Normal view
- Cybersecurity News and Magazine
- California Privacy Watchdog Inks Deal with French Counterpart to Strengthen Data Privacy Protections
- Cybersecurity News and Magazine
- Credit Suisse Data Breach Allegedly Exposes Info of 19,000 Indian Employees
Credit Suisse Data Breach Allegedly Exposes Info of 19,000 Indian Employees
Credit Suisse Data Breach Details
Credit Suisse was founded in 1856 and has approximately $15.21 Billion in revenue. It is one of the leading institutions in private banking and asset management, with strong expertise in investment banking. On June 25, 2024, the threat actor claimed to have carried out a cyberattack on the bank and exfiltrated details on 19,000 of its users. [caption id="attachment_79024" align="alignnone" width="1622"] Source: X[/caption] The breached data purportedly includes names of employees, 6,623 unique email addresses, their codes, date of birth, gender, policy name, relationships, dates of joining, effective dates, statuses, and entities. To substantiate the claim, the threat actor 888 provided a sample of the data breach, which contains details of Credit Suisse employees in India. [caption id="attachment_79025" align="alignnone" width="1362"] Source: X[/caption] The TA, however, did not provide a specific price for the sale of data and has requested potential buyers to quote a figure. The hacker commented that they are only accepting cryptocurrency as the mode of payment. More specifically, the hacker was open to payment on Monero (XMR), a digital currency renowned for its privacy and anonymity attributes. This method of payment is often utilized in illegal transactions to evade detection. Despite these claims by the threat actor, a closer inspection reveals that the bank’s website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to the bank to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.Not the First Credit Suisse Data Breach
This is not the first time that Credit Suisse has been involved in a security breach. According to a report published in The Economic Times, in 2023, the bank warned its staff that a former employee stole personal data of its employees, including salaries and bonuses. The information included salary and "variable compensation" for a period between 2013 and 2015. Another Bloomberg report said that a data breach in 2023 impacted numerous former Credit Suisse clients who collectively held a staggering $100 billion in accounts.Credit Suisse Hacker Targeted Big Multinationals Recently
There are many concerns over the potential misuse of sensitive information found in the data breach, which includes customer names, dates of birth, and relationships. Credit Suisse should investigate the data breach claims considering the history of the threat actor. Earlier this month, the TA 888 claimed to have stolen data of over 32,000 current and former employees of Accenture. The company, however, denied the claims and said that the data set published by the hacker had only three employee names and email addresses. The hacker also claimed responsibility for leaking details about 8,174 employees of Heineken across several countries. Prior to this, 888 also staked claims for an attack on oil and gas multinational Shell. The TA posted sample information sharing personal details of Australian customers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.LockBit Claims Breaching the US Federal Reserve but Fails to Prove It
On June 23rd, LockBit announced breaching the US Federal Reserve System, while security experts remained skeptical. The Russian threat group claimed to exfiltrate 33 terabytes of banking information from the USA’s central bank servers. They also threatened to publish the data in the following 48 hours unless the victims would pay ransom. Source – Cybernews.com […]
The post LockBit Claims Breaching the US Federal Reserve but Fails to Prove It appeared first on Heimdal Security Blog.
GrimResource Technique Exploits Years-Old Unpatched Windows XSS Flaw
New GrimResource technique exploits a 2018-old, unpatched, Windows XSS flaw and crafted MSC files to deploy malware via the Microsoft Management Console (MMC). Researchers detected the new exploitation technique in the wild on June 6th, 2024. Exploiting the Microsoft Management Console could enable hackers to evade security measures and gain initial access. Although researchers reported […]
The post GrimResource Technique Exploits Years-Old Unpatched Windows XSS Flaw appeared first on Heimdal Security Blog.
- Cybersecurity News and Magazine
- BianLian Ransomware Targets Better Business Bureau, US Dermatology Partners
BianLian Ransomware Targets Better Business Bureau, US Dermatology Partners
BianLian Ransomware Attack: Critical Details
The first organization targeted by hackers was Better Business Bureau (BBB), which is a private, nonprofit organization founded in 1912 in Arlington, Virginia. The firm maintains a massive database of accredited and non-accredited businesses, providing ratings based on several factors. The Better Business Bureau has a revenue of $430.6 Million. [caption id="attachment_79001" align="alignnone" width="1259"] Source: X[/caption] The threat actor claims to have accessed 1.2 TB of organization data, including accounting, budget, and financial data; contract data and NDAs; files from the CFO's computer; operational and business files; and email and PST archives. The group has also disclosed sensitive information such as the names, personal email addresses, and phone numbers of BBB’s CEO, vice president, chief accreditation officer, and chief activation officer. The other organization that has allegedly fallen victim to the ransomware group is US Dermatology Partners. The organization, with a revenue of $213.7 Million, is one of the premier dermatology practitioners in the USA, caring for over two million patients annually. [caption id="attachment_79002" align="alignnone" width="1259"] Source: X[/caption] The hackers claimed to have accessed 300 GB of organization data, including personal data, accounting and budget information, financial data, contract data and NDAs, and employee profiles.Potential Impact of BianLian Ransomware Attack
If proven, the potential consequences of this ransomware attack could be critical as the accounting and financial details of both these firms could be leaked. The organizations should take appropriate measures to protect the privacy and security of the stakeholders involved. Financial data breaches can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company’s standing in the industry. Currently, details regarding the extent of the BianLian ransomware attack, data compromise, and the motive behind the cyber assault remain undisclosed. Despite the claims made by BianLian, the official websites of the targeted companies remain fully functional. This discrepancy has raised doubts about the authenticity of the BianLian group’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the officials of the affected organizations. As of the writing of this news report, no response has been received, leaving the ransomware attack claim unverified.History of BianLian Ransomware Group Attacks
BianLian, a ransomware group, has been targeting critical infrastructure sectors in the U.S. and Australia since June 2022. They exploit RDP credentials, use open-source tools for discovery, and extort data via FTP or Rclone. FBI, CISA, and ACSC advise implementing mitigation strategies to prevent ransomware attacks. Initially employing a double-extortion model, they shifted to exfiltration-based extortion by 2023. According to a report by BlackBerry, BianLian ransomware showcases exceptional encryption speed and is coded in the Go programming language (Golang). This sophisticated approach has enabled the group to strike multiple organizations, leaving a trail of unverified claims in its wake. Earlier in 2024, the group targeted companies such as North Star Tax and Accounting, KC Pharmaceuticals, Martinaire. In its attack on MOOver, the group claimed to have accessed a staggering 1.1 terabytes of the firm’s data. Subsequently, Northeast Spine and Sports Medicine also found themselves on the list of victims. All these claims, similar to the recent attack, remain unverified. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- BSNL Data Breached Yet Again? Millions of Users Face Risk of SIM Card Cloning, Financial Fraud
BSNL Data Breached Yet Again? Millions of Users Face Risk of SIM Card Cloning, Financial Fraud
Exploring Claims of BSNL Data Breach
The BSNL data leak was first disclosed by an Indian firm, Athenian Tech, in its threat intelligence report. According to the report, a threat actor, operating under the alias “kiberphant0m”, leaked a significant amount of sensitive data affecting millions of users. The threat actor posted this information on the data hack site BreachForums and shared samples of the breach to legitimize the claim. Overall, around 278GB of sensitive information could be compromised. The hacker also posted details of call log samples which leaked sensitive information like mobile numbers of users, the date and duration of calls, and the amount charged for the call in Indian Rupees. The call log samples were being leaked in two sets: one for the month of May 2024 and another from 2020. This indicates that the data breach was a recent attack raising questions over the security checks in place at BSNL. The threat actor was selling the alleged stolen data for $5,000. The steep price tag could indicate the significant value of the stolen data which is sensitive. The Cyber Express has yet to verify the authenticity of the recent BSNL data breach and has contacted the organization for an official response. This article will be updated based on their response.Potential Implications of BSNL Data Breach
- SIM Cloning and Identity Theft: Cloning a SIM involves creating a duplicate card that has the same IMSI and authentication keys, thus making it easy for the attackers to intercept messages/ calls, gain access to people’s bank accounts, and embezzle their finances.
- Privacy Violations: Identity theft means that one can gain unauthorized access to the individuals’ communication and breaches.
- Financial and Identity Theft: Illegal operations can defeat protective procedures in the financial portfolios, which entail substantial monetary losses and cases of identity theft.
- Targeted Attacks and Scams: The user could be exposed to major security risks and could be vulnerable to phishing schemes and other social engineering attacks, exploiting their trust in BSNL.
Second BSNL Data Breach in Less Than Six Months
If the data theft claims are proven, it would be the second instance of a cyberattack on BSNL in less than six months. In December 2023, a threat actor known as “Perell” claimed access to critical information about fiber and landline users of BSNL. The dataset contained about 32,000 lines of data allegedly impacting over 2.9 million users. However, BSNL did not validate the claims back then. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Don’t Fall for Fake Recovery: FBI Warns of Cryptocurrency Scam
Cryptocurrency Scam: Emerging Criminal Tactic
The FBI's announcement aims to inform the public about a new criminal tactic designed to exploit cryptocurrency scam victims further. Using social media and other messaging platforms, fraudsters posing as lawyers from fictitious law firms are contacting scam victims and offering their services. These "lawyers" claim they have the authority to investigate fund recovery cases and often assert that they are working with, or have received information from, the FBI, Consumer Financial Protection Bureau (CFPB), or other government agencies to validate their legitimacy. In some instances, victims have reached out to these scammers through fake websites that appear legitimate, hoping to recover their lost funds. The scammers use various methods to further the recovery scam, including:- Verification Requests: They ask victims to verify their identities by providing personal identifying information or banking details.
- Judgment Amount Requests: They request that victims provide a judgment amount they are seeking from the initial fraudster.
- Upfront Fees: They demand a portion of the fees upfront, with the balance due upon recovery of the funds.
- Additional Payments: They direct victims to make payments for back taxes and other fees purportedly necessary to recover their funds.
- Credibility Building: They reference actual financial institutions and money exchanges to build credibility and further their schemes.
Tips to Protect Yourself
The FBI offers several tips to help individuals protect themselves from falling victim to these scams:- Be Wary of Advertisements: Be cautious of advertisements for cryptocurrency recovery services. Research the advertised company thoroughly and be suspicious if the company uses vague language, has a minimal online presence, and makes unrealistic promises about its ability to recover funds.
- Do Not Release Information: If an unknown individual contacts you claiming to be able to recover stolen cryptocurrency, do not release any financial or personal identifying information, and do not send money.
- No Fees from Law Enforcement: Remember that law enforcement does not charge victims a fee for investigating crimes. If someone claims an affiliation with the FBI, contact your local FBI field office to confirm their legitimacy.
Victim Reporting
The FBI urges victims to file a report with the Internet Crime Complaint Center. When filing a report, try to include the following information:- Contact Information: Details about how the individual initially contacted you and how they identified themselves, including name, phone number, address, email address, and username.
- Financial Transaction Information: Details such as the date, type of payment, amount, account numbers involved (including cryptocurrency addresses), name and address of the receiving financial institution, and receiving cryptocurrency addresses.
- Cybersecurity News and Magazine
- Cyble Recognized in Attack Surface Management Solutions Landscape Report
Cyble Recognized in Attack Surface Management Solutions Landscape Report
Key Capabilities of Cyble Vision X include:
- Attack Surface Management: Ensures digital security by identifying and mitigating threats.
- Brand Intelligence: Comprehensive protection against online brand abuse, including brand impersonation, phishing, and fraudulent domains.
- Cyber Threat Intelligence: Helps organizations gain insights and enhance their defense with AI-driven analysis and continuous threat monitoring.
- Dark Web and Cyber Crime Monitoring: Helps organizations stay vigilant and ahead of cybercriminals
- Third-Party Risk Management (TPRM): Helps organizations identify, assess, and mitigate risks that may arise from a business's interactions with third parties.
- Cybersecurity News and Magazine
- Cyber Attack Forces South Africa’s National Health Laboratory Service To Shut Down Systems
Cyber Attack Forces South Africa’s National Health Laboratory Service To Shut Down Systems
Impact on South Africa's National Health Laboratory Service
NHLS Chief Executive Officer Prof Koleka Mlisana informed staff of the incident in a memo, stating that the breach had caused damage and that the organization was treating the matter with extreme urgency and concern. Milsana stated, “I regret to inform you that our IT systems are unavailable due to a suspected incident that occurred over the weekend.” Mlisana assured staff that the organization's Incident Response Team was working around the clock to determine the scope of the intrusion and deploy the necessary safeguards to secure systems and data. The NHLS has implemented its "Downtime Protocol" to minimize disruption to services, prioritizing patients' samples and processing, with results communicated directly to clinicians whenever urgent. The cyber attack comes at a critical time for South Africa's healthcare system. The country is currently grappling with a Mpox outbreak, and the NHLS was already facing a significant backlog in toxicology tests as of March. The shutdown of IT systems is likely to exacerbate these challenges. Mzi Gcukumana, the NHLS Communication, Marketing, and PR officer, disclosed: “Preliminary investigation suggests that our Enterprise Resource Planning (Oracle) environment, Laboratory Information System (LIS) (TrakCare) database, and CDW are not affected. Therefore, no patient data has been lost or compromised. All patient data is safe."Response and Recovery Efforts
“Please rest assured that our priority focus is on data security. We are determined to solve this issue swiftly and transparently,” Milsana stated to patients. In response to the breach, the NHLS has deployed its Incident Response Team to assess the scope of the intrusion and implement necessary safeguards. Mlisana assured staff that the team is working around the clock to secure systems and data. “I want to take this opportunity to thank you in advance as we all put in our efforts to ensure that disruption to our services is minimised,” Milsana added. The NHLS had determined that that certain sections of its systems, including its backup server were deleted, requiring the rebuilding of affected systems. Gcukumana stated, “All users will be aware that the NHLS networked laboratory system is heavily reliant on these information technology systems that have been disrupted.” He added, “Unfortunately, this will take time, and investigations thus far have not advanced enough for us to give a timeframe for the restoration of our systems and full service. All stakeholders and the public will be informed as soon as more information becomes available.” The National Department of Health, which oversees the NHLS, has been informed of the incident. A spokesperson for the department called for patience as efforts to resolve the issue continue. As the investigation unfolds, the NHLS has promised regular updates on the compromise and ongoing response activities. The organization emphasizes its commitment to data security and swift, transparent resolution of the issue. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Russian Hackers Target Ukraine with XWorm RAT Malware Payload
Technical Overview of XWorm RAT Campaign
The campaign begins with a malicious LNK shortcut file, disguised as a legitimate Excel document, which executes a PowerShell script upon execution. The script downloads two files, "pkg.zip" and "NewCopy.xlsx", from a specified URL. The LNK shortcut file then executes "pythonw.exe" using the start command, which duplicates files and stores them in a new folder. The "pythonw.exe" loads a malicious DLL, "python310.dll", through DLL sideloading, injecting shellcode into the MSBuild process. [caption id="attachment_78917" align="alignnone" width="1529"] Source: Cyble[/caption] The hackers use a technique called DLL sideloading, where a malicious library file masquerades as a legitimate one. This allows the attackers to run their code under the guise of trusted software. Additionally, they employ a tool called Shadowloader to inject the XWorm RAT into a running process, further obscuring its presence. The XWorm RAT is then executed, offering a range of capabilities, including data theft, DDoS attacks, and cryptocurrency address manipulation. The malware attempts to connect to a Command-and-Control (C&C) server, but at the time of analysis, the server was inactive, resulting in no observed malicious activities. [caption id="attachment_78919" align="alignnone" width="537"] Source: Cyble[/caption] While the initial infection vector remains unclear, researchers suspect phishing emails may play a role. The intended victim could not be ascertained from accessing the the Excel lure used in the campaign. CRIL researchers had previously observed the UAC-0184 threat actor group employing lures tailored to appeal to Ukrainian targets, often mimicking official government or utility communications.Protecting Against XWorm RAT
The XWorm RAT malware employed in the campaign is designed to be easily accessible even to to threat actors lacking sophistication and technical expertise. The versatile malware offers several functionalities, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble researchers have recommended several measures to defend against this campaign:- Implement strong email filtering to block malicious attachments.
- Exercise caution with email attachments, especially from unknown senders.
- Limit execution of scripting languages where possible.
- Use application whitelisting to control which programs can run.
- Deploy robust antivirus and anti-malware solutions.
- Enforce strong, unique passwords and two-factor authentication.
- Monitor networks for unusual activity or data exfiltration attempts.
GrimResource: New Microsoft Management Console Attack Found in Wild
GrimResource Attack Uses Old XSS Flaw
GrimResource is a “a novel, in-the-wild code execution technique leveraging specially crafted MSC files,” the researchers wrote. “GrimResource allows attackers to execute arbitrary code in Microsoft Management Console (mmc.exe) with minimal security warnings, ideal for gaining initial access and evading defenses.” The key to the attack technique is an old XSS flaw present in the apds.dll library. “By adding a reference to the vulnerable APDS resource in the appropriate StringTable section of a crafted MSC file, attackers can execute arbitrary javascript in the context of mmc.exe,” they said. Attackers can combine the technique with DotNetToJScript to gain arbitrary code execution. The sample begins with a TransformNode obfuscation technique, which was recently reported by open source tool developer Philippe Lagadec in unrelated macro samples. The obfuscation technique helps evade ActiveX security warnings and leads to an obfuscated embedded VBScript, which sets the target payload in a series of environment variables before leveraging the DotNetToJs technique to execute an embedded .NET loader. The researchers named that component PASTALOADER. PASTALOADER retrieves the payload from environment variables set by the VBScript and “spawns a new instance of dllhost.exe and injects the payload into it. This is done in a deliberately stealthy manner using the DirtyCLR technique, function unhooking, and indirect syscalls. In this sample, the final payload is Cobalt Strike.” Using the DotNetToJScript technique triggers another detection looking for RWX memory allocation from .NET on behalf of a Windows Script Host (WSH) script engine. The researchers created a rule in Elastic’s Event Query Language (EQL) to detect execution via the .NET loader.GrimResource Detection Rules Provided
Those detections can be bypassed with stealthier methods, the researchers noted: Using apds.dll to execute Jscript via XSS, which can create detectable artifacts in the mmc.exe Procmon output as a CreateFile operation (apds.dll is not loaded as a library), and the creation of a temporary HTML file in the INetCache folder, named redirect[*] as a result of the APDS XSS redirection. In addition to EQL rules, the researchers also provided a YARA detection rule: [caption id="attachment_78894" align="alignnone" width="500"] GrimResource YARA detection rule (source: Elastic Security Labs)[/caption] “Defenders should leverage our detection guidance to protect themselves and their customers from this technique before it proliferates into commodity threat groups,” the researchers warned.CISA: Hackers Breached Chemical Facilities’ Data in January
Potential Data Compromised in Chemical Facilities' Targeting
CISA's investigation found no direct evidence of data exfiltration but indicated that the hackers might have accessed critical information such as site security plans, security vulnerability assessments (SVAs), and user accounts within CSAT. Additionally, "Top-Screen surveys," which detail the types and quantities of chemicals, their properties, and storage methods at facilities, might have been exposed. High-risk chemical facilities are mandated to submit SVAs outlining their critical assets, cyber and physical security policies, and an analysis of potential vulnerabilities. Other compromised documents could include details on cybersecurity measures, alarms and physical barriers in place at these facilities.CISA's Response and Recommendations
CISA has informed participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the potential data exposure. Although no credentials were confirmed to be stolen, CISA advises those with CSAT accounts reset any identical business or personal passwords. They also recommend organizations using Ivanti products review a February advisory about recent vulnerabilities. The agency cannot directly notify individuals submitted for terrorist vetting under the CFATS Personnel Surety Program because it did not collect their contact information. However, identity protection services will be offered to those affected, specifically those vetted between December 2015 and July 2023.Investigation Findings
The breach was detected on January 26, when CISA discovered hackers installing tools on an Ivanti device. Further investigation revealed multiple accesses to the system over two days. Various departments within CISA and the Department of Homeland Security (DHS) were involved in the investigation, which confirmed no hacker access beyond the initial Ivanti device. Despite the absence of evidence for data exfiltration, the potential risk to numerous individuals and organizations categorized this intrusion as a "major incident" under the Federal Information Security Modernization Act (FISMA). CISA is setting up a call center to assist impacted individuals, although it is not yet operational. The agency did not comment on the perpetrators of the attack, but since 2020, CISA has cautioned organizations about state-sponsored hackers, including those linked to China, exploiting vulnerabilities in Ivanti products.Experts Say More Transparency Required
Roger Grimes, a data-driven defense evangelist at KnowBe4, lauded CISA's intent and the fact that it publicly accepted the hack but said a bit more transparency would have done no harm.
"I'm a big fan of CISA. I think they do wonderful work. Still, it would be useful to have better, full transparency," Grimes told The Cyber Express. "Was their Ivanti device exploited by an unpatched, but known vulnerability, or exploited by a 0-day? If they were exploited by a known vulnerability where a patch was available, which is more likely, why wasn't the patch installed? Was it simply due to the fact that the exploit happened faster than the patch could be applied? Was the patch missed? If the patch was missed, why? Or was it a 0-day, misconfiguration, or credential compromise?"
"This is not to embarrass CISA, but to learn why one of the best, most aggressive patch-pushing, cyber-defending organizations in the world got compromised," Grimes added. "Sharing what happened and why can help other organizations facing similar problems and challenges learn lessons.
"CISA is always pushing for other industries and vendors to be more transparent about their compromises so that we can all learn from the lessons and mistakes. I expect CISA to do the same and even lead by example when it's their infrastructure involved."
EU Issues New Sanctions Against Russia-Linked Threat Actors
Russian Military Intelligence and FSB Operative Sanctions
The sanctions will take effect following publication in the Official Journal of the European Union. The council document justified the new sanctions as measures in response to the ongoing war between Russia and Ukraine and its resulting cyber activities:The use of cyber operations that have enabled and accompanied Russia’s unprovoked and unjustified war of aggression against Ukraine affects global stability and security, represents an important risk of escalation, and adds to the already significant increase of malicious cyber activities outside the context of armed conflict over recent years. The growing cybersecurity risks and an overall complex cyber threat landscape, with a clear risk of rapid spill-over of cyber incidents from one Member State to others, and from third countries to the Union, further call for restrictive measures under Decision (CFSP) 2019/797.Among those sanctioned are Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, both identified as members of the "Callisto group" linked to Russian military intelligence. The group, also known as "Seaborgium" or "Star Blizzard," is accused of conducting multi-year phishing campaigns to steal credentials and data, targeting individuals and critical state functions in defense and foreign relations. Two Ukrainian nationals, Oleksandr Sklianko and Mykola Chernykh, were sanctioned for their involvement in the "Armageddon" hacker group, allegedly supported by Russia's Federal Security Service (FSB). The group was found carrying out cyberattacks against the Ukrainian government and EU member states using phishing emails and malware campaigns.
Wizard Spider Threat Group Members Sanctioned
The EU also targeted two key players in the Russia-based threat group Wizard Spider: Mikhail Mikhailovich Tsarev and Maksim Sergeevich Galochkin. Both are implicated in deploying the "Conti" and "Trickbot" malware programs, which have caused substantial economic damage in the EU through ransomware campaigns targeting essential services such as healthcare, banking and defense. The EU Council has emphasized the need to protect these vital sectors from cyber threats, which can have devastating consequences for individuals, businesses, and societies as a whole. The Council said the sanctions imposed on these six individuals are a clear message that the EU will not tolerate malicious cyber activities that threaten its security, economy, and democracy. The Council document stated:"As part of the sustained, tailored and coordinated Union action against persistent cyber threat actors, six natural persons should be included in the list of natural and legal persons, entities and bodies subject to restrictive measures set out in the Annex to Decision (CFSP) 2019/797. Those persons are responsible for, or were involved in, cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States."The sanctions demonstrate that the EU will continue to work closely with its Member States, international partners, and other stakeholders to address the growing cybersecurity threat landscape escalated by geopolitical tensions. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
- Cybersecurity News and Magazine
- BlackBasta Ransomware Gang Claims Cyberattack on Key Benefit Administrators, Scrubs & Beyond
BlackBasta Ransomware Gang Claims Cyberattack on Key Benefit Administrators, Scrubs & Beyond
Decoding BlackBasta Ransomware's Alleged Attack
The first organization targeted by BlackBasta is Key Benefit Administrators, Inc., which offers financial services. The company provides employment benefit services that manages pension, retirement, health, and welfare funds. BlackBasta claims to have access to 2.5TB of sensitive data of the firm, including client, executive, and employee info. [caption id="attachment_78852" align="alignnone" width="1247"] Source: Ransomware.live[/caption] The other organization targeted by the ransomware group is Scrubs & Beyond, which is the largest retailer of healthcare apparel and accessories in the U.S. The ransomware crew claims to have accessed 600GB of the organization’s sensitive data, including HR, employee, and departmental files. [caption id="attachment_78853" align="alignnone" width="1238"] Source: Ransomware.live[/caption] Until an official statement is released by the two firms, the facts behind the BlackBasta ransomware attack claim will likely remain elusive. If BlackBasta's claims are proven true, the implications could be significant. The compromise of sensitive legal information and client data could have broad consequences, not only for the firms concerned but also for its clients and partners.How Does BlackBasta Group Operate?
BlackBasta is a highly active ransomware group that has quickly gained a reputation for targeting high-value organizations across various industries. BlackBasta typically uses sophisticated phishing campaigns, and exploits known vulnerabilities in software to obtain access to their targets' systems. After gaining access, the group encrypts critical data and demands hefty ransoms for its release.Previous Attacks By BlackBasta
A recent joint security advisory from the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) stated that Black Basta has, through its affiliates, compromised more than 500 organizations all over the world. The victims include organizations that span 12 of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) sector. A few of BlackBasta’s victims include Microsoft, Hyundai Europe, Capita, The American Dental Association, Yellow Pages Canada, and Dish, among others.How to Protect Against Ransomware
The ever-present threat of ransomware requires vigilant cybersecurity practices by consumers and organizations alike. Keeping software and operating systems up-to-date: Many ransomware attacks exploit vulnerabilities in outdated software and operating systems. By keeping software and operating systems up-to-date, you can minimize the possibility of a ransomware attack. Backing up important data: If your files are encrypted by ransomware, you may be able to restore them from a backup. By regularly backing up important data, you can increase the chances that you can recover your files if they are encrypted by ransomware. However, those backups should be immutable and ransomware-resistant - a good backup service provider may be your surest bet. Using antivirus software: Antivirus software can detect and remove various types of malware, including ransomware. By using antivirus or endpoint security software, you can reduce the risk of a ransomware attack. Being cautious of suspicious emails: Many ransomware attacks are spread via phishing emails. You can lower the risk of a ransomware attack by being wary of suspicious emails and refraining from clicking on links or opening attachments from unknown sources. Educating employees about cybersecurity: Employees play a critical role in defending against cyberattacks. It is of utmost importance that they understand the best practices and know how to identify and report suspicious activities. Isolating critical workloads and data: Isolating your most important data and applications with technologies such as microsegmentation, VLANs, firewalls and strict access and permission controls will create an extra layer of security that will make it that much harder for ransomware to infect your most critical systems. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- With U.S. Plea Deal, WikiLeaks Founder Assange is Free after 14-Year Legal Battle
With U.S. Plea Deal, WikiLeaks Founder Assange is Free after 14-Year Legal Battle
WikiLeaks and Human Rights Groups Celebrate Assange's Release
In a statement on platform X, WikiLeaks wrote, “Julian Assange is free.”“He left Belmarsh maximum security prison on the morning of 24 June, after having spent 1901 days there. He was granted bail by the High Court in London and was released at Stansted airport during the afternoon, where he boarded a plane and departed the UK.” – WikiLeaksAssange is being flown to Saipan, the capital of the Northern Mariana Islands and a U.S. commonwealth in the Western Pacific Ocean. The formal hearing and sentencing is set to take place in the U.S. District Court for the Northern Mariana Islands at 9 a.m. local time Wednesday. Assange was reluctant to fly to the mainland U.S., his prosecutors said, and thus Saipan was decided as an alternative due to its proximity with Australia. If the guilty plea is approved by the judge – as is expected – the WikiLeaks founder will head to Australia after the sentencing. Human rights organization Amnesty International’s Secretary General, Agnès Callamard welcomed the “positive news.”
“We firmly believe that Julian Assange should never have been imprisoned in the first place and have continuously called for charges to be dropped.” - Amnesty International’s Secretary General, Agnès Callamard“The years-long global spectacle of the US authorities hell-bent on violating press freedom and freedom of expression by making an example of Assange for exposing alleged war crimes committed by the USA has undoubtedly done historic damage,” Callamard said. “Amnesty International salutes the work of Julian Assange’s family, campaigners, lawyers, press freedom organizations and many within the media community and beyond who have stood by him and the fundamental principles that should govern society’s right and access to information and justice.” The Mexican President Andrés Manuel, sounded a similar sentiment and said:
“I celebrate the release of Julian Assange from prison. At least in this case, the Statue of Liberty did not remain an empty symbol; She is alive and happy like millions in the world.”
Brief Timeline of Julian Assange Espionage Case
Julian Assange, the founder and Editor-in-Chief of WikiLeaks, gained prominence after the site published more than 90,000 classified U.S. military documents on the Afghanistan war and about 400,000 classified U.S. documents on the Iraq war. After the release of these documents via WikiLeaks, Assange was indicted by the U.S. on 18 counts, including 17 espionage charges under the 1917 Espionage Act and one for computer misuse, where he allegedly gained unauthorized access to a government computer system of a NATO country. In 2012, Assange communicated directly with a leader of the hacking group LulzSec (who by then was cooperating with the FBI), and provided a list of targets for LulzSec to hack, the indictment said. With respect to one target, Assange asked the LulzSec leader to look for (and provide to WikiLeaks) mail and documents, databases and PDFs. In another communication, Assange told the LulzSec leader that the most impactful release of hacked materials would be from the CIA, NSA, or the New York Times. WikiLeaks obtained and published emails from a data breach committed against an American intelligence consulting company by an “Anonymous” and LulzSec-affiliated hacker. According to that hacker, Assange indirectly asked him to spam that victim company again. An August 2010 arrest warrant for sexual assault allegations in Sweden was initially dropped but later reopened, leading to an international arrest warrant against him. Assange then sought refuge in the Ecuadorian embassy in London. In 2019, Ecuador revoked his asylum, and he was arrested by London police and sentenced to 50 weeks in prison for breaching bail conditions. Swedish prosecutors dropped their case in 2019 because the passage of time had weakened evidence, but they said they retained confidence in the complainant.Assange’s Freedom Starts ‘a New Chapter’
Stella Assange, the WikiLeaks founder’s wife, was elated and thanked everyone who stood by her husband. “Throughout the years of Julian’s imprisonment and persecution, an incredible movement has been formed. People from all walks of life from around the world who support not just Julian ... but what Julian stands for: truth and justice,” Stella Assange said. “What starts now with Julian’s freedom is a new chapter.” It will be interesting to see if Assange will be back at the helm of WikiLeaks and if he will keep his fight on against human right exploitations but for now it seems like he would be eager to reunite with his wife Stella Assange, and his children, “who have only known their father from behind bars.” Update* (June 25 1:30 p.m. ET): Added comments from Amnesty International’s Secretary General, Agnès Callamard and President of Mexico, Andrés Manuel.- Cybersecurity News and Magazine
- Synnovis Confirms Data Published by Qilin Ransomware Gang as Legitimate
Synnovis Confirms Data Published by Qilin Ransomware Gang as Legitimate
“Last week a group claiming responsibility for the cyberattack published data online. We have now been able to confirm that this data was stolen from Synnovis’ systems.” - SynnovisAn initial review from Synnovis over the weekend revealed no evidence that the Laboratory Information Management Systems (LIMS) - the primary databases for patient test requests and results - were posted. However, fragments of patient-identifiable data from an administrative working drive have been published, Synnovis said. The payroll information storage area remains unaffected but further review of employee-related data that appeared in the dataset published on the dark web is underway. Synnovis emphasized the priority of understanding the compromised administrative working drive. The company is working alongside technical experts to ascertain more details and mitigate concerns among service users, employees and partners. The Information Commissioner’s Office (ICO) is investigating the breach, acknowledging the sensitivity of the leaked data and the anxiety it may cause. “While we are continuing to make enquiries into this matter, we recognize the sensitivity of some of the information in question and the worry this may have caused,” the ICO said. The ICO advises concerned individuals to visit its website and NHS England’s site for guidance and support. NHS England continues collaborating with Synnovis and the National Crime Agency to address the ransomware attack. NHS England acknowledged Synnovis’ initial analysis that confirmed the published data originated from their systems. The complex nature of such investigations means it could take weeks to identify all impacted individuals, it said. As the investigation proceeds, NHS England and Synnovis will provide updates and have established a helpline for those affected. Local health systems are working together to manage the impact on patients and have deployed additional resources to ensure urgent blood samples are processed. Laboratories can now also access historical patient records, which aids continuity of care, NHS England said. The cyberattack has significantly delayed blood tests, with some media reports stating NHS patients potentially waiting up to six months for sample collection. Earlier, Synnovis said the ransomware attack had significantly brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day. The Guardian cited a letter to one of the patients from the impacted hospital being told:
“Sadly it appears it may be three to six months before bloods can be taken again. You will be put on a waiting list and our secretaries will contact you when bloods can be taken again. If you haven’t heard anything in the next four months please feel free to contact us on the details above. I want to apologise for this inconvenience and appreciate this will be frustrating.”The pathology service provider was processing only “clinically critical” blood samples flagged by clinicians. These delays have prompted some patients to seek private clinics for faster testing and analysis that cost significantly high. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this month to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.
Alert: Australian Non-Profit Accuses Google Privacy Sandbox
Google’s initiative to phase out third-party tracking cookies through its Google Privacy Sandbox has encountered criticism from Austrian privacy advocacy group noyb (none of your business). The non-profit alleges that Google’s proposed solution still facilitates user tracking, albeit in a different form. Allegations of Misleading Practices According to noyb, Google’s Privacy Sandbox, marketed as […]
The post Alert: Australian Non-Profit Accuses Google Privacy Sandbox appeared first on TuxCare.
The post Alert: Australian Non-Profit Accuses Google Privacy Sandbox appeared first on Security Boulevard.
- Cybersecurity News and Magazine
- Doxxing on BreachForums Allegedly Exposes Moderator’s Personal Information
Doxxing on BreachForums Allegedly Exposes Moderator’s Personal Information
BreachForums Moderator Doxxing Details
On Tuesday, Bhavesh Mohinani, an SOC analyst and a member of "CISO2CISO," shared screenshots of a BreachForums post by an anonymous threat actor that allegedly contained sensitive Personally Identifiable Information (PII) of BreachForums moderator "Aegis". [caption id="attachment_78802" align="alignnone" width="1069"] Source: LinkedIn[/caption] The threat actor claimed that he obtained “bits and pieces” information about Aegis through his friend. “One thing I was given was a first name and an IP. Looking into it, you find out his information is very much out there! So much OPSEC, am I right,” the TA wrote in his post. OPSEC or Operational Security, is a process that identifies seemingly innocuous actions that could inadvertently reveal critical or sensitive data to a cybercriminal. Elaborating the details of Aegis, the threat actor claimed, “Aegis is a 17-year-old Egyptian resident living with his mother. His father seems not to have been found. Aegis started off being a skid, stealing code, claiming to be harmful and so on...he is a loser. “Aegis will most likely deny this being his information but if this post gets taken down, you will know the truth/ love everyone! Expect this loser,” the TA wrote. The user also shared details claiming to be the moderator’s phone number, IP address, residential address and telegram account. [caption id="attachment_78803" align="alignnone" width="1091"] Source: LinkedIn[/caption] While there is no confirmation or credibility to the claims shared by the anonymous actor, the post was deleted as soon as it was shared. However, the post has raised concerns about the security and trustworthiness of online communities.What is Doxxing?
Doxxing, or doxing for short, is when someone puts your personal information out there on the internet. This can include information like where you work, your home address, your credit card numbers, and other private details. Usually, the intention of the threat actor is to harass the victims. The word "doxxing" first came about in the 1990s, starting from the word "documents," which got shortened to "docs," and then finally became "dox." When people talk about "dropping dox," they mean cybercriminals revealing the true identities of their rivals, taking away their anonymity, and making them vulnerable to the authorities. A doxxing attack begins with the threat actor gathering extensive information about their target, searching online and checking social media for clues. Social media can reveal workplace details, which can be exploited for attacks. Skilled threat actors might also trace a target’s IP address to determine their location. The more data a threat actor collects, the more harm they can inflict. While some doxxing incidents are minor, like sending unwanted pizza deliveries, others can lead to severe consequences such as online harassment, swatting, identity theft, reputational damage, physical assault, job loss, or stalking. The alleged doxxing of the BreachForums moderator has raised questions about whether it would lead to the arrest of another threat actor and if it signals the decline of the forums. For example, in California, doxing is considered a serious offense, and individuals engaging in this activity could face legal consequences. Individuals arrested and charged with cyber harassment (doxing) under Penal Code §653.2 face up to one year in jail and a fine of up to $1,000. In April 2023, Hong Kong’s privacy watchdog, Office of the Privacy Commissioner for Personal Data, arrested a 27-year-old woman on suspicion of doxxing after she allegedly posted the personal details of her friend’s ex-boyfriend on social media.Prevention Against Doxxing
To protect users against doxxing, one must use strong, unique passwords for each account and enable Multi-Factor Authentication (MFA). Cleaning the digital footprint by removing personal information from online sites, deactivating old accounts, and adjusting privacy settings is regarded as a healthy practice. Using a VPN is recommended to hide the user’s IP address and prevent location tracking. Users must also be vigilant against phishing scams by recognizing poor spelling, mismatched email addresses, and unsolicited links. Finally, avoiding oversharing personal information online and keeping social media profiles private is a healthy digital practice to enhance security. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.CDK Group Falls Victim to Two Cyberattacks
Massive hack forces CDK Global, a provider of software-as-a-service for car dealerships, to shut down its servers, leaving customers unable to run their businesses as usual. A SaaS platform from CDK Global serves clients in the auto sector, managing all facets of vehicle dealership operations, such as inventory management, CRM, financing, payroll, support, and servicing. […]
The post CDK Group Falls Victim to Two Cyberattacks appeared first on Heimdal Security Blog.
- Cybersecurity News and Magazine
- Apple Fixes ‘Bug’ in Vision Pro That Allowed Hackers To Fill Room with Bugs And Spiders
Apple Fixes ‘Bug’ in Vision Pro That Allowed Hackers To Fill Room with Bugs And Spiders
Spatial Hack in Apple Vision Pro Devices
Apple designed the Vision Pro with strict privacy controls. This includes limiting device apps to a default 'Shared Space' and mandating explicit user consent for more engaging and immersive content. Websites must also obtain explicit user permission to generate 3D content within a user's physical environment. [caption id="attachment_78754" align="alignnone" width="720"] Source: ryanpickren.com[/caption] However, Pickren discovered that the AR Quick Look feature that had been introduced in 2018 for iOS remained active in the visionOS without the implementation of proper safeguards. This oversight allowed websites to manipulate HTML anchor tags to spawn unlimited 3D objects coupled with animations and spatial audio. By adding specific anchor tags to webpages, malicious websites can instruct Safari to render a 3D model, surprisingly without any form of user interaction. "If the victim just views our website in Vision Pro, we can instantly fill their room with hundreds of crawling spiders and screeching bats," Pickren explained. "Freaky stuff," he exclaimed. [caption id="attachment_78758" align="alignnone" width="1168"] Source: ryanpickren.com[/caption] [caption id="attachment_78756" align="alignnone" width="1186"] Source: ryanpickren.com[/caption] The researcher stated that the exploit code is straightforward and that closing Safari doesn't get rid of the 3D objects, as they are handled by a separate application. "To make things even freakier – since these animated files are being handled by a separate application (Quick Look), closing Safari does not get rid of them," Pickren noted. He added, "There is no obvious way to get rid of them besides manually running around the room to physically tap each one."Bug Reporting and Gaps in Vulnerability Assessment
After trying to disclose the flaw to Apple, the researcher felt the tech giant had downplayed its relation to spatial computing and the generation of 3D objects, instead focusing on the potential for system crashes and reboots. The CVE description claimed that the issue had been addressed by improving the file handling protocol, which the researcher believed was unrelated to the bug. This highlights the challenges of triaging and classifying bugs in emerging fields such as Spatial Computing. The researcher believes the bug's impact goes beyond simple system crashes or reboots, raising questions about the security and privacy of the technology and the need for reevaluating existing threat models. "Perhaps it's time for Apple to re-evaluate their Vision Pro threat model," Pickren suggested. "This is a deeply personal product and classic vulnerability triaging guidelines may not capture the full impact anymore." Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- CDK Global Cyberattack Ripple Effect: Several Car Dealers Report Disruptions
CDK Global Cyberattack Ripple Effect: Several Car Dealers Report Disruptions
Systems Shut Down After Attack
CDK Global, a crucial provider of SaaS platforms for dealerships, was forced last week to shut down its systems in response to the cyberattack. With the work done so far, our core DMS and Digital Retailing solutions have been restored," a spokesperson for CDK Global told The Cyber Express at the time. "We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing." This shutdown has hindered dealerships' abilities to manage customer relationships, sales, financing, service, inventory, and back-office operations. CDK Global's systems are vital to over 15,000 car dealerships in North America. It facilitates various operations, including car sales, repairs and registrations. There are only a handful of DMS companies for dealers to choose from. Thus, thousands of dealerships are hugely reliant on CDK’s services to line up financing and insurance, manage inventory of vehicles and parts, and complete sales and repairs.How CDK Global Cyberattack Impacts Customers
Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive have activated their incident response plans and disconnected from CDK systems as a precaution, although no evidence of compromise within their own networks was found. Sonic Automotive mentioned that as of Friday, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Group 1 Automotive noted that CDK aims to restore the dealer management system within "several days and not weeks," but the financial impact depends on the system's downtime duration. Group 1 owns and operates 202 automotive dealerships, 264 franchises, and 42 collision centers in the United States and the United Kingdom that offer 35 brands of automobiles.CDK Customers Move to Manual Methods
Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but "slower than normal." It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.CDK May Pay Ransom
Late on Friday, Bloomberg reported that CDK Global is negotiating with the a ransomware gang, which Bleeping later confirmed to be BlackSuit, a rebrand of the Royal ransomware group known for last year's attack on the city government of Dallas. Although the ransom amount remains undisclosed, CDK Global reportedly plans to pay, Bloomberg said. CDK Global has issued prerecorded messages to warn customers about hackers posing as CDK staff to gain unauthorized access. Despite making recovery progress last week, CDK faced a second cyber incident that led to a complete shutdown of its systems. The company is working with third-party experts to assess the impact and update its customers regularly. This attack exposes the critical vulnerabilities in the supply chain of the automotive industry and its reliance on centralized digital platforms.- Cybersecurity News and Magazine
- Indonesia National Data Center Hack Disrupts Government Services, Affecting Over 200 Agencies
Indonesia National Data Center Hack Disrupts Government Services, Affecting Over 200 Agencies
Authorities Have Detected Samples of LockBit 3.0 Ransomware
Samuel Abrijani Pangerapan, director general of informatics applications at the Communications and Informatics Ministry, confirmed that essential services like immigration checks at airports had been disrupted. Long lines were formed at affected airports after automated passport machines were rendered useless. While some of these services have been restored, including the government's immigration services, ongoing efforts are aimed at restoring other critical operations, such as investment licensing. Samuel stated, “We have tried our best to carry out recovery while the (National Cyber and Crypto Agency) is currently carrying out forensics.” The National Cyber and Crypto Agency has detected samples of LockBit 3.0 ransomware, a variant known for encrypting victims' data and demanding payment for its release. PT Telkom Indonesia, an Indonesian multinational telecommunications company, is working with domestic and international authorities and leading the efforts to efforts to break the encryption and restore access to the compromised data. Herlan Wijanarko, the company's director of network & IT solutions, confirmed that the attackers had offered a decryption key in exchange for an $8 million ransom.Experts Concerned About Indonesia Government Infrastructure Security
Cybersecurity experts warn that the severity of the attack highlights significant vulnerabilities in the government's digital infrastructure and incident response capabilities. Cybersecurity expert Teguh Aprianto described the latest attack as "severe" and notes that it highlights the need for improved infrastructure, manpower, and vendor management to prevent such attacks in the future. Teguh stated, "It shows that the government infrastructure, manpower handling this and the vendors are all problematic." In recent years, Indonesia has faced a series of high-profile cyber attacks, including a ransomware attack on its central bank and a data breach at its largest Islamic lender. The consequences of these attacks can be severe, with victims often forced to pay large sums to regain access to their data. Last year, the LockBit ransomware gang claimed responsibility for an attack on the Bank Syariah Indonesia. Sensitive information of over 15 million individuals had been stolen in the attack, affecting both customers and employees. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Weekly Vulnerability Report: Critical Security Flaws Identified by Cyble in Microsoft, VMware, Veeam, ASUS Products
Weekly Vulnerability Report: Critical Security Flaws Identified by Cyble in Microsoft, VMware, Veeam, ASUS Products
The Week’s Top Vulnerabilities
Cyble’s weekly report focused on 9 of the vulnerabilities in particular; they are:CVE-2024-37079, CVE-2024-37080 and CVE-2024-37081: VMware
Impact Analysis: These critical and high severity heap-overflow and privilege escalation vulnerabilities impact the VMware vCenter Server, a central management platform for VMware vSphere, enabling the management of virtual machines and ESXi hosts. With the global usage of the impacted product and the history of leveraging flaws impacting vCenter, there is strong potential for threat actors (Tas) to leverage these critical vulnerabilities also. Internet Exposure: Yes Available Patch? YesCVE-2024-3080: ASUS Router Bypass
Impact Analysis: This critical authentication bypass vulnerability impacts certain ASUS router models, allowing unauthenticated remote attackers to log in to the device. Recently, the Taiwan Computer Emergency Response Team informed users about the vulnerability and released an advisory with fixes to patch the flaw. Internet Exposure: Yes Patch Available? YesCVE-2024-3912: ASUS Arbitrary Firmware Upload Vulnerability
Impact Analysis: This critical arbitrary firmware upload vulnerability impacts certain ASUS router models, allowing unauthenticated remote attackers to execute arbitrary system commands on the device. The Taiwan Computer Emergency Response Team also informed users about this vulnerability and released an advisory with fixes to patch the flaw. Internet Exposure: Yes Patch Available? YesCVE-2024-29855: Veeam Recovery Orchestrator
Impact Analysis: This critical authentication bypass vulnerability impacts the Veeam Recovery Orchestrator. The recovery solution extends the capabilities of the Veeam Data Platform by automating recovery processes and providing comprehensive reporting and testing features. The availability of a recent publicly available proof-of-concept (PoC) exploit for this vulnerability elevates the risk of exploitation in attacks by TAs. Internet Exposure: No Patch Available? YesCVE-2024-30103: Microsoft Outlook RCE Vulnerability
Impact Analysis: This high-severity remote code execution (RCE) vulnerability impacts Microsoft Outlook. Since the zero-click RCE flaw can be exploited simply by opening and previewing an email that contains a malicious payload in the body of the email, requiring no further interaction from the user, there are high possibilities for the weaponization of the vulnerability by TAs in targeting government and private entities. Internet Exposure: No Patch Available? YesCVE-2024-30078: Windows Wi-Fi Driver RCE Vulnerability
Impact Analysis: This high severity remote code execution (RCE) vulnerability impacts Windows Wi-Fi Driver. With the wide usage of Windows devices around the world and the ability to exploit without the need for any user interaction, TAs can leverage the flaw to gain initial access to the devices and later install malware and exfiltrate user data. Internet Exposure: No Patch Available? YesCVE-2024-37051: JetBrains GitHub Plugin Vulnerability
Impact Analysis: This critical vulnerability in the JetBrains GitHub plugin on the IntelliJ open-source platform affects all IntelliJ-based IDEs, leading to the exposure of GitHub access tokens. TAs can leverage the vulnerability by using exposed tokens to gain unauthorized access to user GitHub accounts and repositories and possibly deploy malicious code or delete the repositories. Internet Exposure: No Patch Available? YesCISA Adds 5 Vulnerabilities to KEV Catalog
Five of the vulnerabilities in the Cyble report were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog:- CVE-2024-32896, an Android Pixel vulnerability with a 7.8 CVSSv3 criticality score
- CVE-2024-26169, a Microsoft Windows error reporting service elevation of privilege vulnerability with a 7.8 criticality rating
- CVE-2024-4358, a Progress Telerik Report Server vulnerability with a 9.8 rating
- CVE-2024-4610, an Arm Mali GPU Kernel Driver vulnerability with a 5.5 rating
- CVE-2024-4577, a PHP remote code execution flaw, a 9.8 vulnerability that Cyble addressed in last week’s report
Lindex Group Faces Alleged Source Code Leak by Hacker IntelBroker
Decoding IntelBroker’s Claims of Lindex Group Data Breach
[caption id="attachment_78687" align="alignnone" width="1242"] Source: X[/caption] The claims made by IntelBroker on the dark web suggest that the compromised source code of Lindex Group is now accessible through undisclosed channels, although specific details such as the price for access or direct communication channels have not been publicly disclosed. The situation has prompted concerns about the potential impact on Lindex Group's operations and the security of its customers' data. Despite these reports, Lindex Group has yet to issue an official statement or response regarding the alleged breach. The Cyber Express has reached out to the organization to learn more about this the breach claims. However, at the time of this, no official statement or response has been received. Visitors to Lindex Group's website may find it operational without immediate signs of intrusion, suggesting that the attack may have targeted backend systems rather than initiating a more visible front-end assault like a Distributed Denial-of-Service (DDoS) attack or website defacements.IntelBroker Hacking Spree
IntelBroker, the solo hacker claiming responsibility for the breach, has a history of similar actions, having previously claimed involvement in cybersecurity incidents affecting other major companies. One notable example includes an alleged data breach targeting Advanced Micro Devices (AMD), a leading semiconductor manufacturer, and Apple was another alleged victim. The incident, disclosed on platforms like BreachForums, involved the exposure of sensitive data, prompting AMD to initiate investigations in collaboration with law enforcement authorities and third-party cybersecurity experts. The situation highlights the persistent nature of hackers like IntelBroker, who continue to exploit vulnerabilities in digital infrastructure for financial gain or malicious intent. For organizations like Lindex Group, the fallout from such breaches can encompass not only financial losses but also reputational damage and regulatory scrutiny. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Crypto Investors Alarmed as Coinstats Breach Impacts 1,590 Wallets
Understanding the Coinstats Data Breach
[caption id="attachment_78679" align="alignnone" width="733"] Source: Coinstats on X[/caption] In a public statement addressing the breach, Coinstats reassured its user base that the incident has been mitigated, and immediate steps have been taken to secure the platform. Users whose wallet addresses were compromised were advised to take action by transferring their funds using exported private keys. A spreadsheet link was provided for users to check if their wallets were among those affected. CEO Narek Gevorgyan highlighted the seriousness of the situation, acknowledging the challenges posed by the Coinstats cyberattack while emphasizing Coinstats' commitment to restoring normal operations swiftly and securely. Gevorgyan outlined that comprehensive security measures were being implemented during the restoration process to fortify the platform against future vulnerabilities. "We're actively working to bring the app back online as quickly as possible. Thank you for your patience," stated Gevorgyan in an update shared via Coinstats' official channels.North Korea-linked Hackers Behind the Data Breach at Coinstats
The revelation of North Korea-linked hackers being behind the breach adds a geopolitical dimension to the Coinstats data breach incident, highlighting the global reach and sophisticated tactics employed by cyber threat actors targeting digital assets and platforms. This aspect of the breach highlights the need for heightened cybersecurity measures across the cryptocurrency sector. In a similar case, another crypto firm, BtcTurk faced a cyberattack on its hot wallets on June 22, 2024. Binance Binance CEO Richard Teng confirmed this attack, pledging ongoing support for BtcTurk's investigation. Cryptocurrency investigator ZachXBT hinted at a possible link between the breach and a $54 million Avalanche transfer. Coinstats users have been urged to remain vigilant and monitor their accounts closely for any unauthorized transactions or suspicious activities. The company assured its users that it is actively investigating the extent of funds moved during the breach and pledged to provide updates as new information becomes available. In response to the breach, regulatory bodies and industry stakeholders may scrutinize Coinstats' security practices and response protocols. The outcome of such scrutiny could influence future cybersecurity standards within the cryptocurrency industry, potentially leading to more stringent requirements for platform security and user protection.TCE Cyberwatch: Your Weekly Cybersecurity Roundup
TCE Cyberwatch: A Weekly Round Up
CISA Issues Urgent Advisories to Patch Critical Flaws in Industrial Control Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued 20 advisories to address vulnerabilities in Industrial Control Systems (ICS). These advisories offer detailed technical information and mitigation strategies for various ICS components. Key vulnerabilities include CVE-2024-33500 in Siemens Mendix Applications, which poses remote exploitation risks due to improper privilege management, and issues in Siemens SIMATIC S7-200 SMART devices that can lead to denial-of-service attacks. Additional affected systems include Siemens TIA Administrator, SCALANCE devices, Fuji Electric’s Tellus Lite, and Rockwell Automation’s FactoryTalk View SE. CISA stresses the importance of timely updates, network access restrictions, and strict adherence to security protocols. Although no public exploits have been identified, CISA recommends proactive measures such as network segmentation and secure remote access to bolster ICS resilience against cyber threats. Read MoreMicrosoft Vows Security Overhaul After U.S. Report
Microsoft has faced severe criticism over its cybersecurity measures, highlighted by a U.S. Cyber Safety Review Board (CSRB) report detailing multiple security failures. These failures include a July 2023 attack by Chinese actors on senior U.S. officials' email accounts. Despite pledges to prioritize security, issues have been compounded by the flawed rollout of the Windows Recall feature. In a House Committee hearing, Microsoft President Brad Smith acknowledged these failings, accepted responsibility, and outlined plans for improvement. These measures include integrating security into executive bonuses and employee reviews, adding 1,600 security engineers, and expanding senior-level oversight. Microsoft is also addressing all CSRB recommendations and enhancing identity protection, network security, and threat detection. Smith emphasized the ongoing battle against cyberattacks, noting that Microsoft detects nearly 4,000 password-based attacks per second. Read MoreOver 300 Fake Paris 2024 Sites Target Olympic Ticket Buyers
As the Paris 2024 Summer Olympics approach, security researchers and officials have identified over 300 fraudulent ticketing sites exploiting legitimate Olympics branding to scam users. One notable site, paris24tickets[.]com, appeared professional and ranked highly in Google search results, misleading users into providing personal and financial information. Proofpoint researchers exposed this site as entirely fraudulent, collecting sensitive data instead of processing ticket orders. The French Gendarmerie Nationale has identified 338 scam sites since March 2023, shutting down 51 and putting 140 on notice. Scammers use ads and targeted emails to attract victims, often offering fake discounts. Captain Etienne Lestrelin advises against buying tickets outside official sources, warning that excessively cheap tickets are likely scams and could involve buyers in criminal activities. Read MoreTesla's $45 Billion Payout: Court Battle Looms Over Coercion Claims
Tesla's efforts to reinstate Elon Musk's $45 billion pay package continue to face legal challenges despite shareholder support. The package was nullified by a Delaware judge due to concerns over board independence. Tesla's chair plans to resubmit the deal to the court, but plaintiffs argue the vote was coerced and legally flawed. Richard Tornetta's lawyer, representing the plaintiffs, claims the new vote does not address the initial issues. Legal experts predict ongoing court battles in Delaware, with possible appeals to the state’s supreme court. They also highlight potential coercion by Musk, who threatened to develop AI and robotics outside Tesla if the vote failed. Future pay deals will be governed by Texas law following Tesla's incorporation move, but existing litigation remains in Delaware. Read MoreMFA Failure Exposes Millions: Medibank Fined for Massive Data Breach
A lack of multi-factor authentication (MFA) likely caused the Medibank data breach, exposing the personal data of 9.7 million customers in October 2022. The Australian Information Commissioner’s report revealed that hackers stole an IT service desk operator’s credentials via malware on a home device. The compromised VPN lacked MFA, allowing unauthorized access. Ignored security alerts further enabled the attackers to extract 520GB of sensitive data. Medibank's inadequate cybersecurity measures, highlighted in a 2020 risk assessment, included excessive access privileges and the absence of MFA. This negligence led to legal action by Australia's privacy regulator, with potential fines exceeding AU$2 million. Sanctions and arrests followed for the hackers involved. The breach underscores the critical need for MFA, proper alert management, regular security audits, and employee training. Read MoreMETA Stealer Ups the Ante: Encrypted Builds, Custom Stubs in v5.0 Update
META Stealer v5.0 has launched, introducing advanced features and heightened security for this information-stealing malware. Key improvements include TLS encryption for secure communication between the build and the control panel, similar to updates seen in other top stealers like Lumma and Vidar. The update also offers a new build system for generating unique builds, supported by a "Stub token" currency for creating Runtime stubs, enhancing customization. The "Crypt build" option encrypts builds to evade detection during scans, significantly boosting stealth capabilities. Additionally, the panel's security and licensing systems have been upgraded to minimize disruptions. While previous updates, such as version 4.3 in February 2023, introduced features like enhanced detection cleaning and Telegram integration for build creation, version 5.0 focuses on individualized security and continuous improvement. Read More In this week's edition of TCE Cyberwatch, we've covered critical cybersecurity updates, from CISA's advisories on industrial control systems to Microsoft's pledges for security improvements and the exposure of fraudulent Olympic ticketing sites. As cyber threats continue to evolve, staying informed and proactive is essential. By keeping abreast of the latest news and trends, you can better protect your digital assets and stay ahead in the ongoing battle against cyberattacks. Stay vigilant and informed with TCE Cyberwatch.- Cybersecurity News and Magazine
- Jollibee Probes Alleged Data Breach Affecting 32 Million Customers, Asks Public to Remain Vigilant
Jollibee Probes Alleged Data Breach Affecting 32 Million Customers, Asks Public to Remain Vigilant
Details of Jollibee Probe into Cyberattack
The Philippines National Privacy Commission (NPC) regulations make it mandatory for organizations in the country to report and inform stakeholders of cybersecurity incidents within 72 hours of discovery. A statement was released on June 22 by Richard Shin, Chief Financial Officer and Corporate Information Officer of JFC, which said that it was addressing “a cybersecurity incident” that reportedly affected the company, “in addition to other subsidiaries”. “The Company is addressing the incident and has implemented its response protocols and deployed enhanced security measures to further protect the Company’s and its subsidiaries’ data against threats. The Company has also launched its investigation on the matter to understand the scope of this incident, and is currently working with the relevant authorities and experts in its investigation,” the statement said. JFC, however, added that its e-commerce platforms and those of its subsidiaries’ brands remained unaffected by the cyberattack and continued to be operational. It added that the safety of data from stakeholders was paramount for the company. “JFC recognizes the value and importance of the confidentiality of personal information of its stakeholders. The Company assures the public of its commitment to prioritize the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defenses against future threats,” the company said. “The Company further assures the public that it continues to monitor and update its security measurements as appropriate under the circumstances, and as may be required by the results of its investigation into this matter,” it added. The fast-food delivery group urged the public to be vigilant and exercise good information security practices, including keeping passwords secure and changing them often.Jollibee’s Cybersecurity Concerns
The alleged data breach of the fast-food chain took place on popular data hack site BreachForums on June 20. The threat actor, “Sp1d3r”, claimed to have carried out a cyberattack and had gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. JFC, meanwhile, is investigating this alleged cyberattack on its brands and subsidiaries, including Greenwich, Red Ribbon, Burger King Philippines, and Highlands Coffee. This is not the first time that Jollibee has faced flak for its cybersecurity measures. In December 2017, JFC had informed of a data breach of its delivery website. The NPC had then warned that the data of 18 million customers was at “a very high risk” of being exposed. After an investigation, the NPC in May 2018 suspended Jollibee’s delivery website due to “serious vulnerabilities.” JFC also took down the delivery websites of its other brands. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Google Pixel Firmware Zero-Day Flaw Exploited And Patched
Google has recently issued a warning regarding a critical security flaw affecting Google Pixel Firmware, which has been actively exploited as a zero-day vulnerability. Identified as CVE-2024-32896, this high-severity issue involves an elevation of privilege, potentially allowing attackers to gain unauthorized access on affected devices. Nature of the Memory-Related Vulnerability The zero-day exploit in […]
The post Google Pixel Firmware Zero-Day Flaw Exploited And Patched appeared first on TuxCare.
The post Google Pixel Firmware Zero-Day Flaw Exploited And Patched appeared first on Security Boulevard.
- Cybersecurity News and Magazine
- Millions of Americans Affected: Change Healthcare Reveals Data Stolen in Cyberattack
Millions of Americans Affected: Change Healthcare Reveals Data Stolen in Cyberattack
Stolen Data Information in CHC Cyberattack
The Change Healthcare data breach notification provided a comprehensive overview of the types of information that may have been affected. Although CHC cannot confirm exactly what data was compromised for each individual, the exposed information may include:- Contact Information: Names, addresses, dates of birth, phone numbers, and email addresses.
- Health Insurance Information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
- Health Information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
- Billing, Claims, and Payment Information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
- Other Personal Information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.
Cyberattack on Change Healthcare: What Exactly Happen?
The Change Healthcare cyberattack occurred when a cybercriminal gained unauthorized access to the CHC computer system on February 21, 2024. Upon discovering the ransomware deployment, CHC immediately took steps to halt the activity, disconnected and shut down systems to prevent further impact and initiated an investigation. Law enforcement was contacted, and CHC's security team, along with several top cybersecurity experts, worked tirelessly to address the breach and understand its scope. The investigation revealed that a significant amount of data was exfiltrated from CHC’s environment between February 17, 2024, and February 20, 2024. By March 7, 2024, CHC confirmed the data exfiltration and began analyzing the compromised files. On April 22, 2024, CHC publicly confirmed that the impacted data could affect a substantial proportion of the American population. As of June 20, 2024, CHC began notifying customers whose data was identified as compromised. When CHC learned about the activity, CHC immediately began an investigation with support from leading cybersecurity experts and law enforcement. In response to this incident, CHC immediately took action to shut down systems and sever connectivity to prevent further impact," informed Change Healthcare official release "CHC has also reinforced its policies and practices and implemented additional safeguards in an effort to prevent similar incidents from occurring in the future. CHC, along with leading external industry experts, continues to monitor the internet and dark web.What Steps Affected Individuals Can Take
While the investigation continues, individuals who suspect their information may have been compromised can take several steps to protect themselves:- Enroll in Credit Monitoring and Identity Protection: CHC is offering two years of complimentary credit monitoring and identity protection services.
- Monitor Statements and Reports: Regularly check explanations of benefits from health plans, statements from healthcare providers, bank and credit card statements, credit reports, and tax returns for any unfamiliar activity.
- Report Unfamiliar Health Services: If any unauthorized healthcare services are found on an explanation of the benefits statement, contact the health plan or doctor.
- Alert Financial Institutions: Immediately contact financial institutions or credit card companies if suspicious activity is detected on bank or credit card statements or tax returns.
- File a Police Report: Contact local law enforcement if you believe you are a victim of a crime.
- Cybersecurity News and Magazine
- Allcargo’s ECU Worldwide Appoints Rajneesh Garg as the Chief Information Officer
Allcargo’s ECU Worldwide Appoints Rajneesh Garg as the Chief Information Officer
Rajneesh Garg Extensive Background
Garg brings over 20 years of leadership experience across various sectors, including banking, insurance, travel, hospitality, manufacturing, energy resources, and retail. Before joining ECU Worldwide, he was Vice President of Information Technology at Capgemini, overseeing regional delivery and growth for consumer products and retail accounts in the Nordic region. Garg holds a postgraduate degree in computer science from Moscow State University in Russia and has also worked in senior leadership roles at Tata Consultancy Services for over two decades. "With his extensive and diversified leadership experience in various sectors, Rajneesh will be instrumental in driving our technology transformation forward. His strategic vision aligns with our efforts to fortify ECU Worldwide's IT division as we pursue our ambitious growth and expansion strategies. We are confident that under Garg's leadership, our IT division will continue to break new ground in offering superior customer experience. We look forward to working with him as we embark on the next phase of growth,’’ said Kapil Mahajan, Global Chief Information Officer, Allcargo Group.Way Forward
Founded in 1987, ECU Worldwide is a wholly-owned global subsidiary of Allcargo Logistics. The company is a major player in multi-modal transport and a leader in LCL consolidation. ECU Worldwide operates with a digital-first approach and is supported by leaders with expertise in logistics, data science, and technology. The appointment of Garg as CIO is a significant step for ECU Worldwide. His extensive experience and strategic approach are expected to drive the company’s technology initiatives and support its growth in the global LCL market. Garg's collaboration with the Allcargo Group leadership aims to bring technological advancements and improvements to ECU Worldwide's services and operations.- Cybersecurity News and Magazine
- Binance Steps in to Aid Investigation of BtcTurk Cyberattack, Freezes $5.3M in Stolen Funds
Binance Steps in to Aid Investigation of BtcTurk Cyberattack, Freezes $5.3M in Stolen Funds
Decoding the BtcTurk Cyberattack
Cryptocurrency investigator ZachXBT hinted at a potential link between the BtcTurk breach and a $54 million Avalanche transfer. The transfer, involving 1.96 million AVAX to Coinbase and subsequent Bitcoin withdrawals from Binance, coincided suspiciously with the timing of the cyberattack on BtcTurk. [caption id="attachment_78620" align="alignnone" width="755"] Source: X[/caption] Despite the setback, BtcTurk announced plans to gradually restore crypto deposit and withdrawal services once their cybersecurity measures are completed. They emphasized that their financial resilience surpasses the amount lost in the attack, ensuring that user assets remain unaffected. “Our teams have detected that there was a cyber attack on our platform on June 22, 2024, which caused uncontrolled footage to be taken. Only some of the balances in the hot wallets of 10 cryptocurrencies were affected by the cyber attack in question, and our cold wallets, where most of the assets are kept, are safe. BtcTurk's financial strength is well above the amounts affected by this attack, and user assets will not be affected by these losses”, reads the organization's statement.Mitigation Against the Cyberattack on BtcTurk
The BtcTurk cyberattack specifically impacted deposits of various cryptocurrencies, including Bitcoin (BTC), Aave (AAVE), Algorand (ALGO), Ankr (ANKR), Cardano (ADA), Avalanche (AVAX), ApeCoin (APE), Axie Infinity (AXS), Chainlink (LINK), Cosmos (ATOM), Filecoin (FIL), among others, says BtcTurk's. “Our teams are carrying out detailed research on the subject. At the same time, official authorities were contacted. As a precaution, cryptocurrency deposits and withdrawals have been stopped and will be made available for use as soon as our work is completed. You can follow the current status of the transactions on https://status.btcturk.com”, concludes the statement. As investigations continue, both BtcTurk and Binance are working diligently to mitigate the impact of the cyberattack and strengthen their security protocols to prevent future incidents. Users are encouraged to monitor official channels for updates on the situation. By collaborating and taking swift action, Binance and BtcTurk aim to uphold trust within the cryptocurrency community while enhancing the resilience of their platforms against online threats.ANY.RUN Malware Sandbox Provider’s Employee Email Compromised
ANY.RUN Employee Email Compromise
[caption id="attachment_78600" align="alignnone" width="531"] Source: X.com (@anyrun_app)[/caption] According to a post on X from the company's official handle, the attack originated from a compromised customer account, which had been used to send a convincing phishing email to a staff member. This led to unauthorized access to the employee's email account. Subsequently, the attacker forwarded a phishing message to contacts within the compromised email address book. ANY.RUN stated that it had already notified data controllers of affected individuals and is working closely with them to address any concerns. They emphasized that the compromised employee did not have access to the production environment or any code base, which limits the potential scope of the breach.ANY.RUN Response and Next Steps
Upon discovery of the incident, ANY.RUN took steps to minimize possible compromise and share details about the incident. An ongoing investigation is being done to determine the full impact of the breach and gather additional details. While the comprehensive report, the company has assured its customers that they are taking the matter seriously. In the coming days and weeks, ANY.RUN would work to: 1. Continue their investigation and analysis of the incident 2. Provide regular updates on their progress 3. Compile a detailed report of their findings The company acknowledges that many questions remain unanswered at this stage. However, they are committed to keeping all parties informed throughout the process. Customers appear to have viewed the effort at communication positively, highlighting it as an example of transparency around cybersecurity incident reporting and disclosure. The incident serves as a stark reminder that even companies working in the cybersecurity industry remain a potential target for attacks. Last year, Okta, a provider of identity and access management software, had suffered a security incident in which attackers had managed to access its support incident management through the use of stolen credentials. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- UK’s Sellafield Nuclear Waste Site Pleads Guilty To Cybersecurity Failings
UK’s Sellafield Nuclear Waste Site Pleads Guilty To Cybersecurity Failings
Sellafield Nuclear Waste Site's Cybersecurity Failings
Concerns over the site's security implementations grew after a 2012 report warned of "critical security vulnerabilities" requiring urgent attention. Due to the extreme sensitivity of the issues, problems were referred to with the codename "Voldemort." While Sellafield stated there has never been a successful cyberattack, revelations of IT failures last year raised alarms. In an investigative report last year, the Guardian uncovered that the site had been attacked by threat actors affiliated with the Russian and Chinese governments. The report found out that the site's authorities were not aware of when Sellafield's systems began to be compromised, but breaches may have gone as far back as the year 2015. In 2015, security experts had realized that Sellafield's computer systems had been compromised by sleeper malware. Sellafield had been earlier forced into “special measures” for regular cybersecurity failings by the UK's Office for Nuclear Regulation (ONR) and security services. The status of the compromised systems are unknown, but may have possibly led to the theft of sensitive information regarding moving of radioactive waste, monitoring for leaks of dangerous material, and fire checks. Sellafield stated that current protections on critical systems are robust, with isolated networks preventing external IT breaches from penetrating operational controls. An ONR spokesperson stated to the Guardian: “We acknowledge that Sellafield Limited has pleaded guilty to all charges," but emphasized that there was no evidence the vulnerabilities led to compromise. A Sellafield spokesman stated in the report, “We have pleaded guilty to all charges and cooperated fully with ONR throughout this process. The charges relate to historic offences and there is no suggestion that public safety was compromised."Concerns of GMB Trade Union
With attention now focused on improving cyber resilience, officials are working to prevent sensitive materials or dangerous nuclear operations from potential disruption by hackers. Earlier the GMB trade union, which represents tens of thousands of workers across the energy industry, also expressed concerns over the security of Sellafield, with its national secretary Andy Prendergast noting a “lack of training and competence among staff, inadequate safety procedures and a culture of fear and intimidation.” Prendergast added, “GMB has repeatedly raised concerns over safety and staffing levels, which are mainly due to turnover and the age and demographic of the workforce.” Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- After Banning Sales of Kaspersky Products, U.S. Sanctions its Top Executives
After Banning Sales of Kaspersky Products, U.S. Sanctions its Top Executives
Details of the Kaspersky Sanctions
The Treasury Department’s Office of Foreign Assets Control (OFAC) specifically targeted key individuals within Kaspersky Lab, including the chief operating officer, chief legal officer, chief of human resources, and chief business development and technology officers, among others. [caption id="attachment_78565" align="aligncenter" width="588"] Source: U.S. Department of the Treasury[/caption] The Treasury added all the above individuals to its Specially Designated Nationals list. SDN is a list maintained by OFAC that publicly identifies persons determined by the U.S. government to be involved in activities that threaten or undermine U.S. foreign policy or national security objectives. Notably, the sanctions did not extend to Kaspersky Lab itself, its parent or subsidiary companies nor to its CEO Eugene Kaspersky. The sanctions came just a day after the U.S. Commerce Department issued a final determination to ban Kaspersky Lab from operating in the United States. This ban is rooted in longstanding concerns over national security and the potential risks to critical infrastructure. The Commerce Department also added three Kaspersky divisions to its entity list due to their cooperation with the Russian government in cyber intelligence activities. The U.S. government has been wary of Kaspersky Lab's ties to the Russian government, fearing that its software could be used to facilitate cyber espionage. Bloomberg in 2017 first reported it had seen emails between chief executive Eugene Kaspersky and senior Kaspersky staff outlining a secret cybersecurity project apparently requested by the Russian intelligence service FSB. Kaspersky refuted these claims, calling the allegations "false" and "inaccurate." However, these concerns have led to a broader push to restrict the company's operations within the U.S. and to mitigate any potential threats to national security.Kaspersky Lab’s Response
Kaspersky Lab has consistently denied any allegations of being influenced or controlled by any government. The company has pledged to explore all legal options in response to the Commerce Department’s ban and the recent sanctions imposed by the Treasury. In a statement, Kaspersky Lab reiterated its commitment to transparency and maintaining the trust of its users worldwide, emphasizing it has never assisted any government in cyber espionage activities. "Kaspersky does not engage in activities which threaten U.S. national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies," it said."Kaspersky provides industry-leading products and services to customers around the world to protect them from all types of cyber threats, and has repeatedly demonstrated its independence from any government." - Kaspersky LabThe antivirus company claimed it has also implemented significant transparency measures that demonstrate its commitment to integrity and trustworthiness. But "the Department of Commerce’s decision unfairly ignores the evidence," Kaspersky said. The company said it also proposed a system in which the security of Kaspersky products could have been independently verified by a trusted third party.
"Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services."However, Brian Nelson, Treasury’s Undersecretary for Terrorism and Financial Intelligence, stated, “Today’s action against the leadership of Kaspersky Lab underscores our commitment to ensure the integrity of our cyber domain and to protect our citizens against malicious cyber threats. The U.S. will take action where necessary to hold accountable those who would seek to facilitate or otherwise enable these activities.”
Implications and Future Actions
The sanctions against Kaspersky Lab’s leadership signal a broader strategy by the U.S. government to address cybersecurity threats posed by foreign entities. This approach is part of a larger effort to strengthen national security and protect critical infrastructure from potential cyberattacks.Legal and Business Repercussions
Kaspersky Lab’s legal battles and its efforts to counteract these sanctions will be closely watched. The company's ability to operate in the international market could be significantly affected by these measures, impacting its business operations and customer trust.Global Cybersecurity Landscape
This development also highlights the ongoing tensions in the global cybersecurity landscape, where national security concerns often intersect with business interests. The actions taken by the U.S. government may set a precedent for how other nations address similar concerns with foreign technology firms. The U.S. Treasury Department's decision to sanction senior leaders at Kaspersky Lab marks a pivotal moment in the ongoing scrutiny of the Russian cybersecurity firm. While Kaspersky Lab denies any wrongdoing and prepares to contest the sanctions legally, the actions taken by the U.S. government underscore a determined effort to mitigate potential cyber threats and protect national security. As the situation unfolds, it will have significant implications for both Kaspersky and the broader cybersecurity environment.- Cybersecurity News and Magazine
- Jollibee Cyberattack: Data of 32 Million Customers of Fast Food Chain Allegedly Compromised
Jollibee Cyberattack: Data of 32 Million Customers of Fast Food Chain Allegedly Compromised
Details of Jollibee Cyberattack
The data breach of the fast-food chain was posted by the threat actor on popular data hack site BreachForums. The threat actor stated that “Jollibee is a Filipino chain of fast-food restaurants owned by Jollibee Foods Corporation. As of September 2023, there were over 1,500 Jollibee outlets worldwide, with restaurants in Southeast Asia, East Asia, the Middle East, North America, and Europe.” [caption id="attachment_78479" align="alignnone" width="1950"] Source: X[/caption] The threat actor claimed to have carried out a cyberattack and had gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. To support these claims, the TA included a sample in tabular data format accessible through spreadsheet programs like Microsoft Excel and Google Sheets. While the exact details of the alleged data breach remains unclear, the potential impact on millions of customers is cause for concern.Jollibee Yet to React to Cyberattack Claims
The motive behind the Jollibee cyberattack remains unknown. So far, Jollibee Foods Corporation has not reacted or issued any official statement regarding the alleged data breach. The Cyber Express has reached out to the corporation to verify the claims. This article will be updated once the company responds to the allegations and shares any preventive measures in place to prevent critical data from being misused. The Philippines National Privacy Commission (NPC) has yet to receive any notification from Jollibee Foods Corporation regarding the breach. The NPC regulations require organizations to inform affected individuals and report such incidents within 72 hours of discovery.Jollibee Cyberattack Threat Actor Responsible for Snowflake Breach
While Jollibee investigates the claims made by “Sp1d3r”, the threat actor has been responsible for several recent breaches, which includes many customers of third-party cloud data storage vendor Snowflake. On June 1, “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes, and other information. The same threat actor was responsible for the data breach at American automobile aftermarket component supplier Advance Auto Parts, Inc. The attacker “Sp1d3r” claimed to have stolen three terabytes of customer data from the company’s Snowflake cloud storage and was selling the data for US$1.5 million. In its report, the company stated that the cyberattack could create damages up to $3 million. The Jollibee Cyberattack is a stark reminder of the vulnerabilities of the digital world, where even the largest and most established companies could become victims of notorious data hackers. Customers should stay vigilant and follow any further guidance provided by Jollibee and cybersecurity professionals. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Python Developers Targeted Via Fake Crytic-Compilers Package
As per recent reports, cybersecurity experts uncovered a troubling development on the Python Package Index (PyPI) – a platform used widely by developers to find and distribute Python packages. A malicious package named ‘crytic-compilers‘ was discovered, mimicking the legitimate ‘crytic-compile’ library developed by Trail of Bits. This fraudulent package was designed with sinister intent: to […]
The post Python Developers Targeted Via Fake Crytic-Compilers Package appeared first on TuxCare.
The post Python Developers Targeted Via Fake Crytic-Compilers Package appeared first on Security Boulevard.
- Cybersecurity News and Magazine
- CDK Global Struck By Second Cyberattack While Investigating Incident
CDK Global Struck By Second Cyberattack While Investigating Incident
Incident Extends CDK Global Systems Outage
After the initial attack, CDK Global shut down most of its systems on Wednesday, while working to investigate the incident and restore systems. "We are actively investigating a cyber incident.," the company said. "Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible.” Later on the same day, the software firm managed to restore systems involved with its core DMS and Digital Retailing activities. In a statement to the Cyber Express, a spokesman from CDK Global said:“As we’ve communicated previously, we are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing and consulted with external third-party experts. With the work done so far, our core DMS and Digital Retailing solutions have been restored. We are continuing to conduct extensive tests on all other applications, and we will provide updates as we bring those applications back online. Our first priority is always the security of our customers, and our actions reflect our obligation to them as a trusted partner.”However, this restoration was short-lived, as the firm experienced a subsequent cyberattack on the same day:
“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems. In partnership with third party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.”According to CNN, sources appeared to confirm that the outage could last for several days in light of the second cyberattack. The CDK Global outage makes information related to sales deals, negotiations and customer appointments inaccessible by salespeople who work at affected dealerships.
Incident Comes Ahead of Summer Sales Season
The incident has caused concerns among dealers who anticipate business during the summer months. “This is where we need systems functioning,” stated Jeff Ramsey, an executive with Ourisman Auto Group which operates various dealerships. This had led to dealers switching to alternative methods to handle sales such as hand-written notes of buyer's orders. Brian Benstock, general manager of Paragon Honda and Paragon Acura, stated, “My selling team can hand-write a buyer’s order.” Companies such as Kia, Toyota and Stellantis and Ford have also been working on alternate ways to handle customer services due to the CDK outage. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- From Espionage to Ransomware: Rafel RAT’s Impact on Android Security
From Espionage to Ransomware: Rafel RAT’s Impact on Android Security
The Relation Between APT-C-35 and Rafel RAT
Recent research by Check Point has uncovered instances of APT-C-35, also known as DoNot Team, leveraging Rafel RAT in their espionage operations. This discovery highlights the tool's versatility and effectiveness across different threat actor profiles and operational objectives. The group has been observed using Rafel RAT to conduct extensive espionage campaigns and targeting high-profile organizations, including those in the military sector. Analysis reveals approximately 120 distinct malicious campaigns associated with Rafel RAT, some of which have successfully targeted prominent organizations globally. Victims primarily hail from the United States, China, and Indonesia, with Samsung, Xiaomi, Vivo, and Huawei being the most affected device brands. Notably, a portion of targeted devices runs on unsupported Android versions, exacerbating security vulnerabilities due to the lack of essential security patches.Technical Insights and Modus Operandi
Rafel RAT employs sophisticated techniques to evade detection and execute malicious operations discreetly. Upon infiltration, the malware initiates communication with a command-and-control (C&C) server, facilitating remote data exfiltration, surveillance, and device manipulation. Its command set includes capabilities for accessing phone books, SMS messages, call logs, location tracking, and even initiating ransomware operations. Threat actors utilizing Rafel RAT operate through a PHP-based C&C panel, leveraging JSON files for data storage. This streamlined infrastructure enables attackers to monitor infected devices comprehensively, accessing crucial information such as device models, Android versions, geographical locations, and network operator details. Such insights empower threat actors to tailor their malicious activities and campaigns effectively.Emerging Threats and Mitigation Strategies
As Rafel RAT continues to evolve and proliferate, robust cybersecurity measures become imperative for Android users and enterprises alike. Effective strategies to mitigate risks include deploying comprehensive endpoint protection, staying updated with security patches, educating users about phishing and malware threats, and fostering collaboration across cybersecurity stakeholders. Rafel RAT exemplifies the nature of Android malware, characterized by its open-source nature, extensive feature set, and widespread adoption in illicit activities. Vigilance and proactive security measures are essential to safeguard against its threats, ensuring continued protection of user privacy, data integrity, and organizational security in an increasingly interconnected digital world.- Cybersecurity News and Magazine
- 2022 Optus Data Breach Could Have Been Averted Four Years Prior, Says Australian Telecom Watchdog
2022 Optus Data Breach Could Have Been Averted Four Years Prior, Says Australian Telecom Watchdog
Coding Error and API Mismanagement Led to Optus Data Breach
The ACMA claimed that Optus had access controls in place for the API but a coding error inadvertently weakened these controls allowing them to be bypassed. This error left the API vulnerable, especially since it was internet-facing and dormant for an extended period. The vulnerability was reportedly introduced through a coding error in September 2018 and was first noticed in August 2021. But this issue was only fixed for the main site – www.optus.com.au – and not the subdomain (likely api.www.optus.com.au) where the vulnerable API endpoint was hosted.“The coding error was not identified by Optus until after the cyberattack had occurred in mid-September 2022. Optus had the opportunity to identify the coding error at several stages in the preceding four years including: when the coding change was released into a production environment in September 2018; when the Target Domain (and the Main Domain) became internet-facing through the production environment in June 2020; and when the coding error was detected for the main domain in August 2021.” – ACMABut the company failed to do so causing alleged harm to more than one-third (approximately 36%) of the Australian population. The telco watchdog alleged that Optus’ failure to protect customer data constitutes a breach of its obligations under Australian law.
Optus’ Response to ACMA’s Allegations
Optus, in a statement to The Cyber Express, confirmed the vulnerability and provided details on the cyberattack. “The cyberattack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defenses that arose from a historical coding error,” said Interim CEO of Optus Michael Venter.“This vulnerability was exploited by a motivated and determined criminal as they probed our defenses, and then exploited and evaded these defenses by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data. The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.” – Michael Venter, Interim CEO of OptusVenter said following the 2022 Optus data breach, the company has reviewed and updated its systems and processes. It has invested in heightened cyber defenses to address the increased global cyber risk environment. The company expressed regret over the incident and emphasized its commitment to protecting customer data. “Our customers expected their information would remain safe. We accept that this did not happen, and the cyber attacker gained unauthorised access to some of their information,” Venter said. Optus suffered a major customer data breach in 2022 that gave malicious actors access to about 9.5 million former and current customers' sensitive information including names, birth dates, phone numbers, email addresses and, for a subset of customers (2,470,036), addresses and ID document numbers such as driver’s license or passport numbers. Of these, the hacker also released the personally identifiable information (PII) of 10,200 Optus customers on the dark web.
Deloitte Report Handed to the Federal Court
Post the hack, although the privacy commissioner and ACMC held detailed investigations, Optus itself commissioned an independent external review of the cyberattack. Despite attempts to keep the document confidential, the Australian federal court ordered Optus last month to file this report with the court, which is expected to provide crucial insights into the breach. “Optus is working with the ACMA and separately Slater and Gordon with the intention of providing them with a confidential version of the Deloitte Report that appropriately protects our customer data and systems from cybercriminals,” Venter told The Cyber Express. The forensic report prepared by Deloitte detailing the technical aspects of the breach was finally handed over to the federal court on Friday. The details revealed in this report will also be used in a separate class action against Optus.“Much to do to Fully Regain our Customers’ Trust”
Optus has acknowledged the breach’s impact on customer trust, with Venter expressing deep regret for the incident. Optus has reimbursed 20,071 current and former customers for the cost of replacing identity documents. The company is also covering costs incurred by government agencies related to the breach. Optus has pledged to cooperate with the ACMA’s investigation and defend its actions in court, aiming to correct any misconceptions and improve its cybersecurity measures.“Optus recognizes that we still have much to do to fully regain our customers’ trust and we will continue to work tirelessly towards this goal,” – Michael VenterThe Optus data breach highlights the critical importance of robust access controls and diligent monitoring of cybersecurity vulnerabilities. The incident serves as a cautionary tale for organizations worldwide to ensure comprehensive protection of sensitive data and maintain customer trust through proactive and transparent security practices. As the case progresses, it will provide further insights into the complexities of cybersecurity in the telecommunications sector and the measures necessary to prevent similar breaches in the future.
- Cybersecurity News and Magazine
- Phoenix SecureCore UEFI Flaw Exposes Intel Processors to ‘UEFIcanhazbufferoverflow'” Vulnerability
Phoenix SecureCore UEFI Flaw Exposes Intel Processors to ‘UEFIcanhazbufferoverflow'” Vulnerability
Decoding the UEFIcanhazbufferoverflow Vulnerability and its Impact
The affected Phoenix SecureCore UEFI firmware is utilized across multiple generations of Intel Core processors, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. Given the widespread adoption of these processors by various OEMs, the UEFIcanhazbufferoverflow vulnerability has the potential to impact a broad array of PC products in the market. According to Eclypsium researchers, the vulnerability arises due to an insecure variable handling within the TPM configuration, specifically related to the TCG2_CONFIGURATION variable. This oversight could lead to a scenario where a buffer overflow occurs, facilitating the execution of arbitrary code by an attacker. Phoenix Technologies, in response to the disclosure, promptly assigned CVE-2024-0762 to the UEFIcanhazbufferoverflow vulnerability and released patches on May 14, 2024, to mitigate the issue. The severity of the vulnerability is reflected in its CVSS score of 7.5, indicating a high-risk threat.The Importance of UEFI Architecture Security
In practical terms, the exploitation of UEFI firmware vulnerabilities like "UEFIcanhazbufferoverflow" highlights the critical role of firmware in device security. The UEFI architecture serves as the foundational software that initializes hardware and manages system runtime operations, making it a prime target for attackers seeking persistent access and control. This incident also highlights the challenges associated with supply chain security, where vulnerabilities in upstream components can have cascading effects across multiple vendors and products. As such, organizations are advised to leverage comprehensive scanning tools to identify affected devices and promptly apply vendor-supplied firmware updates. For enterprises relying on devices with potentially impacted firmware, proactive measures include deploying solutions to continuously monitor and assess device integrity. This approach helps mitigate risks associated with older devices and ensures ongoing protection against active exploitation of firmware-based vulnerabilities.- Cybersecurity News and Magazine
- Biden Bans Kaspersky for Good: How It Started and What It Means for Cybersecurity Companies in US
Biden Bans Kaspersky for Good: How It Started and What It Means for Cybersecurity Companies in US
US vs Kaspersky: A Timeline of Cybersecurity Actions
2017
September- The Trump Administration’s heightened scrutiny of Kaspersky began. The Department of Homeland Security (DHS) issued a Binding Operational Directive (BOD 17-01) that mandated removing and discontinuing Kaspersky products from all federal information systems. This directive followed mounting evidence suggesting that the Russian government could use Kaspersky’s products to infiltrate U.S. networks. December- The National Defense Authorization Act (NDAA) for Fiscal Year 2018 cemented these concerns into law by prohibiting the use of Kaspersky software across all federal agencies. This legislative action reflected a bipartisan consensus on the potential risks posed by the Russian firm.2022
March- The Federal Communications Commission (FCC) added Kaspersky to its “List of Communications Equipment and Services that Pose a Threat to National Security.” This action was part of a broader effort to secure the nation’s communications networks from foreign influence and control.2024
June - Today’s Final Determination by the BIS represents the culmination of a thorough investigation by the Office of Information and Communications Technology and Services (OICTS). This office, established to assess whether certain information and communications technology (ICT) transactions pose unacceptable national security risks, has found Kaspersky’s operations in the U.S. untenable.US Banning Kaspersky: The Context and Implications of BIS’s Final Determination
The BIS’s decision comes after a comprehensive investigation revealed that Kaspersky’s operations in the United States posed an undue or unacceptable national security risk. The key concerns highlighted include:- Jurisdiction and Control by the Russian Government: Kaspersky is subject to Russian laws requiring cooperation with intelligence agencies. This legal framework gives the Russian government potential access to data managed by Kaspersky’s software. Therefore, Kaspersky is subject to Russian laws, requiring it to comply with requests for information that could compromise U.S. national security.
- Access to Sensitive Information: Kaspersky’s software has extensive administrative privileges over customer systems, creating opportunities for data exploitation.
- Potential for Malicious Activities: Kaspersky could theoretically introduce malware or withhold crucial security updates, compromising U.S. cybersecurity.
- Third-Party Integrations: Integrating Kaspersky products into third-party services further complicates the risk, as the source code might be obscured, increasing vulnerability in critical U.S. systems.
Transition Period and Recommendations
While users won’t face legal penalties for continued use of Kaspersky products during this period, they assume all associated cybersecurity risks. This grace period is crucial for minimizing disruptions and ensuring a smooth transition to secure alternatives. The Department of Commerce, along with DHS and DOJ, is actively working to inform and assist users in transitioning to alternative cybersecurity solutions. “The actions taken today are vital to our national security and will better protect the personal information and privacy of many Americans. We will continue to work with the Department of Commerce, state and local officials, and critical infrastructure operators to protect our nation’s most vital systems and assets,” said Secretary of Homeland Security Alejandro N. Mayorkas. runZero, meanwhile, released tools to detect Kaspersky products on in most Windows installations, which also work with the company's free community edition.Historical Background: From Trump to Biden
The determination against Kaspersky is part of a broader U.S. strategy to safeguard its information and communications technology infrastructure. The roots of this policy can be traced back to Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain,” which empowers the Commerce Department to evaluate and act against risks posed by foreign ICTS transactions. The scrutiny of Kaspersky began during the Trump administration, amid growing concerns about Russia's cyber capabilities and potential espionage activities. The Trump-era directives and legislative actions laid the groundwork for stricter controls, reflecting a bipartisan consensus on the threat posed by foreign cyber interference. Under the Biden administration, the approach has evolved into a more comprehensive and coordinated effort. The establishment of the OICTS within BIS and the issuance of the Final Determination represents a significant escalation in the U.S. government's efforts to protect its digital infrastructure. The Biden administration's emphasis on a “whole-of-government” strategy underscores the critical importance of cybersecurity in national defense. The U.S. government has taken a coordinated approach to implementing this determination. Commerce Secretary Gina Raimondo emphasized the commitment to national security and innovation, stating that this action is a clear message to adversaries. “Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information, and we will continue to use every tool at our disposal to safeguard U.S. national security and the American people. Today’s action, our first use of the Commerce Department’s ICTS authorities, demonstrates Commerce’s role in support of our national defense and shows our adversaries we will not hesitate to act when they use their technology poses a risk to the United States and its citizens,” said Raimondo.The Future of U.S. Cybersecurity Policy
The inclusion of Kaspersky and related entities on the Entity List highlights the U.S. government’s proactive stance. This list, maintained under the Export Control Reform Act of 2018, identifies entities engaged in activities contrary to U.S. national security interests. Additions to this list involve rigorous interagency review, ensuring that actions are based on concrete, specific evidence of risk. “With today’s action, the American cyber ecosystem is safer and more secure than it was yesterday,” said Under Secretary for Industry and Security Alan Estevez. “We will not hesitate to protect U.S. individuals and businesses from Russia or other malign actors who seek to weaponize technology that is supposed to protect its users.” As the September deadline approaches, businesses and individuals alike must stay informed and take necessary steps to secure their digital environments. The U.S. government's decisive action against Kaspersky highlights the critical importance of vigilance and proactive measures in the ever-evolving landscape of cybersecurity.- Cybersecurity News and Magazine
- Enhancing Security Measures: Overcoming Barriers to Single Sign-On (SSO) Adoption Among SMBs
Enhancing Security Measures: Overcoming Barriers to Single Sign-On (SSO) Adoption Among SMBs
Implementing Single Sign-On (SSO) into Small and Medium-sized Businesses (SMBs)
SSO simplifies access management by allowing users to authenticate once and gain access to multiple applications—a crucial feature for enhancing security postures across organizations. However, its adoption faces significant hurdles, primarily due to cost implications and perceived operational complexities. One of the primary challenges identified by CISA is pricing SSO capabilities as add-ons rather than including them in the base service. This "SSO tax" not only inflates costs but also creates a barrier for SMBs looking to bolster their security frameworks without incurring substantial expenses. By advocating for SSO to be a fundamental component of software packages, CISA aims to democratize access to essential security measures, positioning them as a customer right rather than a premium feature. Beyond financial considerations, the adoption of SSO is also influenced by varying perceptions among SMBs. While some view it as a critical enhancement to their security infrastructure, others question its cost-effectiveness and operational benefits. Addressing these concerns requires clearer communication on how SSO can streamline operations and improve overall security posture, thereby aligning perceived expenses with tangible returns on investment.Improving User Experience and Support
Technical proficiency poses another hurdle. Despite vendors providing training materials, SMBs often face challenges in effectively deploying and maintaining SSO solutions. The complexity involved in integrating SSO into existing systems and the adequacy of support resources provided by vendors are critical factors influencing adoption rates. Streamlining deployment processes and enhancing support mechanisms can mitigate these challenges, making SSO more accessible and manageable for SMBs with limited technical resources. Moreover, the user experience with SSO implementation plays a pivotal role. Feedback from SMBs indicates discrepancies in the accuracy and comprehensiveness of support materials, necessitating multiple interactions with customer support—a time-consuming process for resource-constrained businesses. Simplifying user interfaces, refining support documentation, and offering responsive customer service are essential to improving the adoption experience and reducing operational friction. In light of these updates, there is a clear call to action for software manufacturers. Aligning with the principles of Secure by Design, manufacturers should integrate SSO into their core service offerings, thereby enhancing accessibility and affordability for SMBs. By addressing economic barriers, improving user interfaces, and providing robust technical support, manufacturers can foster a more conducive environment for SSO adoption among SMBs.- Cybersecurity News and Magazine
- Cyberattack on Ascension Hospitals Led to Lapses in Patient Care Such As Wrongful Administration of Narcotics
Cyberattack on Ascension Hospitals Led to Lapses in Patient Care Such As Wrongful Administration of Narcotics
Ascension Hospitals Cyberattack Places Strain on Staff
"I had no training for this," said Marvin Ruckle, a neonatal ICU nurse at Ascension Via Christi St. Joseph in Wichita, Kansas, who nearly gave a baby the wrong dose of medication. Lisa Watson, a critical care nurse who works at the same hospital, says she almost administered the wrong drug to a critically ill patient because she couldn't scan it electronically. "My patient probably would have passed away," she said. Doctors and nurses across Ascension report relying on paper records, handwritten notes, faxes and basic spreadsheets to deliver care - many cobbled together in real time. An ER doctor in Detroit said a mix-up due to paperwork issues led a patient to receive the wrong narcotic and end up on a ventilator. In Baltimore, ICU nurse Melissa LaRue described narrowly avoiding giving an incorrect blood pressure medication dosage due to confusion from paperwork. Several clinicians said errors could threaten their licenses, but patient privacy laws prevented verifying their accounts. Ascension declined to address specific claims but said in a statement it is "confident that our care providers...continue to provide quality medical care."Ascension Hospitals' Staff Urge Changes
While federal regulations require safeguarding patient data, hospitals currently face no cyberattack preparation or prevention mandates. Experts regard health care as the top target for ransomware attacks, which are rising exponentially. Proposed regulations are pending, but timelines and requirements remain unclear. Nurses and doctors urging reforms at Ascension say cyberattacks should be treated similarly to natural disasters, with contingency plans that account for outages lasting weeks or longer. Many also echoed a plea for more staff support to shoulder the additional workload. "We implore Ascension," one Michigan clinician wrote, "to recognize the internal problems that continue to plague its hospitals, both publicly and privately, and take earnest steps toward improving working conditions for all of its staff." While the Biden administration has pushed for stronger cybersecurity standards in health care, the new requirements are still in development. Meanwhile, hospital industry lobbyists argue mandates could divert resources from cybersecurity efforts. These incidents prove that patients may ultimately pay the price when hospitals fall victim to cybercrime, while staff experience additional burden affecting routine practice and judgement. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Association of Texas Professional Educators Reports Data Breach Affecting Over 414,000 Members
Association of Texas Professional Educators Reports Data Breach Affecting Over 414,000 Members
Association of Texas Professional Educators Data Breach
On February 12, 2024, ATPE detected abnormal activity on its network, which led to a comprehensive forensic investigation. The investigation concluded on March 20, 2024, and found evidence that some of ATPE's systems had been accessed by an unauthorized user. Based on this finding, ATPE reviewed the affected systems to identify the specific individuals and types of information that may have been compromised. The accessed information varied depending on when members joined:- For those who became members before May 15, 2021, the breach may have exposed names, addresses, dates of birth, Social Security numbers and medical records. Tax Identification Numbers could also possibly have been accessed if employers used them as identifiers.
- For members who received payments from ATPE via ACH transactions, financial account information could also have been accessed.
Response to Breach Incident and Credit Offering
Since discovery of the breach, ATPE stated that it has taken several steps to secure its systems, including:- Disconnecting all access to its network.
- Change of administrative credentials.
- Installation of enhanced security safeguards on ATPE's environment and endpoints.
- Restoration of ATPE's website in a Microsoft Azure hosted environment.
- Cybersecurity News and Magazine
- Apparent Ransomware Attack Halts Operations at Crown Equipment for Second Week
Apparent Ransomware Attack Halts Operations at Crown Equipment for Second Week
Crown Equipment Cyberattack Overview
Since approximately June 8th, Crown's employees reported a breach in the company's IT systems. This breach led to a complete shutdown of systems, preventing employees from clocking in their hours, accessing service manuals, and in some cases delivering machinery. In an internal email sent to employees, the heavy machinery manufacturer confirmed the cyberattack and advised employees to ignore multifactor authentication (MFA) requests and to be cautious of phishing emails."I currently work there. Everyone is scrambling, can't order parts except for TVH and that's strictly for emergencies. The company hasn't officially announced that it's been hacked but they keep pushing the importance of MFA. We can read between the lines." - Reddit User (Williams2242)The company in its press release revealed that the breach necessitated the shutdown of their operating systems to investigate and resolve the issue without giving details on the hackers and their ransom demand, if any.
Crown Equipment Attack Details
Crown disclosed that many of their security measures were effective in limiting data access by the criminals. However, the breach likely occurred due to an employee not adhering to data security policies that resulted in unauthorized access to their device, according to a Reddit post."I heard someone got a call from a hacker pretending to be IT. They installed a fake VPN on their computer and got access to everything. They created a privileged account on the network that gave them access all the systems. The network went down Sunday and it's been down since with no ETA." - Reddit User (DragonflyJust2223)This speculation suggests a social engineering attack where the threat actor installed remote access software on the employee's computer. BornCity, a website maintained by a German-speaking digital observer, first reported the possibility of a hack nearly a week ago. Citing a distant source who used to work at the manufacturing plant of Crown, BornCity said the problems were likely due to a 'coding bug.' "This had sent the Crown 360 (a service likely based on the Microsoft Cloud and Office 365) solution downhill – but I take that information not as reliable." Crown Equipment, however, did not confirm the speculation and thus the claims remain unverified.
Impact on Crown Equipment's Employees
Initially, Crown told employees they would need to file for unemployment or use their paid time off (PTO) and vacation days to receive pay for missed days. Last weekend, this directive was updated and the employees were asked to file for unemployment, after which several took to Reddit to vent their discontent."The fact that their not paying people for their mistake is straight bu****it. Crown pretends to be a family company but as soon as they need to support their "family" they shaft them. People need this money to live, while the owner can just sit back and chill with his multi-millions in the bank. Crown needs to take the hit and do the right thing." - Reddit UserAnother said: [caption id="attachment_78309" align="aligncenter" width="1024"] Source: Reddit[/caption] However, Crown later decided to provide regular pay as an advance, allowing employees to compensate for the lost hours later. Despite this adjustment, employees expressed frustration over the lack of transparency and communication from the company during the incident. Crown Equipment has reportedly engaged some of the world’s top cybersecurity experts and the FBI to analyze the affected data and manage the aftermath of the attack. The company emphasized that there were no indications that employee personal information or data that could facilitate identity theft was targeted. The company is now in the process of restoring systems and transitioning back to normal business operations. They are also working closely with customers to minimize the disruption's impact on their operations. Although Crown did not specify the type of cyberattack, their description suggests a ransomware attack by an international cybercriminal organization. If confirmed, this implies that corporate data was likely stolen and could be leaked if the ransom demands are not met. As Crown continues to recover from this significant disruption, the incident serves as a reminder for companies worldwide to strengthen their cybersecurity protocols, including isolating critical workloads, invest in employee training to prevent social engineering attacks, and establish effective communication strategies for managing cyber incidents.
- Cybersecurity News and Magazine
- Several Chinese APTs Have Been Targeting Telecommunications of Asian Country Since 2021
Several Chinese APTs Have Been Targeting Telecommunications of Asian Country Since 2021
Malware Variants Used in Chinese Espionage Campaign
Researchers from Symantec observed the use of several custom malware linked to China-based threat actors, including:- Coolclient: A backdoor used by the Fireant group that logs keystrokes and communicates with command servers. The campaign utilized a version delivered via a trojanized VLC media player. It is linked to the Fireant group, also known as Mustang Panda or Earth Preta.
- Quickheal: A backdoor associated with the Needleminer group, also known as RedFoxtrot or Nomad Panda. The variant used in the campaign was nearly identical to those documented in 2021. It communicated with a command server at swiftandfast[.]net.
- Rainyday: A backdoor tied to the Firefly group, also known as Naikon. Multiple variants were deployed using trojanized executables to sideload malicious loaders and decrypt payloads. At least one loader variant matched those linked to Firefly in 2021.
Campaign Motives and Attribution
The custom malware exclusively used by Fireant, Needleminer and Firefly provides strong evidence that this campaign involves Chinese state-sponsored groups. Firefly has been linked to a Chinese military intelligence unit by the U.S.-China Commission. The level of coordination between the groups involved is unclear but possibilities include independent action, personnel/tool sharing, or active collaboration. The ultimate motives behind the hacking campaign remain uncertain. Potential objectives include intelligence gathering on the telecommunications sector, eavesdropping on voice and data communications, or developing disruptive capabilities against critical infrastructure. To protect against these threats, telecom operators and other organizations should ensure they have the latest protection updates and implement robust security measures to detect and block malicious files. The researchers shared several Indicators of compromise and file hashes to help defenders detect against the campaign. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- Cybersecurity News and Magazine
- Kraken vs Certik: A Dispute Over a $3 Million Zero-Day and Bug Bounty Ethics
Kraken vs Certik: A Dispute Over a $3 Million Zero-Day and Bug Bounty Ethics
Accusations from Kraken
Nick Percoco, Kraken's chief security officer, took to social media platform X (formerly known as Twitter) to accuse an unnamed security research firm of misconduct. According to Percoco, the firm - later revealed to be Certik - breached Kraken’s bug bounty program rules. Instead of adhering to the established protocol of promptly returning extracted funds and fully disclosing bug transaction details, Certik allegedly withheld the $3 million and sought additional compensation, Percoco claimed. Percoco claimed that "the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets." He said that after contacting the researchers, instead of returning the funds they "demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!" Percoco said that in the decade-long history of Kraken’s bug bounty program, the company had never encountered researchers who refused to follow the rules. The program stipulates that any funds extracted during bug identification must be immediately returned and accompanied by a proof of concept. The researchers are also expected to avoid excessive exploitation of identified bugs. The dispute escalated as Certik reportedly failed to return the funds and accused Kraken of being “unreasonable” and unprofessional. Percoco responded that such actions by security researchers revoke their “license to hack” and classify them as criminals.“As a security researcher, your license to “hack” a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your “license to hack”. It makes you, and your company, criminals.”
Certik's Response to Kraken
Following Kraken’s public accusations, Certik disclosed its involvement and countered Kraken’s narrative by accusing the exchange of making unreasonable demands and threatening its employees. Certik claimed Kraken demanded the return of a “mismatched” amount of cryptocurrency within an unfeasible timeframe without providing necessary repayment addresses. The company provided an accounting of its test transactions to support its claims. Certik shared its intent to transfer the funds to an account accessible to Kraken despite the complications in the requested amount and lack of repayment addresses.“Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access.” - CertiK
CertiK’s Take on Kraken’s Defense Systems
Certik defended its actions and instead highlighted the inadequacy of Kraken’s defense systems. The firm pointed out that the continuous large withdrawals from different testing accounts, which were part of their testing process, should have been detected by Kraken’s security measures. Certik questioned why Kraken’s purportedly robust defense systems failed to identify such significant anomalies. “According to our testing result: The Kraken exchange failed all these tests, indicating that Kraken’s defense in-depth-system is compromised on multiple fronts. Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.” - CertiK The blockchain security firm said the fact behind their white hat operation is that “millions dollars of crypto were minted out of air, and no real Kraken user’s assets were directly involved” in these research activities. The firm also said that the dispute with the cryptocurrency exchange is actually shifting focus away from a more severe security issue at Kraken. “For several days, with many fabricated tokens generated and withdrawn to valid cryptos, no risk control or prevention mechanisms were triggered until reported by CertiK,” it said. “The real question should be why Kraken’s in-depth defense system failed to detect so many test transactions.” Regarding the money siphoned, Certik said, “Continuous large withdrawals from different testing accounts was a part of our testing.” With an aim of transparency, the security firm disclosed details of all testing deposit transactions and the timeline of how the bug bounty saga played out on X. [caption id="attachment_78192" align="aligncenter" width="698"] Timeline of the Kraken vs CertiK zero-day and bug bounty dispute (Source: CertiK on platform X)[/caption]Disclosure of Product Flaws Treads a Fine Line
The news of the escalated dispute comes on the heels of another incident where a white hat hacker - after following bug bounty ethics - was threatened by the legal team of the company to “cease and desist.” Andrew Lemon, an offensive security expert, responsibly reported a critical vulnerability to an unnamed company that manufactured and sold a traffic control system. The vulnerability allowed a remote unauthenticated attacker to bypass security and gain full control of a traffic controller, giving them the ability to changing stoplights and modify traffic flow, Lemon explained in a LinkedIn post. But to Lemon’s surprise, instead of acknowledging and addressing the bug with the engineering team, its legal team threatened to sue him under the Computer Fraud and Abuse Act. “I Received a letter from a company's legal team instead of engineering after responsibly disclosing a critical vulnerability in a traffic control system I purchased from eBay,” he said. “The company's response? In order for them to acknowledge the vulnerability, hardware must be purchased directly from them or tested with explicit authorization from one of their customers, they threatened prosecution under the Computer Fraud and Abuse Act, and labeled disclosure as irresponsible, potentially causing more harm.” Security Engineer Jake Brodsky responded saying, “Legally they're not wrong for writing such a letter or even bringing a court case against the researcher. However, ethically, because it pits professional organizations against each other for no good reason, it is problematic.” Disclosure of product flaws treads a very fine line. On the one hand, nobody likes the publicity that follows. On the other hand, if nobody says anything, the only way we can improve is in the aftermath of an investigation where fortunes are lost and people get hurt.Implications for the Bug Bounty Ecosystem
The Kraken-Certik dispute and the one highlighted by Andrew Lemon raises critical questions about the operational dynamics and ethical boundaries within bug bounty programs. These programs are designed to incentivize security researchers to identify and report vulnerabilities, offering financial rewards for their efforts. However, these cases reveal potential pitfalls when communication and mutual understanding between parties break down. The ethical framework of bug bounty programs relies on clear rules and mutual trust. Researchers must adhere to the program’s guidelines, including the immediate return of any extracted funds and full disclosure of their findings. On the other hand, companies must provide clear instructions and maintain professional interactions with researchers. There is a need for well-defined protocols and communication channels between companies and researchers. Ensuring transparency and clarity in expectations can prevent misunderstandings and conflicts, fostering a more cooperative environment for cybersecurity improvements.- Cybersecurity News and Magazine
- CISA Releases 2024 SAFECOM Guidance: Boosting Emergency Communications Nationwide
CISA Releases 2024 SAFECOM Guidance: Boosting Emergency Communications Nationwide
The New CISA SAFECOM Guidelines
The new SAFECOM guidelines help state, local, tribal, and territory governments secure federal money for crucial emergency communications projects is its main goal. Billy Bob Brown, Jr., Executive Assistant Director for Emergency Communications at CISA, stated: "The SAFECOM Guidance on Emergency Communications Grants is an essential resource that supports our collective efforts to strengthen the resilience and interoperability of emergency communications nationwide." The guidance aims to provide a seamless experience to governments and agencies while also receiving new updates every year. These updates include new developments in technology and online risk management. It guarantees that grantees have access to the most recent guidelines and specifications required to construct reliable, safe, and compatible communication networks. By adhering to these standards, recipients can maximize government funding by ensuring that investments align with both national and community interests. "Incorporating SAFECOM Guidance into project planning not only enhances funding prospects but also strengthens the overall emergency response capabilities of our communities," Brown said. The document encourages stakeholders to adopt best practices in the planning, organizing, and execution of emergency communications projects to foster a uniform strategy across all governmental levels and public safety groups.SAFECOM and Federal Agencies
Federal organizations such as the Office of Management and Budget and the Department of Homeland Security have acknowledged the SAFECOM Guidance as a vital resource since its establishment. Grant candidates are encouraged to utilize the SAFECOM Guidance to ensure that their projects are in line with state, local, tribal, or territorial emergency communications strategies. To address the diverse needs of public safety organizations and communities, the research places a strong emphasis on the integration of new technologies, cybersecurity measures, and interoperable communication systems. Through the SAFECOM website, CISA offers resources and information on comprehending federal grant criteria to further assist stakeholders. The team is still dedicated to helping applicants create thorough plans that both satisfy funding requirements and improve emergency infrastructure's overall resilience.- Cybersecurity News and Magazine
- Advance Auto Parts Confirms Data Breach in SEC Filing; Reports Losses Around $300,000