In a significant move to bolster data privacy protections, the California Privacy Protection Agency (CPPA) inked a new partnership with France’s Commission Nationale de l'Informatique et des Libertés (CNIL). The collaboration aims to conduct joint research on data privacy issues and share investigative findings that will enhance the capabilities of both organizations in safeguarding personal data. The partnership between CPPA and CNIL shows the growing emphasis on international collaboration in data privacy protection. Both California and France, along with the broader European Union (EU) through its General Data Protection Regulation (GDPR), recognize that effective data privacy measures require global cooperation. France’s membership in the EU brings additional regulatory weight to this partnership and highlights the necessity of cross-border collaboration to tackle the complex challenges of data protection in an interconnected world.

What the CPPA-CNIL Data Privacy Protections Deal Means

The CPPA on Tuesday outlined the goals of the partnership, stating, “This declaration establishes a general framework of cooperation to facilitate joint internal research and education related to new technologies and data protection issues, share best practices, and convene periodic meetings.” The strengthened framework is designed to enable both agencies to stay ahead of emerging threats and innovations in data privacy. Michael Macko, the deputy director of enforcement at the CPPA, said there were practical benefits of this collaboration. “Privacy rights are a commercial reality in our global economy,” Macko said. “We’re going to learn as much as we can from each other to advance our enforcement priorities.” This mutual learning approach aims to enhance the enforcement capabilities of both agencies, ensuring they can better protect consumers’ data in an ever-evolving digital landscape.

CPPA’s Collaborative Approach

The partnership with CNIL is not the CPPA’s first foray into international cooperation. The California agency also collaborates with three other major international organizations: the Asia Pacific Privacy Authorities (APPA), the Global Privacy Assembly, and the Global Privacy Enforcement Network (GPEN). These collaborations help create a robust network of privacy regulators working together to uphold high standards of data protection worldwide. The CPPA was established following the implementation of California's groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA). As the first comprehensive consumer privacy law in the United States, the CCPA set a precedent for other states and countries looking to enhance their data protection frameworks. The CPPA’s role as an independent data protection authority mirror that of the CNIL - France’s first independent data protection agency – which highlights the pioneering efforts of both regions in the field of data privacy. By combining their resources and expertise, the CPPA and CNIL aim to tackle a range of data privacy issues, from the implications of new technologies to the enforcement of data protection laws. This partnership is expected to lead to the development of innovative solutions and best practices that can be shared with other regulatory bodies around the world. As more organizations and governments recognize the importance of safeguarding personal data, the need for robust and cooperative frameworks becomes increasingly clear. The CPPA-CNIL partnership serves as a model for other regions looking to strengthen their data privacy measures through international collaboration.

Credit Suisse, a global investment bank and financial services firm, has reportedly fallen victim to a cyberattack. The Credit Suisse data breach was allegedly masterminded by a threat actor (TA), operating under the alias “888,” on the data hack site BreachForums. The TA claims to have accessed highly sensitive data of the bank and posted it on the dark web marketplace. According to the the threat actor, the data breach contains personal information of about 19,000 of the bank’s Indian employees.

Credit Suisse Data Breach Details

Credit Suisse was founded in 1856 and has approximately $15.21 Billion in revenue. It is one of the leading institutions in private banking and asset management, with strong expertise in investment banking. On June 25, 2024, the threat actor claimed to have carried out a cyberattack on the bank and exfiltrated details on 19,000 of its users. [caption id="attachment_79024" align="alignnone" width="1622"] Source: X[/caption] The breached data purportedly includes names of employees, 6,623 unique email addresses, their codes, date of birth, gender, policy name, relationships, dates of joining, effective dates, statuses, and entities. To substantiate the claim, the threat actor 888 provided a sample of the data breach, which contains details of Credit Suisse employees in India. [caption id="attachment_79025" align="alignnone" width="1362"] Source: X[/caption] The TA, however, did not provide a specific price for the sale of data and has requested potential buyers to quote a figure. The hacker commented that they are only accepting cryptocurrency as the mode of payment. More specifically, the hacker was open to payment on Monero (XMR), a digital currency renowned for its privacy and anonymity attributes. This method of payment is often utilized in illegal transactions to evade detection. Despite these claims by the threat actor, a closer inspection reveals that the bank’s website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to the bank to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.

Not the First Credit Suisse Data Breach

This is not the first time that Credit Suisse has been involved in a security breach. According to a report published in The Economic Times, in 2023, the bank warned its staff that a former employee stole personal data of its employees, including salaries and bonuses. The information included salary and "variable compensation" for a period between 2013 and 2015. Another Bloomberg report said that a data breach in 2023 impacted numerous former Credit Suisse clients who collectively held a staggering $100 billion in accounts.

Credit Suisse Hacker Targeted Big Multinationals Recently

There are many concerns over the potential misuse of sensitive information found in the data breach, which includes customer names, dates of birth, and relationships. Credit Suisse should investigate the data breach claims considering the history of the threat actor. Earlier this month, the TA 888 claimed to have stolen data of over 32,000 current and former employees of Accenture. The company, however, denied the claims and said that the data set published by the hacker had only three employee names and email addresses. The hacker also claimed responsibility for leaking details about 8,174 employees of Heineken across several countries. Prior to this, 888 also staked claims for an attack on oil and gas multinational Shell.  The TA posted sample information sharing personal details of Australian customers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.  

On June 23rd, LockBit announced breaching the US Federal Reserve System, while security experts remained skeptical. The Russian threat group claimed to exfiltrate 33 terabytes of banking information from the USA’s central bank servers. They also threatened to publish the data in the following 48 hours unless the victims would pay ransom. Source – Cybernews.com […]

The post LockBit Claims Breaching the US Federal Reserve but Fails to Prove It appeared first on Heimdal Security Blog.

New GrimResource technique exploits a 2018-old, unpatched, Windows XSS flaw and crafted MSC files to deploy malware via the Microsoft Management Console (MMC). Researchers detected the new exploitation technique in the wild on June 6th, 2024. Exploiting the Microsoft Management Console could enable hackers to evade security measures and gain initial access. Although researchers reported […]

The post GrimResource Technique Exploits Years-Old Unpatched Windows XSS Flaw appeared first on Heimdal Security Blog.

Notorious ransomware group BianLian has claimed to have added two new organizations as its latest cyberattack victims. The BianLian ransomware attack was allegedly carried out on two US-based firms, namely, Better Business Bureau Inc and U.S. Dermatology Partners. The infamous actor has claimed to have accessed sensitive data including financial, contract, and employee profiles from both its victims.

BianLian Ransomware Attack: Critical Details  

The first organization targeted by hackers was Better Business Bureau (BBB), which is a private, nonprofit organization founded in 1912 in Arlington, Virginia. The firm maintains a massive database of accredited and non-accredited businesses, providing ratings based on several factors. The Better Business Bureau has a revenue of $430.6 Million. [caption id="attachment_79001" align="alignnone" width="1259"] Source: X[/caption] The threat actor claims to have accessed 1.2 TB of organization data, including accounting, budget, and financial data; contract data and NDAs; files from the CFO's computer; operational and business files; and email and PST archives. The group has also disclosed sensitive information such as the names, personal email addresses, and phone numbers of BBB’s CEO, vice president, chief accreditation officer, and chief activation officer. The other organization that has allegedly fallen victim to the ransomware group is US Dermatology Partners. The organization, with a revenue of $213.7 Million, is one of the premier dermatology practitioners in the USA, caring for over two million patients annually. [caption id="attachment_79002" align="alignnone" width="1259"] Source: X[/caption] The hackers claimed to have accessed 300 GB of organization data, including personal data, accounting and budget information, financial data, contract data and NDAs, and employee profiles.

Potential Impact of BianLian Ransomware Attack

If proven, the potential consequences of this ransomware attack could be critical as the accounting and financial details of both these firms could be leaked. The organizations should take appropriate measures to protect the privacy and security of the stakeholders involved. Financial data breaches can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company’s standing in the industry. Currently, details regarding the extent of the BianLian ransomware attack, data compromise, and the motive behind the cyber assault remain undisclosed. Despite the claims made by BianLian, the official websites of the targeted companies remain fully functional. This discrepancy has raised doubts about the authenticity of the BianLian group’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the officials of the affected organizations. As of the writing of this news report, no response has been received, leaving the ransomware attack claim unverified.

History of BianLian Ransomware Group Attacks

BianLian, a ransomware group, has been targeting critical infrastructure sectors in the U.S. and Australia since June 2022. They exploit RDP credentials, use open-source tools for discovery, and extort data via FTP or Rclone. FBI, CISA, and ACSC advise implementing mitigation strategies to prevent ransomware attacks. Initially employing a double-extortion model, they shifted to exfiltration-based extortion by 2023. According to a report by  BlackBerry, BianLian ransomware showcases exceptional encryption speed and is coded in the Go programming language (Golang). This sophisticated approach has enabled the group to strike multiple organizations, leaving a trail of unverified claims in its wake. Earlier in 2024, the group targeted companies such as North Star Tax and Accounting, KC Pharmaceuticals, Martinaire. In its attack on MOOver, the group claimed to have accessed a staggering 1.1 terabytes of the firm’s data. Subsequently, Northeast Spine and Sports Medicine also found themselves on the list of victims. All these claims, similar to the recent attack, remain unverified. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: www.databreachtoday.com – Author: 1 Artificial Intelligence & Machine Learning , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime New Report Urges Public-Private Collaboration to Reduce Chemical, Nuclear AI Risks Chris Riotta (@chrisriotta) • June 25, 2024     The U.S. federal government warned that artificial intelligence lowers the barriers to conceptualizing and conducting […]

La entrada US DHS Warns of AI-Fueled Chemical and Biological Threats – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Artificial Intelligence & Machine Learning , Governance & Risk Management , Next-Generation Technologies & Secure Development Companies Eager for Tools Are Putting AI’s Transformative Power Ahead of Security Rashmi Ramesh (rashmiramesh_) • June 25, 2024     Oh, no – not all Ollama administrators have patched against the “Probllama” flaw. […]

La entrada Patched Weeks Ago, RCE Bug in AI Tool Still a ‘Probllama’ – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Healthcare , Industry Specific , Standards, Regulations & Compliance John Riggi of the American Hospital Association on HHS’ Upcoming Cyber Regulations Marianne Kolbasuk McGee (HealthInfoSec) • June 25, 2024     John Riggi, national cybersecurity and risk adviser, American Hospital Association White House efforts to ratchet up healthcare sector cybersecurity […]

La entrada Why New Cyber Penalties May Strain Hospital Resources – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 3rd Party Risk Management , Cybercrime , Fraud Management & Cybercrime More Victims of Campaign Against Data Warehousing Platform Snowflake Come to Light Mathew J. Schwartz (euroinfosec) • June 25, 2024     Attention Neiman Marcus shoppers: Your contact information may be for sale on a criminal forum. (Image: Shutterstock) […]

La entrada Luxury Retailer Neiman Marcus Suffers Snowflake Breach – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Immutable backups are essential in the fight against ransomware, and businesses should put protections in place to ensure attackers can’t alter or delete them. Acronis President Gaidar Magdanurov said data protection firms must address the threat of ransomware by implementing immutable storage and exposing APIs for seamless integration with security […]

La entrada Securing Data With Immutable Backups and Automated Recovery – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

India’s largest government-owned-telecommunications service provider, Bharat Sanchar Nigam Ltd (BSNL), has allegedly suffered a massive data breach, the second such instance in less than six months. The BSNL data breach reportedly involves critical data including international Mobile Subscriber Identity (IMSI) numbers, SIM card information, Home Location Register (HLR) specifics, DP Card Data, and even snapshots of BSNL's SOLARIS servers which can be misused for SIM cloning.

Exploring Claims of BSNL Data Breach

The BSNL data leak was first disclosed by an Indian firm, Athenian Tech, in its threat intelligence report. According to the report, a threat actor, operating under the alias “kiberphant0m”, leaked a significant amount of sensitive data affecting millions of users. The threat actor posted this information on the data hack site BreachForums and shared samples of the breach to legitimize the claim. Overall, around 278GB of sensitive information could be compromised. The hacker also posted details of call log samples which leaked sensitive information like mobile numbers of users, the date and duration of calls, and the amount charged for the call in Indian Rupees. The call log samples were being leaked in two sets: one for the month of May 2024 and another from 2020. This indicates that the data breach was a recent attack raising questions over the security checks in place at BSNL. The threat actor was selling the alleged stolen data for $5,000. The steep price tag could indicate the significant value of the stolen data which is sensitive. The Cyber Express has yet to verify the authenticity of the recent BSNL data breach and has contacted the organization for an official response.  This article will be updated based on their response.

Potential Implications of BSNL Data Breach

1. SIM Cloning and Identity Theft: Cloning a SIM involves creating a duplicate card that has the same IMSI and authentication keys, thus making it easy for the attackers to intercept messages/ calls, gain access to people’s bank accounts, and embezzle their finances.
2. Privacy Violations: Identity theft means that one can gain unauthorized access to the individuals’ communication and breaches.
3. Financial and Identity Theft: Illegal operations can defeat protective procedures in the financial portfolios, which entail substantial monetary losses and cases of identity theft.
4. Targeted Attacks and Scams: The user could be exposed to major security risks and could be vulnerable to phishing schemes and other social engineering attacks, exploiting their trust in BSNL.

The threat is not just limited to the consumers, but also to BSNL’s operations and security. Illegal access to servers can result in service disruptions, slow performance, and unauthorized access to telecom operations. Leaking of such information poses a severe threat to critical infrastructures and paves the way for future attacks on complex systems interconnectivity. BSNL users should remain vigilant and monitor any unusual activity on their phones and bank accounts and enable two-factor authentication (2FA) for added security on all accounts. BSNL too should take immediate action if the breach is confirmed, secure network endpoints, and audit access logs. They should enhance security measures, conduct frequent security audits, and adopt advanced threat detection technologies.

Second BSNL Data Breach in Less Than Six Months

If the data theft claims are proven, it would be the second instance of a cyberattack on BSNL in less than six months. In December 2023, a threat actor known as “Perell” claimed access to critical information about fiber and landline users of BSNL. The dataset contained about 32,000 lines of data allegedly impacting over 2.9 million users. However, BSNL did not validate the claims back then. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Federal Bureau of Investigation (FBI) has warned the public about a new wave of cybercriminal activity targeting victims of cryptocurrency scams. These fraudsters are posing as lawyers and law firms, offering bogus cryptocurrency recovery services to steal funds and personal information from those already defrauded. This latest cryptocurrency investment scam alert is an update to a previous warning from the FBI's Internet Crime Complaint Center (IC3), which had highlighted a surge in scams involving fake services for recovering digital assets. The updated Public Service Announcement (PSA), titled "Increase in Companies Falsely Claiming an Ability to Recover Funds Lost in Cryptocurrency Investment Scams," was originally published on August 11, 2023. Moreover, in April 2024, the FBI warned of financial risks tied to using unregistered cryptocurrency transfer services, highlighting potential law enforcement actions against these platforms. The announcement focused on crypto transfer services operating without registration as Money Services Businesses (MSBs) and non-compliance with U.S. anti-money laundering laws. These platforms are often targeted by law enforcement, especially when used by criminals to launder illegally obtained funds, such as ransomware payments.

Cryptocurrency Scam: Emerging Criminal Tactic

The FBI's announcement aims to inform the public about a new criminal tactic designed to exploit cryptocurrency scam victims further. Using social media and other messaging platforms, fraudsters posing as lawyers from fictitious law firms are contacting scam victims and offering their services. These "lawyers" claim they have the authority to investigate fund recovery cases and often assert that they are working with, or have received information from, the FBI, Consumer Financial Protection Bureau (CFPB), or other government agencies to validate their legitimacy. In some instances, victims have reached out to these scammers through fake websites that appear legitimate, hoping to recover their lost funds. The scammers use various methods to further the recovery scam, including:

• Verification Requests: They ask victims to verify their identities by providing personal identifying information or banking details.
• Judgment Amount Requests: They request that victims provide a judgment amount they are seeking from the initial fraudster.
• Upfront Fees: They demand a portion of the fees upfront, with the balance due upon recovery of the funds.
• Additional Payments: They direct victims to make payments for back taxes and other fees purportedly necessary to recover their funds.
• Credibility Building: They reference actual financial institutions and money exchanges to build credibility and further their schemes.

Between February 2023 and February 2024, cryptocurrency scam victims who were further exploited by these fictitious law firms reported losses totaling over $9.9 million, according to the FBI Internet Crime Complaint Center (IC3).

Tips to Protect Yourself

The FBI offers several tips to help individuals protect themselves from falling victim to these scams:

• Be Wary of Advertisements: Be cautious of advertisements for cryptocurrency recovery services. Research the advertised company thoroughly and be suspicious if the company uses vague language, has a minimal online presence, and makes unrealistic promises about its ability to recover funds.
• Do Not Release Information: If an unknown individual contacts you claiming to be able to recover stolen cryptocurrency, do not release any financial or personal identifying information, and do not send money.
• No Fees from Law Enforcement: Remember that law enforcement does not charge victims a fee for investigating crimes. If someone claims an affiliation with the FBI, contact your local FBI field office to confirm their legitimacy.

Victim Reporting

The FBI urges victims to file a report with the Internet Crime Complaint Center. When filing a report, try to include the following information:

• Contact Information: Details about how the individual initially contacted you and how they identified themselves, including name, phone number, address, email address, and username.
• Financial Transaction Information: Details such as the date, type of payment, amount, account numbers involved (including cryptocurrency addresses), name and address of the receiving financial institution, and receiving cryptocurrency addresses.

The FBI's announcement highlights the importance of vigilance and caution when dealing with unsolicited offers of assistance, particularly in the highly targeted and vulnerable area of cryptocurrency investments. By staying informed and following the FBI's guidelines, individuals can better protect themselves from becoming victims of these crypto scams.

ATLANTA — June TK, 2024 — Cyble, the leading provider of AI-driven cybersecurity solutions, has been recognized by Forrester (Nasdaq: FORR) in its report, The Attack Surface Management Solutions Landscape, Q2 2024 Report.  This report offers valuable insights for organizations seeking to evaluate and select an attack surface management (ASM) solution that aligns with their unique attack surfaces and threats. It provides an overview of the ASM solutions market, explores the value that security and risk (S&R) professionals can expect from ASM vendors, and offers guidance on vendor options based on company size and market focus. It also notes how ASM is essential for building a proactive program, offering valuable insights that enhance SecOps solutions.   “We provide organizations with the tools and insights they need to proactively identify and mitigate potential cyber threats before they escalate. Our inclusion in the Forrester report will only further the resolve," said Beenu Arora, Founder and CEO of Cyble. “Cyble develops AI-powered solutions that help businesses protect their digital assets and maintain a strong security posture, and we’re constantly innovating to help customers keep pace with the rapidly evolving threat landscape.”  Cyble Vision X, the successor to its award-winning Cyble Vision 2.0 threat intelligence platform elevates the user experience by empowering decision-makers with immediate access to critical information through its AI-powered insights and intuitive design. The platform covers the entire breach lifecycle, encompassing pre-breach, during-breach, and post-breach stages. 

Key Capabilities of Cyble Vision X include: 

• Attack Surface Management: Ensures digital security by identifying and mitigating threats.  

• Brand Intelligence: Comprehensive protection against online brand abuse, including brand impersonation, phishing, and fraudulent domains. 

• Cyber Threat Intelligence: Helps organizations gain insights and enhance their defense with AI-driven analysis and continuous threat monitoring. 

• Dark Web and Cyber Crime Monitoring: Helps organizations stay vigilant and ahead of cybercriminals 

• Third-Party Risk Management (TPRM):  Helps organizations identify, assess, and mitigate risks that may arise from a business's interactions with third parties. 

"By leveraging Cyble Vision X’s unmatched coverage, organizations gain total visibility and control over their attack surface, ensuring a robust security posture amid evolving cyber threats," added Arora.  Cyble’s ASM is powered by ODIN, a groundbreaking attack surface monitoring capability that scans the entire IPv4 and IPv6 space. ODIN empowers infosec teams with an accurate map of the internet, enabling them to fortify their security perimeter and proactively hunt for threats on their attack surface. To learn more about ODIN, Cyble Vision X, and how Cyble can help you stay ahead of cyber threats, visit www.cyble.com.  About Cyble:  Cyble, a trailblazer in Cyber Threat Intelligence, is committed to democratizing Dark Web Threat Intelligence through advanced AI and Machine Learning solutions. Recognized as one of the most sought-after workplaces, Cyble’s culture fosters innovation, collaboration, and professional growth.  With a proven track record in delivering cutting-edge research and proactive monitoring, Cyble stands at the forefront of the cybersecurity landscape. Headquartered in Atlanta, Georgia, with a global presence spanning Australia, Malaysia, Singapore, Dubai, Saudi Arabia, and India, Cyble is the trusted authority empowering organizations to proactively combat evolving cyber threats. Media Contact  Matt McLoughlin  matt@gregoryfca.com Cyble Inc.  enquiries@cyble.com  Ph: +1 678 379 3241  

The National Health Laboratory Service (NHLS), South Africa's primary diagnostic pathology service for public healthcare facilities, has fallen victim to a cyber attack. The incident, which occurred over the weekend, has forced the organization to shut down its IT systems, including emails, website, and patient lab test results storage and retrieval systems. NHLS CEO Prof Koleka Mlisana confirmed the breach in a memo to staff, describing it as a "suspected incident" that compromised the security of their IT infrastructure. The attack comes amidst an Mpox outbreak that has already overwhelmed the country's healthcare services. However, the extent of the cyberattack has yet to be determined, even as restoration efforts are underway.

Impact on South Africa's National Health Laboratory Service

NHLS Chief Executive Officer Prof Koleka Mlisana informed staff of the incident in a memo, stating that the breach had caused damage and that the organization was treating the matter with extreme urgency and concern. Milsana stated, “I regret to inform you that our IT systems are unavailable due to a suspected incident that occurred over the weekend.” Mlisana assured staff that the organization's Incident Response Team was working around the clock to determine the scope of the intrusion and deploy the necessary safeguards to secure systems and data. The NHLS has implemented its "Downtime Protocol" to minimize disruption to services, prioritizing patients' samples and processing, with results communicated directly to clinicians whenever urgent. The cyber attack comes at a critical time for South Africa's healthcare system. The country is currently grappling with a Mpox outbreak, and the NHLS was already facing a significant backlog in toxicology tests as of March. The shutdown of IT systems is likely to exacerbate these challenges. Mzi Gcukumana, the NHLS Communication, Marketing, and PR officer, disclosed: “Preliminary investigation suggests that our Enterprise Resource Planning (Oracle) environment, Laboratory Information System (LIS) (TrakCare) database, and CDW are not affected. Therefore, no patient data has been lost or compromised. All patient data is safe."

Response and Recovery Efforts

“Please rest assured that our priority focus is on data security. We are determined to solve this issue swiftly and transparently,” Milsana stated to patients. In response to the breach, the NHLS has deployed its Incident Response Team to assess the scope of the intrusion and implement necessary safeguards. Mlisana assured staff that the team is working around the clock to secure systems and data. “I want to take this opportunity to thank you in advance as we all put in our efforts to ensure that disruption to our services is minimised,” Milsana added. The NHLS had determined that that certain sections of its systems, including its backup server were deleted, requiring the rebuilding of affected systems. Gcukumana stated, “All users will be aware that the NHLS networked laboratory system is heavily reliant on these information technology systems that have been disrupted.” He added, “Unfortunately, this will take time, and investigations thus far have not advanced enough for us to give a timeframe for the restoration of our systems and full service. All stakeholders and the public will be informed as soon as more information becomes available.” The National Department of Health, which oversees the NHLS, has been informed of the incident. A spokesperson for the department called for patience as efforts to resolve the issue continue. As the investigation unfolds, the NHLS has promised regular updates on the compromise and ongoing response activities. The organization emphasizes its commitment to data security and swift, transparent resolution of the issue. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cyble Research and Intelligence Labs (CRIL) researchers have observed the Russia-linked threat actor group UAC-0184 targeting Ukraine with the XWorm remote access trojan (RAT) through the use of Python-related files.

Technical Overview of XWorm RAT Campaign

The campaign begins with a malicious LNK shortcut file, disguised as a legitimate Excel document, which executes a PowerShell script upon execution. The script downloads two files, "pkg.zip" and "NewCopy.xlsx", from a specified URL. The LNK shortcut file then executes "pythonw.exe" using the start command, which duplicates files and stores them in a new folder. The "pythonw.exe" loads a malicious DLL, "python310.dll", through DLL sideloading, injecting shellcode into the MSBuild process. [caption id="attachment_78917" align="alignnone" width="1529"] Source: Cyble[/caption] The hackers use a technique called DLL sideloading, where a malicious library file masquerades as a legitimate one. This allows the attackers to run their code under the guise of trusted software. Additionally, they employ a tool called Shadowloader to inject the XWorm RAT into a running process, further obscuring its presence. The XWorm RAT is then executed, offering a range of capabilities, including data theft, DDoS attacks, and cryptocurrency address manipulation. The malware attempts to connect to a Command-and-Control (C&C) server, but at the time of analysis, the server was inactive, resulting in no observed malicious activities. [caption id="attachment_78919" align="alignnone" width="537"] Source: Cyble[/caption] While the initial infection vector remains unclear, researchers suspect phishing emails may play a role. The intended victim could not be ascertained from accessing the the Excel lure used in the campaign. CRIL researchers had previously observed the UAC-0184 threat actor group employing lures tailored to appeal to Ukrainian targets, often mimicking official government or utility communications.

Protecting Against XWorm RAT

The XWorm RAT malware employed in the campaign is designed to be easily accessible even to to threat actors lacking sophistication and technical expertise. The versatile malware offers several functionalities, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble researchers have recommended several measures to defend against this campaign:

• Implement strong email filtering to block malicious attachments.
• Exercise caution with email attachments, especially from unknown senders.
• Limit execution of scripting languages where possible.
• Use application whitelisting to control which programs can run.
• Deploy robust antivirus and anti-malware solutions.
• Enforce strong, unique passwords and two-factor authentication.
• Monitor networks for unusual activity or data exfiltration attempts.

The campaign demonstrates UAC-0184's relentless efforts at attacking Ukraine with evasive techniques. The use of the XWorm RAT as the final payload indicates the intent to establish remote access over compromised systems for strategic purposes. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Threat actors are using a new attack technique that allows them to evade detection and gain full code execution of Microsoft Management Console using specially crafted management saved console (MSC) files. Elastic Security Labs researchers uncovered the new technique after a sample was uploaded to VirusTotal on June 6 – and it has yet to trigger static detections by antivirus tools on the site. The researchers are calling the new infection technique GrimResource.

GrimResource Attack Uses Old XSS Flaw

GrimResource is a “a novel, in-the-wild code execution technique leveraging specially crafted MSC files,” the researchers wrote. “GrimResource allows attackers to execute arbitrary code in Microsoft Management Console (mmc.exe) with minimal security warnings, ideal for gaining initial access and evading defenses.” The key to the attack technique is an old XSS flaw present in the apds.dll library. “By adding a reference to the vulnerable APDS resource in the appropriate StringTable section of a crafted MSC file, attackers can execute arbitrary javascript in the context of mmc.exe,” they said. Attackers can combine the technique with DotNetToJScript to gain arbitrary code execution. The sample begins with a TransformNode obfuscation technique, which was recently reported by open source tool developer Philippe Lagadec in unrelated macro samples. The obfuscation technique helps evade ActiveX security warnings and leads to an obfuscated embedded VBScript, which sets the target payload in a series of environment variables before leveraging the DotNetToJs technique to execute an embedded .NET loader. The researchers named that component PASTALOADER. PASTALOADER retrieves the payload from environment variables set by the VBScript and “spawns a new instance of dllhost.exe and injects the payload into it. This is done in a deliberately stealthy manner using the DirtyCLR technique, function unhooking, and indirect syscalls. In this sample, the final payload is Cobalt Strike.” Using the DotNetToJScript technique triggers another detection looking for RWX memory allocation from .NET on behalf of a Windows Script Host (WSH) script engine. The researchers created a rule in Elastic’s Event Query Language (EQL) to detect execution via the .NET loader.

GrimResource Detection Rules Provided

Those detections can be bypassed with stealthier methods, the researchers noted: Using apds.dll to execute Jscript via XSS, which can create detectable artifacts in the mmc.exe Procmon output as a CreateFile operation (apds.dll is not loaded as a library), and the creation of a temporary HTML file in the INetCache folder, named redirect[*] as a result of the APDS XSS redirection. In addition to EQL rules, the researchers also provided a YARA detection rule: [caption id="attachment_78894" align="alignnone" width="500"] GrimResource YARA detection rule (source: Elastic Security Labs)[/caption] “Defenders should leverage our detection guidance to protect themselves and their customers from this technique before it proliferates into commodity threat groups,” the researchers warned.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Monday that a cyberattack in January may have compromised sensitive information related to the nation's chemical facilities. Initially reported in March, the attack exploited a vulnerability in Ivanti products, leading to the temporary shutdown of two systems. In an advisory this week, CISA detailed that the Chemical Security Assessment Tool (CSAT) was specifically targeted by the cyber intrusion, which occurred between January 23 and 26. CSAT contains highly sensitive industrial data, and while all information was encrypted, CISA warned affected participants of the potential for unauthorized access.

Potential Data Compromised in Chemical Facilities' Targeting

CISA's investigation found no direct evidence of data exfiltration but indicated that the hackers might have accessed critical information such as site security plans, security vulnerability assessments (SVAs), and user accounts within CSAT. Additionally, "Top-Screen surveys," which detail the types and quantities of chemicals, their properties, and storage methods at facilities, might have been exposed. High-risk chemical facilities are mandated to submit SVAs outlining their critical assets, cyber and physical security policies, and an analysis of potential vulnerabilities. Other compromised documents could include details on cybersecurity measures, alarms and physical barriers in place at these facilities.

CISA's Response and Recommendations

CISA has informed participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the potential data exposure. Although no credentials were confirmed to be stolen, CISA advises those with CSAT accounts reset any identical business or personal passwords. They also recommend organizations using Ivanti products review a February advisory about recent vulnerabilities. The agency cannot directly notify individuals submitted for terrorist vetting under the CFATS Personnel Surety Program because it did not collect their contact information. However, identity protection services will be offered to those affected, specifically those vetted between December 2015 and July 2023.

Investigation Findings

The breach was detected on January 26, when CISA discovered hackers installing tools on an Ivanti device. Further investigation revealed multiple accesses to the system over two days. Various departments within CISA and the Department of Homeland Security (DHS) were involved in the investigation, which confirmed no hacker access beyond the initial Ivanti device. Despite the absence of evidence for data exfiltration, the potential risk to numerous individuals and organizations categorized this intrusion as a "major incident" under the Federal Information Security Modernization Act (FISMA). CISA is setting up a call center to assist impacted individuals, although it is not yet operational. The agency did not comment on the perpetrators of the attack, but since 2020, CISA has cautioned organizations about state-sponsored hackers, including those linked to China, exploiting vulnerabilities in Ivanti products.

Experts Say More Transparency Required

Roger Grimes, a data-driven defense evangelist at KnowBe4, lauded CISA's intent and the fact that it publicly accepted the hack but said a bit more transparency would have done no harm.

"I'm a big fan of CISA. I think they do wonderful work. Still, it would be useful to have better, full transparency," Grimes told The Cyber Express. "Was their Ivanti device exploited by an unpatched, but known vulnerability, or exploited by a 0-day? If they were exploited by a known vulnerability where a patch was available, which is more likely, why wasn't the patch installed? Was it simply due to the fact that the exploit happened faster than the patch could be applied? Was the patch missed? If the patch was missed, why? Or was it a 0-day, misconfiguration, or credential compromise?"

"This is not to embarrass CISA, but to learn why one of the best, most aggressive patch-pushing, cyber-defending organizations in the world got compromised," Grimes added. "Sharing what happened and why can help other organizations facing similar problems and challenges learn lessons.

"CISA is always pushing for other industries and vendors to be more transparent about their compromises so that we can all learn from the lessons and mistakes. I expect CISA to do the same and even lead by example when it's their infrastructure involved."

The European Union has extended its sanctions against threat actors after adding six Russian and Ukrainian nationals to its restrictive measures list. These latest sanctions come as part of the EU's ongoing efforts to combat malicious campaigns that threaten its member states and global security. The Council of the European Union adopted the decision to expand sanctions on June 24, 2024, citing the increasing frequency and sophistication of cyberattacks against critical infrastructure and essential services. These attacks, including ransomware, supply chain targeting, and cyberespionage, pose a systemic threat to the EU's security, economy, and society. The sanctions are aimed at preventing, deterring, and discouraging such activities, and are considered a vital instrument in the EU's framework for a joint diplomatic response to malicious cyber activities.

Russian Military Intelligence and FSB Operative Sanctions

The sanctions will take effect following publication in the Official Journal of the European Union. The council document justified the new sanctions as measures in response to the ongoing war between Russia and Ukraine and its resulting cyber activities:

The use of cyber operations that have enabled and accompanied Russia’s unprovoked and unjustified war of aggression against Ukraine affects global stability and security, represents an important risk of escalation, and adds to the already significant increase of malicious cyber activities outside the context of armed conflict over recent years. The growing cybersecurity risks and an overall complex cyber threat landscape, with a clear risk of rapid spill-over of cyber incidents from one Member State to others, and from third countries to the Union, further call for restrictive measures under Decision (CFSP) 2019/797.

Among those sanctioned are Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, both identified as members of the "Callisto group" linked to Russian military intelligence. The group, also known as "Seaborgium" or "Star Blizzard," is accused of conducting multi-year phishing campaigns to steal credentials and data, targeting individuals and critical state functions in defense and foreign relations. Two Ukrainian nationals, Oleksandr Sklianko and Mykola Chernykh, were sanctioned for their involvement in the "Armageddon" hacker group, allegedly supported by Russia's Federal Security Service (FSB). The group was found carrying out cyberattacks against the Ukrainian government and EU member states using phishing emails and malware campaigns.

Wizard Spider Threat Group Members Sanctioned

The EU also targeted two key players in the Russia-based threat group Wizard Spider: Mikhail Mikhailovich Tsarev and Maksim Sergeevich Galochkin. Both are implicated in deploying the "Conti" and "Trickbot" malware programs, which have caused substantial economic damage in the EU through ransomware campaigns targeting essential services such as healthcare, banking and defense. The EU Council has emphasized the need to protect these vital sectors from cyber threats, which can have devastating consequences for individuals, businesses, and societies as a whole. The Council said the sanctions imposed on these six individuals are a clear message that the EU will not tolerate malicious cyber activities that threaten its security, economy, and democracy. The Council document stated:

 "As part of the sustained, tailored and coordinated Union action against persistent cyber threat actors, six natural persons should be included in the list of natural and legal persons, entities and bodies subject to restrictive measures set out in the Annex to Decision (CFSP) 2019/797. Those persons are responsible for, or were involved in, cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States."

The sanctions demonstrate that the EU will continue to work closely with its Member States, international partners, and other stakeholders to address the growing cybersecurity threat landscape escalated by geopolitical tensions. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The notorious BlackBasta ransomware group is claiming credit for carrying out cyberattacks on major multinationals in the U.S. The ransomware gang claims it has access to sensitive data of financial services firm Key Benefit Administrators and healthcare apparel retailer Scrubs & Beyond. BlackBasta was recently suspected to have exploited a Microsoft zero-day prior to Microsoft’s release of a patch for the vulnerability back in March.

Decoding BlackBasta Ransomware's Alleged Attack

The first organization targeted by BlackBasta is Key Benefit Administrators, Inc., which offers financial services. The company provides employment benefit services that manages pension, retirement, health, and welfare funds. BlackBasta claims to have access to 2.5TB of sensitive data of the firm, including client, executive, and employee info. [caption id="attachment_78852" align="alignnone" width="1247"] Source: Ransomware.live[/caption] The other organization targeted by the ransomware group is Scrubs & Beyond, which is the largest retailer of healthcare apparel and accessories in the U.S. The ransomware crew claims to have accessed 600GB of the organization’s sensitive data, including HR, employee, and departmental files. [caption id="attachment_78853" align="alignnone" width="1238"] Source: Ransomware.live[/caption] Until an official statement is released by the two firms, the facts behind the BlackBasta ransomware attack claim will likely remain elusive. If BlackBasta's claims are proven true, the implications could be significant. The compromise of sensitive legal information and client data could have broad consequences, not only for the firms concerned but also for its clients and partners.

How Does BlackBasta Group Operate?

BlackBasta is a highly active ransomware group that has quickly gained a reputation for targeting high-value organizations across various industries. BlackBasta typically uses sophisticated phishing campaigns, and exploits known vulnerabilities in software to obtain access to their targets' systems. After gaining access, the group encrypts critical data and demands hefty ransoms for its release.

Previous Attacks By BlackBasta

A recent joint security advisory from the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) stated that Black Basta has, through its affiliates, compromised more than 500 organizations all over the world. The victims include organizations that span 12 of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) sector. A few of BlackBasta’s victims include Microsoft, Hyundai Europe, Capita, The American Dental Association, Yellow Pages Canada, and Dish, among others.

How to Protect Against Ransomware

The ever-present threat of ransomware requires vigilant cybersecurity practices by consumers and organizations alike. Keeping software and operating systems up-to-date: Many ransomware attacks exploit vulnerabilities in outdated software and operating systems. By keeping software and operating systems up-to-date, you can minimize the possibility of a ransomware attack. Backing up important data: If your files are encrypted by ransomware, you may be able to restore them from a backup. By regularly backing up important data, you can increase the chances that you can recover your files if they are encrypted by ransomware. However, those backups should be immutable and ransomware-resistant - a good backup service provider may be your surest bet. Using antivirus software: Antivirus software can detect and remove various types of malware, including ransomware. By using antivirus or endpoint security software, you can reduce the risk of a ransomware attack. Being cautious of suspicious emails: Many ransomware attacks are spread via phishing emails. You can lower the risk of a ransomware attack by being wary of suspicious emails and refraining from clicking on links or opening attachments from unknown sources. Educating employees about cybersecurity: Employees play a critical role in defending against cyberattacks. It is of utmost importance that they understand the best practices and know how to identify and report suspicious activities. Isolating critical workloads and data: Isolating your most important data and applications with technologies such as microsegmentation, VLANs, firewalls and strict access and permission controls will create an extra layer of security that will make it that much harder for ransomware to infect your most critical systems. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: www.databreachtoday.com – Author: 1 Critical Infrastructure Security , Incident & Breach Response , Network Firewalls, Network Access Control US Cyber Defense Agency Says Major Cyberattack Result of Vulnerable Ivanti Products Chris Riotta (@chrisriotta) • June 24, 2024     CISA’s Chemical Security Assessment Tool houses sensitive private sector chemical security plans. (Image: Shutterstock) The […]

La entrada CISA Confirms Cyberattack on Critical Chemical Security Tool – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response Auto Dealership Software Firm Says Restoring Service Will Take ‘Days and Not Weeks’ Chris Riotta (@chrisriotta) • June 24, 2024     CDK Global supplies software solutions to an estimated 15,000 car dealerships in the U.S. and Canada. (Image: […]

La entrada CDK Begins Restoring Systems Amid Ransomware Payment Reports – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Endpoint Security , Hardware / Chip-level Security Chipmaker Arm Is Not an Alliance Member Akshaya Asokan (asokan_akshaya) • June 24, 2024     CHERI backers hope a new alliance will result in industry adoption of the memory safety chip architecture. (Image: Shutterstock) Developers of a computer hardware project for stopping […]

La entrada CHERI Backers Form Alliance to Promote Memory Safety Chip – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Geo Focus: Asia Espionage Group Used SoftEther VPN Client to Exploit Targeted Networks Jayant Chakravarti (@JayJay_Tech) • June 24, 2024     Taipei city skyline (Image: Shutterstock) A Chinese state-sponsored group tracked as RedJuliett is using open-source VPN client SoftEther […]

La entrada Chinese Hackers Caught Spying on Taiwanese Firms – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Chris Schueler Chief Executive Officer, Simeio Chris Schueler, as Chief Executive Officer, drives the overall vision and strategy for Simeio. He is a proven leader with extensive experience in Go To Market, Operations, and Product Development in the managed security services space. He joined Simeio from Trustwave; leading all aspects […]

La entrada Live Webinar | Taking the Challenges Out of Identity Security – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Thank you for registering with ISMG Complete your profile and stay up to date Need help registering? Contact Support Original Post url: https://www.databreachtoday.com/webinars/webinar-just-in-time-access-reducing-risks-improving-velocity-w-5696 Category & Tags: – Views: 0

La entrada Webinar | Just-In-Time Access: Reducing Risks and Improving Velocity – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Bruce Johnson Senior Director, Enterprise Security, TekStream Bruce Johnson has over 38 years of experience in the information technology industry, including security, infrastructure architecture, software development, and management of multiple portfolios. He has experience in Splunk, security solutions, cloud migration, portal, content workflow, integration, and project management. As the senior […]

La entrada Webinar | Transforming Cybersecurity with Collaborative MDR Solution – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Account Takeover Fraud , AI-Based Attacks , Anti-Phishing, DMARC Presented by KnowBe4     60 mins     Social engineering and phishing are not just IT buzzwords; they are potent threats capable of causing devastating damage to your organization. Bad actors and the technology they use to infiltrate your defenses […]

La entrada Webinar | Everything You Can Do to Fight Social Engineering and Phishing – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 The average large company has close to 3,000 vendors. Payment fraud is the top risk to companies across the globe. Business email compromise is continually on the rise, and now attackers can use generative AI to refine their social engineering techniques. We need FinSecOps, said Johnny Deutsch, co-founder and CEO […]

La entrada Fighting Payment Fraud by Integrating Security Into Finance – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

After a 14-year legal battle, WikiLeaks founder Julian Assange walked out of the United Kingdom’s Belmarsh prison Monday morning, where he agreed to a plea deal with the United States. According to court documents, Assange agreed to plead guilty to a single charge of conspiracy to obtain and disclose national defense information, which violates espionage law in the United States. The sole charge carries a sentence of 62 months in prison, but under the plea deal the time he has already served in the UK prison — a little over 62 months — will be counted as time served. Thus, Assange will not be required to spend any more time behind bars in the U.S., the UK or anywhere else.

WikiLeaks and Human Rights Groups Celebrate Assange's Release

In a statement on platform X, WikiLeaks wrote, “Julian Assange is free.”

“He left Belmarsh maximum security prison on the morning of 24 June, after having spent 1901 days there. He was granted bail by the High Court in London and was released at Stansted airport during the afternoon, where he boarded a plane and departed the UK.” – WikiLeaks

Assange is being flown to Saipan, the capital of the Northern Mariana Islands and a U.S. commonwealth in the Western Pacific Ocean. The formal hearing and sentencing is set to take place in the U.S. District Court for the Northern Mariana Islands at 9 a.m. local time Wednesday. Assange was reluctant to fly to the mainland U.S., his prosecutors said, and thus Saipan was decided as an alternative due to its proximity with Australia. If the guilty plea is approved by the judge – as is expected – the WikiLeaks founder will head to Australia after the sentencing. Human rights organization Amnesty International’s Secretary General, Agnès Callamard welcomed the “positive news.”

“We firmly believe that Julian Assange should never have been imprisoned in the first place and have continuously called for charges to be dropped.” - Amnesty International’s Secretary General, Agnès Callamard 

“The years-long global spectacle of the US authorities hell-bent on violating press freedom and freedom of expression by making an example of Assange for exposing alleged war crimes committed by the USA has undoubtedly done historic damage,” Callamard said. “Amnesty International salutes the work of Julian Assange’s family, campaigners, lawyers, press freedom organizations and many within the media community and beyond who have stood by him and the fundamental principles that should govern society’s right and access to information and justice.” The Mexican President Andrés Manuel, sounded a similar sentiment and said:

“I celebrate the release of Julian Assange from prison. At least in this case, the Statue of Liberty did not remain an empty symbol; She is alive and happy like millions in the world.”

Brief Timeline of Julian Assange Espionage Case

Julian Assange, the founder and Editor-in-Chief of WikiLeaks, gained prominence after the site published more than 90,000 classified U.S. military documents on the Afghanistan war and about 400,000 classified U.S. documents on the Iraq war. After the release of these documents via WikiLeaks, Assange was indicted by the U.S. on 18 counts, including 17 espionage charges under the 1917 Espionage Act and one for computer misuse, where he allegedly gained unauthorized access to a government computer system of a NATO country. In 2012, Assange communicated directly with a leader of the hacking group LulzSec (who by then was cooperating with the FBI), and provided a list of targets for LulzSec to hack, the indictment said. With respect to one target, Assange asked the LulzSec leader to look for (and provide to WikiLeaks) mail and documents, databases and PDFs. In another communication, Assange told the LulzSec leader that the most impactful release of hacked materials would be from the CIA, NSA, or the New York Times. WikiLeaks obtained and published emails from a data breach committed against an American intelligence consulting company by an “Anonymous” and LulzSec-affiliated hacker. According to that hacker, Assange indirectly asked him to spam that victim company again. An August 2010 arrest warrant for sexual assault allegations in Sweden was initially dropped but later reopened, leading to an international arrest warrant against him. Assange then sought refuge in the Ecuadorian embassy in London. In 2019, Ecuador revoked his asylum, and he was arrested by London police and sentenced to 50 weeks in prison for breaching bail conditions. Swedish prosecutors dropped their case in 2019 because the passage of time had weakened evidence, but they said they retained confidence in the complainant.

Assange’s Freedom Starts ‘a New Chapter’

Stella Assange, the WikiLeaks founder’s wife, was elated and thanked everyone who stood by her husband. “Throughout the years of Julian’s imprisonment and persecution, an incredible movement has been formed. People from all walks of life from around the world who support not just Julian ... but what Julian stands for: truth and justice,” Stella Assange said. “What starts now with Julian’s freedom is a new chapter.” It will be interesting to see if Assange will be back at the helm of WikiLeaks and if he will keep his fight on against human right exploitations but for now it seems like he would be eager to reunite with his wife Stella Assange, and his children, “who have only known their father from behind bars.” Update* (June 25 1:30 p.m. ET): Added comments from Amnesty International’s Secretary General, Agnès Callamard and President of Mexico, Andrés Manuel.

After the Qilin ransomware gang last week published on its leak site a data subset as a proof of hacking Synnovis’ systems, the London-based pathology services provider has now confirmed its legitimacy saying the data belongs to its storage drive related to administrative work and contains fragments of patient identifiable data. Hackers that are linked to the Russian-linked Qilin ransomware gang published on Friday around 400 gigabytes of sensitive patient data, which they claimed included names, dates of birth, NHS numbers and descriptions of blood tests stolen from Synnovis’ systems. Following the data leak on the dark web, Synnovis confirmed on Monday that the published data was legitimate but noted it was too early to determine the full extent of the compromised information.

“Last week a group claiming responsibility for the cyberattack published data online. We have now been able to confirm that this data was stolen from Synnovis’ systems.” - Synnovis

An initial review from Synnovis over the weekend revealed no evidence that the Laboratory Information Management Systems (LIMS) - the primary databases for patient test requests and results - were posted. However, fragments of patient-identifiable data from an administrative working drive have been published, Synnovis said. The payroll information storage area remains unaffected but further review of employee-related data that appeared in the dataset published on the dark web is underway. Synnovis emphasized the priority of understanding the compromised administrative working drive. The company is working alongside technical experts to ascertain more details and mitigate concerns among service users, employees and partners. The Information Commissioner’s Office (ICO) is investigating the breach, acknowledging the sensitivity of the leaked data and the anxiety it may cause. “While we are continuing to make enquiries into this matter, we recognize the sensitivity of some of the information in question and the worry this may have caused,” the ICO said. The ICO advises concerned individuals to visit its website and NHS England’s site for guidance and support. NHS England continues collaborating with Synnovis and the National Crime Agency to address the ransomware attack. NHS England acknowledged Synnovis’ initial analysis that confirmed the published data originated from their systems. The complex nature of such investigations means it could take weeks to identify all impacted individuals, it said. As the investigation proceeds, NHS England and Synnovis will provide updates and have established a helpline for those affected. Local health systems are working together to manage the impact on patients and have deployed additional resources to ensure urgent blood samples are processed. Laboratories can now also access historical patient records, which aids continuity of care, NHS England said. The cyberattack has significantly delayed blood tests, with some media reports stating NHS patients potentially waiting up to six months for sample collection. Earlier, Synnovis said the ransomware attack had significantly brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day. The Guardian cited a letter to one of the patients from the impacted hospital being told:

“Sadly it appears it may be three to six months before bloods can be taken again. You will be put on a waiting list and our secretaries will contact you when bloods can be taken again. If you haven’t heard anything in the next four months please feel free to contact us on the details above. I want to apologise for this inconvenience and appreciate this will be frustrating.”

The pathology service provider was processing only “clinically critical” blood samples flagged by clinicians. These delays have prompted some patients to seek private clinics for faster testing and analysis that cost significantly high. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this month to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.

Google’s initiative to phase out third-party tracking cookies through its Google Privacy Sandbox has encountered criticism from Austrian privacy advocacy group noyb (none of your business). The non-profit alleges that Google’s proposed solution still facilitates user tracking, albeit in a different form. Allegations of Misleading Practices   According to noyb, Google’s Privacy Sandbox, marketed as […]

The post Alert: Australian Non-Profit Accuses Google Privacy Sandbox appeared first on TuxCare.

The post Alert: Australian Non-Profit Accuses Google Privacy Sandbox appeared first on Security Boulevard.

The infamous cybercrime marketplace BreachForums faced an awkward scenario on June 25, 2024, when a threat actor leaked unverified information about "Aegis”, one of the forum moderators. The doxxing incident of BreachForums moderator was first reported by a LinkedIn user on a cybersecurity forum named “CISO2CISO”.

BreachForums Moderator Doxxing Details

On Tuesday, Bhavesh Mohinani, an SOC analyst and a member of "CISO2CISO,"  shared screenshots of a BreachForums post by an anonymous threat actor that allegedly contained sensitive Personally Identifiable Information (PII) of BreachForums moderator "Aegis". [caption id="attachment_78802" align="alignnone" width="1069"] Source: LinkedIn[/caption] The threat actor claimed that he obtained “bits and pieces” information about Aegis through his friend. “One thing I was given was a first name and an IP. Looking into it, you find out his information is very much out there! So much OPSEC, am I right,” the TA wrote in his post. OPSEC or Operational Security, is a process that identifies seemingly innocuous actions that could inadvertently reveal critical or sensitive data to a cybercriminal. Elaborating the details of Aegis, the threat actor claimed, “Aegis is a 17-year-old Egyptian resident living with his mother. His father seems not to have been found. Aegis started off being a skid, stealing code, claiming to be harmful and so on...he is a loser. “Aegis will most likely deny this being his information but if this post gets taken down, you will know the truth/ love everyone! Expect this loser,” the TA wrote. The user also shared details claiming to be the moderator’s phone number, IP address, residential address and telegram account. [caption id="attachment_78803" align="alignnone" width="1091"] Source: LinkedIn[/caption] While there is no confirmation or credibility to the claims shared by the anonymous actor, the post was deleted as soon as it was shared. However, the post has raised concerns about the security and trustworthiness of online communities.

What is Doxxing?

Doxxing, or doxing for short, is when someone puts your personal information out there on the internet. This can include information like where you work, your home address, your credit card numbers, and other private details. Usually, the intention of the threat actor is to harass the victims. The word "doxxing" first came about in the 1990s, starting from the word "documents," which got shortened to "docs," and then finally became "dox." When people talk about "dropping dox," they mean cybercriminals revealing the true identities of their rivals, taking away their anonymity, and making them vulnerable to the authorities. A doxxing attack begins with the threat actor gathering extensive information about their target, searching online and checking social media for clues. Social media can reveal workplace details, which can be exploited for attacks. Skilled threat actors might also trace a target’s IP address to determine their location. The more data a threat actor collects, the more harm they can inflict. While some doxxing incidents are minor, like sending unwanted pizza deliveries, others can lead to severe consequences such as online harassment, swatting, identity theft, reputational damage, physical assault, job loss, or stalking. The alleged doxxing of the BreachForums moderator has raised questions about whether it would lead to the arrest of another threat actor and if it signals the decline of the forums. For example, in California, doxing is considered a serious offense, and individuals engaging in this activity could face legal consequences. Individuals arrested and charged with cyber harassment (doxing) under Penal Code §653.2 face up to one year in jail and a fine of up to $1,000. In April 2023, Hong Kong’s privacy watchdog, Office of the Privacy Commissioner for Personal Data, arrested a 27-year-old woman on suspicion of doxxing after she allegedly posted the personal details of her friend’s ex-boyfriend on social media.

Prevention Against Doxxing

To protect users against doxxing, one must use strong, unique passwords for each account and enable Multi-Factor Authentication (MFA). Cleaning the digital footprint by removing personal information from online sites, deactivating old accounts, and adjusting privacy settings is regarded as a healthy practice. Using a VPN is recommended to hide the user’s IP address and prevent location tracking. Users must also be vigilant against phishing scams by recognizing poor spelling, mismatched email addresses, and unsolicited links. Finally, avoiding oversharing personal information online and keeping social media profiles private is a healthy digital practice to enhance security. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Massive hack forces CDK Global, a provider of software-as-a-service for car dealerships, to shut down its servers, leaving customers unable to run their businesses as usual. A SaaS platform from CDK Global serves clients in the auto sector, managing all facets of vehicle dealership operations, such as inventory management, CRM, financing, payroll, support, and servicing. […]

The post CDK Group Falls Victim to Two Cyberattacks appeared first on Heimdal Security Blog.

A recently discovered vulnerability (CVE-2024-27812) in the Apple Vision Pro headset allowed hackers to bypass device security mechanisms and flood user's environments with animated 3D objects – such as spiders and bugs – through a Safari exploit. These objects persisted even after exiting Safari, making for a uniquely unsettling environment. Apple addressed the vulnerability this month after security researcher Ryan Pickren had disclosed the flaw in February, awarding the researcher a bounty. The bug highlights the challenges in securing 'spatial computing' devices.

Spatial Hack in Apple Vision Pro Devices

Apple designed the Vision Pro with strict privacy controls. This includes limiting device apps to a default 'Shared Space' and mandating explicit user consent for more engaging and immersive content. Websites must also obtain explicit user permission to generate 3D content within a user's physical environment. [caption id="attachment_78754" align="alignnone" width="720"] Source: ryanpickren.com[/caption] However, Pickren discovered that the AR Quick Look feature that had been introduced in 2018 for iOS remained active in the visionOS without the implementation of proper safeguards. This oversight allowed websites to manipulate HTML anchor tags to spawn unlimited 3D objects coupled with animations and spatial audio. By adding specific anchor tags to webpages, malicious websites can instruct Safari to render a 3D model, surprisingly without any form of user interaction. "If the victim just views our website in Vision Pro, we can instantly fill their room with hundreds of crawling spiders and screeching bats," Pickren explained. "Freaky stuff," he exclaimed. [caption id="attachment_78758" align="alignnone" width="1168"] Source: ryanpickren.com[/caption] [caption id="attachment_78756" align="alignnone" width="1186"] Source: ryanpickren.com[/caption] The researcher stated that the exploit code is straightforward and that closing Safari doesn't get rid of the 3D objects, as they are handled by a separate application. "To make things even freakier – since these animated files are being handled by a separate application (Quick Look), closing Safari does not get rid of them," Pickren noted. He added, "There is no obvious way to get rid of them besides manually running around the room to physically tap each one."

Bug Reporting and Gaps in Vulnerability Assessment

After trying to disclose the flaw to Apple, the researcher felt the tech giant had downplayed its relation to spatial computing and the generation of 3D objects, instead focusing on the potential for system crashes and reboots. The CVE description claimed that the issue had been addressed by improving the file handling protocol, which the researcher believed was unrelated to the bug. This highlights the challenges of triaging and classifying bugs in emerging fields such as Spatial Computing. The researcher believes the bug's impact goes beyond simple system crashes or reboots, raising questions about the security and privacy of the technology and the need for reevaluating existing threat models. "Perhaps it's time for Apple to re-evaluate their Vision Pro threat model," Pickren suggested. "This is a deeply personal product and classic vulnerability triaging guidelines may not capture the full impact anymore." Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Last week's ransomware attack on software as a service (SaaS) provider CDK Global has had a ripple effect on its customers, as multiple car dealerships serving thousands of locations report disruptions in their filings with the U.S. Securities and Exchange Commission. The CDK ransomware attack has paralyzed thousands of car dealerships across North America, disrupting operations for some of the largest automotive retailers. The attack that began last Tuesday has impacted operations of major players such as Asbury Automotive Group, AutoNation, Group 1 Automotive, Lithia Motors, Penske, Sonic Automotive, and the number is expected to swell even more in coming days.

Systems Shut Down After Attack

CDK Global, a crucial provider of SaaS platforms for dealerships, was forced last week to shut down its systems in response to the cyberattack. With the work done so far, our core DMS and Digital Retailing solutions have been restored," a spokesperson for CDK Global told The Cyber Express at the time. "We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing." This shutdown has hindered dealerships' abilities to manage customer relationships, sales, financing, service, inventory, and back-office operations. CDK Global's systems are vital to over 15,000 car dealerships in North America. It facilitates various operations, including car sales, repairs and registrations. There are only a handful of DMS companies for dealers to choose from. Thus, thousands of dealerships are hugely reliant on CDK’s services to line up financing and insurance, manage inventory of vehicles and parts, and complete sales and repairs.

How CDK Global Cyberattack Impacts Customers

Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive have activated their incident response plans and disconnected from CDK systems as a precaution, although no evidence of compromise within their own networks was found. Sonic Automotive mentioned that as of Friday, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Group 1 Automotive noted that CDK aims to restore the dealer management system within "several days and not weeks," but the financial impact depends on the system's downtime duration. Group 1 owns and operates 202 automotive dealerships, 264 franchises, and 42 collision centers in the United States and the United Kingdom that offer 35 brands of automobiles.

CDK Customers Move to Manual Methods

Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but "slower than normal." It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.

CDK May Pay Ransom

Late on Friday, Bloomberg reported that CDK Global is negotiating with the a ransomware gang, which Bleeping later confirmed to be BlackSuit, a rebrand of the Royal ransomware group known for last year's attack on the city government of Dallas. Although the ransom amount remains undisclosed, CDK Global reportedly plans to pay, Bloomberg said. CDK Global has issued prerecorded messages to warn customers about hackers posing as CDK staff to gain unauthorized access. Despite making recovery progress last week, CDK faced a second cyber incident that led to a complete shutdown of its systems. The company is working with third-party experts to assess the impact and update its customers regularly. This attack exposes the critical vulnerabilities in the supply chain of the automotive industry and its reliance on centralized digital platforms.

A ransomware attack on Indonesia's national data center has disrupted official government services. The attack has reportedly affected more than 200 government agencies at national and regional levels, and the threat actors claiming responsibility have demanded a ransom of $8 million for a restoration of these systems. A senior official has reported that the government has refused to pay the ransom, instead focusing on restoring services and trying to identify the attackers.

Authorities Have Detected Samples of LockBit 3.0 Ransomware

Samuel Abrijani Pangerapan, director general of informatics applications at the Communications and Informatics Ministry, confirmed that essential services like immigration checks at airports had been disrupted. Long lines were formed at affected airports after automated passport machines were rendered useless. While some of these services have been restored, including the government's immigration services, ongoing efforts are aimed at restoring other critical operations, such as investment licensing. Samuel stated, “We have tried our best to carry out recovery while the (National Cyber and Crypto Agency) is currently carrying out forensics.” The National Cyber and Crypto Agency has detected samples of LockBit 3.0 ransomware, a variant known for encrypting victims' data and demanding payment for its release. PT Telkom Indonesia, an Indonesian multinational telecommunications company, is working with domestic and international authorities and leading the efforts to efforts to break the encryption and restore access to the compromised data. Herlan Wijanarko, the company's director of network & IT solutions, confirmed that the attackers had offered a decryption key in exchange for an $8 million ransom.

Experts Concerned About Indonesia Government Infrastructure Security

Cybersecurity experts warn that the severity of the attack highlights significant vulnerabilities in the government's digital infrastructure and incident response capabilities. Cybersecurity expert Teguh Aprianto described the latest attack as "severe" and notes that it highlights the need for improved infrastructure, manpower, and vendor management to prevent such attacks in the future. Teguh stated, "It shows that the government infrastructure, manpower handling this and the vendors are all problematic." In recent years, Indonesia has faced a series of high-profile cyber attacks, including a ransomware attack on its central bank and a data breach at its largest Islamic lender. The consequences of these attacks can be severe, with victims often forced to pay large sums to regain access to their data. Last year, the LockBit ransomware gang claimed responsibility for an attack on the Bank Syariah Indonesia. Sensitive information of over 15 million individuals had been stolen in the attack, affecting both customers and employees. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cyble Research & Intelligence Labs (CRIL) last week analyzed 154 vulnerabilities in its weekly vulnerability report, including critical flaws in products from the likes of Microsoft, VMware, Veeam and ASUS. A whopping 126 of the vulnerabilities occurred in Siemens industrial control systems (ICS) products, potentially putting critical manufacturing infrastructure at risk. About 25,000 new security vulnerabilities are discovered each year, yet only a small percentage of those are actively exploited by threat actors. To help security teams focus on the most important vulnerabilities and threats, The Cyber Express is collaborating with Cyble’s highly skilled dark web and threat intelligence researchers to highlight security vulnerabilities that warrant particularly close attention.

The Week’s Top Vulnerabilities

Cyble’s weekly report focused on 9 of the vulnerabilities in particular; they are:

CVE-2024-37079, CVE-2024-37080 and CVE-2024-37081: VMware

Impact Analysis: These critical and high severity heap-overflow and privilege escalation vulnerabilities impact the VMware vCenter Server, a central management platform for VMware vSphere, enabling the management of virtual machines and ESXi hosts. With the global usage of the impacted product and the history of leveraging flaws impacting vCenter, there is strong potential for threat actors (Tas) to leverage these critical vulnerabilities also. Internet Exposure: Yes Available Patch? Yes

CVE-2024-3080: ASUS Router Bypass

Impact Analysis: This critical authentication bypass vulnerability impacts certain ASUS router models, allowing unauthenticated remote attackers to log in to the device. Recently, the Taiwan Computer Emergency Response Team informed users about the vulnerability and released an advisory with fixes to patch the flaw. Internet Exposure: Yes Patch Available? Yes

CVE-2024-3912: ASUS Arbitrary Firmware Upload Vulnerability

Impact Analysis: This critical arbitrary firmware upload vulnerability impacts certain ASUS router models, allowing unauthenticated remote attackers to execute arbitrary system commands on the device. The Taiwan Computer Emergency Response Team also informed users about this vulnerability and released an advisory with fixes to patch the flaw. Internet Exposure: Yes Patch Available? Yes

CVE-2024-29855: Veeam Recovery Orchestrator

Impact Analysis: This critical authentication bypass vulnerability impacts the Veeam Recovery Orchestrator. The recovery solution extends the capabilities of the Veeam Data Platform by automating recovery processes and providing comprehensive reporting and testing features. The availability of a recent publicly available proof-of-concept (PoC) exploit for this vulnerability elevates the risk of exploitation in attacks by TAs. Internet Exposure: No Patch Available? Yes

CVE-2024-30103: Microsoft Outlook RCE Vulnerability

Impact Analysis: This high-severity remote code execution (RCE) vulnerability impacts Microsoft Outlook. Since the zero-click RCE flaw can be exploited simply by opening and previewing an email that contains a malicious payload in the body of the email, requiring no further interaction from the user, there are high possibilities for the weaponization of the vulnerability by TAs in targeting government and private entities. Internet Exposure: No Patch Available? Yes

CVE-2024-30078: Windows Wi-Fi Driver RCE Vulnerability

Impact Analysis: This high severity remote code execution (RCE) vulnerability impacts Windows Wi-Fi Driver. With the wide usage of Windows devices around the world and the ability to exploit without the need for any user interaction, TAs can leverage the flaw to gain initial access to the devices and later install malware and exfiltrate user data. Internet Exposure: No Patch Available? Yes

CVE-2024-37051: JetBrains GitHub Plugin Vulnerability

Impact Analysis: This critical vulnerability in the JetBrains GitHub plugin on the IntelliJ open-source platform affects all IntelliJ-based IDEs, leading to the exposure of GitHub access tokens. TAs can leverage the vulnerability by using exposed tokens to gain unauthorized access to user GitHub accounts and repositories and possibly deploy malicious code or delete the repositories. Internet Exposure: No Patch Available? Yes

CISA Adds 5 Vulnerabilities to KEV Catalog

Five of the vulnerabilities in the Cyble report were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2024-32896, an Android Pixel vulnerability with a 7.8 CVSSv3 criticality score
• CVE-2024-26169, a Microsoft Windows error reporting service elevation of privilege vulnerability with a 7.8 criticality rating
• CVE-2024-4358, a Progress Telerik Report Server vulnerability with a 9.8 rating
• CVE-2024-4610, an Arm Mali GPU Kernel Driver vulnerability with a 5.5 rating
• CVE-2024-4577, a PHP remote code execution flaw, a 9.8 vulnerability that Cyble addressed in last week’s report

The full Cyble report available for clients covers all these vulnerabilities, along with details and discussion around exploits found on the dark web, industrial control system (ICS) vulnerability intelligence, and cybersecurity defenses. Cyble security analysts also conducted scans of customer environments to alert them of any exposures – and found more than 2 million exposures to 13 of the vulnerabilities. Stay ahead of cyber threats with the Weekly Vulnerability Intelligence Report by Cyble, brought to you by The Cyber Express. Subscribe now for the latest insights powered by Cyble's advanced AI-driven threat intelligence.

Lindex Group, an international retail giant specializing in high-quality fashion, has reportedly fallen victim to a data breach. According to claims made by threat actor IntelBroker on dark web forums, the Lindex Group data breach allegedly occurred in June 2024, targeting Lindex Group's internal GitLab. The perpetrator allegedly exploited vulnerabilities stemming from developers storing credentials in their Jira workplace, thereby gaining access to a collection of source code belonging to the company. Lindex Group, which has been a part of the Finnish Stockmann Group since 2007, operates approximately 480 stores across 18 markets, including the Nordic countries, the Baltic states, Central Europe, and the Middle East. With a workforce of around 5,000 employees, the company holds a prominent position in the retail industry, focusing on an omnichannel approach to fashion retailing.

Decoding IntelBroker’s Claims of Lindex Group Data Breach

[caption id="attachment_78687" align="alignnone" width="1242"] Source: X[/caption] The claims made by IntelBroker on the dark web suggest that the compromised source code of Lindex Group is now accessible through undisclosed channels, although specific details such as the price for access or direct communication channels have not been publicly disclosed. The situation has prompted concerns about the potential impact on Lindex Group's operations and the security of its customers' data. Despite these reports, Lindex Group has yet to issue an official statement or response regarding the alleged breach. The Cyber Express has reached out to the organization to learn more about this the breach claims. However, at the time of this, no official statement or response has been received. Visitors to Lindex Group's website may find it operational without immediate signs of intrusion, suggesting that the attack may have targeted backend systems rather than initiating a more visible front-end assault like a Distributed Denial-of-Service (DDoS) attack or website defacements.

IntelBroker Hacking Spree

IntelBroker, the solo hacker claiming responsibility for the breach, has a history of similar actions, having previously claimed involvement in cybersecurity incidents affecting other major companies. One notable example includes an alleged data breach targeting Advanced Micro Devices (AMD), a leading semiconductor manufacturer, and Apple was another alleged victim. The incident, disclosed on platforms like BreachForums, involved the exposure of sensitive data, prompting AMD to initiate investigations in collaboration with law enforcement authorities and third-party cybersecurity experts. The situation highlights the persistent nature of hackers like IntelBroker, who continue to exploit vulnerabilities in digital infrastructure for financial gain or malicious intent. For organizations like Lindex Group, the fallout from such breaches can encompass not only financial losses but also reputational damage and regulatory scrutiny. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Crypto portfolio tracking app Coinstats has found itself at the center of a security breach, impacting approximately 1,590 user wallets. The Coinstats data breach, which occurred on June 22, 2024, has been attributed to a group with alleged ties to North Korea, marking a concerning development for crypto investors.  Coinstats swiftly responded to the breach by taking down its application temporarily. This proactive measure was aimed at containing the data breach at Coinstats and preventing further unauthorized access to user data and funds.  The affected wallets, constituting about 1.3% of all Coinstats wallets, were primarily those created directly within the app. Fortunately, wallets connected to external exchanges and platforms remained unaffected, providing some relief amidst the security scare.

Understanding the Coinstats Data Breach 

[caption id="attachment_78679" align="alignnone" width="733"] Source: Coinstats on X[/caption] In a public statement addressing the breach, Coinstats reassured its user base that the incident has been mitigated, and immediate steps have been taken to secure the platform. Users whose wallet addresses were compromised were advised to take action by transferring their funds using exported private keys. A spreadsheet link was provided for users to check if their wallets were among those affected. CEO Narek Gevorgyan highlighted the seriousness of the situation, acknowledging the challenges posed by the Coinstats cyberattack while emphasizing Coinstats' commitment to restoring normal operations swiftly and securely. Gevorgyan outlined that comprehensive security measures were being implemented during the restoration process to fortify the platform against future vulnerabilities. "We're actively working to bring the app back online as quickly as possible. Thank you for your patience," stated Gevorgyan in an update shared via Coinstats' official channels.

North Korea-linked Hackers Behind the Data Breach at Coinstats

The revelation of North Korea-linked hackers being behind the breach adds a geopolitical dimension to the Coinstats data breach incident, highlighting the global reach and sophisticated tactics employed by cyber threat actors targeting digital assets and platforms. This aspect of the breach highlights the need for heightened cybersecurity measures across the cryptocurrency sector. In a similar case, another crypto firm, BtcTurk faced a cyberattack on its hot wallets on June 22, 2024. Binance Binance CEO Richard Teng confirmed this attack, pledging ongoing support for BtcTurk's investigation. Cryptocurrency investigator ZachXBT hinted at a possible link between the breach and a $54 million Avalanche transfer.  Coinstats users have been urged to remain vigilant and monitor their accounts closely for any unauthorized transactions or suspicious activities. The company assured its users that it is actively investigating the extent of funds moved during the breach and pledged to provide updates as new information becomes available. In response to the breach, regulatory bodies and industry stakeholders may scrutinize Coinstats' security practices and response protocols. The outcome of such scrutiny could influence future cybersecurity standards within the cryptocurrency industry, potentially leading to more stringent requirements for platform security and user protection.

In today's digital age, staying informed about the latest developments in cybersecurity is crucial. Cyber threats are constantly evolving, and staying ahead of these challenges requires up-to-date knowledge and proactive measures. TCE Cyberwatch is here to provide you with a comprehensive weekly roundup of the most significant cybersecurity news, trends, and insights. Each week, we delve into the latest breaches, emerging threats, advancements in security technology, and critical updates from the cybersecurity world. Whether it's a major data breach affecting millions, a new vulnerability discovered in popular software, or innovative strategies to enhance your defenses, TCE Cyberwatch covers it all. Read on and find out what was the most relevant news in the world of cybersecurity this week.

TCE Cyberwatch: A Weekly Round Up

CISA Issues Urgent Advisories to Patch Critical Flaws in Industrial Control Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued 20 advisories to address vulnerabilities in Industrial Control Systems (ICS). These advisories offer detailed technical information and mitigation strategies for various ICS components. Key vulnerabilities include CVE-2024-33500 in Siemens Mendix Applications, which poses remote exploitation risks due to improper privilege management, and issues in Siemens SIMATIC S7-200 SMART devices that can lead to denial-of-service attacks. Additional affected systems include Siemens TIA Administrator, SCALANCE devices, Fuji Electric’s Tellus Lite, and Rockwell Automation’s FactoryTalk View SE. CISA stresses the importance of timely updates, network access restrictions, and strict adherence to security protocols. Although no public exploits have been identified, CISA recommends proactive measures such as network segmentation and secure remote access to bolster ICS resilience against cyber threats. Read More

Microsoft Vows Security Overhaul After U.S. Report

Microsoft has faced severe criticism over its cybersecurity measures, highlighted by a U.S. Cyber Safety Review Board (CSRB) report detailing multiple security failures. These failures include a July 2023 attack by Chinese actors on senior U.S. officials' email accounts. Despite pledges to prioritize security, issues have been compounded by the flawed rollout of the Windows Recall feature. In a House Committee hearing, Microsoft President Brad Smith acknowledged these failings, accepted responsibility, and outlined plans for improvement. These measures include integrating security into executive bonuses and employee reviews, adding 1,600 security engineers, and expanding senior-level oversight. Microsoft is also addressing all CSRB recommendations and enhancing identity protection, network security, and threat detection. Smith emphasized the ongoing battle against cyberattacks, noting that Microsoft detects nearly 4,000 password-based attacks per second. Read More

Over 300 Fake Paris 2024 Sites Target Olympic Ticket Buyers

As the Paris 2024 Summer Olympics approach, security researchers and officials have identified over 300 fraudulent ticketing sites exploiting legitimate Olympics branding to scam users. One notable site, paris24tickets[.]com, appeared professional and ranked highly in Google search results, misleading users into providing personal and financial information. Proofpoint researchers exposed this site as entirely fraudulent, collecting sensitive data instead of processing ticket orders. The French Gendarmerie Nationale has identified 338 scam sites since March 2023, shutting down 51 and putting 140 on notice. Scammers use ads and targeted emails to attract victims, often offering fake discounts. Captain Etienne Lestrelin advises against buying tickets outside official sources, warning that excessively cheap tickets are likely scams and could involve buyers in criminal activities. Read More

Tesla's $45 Billion Payout: Court Battle Looms Over Coercion Claims

Tesla's efforts to reinstate Elon Musk's $45 billion pay package continue to face legal challenges despite shareholder support. The package was nullified by a Delaware judge due to concerns over board independence. Tesla's chair plans to resubmit the deal to the court, but plaintiffs argue the vote was coerced and legally flawed. Richard Tornetta's lawyer, representing the plaintiffs, claims the new vote does not address the initial issues. Legal experts predict ongoing court battles in Delaware, with possible appeals to the state’s supreme court. They also highlight potential coercion by Musk, who threatened to develop AI and robotics outside Tesla if the vote failed. Future pay deals will be governed by Texas law following Tesla's incorporation move, but existing litigation remains in Delaware. Read More

MFA Failure Exposes Millions: Medibank Fined for Massive Data Breach

A lack of multi-factor authentication (MFA) likely caused the Medibank data breach, exposing the personal data of 9.7 million customers in October 2022. The Australian Information Commissioner’s report revealed that hackers stole an IT service desk operator’s credentials via malware on a home device. The compromised VPN lacked MFA, allowing unauthorized access. Ignored security alerts further enabled the attackers to extract 520GB of sensitive data. Medibank's inadequate cybersecurity measures, highlighted in a 2020 risk assessment, included excessive access privileges and the absence of MFA. This negligence led to legal action by Australia's privacy regulator, with potential fines exceeding AU$2 million. Sanctions and arrests followed for the hackers involved. The breach underscores the critical need for MFA, proper alert management, regular security audits, and employee training. Read More

META Stealer Ups the Ante: Encrypted Builds, Custom Stubs in v5.0 Update

META Stealer v5.0 has launched, introducing advanced features and heightened security for this information-stealing malware. Key improvements include TLS encryption for secure communication between the build and the control panel, similar to updates seen in other top stealers like Lumma and Vidar. The update also offers a new build system for generating unique builds, supported by a "Stub token" currency for creating Runtime stubs, enhancing customization. The "Crypt build" option encrypts builds to evade detection during scans, significantly boosting stealth capabilities. Additionally, the panel's security and licensing systems have been upgraded to minimize disruptions. While previous updates, such as version 4.3 in February 2023, introduced features like enhanced detection cleaning and Telegram integration for build creation, version 5.0 focuses on individualized security and continuous improvement. Read More In this week's edition of TCE Cyberwatch, we've covered critical cybersecurity updates, from CISA's advisories on industrial control systems to Microsoft's pledges for security improvements and the exposure of fraudulent Olympic ticketing sites. As cyber threats continue to evolve, staying informed and proactive is essential. By keeping abreast of the latest news and trends, you can better protect your digital assets and stay ahead in the ongoing battle against cyberattacks. Stay vigilant and informed with TCE Cyberwatch.

Jollibee Foods Corporation (JFC), which is the largest fast-food chain operator in Philippines, has launched an investigation for an alleged data breach in its system that may have affected millions of its customers across the globe. The Jollibee probe was initiated after a threat actor claimed responsibility for breaching the systems of the Jollibee Foods Corporation. On June 21, The Cyber Express reported that a notorious attacker, operating under the alias “Sp1d3r”, claimed to have access to the sensitive data of 32 million customers of the fast food chain and offered to sell the database for $40,000 on the dark web. [caption id="attachment_78479" align="alignnone" width="1950"] Source: X[/caption]

Details of Jollibee Probe into Cyberattack

The Philippines National Privacy Commission (NPC) regulations make it mandatory for organizations in the country to report and inform stakeholders of cybersecurity incidents within 72 hours of discovery. A statement was released on June 22 by Richard Shin, Chief Financial Officer and Corporate Information Officer of JFC, which said that it was addressing “a cybersecurity incident” that reportedly affected the company, “in addition to other subsidiaries”. “The Company is addressing the incident and has implemented its response protocols and deployed enhanced security measures to further protect the Company’s and its subsidiaries’ data against threats. The Company has also launched its investigation on the matter to understand the scope of this incident, and is currently working with the relevant authorities and experts in its investigation,” the statement said. JFC, however, added that its e-commerce platforms and those of its subsidiaries’ brands remained unaffected by the cyberattack and continued to be operational. It added that the safety of data from stakeholders was paramount for the company. “JFC recognizes the value and importance of the confidentiality of personal information of its stakeholders. The Company assures the public of its commitment to prioritize the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defenses against future threats,” the company said. “The Company further assures the public that it continues to monitor and update its security measurements as appropriate under the circumstances, and as may be required by the results of its investigation into this matter,” it added. The fast-food delivery group urged the public to be vigilant and exercise good information security practices, including keeping passwords secure and changing them often.

Jollibee’s Cybersecurity Concerns  

The alleged data breach of the fast-food chain took place on popular data hack site BreachForums on June 20. The threat actor, “Sp1d3r”, claimed to have carried out a cyberattack and had gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. JFC, meanwhile, is investigating this alleged cyberattack on its brands and subsidiaries, including Greenwich, Red Ribbon, Burger King Philippines, and Highlands Coffee. This is not the first time that Jollibee has faced flak for its cybersecurity measures. In December 2017, JFC had informed of a data breach of its delivery website. The NPC had then warned that the data of 18 million customers was at “a very high risk” of being exposed. After an investigation, the NPC in May 2018 suspended Jollibee’s delivery website due to “serious vulnerabilities.” JFC also took down the delivery websites of its other brands. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Google has recently issued a warning regarding a critical security flaw affecting Google Pixel Firmware, which has been actively exploited as a zero-day vulnerability. Identified as CVE-2024-32896, this high-severity issue involves an elevation of privilege, potentially allowing attackers to gain unauthorized access on affected devices. Nature of the Memory-Related Vulnerability   The zero-day exploit in […]

The post Google Pixel Firmware Zero-Day Flaw Exploited And Patched appeared first on TuxCare.

The post Google Pixel Firmware Zero-Day Flaw Exploited And Patched appeared first on Security Boulevard.

UnitedHealth has, for the first time, detailed the types of medical and patient data stolen in the extensive cyberattack on Change Healthcare (CHC). The company announced that CHC cyberattack notifications will be mailed in July to affected individuals. "CHC plans to mail written letters at the conclusion of data review to affected individuals for whom CHC has a sufficient address. Please note, we may not have sufficient addresses for all affected individuals. The mailing process is expected to begin in late July as CHC completes quality assurance procedures," reads the official statement by Change Healthcare. UnitedHealth issued a data breach notification, revealing that the ransomware attack exposed a "substantial quantity of data" for a "substantial proportion of people in America." During a congressional hearing, UnitedHealth CEO Andrew Witty estimated that "maybe a third" of all Americans' health data was compromised in the attack.

Stolen Data Information in CHC Cyberattack

The Change Healthcare data breach notification provided a comprehensive overview of the types of information that may have been affected. Although CHC cannot confirm exactly what data was compromised for each individual, the exposed information may include:

1. Contact Information: Names, addresses, dates of birth, phone numbers, and email addresses.
2. Health Insurance Information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
3. Health Information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
4. Billing, Claims, and Payment Information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
5. Other Personal Information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.

This information may vary for each impacted individual. To date, CHC has not seen full medical histories appear in their data review. "The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review. Also, some of this information may have related to guarantors who paid bills for health care services. A guarantor is the person who paid the bill for health care services," the official statement reads further.

Cyberattack on Change Healthcare: What Exactly Happen?

The Change Healthcare cyberattack occurred when a cybercriminal gained unauthorized access to the CHC computer system on February 21, 2024. Upon discovering the ransomware deployment, CHC immediately took steps to halt the activity, disconnected and shut down systems to prevent further impact and initiated an investigation. Law enforcement was contacted, and CHC's security team, along with several top cybersecurity experts, worked tirelessly to address the breach and understand its scope. The investigation revealed that a significant amount of data was exfiltrated from CHC’s environment between February 17, 2024, and February 20, 2024. By March 7, 2024, CHC confirmed the data exfiltration and began analyzing the compromised files. On April 22, 2024, CHC publicly confirmed that the impacted data could affect a substantial proportion of the American population. As of June 20, 2024, CHC began notifying customers whose data was identified as compromised. When CHC learned about the activity, CHC immediately began an investigation with support from leading cybersecurity experts and law enforcement. In response to this incident, CHC immediately took action to shut down systems and sever connectivity to prevent further impact," informed Change Healthcare official release "CHC has also reinforced its policies and practices and implemented additional safeguards in an effort to prevent similar incidents from occurring in the future. CHC, along with leading external industry experts, continues to monitor the internet and dark web.

What Steps Affected Individuals Can Take

While the investigation continues, individuals who suspect their information may have been compromised can take several steps to protect themselves:

1. Enroll in Credit Monitoring and Identity Protection: CHC is offering two years of complimentary credit monitoring and identity protection services.
2. Monitor Statements and Reports: Regularly check explanations of benefits from health plans, statements from healthcare providers, bank and credit card statements, credit reports, and tax returns for any unfamiliar activity.
3. Report Unfamiliar Health Services: If any unauthorized healthcare services are found on an explanation of the benefits statement, contact the health plan or doctor.
4. Alert Financial Institutions: Immediately contact financial institutions or credit card companies if suspicious activity is detected on bank or credit card statements or tax returns.
5. File a Police Report: Contact local law enforcement if you believe you are a victim of a crime.

Individuals may also have additional rights depending on their state of residence and should refer to the provided Reference Guide for more information. The ransomware attack on CHC has highlighted significant vulnerabilities in the handling of sensitive health and personal information. As the investigation progresses, affected individuals are urged to stay vigilant and utilize the resources provided to mitigate potential risks.

ECU Worldwide, a global player in Less than Container Load (LCL) consolidation, has appointed Rajneesh Garg as its new Chief Information Officer (CIO). In his new role, Garg will focus on managing and supporting software applications, leading technology transformation initiatives, and ensuring their successful implementation and adoption. He will work closely with the IT group shared services organization and report to Kapil Mahajan, Global CIO of Allcargo Group, from the company's Mumbai headquarters. "I am excited to be a part of ECU Worldwide known for its vision of a digital-first approach to build unmatched customer centricity at a global scale,” said newly appointed CIO, Garg. He added further, “The role gives me an opportunity to leverage my know-how to drive the growth journey of the company led under the leadership of Founder and Chairman Mr. Shashi Kiran Shetty, which is based on sustainability, superior customer experience, and futuristic approach. I look forward to working with the Allcargo Group to contribute to ECU Worldwide's growth journey.”

Rajneesh Garg Extensive Background

Garg brings over 20 years of leadership experience across various sectors, including banking, insurance, travel, hospitality, manufacturing, energy resources, and retail. Before joining ECU Worldwide, he was Vice President of Information Technology at Capgemini, overseeing regional delivery and growth for consumer products and retail accounts in the Nordic region. Garg holds a postgraduate degree in computer science from Moscow State University in Russia and has also worked in senior leadership roles at Tata Consultancy Services for over two decades. "With his extensive and diversified leadership experience in various sectors, Rajneesh will be instrumental in driving our technology transformation forward. His strategic vision aligns with our efforts to fortify ECU Worldwide's IT division as we pursue our ambitious growth and expansion strategies. We are confident that under Garg's leadership, our IT division will continue to break new ground in offering superior customer experience. We look forward to working with him as we embark on the next phase of growth,’’ said Kapil Mahajan, Global Chief Information Officer, Allcargo Group.

Way Forward

Founded in 1987, ECU Worldwide is a wholly-owned global subsidiary of Allcargo Logistics. The company is a major player in multi-modal transport and a leader in LCL consolidation. ECU Worldwide operates with a digital-first approach and is supported by leaders with expertise in logistics, data science, and technology. The appointment of Garg as CIO is a significant step for ECU Worldwide. His extensive experience and strategic approach are expected to drive the company’s technology initiatives and support its growth in the global LCL market. Garg's collaboration with the Allcargo Group leadership aims to bring technological advancements and improvements to ECU Worldwide's services and operations.

Following the massive cyberattack on Turkish cryptocurrency exchange BtcTurk, Binance has joined efforts to investigate the incident and has frozen over $5.3 million in stolen funds. Binance CEO Richard Teng confirmed this intervention on X, sharing operation details. The BtcTurk cyberattack, which occurred on June 22, 2024, targeted BtcTurk's hot wallets, exposing vulnerabilities in the exchange's internet-connected software-based crypto wallets. [caption id="attachment_78617" align="alignnone" width="738"] Source: X[/caption] BtcTurk reassured its users in a statement on its website and denoted that most assets stored in cold wallets remained secure, safeguarding the bulk of its users' holdings. Binance CEO Richard Teng stated on X that their team is actively supporting BtcTurk in their investigation and pledged to provide updates as their security teams uncover more information. 

Decoding the BtcTurk Cyberattack

Cryptocurrency investigator ZachXBT hinted at a potential link between the BtcTurk breach and a $54 million Avalanche transfer. The transfer, involving 1.96 million AVAX to Coinbase and subsequent Bitcoin withdrawals from Binance, coincided suspiciously with the timing of the cyberattack on BtcTurk. [caption id="attachment_78620" align="alignnone" width="755"] Source: X[/caption] Despite the setback, BtcTurk announced plans to gradually restore crypto deposit and withdrawal services once their cybersecurity measures are completed. They emphasized that their financial resilience surpasses the amount lost in the attack, ensuring that user assets remain unaffected. “Our teams have detected that there was a cyber attack on our platform on June 22, 2024, which caused uncontrolled footage to be taken. Only some of the balances in the hot wallets of 10 cryptocurrencies were affected by the cyber attack in question, and our cold wallets, where most of the assets are kept, are safe. BtcTurk's financial strength is well above the amounts affected by this attack, and user assets will not be affected by these losses”, reads the organization's statement. 

Mitigation Against the Cyberattack on BtcTurk

The BtcTurk cyberattack specifically impacted deposits of various cryptocurrencies, including Bitcoin (BTC), Aave (AAVE), Algorand (ALGO), Ankr (ANKR), Cardano (ADA), Avalanche (AVAX), ApeCoin (APE), Axie Infinity (AXS), Chainlink (LINK), Cosmos (ATOM), Filecoin (FIL), among others, says BtcTurk's. “Our teams are carrying out detailed research on the subject. At the same time, official authorities were contacted. As a precaution, cryptocurrency deposits and withdrawals have been stopped and will be made available for use as soon as our work is completed. You can follow the current status of the transactions on https://status.btcturk.com”, concludes the statement.  As investigations continue, both BtcTurk and Binance are working diligently to mitigate the impact of the cyberattack and strengthen their security protocols to prevent future incidents. Users are encouraged to monitor official channels for updates on the situation. By collaborating and taking swift action, Binance and BtcTurk aim to uphold trust within the cryptocurrency community while enhancing the resilience of their platforms against online threats.

Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime , Healthcare , Industry Specific Battle the Business Model With Business Resilience Planning, Failover Capabilities Mathew J. Schwartz (euroinfosec) • June 21, 2024     We shouldn’t become numb to the human cost of ransomware. (Image: Shutterstock) Never let ransomware become normalized. As Britain’s National Health […]

La entrada As Britain’s NHS Faces Data Leak, Never Normalize Ransomware – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime , Ransomware Different Countries Have Different Levels of Law Enforcement Involvement Sally Adam • June 20, 2024     In the early years of ransomware, many victims were reluctant to admit publicly that they had been hit for fear of negative press and customer attrition. See […]

La entrada Law Enforcement’s Role in Remediating Ransomware Attacks – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Cloud Security , Network Detection & Response , Next-Generation Technologies & Secure Development How Gigamon’s Technical Capabilities Boost Organizations’ Cybersecurity Information Security Media Group • June 20, 2024     Network security threats are ever-evolving, and all types of organizations work hard to face down emerging threats while maintaining robust […]

La entrada Corpay, UHN Secure Hybrid Cloud Infrastructure With Gigamon – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Finance & Banking , Fraud Management & Cybercrime , Fraud Risk Management It’s Time for Big Tech to Be Held Accountable for Rampant Online Fraud Suparna Goswami (gsuparna) • June 19, 2024     From account takeover threats to fake investment schemes, you don’t have to spend much time on […]

La entrada Ever Tried to Report a Scam on Facebook? Good Luck! – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.