Cybersecurity: 8 July 2024

Did Russia Cyber Army Team Target Liechtenstein Telecom? Website Down, Cause Unclear


The Russian Cyber Army Team has claimed responsibility for targeting the website of Telecom Liechtenstein. The group announced the alleged attack in a post declaring: "Good morning Cyber Army! Let's send a small and modest greeting to Liechtenstein from our team. Let's start with the provider." When The Cyber Express Team tried to load Telecom Liechtenstein's official website, it received an HTTP 504 (Gateway Timeout) response and the site was unavailable. A 504 means the front-end server or proxy did not get a timely reply from the upstream server it forwards requests to. That is consistent with a backend overwhelmed by a denial-of-service attack, but equally with an ordinary outage or a misconfiguration, so the status code on its own says nothing about the cause. The Cyber Express Team attempted to reach Telecom Liechtenstein to verify the claim but could not find a direct contact, and is still trying to establish one.

Image: Liechtenstein cyberattack (Source: X)

Liechtenstein Cyberattack: Potential Technical Issues

The downtime could just as easily be a technical fault, and without any official communication from Telecom Liechtenstein the cause cannot be confirmed. It also bears noting what was claimed: the post refers to the provider's website, and a website outage, even one caused by a denial-of-service attack, does not by itself mean that telephony or internet services, internal networks, or customer data were affected. Should the Russian Cyber Army's claim be substantiated and extend beyond the website, the implications could be significant. A successful attack on a major telecom provider could disrupt essential services, compromise sensitive data, and expose weaknesses in the country's digital infrastructure, with knock-on effects for the businesses and services that rely on its network. The claim fits a larger pattern of attacks attributed to pro-Russian groups, which have been increasingly active against targets worldwide. Their motivations range from political to economic, and the attacks serve to showcase the groups' capabilities while spreading fear and uncertainty.

To Wrap up

As of now, the claim by the Russian Cyber Army remains unverified. The Cyber Express Team continues to monitor the situation closely and is actively trying to get in touch with Telecom Liechtenstein for an official response. This story is developing, and The Cyber Express Team is committed to providing updates to its readers as more information becomes available.

NHS ‘Highly Vulnerable’ to Cyberattacks After Major Ransomware Hit, Experts Warn


A leading cybersecurity expert has issued a warning that the National Health Service (NHS) remains highly vulnerable to cyberattacks unless significant updates are made to its computer systems. This comes in the wake of a major ransomware attack that has severely disrupted healthcare services across London. Professor Ciaran Martin, the founding CEO of the UK's National Cyber Security Centre (NCSC), shared his concerns in an interview with the BBC. "I was horrified, but not completely surprised. Ransomware attacks on healthcare are a major global problem," Prof. Martin stated. Despite NHS England’s investment of £338 million over the past seven years to enhance cybersecurity resilience, Prof. Martin’s warnings suggest that more urgent and extensive actions are necessary to protect the NHS from future threats. On June 3, 2024, a cyberattack targeted Synnovis, a pathology testing organization, severely affecting services at Guy's, St Thomas', King's College, and Evelina London Children's Hospitals. NHS England declared it a regional incident, resulting in the postponement of 4,913 acute outpatient appointments and 1,391 operations. The cyberattack raised significant data security concerns and has been described as one of the most severe cyber incidents in British history.

The Attackers and Their Demands

The Russia-based hacking group Qilin, believed to be part of a Kremlin-protected cyber army, claimed responsibility for the attack. It demanded a £40 million ransom, which the NHS refused to pay, and the group then published stolen data on the dark web, reflecting a growing trend of Russian cybercriminals targeting healthcare systems worldwide. Prof. Martin, now a professor at the University of Oxford, highlighted three critical issues facing NHS cybersecurity: outdated IT systems, the need to identify vulnerable points, and the importance of basic security practices. "In parts of the NHS estate, it's quite clear that some of the IT is out of date," he noted. He emphasized the necessity of identifying "single points of failure" in the system and implementing better backups. Improving basic security measures could significantly hinder attackers. "Those little things make the point of entry quite a lot harder for the thugs to get in," Prof. Martin added.

Front-line Staff Concerns

Concerns among front-line staff are mounting in the wake of the recent cyberattacks. Many have pointed to outdated equipment and a lack of unified systems as major vulnerabilities. A senior intensive care doctor in London remarked, "The NHS is vulnerable. It's a patient safety issue, but there's no interest in addressing it." An A&E consultant in north London highlighted the use of "decade-old computers and Windows 7," noting that systems crash "every few months." A junior doctor expressed concerns over the risks posed by outdated equipment and the impact of privatization. "Old computers pose a security risk for patient data. The Synnovis incident shows how vulnerable we are," the doctor said. A senior orthopedic surgeon described the fragmented nature of NHS IT systems, where a patient's X-ray in one hospital cannot be accessed in another. "It's shocking and worrying for cybersecurity," he said. Dr. Daniel Gardham from the Surrey Centre for Cyber Security echoed Prof. Martin's concerns, emphasizing the link between outdated systems and cyberattacks. "If you have old computers, then simply put, there's going to be unpatched vulnerabilities," Dr. Gardham explained. He stressed that while sophisticated attacks do occur, many breaches result from basic security oversights. "It could be something really, really, simple and actually most likely it is something very, very, simple. It would be one person, perhaps, that had a weak password or left their computer unattended in a cafe."

NHS England’s Response

An NHS England spokesperson told the BBC, "We are increasing cyber resilience across the NHS and over £338 million has been invested over the past seven years to help keep health and care organizations as safe as possible. Our ambitious Cyber Improvement Programme will support the NHS to respond to the changing cyber threats, expand protection, and reduce the risk of a successful attack." As cyber threats continue to evolve, the NHS must prioritize these updates to safeguard patient data and ensure the continuity of critical healthcare services. The collective insights from cybersecurity experts and front-line staff highlight the pressing need for immediate and sustained action to protect the NHS from future cyber threats.

Unconfirmed: NoName Targets Denmark & Finland in Retaliation for NATO Support


The pro-Russian hacktivist group NoName, known for distributed denial-of-service campaigns against websites rather than for ransomware, has allegedly launched cyberattacks on MitID, the Finland Chamber of Commerce, and OP Financial Group. The group announced the actions in a post framing them as retaliation for Denmark's and Finland's recent military and infrastructure initiatives in support of NATO. In a post mixing defiance and threat, NoName stated: "Denmark has trained the first 50 Ukrainian specialists in servicing F-16 fighter jets, Commander of the Danish Air Force Jan Dam said in an interview with TV2. Most of the specialists have already returned to Ukraine to prepare for the reception of F-16s at local air bases. The training of the first group of Ukrainian pilots continues in Denmark." The message did not stop at Denmark. It continued with a pointed statement about Finland's recent activities: "Finland has begun repairing roads and bridges in Lapland to prepare for the deployment of NATO troops on its territory. ERR.EE reports on its change of stance on NATO forces and planned infrastructure work." NoName concluded with a chilling warning: "As you can see, the Russophobic authorities of these countries have not learned the lessons of the past. Therefore, we decided to clearly show what such initiatives lead to."

Images: NoName's posts announcing the attacks (Source: X)

Background of the Allegedly Targeted Companies

MitID: MitID is Denmark's digital identification system, the successor to NemID. It is an essential component of Denmark's digital infrastructure, allowing citizens and businesses to access public and private services securely. An attack on this system could disrupt countless services and erode trust in the nation's digital security. Finland Chamber of Commerce: The Finland Chamber of Commerce plays a central role in supporting Finnish businesses, fostering economic growth, and promoting international trade. A cyberattack on it could aim to destabilize economic activity and undermine business confidence. OP Financial Group: As Finland's largest financial services group, OP Financial Group offers services ranging from banking to insurance. An attack here could affect millions of customers, disrupt financial transactions, and cause significant economic damage. When The Cyber Express Team accessed the official websites of the named organizations, all appeared fully functional, with no sign of foul play. For a group whose attacks are typically DDoS, that is weak evidence either way: such outages are usually short-lived, so a brief disruption may have ended before the check, or may never have happened at all. To verify further, The Cyber Express Team reached out to the named organizations. As of the time of writing, no official response has been received, and the claim remains unverified.

The Reason Behind NoName Attack

NoName's own statement ties the timing and choice of targets to recent developments in Denmark's and Finland's military and infrastructure commitments to NATO, particularly their support for Ukraine in its ongoing conflict with Russia. Denmark's training of Ukrainian specialists in F-16 fighter jet maintenance marks a significant step in bolstering Ukraine's military capabilities. This initiative underscores Denmark's commitment to supporting Ukraine, which has faced sustained Russian aggression since the 2014 annexation of Crimea and the 2022 invasion. Finland's decision to repair roads and bridges in Lapland for NATO troop deployment signals a notable shift in its defense strategy. Since joining NATO, Finland has taken several steps to align its infrastructure and military readiness with NATO standards, a move likely aimed at deterring Russian aggression in the region.

To Sum Up

NoName's actions exemplify the increasing use of cyber warfare as a tool for political and military coercion. These attacks are designed to cause immediate disruption and send a message of deterrence and retaliation. Targeting critical national infrastructure and prominent institutions highlights the vulnerabilities modern societies face in the digital age. The cyber attacks claimed by NoName against Danish and Finnish institutions remain unverified. The Cyber Express Team is closely monitoring the situation and will update its readers as more information or responses from the allegedly targeted companies become available. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Haylem, Un Museau Vaut Mille Mots, Lexibar Hit by Space Bears Ransomware: Patient Data, Financial Info Exposed?


The notorious Space Bears ransomware group has allegedly targeted three prominent Canadian entities, compromising substantial volumes of sensitive data. The victims—Haylem, Un Museau Vaut Mille Mots, and Lexibar—have had details about their breaches posted on a dark web forum by the ransomware group, heightening concerns over data privacy and security.

Details of Space Bears Ransomware Attack Victim

The first victim named by Space Bears is Haylem, a software development company based in Terrebonne, Quebec, known for educational tools that assist people with learning disabilities. The group has threatened to release sensitive data, including financial reports, databases, and personal information of both employees and clients, within the next 5-6 days.

Image: Space Bears listing for Haylem (Source: ransomlook.io)

The second target is Un Museau Vaut Mille Mots, a speech-language therapy (orthophonie) clinic in Terrebonne, Quebec, associated with Haylem and delivering its services with Haylem's technologies. The group says it will disclose sensitive data from the clinic, including patient histories and personal information, within the same 5-6 day window.

Image: Space Bears listing for Un Museau Vaut Mille Mots (Source: ransomlook.io)

Lastly, Lexibar, a product developed by Haylem and widely used in French-language schools and specialized clinics for treating language disorders, is also listed. The group claims it will publish financial reports, databases, and personal information of employees and clients within 5-6 days, which would also affect the students and patients who depend on Lexibar for their learning and treatment. The three listings are closely related: Lexibar is a Haylem product and the clinic is associated with Haylem, so all three may stem from a single intrusion into Haylem's environment rather than three separate breaches.

Image: Space Bears listing for Lexibar (Source: ransomlook.io)

Verification Efforts and Current Status

In an attempt to verify the claims made by the Space Bears ransomware group, The Cyber Express Team accessed the official websites of the targeted companies. The websites of Haylem, Un Museau Vaut Mille Mots, and Lexibar were fully functional, with no immediate signs of foul play. A functional website is weak evidence here, though: data-extortion listings of this kind concern files the group claims to have copied, and such theft does not usually affect the availability of a public website. The Cyber Express Team has also reached out to officials of the targeted companies for comment on the alleged breaches, but as of the writing of this report no official response has been received, and the claims remain unverified.

Potential Implications if Claims Are Verified

If the claims made by the Space Bears ransomware group prove true, the implications could be far-reaching. Exposure of sensitive data from Haylem, Un Museau Vaut Mille Mots, and Lexibar could lead to financial losses, reputational damage, and legal consequences for the affected companies. For Haylem, a breach could undermine its position as a trusted provider of educational tools, affecting its client base and market share. For Un Museau Vaut Mille Mots, the release of patient data could cost it the trust of its patients and expose it to legal action for violating privacy law. A breach of Lexibar's data could disrupt educational and clinical services, affecting the progress and treatment of the many individuals who rely on the tool. The Space Bears claims are a reminder of the growing threat posed by cybercriminals. The Cyber Express Team will continue to monitor the situation closely and provide updates as more information becomes available.

Free Tickets? Fraud Alert: Hackers Leak Taylor Swift’s ERAS Tour Barcodes Targeting Ticketmaster


A cybercriminal group calling itself Sp1d3rHunters has allegedly leaked 170,000 barcodes that it says are valid for Taylor Swift ERAS Tour events. The barcodes, which the group claims can be used for entry at upcoming concerts in Miami, New Orleans, and Indianapolis, were allegedly released online for free. The hackers, known for previous high-profile breaches, have demanded US$2 million from Ticketmaster and threaten to release more sensitive data if the demand is not met. They put the value of the threatened leaks at $4.67 billion.

Taylor Swift ERAS Tour Barcodes Breach: Details and Implications

Sp1d3rHunters, a name combining those of two well-known threat actors, ShinyHunters and Sp1d3r, has claimed responsibility for the leak and warns that the ERAS Tour barcodes are just the beginning. If the ransom demand is not met, the group threatens to release 30 million more event barcodes and the information of 680 million users, covering tickets for events featuring artists such as P!nk and Sting as well as major sporting events including Formula 1 racing, MLB, and NFL games. If the leaked barcodes really work at the gate, they could allow unauthorized entry for thousands of people, leading to overcrowded venues, safety hazards, and financial losses for fans and organizers alike. Sp1d3rHunters has also announced plans to release another celebrity-related leak next week, adding urgency to the situation. The Cyber Express Team has reached out to Ticketmaster to verify the claim, but as of now no response has been received. The claim therefore remains unverified, though the potential impact is severe.

Image: Taylor Swift ERAS Tour barcode breach (Source: X)

Ticketmaster Previous Breaches and Ongoing Threats

The Ticketmaster data breach first came to light on May 27, 2024, when an individual using the alias "SpidermanData" claimed to have infiltrated Ticketmaster Entertainment, LLC, potentially exposing sensitive data of approximately 560 million users, including card details. Shortly after, on May 29, the hacker group ShinyHunters disclosed that it had targeted Live Nation Entertainment, Inc., Ticketmaster's parent company. ShinyHunters claimed to hold a substantial cache of data, including customer profiles, ticket sales details, and partial credit card information, reportedly 1.3 terabytes in all, and offered it for sale at $500,000. That listing also described a database of "560M Users + Card Details," matching the earlier "SpidermanData" claim. Live Nation later confirmed "unauthorized activity" on its database. In a filing with the U.S. Securities and Exchange Commission (SEC), Live Nation disclosed that a criminal actor had offered purported company user data for sale on the dark web. A Ticketmaster spokesperson said the stolen database had been hosted with the cloud storage and analytics company Snowflake. Snowflake stated that it had informed a "limited number of customers who we believe may have been impacted" by attacks "targeting some of our customers' accounts," but did not describe the nature of the attacks or confirm whether data had been stolen from customer accounts.

To Wrap Up

The Sp1d3rHunters' leak of 170,000 Taylor Swift ERAS Tour barcodes marks a critical moment in the ongoing battle against cybercrime. The substantial ransom demand and the threat of further data exposure highlight the vulnerabilities in the digital infrastructure of the event ticketing industry. This continuous threat cycle poses a significant challenge for Ticketmaster and other event organizers, who must now operate under the constant threat of further breaches. Fans are advised to stay vigilant and monitor official channels for updates. Those who have already purchased tickets should verify their authenticity through Ticketmaster's official verification processes to avoid falling victim to fraudulent activities. The Cyber Express team will continue to monitor this developing story, providing updates as more information becomes available.

BianLian Ransomware Hits Major US Companies, Potentially Exposes Sensitive Data


The BianLian ransomware group has allegedly carried out cyberattacks against three US companies, claiming to have taken substantial volumes of sensitive data. The named victims, Island Transportation Corp., Legend Properties Inc., and Transit Mutual Insurance Corporation of Wisconsin, have had details of the alleged breaches posted on the group's dark web leak site. The listings underline the threat ransomware and data-extortion groups pose to critical sectors across the United States.

Alleged Victims of BianLian Ransomware Attack

The first victim listed by BianLian is Island Transportation Corp., one of the largest bulk carriers in the United States, specializing in the petroleum industry. Founded in 1952, Island Transportation Corp. has a long-standing reputation for reliability and efficiency in transporting petroleum products across the country. BianLian claims to have obtained 300 GB of organizational data, including business information, accounting records, project files, data from network users' folders, file server data, and personal data. The listing describes data taken from the network; it says nothing about systems being encrypted, and the full extent of the alleged intrusion is still unknown. The second target is Legend Properties Inc., a well-established full-service commercial real estate and brokerage firm. Founded in 1990, Legend Properties serves clients across eastern and central Pennsylvania, New Jersey, and Delaware. BianLian claims to have obtained 400 GB of its data, covering business information, accounting data, project details, data from network users' folders, file server data, and personal information. Transit Mutual Insurance Corporation of Wisconsin, an insurance provider, is the third company listed; BianLian claims 400 GB of its organizational data, again comprising business information, accounting records, project files, data from network users' folders, file server data, and personal data.

Image: BianLian ransomware attack listing (Source: X)

Verification and Company Responses

To verify the claims, The Cyber Express Team attempted to access the official websites of the targeted companies. Island Transportation Corp.'s website was fully functional, while the websites of Legend Properties Inc. and Transit Mutual Insurance Corporation of Wisconsin were inaccessible and displayed an access-blocked message. A blocking page of that kind can reflect a geographic or web application firewall restriction as easily as an incident response measure, so it is not by itself evidence of compromise.

Image: access-blocked message on the official website of Legend Properties Inc. (Source: screenshot)

The Cyber Express Team has also reached out to officials of the targeted companies for comment, but no contact information was accessible at the time of writing. Efforts to reach representatives are ongoing, and any updates will be included in future reports.

What if the BianLian Ransomware Claim Is Proven True?

If the claims of unauthorized access to and potential exposure of large volumes of data are proven true, the implications are significant. The breached data could be used for identity theft, financial fraud, and follow-on attacks against the companies' clients and partners, and public disclosure of such breaches can severely damage the affected companies' reputations and erode trust. BianLian's alleged attacks are a reminder of the persistent and evolving threat posed by cybercriminals. As businesses continue to rely on digital infrastructure, the need for comprehensive cybersecurity strategies has never been more critical. The Cyber Express Team will continue to monitor the situation and provide updates as more information becomes available.

Vintage Investment Partners Appoints Ilan Leiferman as Chief Value-Add Officer


Vintage Investment Partners, a global venture capital platform managing $4 billion in assets, has announced the appointment of Ilan Leiferman as Chief Value-Add Officer. Leiferman will lead Vintage's Value+ platform, bringing extensive experience from his nearly four-year tenure at Amazon Web Services (AWS), where he spearheaded business development for top-tier venture capitalists and startups and built AWS's global cybersecurity business practice for startups. Vintage's Value+ platform is a pivotal part of the firm's strategy to add value to the venture ecosystem. It leverages Vintage's extensive network, including over 4,000 venture funds and over 25,000 startups, to connect venture-backed technology startups with corporations seeking digital transformation support. The platform has facilitated over 280 purchase orders and paid proofs of concept for startups from global corporations, amounting to over $200 million in business.

Ilan Leiferman: Leadership Transition and Strategic Vision

Ilan Leiferman will be succeeding Orit Shilo, who will be relocating abroad after three impactful years at Vintage. Abe Finkelstein, Co-Managing Partner of Vintage, expressed enthusiasm about the leadership transition, stating, "Value+ is a critical component of Vintage's strategy of adding value to the ecosystem, and we are excited to have Ilan on board to enhance our focus on connecting startups and corporates as well as leveraging the power of Gen-AI to roll out new free services for funds and startups across the globe." Leiferman's expertise in fostering business development and his strategic vision for integrating advanced technologies like Gen-AI will be instrumental in expanding the Value+ platform's capabilities. This appointment is poised to enhance the platform's offerings, ensuring that it continues to be a vital resource for startups and corporations navigating their digital journeys. Leiferman's background at AWS, where he was responsible for developing business opportunities for leading VCs and startups, highlights his capability to drive innovation and growth within the venture ecosystem. His work in establishing AWS's global cybersecurity business practice for startups demonstrates his proficiency in addressing complex technological needs and creating impactful business solutions.

About Vintage Investment Partners

Vintage Investment Partners is a distinguished global venture platform that combines Secondary Funds, Growth-Stage Funds, and Fund-of-Funds. With $4 billion in assets under management across 15 active funds, Vintage has established itself as a significant player in the venture capital landscape. The firm's investments span leading venture funds and mid-to-late-stage startups, positioning it at the forefront of innovation and growth in the technology sector. As Orit Shilo transitions from her role at Vintage, the firm extends its gratitude for her contributions and wishes her success in her future endeavors. Her leadership over the past three years has been integral to the development and success of the Value+ platform. Looking ahead, Leiferman's appointment signals a new phase of growth and innovation for Vintage Investment Partners. The focus on leveraging Gen-AI and enhancing the platform's services reflects Vintage's dedication to staying at the cutting edge of technological advancement and providing unparalleled value to its stakeholders.

Australia Bets $2 Billion on ‘Top Secret’ AWS Cloud: Security Innovation or Dependence Dilemma?


Amazon Web Services (AWS) has announced a $2 billion strategic partnership with the Australian Government to create a "Top Secret" AWS Cloud (TS Cloud), intended to significantly enhance Australia's defence and intelligence capabilities. "The partnership leverages AWS's global experience, reliability, security, and performance, with local skilled personnel, the ability to dedicate thousands of engineers and experts to long-term government initiatives. It provides for continuous infrastructure investment and focus on enhancing cloud services to meet evolving needs," reads the AWS official release. While this may look like a major leap forward in innovation and security, it also raises questions about dependence on a single corporation for critical national infrastructure. Let's take a closer look at the partnership.

AWS History of Investment and Innovation

AWS's commitment to Australia isn't new. Since establishing a local presence with the 2012 launch of the AWS Asia Pacific (Sydney) Region, the company has been a driving force behind digital transformation in both the public and private sectors. The 2023 launch of the AWS Asia Pacific (Melbourne) Region further solidified this relationship. AWS claims that these investments have already amounted to over $9.1 billion into the local economy, with plans to invest an additional $13.2 billion by 2027. While these numbers are staggering, they also highlight the immense influence AWS has accumulated over the past decade. The TS Cloud initiative, albeit promising, cements AWS's role as a critical player in Australia's digital infrastructure, raising concerns about monopolistic tendencies and the risks associated with single-provider dependencies.

AWS Partnership: Implications for Defence and Intelligence

The TS Cloud is purpose-built for Australia's Defence and Intelligence agencies to securely host sensitive information and to allow data sharing between the National Intelligence Community and the Australian Defence Force. AWS says the cloud will unlock new Artificial Intelligence (AI) and Machine Learning (ML) capabilities, potentially changing how classified data is managed and analyzed. "With the TS Cloud, Australia's Defence and Intelligence agencies will have the ability to select from AWS's services across compute, storage, databases, analytics, AI and ML. Cloud technology is an important capability for agencies to accelerate innovation and agility whilst staying secure. By eliminating the basic, routine IT infrastructure tasks, agencies can focus on what's most important to them: protecting and advancing Australia's interests. The cloud eliminates the undifferentiated heavy lifting of sourcing and maintaining IT hardware, and enables a mission first focus," the AWS statement reads. However, while the potential benefits are significant, entrusting such sensitive data to a cloud environment, even one designed to the highest security standards, carries implications that cannot be overlooked. The questions a security practitioner would ask are ones the announcement does not answer: how the environment is isolated from AWS's commercial regions, who controls the encryption keys and administrative access, which personnel can reach it and under what clearances, and how it will be accredited. The initiative's success will depend less on AWS's general track record than on those specifics, and on its ability to keep meeting stringent requirements against increasingly sophisticated threats.

Security and Compliance

AWS's certification as a Strategic Hosting Provider under the Australian Government’s Hosting Certification Framework and its ongoing compliance with the Information Security Registered Assessors Program (IRAP) for operating workloads at the PROTECTED level are reassuring. As of June 2024, AWS boasts 151 cloud services available in Australia, supporting a plethora of security standards and compliance certifications. The AWS-Australia partnership is not just about technology; it’s also about economic growth and workforce development. AWS claims that the TS Cloud initiative will generate local jobs in fields like cybersecurity, data analytics, and cloud computing. Additionally, AWS’s collaboration with educational institutions aims to prepare Australians for future roles, with over 400,000 individuals having already received cloud skills training since 2017. "We’re excited by the opportunities the TS Cloud initiative brings to Australia’s economy and communities. The government’s investment opens doors for creating new jobs, developing skills, and sparking innovation across multiple sectors. By enabling Australian businesses to design, build, and integrate cutting-edge cloud capabilities, this collaboration will generate new local jobs in fields like cybersecurity, data analytics, and cloud computing," reads the statement. While the creation of new jobs and skills development is a positive outcome, it also raises questions about the long-term impact on the local tech industry. As AWS continues to expand its footprint, there is a risk of creating a dependency on AWS-specific skills, potentially limiting the diversity and resilience of Australia's tech ecosystem.

AWS and Australian Government Partnership: Sustainability Efforts

AWS’s investment in sustainable cloud infrastructure, including renewable energy projects like the 125MW Amazon Solar Farm in Wandoan, Queensland, reflects a commitment to environmental responsibility. These projects are forecast to generate significant economic benefits and contribute to Australia’s GDP. However, it remains to be seen how these initiatives will balance with the overall environmental impact of large-scale data centers, which are known for their substantial energy consumption. The integration of sustainable practices within such a large operation will require continuous effort and innovation.

A Double-Edged Sword

The AWS-TS Cloud initiative represents a significant leap forward in enhancing Australia’s national security and digital capabilities. However, this partnership also exemplifies the complex interplay between innovation, security, and economic dependency. As Australia embraces this ambitious project, it must also navigate the inherent risks and ensure that the benefits do not come at the cost of sovereignty and independence in critical national infrastructure. As AWS and the Australian Government move forward with the TS Cloud initiative, ongoing scrutiny and transparent reporting will be essential to safeguard the interests of all stakeholders. The Cyber Express will continue to monitor developments and provide in-depth analysis on the implications of this strategic partnership.

Formula 1 Governing Body FIA Suffers Data Breach, Email Accounts Compromised

FIA Data Breach

The Fédération Internationale de l'Automobile (FIA), the auto racing governing body since the 1950s, has confirmed that attackers gained unauthorized access to personal data after compromising several FIA email accounts in a phishing attack. The FIA data breach has raised significant concerns within the motorsport community and beyond, as the organization manages sensitive information related to its various operations and members. In an official statement, the FIA revealed the extent of the breach: "Recent incidents pursuant to phishing attacks has led to the unauthorized access to personal data contained in two email accounts belonging to the FIA." The organization has acknowledged the seriousness of the incident and has taken immediate action to mitigate the impact. The Cyber Express reached out to an FIA spokesperson with additional questions about the incident. In an exclusive response to The Cyber Express, an FIA spokesperson said, "I can confirm that the incidents were identified as part of a wider phishing attempt across the motor sport sphere, rather than a targeted attack on the FIA’s systems."

FIA Data Breach: Immediate Response and Regulatory Notification

Upon discovering the breach, the FIA acted swiftly to rectify the issues, notably cutting off illegitimate accesses in a very short time. The organization notified relevant regulatory bodies, including the Commission Nationale de l'Informatique et des Libertés (the French data protection regulator) and the Préposé Fédéral à la Protection des Données et à la Transparence (the Swiss data protection regulator). "The FIA took all actions to rectify the issues, notably in cutting the illegitimate accesses in a very short time, once it became aware of the incidents and notified the Commission Nationale de l'Informatique et des Libertés (the French data protection regulator), and the Préposé Fédéral à la Protection des Données et à la Transparence (the Swiss data protection regulator)," reads the official statement. The FIA has expressed regret for any concern caused to the affected individuals and emphasized its dedication to data protection. "We take our data protection and information security obligations very seriously and continuously review our systems to ensure they are robust, in the context of evolving cyber-criminality. The FIA has put additional security measures in place to protect against any future attacks," the FIA stated. The organization has implemented additional security measures to protect against future attacks and is committed to ongoing improvements in its cybersecurity posture.

FIA's Legacy and Role

Founded in 1904 as the Association Internationale des Automobile Clubs Reconnus (AIACR), the FIA is a non-profit international association that coordinates numerous auto racing championships, including the prestigious Formula 1 and the World Rally Championship (WRC). The FIA brings together 242 member organizations from 147 countries across five continents and controls the FIA Foundation, which promotes and funds road safety research. Despite the swift response, the FIA has yet to disclose critical details about the cyberattack on FIA, including when it was detected, how many individuals' personal information was accessed, and what specific data was exposed or stolen. This lack of information has left many stakeholders eager for further updates to understand the full scope and potential implications of the incident. The Cyber Express will continue to monitor the situation and provide updates as more information becomes available. In the meantime, organizations across all sectors are urged to review and strengthen their cybersecurity protocols to safeguard against similar threats.

False Alarm: IntelBroker’s Cognizant Data Breach Claim Found to Involve Test Data

Cognizant data breach

Cognizant Technology Solutions, a leading American multinational specializing in IT services and consulting, has provided an update regarding the alleged Cognizant data breach claimed by IntelBroker, a prominent member of the notorious BreachForums. In response to inquiries by The Cyber Express, a spokesperson from Cognizant confirmed that their investigation revealed the incident involved a cloud-based testing environment with fictional test data.
"We have investigated the claim and found that the impact involved a cloud-based testing environment with fictional test data," the Cognizant spokesperson told The Cyber Express.
The organization further clarified that no clients or client data were impacted by this event.
"No clients or client data were impacted by this event," reads the official statement from Cognizant.
The company has not confirmed any other claims regarding the alleged data breach. In a prior statement to The Cyber Express, the spokesperson had stated,
"We are aware of the reports made by a cybercriminal organization, claiming it has targeted some of our services. We take this matter very seriously and we are investigating the validity and extent of this claim."

Initial Cognizant Data Breach Claims by IntelBroker

Earlier, The Cyber Express had reported that IntelBroker had allegedly leaked a substantial amount of data stolen from Cognizant Technology Solutions. According to IntelBroker, the leak included a document with 12 million lines from Cognizant’s internal website and user data from the company’s Oracle Insurance Policy Admin System (OIPA), a cloud-based DevOps solution. The purported leaked file reportedly contained approximately 40,000 user records with various sensitive data fields, such as policy number, role code, client name, company code, state code, role sequence number, arrangement number, arrangement status, start date, start year, end date, end year, draft day, modular amount, and next premium due date.

IntelBroker’s Notorious History

IntelBroker is well-known for high-profile cyber intrusions. The hacker has previously claimed responsibility for a massive data breach involving Advanced Micro Devices (AMD), a leading player in the semiconductor industry. This unverified breach, disclosed on BreachForums, included multiple data samples shared with the forum’s users, raising serious concerns about the security of AMD’s infrastructure. AMD officials have since stated that they are investigating the claims. IntelBroker's notoriety is rooted in a history of targeting diverse organizations, including critical infrastructure, major tech corporations, and government contractors. The hacker's sophisticated approach to exploiting vulnerabilities has enabled access to sensitive information on multiple occasions. Previous claims include breaches at institutions like Apple, Lindex Group, and Acuity, a U.S. federal technology consulting firm. Cognizant Technology Solutions' prompt response and thorough investigation highlight their commitment to security and client data protection. By swiftly addressing the claims of a Cognizant cyberattack and confirming the integrity of their client data, Cognizant has taken an essential step in maintaining trust and transparency with their stakeholders. The Cyber Express will continue to monitor the situation closely, providing updates as more information becomes available. As investigations continue, it is crucial for organizations to communicate clearly and promptly with stakeholders, providing accurate information about the nature and extent of any data breaches. By staying informed and prepared, organizations can better protect their digital assets and maintain the trust of their clients and partners. The Cyber Express remains committed to delivering timely and accurate updates to keep the public informed about significant cybersecurity developments.

Florida Department of Health Hit by Potential Cyberattack, Confirms Temporary Outages

Florida Department of Health

The Florida Department of Health, the first accredited public health system in the United States, has responded to a query by The Cyber Express regarding claims of a ransomware attack by the notorious RansomHub group. Reports initially suggested that the Florida Department of Health had fallen victim to a significant ransomware attack, potentially compromising critical systems and sensitive data.

Florida Department of Health Official Response

In an official statement to The Cyber Express, the Florida Department of Health acknowledged the occurrence of temporary outages within their online Vital Statistics system, which is believed to be linked to a potential cyber incident.
The statement read, "The Florida Department of Health (Department) can confirm that there have been temporary outages of the online Vital Statistics system following a potential cyber incident. As is standard practice, the Department is coordinating with law enforcement and all relevant stakeholders."
Despite these disruptions, the department reassured the public that the majority of its systems and services remain fully operational.
"Any effected parties will be notified as a comprehensive assessment of the situation is completed. The majority of Department systems and services remain operational with no disruptions." the statement shared with The Cyber Express team further noted.
However, the department has not disclosed any further details in regards to the Florida Department of Health cyberattack, the attacker group, or the extent of the data breach. This lack of specific information leaves many questions unanswered about the potential impact on the department’s data and operations.

RansomHub Group’s Claims

The initial reports, which emerged two days ago, claimed that the RansomHub group had accessed a staggering 100 GB of data from the Florida Department of Health. The group reportedly threatened to publish this stolen information within the next three to four days, escalating concerns about the potential repercussions of the breach. In a parallel development, the RansomHub group also claimed responsibility for targeting NTT DATA, a global leader in business and technology services. According to the group's statements, they have accessed 230 GB of data from the Romanian division of NTT DATA and plan to release it within the same three-to-four-day timeframe. As of now, NTT DATA has not confirmed these claims nor responded to inquiries by The Cyber Express. The lack of confirmation from NTT DATA adds another layer of uncertainty to the situation, as the potential exposure of such a significant volume of data could have widespread implications.

Public Health Organizations as Prime Targets

The Florida Department of Health's response highlights the ongoing challenges that public health organizations face in safeguarding their digital infrastructure against increasing cyber threats. Public health systems, in particular, are attractive targets for cybercriminals due to the vast amounts of sensitive personal and medical information they handle. The potential fallout from such breaches can be severe, impacting not only the affected organizations but also the individuals whose data is compromised. However, the department’s swift coordination with law enforcement and other stakeholders highlights the importance of a rapid and coordinated response in mitigating the impact of such incidents. The Cyber Express will continue to monitor the situation closely, providing updates as more information becomes available. The Cyber Express remains committed to delivering timely and accurate updates to keep the public informed. In the meantime, this incident serves as a reminder of the critical need for enhanced cybersecurity measures and proactive incident response strategies to protect sensitive data and maintain the integrity of essential services.

FBI, DHS Warn of Insider Threats to 2024 US Elections, Issue New Guidance for Officials

2024 US Election

In a collaborative effort to safeguard the integrity of the 2024 US election cycle, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and other key partners have released new guidance for election officials. This comprehensive overview addresses the risks posed by insider threats to election infrastructure, potential scenarios, and actionable steps to mitigate these threats.

Strengthening 2024 US Election Security

The FBI, in coordination with the Department of Homeland Security’s (DHS) Office of Intelligence and Analysis (I&A), CISA, and the U.S. Election Assistance Commission (EAC), has prepared this guidance to assist election officials at all levels in defending against insider threat concerns. For years, federal, state, local, and private sector partners have worked closely to support state and local officials in safeguarding election infrastructure from cyber, physical, and insider threats. Due to these concerted efforts, there is no evidence that malicious actors have altered or deleted votes or impacted the outcome of elections. "While there is no evidence that malicious actors impacted election outcomes, it is important that election stakeholders at all levels are aware of the risks posed by insider threats and the steps that they can take to identify and mitigate these threats," reads the report.

Understanding Insider Threats

An insider threat is defined as an individual or group with authorized access or special knowledge who uses that access to cause harm to an organization or entity. This harm can include malicious acts that compromise the security and integrity of election systems and information. Insiders can be current or former employees, temporary workers, volunteers, contractors, or any individuals with privileged access to election systems.

Recent Examples of Insider Threats

  1. Unauthorized Data Extraction: A temporary election worker inserted a personal flash drive into an electronic poll book containing voter registration data, including confidential information. This worker extracted the data to compare it against documents they intended to acquire post-election via the Freedom of Information Act. The breached equipment was decommissioned following the incident.
  2. Unauthorized Access and Data Exposure: A state identified digital images of a voting system and confidential passwords that had been published online without authorization. Further investigation revealed that a county clerk and a subordinate had granted unauthorized access to the county’s voting machines, disabled security cameras, and provided false credentials to an unauthorized individual.
  3. Network Access Breach: During a state’s spring primary election, a county official reported an attempt to gain unauthorized access to the county’s election network. An unauthorized laptop was connected to the government network, and data from the election network was later presented at a public gathering discussing perceived election fraud.
  4. Compromised Election Systems: Two county officials allowed unauthorized users access to their election systems during an audit, leading to the state’s chief election official decertifying the machines and prohibiting their use in future elections.
While recent insider threats have been domestic, there is a growing concern about foreign adversaries exploiting insider access to interfere with the 2024 US elections. Foreign actors might attempt to manipulate individuals with privileged access through ideological, financial, or coercive means. Such attempts could potentially disrupt processes, spread false information, and undermine confidence in U.S. democratic institutions.

Indicators of Insider Threat Activity

Election officials should be vigilant for signs of insider threat activity, including:
  • Unauthorized access to systems or facilities.
  • Attempting to alter or destroy ballots or election materials.
  • Turning off security cameras or access control systems.
  • Removing sensitive material without authorization.
  • Accessing networks at odd times.
  • Ignoring cybersecurity policies.

Building an Insider Threat Mitigation Program

Effective insider threat mitigation involves several key components:
  1. Standard Operating Procedures (SOPs): Detailed steps for tasks, including access control measures and the buddy system for handling sensitive tasks.
  2. Physical and Digital Access Control: Restricting access to necessary systems and facilities, maintaining logs, and using surveillance.
  3. Chain of Custody Procedures: Documenting the movement and control of assets to prevent unauthorized access.
  4. Zero Trust Security: Verifying each access request, regardless of origin.
  5. Continuous Monitoring: Using human and digital tools to detect anomalies.
  6. Routine Audits: Validating the effectiveness of security measures.
  7. Cybersecurity Best Practices: Implementing multi-factor authentication, regular updates, and network segmentation.
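
The indicators listed under "Indicators of Insider Threat Activity" and the continuous-monitoring component just listed lend themselves to simple detection rules. The Python below is an added example, not code from the FBI/CISA guidance: it encodes four of the listed indicators (odd-hours access to the election network, removable media on a poll book, a disabled camera or access-control system, and an unknown device joining the election network) as rules over a constructed event log, and escalates when one account triggers two different indicators within a short window, as in the clerk-and-cameras example above. Host names, staffed hours, accounts and the escalation window are all made-up assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple

# Constructed inventory and policy for one hypothetical county election office.
ELECTION_HOSTS = {"epb-01", "epb-02", "ems-server"}      # hosts on the election network
POLL_BOOKS = {"epb-01", "epb-02"}                         # electronic poll books
KNOWN_DEVICES = ELECTION_HOSTS | {"results-ws", "core-switch"}
STAFFED_HOURS = (time(7, 0), time(19, 0))                 # access outside this window is "odd hours"
ESCALATION_WINDOW = timedelta(hours=2)


@dataclass
class Event:
    ts: datetime
    host: str      # where the event was observed (system, switch, camera location)
    user: str      # account or badge holder responsible
    kind: str      # logon | usb_storage | camera_disabled | access_control_disabled | network_join
    detail: str = ""


@dataclass
class Finding:
    ts: datetime
    user: str
    indicator: str
    text: str


def match_indicator(e: Event) -> Optional[Finding]:
    """Map one event to the guidance indicator it matches, or None if it is routine."""
    if e.kind == "logon" and e.host in ELECTION_HOSTS and not (STAFFED_HOURS[0] <= e.ts.time() < STAFFED_HOURS[1]):
        return Finding(e.ts, e.user, "odd-hours access", f"{e.user} logged on to {e.host} at {e.ts:%H:%M}")
    if e.kind == "usb_storage" and e.host in POLL_BOOKS:
        return Finding(e.ts, e.user, "removable media", f"{e.user} connected {e.detail or 'USB storage'} to poll book {e.host}")
    if e.kind in ("camera_disabled", "access_control_disabled"):
        return Finding(e.ts, e.user, "security control disabled", f"{e.user} disabled {e.kind.replace('_', ' ')} at {e.host}")
    if e.kind == "network_join" and e.detail not in KNOWN_DEVICES:
        return Finding(e.ts, e.user, "unauthorized device", f"unknown device {e.detail} joined the election network via {e.host}")
    return None


def evaluate(events: List[Event]) -> Tuple[List[Finding], List[str]]:
    """Return per-event findings, plus escalations for an account that triggers two
    different indicators within ESCALATION_WINDOW (e.g. disabling a camera and then
    attaching an unknown laptop)."""
    ordered = sorted(events, key=lambda e: e.ts)
    findings = [f for f in (match_indicator(e) for e in ordered) if f is not None]
    escalations = []
    for i, first in enumerate(findings):
        for later in findings[i + 1:]:
            same_actor = later.user == first.user and later.indicator != first.indicator
            if same_actor and later.ts - first.ts <= ESCALATION_WINDOW:
                escalations.append(f"{first.user}: {first.indicator} then {later.indicator} within {later.ts - first.ts}")
    return findings, escalations


SAMPLE_EVENTS = [  # constructed log, not from any real system
    Event(datetime(2024, 7, 2, 9, 15), "epb-01", "clerk.a", "logon"),
    Event(datetime(2024, 7, 2, 21, 40), "ems-server", "tempworker.b", "logon"),
    Event(datetime(2024, 7, 2, 21, 52), "epb-02", "tempworker.b", "usb_storage", "a personal flash drive"),
    Event(datetime(2024, 7, 3, 10, 0), "core-switch", "it.admin", "network_join", "results-ws"),
    Event(datetime(2024, 7, 3, 18, 5), "warehouse", "clerk.c", "camera_disabled"),
    Event(datetime(2024, 7, 3, 18, 30), "core-switch", "clerk.c", "network_join", "LAPTOP-7F3Q"),
]

if __name__ == "__main__":
    found, escalated = evaluate(SAMPLE_EVENTS)
    for line in [f.text for f in found] + escalated:
        print(line)
```

On the sample log the routine daytime logon and the known workstation joining the network produce nothing, while the temporary worker and the clerk each trigger two indicators in quick succession and are escalated.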
As the 2024 US election cycle approaches, it is imperative for election stakeholders to be aware of the risks posed by insider threats and to implement comprehensive mitigation strategies. The guidance provided by the FBI, CISA, and partners serves as a crucial resource in these efforts. By establishing strong security measures, election officials can help ensure the integrity, reliability, and security of the election process, thereby reinforcing public confidence in the democratic system.

IT Security Expert Praveen Mishra Takes on CISO Role at Axis Finance

Praveen Mishra

Axis Finance Limited, a prominent non-banking financial company, has announced a strategic leadership appointment that is set to strengthen its information security and compliance framework. Praveen Mishra, a seasoned expert in IT risk management and security, has been named Chief Information Security Officer (CISO) and Senior Vice President (SVP). This appointment marks a significant step for Axis Finance Limited in its ongoing commitment to enhancing its cybersecurity measures and regulatory compliance. [Image: Praveen Mishra. Source: Praveen Mishra's LinkedIn post]

Praveen Mishra's Extensive Background in IT Security and Compliance

Praveen Mishra joins Axis Finance Limited with a distinguished career at Axis Bank, where he held various pivotal roles that honed his expertise in IT risk management, compliance, and security. His journey at Axis Bank began as an operations trainee, but his dedication and strategic acumen quickly propelled him through the ranks to become Vice President. In this capacity, he oversaw numerous regulatory compliance projects and provided critical advice on technological regulations. During his tenure at Axis Bank, Mishra spearheaded several key initiatives, including the development and implementation of IT risk frameworks and conducting thorough IT audits. His leadership in ensuring adherence to ISO standards was instrumental in maintaining high levels of security and compliance within the organization. Praveen's strategic approach to IT security involved not only the formulation of comprehensive security strategies but also the meticulous allocation of budgets to support these initiatives. His focus on risk mitigation measures was always balanced with a keen understanding of the importance of user experience, ensuring that security protocols did not hinder the efficiency and effectiveness of technological operations.

New Role and Responsibilities at Axis Finance Limited

In his new role as CISO and SVP at Axis Finance Limited, Praveen Mishra will leverage his experience to enhance the company’s information security posture. He will be responsible for ensuring regulatory compliance across all technological operations and driving initiatives that safeguard the company’s digital assets. His appointment is expected to bring a renewed focus on cybersecurity, aligning with the company's strategic goals of maintaining high standards of security and compliance. The appointment of Praveen Mishra as CISO and SVP represents a strategic move for Axis Finance Limited, reflecting the company’s dedication to strengthening its cybersecurity and compliance frameworks. Praveen's extensive background in IT risk management, his leadership in regulatory compliance, and his strategic vision for information security make him an ideal choice for this critical role. As Axis Finance Limited continues to grow and expand its operations, Praveen's expertise will be instrumental in navigating the challenges of the digital landscape. His proactive approach to security and compliance will help ensure that the company remains at the forefront of the financial industry, delivering secure and efficient services to its clients.

RCE, DoS Exploits Found in Rockwell PanelView Plus: Patch Now

Microsoft findings

Microsoft has discovered and disclosed two significant vulnerabilities in Rockwell Automation's PanelView Plus devices. These vulnerabilities could be remotely exploited by unauthenticated attackers, enabling them to execute remote code and initiate denial-of-service (DoS) attacks. The Microsoft findings highlight severe security gaps in the industrial space, where these human-machine interface (HMI) graphic terminals are widely used. This discovery by Microsoft highlights the critical need for robust security measures in industrial automation systems to protect against potential disruptions.

Technical Details of the RA PanelView Plus Devices Vulnerabilities

The Remote Code Execution (RCE) vulnerability, identified as CVE-2023-2071 with a CVSS score of 9.8, involves the exploitation of two custom classes within the device. Attackers can abuse these classes to upload and execute a malicious DLL, effectively gaining remote control of the device. The DoS vulnerability, labeled CVE-2023-29464 with a CVSS score of 8.2, exploits the same custom class to send a crafted buffer that the device cannot handle, leading to a system crash. "The RCE vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device. The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS," reads the Microsoft blog post.

Microsoft Discovery and Disclosure Process

Microsoft's Security Vulnerability Research (MSVR) team detected these vulnerabilities through diligent analysis and shared their findings with Rockwell Automation via Coordinated Vulnerability Disclosure (CVD) in May and July 2023. Rockwell Automation promptly responded, publishing advisories and releasing security patches in September and October 2023. "We shared these findings with Rockwell Automation through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in May and July 2023. Rockwell published two advisories and released security patches in September and October 2023," reads the blog post. PanelView Plus devices play a crucial role in industrial automation, making the discovered vulnerabilities particularly concerning. Exploiting these vulnerabilities could allow attackers to remotely execute code, potentially leading to operational disruptions and significant financial losses for affected organizations. Microsoft emphasizes the importance of applying the released security patches to mitigate these risks.

Microsoft Defender for IoT Research Team's Role

One of the key responsibilities of the Microsoft Defender for IoT research team is to ensure comprehensive analysis of operational technology (OT) and Internet of Things (IoT) protocols. During their investigation, the team observed a legitimate packet capture between two devices communicating via the Common Industrial Protocol (CIP). A suspicious remote registry query involving a path to a registry value named “ProductCode” raised concerns about potential vulnerabilities.

In-Depth Analysis of the Protocol

CIP is an object-oriented protocol designed for industrial automation applications. Messages are directed towards specific objects identified by their Class ID and Object Instance ID. The protocol includes a Service Code, which denotes the action to be performed on the object. Microsoft's analysis revealed that the communication observed involved vendor-specific Service ID and Class ID values, prompting further investigation into the HMI firmware.

Firmware Analysis and Exploitation Approach

PanelView Plus HMIs run Windows 10 IoT (older versions run Windows CE). Microsoft's team extracted the relevant DLLs and executables from the firmware to understand how the device processes CIP requests. They discovered that certain DLLs manage custom CIP classes responsible for reading and writing registry keys. This discovery led to the identification of two custom classes that could be exploited for remote code execution.

Custom Classes and Exploitation

The first custom class accepts a DLL path, function name, and parameter, loading the DLL and executing the specified function. Despite a verification function limiting the function names to predefined values, Microsoft found a way to exploit this class. The second custom class allows reading and writing files on the device, with less stringent verification, providing an avenue for uploading a malicious DLL. Microsoft demonstrated an exploitation approach by compiling a malicious DLL compatible with Windows 10 IoT. They used the second custom class to upload the DLL and placed it in a specific folder. The DLL, named remotehelper.dll, was then executed using the first custom class, granting attackers remote control of the device. This proof-of-concept confirmed the severity of the vulnerability and the potential for exploitation.

Mitigation and Protection Measures

To mitigate the risks associated with these vulnerabilities, Microsoft recommends the following measures:
  • Apply Patches: Ensure that affected devices are updated with the latest security patches. Specifically, install patches PN1645 and PN1652 to address the identified vulnerabilities.
  • Network Segmentation: Disconnect critical devices such as PLCs, routers, and PCs from the internet and ensure proper network segmentation.
  • Access Control: Limit access to CIP devices to authorized components only.
  • Utilize Tools: Use Microsoft's tool for scanning and forensic investigation of Rockwell Rslogix devices, available on GitHub, to identify impacted devices and secure them accordingly.
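
The CIP object addressing described under "In-Depth Analysis of the Protocol" (a Service Code plus a path naming the Class ID and Object Instance ID) and the "limit access to CIP devices to authorized components" mitigation just listed can be turned into a monitoring check. The Python below is an added example, not Microsoft's or Rockwell's code: it decodes CIP Message Router requests and flags those that address vendor-specific classes or services, carry an unusually large buffer to such a class, or come from a host outside an allowlist. It assumes the EtherNet/IP encapsulation has already been stripped by the capture tool; the allowlisted addresses, the buffer threshold and the vendor class IDs in the samples are constructed placeholders, since this page does not give the PanelView Plus class IDs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Ranges from the CIP specification (Volume 1): class IDs 0x64-0xC7 and 0x300-0x4FF
# are vendor-specific objects; service codes 0x32-0x4A are vendor-specific
# (0x00-0x31 are the common services, 0x4B-0x63 are object-class-specific).
VENDOR_CLASS_RANGES = (range(0x64, 0xC8), range(0x300, 0x500))
VENDOR_SERVICE_RANGE = range(0x32, 0x4B)


@dataclass
class CipRequest:
    service: int
    class_id: Optional[int]
    instance_id: Optional[int]
    attribute_id: Optional[int]
    data: bytes  # request data after the path: the buffer handed to the target object


def parse_message_router_request(payload: bytes) -> CipRequest:
    """Split a Message Router request into service code, decoded EPATH and data.

    Only logical segments (class/instance/attribute, 8- or 16-bit) are decoded;
    anything malformed raises ValueError so it gets reported, not mis-decoded.
    """
    if len(payload) < 2:
        raise ValueError("payload too short for a Message Router request")
    service = payload[0]
    if service & 0x80:
        raise ValueError("reply bit set: this is a response, not a request")
    path_len = payload[1] * 2  # request path size is counted in 16-bit words
    path = payload[2:2 + path_len]
    if len(path) != path_len:
        raise ValueError("request path is truncated")
    class_id = instance_id = attribute_id = None
    i = 0
    while i < len(path):
        seg = path[i]
        if seg & 0xE0 != 0x20:  # bits 7-5 == 001 identify a logical segment
            raise ValueError(f"unsupported path segment 0x{seg:02X}")
        logical_type = (seg >> 2) & 0x07  # 0 = class, 1 = instance, 4 = attribute
        fmt = seg & 0x03                  # 0 = 8-bit value, 1 = 16-bit value
        if fmt == 0 and i + 2 <= len(path):
            value, i = path[i + 1], i + 2
        elif fmt == 1 and i + 4 <= len(path):
            # 16-bit logical values: type byte, pad byte, then little-endian value
            value, i = int.from_bytes(path[i + 2:i + 4], "little"), i + 4
        else:
            raise ValueError(f"malformed or unsupported logical segment 0x{seg:02X}")
        if logical_type == 0:
            class_id = value
        elif logical_type == 1:
            instance_id = value
        elif logical_type == 4:
            attribute_id = value
    return CipRequest(service, class_id, instance_id, attribute_id, payload[2 + path_len:])


def assess(req: CipRequest, source: str, allowed: Set[str], max_data: int = 64) -> List[str]:
    """Return review findings for one request (an empty list means nothing notable).

    The allowlist is the "only authorized components may talk to CIP devices"
    control; the range checks surface non-standard object addressing; max_data is
    a constructed threshold for unusually large buffers sent to a vendor class.
    """
    findings = []
    if source not in allowed:
        findings.append(f"{source} is not an authorized CIP client")
    vendor_class = req.class_id is not None and any(req.class_id in r for r in VENDOR_CLASS_RANGES)
    if vendor_class:
        findings.append(f"vendor-specific class 0x{req.class_id:04X}")
    if req.service in VENDOR_SERVICE_RANGE:
        findings.append(f"vendor-specific service 0x{req.service:02X}")
    if vendor_class and len(req.data) > max_data:
        findings.append(f"{len(req.data)}-byte buffer sent to a vendor-specific class")
    return findings


# Constructed sample traffic (source host, request bytes as hex), not a real capture.
# Class IDs 0x6A and 0x032C are placeholders, not the PanelView Plus classes analysed.
ALLOWED_SOURCES = {"10.0.0.5"}
SAMPLES = [
    ("10.0.0.5", "01 02 20 01 24 01"),                     # Get_Attribute_All on Identity (class 1, instance 1)
    ("10.0.0.99", "4C 02 20 6A 24 01" + " 41" * 8),        # class-specific service to class 0x6A from an unknown host
    ("10.0.0.5", "32 03 21 00 2C 03 24 01" + " 00" * 80),  # vendor service 0x32, 16-bit class 0x032C, 80-byte buffer
    ("10.0.0.5", "01 03 20 01 24 01"),                     # path size claims 3 words but only 2 are present
]


def run_detection(samples=SAMPLES, allowed=ALLOWED_SOURCES) -> Dict[int, List[str]]:
    """Parse every sample and map its index to the findings (or to the parse error)."""
    report: Dict[int, List[str]] = {}
    for n, (source, hexdata) in enumerate(samples):
        try:
            report[n] = assess(parse_message_router_request(bytes.fromhex(hexdata)), source, allowed)
        except ValueError as exc:
            report[n] = [f"unparseable request from {source}: {exc}"]
    return report
```

`run_detection()` returns the findings per sample: nothing for the standard Identity read, and one or more findings for each request that touches a vendor-specific class, comes from an unlisted host, or cannot be decoded.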
Microsoft's findings and disclosure of these vulnerabilities highlight the importance of collaborative efforts in the cybersecurity community. By sharing detailed technical insights and mitigation strategies, Microsoft aims to strengthen the security posture of industrial automation systems.

SEC Cracks Down on Crypto Bank Silvergate: $50 Million Fine for Misleading Investors

Silvergate

The Securities and Exchange Commission (SEC) has charged Silvergate Capital Corporation, along with its former executives Alan Lane, Kathleen Fraher, and Antonio Martino, with misleading investors regarding the strength of its compliance programs and financial stability. From November 2022 to January 2023, Silvergate, along with its then-CEO Alan Lane and former Chief Risk Officer Kathleen Fraher, falsely assured investors of the robustness of its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program.

Silvergate Misleading Investors About Compliance Programs

This was an attempt to allay concerns following the collapse of one of its largest clients, FTX. The reality, as the SEC alleges, was far bleaker. Silvergate’s automated transaction monitoring system failed to oversee more than $1 trillion worth of transactions on its payments platform, the Silvergate Exchange Network. This failure allegedly allowed nearly $9 billion in suspicious transfers among FTX and related entities to go undetected. “At all times, but especially during moments of crises, public companies and their officers must speak truthfully to the investing public. Here, we allege that Silvergate, Lane, and Fraher fell not only woefully, but also fraudulently, short in that regard,” stated Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. Adding further, Grewal said, “Rather than coming clean to investors about serious deficiencies in its compliance programs in the wake of the collapse of FTX, one of Silvergate’s largest banking customers, they doubled down in a way that misled investors about the soundness of the programs. In fact, because of those deficiencies, Silvergate allegedly failed to detect nearly $9 billion in suspicious transfers among FTX and its related entities. Silvergate’s stock eventually cratered, wiping out billions in market value for investors.” The repercussions of this deception were severe. Silvergate’s stock plummeted, erasing billions in market value and leaving investors in the lurch.

SEC’s Legal Action and Settlements

Adding to the gravity of the situation, Silvergate and its former CFO Antonio Martino were accused of misrepresenting the company’s financial condition during the liquidity crisis and bank run that followed FTX’s collapse. They reportedly understated losses from expected securities sales and falsely claimed that Silvergate remained well-capitalized as of December 31, 2022. By March 2023, Silvergate announced it would wind down its banking operations, and its stock fell to near zero.

The SEC’s complaint, filed in the U.S. District Court for the Southern District of New York, charges Silvergate, Lane, and Fraher with negligence-based fraud and violations of reporting, internal accounting controls, and books-and-records provisions. To settle the charges, Silvergate has agreed to a $50 million civil penalty and a permanent injunction. Lane and Fraher have also agreed to settlements, including permanent injunctions, five-year officer-and-director bars, and civil penalties of $1 million and $250,000, respectively. These settlements remain subject to court approval, and Silvergate's payment may be offset by penalties paid to other regulators.

Martino is charged with violating certain antifraud and books-and-records provisions and with aiding and abetting some of Silvergate’s violations; the SEC’s litigation against him is ongoing.

The broader implications of this case are significant. It highlights a troubling trend in which financial institutions serving high-risk clients, such as those in the cryptocurrency sector, may prioritize short-term gains over regulatory compliance and transparency. The SEC’s actions serve as a reminder that such behavior will not go unchecked.
In parallel actions, the Board of Governors of the Federal Reserve System (FRB) and the California Department of Financial Protection and Innovation (DFPI) have also announced settled charges against Silvergate. The SEC’s investigation was thorough and collaborative, involving numerous staff members and assistance from the FRB and DFPI.

To Wrap Up

This case exemplifies the critical role of regulatory bodies in safeguarding investor interests and maintaining the integrity of financial markets. The Silvergate saga should serve as a wake-up call for all financial institutions. In an era where the boundaries of traditional banking are increasingly blurred by emerging technologies and high-risk sectors like cryptocurrency, the importance of enhanced compliance programs and transparency cannot be overstated. Investors and regulators alike must remain vigilant to ensure that the pursuit of innovation does not come at the expense of ethical standards and financial stability.

RansomHub Double Threat: Florida Health Dept. & NTT DATA Romania Targeted

RansomHub Claims Data Breach at Florida Department of Health

The Florida Department of Health, the first accredited public health system in the United States, has reportedly fallen victim to a ransomware attack by the notorious RansomHub group. The attackers claim to have accessed a staggering 100 GB of organizational data and have threatened to publish the stolen information within the next three to four days. The implications of such a breach are potentially devastating, given the sensitive nature of the data held by the Florida Department of Health. The organization is responsible for a wide range of public health services, from disease prevention and health promotion to emergency preparedness and response. A data leak of this magnitude could expose personal health information, disrupt health services, and undermine public trust in the state's health system.

UNCONFIRMED: NTT DATA Romania Data Breach

Simultaneously, NTT DATA, a global provider of business and technology services, has also been targeted by RansomHub. The group claims to have accessed 230 GB of data from the Romanian division of NTT DATA, with plans to publish it within the same timeframe of three to four days. NTT DATA Romania is a significant player in the IT and business solutions sector, providing services that include consulting, system integration, and IT infrastructure management. A breach of this scale could have severe repercussions, affecting not only the company's operations but also the clients it serves across various industries.

(Image: RansomHub claim. Source: X)

The Cyber Express Outreach and Unverified Claims

The Cyber Express Team has reached out to both the Florida Department of Health and NTT DATA Romania to verify the claims made by RansomHub. As of the writing of this report, no official responses have been received from either organization, leaving the claims unverified. However, if these claims are proven to be true, the ramifications could be extensive. Data breaches of this nature can lead to significant financial losses, legal consequences, and reputational damage for the affected organizations. Moreover, the compromised data could be used for malicious purposes, further endangering individuals and businesses.

Historical Context of RansomHub's Activities

This latest attack is part of a series of high-profile cyberattacks attributed to RansomHub and other ransomware groups in recent months. In June 2024, RansomHub and RansomHouse allegedly carried out three major cyberattacks in Italy within 24 hours. The targeted entities included the websites of Cloud Europe and Mangimi Fusco, while RansomHouse claimed responsibility for a cyberattack on Francesco Parisi.

In May 2024, RansomHub claimed responsibility for a cyberattack on Christie’s auction house. The attack disrupted Christie’s website just days before its marquee spring sales and led to the leaking of data that allegedly included information about some of the world’s wealthiest art collectors. Despite the severity of the claims, Christie’s officials downplayed the breach, stating that no financial or transactional data had been compromised.

Also in May, RansomHub surfaced in the aftermath of the Change Healthcare incident at UnitedHealth Group: after the ALPHV ransomware group reportedly collected a $22 million payment and then vanished in an apparent exit scam, RansomHub listed data it said came from that breach.

As the situation unfolds, it is crucial for the affected organizations, the Florida Department of Health and NTT DATA Romania, to respond promptly and transparently. For now, the claims by RansomHub remain unverified. The Cyber Express Team will continue to monitor the situation and provide updates as more information becomes available.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

‘We Are Investigating This,’ Says Cognizant Amid IntelBroker’s Data Leak Claim

Cognizant Data Leak

IntelBroker, a threat actor (TA) who is a prominent member of the notorious BreachForums, has allegedly leaked a trove of data stolen from Cognizant Technology Solutions, a leading American multinational specializing in IT services and consulting. The alleged Cognizant data leak reportedly includes a document with 12 million lines from Cognizant’s internal website and user data from the company’s Oracle Insurance Policy Administration System (OIPA), a policy administration platform used by insurers.

Cognizant Data Leak: What All it May Contain

According to IntelBroker, the leaked user file comprises approximately 40,000 user records containing a wide array of sensitive data fields. These fields include policy number, role code, client name, company code, state code, role sequence number, arrangement number, arrangement status, start date, start year, end date, end year, draft day, modular amount, and next premium due date.

The Cyber Express Team contacted Cognizant officials to verify these claims. "We are aware of the reports made by a cybercriminal organization, claiming it has targeted some of our services. We take this matter very seriously and we are investigating the validity and extent of this claim," a Cognizant spokesperson told The Cyber Express. Notably, the spokesperson neither denied nor confirmed the Cognizant data leak reports.

Should these claims be substantiated, the implications could be far-reaching, posing significant risks to both the affected individuals and Cognizant's reputation. The alleged Cognizant data breach highlights the ongoing and evolving threats that corporations face from sophisticated cybercriminals.

IntelBroker Previous Claims

IntelBroker is no stranger to high-profile cyber intrusions. The hacker has previously claimed responsibility for a massive data breach involving Advanced Micro Devices (AMD), a leading player in the semiconductor industry. This unverified breach, disclosed on BreachForums, included multiple data samples shared with the forum’s users, raising serious concerns about the security of AMD’s infrastructure. AMD officials have since stated that they are investigating the claims. IntelBroker's notoriety stems from a history of targeting diverse organizations, including critical infrastructure, major tech corporations, and government contractors. The hacker’s sophisticated approach to exploiting vulnerabilities has enabled access to sensitive information on multiple occasions. Previous claims include breaches at institutions like Apple, Lindex Group, and Acuity, a U.S. federal technology consulting firm.

Prior Cognizant Data Breaches

This incident is not the first time Cognizant has faced cyber threats. On September 1, 2023, Cognizant filed a notice of data breach with the Attorney General of Texas after discovering that an unauthorized party had accessed confidential consumer data stored on the company’s computer network.

That followed a significant ransomware incident in April 2020, which Cognizant estimated would cost it between $50 million and $70 million. Cognizant confirmed on April 18, 2020 that a security event involving its internal systems was causing service disruptions. The attack bore the signature of the Maze ransomware group, which had previously targeted multiple high-profile organizations. Cognizant provided affected customers with indicators of compromise (IOCs) and other technical information to aid in defensive measures.

The potential leak by IntelBroker highlights the continuous and escalating cyber threats faced by multinational corporations. These incidents not only jeopardize the security of sensitive data but also have significant financial and operational impacts on the affected companies. The Cyber Express Team will continue to monitor the situation and provide updates as more information becomes available. In the meantime, we urge all organizations to review their cybersecurity protocols and ensure they are adequately prepared to respond to potential threats.

Patch Your Cisco Switches Now! Zero-Day Vulnerability Enables Remote Takeover

Cisco Zero-Day Vulnerability

Cisco has patched a critical zero-day vulnerability in its NX-OS software. The patched Cisco zero-day vulnerability was exploited in April attacks to install previously unknown malware as root on vulnerable switches. The cybersecurity firm Sygnia, which reported the incidents to Cisco, attributed the attacks to a Chinese state-sponsored threat actor it tracks as Velvet Ant. "The vulnerability was identified as part of a larger forensic investigation performed by Sygnia of a China-nexus cyber espionage operation that was conducted by a threat actor Sygnia dubs as ‘Velvet Ant’," reads Sygnia's official statement.

Cisco Zero-Day Vulnerability Overview

The patched Cisco zero-day vulnerability, identified as CVE-2024-20399, is a command injection flaw in the Cisco NX-OS Software Command Line Interface (CLI). It affects a wide range of Cisco Nexus devices. On July 1, Cisco published an advisory detailing the nature and scope of the vulnerability, which allows an attacker with valid administrator credentials to execute arbitrary commands as root on the underlying Linux operating system of the affected devices. "Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability," reads Cisco's official statement.

Sygnia discovered the vulnerability during a forensic investigation of a China-nexus cyber espionage operation conducted by Velvet Ant. The investigation revealed that the threat actor had exploited the zero-day to run custom malware on the underlying OS of the Nexus switches. That malware opened remote connections to the compromised devices, allowing the attackers to upload additional files and execute further code. "This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices," Sygnia said.

Network appliances, particularly switches, often go unmonitored, and their logs are rarely forwarded to a centralized logging system, making such activity hard to detect and investigate.

Background on Cisco NX-OS

Cisco NX-OS Software is the network operating system for Cisco’s Nexus series of switches. Although NX-OS is built on a Linux kernel, it abstracts the underlying Linux environment and exposes its own command set through the NX-OS CLI. To run commands on the underlying Linux OS from the switch management console, an attacker needs a "jailbreak" type of vulnerability that escapes the NX-OS CLI context. CVE-2024-20399 is exactly that: it allows an attacker with administrator-level access to the switch management console to escape the NX-OS CLI and execute arbitrary commands on the underlying Linux OS as root.

Impact and Risk Assessment

Cisco Nexus switches are widely deployed in enterprise environments, particularly in data centers. Exploiting the identified vulnerability requires the threat group to possess valid administrator-level credentials and have network access to the Nexus switch. Given that most Nexus switches are not directly exposed to the internet, attackers must first achieve initial access to an organization’s internal network to exploit this vulnerability. This reduces the overall risk to organizations, but the incident highlights the importance of monitoring and protecting network appliances.

Mitigation Strategies

Cisco has released software updates to address the vulnerability described in the advisory. Updating affected devices is the primary mitigation strategy. However, when software updates are not immediately available, it is crucial to adopt security best practices to prevent unauthorized access and mitigate potential exploitation. These practices include:
  1. Restrict Administrative Access: Utilize Privileged Access Management (PAM) solutions or dedicated, hardened jump servers with multi-factor authentication (MFA) to restrict access to network equipment. If these options are not feasible, restrict access to specific network addresses.
  2. Centralize Authentication, Authorization, and Accounting Management (AAA): Use TACACS+ and systems like Cisco ISE to streamline and enhance security. Centralized user management simplifies monitoring, password rotation, and access reviews, and allows for quick remediation in case of a compromise.
  3. Enforce Strong Password Policies: Ensure that administrative users have complex, securely stored passwords. Use Privileged Identity Management (PIM) solutions to auto-rotate administrative account passwords or employ a password vault with restricted access.
  4. Restrict Outbound Internet Access: Implement strict firewall rules and access control lists (ACLs) to prevent switches from initiating outbound connections to the internet.
  5. Implement Regular Patch and Vulnerability Management: Regularly review and apply patches to all network devices. Use automated tools to identify and prioritize vulnerabilities.
"When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers," urges Cisco.

Monitoring and Detection

Enhancing visibility and forwarding logs to a central logging solution are crucial steps in identifying malicious activities on network devices. Organizations should:
  • Enable Syslog on all switches to send log data to a centralized server.
  • Integrate switch logs with a Security Information and Event Management (SIEM) system to correlate events and detect anomalies.
  • Configure alerts to identify suspicious activities, such as unauthorized SSH connections.
  • Regularly analyze network traffic for anomalies associated with Cisco switches, focusing on management ports like SSH and Telnet.
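The monitoring steps above come down to getting switch logs off the box and applying rules to them. The following script, added here as an example and not code from Cisco, Sygnia or The Cyber Express, screens NX-OS-style syslog for management-plane events that fall outside policy: SSH logins and configuration-mode entries whose source address is not in the jump-host allowlist, or whose account is not one of the sanctioned administrators. The allowlist, account names, hostnames and the sample log lines are all constructed for this example; real deployments would feed the collector's output in and tune the policy constants.

```python
"""Screen NX-OS syslog for management-plane access that falls outside policy.

Added example; not code from Cisco or Sygnia. It assumes switch syslog already
reaches a central collector in the text format NX-OS emits, and that the
allowlist and account set below reflect local policy (both are hypothetical).
The sample lines are constructed for this example, not captured from a device.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical policy: admin sessions may originate only from the jump-host
# subnet, and only sanctioned accounts may log in interactively.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.10.0/28")]
SANCTIONED_ADMINS = {"netops-jump", "svc-backup"}

_TS_HOST = r"^(?P<ts>\d{4} \w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "

# NX-OS wraps the OpenSSH login message in a DAEMON/AUTHPRIV SYSTEM_MSG record.
SSH_LOGIN = re.compile(
    _TS_HOST
    + r"%(?:DAEMON|AUTHPRIV)-\d-SYSTEM_MSG: .*?Accepted (?P<method>\w+) for "
    + r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
# VSHD logs entry into configuration mode with the user and source address.
CONFIG_ENTRY = re.compile(
    _TS_HOST
    + r"%VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by (?P<user>\S+) on (?P<src>[\d.]+)@"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    src: str
    reasons: tuple


def _from_allowed_network(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_ALLOWLIST)


def screen(lines):
    """Return one Alert per login or config-mode event that violates policy."""
    alerts = []
    for line in lines:
        match = SSH_LOGIN.match(line) or CONFIG_ENTRY.match(line)
        if match is None:
            continue  # not a management-plane event this rule set covers
        ev = match.groupdict()
        reasons = []
        if not _from_allowed_network(ev["src"]):
            reasons.append("source outside management allowlist")
        if ev["user"] not in SANCTIONED_ADMINS:
            reasons.append("unsanctioned account")
        if reasons:
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], ev["src"], tuple(reasons)))
    return alerts


# Constructed sample: one sanctioned login, one login and config change from an
# unexpected host under the built-in admin account, one unrelated port event.
SAMPLE_LOG = [
    "2024 Apr 12 03:14:07 dc1-nexus-01 %DAEMON-6-SYSTEM_MSG: Accepted publickey for netops-jump from 10.10.10.5 port 51822 ssh2 - sshd[21344]",
    "2024 Apr 12 03:16:41 dc1-nexus-01 %DAEMON-6-SYSTEM_MSG: Accepted password for admin from 10.44.7.19 port 40211 ssh2 - sshd[21389]",
    "2024 Apr 12 03:17:02 dc1-nexus-01 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 10.44.7.19@pts/1",
    "2024 Apr 12 03:20:00 dc1-nexus-01 %ETHPORT-5-IF_UP: Interface Ethernet1/1 is up in mode access",
    "2024 Apr 12 04:02:13 dc1-nexus-02 %AUTHPRIV-6-SYSTEM_MSG: Accepted publickey for svc-backup from 10.10.10.3 port 38771 ssh2 - sshd[1002]",
]

if __name__ == "__main__":
    for a in screen(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} user={a.user} src={a.src}: {'; '.join(a.reasons)}")
```

Run against the constructed sample, the script flags the two events from 10.44.7.19 under the local `admin` account and ignores the sanctioned jump-host logins and the interface notice. The same two rules map directly onto the mitigation list: the allowlist check enforces step 1 (admin access only from hardened jump hosts) and the account check enforces step 2 (named accounts via centralized AAA rather than shared local logins). A real deployment would also alert on any `admin` login at all once TACACS+ is in place, since the local account should then be reserved for break-glass use.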
The exploitation of CVE-2024-20399 by Velvet Ant highlights the persistent and evolving threats posed by state-sponsored cyber actors. Cisco’s patch and Sygnia’s forensic investigation together provide the detail defenders need to close this particular gap and to start treating switches as monitored hosts rather than unwatched infrastructure.

‘We Refused to Pay,’ Evolve Bank Says as LockBit Leaks Data, Affirm Card Users Impacted

Evolve Bank Data Breach

Affirm Holdings, a prominent U.S. financial technology firm, announced that the personal information of Affirm card users may have been compromised due to a cybersecurity incident at Arkansas-based Evolve Bank and Trust. This Evolve Bank data breach, which occurred last week, involved the illegal release of customer data on the dark web. Evolve Bank, a third-party issuer of Affirm cards, revealed it was the target of a significant cybersecurity attack. Affirm has reassured its customers that its systems remain secure, and Affirm cardholders can continue to use their cards without interruption. However, the company has acknowledged that the breach involved shared personal information used to facilitate card issuance and servicing. In a statement, Affirm's spokesperson highlighted, "Affirm is aware of a cybersecurity incident involving Evolve, a third party vendor that serves as an issuing partner on the Affirm Card. We are actively investigating the issue. We will communicate directly with any impacted consumers as we learn more."

LockBit Blamed for Evolve Bank Data Breach

Evolve Bank disclosed that the incident was a ransomware attack perpetrated by the criminal organization LockBit. "This was a ransomware attack by the criminal organization, LockBit," reads Evolve Bank's official statement. The attack involved unauthorized access to the bank’s systems, resulting in the download and subsequent leak of sensitive customer information. According to the bank, the attackers gained access after an employee inadvertently clicked on a malicious internet link, and then accessed and downloaded customer data during periods in February and May. "They appear to have gained access to our systems when an employee inadvertently clicked on a malicious internet link. There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information from our databases and a file share during periods in February and May," said Evolve Bank.

The bank further disclosed that the threat actor also encrypted some data within its environment, but that backups were available and the impact on operations was limited. Evolve Bank confirmed that it refused to pay the ransom, which is why LockBit leaked the data it had downloaded. "The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations. We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank," Evolve Bank said.

Incident Details and Evolve Bank’s Response

Evolve Bank provided a comprehensive update on the data breach. The bank identified unusual system behavior in late May 2024, initially suspected to be a hardware failure but later confirmed as unauthorized activity. Cybersecurity specialists were engaged, and Evolve initiated its incident response protocols, halting the attack by May 31, 2024. The attack did not compromise customer funds, but sensitive data was accessed and downloaded from the bank’s databases. "At this time, we have evidence that files were downloaded from our systems," the bank said. This included names, Social Security numbers, bank account numbers, and contact information of personal banking customers and partners, including Affirm card users. Additionally, personal information related to Evolve employees was likely impacted. "We have now learned that personal information relating to our employees was also likely impacted. We are still investigating what other personal information was affected, including information regarding our Business, Trust, and Mortgage customers," reads the official statement of Evolve Bank. Evolve Bank has undertaken several measures to enhance security and prevent future incidents:
  • Global password resets.
  • Reconstructing critical Identity Access Management components, including Active Directory.
  • Hardening of firewall and dynamic security appliances.
  • Deploying endpoint detection and response tools.
The bank is also strengthening its security response protocols, policies, and procedures to improve detection and response to suspected incidents.

Impact on Affirm Card Users and Future Actions

Affirm cardholders whose data may have been compromised will be directly notified. "The incident may have compromised some data and personal information Evolve had on record. If you do not have an Affirm Card, the incident does not impact you. If you do have an Affirm Card, we’re still investigating and we will have your back," said Affirm official statement. Evolve Bank is offering affected individuals two years of free credit monitoring and identity theft protection. Notifications will begin via email on July 8, 2024, including details about a dedicated call center for assistance and enrollment in credit monitoring services. Evolve Bank urges all affected customers to remain vigilant by monitoring their account activity and credit reports. The bank provided resources for setting up fraud alerts with nationwide credit bureaus (Equifax, Experian, and TransUnion) and obtaining free credit reports. Customers suspecting identity theft or fraud are encouraged to file reports with the Federal Trade Commission (FTC) or local law enforcement. Evolve Bank stated, "We appreciate your patience and understanding as we navigate this challenging situation. Your trust is of utmost importance to us, and we are committed to transparency."

TeamViewer Reassures Users: Data Breach Contained, Customer Information Safe

TeamViewer Data Breach

TeamViewer, a provider of remote access software, has confirmed that a recent cyberattack was contained within its internal corporate IT environment. Crucially, the company has assured customers and stakeholders that the breach did not affect its product environment, the TeamViewer connectivity platform, or any customer data. The announcement comes as the investigation into the TeamViewer data breach progresses, providing clarity to the millions of users who rely on its services.

TeamViewer Breach Overview and Immediate Response

The TeamViewer data breach was first detected on June 26, 2024, prompting an immediate response from TeamViewer’s security team. The company has attributed the breach to an advanced persistent threat group, tracked as APT29, also known as Midnight Blizzard or Cozy Bear. This group is renowned for its sophisticated cyberespionage capabilities and has a history of targeting high-profile entities, including Western diplomats and technology firms. In an initial statement posted on Thursday in the company’s Trust Center, TeamViewer explained that the breach was confined to its internal corporate IT environment. The company emphasized that this environment is distinct and separate from its product environment, where customer interactions occur. As such, there is no evidence to suggest that the product or customer data was compromised. "TeamViewer’s internal corporate IT environment is completely independent from the product environment. There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems," reads the initial statement.

Details of the Data Compromise

According to TeamViewer, the threat actor leveraged a compromised employee account to gain access to the internal corporate IT environment. This access allowed the attacker to copy certain employee directory data, including names, corporate contact information, and encrypted employee passwords. The compromised data was limited to internal corporate information; no customer data was involved. "According to current findings, the threat actor leveraged a compromised employee account to copy employee directory data, i.e. names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment. We have informed our employees and the relevant authorities," reads the statement.

Working with its incident response partner Microsoft, TeamViewer says it has addressed the risk posed by the copied password material, hardened employee authentication, and begun rebuilding the corporate environment. "The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft. We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state," the TeamViewer statement continues.

The Role of NCC Group

The cybersecurity firm NCC Group played a significant role in bringing the TeamViewer data breach to wider attention. NCC Group circulated an alert warning that TeamViewer’s remote access and support platform had been compromised by APT29, a characterization that TeamViewer’s own statement, which limits the incident to its internal corporate IT environment, does not support. Their involvement nonetheless underscores the role of third-party cybersecurity firms in detecting and responding to advanced threats. For TeamViewer’s customers, the key takeaway is that, according to the company, their data and the functionality of the TeamViewer connectivity platform remain secure. The company has reiterated that its system architecture follows best practices, with clear segmentation between the corporate IT environment, the production environment, and the TeamViewer connectivity platform. That segmentation is what is meant to keep a breach in one area from spreading to the others.

Niconico Confirms Cyberattack: Here is How the Breach Impacts Users, Business Partners

Niconico

Niconico, the Japanese video-sharing website, and its parent company KADOKAWA Inc. have provided crucial updates regarding the significant cyberattack they experienced earlier in June 2024. The Niconico cyberattack, identified as a ransomware assault, has raised substantial concerns about data security and user privacy. Here’s a comprehensive look at the current situation after the cyberattack on Niconico, including the steps taken by the companies, the nature of the leaked information, and recommendations for users.

Niconico Cyberattack: Incident Overview

Niconico and KADOKAWA Inc. discovered the ransomware attack on their data center servers and immediately initiated a response plan. A specialized task force, along with external cybersecurity experts, was deployed to investigate the Niconico cyberattack and assess the extent of the data compromise. The attackers claimed to have exfiltrated sensitive information, a claim that the initial findings of the investigation have substantiated.

(Image: Niconico cyberattack notice. Source: Niconico X account)

The data breach affected various types of information held by Niconico and KADOKAWA Inc. Notably, the Niconico data breach included:
  1. Business Partner Information: This includes contracts, quotations, and other documents related to business dealings.
  2. Personal Information of Creators: Creators using music monetization services (NRC) were impacted, with their personal details being leaked.
  3. Employee Information: Personal data of all employees, including contract employees, temporary workers, part-time staff, and even some retired employees of Dwango Inc., were compromised.
  4. Internal Documents: Various internal documents, potentially containing sensitive operational details, were also accessed.

Password Security and Credit Card Information

Niconico has assured its users that account passwords are not stored in plaintext but as cryptographic hashes. Hashing is a one-way transformation rather than encryption: the stored value cannot simply be decrypted back into the password, which significantly reduces the risk of leaked credentials being misused immediately. It does not eliminate the risk, because an attacker holding the hashes can guess weak or reused passwords offline at leisure. Niconico therefore advises users to change their passwords, especially if they use the same password across multiple services. Importantly, Niconico has confirmed that no credit card information was compromised during the attack. The company does not store such data within its systems, which eliminates the risk of credit card information leakage from this incident.
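To make the password point concrete, the following is an added example, not Niconico's code and assuming nothing about Niconico's systems beyond the statement that passwords are hashed. It stores passwords as salted scrypt digests (the standard-library stand-in for whatever memory-hard hash a service actually uses), verifies them in constant time, and then plays the attacker's side: with a leaked record and a short constructed wordlist, offline guessing recovers a weak password outright, which is exactly why a breach of hashed passwords still calls for a reset.

```python
"""Why hashed passwords still warrant a reset after a breach.

Added example, not Niconico's code. scrypt from the standard library stands in
for whatever memory-hard hash a service uses; the wordlist is constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters: 16 MiB of memory per guess, which slows an attacker but
# does nothing for a password that is among the first few hundred guesses.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a per-user random salt plus the scrypt digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, record["digest"])


def offline_guess(record: dict, wordlist) -> Optional[str]:
    """What an attacker holding a leaked record can do: try guesses offline,
    with no rate limit or lockout, until one reproduces the stored digest."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


# Constructed wordlist; real attackers use lists of billions of leaked passwords.
CONSTRUCTED_WORDLIST = ["123456", "password", "qwerty", "niconico", "letmein"]

if __name__ == "__main__":
    weak = hash_password("niconico")
    strong = hash_password("correct horse battery staple")
    print("weak password recovered as:", offline_guess(weak, CONSTRUCTED_WORDLIST))
    print("strong password recovered as:", offline_guess(strong, CONSTRUCTED_WORDLIST))
```

The salt ensures that two users with the same password get different digests, so a precomputed table is useless and each record must be attacked separately; the cost parameters make each guess expensive. Neither helps a user whose password is in a common wordlist, which is why the advice to change reused or weak passwords stands even when the operator has hashed them properly.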

Immediate Actions and Recommendations

In light of the breach, Niconico and KADOKAWA Inc. have taken several critical steps:
  1. Task Force Deployment: A specialized team was formed to handle the situation, investigate the breach, and mitigate further risks.
  2. External Investigation: External cybersecurity agencies have been engaged to conduct a thorough investigation, the results of which are expected by the end of July 2024.
  3. Law Enforcement Collaboration: The companies have reported the incident to the police and relevant authorities and are cooperating fully with ongoing investigations.
  4. User Notifications: Individual notices and apologies are being sent to all affected parties, including external creators, business partners, and former employees. For those who cannot be contacted individually, the public announcement serves as a notification.

Precautionary Measures for Users

Given the potential for personal information misuse, Niconico and KADOKAWA Inc. urge users to be vigilant against phishing attempts and other suspicious activities. Users are advised to:
  1. Change Passwords: Update passwords for their Niconico accounts and any other services where the same password might be used.
  2. Monitor Communications: Be cautious of unsolicited emails, especially those requesting personal information or directing to unfamiliar websites.
  3. Report Suspicious Activity: Utilize the dedicated contact point set up by Niconico for inquiries and to report any suspicious activities or potential breaches related to this incident.
Both Niconico and KADOKAWA Inc. have expressed deep regret for the inconvenience and distress caused by this incident, sincerely apologizing for the concern resulting from the cyberattack on Niconico and thanking all those affected for their patience and understanding during this challenging period.

Evolve Bank Confirms Data Breach, Customer Information Exposed

Evolve Bank Data Breach

Evolve Bank & Trust disclosed that it has been the target of a cybersecurity incident. In a statement, the bank confirmed that customers' personal information had been illegally obtained and released on the dark web by cybercriminals. This Evolve Bank data breach affected both retail bank customers and the customers of Evolve’s financial technology partners. The breach involved a known cybercriminal organization that illegally obtained and published sensitive information. The stolen data includes personally identifiable information (PII) such as names, Social Security Numbers, dates of birth, account details, and other personal information. "Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users)," reads the official statement. Evolve Bank & Trust has confirmed that its debit cards and its online and digital banking credentials were not compromised in the incident and remain secure. "Evolve has engaged the appropriate law enforcement authorities to aid in our investigation and response efforts. Based on what our investigation has found and what we know at this time, we are confident this incident has been contained and there is no ongoing threat," reads the official statement.

Details of the Evolve Bank Data Breach

There were reports that the Russian hacker group LockBit was responsible for the ransomware attack and data breach at Evolve Bank. LockBit had claimed to possess Federal Reserve data, touting that cache to pressure the bank into meeting its demands, and, when the demands were not met, released approximately 33 terabytes of data from Evolve's systems. In response to the reports surfacing about the Evolve data breach, Evolve Bank & Trust is actively informing affected individuals. The bank has started reaching out to impacted customers and financial technology partners' customers through emails sent from notifications@getevolved.com. The communication includes detailed instructions on how to enroll in complimentary credit monitoring and identity theft detection services.

Steps Taken by Evolve Bank & Trust

The bank is undertaking a comprehensive response to this incident, which includes:
  1. Engagement with Law Enforcement: Evolve has involved appropriate law enforcement authorities to aid in the investigation and response efforts.
  2. Customer Communication: Direct communication with affected customers and financial technology partners' customers is ongoing to ensure they are informed and can take necessary protective measures.
  3. Credit Monitoring Services: Impacted individuals are being offered complimentary credit monitoring and identity theft detection services.
  4. Continuous Monitoring: Evolve is closely monitoring the situation and will provide updates as necessary to keep customers informed.

Recommendations for Affected Customers

Evolve Bank & Trust advises all retail banking customers and financial technology partners' customers to remain vigilant by:
  1. Monitoring Account Activity: Regularly check bank accounts and report any suspicious activity immediately.
  2. Credit Report Checks: Set up free fraud alerts with nationwide credit bureaus—Equifax, Experian, and TransUnion. Customers can also request and review their free credit report through Freecreditreport.com.
  3. Reporting Suspicious Activity: Contact the bank immediately if any fraudulent or suspicious activity is detected. Additionally, individuals can file a report with the Federal Trade Commission (FTC) or law enforcement authorities if they suspect identity theft or fraud.
Recently, Evolve received an enforcement action from its primary regulator, the Federal Reserve Board, highlighting deficiencies in the bank's IT practices and requiring a plan and timetable to correct these issues. This breach highlights the importance of addressing these security concerns promptly. Evolve Bank & Trust is known for its partnerships with several high-profile fintech companies, including Mercury, Stripe, Affirm, Airwallex, Alloy, Bond (now part of FIS), Branch, Dave, EarnIn, and TabaPay. The bank has also worked with Wise and Rho in the past, though both have since migrated to other banking partners.

Don’t Fall for Fake Recovery: FBI Warns of Cryptocurrency Scam

cryptocurrency Scam

The Federal Bureau of Investigation (FBI) has warned the public about a new wave of cybercriminal activity targeting victims of cryptocurrency scams. These fraudsters are posing as lawyers and law firms, offering bogus cryptocurrency recovery services to steal funds and personal information from those already defrauded. This latest cryptocurrency investment scam alert is an update to a previous warning from the FBI's Internet Crime Complaint Center (IC3), which had highlighted a surge in scams involving fake services for recovering digital assets. The updated Public Service Announcement (PSA), titled "Increase in Companies Falsely Claiming an Ability to Recover Funds Lost in Cryptocurrency Investment Scams," was originally published on August 11, 2023. Moreover, in April 2024, the FBI warned of financial risks tied to using unregistered cryptocurrency transfer services, highlighting potential law enforcement actions against these platforms. The announcement focused on crypto transfer services operating without registration as Money Services Businesses (MSBs) and non-compliance with U.S. anti-money laundering laws. These platforms are often targeted by law enforcement, especially when used by criminals to launder illegally obtained funds, such as ransomware payments.

Cryptocurrency Scam: Emerging Criminal Tactic

The FBI's announcement aims to inform the public about a new criminal tactic designed to exploit cryptocurrency scam victims further. Using social media and other messaging platforms, fraudsters posing as lawyers from fictitious law firms are contacting scam victims and offering their services. These "lawyers" claim they have the authority to investigate fund recovery cases and often assert that they are working with, or have received information from, the FBI, Consumer Financial Protection Bureau (CFPB), or other government agencies to validate their legitimacy. In some instances, victims have reached out to these scammers through fake websites that appear legitimate, hoping to recover their lost funds. The scammers use various methods to further the recovery scam, including:
  • Verification Requests: They ask victims to verify their identities by providing personal identifying information or banking details.
  • Judgment Amount Requests: They request that victims provide a judgment amount they are seeking from the initial fraudster.
  • Upfront Fees: They demand a portion of the fees upfront, with the balance due upon recovery of the funds.
  • Additional Payments: They direct victims to make payments for back taxes and other fees purportedly necessary to recover their funds.
  • Credibility Building: They reference actual financial institutions and money exchanges to build credibility and further their schemes.
Between February 2023 and February 2024, cryptocurrency scam victims who were further exploited by these fictitious law firms reported losses totaling over $9.9 million, according to the FBI Internet Crime Complaint Center (IC3).

Tips to Protect Yourself

The FBI offers several tips to help individuals protect themselves from falling victim to these scams:
  • Be Wary of Advertisements: Be cautious of advertisements for cryptocurrency recovery services. Research the advertised company thoroughly and be suspicious if the company uses vague language, has a minimal online presence, and makes unrealistic promises about its ability to recover funds.
  • Do Not Release Information: If an unknown individual contacts you claiming to be able to recover stolen cryptocurrency, do not release any financial or personal identifying information, and do not send money.
  • No Fees from Law Enforcement: Remember that law enforcement does not charge victims a fee for investigating crimes. If someone claims an affiliation with the FBI, contact your local FBI field office to confirm their legitimacy.

Victim Reporting

The FBI urges victims to file a report with the Internet Crime Complaint Center. When filing a report, try to include the following information:
  • Contact Information: Details about how the individual initially contacted you and how they identified themselves, including name, phone number, address, email address, and username.
  • Financial Transaction Information: Details such as the date, type of payment, amount, account numbers involved (including cryptocurrency addresses), name and address of the receiving financial institution, and receiving cryptocurrency addresses.
The FBI's announcement highlights the importance of vigilance and caution when dealing with unsolicited offers of assistance, particularly in the highly targeted and vulnerable area of cryptocurrency investments. By staying informed and following the FBI's guidelines, individuals can better protect themselves from becoming victims of these crypto scams.

From Childhood Challenges to Cybersecurity Excellence: Yana Li’s Inspiring Journey

Yana Li

Yana Li, Director of IT & Platform Security at WebBeds, embodies resilience, determination, and a passion for cybersecurity that has propelled her from a challenging childhood to a leadership role in one of the most critical sectors of IT. Recently honored for her contributions at the World CyberCon Meta Edition, Yana's path to cybersecurity wasn't straightforward. In a candid interview with The Cyber Express (TCE), Yana reflects on her journey, the challenges she faced, and her unwavering commitment to empowering women in cybersecurity.

Early Challenges and Discovering Passion

Yana's childhood was marked by financial hardship and the absence of familial support. Emerging from a modest upbringing in Russia, she navigated childhood challenges with an independent spirit and unwavering resolve. "Opportunities are to be seized," Yana reflects, recalling how she secured a full scholarship for Computer Science and Engineering studies in the United States, setting the stage for her remarkable journey through the realms of IT and cybersecurity. Her career trajectory initially flourished in technical support and project management, roles that equipped her with a profound understanding of IT infrastructures. However, it was a pivotal security project that ignited Yana's passion for cybersecurity. "It's not merely a project," she realized; "it opens doors to a whole new world." This revelation spurred her to further her education, including a transformative semester at Harvard focused on cybersecurity, where she engaged with industry leaders and broadened her expertise significantly.

Yana Li Breaking Barriers in a Male-Dominated Field

Entering the IT field in 2013, particularly in Russia, Yana confronted a stark reality of gender disparity. The industry was predominantly male, and discouragement was a constant companion. "They tried to tell you that you don't have it," Yana recalls, referring to the discouragement she faced early in her career. Despite these obstacles, Yana persevered, buoyed by a growing network of supportive communities and initiatives aimed at empowering women in cybersecurity. "There's so much support now," she emphasizes, citing numerous organizations and communities dedicated to mentoring and guiding aspiring female professionals.

Championing Diversity and Mentorship

Reflecting on her journey, Yana is keenly aware of the importance of mentorship and advocacy. As an ambassador for Google's Women Techmakers initiative, she actively champions diversity and inclusivity in tech fields. "I want to be the person I needed when I was younger," she affirms, emphasizing the need for aspiring professionals to believe in their capabilities and seek out mentors who can offer guidance and support. Her message resonates deeply: "If your dreams don't scare you, they're not big enough." Yana emphasizes the importance of seeking mentorship, leveraging community resources, and believing in the limitless potential within oneself. In addressing the persistent gender gap in cybersecurity, Yana stresses the abundance of resources available today. From women-focused cybersecurity councils to mentorship programs offered by tech giants like Amazon, Google, and Microsoft, opportunities for growth and support abound. "Don't be shy," she encourages, urging women to leverage these resources and reach out for assistance when needed. "We've all been there," she reassures, highlighting the collective experience and solidarity within the community. "Just ask for help and believe that anything is possible."

Advice for Aspiring Women in Cybersecurity

Looking ahead, Yana remains optimistic about the future of cybersecurity and the role women will play in shaping its landscape. With increasing awareness and concerted efforts to foster diversity, she believes the field is ripe for innovation and transformation. "Anything in this world is possible," she asserts, a testament to her own journey and the limitless potential she sees in aspiring cybersecurity professionals. In conclusion, Yana Li's story is not just one of personal triumph but a testament to the transformative power of passion and perseverance in cybersecurity. As women continue to carve out their place in this critical field, Yana stands as a role model, advocating for inclusivity, empowerment, and excellence. Her journey reminds us that with dedication and support, barriers can be overcome, and dreams can be realized. For those embarking on similar paths, Yana's story offers guidance, encouragement, and a steadfast belief in the limitless possibilities within cybersecurity.

Millions of Americans Affected: Change Healthcare Reveals Data Stolen in Cyberattack

CHC Cyberattack

UnitedHealth has, for the first time, detailed the types of medical and patient data stolen in the extensive cyberattack on Change Healthcare (CHC). The company announced that CHC cyberattack notifications will be mailed in July to affected individuals. "CHC plans to mail written letters at the conclusion of data review to affected individuals for whom CHC has a sufficient address. Please note, we may not have sufficient addresses for all affected individuals. The mailing process is expected to begin in late July as CHC completes quality assurance procedures," reads the official statement by Change Healthcare. UnitedHealth issued a data breach notification, revealing that the ransomware attack exposed a "substantial quantity of data" for a "substantial proportion of people in America." During a congressional hearing, UnitedHealth CEO Andrew Witty estimated that "maybe a third" of all Americans' health data was compromised in the attack.

Stolen Data Information in CHC Cyberattack

The Change Healthcare data breach notification provided a comprehensive overview of the types of information that may have been affected. Although CHC cannot confirm exactly what data was compromised for each individual, the exposed information may include:
  1. Contact Information: Names, addresses, dates of birth, phone numbers, and email addresses.
  2. Health Insurance Information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
  3. Health Information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
  4. Billing, Claims, and Payment Information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
  5. Other Personal Information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.
This information may vary for each impacted individual. To date, CHC has not seen full medical histories appear in their data review. "The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review. Also, some of this information may have related to guarantors who paid bills for health care services. A guarantor is the person who paid the bill for health care services," the official statement reads further.

Cyberattack on Change Healthcare: What Exactly Happened?

The Change Healthcare cyberattack occurred when a cybercriminal gained unauthorized access to the CHC computer system on February 21, 2024. Upon discovering the ransomware deployment, CHC immediately took steps to halt the activity, disconnected and shut down systems to prevent further impact, and initiated an investigation. Law enforcement was contacted, and CHC's security team, along with several top cybersecurity experts, worked tirelessly to address the breach and understand its scope. The investigation revealed that a significant amount of data was exfiltrated from CHC’s environment between February 17, 2024, and February 20, 2024. By March 7, 2024, CHC confirmed the data exfiltration and began analyzing the compromised files. On April 22, 2024, CHC publicly confirmed that the impacted data could affect a substantial proportion of the American population. As of June 20, 2024, CHC began notifying customers whose data was identified as compromised. "When CHC learned about the activity, CHC immediately began an investigation with support from leading cybersecurity experts and law enforcement. In response to this incident, CHC immediately took action to shut down systems and sever connectivity to prevent further impact," reads the Change Healthcare official release. "CHC has also reinforced its policies and practices and implemented additional safeguards in an effort to prevent similar incidents from occurring in the future. CHC, along with leading external industry experts, continues to monitor the internet and dark web."

What Steps Affected Individuals Can Take

While the investigation continues, individuals who suspect their information may have been compromised can take several steps to protect themselves:
  1. Enroll in Credit Monitoring and Identity Protection: CHC is offering two years of complimentary credit monitoring and identity protection services.
  2. Monitor Statements and Reports: Regularly check explanations of benefits from health plans, statements from healthcare providers, bank and credit card statements, credit reports, and tax returns for any unfamiliar activity.
  3. Report Unfamiliar Health Services: If any unauthorized healthcare services appear on an explanation of benefits statement, contact the health plan or doctor.
  4. Alert Financial Institutions: Immediately contact financial institutions or credit card companies if suspicious activity is detected on bank or credit card statements or tax returns.
  5. File a Police Report: Contact local law enforcement if you believe you are a victim of a crime.
Individuals may also have additional rights depending on their state of residence and should refer to the provided Reference Guide for more information. The ransomware attack on CHC has highlighted significant vulnerabilities in the handling of sensitive health and personal information. As the investigation progresses, affected individuals are urged to stay vigilant and utilize the resources provided to mitigate potential risks.

Allcargo’s ECU Worldwide Appoints Rajneesh Garg as the Chief Information Officer

Rajneesh Garg

ECU Worldwide, a global player in Less than Container Load (LCL) consolidation, has appointed Rajneesh Garg as its new Chief Information Officer (CIO). In his new role, Garg will focus on managing and supporting software applications, leading technology transformation initiatives, and ensuring their successful implementation and adoption. He will work closely with the IT group shared services organization and report to Kapil Mahajan, Global CIO of Allcargo Group, from the company's Mumbai headquarters. "I am excited to be a part of ECU Worldwide known for its vision of a digital-first approach to build unmatched customer centricity at a global scale,” said newly appointed CIO, Garg. He added further, “The role gives me an opportunity to leverage my know-how to drive the growth journey of the company led under the leadership of Founder and Chairman Mr. Shashi Kiran Shetty, which is based on sustainability, superior customer experience, and futuristic approach. I look forward to working with the Allcargo Group to contribute to ECU Worldwide's growth journey.”

Rajneesh Garg's Extensive Background

Garg brings over 20 years of leadership experience across various sectors, including banking, insurance, travel, hospitality, manufacturing, energy resources, and retail. Before joining ECU Worldwide, he was Vice President of Information Technology at Capgemini, overseeing regional delivery and growth for consumer products and retail accounts in the Nordic region. Garg holds a postgraduate degree in computer science from Moscow State University in Russia and has also worked in senior leadership roles at Tata Consultancy Services for over two decades. "With his extensive and diversified leadership experience in various sectors, Rajneesh will be instrumental in driving our technology transformation forward. His strategic vision aligns with our efforts to fortify ECU Worldwide's IT division as we pursue our ambitious growth and expansion strategies. We are confident that under Garg's leadership, our IT division will continue to break new ground in offering superior customer experience. We look forward to working with him as we embark on the next phase of growth,” said Kapil Mahajan, Global Chief Information Officer, Allcargo Group.

Way Forward

Founded in 1987, ECU Worldwide is a wholly-owned global subsidiary of Allcargo Logistics. The company is a major player in multi-modal transport and a leader in LCL consolidation. ECU Worldwide operates with a digital-first approach and is supported by leaders with expertise in logistics, data science, and technology. The appointment of Garg as CIO is a significant step for ECU Worldwide. His extensive experience and strategic approach are expected to drive the company’s technology initiatives and support its growth in the global LCL market. Garg's collaboration with the Allcargo Group leadership aims to bring technological advancements and improvements to ECU Worldwide's services and operations.

Biden Bans Kaspersky for Good: How It Started and What It Means for Cybersecurity Companies in US

US banning Kaspersky

The Department of Commerce's Bureau of Industry and Security (BIS) has announced a Final Determination prohibiting Kaspersky Lab, Inc., the U.S. subsidiary of the Russian cybersecurity firm, from providing any products or services in the United States. This historic decision of the US banning Kaspersky marks the first Final Determination by the Office of Information and Communications Technology and Services (OICTS). The BIS has set a deadline of September 29, 2024, giving U.S. consumers and businesses time to switch to alternative cybersecurity solutions. After that date, Kaspersky will no longer be able to sell its software within the United States or provide updates to software already in use. The prohibition also applies to Kaspersky Lab, Inc.’s affiliates, subsidiaries, and parent companies (together with Kaspersky Lab, Inc., “Kaspersky”). The US banning Kaspersky highlights rising concerns over national security risks linked to foreign technology companies, especially those from adversarial states. Further, it reflects years of scrutiny and represents a significant escalation in U.S. efforts to safeguard its cyber infrastructure. “This action is the first of its kind and is the first Final Determination issued by BIS’s Office of Information and Communications Technology and Services (OICTS), whose mission is to investigate whether certain information and communications technology or services transactions in the United States pose an undue or unacceptable national security risk,” reads the official BIS announcement. Additionally, BIS has added three entities—AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom)—to the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives. This article delves into the timeline and context of U.S. actions against Kaspersky, highlighting the shift from the Trump administration to the Biden administration.

US vs Kaspersky: A Timeline of Cybersecurity Actions

2017

September - The Trump Administration’s heightened scrutiny of Kaspersky began. The Department of Homeland Security (DHS) issued a Binding Operational Directive (BOD 17-01) that mandated removing and discontinuing Kaspersky products from all federal information systems. This directive followed mounting evidence suggesting that the Russian government could use Kaspersky’s products to infiltrate U.S. networks.

December - The National Defense Authorization Act (NDAA) for Fiscal Year 2018 cemented these concerns into law by prohibiting the use of Kaspersky software across all federal agencies. This legislative action reflected a bipartisan consensus on the potential risks posed by the Russian firm.

2022

March - The Federal Communications Commission (FCC) added Kaspersky to its “List of Communications Equipment and Services that Pose a Threat to National Security.” This action was part of a broader effort to secure the nation’s communications networks from foreign influence and control.

2024

June - Today’s Final Determination by the BIS represents the culmination of a thorough investigation by the Office of Information and Communications Technology and Services (OICTS). This office, established to assess whether certain information and communications technology (ICT) transactions pose unacceptable national security risks, has found Kaspersky’s operations in the U.S. untenable.

US Banning Kaspersky: The Context and Implications of BIS’s Final Determination

The BIS’s decision comes after a comprehensive investigation revealed that Kaspersky’s operations in the United States posed an undue or unacceptable national security risk. The key concerns highlighted include:
  1. Jurisdiction and Control by the Russian Government: Kaspersky is subject to Russian laws requiring cooperation with intelligence agencies, including compliance with requests for information. This legal framework gives the Russian government potential access to data managed by Kaspersky’s software, which could compromise U.S. national security.
  2. Access to Sensitive Information: Kaspersky’s software has extensive administrative privileges over customer systems, creating opportunities for data exploitation.
  3. Potential for Malicious Activities: Kaspersky could theoretically introduce malware or withhold crucial security updates, compromising U.S. cybersecurity.
  4. Third-Party Integrations: Integrating Kaspersky products into third-party services further complicates the risk, as the source code might be obscured, increasing vulnerability in critical U.S. systems.

Transition Period and Recommendations

While users won’t face legal penalties for continued use of Kaspersky products during this transition period, they assume all associated cybersecurity risks. This grace period is crucial for minimizing disruptions and ensuring a smooth transition to secure alternatives. The Department of Commerce, along with DHS and DOJ, is actively working to inform and assist users in transitioning to alternative cybersecurity solutions. “The actions taken today are vital to our national security and will better protect the personal information and privacy of many Americans. We will continue to work with the Department of Commerce, state and local officials, and critical infrastructure operators to protect our nation’s most vital systems and assets,” said Secretary of Homeland Security Alejandro N. Mayorkas. runZero, meanwhile, released tools to detect Kaspersky products in most Windows installations, which also work with the company's free community edition.
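Before migrating, an organization needs to know where Kaspersky software is still installed. The following PowerShell inventory check is an added example (not runZero's tool or anything from the article); it assumes it is run with local administrator rights on each Windows host and looks only at the standard uninstall registry keys and the Windows service list.

```powershell
# Added example: inventory Kaspersky components on a Windows host so they can be
# replaced before the 29 September 2024 cutoff. Assumes local administrator rights.
# Not affiliated with runZero or the BIS determination; a constructed illustration.

# Both 64-bit and 32-bit (WOW6432Node) uninstall hives list installed products.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-KasperskyInstall {
    # Match on product name or publisher; either field alone can be blank.
    Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Kaspersky*' -or $_.Publisher -like '*Kaspersky*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString
}

function Get-KasperskyService {
    # Services whose name or binary path point at Kaspersky, including ones
    # left behind after a partial uninstall.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like '*Kaspersky*' -or $_.PathName -like '*Kaspersky*' } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

$installs = @(Get-KasperskyInstall)
$services = @(Get-KasperskyService)
$hostName = $env:COMPUTERNAME

if ($installs.Count -gt 0 -or $services.Count -gt 0) {
    Write-Output "Kaspersky components found on $($hostName):"
    $installs | Format-Table -AutoSize | Out-String | Write-Output
    $services | Format-Table -AutoSize | Out-String | Write-Output

    # Per-host CSV so a fleet-wide inventory can be merged from many machines.
    $report = [PSCustomObject]@{
        Host          = $hostName
        Products      = ($installs | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; '
        Services      = ($services | ForEach-Object { $_.Name }) -join '; '
        CheckedAtUtc  = (Get-Date).ToUniversalTime().ToString('o')
    }
    $report | Export-Csv -Path "kaspersky-inventory-$hostName.csv" -NoTypeInformation
} else {
    Write-Output "No Kaspersky components found on $($hostName)."
}
```

Run it through your existing remote-execution or endpoint-management channel and merge the per-host CSVs to get a migration worklist; the uninstall string in the output is the vendor's own removal command for each product.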

Historical Background: From Trump to Biden

The determination against Kaspersky is part of a broader U.S. strategy to safeguard its information and communications technology infrastructure. The roots of this policy can be traced back to Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain,” which empowers the Commerce Department to evaluate and act against risks posed by foreign ICTS transactions. The scrutiny of Kaspersky began during the Trump administration, amid growing concerns about Russia's cyber capabilities and potential espionage activities. The Trump-era directives and legislative actions laid the groundwork for stricter controls, reflecting a bipartisan consensus on the threat posed by foreign cyber interference. Under the Biden administration, the approach has evolved into a more comprehensive and coordinated effort. The establishment of the OICTS within BIS and the issuance of the Final Determination represent a significant escalation in the U.S. government's efforts to protect its digital infrastructure. The Biden administration's emphasis on a “whole-of-government” strategy underscores the critical importance of cybersecurity in national defense. The U.S. government has taken a coordinated approach to implementing this determination. Commerce Secretary Gina Raimondo emphasized the commitment to national security and innovation, stating that this action is a clear message to adversaries. “Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information, and we will continue to use every tool at our disposal to safeguard U.S. national security and the American people. Today’s action, our first use of the Commerce Department’s ICTS authorities, demonstrates Commerce’s role in support of our national defense and shows our adversaries we will not hesitate to act when their technology poses a risk to the United States and its citizens,” said Raimondo.

The Future of U.S. Cybersecurity Policy

The inclusion of Kaspersky and related entities on the Entity List highlights the U.S. government’s proactive stance. This list, maintained under the Export Control Reform Act of 2018, identifies entities engaged in activities contrary to U.S. national security interests. Additions to this list involve rigorous interagency review, ensuring that actions are based on concrete, specific evidence of risk. “With today’s action, the American cyber ecosystem is safer and more secure than it was yesterday,” said Under Secretary for Industry and Security Alan Estevez. “We will not hesitate to protect U.S. individuals and businesses from Russia or other malign actors who seek to weaponize technology that is supposed to protect its users.” As the September deadline approaches, businesses and individuals alike must stay informed and take necessary steps to secure their digital environments. The U.S. government's decisive action against Kaspersky highlights the critical importance of vigilance and proactive measures in the ever-evolving landscape of cybersecurity.

Chris Pashley Joins ARPA-H as Chief Information Security Officer

Chris Pashley

The Advanced Research Projects Agency for Health (ARPA-H) has appointed Chris Pashley as its Chief Information Security Officer (CISO). Pashley, formerly the Deputy Chief Information Security Officer at the Cybersecurity and Infrastructure Security Agency (CISA), announced his new role through a LinkedIn post. ARPA-H, part of the U.S. Department of Health and Human Services, is dedicated to tackling the most challenging problems in health through innovative research programs grounded in urgency, excellence, and honesty. The agency aims to accelerate breakthroughs that enable every American to realize their full health potential, transforming the seemingly impossible into the possible and the actual.

Image: Chris Pashley. Source: Chris Pashley's LinkedIn post.

Pashley’s appointment comes at a crucial time for ARPA-H as it seeks to develop and launch an agency-wide initiative to implement strong cybersecurity measures. His extensive experience and proven track record in cybersecurity make him an ideal fit for this pivotal role.

Chris Pashley's Background and Experience

Before joining ARPA-H, Pashley played a key role at CISA, where he supported efforts to strengthen the agency’s internal cybersecurity program. He worked closely with CISA’s CISO and Chief Information Officer to enhance the agency’s cybersecurity posture, ensuring that its systems and data were well-protected against the ever-evolving landscape of cyber threats. Prior to his tenure at CISA, Pashley led the Cyber Threat Intelligence (CTI) team within the Security Operations Division at U.S. Customs and Border Protection (CBP). In this capacity, he focused on establishing the foundational elements of the CTI team, including its vision, mission, structure, and performance management. He also improved the team’s integration with and support to CBP’s Security Operations Center (SOC), providing senior leadership with critical updates on cyber threat activity.

Pashley’s move to the government sector in 2017 was preceded by a nearly seven-year stint at Booz Allen Hamilton, where he served as an associate. His work there laid the groundwork for his subsequent roles in government cybersecurity, equipping him with the skills and experience needed to navigate the complex and high-stakes environment of federal cybersecurity operations. Pashley’s expertise will be instrumental in developing and implementing comprehensive cybersecurity measures across ARPA-H. His approach will likely involve a combination of proactive threat intelligence, rigorous security protocols, and continuous monitoring to protect the agency’s digital assets. With his extensive background in cybersecurity and proven leadership, Pashley is well-equipped to guide ARPA-H in protecting its vital research and operations. As the agency continues to push the boundaries of health innovation, strong cybersecurity measures will be crucial in ensuring the success and integrity of its groundbreaking work.

European Union Tightens Cybersecurity Grip with NIS and DORA Regulations

European Union

The European Union has introduced two critical regulatory frameworks: the Network and Information Security (NIS) Directive and the Digital Operational Resilience Act (DORA). These measures aim to ensure that businesses of all sizes implement strong cybersecurity practices to protect sensitive information. However, industry experts suggest that the regulations’ full potential might only be realized with the involvement of third-party cybersecurity specialists.

The Growing Cyber Threat Landscape

As businesses increasingly depend on digital infrastructure to connect with clients, customize products, and enhance customer experiences, they simultaneously face heightened risks of cyberattacks. Cybercrime is projected to cost the global economy $9.5 trillion in 2024, escalating by 15% annually to reach $10.5 trillion by 2025, according to Cybersecurity Ventures. Even the most advanced cybersecurity systems can be compromised, as evidenced by a recent data breach of the United Kingdom’s Ministry of Defence payroll system, exposing the names and banking details of both current and former armed forces members.

European Union's Response: NIS and DORA

Recognizing the urgent need for stronger cybersecurity measures, the European Union has implemented the NIS Directive and DORA. These regulations aim to standardize and enhance cybersecurity practices across member states.

NIS Directive: The NIS Directive focuses on establishing high-level, common cybersecurity best practices. It strengthens system security requirements, addresses supply chain vulnerabilities, streamlines reporting, and introduces stringent supervisory measures with potential sanctions for non-compliance. The directive was initiated in the fall of 2021 and formalized in May 2022, and businesses were given until October 2024 to comply with the new standards.

DORA: DORA targets the financial sector, mandating periodic digital operational resilience testing and the implementation of management systems to monitor and report significant ICT-based incidents to relevant authorities. This regulation aims to ensure that financial entities like banks, insurance companies, and investment firms can maintain operational resilience during severe disruptions. The development of DORA involved three European Supervisory Authorities: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). They established mandatory incident reporting requirements and encouraged cooperation and information sharing among financial entities and regulators to respond effectively to cybersecurity threats.

The Importance of Third-Party Assessments

Darren Humphries, Group CISO & CTO-Partner at Acora, emphasizes the need for continuous measurement of cybersecurity practices. “Risk management is moving away from art to science,” Humphries explains, highlighting the importance of metrics and documentation in meeting regulatory guidelines. He criticizes the effectiveness of self-attestation, noting that the Ministry of Defence breach partly occurred due to reliance on self-service attestation from suppliers. Instead, Humphries advocates for third-party cybersecurity specialists to evaluate and verify processes, minimizing the risk of oversight. The evolving threat landscape demands that corporations, especially those in the financial sector, become proactive in addressing potential security vulnerabilities. The new EU regulations push businesses in this direction, but they also need to leverage third-party expertise to thoroughly examine and fortify their cybersecurity frameworks. By doing so, they can better protect network transactions and comply with regulatory requirements, reducing the likelihood of cyber incidents.

Conclusion

The new EU regulations, NIS and DORA, represent a significant step forward in enhancing cybersecurity practices across Europe. However, to maximize their impact and truly safeguard against evolving cyber threats, businesses must incorporate third-party assessments and expertise. By doing so, they can ensure robust protection of sensitive information and compliance with regulatory standards, ultimately reducing their cybersecurity risks in an increasingly digital world.

CDK Global Hit by Cyberattack, Backups Potentially Compromised

CDK Global Cyberattack

CDK Global, a provider of software solutions to auto dealerships across the United States, has fallen victim to a significant cyberattack. This CDK Global cyberattack has forced the company to temporarily shut down most of its systems, effectively bringing sales operations at approximately 15,000 car dealerships to a standstill. The cyberattack has had a profound impact on major clients of CDK Global, including General Motors dealerships, Group 1 Automotive, and Holman, which operates dealerships across eight U.S. states. These dealerships rely heavily on CDK's software to manage their daily operations, from sales transactions to inventory management.

"We are actively investigating a cyber incident. Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible," a CDK spokesperson told CBS News. According to the news reports, CDK reported that they had restored some of their systems after conducting extensive tests and consulting with third-party experts. "With the work done so far, our core dealer management system and Digital Retailing solutions have been restored. We are continuing to conduct extensive tests on all other applications and will provide updates as we bring those applications back online," CDK stated in a communication to CBS MoneyWatch.

CDK Global’s dealer management system (DMS) serves as a central hub that allows dealerships to monitor their operations from a single interface. Their retail tools enable dealerships to conduct transactions both online and in showrooms. These tools are essential for managing payroll, inventory, and various office operations. CDK also prides itself on offering robust cybersecurity solutions, as stated on its website: "CDK Cybersecurity Solutions provide a three-tiered cybersecurity strategy to prevent, protect, and respond to cyberattacks so you can defend your dealership."

Dealerships' Response to the CDK Global Cyberattack

The sudden outage has caused widespread disruption among car dealerships. Many have been forced to find creative solutions to continue their operations. Dealership employees took to Reddit to discuss the challenges they were facing. They reported relying on spreadsheets and sticky notes to handle small parts sales and repairs, while larger transactions were effectively halted. One employee questioned others on Reddit, asking, "How many of you are standing around because your whole shop runs on CDK?" Responses from users in Wisconsin and Colorado confirmed that their dealership systems were offline, causing significant operational delays. The CDK Global Cyberattack has left many employees with little to do, with some dealerships sending staff home due to the inability to conduct normal business operations. "We are almost to that point… no parts, no ROs, no times… just dead vehicles with nothing to show for them or parts to fix them," lamented one dealership employee on Reddit. Another employee shared, "Excel spreadsheets and post-it notes for any parts we're handing out. Any big jobs are not happening," highlighting the extent to which the disruption has impacted their workflow.

Potential Ransomware Attack

While CDK Global has not released an official statement on the nature of the cyberattack, rumors and reports suggest that the company may have suffered a ransomware attack that also impacted its backups. If it was indeed a ransomware attack, the outages could persist for several days, potentially stretching into the next week or longer. The Cyber Express Team tried to reach out to CDK Global for an official statement and further details about the cyberattack; however, as of writing this news report, no response has been received.

Maxicare Confirms Data Breach in Third-Party Booking Platform, Ensures Core Systems Unaffected

Maxicare data breach

Maxicare, one of the leading health maintenance organizations, has reported a security incident involving unauthorized access to personal information. The Maxicare data breach affects approximately 13,000 members, accounting for less than 1% of Maxicare's total member population. The compromised information pertains to booking requests made through Lab@Home, a third-party home care provider. Maxicare assures its members that no sensitive medical information has been exposed. The data breach has not impacted Maxicare's business operations, network, or customer data. Lab@Home's booking platform, where the breach occurred, operates on a separate database that is not integrated with Maxicare's main systems. "At this point, what we can confirm is that the business operations, network, and customer data of Maxicare have not been impacted in any way. Lab@Home maintains a separate database for booking requests, which is not integrated with Maxicare's system," reads Maxicare's official statement.

Maxicare Data Breach: Immediate Response and Investigation

Upon learning of the potential security breach, Maxicare promptly initiated emergency measures to safeguard the privacy and security of the affected members. The company has launched a comprehensive investigation in collaboration with data security professionals and an industry-leading cybersecurity firm. "We launched an investigation together with a team of data security professionals and in partnership with an industry-leading cybersecurity firm," said a spokesperson from Maxicare. "Our team is fully adhering to all regulatory requirements by the National Privacy Commission. We will continue to communicate with our valued members on this matter."

Background on the Maxicare Security Breach

The security breach specifically involved the booking platform of Lab@Home, which facilitates home care services for Maxicare members. The information compromised includes details used for booking requests. Importantly, no sensitive medical records were accessed or compromised during this incident. Lab@Home's database is entirely separate from Maxicare's primary systems, which helps contain the breach and prevents it from spreading to other parts of Maxicare’s infrastructure. Maxicare is taking proactive steps to address the recent security incident involving unauthorized access to member information. Through immediate action, rigorous investigation, and ongoing communication, the company aims to ensure the continued trust and safety of its members. TCE will provide further updates as the situation evolves and more information becomes available.

Over 70% of Businesses Increase Security Spending on Proactive Measures

Proactive Security

Titania, specialists in continuous network security and compliance assurance solutions, announced the release of compelling new research that highlights a significant shift in cybersecurity spending towards proactive security measures. The report, "Emerging Best Practice in the Use of Proactive Security Solutions," indicates a marked increase in investments aimed at preemptively mitigating cyber threats. According to the study, over 70% of businesses reported increased spending on proactive security solutions, such as attack surface management and risk-based vulnerability management, over the past year. This growth notably outpaces investments in both preventative and reactive measures.

Strategic Implementation and Cybersecurity Industry Trends

Conducted in partnership with Omdia, a global analyst and advisory leader, the study surveyed over 400 security decision-makers across North America, the UK, France, and Germany. The findings highlight a rapid adoption of proactive security measures driven by three key objectives:
  • Reducing the opportunity for cyber threats
  • Reducing the mean time to remediate known vulnerabilities
  • Minimizing the attack surface.
These proactive solutions are becoming an essential layer of protection, providing a comprehensive understanding of the threat landscape and attack surface to enhance organizational resilience and readiness.

Geographic and Sectoral Insights

The trend towards proactive security is particularly pronounced in the EMEA region, where 74% of respondents increased their budgets compared to 67% in North America. The financial services sector (54%) and critical infrastructure organizations, including energy and utilities companies (53%), show a strong inclination towards these investments. Nearly half (47%) of the respondents reported that their top cybersecurity goals for the next 12-24 months include reducing the opportunity for threats through proactive security. In contrast, only 27% of organizations plan to focus on improving tactical outcomes such as better threat prevention, detection, and response.

Enhancing Security Posture

Organizations are increasingly recognizing the need to improve their security posture through proactive security tools, which significantly enhance attack surface management and security control optimization. Many organizations reported limited visibility into the security posture of their network assets, such as firewalls, switches, and routers. Approximately half of the surveyed organizations check their network devices at most monthly, and some only monitor devices in critical segments or a sample of devices across their networks. Critical infrastructure organizations reported lower confidence than other industries in their ability to maintain adequate network segmentation and prevent unauthorized network access.

Anticipated Organizational Impact

Almost half (48%) of all respondents anticipate a high level of organizational disruption due to the broader adoption of proactive security solutions, highlighting the transformative impact these measures are expected to have. “This research vividly illustrates a widespread and rapid shift towards proactive security to improve operational readiness and resilience,” said Tom Beese, Executive Chairman of Titania. “Organizations recognize the critical need to stay ahead of known threats and shut down attacks by investing in solutions that offer real-time visibility of their security posture and remediation actions that continuously minimize their exposure.” Businesses emphasized the importance of consolidating proactive security tools, with 65% highlighting better visibility and management of the attack surface, 60% focusing on improved security control optimization, and 54% noting manpower productivity improvements.

Critical Proactive Security Capabilities

The survey identified several critical proactive security capabilities:
  • The ability to view risks through different attack frameworks (61%).
  • Full asset context (60%).
  • Integration with existing security fabric to implement temporary mitigations (57%).
Andrew Braunberg, Principal Analyst at Omdia, explained, “While the cybersecurity industry has clung to the 'assume breach' mantra with its preventative and reactive solutions, organizations are awakening to a smarter strategy: proactively understanding attack surfaces, mapping attack paths, and plugging vulnerabilities to prevent breaches. Network device configurations are crucial to security posture management, and the adoption of proactive security solutions that automate configuration assessments could have a transformative impact.” The report highlights a gap in industry guidance on best practices for building a proactive security strategy. It notes that the US Defense Department’s Command Cyber Readiness Inspection program (CORA) and the EU’s Digital Operational Resilience Act (DORA) requirements align well with the need for proactive security solutions.

FBI Investigates Cyberstalking by Richard Roe, Seeks Victims

Cyberstalking

The FBI's Baltimore Field Office is actively seeking to identify potential victims of Richard Michael Roe, who has recently been indicted on charges of cyberstalking under federal law. The charges allege that Roe engaged in a campaign of harassment through phone calls, text messages, and emails, targeting multiple victims over the course of a year. The FBI's investigation uncovered that Roe used spoofed phone numbers and email accounts to conduct this harassment. The indictment against Richard Michael Roe is a significant step in addressing the cyberstalking activities that allegedly took place from December 2019 until January 2021. It is important to note that an indictment is merely an allegation, and Roe is presumed innocent until proven guilty beyond a reasonable doubt. According to the charges, Roe's cyberstalking involved making numerous phone calls and sending multiple text messages daily to his victims. The FBI believes that approximately six individuals and two businesses were targeted during this period.

FBI's Call for Public Assistance

The FBI is reaching out to the public for assistance in identifying additional victims who may have been harassed by Roe. “If you and/or anyone you know were victimized by Roe, or if you have information relevant to this investigation, please fill out this short form,” reads the FBI release. The agency has set up a dedicated email, RoeVictims@fbi.gov, and a short form for individuals to provide information. Your responses are voluntary but could be crucial in furthering the federal investigation and identifying additional victims. The FBI is legally required to identify victims of federal crimes it investigates. Victims of such crimes may be eligible for various services, restitution, and rights under federal and/or state law. Identifying victims is not only a legal mandate but also an essential part of ensuring that those affected by Roe's alleged cyberstalking receive the support and justice they deserve. The FBI assures that all identities of victims will be kept confidential. “Based on the responses provided, you may be contacted by the FBI and asked to provide additional information. All identities of victims will be kept confidential.”

The Impact of Cyberstalking

Cyberstalking is a serious offense that can have profound effects on the lives of victims. It involves the use of digital means to harass, intimidate, and threaten individuals, leading to emotional distress, fear, and disruption of daily life. The use of spoofed phone numbers and email accounts, as alleged in Roe's case, can make it challenging for victims to trace the source of harassment, adding to their anxiety and sense of vulnerability.

How to Recognize Cyberstalking

Victims of cyberstalking often experience repeated, unwanted contact through digital communication methods. This can include:
  • Frequent and persistent phone calls, often from unknown or spoofed numbers.
  • Harassing text messages that may contain threats or abusive language.
  • Unwanted emails that may be difficult to trace back to the sender.
If you have experienced such behaviors, it is crucial to report them to authorities. The FBI's current efforts to identify victims of Roe underline the importance of addressing and combating cyberstalking.

FTC Sues Adobe for ‘Trapping’ Users in Deceptive Subscription Practices

Adobe

The Federal Trade Commission (FTC) has launched legal action against software giant Adobe and two of its top executives, Maninder Sawhney and David Wadhwani, for allegedly deceiving consumers about early termination fees and making it difficult to cancel subscriptions. The Department of Justice (DOJ), following a referral from the FTC, has filed a complaint in a federal court, charging Adobe with pushing consumers toward its “annual paid monthly” subscription plan without adequately disclosing the costly cancellation fees associated with it. “Adobe trapped customers into year-long subscriptions through hidden early termination fees and numerous cancellation hurdles,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Americans are tired of companies hiding the ball during subscription signup and then putting up roadblocks when they try to cancel. The FTC will continue working to protect Americans from these illegal business practices.”

Details of the FTC Complaint Against Adobe

According to the complaint, Adobe has been steering consumers towards its "annual paid monthly" subscription plan by pre-selecting it as the default option on its website. While the monthly cost is prominently displayed, the early termination fee (ETF) is not. The ETF, which amounts to 50 percent of the remaining monthly payments if the subscription is canceled within the first year, is buried in small print or hidden behind small icons on the website. Consumers have complained to the FTC and the Better Business Bureau, stating they were unaware of the ETF or that the plan required a year-long commitment.

Adobe's Practices

Adobe shifted primarily to a subscription model in 2012, which now accounts for most of its revenue. The complaint alleges that despite knowing about consumer confusion regarding the ETF, Adobe continues to obscure the fee and make it difficult to cancel subscriptions. When consumers try to cancel their subscriptions through Adobe’s website, they must navigate through numerous pages. Those who seek help from customer service face resistance, delays, and additional obstacles, such as dropped calls, chats, and multiple transfers. Some consumers who believed they had canceled their subscriptions later found that Adobe continued to charge them. The FTC charges that Adobe's practices violate the Restore Online Shoppers’ Confidence Act. The Commission voted unanimously (3-0) to refer the civil penalty complaint to the DOJ, which then filed it in the U.S. District Court for the Northern District of California.

Adobe's Response to FTC Complaint

In response to the FTC's complaint, Adobe released a statement through Dana Rao, General Counsel and Chief Trust Officer: “Subscription services are convenient, flexible, and cost-effective to allow users to choose the plan that best fits their needs, timeline, and budget. Our priority is to always ensure our customers have a positive experience. We are transparent with the terms and conditions of our subscription agreements and have a simple cancellation process. We will refute the FTC’s claims in court.”

Adobe Shift to the Subscription Model

Adobe's transition to a subscription model over a decade ago was driven by the digital and cloud-based evolution of the industry. This model was designed to deliver continuous innovation, including cloud-based features and services, more affordably to customers. Subscription-based software and services have become integral to the digital economy, offering numerous benefits such as:
  • Continuous Innovation: Subscriptions allow Adobe to deliver ongoing improvements and new features, including those that require cloud computation, without additional cost to customers, for example Photoshop's Generative Fill feature.
  • Multi-Device Usage: Products can be used on multiple devices and across groups of collaborators, providing automatic updates and enhanced security.
  • Access to Cloud-Only Services: Subscribers gain access to services like artificial intelligence (AI) tools and other cloud-based functionalities.
  • Consumer Choice: Adobe offers various plans, giving consumers the flexibility to choose between lower upfront costs and maximum flexibility.
The FTC's complaint against Adobe brings to light the critical issue of transparency in subscription services. As digital subscriptions become more prevalent, it is essential for companies to be upfront about fees and provide straightforward cancellation processes. This case serves as a reminder that consumer protection agencies will continue to hold companies accountable for deceptive practices, ensuring that consumers are treated fairly in the marketplace. The ongoing legal battle will be closely watched, with significant implications for both Adobe and the wider industry.

MEDUSA Ransomware Targets AJE Group: $1.5M Price Tag for 646GB of Data

AJE Group

AJE Group, a prominent company in the manufacture, distribution, and sale of alcoholic and nonalcoholic beverages, has allegedly fallen victim to a MEDUSA ransomware attack. Founded in 1988 and headquartered in Lima, Peru, AJE Group employs 2,896 people. The unconfirmed ransomware attack on AJE Group has allegedly resulted in a significant data breach, putting 646.4 GB of data at risk.

Ransomware Attack on AJE Group: Ransom Demand and Countdown

The ransomware group has set an ominous countdown of eight days, 21 hours, 20 minutes, and 30 seconds for the company to comply with their demands. The attackers have placed a hefty price tag of US$1,500,000 to prevent unauthorized distribution of the compromised data. Additionally, for every day that passes without payment, the ransom amount increases by US$100,000. However, these claims remain unconfirmed as AJE Group has yet to release an official statement regarding the incident.

Image: ransomware attack on AJE Group. Source: X.

A preliminary investigation into AJE Group’s official website revealed no apparent disruptions; the site was fully operational, casting doubt on the authenticity of the ransomware group’s claims. Nevertheless, without an official statement from AJE Group, it is premature to conclude whether the ransomware attack on AJE Group has genuinely occurred. If the ransomware attack on AJE Group is confirmed, the implications for the Group could be extensive and severe. Data breaches can lead to significant financial losses, reputational damage, and operational disruptions. The compromised data may include sensitive information that, if leaked, could affect the company's competitive standing and expose its employees and customers to further risks.

MEDUSA Ransomware: A Rising Threat

Earlier, The Cyber Express (TCE) reported that Threat Actors (TAs) associated with the notorious MEDUSA ransomware have escalated their activities, allegedly targeting two institutions in the USA. The first target is Tri-Cities Preparatory High School, a public charter middle and high school located in Prescott, Arizona. The threat actors claim to have access to 1.2 GB of the school’s data and have threatened to publish it within seven to eight days. The second target is Fitzgerald, DePietro & Wojnas CPAs, P.C., an accounting firm based in Utica, New York. The attackers claim to have access to 92.5 GB of the firm’s data and have threatened to release it within eight to nine days.

History and Modus Operandi of MEDUSA

MEDUSA first emerged in June 2021 and has since launched attacks on organizations across various countries and industries, including healthcare, education, manufacturing, and retail. Despite its global reach, most victims have been based in the United States. MEDUSA operates as a Ransomware-as-a-Service (RaaS) platform, offering malicious software and infrastructure to would-be attackers. This model enables less technically skilled criminals to launch sophisticated ransomware attacks. MEDUSA's TAs often utilize a public Telegram channel to post stolen data, leveraging public exposure as an extortion tactic to pressure organizations into paying the ransom.

The Broader Impact of Ransomware Attacks

The reported MEDUSA ransomware attack on AJE Group highlights the growing threat posed by ransomware groups. Ransomware attacks have become increasingly prevalent, targeting critical sectors and causing widespread disruption. The healthcare industry, for instance, has seen hospitals forced to shut down operations, delaying critical medical procedures and compromising patient care. Educational institutions have faced similar disruptions, with students' data at risk and academic schedules thrown into disarray. The manufacturing and retail sectors, too, have not been spared. Companies in these industries have experienced production halts, supply chain disruptions, and significant financial losses due to ransomware attacks. These incidents highlight the importance of enhanced cybersecurity measures and prompt incident response protocols to mitigate the impact of such attacks. Additionally, organizations must prioritize cybersecurity awareness and preparedness to defend against ransomware attacks. Regular employee training, stringent access controls, and up-to-date security software are essential components of a robust cybersecurity strategy. Further, organizations should have a well-defined incident response plan to quickly address and contain any breaches.

Conclusion

While the authenticity of the ransomware attack on AJE Group remains unconfirmed, the potential consequences are significant. TCE will continue to monitor this ongoing situation and provide updates as more information becomes available. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Guidehouse and Nan McKay to Pay $11.3M for Cybersecurity Failures in COVID-19 Rental Assistance


Guidehouse Inc., based in McLean, Virginia, and Nan McKay and Associates, headquartered in El Cajon, California, have agreed to pay settlements totaling $11.3 million to resolve allegations under the False Claims Act. The settlements resolve allegations that the two firms failed to meet cybersecurity requirements in contracts aimed at providing secure online access for low-income New Yorkers applying for federal rental assistance during the COVID-19 pandemic.

What Exactly Happened?

In response to the economic hardships brought on by the pandemic, Congress enacted the Emergency Rental Assistance Program (ERAP) in early 2021. This initiative was designed to offer financial support to eligible low-income households in covering rent, rental arrears, utilities, and other housing-related expenses. Participating state agencies, such as New York's Office of Temporary and Disability Assistance (OTDA), were tasked with distributing federal funding to qualified tenants and landlords. Guidehouse assumed a pivotal role as the prime contractor for New York's ERAP, responsible for overseeing the ERAP technology and services. Nan McKay acted as Guidehouse's subcontractor, entrusted with delivering and maintaining the ERAP technology used by New Yorkers to submit online applications for rental assistance.

Admission of Violations and Settlement

Critical to the allegations were breaches of cybersecurity protocols. Both Guidehouse and Nan McKay admitted to failing to meet their obligation to conduct required pre-production cybersecurity testing on the ERAP Application. Consequently, the ERAP system went live on June 1, 2021, only to be shut down twelve hours later by OTDA due to a cybersecurity breach. This data breach exposed the personally identifiable information (PII) of applicants, which was found accessible on the Internet. Guidehouse and Nan McKay acknowledged that proper cybersecurity testing could have detected and potentially prevented such breaches. Additionally, Guidehouse admitted to using a third-party cloud data storage program to store PII without obtaining OTDA's permission, violating its contractual obligations.

Government Response and Accountability

Principal Deputy Assistant Attorney General Brian M. Boynton of the Justice Department’s Civil Division emphasized the importance of adhering to cybersecurity commitments associated with federal funding. "Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments,” said Boynton. “The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.” U.S. Attorney Carla B. Freedman for the Northern District of New York echoed these sentiments, highlighting the necessity for federal contractors to prioritize cybersecurity obligations. “Contractors who receive federal funding must take their cybersecurity obligations seriously,” said Freedman. “We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.” Acting Inspector General Richard K. Delmar of the Department of the Treasury emphasized the severe impact of these breaches on a program crucial to the government’s pandemic recovery efforts. He expressed gratitude for the partnership with the DOJ in addressing this breach and ensuring accountability. “These vendors failed to meet their data integrity obligations in a program on which so many eligible citizens depend for rental security, which jeopardized the effectiveness of a vital part of the government’s pandemic recovery effort,” said Delmar. “Treasury OIG is grateful for DOJ’s support of its oversight work to accomplish this recovery.” New York State Comptroller Thomas P. DiNapoli emphasized the critical role of protecting the integrity of programs like ERAP, vital to economic recovery. He thanked federal partners for their collaborative efforts in holding these contractors accountable. 
“This settlement sends a strong message to New York State contractors that there will be consequences if they fail to safeguard the personal information entrusted to them or meet the terms of their contracts,” said DiNapoli. “Rental assistance has been vital to our economic recovery, and the integrity of the program needs to be protected. I thank the United States Department of Justice, United States Attorney for the Northern District of New York Freedman and the United States Department of Treasury Office of the Inspector General for their partnership in exposing this breach and holding these vendors accountable.”

Initiative to Address Cybersecurity Risks

In response to such breaches, the Deputy Attorney General announced the Civil Cyber-Fraud Initiative on October 6, 2021. This initiative aims to hold accountable entities or individuals who knowingly endanger sensitive information through inadequate cybersecurity practices or misrepresentations. The investigation into these breaches was initiated following a whistleblower lawsuit under the False Claims Act. As part of the settlement, whistleblower Elevation 33 LLC, owned by a former Guidehouse employee, will receive approximately $1.95 million. Trial Attorney J. Jennifer Koh from the Civil Division's Commercial Litigation Branch, Fraud Section, and Assistant U.S. Attorney Adam J. Katz from the Northern District of New York led the case, with support from the Department of the Treasury OIG and the Office of the New York State Comptroller. These settlements highlight the imperative for rigorous cybersecurity measures in federal contracts, particularly in safeguarding sensitive personal information critical to public assistance programs. As the government continues to navigate evolving cybersecurity threats, it remains steadfast in enforcing accountability among contractors entrusted with protecting essential public resources.

CISA & EAC Release Guide to Enhance Election Security Through Public Communication


In a joint effort to enhance election security and public confidence, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Election Assistance Commission (EAC) have released a comprehensive guide titled “Enhancing Election Security Through Public Communications.” This guide on election security is designed for state, local, tribal, and territorial election officials who play a critical role as the primary sources of official election information.

Why Communication is Important in Election Security

Open and transparent communication with the American public is essential to maintaining trust in the electoral process. State and local election officials are on the front lines, engaging with the public and the media on numerous election-related topics. These range from election dates and deadlines to voter registration, candidate filings, voting locations, election worker recruitment, security measures, and the publication of results. The new guide aims to provide these officials with a strong framework and practical tools to develop and implement an effective, year-round communications plan. “The ability for election officials to be transparent about the elections process and communicate quickly and effectively with the American people is crucial for building and maintaining their trust in the security and integrity of our elections process,” stated CISA Senior Advisor Cait Conley. The election security guide offers practical advice on how to tailor communication plans to the specific needs and resources of different jurisdictions. It includes worksheets to help officials develop core components of their communication strategies. This approach recognizes the diverse nature of election administration across the United States, where varying local contexts require customized solutions. EAC Chairman Ben Hovland, Vice Chair Donald Palmer, Commissioner Thomas Hicks, and Commissioner Christy McCormick collectively emphasized the critical role of election officials as trusted sources of information. “This resource supports election officials to successfully deliver accurate communication to voters with the critical information they need before and after Election Day,” they said. Effective and transparent communication not only aids voters in casting their ballots but also helps instill confidence in the security and accuracy of the election results.

How Tailored Communication Enhances Election Security

The release of this guide on election security comes at a crucial time when trust in the electoral process is increasingly under scrutiny. In recent years, the rise of misinformation and cyber threats has posed significant challenges to the integrity of elections worldwide. By equipping election officials with the tools to communicate effectively and transparently, CISA and the EAC are taking proactive steps to safeguard the democratic process. One of the strengths of this guide is its emphasis on tailoring communication strategies to the unique needs of different jurisdictions. This is a pragmatic approach that acknowledges the diverse landscape of election administration in the U.S. It recognizes that a one-size-fits-all solution is not feasible and that local context matters significantly in how information is disseminated and received. Furthermore, the guide’s focus on year-round communication is a noteworthy aspect. Election security is not just a concern during election cycles but is a continuous process that requires ongoing vigilance and engagement with the public. By encouraging a year-round communication plan, the guide promotes sustained efforts to build and maintain public trust. However, while the guide is a step in the right direction, its effectiveness will largely depend on the implementation by election officials at all levels. Adequate training and resources must be provided to ensure that officials can effectively utilize the tools and strategies outlined in the guide. Additionally, there needs to be a concerted effort to address potential barriers to effective communication, such as limited funding or technological challenges in certain jurisdictions.

To Wrap Up

The “Enhancing Election Security Through Public Communications” guide by CISA and the EAC is a timely and necessary resource for election officials across the United States. As election officials begin to implement the strategies outlined in the guide, it is imperative that they receive the support and resources needed to overcome any challenges. Ultimately, the success of this initiative will hinge on the ability of election officials to engage with the public in a clear, accurate, and transparent manner, thereby reinforcing the security and integrity of the election process.

Phishing Attack at Los Angeles County Department of Public Health Leads to Major Data Breach


The Los Angeles County Department of Public Health (DPH) has disclosed a significant data breach impacting more than 200,000 individuals. The data breach at Los Angeles County DPH, occurring between February 19 and 20, 2024, involved the theft of sensitive personal, medical, and financial information. The data breach was initiated through a phishing attack, where an external threat actor obtained the login credentials of 53 DPH employees. “Between February 19, 2024, and February 20, 2024, DPH experienced a phishing attack,” reads the official notice.

Data Breach at Los Angeles County DPH: What Happened

The phishing email, designed to appear legitimate, tricked employees into divulging their credentials by clicking on a malicious link. This unauthorized access led to a wide-ranging compromise of data, affecting various individuals associated with DPH, including clients, employees, and others. The compromised email accounts contained a wealth of sensitive data. The potentially exposed information includes:
  • First and last names
  • Dates of birth
  • Diagnosis and prescription details
  • Medical record numbers/patient IDs
  • Medicare/Medi-Cal numbers
  • Health insurance information
  • Social Security numbers
  • Other financial information
It is important to note that not all of the above data elements were present for every affected individual. Each individual may have been impacted differently based on the specific information contained in the compromised accounts. “Affected individuals may have been impacted differently and not all of the elements listed were present for each individual,” Los Angeles County DPH informed.

Data Breach at Los Angeles County DPH: Notification

DPH is taking extensive steps to notify all potentially affected individuals. Notifications are being sent by post to those whose mailing addresses are available. For individuals without a mailing address on file, DPH has posted a notice on its website with the necessary information and resources. The department has advised impacted individuals to review the content and accuracy of their medical records with their healthcare providers. On the delay in notification, Los Angeles County DPH said, "Due to an investigation by law enforcement, we were advised to delay notification of this incident, as public notice may have hindered their investigation." To help protect against potential misuse of their information, DPH is offering one year of free identity monitoring services through Kroll, a global leader in risk mitigation and response. "To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll, a global leader in risk mitigation and response, to provide identity monitoring for one year at no cost to affected clients," reads the notice.

Response and Preventive Measures

Upon discovering the Los Angeles County DPH data breach, DPH took immediate action to mitigate further risks. The department disabled the affected email accounts, reset and re-imaged the users' devices, blocked the websites involved in the phishing campaign, and quarantined all suspicious incoming emails. Additionally, DPH has implemented numerous security enhancements to prevent similar incidents in the future. Awareness notifications have been distributed to all workforce members, reminding them to be vigilant when reviewing emails, especially those containing links or attachments. These measures aim to bolster the department's defense against phishing attacks and other cyber threats. The incident was promptly reported to law enforcement authorities, who investigated the breach. The US Department of Health and Human Services' Office for Civil Rights and other relevant agencies have also been notified, as required by law and contractual obligations.
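As an added illustration of the kind of check that sits behind a "quarantine suspicious incoming emails" step, the following Python snippet is example code written for this page, not DPH's tooling. It scans the anchors in an HTML email body for three indicators typical of credential-phishing links: a link whose visible text shows one host while the href points to another, a host on a blocklist of known campaign infrastructure, and a host that impersonates a trusted domain (either by embedding it in a longer, differently registered name or by differing from it by a single character). The trusted domain, the blocklist entry and the sample message are all constructed for the example.

```python
"""Credential-phishing link triage (added example; domains and message are constructed)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's real sign-in host and one IOC from the campaign.
TRUSTED_DOMAINS = {"publichealth.lacounty.gov"}
BLOCKED_DOMAINS = {"lacounty-login.example"}

# Constructed sample message: one blocked/mismatched link, one lookalike host, one genuine subdomain.
SAMPLE_MESSAGE = """
<p>Your mailbox password expires today. Sign in to keep access:</p>
<a href="https://lacounty-login.example/owa">https://publichealth.lacounty.gov/owa</a>
<p>Or use the portal: <a href="https://publichealth.lacounty.gov.verify-id.example/">portal</a></p>
<p>Help desk: <a href="https://helpdesk.publichealth.lacounty.gov/">helpdesk.publichealth.lacounty.gov</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname of a URL or bare 'host/path' string ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def edit_distance_one(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion from a
        elif len(a) < len(b):
            j += 1          # insertion into a
        else:
            i, j = i + 1, j + 1  # substitution
    return edits + (len(a) - i) + (len(b) - j) == 1


def find_phishing_indicators(html_body):
    """Return (reason, href) findings for suspicious anchors, in document order."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        link_host = host_of(href)
        # Only treat the visible text as a host claim when it looks like a URL or hostname.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if link_host in BLOCKED_DOMAINS:
            findings.append(("blocked-domain", href))
        if text_host and text_host != link_host and not link_host.endswith("." + text_host):
            findings.append(("link-text-mismatch", href))
        for trusted in TRUSTED_DOMAINS:
            genuine = link_host == trusted or link_host.endswith("." + trusted)
            impersonates = trusted in link_host or edit_distance_one(link_host, trusted)
            if not genuine and impersonates:
                findings.append(("lookalike-domain", href))
    return findings


if __name__ == "__main__":
    for reason, href in find_phishing_indicators(SAMPLE_MESSAGE):
        print(f"{reason:20s} {href}")
```

Run against the constructed message, the first anchor is reported twice (blocked host and text/href mismatch), the second once as a lookalike, and the genuine `helpdesk.` subdomain is not reported. In a mail gateway the same findings would drive a quarantine verdict; the blocklist is the piece that grows as incident responders add the campaign's hosts, which is the "blocked the websites involved" step described above.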

Steps for Individuals to Protect Themselves

While DPH cannot confirm whether any information has been accessed or misused, affected individuals are encouraged to take proactive steps to protect their personal information. These steps include:
  • Reviewing Medical Records: Individuals should review their medical records and Explanation of Benefits statements for any discrepancies or unauthorized services. Any irregularities should be reported to their healthcare provider or health plan.
  • Requesting Credit Reports: Individuals should remain vigilant against identity theft and fraud by regularly reviewing their financial statements and credit reports. Under US law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus: Equifax, Experian, and TransUnion. Free credit reports can be requested at www.annualcreditreport.com or by calling 1-877-322-8228.
  • Placing Fraud Alerts: Individuals can place a fraud alert on their credit files, which notifies creditors to take additional steps to verify identity before granting credit. Fraud alerts can be set up by contacting any of the major credit bureaus.
  • Security Freezes: A security freeze can also be placed on credit reports, which prevents credit bureaus from releasing any information without written authorization. This measure can help prevent unauthorized credit activity but may delay the approval of new credit requests.
The Los Angeles County Department of Public Health continues to cooperate with law enforcement and other agencies to protect the privacy and security of its clients, employees, and other stakeholders.