LoginAscension Faces Multiple Lawsuits Following Ransomware Attack
17 May 2024 at 07:23
Normal view
Yesterday — 17 May 2024Main stream
Before yesterdayMain stream
Nissan Cybersecurity Incident Update: 53,000 Employees Affected
16 May 2024 at 02:15
Nissan Data Breach Update: 53,000 Employees Affected
Upon discovering the Nissan data breach, the Japanese automaker notified law enforcement and engaged cybersecurity experts to contain and neutralize the threat. The company also conducted an internal investigation, informing employees during a town hall meeting held in December 2023, a month after the Nissan cyberattack. To mitigate potential harm, Nissan is offering complimentary identity theft protection services for two years to those impacted by the breach. The company's positive response to safeguarding employee privacy is highlighted by these proactive measures. The official communication emphasized Nissan's dedication to reinforcing its security infrastructure and practices. Following the incident, the company has implemented additional security measures and enlisted cybersecurity specialists to conduct a thorough review, ensuring enhanced protection against future threats. Despite the Nissan breach, the automotive maker has not detected any instances of fraud or identity theft resulting from the incident. Nonetheless, as a precautionary measure, affected individuals are urged to take advantage of the complimentary credit monitoring services provided by Experian IdentityWorks.No Identity Fraud Detected
“This is in addition to the employee benefit you may have elected with Nissan. These complimentary credit services are being provided to you for 24 months from the date of enrollment. Finally, Nissan is providing you with proactive fraud assistance to help with any questions you might have or if you become a victim of fraud. These services are provided by Experian, a company specializing in fraud assistance and remediation services”, said Nissan. To activate the identity protection service, recipients are instructed to enroll by a specified deadline and utilize the provided activation code. Additionally, individuals are encouraged to remain vigilant against potential fraud by monitoring their credit reports and promptly reporting any suspicious activity. Recipients are assured of assistance for 90 days from the letter's date in enrolling for the complimentary credit monitoring services. They are encouraged to contact the dedicated helpline at 833-931-6266, with the engagement number B120412 ready for reference. Nissan highlights its commitment to employee welfare and the seriousness with which it regards the protection of personal information, expressing regret for any inconvenience caused by the incident. The letter concludes with signatures from Leon Martinez, Vice President of Human Resources, and William Orange, Vice President of IS/IT and Chief Information Officer. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
Cybersecurity News and Magazine
- DragonForce Cyberattack Strikes Again: Malone & Co and Watt Carmicheal Added as Victims
DragonForce Cyberattack Strikes Again: Malone & Co and Watt Carmicheal Added as Victims
15 May 2024 at 07:40
DragonForce Cyberattack Targets Two New Victims
The Cyber Express has reached out to both organizations to learn more about this alleged DragonForce cyberattack. However, at the time of writing this, no official statement or response has been shared, leaving the claims for the DragonForce ransomware attack unverified. [caption id="attachment_68487" align="alignnone" width="355"] Source: X[/caption]
Interestingly, both victims' websites remain operational, showing no immediate signs of the cyberattacks. This discrepancy adds another layer of mystery to the unfolding situation.
Moreover, along with the cyberattack post, the DragonForce ransomware group stated that it had access to 15.34 GB of data associated with Malone & Co. The hacker group has shared a deadline of 16 days before the data gets published.
[caption id="attachment_68490" align="alignnone" width="353"] Source: X[/caption]
As for the second alleged victim, Watt Carmicheal, the hacker group claims access to 27.3 GB of data, and no ransom deadline was shared. The threat actor, DragonForce, has used the same modus operandi to target similar victims in the past.
Who is the DragonForce Ransomware Group?
DragonForce, a hacktivist group hailing from Malaysia, is infamous for its relentless cyberattacks on government institutions and commercial entities, primarily in India. Their targets extend beyond geographical borders, with a particular focus on websites affiliated with Israel while advocating for pro-Palestinian causes. Utilizing a variety of tactics such as defacement attacks, distributed denial-of-service (DDoS) attacks, and data leaks, DragonForce demonstrates a high level of adaptability and sophistication in their operations. This versatility has enabled them to evolve their strategies over time, staying one step ahead of their adversaries. Embracing their role as vigilantes for the people, DragonForce Malaysia boldly proclaims its mission on various online platforms, including social media giants like Facebook, YouTube, and X (formerly Twitter). Through these channels, they amplify their voice, connecting with like-minded individuals and fostering a sense of community among Malaysian cybersecurity enthusiasts. Central to DragonForce's ideology is their staunch advocacy for the Palestinian cause. Their actions speak volumes, from high-profile hacks targeting Israeli networks to broadcasting messages of solidarity through unconventional mediums like TikTok. Despite their formidable capabilities, DragonForce does not operate in isolation. Collaborative efforts with other local hacker threat groups have been reported, highlighting the interconnected nature of the hacktivist groups. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Christie’s Auction Website Hacked Just Before Major Sales
13 May 2024 at 06:27
Christie’s Auction House Cyberattack Occurs Ahead of Major Auctions
[caption id="attachment_68140" align="alignnone" width="1000"] Source: Shutterstock[/caption]
The cyberattack came at an inopportune time for Christie's, with several high-stakes auctions estimated at around $850 million in worth scheduled to take place in New York and Geneva.
Art adviser Todd Levin highlighted the significance of the timing, expressing concern that the cyberattack was happening during a pivotal moment before the spring sales when buyers confirm their interest in artworks. He raised a pressing question: "How can potential bidders access the catalog?"
The auctions will include works by Warhol, Basquiat, and Claude Monet, and pieces from the Rosa de la Cruz Collection, that are expected to generate hundreds of millions of dollars in revenue.
Christie's website was taken offline following the hack which affected some of its systems. Despite the setback, Christie's has assured clients that the auctions will proceed as planned, with bidders able to participate in person, by phone, or through Christie's Live platform.
Despite the hack, Christie's CEO Guillaume Cerutti assured clients that all eight live auctions in New York and Geneva would proceed as scheduled, with the exception of the Rare Watches sale, which was postponed to May 14th. In a statement, Cerutti elaborated:
"I want to assure you that we are managing this incident according to our well-established protocols and practices, with the support of additional experts. This included, among other things, the proactive protection of our main website by taking it offline."
Growing Cybersecurity Concerns in the Art World
The incident is a sobering reminder of the increasing threat of cyberattacks in the art world. In recent years, several museums and art market platforms have fallen victim to hacking, highlighting the need for vigilance in protecting sensitive client information amidst slumbering sales. Earlier in January, a service provider managing the online collections of several prominent museums had been targeted, affecting institutions like The Museum of Fine Arts in Boston, the Rubin Museum of Art in New York, and the Crystal Bridges Museum of American Art. Last year in 2023, Christie's had another security incident come to light when it was discovered inadvertently exposing the GPS location and co-ordinates of several art pieces purchased by some of the world’s biggest and wealthiest collectors, revealing their exact whereabouts. In 2017, hackers employed an email scam to intercept payments between dealers and clients, siphoning sums ranging from £10,000 to £1 million. These incidents underscore the art world's vulnerability to similar threats as the market becomes increasingly digital, auction houses and museums must take proactive steps to to invest in stronger defenses against a rapidly evolving cyber threat landscape and the risks it may pose to the art industry. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- Australia Faces Unprecedented Cyber Threats Amid Support for Ukraine
Australia Faces Unprecedented Cyber Threats Amid Support for Ukraine
13 May 2024 at 02:22
Cyber Army Russia Reborn Cyberattack Targets Australia
[caption id="attachment_68069" align="alignnone" width="641"] Source: X[/caption]
Wavcabs, a transportation service, and Auditco, an auditing company, were among the targets of these Cyber Army Russia Reborn cyberattacks. Wavcabs' online services were disrupted, with users encountering connection timeouts when attempting to access the website. Similarly, Auditco faced technical difficulties, as indicated by error code 522 on their site earlier.
[caption id="attachment_68071" align="alignnone" width="656"] Source: X[/caption]
The Cyber Express has reached out to both organizations to learn more about this Cyber Army Russia Reborn cyberattack. Despite the severity of these cyber incidents, both Wavcabs and Auditco have not issued official statements regarding the attacks.
The lack of response leaves the claims of Cyber Army Russia Reborn's involvement unverified, highlighting the complexity of attributing cyberattacks to specific actors.
Australia's Support for Ukraine
These assaults on Australian companies occur as the nation reaffirms its support for Ukraine. The Albanese Government's commitment to aiding Ukraine was recently reinforced with a $100 million assistance package. Deputy Prime Minister and Minister for Defence, Richard Marles, revealed the assistance during a visit to Ukraine, where he witnessed firsthand the impact of Russia's aggression. Australia's $100 million aid package to Ukraine includes $50 million for military assistance, prioritizing Australian defense industry support for uncrewed aerial systems and essential equipment. Another $50 million is designated for short-range air defense systems, alongside the provision of air-to-ground precision munitions. Amidst ongoing cyberattacks on Australia, the nation’s unwavering support for Ukraine highlights the complexities of modern warfare and the critical need for cybersecurity measures. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on these cyberattacks on Australian companies or any official confirmation from the listed organizations. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
CISO2CISO.COM & CYBER SECURITY GROUP
- New Attack Against Self-Driving Car AI – Source: www.schneier.com
New Attack Against Self-Driving Car AI – Source: www.schneier.com
11 May 2024 at 12:00
Source: www.schneier.com – Author: Bruce Schneier This is another attack that convinces the AI to ignore road signs: Due to the way CMOS cameras operate, rapidly changing light from fast flashing diodes can be used to vary the color. For example, the shade of red on a stop sign could look different on each line […]
La entrada New Attack Against Self-Driving Car AI – Source: www.schneier.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
New Attack Against Self-Driving Car AI
10 May 2024 at 12:01
This is another attack that convinces the AI to ignore road signs:
Due to the way CMOS cameras operate, rapidly changing light from fast flashing diodes can be used to vary the color. For example, the shade of red on a stop sign could look different on each line depending on the time between the diode flash and the line capture.
The result is the camera capturing an image full of lines that don’t quite match each other. The information is cropped and sent to the classifier, usually based on deep neural networks, for interpretation. Because it’s full of lines that don’t match, the classifier doesn’t recognize the image as a traffic sign...
The post New Attack Against Self-Driving Car AI appeared first on Security Boulevard.
State Actor Made Three Attempts to Breach B.C. Government Networks
10 May 2024 at 19:21
British Columbia Cyberattacks' Timeline
The B.C. government first detected a potential cyberattack on April 10. Government security experts initiated an investigation and confirmed the cyberattack on April 11. The incident was then reported to the Canadian Centre for Cyber Security, a federal agency, which engaged Microsoft’s Diagnostics and Recovery Toolset (DaRT) due to the sophistication of the attack, according to Salter. Premier David Eby was briefed about the cyberattack on April 17. On April 29, government cybersecurity experts discovered evidence of another hacking attempt by the same “threat actor,” Salter said. The same day, provincial employees were instructed to immediately change their passwords to 14 characters long. B.C.’s Office of the Chief Information Officer (OCIO) described it as part of the government's routine security updates. Considering the ongoing nature of the investigation, the OCIO did not confirm if the password reset was actually linked to the British Columbia government cyberattack but said, "Our office has been in contact with government about these incidents, and that they have committed to keeping us informed as more information and analysis becomes available."Another cyberattack was identified on May 6, with Salter saying the same threat actor was responsible for all three incidents.
The cyberattacks were not disclosed to the public until Wednesday late evening when people were busy watching an ice hockey game, prompting accusations from B.C. United MLAs that the government was attempting to conceal the attack.
“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?”the Opposition MLA Todd Stone asked. Salter clarified that the cybersecurity centre advised against public disclosure to prevent other hackers from exploiting vulnerabilities in government networks. She revealed three separate cybersecurity incidents, all involving efforts by the hackers to conceal their activities. Following a briefing of the B.C. NDP cabinet on May 8, the cyber centre concurred that the public could be notified. Salter said that over 40 terabytes of data was being analyzed but she did not specify if the hackers targeted specific areas of government records such as health data, auto insurance or social services. The province stores the personal data of millions of British Columbians, including social insurance numbers, addresses and phone numbers. Public Safety Minister and Solicitor General Mike Farnworth told reporters Friday that no ransom demands were received, making the motivation behind the multiple cyberattacks unclear.Farnworth said that the CCCS believes a state-sponsored actor is behind the attack based on the sophistication of the attempted breaches.
Government sources told CTV News that various government ministries and agencies, and their respective websites, networks and servers, face approximately 1.5 billion “unauthorized access” or hacking attempts daily. The number has increased over the last few years and the reason why the province budgets millions of dollars per year to cybersecurity. Salter confirmed the government spends more than $25 million a year to fortify its defenses and added that previous investments in B.C.'s cybersecurity infrastructure helped detect the multiple attacks last month. Microsoft last month alerted several U.S. federal agencies that Russia-backed hackers might have pilfered emails sent by the company to those agencies, including sensitive information like usernames and passwords. However, Salter did not confirm if Russian-backed hackers are associated with the B.C. security breach. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information."Being able to do what we are seeing, and covering up their tracks, is the hallmarks of a state actor or a state-sponsored actor." - Farnworth
New Attack Against Self-Driving Car AI
10 May 2024 at 12:01
This is another attack that convinces the AI to ignore road signs:
Due to the way CMOS cameras operate, rapidly changing light from fast flashing diodes can be used to vary the color. For example, the shade of red on a stop sign could look different on each line depending on the time between the diode flash and the line capture.
The result is the camera capturing an image full of lines that don’t quite match each other. The information is cropped and sent to the classifier, usually based on deep neural networks, for interpretation. Because it’s full of lines that don’t match, the classifier doesn’t recognize the image as a traffic sign.
So far, all of this has been demonstrated before.
Yet these researchers not only executed on the distortion of light, they did it repeatedly, elongating the length of the interference. This meant an unrecognizable image wasn’t just a single anomaly among many accurate images, but rather a constant unrecognizable image the classifier couldn’t assess, and a serious security concern.
[…]
The researchers developed two versions of a stable attack. The first was GhostStripe1, which is not targeted and does not require access to the vehicle, we’re told. It employs a vehicle tracker to monitor the victim’s real-time location and dynamically adjust the LED flickering accordingly.
GhostStripe2 is targeted and does require access to the vehicle, which could perhaps be covertly done by a hacker while the vehicle is undergoing maintenance. It involves placing a transducer on the power wire of the camera to detect framing moments and refine timing control.
Research paper.
-
- British Columbia Discloses Multiple ‘Cybersecurity Incidents’ Impacting Government Networks
British Columbia Discloses Multiple ‘Cybersecurity Incidents’ Impacting Government Networks
10 May 2024 at 07:18
Opposition’s Spar in the House
B.C.'s political adversaries engaged in heated debate during the question period on Thursday morning, a day after the province disclosed the multiple cybersecurity incidents within its networks. British Columbia United MLA Todd Stone criticized the government, alleging it "concealed a massive cyberattack on the provincial government for eight days." Stone’s accusations came on the backdrop of a memo from The Office of the Chief Information Officer that directed all provincial employees to immediately change passwords. British Columbians are rightly concerned about their sensitive information, questioning whether it has been compromised by a foreign, state-sponsored cyberattack. So, I ask the premier today: Will he reveal who was responsible for this attack?" Stone demanded. Stone pointed out the timing of Eby's Wednesday statement, suggesting it was issued discreetly "while everyone was preoccupied with last night’s Canucks game." [caption id="attachment_67963" align="aligncenter" width="256"] BC United MLA Todd Stone arguing in the House during the QP on Thursday morning. (Credit: Legislative Assembly of B.C.)[/caption]
“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?” the Opposition MLA asked.In response to BC United's criticisms, Public Safety Minister Mike Farnworth accused Stone of "playing politics." “We take our advice from the Canadian Cyber Security Service, who deal with these kinds of things on an ongoing basis. That’s who we will take the advice from in terms of protecting public information, every single time. We will never take advise from the opposition — all they ever want to do is play politics,” Farnworth retorted amid uproar in the House. [caption id="attachment_67981" align="aligncenter" width="271"]
Public Safety Minister Mike Farnworth addressing opposition queries. (Credit: Legislative Assembly of B.C.)[/caption]
“When an incident like this happens, the first thing that happens is the protection of the system, honourable speaker. The protection of the information that’s done by technical experts, honourable speaker, who work on the advice of the Canadian Cyber Security System,” Farnworth explained.“And, honourable speaker, the reason they do that is because if you go out and give information before that’s done, you actually end up compromising people’s information, potentially.”
Multiple Cybersecurity Incidents Rock B.C. in Last Few Weeks
The latest revelation of cyberattacks on government networks comes on the heels of a string of cyberattacks that the westernmost province in Canada is facing. B.C. headquartered retail and pharmacy chain London Drugs announced April 28, closure of its stores across Western Canada after falling victim to a cybersecurity incident. The impact was such that they were forced to even take their phones offline and pharmacies could only satisfy “urgent” needs of patients on-site. Addressing reporters later Thursday afternoon, Farnworth clarified that there was no evidence linking the multiple cybersecurity incidents targeting the province networks to the event that led to the closure of London Drugs locations in the west for several days. "At present, we lack any information suggesting a connection. Once an incident is detected, technical security teams work swiftly to secure the system and ensure its integrity, while closely coordinating with the Canadian Cyber Security Service to address the situation," he explained. "While a comprehensive investigation involving multiple agencies is ongoing, we currently have no indication of any link to the London Drugs incident." The same day as the London Drugs cyberattack came to light, another western province entity BC Libraries reported a cybersecurity incident where a hacker attempted to extort payment for data exfiltrated from its newly commissioned server and threatening to release that data publicly if no payment was received.China’s Involved?
This development follows an official inquiry in Canada, revealing unsuccessful Chinese attempts to interfere in past elections. Beijing has refuted these allegations. The Canadian Security Intelligence Service (CSIS) recently published an annual report, warning of ongoing Chinese interference in Canadian political affairs, risking democratic integrity.“Canada’s strong democratic institutions, advanced economy, innovative research sectors, and leading academic institutions make Canada an attractive target for cyber-enabled espionage, sabotage, and foreign influenced activities, all of which pose significant threats to Canada’s national security,” the report said.The report identified China as a state-based threat conducting widespread cyber espionage across various sectors, including government, academia, private industry, and civil society organizations.
Cyberattack Paralyzes 4 Quebec CEGEPs: Classes and Exams Cancelled
10 May 2024 at 05:16
Decoding the Cégep de Lanaudière Cyberattack
In a Sunday communication to students and staff, college management emphasized the need for external cybersecurity expertise to investigate the attack's origins and, if feasible, patch the breach. "The investigation is ongoing. Data compromise is not a current concern," said Marilyn Sansregret, spokesperson for Cégep régional de Lanaudière, reported CBC. However, hopes for a swift resolution were dashed when students were informed on Tuesday evening that the class hiatus would extend until at least Friday. Sansregret affirmed that the IT department is working tirelessly to reinforce the college's digital defenses, but it is too early to anticipate a return to normalcy. The Cyber Express has sought a response from Cégep de Lanaudière regarding the cyber attack. However, at the time of writing this, no official statement or response has been shared, leaving the identity of the threat actor unknown.Cyberattacks on Education Institutions and Universities
Meanwhile, Academica Group weighed in on the crisis, highlighting the profound impact of the cyberattack. Cégep de Lanaudière temporarily closed its campuses in Joliette, L’Assomption, Terrebonne, and Repentigny as it grappled with the aftermath of the intrusion. While the full extent of the Cégep de Lanaudière cyberattack is unknown, a music school on the Joliette campus reported disruptions to essential services like lighting, heating, ventilation, and fire alarms. In a broader context, the surge in cyber assaults against educational institutions highlights the acute vulnerability of academic infrastructure to digital threats. Verizon's 2024 Data Breach Investigations Report reveals a staggering increase in attacks targeting the educational services sector. With ransomware emerging as a preeminent external threat and internal vulnerabilities compounding the security measures in education institutions, the need for preemptive cybersecurity measures cannot be overstated. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Cégep de Lanaudière cyberattack or any further information from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- LockBit Ransomware Targets Wichita City Following Unmasking of Group Leader
LockBit Ransomware Targets Wichita City Following Unmasking of Group Leader
8 May 2024 at 03:45
Cyberattack on Wichita Post LockBit Leader Arrest
[caption id="attachment_67202" align="alignnone" width="402"] Source: Dark Web[/caption]
The Wichita cyberattack targeted the official website (wichita.gov), prompting concerns over the security of critical municipal systems. While the ransomware group has not yet released any compromised data, they have set a deadline of May 15, 2024, for its publication.
The announcement by LockBit ransomware follows closely on the heels of an earlier notification by the city of Wichita regarding a ransomware attack on May 5, 2024, although the responsible ransomware gang was not initially disclosed. Wichita, the largest city in the state of Kansas, serves as the county seat of Sedgwick County and is a populous urban center in the region.
The Cyber Express has reached out to the state government to learn more about this cyberattack on Wichita. However, at the time of writing this, no official statement or response has been received. However, the city of Wichita denoted a ransomware attack that targeted various government and private organizations within the city.
Security Update from Wichita: Ransomware Group Remains Unnamed!
According to a press release by the city of Wichita, the recent posts from the state's Cyber Security Incident Update indicate ongoing efforts by the city's information technology department and security partners to address the cyberattack. “Many City systems are down as security experts determine the source and extent of the incident. There is no timetable for when systems could be coming back online. We appreciate your patience as we work through this incident as quickly and as thoroughly as possible”, reads the official press release. In the meantime, various city services and amenities have been impacted by the cyber incident, prompting adjustments to normal operations. Water systems remain secure and functional, with provisions in place for those experiencing difficulties paying bills or facing water shut-offs. Transit services, city vendors, park and recreation facilities, licensing procedures, and municipal court operations have all been affected to varying degrees, necessitating alternative arrangements such as cash payments and in-person transactions. Similarly, services provided by cultural institutions, resource centers, planning departments, and housing and community services are also subject to modifications and delays as the city works to address the cyberattack. The city's airport and library services have experienced disruptions to Wi-Fi access and digital infrastructure, although essential operations continue with minimal impact on services provided to the public. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the cyberattack on Wichita or any new updates from the government. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.New Attack on VPNs
7 May 2024 at 11:32
This attack has been feasible for over two decades:
Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.
TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then...
The post New Attack on VPNs appeared first on Security Boulevard.
New Attack on VPNs
7 May 2024 at 11:32
This attack has been feasible for over two decades:
Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.
TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.
[…]
The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself.
-
- Hooker Furniture Faces Potential Data Breach as LockBit Claims Cyberattack
Hooker Furniture Faces Potential Data Breach as LockBit Claims Cyberattack
3 May 2024 at 02:56
The LockBit ransomware group, known for its disruptive cyberattacks, is back in the spotlight by claiming a cyberattack on Hooker Furniture. The US-based Hooker Furniture is a prominent player in the furniture industry, known for its designs catering to the hospitality and other sectors.
The LockBit alleges they have exfiltrated customer and business data, setting a deadline of May 08, 2024, to publish the compromised information.
Unverified Cyberattack on Hooker Furniture Claim
The Cyber Express team attempted to reach Hooker Furniture officials for comment, but as of now, there has been no response. The company's website also appears to be functioning normally, raising questions about the legitimacy of the Hooker Furniture cyberattack claim. However, considering LockBit's past activities, complete dismissal would be premature.
LockBit's history of targeting organizations with ransomware attacks further complicates the situation.
In March 2024, the group resurfaced with claims of adding eight new victims to their dark web portal, including prominent companies such as STOCK Development, Smulders, and United Notions Inc. This followed earlier claims of listing 12 new victims on their data leak page and engaging in discussions about seizing their websites.
The resurgence of LockBit comes in the wake of significant law enforcement actions aimed at disrupting the group's operations. In a coordinated effort involving the Department of Justice and international law enforcement agencies, authorities dealt a blow to LockBit's infrastructure. However, the recent claims suggest that the group has adapted and evolved, returning with enhanced techniques and capabilities.LockBit Resurgence with Enhanced Techniques
In response to the takedown, LockBit administrators released a provocative message, offering insights into their activities and motivations. The message not only highlights the group's defiance but also highlights the challenges faced by law enforcement agencies in combating cybercrime. With attempts to discredit authorities and speculate on the methods of compromise, LockBit's message serves as a reminder of the ongoing battle between cybercriminals and those tasked with enforcing the law. The situation surrounding Hooker Furniture serves as a cautionary tale for businesses worldwide, highlighting the ever-present threat posed by ransomware attacks and the importance of enhanced cybersecurity measures. While the claims made by LockBit remain unverified, the incident highlights the need for vigilance and preparedness in the face of evolving cyber threats. As investigations continue and the deadline looms, all eyes are on Hooker Furniture and its response to the alleged breach. In the meantime, the cybersecurity community remains on high alert, closely monitoring developments and working tirelessly to combat the scourge of ransomware attacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- Hacktivists Claim Cyberattack on Columbia University After Police Crackdown on Protests
Hacktivists Claim Cyberattack on Columbia University After Police Crackdown on Protests
2 May 2024 at 01:56
Anonymous Arabia, a notorious group of hacktivists, has allegedly launched a cyberattack on Columbia University in response to the recent police crackdown on its students. The Columbia University cyberattack, purportedly initiated as retaliation for the police intervention, has sparked concerns and debates over the appropriate response to protests and the use of digital warfare.
The group, known for its activities in the dark corners of the internet, posted a message with the tagline "HUGE USA UNIVERSITY CYBERATTACK" on a dark web forum.The Alleged Cyberattack on Columbia University
The message boldly declares, "We have now started an unprecedented cyberattack on the University of Columbia in the US in retaliation to the police raid on the student occupation of the university building. We took down the whole network of Columbia and most of the University websites and Eservices (including Email servers). [caption id="attachment_66004" align="aligncenter" width="557"] Source: X[/caption]
This cyberattack comes in the wake of a recent incident where police forces intervened to dismantle protests staged by students who were occupying university premises as a form of demonstration.
Campus Tensions: Background and Response
The incident at Columbia University involved a group of protesters breaking into Hamilton Hall, barricading themselves inside, and occupying it throughout the day. The escalation prompted the university administration to call for police assistance, leading to the removal of the protesters. Minouche Shafik, President of Columbia University in the City of New York, expressed deep sadness over the events, stating that the university had been patient in tolerating unauthorized demonstrations for several months. Efforts were made to engage in dialogue with the protesters, including considerations for their demands, but a resolution could not be reached. Our efforts to find a solution went into Tuesday evening, but regrettably, we were unable to come to resolution. Because my first responsibility is safety, with the support of the University’s Trustees, I made the decision to ask the New York City Police Department to intervene to end the occupation of Hamilton Hall and dismantle the main encampment along with a new, smaller encampment," said Shafik. Shafik emphasized the university's commitment to free speech and activism but condemned the acts of violence and destruction carried out during the protests. The decision to involve law enforcement was made to ensure the safety of the campus community and to restore order. The aftermath of the police intervention has seen a wave of arrests and clashes on various university campuses across the United States. New York City Mayor Eric Adams reported 300 arrests at Columbia University and the City College of New York. Similar incidents occurred at the University of Texas at Dallas and Fordham University, among others. Former President Donald Trump, during a campaign rally in Wisconsin, applauded the police action at Columbia University, describing it as "a beautiful thing to watch." However, the response to the protests has not been without criticism. California Governor Gavin Newsom's office labeled the law enforcement response at the University of California, Los Angeles (UCLA), as "limited and delayed," with clashes between rival protesters resulting in numerous injuries.Alleged Columbia University Cyberattack: Uncertainty and Verification
Amidst the chaos, the alleged cyberattack on Columbia University by Anonymous Arabia has raised further concerns. However, upon accessing the university's official website, no evidence of foul play was detected. The Cyber Express Team reached out to Columbia University for verification, but as of writing this report, no response has been received, leaving the claim unverified. Whether this cyberattack is a genuine act of hacktivism or a tactic to gain attention remains uncertain. Only an official statement from Columbia University can confirm the legitimacy of the claim. Meanwhile, the incident highlights the growing intersection between digital warfare and real-world activism, highlighting the complex dynamics of modern protests and their consequences. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- Ransomware Group LockBit Claims Responsibility for Cannes Hospital Cyberattack
Ransomware Group LockBit Claims Responsibility for Cannes Hospital Cyberattack
30 April 2024 at 05:10
Staff Forced to Degrade Services After Cannes Hospital Cyberattack
After the cyberattack, medical professionals were forced to switch to pen, paper, and manual processes to continue to provide essential healthcare services such as emergency care, surgery, obstetrics, and pediatrics to patients. Telephony services continue to work normally. Even weeks after the attack, the site still maintains a notice of the cybersecurity attack. The notice reads that the hospital staff is investigating the cyberattack in conjunction with experts (ANSSI, Cert Santé, Orange CyberDéfense, GHT06). Further, the notice stated that while the investigation remains ongoing, there have not yet been any ransom demands or identification of data theft operations. [caption id="attachment_65802" align="alignnone" width="683"] Source: ch-cannes.fr[/caption]
Cybersecurity analyst Dominic Alvieri, on X(Twitter), shared an alleged LockBit claim of responsibility for the earlier incident.
[caption id="attachment_65735" align="alignnone" width="1200"] (Source: Dominic Alvieri/ @AlvieriD / x.com)[/caption]
If the claims are true, the Cannes Simone Veil Hospital Center would be one of the latest victims in a series of recent cyberattacks claimed by LockBit after the ransomware group's operations were disrupted following joint-effort action from the FBI, NCA the UK, and the Europol.
LockBit Ransomware Group Apologised for Earlier Cyberattack on Children's Hospital
Since healthcare targets remain a sensitive target for cyberattacks, many threat actor groups have made claims or suggested they would avoid such targets in their operations. During the Covid-19 pandemic, the Maze ransomware group announced that they would not target healthcare organizations. Later the group was found to continue targeting healthcare units in its operations. Last year in January 2023, LockBit apologized for an attack on Toronto's Hospital for Sick Children, blamed a partner for the attack, in its data leak site, claiming to have blocked the partner allegedly responsible for the attack, and offered code to restore the affected systems. The cyberattack had significant consequences for the pediatric firm such as delayed lab and imaging results, shut down of phone lines, and the staff payroll system. These incidents highlight that the healthcare system remains vulnerable to cyberattacks and can prove to have unwelcome effects on patient health, staff functioning, and morale. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Moldova Government Hit by NoName Ransomware: Websites Down
29 April 2024 at 02:15
The notorious NoName ransomware group this time has allegedly set its sights on Moldova, targeting key government websites in what appears to be a strategic cyberattack. The recent alleged cyberattack on Moldova digital infrastructure has raised concerns over cybersecurity and geopolitical tensions in the region.
The reportedly affected entities in Moldova include vital governmental organs such as the Presidency, Ministry of Foreign Affairs, Ministry of Internal Affairs, and the State Registry, among others. The Moldova cyberattack has left these websites inaccessible, displaying the ominous message, "This Site Can't be Reached.
Political Motives Behind the Cyberattack on Moldova
Although the extent of the cyberattack and the motive behind it have not been explicitly disclosed by the NoName group, a message left by the hackers hints at a political agenda. We continue to send DDoS greetings to the State website of Moldova in order to discourage the local government from craving for Russophobia," the message reads. This suggests a possible attempt to influence Moldova's foreign policy by targeting its digital infrastructure. [caption id="attachment_65468" align="aligncenter" width="531"] Source: X[/caption]
The implications of such cyberattacks on Moldova could be profound, affecting not only the government's operations but also the country's stability and security. The ongoing tension between Moldova and Russia adds another layer of complexity to the situation, raising concerns about the potential involvement of state-sponsored actors behind the cyber assault.
[caption id="attachment_65469" align="aligncenter" width="528"] Source: X[/caption]
NoName Ransomware Group Track Record
This is not the first time NoName has launched such attacks. In March 2024, the group claimed responsibility for targeting multiple websites in Denmark, including key entities like Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports, and Danish Shipping. Similarly, in January of the same year, NoName targeted high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), and GVB.
Moreover, NoName's recent cyber onslaught on Finland has further escalated concerns. The Finnish government organizations, including Traficom, the National Cyber Security Centre Finland (NCSC-FI), The Railways, The Agency for Regulation and Development of Transport and Communications Infrastructure of Finland, and several subdomains of the Finnish Road Agency, faced temporary inaccessibility due to DDoS attacks. The sophistication and scale of NoName's operations, combined with their apparent political motives, highlight the urgent need for enhanced cybersecurity measures and international cooperation. The rising frequency of cyberattacks targeting governmental institutions across Europe demands a coordinated response from both national and international cybersecurity agencies. Furthermore, these incidents serve as a wake-up call for governments worldwide to prioritize cybersecurity and invest in strong defense mechanisms to safeguard their digital assets. The increasing sophistication of cybercriminals, coupled with geopolitical tensions, highlights the need for proactive measures to protect critical infrastructure and ensure the integrity of government operations. As the investigation into the recent cyberattack on Moldova unfolds, the international community will be closely monitoring the situation, with a keen eye on the implications for regional security and the broader cybersecurity landscape. In an era where cyberspace knows no borders, collective action and cooperation are essential to effectively combat the growing threat of cyber warfare and ransomware attacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- Multi-Year Cyberattack: Chinese Hackers Suspected in Breaching Volkswagen
Multi-Year Cyberattack: Chinese Hackers Suspected in Breaching Volkswagen
26 April 2024 at 04:31
Multi-year Volkswagen Cyberattack by Chinese Hackers
The timeline of the cyberattacks on Volkswagen, spanning from 2010 to 2015, highlights the meticulous planning and execution by the perpetrators. Reports suggest that the hackers meticulously analyzed Volkswagen's IT infrastructure before breaching its networks, leading to the exfiltration of approximately 19,000 documents. Among the stolen intellectual property were coveted insights into emerging technologies like electric and hydrogen cars, areas crucial for Volkswagen's competitiveness in the global market. While China is not directly accused, evidence points to its involvement, with IP addresses traced back to Beijing and the timing of the attacks aligning with the Chinese workday. Moreover, the hacking tools employed, including the notorious "China Chopper," further implicate Chinese origins, though conclusive proof remains elusive.The Implications of Volkswagen Data Breaches
The implications of these Volkswagen data breaches extend beyond corporate espionage, raising concerns about the integrity of fair competition in the automotive industry. Professor Helena Wisbert of Ostfalia University emphasizes the strategic advantage gained by those privy to competitors' plans, highlighting the significance of stolen data in shaping market dynamics. Volkswagen's acknowledgment of the incident highlights the gravity of the situation, with reassurances of bolstered IT security measures. However, the Federal Office for Information Security (BSI) warns of ongoing threats, stressing the attractiveness of German expertise as a target for espionage. As German companies gear up for the "Auto China" trade fair, the cyberattack on Volkswagen questions the intent of Chinese hackers and their targets in the automobile industry. The Cyber Express will be closely monitoring the situation and we’ll update this post once we have more information on the alleged attacks or any updates from Volkswagen.Cyberattacks on the Automotive Industry
As automotive technology advances, vehicles are increasingly vulnerable to cyberattacks, particularly with the rise of electronics, software, and internet connectivity. Experts warn that even electric vehicles (EVs) are at heightened risk due to their intricate electronic systems. Ransomware attacks could target critical functions like steering and braking systems, posing significant safety concerns. The abundance of software codes in modern vehicles creates ample opportunities for cyber threats, not only affecting the cars themselves but also their entire ecosystem. While cybersecurity defenses are improving, the automotive industry faces challenges in managing software lifecycles and ensuring end-to-end risk management. Collaboration between industry stakeholders, government, and private players is essential to address these challenges. As the global automotive cybersecurity market grows, the need for robust cybersecurity measures becomes increasingly critical, prompting software solution providers to offer localized and cost-effective solutions. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- SpaceX Data Breach Back From the Dead: Hunters International Posts Alleged Stolen Information
SpaceX Data Breach Back From the Dead: Hunters International Posts Alleged Stolen Information
26 April 2024 at 02:46
Hunters International shared samples and databases supposedly linked to SpaceX, including access to 149.9 GB of data. This database, originally associated with the initial SpaceX data breach linked to LockBit, was traced back to a third-party supplier within SpaceX's supply chain, specifically a manufacturing contractor based in Texas.
Through infiltration of the vendor's systems, LockBit allegedly gained control of 3,000 drawings or schematics verified by SpaceX engineers.SpaceX Data Breach Resurfaces on the Dark Web
[caption id="attachment_65258" align="alignnone" width="1170"] Source: X[/caption]
Interestingly, the threat actor sheds light on the SpaceX data breach's infiltration including an undisclosed GoPro development environment.
Adding another layer to the intrigue, recent events in April 2024 reveal the Cactus ransomware group's purported targeting of Aero Dynamic Machining, Inc., a US-based aerospace equipment manufacturer.
The group alleges to have extracted a staggering 1.1 TB of data, encompassing confidential, employee, and customer information from industry giants like Boeing, SpaceX, and Airbus. Subsequently, the group leaked 5.8 MB of compressed data, containing agreements, passports, shipping orders, and engineering drawings, further intensifying the gravity of the situation.
The Cyber Express has reached out to SpaceX to learn more about the data breach claims made by the Hunters International group. However, at the time of writing this, no official statement or response has been received, leaving the claims for the SpaceX data breach stand unverified.
Moreover, the website for SpaceX seems to be operational at the moment and doesn’t show any immediate sign of the attack or data breach suggesting a likelihood that the data shared by Hunters International may indeed stem from the breach of 2023.
How LockBit Ransomware Group Breached SpaceX?
In March 2023, the LockBit Ransomware group infiltrated a third-party manufacturing contractor in Texas, part of SpaceX's supply chain, seizing 3,000 certified drawings and schematics created by SpaceX engineers. LockBit directly addressed SpaceX CEO Elon Musk, demanding ransom payment within a week under the threat of selling the stolen blueprints. The gang's audacious move aimed to profit from the sensitive data, regardless of the vendor's response. Despite concerns over compromised national security and the potential for identity theft, SpaceX has not confirmed the breach, leaving the claims unresolved. This breach, along with the reappearance of leaked data from previous incidents, highlights the persistent threat of cyberattacks on critical infrastructure. It sheds light on the urgent need for robust cybersecurity measures to safeguard against such breaches, as the ramifications extend beyond financial loss to encompass broader security implications. The reappearance of data from last year's SpaceX data breach is raising significant concerns. This recurrence poses a serious threat to the personal and financial security of millions, potentially exposing them to the risks of identity theft and fraud. Notably, despite the breach being initially reported last year and now resurfacing, SpaceX has yet to confirm the incident, leaving the claims unverified. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- St-Jerome Company Targeted in Alleged Ransomware Attack by Everest Group
St-Jerome Company Targeted in Alleged Ransomware Attack by Everest Group
26 April 2024 at 01:44
The infamous Everest ransomware group has struck again, this time targeting Les Miroirs St-Antoine Inc., a longstanding company based in the St-Jérôme region. As of now, the extent of the data breach, the level of data compromise, and the motive behind the cyberattack on Les Miroirs St-Antoine remain undisclosed by the ransomware group.
Founded in 1956, Les Miroirs St-Antoine is a family-owned business specializing in the design, manufacturing, installation, and repair of glazing and aluminum products for commercial, industrial, and institutional sectors. However, the company is now facing allegedly the daunting challenge of navigating the aftermath of this Les Miroirs St-Antoine cyberattack.
Cyberattack on Les Miroirs St-Antoine Remains Unverified
The Everest ransomware group has issued a chilling ultimatum, stating that Les Miroirs St-Antoine Inc. has 24 hours to contact them using the provided instructions. Failure to comply will result in the publication of all stolen data. "Company has the last 24 hours to contact us using the instructions left. In case of silence, all data will be published here," reads the post by Everest ransomware group. This tactic, known as double extortion, is characteristic of the group's modus operandi. [caption id="attachment_65194" align="aligncenter" width="1024"] Source: X[/caption]
To investigate further, The Cyber Express Team (TCE) attempted to access Les Miroirs St-Antoine's official website and found it fully functional, indicating no immediate visible signs of compromise. However, this does not discount the possibility of covert access to sensitive company data. TCE has reached out to company officials for clarification but has yet to receive an official response.
The Everest ransomware group has been a prominent threat in the cybersecurity landscape since December 2020. Operating primarily in Russian-speaking circles, the group targets organizations across various industries and regions, with high-profile victims including NASA and the Brazilian Government.
The Persistent Threat of Everest Ransomware
Known for its sophisticated data exfiltration techniques, Everest ransomware often demands a ransom in exchange for not only decrypting the victim's files but also for refraining from releasing stolen information to the public. This approach maximizes pressure on victims to pay up, as the consequences of data exposure can be severe. Experts have linked Everest ransomware to other notorious cyber threats, such as the Everbe 2.0 and BlackByte families. The group employs a range of tactics, including leveraging compromised user accounts and exploiting Remote Desktop Protocol (RDP) for lateral movement within targeted networks. The Everest ransomware's reach extends beyond private corporations, as they have also targeted government offices in various countries, including Argentina, Peru, and Brazil. This demonstrates the group's audaciousness and their willingness to target entities regardless of their size or prominence. The cyberattack on Les Miroirs St-Antoine Inc. highlights the urgent need for organizations to enhance their cybersecurity defenses. This includes implementing strong security measures, conducting regular vulnerability assessments, and providing comprehensive employee training to mitigate the risk of human error. Furthermore, proactive monitoring and threat intelligence sharing among organizations can help identify and respond to potential cyber threats more effectively. Collaboration between the public and private sectors is essential in combating cybercriminals like the Everest ransomware group. In conclusion, the ransomware attack on Les Miroirs St-Antoine Inc. serves as a reminder of the ever-present threat posed by cybercriminals. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- Qiulong Ransomware Group Targets Brazilian Surgeon Dr. Willian Segalin, Citing Privacy Concerns
Qiulong Ransomware Group Targets Brazilian Surgeon Dr. Willian Segalin, Citing Privacy Concerns
25 April 2024 at 04:37
Dr Willian Segalin Cyberattack Claims Surfaces on Dark Web
The ransomware group's post on the dark web revealed sensitive information allegedly extracted from Dr Willian Segalin's website, including images of nude patients, confidential personal data, and financial information. The group's message admonished Dr Willian for purportedly neglecting patient privacy and urged him to take action to safeguard sensitive information. [caption id="attachment_64873" align="alignnone" width="1028"] Source: chum1ng0 on X[/caption]
“Dr. Willian, if you care about your patients' data and privacy, stop driving your Mustang around like a negligent doctor and avoid remaining silent”, reads the threat actor post.
[caption id="attachment_64877" align="alignnone" width="746"] Source: chum1ng0 on X[/caption]
The cyberattack on Dr Willian Segalin is not an isolated incident. Within the same timeframe, the Qiulong ransomware group targeted three other Brazilian organizations including two related to plastic surgery and one car dealership.
The Cyber Express has reached out to the plastic surgeon's office to learn more about the authenticity of the cyberattack on Dr Willian Segalin. However, at the time of writing this, no official statement or response has been received.
Qiulong Ransomware Group Targets Multiple Victims in Brazil
The Qiulong ransomware group's recent cyberattacks extend beyond Dr. Willian Segalin, affecting three other Brazilian entities. The group's posts on the dark web highlight their grievances against these victims, accusing them of neglecting patient privacy and data protection. [caption id="attachment_64880" align="alignnone" width="1074"] Source: chum1ng0 on X[/caption]
One victim, Dr. Andrea Rechia, a plastic surgeon, faced criticism for allegedly disregarding patient privacy despite numerous attempts to reach out. The group's post includes sensitive information about the clinic's operations and contact details.
Similarly, Dr. Lincoln Graça Neto, another plastic surgeon, was targeted by the ransomware group. The post exposes the clinic's location and amenities but condemns Dr. Lincoln for purportedly neglecting patient data security.
The final victim, Rosalvo Automóveis, a car dealership, faced data exposure threats, indicating potential repercussions from the cyberattack. While specific details about the data breach are not provided, the post suggests imminent data exposure.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.RansomHouse on the Move Again: Hirsh Industries Latest Target
25 April 2024 at 02:43
Unverified: Cyberattack on Hirsh Industries
While the claim by the RansomHouse ransomware group has been made, no further details have been disclosed regarding the extent of the data breach or the motives behind the cyberattack. Upon accessing the official website, no signs of foul play were detected, as the website appeared to be fully functional. To validate the Hirsh Industries cyberattack claim, The Cyber Express Team reached out to company officials, but as of writing this report, no official response has been received. The attack on Hirsh Industries marks yet another addition to the growing list of attacks attributed to the RansomHouse ransomware group.RansomHouse Previous Attacks
In April 2024, the group targeted Bank Pembangunan Daerah Banten Tbk, a regional development bank in Indonesia. While the full extent of the cyberattack on the bank remains undisclosed, the implications could be significant, given its focus on micro-enterprises and SMEs. Earlier in the same month, Lopesan Hotels fell victim to a RansomHouse attack, with the group claiming to have obtained 650GB of sensitive data, including hotel revenue and employee information. In February, Webber International University and GCA Nederland were targeted by the RansomHouse group, adding to their list of victims on the dark web portal. The alleged attack on Hirsh Industries by the RansomHouse ransomware group highlights the increasing threat posed by such groups to organizations worldwide. While the authenticity of the claim remains unverified, the incident serves as a wake-up call for businesses to bolster their cybersecurity defenses. With Hirsh Industries being a significant player in the industry, the implications of the cyberattack, if proven true, could be far-reaching. The compromise of sensitive data could not only affect the company's operations but also raise concerns among its clients and partners. Additionally, the potential financial losses and reputational damage could be substantial. As investigations into the Hirsh Industries cyberattack continue, stakeholders await an official response from the company regarding the breach and its impact. Meanwhile, businesses are urged to prioritize cybersecurity measures to mitigate the risk of falling victim to ransomware attacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Cactus Ransomware Hits Singapore Garment Giant Ghim Li Global
24 April 2024 at 02:42
Cactus ransomware has added Ghim Li Global Pte Ltd to its victim list, sparking concerns over data security and the vulnerability of businesses to cyberattacks.
Ghim Li Global is a prominent Singapore-based company specializing in garment manufacturing and distribution across the Asia-Pacific region.
While the extent of the Ghim Li Global cyberattack and the compromise of data remain undisclosed by the ransomware group, the potential implications of such an attack could be profound.
Claim of Ghim Li Global Cyberattack
The ransomware group's claim has raised skepticism, especially as Ghim Li Global's official website appears to be fully functional, casting doubts on the authenticity of the claim. Despite attempts to verify the Ghim Li Global cyberattack, no official response has been received from the company, leaving the claim unverified.
[caption id="attachment_64590" align="aligncenter" width="908"] Source: X[/caption]
Emergence of Cactus Ransomware
Cactus ransomware has been a growing threat since March 2023, targeting commercial entities with considerable success. In a study conducted by the SANS Institute on the growth of ransomware, Cactus was identified as one of the fastest-growing threat actors of the year. Notably, 17% of all ransomware attacks in 2023 were attributed to new groups that did not exist in 2022, with Cactus ranking among the top five threats in this new group of threat actors. The name "Cactus" originates from the filename of the ransom note, "cAcTuS.readme.txt", with encrypted files being renamed with the extension.CTSx, where 'x' is a single-digit number that varies between attacks.Previous Cyberattacks Claims
Prior to targeting Ghim Li Global, Cactus ransomware made headlines in March 2024 for its cyberattack on Petersen Health Care. The attack compromised the company's digital infrastructure and led to the exposure of sensitive information. Petersen Health Care, a prominent Illinois-based company operating a network of nursing homes across the United States, was forced to file for bankruptcy under Chapter 11 protection in a Delaware court, burdened by a staggering $295 million in debt. Among this debt was a significant $45 million owed under healthcare facility loans insured by the U.S. Department of Housing and Urban Development. In February, Schneider Electric's Sustainability Business Division fell victim to a data breach, raising alarms about the security of sensitive information within the company's ecosystem. While details of the breach remain murky, the the ransomware group claimed responsibility, asserting that 1.5 TB of personal documents, confidential agreements, and non-disclosure agreements were among the information stolen. Before these incidents, in December, Cactus ransomware targeted Coop, a major supermarket chain in Sweden. Despite claiming responsibility for the attack, the group did not disclose the extent of the data accessed or the ransom amount demanded. Subsequently, in January 2024, Coop confirmed facing a severe cyberattack that rendered its payment checkouts useless, plunging the supermarket giant into chaos. With the alleged cyberattack on Ghim Li Global Pte Ltd, the ransomware group continues to pose a significant threat to organizations worldwide. The incident highlights the urgent need for businesses to strengthen their cybersecurity measures and remain vigilant against evolving cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- 8Base Ransomware Group Launches Cyberattack on Bieler Lang GmbH, Threatens Data Leak
8Base Ransomware Group Launches Cyberattack on Bieler Lang GmbH, Threatens Data Leak
23 April 2024 at 23:27
Analyzing the Bieler Lang GmbH Cyberattack and Other Intrusions
This cyberattack has significant implications for Bieler Lang GmbH. However, other organizations, including FEB31st, Wasserkraft Volk AG, Speedy France, and The Tech Interactive are facing the same allegation from the threat actor, highlighting the scape of the breach and threat actor perplexing intentions. [caption id="attachment_64534" align="alignnone" width="991"] Source: X[/caption]
The Bieler Lang GmbH cyberattack was posted on the threat actor’s data leak site and several screenshots were posted about the organization and the data stolen from the attack. In 8Base’s words, the threat actor said, they have uploaded “invoices, receipts, accounting documents, personal data, A huge amount of confidential information”, and other personal data about the organization.
The Cyber Express reached out to Bieler Lang GmbH for further details regarding the incident. However, as of now, no confirmation or denial has been issued by the organization, leaving the claims of the cyberattack on Bieler Lang GmbH stand unverified.
The Anonymity of the 8Base Ransomware Group
Despite the cyber intrusion, the website of Bieler Lang GmbH appears to be operational, showing no immediate signs of the attack. However, it's important to note that 8Base operates not solely as a ransomware operation but as a data-extortion cybercrime group. They have gained notoriety for targeting similar companies and posting about their exploits on data leak sites. While the origins and identities of the 8Base operators remain unknown, cybersecurity experts emphasize that their recent surge in activity indicates a well-established and mature organization. With a history of targeting companies that neglect data privacy, the group presents a challenge to cybersecurity efforts globally. As for the Bieler Lang GmbH cyberattack, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information about the attack or any official confirmation from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- Family-Owned Music Store Targeted: MEDUSA Ransomware Strikes Ted Brown Music
Family-Owned Music Store Targeted: MEDUSA Ransomware Strikes Ted Brown Music
22 April 2024 at 08:49
Decoding the Ted Brown Music Cyberattack Claims
[caption id="attachment_64315" align="alignnone" width="1030"] Source: X[/caption]
Transitioning to more tangible information, the post provides details about Ted Brown Music, including its rich history, family ownership, and corporate address in Tacoma, Washington. With 95 employees and a distressing disclosure of 29.4 GB of leaked data, the magnitude of the alleged breach becomes all too apparent.
The ransom demands escalate, starting at $10,000 to add one more day before the data gets published. Similarly, by paying $300,000, the threat actor will “delete all data” or the organization can “download all data” again. The message concludes with the numeral "23", adding the list of viewers who saw the data.
The Cyber Express has reached out to the organization to learn more about this cyberattack on Ted Brown Music. However, at the time of writing this, no official statement or response has been received, leaving the claims for the Ted Brown Music cyberattack stand unverified.
The Rise of MEDUSA Ransomware Group
The cyberattack on Ted Brown Music follows a list of cyberattacks faced by the music industry. According to Gitnux, the sector grapples with an alarming rate of cyber attacks, with breach detection often taking months and the average cost of an attack skyrocketing. Among these cyberattacks, the MEDUSA ransomware group has manifested into a sophisticated cybercrime group. Emerging as a ransomware-as-a-service (RaaS) platform in late 2022, Medusa gained infamy in 2023, primarily targeting Windows environments. The threat actors operate a site where they expose sensitive data from organizations that refuse to meet their ransom demands. Employing a multi-extortion approach, they offer victims choices like extending deadlines, deleting data, or downloading it, each option coming with a price. In addition to their Onion site, they use a Telegram channel named “information support” to publicly share compromised files, making them more accessible. As for the cyberattack on Ted Brown Music, this is an ongoing story and The Cyber Express will be monitoring the situation. We’ll update this post once we have more information on the alleged attack or any confirmation from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- Consol Energy Targeted in Cyberattack: Russian Cyber Army Claims Responsibility
Consol Energy Targeted in Cyberattack: Russian Cyber Army Claims Responsibility
22 April 2024 at 06:18
Alleged Consol Energy Cyberattack Claims by Pro-Russian Hackers
[caption id="attachment_64266" align="alignnone" width="450"] Source: Falcon Feeds on X[/caption]
The threat actor's post suggests a motive behind the attack, citing Consol Energy's role as a competitor in the European energy market and its alleged benefits from the conflict in Ukraine.
The Cyber Express has reached out to the organization to verify the authenticity of the Alleged Consol cyberattack. However, at the time of writing this, no official statement or response has been received, leaving the claims for the Alleged Consol cyberattack stand unverified.
[caption id="attachment_64268" align="alignnone" width="712"] Source: X[/caption]
Interestingly, this isn't the first time Consol Energy has been targeted by cyber threats. In 2023, the Cl0p ransomware group claimed responsibility for a similar attack on the company. Despite these incidents, Consol Energy continues to post on its social media channels and is contributing to the country's power supply.
In the wake of the cyberattack, financial analysts are observing the impact on Consol Energy's stock performance. Justin Spittler, Chief Trader at Hedge_Your_Risk, notes insights into coal stocks, highlighting CONSOL Energy's resilience despite a recent decline.
[caption id="attachment_64269" align="alignnone" width="990"] Source: Justin Spittler on X[/caption]
However, the extent to which the cyberattack influenced this decline remains uncertain, pending official statements from the company.
Cyber Army Russia Reborn and Ongoing Investigation
The cyberattack on Consol Energy is part of a broader trend of cyber threats targeting energy companies worldwide. Just last month, Cyber Army Russia Reborn claimed responsibility for cyberattacks in Slovenia, targeting government bodies and the public broadcaster. In a video message, group implied that attacks were due to Slovenia's backing of Ukraine. Voiced in Slovenian and circulated by local news, the message urged Russians and Slovenians not to harbor animosity, citing shared heritage. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged attack or any official confirmation from Consol Energy. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Frontier Communications Shuts Down Systems Following Cyberattack
19 April 2024 at 07:12
Telecom giant Frontier shuts down systems to contain a cyberattack that led to personal information compromise.
The post Frontier Communications Shuts Down Systems Following Cyberattack appeared first on SecurityWeek.
Frontier Hit by Cyberattack, Customer Data Potentially Exposed
19 April 2024 at 01:47
Frontier Communications, a prominent telecom provider in the United States, finds itself grappling with the aftermath of a recent cyberattack orchestrated by a nefarious cybercrime group. The cyberattack on Frontier Communications, which occurred on April 14, 2024, has thrown the company into disarray as it races to restore its compromised systems and reassure its millions of customers across 25 states.
The cyberattack on Frontier Communications, detected by the company's vigilant cybersecurity team, prompted the company to take swift action, partially shutting down affected systems to thwart further unauthorized access.
This proactive measure, while essential for containing the breach, resulted in operational disruptions, leaving many customers facing internet connection issues and encountering difficulties reaching support services.
Disclosure of Cyberattack on Frontier Communications
In a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on Thursday, Frontier Communications divulged the unsettling details of the breach. The cybercriminals managed to infiltrate portions of the company's information technology infrastructure, gaining access to sensitive personally identifiable information (PII). While the specifics of the compromised data remain undisclosed, concerns linger regarding the potential exposure of customer and employee information. Despite the severity of the cyberattack on Frontier Communications, Company assures stakeholders that it has successfully contained the incident and restored its core IT systems affected during the attack. However, the road to recovery has been fraught with challenges, as evidenced by ongoing technical issues plaguing the company's website.Customer Conundrum: Support Snags and Communication Breakdowns
Customers attempting to access Frontier's online services are met with warnings of internal support technical difficulties, exacerbating frustrations amid the connectivity woes.
Furthermore, reports have surfaced indicating that affected customers are experiencing prolonged internet outages, with support phone lines inundated with prerecorded messages instead of connecting to live operators.
This breakdown in customer communication compounds the anxiety and uncertainty surrounding the situation, underscoring the urgency for Frontier to swiftly address the fallout from the cyberattack on Frontier Communications.
[caption id="attachment_63730" align="aligncenter" width="594"] Source: X[/caption]
[caption id="attachment_63731" align="aligncenter" width="594"] Source: X[/caption]
In response to the breach, Frontier has mobilized a comprehensive investigative effort, enlisting the expertise of cybersecurity specialists and promptly notifying law enforcement authorities.
Despite these concerted efforts, a Frontier spokesperson remained unavailable for comment when contacted by The Cyber Express Team, leaving concerned consumers clamoring for reassurance and transparency from the embattled telecom provider.
Amid the chaos and disruption wrought by the cyberattack, Frontier remains steadfast in its commitment to safeguarding customer data and restoring normal business operations. While the company maintains that the incident is unlikely to have a significant impact on its financial standing, the full extent of the breach's ramifications is yet to be fully realized.
As stakeholders await further updates from Frontier, the telecom giant faces a critical test of resilience and accountability in the wake of these brazen cyberattacks. Only time will tell whether Frontier can emerge from this trial stronger and more fortified against future threats or if lingering doubts and repercussions will continue to cast a shadow over its operations.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Patients Sue Ernest Health After Data Breach of 94,747 Exposed
17 April 2024 at 08:44
Ernest Health Data Breach Turns Into Class Action Lawsuit
Following an extensive investigation, Ernest Health commenced a process of notifying affected individuals about the breach, ensuring transparency about the compromised data. In response to the Ernest Health data breach, plaintiffs Joe Lara and Laurie Cook have initiated a class-action lawsuit against Ernest Health. Alleging negligence in safeguarding highly sensitive data, the lawsuit highlights Ernest Health's failure to adequately train employees on cybersecurity measures and maintain sufficient security protocols, leaving patient information vulnerable to cybercriminals. The lawsuit, filed in the United States District Court, Northern District of Texas, contends that Ernest Health's actions not only breached its duty to protect patient data but also violated state and federal laws governing data protection and breach notifications. Plaintiffs Lara and Cook, representing the class of over one hundred current and former patients affected by the breach, argue that Ernest Health's delayed notification deprived them of the opportunity to mitigate potential damages promptly. The exposed information places them at risk of identity theft and other harms, necessitating legal recourse to address the Ernest Health data breach and its repercussions.Decoding the Ernest Health Class Action Lawsuit
The Ernest Health class action lawsuit outlines various causes of action, including negligence, negligence per se under the FTC Act and HIPAA, and breach of implied contract, emphasizing Ernest Health's failure to fulfill its obligations in protecting patient information and mitigating damages resulting from the breach. In seeking relief, the plaintiffs and class members are pursuing certification of the case as a class action, along with declaratory and equitable relief, damages, coverage for attorneys' fees and costs, and other appropriate remedies deemed necessary by the court. With demands for a jury trial and a comprehensive legal strategy in place, plaintiffs aim to hold Ernest Health accountable for its role in the data breach and secure justice for those affected by the cyberattack. As the case unfolds, the Ernest Health lawsuit highlights the growing threat posed by cyberattacks on healthcare institutions. In a similar case, the recent cyberattack Change Healthcare is going to result in expenses of $1.6 billion this year. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.-
- ‘We Will be Attacked’: Cybersecurity Challenges Loom Over Paris Olympics 2024
‘We Will be Attacked’: Cybersecurity Challenges Loom Over Paris Olympics 2024
17 April 2024 at 04:13
Paris Olympics 2024 Cyberattack Risk and Precautions
With teams like Regul's stationed in high-tech rooms equipped with servers and monitoring screens, vigilance against any cyberattacks on Paris Olympics 2024. The Paris operations center even boasts a red alert system to signal the gravest dangers. Thus far, there have been no disruptions, but as the Olympics draw nearer, the frequency and severity of hacking attempts are expected to escalate dramatically. Unlike other organizations that are preparing for potential cyberattacks on Paris Olympics 2024 without a specific timeline, Regul's team knows precisely when to brace for impact: July and August. While security concerns at major events traditionally revolved around physical threats such as terrorism, digital intrusions have brought cyberattacks to the forefront of Olympic organizers' minds. To learn more about the risk of cyberattacks on the Paris Olympics 2024, The Cyber Express has reached out to the organization. Paris Olympics 2024 replied, stating that scammers are impersonating Paris 2024 to target unsuspecting victims.Scams and Cyberattacks on Paris Olympics 2024
A spokesperson for Paris Olympics 2024 further explained the full extent of cyberattacks and scams targeting the event. Among the ongoing scams, a fraudulent scheme has emerged, with scammers posing as representatives of Paris 2024 or On Location, employing deceptive tactics such as fake emails, sales materials, and legal documents to lure businesses into purported Olympic venue deals. The appeal for the Olympic and Paralympic Games is generating scam attempts by companies posing as Paris 2024 or On Location, the exclusive supplier of hospitality for Paris 2024, to offer fictitious services in connection or in relation with the Games", stated the spokesperson. These scammers target restaurants, shopkeepers, and others, promising slots at hypothetical Olympic venues during the Games and demanding deposits. Paris 2024 and On Location have taken legal action, filing criminal complaints for offenses including fraud, identity theft, and counterfeiting. Victims are encouraged to report incidents to the French police or contact the following addresses: integrityandenforcement@paris2024.org and alertfraud@onlocationexp.com. Paris 2024 emphasizes vigilance, urging individuals to reach out to designated email addresses for assistance if suspicious.The Paris Olympics 2024 Cybersecurity Plan
In a conversation with TCE, Paris Olympics 2024 emphasized the significance of the Olympic and Paralympic Games, highlighting them as unparalleled opportunities for a country's image enhancement. They acknowledged the vast audience of billions of television viewers and the multifaceted challenges they entail: technical, technological, and human. Addressing cybersecurity concerns, they outlined a comprehensive strategy built on three pillars: anticipation, coordination, and expertise. This strategy encompasses both the Organizing Committee's systems and those of their external suppliers and partners. By collaborating with government departments, the International Olympic Committee (IOC), and key partners like Atos, Cisco, and Orange, they aim to mitigate any cybersecurity risk during the games. "Our cybersecurity strategy covers both the systems directly under the responsibility of the Organizing Committee, and the external systems of our suppliers and partners, which means we are already preparing external partners to all the risks", said a Paris Olympics 2024 spokesperson. During the Games, various entities, including a Technology Operations Center (TOC), a Cybersecurity Operations Center (CSOC), and the National Strategic Command Center (CNCS), will operate in seamless coordination. These centers will bring together the expertise of the Paris 2024 cybersecurity team and their partners, establishing physical hubs in undisclosed locations around Paris.The Biggest Challenge for Cybersecurity Experts
The upcoming Paris Olympics 2024, which are expected to draw over 4 billion viewers, pose a substantial cybersecurity challenge. With ten million spectators, 20,000 journalists, and 15,000 athletes from 206 countries converging on Paris, the scale of the event magnifies the risk. The array of potential cyber threats includes cybercriminals, hacktivists, and even state-sponsored actors, all aiming to disrupt the Games. Their targets range from IT systems supporting press rooms and ticketing to stadium entry systems, TV broadcasts, and even the power supply to event venues. According to experts cited by The New York Times, hacking groups and nations like Russia, China, North Korea, and Iran possess sophisticated capabilities capable of crippling not only computer networks but also digital ticketing systems and event timing systems. The 2018 Pyeongchang Winter Olympics in South Korea serves as a stark reminder of the real-world implications of cyberattacks on major sporting events. A successful attack during the opening ceremony caused widespread disruption, with the Wi-Fi network failing, the official Olympics smartphone app malfunctioning, and broadcast drones being grounded. With the Paris Olympics 2024 drawing closer, the spotlight is on cybersecurity, highlighting the critical need for robust defenses against potential cyber threats that could undermine the integrity and smooth functioning of this global event. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.UNDP Hit by Cyberattack: HR and Procurement Data Breached
17 April 2024 at 03:09
The United Nations Development Programme (UNDP) finds itself at the center of a cybersecurity storm as it grapples with the aftermath of a recent cyberattack targeting its local IT infrastructure in UN City, Copenhagen. The agency informed about the cyberattack on UNDP by issuing an official notice on their website.
According to the notification, in the last week of March 2024, the UNDP received a troubling threat intelligence notification, revealing that a data-extortion actor had breached its systems, pilfering sensitive data including human resources and procurement information."On March 27, UNDP received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information," reads the notice.
[caption id="attachment_63166" align="aligncenter" width="1024"] Source: United Nations Development Programme[/caption]
Swift Response and Vigilance on Cyberattack on UNDP
Upon knowing the incident, UNDP swiftly sprang into action, initiating a series of urgent measures aimed at identifying the source of the data breach and mitigating its impact. Immediate steps were taken to isolate the affected server, with meticulous efforts underway to ascertain the precise nature and extent of the compromised data, as well as to identify individuals affected by the breach. The organization has maintained transparent communication with those impacted by the cyberattack on UNDP, empowering them to safeguard their personal information against potential misuse. Moreover, UNDP has embarked on a comprehensive outreach initiative to apprise its partners within the UN system about the incident, underlining its commitment to transparency and accountability in the face of adversity. UNDP is currently conducting a thorough assessment of the nature and scope of the cyber-attack, and we have maintained ongoing communication with those affected by the breach so they can take steps to protect their personal information from misuse. Additionally, we are continuing efforts to contact other stakeholders, including informing our partners across the UN system," informed Officials.Potential Impact of the UNDP Cyberattack
As the United Nations' lead agency on international development, UNDP occupies a pivotal role in shaping the global agenda for sustainable development. Operating in 170 countries and territories, the organization spearheads initiatives aimed at eradicating poverty, reducing inequality, and fostering inclusive growth. Through its multifaceted approach, UNDP empowers nations to develop robust policies, enhance leadership capabilities, forge strategic partnerships, and bolster institutional capacities, thereby accelerating progress towards the attainment of the Sustainable Development Goals (SDGs). Therefore, the ramifications of this cyberattack on UNDP extend far beyond the confines of its digital infrastructure. Given the organization's indispensable role in driving global development efforts, the breach poses significant implications for the continuity and efficacy of vital initiatives aimed at addressing pressing socio-economic challenges. The compromised data, encompassing sensitive human resources and procurement information, could potentially undermine the confidentiality and integrity of crucial operations, impeding UNDP's ability to deliver essential services and support to communities worldwide. Moreover, the breach may erode trust and confidence in UNDP's ability to safeguard sensitive information, jeopardizing its partnerships and collaborative endeavors with governments, civil society organizations, and other stakeholders. In the aftermath of this cyberattack, UNDP remains steadfast in its mission to advance the cause of global development, undeterred by the challenges posed by malicious cyber actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.UnitedHealth Beats Earnings Despite $1.6 Billion Cyberattack Hit
17 April 2024 at 02:51
The Aftermath of the Change Healthcare Cyberattack
[caption id="attachment_60476" align="alignnone" width="1000"] Source: Shutterstock[/caption]
The disruption caused by the cyberattack extended beyond financial transactions, leading to delays in claim submissions as healthcare providers grappled with manual paperwork due to the inability to access the Change Healthcare system.
In response to the crisis, UnitedHealth Group's CEO, Andrew Witty, assured stakeholders of the company's unwavering commitment to resolving the connectivity issues faced by care providers, emphasizing progress in addressing the fallout of the Change Healthcare cyberattack during a recent conference call discussing the company's financial results.
The impact of the cyberattack reverberated through UnitedHealth Group's financial performance in the first quarter of 2024, with total cyberattack-related costs amounting to $0.74 per share. Looking ahead, the company estimates a full-year impact ranging from $1.15 to $1.35 per share, encompassing both direct response costs and business disruption impacts.
Despite the challenges posed by the cyberattack, UnitedHealth Group reported robust first-quarter earnings, surpassing expectations. The company's revenues for the quarter surged by nearly $8 billion year-over-year to reach $99.8 billion, fueled by strong growth in its Optum and UnitedHealthcare segments.
Response to the UnitedHealth Group Cyberattack
While the Change Healthcare cyberattack did leave a notable dent in UnitedHealth Group's earnings from operations, which included $872 million in adverse effects, the company's adjusted earnings from operations remained resilient, excluding direct response costs attributed to the cyberattack. As per the latest press release, In light of the cyberattack's potential implications on claims receipt timing, UnitedHealth Group exercised prudence by allocating an additional $800 million towards claims reserves in the first quarter, reflecting a proactive approach to manage potential future impacts on its financial stability. Looking beyond the immediate financial repercussions, UnitedHealth Group remains focused on maintaining consistent care patterns and supporting its care providers through accommodations necessitated by the cyberattack, as evidenced by a medical care ratio of 84.3% in the first quarter of 2024. Despite the turbulence induced by the cyberattack on Change Healthcare, UnitedHealth Group reaffirmed its commitment to shareholder value by returning $4.8 billion through dividends and share repurchases in the first quarter. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Lessons from a Ransomware Attack against the British Library
29 March 2024 at 07:03
You might think that libraries are kind of boring, but this self-analysis of a 2023 ransomware and extortion attack against the British Library is anything but.
A Cyber Insurance Backstop
28 February 2024 at 07:02
In the first week of January, the pharmaceutical giant Merck quietly settled its years-long lawsuit over whether or not its property and casualty insurers would cover a $700 million claim filed after the devastating NotPetya cyberattack in 2017. The malware ultimately infected more than 40,000 of Merck’s computers, which significantly disrupted the company’s drug and vaccine production. After Merck filed its $700 million claim, the pharmaceutical giant’s insurers argued that they were not required to cover the malware’s damage because the cyberattack was widely attributed to the Russian government and therefore was excluded from standard property and casualty insurance coverage as a “hostile or warlike act.”
At the heart of the lawsuit was a crucial question: Who should pay for massive, state-sponsored cyberattacks that cause billions of dollars’ worth of damage?
One possible solution, touted by former Department of Homeland Security Secretary Michael Chertoff on a recent podcast, would be for the federal government to step in and help pay for these sorts of attacks by providing a cyber insurance backstop. A cyber insurance backstop would provide a means for insurers to receive financial support from the federal government in the event that there was a catastrophic cyberattack that caused so much financial damage that the insurers could not afford to cover all of it.
In his discussion of a potential backstop, Chertoff specifically references the Terrorism Risk Insurance Act (TRIA) as a model. TRIA was passed in 2002 to provide financial assistance to the insurers who were reeling from covering the costs of the Sept. 11, 2001, terrorist attacks. It also created the Terrorism Risk Insurance Program (TRIP), a public-private system of compensation for some terrorism insurance claims. The 9/11 attacks cost insurers and reinsurers $47 billion. It was one of the most expensive insured events in history and prompted many insurers to stop offering terrorism coverage, while others raised the premiums for such policies significantly, making them prohibitively expensive for many businesses. The government passed TRIA to provide support for insurers in the event of another terrorist attack, so that they would be willing to offer terrorism coverage again at reasonable rates. President Biden’s 2023 National Cybersecurity Strategy tasked the Treasury and Homeland Security Departments with investigating possible ways of implementing something similar for large cyberattacks.
There is a growing (and unsurprising) consensus among insurers in favor of the creation and implementation of a federal cyber insurance backstop. Like terrorist attacks, catastrophic cyberattacks are difficult for insurers to predict or model because there is not very good historical data about them—and even if there were, it’s not clear that past patterns of cyberattacks will dictate future ones. What’s more, cyberattacks could cost insurers astronomic sums of money, especially if all of their policyholders were simultaneously affected by the same attack. However, despite this consensus and the fact that this idea of the government acting as the “insurer of last resort” was first floated more than a decade ago, actually developing a sound, thorough proposal for a backstop has proved to be much more challenging than many insurers and policymakers anticipated.
One major point of issue is determining a threshold for what types of cyberattacks should trigger a backstop. Specific characteristics of cyberattacks—such as who perpetrated the attack, the motive behind it, and total damage it has caused—are often exceedingly difficult to determine. Therefore, even if policymakers could agree on what types of attacks they think the government should pay for based on these characteristics, they likely won’t be able to calculate which incursions actually qualify for assistance.
For instance, NotPetya is estimated to have caused more than $10 billion in damage worldwide, but the quantifiable amount of damage it actually did is unknown. The attack caused such a wide variety of disruptions in so many different industries, many of which likely went unreported since many companies had no incentive to publicize their security failings and were not required to do so. Observers do, however, have a pretty good idea who was behind the NotPetya attack because several governments, including the United States and the United Kingdom, issued coordinated statements blaming the Russian military. As for the motive behind NotPetya, the program was initially transmitted through Ukrainian accounting software, which suggests that it was intended to target Ukrainian critical infrastructure. But notably, this type of coordinated, consensus-based attribution to a specific government is relatively rare when it comes to cyberattacks. Future attacks are not likely to receive the same determination.
In the absence of a government backstop, the insurance industry has begun to carve out larger and larger exceptions to their standard cyber coverage. For example, in a pair of rulings against Merck’s insurers, judges in New Jersey ruled that the insurance exclusions for “hostile or warlike acts” (such as the one in Merck’s property policy that excluded coverage for “loss or damage caused by hostile or warlike action in time of peace or war by any government or sovereign power”) were not sufficiently specific to encompass a cyberattack such as NotPetya that did not involve the use of traditional force.
Accordingly, insurers such as Lloyd’s have begun to change their policy language to explicitly exclude broad swaths of cyberattacks that are perpetrated by nation-states. In an August 2022 bulletin, Lloyd’s instructed its underwriters to exclude from all cyber insurance policies not just losses arising from war but also “losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.” Other insurers, such as Chubb, have tried to avoid tricky questions about attribution by suggesting a government response-based exclusion for war that only applies if a government responds to a cyberattack by authorizing the use of force. Chubb has also introduced explicit definitions for cyberattacks that pose a “systemic risk” or impact multiple entities simultaneously. But most of this language has not yet been tested by insurers trying to deny claims. No one, including the companies buying the policies with these exclusions written into them, really knows exactly which types of cyberattacks they exclude. It’s not clear what types of cyberattacks courts will recognize as being state-sponsored, or posing systemic risks, or significantly impairing the ability of a state to function. And for the policyholders’ whose insurance exclusions feature this sort of language, it matters a great deal how that language in their exclusions will be parsed and understood by courts adjudicating claim disputes.
These types of recent exclusions leave a large hole in companies’ coverage for cyber risks, placing even more pressure on the government to help. One of the reasons Chertoff gives for why the backstop is important is to help clarify for organizations what cyber risk-related costs they are and are not responsible for. That clarity will require very specific definitions of what types of cyberattacks the government will and will not pay for. And as the insurers know, it can be quite difficult to anticipate what the next catastrophic cyberattack will look like or how to craft a policy that will enable the government to pay only for a narrow slice of cyberattacks in a varied and unpredictable threat landscape. Get this wrong, and the government will end up writing some very large checks.
And in comparison to insurers’ coverage of terrorist attacks, large-scale cyberattacks are much more common and affect far more organizations, which makes it a far more costly risk that no one wants to take on. Organizations don’t want to—that’s why they buy insurance. Insurance companies don’t want to—that’s why they look to the government for assistance. But, so far, the U.S. government doesn’t want to take on the risk, either.
It is safe to assume, however, that regardless of whether a formal backstop is established, the federal government would step in and help pay for a sufficiently catastrophic cyberattack. If the electric grid went down nationwide, for instance, the U.S. government would certainly help cover the resulting costs. It’s possible to imagine any number of catastrophic scenarios in which an ad hoc backstop would be implemented hastily to help address massive costs and catastrophic damage, but that’s not primarily what insurers and their policyholders are looking for. They want some reassurance and clarity up front about what types of incidents the government will help pay for. But to provide that kind of promise in advance, the government likely would have to pair it with some security requirements, such as implementing multifactor authentication, strong encryption, or intrusion detection systems. Otherwise, they create a moral hazard problem, where companies may decide they can invest less in security knowing that the government will bail them out if they are the victims of a really expensive attack.
The U.S. government has been looking into the issue for a while, though, even before the 2023 National Cybersecurity Strategy was released. In 2022, for instance, the Federal Insurance Office in the Treasury Department published a Request for Comment on a “Potential Federal Insurance Response to Catastrophic Cyber Incidents.” The responses recommended a variety of different possible backstop models, ranging from expanding TRIP to encompass certain catastrophic cyber incidents, to creating a new structure similar to the National Flood Insurance Program that helps underwrite flood insurance, to trying a public-private partnership backstop model similar to the United Kingdom’s Pool Re program.
Many of these responses rightly noted that while it might eventually make sense to have some federal backstop, implementing such a program immediately might be premature. University of Edinburgh Professor Daniel Woods, for example, made a compelling case for why it was too soon to institute a backstop in Lawfare last year. Woods wrote,
One might argue similarly that a cyber insurance backstop would subsidize those companies whose security posture creates the potential for cyber catastrophe, such as the NotPetya attack that caused $10 billion in damage. Infection in this instance could have been prevented by basic cyber hygiene. Why should companies that do not employ basic cyber hygiene be subsidized by industry peers? The argument is even less clear for a taxpayer-funded subsidy.
The answer is to ensure that a backstop applies only to companies that follow basic cyber hygiene guidelines, or to insurers who require those hygiene measures of their policyholders. These are the types of controls many are familiar with: complicated passwords, app-based two-factor authentication, antivirus programs, and warning labels on emails. But this is easier said than done. To a surprising extent, it is difficult to know which security controls really work to improve companies’ cybersecurity. Scholars know what they think works: strong encryption, multifactor authentication, regular software updates, and automated backups. But there is not anywhere near as much empirical evidence as there ought to be about how effective these measures are in different implementations, or how much they reduce a company’s exposure to cyber risk.
This is largely due to companies’ reluctance to share detailed, quantitative information about cybersecurity incidents because any such information may be used to criticize their security posture or, even worse, as evidence for a government investigation or class-action lawsuit. And when insurers and regulators alike try to gather that data, they often run into legal roadblocks because these investigations are often run by lawyers who claim that the results are shielded by attorney-client privilege or work product doctrine. In some cases, companies don’t write down their findings at all to avoid the possibility of its being used against them in court. Without this data, it’s difficult for insurers to be confident that what they’re requiring of their policyholders will really work to improve those policyholders’ security and decrease their claims for cybersecurity-related incidents under their policies. Similarly, it’s hard for the federal government to be confident that they can impose requirements for a backstop that will actually raise the level of cybersecurity hygiene nationwide.
The key to managing cyber risks—both large and small—and designing a cyber backstop is determining what security practices can effectively mitigate the impact of these attacks. If there were data showing which controls work, insurers could then require that their policyholders use them, in the same way they require policyholders to install smoke detectors or burglar alarms. Similarly, if the government had better data about which security tools actually work, it could establish a backstop that applied only to victims who have used those tools as safeguards. The goal of this effort, of course, is to improve organizations’ overall cybersecurity in addition to providing financial assistance.
There are a number of ways this data could be collected. Insurers could do it through their claims databases and then aggregate that data across carriers to policymakers. They did this for car safety measures starting in the 1950s, when a group of insurance associations founded the Insurance Institute for Highway Safety. The government could use its increasing reporting authorities, for instance under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, to require that companies report data about cybersecurity incidents, including which countermeasures were in place and the root causes of the incidents. Or the government could establish an entirely new entity in the form of a Bureau for Cyber Statistics that would be devoted to collecting and analyzing this type of data.
Scholars and policymakers can’t design a cyber backstop until this data is collected and studied to determine what works best for cybersecurity. More broadly, organizations’ cybersecurity cannot improve until more is known about the threat landscape and the most effective tools for managing cyber risk.
If the cybersecurity community doesn’t pause to gather that data first, then it will never be able to meaningfully strengthen companies’ security postures against large-scale cyberattacks, and insurers and government officials will just keep passing the buck back and forth, while the victims are left to pay for those attacks themselves.
This essay was written with Josephine Wolff, and was originally published in Lawfare.
