WTH? DPRK IT WFH: Justice Department says N. Korean hackers are getting remote IT jobs, posing as Americans.

The post North Korea IT Worker Scam Brings Malware and Funds Nukes appeared first on Security Boulevard.

Get results of and analysis on ESG's new survey on supply chain security. 

The post New Survey Finds a Paradox of Confidence in Software Supply Chain Security appeared first on Security Boulevard.

The Antidot Android banking trojan snoops on users and steals their credentials, contacts, and SMS messages.

The post New ‘Antidot’ Android Trojan Allows Cybercriminals to Hack Devices, Steal Data appeared first on SecurityWeek.

The Black Basta group abuses remote connection tool Quick Assist in vishing attacks leading to ransomware deployment.

The post Microsoft Quick Assist Tool Abused for Ransomware Delivery appeared first on SecurityWeek.

In response to heightened cyber threats targeting political candidates, election officials and civil society groups, the National Cyber Security Centre (NCSC) in the UK, a part of GCHQ, has introduced a new initiative called the Personal Internet Protection (PIP) service. The service that was unveiled at CYBERUK 2024 in Birmingham, aims to provide an additional layer of security to individuals at “high-risk” of cyberattacks like spear-phishing, malware and other threats, ahead of the upcoming election year. The Personal Internet Protection service works by alerting users when attempting to access malicious domains known to the NCSC and by blocking outgoing traffic to these domains. The PIP offered to high-risk individuals is built on the NCSC’s Protective DNS service that was developed primarily for use by organizations. Since its inception in 2017, PDNS has provided protection at scale for millions of public sector users, handling more than 2.5 trillion site requests and preventing access to 1.5 million malicious domains, the NCSC said.

Cyber Threats Targeting Political Candidates

The Personal Internet Protection service is part of a broader effort by the UK government to enhance cyber support for individuals and organizations crucial to the democratic process, especially considering recent attempts by Russian and Chinese state-affiliated actors to disrupt UK's government and political institutions as well as individuals. While the Russian intelligence services had attempted to use cyberattacks to target prominent persons and organizations in the UK for meddling in the electoral processes, China is likely seen targeting various government agencies including the Ministry of Defence (MoD), whose payroll system was recently breached. Although both, Moscow and Beijing have rejected the use of hacking for political purposes, the relations between them remain strained over these allegations. Jonathon Ellison, NCSC Director for National Resilience and Future Technology, noted the importance of protecting individuals involved in democracy from cyber threats, highlighting the attractiveness of their personal accounts to espionage operations.

“Individuals who play important roles in our democracy are an attractive target for cyber actors seeking to disrupt or otherwise undermine our open and free society. That’s why the NCSC has ramped up our support for people at higher risk of being targeted online to ensure they can better protect their accounts and devices from attacks,” Ellison said.

Ahead of the major election year where more than 50 countries around the world cast their vote, Ellison urged individuals eligible for the Personal Internet Protection services to sign up and to follow their guidance to bolster defenses against various cyber threats. The initiative also extends support to civil society groups facing a heightened risk of cyber threats. A new guide, "Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society," which offers practical advice for individuals such as elected officials, journalists, activists, academics, lawyers and dissidents was released on Tuesday. This guide, developed by the U.S. Cybersecurity and Infrastructure Security Agency in collaboration with international partners, aims to empower high-risk civil society communities with limited resources to combat cyber threats effectively. These include customized risk assessment tools, helplines for digital emergencies and free or discounted cybersecurity services tailored to the needs of civil society organizations. The launch of the Personal Internet Protection service and the release of the guidance for civil society mark significant steps in bolstering the cybersecurity posture of individuals and organizations critical to the democratic process. By enhancing protection against cyber threats, the UK aims to safeguard the integrity of its democracy and promote collective resilience against global threats to democracy. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Phish Ahoy! Hacker took advantage of Dell’s lack of anti-scraping defense.

The post Dell Hell Redux — More Personal Info Stolen by ‘Menelik’ appeared first on Security Boulevard.

Russian-speaking threat actors are caught abusing a GitHub profile to distribute information stealers posing as legitimate software.

The post Threat Actors Abuse GitHub to Distribute Multiple Information Stealers appeared first on SecurityWeek.

The Ebury Linux botnet has ensnared over 400,000 Linux systems in 15 years, with roughly 100,000 still infected.

The post 400,000 Linux Servers Hit by Ebury Botnet  appeared first on SecurityWeek.

CISA, in collaboration with DHS, FBI, and international cybersecurity entities, has revealed a comprehensive guide aimed at bolstering cybersecurity for civil society organizations, particularly those facing heightened risks from state-sponsored cyber threats.  The guide, titled "Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society," offers practical steps to enhance digital defenses for nonprofits, advocacy groups, academic institutions, journalists, and other high-risk groups. Talking about this cybersecurity plan for civil society organizations, Jen Easterly, Director of CISA, stated that threat actors aim to undermine democratic and humanitarian values upheld by civil society.  “These high-risk community organizations often lack cyber threat information and security resources. With our federal and international partners, we are providing this resource to help these organizations better understand the cyber threats they face and help them improve their cyber safety”, added Easterly.

CISA, FBI, and DHS Collaborate to Support Cybersecurity for Civil Society

Civil society organizations play a crucial role in upholding democratic values, making them prime targets for malicious cyber activities orchestrated by state-sponsored actors. These threats, often originating from countries like Russia, China, Iran, and North Korea, include sophisticated tactics such as social engineering and spyware deployment. The security guide emphasizes proactive measures and best practices tailored to the unique challenges faced by civil society entities. Recommendations include regular software updates, the adoption of phishing-resistant multi-factor authentication, and the implementation of the principle of least privilege to minimize vulnerabilities. Furthermore, the guide stresses the importance of cybersecurity training, vendor selection diligence, and the development of incident response plans. It also guides individual members of civil society, advising on password security, privacy protection, and awareness of social engineering tactics. The release of this security guidance highlights a broader effort to empower high-risk communities with the knowledge and tools needed to safeguard against cyber threats. International collaboration, as evidenced by partnerships with entities from Canada, Estonia, Japan, and the United Kingdom, further enhances the effectiveness of these initiatives. John Scott-Railton, senior researcher at CitizenLab, emphasized the need for cybersecurity for civil societies on X (previously Twitter). Talking about this new initiative, John stated, “Historically law enforcement & governments in democracies have been achingly slow to recognize this issue and help out groups in need.” Despite some exceptions, the lack of prioritization has resulted in damages, including missed opportunities for accountability and diminished trust. “That's why I'm glad to see this @CISAgov & UK-led joint initiative come to fruition”, added John.

Aiming for Better Protection Against Cyber Threats

Government agencies and cybersecurity organizations worldwide have joined forces to support civil society against online threats. For instance, the FBI, in conjunction with its partners, aims to equip organizations with the capacity to defend against cyber intrusions, ensuring that entities dedicated to human rights and democracy can operate securely. "The FBI and its partners are putting out this guidance so that civil society organizations have the capacity to mitigate the threats that they face in the cyber realm,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. Similarly, international partners like Japan's National Center of Incident Readiness and Strategy for Cybersecurity and Estonia's State Information Authority stress the importance of collective action in addressing global cyber threats. These collaborations reflect a shared commitment to bolstering cybersecurity resilience on a global scale. The guide also provides valuable insights into the tactics and techniques employed by state-sponsored actors, enabling organizations to make informed decisions regarding cybersecurity investments and resource allocation. In addition to the guidance document, a range of resources and tools are available to assist high-risk communities in enhancing their cyber defenses. These include customized risk assessment tools, helplines for digital emergencies, and free or discounted cybersecurity services tailored to the needs of civil society organizations. By leveraging these resources and fostering international cooperation, civil society can better defend against cyber threats and continue their vital work in promoting democracy, human rights, and social justice. Through collective efforts and ongoing collaboration, the global community can build a more resilient and secure cyber environment for all. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Patch Tuesday: Microsoft documents 60 security flaws in multiple software products and flags an actively exploited Windows zero-day for urgent attention.

The post Microsoft Warns of Active Zero-Day Exploitation, Patches 60 Windows Vulnerabilities appeared first on SecurityWeek.

Adobe documents multiple code execution flaws in a wide range of products, including the widely deployed Adobe Acrobat and Reader software.

The post Adobe Patches Critical Flaws in Reader, Acrobat appeared first on SecurityWeek.

Source: securelist.com – Author: Kaspersky GERT, Kaspersky Security Services SOC, TI and IR posts SOC, TI and IR posts 14 May 2024 minute read Incident response analyst report 2023 As an information security company, our services include incident response and investigation, and malware analysis. Our customer base spans Russia, Europe, Asia, South and North America, […]

La entrada Incident response analyst report 2023 – Source: securelist.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Threat actors are using DNS tunneling to track victims’ interaction with spam and to scan network infrastructures.

The post Attackers Use DNS Tunneling to Track Victim Activity, Scan Networks appeared first on SecurityWeek.

Get key data points and takeaways from the 2024 Verizon Data Breach Investigations Report.

The post Verizon 2024 DBIR: Key Takeaways appeared first on Security Boulevard.

Apple documents another zero-day flaw being exploited on older iPhones and documents security problems in macOS, iOS and iPadOS.

The post Apple Patch Day: Code Execution Flaws in iPhones, iPads, macOS appeared first on SecurityWeek.

Source: securityboulevard.com – Author: Rohan Timalsina The joint alert from CISA and FBI highlights the continued exploitation of path traversal vulnerabilities in critical infrastructure attacks, impacting sectors like healthcare. The recent CVE-2024-1708 vulnerability in ConnectWise ScreenConnect is a prime example. This flaw was exploited alongside another vulnerability to deploy ransomware and compromise systems. What are […]

La entrada CISA and FBI Issue Alert on Path Traversal Vulnerabilities – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

The joint alert from CISA and FBI highlights the continued exploitation of path traversal vulnerabilities in critical infrastructure attacks, impacting sectors like healthcare. The recent CVE-2024-1708 vulnerability in ConnectWise ScreenConnect is a prime example. This flaw was exploited alongside another vulnerability to deploy ransomware and compromise systems.   What are Path Traversal Vulnerabilities?   Path […]

The post CISA and FBI Issue Alert on Path Traversal Vulnerabilities appeared first on TuxCare.

The post CISA and FBI Issue Alert on Path Traversal Vulnerabilities appeared first on Security Boulevard.

Source: securityboulevard.com – Author: Richi Jennings Dark web sale of leaked data exposes Dell users to phishing phraud. Dell customer data from the past six or more years has been stolen. It looks like scrotes unknown broke into the company support portal and sold scads of personal information to the highest bidder. Again? In today’s […]

La entrada Dell Hell: 49 Million Customers’ Information Leaked – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

DUDE! You’re Getting Phished.

Dell customer data from the past six (or more?) years was stolen. It looks like someone sold scads of personal information to the highest bidder.

The post Dell Hell: 49 Million Customers’ Information Leaked appeared first on Security Boulevard.

Google has brought together its Gemini AI model with its Mandiant cybersecurity unit and VirusTotal threat Intelligence to enhance threat landscape accessibility and efficiency. The company also plans to use its Gemini 1.5 Pro large language model, released in February, to ease the understanding of threat reports for a broader audience. At the RSA Conference in San Francisco, Google unveiled their latest AI-based solution to add more value to threat intelligence. Tackling the long-standing challenges of fragmented threat landscapes and cumbersome data collection processes, Google Threat Intelligence integrates Mandiant's frontline expertise, real-time contributions from VirusTotal's global community and Google's visibility into extensive user and device footprint to deliver a comprehensive defense against evolving cyber threats. Bernardo Quintero, founder of VirusTotal called this initiative a “sharing knowledge, protecting together” mission, which it has embraced with Google and Mandiant.

“I want to assure our entire community, from security researchers and industry partners to individual users, that VirusTotal's core mission remains unchanged. We remain deeply dedicated to collective intelligence and collaboration, fostering a platform where everyone can come together to share knowledge, access valuable threat information, and contribute to the fight against cyber threats,” Quintero said.

“VirusTotal remains committed to a level playing field, ensuring all partners, including Google Threat Intelligence, have equal access to the crowdsourced data VirusTotal collects. We also want to assure you that the core features and functionalities of VirusTotal will remain free and accessible to everyone, as always,” he added, clearing the air around VirusTotal’s future. “The strength of VirusTotal lies in its network of contributors and the vast amount of data they provide. This data serves as a valuable resource for the entire security industry, empowering our partners and others to enhance their products and contribute to a more secure digital world. This collaborative approach, based on transparency and equal access, strengthens the industry as a whole, ultimately leading to better protection for everyone.”

Challenges Addressed and Google’s Gemini AI Integration

For years, organizations have grappled with two primary hurdles in threat intelligence: a lack of holistic visibility into the threat landscape and the arduous task of collecting and operationalizing intelligence data. Google's new offering aims to address these challenges head-on providing insights and operational efficiency to security teams worldwide. The integration of Gemini, Google's AI-powered agent, enhances the operationalization of threat intelligence, streamlining the analysis process and accelerating response times. Using the Gemini 1.5 Pro large language model, Google claims to significantly reduce the time required to analyze malware attacks. For instance, the model took only 34 seconds to dissect the WannaCry virus and identify a kill switch, demonstrating its efficacy in threat analysis. Another key feature of Gemini AI is its ability to summarize threat reports into natural language, aiding companies in assessing potential attacks' impact and prioritizing responses. Threat Intelligence also offers a comprehensive threat monitoring network, empowering users to gain insights into the cybersecurity landscape and prioritize their defense strategies. Mandiant's experts, acquired by Google in 2022, play a vital role in assessing security vulnerabilities in AI projects through the Secure AI Framework. They conduct rigorous testing to fortify AI models against potential threats like data poisoning, ensuring their resilience against malicious exploitation. While Google is pioneering the integration of AI into cybersecurity, other tech giants like Microsoft are also exploring similar avenues, underscoring the growing significance of AI in safeguarding digital assets against evolving threats. As cyber threats continue to evolve, proactive defense strategies are more critical than ever. With Google Threat Intelligence, organizations can leverage cutting-edge technology to detect, analyze, and mitigate threats effectively, ensuring the security and resilience of their digital infrastructure in an increasingly complex threat landscape.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

PAFACA SueTok: U.S. Courts “likely” to rule whether new law is constitutional—or even practical.

The post TikTok Ban — ByteDance Sues US to Kill Bill appeared first on Security Boulevard.

Understanding a country's cybersecurity readiness is vital in today's environment. Using data analytics and machine learning, we can assess each nation's cybersecurity strengths, weaknesses, and areas needing improvement. Exploring the cybersecurity rankings of different countries can help us make informed decisions, encourage global cooperation, and work towards a safer digital world for everyone.

The post Global Cybercrime Report 2024: Which Countries Face the Highest Risk? appeared first on Security Boulevard.

The U.S. Secretary of State Antony Blinken unveiled an International Cyberspace and Digital Policy Strategy on Monday, outlining the Biden administration's plan to engage the global community on various technological security issues. Blinken introduced this robust international cyber strategy while delivering a keynote at the RSA cybersecurity conference in San Francisco. The strategic blueprint outlined in the latest strategy displayed the federal government's multifaceted approach to engaging the global community on a wide array of technological security issues, aiming to foster collaboration and cooperation among allies, partners and stakeholders worldwide.

What’s at the Core of the International Cyberspace and Digital Policy Strategy

At the heart of the plan lies the concept of "digital solidarity," characterized by mutual assistance to victims of malicious cyber activity and other digital harms. Digital solidarity entails collaborating on shared goals, capacity building, and mutual support to enhance security, resilience, self-determination, and prosperity. Against the backdrop of ongoing cyberattacks targeting U.S. allies by foreign actors like Russia, China, North Korea and Iran, efforts focus on supporting allies and partners, particularly emerging economies, in harnessing the benefits of digital technologies while sustaining economic and development objectives. The strategy emphasizes alignment with international partners on technology governance, fostering strong partnerships with civil society and the private sector, and promoting cybersecurity resilience through diverse products and services from trusted technology vendors. Moreover, it underscores cooperative efforts to defend and advance human rights and build digital and cyber capacity for long-term resilience and responsiveness. The Department of State, in collaboration with other federal agencies, will advance digital solidarity through four key areas of action supported by three guiding principles:

1. Promoting an open, inclusive, secure, and resilient digital ecosystem.
2. Aligning rights-respecting approaches to digital and data governance with international partners.
3. Advancing responsible state behavior in cyberspace and countering threats through coalition-building and engagement.
4. Strengthening international partner digital and cyber capacity.

Efforts to forge digital solidarity will be reinforced by active participation in international fora to shape obligations, norms, standards, and principles impacting cyberspace and digital technology issues. Leadership in these venues is crucial to safeguarding U.S. interests and values in the evolving digital landscape. Recognizing the significance of digital diplomacy, the Department of State will lead interagency efforts to coordinate cyber and digital technology diplomacy to advance U.S. national interests and values in the coming decade.

Cybersecurity Threats from Nation States

The strategy addresses the malign activities of nations such as Russia, China, Iran, and North Korea, condemning their exploitative use of technology for nefarious purposes, including hacking and espionage campaigns. It highlights concerns about these countries' efforts to undermine international regulatory frameworks and undercut U.S. technology manufacturers through state-sponsored subsidies. “Cyber criminals and criminal syndicates operating in cyberspace now represent a specific threat to the economic and national security of countries around the world,” the International Cyberspace and Digital Strategy said. “Cybercrime and online fraud cause significant harm to economic development, with small- to medium-sized enterprises and financial service providers especially at risk. According to one estimate, the global cost of cybercrime is estimated to top $23 trillion in 2027.”

AI Technology Governance

The landscape of AI technology governance is intricate, as per the latest strategy. While AI systems offer promising avenues for societal progress, the complexities of geopolitics further compound the challenges and uncertainties in their regulation and management. AI technologies hold immense potential to drive knowledge expansion, boost prosperity, enhance productivity, and tackle pressing global issues. However, the rapid proliferation of AI technologies also presents substantial risks and ethical considerations. These encompass a spectrum of concerns ranging from exacerbating inequality and economic instability to privacy breaches, discriminatory practices, and amplification of malicious cyber activities. Moreover, the dual-use nature of many AI applications poses challenges in ensuring that emerging technologies are not leveraged for nefarious purposes, including disinformation campaigns and military advancements lacking adequate human rights safeguards. Balancing risks and rewards requires safeguarding democratic values, human rights, and fostering international collaboration to harness AI's benefits while mitigating destabilizing impacts. The strategy also warns against complacency in critical technological domains, cautioning that failure to act could enable authoritarian states to shape the future of technology in a manner detrimental to U.S. interests and values. By advocating for concerted efforts to uphold a rights-respecting, open, and secure cyberspace, the United States aims to advance a vision of global governance that safeguards democratic principles and promotes innovation and prosperity.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A report found more than 40 million exposures are impacting 11.5 million critical business entities, with more than half related to cloud platforms.

The post Identity, Credential Misconfigurations Open Worrying Security Gaps appeared first on Security Boulevard.

The US government warns of a North Korean threat actor abusing weak email DMARC settings to hide spear-phishing attacks.

The post US Says North Korean Hackers Exploiting Weak DMARC Settings  appeared first on SecurityWeek.

A botnet dismantled in January and used by Russia-linked APT28 consisted of more than just Ubiquiti Edge OS routers.

The post Botnet Disrupted by FBI Still Used by Russian Spies, Cybercriminals appeared first on SecurityWeek.

Researchers can earn as much as $450,000 for a single vulnerability report as Google boosts its mobile vulnerability rewards program.

The post Google Boosts Bug Bounty Payouts Tenfold in Mobile App Security Push appeared first on SecurityWeek.

Cuttlefish malware platform roaming around enterprise SOHO routers capable of covertly harvesting public cloud authentication data from internet traffic.

The post Cuttlefish Malware Targets Routers, Harvests Cloud Authentication Data  appeared first on SecurityWeek.

The new Wpeeper Android trojan ceased operations after a week and has zero detections in VirusTotal.

The post Wpeeper Android Trojan Uses Compromised WordPress Sites to Shield Command-and-Control Server appeared first on SecurityWeek.

Three vulnerabilities in the Judge0 open source service could allow attackers to escape the sandbox and obtain root privileges on the host.

The post Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover appeared first on SecurityWeek.

New CISA guidelines categorize AI risks into three significant types and pushes a four-part mitigation strategy.

The post CISA Rolls Out New Guidelines to Mitigate AI Risks to US Critical Infrastructure appeared first on SecurityWeek.

In 2023, Google said it blocked 2.28 million bad applications from being published on Google Play and banned 333,000 developer accounts.

The post Google Says it Blocked 2.28 Million Apps from Google Play Store appeared first on SecurityWeek.

US healthcare giant is warning millions of current and former patients that their personal information was exposed to third-party advertisers.

The post Kaiser Permanente Data Breach Impacts 13.4 Million Patients appeared first on SecurityWeek.

A new Android trojan named Brokewell can steal user’s sensitive information and allows attackers to take over devices.

The post Powerful ‘Brokewell’ Android Trojan Allows Attackers to Takeover Devices appeared first on SecurityWeek.

More than 1,400 CrushFTP servers remain vulnerable to an actively exploited zero-day for which PoC has been published.

The post Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day appeared first on SecurityWeek.

More than 90,000 unique IPs are still infected with a PlugX worm variant that spreads via infected flash drives.

The post Self-Spreading PlugX USB Drive Malware Plagues Over 90k IP Addresses appeared first on SecurityWeek.

A North Korea-linked threat actor hijacked the update mechanism of eScan antivirus to deploy backdoors and cryptocurrency miners.

The post North Korean Hackers Hijack Antivirus Updates for Malware Delivery appeared first on SecurityWeek.

A threat actor tracked as CoralRaider has been using multiple infostealers to harvest credentials from users worldwide.

The post Threat Actor Uses Multiple Infostealers in Global Campaign appeared first on SecurityWeek.

Russia-linked APT28 deploys the GooseEgg post-exploitation tool against numerous US and European organizations.

The post Russian Cyberspies Deliver ‘GooseEgg’ Malware to Government Organizations  appeared first on SecurityWeek.

Shadowserver has identified roughly 6,000 internet-accessible Palo Alto Networks firewalls potentially vulnerable to CVE-2024-3400.

The post Thousands of Palo Alto Firewalls Potentially Impacted by Exploited Vulnerability  appeared first on SecurityWeek.

by Neelesh Kripalani, Chief Technology Officer, Clover Infotech As businesses grapple with an ever-changing and increasingly hostile threat environment, the emergence of AI and machine learning technologies introduces fresh challenges to cybersecurity. While these technologies offer the potential to transform our security strategies, they also introduce new risks and vulnerabilities that need effective management. Here are some of the latest cyber threats that businesses need to be aware of:

Cyber Threats Businesses Need to be Aware of

Targeted Ransomware Attacks - This type of malware is designed to hold a victim’s information at ransom. The tactics involve denying users and system administrators access to individual files or even entire digital networks, followed by a “ransom note” demanding payment to regain access. IoT Creates New Cybersecurity Threats - The Internet of Things (IoT) enables billions of physical devices around the globe to collect and share data over the Internet. This creates new cyber threats by expanding the attack surface with diverse and often inadequately secured devices. Common issues include default credentials, lack of regular updates, and data privacy concerns due to the extensive collection and transmission of sensitive information. Deepfake and Synthetic Media Attacks - Such cyberattacks use AI to manipulate content, such as pictures, videos, or audio recordings, to deceive individuals or influence public opinion. Credential Stuffing and Brute Force Attacks - Credential stuffing and brute force attacks involve automated attempts to gain unauthorized access to user accounts using stolen or guessed credentials.

Cybersecurity Best Practices

Here are some key strategies and best practices that businesses can implement to enhance their overall security posture: Risk Assessment and Management - Conduct a comprehensive risk assessment to identify vulnerabilities and prioritize them based on potential impact. Implement risk mitigation strategies to address identified vulnerabilities and reduce the overall risk level. Implement Strong Authentication and Access Control - Add an extra layer of security by mandating users to verify their identity through multiple factors, such as passwords, biometric data, and OTP. Additionally, role-based access control allows enterprises to restrict access to sensitive information and critical systems based on users’ roles and responsibilities. Regular Software Updates and Patch Management - Regularly update and patch all software, operating systems, and firmware to address known vulnerabilities and reduce the risk of exploitation. Implement Endpoint Security Measures - Deploy endpoint protection platforms and endpoint detection and response solutions to secure endpoints from malware attacks. Implement Data Encryption and Privacy Measures - Encrypt sensitive data at rest and in transit to protect it from unauthorized access and data breaches. Implement Security Awareness and Training Programs - Provide regular cybersecurity training and awareness programs to educate employees about cybersecurity best practices, phishing awareness, and the importance of strong passwords. Conduct periodic incident response training to prepare employees for potential security incidents and ensure a coordinated and effective response. In the face of evolving cybersecurity threats, businesses must adopt enhanced strategies, including comprehensive risk assessment, strong authentication, regular updates, and employee training, to safeguard their assets and critical systems. Proactive measures and a culture of cybersecurity awareness are essential to mitigate risks effectively, ensure compliance, and protect the organization's reputation and business continuity in an interconnected world. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything. 

VulnCheck banks $8 million in early stage capital to build 'exploit intelligence' technologies and services.

The post Threat-Intelligence Startup VulnCheck Closes $8M Seed Financing appeared first on SecurityWeek.

Noteworthy stories that might have slipped under the radar: OpenSSF and OpenJS incidents similar to XZ backdoor, Moldovan botnet operator charged, US automotive company targeted by FIN7.

The post In Other News: OSS Backdooring Attempts, Botnet Operator Charged, Automotive Firm Attack appeared first on SecurityWeek.

Microsoft warns that several OpenMetadata vulnerabilities are being exploited to deploy cryptomining malware to Kubernetes environments.

The post OpenMetadata Vulnerabilities Exploited to Abuse Kubernetes Clusters for Cryptomining   appeared first on SecurityWeek.

Kapeka is a new backdoor that may be a new addition to Russia-link Sandworm’s malware arsenal and possibly a successor to GreyEnergy.

The post Kapeka: A New Backdoor in Sandworm’s Arsenal of Aggression appeared first on SecurityWeek.

Cisco has observed an increase in brute-force attacks targeting web application authentication, VPNs, and SSH services.

The post Cisco: Multiple VPN, SSH Services Targeted in Mass Brute-Force Attacks appeared first on SecurityWeek.

Palo Alto Networks firewall vulnerability CVE-2024-3400 increasingly exploited after PoC code has been released. 

The post Exploitation of Palo Alto Firewall Vulnerability Picking Up After PoC Release appeared first on SecurityWeek.

The Change Healthcare ransomware attack has taken a third cruel twist. A new ransomware group, RansomHub, has listed the organisation as a victim on its dark web leak site, saying it has 4 TB of “highly selective data,” which relates to “all Change Health clients that have sensitive data being processed by the company.”

The announcement follows a series of events that require some unpacking.

Change Healthcare is one of the largest healthcare technology companies in the USA, responsible for the flow of payments between payers, providers, and patients. It was attacked on Wednesday February 21, 2024, by a criminal “affiliate” working with the ALPHV ransomware group, which led to huge disruptions in healthcare payments. Patients were left facing enormous pharmacy bills, small medical providers teetered on the edge of insolvency, and the government scrambled to keep the money flowing and the lights on.

American Hospital Association (AHA) President and CEO Rick Pollack described the attack as “the most significant and consequential incident of its kind against the US health care system in history.”

The notorious ALPHV ransomware group claimed responsibility, chalking up Change Healthcare as one of a raft of healthcare victims in what looked like a deliberate campaign against the sector at the start of 2024.

ALPHV used the ransomware-as-a-service (RaaS) business model, selling the software and infrastructure used to carry out ransomware attacks to criminal gangs known as affiliates, in return for a share of the ransoms they extorted.

On March 3, a user on the RAMP dark web forum claimed they were the affiliate behind the attack, and that ALPHV had stolen the entirety of a $22 million ransom paid by Change Healthcare. Shortly after, the ALPHV group disappeared in an unconvincing exit scam designed to make it look as if the group’s website had been seized by the FBI.

ALPHV’s exit left Change Healthcare with nothing to show for its $22 million payment, a disgruntled affiliate looking for a ransom, and very possibly two different criminal gangs—ALPHV and its affiliate—in possession of a huge trove of stolen data.

Now, a month later, a newcomer ransomware group, RansomHub has listed Change Healthcare as a victim on its website.

While some have speculated that Change Healthcare has suffered a second attack, the RansomHub site itself makes the connection to the events surrounding February 21 quite clear:

As an introduction we will give everyone a fast update on what happened previously and on the current situation.

ALPHV stole the ransom payment (22 Million USD) that Change Healthcare and United Health payed in order to restore their systems and prevent the data leak.

HOWEVER we have the data and not ALPHV.

RansomHub first appeared in late February and its arrival dovetails neatly with ALPHV’s disappearance in very early March, leading some to think they are the same group under two different names.

The statement also pours water on the idea that RansomHub is a rebrand of the ALPHV group with its suggestion that “we have the data and not ALPHV.” However, any public statement like this has to be tempered by the fact that ransomware groups are prolific liars.

It’s not uncommon for affiliates to work with multiple RaaS providers, so the most likely explanation is that having lost its money to ALPHV, the affiliate that ransacked Change Healthcare has paired up with a different ransomware group.

Whatever the reason, there is no comfort in it for Change Healthcare. Having apparently already paid a ransom thirty times greater than the average demand, it now has to decide whether it’s going to pay out again.

For everyone else, it’s a lesson in how devastating ransomware can be, and how badly things can go even when you pay a ransom.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits. The gang’s novel approach challenged a bottleneck that makes it hard to scale ransomware attacks, and other gangs may try to replicate its approach in 2024.

Big game ransomware attacks are devastating but relatively rare compared to other forms of cyberattack. There were about 4,500 known ransomware attacks in 2023, although the true figure is probably twice that. These attacks extorted more than $1 billion in ransoms in 2023, according to blockchain data platform Chainalysis.

The potential riches are enormous and there’s no other form of cybercrime that’s so lucrative, so why aren’t we seeing more attacks? It doesn’t seem to be a lack of targets, in fact the evidence suggests that the gangs are picky about who they attack. The most likely reason is that each attack takes a lot of work. Broadly speaking, an attack requires a team of people that: Breaks in to an internet-connected computer, researches the target to see if they’re worth the effort of an attack, explores their network, elevates their privileges until they’re an all-conquering administrator, steals and stores terabytes of data, attacks security software and backups, positions ransomware, runs it, and then conducts negotiations.

Doing all of this efficiently requires people, tools, infrastructure, expertise, and experience, and that seems to make it a difficult business model to scale up. The number of known ransomware attacks a year is increasing steadily, by tens of percentage points rather than exploding by thousands. This suggests that most of the people who are drawn to this life of crime are probably already doing it, and there isn’t a vast pool of untapped criminal talent waiting in the wings.

Before 2023, cybercrime’s best answer to this scalability problem was Ransomware-as-a-Service (RaaS), which splits the work between vendors that provide the malware and infrastructure, and affiliates that carry out the attacks.

CL0P found another way. It weaponised zero-day vulnerabilities in file transfer software, notably GoAnywhere MFT and MOVEit Transfer, and created automated attacks that plundered data from them. Hundreds of unsuspecting victims were attacked in a pair of short, sharp campaigns lasting a few days, leaving Cl0P as the third most active gang of the year, beating ransomware groups that were active in every month of 2023.

It remains to be seen if other gangs can or will follow CL0P’s lead. The repeated use of zero-days signaled a new level of sophistication for a ransomware gang and it may take a while for its rivals to catch up. However, the likes of LockBit—the most prolific group of them all—don’t want for resources so this is probably a matter of time and will, rather than a fundamental barrier.

There is also a question mark about how successful the attacks were. While automation allowed CL0P to increase its reach, it’s reported that a much lower percentage of victims paid a ransom than normal. However, ransomware incident response firm Coveware believes the group managed to compensate by demanding higher ransoms, earning the gang as much as $100 million.

Because of CL0P’s actions, the shape of ransomware in 2024 is in flux and organisations need to be ready. To learn more about how big game ransomware is evolving, the threat of zero-day ransomware, and how to protect against them, read our 2024 State of Malware report.