Crypto scammers hijacked Channel 7 News Australia's YouTube account to run a live stream of an Elon Musk deepfake on loop. The AI-generated version of the business tycoon was seen luring users to scan a QR code and invest in a money-doubling scheme through cryptocurrency. The news and media company is investigating claims even as traces of account takeover persist at the time this article was published.

Crypto Scammers Shift to Deepfake Deployment

Crypto scammers hijacking social media accounts of popular brands and celebrities on platforms like YouTube and X is not a novel thing. But what transpired on Thursday could very well be a snippet of things to come as we move towards the Age of AI.

Crypto scammers first took over the YouTube account of Channel 7 News and modified it in a way that it masqueraded the official Tesla channel.

[caption id="attachment_79292" align="aligncenter" width="300"] Hijacked Channel 7 News' YouTube Account Screenshot (Source: Reddit)[/caption]

After making aesthetic changes to the YouTube account, the crypto scammers replaced the videos in the channel with a deepfake live stream of Tesla chief Elon Musk. The AI-generated Musk was seen encouraging viewers to scan a QR code and invest in cryptocurrency.

[caption id="attachment_79296" align="aligncenter" width="600"] Musk's Deepfake Asking Users to Scan or Regret (Source: Reddit)[/caption] As per local media, the Musk deepfake said, "All you need to do is scan the QR code on the screen, go to the website and watch your cryptocurrency double. Today's event is a chance for all crypto enthusiasts and users to double their assets."

"This is an opportunity that cannot be missed." - Elon Musk Deepfake

The deepfake video was made in a way that Musk's AI version even interacted with the audience, where he continued to say that twice as much would return to investors' wallets.

The Channel 7 News has several region- and programming-specific YouTube channels, and most of them seemed to be hijacked at present, with all of them running the same deepfake live stream on loop. The page is no longer accessible via direct links from the company website, but as pointed by a Reddit user, if you go to the YouTube channel via the platform's search, it still displays the changes made by crypto scammers, which is a Tesla logo as seen in the images above.

Experts, Leaders Press for Deep Fake Regulations

Owing to the menace of deepfakes, nearly 1,500 AI and tech experts in February urged global regulation of deepfakes to curb risks like fraud and political disinformation. An open letter recommends that lawmakers criminalize deepfake child pornography, penalize creators and facilitators of harmful deepfakes, and hold software developers accountable.

"The whole deepfake supply chain should be held accountable, just as they are for malware and child pornography." - The Open Letter

Legal experts and technologists have also previously urged the U.S. Congress to regulate the use of deepfake technologies and provide new protections particularly for women and minority communities against the use of digitally manipulated media. Experts warned that the deceptive content is already affecting national security, personal privacy and public trust.

A coordinated international police operation led by Interpol has resulted in the disruption of global online scam networks that carried out phishing, investment fraud, romance and impersonation scams and operated fake online shopping sites. The global operation, codenamed “First Light,” led to the seizure of assets amounting to $257 million and froze more than 6,700 bank accounts linked to the online scam syndicates. Under the banner of Operation First Light 2024, the police also arrested a total of 3,950 suspects and identified another 14,643 as likely members of the global online scam syndicates.

“By confiscating such large amounts of money, and disrupting the networks behind them, we not only safeguard our communities but also deal a significant blow to the transnational organized crime groups that pose such a serious threat to global security.” - Director of Interpol’s Financial Crime and Anti-Corruption Centre (IFCACC), Dr Isaac Kehinde Oginni

Global Online Scam Crackdown Impact

The impact of this police operation against global online scam is “more than just numbers – they represent lives protected, crimes prevented, and a healthier global economy worldwide,” Oginni said. Interpol’s Global Rapid Intervention of Payments (I-GRIP) mechanism traced and intercepted the illicit proceeds from online scams across borders in both, fiat currency cash ($135 million) and cryptocurrency ($2 million). An example of this interception was a business email compromise fraud that involved a Spanish citizen who unwittingly transferred $331,000 to Hong Kong, China, the Interpol said. In another case, the Australian authorities successfully recovered AU$ 5.5 million (approximately $3.7 million) for an impersonation scam victim, after the online scammers fraudulently transferred the funds to Malaysia and Hong Kong-based bank accounts. The global nature of online scams was underscored by the operation’s diverse participants. From rescuing 88 young people forced to work in a Namibian scam ring to preventing a tech support scam targeting a senior citizen in Singapore, Operation First Light 2024 showcased the importance of international cooperation. Operations of First Light have been coordinated since 2014 and are designed to fight social engineering and telecom fraud. The operation is funded by China’s Ministry of Public Security and coordinated by Interpol. [caption id="attachment_79238" align="aligncenter" width="1024"] Operation First Light conclusion meeting in Tianjin, China (Source: Interpol)[/caption] In 2022, First Light saw a coordinated effort between law enforcement of 76 countries that resulted in the seizure of $50 million worth of illicit funds that was defrauded from more than 24,000 victims. “The world is grappling with the severe challenges of social engineering fraud, and organized crime groups are operating from Southeast Asia to the Middle East and Africa, with victims on every continent,” Oginni said.

“No country is immune to this type of crime, and combating it requires very strong international cooperation.” - Dr Isaac Kehinde Oginni

Investment and Phishing Scams Top Threats to U.S.

According to FBI's Internet Crime report (IC3), Investment scams led to the highest reported losses in the United Stated last year. Totaling $4.57 billion, investment scams saw a 38% increase from 2022. Crypto-investment fraud also rose 53% to $3.94 billion. Scammers mainly targeted individuals aged 30-49 in these scam types. Phishing schemes, on the other hand, were the most reported crime in 2023, with over 298,000 complaints, comprising 34% of all complaints received. In the FBI San Francisco division, there were 364 complaints with nearly $1.5 million in losses. Santa Clara County had the most complaints, while Alameda County had the highest losses at $500,000.

Experts are raising eyebrows after OpenAI announced a one-month delay in the rollout of its highly anticipated “Voice Mode” feature for ChatGPT, citing safety concerns. The company said it needs more time to ensure the model can “detect and refuse certain content.”

“We’re improving the model’s ability to detect and refuse certain content. We’re also working on enhancing the user experience and scaling our infrastructure to support millions of users while maintaining real-time responses.” - OpenAI

The stalling of the rollout comes a month after OpenAI announced a new safety and security committee that would oversee issues related to the company’s future projects and operations. It is unclear if this postponement was suggested by the committee or by internal stakeholders.

Features of ChatGPT’s ‘Voice Mode’

OpenAI unveiled its GPT-4o system in May, boasting significant advancements in human-computer interaction. “GPT-4o (‘o’ for ‘omni’) is a step towards much more natural human-computer interaction,” OpenAI said at the time. The omni model can respond to audio inputs at an average of 320 milliseconds, which is similar to the response time of humans. Other salient features of the “Voice Mode” promise real-time conversations with human-like emotional responses, but this also raises concerns about potential manipulation and the spread of misinformation. The May announcement gave a snippet at the model’s ability to understand nuances like tone, non-verbal cues and background noise, further blurring the lines between human and machine interaction. While OpenAI plans an alpha release for a limited group of paid subscribers in July, the broader rollout remains uncertain. The company emphasizes its commitment to a “high safety and reliability” standard but the exact timeline for wider access hinges on user feedback.

The ‘Sky’ of Controversy Surrounding ‘Voice Mode’

The rollout delay of “voice mode” feature of ChatGPT follows the controversy sparked by actress Scarlett Johansson, who accused OpenAI of using her voice without permission in demonstrations of the technology. OpenAI refuted the claim stating the controversial voice of “Sky” - one of the five voice modulation that the Voice Mode offers for responses – belonged to a voice artist and not Johansson. The company said an internal team reviewed the voices it received from over 400 artists, from a product and research perspective, and after careful consideration zeroed on five of them, namely Breeze, Cove, Ember, Juniper and Sky. OpenAI, however, did confirm that its top boss Sam Altman reached out to Johannson to integrate her voice.

“On September 11, 2023, Sam spoke with Ms. Johansson and her team to discuss her potential involvement as a sixth voice actor for ChatGPT, along with the other five voices, including Sky. She politely declined the opportunity one week later through her agent.” - OpenAI

Altman took a last chance of onboarding the Hollywood star this May, when he again contacted her team to inform the launch of GPT-4o and asked if she might reconsider joining as a future additional voice in ChatGPT. But instead, with the demo version of Sky airing through, Johannson threatened to sue the company for “stealing” her voice. Owing to the pressure from her lawyers, OpenAI removed the Sky voice sample since May 19.

“The voice of Sky is not Scarlett Johansson's, and it was never intended to resemble hers. We cast the voice actor behind Sky’s voice before any outreach to Ms. Johansson. Out of respect for Ms. Johansson, we have paused using Sky’s voice in our products. We are sorry to Ms. Johansson that we didn’t communicate better.” – Sam Altman

Although the issue seems to have resolved for the time being, this duel between Johannson and Altman brought to the fore the ethical considerations surrounding deepfakes and synthetic media.

Likely Delays in Apple AI and OpenAI Partnership Too

If the technical issues and the Sky voice mode controversy weren’t enough, adding another layer of complication to OpenAI’s woes is Apple’s recent brush with EU regulators that now casts a shadow over the future of ChatGPT integration into Apple devices. Announced earlier this month, the partnership aimed to leverage OpenAI's technology in Cupertino tech giant’s “Apple Intelligence” system. However, with Apple facing potential regulatory roadblocks under the EU’s Digital Markets Act (DMA), the integration’s fate remains unclear. This confluence of factors – safety concerns, potential for misuse, and regulatory hurdles – paints a complex picture for OpenAI's “Voice Mode.” The cybersecurity and regulatory industry will undoubtedly be watching closely as the technology evolves, with a keen eye on potential security vulnerabilities and the implications for responsible AI development.

A U.S. grand jury has indicted a Russian citizen, Amin Timovich Stigal, for allegedly conspiring with Russia's military intelligence agency (GRU) to launch cyberattacks crippling Ukrainian government systems and data ahead of Russia's full-scale invasion in February 2022.

The indictment, unsealed yesterday in Maryland, sheds light on a coordinated effort to disrupt critical Ukrainian infrastructure and sow panic among the population.

“As alleged, the defendant conspired with Russian military intelligence on the eve of Russia’s unjust and unprovoked invasion of Ukraine to launch cyberattacks targeting the Ukrainian government and later targeting its allies, including the United States.” - Attorney General Merrick B. Garland

Attacker Aimed for 'Complete Destruction' in Cyberattacks Targeting Ukraine

Stigal, 22, who remains at large, was charged for his alleged role in using a deceptive malware strain called "WhisperGate" to infiltrate dozens of Ukrainian government networks, including ministries, state services, and critical infrastructure entities. Disguised as ransomware, WhisperGate reportedly went beyond data encryption, aiming for complete destruction of targeted systems and data.

The attacks coincided with the defacement of Ukrainian websites displaying threatening messages designed to intimidate the public. Sensitive data, including patient health records, was exfiltrated and offered for sale online, further amplifying the chaos.

U.S. Critical Infrastructure Targeted Too

But the malicious campaign wasn't limited to cyberattacks targeting Ukraine. The indictment broadens the scope beyond Ukraine, revealing attempts to probe U.S. government networks in Maryland using similar tactics.

“These GRU actors are known to have targeted U.S. critical infrastructure. During these malicious cyber activities, GRU actors launched efforts to scan for vulnerabilities, map networks, and identify potential website vulnerabilities in U.S.-based critical infrastructure – particularly the energy, government, and aerospace sectors.” - Rewards for Justice

The scope of the malicious campaign highlights the potential wide-ranging objectives of the GRU cyber campaign and the ongoing threat posed by nation-state actors.

Reward Offered for Info Leading to Capture

The Justice Department emphasized its commitment to holding accountable those responsible for Russia's malicious cyber activity. The indictment carries a maximum sentence of five years, but international cooperation remains crucial to apprehend Stigal.

The U.S. Department of State's Rewards for Justice program is offering a significant reward – up to $10 million – for information leading to Stigal's capture or the disruption of his cyber operations. This substantial reward underscores the seriousness of the charges and the international effort to dismantle Russia's cyber warfare apparatus.

This case serves as a stark reminder of the evolving cyber threat landscape. The destructive capabilities of malware like WhisperGate, coupled with the targeting of critical infrastructure necessitates vigilance and collaboration between governments and security professionals to defend against nation-state cyberattacks.

“Malicious cyber actors who attack our allies should know that we will pursue them to the full extent of the law,” said Erek L. Barron, U.S. Attorney for the District of Maryland. “Cyber intrusion schemes such as the one alleged threaten our national security, and we will use all the technologies and investigative measures at our disposal to disrupt and track down these cybercriminals.”

Who is Amin Stigal?

The U.S. linked 22-year-old Amin Stigal to the Russian GRU and labelled him for his involvement in the WhisperGate malware operations. But who is Amin Stigal and what is the extent of his involvement? [caption id="attachment_79079" align="aligncenter" width="947"] Source: Rewards for Justice[/caption] The U.S. authorities, along with the $10 million bounty, released scarce but very important details on Stigal's cyber trail - his aliases or the threat group names with whom he is affiliated. The Cyber Express did an open-source intelligence (OSINT) study on these aliases and found the following details on Amin Stigal's cyber activities:

DEV-0586/Cadet Blizzard

Microsoft first tracked this threat actor as DEV-0586 and observed its destructive malware targeting Ukrainian organizations in January 2022. The tech giant later in April 2023 shifted to a new threat actor-naming taxonomy and thus named the TA "Cadet Blizzard." Cadet Blizzard has been operational since at least 2020 and has initiated a wave of destructive wiper attacks against Ukraine in the lead up to Russia's February 2022 invasion of Ukraine. Specifically, it created and developed WhisperGate, a wiper that deletes the master boot record, Microsoft said.

EMBER BEAR

Crowd Strike tracked this threat actor as EMBER BEAR (aka Lorec Bear, Bleeding Bear, Saint Bear) and linked it to an adversary group that has operated against government and military organizations in eastern Europe since early 2021. The likely motive of this TA is to collect intelligence from target networks, the cybersecurity firm said. EMBER BEAR primarily weaponized the access and data obtained during their intrusions to support information operations (IO), according to CrowdStrike. Their aim in employing this tactic was to create public mistrust in targeted institutions and degrade respective government's ability to counter Russian cyber operations.

UAC-0056

The Computer Emergency Response Team of Ukraine tracked this Russian-linked threat actor/group as UAC-0056 and observed its malicious campaigns targeting Ukraine through phishing campaigns in July 2022. In the discovered attack, threat actors sought to disrupt the integrity and availability of government websites by exploiting several backdoors and deploying Cobalt Strike Beacon malware. The threat actors communicated with the web shell using IP addresses, including those belonging to neighboring devices of other hacked organizations due to their previous account abuse and additional VPN connection to the corresponding organizations. The hackers also applied other malware samples in this campaign including the GOST (Go Simple Tunnel) and Ngrok utilities, to deploy the HoaxPen backdoor.

What is WhisperGate Malware?

WhisperGate is a destructive malware that is seemingly designed like a ransomware, but it is not. Unlike ransomware, which encrypts data and demands a ransom for decryption, WhisperGate aimed to completely destroy data, rendering the infected systems inoperable. It first targeted Ukrainian organizations in January 2022 and ever since continues to remain on the list of top malware variants used to target Kyiv.

Key Points on WhisperGate:

• Multi-stage Attack: It operated in stages, with the first stage overwriting the Master Boot Record (MBR) to prevent the system from booting normally and displaying a fake ransom note.
• Data Wiping: The MBR overwrite made data recovery nearly impossible.
• Motive: Experts believe the goal was data destruction, not financial gain, due to the lack of a real decryption method.
• Deployment: The malware resided in common directories like C:\PerfLogs and used a publicly available tool called Impacket to spread laterally within networks.

In a significant move to bolster data privacy protections, the California Privacy Protection Agency (CPPA) inked a new partnership with France’s Commission Nationale de l'Informatique et des Libertés (CNIL). The collaboration aims to conduct joint research on data privacy issues and share investigative findings that will enhance the capabilities of both organizations in safeguarding personal data. The partnership between CPPA and CNIL shows the growing emphasis on international collaboration in data privacy protection. Both California and France, along with the broader European Union (EU) through its General Data Protection Regulation (GDPR), recognize that effective data privacy measures require global cooperation. France’s membership in the EU brings additional regulatory weight to this partnership and highlights the necessity of cross-border collaboration to tackle the complex challenges of data protection in an interconnected world.

What the CPPA-CNIL Data Privacy Protections Deal Means

The CPPA on Tuesday outlined the goals of the partnership, stating, “This declaration establishes a general framework of cooperation to facilitate joint internal research and education related to new technologies and data protection issues, share best practices, and convene periodic meetings.” The strengthened framework is designed to enable both agencies to stay ahead of emerging threats and innovations in data privacy. Michael Macko, the deputy director of enforcement at the CPPA, said there were practical benefits of this collaboration. “Privacy rights are a commercial reality in our global economy,” Macko said. “We’re going to learn as much as we can from each other to advance our enforcement priorities.” This mutual learning approach aims to enhance the enforcement capabilities of both agencies, ensuring they can better protect consumers’ data in an ever-evolving digital landscape.

CPPA’s Collaborative Approach

The partnership with CNIL is not the CPPA’s first foray into international cooperation. The California agency also collaborates with three other major international organizations: the Asia Pacific Privacy Authorities (APPA), the Global Privacy Assembly, and the Global Privacy Enforcement Network (GPEN). These collaborations help create a robust network of privacy regulators working together to uphold high standards of data protection worldwide. The CPPA was established following the implementation of California's groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA). As the first comprehensive consumer privacy law in the United States, the CCPA set a precedent for other states and countries looking to enhance their data protection frameworks. The CPPA’s role as an independent data protection authority mirror that of the CNIL - France’s first independent data protection agency – which highlights the pioneering efforts of both regions in the field of data privacy. By combining their resources and expertise, the CPPA and CNIL aim to tackle a range of data privacy issues, from the implications of new technologies to the enforcement of data protection laws. This partnership is expected to lead to the development of innovative solutions and best practices that can be shared with other regulatory bodies around the world. As more organizations and governments recognize the importance of safeguarding personal data, the need for robust and cooperative frameworks becomes increasingly clear. The CPPA-CNIL partnership serves as a model for other regions looking to strengthen their data privacy measures through international collaboration.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Monday that a cyberattack in January may have compromised sensitive information related to the nation's chemical facilities. Initially reported in March, the attack exploited a vulnerability in Ivanti products, leading to the temporary shutdown of two systems. In an advisory this week, CISA detailed that the Chemical Security Assessment Tool (CSAT) was specifically targeted by the cyber intrusion, which occurred between January 23 and 26. CSAT contains highly sensitive industrial data, and while all information was encrypted, CISA warned affected participants of the potential for unauthorized access.

Potential Data Compromised in Chemical Facilities' Targeting

CISA's investigation found no direct evidence of data exfiltration but indicated that the hackers might have accessed critical information such as site security plans, security vulnerability assessments (SVAs), and user accounts within CSAT. Additionally, "Top-Screen surveys," which detail the types and quantities of chemicals, their properties, and storage methods at facilities, might have been exposed. High-risk chemical facilities are mandated to submit SVAs outlining their critical assets, cyber and physical security policies, and an analysis of potential vulnerabilities. Other compromised documents could include details on cybersecurity measures, alarms and physical barriers in place at these facilities.

CISA's Response and Recommendations

CISA has informed participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the potential data exposure. Although no credentials were confirmed to be stolen, CISA advises those with CSAT accounts reset any identical business or personal passwords. They also recommend organizations using Ivanti products review a February advisory about recent vulnerabilities. The agency cannot directly notify individuals submitted for terrorist vetting under the CFATS Personnel Surety Program because it did not collect their contact information. However, identity protection services will be offered to those affected, specifically those vetted between December 2015 and July 2023.

Investigation Findings

The breach was detected on January 26, when CISA discovered hackers installing tools on an Ivanti device. Further investigation revealed multiple accesses to the system over two days. Various departments within CISA and the Department of Homeland Security (DHS) were involved in the investigation, which confirmed no hacker access beyond the initial Ivanti device. Despite the absence of evidence for data exfiltration, the potential risk to numerous individuals and organizations categorized this intrusion as a "major incident" under the Federal Information Security Modernization Act (FISMA). CISA is setting up a call center to assist impacted individuals, although it is not yet operational. The agency did not comment on the perpetrators of the attack, but since 2020, CISA has cautioned organizations about state-sponsored hackers, including those linked to China, exploiting vulnerabilities in Ivanti products.

Experts Say More Transparency Required

Roger Grimes, a data-driven defense evangelist at KnowBe4, lauded CISA's intent and the fact that it publicly accepted the hack but said a bit more transparency would have done no harm.

"I'm a big fan of CISA. I think they do wonderful work. Still, it would be useful to have better, full transparency," Grimes told The Cyber Express. "Was their Ivanti device exploited by an unpatched, but known vulnerability, or exploited by a 0-day? If they were exploited by a known vulnerability where a patch was available, which is more likely, why wasn't the patch installed? Was it simply due to the fact that the exploit happened faster than the patch could be applied? Was the patch missed? If the patch was missed, why? Or was it a 0-day, misconfiguration, or credential compromise?"

"This is not to embarrass CISA, but to learn why one of the best, most aggressive patch-pushing, cyber-defending organizations in the world got compromised," Grimes added. "Sharing what happened and why can help other organizations facing similar problems and challenges learn lessons.

"CISA is always pushing for other industries and vendors to be more transparent about their compromises so that we can all learn from the lessons and mistakes. I expect CISA to do the same and even lead by example when it's their infrastructure involved."

After a 14-year legal battle, WikiLeaks founder Julian Assange walked out of the United Kingdom’s Belmarsh prison Monday morning, where he agreed to a plea deal with the United States. According to court documents, Assange agreed to plead guilty to a single charge of conspiracy to obtain and disclose national defense information, which violates espionage law in the United States. The sole charge carries a sentence of 62 months in prison, but under the plea deal the time he has already served in the UK prison — a little over 62 months — will be counted as time served. Thus, Assange will not be required to spend any more time behind bars in the U.S., the UK or anywhere else.

WikiLeaks and Human Rights Groups Celebrate Assange's Release

In a statement on platform X, WikiLeaks wrote, “Julian Assange is free.”

“He left Belmarsh maximum security prison on the morning of 24 June, after having spent 1901 days there. He was granted bail by the High Court in London and was released at Stansted airport during the afternoon, where he boarded a plane and departed the UK.” – WikiLeaks

Assange is being flown to Saipan, the capital of the Northern Mariana Islands and a U.S. commonwealth in the Western Pacific Ocean. The formal hearing and sentencing is set to take place in the U.S. District Court for the Northern Mariana Islands at 9 a.m. local time Wednesday. Assange was reluctant to fly to the mainland U.S., his prosecutors said, and thus Saipan was decided as an alternative due to its proximity with Australia. If the guilty plea is approved by the judge – as is expected – the WikiLeaks founder will head to Australia after the sentencing. Human rights organization Amnesty International’s Secretary General, Agnès Callamard welcomed the “positive news.”

“We firmly believe that Julian Assange should never have been imprisoned in the first place and have continuously called for charges to be dropped.” - Amnesty International’s Secretary General, Agnès Callamard 

“The years-long global spectacle of the US authorities hell-bent on violating press freedom and freedom of expression by making an example of Assange for exposing alleged war crimes committed by the USA has undoubtedly done historic damage,” Callamard said. “Amnesty International salutes the work of Julian Assange’s family, campaigners, lawyers, press freedom organizations and many within the media community and beyond who have stood by him and the fundamental principles that should govern society’s right and access to information and justice.” The Mexican President Andrés Manuel, sounded a similar sentiment and said:

“I celebrate the release of Julian Assange from prison. At least in this case, the Statue of Liberty did not remain an empty symbol; She is alive and happy like millions in the world.”

Brief Timeline of Julian Assange Espionage Case

Julian Assange, the founder and Editor-in-Chief of WikiLeaks, gained prominence after the site published more than 90,000 classified U.S. military documents on the Afghanistan war and about 400,000 classified U.S. documents on the Iraq war. After the release of these documents via WikiLeaks, Assange was indicted by the U.S. on 18 counts, including 17 espionage charges under the 1917 Espionage Act and one for computer misuse, where he allegedly gained unauthorized access to a government computer system of a NATO country. In 2012, Assange communicated directly with a leader of the hacking group LulzSec (who by then was cooperating with the FBI), and provided a list of targets for LulzSec to hack, the indictment said. With respect to one target, Assange asked the LulzSec leader to look for (and provide to WikiLeaks) mail and documents, databases and PDFs. In another communication, Assange told the LulzSec leader that the most impactful release of hacked materials would be from the CIA, NSA, or the New York Times. WikiLeaks obtained and published emails from a data breach committed against an American intelligence consulting company by an “Anonymous” and LulzSec-affiliated hacker. According to that hacker, Assange indirectly asked him to spam that victim company again. An August 2010 arrest warrant for sexual assault allegations in Sweden was initially dropped but later reopened, leading to an international arrest warrant against him. Assange then sought refuge in the Ecuadorian embassy in London. In 2019, Ecuador revoked his asylum, and he was arrested by London police and sentenced to 50 weeks in prison for breaching bail conditions. Swedish prosecutors dropped their case in 2019 because the passage of time had weakened evidence, but they said they retained confidence in the complainant.

Assange’s Freedom Starts ‘a New Chapter’

Stella Assange, the WikiLeaks founder’s wife, was elated and thanked everyone who stood by her husband. “Throughout the years of Julian’s imprisonment and persecution, an incredible movement has been formed. People from all walks of life from around the world who support not just Julian ... but what Julian stands for: truth and justice,” Stella Assange said. “What starts now with Julian’s freedom is a new chapter.” It will be interesting to see if Assange will be back at the helm of WikiLeaks and if he will keep his fight on against human right exploitations but for now it seems like he would be eager to reunite with his wife Stella Assange, and his children, “who have only known their father from behind bars.” Update* (June 25 1:30 p.m. ET): Added comments from Amnesty International’s Secretary General, Agnès Callamard and President of Mexico, Andrés Manuel.

After the Qilin ransomware gang last week published on its leak site a data subset as a proof of hacking Synnovis’ systems, the London-based pathology services provider has now confirmed its legitimacy saying the data belongs to its storage drive related to administrative work and contains fragments of patient identifiable data. Hackers that are linked to the Russian-linked Qilin ransomware gang published on Friday around 400 gigabytes of sensitive patient data, which they claimed included names, dates of birth, NHS numbers and descriptions of blood tests stolen from Synnovis’ systems. Following the data leak on the dark web, Synnovis confirmed on Monday that the published data was legitimate but noted it was too early to determine the full extent of the compromised information.

“Last week a group claiming responsibility for the cyberattack published data online. We have now been able to confirm that this data was stolen from Synnovis’ systems.” - Synnovis

An initial review from Synnovis over the weekend revealed no evidence that the Laboratory Information Management Systems (LIMS) - the primary databases for patient test requests and results - were posted. However, fragments of patient-identifiable data from an administrative working drive have been published, Synnovis said. The payroll information storage area remains unaffected but further review of employee-related data that appeared in the dataset published on the dark web is underway. Synnovis emphasized the priority of understanding the compromised administrative working drive. The company is working alongside technical experts to ascertain more details and mitigate concerns among service users, employees and partners. The Information Commissioner’s Office (ICO) is investigating the breach, acknowledging the sensitivity of the leaked data and the anxiety it may cause. “While we are continuing to make enquiries into this matter, we recognize the sensitivity of some of the information in question and the worry this may have caused,” the ICO said. The ICO advises concerned individuals to visit its website and NHS England’s site for guidance and support. NHS England continues collaborating with Synnovis and the National Crime Agency to address the ransomware attack. NHS England acknowledged Synnovis’ initial analysis that confirmed the published data originated from their systems. The complex nature of such investigations means it could take weeks to identify all impacted individuals, it said. As the investigation proceeds, NHS England and Synnovis will provide updates and have established a helpline for those affected. Local health systems are working together to manage the impact on patients and have deployed additional resources to ensure urgent blood samples are processed. Laboratories can now also access historical patient records, which aids continuity of care, NHS England said. The cyberattack has significantly delayed blood tests, with some media reports stating NHS patients potentially waiting up to six months for sample collection. Earlier, Synnovis said the ransomware attack had significantly brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day. The Guardian cited a letter to one of the patients from the impacted hospital being told:

“Sadly it appears it may be three to six months before bloods can be taken again. You will be put on a waiting list and our secretaries will contact you when bloods can be taken again. If you haven’t heard anything in the next four months please feel free to contact us on the details above. I want to apologise for this inconvenience and appreciate this will be frustrating.”

The pathology service provider was processing only “clinically critical” blood samples flagged by clinicians. These delays have prompted some patients to seek private clinics for faster testing and analysis that cost significantly high. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this month to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.

Last week's ransomware attack on software as a service (SaaS) provider CDK Global has had a ripple effect on its customers, as multiple car dealerships serving thousands of locations report disruptions in their filings with the U.S. Securities and Exchange Commission. The CDK ransomware attack has paralyzed thousands of car dealerships across North America, disrupting operations for some of the largest automotive retailers. The attack that began last Tuesday has impacted operations of major players such as Asbury Automotive Group, AutoNation, Group 1 Automotive, Lithia Motors, Penske, Sonic Automotive, and the number is expected to swell even more in coming days.

Systems Shut Down After Attack

CDK Global, a crucial provider of SaaS platforms for dealerships, was forced last week to shut down its systems in response to the cyberattack. With the work done so far, our core DMS and Digital Retailing solutions have been restored," a spokesperson for CDK Global told The Cyber Express at the time. "We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing." This shutdown has hindered dealerships' abilities to manage customer relationships, sales, financing, service, inventory, and back-office operations. CDK Global's systems are vital to over 15,000 car dealerships in North America. It facilitates various operations, including car sales, repairs and registrations. There are only a handful of DMS companies for dealers to choose from. Thus, thousands of dealerships are hugely reliant on CDK’s services to line up financing and insurance, manage inventory of vehicles and parts, and complete sales and repairs.

How CDK Global Cyberattack Impacts Customers

Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive have activated their incident response plans and disconnected from CDK systems as a precaution, although no evidence of compromise within their own networks was found. Sonic Automotive mentioned that as of Friday, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Group 1 Automotive noted that CDK aims to restore the dealer management system within "several days and not weeks," but the financial impact depends on the system's downtime duration. Group 1 owns and operates 202 automotive dealerships, 264 franchises, and 42 collision centers in the United States and the United Kingdom that offer 35 brands of automobiles.

CDK Customers Move to Manual Methods

Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but "slower than normal." It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.

CDK May Pay Ransom

Late on Friday, Bloomberg reported that CDK Global is negotiating with the a ransomware gang, which Bleeping later confirmed to be BlackSuit, a rebrand of the Royal ransomware group known for last year's attack on the city government of Dallas. Although the ransom amount remains undisclosed, CDK Global reportedly plans to pay, Bloomberg said. CDK Global has issued prerecorded messages to warn customers about hackers posing as CDK staff to gain unauthorized access. Despite making recovery progress last week, CDK faced a second cyber incident that led to a complete shutdown of its systems. The company is working with third-party experts to assess the impact and update its customers regularly. This attack exposes the critical vulnerabilities in the supply chain of the automotive industry and its reliance on centralized digital platforms.

A day after the Biden administration announced a U.S. ban on the sale of Kaspersky Lab products, the U.S. Treasury Department on Friday sanctioned a dozen top executives and senior leaders at the Russian cybersecurity company. Kaspersky took issue with the Biden administration's moves and said, "The decision does not affect the company’s ability to sell and promote cyber threat intelligence offerings and/or trainings in the U.S." The company said the action will instead benefit cybercriminals by restricting international cooperation between cybersecurity experts. The decision to ban Kaspersky is "based on the present geopolitical climate and theoretical concerns," the company said in a scathing response to the Commerce Department's ban. The sanctions represent the latest in a series of punitive measures against the Russian antivirus company, underscoring growing concerns about cybersecurity and national security risks associated with the firm's operations.

Details of the Kaspersky Sanctions

The Treasury Department’s Office of Foreign Assets Control (OFAC) specifically targeted key individuals within Kaspersky Lab, including the chief operating officer, chief legal officer, chief of human resources, and chief business development and technology officers, among others. [caption id="attachment_78565" align="aligncenter" width="588"] Source: U.S. Department of the Treasury[/caption] The Treasury added all the above individuals to its Specially Designated Nationals list. SDN is a list maintained by OFAC that publicly identifies persons determined by the U.S. government to be involved in activities that threaten or undermine U.S. foreign policy or national security objectives. Notably, the sanctions did not extend to Kaspersky Lab itself, its parent or subsidiary companies nor to its CEO Eugene Kaspersky. The sanctions came just a day after the U.S. Commerce Department issued a final determination to ban Kaspersky Lab from operating in the United States. This ban is rooted in longstanding concerns over national security and the potential risks to critical infrastructure. The Commerce Department also added three Kaspersky divisions to its entity list due to their cooperation with the Russian government in cyber intelligence activities. The U.S. government has been wary of Kaspersky Lab's ties to the Russian government, fearing that its software could be used to facilitate cyber espionage. Bloomberg in 2017 first reported it had seen emails between chief executive Eugene Kaspersky and senior Kaspersky staff outlining a secret cybersecurity project apparently requested by the Russian intelligence service FSB. Kaspersky refuted these claims, calling the allegations "false"  and "inaccurate." However, these concerns have led to a broader push to restrict the company's operations within the U.S. and to mitigate any potential threats to national security.

Kaspersky Lab’s Response

Kaspersky Lab has consistently denied any allegations of being influenced or controlled by any government. The company has pledged to explore all legal options in response to the Commerce Department’s ban and the recent sanctions imposed by the Treasury. In a statement, Kaspersky Lab reiterated its commitment to transparency and maintaining the trust of its users worldwide, emphasizing it has never assisted any government in cyber espionage activities. "Kaspersky does not engage in activities which threaten U.S. national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies," it said.

"Kaspersky provides industry-leading products and services to customers around the world to protect them from all types of cyber threats, and has repeatedly demonstrated its independence from any government." - Kaspersky Lab

The antivirus company claimed it has also implemented significant transparency measures that demonstrate its commitment to integrity and trustworthiness. But "the Department of Commerce’s decision unfairly ignores the evidence," Kaspersky said. The company said it also proposed a system in which the security of Kaspersky products could have been independently verified by a trusted third party.

"Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services."

However, Brian Nelson, Treasury’s Undersecretary for Terrorism and Financial Intelligence, stated, “Today’s action against the leadership of Kaspersky Lab underscores our commitment to ensure the integrity of our cyber domain and to protect our citizens against malicious cyber threats. The U.S. will take action where necessary to hold accountable those who would seek to facilitate or otherwise enable these activities.”

Implications and Future Actions

The sanctions against Kaspersky Lab’s leadership signal a broader strategy by the U.S. government to address cybersecurity threats posed by foreign entities. This approach is part of a larger effort to strengthen national security and protect critical infrastructure from potential cyberattacks.

Legal and Business Repercussions

Kaspersky Lab’s legal battles and its efforts to counteract these sanctions will be closely watched. The company's ability to operate in the international market could be significantly affected by these measures, impacting its business operations and customer trust.

Global Cybersecurity Landscape

This development also highlights the ongoing tensions in the global cybersecurity landscape, where national security concerns often intersect with business interests. The actions taken by the U.S. government may set a precedent for how other nations address similar concerns with foreign technology firms. The U.S. Treasury Department's decision to sanction senior leaders at Kaspersky Lab marks a pivotal moment in the ongoing scrutiny of the Russian cybersecurity firm. While Kaspersky Lab denies any wrongdoing and prepares to contest the sanctions legally, the actions taken by the U.S. government underscore a determined effort to mitigate potential cyber threats and protect national security. As the situation unfolds, it will have significant implications for both Kaspersky and the broader cybersecurity environment.

One of Australia’s largest telecommunications companies Optus could have averted the massive 2022 data breach that leaked nearly 9.5 million individuals’ sensitive personal information, the Australian telecom watchdog said. The Australian Communications and Media Authority in a filing with the Federal Court said, “[Optus] cyberattack was not highly sophisticated or one that required advanced skills.” Its investigation attributed the 2022 Optus data breach to an access control coding error that left an API open to abuse. The investigation details of ACMA comes weeks after the telecom watchdog took legal action against Optus, in the same court, for allegedly failing to protect customer data adequately.

Coding Error and API Mismanagement Led to Optus Data Breach

The ACMA claimed that Optus had access controls in place for the API but a coding error inadvertently weakened these controls allowing them to be bypassed. This error left the API vulnerable, especially since it was internet-facing and dormant for an extended period. The vulnerability was reportedly introduced through a coding error in September 2018 and was first noticed in August 2021. But this issue was only fixed for the main site – www.optus.com.au – and not the subdomain (likely api.www.optus.com.au) where the vulnerable API endpoint was hosted.

“The coding error was not identified by Optus until after the cyberattack had occurred in mid-September 2022. Optus had the opportunity to identify the coding error at several stages in the preceding four years including: when the coding change was released into a production environment in September 2018; when the Target Domain (and the Main Domain) became internet-facing through the production environment in June 2020; and when the coding error was detected for the main domain in August 2021.” – ACMA

But the company failed to do so causing alleged harm to more than one-third (approximately 36%) of the Australian population. The telco watchdog alleged that Optus’ failure to protect customer data constitutes a breach of its obligations under Australian law.

Optus’ Response to ACMA’s Allegations

Optus, in a statement to The Cyber Express, confirmed the vulnerability and provided details on the cyberattack. “The cyberattack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defenses that arose from a historical coding error,” said Interim CEO of Optus Michael Venter.

“This vulnerability was exploited by a motivated and determined criminal as they probed our defenses, and then exploited and evaded these defenses by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data. The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.” – Michael Venter, Interim CEO of Optus

Venter said following the 2022 Optus data breach, the company has reviewed and updated its systems and processes. It has invested in heightened cyber defenses to address the increased global cyber risk environment. The company expressed regret over the incident and emphasized its commitment to protecting customer data. “Our customers expected their information would remain safe. We accept that this did not happen, and the cyber attacker gained unauthorised access to some of their information,” Venter said. Optus suffered a major customer data breach in 2022 that gave malicious actors access to about 9.5 million former and current customers' sensitive information including names, birth dates, phone numbers, email addresses and, for a subset of customers (2,470,036), addresses and ID document numbers such as driver’s license or passport numbers. Of these, the hacker also released the personally identifiable information (PII) of 10,200 Optus customers on the dark web.

Deloitte Report Handed to the Federal Court

Post the hack, although the privacy commissioner and ACMC held detailed investigations, Optus itself commissioned an independent external review of the cyberattack. Despite attempts to keep the document confidential, the Australian federal court ordered Optus last month to file this report with the court, which is expected to provide crucial insights into the breach. “Optus is working with the ACMA and separately Slater and Gordon with the intention of providing them with a confidential version of the Deloitte Report that appropriately protects our customer data and systems from cybercriminals,” Venter told The Cyber Express. The forensic report prepared by Deloitte detailing the technical aspects of the breach was finally handed over to the federal court on Friday. The details revealed in this report will also be used in a separate class action against Optus.

“Much to do to Fully Regain our Customers’ Trust”

Optus has acknowledged the breach’s impact on customer trust, with Venter expressing deep regret for the incident. Optus has reimbursed 20,071 current and former customers for the cost of replacing identity documents. The company is also covering costs incurred by government agencies related to the breach. Optus has pledged to cooperate with the ACMA’s investigation and defend its actions in court, aiming to correct any misconceptions and improve its cybersecurity measures.

“Optus recognizes that we still have much to do to fully regain our customers’ trust and we will continue to work tirelessly towards this goal,” – Michael Venter

The Optus data breach highlights the critical importance of robust access controls and diligent monitoring of cybersecurity vulnerabilities. The incident serves as a cautionary tale for organizations worldwide to ensure comprehensive protection of sensitive data and maintain customer trust through proactive and transparent security practices. As the case progresses, it will provide further insights into the complexities of cybersecurity in the telecommunications sector and the measures necessary to prevent similar breaches in the future.

Crown Equipment, a global top five forklift manufacturer, was hit by a cyberattack that has disrupted its manufacturing operations for nearly two weeks. The company yesterday attributed the attack to an "international cybercriminal organization," raising speculation of a ransomware gang's involvement. The cyberattack has affected Crown's IT systems, employee workflows and overall business continuity for the second week running.

Crown Equipment Cyberattack Overview

Since approximately June 8th, Crown's employees reported a breach in the company's IT systems. This breach led to a complete shutdown of systems, preventing employees from clocking in their hours, accessing service manuals, and in some cases delivering machinery. In an internal email sent to employees, the heavy machinery manufacturer confirmed the cyberattack and advised employees to ignore multifactor authentication (MFA) requests and to be cautious of phishing emails.

"I currently work there. Everyone is scrambling, can't order parts except for TVH and that's strictly for emergencies. The company hasn't officially announced that it's been hacked but they keep pushing the importance of MFA. We can read between the lines." - Reddit User (Williams2242)

The company in its press release revealed that the breach necessitated the shutdown of their operating systems to investigate and resolve the issue without giving details on the hackers and their ransom demand, if any.

Crown Equipment Attack Details

Crown disclosed that many of their security measures were effective in limiting data access by the criminals. However, the breach likely occurred due to an employee not adhering to data security policies that resulted in unauthorized access to their device, according to a Reddit post.

"I heard someone got a call from a hacker pretending to be IT. They installed a fake VPN on their computer and got access to everything. They created a privileged account on the network that gave them access all the systems. The network went down Sunday and it's been down since with no ETA." - Reddit User (DragonflyJust2223)

This speculation suggests a social engineering attack where the threat actor installed remote access software on the employee's computer. BornCity, a website maintained by a German-speaking digital observer, first reported the possibility of a hack nearly a week ago. Citing a distant source who used to work at the manufacturing plant of Crown, BornCity said the problems were likely due to a 'coding bug.' "This had sent the Crown 360 (a service likely based on the Microsoft Cloud and Office 365) solution downhill – but I take that information not as reliable." Crown Equipment, however, did not confirm the speculation and thus the claims remain unverified.

Impact on Crown Equipment's Employees

Initially, Crown told employees they would need to file for unemployment or use their paid time off (PTO) and vacation days to receive pay for missed days. Last weekend, this directive was updated and the employees were asked to file for unemployment, after which several took to Reddit to vent their discontent.

"The fact that their not paying people for their mistake is straight bu****it. Crown pretends to be a family company but as soon as they need to support their "family" they shaft them. People need this money to live, while the owner can just sit back and chill with his multi-millions in the bank. Crown needs to take the hit and do the right thing." - Reddit User

Another said: [caption id="attachment_78309" align="aligncenter" width="1024"] Source: Reddit[/caption] However, Crown later decided to provide regular pay as an advance, allowing employees to compensate for the lost hours later. Despite this adjustment, employees expressed frustration over the lack of transparency and communication from the company during the incident. Crown Equipment has reportedly engaged some of the world’s top cybersecurity experts and the FBI to analyze the affected data and manage the aftermath of the attack. The company emphasized that there were no indications that employee personal information or data that could facilitate identity theft was targeted. The company is now in the process of restoring systems and transitioning back to normal business operations. They are also working closely with customers to minimize the disruption's impact on their operations. Although Crown did not specify the type of cyberattack, their description suggests a ransomware attack by an international cybercriminal organization. If confirmed, this implies that corporate data was likely stolen and could be leaked if the ransom demands are not met. As Crown continues to recover from this significant disruption, the incident serves as a reminder for companies worldwide to strengthen their cybersecurity protocols, including isolating critical workloads, invest in employee training to prevent social engineering attacks, and establish effective communication strategies for managing cyber incidents.

In a high-stakes clash within the crypto verse, Kraken, a leading U.S. cryptocurrency exchange, has accused blockchain security firm Certik of illicitly siphoning $3 million from its treasury and attempting extortion. The dispute shows the significant tensions between ethical hacking practices and corporate responses and underscores the complexities and challenges within the bug bounty ecosystem.

Accusations from Kraken

Nick Percoco, Kraken's chief security officer, took to social media platform X (formerly known as Twitter) to accuse an unnamed security research firm of misconduct. According to Percoco, the firm - later revealed to be Certik - breached Kraken’s bug bounty program rules. Instead of adhering to the established protocol of promptly returning extracted funds and fully disclosing bug transaction details, Certik allegedly withheld the $3 million and sought additional compensation, Percoco claimed. Percoco claimed that "the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets." He said that after contacting the researchers, instead of returning the funds they "demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!" Percoco said that in the decade-long history of Kraken’s bug bounty program, the company had never encountered researchers who refused to follow the rules. The program stipulates that any funds extracted during bug identification must be immediately returned and accompanied by a proof of concept. The researchers are also expected to avoid excessive exploitation of identified bugs. The dispute escalated as Certik reportedly failed to return the funds and accused Kraken of being “unreasonable” and unprofessional. Percoco responded that such actions by security researchers revoke their “license to hack” and classify them as criminals.

“As a security researcher, your license to “hack” a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your “license to hack”. It makes you, and your company, criminals.”

Certik's Response to Kraken

Following Kraken’s public accusations, Certik disclosed its involvement and countered Kraken’s narrative by accusing the exchange of making unreasonable demands and threatening its employees. Certik claimed Kraken demanded the return of a “mismatched” amount of cryptocurrency within an unfeasible timeframe without providing necessary repayment addresses. The company provided an accounting of its test transactions to support its claims. Certik shared its intent to transfer the funds to an account accessible to Kraken despite the complications in the requested amount and lack of repayment addresses.

“Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access.” - CertiK

CertiK’s Take on Kraken’s Defense Systems

Certik defended its actions and instead highlighted the inadequacy of Kraken’s defense systems. The firm pointed out that the continuous large withdrawals from different testing accounts, which were part of their testing process, should have been detected by Kraken’s security measures. Certik questioned why Kraken’s purportedly robust defense systems failed to identify such significant anomalies. “According to our testing result: The Kraken exchange failed all these tests, indicating that Kraken’s defense in-depth-system is compromised on multiple fronts. Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.” - CertiK The blockchain security firm said the fact behind their white hat operation is that “millions dollars of crypto were minted out of air, and no real Kraken user’s assets were directly involved” in these research activities. The firm also said that the dispute with the cryptocurrency exchange is actually shifting focus away from a more severe security issue at Kraken. “For several days, with many fabricated tokens generated and withdrawn to valid cryptos, no risk control or prevention mechanisms were triggered until reported by CertiK,” it said. “The real question should be why Kraken’s in-depth defense system failed to detect so many test transactions.” Regarding the money siphoned, Certik said, “Continuous large withdrawals from different testing accounts was a part of our testing.” With an aim of transparency, the security firm disclosed details of all testing deposit transactions and the timeline of how the bug bounty saga played out on X. [caption id="attachment_78192" align="aligncenter" width="698"] Timeline of the Kraken vs CertiK zero-day and bug bounty dispute (Source: CertiK on platform X)[/caption]

Disclosure of Product Flaws Treads a Fine Line

The news of the escalated dispute comes on the heels of another incident where a white hat hacker - after following bug bounty ethics - was threatened by the legal team of the company to “cease and desist.” Andrew Lemon, an offensive security expert, responsibly reported a critical vulnerability to an unnamed company that manufactured and sold a traffic control system. The vulnerability allowed a remote unauthenticated attacker to bypass security and gain full control of a traffic controller, giving them the ability to changing stoplights and modify traffic flow, Lemon explained in a LinkedIn post. But to Lemon’s surprise, instead of acknowledging and addressing the bug with the engineering team, its legal team threatened to sue him under the Computer Fraud and Abuse Act. “I Received a letter from a company's legal team instead of engineering after responsibly disclosing a critical vulnerability in a traffic control system I purchased from eBay,” he said. “The company's response? In order for them to acknowledge the vulnerability, hardware must be purchased directly from them or tested with explicit authorization from one of their customers, they threatened prosecution under the Computer Fraud and Abuse Act, and labeled disclosure as irresponsible, potentially causing more harm.” Security Engineer Jake Brodsky responded saying, “Legally they're not wrong for writing such a letter or even bringing a court case against the researcher. However, ethically, because it pits professional organizations against each other for no good reason, it is problematic.” Disclosure of product flaws treads a very fine line. On the one hand, nobody likes the publicity that follows. On the other hand, if nobody says anything, the only way we can improve is in the aftermath of an investigation where fortunes are lost and people get hurt.

Implications for the Bug Bounty Ecosystem

The Kraken-Certik dispute and the one highlighted by Andrew Lemon raises critical questions about the operational dynamics and ethical boundaries within bug bounty programs. These programs are designed to incentivize security researchers to identify and report vulnerabilities, offering financial rewards for their efforts. However, these cases reveal potential pitfalls when communication and mutual understanding between parties break down. The ethical framework of bug bounty programs relies on clear rules and mutual trust. Researchers must adhere to the program’s guidelines, including the immediate return of any extracted funds and full disclosure of their findings. On the other hand, companies must provide clear instructions and maintain professional interactions with researchers. There is a need for well-defined protocols and communication channels between companies and researchers. Ensuring transparency and clarity in expectations can prevent misunderstandings and conflicts, fostering a more cooperative environment for cybersecurity improvements.

Two weeks after the Australian privacy watchdog filed a lawsuit against Medibank for failure to protect personal information of its citizens in a 2022 data breach, the Information Commissioner's office this week made public a comprehensive analysis of the security failures that led to the incident. Medibank, a prominent Australian health insurance provider, faced a devastating cyberattack in October 2022 that compromised the personal data of 9.7 million current and former customers. According to the report from the Office of the Australian Information Commissioner (OAIC), the attack was likely caused by a lack of basic cybersecurity measures like requiring its workers to use multi-factor authentication to log onto its VPN.

The Sequence of Events in the Medibank Breach

The attack on Medibank began when an IT service desk operator at a third-party contractor used his personal browser profile on a work computer and inadvertently synced his Medibank credentials to his home computer. This home device was infected with information-stealing malware, which allowed hackers to obtain these credentials, including those with elevated access permissions. The attackers first breached Medibank’s Microsoft Exchange server using these credentials on August 12, 2022, before logging into Medibank’s Palo Alto Networks Global Protect VPN. Incidentally, the VPN did not require multi-factor authentication (MFA), making it easier for the attackers to gain access. It was only in mid-October that Medibank brought in a threat intelligence firm to investigate a Microsoft Exchange ProxyNotShell incident, when they discovered data was previously stolen in a cyberattack.

"During the Relevant Period, the Admin Account had access to most (if not all) of Medibank's systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases)." - the OAIC report.

Security Failures and Missed Alerts

Lack of Multi-Factor Authentication (MFA)

One of the critical failures in the Medibank breach was the health insurer’s neglect to implement MFA for VPN access. The OAIC report said that during the relevant period, the VPN was configured to allow access with just a device certificate or a username and password. It did not require the additional security layer provided by MFA. This oversight significantly lowered the barrier for unauthorized access.

Operational and Alert Management Failures

Despite receiving several security alerts from their Endpoint Detection and Response (EDR) software about suspicious activities on August 24 and 25, these alerts were not appropriately triaged or escalated. This delay allowed the attackers to continue their operations undetected for an extended period, which ultimately led to the exfiltration of approximately 520 gigabytes of sensitive data from the company's MARS Database and MPLFiler systems.

Data Compromised and Consequences

The stolen data included highly sensitive information such as customers' names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers and extensive health-related data. The exposure of such information has severe implications for the affected individuals, ranging from identity theft to potential misuse of medical data in various frauds and scams. The attackers linked to the ransomware gang BlogXX, which is believed to be an offshoot of the notorious REvil group, leaked the data on the dark web. This incident not only caused significant distress to millions of Australians but also highlighted the grave consequences of inadequate cybersecurity measures.

Legal and Regulatory Actions Follow

The OAIC said that Medibank was aware “of serious deficiencies in its cybersecurity and information security,” prior to the hack. For example, citing an Active Directory Risk Assessment report from Datacom in June 2020, OAIC said Medibank had an excessive number of individuals who had access to Active Directory (being the Microsoft directory service used for management of all Medibank users, group policies and domains).

"A number of individuals had been given excessive privileges to perform simple daily routines, and that MFA had not been enabled for privileged and nonprivileged users which was described as a “critical” defect."

Given the nature and the volume of the data Medibank stores and collects, “it was reasonable” for the company to adopt the security measures recommended by Australia’s privacy regulator, but “these measures were not implemented, or, alternatively, not properly implemented or enforced, by Medibank,” OAIC said.

Thus, in response to the breach and the negligence that led to it, Australia's data protection regulator OAIC, announced legal action against Medibank for failing to protect personal information. The company faces potential fines exceeding AU$2 million.

A spokesperson for the health insurer did not detail the plan of action against the lawsuit but earlier told The Cyber Express that ”Medibank intends to defend the proceedings.”

Medibank Hacker Sanctioned and Arrested

Earlier this year, the U.S., Australia, and the U.K. sanctioned Aleksandr Gennadievich Ermakov, believed to be behind the 2022 Medibank hack. Ermakov, also known by aliases such as AlexanderErmakov and JimJones, was subsequently arrested by Russian police along with two others for violating Article 273, which prohibits creating or spreading harmful computer code. Extradition of Ermakov is unlikely given the current political climate.

Lessons and Recommendations

The Medibank breach underscores several critical lessons for organizations regarding cybersecurity: 1. Implementation of Multi-Factor Authentication: Utilizing MFA for all access points, especially VPNs, is essential. MFA adds an additional layer of security, making it significantly harder for attackers to exploit stolen credentials. 2. Proper Alert Management: Organizations must ensure that security alerts are promptly and effectively managed. Implementing robust procedures for triaging and escalating suspicious activities can prevent prolonged unauthorized access. 3. Regular Security Audits: Conducting regular security audits to identify and rectify vulnerabilities is crucial. These audits should include evaluating the effectiveness of existing security measures and compliance with best practices. 4. Employee Training: Continuous training for employees on cybersecurity best practices, including safe browsing habits and the importance of using corporate credentials responsibly, is vital to minimize the risk of breaches originating from human error.

After unearthing a malware campaign targeting ESXi hypervisors two years ago, researchers have now revealed extensive details into their investigation of UNC3886, a suspected China-nexus cyberespionage group targeting strategic global organizations. In January 2023, Google-owned cybersecurity firm Mandiant identified that UNC3886 had exploited a now-patched FortiOS vulnerability. In March 2023, further analysis revealed a custom malware ecosystem affecting Fortinet devices with compromised VMware technologies facilitating access to guest virtual machines.

Persistent and Evasive Techniques of UNC3886 Group

UNC3886 demonstrated sophisticated and cautious approaches by employing multiple layers of persistence across network devices, hypervisors and virtual machines to maintain long-term access, Mandiant said in its detailed analysis. The threat group's strategies include:

• Using publicly available rootkits like REPTILE and MEDUSA for long-term persistence.
• Deploying malware that leverages trusted third-party services for command and control (C2) communications.
• Installing Secure Shell (SSH) backdoors to subvert access and collect credentials.
• Extracting credentials from TACACS+ authentication using custom malware.

[caption id="attachment_77918" align="aligncenter" width="1024"] UNC3886 Attack Lifecycle (Source: Mandiant)[/caption]

Initial Access through Zero-Days

Mandiant's earlier findings detailed UNC3886's exploitation of CVE-2023-34048, an out-of-bounds write vulnerability in the implementation of the DCERPC protocol in VMware's vCenter Server. This critical-rated flaw allowed unauthenticated malicious actor remote command execution on vCenter servers. Additional zero-day vulnerabilities exploited included:

• CVE-2022-41328 in FortiOS for executing backdoors on FortiGate devices. CVE-2022-22948 in VMware vCenter to access encrypted credentials in vCenter's postgres DB. CVE-2023-20867 in VMware Tools for unauthenticated guest operations from ESXi host to virtual machines.

Rootkits and Malware

The deeper investigation into UNC3886's operations also revealed their expansive malware arsenal that includes customized open-source variants.

REPTILE Rootkit

REPTILE, an open-source Linux rootkit, was heavily utilized by UNC3886 for its backdoor and stealth functionalities, enabling the threat actor to maintain undetected access to compromised systems. Key components include:

• REPTILE.CMD: A user-mode component for hiding files, processes, and network connections. REPTILE.SHELL: A reverse shell backdoor activated by specific network packets. Kernel-Level Component: A loadable kernel module (LKM) for achieving rootkit functionality. LKM Launcher: A custom launcher for loading the kernel module into memory.

UNC3886 modified REPTILE for persistence and stealth using unique keywords and customized scripts to evade detection.

MEDUSA Rootkit

MEDUSA employs dynamic linker hijacking to log user credentials and command executions, which complements UNC3886’s strategy of using valid credentials for lateral movement. Deployment on MEDUSA involved a customized installer  called "SEAELF" and modified configuration files.

Malware Leveraging Trusted Third-Party Services

MOPSLED is a modular backdoor that communicates over HTTP or a custom binary protocol, retrieving plugins from its C2 server. It was shared among Chinese cyberespionage groups and used by UNC3886 primarily on vCenter servers. RIFLESPINE is a backdoor that uses Google Drive for command and control communication and executes commands from encrypted files. It relied on "systemd" for persistence but was less favored due to its detectable nature.

Network Reconnaissance and Lateral Movement

UNC3886 has employed internal reconnaissance and lateral movement techniques using custom tools like LOOKOVER to capture TACACS+ credentials. Backdoored TACACS+ binaries further facilitated unauthorized access and credential logging.

VMCI Backdoors

UNC3886 also used VMCI backdoors for communication between guest and host systems, enhancing their control over compromised environments. Notable VMCI backdoors included:

• VIRTUALSHINE: Provided access to a bash shell via VMCI sockets. VIRTUALPIE: A Python-based backdoor supporting file transfer, command execution and reverse shell capabilities.

Mandiant observed UNC3886 using valid credentials for lateral movement between guest VMs on compromised VMware ESXi. The threat actor deployed backdoored SSH clients and daemons to intercept and collect credentials stored in XOR-encrypted files.

Backdoored SSH Executables

The threat group modified SSH client (/usr/bin/ssh) and daemon (/usr/sbin/sshd) to harvest and store credentials. The SSH client stored credentials in "/var/log/ldapd<unique_keyword>.2.gz," while the SSH daemon stores them in "/var/log/ldapd<unique_keyword>.1.gz." To persist the malicious SSH components, the threat actor used yum-versionlock to prevent OpenSSH package upgrades.

Custom SSH Server

UNC3886 also used the MEDUSA rootkit to deploy a custom SSH server. They employed executables (/usr/sbin/libvird and /usr/bin/NetworkManage) to hijack SSH connections and redirect them to a Unix socket for credential collection. SELinux contexts ensured socket accessibility. Additional tools (sentry and sshdng-venter-7.0) were used on another endpoint for similar injection and redirection operations.

Indicators of Compromise (IOCs)

Mandiant has published IOCs to aid in detecting UNC3886 activities. These IOCs, along with detection and hardening guidelines, help organizations protect against sophisticated threats posed by UNC3886.

Researchers from Cyble Research and Intelligence Labs (CRIL) have discovered a QR code-based phishing campaign that uses malicious Word documents masquerading as official documents from the Ministry of Human Resources and Social Security of China. Users are tricked into providing bank card details and passwords under the guise of identity verification and authentication processes.

QR Code-Based Phishing Campaign

QR code phishing attacks have escalated significantly this year, with cybercriminals leveraging this technology to steal personal and financial information. Threat actors (TAs) are embedding QR codes in office documents and redirecting users to fraudulent websites designed to harvest sensitive data. In the ever-evolving cyber threat landscape, a new vector has emerged: QR code-based phishing campaign. Cybercriminals are increasingly embedding QR codes in malicious documents, which when scanned direct users to fraudulent websites. This tactic has seen a marked rise in 2024 following a trend that started during the COVID-19 pandemic, when QR codes became widely adopted for contactless transactions and information sharing. The Hoxhunt Challenge highlighted a 22% increase in QR code phishing during late 2023, and research by Abnormal Security indicates that 89.3% of these attacks aim to steal credentials. The growing familiarity with QR codes has created a false sense of security, making it easier for cybercriminals to exploit them. QR codes can mask destination URLs, preventing users from easily verifying the legitimacy of the site they are being redirected to.

Recent QR Code Campaigns and Techniques

Recently, Cyble Research and Intelligence Labs uncovered a sophisticated phishing campaign targeting individuals in China. This campaign saw the use of Microsoft Word documents embedded with QR codes, which are distributed via spam email attachments. The documents were designed to appear as official notices from the Ministry of Human Resources and Social Security of China, offering labor subsidies above 1000 RMB to lure victims. [caption id="attachment_77666" align="aligncenter" width="769"] MS Word file containing QR code (Source: Cyble)[/caption] The documents are meticulously crafted to look authentic, complete with official logos and language that mimics government communications. Once the QR code in the document is scanned, it redirects the user to a phishing site designed to collect sensitive information. This particular campaign stands out due to its use of a Domain Generation Algorithm (DGA), which generates a series of seemingly random domain names. DGA is a program that generates large numbers of new domain names. Cybercriminals and botnet operators generally use it to frequently change the domains used to launch malware attacks. This technique enables hackers to avoid malware-detection solutions that block specific domain names and static IP addresses. The latest campaign isn't an isolated incident. A similar phishing operation was documented in January 2023 by Fortinet, where cybercriminals impersonated another Chinese government agency. This resurgence in QR code phishing attacks indicates a persistent threat targeting Chinese citizens, with malicious actors continually refining their tactics to evade detection.

The QR Code Phishing Process

The phishing process begins with the user scanning the QR code from the malicious Word document. This action takes them to the phishing site, which initially displays a dialogue box promising a labor subsidy. The site is designed to appear official, complete with government logos and formal language to enhance credibility. The phishing site instructs the user to provide personal information, starting with their name and national ID. This step is presented as a necessary part of the application process for the subsidy. Once the user enters this information, they are directed to a second page that requests detailed bank card information, including the card number, phone number, and balance. This information is ostensibly required for identity verification and to process the subsidy. After collecting the bank card details, the phishing site asks the user to wait while their information is "verified." This waiting period is a tactic used to add a sense of legitimacy to the process. Following this, the site prompts the user to enter their bank card password, under the guise of further verification. This password is suspected to be the same as the payment password used for domestic credit card transactions. By obtaining this password along with the card details, the threat actors can perform unauthorized transactions, leading to significant financial losses for the victim.

Phishing Activity Technical IoCs

The phishing activity begins when the user scans the QR code embedded in the Word document. This action directs them to the link “hxxp://wj[.]zhvsp[.]com”. This initial URL then redirects to a subdomain, “tiozl[.]cn”, created using a DGA. The use of a DGA means the phishing URLs are constantly changing, making them harder to block preemptively. [caption id="attachment_77670" align="aligncenter" width="1024"] Landing page of phishing site (Source: Cyble)[/caption] The domain “tiozl[.]cn” is hosted on the IP address “20.2.161[.]134”. This IP address is associated with multiple other domains, suggesting a large-scale phishing operation. The domains linked to this campaign are: - 2wxlrl.tiozl[.]cn - op18bw[.]tiozl.cn - gzha31.tiozl[.]cn - i5xydb[.]tiozl.cn - hzrz7c.zcyyl[.]com Further investigation revealed that the SHA-256 fingerprint of an SSH server host key associated with the IP address “20.2.161[.]134” is linked to 18 other IPs, all within the same Autonomous System Number (ASN), AS8075, and located in Hong Kong. These IPs host URLs with similar patterns, indicating a coordinated effort to deploy numerous phishing sites. The rise in QR code phishing attacks underscores the increasing sophistication and adaptability of cybercriminals. By exploiting the widespread use of QR codes - especially in a post-pandemic world - these attacks effectively lure users into divulging sensitive financial information. The recent campaign targeting Chinese citizens highlights the severity of this threat, as malicious actors use seemingly official documents to gather card details and passwords, leading to significant financial losses. This trend emphasizes the need for heightened vigilance and robust security measures to protect against such evolving threats.

Recommendations for Mitigation

To mitigate the risk of QR code phishing attacks, CRIL said it is crucial to follow these cybersecurity best practices: 1. Scan QR codes from trusted sources only: Avoid scanning codes from unsolicited emails, messages, or documents, especially those offering financial incentives or urgent actions. 2. Verify URLs before proceeding: After scanning a QR code, carefully check the URL for legitimacy, such as official domains and secure connections (https://). 3. Install reputable antivirus and anti-phishing software: These tools can detect and block malicious websites and downloads. 4. Stay informed about phishing techniques: Educate yourself and others about the risks associated with QR codes to prevent successful phishing attacks. 5. Use two-factor authentication (2FA): This adds an extra layer of security, making it harder for attackers to gain unauthorized access. 6. Keep software up to date: Ensure your operating systems, browsers, and applications are updated with the latest security patches to protect against known vulnerabilities. 7. Use secure QR code scanner apps: Consider apps that check URLs against a database of known malicious sites before opening them. 8. Monitor financial statements regularly: Review your bank and credit card statements for unauthorized transactions and report any suspicious activity immediately.

Experts slammed the latest European Union proposals for chat control to prevent child sexual abuse, calling the proposals a front for mass surveillance that will undermine encryption standards. Meredith Whittaker, president of the Signal foundation that operates the end-to-end encrypted (E2EE) messaging application, criticized the latest European Union proposals for chat control to prevent child sexual abuse, calling it “an old wine repackaged in new bottle.” “For decades, experts have been clear: there is no way to both preserve the integrity of end-to-end encryption and expose encrypted contents to surveillance. But proposals to do just this emerge repeatedly,” Whittaker said.

“Either end-to-end encryption protects everyone, and enshrines security and privacy, or it’s broken for everyone.” – Meredith Whittaker

The Chat Control Proposal

Her statement comes in response to the European Council’s proposal for chat control, which lays down rules to monitor E2EE under the veil of preventing and combating child sexual abuse. “While end-to-end encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society, the European Union needs to ensure the effective prevention of and fight against serious crime such as child sexual abuse,” the proposal says. “It is crucial that services employing end-to-end encryption do not inadvertently become secure zones where child sexual abuse material can be shared or disseminated. Therefore, child sexual abuse material should remain detectable in all interpersonal communications services through the application of vetted technologies.” The proposal suggests that chat control could work in way that when any visual content is uploaded, the users be required to give explicit consent for a detection mechanism to be applied to that particular service. “Users not giving their consent should still be able to use that part of the service that does not involve the sending of visual content and URLs,” it said. “This ensures that the detection mechanism can access the data in its unencrypted form for effective analysis and action, without compromising the protection provided by end-to-end encryption once the data is transmitted.”

What Experts Say

However, Whittaker said that what the EU is proposing isn't possible without fundamentally undermining encryption and creating “a dangerous vulnerability in core infrastructure” that can have global implications beyond Europe. She called the proposal a “rhetorical game” of some European countries that have come up with the same idea under a new banner. Whittaker was referring to previous proposals under the name of “client-side scanning,” which is now being called “upload moderation.”

“Some are claiming that ‘upload moderation’ does not undermine encryption because it happens before your message or video is encrypted. This is untrue. We can call it a backdoor, a front door, or “upload moderation.” But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and putting in its place a high-value vulnerability."

Whittaker reiterated that mandating mass scanning of private communications fundamentally undermines encryption, “Full stop.”

Chaos Computer Club, German MP Also Opposed

The Chaos Computer Club (CCC) and Patrick Dreyer, Member of European Parliament for the German and the European Pirate Party, argued along similar lines. The proposal stipulates that users must actively agree to chat control, but the refusal to do so comes with a punishment: Those who do not agree are no longer allowed to send any pictures or videos at all, a severe restriction of the service. “There can be no talk of voluntary participation here,” commented Linus Neumann, spokesman for the Chaos Computer Club. [caption id="attachment_77633" align="aligncenter" width="1024"] Source: Patrick Dreyer[/caption] Dreyer urged Europeans to take immediate action against the Chat Control proposal and said the EU countries pushing the proposal are exploiting the short period after the European Elections during which there is less public attention and the new European Parliament is not yet formed. “If Chat Control is endorsed by Council now, experience shows there is a great risk it will be adopted at the end of the political process,” he said. Dreyer said the silver lining in the current situation is the fact that many EU governments have not yet decided whether to go along with this final Belgian push for Chat Control mass surveillance. The countries still considering the proposal are Italy, Finland, Czech Republic, Sweden, Slovenia, Estonia, Greece and Portugal. Only Germany, Luxembourg, the Netherlands, Austria and Poland are relatively clear that they will not support the proposal, but this is not sufficient for a “blocking minority,” Dreyer said. The proposal for chat control searches of private communications could be greenlighted by EU governments as early as Wednesday, June 19. Dreyer urged Europeans to press their governments to vote against this. “Demand a firm ‘No.’ Time is pressing. This may be our last chance to stop Chat Control!” Dreyer said.

With companies coming forward every day announcing impacts from their third-party cloud data storage vendor, the Snowflake data breach seems to be snowballing into one of the biggest data breaches of the digital age. Here's everything to know about the Snowflake breach; we'll update this page as new information becomes available.

Why the Snowflake Breach Matters

Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others. Snowflake holds approximately a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, it an attractive target for cybercriminals. However, it is crucial to note that the breaches are not necessarily due to failures by Snowflake. The correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, along with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform.

Ongoing Investigation and Preliminary Results in Snowflake Breach

On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware.

Compromised Employee Account

Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA) but the demo accounts lacked such safeguards.

Test Environments Targeted

Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention.

Attack Path

The initial access point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, who helped Snowflake in its investigation, confirmed that the compromised credentials were from customer instances and were traced back to infostealer malware logs. Several variants of infostealer malware were used, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER.

Possible Reasons for the Breach

Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to four years were significant factors. Network allow lists were also not used to restrict access to trusted locations.

Unconfirmed Threat Actor Claims

The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of "sensitive" data used for determining the impact on demo accounts. The investigation is ongoing, but Snowflake stands by its initial findings.

Affected Customers from Snowflake Breach

The data breaches began in April 2024, and the company claimed it had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach. While some victims have been identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies know to have been impacted in the Snowflake data breach:

• Santander Group: The company confirmed a compromise without mentioning Snowflake.
• Impact: Santander Bank staff and 30 million customers’ data has allegedly been breached.

• TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
• Impact: 560 Million TicketMaster user details and card info potentially at risk.

• LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
• Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.

• Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
• Impact: Same actor as LendingTree claimed leak of 380 million customers and 358,000 former and current employees.

• Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
• Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million.

Tech Crunch discovered over 500 login credentials and web addresses for Snowflake environments on a website used by attackers to search for stolen credentials. These included corporate email addresses found in a recent data dump from various Telegram channels.

Security Measures and Customer Support

Snowflake Chief Information Security Officer Brad Jones reiterated the company's findings, asserting that the breaches were not due to any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts. The company acknowledges the friction in their MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite due to the high sensitivity of the data stored in their cloud environments.

Key Recommendations for Snowflake Customers:

1. Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
2. Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks.
3. Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
4. Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.

Snowflake has also published indicators of compromise and steps for detecting and preventing unauthorized user access here. Cloud security firm Permiso has developed an open-source tool dubbed "YetiHunter" to detect and hunt for suspicious activity in Snowflake environments based on the IoCs shared by Snowflake, Mandiant, DataDog, and its own intelligence. Editor's Note: This blog will be updated as additional breach information from Snowflake and its customers becomes available or is claimed by threat actors on underground forums for sale. Links and data to any additional IoCs related to the Snowflake breach will be published here too.

A 22-year-old British national, allegedly the leader of an organized cybercrime group that targeted nearly four dozen U.S. companies, was arrested in Palma de Mallorca at the behest of the FBI, said the Spanish National Police. The young man allegedly orchestrated attacks on 45 companies in the United States through phishing campaigns, and subsequently gained unauthorized access to sensitive company information and cryptocurrency wallets.

Cyber Scammer Used Familiar Playbook

The modus operandi of the cybercriminal was simple: use phishing techniques to obtain access credentials from individuals,; use these credentials to infiltrate corporate work systems; exfiltrate sensitive company data that was likely monetized and put up for sale on dark web forums; and also access victims' cryptocurrency wallets to siphon them off. This modus operandi allowed the scammer to amass a significant amount of bitcoins. The Spanish police said the young cyber scammer managed to gain control over 391 bitcoins - approximately valued at over $27 million - from his victims. The arrest occurred at Palma airport as the suspect was preparing to leave Spain on a charter flight to Naples. The operation was conducted by agents of the Spanish National Police in collaboration with the FBI. The investigation, led by the Central Cybercrime Unit and supported by the Balearic Superior Headquarters, began in late May when the FBI’s Los Angeles office requested information about the suspect that they believed was in Spain. The FBI reported that an International Arrest Warrant had been issued by a Federal Court of the Central District of California, prompting intensified efforts to locate the suspect.

Laptop, Phone Seized

The suspect was carrying a laptop and a mobile phone at the time of his arrest, which were seized. The judicial authority subsequently ordered the suspect to be placed in provisional prison. The FBI did not immediately provide a response on whether the young British man would be extradited to the U.S. to be tried, nor did they release details on an indictment, but many similar cases in the recent past show the possibility of that happening soon.

Linked to Scattered Spider?

The cybercrime-focused vx-underground X account (formerly known as Twitter) said the U.K. man arrested was a SIM-swapper who operated under the alias “Tyler.” Fraudster's transfer the target’s phone number in a sim swapping attack to a device they control and intercept any text messages or phone calls to the victim. This includes one-time passcodes for authentication or password reset links sent over an SMS. “He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group,” vx-underground tweeted. The details, however, could not be confirmed but independent journalist Brian Krebs said the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.

“Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.” - vx-underground

The initial access vector in the attack on MGM included targeting of a help desk executive with social engineering tactics. Mandiant in its latest report found Scattered Spider aka UNC3944 using the same modus operandi, and although no victim names were stated, it now suggests the possible linkage between them. *Update (June 17 5:45 AM EST): Added details on the 22-year old young cyber scammer's identity and possible links to Scattered Spider group.

Europol coordinated two separate operations this week to disrupt 13 websites used in spreading terrorist propaganda online. This action followed a year-long operation involving ten law enforcement authorities across Europe. The targeted websites were linked to Islamic State, al-Qaeda and its affiliates, and the Syria-based rebel group Hay’at Tahrir al-Sham.

“The disrupted terrorist operated websites worked as a node and an archive for terrorist propaganda produced by the different IS [Islamic State] media outlets using a multiplatform approach.” - Capt. Alberto Rodríguez Vázquez of Spain's Guardia Civil.

Servers Taken Down in Europe and U.S.

Europol reported that servers were taken down in Germany, the Netherlands, the United States and Iceland under Operation HOPPER II. The authorities in Spain also arrested nine “radicalized individuals” from different nationalities. Spain's Guardia Civil led a separate operation, dubbed ALMUASASA, against media linked to the Islamic State’s I’LAM Foundation. Europol said this organization ran global communication channels, including radio stations, a news agency, and social media content.

“The network was designed to be resilient and low profile and that explains its multi-server hosting strategy. It operated both on the surface web and the dark web.” – Vázquez.

Terrorist Propaganda in 30 Languages

The organization communicated Islamic State directives and slogans in over 30 languages, including Spanish, Arabic, English, French, German, Danish, Turkish, Russian, Indonesian, and Pashto. Investigations revealed several terabytes of information, which will help law enforcement in further investigations into the terror group. The overall terrorist threat to the European Union remains high, with jihadist terrorism being a principal concern. Europol's operations followed the seizure of four computer servers in Romania, Ukraine, and Iceland, as part of ongoing investigations into religious and politically motivated terrorist groups.

“The servers supported multiple media outlets linked to Islamic State. They were used to disseminate worldwide propaganda and messages capable of inciting terrorism.” - Europol

According to Europol, the targeted websites enabled terrorist organizations and violent extremists to bypass the enhanced moderation and content removal efforts of mainstream online service providers. This helped them maintain a persistent online presence. The sites were used for recruitment, fundraising, inciting violence, and spreading propaganda, including manuals for creating explosives and content designed to radicalize and mobilize individuals. [caption id="attachment_77383" align="aligncenter" width="1024"] Jode de la Mata Amaya, national member for Spain, Eurojust (Source: YouTube)[/caption] The investigation has also revealed important details on the financing of the terrorist networks, which will be pivotal in future combat of threats from these networks, said Jode de la Mata Amaya, national member for Spain, Eurojust. All the 13 websites were referred for removal under European Union laws that mandate all hosting service providers remove flagged content within an hour of receiving a removal order or face penalties determined by individual member states.

Ukraine’s Security Service (SBU) detained two individuals accused of aiding Russian intelligence in hacking the phones of Ukrainian soldiers and spreading pro-Kremlin propaganda. The suspects operated bot farms using servers and SIM cards to create fake social media accounts. One bot farm in the Zhytomyr Oblast was hosted in an apartment of a Ukrainian woman. She allegedly registered over 600 virtual mobile numbers and several anonymous Telegram accounts.

Russian Intelligence Installed Spyware in Campaign

The woman sold or rented these accounts in exchange for cryptocurrency on online Russian underground marketplaces. Russian intelligence used these accounts and numbers to hack phones of Ukrainian military personnel by sending phishing emails containing spyware that collected sensitive confidential data. Russian hackers were recently observed using legitimate remote monitoring and management (RMM) software to spy on Ukraine and its allies. [caption id="attachment_77338" align="aligncenter" width="1024"] Source: SBU[/caption] According to the SBU, the accounts hosted on this bot farm were also used to spread pro-Kremlin propaganda purporting as ordinary Ukrainian citizens. Another 30-year-old man from Dnipro allegedly registered nearly 15,000 fake accounts on various social networks and messaging platforms using Ukrainian SIM cards. He sold these accounts to Russian intelligence services on darknet forums. [caption id="attachment_77337" align="aligncenter" width="1024"] Source: SBU[/caption] Both suspects face up to three years in prison or a fine if found guilty. The investigation continues.

Russian Bot Farms Used Since Invasion Started

Russia has used bot farms to disseminate Kremlin propaganda, incite panic and manipulate narratives since the beginning of its Ukrainian invasion. The Ukrainian authorities have busted dozens of bot farms and arrested hundreds of people across the country who operate them. In December 2022, they dismantled more than a dozen bot farms. In September of that year, two bot farms were taken down, while in August a group that operated more than 1 million bots was also dismantled. Bot farm operators typically receive payments in Russian rubles, a prohibited currency in Ukraine. These activities continued in the second year of the war, where the Ukrainian Cyber Police raided 21 locations across the country and seized computer equipment, mobile phones and more than 250 GSM gateways. This included 150,000 SIM cards of different mobile operators used in the illicit activities to create fake social media profiles.

The financially motivated UNC3944 threat group has shifted focus to data theft extortion from software-as-a-service applications but without the use of ransomware variants, which it is historically known for. UNC3944, also known as 0ktapus, Octo Tempest, Scatter Swine and Scattered Spider, is a financially motivated threat group that has demonstrated significant adaptability in its tactics since its inception in May 2022. According to Google-owned cybersecurity company Mandiant, the threat group has now evolved its strategies to include data theft from SaaS applications. It leverages cloud synchronization tools for data exfiltration, persistence mechanisms against virtualization platforms and lateral movement via SaaS permissions abuse, Mandiant said.

Data Theft Extortion Without Ransomware

UNC3944 initially focused on credential harvesting and SIM swapping attacks but over the years has transitioned to ransomware. Mandiant has now found evidence that shows the threat group has taken a further leap and now shifted primarily to data theft extortion without any ransomware deployment. UNC3944’s latest attack lifecycle often begins with social engineering techniques aimed at corporate help desks. Mandiant said the threat group gained initial access exploiting privileged accounts in multiple instances. The UNC3944 group used personally identifiable information (PII) such as Social Security numbers, birth dates and employment details likely scraped from social media profiles of the victims to bypass identity verification processes of help desks. They often claimed the need for a multi-factor authentication (MFA) reset due to receiving a new phone, enabling them to reset passwords and bypass MFA protections on privileged accounts.

“Evidence also suggests UNC3944 has occasionally resorted to fear mongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.” - Mandiant

Phase I of UNC3944’s Attack Lifecycle

The first phase of the threat group’s attack lifecycle includes:

• Social Engineering: UNC3944 conducted sophisticated social engineering attacks, leveraging extensive research on victims to gain help desk access.
• Credential Harvesting: Used SMS phishing campaigns to harvest credentials.
• Internal Reconnaissance: After gaining access, conducted reconnaissance on Microsoft applications like SharePoint to gather internal documentation on VPNs, VDI and remote work utilities.
• Privilege Escalation: Abused Okta permissions to self-assign roles and gain broader access to SaaS applications.

[caption id="attachment_77144" align="aligncenter" width="1024"] UNC3944 attack lifecycle (Source: Mandiant)[/caption]

Phase II of the Attack Lifecycle

In the second phase of UNC3944’s attack lifecycle, the threat group employed aggressive persistence methods through the creation of new virtual machines in environments like vSphere and Azure. They use administrative privileges to create these machines and configure them to disable security policies, such as Microsoft Defender, to avoid detection. A lack of endpoint monitoring allowed the group to download tools like Mimikatz, ADRecon, and various covert tunneling utilities like NGROK, RSOCX and Localtonet to maintain access to the compromised device without needing VPN or MFA. UNC3944 has previously deployed Alphv ransomware on virtual machine file systems but Mandiant said since the turn of 2024, it has not observed ransomware deployment by this threat group.

Focus Shifts to SaaS Applications

The novel shift in UNC3944’s targeting is its exploitation of SaaS applications to gain further access and conduct reconnaissance.

“Mandiant observed access to such applications as vCenter, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and GCP.”

Once the threat group gained access to any of the SaaS applications, they then used endpoint detection and response tooling to test access to the environment and further used tools like Airbyte and Fivetran to exfiltrate data to attacker-owned cloud storage.

Advanced Techniques of Phase II

Some of the advanced techniques demonstrated by UNC3944 in phase two of the attack lifecycle includes: ADFS Targeting: Exporting Active Directory Federated Services certificates to perform Golden SAML attacks for persistent cloud access. Data Exfiltration: Using cloud synchronization utilities to move data from SaaS platforms to external cloud storage. Endpoint Detection and Response (EDR): Creation of API keys in CrowdStrike’s console for executing commands and further testing access. Anti-Forensic Measures: UNC3944 employed anti-forensic techniques to obscure their activities. They use publicly available utilities to reconfigure virtual machines, disable logging, and remove endpoint protections. The attackers also used ISO files like PCUnlocker to reset local administrator passwords and bypass domain controls.

Abuse of M365 Delve Feature

Mandiant observed advanced M365 features like Microsoft Office Delve being used for data reconnaissance by UNC3944 for uncovering accessible data sources. Delve offers quick access to files based on group membership or direct sharing and shows personalized content recommendations from M365 sources and mapping organizational relationships. While this feature is useful for collaboration, UNC3944 exploited Delve for rapid reconnaissance, identifying active projects and sensitive information by recent modification. These resources typically lack sufficient security monitoring and logging. Traditional security controls, like firewalls and network flow sensors, are ineffective for detecting large data transfers from SaaS platforms. Identifying data theft with traditional logs is challenging, and real-time detection remains difficult with historical log analysis. The storage of sensitive data in SaaS applications poses significant risks that is often overlooked due to the perceived security of SaaS models. UNC3944 exploited these weaknesses and took advantage of inadequate logging and monitoring to perform data theft undetected.

Recommended Mitigation Steps

Mandiant researchers recommended a number of controls to protect against the threat group's tactics:

• Implement host-based certificates and MFA for VPN access to ensure secure connections.
• Have stricter conditional access policies and limit visibility and access within cloud tenants.
• Have enhanced monitoring through centralized logs from SaaS applications and virtual machine infrastructures to detect suspicious activities.
• Ensure comprehensive logging for SaaS applications to detect signs of malicious intent.

In the aftermath of the Synnovis ransomware attack that struck last week, London hospitals continue to struggle to deliver patient care at an optimal level. The attack on the pathology services provider has brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day, according to Synnovis.

“Urgent requests are severely restricted at around 400 a day. Historically primary care and community services have generated around 10,000 samples a day for testing, which gives you an idea of the scale of the impact.” - Synnovis

Services including blood transfusions reportedly remain severely disrupted at Guy's and St Thomas' Hospital and King's College Hospital. Both hospitals are experiencing disruption of pathology services, particularly blood tests.

Blood Testing Severely Impacted After Synnovis Ransomware Attack

The biggest challenge that Synnovis is currently facing is that all its automated end-to-end laboratory processes are offline since all IT systems have been locked down in response to the ransomware attack. “This means we are having to log all samples manually when they arrive, select each test manually on analyzers and, once tests have been processed, type in each result on the laboratory’s computer system (the Laboratory Information Management System - LIMS),” Synnovis said. And this is not the end of it. Synnovis then must manually deliver these results to the Trust’s IT system so that the results can be further electronically submitted back to the requester. But since the Synnovis’ LIMS is presently disconnected from the Trusts’ IT systems, “this extensive manual activity takes so much time that it severely limits the number of pathology tests we can process at the moment,” Synnovis explained. The pathology service provider normally processes around 10,000 primary care blood samples a day, but at the moment is managing only up to 400 from across all six boroughs. “Despite the measures we know colleagues are taking to prioritize the most urgent samples, we are receiving many more than we can process and we have an increasing backlog,” Synnovis said. The lab services provider last week was able to process around 3,000 Full Blood Count samples but could not export results due to the lack of IT connectivity. “Of those tests processed, we have phoned through all results that sit outside of critical limits, however, we have been unable to return any results electronically and are unlikely to be able to do so,” Synnovis said. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this week to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.

Will Process only 'Clinically Critical' Blood Samples

To manage the inadequacy of the services, the service provider is momentarily only accepting blood samples that the requesting clinician considers to be “clinically critical.” Clinicians need to consider a test as “critical” only if a test result is needed within 24 hours to determine a patient’s urgent treatment or care plan. “As experts, your clinical view of what is considered ‘critical’ will be accepted by the laboratory, but we urge you to apply this definition carefully, given the severe capacity limitations we are facing,” Synnovis recommended. [caption id="attachment_77097" align="aligncenter" width="1024"] Source: Synnovis[/caption] The pathology service provider is also working with NHS Trust to install laptops at the hub laboratory, which will give them access to the Trust IT systems to return test results electronically.

Caregivers Working Overtime

Doctors and caregivers at Guy's and St Thomas' Hospital and King's College Hospital have been putting in extra hours since the Synnovis ransomware attack disrupted services last week. But this is not enough, as KCH has already cancelled some of its operations and is working only at about 70% capacity. Three of its 17 operating theatres remain shut, BBC reported.

The Black Basta ransomware gang may have exploited a Windows privilege escalation vulnerability as a zero-day before it was patched, new evidence suggests. Symantec researchers have revealed details that the Black Basta ransomware group linked to the Cardinal cybercriminal syndicate (also known as Storm-1811 or UNC4393) may have exploited a flaw in the Windows error reporting service as a zero-day prior to its March Patch Tuesday fix. Tracked as CVE-2024-26169, the vulnerability in question exists in the Windows Error Reporting Service. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said at the time of patching. The Redmond-based tech giant at the time reported no evidence of the bug being exploited in the wild. However, analysis of an exploit tool used in recent attacks indicated that it may have been compiled months before the official patch was released, indicating potential zero-day exploitation.

Black Basta’s Privilege Escalation Bug Exploitation

The Symantec team first uncovered the possible zero-day exploitation while investigating a recent ransomware attack attempt in which an exploit tool for CVE-2024-26169 was used. “Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity,” Symantec said. These TTPs included the use of batch scripts disguised as software updates, the researchers added.

Black Basta Exploit Tool Analysis

The exploit tool leverages a flaw where the Windows file “werkernel.sys” uses a null security descriptor for creating registry keys. The tool exploits this by creating a “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe” registry key, setting its “Debugger” value to its own executable pathname. This allows the attacker to start a shell with administrative privileges, Symantec explained. Two variants of the tool analyzed:

• Variant 1 (SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63): Compiled on February 27, before the vulnerability was patched.
• Variant 2 (SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0): Compiled on December 18, 2023, nearly three months before an official fix was released.

While time stamp values in executables can be modified, in this case the attackers likely had little motivation to alter them, suggesting genuine pre-patch compilation.

Indicators of Compromise

Symantec shared the following IoCs: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63 – Exploit tool b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0 – Exploit tool a31e075bd5a2652917f91714fea4d272816c028d7734b36c84899cd583181b3d – Batch script 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d – Batch script 2408be22f6184cdccec7a34e2e79711ff4957e42f1ed7b7ad63f914d37dba625 – Batch script b0903921e666ca3ffd45100a38c11d7e5c53ab38646715eafc6d1851ad41b92e – ScreenConnect

About Black Basta Ransomware

The latest attempts of exploiting a Windows privilege escalation bug comes a month after Microsoft revealed details of Black Basta ransomware operators abusing its Quick Assist application that enables a user to share their Windows or macOS device with another person over a remote connection. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI in a May advisory said Black Basta's affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia since its launch in April 2022. An analysis from blockchain analytics firm Elliptic indicates that Black Basta has accumulated at least $107 million in ransom payments since early 2022, targeting more than 90 victims. The largest ransom payment received was $9 million, and at least 18 of the ransoms exceeded $1 million each. The average ransom payment was $1.2 million.

The United Kingdom and Canada privacy watchdogs announced a joint investigation this week to determine the security lapses in the genetic testing company 23andMe’s October data breach, which leaked ancestry data of 6.9 million individuals worldwide. The UK Information Commissioner John Edwards and Privacy Commissioner of Canada Philippe Dufresne will lead the investigation, pooling the resources and expertise of their respective offices.

Focus of 23andMe Data Breach Investigation

The joint investigation will examine three key aspects:

• Scope of Information Exposed: The breadth of data affected by the breach and the potential harm to individuals arising from it.
• Security Measures: Evaluate whether 23andMe had adequate safeguards to protect the sensitive information under its control.
• Breach Notification: Review whether the company provided timely and adequate notification to the regulators and affected individuals, as mandated by Canadian (PIPEDA) and UK (GDPR) data protection laws.

Edwards said the investigation was needed to garner the trust of people in organizations that handle sensitive personal data. He stated:

“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Dufresne on the other hand stated the risks associated with genetic information in the wrong hands. He said:

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

The data protection and privacy laws in the UK and Canada allow such joint investigations on matters that impact both jurisdictions. Each regulator will assess compliance with the relevant laws they oversee. Neither of the privacy commissioner offices however provided further details on how they would charge or penalize 23andMe, if found in violation of GDPR or PIPEDA. “No further comment will be made while the investigation is ongoing,” the UK ICO said. 23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today.

“We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023,” a 23andMe spokesperson told The Cyber Express.

Genetic Testing Company 23andMe Data Breach Timeline

23andMe first disclosed details of the October data breach in an 8-K filing with the U.S. Securities and Exchange Commission. The genetic testing company said attackers scraped profiles of 23andMe users who opted in to using the company’s DNA Relatives feature. This profiling feature connects users with genetic distant relatives - or other 23andMe users who share their bits of DNA. The attackers used credential stuffing attacks that affected 0.1% of user accounts, the company told SEC. Using these accounts as a launchpad, hackers were able to access “a significant number of files containing profile information about other users' ancestry.” Threat actors claimed on underground forums that they were able to siphon “20 million pieces of code” from 23andMe. The claimed data set included information DNA ancestry backgrounds belonging to more than 1.3 million Ashkenazi Jewish and Chinese users. By the end of October, another threat actor claimed compromise of 4 million genetic profiles, which the company also investigated. The genetic testing company 23andMe said it notified the affected 6.9 million users - 5.5 million DNA Relatives profiles and 1.4 million Family Tree profile – in December. The company told federal regulators that the data breach incident was set to incur between $1 million and $2 million in one-time expenses. The company faces at least 30 class action lawsuits in U.S.state and federal jurisdictions as well as in Canada. 23andMe blamed the customers’ poor security hygiene for the breach and has since made two-step verification a prerequisite for account logon. It also mandated customers to reset their passwords. *Update 1 (June 12 – 12:00 AM EST): Added response from the 23andMe spokesperson.