Crypto portfolio tracking app Coinstats has found itself at the center of a security breach, impacting approximately 1,590 user wallets. The Coinstats data breach, which occurred on June 22, 2024, has been attributed to a group with alleged ties to North Korea, marking a concerning development for crypto investors.  Coinstats swiftly responded to the breach by taking down its application temporarily. This proactive measure was aimed at containing the data breach at Coinstats and preventing further unauthorized access to user data and funds.  The affected wallets, constituting about 1.3% of all Coinstats wallets, were primarily those created directly within the app. Fortunately, wallets connected to external exchanges and platforms remained unaffected, providing some relief amidst the security scare.

Understanding the Coinstats Data Breach 

[caption id="attachment_78679" align="alignnone" width="733"] Source: Coinstats on X[/caption] In a public statement addressing the breach, Coinstats reassured its user base that the incident has been mitigated, and immediate steps have been taken to secure the platform. Users whose wallet addresses were compromised were advised to take action by transferring their funds using exported private keys. A spreadsheet link was provided for users to check if their wallets were among those affected. CEO Narek Gevorgyan highlighted the seriousness of the situation, acknowledging the challenges posed by the Coinstats cyberattack while emphasizing Coinstats' commitment to restoring normal operations swiftly and securely. Gevorgyan outlined that comprehensive security measures were being implemented during the restoration process to fortify the platform against future vulnerabilities. "We're actively working to bring the app back online as quickly as possible. Thank you for your patience," stated Gevorgyan in an update shared via Coinstats' official channels.

North Korea-linked Hackers Behind the Data Breach at Coinstats

The revelation of North Korea-linked hackers being behind the breach adds a geopolitical dimension to the Coinstats data breach incident, highlighting the global reach and sophisticated tactics employed by cyber threat actors targeting digital assets and platforms. This aspect of the breach highlights the need for heightened cybersecurity measures across the cryptocurrency sector. In a similar case, another crypto firm, BtcTurk faced a cyberattack on its hot wallets on June 22, 2024. Binance Binance CEO Richard Teng confirmed this attack, pledging ongoing support for BtcTurk's investigation. Cryptocurrency investigator ZachXBT hinted at a possible link between the breach and a $54 million Avalanche transfer.  Coinstats users have been urged to remain vigilant and monitor their accounts closely for any unauthorized transactions or suspicious activities. The company assured its users that it is actively investigating the extent of funds moved during the breach and pledged to provide updates as new information becomes available. In response to the breach, regulatory bodies and industry stakeholders may scrutinize Coinstats' security practices and response protocols. The outcome of such scrutiny could influence future cybersecurity standards within the cryptocurrency industry, potentially leading to more stringent requirements for platform security and user protection.

ECU Worldwide, a global player in Less than Container Load (LCL) consolidation, has appointed Rajneesh Garg as its new Chief Information Officer (CIO). In his new role, Garg will focus on managing and supporting software applications, leading technology transformation initiatives, and ensuring their successful implementation and adoption. He will work closely with the IT group shared services organization and report to Kapil Mahajan, Global CIO of Allcargo Group, from the company's Mumbai headquarters. "I am excited to be a part of ECU Worldwide known for its vision of a digital-first approach to build unmatched customer centricity at a global scale,” said newly appointed CIO, Garg. He added further, “The role gives me an opportunity to leverage my know-how to drive the growth journey of the company led under the leadership of Founder and Chairman Mr. Shashi Kiran Shetty, which is based on sustainability, superior customer experience, and futuristic approach. I look forward to working with the Allcargo Group to contribute to ECU Worldwide's growth journey.”

Rajneesh Garg Extensive Background

Garg brings over 20 years of leadership experience across various sectors, including banking, insurance, travel, hospitality, manufacturing, energy resources, and retail. Before joining ECU Worldwide, he was Vice President of Information Technology at Capgemini, overseeing regional delivery and growth for consumer products and retail accounts in the Nordic region. Garg holds a postgraduate degree in computer science from Moscow State University in Russia and has also worked in senior leadership roles at Tata Consultancy Services for over two decades. "With his extensive and diversified leadership experience in various sectors, Rajneesh will be instrumental in driving our technology transformation forward. His strategic vision aligns with our efforts to fortify ECU Worldwide's IT division as we pursue our ambitious growth and expansion strategies. We are confident that under Garg's leadership, our IT division will continue to break new ground in offering superior customer experience. We look forward to working with him as we embark on the next phase of growth,’’ said Kapil Mahajan, Global Chief Information Officer, Allcargo Group.

Way Forward

Founded in 1987, ECU Worldwide is a wholly-owned global subsidiary of Allcargo Logistics. The company is a major player in multi-modal transport and a leader in LCL consolidation. ECU Worldwide operates with a digital-first approach and is supported by leaders with expertise in logistics, data science, and technology. The appointment of Garg as CIO is a significant step for ECU Worldwide. His extensive experience and strategic approach are expected to drive the company’s technology initiatives and support its growth in the global LCL market. Garg's collaboration with the Allcargo Group leadership aims to bring technological advancements and improvements to ECU Worldwide's services and operations.

CISA has released the new version of the SAFECOM Guidelines. This exclusive guideline talks about the Emergency Communications Grants in cooperation with SAFECOM and NCSWIC. The new version aims to give the correct information to businesses globally. The National Council of Statewide Interoperability Coordinators (NCSWIC) and the Cybersecurity and Infrastructure Security Agency (CISA) work closely together to develop and maintain the SAFECOM Guidelines. According to the guidelines, the collaboration between the agencies goes into great detail about financial requirements, eligibility requirements, and technical requirements.

The New CISA SAFECOM Guidelines

The new SAFECOM guidelines help state, local, tribal, and territory governments secure federal money for crucial emergency communications projects is its main goal. Billy Bob Brown, Jr., Executive Assistant Director for Emergency Communications at CISA, stated: "The SAFECOM Guidance on Emergency Communications Grants is an essential resource that supports our collective efforts to strengthen the resilience and interoperability of emergency communications nationwide."  The guidance aims to provide a seamless experience to governments and agencies while also receiving new updates every year. These updates include new developments in technology and online risk management. It guarantees that grantees have access to the most recent guidelines and specifications required to construct reliable, safe, and compatible communication networks. By adhering to these standards, recipients can maximize government funding by ensuring that investments align with both national and community interests. "Incorporating SAFECOM Guidance into project planning not only enhances funding prospects but also strengthens the overall emergency response capabilities of our communities," Brown said. The document encourages stakeholders to adopt best practices in the planning, organizing, and execution of emergency communications projects to foster a uniform strategy across all governmental levels and public safety groups.

SAFECOM and Federal Agencies

Federal organizations such as the Office of Management and Budget and the Department of Homeland Security have acknowledged the SAFECOM Guidance as a vital resource since its establishment.  Grant candidates are encouraged to utilize the SAFECOM Guidance to ensure that their projects are in line with state, local, tribal, or territorial emergency communications strategies. To address the diverse needs of public safety organizations and communities, the research places a strong emphasis on the integration of new technologies, cybersecurity measures, and interoperable communication systems. Through the SAFECOM website, CISA offers resources and information on comprehending federal grant criteria to further assist stakeholders. The team is still dedicated to helping applicants create thorough plans that both satisfy funding requirements and improve emergency infrastructure's overall resilience.

Advance Auto Parts, Inc., one of the big suppliers of automobile aftermarket components in America, has reported a data breach to the US Securities and Exchange Commission (SEC).  Advance Auto Parts data breach was first reported by The Cyber Express on June 6, 2024. In its report to the SEC, the company said that a data breach from its third-party cloud storage had resulted in unauthorized access to consumer and policyholder information. In a June 14 filing to the SEC, the company said, “On May 23, 2024, Advance Auto Parts, Inc. identified unauthorized activity within a third-party cloud database environment containing Company data and launched an investigation with industry-leading experts. On June 4, 2024, a criminal threat actor offered what it alleged to be Company data for sale. The Company has notified law enforcement.” A threat actor going by the handle “Sp1d3r” had claimed to have stolen three terabytes of data from the company’s Snowflake cloud storage. The stolen information was allegedly being sold for US$1.5 million on dark web. [caption id="attachment_78143" align="alignnone" width="815"] (Source: X)[/caption] According to the threat actor, the stolen data included 380 million customer profiles, containing names, emails, mobile numbers, phone numbers, addresses; information on 358,000 employees, 44 million Loyalty/Gas card numbers, the company’s sales history, among other details.

Details of Advance Auto Parts SEC Filing

In its declaration to the SEC, auto parts seller said that “There has been no material interruption to the Company's business operations due to the incident. “Based on the review of files determined to have been impacted, the Company believes that some files contain personal information, including but not limited to social security numbers or other government identification numbers of current and former job applicants and employees of the Company,” the filing said. Advance Auto Parts said that the company would share information about the data breach and would offer free credit monitoring and identity restoration services to the impact parties. The company noted that though it was covered by insurance, the cyberattack could cost damages up to $3 million. “The Company has insurance for cyber incidents and currently expects its costs related to response and remediation to be generally limited to its retention under such policy. The Company currently plans to record an expense of approximately $3 million for the quarter ending July 13, 2024, for such costs,” it said to the SEC. Advance Auto Parts currently operates 4,777 stores and 320 Worldpac branches primarily within the United States, with added locations in Canada, Puerto Rico, and the U.S. Virgin Islands. The Advance Auto Parts data breach is part of a recent series of attacks targeting customers of the cloud storage company Snowflake. These attacks have been taking place since at least mid-April 2024. Snowflake acknowledged the issue in a statement, informing a limited number of customers who they believe may have been impacted by the attacks. Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers.  Many of Snowlflakes’ clients had reportedly taken down their databases after the series of cyberattacks. Infact, a comprehensive report revealed that 165 customers were impacted by the Snowflake data breach. It was on July 26, 2023 that the US Securities and Exchange Commission directed companies to mandatorily declare material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

The Advanced Research Projects Agency for Health (ARPA-H) has appointed Chris Pashley as its Chief Information Security Officer (CISO). Pashley, formerly the Deputy Chief Information Security Officer at the Cybersecurity and Infrastructure Security Agency (CISA), announced his new role through a LinkedIn post. ARPA-H, part of the U.S. Department of Health and Human Services, is dedicated to tackling the most challenging problems in health through innovative research programs grounded in urgency, excellence, and honesty. The agency aims to accelerate breakthroughs that enable every American to realize their full health potential, transforming the seemingly impossible into the possible and the actual. [caption id="attachment_78081" align="aligncenter" width="838"] Source: Chris Pashley's LinkedIn Post[/caption] Pashley’s appointment comes at a crucial time for ARPA-H as it seeks to develop and launch an agency-wide initiative to implement strong cybersecurity measures. His extensive experience and proven track record in cybersecurity make him an ideal fit for this pivotal role.

Chris Pashley's Background and Experience

Before joining ARPA-H, Pashley played a key role at CISA, where he supported efforts to strengthen the agency’s internal cybersecurity program. He worked closely with CISA’s CISO and Chief Information Officer to enhance the agency’s cybersecurity posture, ensuring that its systems and data were well-protected against the ever-evolving landscape of cyber threats. Prior to his tenure at CISA, Pashley led the Cyber Threat Intelligence (CTI) team within the Security Operations Division at U.S. Customs and Border Protection (CBP). In this capacity, he focused on establishing the foundational elements of the CTI team, including its vision, mission, structure, and performance management. He also improved the team’s integration with and support to CBP’s Security Operations Center (SOC), providing senior leadership with critical updates on cyber threat activity. Pashley’s move to the government sector in 2017 was preceded by a nearly seven-year stint at Booz Allen Hamilton, where he served as an associate. His work there laid the groundwork for his subsequent roles in government cybersecurity, equipping him with the skills and experience needed to navigate the complex and high-stakes environment of federal cybersecurity operations. Pashley’s expertise will be instrumental in developing and implementing comprehensive cybersecurity measures across ARPA-H. His approach will likely involve a combination of proactive threat intelligence, rigorous security protocols, and continuous monitoring to protect the agency’s digital assets. .With his extensive background in cybersecurity and proven leadership, Pashley is well-equipped to guide ARPA-H in protecting its vital research and operations. As the agency continues to push the boundaries of health innovation, robust strong cybersecurity measures will be crucial in ensuring the success and integrity of its groundbreaking work.

Titania, specialists in continuous network security and compliance assurance solutions, announced the release of compelling new research that highlights a significant shift in cybersecurity spending towards proactive security measures. The report, "Emerging Best Practice in the Use of Proactive Security Solutions," indicates a marked increase in investments aimed at preemptively mitigating cyber threats. According to the study, over 70% of businesses reported increased spending on proactive security solutions, such as attack surface management and risk-based vulnerability management, over the past year. This growth notably outpaces investments in both preventative and reactive measures.

Strategic Implementation and Cybersecurity Industry Trends

Conducted in partnership with Omdia, a global analyst and advisory leader, the study surveyed over 400 security decision-makers across North America, the UK, France, and Germany. The findings highlight a rapid adoption of proactive security measures driven by three key objectives:

• Reducing the opportunity for cyber threats
• Reducing the mean time to remediate known vulnerabilities
• Minimizing the attack surface.

These proactive solutions are becoming an essential layer of protection, providing a comprehensive understanding of the threat landscape and attack surface to enhance organizational resilience and readiness.

Geographic and Sectoral Insights

The trend towards proactive security is particularly pronounced in the EMEA region, where 74% of respondents increased their budgets compared to 67% in North America. The financial services sector (54%) and critical infrastructure organizations, including energy and utilities companies (53%), show a strong inclination towards these investments. Nearly half (47%) of the respondents reported that their top cybersecurity goals for the next 12-24 months include reducing the opportunity for threats through proactive security. In contrast, only 27% of organizations plan to focus on improving tactical outcomes such as better threat prevention, detection, and response.

Enhancing Security Posture

Organizations are increasingly recognizing the need to improve their security posture through proactive security tools, which significantly enhance attack surface management and security control optimization. Many organizations reported limited visibility into the security posture of their network assets, such as firewalls, switches, and routers. Approximately half of the surveyed organizations check their network devices at most monthly, and some only monitor devices in critical segments or a sample of devices across their networks. Critical infrastructure organizations reported lower confidence than other industries in their ability to maintain adequate network segmentation and prevent unauthorized network access.

Anticipated Organizational Impact

Almost half (48%) of all respondents anticipate a high level of organizational disruption due to the broader adoption of proactive security solutions, highlighting the transformative impact these measures are expected to have. “This research vividly illustrates a widespread and rapid shift towards proactive security to improve operational readiness and resilience,” said Tom Beese, Executive Chairman of Titania. “Organizations recognize the critical need to stay ahead of known threats and shut down attacks by investing in solutions that offer real-time visibility of their security posture and remediation actions that continuously minimize their exposure.” Businesses emphasized the importance of consolidating proactive security tools, with 65% highlighting better visibility and management of the attack surface, 60% focusing on improved security control optimization, and 54% noting manpower productivity improvements.

Critical Proactive Security Capabilities

The survey identified several critical proactive security capabilities:

• The ability to view risks through different attack frameworks (61%).
• Full asset context (60%).
• Integration with existing security fabric to implement temporary mitigations (57%).

Andrew Braunberg, Principal Analyst at Omdia, explained, “While the cybersecurity industry has clung to the 'assume breach' mantra with its preventative and reactive solutions, organizations are awakening to a smarter strategy: proactively understanding attack surfaces, mapping attack paths, and plugging vulnerabilities to prevent breaches. Network device configurations are crucial to security posture management, and the adoption of proactive security solutions that automate configuration assessments could have a transformative impact.” The report highlights a gap in industry guidance on best practices for building a proactive security strategy. It notes that the US Defense Department’s Command Cyber Readiness Inspection program (CORA) and the EU’s Digital Operational Resilience Act (DORA) requirements align well with the need for proactive security solutions.

Guidehouse Inc., based in McLean, Virginia, and Nan McKay and Associates, headquartered in El Cajon, California, have agreed to pay settlements totaling $11.3 million to resolve allegations under the False Claims Act. The settlements came from their failure to meet cybersecurity requirements in contracts aimed at providing secure online access for low-income New Yorkers applying for federal rental assistance during the COVID-19 pandemic.

What Exactly Happened?

In response to the economic hardships brought on by the pandemic, Congress enacted the Emergency Rental Assistance Program (ERAP) in early 2021. This initiative was designed to offer financial support to eligible low-income households in covering rent, rental arrears, utilities, and other housing-related expenses. Participating state agencies, such as New York's Office of Temporary and Disability Assistance (OTDA), were tasked with distributing federal funding to qualified tenants and landlords. Guidehouse assumed a pivotal role as the prime contractor for New York's ERAP, responsible for overseeing the ERAP technology and services. Nan McKay acted as Guidehouse's subcontractor, entrusted with delivering and maintaining the ERAP technology used by New Yorkers to submit online applications for rental assistance.

Admission of Violations and Settlement

Critical to the allegations were breaches in cybersecurity protocols. Both Guidehouse and Nan McKay admitted to failing their obligation to conduct required pre-production cybersecurity testing on the ERAP Application. Consequently, the ERAP system went live on June 1, 2021, only to be shut down twelve hours later by OTDA due to a cybersecurity breach. This data breach exposed the personally identifiable information (PII) of applicants, which was found accessible on the Internet. Guidehouse and Nan McKay acknowledged that proper cybersecurity testing could have detected and potentially prevented such breaches. Additionally, Guidehouse admitted to using a third-party data cloud software program to store PII without obtaining OTDA’s permission, violating their contractual obligations.

Government Response and Accountability

Principal Deputy Assistant Attorney General Brian M. Boynton of the Justice Department’s Civil Division emphasized the importance of adhering to cybersecurity commitments associated with federal funding. "Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments,” said Boynton. “The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.” U.S. Attorney Carla B. Freedman for the Northern District of New York echoed these sentiments, highlighting the necessity for federal contractors to prioritize cybersecurity obligations. “Contractors who receive federal funding must take their cybersecurity obligations seriously,” said Freedman. “We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.” Acting Inspector General Richard K. Delmar of the Department of the Treasury emphasized the severe impact of these breaches on a program crucial to the government’s pandemic recovery efforts. He expressed gratitude for the partnership with the DOJ in addressing this breach and ensuring accountability. “These vendors failed to meet their data integrity obligations in a program on which so many eligible citizens depend for rental security, which jeopardized the effectiveness of a vital part of the government’s pandemic recovery effort,” said Delmar. “Treasury OIG is grateful for DOJ’s support of its oversight work to accomplish this recovery.” New York State Comptroller Thomas P. DiNapoli emphasized the critical role of protecting the integrity of programs like ERAP, vital to economic recovery. He thanked federal partners for their collaborative efforts in holding these contractors accountable. “This settlement sends a strong message to New York State contractors that there will be consequences if they fail to safeguard the personal information entrusted to them or meet the terms of their contracts,” said DiNapoli. “Rental assistance has been vital to our economic recovery, and the integrity of the program needs to be protected. I thank the United States Department of Justice, United States Attorney for the Northern District of New York Freedman and the United States Department of Treasury Office of the Inspector General for their partnership in exposing this breach and holding these vendors accountable.”

Initiative to Address Cybersecurity Risks

In response to such breaches, the Deputy Attorney General announced the Civil Cyber-Fraud Initiative on October 6, 2021. This initiative aims to hold accountable entities or individuals who knowingly endanger sensitive information through inadequate cybersecurity practices or misrepresentations. The investigation into these breaches was initiated following a whistleblower lawsuit under the False Claims Act. As part of the settlement, whistleblower Elevation 33 LLC, owned by a former Guidehouse employee, will receive approximately $1.95 million. Trial Attorney J. Jennifer Koh from the Civil Division's Commercial Litigation Branch, Fraud Section, and Assistant U.S. Attorney Adam J. Katz from the Northern District of New York led the case, with support from the Department of the Treasury OIG and the Office of the New York State Comptroller. These settlements highlight the imperative for rigorous cybersecurity measures in federal contracts, particularly in safeguarding sensitive personal information critical to public assistance programs. As the government continues to navigate evolving cybersecurity threats, it remains steadfast in enforcing accountability among contractors entrusted with protecting essential public resources.

Cybersecurity researchers have uncovered a disturbing trend in malware delivery tactics involving sophisticated social engineering techniques. These methods exploit user trust and familiarity with PowerShell scripts to compromise systems.  Among these threat actors, the two highlighted, TA571 and ClearFake campaign, were seen leveraging social engineering for spreading malware. According to researchers, the threat actors associated with TA571 and the ClearFake cluster have been actively using a novel approach to infiltrate systems.  This technique involves manipulating users into copying and pasting malicious PowerShell scripts under the guise of resolving legitimate issues.

Understanding the TA571 and ClearFake Campaign 

[caption id="attachment_77553" align="alignnone" width="1402"] Example of a ClearFake attack chain. (Source: Proofpoint)[/caption] The TA571 campaign, first observed in March 2024, distributed emails containing HTML attachments that mimic legitimate Microsoft Word error messages. These messages coerce users to execute PowerShell scripts supposedly aimed at fixing document viewing issues.  Similarly, the ClearFake campaign, identified in April 2024, employs fake browser update prompts on compromised websites. These prompts instruct users to run PowerShell scripts to install what appears to be necessary security certificates, says Proofpoint. Upon interaction with the malicious prompts, users unwittingly copy PowerShell commands to their clipboard. Subsequent instructions guide them to paste and execute these commands in PowerShell terminals or via Windows Run dialog boxes. Once executed, these scripts initiate a chain of events leading to the download and execution of malware payloads such as DarkGate, Matanbuchus, and NetSupport RAT. The complexity of these attacks is compounded by their ability to evade traditional detection methods. Malicious scripts are often concealed within double-Base64 encoded HTML elements or obscured in JavaScript, making them challenging to identify and block preemptively.

Attack Variants, Evolution, and Recommendations

Since their initial observations, Proofpoint has noted the evolution of these techniques. TA571, for instance, has diversified its lures, sometimes directing victims to use the Windows Run dialog for script execution instead of PowerShell terminals. Meanwhile, Clearlake has incorporated blockchain-based techniques like "EtherHiding" to host malicious scripts, adding a layer of obfuscation. These developments highlight the critical importance of user education and better cybersecurity measures within organizations. Employees must be trained to recognize suspicious messages and actions that prompt the execution of PowerShell scripts from unknown sources. Organizations should also deploy advanced threat detection and blocking mechanisms capable of identifying malicious activities embedded within seemingly legitimate web pages or email attachments. While the TA571 and ClearFake campaigns represent distinct threat actors with varying objectives, their utilization of advanced social engineering and PowerShell exploitation techniques demands heightened vigilance from organizations worldwide. By staying informed and implementing better cybersecurity practices, businesses can better defend against these online threats.

By: Abhilash R., Head of Cybersecurity at OQ Trading In a progressively digital world, small and medium sized enterprises (SMEs) are not immune to cyber threats. Despite their size, SMEs are prime targets for cyberattacks due to their limited resources and perceived vulnerability. Therefore, implementing robust cybersecurity strategies is imperative to safeguard sensitive data, maintain customer trust, and ensure business continuity. This article delves into five essential cybersecurity strategies tailored to SMEs, emphasizing their importance, and providing cost effective solutions.

Employee Education and Training

One of the most critical cybersecurity strategies for SMEs is ensuring that employees are educated and trained in cybersecurity best practices. Human error remains a significant factor in cyber incidents, making cybersecurity awareness training indispensable. Employees should be educated on recognizing phishing attempts, creating strong passwords, and understanding the importance of software updates. Importance: Employees serve as the first line of defence against cyber threats, they are also the weakest links in cybersecurity. By educating them, SMEs can significantly reduce the risk of successful cyberattacks. Solutions: Implement regular cybersecurity training sessions for all employees, covering topics such as identifying suspicious emails, safe internet browsing practices, and responding to security incidents. Utilize online training resources and simulations to reinforce learning effectively. You can develop internal cybersecurity awareness materials using free or low cost presentation tools such as Google Slides or Microsoft PowerPoint. Create engaging presentations covering topics like identifying phishing emails, password best practices, and responding to security incidents. Additionally, leverage free online resources such as cybersecurity blogs, webinars, and tutorials to supplement employee training efforts. Encourage participation in online courses offered by reputable cybersecurity organizations, some of which may be available at no cost.

Implementing Multi-Factor Authentication (MFA)

Multifactor authentication (MFA) adds an extra layer of security by requiring users to provide multiple forms of verification before accessing sensitive data or systems. This strategy helps mitigate the risk of unauthorized access, even if passwords are compromised. Importance: Passwords alone are no longer sufficient to protect against cyber threats. MFA significantly enhances security by requiring additional authentication factors, such as biometric data or one-time codes. Solutions: Implement MFA for all accounts with access to sensitive information or critical systems. Many cloud-based services and software applications offer built-in MFA capabilities, making implementation relatively straightforward and cost effective. Utilize built-in MFA features provided by cloud-based services and software applications, many of which offer MFA functionality at no additional cost. Implement open source MFA solutions that can be customized to fit the organization's specific needs without incurring licensing fees. Alternatively, explore low-cost MFA options offered by third-party providers, ensuring compatibility with existing systems and scalability as the business grows.

Regular Data Backups

Data loss can have devastating consequences for SMEs, ranging from financial losses to reputational damage. Regularly backing up data is essential for mitigating the impact of ransomware attacks, hardware failures, or accidental deletions. Importance: Data backups serve as a safety net, allowing SMEs to recover quickly in the event of a cyber incident. Without backups, businesses risk permanent loss of valuable information. Solutions: Automate regular backups of critical data to secure cloud storage or offline storage devices. Utilize backup solutions that offer versioning capabilities, allowing businesses to restore data to previous states if necessary. Utilize cloud based backup solutions that offer affordable storage options and automated backup scheduling. Leverage free or low cost backup software with basic features for backing up critical data to secure cloud storage or external hard drives. Implement a combination of full and incremental backups to optimize storage space and minimize backup times. Explore open source backup solutions that provide flexibility and customization options without the need for expensive proprietary software.

Network Security Measures

Securing the network infrastructure is crucial for protecting against external threats and unauthorized access. SMEs should implement robust network security measures, such as firewalls, intrusion detection systems (IDS), and virtual private networks (VPNs). Importance: Networks are prime targets for cyberattacks, making network security measures essential for preventing unauthorized access and data breaches. Solutions: Deploy firewalls to monitor and control incoming and outgoing network traffic. Implement IDS to detect and respond to suspicious activities within the network. Utilize VPNs to encrypt data transmissions and establish secure connections for remote workers. Implement open source firewall solutions that provide robust network protection without the high cost associated with commercial firewalls. Utilize free or low cost intrusion detection system (IDS) software that offers essential features such as real time monitoring and threat detection. Explore cost effective virtual private network (VPN) solutions tailored to SMEs' needs, such as subscription based services with affordable pricing plans and easy deployment for remote workers.

Regular Security Assessments and Updates

Cyber threats are constantly evolving, requiring SMEs to stay vigilant and proactive in their cybersecurity efforts. Regular security assessments and updates help identify vulnerabilities and ensure that systems and software are up to date with the latest security patches. Importance: Cyber threats are continuously evolving, making regular security assessments and updates essential for maintaining strong cybersecurity posture. Solutions: Conduct regular security assessments to identify potential vulnerabilities in systems, networks, and applications. Develop and implement a patch management strategy to ensure that software and firmware updates are applied promptly. Conduct internal security assessments using free or low cost vulnerability scanning tools to identify potential weaknesses in systems and networks. Utilize open source penetration testing frameworks to simulate cyberattacks and assess the effectiveness of existing security measures. Implement a systematic approach to applying security patches and updates, leveraging free tools provided by software vendors or community driven initiatives. Additionally, establish internal processes for monitoring security advisories and alerts issued by relevant authorities to stay informed about emerging threats and vulnerabilities. In conclusion, cybersecurity is a critical concern for SMEs in today's digital landscape. By implementing the strategies explained above, SMEs can significantly enhance their cybersecurity posture without breaking the bank. Investing in cybersecurity is not only essential for protecting sensitive data and maintaining business operations but also for safeguarding the long-term viability and reputation of SMEs in an increasingly interconnected world. About Author: Abhilash Radhadevi, a seasoned cybersecurity leader, serves as the Head of Cybersecurity at OQ Trading, bringing over two decades of comprehensive experience in the Banking, Financial, Oil and Energy sectors. Widely recognized for his adept leadership, Abhilash has effectively steered international organizations through intricate security challenges. His illustrious career includes spearheading pioneering cybersecurity strategies, resulting in prestigious awards and acclaim. Beyond his professional achievements, Abhilash maintains a global influence and demonstrates unwavering commitment to mentoring, showcasing his dedication to shaping the future landscape of cybersecurity. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

By Hoda Alkhzaimi The technological prowess of small nations is increasingly recognized as a significant driver of global economic power. This is because technology is a great equalizer; it can enable small nations to leapfrog development stages and compete on a global scale. For instance, the UNCTAD Technology and Innovation Report 2021 highlights that frontier technologies like AI, robotics, and biotechnology have the potential to significantly boost sustainable development, while also posing the risk of widening the digital divide. Small nations, by embracing these technologies, can foster innovation, improve productivity, and create high-value industries that contribute to global trade and economic growth. Moreover, the digital transformation allows for the democratization of information and resources, enabling smaller economies to participate in markets traditionally dominated by larger countries. The OECD also emphasizes the role of SMEs in adapting to a more open and digitalized environment, which is essential for inclusive globalization. Therefore, the technological development of small nations is not just about national progress; it's about contributing to and shaping the global economic landscape. By investing in technology and innovation, small nations can assert their presence on the world stage, influencing global trends and economic policies. Cyber conflicts have emerged as a significant factor in international relations, influencing the dynamics of power in the digital age. The Atlantic Council's Cyber Statecraft Initiative highlights the shift from traditional deterrence strategies to more proactive measures like Defend Forward and Persistent Engagement, reflecting the evolving nature of cyber threats. Research published in Armed Forces & Society suggests that cyber conflicts, termed 'cool wars', are reshaping interactions between states, with denial-of-service attacks and behaviour-changing tactics significantly affecting state relations. Moreover, the ICRC has raised concerns about the protection of civilians from cyber threats during armed conflicts, emphasizing the need for legal and policy frameworks to address the digital risks in warfare. The CyberPeace Institute's analysis of cyberattacks in the context of the Ukraine conflict provides valuable data on the harm to civilians and the evolution of cyber threats. Additionally, the European Repository of Cyber Incidents offers an extensive database of cyber incidents, which can serve as a resource for understanding the scope and impact of cyber warfare. These insights underscore the importance of cyber capabilities in asserting influence and the need for robust cyber defence mechanisms to safeguard national security and civilian welfare in the face of digital threats. The interplay between cyber operations and political power is complex, and as technology continues to advance, the implications for international stability and power hierarchies will likely become even more pronounced

The Role of Misinformation and Disinformation in Cyberconflict

Misinformation and disinformation play a critical role in the landscape of cyberconflict, shaping public perception and influencing the dynamics of geopolitical tensions. A report by Full Fact highlights the detrimental impact of false information on democratic societies, emphasizing the need for informed citizenship to combat the spread of such information. Similarly, data from UNESCO underscores the pervasive risk of encountering disinformation across various media platforms, with statistics indicating a significant trust deficit in media and an increase in the manipulation of news consumption. The cybersecurity sector also recognizes disinformation as a substantial threat, with a study by the Institute for Public Relations revealing that 63% of Americans view disinformation as a major societal issue, and nearly half of cybersecurity professionals consider it a significant threat to security. These concerns are echoed globally, as a survey found that over 85% of people worry about the impact of online disinformation on their country's politics. The intertwining of misinformation, disinformation, and cyberconflict presents a complex challenge that requires a multifaceted approach, including media literacy, regulatory frameworks, and international cooperation to mitigate its effects and safeguard information integrity.

The Role of Big Tech in Cyberconflict Interplay

The role of big tech companies in cyber conflict is a complex and evolving issue. These companies often find themselves at the forefront of cyber conflict, whether as targets, mediators, or sometimes even participants. For instance, during civil conflicts, digital technologies have been used to recruit followers, finance activities, and control narratives, posing additional challenges for peacemakers. The explosive growth of digital technologies has also opened new potential domains for conflict, with state and non-state actors capable of carrying out attacks across international borders, affecting critical infrastructure and diminishing trust among states. In response to the invasion of Ukraine, big tech companies played crucial roles in addressing information warfare and cyber-attacks, showcasing their significant influence during times of conflict. Moreover, the technological competition between major powers like the United States and China further highlights the geopolitical dimension of big tech's involvement in cyber conflict. These instances underscore the need for a robust framework to manage the participation of big tech in cyber conflict, ensuring that their capabilities are harnessed for peace and security rather than exacerbating tensions.

Hedging the Risks of Using AI and Emerging Tech To Scaleup Misinformation and Global Cyberconflicts

In response to the growing threat of election misinformation, various initiatives have been undertaken globally. The World Economic Forum has identified misinformation as a top societal threat and emphasized the need for a concerted effort to combat it, especially in an election year with a significant global population going to the polls. The European Union has implemented a voluntary code of practice for online platforms to take proactive measures against disinformation, including the establishment of a Rapid Alert System and the promotion of fact-checking and media literacy programs. In the United States, the Brennan Center for Justice advocates for active monitoring of false election information and collaboration with internet companies to curb digital disinformation. Additionally, the North Carolina State Board of Elections (NCSBE) provides guidelines for the public to critically assess the credibility of election news sources and encourages the use of reputable outlets. These initiatives represent a multifaceted approach to safeguarding the integrity of elections by enhancing public awareness, improving digital literacy, and fostering collaboration between governments, tech companies, and civil society. In the ongoing battle against election misinformation, several key alliances and actions have been formed. Notably, the AI Elections Accord was proposed for public signature at the Munich Security Conference on February 16, 2024. This accord represents a commitment by technology companies to combat deceptive AI content in elections. In a similar vein, Meta established a dedicated team on February 26, 2024, to address disinformation and the misuse of AI leading up to the European Parliament elections. Furthermore, the Federal Communications Commission (FCC) in the United States took a decisive step by making AI-generated voices in robocalls illegal on February 8, 2024, to prevent their use in misleading voters. These measures reflect a growing recognition of the need for collaborative efforts to safeguard the integrity of elections in the digital age. The alliances and regulations are pivotal in ensuring that the democratic process remains transparent and trustworthy amidst the challenges posed by advanced technologies. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

With companies coming forward every day announcing impacts from their third-party cloud data storage vendor, the Snowflake data breach seems to be snowballing into one of the biggest data breaches of the digital age. Here's everything to know about the Snowflake breach; we'll update this page as new information becomes available.

Why the Snowflake Breach Matters

Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others. Snowflake holds approximately a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, it an attractive target for cybercriminals. However, it is crucial to note that the breaches are not necessarily due to failures by Snowflake. The correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, along with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform.

Ongoing Investigation and Preliminary Results in Snowflake Breach

On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware.

Compromised Employee Account

Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA) but the demo accounts lacked such safeguards.

Test Environments Targeted

Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention.

Attack Path

The initial access point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, who helped Snowflake in its investigation, confirmed that the compromised credentials were from customer instances and were traced back to infostealer malware logs. Several variants of infostealer malware were used, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER.

Possible Reasons for the Breach

Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to four years were significant factors. Network allow lists were also not used to restrict access to trusted locations.

Unconfirmed Threat Actor Claims

The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of "sensitive" data used for determining the impact on demo accounts. The investigation is ongoing, but Snowflake stands by its initial findings.

Affected Customers from Snowflake Breach

The data breaches began in April 2024, and the company claimed it had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach. While some victims have been identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies know to have been impacted in the Snowflake data breach:

• Santander Group: The company confirmed a compromise without mentioning Snowflake.
• Impact: Santander Bank staff and 30 million customers’ data has allegedly been breached.

• TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
• Impact: 560 Million TicketMaster user details and card info potentially at risk.

• LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
• Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.

• Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
• Impact: Same actor as LendingTree claimed leak of 380 million customers and 358,000 former and current employees.

• Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
• Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million.

Tech Crunch discovered over 500 login credentials and web addresses for Snowflake environments on a website used by attackers to search for stolen credentials. These included corporate email addresses found in a recent data dump from various Telegram channels.

Security Measures and Customer Support

Snowflake Chief Information Security Officer Brad Jones reiterated the company's findings, asserting that the breaches were not due to any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts. The company acknowledges the friction in their MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite due to the high sensitivity of the data stored in their cloud environments.

Key Recommendations for Snowflake Customers:

1. Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
2. Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks.
3. Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
4. Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.

Snowflake has also published indicators of compromise and steps for detecting and preventing unauthorized user access here. Cloud security firm Permiso has developed an open-source tool dubbed "YetiHunter" to detect and hunt for suspicious activity in Snowflake environments based on the IoCs shared by Snowflake, Mandiant, DataDog, and its own intelligence. Editor's Note: This blog will be updated as additional breach information from Snowflake and its customers becomes available or is claimed by threat actors on underground forums for sale. Links and data to any additional IoCs related to the Snowflake breach will be published here too.

A 22-year-old British national, allegedly the leader of an organized cybercrime group that targeted nearly four dozen U.S. companies, was arrested in Palma de Mallorca at the behest of the FBI, said the Spanish National Police. The young man allegedly orchestrated attacks on 45 companies in the United States through phishing campaigns, and subsequently gained unauthorized access to sensitive company information and cryptocurrency wallets.

Cyber Scammer Used Familiar Playbook

The modus operandi of the cybercriminal was simple: use phishing techniques to obtain access credentials from individuals,; use these credentials to infiltrate corporate work systems; exfiltrate sensitive company data that was likely monetized and put up for sale on dark web forums; and also access victims' cryptocurrency wallets to siphon them off. This modus operandi allowed the scammer to amass a significant amount of bitcoins. The Spanish police said the young cyber scammer managed to gain control over 391 bitcoins - approximately valued at over $27 million - from his victims. The arrest occurred at Palma airport as the suspect was preparing to leave Spain on a charter flight to Naples. The operation was conducted by agents of the Spanish National Police in collaboration with the FBI. The investigation, led by the Central Cybercrime Unit and supported by the Balearic Superior Headquarters, began in late May when the FBI’s Los Angeles office requested information about the suspect that they believed was in Spain. The FBI reported that an International Arrest Warrant had been issued by a Federal Court of the Central District of California, prompting intensified efforts to locate the suspect.

Laptop, Phone Seized

The suspect was carrying a laptop and a mobile phone at the time of his arrest, which were seized. The judicial authority subsequently ordered the suspect to be placed in provisional prison. The FBI did not immediately provide a response on whether the young British man would be extradited to the U.S. to be tried, nor did they release details on an indictment, but many similar cases in the recent past show the possibility of that happening soon.

Linked to Scattered Spider?

The cybercrime-focused vx-underground X account (formerly known as Twitter) said the U.K. man arrested was a SIM-swapper who operated under the alias “Tyler.” Fraudster's transfer the target’s phone number in a sim swapping attack to a device they control and intercept any text messages or phone calls to the victim. This includes one-time passcodes for authentication or password reset links sent over an SMS. “He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group,” vx-underground tweeted. The details, however, could not be confirmed but independent journalist Brian Krebs said the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.

“Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.” - vx-underground

The initial access vector in the attack on MGM included targeting of a help desk executive with social engineering tactics. Mandiant in its latest report found Scattered Spider aka UNC3944 using the same modus operandi, and although no victim names were stated, it now suggests the possible linkage between them. *Update (June 17 5:45 AM EST): Added details on the 22-year old young cyber scammer's identity and possible links to Scattered Spider group.

The Chinese University of Hong Kong (CUHK) has been confronted by a massive data breach that has compromised personal information of precisely 20,870 students, staff and past graduates. The CUHK data breach was initially identified on June 3, 2024, prompting swift action by the institution. An investigation is currently underway to trace the culprits and to take corrective measures.

Understanding the CUHK Data Breach

The CUHK is one of the premier institutes in China which was established in 1963 and is the first research university in Hong Kong. The cyberattack on CUHK reportedly took place on June 1 at its School of Continuing and Professional Studies (CUSCS). In a statement put out by the school on June 13, CUSCS said that it had undertaken an investigation into the breach on June 3. An information technology security consultant was appointed by the college to assess the breach. The investigation revealed that the school’s “Moodle learning management system” was hacked. Moodle is an open-source learning management system designed. It allows educators, administrators and learners to create personalized learning environments for online projects in schools, colleges and workplaces. Moodle can be used to create custom websites with online courses and allows for community-sourced plugins. [caption id="attachment_77266" align="alignnone" width="1196"] Source: CUSCS Website[/caption] According to the CUSCS, the leaked data included the names, email addresses, and student numbers of 20,870 Moodle accounts of tutors, students, graduates, and visitors. This personal data was reportedly stolen after a server at one of the institution’s schools was hacked. Despite the university management stating that the sensitive data was not leaked on any public platforms, the breached information was found to be readily available on the dark web domain BreachForums. A Threat Actor (TA), who goes by the alias “Valerie”, put up a post on dark web stating that the hacker was willing to sell the data. The TA noted that, “75 per cent of the stolen data was sold to a private party, which financed the breach.  The rest of the data was not shared. So upon multiple offers, we decided to make a public sell.” To claim that the data was credible, the TA provided samples, which included the username, first name, last name, institution, department, mobile number and city of the victims of the data breach.

Investigation Status of CUHK Data Breach

The CUSCS stated that as soon as its investigation revealed a massive data breach, it had deactivated the relevant account and reset the password. It added that, apart from the relevant server, the online learning platform has been moved, and security measures have been strengthened to block any account after three unsuccessful login attempts. “CUHK has also been notified of the incident. The college has also established a crisis management team composed of the dean, deputy dean, information technology services director, administrative director and communications and public relations director to assess the risks,” CUSCS said. The college also had filed a complaint over the data breach to the local police. The university, too, has notified the city’s privacy watchdog-Office of the Privacy Commissioner for Personal Data (PCPD), in accordance with established procedures. The PCPD acknowledged receipt of the complaint on June 13.

CUHK Data Breach: Institutions in Hong Kong Under Scanner

In what is becoming a trend, CUHK has become the third educational institute in Hong Kong this year to fall victim to cyberattacks. In May, the Hong Kong Institute of Contemporary Culture, Lee Shau Kee School of Creativity, fell victim to a ransomware attack where the data of over 600 people was leaked. Similarly, in April, a private medical facility, Union Hospital, suffered a ransomware attack affecting its servers, which allegedly resulted in operational paralysis. The Hong Kong College of Technology too suffered a ransomware attack in February, which led to the data of around 8,100 students being breached.

Cisco, a global leader in networking and cybersecurity solutions, has announced the appointment of Sean Duca as its new Chief Information Security Officer (CISO) & Practice Leader for the Asia Pacific, Japan, and China (APJC) region. Sean, in his LinkedIn post, expressed his excitement about joining Cisco after taking a six-month break to focus on his health and recharge. He shared his enthusiasm for the new challenge ahead, working within Cisco's Customer Experience (CX) Team for APJC and eventually relocating to Singapore. “After an amazing 6-month break to recharge and focus on my health, I'm thrilled to embark on a new and exciting challenge at Cisco, working in the CX Team for APJC, and will eventually be based in Singapore,” reads the LinkedIn Post. On his first day at Cisco, Sean expressed his eagerness to collaborate with Jacqueline Guichelaar and the broader CX team, as well as reconnecting with former colleagues, including Peter M. Sean's decision to join Cisco was influenced by the opportunity to work with remarkable individuals, such as Jeetu Patel, and to contribute to innovative solutions like Cisco’s Hypershield. “Day 1 is done, and loving it! I am excited to work with Jacqueline Guichelaar and the wider CX team and to reconnect and work alongside Peter M. again,” reads the post. [caption id="attachment_76494" align="aligncenter" width="679"] Source: Sean Duca's LinkedIn Post[/caption]

Sean Duca Vast Experience

Sean brings over 20 years of experience in cybersecurity to his new role, with a proven track record of driving visionary strategies and practical solutions to enhance digital security. Sean's extensive background includes nearly nine years at Palo Alto Networks, where he served as Vice President and Regional Chief Security Officer (CSO) for the APJ region. Before that, he spent over 15 years at Intel Security, serving as the Chief Technology Officer (CTO) for the Asia Pacific region. His leadership in technology and security has made a significant impact in the industry. Reflecting on his new role at Cisco, Sean emphasized his commitment to helping customers achieve their security and business goals while extracting value from their Cisco investments. He expressed his eagerness to reconnect with partners and contacts in his soon-to-be new country, Singapore, highlighting his dedication to driving cybersecurity excellence across the region. “What drew me to Cisco? I've met incredible people, Jeetu Patel’s visionary strategy, and the innovation behind solutions like Cisco’s Hypershield. I can't wait to reconnect with partners, new and old, and many contacts in my soon-to-be new country when I move up next month. Most importantly, I'm eager to help our customers achieve their security and business goals, proving our value and extracting value from their Cisco investment,” reads the post further. With his renewed focus and energy, Sean's appointment is poised to lead Cisco's efforts to elevate performance in the cybersecurity world across APJC.

Sophos, a cybersecurity company that offers a wide range of security solutions, has announced the appointment of Joe Levy as the company’s Chief Executive Officer (CEO). Levy, who has been serving as acting CEO since February 15, is set to drive the execution of Sophos' strategic vision. To support this strategy, Levy has named Jim Dildine as Sophos’ new Chief Financial Officer (CFO) and a member of the senior management team. Speaking on the development, Dildine said," Having worked in technology and finance for over 30 years, joining Sophos at this pivotal moment is exciting. The company’s achievements, including its dedication to innovating cybersecurity technology and supporting its partners, are impressive.” “I look forward to helping Joe accelerate growth and further establish Sophos as an industry leader.”

Joe Levy's Extensive Experience

Levy brings nearly 30 years of experience in cybersecurity product development and leadership to his new role. Over his nine-year tenure at Sophos, he has transformed the company from a product-only vendor into a global cybersecurity giant. This transformation includes the establishment of an incident response team and a managed detection and response (MDR) service that now defends over 21,000 organizations worldwide. Additionally, Levy created SophosAI and Sophos X-Ops, an operational threat intelligence unit that integrates over 500 cross-departmental cybersecurity operators and threat intelligence experts. This unit shares real-time and historical cyberattack data across all Sophos solutions, enhancing their ability to defend against persistent cyberattacks. Levy's extensive experience includes working with the channel, including managed security providers (MSPs), which began in the mid-1990s when he started his career as a cybersecurity practitioner and innovator at a value-added reseller.

Joe Levy Next Move: Expanding the Midmarket Base

As CEO, Levy aims to expand Sophos’ strong customer base in the midmarket, which includes nearly 600,000 customers worldwide and generates more than $1.2 billion in annual revenue. “When midmarket organizations – the global critical substrate – are paralyzed due to ransomware or other cyberattacks, the ripple effect impacts supply chains and slows our economy. Operations of all sizes suffer collateral damage when supply chain dependencies are attacked. This can be devastating in unpredictable ways due to the complexity of the modern global economy,” said Levy. Adding further, Levy said, “Our goal is to help more midmarket organizations – the estimated 99% below the cybersecurity poverty line – improve their detection and disruption of inevitable cyberattacks. We plan to achieve this by working with MSPs and channel partners who can scale with us using our innovative technologies and managed services. Cyberattacks on the midmarket can severely impact global functionality, and Sophos is committed to changing that.” Sophos has a unique opportunity to scale its business by helping organizations that require basic and advanced defenses against cyberattacks. These organizations, often smaller entities within critical infrastructure sectors, are just as vulnerable to cyber threats as major corporations. Sophos' Active Adversary report and 2024 Threat Report highlight that attackers frequently exploit exposed Remote Desktop Protocol (RDP) access at midmarket organizations for data theft, espionage, ransomware payoffs, or supply chain attacks.

Strategic Appointment of Jim Dildine as CFO

To support his leadership strategy, Levy has appointed Dildine as CFO. Dildine brings exceptional operational expertise and a strong background in channel partner-based cybersecurity business. He joins Sophos from Imperva, where he served as CFO for over four years. Before Imperva, Dildine was CFO for Symantec’s $2.5 billion enterprise security business unit and held key financial leadership roles at Blue Coat Systems. At Blue Coat, he oversaw significant growth, leading to a go-private transaction by Thoma Bravo, a sale to Bain Capital, and a subsequent sale to Symantec for $4.6 billion in 2016. He also managed the acquisition and integration of six security-focused companies valued at over $750 million. Chip Virnig, a partner at Thoma Bravo and a Sophos board member, expressed confidence in the new leadership team. “Thoma Bravo has worked with Joe through successful investments in SonicWall and Blue Coat Systems. His authentic leadership and impeccable reputation in the cybersecurity industry make him the ideal CEO for Sophos. We’re also excited to have Jim join as CFO. We’ve worked with Joe and Jim for over a decade and believe their combined expertise will drive Sophos to new heights," said Virnig.

By Dina Alsalamen, VP, Head of Cyber and Information Security Department at Bank ABC  In today's interconnected digital landscape, cyber threats pose significant risks to organizations of all sizes and industries. From data breaches to ransomware attacks, the consequences of cyber incidents can be severe, including financial losses, reputational damage, and regulatory penalties. To effectively mitigate these risks and safeguard their operations, organizations must prioritize building cyber resilience. In this article, we'll explore strategies and best practices for building a cyber-resilient organization. 

Understand Your Risks 

The first step in building cyber resilience is understanding the unique risks facing your organization. Conduct a comprehensive risk assessment to identify potential threats, vulnerabilities, and their potential impact on your business operations. This assessment should encompass all aspects of your organization's IT infrastructure, including networks, systems, applications, and data assets. 

Develop a Cybersecurity Strategy 

Based on your risk assessment, develop a robust cybersecurity strategy that aligns with your organization's goals and priorities. This strategy should outline clear objectives, policies, and procedures for protecting against cyber threats. Key components of your cybersecurity strategy may include: 

• Risk Management Framework: Establish a risk management framework to systematically identify, assess, and mitigate cyber risks across your organization. 
• Security Controls: Implement a layered approach to cybersecurity by deploying a combination of preventive, detective, and responsive security controls. 
• Incident Response Plan: Develop a detailed incident response plan outlining procedures for detecting, responding to, and recovering from cyber incidents. 
• Employee Training and Awareness: Educate employees about cybersecurity best practices and raise awareness about the importance of security hygiene in everyday operations. 

Implement Security Controls 

Deploy a range of security controls to protect your organization's digital assets from cyber threats. These controls may include: 

• Firewalls and Intrusion Detection Systems: Implement firewalls and intrusion detection systems to monitor and control network traffic, identifying and blocking malicious activities. 
• Endpoint Protection: Install endpoint protection solutions, such as antivirus software and endpoint detection and response (EDR) tools, to defend against malware and other malicious threats targeting end-user devices. 
• Data Encryption: Encrypt sensitive data both at rest and in transit to prevent unauthorized access and protect confidentiality. 

• Multi-Factor Authentication (MFA): Enable MFA for accessing critical systems and applications, adding an extra layer of security beyond passwords. 

Continuously Monitor and Assess 

Cyber threats are constantly evolving, so it's essential to continuously monitor your organization's security posture and assess for vulnerabilities. Implement threat detection tools and security monitoring systems to detect and respond to suspicious activities in real-time.  Conduct regular security assessments, including penetration testing and vulnerability scanning, to identify weaknesses and address them proactively. 

Foster a Culture of Cyber Resilience 

Building a cyber-resilient organization requires a collective effort from all stakeholders, from top management to frontline employees. Foster a culture of cyber resilience by promoting collaboration, accountability, and a shared responsibility for cybersecurity across the organization. Encourage open communication channels for reporting security incidents and provide support and resources for ongoing training and skill development. 

Conclusion 

Building a cyber-resilient organization is an ongoing process that requires proactive planning, investment, and commitment from leadership and employees alike. By understanding your risks, developing a comprehensive cybersecurity strategy, implementing robust security controls, continuously monitoring and assessing your security posture, and fostering a culture of cyber resilience, you can strengthen your organization's ability to withstand and recover from cyber threats, ensuring the continuity of your business operations in an increasingly digital world. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.

Advance Auto Parts, Inc., a significant provider of automobile aftermarket components, has allegedly suffered a massive data breach. A threat actor going by the handle "Sp1d3r" claimed Advance Auto Parts data breach. The threat actor further claims to have stolen three terabytes of data from the company's Snowflake cloud storage. The stolen information is allegedly being sold for US$1.5 million. According to the threat actor, Sp1d3r, post the stolen data includes:

• 380 million customer profiles, containing names, emails, mobile numbers, phone numbers, addresses, and more.
• 44 million Loyalty/Gas card numbers, along with customer details.
• Information on 358,000 employees, though the company currently employs around 68,000 people. This discrepancy suggests the data might include records of former employees.
• Auto parts and part numbers.
• 140 million customer orders.
• Sales history
• Employment candidate information, including Social Security numbers, driver's license numbers, and demographic details.
• Transaction tender details.
• Over 200 tables of various data.

The threat actor has specified that a middleman is required to facilitate the sale of the stolen data, and no dealings will be conducted via Telegram. Furthermore, what’s worth noting is that in its post, the threat actor claimed to sell the stolen information of 358,000 employees, despite the fact that the organization now employs approximately 68,000 people. The disparity could be due to old data from former employees and associates. [caption id="attachment_75319" align="aligncenter" width="815"] Source: X[/caption] [caption id="attachment_75320" align="aligncenter" width="346"] Source: X[/caption] To find answers to these doubts and verify the threat actor's claims, The Cyber Express Team reached out to the officials to verify the breach, however, as of writing this news report no response has been received. Therefore, the confirmation or denial of these claims has yet to be verified. Advance Auto Parts operates 4,777 stores and 320 Worldpac branches primarily within the United States, with additional locations in Canada, Puerto Rico, and the U.S. Virgin Islands. The company also serves 1,152 independently owned Carquest branded stores across these locations, as well as in Mexico and various Caribbean islands.

Advance Auto Parts Data Breach: Linked to Snowflake Cyberattacks

The Advance Auto Parts data breach is part of a recent series of attacks targeting customers of Snowflake, a cloud storage company. These attacks have been ongoing since at least mid-April 2024. Snowflake acknowledged the issue in a statement, informing a limited number of customers who they believe may have been impacted by the attacks. However, Snowflake did not provide specific details about the nature of the cyberattacks or confirm if data had been stolen from customer accounts. This incident follows another significant breach involving Live Nation, the parent company of Ticketmaster. Hackers claimed to have stolen personal details of 560 million customers, and the stolen data was hosted on Snowflake's cloud storage. Live Nation disclosed this breach in a filing to the U.S. Securities and Exchange Commission (SEC), revealing that a criminal actor had offered the company's user data for sale on the dark web. In response to the breach, Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, issued a joint statement regarding their ongoing investigation into the targeted threat campaign against some Snowflake customer accounts. They are working diligently to understand the extent of the breach and mitigate its impact. Screenshots shared by the threat actor indicate that the leaked data contains numerous references to 'SNOWFLAKE,' supporting the claim that it was stolen during the recent Snowflake data theft attacks. The full extent of the data breach and its implications for Advance Auto Parts and other companies using Snowflake remains to be seen. With Snowflake's large client base and the significant volume of data they manage, the repercussions could be widespread. Only time will tell how many more companies will disclose their data breaches linked to the recent Snowflake attacks. In the meantime, affected customers and employees are advised to monitor their personal information closely and take necessary precautions to protect their data. Companies utilizing Snowflake's services should stay vigilant and follow cybersecurity best practices to safeguard their data against potential threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.