Moreover, Easterly highlighted the rise in large-scale attacks on US elections, targeting political leaders and other election officials — fueled by baseless claims of electoral fraud.CISA’s Plan To Bolster Cybersecurity in the Upcoming US Election
In response to these cyberattacks on the upcoming US elections, CISA has intensified its efforts, expanding its services and outreach to election stakeholders across the nation. From cybersecurity assessments to physical security evaluations and training sessions, CISA has been actively engaged in fortifying security in the upcoming election and its infrastructure. The agency has also ramped up efforts to combat disinformation, providing updated guidance and amplifying the voices of state and local election officials. Despite the political nature of elections, Easterly emphasized that election security remains apolitical. CISA remains steadfast in its commitment to preserving the integrity of the electoral process and looks to the support of leaders in this endeavor. As the nation prepares for future elections, bolstering cybersecurity measures and defending against foreign influence operations remain central priorities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Russian Hackers Used Two New Backdoors to Spy on European Foreign Ministry
Russian Hackers Used Two New Backdoors to Spy on European Foreign Ministry
LunarWeb Backd: Used to Navigate the Digital Terrain
LunarWeb backdoor stealthily infiltrates servers, establishing its foothold within the targeted infrastructure. Operating covertly, it communicates via HTTP(S) while mirroring legitimate traffic patterns to obfuscate its presence. Concealment is key in LunarWeb's playbook. For this the backdoor used steganography technique. This backdoor covertly embeds commands within innocuous images, effectively evading detection mechanisms. LunarWeb's loader, aptly named LunarLoader, showcases remarkable versatility, the researchers noted. Whether masquerading as trojanized open-source software or operating in standalone form, this entry point demonstrates the adaptability of the adversary's tactics.LunarMail: Used to Infiltrate Individual Workstations
LunarMail takes a different approach as compared to LunarWeb. It embeds itself within Outlook workstations. Leveraging the familiar environment of email communications, this backdoor carries out its spying activities remaining hidden amidst the daily deluge of digital correspondence that its victims receive on their workstations. [caption id="attachment_68881" align="aligncenter" width="1024"] LunarMail Operation (credit: ESET)[/caption] On first run, the LunarMail backdoor collects information on the environment variables, and email addresses of all outgoing email messages. It then communicates with the command and control server through the Outlook Messaging API to receive further instructions. LunarMail is capable of writing files, setting email addresses for C&C communication, create arbitrary processes and execute them, take screenshots and more. Similar to its counterpart, LunarMail harnesses the power of steganography albeit within the confines of email attachments. By concealing commands within image files, it perpetuates its covert communication channels undetected. LunarMail's integration with Outlook extends beyond mere infiltration. It manipulates email attachments, seamlessly embedding encrypted payloads within image files or PDF documents which facilitates unsuspicious data exfiltration.Initial Access and Discovery
The initial access vectors of the Turla hackers, though not definitively confirmed, point towards the exploitation of vulnerabilities or spearphishing campaigns. The abuse of Zabbix network monitoring software is also a potential avenue of compromise, the researchers said. The compromised entities were primarily affiliated with a European MFA, which meant the intrusion was of a strategic nature. The investigation first began with the detection of a loader decrypting and running a payload from an external file, on an unidentified server. This was a previously unknown backdoor, which the researchers named LunarWeb. A similar attack chain with LunarWeb was then found deployed at a diplomatic institution of a European MFA but with a second backdoor – named LunarMail. In another attack, researchers spotted simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other. “The attacker probably had prior access to the domain controller of the MFA and utilized it for lateral movement to machines of related institutions in the same network,” the researchers noted. The threat actors displayed varying degrees of sophistication in the compromises. The coding errors and different coding styles used to develop the backdoors suggested that “multiple individuals were likely involved in the development and operation of these tools.”Russian State Hackers Biggest Cyber Threat
Recently, Google-owned Mandiant in a detailed report stated with “high confidence” that Russian state-sponsored cyber threat activity poses the greatest risk to elections in regions with Russian interest including the European Union, the United Kingdom and the United States. Russia’s approach to election interference is multifaceted, blending cyber intrusion activities with information operations aimed at influencing public perceptions and sowing discord. Russian state-aligned cyber threat actors target election-related infrastructure for various reasons including applying pressure on foreign governments, amplifying issues aligned with Russia’s national interests, and retaliating against perceived adversaries. Groups like APT28 and UNC4057 conduct cyber espionage and information operations to achieve these objectives, Mandiant said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Josh Krueger of Project Hosts, Inc. Appointed to Federal Secure Cloud Advisory Committee
Josh Krueger of Project Hosts, Inc. Appointed to Federal Secure Cloud Advisory Committee
FSCAC Appointment Includes New Chair and Three Members
Along with Josh Krueger's appointment, Lawrence Hale, the deputy assistant commissioner within the Office of Information Technology Category Management for GSA's Federal Acquisition Service, will serve as the new chair of the FSCAC. In this capacity, Hale will act as a liaison and spokesperson for the committee's work products, in addition to his oversight responsibilities. Josh Krueger, and Kayla Underkoffler, the lead security technologist of HackerOne, will fill the vacant seats. Krueger's term will run through July 9, 2026, while Underkoffler's term will end on May 14, 2025. Carlton Harris, the senior vice president of End to End Solutions, has been appointed as the third new member of the FSCAC, with a three-year term ending on May 14, 2027. While not among the recent appointees, Michael Vacirca, a senior engineering manager at Google, has been reappointed to the federal panel for a full three-year term after serving for one year. His term will conclude on May 14, 2027. As an appointed Representative Member of the FSCAC, Mr. Josh Krueger is expected to bring unique perspectives towards the delivery of FedRAMP's Compliance-as-a-Service solutions. The role at the committee will involve representing the needs and viewpoints of businesses both small and large in the cloud-computing industry, and ensuring their interests are considered in the federal discussions and strategies around cloud adoption.Responsibilities of the Federal Secure Cloud Advisory Committee
The FSCAC was formed by the General Services Administration in February 2023, in compliance with the FedRAMP Authorization Act of 2022, which is part of the National Defense Authorization Act for fiscal year 2023. The committee's primary responsibilities include advising and providing recommendations to the GSA Administrator, the FedRAMP Board, and various agencies on technical, financial, programmatic, and operational matters related to the secure and effective adoption of cloud computing products and services across different sectors. The committee also plays a significant role in examining the operations of FedRAMP, seeking ways to continually improve authorization processes, and collecting information and feedback on agency compliance with the implementation of FedRAMP requirements. Additionally, the FSCAC serves as a forum for communication and collaboration among all stakeholders within the FedRAMP community. The FSCAC will hold an open meeting on May 20th to discuss its next priorities, which are expected to further enhance the security and adoption of cloud computing solutions across the federal government. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- A New WiFi Vulnerability in IEEE 802.11 Standard Protocol Leads to SSID Confusion Attack
A New WiFi Vulnerability in IEEE 802.11 Standard Protocol Leads to SSID Confusion Attack
New IEEE 802.11 Standard WiFi Vulnerability Links to SSID Confusion Attack
According to security researcher Mathy Vanhoef, the IEEE 802.11 standard WiFi vulnerability is set to be presented at the WiSec ’24 conference in Seoul, sheds light on the inner workings of the SSID confusion Attack, highlighting its potential impact on enterprise, mesh, and home WiFi networks. At the core of this WiFi vulnerability lies a fundamental flaw in the IEEE 802.11 standard, which fails to enforce authentication of network names (SSIDs) during the connection process. This oversight paves the way for attackers to lure unsuspecting victims onto less secure networks by spoofing legitimate SSIDs, leaving them vulnerable to cyberattacks. The SSID confusion attack targets WiFi clients across diverse platforms and operating systems. From home users to corporate networks, no device using the IEEE 802.11 standard WiFi protocol is immune to these attacksIEEE 802.11 Standard Vulnerability Even Targets Virtual Private Networks (VPNs)
The collaboration between Top10VPN and Vanhoef shares insights into the inner workings on the vulnerability, touted as projection of online privacy and security, are not impervious to this threat, with certain clients susceptible to automatic disablement when connected to "trusted" WiFi networks. Universities, often hotbeds of network activity, emerge as prime targets for exploitation due to prevalent credential reuse practices among staff and students. Institutions in the UK, US, and beyond have been identified as potential breeding grounds for SSID Confusion Attacks, highlighting the urgent need for proactive security measures, said Top10VPN. To defend against this insidious threat, concerted efforts are required at multiple levels. From protocol enhancements mandating SSID authentication to client-side improvements for better protection, the SID confusion attack is still an ongoing issue. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- GhostSec Announces Shift in Operations from Ransomware to Hacktivism
GhostSec Announces Shift in Operations from Ransomware to Hacktivism
GhostSec Will Transfer Existing Ransomware Clients to Stormous
In an announcement made on its Telegram channel, the GhostSec group stated that they had gathered sufficient funds from their ransomware operations to support other activities moving forward. Rather than completely abandoning their previous work, this transition includes transferring existing clients to the new Stormous locker by Stormous, a partner organization to whom they will also share the source code of the V3 Ghostlocker ransomware strain. [caption id="attachment_68783" align="alignnone" width="483"] Source: GhostSec Telegram Channel[/caption] They claim that these efforts will ensure a smooth transition to Stormous' services, while avoiding the exit scams or disruption risks typically associated with ransomware exits. Stormous will also take over GhostSec's associates within the Five Families collective, which previously consisted of GhostSec, ThreatSec, Stormous, BlackForums, and SiegedSec. While GhostSec will halt some of its earlier services, the group intends to maintain its private channel and chat room. The group announced a discount offer starting today and lasting until May 23rd for lifetime access to its private channel and chat room, reducing the price from $400 to $250. The group also suggested the possibility of offering a hacking course, although they are still debating the details.GhostSec Returns to Hacktivism
The announcement expressed GhostSec's intentions to focus solely on hacktivism, a form of activism that employs hacking to promote social or politically driven agendas. GhostSec had a record of intense hacktivist operations and campaigns such as their successful efforts back in 2015 to taken down hundreds of ISIS-associated websites or social media accounts, reportedly halting potential terrorist attacks. The group used social media hashtags like #GhostSec, #GhostSecurity, or #OpISIS to promote their activities and participate in hacktivist initiatives against the terrorist group. GhostSec also promoted a project ("New Blood") to assist newcomers in picking up hacking skills to participate in their campaigns and provided resources to assist activists in anonymizing their identities such as WeFreeInternet, a project that sought to offer free VPN facilities to Iranian activists. The group had stated its intent to expand the project to support activists in similar circumstances who found their internet to be restricted by the governments worldwide. The official GhostSec Telegram channel where the announcement took place had been created on October 25, 2020, and the group is known to utilize its social media handles on various websites to promote its activities. It is important to note that the group's decision to depart from the cybercrime scene does not necessarily imply a shift towards more ethical practices. Furthermore, the group's involvement in financially motivated cybercrimes raises questions about their true motivations and the potential for their hacktivism to be used for personal gain or dubious political agenda rather than genuine social change. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- MediSecure Data Breach Confirms Impact on Personal and Health Information of Individuals
MediSecure Data Breach Confirms Impact on Personal and Health Information of Individuals
Government Response to MediSecure Data Breach
Authorities, including the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP), are actively engaged in probing the MediSecure data breach. However, details remain scarce as investigators navigate the complexities of the incident. The absence of a known threat actor claiming responsibility further complicates the situation, heightening concerns about the sophistication of cyber threats targeting the healthcare sector. Cyber Security Minister Clare O’Neil said the government was commited to address the breach, convening a National Coordination Mechanism to coordinate efforts and mitigate the breach's impact effectively. “I have been briefed on this incident in recent days, and the government convened a National Coordination Mechanism regarding this matter today,” Minister O’Neil said in a LinkedIn post.“Speculation at this stage risks undermining significant work underway to support the company's response,” O'Neil added.The Shadow Home Affairs and Cyber Security Minister James Paterson told Sky News in an interview that the latest breach was a reminder of the currently “dangerous” cyber threat landscape, especially for the health sector. Paterson said healthcare is a lucrative sector both for cybercriminals and nation-state actors.
“Criminal actors like to use it for ransomware because the health sector is often vulnerable to those targets, and sometimes they do pay. And nation state backed actors use it as an opportunity to gather intelligence and information about us,” Paterson explained.Australia has been hit in the past few years by some of the largest data breaches in the form of Medibank and Optus data breaches, that impacted millions across Australia. The scope of the current breach is reportedly unlike the earlier ones, but it is still some of the most personally and privately significant information that exists about a person, Paterson said. “This is very distressing for Australians when it is released publicly. And it is important that the federal government get on top of this straight away and do whatever they can to stop the proliferation of this information online,” he added. MediSecure has taken proactive measures, including taking its website offline, as it works to contain the breach's fallout. In a statement, the company acknowledged the incident and stated, “We have taken immediate steps to mitigate any potential impact on our systems. While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors”, reads the statement. The Cyber Express has reached out to MediSecure to learn more about this data breach. However, at the time of writing this, no official statement or response has been shared. The organization did share a statement on its website, stating “MediSecure understands the importance of transparency and will provide further updates via our website as soon as more information becomes available. We appreciate your patience and understanding during this time.”
Cyberattacks on the Healthcare Sector
This cyberattack on MediSecure echoes previous breaches in Australia's healthcare sector, including the 2022 data breach involving Medibank, which compromised the personal data of millions of Australians. In 2023, healthcare organizations globally faced an unprecedented wave of cyberattacks, affecting over 116 million individuals in the US alone, more than double the previous year's count. Notable incidents include data breaches at Delta Dental of California, Fred Hutch Cancer Center, Norton Healthcare, and HCA Healthcare, among others. German hospitals also fell victim to ransomware attacks, disrupting medical services. The European Union Agency for Cybersecurity reported that the majority of attacks targeted healthcare providers, with financial motives driving 83% of incidents. India witnessed a surge in cybercrime, with significant financial losses and high-profile attacks during the G20 summit. The recurrence of such incidents highlights the persistent cybersecurity vulnerabilities plaguing the healthcare industry, necessitating comprehensive strategies to fortify defenses against evolving cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Nissan Cybersecurity Incident Update: 53,000 Employees Affected
Nissan Data Breach Update: 53,000 Employees Affected
Upon discovering the Nissan data breach, the Japanese automaker notified law enforcement and engaged cybersecurity experts to contain and neutralize the threat. The company also conducted an internal investigation, informing employees during a town hall meeting held in December 2023, a month after the Nissan cyberattack. To mitigate potential harm, Nissan is offering complimentary identity theft protection services for two years to those impacted by the breach. The company's positive response to safeguarding employee privacy is highlighted by these proactive measures. The official communication emphasized Nissan's dedication to reinforcing its security infrastructure and practices. Following the incident, the company has implemented additional security measures and enlisted cybersecurity specialists to conduct a thorough review, ensuring enhanced protection against future threats. Despite the Nissan breach, the automotive maker has not detected any instances of fraud or identity theft resulting from the incident. Nonetheless, as a precautionary measure, affected individuals are urged to take advantage of the complimentary credit monitoring services provided by Experian IdentityWorks.No Identity Fraud Detected
“This is in addition to the employee benefit you may have elected with Nissan. These complimentary credit services are being provided to you for 24 months from the date of enrollment. Finally, Nissan is providing you with proactive fraud assistance to help with any questions you might have or if you become a victim of fraud. These services are provided by Experian, a company specializing in fraud assistance and remediation services”, said Nissan. To activate the identity protection service, recipients are instructed to enroll by a specified deadline and utilize the provided activation code. Additionally, individuals are encouraged to remain vigilant against potential fraud by monitoring their credit reports and promptly reporting any suspicious activity. Recipients are assured of assistance for 90 days from the letter's date in enrolling for the complimentary credit monitoring services. They are encouraged to contact the dedicated helpline at 833-931-6266, with the engagement number B120412 ready for reference. Nissan highlights its commitment to employee welfare and the seriousness with which it regards the protection of personal information, expressing regret for any inconvenience caused by the incident. The letter concludes with signatures from Leon Martinez, Vice President of Human Resources, and William Orange, Vice President of IS/IT and Chief Information Officer. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- UK NCSC to Defend ‘High-Risk’ Political Candidates from Cyberattacks
UK NCSC to Defend ‘High-Risk’ Political Candidates from Cyberattacks
Cyber Threats Targeting Political Candidates
The Personal Internet Protection service is part of a broader effort by the UK government to enhance cyber support for individuals and organizations crucial to the democratic process, especially considering recent attempts by Russian and Chinese state-affiliated actors to disrupt UK's government and political institutions as well as individuals. While the Russian intelligence services had attempted to use cyberattacks to target prominent persons and organizations in the UK for meddling in the electoral processes, China is likely seen targeting various government agencies including the Ministry of Defence (MoD), whose payroll system was recently breached. Although both, Moscow and Beijing have rejected the use of hacking for political purposes, the relations between them remain strained over these allegations. Jonathon Ellison, NCSC Director for National Resilience and Future Technology, noted the importance of protecting individuals involved in democracy from cyber threats, highlighting the attractiveness of their personal accounts to espionage operations.“Individuals who play important roles in our democracy are an attractive target for cyber actors seeking to disrupt or otherwise undermine our open and free society. That’s why the NCSC has ramped up our support for people at higher risk of being targeted online to ensure they can better protect their accounts and devices from attacks,” Ellison said.Ahead of the major election year where more than 50 countries around the world cast their vote, Ellison urged individuals eligible for the Personal Internet Protection services to sign up and to follow their guidance to bolster defenses against various cyber threats. The initiative also extends support to civil society groups facing a heightened risk of cyber threats. A new guide, "Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society," which offers practical advice for individuals such as elected officials, journalists, activists, academics, lawyers and dissidents was released on Tuesday. This guide, developed by the U.S. Cybersecurity and Infrastructure Security Agency in collaboration with international partners, aims to empower high-risk civil society communities with limited resources to combat cyber threats effectively. These include customized risk assessment tools, helplines for digital emergencies and free or discounted cybersecurity services tailored to the needs of civil society organizations. The launch of the Personal Internet Protection service and the release of the guidance for civil society mark significant steps in bolstering the cybersecurity posture of individuals and organizations critical to the democratic process. By enhancing protection against cyber threats, the UK aims to safeguard the integrity of its democracy and promote collective resilience against global threats to democracy. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Tornado Cash Co-Founder Gets Over 5 Years for Laundering $1.2Bn
“Tornado Cash does not pose any barrier for people with criminal assets who want to launder them. That is why the court regards the defendant guilty of the money laundering activities as charged.”Tornado Cash functioned as a decentralized cryptocurrency mixer, also known as a tumbler, allowing users to obscure the blockchain transaction trail by mixing illegally and legitimately obtained funds, making it an appealing option for adversaries seeking to cover their illicit money links. Tornado Cash laundered $1.2 billion worth of cryptocurrency stolen through at least 36 hacks including the theft of $625 million from the Axie Infinity hack in March 2022 by North Korea’s Lazarus Group hackers. The Court used certain undisclosed parameters in selecting these hacks due to which only 36 of them were taken into consideration. Without these parameters, more than $2.2 billion worth of illicit proceeds from Ether cryptocurrency were likely laundered. The Court also did not rule out the possibility of Tornado Cash laundering cryptocurrency derived from other crimes. The Court further described Tornado Cash as combining “maximum anonymity and optimal concealment techniques” without incorporating provisions to “make identification, control or investigation possible.” It failed to implement Know Your Customer (KYC) or anti-money laundering (AML) programs as mandated by U.S. federal law and was not registered with the U.S. Financial Crimes Enforcement Network (FinCEN) as a money-transmitting entity. "Tornado Cash is not a legitimate tool that has unintentionally been abused by criminals," it concluded. "The defendant and his co-perpetrators developed the tool in such a manner that it automatically performs the concealment acts that are needed for money laundering." In addition to the prison term, Pertsev was ordered to forfeit cryptocurrency assets valued at €1.9 million (approximately $2.05 million) and a Porsche car previously seized.
Other Tornado Cash Co-Founders Face Trials Too
A year after Pertsev’s arrest, the U.S. Department of Justice unsealed an indictment where the two other co-founders, Roman Storm and Roman Semenov, were charged with conspiracy to commit money laundering, conspiracy to operate an unlicensed money-transmitting business and conspiracy to violate the International Emergency Economic Powers Act. Storm goes to trial in the Southern District of New York later in September, while Semenov remains at large. The case has drawn a debate amongst two sides – privacy advocates and the governments. Privacy advocates argue against the criminalization of anonymity tools like Tornado Cash as it gives users a right to avoid financial surveillance, while governments took a firm stance against unregulated offerings susceptible to exploitation by bad actors for illicit purposes. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- DragonForce Cyberattack Strikes Again: Malone & Co and Watt Carmicheal Added as Victims
DragonForce Cyberattack Strikes Again: Malone & Co and Watt Carmicheal Added as Victims
DragonForce Cyberattack Targets Two New Victims
The Cyber Express has reached out to both organizations to learn more about this alleged DragonForce cyberattack. However, at the time of writing this, no official statement or response has been shared, leaving the claims for the DragonForce ransomware attack unverified. [caption id="attachment_68487" align="alignnone" width="355"] Source: X[/caption] Interestingly, both victims' websites remain operational, showing no immediate signs of the cyberattacks. This discrepancy adds another layer of mystery to the unfolding situation. Moreover, along with the cyberattack post, the DragonForce ransomware group stated that it had access to 15.34 GB of data associated with Malone & Co. The hacker group has shared a deadline of 16 days before the data gets published. [caption id="attachment_68490" align="alignnone" width="353"] Source: X[/caption] As for the second alleged victim, Watt Carmicheal, the hacker group claims access to 27.3 GB of data, and no ransom deadline was shared. The threat actor, DragonForce, has used the same modus operandi to target similar victims in the past.Who is the DragonForce Ransomware Group?
DragonForce, a hacktivist group hailing from Malaysia, is infamous for its relentless cyberattacks on government institutions and commercial entities, primarily in India. Their targets extend beyond geographical borders, with a particular focus on websites affiliated with Israel while advocating for pro-Palestinian causes. Utilizing a variety of tactics such as defacement attacks, distributed denial-of-service (DDoS) attacks, and data leaks, DragonForce demonstrates a high level of adaptability and sophistication in their operations. This versatility has enabled them to evolve their strategies over time, staying one step ahead of their adversaries. Embracing their role as vigilantes for the people, DragonForce Malaysia boldly proclaims its mission on various online platforms, including social media giants like Facebook, YouTube, and X (formerly Twitter). Through these channels, they amplify their voice, connecting with like-minded individuals and fostering a sense of community among Malaysian cybersecurity enthusiasts. Central to DragonForce's ideology is their staunch advocacy for the Palestinian cause. Their actions speak volumes, from high-profile hacks targeting Israeli networks to broadcasting messages of solidarity through unconventional mediums like TikTok. Despite their formidable capabilities, DragonForce does not operate in isolation. Collaborative efforts with other local hacker threat groups have been reported, highlighting the interconnected nature of the hacktivist groups. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Banco Santander Confirms Data Breach, Assures Customers’ Transactions Remain Secure
Banco Santander Confirms Data Breach, Assures Customers’ Transactions Remain Secure
Customer and Employee Data Compromised in Santander Data Breach
The bank reported that upon becoming aware of the data breach, it had immediately implemented measures to contain the incident, such as blocking access to its database from the compromised source as well as establishing additional fraud prevention mechanisms to protect impacted customers and affected parties. After conducting an investigation, the bank had determined that the leaked information stemmed from a thid-party database and consisted of details of customers from Santander Chile, Spain and Uruguay regions along with some data on some current and former Santander employees. Despite the third-party database breach, customer data from Santander markets and businesses operating in different regions were not affected. [caption id="attachment_68444" align="alignnone" width="2422"] Source: santander.com[/caption] The bank apologized for the incident and acknowledged concerns arising from the data breach, taking action to directly notify the affected customers and employees. The security team also informed regulators and law enforcement of the incident details, stating that the bank would continue to work with them during the investigation. Santander assured its customers that no transactional data, nor transaction-facilitating credentials such as banking details and passwords were contained in the database. The statement reported that neither the bank's operations nor systems were affected, and that customers could continue with secure transaction operations. Along with the official statement in response to the data breach, the bank had provided additional advice on its site on dealing with the data breach:
- Santander will never ask you for codes, OTPs or passwords.
- Always verify information your receive and contact us through official bank channels.
- If you receive any suspicious message, email or SMS report it to your bank directly or by contacting reportphishing@gruposantander.com.
- Never access your online banking via links from suspicious emails or unsolicited emails.
- Never ignore security notifications or alerts from Santander related to your accounts.
Financial and Banking Sector Hit By Data Breaches
Increased cyber threats or third-party database exposure as in the Santander data breach pose serious concerns for stability within the financial and banking. The International Monetary Fund noted in a blog post last months that these incidents could erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions. In March, the European Central Bank instructed banks within the European region to implement stronger measures in anticipation of cyber attacks. Earlier, the body had stated that it would conduct a resilience stest on at least 109 of its directly supervised banks in 2024. The initiatives come as part of broader concern about the security of European banks. Last year, data from the Deutsche Bank AG, Commerzbank AG and ING Groep NV were compromised after the CL0P ransomware group had exploited a security vulnerability in the MOVEit file transfer tool. The European Central Bank's site states that its banking supervisors rely on the stress tests to gather information on and assess how well the banks would able to cope, respond to and recover from a cyberattack, rather than just their ability to prevent attacks. The response and recovery assessments are described to include the activation of emergency procedures and contingency plans as well as the restoration of usual operations. The site states that these test results would then be used to aid supervisors in identifying weaknesses to be discussed in dialogue with the banks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- CISA, FBI, and DHS Releases Cybersecurity Blueprint for Civil Society
CISA, FBI, and DHS Releases Cybersecurity Blueprint for Civil Society
CISA, FBI, and DHS Collaborate to Support Cybersecurity for Civil Society
Civil society organizations play a crucial role in upholding democratic values, making them prime targets for malicious cyber activities orchestrated by state-sponsored actors. These threats, often originating from countries like Russia, China, Iran, and North Korea, include sophisticated tactics such as social engineering and spyware deployment. The security guide emphasizes proactive measures and best practices tailored to the unique challenges faced by civil society entities. Recommendations include regular software updates, the adoption of phishing-resistant multi-factor authentication, and the implementation of the principle of least privilege to minimize vulnerabilities. Furthermore, the guide stresses the importance of cybersecurity training, vendor selection diligence, and the development of incident response plans. It also guides individual members of civil society, advising on password security, privacy protection, and awareness of social engineering tactics. The release of this security guidance highlights a broader effort to empower high-risk communities with the knowledge and tools needed to safeguard against cyber threats. International collaboration, as evidenced by partnerships with entities from Canada, Estonia, Japan, and the United Kingdom, further enhances the effectiveness of these initiatives. John Scott-Railton, senior researcher at CitizenLab, emphasized the need for cybersecurity for civil societies on X (previously Twitter). Talking about this new initiative, John stated, “Historically law enforcement & governments in democracies have been achingly slow to recognize this issue and help out groups in need.” Despite some exceptions, the lack of prioritization has resulted in damages, including missed opportunities for accountability and diminished trust. “That's why I'm glad to see this @CISAgov & UK-led joint initiative come to fruition”, added John.Aiming for Better Protection Against Cyber Threats
Government agencies and cybersecurity organizations worldwide have joined forces to support civil society against online threats. For instance, the FBI, in conjunction with its partners, aims to equip organizations with the capacity to defend against cyber intrusions, ensuring that entities dedicated to human rights and democracy can operate securely. "The FBI and its partners are putting out this guidance so that civil society organizations have the capacity to mitigate the threats that they face in the cyber realm,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. Similarly, international partners like Japan's National Center of Incident Readiness and Strategy for Cybersecurity and Estonia's State Information Authority stress the importance of collective action in addressing global cyber threats. These collaborations reflect a shared commitment to bolstering cybersecurity resilience on a global scale. The guide also provides valuable insights into the tactics and techniques employed by state-sponsored actors, enabling organizations to make informed decisions regarding cybersecurity investments and resource allocation. In addition to the guidance document, a range of resources and tools are available to assist high-risk communities in enhancing their cyber defenses. These include customized risk assessment tools, helplines for digital emergencies, and free or discounted cybersecurity services tailored to the needs of civil society organizations. By leveraging these resources and fostering international cooperation, civil society can better defend against cyber threats and continue their vital work in promoting democracy, human rights, and social justice. Through collective efforts and ongoing collaboration, the global community can build a more resilient and secure cyber environment for all. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Microsoft Addresses Zero-Day Vulnerability Exploited by QakBot Malware
Microsoft Addresses Zero-Day Vulnerability Exploited by QakBot Malware
“These types of bugs are usually combined with a code execution bug to take over a target and are often used by ransomware (actors),” said Dustin Childs of the Zero Day Initiative.Introduced in Windows Vista, the Desktop Window Manager (dwm.exe) is a compositing window manager that renders all GUI effects in Windows like transparent windows, live taskbar thumbnails, Flip3D, and even high-resolution monitor support. Applications do not draw directly on the screen. Instead, they write their window images to a specific spot in memory. Windows then combines and creates a “composite” of all these windows into one view before sending it to the monitor. This allows Windows to add effects like transparency and animations while displaying the windows. Kaspersky researchers uncovered this vulnerability while investigating another Windows DWM Core Library privilege escalation bug tracked as CVE-2023-36033, also exploited as a zero-day in attacks. While analyzing data related to recent exploits and associated attacks, Kaspersky researchers discovered an intriguing file uploaded to VirusTotal on April 1. The file's name hinted that it contained details on a Windows vulnerability. The file had information regarding a Windows DWM vulnerability – written in broken English - that could be exploited to escalate privileges to SYSTEM level, with the exploitation process nearly mirroring the one used in CVE-2023-36033 attacks, “but the vulnerability was different,” researchers said. Initially skeptical due to the document's quality and lack of crucial details on exploiting the vulnerability, further investigation confirmed the legitimacy of another zero-day vulnerability capable of privilege escalation. Kaspersky promptly reported it to Microsoft, leading to its designation as CVE-2024-30051 and subsequent patching in this month’s Patch Tuesday.
Zero-Day Exploited by QakBot
Following the reporting to Microsoft, Kaspersky continued monitoring for exploits and attacks leveraging this flaw.“In mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with QakBot and other malware and believe that multiple threat actors have access to it,” Kaspersky said.Security researchers at Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google-owned Mandiant also reported the zero-day to Microsoft, pointing to likely widespread exploitation in malware attacks, Childs said.
“Don’t wait to test and deploy this update as exploits are likely to increase now that a patch is available to reverse engineer,” said Childs.The U.S. Cybersecurity and Infrastructure Security Agency also added CVE-2024-30051 to its Known Exploited Vulnerabilities catalog and directed all federal agencies to complete the patching process by June 4. Kaspersky plans to disclose technical specifics of CVE-2024-30051 once users have had adequate time to update their Windows systems.
QakBot’s Journey from Banking Trojan to Initial Access Broker
QakBot, also known as Qbot, emerged as a banking trojan in 2008 and was used to steal credentials, website cookies, and credit cards to commit financial fraud. QakBot operators evolved over the years into initial access brokers, partnering with other threat groups to provide initial access to enterprise and home networks for ransomware attacks, espionage, and data theft. QakBot’s infrastructure was taken down in August 2023 following a multinational law enforcement operation spearheaded by the FBI and known as “Operation Duck Hunt.” But Microsoft identified the resurgence of QakBot in phishing campaigns targeting the hospitality industry in December. Law enforcement linked QakBot infections to 700,000 victim computers which included ransomware attacks targeting businesses, healthcare providers, and government agencies worldwide, which according to conservative estimates caused hundreds of millions of dollars in damage. Throughout the years, Qakbot served as an initial infection vector for various ransomware gangs and their affiliates, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and most recently Black Basta.Another Zero-Day Fix
Microsoft patched 59 CVEs in its May 2024 Patch Tuesday release, with one rated “critical,” 57 rated as “important” and one rated as “moderate.” The patch also contains a fix for another zero-day flaw other that the one exploited by QakBot. The other bug, tracked as CVE-2024-30040, is rated "important" on the CVSS scale and is a Windows MSHTML platform security feature bypass vulnerability. MSHTML is a proprietary browser engine for the Microsoft Windows version of Internet Explorer.“This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls,” Microsoft said.A hacker who socially-engineers a victim into opening a malicious document would be able to execute arbitrary code by passing OLE mitigations in the Microsoft suite of office applications. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
- Cybersecurity News and Magazine
- Chrome Vulnerability Alert: Google’s Rapid Response to 6th Zero-Day Exploit
Chrome Vulnerability Alert: Google’s Rapid Response to 6th Zero-Day Exploit
Decoding the New Google Chrome Vulnerability
Specifically, the flaw involves an out-of-bounds write problem, a type of issue where a program oversteps its designated memory boundaries, potentially leading to unauthorized data access or even arbitrary code execution. Google acted promptly upon becoming aware of the exploit, rolling out updates to address the vulnerability across different platforms, including Mac, Windows, and Linux. While the fix is being progressively deployed to users worldwide, those keen on ensuring their safety can manually check for updates by navigating to Settings > About Chrome and initiating the update process. This Chrome vulnerability follows closely on the heels of another zero-day exploit, CVE-2024-4671, which Google addressed just days prior. This recurrent pattern highlights the shift in vulnerability management where the most secure products are facing crises due to active exploitation by ransomware groups and dark web actors.Multiple Zero-day Chrome Vulnerabilities
Notably, Google has refrained from divulging specific details regarding the exploits, a common practice aimed at preventing further exploitation until a majority of users have applied the necessary patches. Despite the lack of explicit details, the severity of these Google Chrome vulnerabilities is apparent, with Google's designation of an "emergency patch" signaling the urgency of the matter. The string of zero-day vulnerabilities identified in 2024 highlights the persistent efforts of threat actors to exploit weaknesses in popular software like Google Chrome. From out-of-bounds memory access to use-after-free issues, these vulnerabilities represent various avenues through which attackers can compromise user security. Several critical vulnerabilities have been identified in Google Chrome throughout the year 2024. These include CVE-2024-0519, an out-of-bounds memory access issue in the Chrome JavaScript engine discovered in January. In March, CVE-2024-2887, a type confusion flaw in WebAssembly, was demonstrated by Manfred Paul during Pwn2Own 2024, alongside CVE-2024-2886, a use-after-free problem in WebCodecs, highlighted by Seunghyun Lee. Additionally, CVE-2024-3159, another out-of-bounds memory access flaw in the V8 JavaScript engine, was showcased by Edouard Bochin and Tao Yan of Palo Alto Networks during the same event. Finally, in May, CVE-2024-4671, a use-after-free issue within the Visuals component, was uncovered, further emphasizing the ongoing challenges in securing the Chrome browser against various vulnerabilities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.SideCopy APT Campaign Found Targeting Indian Universities
Technical Analysis of the SideCopy Campaign Infection Chain
In early May, CRIL identified a malicious domain employed by the SideCopy group in their operations. The website was discovered hosting a ZIP archive file named "files.zip" that contained sub-directories labeled as "economy," "it," and "survey." The survey directory included files similar to those previously employed by SideCopy in their earlier campaigns. [caption id="attachment_68383" align="alignnone" width="1228"] Source: Cyble[/caption] The campaign likely employs spam emails to distribute the malicious ZIP archive hosted through the compromised website as the initial infection vector. These archives contain malicious LNK files disguised as legitimate documents, such as "IT Trends.docx.lnk." Upon execution, the LNK files trigger a series of commands that proceeds to download and execute a malicious HTA file. The downloaded HTA files contain embedded payloads within additional lure documents and DLL files. The lure documents are typically themed around current affairs or relevant academic topics to appear legitimate to the targeted demographic. [caption id="attachment_68384" align="alignnone" width="604"] Source: Cyble Blog[/caption] [caption id="attachment_68385" align="alignnone" width="894"] Source: Cyble Blog[/caption] The malware is crafted with the functionality to adopt to the presence of different antivirus software such as Avast, Kaspersky and Bitdefender, which further amplifies its ability to evade detection and ensure persistence by placing the LNK shortcut files in the startup folder. The attack process ultimately leads to the deployment of malicious payloads such as Reverse RAT and Action RAT on to the victim system, which then connect to a remote Command-and-Control (C&C) server to commence malicious activities.Intersection with Transparent Tribe Activities
The research further suggests a potential overlap or collaboration between SideCopy and Transparent Tribe, another APT group known for targeting Indian military and academic institutions. This intersection hints at a possible collaborative efforts or shared objectives between the two groups with researchers previously noting that SideCopy may function as a sub-division of Transparent Tribe. SideCopy is also known to emulate tactics of the Sidewinder APT group in the distribute of malware files, such as the use of disguised LNK files to initiate a complex chain of infections. CRIL researchers have advised the use of strong email filtering systems, exercise of caution, the deployment of network-level monitoring and the disabling of scripting languages such as PowerShell, MSHTA, cmd.exe to prevent against this potential threat. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Cybersecurity Alert: Frotcom International Faces Alleged Data Breach
Cybersecurity Alert: Frotcom International Faces Alleged Data Breach
Alleged Frotcom Data Breach Surfaces on Dark Web
DuckyMummy's post on the forum detailed the extent of the Frotcom data breach, indicating access to internal systems across more than 40 countries and over 5,000 companies. The compromised data encompassed a wealth of information crucial to Frotcom's operations, from GPS tracking data to customer billing information. [caption id="attachment_68365" align="alignnone" width="1732"] Source: Dark Web[/caption] As proof of their claims, the threat actor shared sample records showcasing live GPS vehicle information sorted by country and offered the compromised database for sale at a staggering price of USD 5,000.“These days I have breached the company security, and I have dumped all information and got access to all internal systems of the company, more than 40 countries, more than 5,000 COMPANIES !”, stated the hacker.The Cyber Express has reached out to Frotcom for official confirmation and further details regarding the breach. However, as of the time of writing, no official statement or response has been received, leaving the claims surrounding the Frotcom data leak unverified.
Cyberattacks on Freight Companies
The Frotcom data leak is not an isolated event and is a reminder of the growing threats faced by the transportation sector in an increasingly digitized world. With transportation systems becoming more reliant on interconnected digital technologies, they have become lucrative targets for cyber threat actors seeking to disrupt operations, extort sensitive data, or inflict financial harm. The ramifications of cyberattacks on transportation infrastructure are profound, ranging from supply chain disruptions to the compromise of sensitive passenger data. Recent incidents such as the ransomware attack on Japan's Port of Nagoya, which halted operations for two days, highlight the real-world impact of such breaches on global trade and commerce. Moreover, the nature of cyber threats poses a significant challenge to the transportation sector. Attack vectors are becoming increasingly diversified, with intrusions often originating from third-party supply chain partners or software vendors. Additionally, the rise of politically motivated threat actors further complicates the domain, as evidenced by the DDoS attacks on US airports claimed by Russian-speaking hackers. Looking back at historical events, cyber incidents targeting transportation infrastructure have resulted in widespread disruption and societal harm. From DDoS attacks on Czech railways and airports to ransomware incidents affecting Italian State Railways, these incidents highlight the vulnerability of transportation systems to malicious cyber activity. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Cybersecurity Concerns Surround ChatGPT 4o’s Launch; Open AI Assures Beefed up Safety Measure
Cybersecurity Concerns Surround ChatGPT 4o’s Launch; Open AI Assures Beefed up Safety Measure
Features of GPT-4o
Enhanced Speed and Multimodality: GPT-4o operates at a faster pace than its predecessors and excels at understanding and processing diverse information formats – written text, audio, and visuals. This versatility allows GPT-4o to engage in more comprehensive and natural interactions. Free Tier Expansion: OpenAI is making AI more accessible by offering some GPT-4o features to free-tier users. This includes the ability to access web-based information during conversations, discuss images, upload files, and even utilize enterprise-grade data analysis tools (with limitations). Paid users will continue to enjoy a wider range of functionalities. Improved User Experience: The blog post accompanying the announcement showcases some impressive capabilities. GPT-4o can now generate convincingly realistic laughter, potentially pushing the boundaries of the uncanny valley and increasing user adoption. Additionally, it excels at interpreting visual input, allowing it to recognize sports on television and explain the rules – a valuable feature for many users. However, despite the new features and capabilities, the potential misuse of ChatGPT is still on the rise. The new version, though deemed safer than the previous versions, is still vulnerable to exploitation and can be leveraged by hackers and ransomware groups for nefarious purposes. Talking about the security concerns regarding the new version, OpenAI shared a detailed post about the new and advanced security measures being implemented in GPT-4o.Security Concerns Surround ChatGPT 4o
The implications of ChatGPT for cybersecurity have been a hot topic of discussion among security leaders and experts as many worry that the AI software can easily be misused. Since its inception in November 2022, several organizations such as Amazon, JPMorgan Chase & Co., Bank of America, Citigroup, Deutsche Bank, Goldman Sachs, Wells Fargo and Verizon have restricted access or blocked the use of the program citing security concerns. In April 2023, Italy became the first country in the world to ban ChatGPT after accusing OpenAI of stealing user data. These concerns are not unfounded.OpenAI Assures Safety
OpenAI reassured people that GPT-4o has "new safety systems to provide guardrails on voice outputs," plus extensive post-training and filtering of the training data to prevent ChatGPT from saying anything inappropriate or unsafe. GPT-4o was built in accordance with OpenAI's internal Preparedness Framework and voluntary commitments. More than 70 external security researchers red teamed GPT-4o before its release. In an article published on its official website, OpenAI states that its evaluations of cybersecurity do not score above “medium risk.” “GPT-4o has safety built-in by design across modalities, through techniques such as filtering training data and refining the model’s behavior through post-training. We have also created new safety systems to provide guardrails on voice outputs. Our evaluations of cybersecurity, CBRN, persuasion, and model autonomy show that GPT-4o does not score above Medium risk in any of these categories,” the post said. “This assessment involved running a suite of automated and human evaluations throughout the model training process. We tested both pre-safety-mitigation and post-safety-mitigation versions of the model, using custom fine-tuning and prompts, to better elicit model capabilities,” it added. OpenAI shared that it also employed the services of over 70 experts to identify risks and amplify safety. “GPT-4o has also undergone extensive external red teaming with 70+ external experts in domains such as social psychology, bias and fairness, and misinformation to identify risks that are introduced or amplified by the newly added modalities. We used these learnings to build out our safety interventions in order to improve the safety of interacting with GPT-4o. We will continue to mitigate new risks as they’re discovered,” it said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Credibility in Question: Meesho Data Breach Claims Echo 2020 Leak
Unconfirmed Meesho Data Breach Surfaces on Dark Web
[caption id="attachment_68336" align="alignnone" width="1333"] Source: Dark Web[/caption] The discrepancies didn't end there. The Cyber Express further analyzed the claims and found inconsistencies within the data itself. Specifically, discrepancies between names and associated phone numbers raised red flags. Given qpwomsx's brief tenure on the platform and apparent credibility issues, discerning the authenticity of the Meesho data breach becomes a daunting task. However, examining the stolen data paints a perplexing situation as the majority of the email addresses are valid and deliverable. Along with the emails, the data appears to be a compilation of personal information belonging to individuals, predominantly based in India. Alongside names, email addresses, and phone numbers, additional details such as location and workplace affiliations were also included. However, the presence of "null" values suggests potential gaps or inaccuracies within the dataset.The IndiaMART Data Breach Link
The Cyber Express has reached out to the e-commerce giant to learn more about this alleged Meesho data leak. However, at the time of writing this, no official statement or response has been shared, leaving the claims for the data breach unverified. Moreover, parallels emerge between the purported Meesho breach and the 2020 IndiaMART data leak, which exposed sensitive information from over 40,000 suppliers. IndiaMART, a prominent business-to-business e-commerce platform, was also targeted in a cyberattack in 2020. Despite assertions from the company that only basic contact information is publicly available, cybersecurity researchers found an extensive exposure of sensitive data. Interestingly, the stolen data from the IndiaMART data leak is similar to the current Meesho data breach, raising concerns about the authenticity of the leak and the motives behind it. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Meesho data breach or any official confirmation from the Indian e-commerce giant. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Dark Web Hacker Claims to Expose 70K National Parent Teacher Association Records
Dark Web Hacker Claims to Expose 70K National Parent Teacher Association Records
Dark Web Hacker Discloses National Parent Teacher Association Breach
Among the exposed data are insured data, college information, client lists, medical insurance records, and payment information. This PTA data breach not only poses a threat to the privacy and security of individuals but also raises concerns about the misuse of such sensitive information. [caption id="attachment_68309" align="alignnone" width="861"] Source: X[/caption] The impact of this breach extends beyond the confines of the PTA itself, affecting individuals across the United States, particularly in the North American region. With PTA.org being the primary platform for engagement, the breach, if true, can have severe consequences. The post on BreachForums by the IntelBroker hacker, titled "Parent Teacher Association Database, Leaked - Download!" and timestamped May 13, 2024, provides insights into the extent of the PTA data breach. The threat actor proudly claims responsibility for the breach alongside an entity named GodLike. The data dump shared by IntelBroker reveals intricate details, including identifiers, addresses, contact information, and policy-related data.Cyberattack on Educational Institutions
The Cyber Express reached out to the National Parent Teacher Association for clarification and response regarding the breach. However, at the time of writing this, no official statement or response has been received. Moreover, this isn’t the first time a student-centric organization was targeted in a cyberattack. Educational institutions, from K-12 schools to universities, store vast amounts of personal data, making them prime targets for cyberattacks. The educational sector witnessed a 258% surge in incidents in 2023, with 1,537 confirmed data disclosures, often attributed to vulnerabilities like MOVEit. Ransomware remains a major external threat, while internal risks stem from uninformed users and overworked staff. Attacks, primarily financially motivated, exploit the emotionally fraught nature of personal data exposure. Common attacks include data breaches, ransomware, BEC, DDoS, and online invasions. Recent high-profile attacks, like those on the University of Manchester and the University of California, highlight the urgent need for enhanced cybersecurity measures in educational institutions. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Hackers Exploit Unpatched Bug in Helsinki Education Division Data Breach
Hackers Exploit Unpatched Bug in Helsinki Education Division Data Breach
“Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” Heikkinen said.“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel,” said City Manager Jukka-Pekka Ujula. “We regret this situation deeply.”
Helsinki Education Division Data Breach Linked to Remote Access Bug
The preliminary investigation found out that the Helsinki Education Division data breach was possible due to a vulnerability in a remote access server.“The server had a vulnerability which the culprit was able to exploit to connect to the Education Division network.”The city authorities did not reveal the name of the remote access server but said a hotfix patch was available at the time of exploitation, but why it was not installed on the server is currently unknown.
“Our security update and device maintenance controls and procedures have been insufficient,” said Heikkinen.The breach targeted an extensive group, with most of the network drive data – comprising of tens of millions of files - containing non-identifying information or ordinary personal data, minimizing potential abuse, according to the city authorities. However, some files include confidential or sensitive personal data such as fees for early childhood education customers, children's status information like information requests by student welfare or information about the need of special support and medical certificates regarding the suspension of studies for upper secondary students, and sick leave records of Education Division personnel. The data breach also includes historical customer and personnel data. Meaning, even if an individual is not currently a customer or a member of staff at the Education Division, the hacker may still have accessed their data.
“Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians,” Ujula said.Satu Järvenkallas, executive director of the Education Division, said the authorities are currently unable to provide an accurate assessment of what data the hacker may have accessed as “the volume of data under investigation is significant.”
VPN Gateways, Network Edge Devices Need ‘Special Attention’
The City officials immediately notified the Data Protection Ombudsman, the Finnish Police, and Traficom’s National Cyber Security Centre after the discovery of the data breach at the Helsinki’s Education Division. Traficom’s cybersecurity center acknowledged the notification and said it was supporting the City of Helsinki in investigating the case. “The data breach that targeted the City of Helsinki is exceptionally large for its size in the municipal sector. The case affects many Finns and causes great concern,” it said on platform X (formerly known as Twitter). Critical vulnerabilities in network edge devices like this pose a risk to organizations' cybersecurity, said Traficom’s NCSC. Exploiting the vulnerabilities of VPN products intended for establishing secure remote connections, it is also possible for parties outside the organization to gain access to the internal networks, “especially if other measures to limit the attack are not in use,” it added.“Severe and easy-to-exploit vulnerabilities have been detected in the network edge devices of many major device manufacturers, such as VPN gateways, in the past six months,” said Samuli Bergström, the director of the cybersecurity center. “That is why it is important that special attention is paid to resources and expertise in organizations.”A very recent example of one such VPN appliance abuse is the zero-day exploitation in Ivanti VPN products, Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. Chinese state-backed hackers used two zero-day vulnerabilities in these products: an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) bug to compromise several organizations including MITRE. “Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city’s senior management,” Ujula said. “After the breach, we have taken measures to ensure that a similar breach is no longer possible,” Heikkinen added.
“We have not discovered evidence that the perpetrator would have accessed the networks or data of other divisions. However, we are monitoring all City of Helsinki networks closely.”Information for affected individuals is available via the Traficom’s Cybersecurity Centre website, data breach customer service, crisis emergency services and MIELI Mental Health Finland. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
- Cybersecurity News and Magazine
- R00TK1T Group Intensifies Cyberattacks on Egyptian Firms After Clash with Anonymous Egypt
R00TK1T Group Intensifies Cyberattacks on Egyptian Firms After Clash with Anonymous Egypt
R00TK1T's Cyberattacks on Egypt Post Anonymous Egypt Confrontation
[caption id="attachment_68271" align="alignnone" width="431"] Source: Dark Web[/caption] In a declaration on dark web, R00TK1T proclaimed, "Security Is Just An Illusion, Privacy Is Just Another Illusion." They warned of impending chaos, signaling their determination to disrupt the status quo. Their message resonated with defiance: "F*ck Society & The System! We Are R00TK1T Will Be Anywhere Anytime!" The Ministry of Supply and Internal Trade was among the first victims that allegedly fell prey to R00TK1T's infiltration, with the group proudly flaunting evidence of their access to the ministry's most secure networks. [caption id="attachment_68095" align="alignnone" width="522"] Source: X[/caption] As images surfaced, showcasing the depth of their intrusion, it became clear that R00TK1T's retaliation was not against the hacker group but the whole of Egypt.R00TK1T Cyberattacks Intensifies
[caption id="attachment_68274" align="alignnone" width="443"] Source: X[/caption] But these cyberattacks on Egyptian companies didn't end there. CorporateStack, a renowned company specializing in digital transformation solutions, also fell victim to an alleged cyberattack by the hacker group. With clients like Bentley, Vodafone, and Hexa, CorporateStack was a prime target for R00TK1T's message: no entity was beyond their reach. The group's infiltration into CorporateStack's systems sent a clear message to businesses operating in Egypt. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged cyberattacks on Egypt by the hacker group or any official confirmation from the organizations listed by R00TK1T hackers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Alleged Hosocongty Data Breach Exposes Vietnamese Job Seekers
Hosocongty Data Breach Exposes Thousands of Job Seekers
Hosocongty.vn, the affected platform, serves as a crucial link between job seekers and employers across Vietnam. Its rapid growth highlights its significance in the country's job market. However, this data breach raises concerns about the security and privacy of the platform's users. [caption id="attachment_68133" align="alignnone" width="1622"] Source: Dark Web[/caption] Makishimaaaa's relatively low ransom demand and status as a new member of the hacking forum suggest a developing situation. The hacker joined the platform in March 2024 and has since posted 38 times. This calculated move indicates a deliberate attempt to minimize suspicion while maximizing profits from the stolen data. The compromised database contains a wealth of personal information, including company details, contact numbers, email addresses, and more. Makishimaaaa emphasizes the quality and active rate of the data, reassuring potential buyers of its reliability. However, the ethical implications of purchasing stolen data remain a cause for concern. The Cyber Express has reached out to the recruitment firm to learn more about this Hosocongty data breach. However, at the time of writing this, no official statement or response has been released, leaving the claims for the Hosocongty data leak unverified.Cyberattack on the Recruitment Sector
The Hosocongty data breach is indicative of a broader trend of increasing cyberattack on the recruitment sector. In February 2024, Das Team Ag, a prominent job placement agency in Switzerland and Liechtenstein, fell victim to the Black Basta ransomware group, highlighting the vulnerability of recruitment platforms. Cyber risks in the digital hiring process have intensified over the years, with cybercriminals targeting sites housing sensitive data, such as employment platforms. The surge in digitalization has exacerbated these threats, necessitating enhanced security measures across industries. Polymorphic attacks, phishing, and malware are among the most prevalent cyber threats facing the recruitment sector, posing risks to both job seekers and companies. As such, users of Hosocongty are urged to exercise vigilance and implement necessary security measures to safeguard personal information. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Hosocongty data breach or any official confirmation from the Vietnamese job portal. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Hacker Offers Data Allegedly Stolen from the City of New York
Alleged City of New York Data Breach Claimed to Include Sensitive Data
The stolen database is allegedly stated to include 199 PDF files, approximately 70MB in size in total. The exposed data includes a wide range of personally identifiable information (PII), such as: Licensee Serial Number, Expiration Date, Applicant or Licensee Name, Trade Name, Street Address, City, Zip Code, Phone Number of Applicant, and Business Email of Applicant. Moreover, the data also reveals sensitive details about building owners, attorneys, and individuals, including their EIN, SSN, and signature. The threat actor is selling this sensitive information for a mere $30, and interested buyers are instructed to contact them through private messages within BreachForums or through their Telegram handle. The post seemingly includes links to download samples of the data allegedly stolen in the attack. [caption id="attachment_68084" align="alignnone" width="1872"] Source: BreachForums[/caption] The alleged data breach has far-reaching implications, as it puts the personal information of numerous individuals at risk. The leak of personally identifiable information (PII) and sensitive documents exposes individuals to potential risks of identity theft, fraud, and other malicious activities. The Cyber Express team has reached out to the New York City mayor's official press contact email for confirmation. However, no response has been received as of yet.pwns3c Earlier Claimed to have Hacked Virginia Department of Elections
In an earlier post on BreachForums, pwns3c claimed an alleged data breach against the Virginia Department of Elections, compromising of at least 6,500 records. The earlier stolen data was also offered for USD 30 in Bitcoin (BTC), Litecoin (LTC), or Monero (XMR) on the dark web. The Virginia Department of Elections is responsible for providing and overseeing open and secure elections for the citizens of the Commonwealth of Virginia. It is responsible for voter registration, absentee voting, ballot access for candidates, campaign finance disclosure and voting equipment certification in coordination with about 133 of Virginia's local election offices. The compromised data was allegedly stated to have included sensitive information such as timestamps, usernames, election data, candidate information, and voting method details. However, there has been no official confirmation of the stated incident as of yet. The breaches claimed by pwns3c, despite their alleged nature highlight the persistent challenges of securing the websites of government institutions. The sensitive nature of the stolen data that may allegedly include Social Security Numbers (SSNs), contact information, election-related details, and signatures, underscores the urgency for government websites to strengthen their security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Hacktivist Group R00TK1T ISC Claims Breach of Egyptian Ministry’s Systems
Hacktivist Group R00TK1T ISC Claims Breach of Egyptian Ministry’s Systems
Ministry of Supply and Internal Trade Breach Claims
[caption id="attachment_68095" align="alignnone" width="212"] Source: X[/caption] The Cyber Express has tried reaching out to the Egyptian ministry to learn more about this alleged Ministry of Supply and Internal Trade data breach claims. However, efforts to verify the intrusion were hampered by communication difficulties, preventing direct contact with the ministry. As a result, the claims made by R00TK1T ISC remain unconfirmed. The website for the Ministry of Supply and Internal Trade seems to be operational at the moment and doesn’t show any immediate sign of the intrusion. The threat actor has shared several screenshots of the document pilfered through this intrusion. Talking about the Ministry of Supply and Internal Trade breach in their post, the threat actor said, “We have successfully hacked into The Ministry of Supply and Internal Trade in Egypt, showcasing our deep infiltration into their systems.”R00TK1T ISC CyberTeam Hacking Spree
Meanwhile, in a separate incident on January 30, 2024, R00TK1T ISC CyberTeam launched an attack on Malaysia's digital infrastructure, further highlighting the global reach and impact of such malicious activities. Their claim to have accessed sensitive information from prominent companies like L'Oreal and Qatar Airways highlights the sophistication and persistence of cyber threats faced by businesses worldwide. In Egypt, the corporate sector has witnessed a surge in ransomware attacks in recent weeks, posing a significant risk to businesses across various industries. This escalating threat necessitates urgent action to bolster cybersecurity measures and mitigate potential damages. Amid ongoing political and security challenges in the Middle East, Egyptian businesses remain prime targets for cyberattacks, with ransomware emerging as a prevalent threat. The consequences of such attacks, including data loss and reputational damage, highlight the critical need for better defense mechanisms to safeguard against cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Australia Faces Unprecedented Cyber Threats Amid Support for Ukraine
Australia Faces Unprecedented Cyber Threats Amid Support for Ukraine
Cyber Army Russia Reborn Cyberattack Targets Australia
[caption id="attachment_68069" align="alignnone" width="641"] Source: X[/caption] Wavcabs, a transportation service, and Auditco, an auditing company, were among the targets of these Cyber Army Russia Reborn cyberattacks. Wavcabs' online services were disrupted, with users encountering connection timeouts when attempting to access the website. Similarly, Auditco faced technical difficulties, as indicated by error code 522 on their site earlier. [caption id="attachment_68071" align="alignnone" width="656"] Source: X[/caption] The Cyber Express has reached out to both organizations to learn more about this Cyber Army Russia Reborn cyberattack. Despite the severity of these cyber incidents, both Wavcabs and Auditco have not issued official statements regarding the attacks. The lack of response leaves the claims of Cyber Army Russia Reborn's involvement unverified, highlighting the complexity of attributing cyberattacks to specific actors.Australia's Support for Ukraine
These assaults on Australian companies occur as the nation reaffirms its support for Ukraine. The Albanese Government's commitment to aiding Ukraine was recently reinforced with a $100 million assistance package. Deputy Prime Minister and Minister for Defence, Richard Marles, revealed the assistance during a visit to Ukraine, where he witnessed firsthand the impact of Russia's aggression. Australia's $100 million aid package to Ukraine includes $50 million for military assistance, prioritizing Australian defense industry support for uncrewed aerial systems and essential equipment. Another $50 million is designated for short-range air defense systems, alongside the provision of air-to-ground precision munitions. Amidst ongoing cyberattacks on Australia, the nation’s unwavering support for Ukraine highlights the complexities of modern warfare and the critical need for cybersecurity measures. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on these cyberattacks on Australian companies or any official confirmation from the listed organizations. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Researchers Observe Potential Ties between Trinity and Venus Ransomware Strains
Researchers Observe Potential Ties between Trinity and Venus Ransomware Strains
Uncovering Tactical and Technical Details of Trinity Ransomware
CRIL researchers observed a new ransomware variant called Trinity, that employs common double extortion tactics such as exfiltrating data from victim's systems before encrypting them, and the intent to use both a support and leak site in their operations. The support site allows victims to upload sample files less than 2MB in size for decryption, while the leak site though currently empty, threatens to expose victim data. [caption id="attachment_68024" align="alignnone" width="940"] Source: Cyble Blog[/caption] Upon initial stages of the investigation, researchers observed similarities between the Trinity ransomware and the 2023Lock ransomware which has been active since early 2024. The deep similarities between the two variants such as identical ransom notes, and code suggest that Trinity might be a newer variant of the 2023Lock ransomware. Researchers noted an intricate execution process in the ransomware's operations such as a search for a ransom note within its binary file and immediately terminates if the file is unavailable. The ransomware collects system information such as the processor count, the pool of threads, and existing drives to prepare its multi-threaded encryption process. The ransomware then attempts privilege escalation by impersonating a legitimate process's token for its own usage, enabling the ransomware to bypass security measures. The ransomware deploys network enumeration activity along with lateral movement, demonstrating broad attack capability. [caption id="attachment_68025" align="alignnone" width="547"] Source: Cyble Blog[/caption] The Trinity variant employs the ChaCha20 algorithm to encrypt of victim files. After encryption, filenames are appended with “.trinitylock,” while ransom notes are left in both text and .hta formats in. The ransomware also modifies the desktop wallpaper to the ransomware note and uses a specific registry key to facilitate this change.Similarities Between Trinity Ransomware and Venus Ransomware
The connections between Trinity and Venus go beyond mere similarities in their ransom notes and registry usage. Venus, an established ransomware operation with a global reach, emerged around mid-2022. The similarities between Venus and Trinity extend to their usage of identical registry values and consistency in their mutex naming conventions and code base. Additionally, the ransom notes used by both ransomware variants exhibit a similar format. The shared tactics and techniques indicate a possible collaboration between the two groups. This collaboration could lead to the exchange of techniques, tools, and infrastructure, amplifying the scale and sophistication of future ransomware campaigns. CRIL researchers have advised organizations to stay vigilant and implement robust cybersecurity measures to protect against these evolving threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- TCE Cyberwatch: Weekly Wrap on AI, Deepfakes, Cybersecurity Challenges Affecting Nations Worldwide
TCE Cyberwatch: Weekly Wrap on AI, Deepfakes, Cybersecurity Challenges Affecting Nations Worldwide
Dropbox Sign data breached; Customers authentication information Stolen
Dropbox, a popular drive and file sharing service, revealed that they had recently faced a security breach which led to sensitive information being endangered. Specifically, Dropbox Sign, a service used to sign documents, was targeted. The data stolen was of Dropbox Sign users, which had information such as passwords, account settings, names, emails, and other authentication information. Rotation and generation of OAuth tokens and API keys are steps that have been taken by Dropbox to control fallout. Dropbox has assured that “from a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.” Read MoreCyberattacks on organizations in the UAE claimed by Five Families Alliance member, Stormous Ransomware
Stormous Ransomware has claimed responsibility for cyberattacks that have attacked several UAE entities. A ransomware group linked to the Five Families alliance which is known for targeting the UAE entities, Stormous Ransomware has targeted organisations like the Federal Authority for Nuclear Regulation (FANR); Kids.ae, the government’s digital platform for children; the Telecommunications and Digital Regulatory Authority (TDRA), and more. After announcing alleged responsibility for the attacks, the ransomware group demanded 150 BTCs, which comes to around $6.7 million USD. They had threatened to leak stolen data if the ransom was not paid. The organisations targeted by the group are yet to speak up about the situation and tensions are high due to the insurmountable damage these claims could cause. Read MoreRussian bitcoin cybercriminal pleads guilty in the U.S. after arrest in France
Alexander Vinnik, a Russian cybercrime suspect, recently pleaded partially guilty to charges in the U.S. Previously arrested in Greece in 2017 on charges of money laundering of $4 billion through the digital currency bitcoin in France, Vinnik is now set to face a trial in California. Vinnik’s lawyer, Arkady Bukh, predicted that Vinnik could get a prison term of less than 10 years due to the plea bargain. The U.S. Department of Justice accused Vinnik of having "allegedly owned, operated, and administrated BTC-e, a significant cybercrime and online money laundering entity that allowed its users to trade in bitcoin with high levels of anonymity and developed a customer base heavily reliant on criminal activity." Read MoreMany Android apps on Google Play store now have vulnerabilities that infiltrate them
Popular Android applications have faced a path traversal-affiliated vulnerability. Called the Dirty Stream attack, it can be exploited by one of these flagged applications leading to overwriting files. The Microsoft Threat Intelligence team stated that, “the implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's implementation.” The apps who have faced this vulnerability are popular, with 500 million to 1 billion downloads. Exploitation would have led to the attacker having control of the app and being able to access the user’s data, like accounts used. Microsoft is worried about it being a bigger issue and has asked developers to focus on security to protect sensitive information. Read MoreDepartment of Social Welfare, Ladakh, in India, allegedly hacked, but no proof provided
Recently, a threat actor had allegedly hacked the database of the Department of Social Welfare Ladakh, Government of India. Their claims, however, seemed to have no support. No information was disclosed from their side and no breaching of sorts was sensed on the department’s website. However, if the claims are true, the fallout is predicted to be very damaging. Investigations into the claims are currently happening. As no motive or even the authenticity has been confirmed, for the individuals whose data resides in the departments database and national security, it’s important to detect and respond in a swift manner as to preserve the nation’s cyber security. Read MoreU.K. military data breach endangers information of current, veteran military personnel
The U.K. military faced a data breach where the information of serving UK military personnel was obtained. The attack was of Ministry of Defence’s payroll system and so information like names and bank details, sometimes addresses, were gathered. The hacker behind it was unknown until now but the Ministry has taken immediate action. The "personal HMRC-style information" of members in the Royal Navy, Army and Royal Air Force was targeted, some current and some past. The Ministry of Defence is currently providing support for the personnel whose information was exfiltrated, and this also requires informing veterans’ organisations. Defence Secretary Grant Shapps is expected to announce a "multi-point plan” when he updates the MPs on the attack. Read MoreIndia’s current election sees deepfakes, Prime Minister Modi calls for arrests of political parties responsible
India’s current Prime Minister Modi has announced that fake videos of him and other leaders making “statements that we have never even thought of”, have been circulating. This election, with its new name of being India’s first AI election, has led to police investigations of opposition parties who have made these videos with Modi calling for arrests. Prior to this, investigations regarding fake videos of Bollywood actors criticising Modi were also taking place. However, in this situation, around nine people have been arrested - six of whom are members of Congress’ social media teams. Five of them have managed to be released on bail, but arrests of higher-ranking social media members have been made. There has been a trending tag #ReleaseArunReddy for Congress national social media co-ordinator, Arun Reddy, who had shared the fake videos.Germany and Poland accuse Russian Military Service of cyber-attacks
Germany has come out stating that an attack on their Social Democratic Party last year was done by a threat group believed to be linked to Russian Military Services. German Foreign Minister Annalena Baerbock said at a news conference in Australia that APT28, a threat group also known as Fancy Bear, has been “unambiguously” confirmed to have been behind the cyberattack. Additionally, Poland has joined in support of Germany and said that they were targeted by ATP28 too. Poland has not revealed any details about the attack they faced but Germany shares that they are working to rebuild damage faced by it. Baerbock stated that, “it was a state-sponsored Russian cyber-attack on Germany, and this is absolutely intolerable and unacceptable and will have consequences.”Ukraine unveils new AI-generated foreign ministry spokesperson
Ukraine has just revealed an AI spokesperson who has been generated to deliver official statements for the foreign ministry. The messages being delivered are written by humans, but the AI is set to deliver them, moving animatedly and presenting herself as an individual through introducing herself as Victoria Shi. Victoria is modelled based on a Ukrainian celebrity, Rosalie Nombre, who took part in her development and helped to model the AIs appearance and voice after her. Ukraine’s foreign minister has said that she was developed for “saving time and resources,” along with it being a “technological leap that no diplomatic service in the world has yet made.” Read MoreSingapore passes new amendment to their cybersecurity bill which regulates temporary, high-risk attacks
A new amendment to Singapore’s Cybersecurity Law was made by its Parliament to keep up with the country’s evolving critical infrastructure and to adapt to technological advancements. The changes made regulate the Systems of Temporary Cybersecurity Concern (STCC), which encompass systems most vulnerable to attacks in a limited period. This means the Cyber Security Agency of Singapore (CSA) can oversee Entities of Special Cybersecurity Interest (ESCIs), due to their error disposition affecting the nation’s security as a whole. With the country’s defence, public health and safety, foreign relations, and economy in danger, the Bill is set to target critical national systems only, leaving businesses and such as they are. Read MoreEurovision becomes susceptible to cyberattacks as the world’s largest music competition takes place during conflict
The 68th Eurovision Song Contest is being held in Sweden, Malmö, this year due to current tensions surrounding conflicts like Israel and Gaza, and Russia and Ukraine. Security has been tightened as in 2019, hackers had infiltrated the online stream of the semi-finals in Israel by warning a missile strike and showed images of attacks in Tel Aviv, the host city. There are several reports about hackers hijacking the broadcast as over 167 million people tuned in to watch last year. The voting system can also be an issue with the finals coming up, but Malmö’s police chief claims to be more worried about disinformation. The spokesperson for the contest stated that “We are working closely with SVT's security team and the relevant authorities and expert partners to ensure we have the appropriate measures in place to protect from such risks.” Read MoreWrap Up
This week we’ve seen militaries and governments being cyber-attacked and that truly reminds us how interconnected everything is. If big organisations are vulnerable to attacks, then so are we. TCE Cyberwatch hopes that everyone stays vigilant in the current climate of increased cyberattack risks and ensure they stay protected and are on the lookout for any threats which could affect them. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.The Top 10 Cybersecurity Unicorns in The World
Top 10 Cybersecurity Companies with Revenue over $1B
Understanding the strengths and specializations of these leading cybersecurity companies empowers stakeholders to make informed decisions when selecting solutions to safeguard their valuable digital assets.1) Palo Alto Networks
- Revenue: US $7.52 billion
- Founded: 2005 by Nir Zuk (former Check Point engineer)
- Headquarters: Santa Clara, California
- Key Products/Services: Advanced firewalls, cloud-based security solutions
2) Fortinet
- Revenue: US $5.3 billion
- Founded: 2000 by Ken Xie and Michael Xie
- Headquarters: Sunnyvale, California
- Key Products/Services: Network security platform, firewalls, endpoint security
3) Leidos
- Revenue: US $3.98 billion
- Founded: 1969
- Headquarters: Reston, Virginia
- Key Products/Services: IT security services, government contracting
4) CrowdStrike
- Revenue: US $3.4 billion
- Founded: 2011
- Headquarters: Sunnyvale, California
- Key Products/Services: Endpoint security platform, XDR, MDR, vulnerability management
5) F5 Networks
- Revenue: US $2.81 billion (2023)
- Founded: 1996
- Headquarters: Seattle, Washington, USA
- Key Products/Services: Application security, multi-cloud management, application delivery networking (ADN) solutions
6) Check Point
- Revenue: US $2.4 billion
- Founded: 1993
- Headquarters: Tel Aviv, Israel, and San Carlos, California
- Key Products/Services: Firewalls, network security solutions
7) Okta
- Revenue: US $2.3 billion
- Founded: 2009
- Headquarters: San Francisco
- Key Products/Services: Identity and access management (IAM), zero-trust security solutions
8) Zscaler
- Revenue: US $1.9 billion
- Founded: 2007
- Headquarters: San Jose, California
- Key Products/Services: Cloud security platform, zero-trust security solutions
9) Trend Micro
- Revenue: US $1.3 billion
- Founded: 1988
- Headquarters: Tokyo, Japan
- Key Products/Services: Cloud and enterprise cybersecurity solutions, antivirus, endpoint security
10) Proofpoint
- Revenue: US $1.1 billion (pre-acquisition)
- Founded: 2002
- Headquarters: Sunnyvale, California
- Acquired by: Thoma Bravo in 2021 (Acquisition price: $12.3 billion)
- Key Products/Services: Email Security, Advanced Threat Protection, Security Awareness Training, Archiving and Compliance, Digital Risk Protection
- Cybersecurity News and Magazine
- British Columbia Discloses Multiple ‘Cybersecurity Incidents’ Impacting Government Networks
British Columbia Discloses Multiple ‘Cybersecurity Incidents’ Impacting Government Networks
Opposition’s Spar in the House
B.C.'s political adversaries engaged in heated debate during the question period on Thursday morning, a day after the province disclosed the multiple cybersecurity incidents within its networks. British Columbia United MLA Todd Stone criticized the government, alleging it "concealed a massive cyberattack on the provincial government for eight days." Stone’s accusations came on the backdrop of a memo from The Office of the Chief Information Officer that directed all provincial employees to immediately change passwords. British Columbians are rightly concerned about their sensitive information, questioning whether it has been compromised by a foreign, state-sponsored cyberattack. So, I ask the premier today: Will he reveal who was responsible for this attack?" Stone demanded. Stone pointed out the timing of Eby's Wednesday statement, suggesting it was issued discreetly "while everyone was preoccupied with last night’s Canucks game." [caption id="attachment_67963" align="aligncenter" width="256"] BC United MLA Todd Stone arguing in the House during the QP on Thursday morning. (Credit: Legislative Assembly of B.C.)[/caption]“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?” the Opposition MLA asked.In response to BC United's criticisms, Public Safety Minister Mike Farnworth accused Stone of "playing politics." “We take our advice from the Canadian Cyber Security Service, who deal with these kinds of things on an ongoing basis. That’s who we will take the advice from in terms of protecting public information, every single time. We will never take advise from the opposition — all they ever want to do is play politics,” Farnworth retorted amid uproar in the House. [caption id="attachment_67981" align="aligncenter" width="271"] Public Safety Minister Mike Farnworth addressing opposition queries. (Credit: Legislative Assembly of B.C.)[/caption]
“When an incident like this happens, the first thing that happens is the protection of the system, honourable speaker. The protection of the information that’s done by technical experts, honourable speaker, who work on the advice of the Canadian Cyber Security System,” Farnworth explained.“And, honourable speaker, the reason they do that is because if you go out and give information before that’s done, you actually end up compromising people’s information, potentially.”
Multiple Cybersecurity Incidents Rock B.C. in Last Few Weeks
The latest revelation of cyberattacks on government networks comes on the heels of a string of cyberattacks that the westernmost province in Canada is facing. B.C. headquartered retail and pharmacy chain London Drugs announced April 28, closure of its stores across Western Canada after falling victim to a cybersecurity incident. The impact was such that they were forced to even take their phones offline and pharmacies could only satisfy “urgent” needs of patients on-site. Addressing reporters later Thursday afternoon, Farnworth clarified that there was no evidence linking the multiple cybersecurity incidents targeting the province networks to the event that led to the closure of London Drugs locations in the west for several days. "At present, we lack any information suggesting a connection. Once an incident is detected, technical security teams work swiftly to secure the system and ensure its integrity, while closely coordinating with the Canadian Cyber Security Service to address the situation," he explained. "While a comprehensive investigation involving multiple agencies is ongoing, we currently have no indication of any link to the London Drugs incident." The same day as the London Drugs cyberattack came to light, another western province entity BC Libraries reported a cybersecurity incident where a hacker attempted to extort payment for data exfiltrated from its newly commissioned server and threatening to release that data publicly if no payment was received.China’s Involved?
This development follows an official inquiry in Canada, revealing unsuccessful Chinese attempts to interfere in past elections. Beijing has refuted these allegations. The Canadian Security Intelligence Service (CSIS) recently published an annual report, warning of ongoing Chinese interference in Canadian political affairs, risking democratic integrity.“Canada’s strong democratic institutions, advanced economy, innovative research sectors, and leading academic institutions make Canada an attractive target for cyber-enabled espionage, sabotage, and foreign influenced activities, all of which pose significant threats to Canada’s national security,” the report said.The report identified China as a state-based threat conducting widespread cyber espionage across various sectors, including government, academia, private industry, and civil society organizations.
Cyberattack Paralyzes 4 Quebec CEGEPs: Classes and Exams Cancelled
Decoding the Cégep de Lanaudière Cyberattack
In a Sunday communication to students and staff, college management emphasized the need for external cybersecurity expertise to investigate the attack's origins and, if feasible, patch the breach. "The investigation is ongoing. Data compromise is not a current concern," said Marilyn Sansregret, spokesperson for Cégep régional de Lanaudière, reported CBC. However, hopes for a swift resolution were dashed when students were informed on Tuesday evening that the class hiatus would extend until at least Friday. Sansregret affirmed that the IT department is working tirelessly to reinforce the college's digital defenses, but it is too early to anticipate a return to normalcy. The Cyber Express has sought a response from Cégep de Lanaudière regarding the cyber attack. However, at the time of writing this, no official statement or response has been shared, leaving the identity of the threat actor unknown.Cyberattacks on Education Institutions and Universities
Meanwhile, Academica Group weighed in on the crisis, highlighting the profound impact of the cyberattack. Cégep de Lanaudière temporarily closed its campuses in Joliette, L’Assomption, Terrebonne, and Repentigny as it grappled with the aftermath of the intrusion. While the full extent of the Cégep de Lanaudière cyberattack is unknown, a music school on the Joliette campus reported disruptions to essential services like lighting, heating, ventilation, and fire alarms. In a broader context, the surge in cyber assaults against educational institutions highlights the acute vulnerability of academic infrastructure to digital threats. Verizon's 2024 Data Breach Investigations Report reveals a staggering increase in attacks targeting the educational services sector. With ransomware emerging as a preeminent external threat and internal vulnerabilities compounding the security measures in education institutions, the need for preemptive cybersecurity measures cannot be overstated. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Cégep de Lanaudière cyberattack or any further information from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- LockBitSupp Denies Identification of Group ‘Admin’, Opens Contest to Find Named Dmitry Yuryevich
LockBitSupp Denies Identification of Group ‘Admin’, Opens Contest to Find Named Dmitry Yuryevich
LockBitSupp Opens Contest to Seek Contact with Individual
The Lockbit admin made a post within the group's leak site about a new contest (contest.omg) in order to encourage individuals to attempt to contact Dmitry Yuryevich Khoroshev. The announcement asserts that the FBI is wrong in its assessment and that the named individual is not LockBitSupp. The announcement seems to try and attribute the alleged identification mistake as a result of an unfortunate cryptocurrency mixing with the ransomware admin's own cryptocurrency funds, which they claim must have attracted the attention of the FBI. Cryptocurrency mixing is activity done to blend different streams of potentially identifiable cryptocurrency to provide further anonymity of transactions. The contest, brazenly invites participants to reach out to the individual believed to be Dmitry Yuryevich Khoroshev and report back on his wellbeing for $1000. The ransomware admin then claimed that the first person to provide evidence such as videos, photos, or screenshots confirming contact with the the "poor guy," as LockBitSupp refers to him, would receive the reward. [caption id="attachment_67621" align="alignnone" width="1055"] Source: X.com (@RedHatPentester)[/caption] Participants were instructed to send their findings through the encrypted messaging platform Tox, using a specific Tox ID provided by LockBitSupp.LockBitSupp Shares Details of Named Individual
In addition to the contest details, LockBitSupp shared multiple links to LockBit-associated file-sharing services on the dark web, presumably for individuals to archive gathered details and submit as contest entries. They also listed extensive personal details alleged to belong to Dmitry Khoroshev, including email addresses, a Bitcoin wallet address, passport and tax identification numbers Amid the defiance and contest announcement, LockBitSupp expressed concern for the well-being of the person they claim has been mistakenly identified as them, urging Dmitry Yuryevich Khoroshev, if alive and aware of the announcement, to make contact. This unusual move by LockBitSupp attempts to challenge the statement made by law enforcement agencies and underscores the complex dynamics of the cyber underworld, where hackers taunt their pursuers openly. LockBitSupp emphasized that the contest will remain relevant as long as the announcement is visible on the blog. The admin hinted that there may be similar contests in the future with more substantial rewards, urging followers to stay tuned for updates. The announcement was uploaded and last updated on May 9, 2024, UTC, leaving the public and the cybersecurity community watching closely for further developments. In a recent indictment Khoroshev was identified to behind LockBit's operations and functioned as the group's administrator since September 2019. Khoroshev and the LockBit group was stated to have extorted at least $500 million from victims in 120 countries across the world. Khoroshev was stated to have received around $100m from his part in this activity. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Lenovo Joins Secure by Design Pledge, Enhancing Cybersecurity Standards
Lenovo Joins Secure by Design Pledge, Enhancing Cybersecurity Standards
Lenovo Joins CISA’s Secure by Design Pledge
The Secure by Design pledge targets key facets of enterprise technology, including software products and services, on-premises solutions, cloud services, and SaaS features. Participating companies, including Lenovo, pledge to make tangible strides across seven core focus areas. These encompass critical aspects such as multi-factor authentication (MFA), default password protocols, vulnerability reduction, security patching, vulnerability disclosure policies, common vulnerabilities and exposures (CVE), and intrusion evidence. Doug Fisher, Lenovo's Chief Security Officer, expressed profound support for the pledge, emphasizing the critical of industry-wide collaboration in fortifying cybersecurity frameworks. "We commend CISA’s initiative to drive an industry-wide ‘secure by design’ pledge and welcome the opportunity to align our own well-established security by design approach with other industry best practices," stated Fisher. "It’s good for the industry that global technology leaders are able to share best practices, driving meaningful progress and accountability in security." Lenovo's commitment to the Secure by Design pledge dovetails seamlessly with its existing security protocols. The company boasts a robust security infrastructure encompassing best-in-class practices across product development, supply chain management, and privacy initiatives. These include the implementation of the Security Development Lifecycle, a vigilant Product Security Incident Response Team (PSIRT), and stringent global supply chain security measures. "Our pledge transcends geographies and benefits all our global customers who face the same industry-wide security challenges US CISA seeks to address, including continued alignment with emerging security regulations around the world," remarked Fisher, underlining Lenovo's global outlook towards cybersecurity enhancement.Global Cybersecurity Initiative
Lenovo's proactive stance positions it as a pioneer among the initial group of 68 companies committing to the Secure by Design pledge. These companies, range from tech titans like Amazon Web Services, Cisco, Google, IBM, Microsoft, Palo Alto Networks, and Trend Micro to cybersecurity specialists such as Claroty, CrowdStrike, Cybeats, Finite State, Forescout, Fortinet, Rapid7, SentinelOne, Sophos, Tenable, Trend Micro, and Zscaler, have all endorsed the Secure by Design pledge. The Secure by Design pledge highlights a voluntary commitment to advancing security measures within enterprise software realms, aligning with CISA’s overarching principles. While physical products like IoT devices and consumer goods fall outside the pledge's scope, participating companies pledge to diligently pursue the outlined goals over the ensuing year. Furthermore, the pledge encourages radical transparency, urging manufacturers to publicly document their progress and challenges encountered. This fosters a culture of accountability and knowledge sharing within the cybersecurity domain. In acknowledging the diversity of approaches, the pledge empowers software manufacturers to devise bespoke strategies tailored to their product portfolios. Companies exceeding the outlined goals are encouraged to share their methodologies, fostering an environment of continuous improvement and innovation. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- International Baccalaureate Exam Hack Speculation Sparks Student Outrage
International Baccalaureate Exam Hack Speculation Sparks Student Outrage
Exam Cheating Concerns Amidst International Baccalaureate Hack
Earlier last week, the International Baccalaureate had released an update stating that it was investigating online speculation about potential cheating by some students in the ongoing exams. The organization stated that while there was no evidence of widespread cheating, some students might have engaged in "time zone cheating". The organization defined time zone cheating as an action where students "who have completed their examinations share what they can recall from memory about the exam questions on social media before other students take the examination." Citing its own academic integrity policy which forbids such behaviour, the organization stated that students engaging in such activity would not receive their Diploma certificates or grades and may potentially be banned from future exam retests. [caption id="attachment_67556" align="alignnone" width="2800"] Source: Official Update[/caption] After its initial investigations, the organization stated that it had experienced an increase in attempted malicious activity aiming to interfere with its systems. It also confirmed that some data from 2018, including employee names, positions, and emails, had been breached through a third-party vendor, and screenshots of this leaked data were shared online. However, the organization again clarified that at the time of the investigation, no recent exam material was found to be compromised. The notice further stated that IB was continuing to assess the incident and had taken steps to contain the incident. The organization mentioned that it would provide further information on the incident as the situation evolved. The Cyber Express team has reached out to the International Baccalaureate for further details, and a spokesman responded with a link to the second update notification.Students Petition For Exam Cancellation
The exam is taken by nearly 180,000 students internationally. However, recent speculations over the hacking incident and cheating allegations have raised concerns among students and their parents, leading to an online petition demanding exam cancellation or re-test. Amidst the speculation, the International Baccalaureate took action to remove leaked content and stated that cheaters would face severe consequences. Some condemned the leaks as failures in governance and urged for improved exam security, prompting the IB to affirm its intention to stay ahead of technological threats while promoting academic integrity in the exam process. The IB further cautioned its authorized network of schools about data breaches and phishing attempts. The leaked materials from the International Baccalaureate data breach were observed to have been downloaded over 45,000 times. The leaked content, allegedly included mathematics and physics papers which were widely circulated online, further raising doubts about exam integrity. It remains to be seen, if the student petition demand's for justice or the organization's observation of increased hacking attempts will lead to a further escalation of the situation. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Cybersecurity Alert: F5’s Next Central Manager Under Attack by Remote Exploits
Cybersecurity Alert: F5’s Next Central Manager Under Attack by Remote Exploits
Understanding the Next Central Manager Vulnerabilities
[caption id="attachment_67545" align="alignnone" width="1732"] Source: Eclypsium[/caption] F5 promptly responded to the Next Central Manager vulnerabilities in software version 20.2.0, urging organizations to upgrade to the latest version immediately to mitigate potential risks. However, it's crucial to note that while five vulnerabilities were reported, CVEs were only assigned to two of them. The Next Central Manager serves as the centralized point of control for managing all tasks across the BIG-IP Next fleet. Despite F5's efforts to enhance security with the Next generation of BIG-IP software, these vulnerabilities highlight the persistent challenges in safeguarding network and application infrastructure. The vulnerabilities enabled attackers to exploit various aspects of the Central Manager's functionality. For instance, one vulnerability allowed attackers to inject malicious code into OData queries, potentially leading to the leakage of sensitive information, including administrative password hashes. Another vulnerability involved an SQL injection flaw, providing attackers with a means to bypass authentication measures.Technical Details and Responses to Next Central Manager Vulnerabilities
Furthermore, an undocumented API vulnerability facilitated Server-Side Request Forgery (SSRF) attacks, enabling attackers to call API methods on any BIG-IP Next device. This allowed them to create unauthorized accounts on individual devices, evading detection by the Central Manager. Additionally, inadequate Bcrypt cost and a flaw allowing administrators to reset their passwords without prior knowledge posed further security risks. These weaknesses significantly lowered the barrier for attackers to compromise the system and maintain unauthorized access. The implications of these vulnerabilities were profound, as they could be exploited in various attack scenarios. Attackers could exploit the vulnerabilities to gain administrative control, manipulate account credentials, and create hidden accounts on managed devices, undermining the integrity and security of the entire network infrastructure. In response to these findings, security experts emphasized the importance of proactive security measures and vigilant monitoring of management interfaces. They advised organizations to enforce access control policies and adopt a zero-trust approach to mitigate the risks associated with such vulnerabilities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Boeing Confirms $200M Cyber Extortion Attempt of LockBit
Boeing Cyber Extortion Saga
LockBit first listed Boeing as its victim on October 27 and set a ransom payment deadline for November 2. Boeing had chosen not to provide any comments or statements regarding the incident, at that time, leaving the LockBit claims unverified. Three days later LockBit took down Boeing’s name from the victims’ list fueling further speculations that it was a hoax or the company likely paid ransom. Following this incident, Boeing eventually confirmed falling victim to LockBit’s cyberattack. But as ransom negotiations reportedly failed, LockBit re-listed Boeing on its leak site and threatened to publish 4 gigabytes of sample data as proof of the Boeing data breach. The post also warned that, “All available data will be published!” in coming days. Following on the threat, LockBit published more than 40GB of data on November 10, as the company likely did not agree to pay the ransom demand. Boeing is yet to address the stolen data publicly.Ransom Demands Getting Exorbitant
The indictment's reference to the unnamed company highlights the exorbitant ransom demands made by Khoroshev and his cohorts, totaling over $500 million in ransoms extorted from victims since late 2019. Of this, he got nearly $100 million from a 20% share on the ransom payments, which was further “used to continue funding the LockBit operation and its infrastructure.” Ransomware analysts are now calling the Boeing cyber extortion as one of the largest ransom demands from a ransomware gang till date. Researchers suspects LockBit likely made an inflated demand, without realistic expectations of receiving the full amount, merely to test the waters. Between September 2019 and February 2024, Khoroshev grew LockBit into a massive global criminal operation in which along with his affiliates he attacked approximately 2,500 victims, which included nearly 1,800 in the U.S. alone, the indictment said. Apart from Boeing LockBit’s victim list also contains law enforcement agencies, security firms, municipalities, schools, financial institutions and even multinational fast-food chains.Who is LockBit Ransomware Gang?
The LockBit ransomware gang emerged in 2019, primarily targeting thousands of global companies, with a focus on those headquartered in the United States. Linked to Russian entities, LockBit has amassed tens of millions of dollars in ransom payments since its inception. According to the Cybersecurity and Infrastructure Security Agency (CISA), LockBit has executed over 1700 attacks in the United States, often by compromising and threatening to release sensitive data for financial gain. The recent Boeing data breach highlights the persistent threat posed by cyberattacks to major corporations. LockBit's aggressive tactics and specific targeting of Boeing, a key player in aerospace and defense, highlight the urgent need for robust cybersecurity measures. The ransomware group's imposed deadline heightens the urgency, highlighting the severe consequences of data breaches and the critical importance of safeguarding sensitive information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Ascension Healthcare Hit by Cyberattack: Patients Wait Hours, Chaos Ensues
Ascension Healthcare Hit by Cyberattack: Patients Wait Hours, Chaos Ensues
Patients Say Chaos on Display at Ascension Healthcare
Talking about the disruptions at the healthcare facility, Ascension said, “Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible.” But the ground reality seems to be different, as per a patient account. Talking to local news media Fox 2, a patient named Zackery Lopez said “chaos” was on display this Wednesday in Ascension Providence Southfield hospital where he had to wait nearly seven hours to get a pain medication for his cancer resurgence.“Right now it is crazy. Nurses are running around. Doctors are running around. There’s no computers whatsoever they can use," Lopez said. "So, they’re actually using charts.”Lisa Watson, a nurse at Ascension Via Christi St. Joseph in Wichita, Kansas, told another local news outlet that the hospital shut down its operating rooms on Wednesday following the cybersecurity issue. She also said that system’s, which the hospital uses to scan medications of patients was down, along with their electronic charts.
“We are paper-charting all medications, and all lab orders are being hand-written and sent by pneumatic tube systems to the unit they’re supposed to go to,” said Watson.
“No one knew where the forms were. Thank god we have a separate sign out with our pts (patients) meds. Nurses were writing them down from memory. This is a new reality we need to be better prepared,” Sirianni wrote on platform X.
“We have endless incessant modules about stupid policies to save hospitals money but never about downtime protocol,” she added.Lopez is also concerned that his personal information was possibly at risk but said he has not received a convincing answer from the authorities yet. "They really didn’t tell me if it was protected or not," he said. "They really kind of just brushed it off when I asked them. They say they’re trying to get everything back on, back on track." **Update on May 10, 1 AM ET** The company in a Thursday update said that it did not have a definite timeline to restore systems that were pulled offline as a result of the cybersecurity incident.
“Systems that are currently unavailable include our electronic health records system, MyChart (which enables patients to view their medical records and communicate with their providers), some phone systems, and various systems utilized to order certain tests, procedures and medications.”It added that patient care was being provided with established downtime protocols and procedures, in which Ascension's workforce is well trained. “It is expected that we will be utilizing downtime procedures for some time. Patients should bring to their appointment notes on their symptoms and a list of current medications and prescription numbers or the prescription bottles so their care team can call in medication needs to pharmacies,” the update said. As a precautionary measure, some non-emergent elective procedures, tests and appointments have been temporarily paused and patients appointments or procedures will need to be rescheduled.
“Due to downtime procedures, several hospitals are currently on diversion for emergency medical services in order to ensure emergency cases are triaged immediately.”
Healthcare Breaches on the Rise
This incident adds to a growing list of healthcare breaches and ransomware attacks, including the Change Healthcare that caused widespread disruptions across U.S. Initially described as an “enterprise-wide connectivity issue,” the severity of the attack went a bar above when Blackcat – also known as Alphv ransomware gang claimed responsibility for it. The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information, a tactic commonly employed by ransomware gangs to exert pressure on victims. However, on February 29, Blackcat withdrew its claim on the breached data of the healthcare group, raising questions if a ransom was paid. The company did confirm that is paid a $22 million ransom later but it now faces multiple lawsuits for alleged negligence in safeguarding clients’ personal information. The parent company UnitedHealth has allocated over $2 billion to fight the fallout of the Change Healthcare data breach. The company last week also stated that a lack of multi-factor authentication (MFA) resulted into the massive hack. In a related development, the U.S. Department of Health and Human Services (HHS) recently cautioned about threat actors employing social engineering tactics to target IT help desks in the Healthcare and Public Health (HPH) sector. These attackers employ deception to enroll new multi-factor authentication (MFA) devices under their control, thereby gaining access to corporate resources, the HHS warned. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Medusa Ransomware Claims UK-based Defense Solutions Provider Chemring Group as Victim
Medusa Ransomware Claims UK-based Defense Solutions Provider Chemring Group as Victim
Medusa Hackers Demand $3.5 Million Following Chemring Group Data Breach
On the leak site, the ransomware group demanded a ransom of 3.5 million USD with a negotiation deadline of 16th May 2024. The group allegedly exfiltrated 186.78 GB of confidential documents, databases, and SolidWorks design files. However no sample data had been shared making it harder to verify the group's claims. Additionally, the leak site provided the victim with the options to add an additional day to make ransom negotiations for 1 million, to delete all the data for 3.5 million or download/delete the exfiltrated data for 3.5 million. [caption id="attachment_67453" align="alignnone" width="944"] Source: X.com / @H4ckManac[/caption] The Chemring Group PLC listing was also accompanied by the listing of three alleged victim organizations, including One Toyota of Oakland, Merritt Properties and Autobell Car Wash. After being reached out for additional details by The Cyber Express team, a Chemring Group spokesman made the following statements about the alleged ransomware attack:Chemring has been made aware of a post that has appeared on X (formerly Twitter) alleging that the Group has been subject to a ransomware attack. An investigation has been launched, however there is currently nothing to indicate any compromise of the Group’s IT systems, nor have we received any communication from a threat actor suggesting that we have been breached. We confirm that all Chemring businesses are operating normally. Our preliminary investigations lead us to believe that this attack was on a business previously owned by Chemring but where there is no ongoing relationship or connection into our IT systems. As this is subject to an ongoing criminal investigation we cannot comment further at this stage.