Hackers have claimed three prominent cyberattacks in Italy in the last 24 hours. The Italy ransomware attacks were allegedly carried out by the RansomHub and RansomHouse groups. RansomHub targeted the websites of the Cloud Europe and Mangimi Fusco firms, while RansomHouse took credit for orchestrating a cyberattack on Francesco Parisi.

Details of Italy ransomware attacks

Cloud Europe is a Tier IV certified carrier-neutral data center located in Rome’s Tecnopolo Tiburtino. According to details on the company website, it specializes in the design and management of data centers, with particular attention to the problems of security and service continuity. The company builds, hosts and manages modular infrastructure for customer data centers in the private and public sectors. [caption id="attachment_79490" align="alignnone" width="1173"] Source: X[/caption] The threat actor RansomHub claimed to have encrypted the servers of Cloud Europe, exfiltrating more than 70 TB of its data. “In addition, we have stolen over 541.41 GB of your sensitive data, obtained access to another company from your sensitive transformations,” RansomHub stated on its site. The other company targeted by RansomHub is Mangimi Fusco, which is an animal food manufacturer. It also supplies farm products and raw materials to wholesale merchants. According to the ransomware group, it has stolen 490 GB of “Private and confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, finance information, etc…we give you three days to come for negotiations.” [caption id="attachment_79491" align="alignnone" width="1189"] Source: X[/caption] Meanwhile, RansomHouse has allegedly breached the website of Francesco Parisi, which is a group of freight forwarding and shipping agents. It was established by Francesco Parisi in Trieste and has been operating in Central Europe since 1807. The group has around 100 employees and has a revenue of $13.7 million. The ransomware group claims that it stole 150 GB of the company’s data on May 29. [caption id="attachment_79492" align="alignnone" width="1491"] Source: X[/caption] Despite these claims, a closer inspection reveals that that the websites of Cloud Europe and Mangimi Fusco seem to be functioning normally, showing no signs of the ransomware attack as alleged by the threat actor. However, Francesco Parisi has put up a disclaimer on its home site which reads, “Important notice: Hacker Attack. We are aware that are infrastructure was subjected to a hacker attack. We want to reassure our users, customers and suppliers that we have immediately taken the necessary measures to restore operations and protect their data. Safety is a top priority. We are working hard to investigate the incident and implement additional security measures to prevent future attacks. We apologize for any inconvenience this event may have caused. We will keep you informed of developments in the situation and will let you know as soon as we have further information. In the meantime, if you have any questions or concerns, please feel free to contact us. Thank you for understanding.” [caption id="attachment_79494" align="alignnone" width="1196"] Source: X[/caption] Meanwhile, The Cyber Express has reached out to both Cloud Europe and Mangimi Fusco regarding the purported cyberattack orchestrated by the RansomHub group. However, at the time of publication, no official statements or responses have been received, leaving the claims of the ransomware cyberattack on these entities unverified.

Inglorious Past of RansomHub, RansomHouse

The origins of RansomHub trace back to February 2024, when it emerged as a Ransomware-as-a-Service (RaaS) on cybercrime forums. They employ sophisticated encryption techniques and target organizations predominantly in the IT & ITES sector. RansomHub has hackers from various global locations united by a common goal of financial gain. The gang openly mentions prohibiting attacks on non-profit organizations. RansomHouse emerged in March 2022 and is labelled as a multi-pronged extortion threat. In the words of RansomHouse representatives, the group claims to not encrypt data and that they are ‘extortion only,’ claiming itself as a ‘force for good’ that intends ‘shine a light’ on companies with poor security practices. The group has been observed accepting only Bitcoin payments.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Indonesia’s civil aviation authority has alleged suffered a massive security breach where a threat actor has claimed to have accessed critical data related to handling of air traffic in the country. The Indonesian civil aviation data breached was allegedly orchestrated by a threat actor, operating under the alias, “Hacker Mail”. The threat actor has alleged exfiltrated more than 3GB of database which includes all employees and passwords for all applications, website user data, ID card photo data for all employees, drone pilot certificate participants, and flight data related to aircraft, pilot’s personal data, as well as all other activities in Indonesian airports.

Decoding Indonesian Civil Aviation Data Breach

The threat actor’s post on hacking site Breachforums, stated that the exfiltration of data occurred on June 27,2024. In his post, the hacker stated, “The Directorate General of Civil Aviation (DGCA) is an element that implements some of the duties and functions of the Indonesian Ministry of Transportation, which is under and responsible to the Minister of Transportation. The Directorate General of Civil Aviation is led by the Director General. The Directorate General of Civil Aviation has the task of formulating and implementing policies and technical standardization in the field of air transportation. The Directorate General of Civil Aviation handles the administration and management of civil aviation within the Unitary State of the Republic of Indonesia.” To substantiate the data breach claim, the threat actor attached the following sample records.

• User log for small, unmanned aircraft certificates, remote pilot certificate and unmanned aircraft operation approval.

In this sample of data leak, the cyberattacker has claimed to  expose sensitive personal information of pilots, IP address used to login and date and time of login. The data is for users who logged in to one of the applications of the DGCA on 08/15/2022 and 08/16/2022.

• Sample chats which probably refer to communication of DGCA employees with pilots on 04/13/2022
• ID card photo data for all employees
• Userrname and password of employees who logged on to a DGCA application

Despite these high-profile declarations, a closer inspection reveals that Indonesia’s DGCA website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to the DGCA officials to verify the alleged cyberattack. The authorities too are yet to release an official statement or response regarding the reported data breach, leaving the claims unverified as of now. The article too would be updated if any information is provided by the officials.

Indonesia Battles Three Major Cyberattack Claims in One Week

Hackers have recently carried out allegedly three major cyberattacks on key Indonesian establishments. Last week, a ransomware attack on Indonesia’s national data center has disrupted official government services including immigration services at airports. The attack has reportedly affected more than 200 government agencies at national and regional levels. The attack was carried out by LockBit 3.0 ransomware, a variant known for encrypting victims’ data and demanding payment for its release. The attackers had offered a decryption key in exchange for an $8 million ransom. The AFP however reported that the Indonesian government though refused to pay the ransom but admitted that the cyberattack would have been rendered useless if there was a backup to the main server. Earlier this week, a hacker “MoonzHaxor” had claimed to have breached Indonesian Military's (TNI) Strategic Intelligence Agency (Bais) and offered to sell this data for $1,000 USD. The same hacker had announced breaching Indonesia's Automatic Finger Identification System (Inafis) owned by the National Police (Polri). The data reportedly includes fingerprint images, email addresses, and SpringBoot application configurations. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Geisinger Healthcare, a leading provider in Pennsylvania's healthcare sector, has recently disclosed a data breach involving the unauthorized access of patient information by a former employee of Nuance, an IT services contractor. This Geisinger Healthcare data breach has impacted over one million patients across its extensive network of care facilities. Founded in 1915, Geisinger operates 134 care sites and ten hospitals, serving 1.2 million individuals across urban and rural Pennsylvania. The non-profit organization is renowned for its commitment to delivering value-based care and employs 26,000 staff, including 1,600 physicians.

Geisinger Data Breach Links to Former Employee

The Geisinger data breach was first identified in November 2023 when the organization detected unauthorized access to its patient database by a former Nuance employee, shortly after their termination. Geisinger promptly notified Nuance, which took immediate steps to sever the employee's access to their systems containing patient records. According to Geisinger's Chief Privacy Officer, Jonathan Friesen, "Our patients' and members' privacy is a top priority, and we take protecting it very seriously." Nuance, in collaboration with law enforcement authorities, launched an investigation resulting in the arrest of the former employee, who now faces federal charges. The investigation revealed that the compromised information included patient names along with various details such as date of birth, addresses, medical record numbers, and contact information. Importantly, sensitive financial information such as credit card numbers or Social Security numbers remained unaffected.

Geisinger has Notified the Customers About the Data Leak

Geisinger has taken proactive measures to notify affected patients and has provided a dedicated helpline (855-575-8722) for assistance. Patients are advised to review any communications from their health insurer and report any discrepancies promptly. This incident underscores the critical importance of robust data security measures within healthcare systems, especially when handling sensitive patient information," said Friesen. Geisinger continues to cooperate closely with authorities as the investigation progresses, aiming to mitigate any further risks to patient privacy and security. Geisinger urges recipients of the notification to carefully review the details provided and reach out with any questions or concerns. The organization has shared customer service numbers where affected individuals can contact from Monday through Friday, Eastern Time, excluding major U.S. holidays, and reference engagement number B124651. In light of the breach, Geisinger emphasizes its commitment to transparency and patient care, ensuring affected individuals receive the support and resources necessary to safeguard their personal information and mitigate potential risks associated with the Geisinger data leak.

TeamViewer, a leading provider of remote access software, has attributed a security breach in its corporate network to an advanced persistent threat group, tracked as APT29. The TeamViewer data breach incident was first detected on June 26, 2024, prompting immediate action from TeamViewer's security team. In an initial statement posted on Thursday in the the company's Trust Center, TeamViewer reassured users that the breach occurred solely within their internal corporate IT environment, which is separate from their product environment. They emphasized that there is currently no evidence suggesting that customer data or the product itself has been compromised. In a Friday update the company reiterated the same and tied the compromise to employee account credentials that gave the threat actor access to Team Viewer's corporate IT environment.

"Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data." - TeamViewer

The company that provides enterprise solutions for remote access, reassured its customers that it follows best-practices in its overall system architecture and thus, has segmented the Corporate IT, the production environment, and the TeamViewer connectivity platform.

"This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach." - TeamViewer

Despite ongoing investigations, the company remains focused on safeguarding system integrity and ensuring transparency in its communication regarding the incident.

TeamViewer Data Breach Confirmed 

The TeamViewer data breach was highlighted by cybersecurity firm NCC Group, which was alerted about the compromise of TeamViewer's remote access and support platform by an APT group. This group, identified as APT29, aka Midnight Blizzard or Cozy Bear, is known for its cyberespionage capabilities and has previously been linked to cyberattacks targeting various global entities, including Western diplomats and technology firms. “On Wednesday, 26 June 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT environment. We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts, and implemented necessary remediation measures”, reads the official statement. Coinciding with TeamViewer's disclosure, alerts from the Dutch Digital Trust Center and Health-ISAC highlighted the severity of the situation. The Health-ISAC alert specifically warned of active exploitation of TeamViewer by APT29, advising organizations to monitor remote desktop traffic for any suspicious activity.

Mitigation Against the TeamViewer Data Leak

TeamViewer, known for its widespread adoption with thousands of customers globally and installed on billions of devices, continues to update stakeholders through its IT security update page. However, concerns have been raised about transparency practices, as the page currently includes a directive preventing indexing by search engines. “There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems. Security is of utmost importance for us, it is deeply rooted in our DNA. Therefore, we value transparent communication and will continuously update the status of our investigations as new information becomes available” concludes the statement.  For users and organizations relying on remote access solutions like TeamViewer, vigilance and proactive monitoring are recommended to mitigate risks posed by sophisticated cyber adversaries.  *Update (Friday, June 28 - 8:10 A.M. ET): The headline and text through the article was updated to reflect TeamViewer's Friday update and attribution of the cyberattack to APT29 or Midnight Blizzard. 

A threat actor claims to have carried out a cyberattack on India’s National Disaster Management Authority (NDMA). The NDMA is the top statutory body for disaster management in India, with the Prime Minister as its chairperson. The threat actor, operating under the alias “infamous,” has allegedly gained access to personal data of 93,000 volunteers, including their names, age, mobile numbers and other critical records. The hacker is currently selling the data on the dark web for $1,000.

Exploring Data Leak Claims of NDMA Volunteers

The NDMA was created in 2006. Its primary responsibility is to coordinate response to natural or man-made disasters and for capacity-building in disaster resiliency and crisis response. It is also the apex body for setting policies, plans and guidelines for disaster management to ensure a timely and effective response to disasters. The allegation that NDMA data had been hacked emerged on June 25 on the data leak site BreachForums. The threat actor “infamous” claimed to be in possession of a stolen database, consisting of the Personally Identifiable Information (PII) of NDMA volunteers, including their personal details such as name, title, gender, blood group, date of birth, email, mobile number, ID number, marital status, family contact number, education qualifications, skills, cadre, address, postal code, and the current state of residence. [caption id="attachment_79228" align="alignnone" width="1596"] Source: X[/caption] To substantiate the data breach claim, the threat actor attached sample records, with the latest timestamp of June 2024, while disclosing that the database includes records of 93,000 volunteers. The cyberattacker is asking $1,000 for the entire data set on BreachForums. Despite these claims by the threat actor, a closer inspection reveals that NDMA’s website is currently functioning normally, showing no signs of a security breach. The threat actor has also not provided clarity on the time period when the services of volunteers occurred. The Cyber Express has reached out to NDMA to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.

NDMA Volunteers Must Stay Vigilant

While authorities investigate the data breach claim, NDMA volunteers must be vigilant and take steps to prevent any malicious activities. Cybercriminals usually employ a range of tactics to misuse personal information, perpetuating identity theft and financial fraud. Some prominent techniques include phishing, where hackers trick individuals into revealing their PII by mimicking legitimate entities through fraudulent emails or phone calls. Individuals are also susceptible to identity theft and fraud, where fraudsters use psychological tactics to divulge sensitive information, such as passwords or credit card details. Since the email addresses have also been allegedly leaked, individuals must be vigilant of suspicious messages requesting sensitive information, as well as any unusual activity involving new or existing accounts.

Hackers Target 373 Indian Govt Websites in Five Years: Report

According to data published by the Indian Government, hackers have repeatedly targeted key websites run by the administration. An article in The Hindustan Times, quoting data from the Ministry of Electronics and Information Technology, said that, “As per the information reported to and tracked by CERT-In (Indian Computer Emergency Response Team), a total number of 110, 54, 59, 42, 50 and 58 website hacking incidents of Central Ministries/Departments and State Government organizations were observed during the years 2018, 2019, 2020, 2021, 2022 and 2023 (up to September).” The report added that some government offices were still using outdated Windows versions in their official computers and laptops, making them vulnerable to cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Evolve Bank & Trust disclosed that it has been the target of a cybersecurity incident. In a statement, the bank confirmed that customers' personal information had been illegally obtained and released on the dark web by cybercriminals. This Evolve Bank data breach affected both retail bank customers and the customers of Evolve’s financial technology partners. The Evolve Bank data breach involved a known cybercriminal organization that illegally obtained and published sensitive information. The stolen data includes Personal Identification Information (PII) such as names, Social Security Numbers, dates of birth, account details, and other personal information. "Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users)," reads the official statement. Evolve Bank & Trust has confirmed that its debit cards, and online, and digital banking credentials have not been compromised in the incident and remain secure. "Evolve has engaged the appropriate law enforcement authorities to aid in our investigation and response efforts. Based on what our investigation has found and what we know at this time, we are confident this incident has been contained and there is no ongoing threat," reads the official statement.

Details of the Evolve Bank Data Breach

There were reports that the Russian hacker group LockBit was responsible for the ransomware attack and data breach at Evolve Bank. LockBit had claimed to possess Federal Reserve data and, when their demands were not met, released approximately 33 terabytes of data from Evolve's systems. The group had allegedly touted their cache of Federal Reserve data, which was used to pressure the bank into meeting their demands. In response to the reports surfacing about the Evolve data breach, Evolve Bank & Trust is actively informing affected individuals about the breach. The bank has started reaching out to impacted customers and financial technology partners' customers through emails sent from notifications@getevolved.com. The communication includes detailed instructions on how to enroll in complimentary credit monitoring and identity theft detection services.

Steps Taken by Evolve Bank & Trust

The bank is undertaking a comprehensive response to this incident, which includes:

1. Engagement with Law Enforcement: Evolve has involved appropriate law enforcement authorities to aid in the investigation and response efforts.
2. Customer Communication: Direct communication with affected customers and financial technology partners' customers is ongoing to ensure they are informed and can take necessary protective measures.
3. Credit Monitoring Services: Impacted individuals are being offered complimentary credit monitoring and identity theft detection services.
4. Continuous Monitoring: Evolve is closely monitoring the situation and will provide updates as necessary to keep customers informed.

Recommendations for Affected Customers

Evolve Bank & Trust advises all retail banking customers and financial technology partners' customers to remain vigilant by:

1. Monitoring Account Activity: Regularly check bank accounts and report any suspicious activity immediately.
2. Credit Report Checks: Set up free fraud alerts with nationwide credit bureaus—Equifax, Experian, and TransUnion. Customers can also request and review their free credit report through Freecreditreport.com.
3. Reporting Suspicious Activity: Contact the bank immediately if any fraudulent or suspicious activity is detected. Additionally, individuals can file a report with the Federal Trade Commission (FTC) or law enforcement authorities if they suspect identity theft or fraud.

Recently, Evolve received an enforcement action from its primary regulator, the Federal Reserve Board, highlighting deficiencies in the bank's IT practices and requiring a plan and timetable to correct these issues. This breach highlights the importance of addressing these security concerns promptly. Evolve Bank & Trust is known for its partnerships with several high-profile fintech companies, including Mercury, Stripe, Affirm, Airwallex, Alloy, Bond (now part of FIS), Branch, Dave, EarnIn, and TabaPay. The bank has also worked with Wise and Rho in the past, though both have since migrated to other banking partners.

Credit Suisse, a global investment bank and financial services firm, has reportedly fallen victim to a cyberattack. The Credit Suisse data breach was allegedly masterminded by a threat actor (TA), operating under the alias “888,” on the data hack site BreachForums. The TA claims to have accessed highly sensitive data of the bank and posted it on the dark web marketplace. According to the the threat actor, the data breach contains personal information of about 19,000 of the bank’s Indian employees.

Credit Suisse Data Breach Details

Credit Suisse was founded in 1856 and has approximately $15.21 Billion in revenue. It is one of the leading institutions in private banking and asset management, with strong expertise in investment banking. On June 25, 2024, the threat actor claimed to have carried out a cyberattack on the bank and exfiltrated details on 19,000 of its users. [caption id="attachment_79024" align="alignnone" width="1622"] Source: X[/caption] The breached data purportedly includes names of employees, 6,623 unique email addresses, their codes, date of birth, gender, policy name, relationships, dates of joining, effective dates, statuses, and entities. To substantiate the claim, the threat actor 888 provided a sample of the data breach, which contains details of Credit Suisse employees in India. [caption id="attachment_79025" align="alignnone" width="1362"] Source: X[/caption] The TA, however, did not provide a specific price for the sale of data and has requested potential buyers to quote a figure. The hacker commented that they are only accepting cryptocurrency as the mode of payment. More specifically, the hacker was open to payment on Monero (XMR), a digital currency renowned for its privacy and anonymity attributes. This method of payment is often utilized in illegal transactions to evade detection. Despite these claims by the threat actor, a closer inspection reveals that the bank’s website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to the bank to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.

Not the First Credit Suisse Data Breach

This is not the first time that Credit Suisse has been involved in a security breach. According to a report published in The Economic Times, in 2023, the bank warned its staff that a former employee stole personal data of its employees, including salaries and bonuses. The information included salary and "variable compensation" for a period between 2013 and 2015. Another Bloomberg report said that a data breach in 2023 impacted numerous former Credit Suisse clients who collectively held a staggering $100 billion in accounts.

Credit Suisse Hacker Targeted Big Multinationals Recently

There are many concerns over the potential misuse of sensitive information found in the data breach, which includes customer names, dates of birth, and relationships. Credit Suisse should investigate the data breach claims considering the history of the threat actor. Earlier this month, the TA 888 claimed to have stolen data of over 32,000 current and former employees of Accenture. The company, however, denied the claims and said that the data set published by the hacker had only three employee names and email addresses. The hacker also claimed responsibility for leaking details about 8,174 employees of Heineken across several countries. Prior to this, 888 also staked claims for an attack on oil and gas multinational Shell.  The TA posted sample information sharing personal details of Australian customers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.  

Notorious ransomware group BianLian has claimed to have added two new organizations as its latest cyberattack victims. The BianLian ransomware attack was allegedly carried out on two US-based firms, namely, Better Business Bureau Inc and U.S. Dermatology Partners. The infamous actor has claimed to have accessed sensitive data including financial, contract, and employee profiles from both its victims.

BianLian Ransomware Attack: Critical Details  

The first organization targeted by hackers was Better Business Bureau (BBB), which is a private, nonprofit organization founded in 1912 in Arlington, Virginia. The firm maintains a massive database of accredited and non-accredited businesses, providing ratings based on several factors. The Better Business Bureau has a revenue of $430.6 Million. [caption id="attachment_79001" align="alignnone" width="1259"] Source: X[/caption] The threat actor claims to have accessed 1.2 TB of organization data, including accounting, budget, and financial data; contract data and NDAs; files from the CFO's computer; operational and business files; and email and PST archives. The group has also disclosed sensitive information such as the names, personal email addresses, and phone numbers of BBB’s CEO, vice president, chief accreditation officer, and chief activation officer. The other organization that has allegedly fallen victim to the ransomware group is US Dermatology Partners. The organization, with a revenue of $213.7 Million, is one of the premier dermatology practitioners in the USA, caring for over two million patients annually. [caption id="attachment_79002" align="alignnone" width="1259"] Source: X[/caption] The hackers claimed to have accessed 300 GB of organization data, including personal data, accounting and budget information, financial data, contract data and NDAs, and employee profiles.

Potential Impact of BianLian Ransomware Attack

If proven, the potential consequences of this ransomware attack could be critical as the accounting and financial details of both these firms could be leaked. The organizations should take appropriate measures to protect the privacy and security of the stakeholders involved. Financial data breaches can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company’s standing in the industry. Currently, details regarding the extent of the BianLian ransomware attack, data compromise, and the motive behind the cyber assault remain undisclosed. Despite the claims made by BianLian, the official websites of the targeted companies remain fully functional. This discrepancy has raised doubts about the authenticity of the BianLian group’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the officials of the affected organizations. As of the writing of this news report, no response has been received, leaving the ransomware attack claim unverified.

History of BianLian Ransomware Group Attacks

BianLian, a ransomware group, has been targeting critical infrastructure sectors in the U.S. and Australia since June 2022. They exploit RDP credentials, use open-source tools for discovery, and extort data via FTP or Rclone. FBI, CISA, and ACSC advise implementing mitigation strategies to prevent ransomware attacks. Initially employing a double-extortion model, they shifted to exfiltration-based extortion by 2023. According to a report by  BlackBerry, BianLian ransomware showcases exceptional encryption speed and is coded in the Go programming language (Golang). This sophisticated approach has enabled the group to strike multiple organizations, leaving a trail of unverified claims in its wake. Earlier in 2024, the group targeted companies such as North Star Tax and Accounting, KC Pharmaceuticals, Martinaire. In its attack on MOOver, the group claimed to have accessed a staggering 1.1 terabytes of the firm’s data. Subsequently, Northeast Spine and Sports Medicine also found themselves on the list of victims. All these claims, similar to the recent attack, remain unverified. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

India’s largest government-owned-telecommunications service provider, Bharat Sanchar Nigam Ltd (BSNL), has allegedly suffered a massive data breach, the second such instance in less than six months. The BSNL data breach reportedly involves critical data including international Mobile Subscriber Identity (IMSI) numbers, SIM card information, Home Location Register (HLR) specifics, DP Card Data, and even snapshots of BSNL's SOLARIS servers which can be misused for SIM cloning.

Exploring Claims of BSNL Data Breach

The BSNL data leak was first disclosed by an Indian firm, Athenian Tech, in its threat intelligence report. According to the report, a threat actor, operating under the alias “kiberphant0m”, leaked a significant amount of sensitive data affecting millions of users. The threat actor posted this information on the data hack site BreachForums and shared samples of the breach to legitimize the claim. Overall, around 278GB of sensitive information could be compromised. The hacker also posted details of call log samples which leaked sensitive information like mobile numbers of users, the date and duration of calls, and the amount charged for the call in Indian Rupees. The call log samples were being leaked in two sets: one for the month of May 2024 and another from 2020. This indicates that the data breach was a recent attack raising questions over the security checks in place at BSNL. The threat actor was selling the alleged stolen data for $5,000. The steep price tag could indicate the significant value of the stolen data which is sensitive. The Cyber Express has yet to verify the authenticity of the recent BSNL data breach and has contacted the organization for an official response.  This article will be updated based on their response.

Potential Implications of BSNL Data Breach

1. SIM Cloning and Identity Theft: Cloning a SIM involves creating a duplicate card that has the same IMSI and authentication keys, thus making it easy for the attackers to intercept messages/ calls, gain access to people’s bank accounts, and embezzle their finances.
2. Privacy Violations: Identity theft means that one can gain unauthorized access to the individuals’ communication and breaches.
3. Financial and Identity Theft: Illegal operations can defeat protective procedures in the financial portfolios, which entail substantial monetary losses and cases of identity theft.
4. Targeted Attacks and Scams: The user could be exposed to major security risks and could be vulnerable to phishing schemes and other social engineering attacks, exploiting their trust in BSNL.

The threat is not just limited to the consumers, but also to BSNL’s operations and security. Illegal access to servers can result in service disruptions, slow performance, and unauthorized access to telecom operations. Leaking of such information poses a severe threat to critical infrastructures and paves the way for future attacks on complex systems interconnectivity. BSNL users should remain vigilant and monitor any unusual activity on their phones and bank accounts and enable two-factor authentication (2FA) for added security on all accounts. BSNL too should take immediate action if the breach is confirmed, secure network endpoints, and audit access logs. They should enhance security measures, conduct frequent security audits, and adopt advanced threat detection technologies.

Second BSNL Data Breach in Less Than Six Months

If the data theft claims are proven, it would be the second instance of a cyberattack on BSNL in less than six months. In December 2023, a threat actor known as “Perell” claimed access to critical information about fiber and landline users of BSNL. The dataset contained about 32,000 lines of data allegedly impacting over 2.9 million users. However, BSNL did not validate the claims back then. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Neiman Marcus has issued a notification to its customers regarding a massive data breach that occurred in May 2024, potentially exposing sensitive personal information. The Neiman Marcus data breach, affecting approximately 64,472 customers, involved unauthorized access to a cloud database platform used by the luxury retailer, which is operated by Snowflake, a third-party provider. In a conversation with The Cyber Express, a Neiman Marcus spokesperson confirmed the breach, stating, "Neiman Marcus Group (NMG) recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake." Prompt action was taken, with the spokesperson adding, "Promptly after discovering the incident, NMG took steps to contain it, including by disabling access to the platform."

Neiman Marcus Data Breach Confirmed

The Neiman Marcus data breach compromised a range of personal data, including customer names, contact details, dates of birth, and Neiman Marcus gift card numbers. "Based on our investigation, the unauthorized party obtained certain personal information stored in the platform," the spokesperson continued, clarifying that "The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers (but without gift card PINs)." Neiman Marcus has acted swiftly, launching an investigation with leading cybersecurity experts and notifying law enforcement authorities. In compliance with regulatory requirements, the company has begun notifying affected customers, including reaching out to the Maine Attorney General's office. The retailer has advised customers to monitor their financial statements for any suspicious activity and has provided resources for individuals concerned about identity theft.

Mitigation Against the Neiman Marcus Data Leak

"We also began an investigation with assistance from leading cybersecurity experts and notified law enforcement authorities," the spokesperson emphasized. Customers are encouraged to request free credit reports, report any suspected fraud to law enforcement and the Federal Trade Commission, and consider placing a security freeze on their credit files as precautionary measures. Neiman Marcus Group, Inc., based in Dallas, Texas, is a popular luxury retailer that oversees brands such as Neiman Marcus, Bergdorf Goodman, Horchow, and Last Call. Since September 2021, it has been under the ownership of a consortium of investment firms led by Davidson Kempner Capital Management, Sixth Street Partners, and Pacific Investment Management. Following this Neiman Marcus data leak, the firm has established a dedicated toll-free hotline (1-885-889-2743) for affected customers seeking further information or assistance related to the data breach incident. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Monday that a cyberattack in January may have compromised sensitive information related to the nation's chemical facilities. Initially reported in March, the attack exploited a vulnerability in Ivanti products, leading to the temporary shutdown of two systems. In an advisory this week, CISA detailed that the Chemical Security Assessment Tool (CSAT) was specifically targeted by the cyber intrusion, which occurred between January 23 and 26. CSAT contains highly sensitive industrial data, and while all information was encrypted, CISA warned affected participants of the potential for unauthorized access.

Potential Data Compromised in Chemical Facilities' Targeting

CISA's investigation found no direct evidence of data exfiltration but indicated that the hackers might have accessed critical information such as site security plans, security vulnerability assessments (SVAs), and user accounts within CSAT. Additionally, "Top-Screen surveys," which detail the types and quantities of chemicals, their properties, and storage methods at facilities, might have been exposed. High-risk chemical facilities are mandated to submit SVAs outlining their critical assets, cyber and physical security policies, and an analysis of potential vulnerabilities. Other compromised documents could include details on cybersecurity measures, alarms and physical barriers in place at these facilities.

CISA's Response and Recommendations

CISA has informed participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the potential data exposure. Although no credentials were confirmed to be stolen, CISA advises those with CSAT accounts reset any identical business or personal passwords. They also recommend organizations using Ivanti products review a February advisory about recent vulnerabilities. The agency cannot directly notify individuals submitted for terrorist vetting under the CFATS Personnel Surety Program because it did not collect their contact information. However, identity protection services will be offered to those affected, specifically those vetted between December 2015 and July 2023.

Investigation Findings

The breach was detected on January 26, when CISA discovered hackers installing tools on an Ivanti device. Further investigation revealed multiple accesses to the system over two days. Various departments within CISA and the Department of Homeland Security (DHS) were involved in the investigation, which confirmed no hacker access beyond the initial Ivanti device. Despite the absence of evidence for data exfiltration, the potential risk to numerous individuals and organizations categorized this intrusion as a "major incident" under the Federal Information Security Modernization Act (FISMA). CISA is setting up a call center to assist impacted individuals, although it is not yet operational. The agency did not comment on the perpetrators of the attack, but since 2020, CISA has cautioned organizations about state-sponsored hackers, including those linked to China, exploiting vulnerabilities in Ivanti products.

Experts Say More Transparency Required

Roger Grimes, a data-driven defense evangelist at KnowBe4, lauded CISA's intent and the fact that it publicly accepted the hack but said a bit more transparency would have done no harm.

"I'm a big fan of CISA. I think they do wonderful work. Still, it would be useful to have better, full transparency," Grimes told The Cyber Express. "Was their Ivanti device exploited by an unpatched, but known vulnerability, or exploited by a 0-day? If they were exploited by a known vulnerability where a patch was available, which is more likely, why wasn't the patch installed? Was it simply due to the fact that the exploit happened faster than the patch could be applied? Was the patch missed? If the patch was missed, why? Or was it a 0-day, misconfiguration, or credential compromise?"

"This is not to embarrass CISA, but to learn why one of the best, most aggressive patch-pushing, cyber-defending organizations in the world got compromised," Grimes added. "Sharing what happened and why can help other organizations facing similar problems and challenges learn lessons.

"CISA is always pushing for other industries and vendors to be more transparent about their compromises so that we can all learn from the lessons and mistakes. I expect CISA to do the same and even lead by example when it's their infrastructure involved."

After the Qilin ransomware gang last week published on its leak site a data subset as a proof of hacking Synnovis’ systems, the London-based pathology services provider has now confirmed its legitimacy saying the data belongs to its storage drive related to administrative work and contains fragments of patient identifiable data. Hackers that are linked to the Russian-linked Qilin ransomware gang published on Friday around 400 gigabytes of sensitive patient data, which they claimed included names, dates of birth, NHS numbers and descriptions of blood tests stolen from Synnovis’ systems. Following the data leak on the dark web, Synnovis confirmed on Monday that the published data was legitimate but noted it was too early to determine the full extent of the compromised information.

“Last week a group claiming responsibility for the cyberattack published data online. We have now been able to confirm that this data was stolen from Synnovis’ systems.” - Synnovis

An initial review from Synnovis over the weekend revealed no evidence that the Laboratory Information Management Systems (LIMS) - the primary databases for patient test requests and results - were posted. However, fragments of patient-identifiable data from an administrative working drive have been published, Synnovis said. The payroll information storage area remains unaffected but further review of employee-related data that appeared in the dataset published on the dark web is underway. Synnovis emphasized the priority of understanding the compromised administrative working drive. The company is working alongside technical experts to ascertain more details and mitigate concerns among service users, employees and partners. The Information Commissioner’s Office (ICO) is investigating the breach, acknowledging the sensitivity of the leaked data and the anxiety it may cause. “While we are continuing to make enquiries into this matter, we recognize the sensitivity of some of the information in question and the worry this may have caused,” the ICO said. The ICO advises concerned individuals to visit its website and NHS England’s site for guidance and support. NHS England continues collaborating with Synnovis and the National Crime Agency to address the ransomware attack. NHS England acknowledged Synnovis’ initial analysis that confirmed the published data originated from their systems. The complex nature of such investigations means it could take weeks to identify all impacted individuals, it said. As the investigation proceeds, NHS England and Synnovis will provide updates and have established a helpline for those affected. Local health systems are working together to manage the impact on patients and have deployed additional resources to ensure urgent blood samples are processed. Laboratories can now also access historical patient records, which aids continuity of care, NHS England said. The cyberattack has significantly delayed blood tests, with some media reports stating NHS patients potentially waiting up to six months for sample collection. Earlier, Synnovis said the ransomware attack had significantly brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day. The Guardian cited a letter to one of the patients from the impacted hospital being told:

“Sadly it appears it may be three to six months before bloods can be taken again. You will be put on a waiting list and our secretaries will contact you when bloods can be taken again. If you haven’t heard anything in the next four months please feel free to contact us on the details above. I want to apologise for this inconvenience and appreciate this will be frustrating.”

The pathology service provider was processing only “clinically critical” blood samples flagged by clinicians. These delays have prompted some patients to seek private clinics for faster testing and analysis that cost significantly high. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this month to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.

Last week's ransomware attack on software as a service (SaaS) provider CDK Global has had a ripple effect on its customers, as multiple car dealerships serving thousands of locations report disruptions in their filings with the U.S. Securities and Exchange Commission. The CDK ransomware attack has paralyzed thousands of car dealerships across North America, disrupting operations for some of the largest automotive retailers. The attack that began last Tuesday has impacted operations of major players such as Asbury Automotive Group, AutoNation, Group 1 Automotive, Lithia Motors, Penske, Sonic Automotive, and the number is expected to swell even more in coming days.

Systems Shut Down After Attack

CDK Global, a crucial provider of SaaS platforms for dealerships, was forced last week to shut down its systems in response to the cyberattack. With the work done so far, our core DMS and Digital Retailing solutions have been restored," a spokesperson for CDK Global told The Cyber Express at the time. "We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing." This shutdown has hindered dealerships' abilities to manage customer relationships, sales, financing, service, inventory, and back-office operations. CDK Global's systems are vital to over 15,000 car dealerships in North America. It facilitates various operations, including car sales, repairs and registrations. There are only a handful of DMS companies for dealers to choose from. Thus, thousands of dealerships are hugely reliant on CDK’s services to line up financing and insurance, manage inventory of vehicles and parts, and complete sales and repairs.

How CDK Global Cyberattack Impacts Customers

Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive have activated their incident response plans and disconnected from CDK systems as a precaution, although no evidence of compromise within their own networks was found. Sonic Automotive mentioned that as of Friday, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Group 1 Automotive noted that CDK aims to restore the dealer management system within "several days and not weeks," but the financial impact depends on the system's downtime duration. Group 1 owns and operates 202 automotive dealerships, 264 franchises, and 42 collision centers in the United States and the United Kingdom that offer 35 brands of automobiles.

CDK Customers Move to Manual Methods

Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but "slower than normal." It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.

CDK May Pay Ransom

Late on Friday, Bloomberg reported that CDK Global is negotiating with the a ransomware gang, which Bleeping later confirmed to be BlackSuit, a rebrand of the Royal ransomware group known for last year's attack on the city government of Dallas. Although the ransom amount remains undisclosed, CDK Global reportedly plans to pay, Bloomberg said. CDK Global has issued prerecorded messages to warn customers about hackers posing as CDK staff to gain unauthorized access. Despite making recovery progress last week, CDK faced a second cyber incident that led to a complete shutdown of its systems. The company is working with third-party experts to assess the impact and update its customers regularly. This attack exposes the critical vulnerabilities in the supply chain of the automotive industry and its reliance on centralized digital platforms.

Crypto portfolio tracking app Coinstats has found itself at the center of a security breach, impacting approximately 1,590 user wallets. The Coinstats data breach, which occurred on June 22, 2024, has been attributed to a group with alleged ties to North Korea, marking a concerning development for crypto investors.  Coinstats swiftly responded to the breach by taking down its application temporarily. This proactive measure was aimed at containing the data breach at Coinstats and preventing further unauthorized access to user data and funds.  The affected wallets, constituting about 1.3% of all Coinstats wallets, were primarily those created directly within the app. Fortunately, wallets connected to external exchanges and platforms remained unaffected, providing some relief amidst the security scare.

Understanding the Coinstats Data Breach 

[caption id="attachment_78679" align="alignnone" width="733"] Source: Coinstats on X[/caption] In a public statement addressing the breach, Coinstats reassured its user base that the incident has been mitigated, and immediate steps have been taken to secure the platform. Users whose wallet addresses were compromised were advised to take action by transferring their funds using exported private keys. A spreadsheet link was provided for users to check if their wallets were among those affected. CEO Narek Gevorgyan highlighted the seriousness of the situation, acknowledging the challenges posed by the Coinstats cyberattack while emphasizing Coinstats' commitment to restoring normal operations swiftly and securely. Gevorgyan outlined that comprehensive security measures were being implemented during the restoration process to fortify the platform against future vulnerabilities. "We're actively working to bring the app back online as quickly as possible. Thank you for your patience," stated Gevorgyan in an update shared via Coinstats' official channels.

North Korea-linked Hackers Behind the Data Breach at Coinstats

The revelation of North Korea-linked hackers being behind the breach adds a geopolitical dimension to the Coinstats data breach incident, highlighting the global reach and sophisticated tactics employed by cyber threat actors targeting digital assets and platforms. This aspect of the breach highlights the need for heightened cybersecurity measures across the cryptocurrency sector. In a similar case, another crypto firm, BtcTurk faced a cyberattack on its hot wallets on June 22, 2024. Binance Binance CEO Richard Teng confirmed this attack, pledging ongoing support for BtcTurk's investigation. Cryptocurrency investigator ZachXBT hinted at a possible link between the breach and a $54 million Avalanche transfer.  Coinstats users have been urged to remain vigilant and monitor their accounts closely for any unauthorized transactions or suspicious activities. The company assured its users that it is actively investigating the extent of funds moved during the breach and pledged to provide updates as new information becomes available. In response to the breach, regulatory bodies and industry stakeholders may scrutinize Coinstats' security practices and response protocols. The outcome of such scrutiny could influence future cybersecurity standards within the cryptocurrency industry, potentially leading to more stringent requirements for platform security and user protection.

Jollibee Foods Corporation (JFC), which is the largest fast-food chain operator in Philippines, has launched an investigation for an alleged data breach in its system that may have affected millions of its customers across the globe. The Jollibee probe was initiated after a threat actor claimed responsibility for breaching the systems of the Jollibee Foods Corporation. On June 21, The Cyber Express reported that a notorious attacker, operating under the alias “Sp1d3r”, claimed to have access to the sensitive data of 32 million customers of the fast food chain and offered to sell the database for $40,000 on the dark web. [caption id="attachment_78479" align="alignnone" width="1950"] Source: X[/caption]

Details of Jollibee Probe into Cyberattack

The Philippines National Privacy Commission (NPC) regulations make it mandatory for organizations in the country to report and inform stakeholders of cybersecurity incidents within 72 hours of discovery. A statement was released on June 22 by Richard Shin, Chief Financial Officer and Corporate Information Officer of JFC, which said that it was addressing “a cybersecurity incident” that reportedly affected the company, “in addition to other subsidiaries”. “The Company is addressing the incident and has implemented its response protocols and deployed enhanced security measures to further protect the Company’s and its subsidiaries’ data against threats. The Company has also launched its investigation on the matter to understand the scope of this incident, and is currently working with the relevant authorities and experts in its investigation,” the statement said. JFC, however, added that its e-commerce platforms and those of its subsidiaries’ brands remained unaffected by the cyberattack and continued to be operational. It added that the safety of data from stakeholders was paramount for the company. “JFC recognizes the value and importance of the confidentiality of personal information of its stakeholders. The Company assures the public of its commitment to prioritize the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defenses against future threats,” the company said. “The Company further assures the public that it continues to monitor and update its security measurements as appropriate under the circumstances, and as may be required by the results of its investigation into this matter,” it added. The fast-food delivery group urged the public to be vigilant and exercise good information security practices, including keeping passwords secure and changing them often.

Jollibee’s Cybersecurity Concerns  

The alleged data breach of the fast-food chain took place on popular data hack site BreachForums on June 20. The threat actor, “Sp1d3r”, claimed to have carried out a cyberattack and had gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. JFC, meanwhile, is investigating this alleged cyberattack on its brands and subsidiaries, including Greenwich, Red Ribbon, Burger King Philippines, and Highlands Coffee. This is not the first time that Jollibee has faced flak for its cybersecurity measures. In December 2017, JFC had informed of a data breach of its delivery website. The NPC had then warned that the data of 18 million customers was at “a very high risk” of being exposed. After an investigation, the NPC in May 2018 suspended Jollibee’s delivery website due to “serious vulnerabilities.” JFC also took down the delivery websites of its other brands. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Following the massive cyberattack on Turkish cryptocurrency exchange BtcTurk, Binance has joined efforts to investigate the incident and has frozen over $5.3 million in stolen funds. Binance CEO Richard Teng confirmed this intervention on X, sharing operation details. The BtcTurk cyberattack, which occurred on June 22, 2024, targeted BtcTurk's hot wallets, exposing vulnerabilities in the exchange's internet-connected software-based crypto wallets. [caption id="attachment_78617" align="alignnone" width="738"] Source: X[/caption] BtcTurk reassured its users in a statement on its website and denoted that most assets stored in cold wallets remained secure, safeguarding the bulk of its users' holdings. Binance CEO Richard Teng stated on X that their team is actively supporting BtcTurk in their investigation and pledged to provide updates as their security teams uncover more information. 

Decoding the BtcTurk Cyberattack

Cryptocurrency investigator ZachXBT hinted at a potential link between the BtcTurk breach and a $54 million Avalanche transfer. The transfer, involving 1.96 million AVAX to Coinbase and subsequent Bitcoin withdrawals from Binance, coincided suspiciously with the timing of the cyberattack on BtcTurk. [caption id="attachment_78620" align="alignnone" width="755"] Source: X[/caption] Despite the setback, BtcTurk announced plans to gradually restore crypto deposit and withdrawal services once their cybersecurity measures are completed. They emphasized that their financial resilience surpasses the amount lost in the attack, ensuring that user assets remain unaffected. “Our teams have detected that there was a cyber attack on our platform on June 22, 2024, which caused uncontrolled footage to be taken. Only some of the balances in the hot wallets of 10 cryptocurrencies were affected by the cyber attack in question, and our cold wallets, where most of the assets are kept, are safe. BtcTurk's financial strength is well above the amounts affected by this attack, and user assets will not be affected by these losses”, reads the organization's statement. 

Mitigation Against the Cyberattack on BtcTurk

The BtcTurk cyberattack specifically impacted deposits of various cryptocurrencies, including Bitcoin (BTC), Aave (AAVE), Algorand (ALGO), Ankr (ANKR), Cardano (ADA), Avalanche (AVAX), ApeCoin (APE), Axie Infinity (AXS), Chainlink (LINK), Cosmos (ATOM), Filecoin (FIL), among others, says BtcTurk's. “Our teams are carrying out detailed research on the subject. At the same time, official authorities were contacted. As a precaution, cryptocurrency deposits and withdrawals have been stopped and will be made available for use as soon as our work is completed. You can follow the current status of the transactions on https://status.btcturk.com”, concludes the statement.  As investigations continue, both BtcTurk and Binance are working diligently to mitigate the impact of the cyberattack and strengthen their security protocols to prevent future incidents. Users are encouraged to monitor official channels for updates on the situation. By collaborating and taking swift action, Binance and BtcTurk aim to uphold trust within the cryptocurrency community while enhancing the resilience of their platforms against online threats.

Jollibee, the Philippines’ largest fast-food chain, has allegedly been hit by a massive data breach. The Jollibee cyberattack came to light on June 20, 2024, when a threat actor claimed responsibility for breaching the systems of Jollibee Foods Corporation. The notorious attacker, operating under the alias “Sp1d3r“, claimed to have access to the sensitive data of 32 million customers of the fast food chain and offered to sell the database for $40,000.

Details of Jollibee Cyberattack

The data breach of the fast-food chain was posted by the threat actor on popular data hack site BreachForums. The threat actor stated that “Jollibee is a Filipino chain of fast-food restaurants owned by Jollibee Foods Corporation. As of September 2023, there were over 1,500 Jollibee outlets worldwide, with restaurants in Southeast Asia, East Asia, the Middle East, North America, and Europe.” [caption id="attachment_78479" align="alignnone" width="1950"] Source: X[/caption] The threat actor claimed to have carried out a cyberattack and had gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. To support these claims, the TA included a sample in tabular data format accessible through spreadsheet programs like Microsoft Excel and Google Sheets. While the exact details of the alleged data breach remains unclear, the potential impact on millions of customers is cause for concern.

Jollibee Yet to React to Cyberattack Claims

The motive behind the Jollibee cyberattack remains unknown. So far, Jollibee Foods Corporation has not reacted or issued any official statement regarding the alleged data breach. The Cyber Express has reached out to the corporation to verify the claims. This article will be updated once the company responds to the allegations and shares any preventive measures in place to prevent critical data from being misused. The Philippines National Privacy Commission (NPC) has yet to receive any notification from Jollibee Foods Corporation regarding the breach. The NPC regulations require organizations to inform affected individuals and report such incidents within 72 hours of discovery.

Jollibee Cyberattack Threat Actor Responsible for Snowflake Breach

While Jollibee investigates the claims made by “Sp1d3r”, the threat actor has been responsible for several recent breaches, which includes many customers of third-party cloud data storage vendor Snowflake. On June 1, “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes, and other information. The same threat actor was responsible for the data breach at American automobile aftermarket component supplier Advance Auto Parts, Inc. The attacker “Sp1d3r” claimed to have stolen three terabytes of customer data from the company’s Snowflake cloud storage and was selling the data for US$1.5 million. In its report, the company stated that the cyberattack could create damages up to $3 million. The Jollibee Cyberattack is a stark reminder of the vulnerabilities of the digital world, where even the largest and most established companies could become victims of notorious data hackers. Customers should stay vigilant and follow any further guidance provided by Jollibee and cybersecurity professionals. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

One of Australia’s largest telecommunications companies Optus could have averted the massive 2022 data breach that leaked nearly 9.5 million individuals’ sensitive personal information, the Australian telecom watchdog said. The Australian Communications and Media Authority in a filing with the Federal Court said, “[Optus] cyberattack was not highly sophisticated or one that required advanced skills.” Its investigation attributed the 2022 Optus data breach to an access control coding error that left an API open to abuse. The investigation details of ACMA comes weeks after the telecom watchdog took legal action against Optus, in the same court, for allegedly failing to protect customer data adequately.

Coding Error and API Mismanagement Led to Optus Data Breach

The ACMA claimed that Optus had access controls in place for the API but a coding error inadvertently weakened these controls allowing them to be bypassed. This error left the API vulnerable, especially since it was internet-facing and dormant for an extended period. The vulnerability was reportedly introduced through a coding error in September 2018 and was first noticed in August 2021. But this issue was only fixed for the main site – www.optus.com.au – and not the subdomain (likely api.www.optus.com.au) where the vulnerable API endpoint was hosted.

“The coding error was not identified by Optus until after the cyberattack had occurred in mid-September 2022. Optus had the opportunity to identify the coding error at several stages in the preceding four years including: when the coding change was released into a production environment in September 2018; when the Target Domain (and the Main Domain) became internet-facing through the production environment in June 2020; and when the coding error was detected for the main domain in August 2021.” – ACMA

But the company failed to do so causing alleged harm to more than one-third (approximately 36%) of the Australian population. The telco watchdog alleged that Optus’ failure to protect customer data constitutes a breach of its obligations under Australian law.

Optus’ Response to ACMA’s Allegations

Optus, in a statement to The Cyber Express, confirmed the vulnerability and provided details on the cyberattack. “The cyberattack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defenses that arose from a historical coding error,” said Interim CEO of Optus Michael Venter.

“This vulnerability was exploited by a motivated and determined criminal as they probed our defenses, and then exploited and evaded these defenses by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data. The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.” – Michael Venter, Interim CEO of Optus

Venter said following the 2022 Optus data breach, the company has reviewed and updated its systems and processes. It has invested in heightened cyber defenses to address the increased global cyber risk environment. The company expressed regret over the incident and emphasized its commitment to protecting customer data. “Our customers expected their information would remain safe. We accept that this did not happen, and the cyber attacker gained unauthorised access to some of their information,” Venter said. Optus suffered a major customer data breach in 2022 that gave malicious actors access to about 9.5 million former and current customers' sensitive information including names, birth dates, phone numbers, email addresses and, for a subset of customers (2,470,036), addresses and ID document numbers such as driver’s license or passport numbers. Of these, the hacker also released the personally identifiable information (PII) of 10,200 Optus customers on the dark web.

Deloitte Report Handed to the Federal Court

Post the hack, although the privacy commissioner and ACMC held detailed investigations, Optus itself commissioned an independent external review of the cyberattack. Despite attempts to keep the document confidential, the Australian federal court ordered Optus last month to file this report with the court, which is expected to provide crucial insights into the breach. “Optus is working with the ACMA and separately Slater and Gordon with the intention of providing them with a confidential version of the Deloitte Report that appropriately protects our customer data and systems from cybercriminals,” Venter told The Cyber Express. The forensic report prepared by Deloitte detailing the technical aspects of the breach was finally handed over to the federal court on Friday. The details revealed in this report will also be used in a separate class action against Optus.

“Much to do to Fully Regain our Customers’ Trust”

Optus has acknowledged the breach’s impact on customer trust, with Venter expressing deep regret for the incident. Optus has reimbursed 20,071 current and former customers for the cost of replacing identity documents. The company is also covering costs incurred by government agencies related to the breach. Optus has pledged to cooperate with the ACMA’s investigation and defend its actions in court, aiming to correct any misconceptions and improve its cybersecurity measures.

“Optus recognizes that we still have much to do to fully regain our customers’ trust and we will continue to work tirelessly towards this goal,” – Michael Venter

The Optus data breach highlights the critical importance of robust access controls and diligent monitoring of cybersecurity vulnerabilities. The incident serves as a cautionary tale for organizations worldwide to ensure comprehensive protection of sensitive data and maintain customer trust through proactive and transparent security practices. As the case progresses, it will provide further insights into the complexities of cybersecurity in the telecommunications sector and the measures necessary to prevent similar breaches in the future.

Crown Equipment, a global top five forklift manufacturer, was hit by a cyberattack that has disrupted its manufacturing operations for nearly two weeks. The company yesterday attributed the attack to an "international cybercriminal organization," raising speculation of a ransomware gang's involvement. The cyberattack has affected Crown's IT systems, employee workflows and overall business continuity for the second week running.

Crown Equipment Cyberattack Overview

Since approximately June 8th, Crown's employees reported a breach in the company's IT systems. This breach led to a complete shutdown of systems, preventing employees from clocking in their hours, accessing service manuals, and in some cases delivering machinery. In an internal email sent to employees, the heavy machinery manufacturer confirmed the cyberattack and advised employees to ignore multifactor authentication (MFA) requests and to be cautious of phishing emails.

"I currently work there. Everyone is scrambling, can't order parts except for TVH and that's strictly for emergencies. The company hasn't officially announced that it's been hacked but they keep pushing the importance of MFA. We can read between the lines." - Reddit User (Williams2242)

The company in its press release revealed that the breach necessitated the shutdown of their operating systems to investigate and resolve the issue without giving details on the hackers and their ransom demand, if any.

Crown Equipment Attack Details

Crown disclosed that many of their security measures were effective in limiting data access by the criminals. However, the breach likely occurred due to an employee not adhering to data security policies that resulted in unauthorized access to their device, according to a Reddit post.

"I heard someone got a call from a hacker pretending to be IT. They installed a fake VPN on their computer and got access to everything. They created a privileged account on the network that gave them access all the systems. The network went down Sunday and it's been down since with no ETA." - Reddit User (DragonflyJust2223)

This speculation suggests a social engineering attack where the threat actor installed remote access software on the employee's computer. BornCity, a website maintained by a German-speaking digital observer, first reported the possibility of a hack nearly a week ago. Citing a distant source who used to work at the manufacturing plant of Crown, BornCity said the problems were likely due to a 'coding bug.' "This had sent the Crown 360 (a service likely based on the Microsoft Cloud and Office 365) solution downhill – but I take that information not as reliable." Crown Equipment, however, did not confirm the speculation and thus the claims remain unverified.

Impact on Crown Equipment's Employees

Initially, Crown told employees they would need to file for unemployment or use their paid time off (PTO) and vacation days to receive pay for missed days. Last weekend, this directive was updated and the employees were asked to file for unemployment, after which several took to Reddit to vent their discontent.

"The fact that their not paying people for their mistake is straight bu****it. Crown pretends to be a family company but as soon as they need to support their "family" they shaft them. People need this money to live, while the owner can just sit back and chill with his multi-millions in the bank. Crown needs to take the hit and do the right thing." - Reddit User

Another said: [caption id="attachment_78309" align="aligncenter" width="1024"] Source: Reddit[/caption] However, Crown later decided to provide regular pay as an advance, allowing employees to compensate for the lost hours later. Despite this adjustment, employees expressed frustration over the lack of transparency and communication from the company during the incident. Crown Equipment has reportedly engaged some of the world’s top cybersecurity experts and the FBI to analyze the affected data and manage the aftermath of the attack. The company emphasized that there were no indications that employee personal information or data that could facilitate identity theft was targeted. The company is now in the process of restoring systems and transitioning back to normal business operations. They are also working closely with customers to minimize the disruption's impact on their operations. Although Crown did not specify the type of cyberattack, their description suggests a ransomware attack by an international cybercriminal organization. If confirmed, this implies that corporate data was likely stolen and could be leaked if the ransom demands are not met. As Crown continues to recover from this significant disruption, the incident serves as a reminder for companies worldwide to strengthen their cybersecurity protocols, including isolating critical workloads, invest in employee training to prevent social engineering attacks, and establish effective communication strategies for managing cyber incidents.

Advance Auto Parts, Inc., one of the big suppliers of automobile aftermarket components in America, has reported a data breach to the US Securities and Exchange Commission (SEC).  Advance Auto Parts data breach was first reported by The Cyber Express on June 6, 2024. In its report to the SEC, the company said that a data breach from its third-party cloud storage had resulted in unauthorized access to consumer and policyholder information. In a June 14 filing to the SEC, the company said, “On May 23, 2024, Advance Auto Parts, Inc. identified unauthorized activity within a third-party cloud database environment containing Company data and launched an investigation with industry-leading experts. On June 4, 2024, a criminal threat actor offered what it alleged to be Company data for sale. The Company has notified law enforcement.” A threat actor going by the handle “Sp1d3r” had claimed to have stolen three terabytes of data from the company’s Snowflake cloud storage. The stolen information was allegedly being sold for US$1.5 million on dark web. [caption id="attachment_78143" align="alignnone" width="815"] (Source: X)[/caption] According to the threat actor, the stolen data included 380 million customer profiles, containing names, emails, mobile numbers, phone numbers, addresses; information on 358,000 employees, 44 million Loyalty/Gas card numbers, the company’s sales history, among other details.

Details of Advance Auto Parts SEC Filing

In its declaration to the SEC, auto parts seller said that “There has been no material interruption to the Company's business operations due to the incident. “Based on the review of files determined to have been impacted, the Company believes that some files contain personal information, including but not limited to social security numbers or other government identification numbers of current and former job applicants and employees of the Company,” the filing said. Advance Auto Parts said that the company would share information about the data breach and would offer free credit monitoring and identity restoration services to the impact parties. The company noted that though it was covered by insurance, the cyberattack could cost damages up to $3 million. “The Company has insurance for cyber incidents and currently expects its costs related to response and remediation to be generally limited to its retention under such policy. The Company currently plans to record an expense of approximately $3 million for the quarter ending July 13, 2024, for such costs,” it said to the SEC. Advance Auto Parts currently operates 4,777 stores and 320 Worldpac branches primarily within the United States, with added locations in Canada, Puerto Rico, and the U.S. Virgin Islands. The Advance Auto Parts data breach is part of a recent series of attacks targeting customers of the cloud storage company Snowflake. These attacks have been taking place since at least mid-April 2024. Snowflake acknowledged the issue in a statement, informing a limited number of customers who they believe may have been impacted by the attacks. Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers.  Many of Snowlflakes’ clients had reportedly taken down their databases after the series of cyberattacks. Infact, a comprehensive report revealed that 165 customers were impacted by the Snowflake data breach. It was on July 26, 2023 that the US Securities and Exchange Commission directed companies to mandatorily declare material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

Two weeks after the Australian privacy watchdog filed a lawsuit against Medibank for failure to protect personal information of its citizens in a 2022 data breach, the Information Commissioner's office this week made public a comprehensive analysis of the security failures that led to the incident. Medibank, a prominent Australian health insurance provider, faced a devastating cyberattack in October 2022 that compromised the personal data of 9.7 million current and former customers. According to the report from the Office of the Australian Information Commissioner (OAIC), the attack was likely caused by a lack of basic cybersecurity measures like requiring its workers to use multi-factor authentication to log onto its VPN.

The Sequence of Events in the Medibank Breach

The attack on Medibank began when an IT service desk operator at a third-party contractor used his personal browser profile on a work computer and inadvertently synced his Medibank credentials to his home computer. This home device was infected with information-stealing malware, which allowed hackers to obtain these credentials, including those with elevated access permissions. The attackers first breached Medibank’s Microsoft Exchange server using these credentials on August 12, 2022, before logging into Medibank’s Palo Alto Networks Global Protect VPN. Incidentally, the VPN did not require multi-factor authentication (MFA), making it easier for the attackers to gain access. It was only in mid-October that Medibank brought in a threat intelligence firm to investigate a Microsoft Exchange ProxyNotShell incident, when they discovered data was previously stolen in a cyberattack.

"During the Relevant Period, the Admin Account had access to most (if not all) of Medibank's systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases)." - the OAIC report.

Security Failures and Missed Alerts

Lack of Multi-Factor Authentication (MFA)

One of the critical failures in the Medibank breach was the health insurer’s neglect to implement MFA for VPN access. The OAIC report said that during the relevant period, the VPN was configured to allow access with just a device certificate or a username and password. It did not require the additional security layer provided by MFA. This oversight significantly lowered the barrier for unauthorized access.

Operational and Alert Management Failures

Despite receiving several security alerts from their Endpoint Detection and Response (EDR) software about suspicious activities on August 24 and 25, these alerts were not appropriately triaged or escalated. This delay allowed the attackers to continue their operations undetected for an extended period, which ultimately led to the exfiltration of approximately 520 gigabytes of sensitive data from the company's MARS Database and MPLFiler systems.

Data Compromised and Consequences

The stolen data included highly sensitive information such as customers' names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers and extensive health-related data. The exposure of such information has severe implications for the affected individuals, ranging from identity theft to potential misuse of medical data in various frauds and scams. The attackers linked to the ransomware gang BlogXX, which is believed to be an offshoot of the notorious REvil group, leaked the data on the dark web. This incident not only caused significant distress to millions of Australians but also highlighted the grave consequences of inadequate cybersecurity measures.

Legal and Regulatory Actions Follow

The OAIC said that Medibank was aware “of serious deficiencies in its cybersecurity and information security,” prior to the hack. For example, citing an Active Directory Risk Assessment report from Datacom in June 2020, OAIC said Medibank had an excessive number of individuals who had access to Active Directory (being the Microsoft directory service used for management of all Medibank users, group policies and domains).

"A number of individuals had been given excessive privileges to perform simple daily routines, and that MFA had not been enabled for privileged and nonprivileged users which was described as a “critical” defect."

Given the nature and the volume of the data Medibank stores and collects, “it was reasonable” for the company to adopt the security measures recommended by Australia’s privacy regulator, but “these measures were not implemented, or, alternatively, not properly implemented or enforced, by Medibank,” OAIC said.

Thus, in response to the breach and the negligence that led to it, Australia's data protection regulator OAIC, announced legal action against Medibank for failing to protect personal information. The company faces potential fines exceeding AU$2 million.

A spokesperson for the health insurer did not detail the plan of action against the lawsuit but earlier told The Cyber Express that ”Medibank intends to defend the proceedings.”

Medibank Hacker Sanctioned and Arrested

Earlier this year, the U.S., Australia, and the U.K. sanctioned Aleksandr Gennadievich Ermakov, believed to be behind the 2022 Medibank hack. Ermakov, also known by aliases such as AlexanderErmakov and JimJones, was subsequently arrested by Russian police along with two others for violating Article 273, which prohibits creating or spreading harmful computer code. Extradition of Ermakov is unlikely given the current political climate.

Lessons and Recommendations

The Medibank breach underscores several critical lessons for organizations regarding cybersecurity: 1. Implementation of Multi-Factor Authentication: Utilizing MFA for all access points, especially VPNs, is essential. MFA adds an additional layer of security, making it significantly harder for attackers to exploit stolen credentials. 2. Proper Alert Management: Organizations must ensure that security alerts are promptly and effectively managed. Implementing robust procedures for triaging and escalating suspicious activities can prevent prolonged unauthorized access. 3. Regular Security Audits: Conducting regular security audits to identify and rectify vulnerabilities is crucial. These audits should include evaluating the effectiveness of existing security measures and compliance with best practices. 4. Employee Training: Continuous training for employees on cybersecurity best practices, including safe browsing habits and the importance of using corporate credentials responsibly, is vital to minimize the risk of breaches originating from human error.

Threat actor IntelBroker, notorious for a series of daring cyberattacks, has resurfaced with claims of orchestrating a data breach of Apple’s website. The TA allegedly has gained access to internal source code of three popular tools of Apple.com. This claim comes just a day after IntelBroker claimed to have orchestrated a data breach of another tech giant, Advanced Micro Devices (AMD).

Decoding Apple Data Breach Claims

Per the available information, IntelBroker allegedly breached Apple’s security in June 2024 and has managed to lay hands on the internal source code of three commonly used Apple tools, namely, AppleConnect-SSO, Apple-HWE-Confluence-Advanced and AppleMacroPlugin. The information was posted by the threat actor on BreachForums, a high-profile platform for trading stolen data and hacking tools. “I'm releasing the internal source code to three of Apple's commonly used tools for their internal site, thanks for reading and enjoy!” the TA posted. AppleConnect is the Apple-Specific Single Sign-On (SSO) and authentication system that allows a user to access certain applications inside Apple's network. Apple-HWE-Confluence-Advanced might be used for team projects or to share some information inside the company, and AppleMacroPlugin is presumably an application that facilitates certain processes in the company. Apple has not yet responded to the alleged data breach by IntelBroker or the leaked code. However, if the data breach occurred as claimed, it may lead to the exposure of important information that could be sensitive to the workings and operations of Apple. If legitimate, this breach could compromise Apple's internal operations and workflow. Leaked source code could expose vulnerabilities and inner workings of these tools. The Cyber Express has reached out to Apple to learn more about the potential data breach. However, at the time of publication, no official statement or response has been received, leaving the claims for the Apple data leak unconfirmed for now. The article will be updated as soon as we receive a response from the tech giant.

Previous Attacks by IntelBroker

The alleged data breach at Apple could prove significant considering the history of the threat actor. IntelBroker is believed to be a mature threat actor and is known to have been responsible for high-profile intrusions in the past. On June 18th, 2024, chipmaker AMD acknowledged that they were investigating a potential data breach by IntelBroker. The attacker claimed to be selling stolen AMD data, including employee information, financial documents, and confidential information. Last month, the threat actor is believed to have breached data of European Union’s law enforcement agency, Europol’s Platform for Experts (EPE). Some of the other organizations that the attacker is believed to have breached data include Panda Buy, Home Depot, and General Electric. The hacker also claimed to have targeted US Citizenship and Immigration Services (USCIS) and Facebook Marketplace.

Apple's Security Posture

Apple prides itself on its robust security measures and user privacy. However, the company has faced security threats in the past. In December 2023, Apple released security updates to address vulnerabilities in various Apple products, including iOS, iPadOS, macOS, tvOS, watchOS, and Safari. One critical vulnerability patched allowed attackers to potentially inject keystrokes by mimicking a keyboard. This incident highlights the importance of keeping software updated to mitigate security risks. In November 2023, there were reports of a state-sponsored attack targeting Apple iOS devices used in India. While details about this attack remain scarce, it serves as a reminder that even Apple devices are susceptible to cyberattacks.

Looking Ahead

The situation with IntelBroker's claims is ongoing. If the leak is verified, Apple will likely need to take steps to mitigate the potential damage. This could involve patching vulnerabilities in the leaked code and improving internal security measures. It is important to note that these are unconfirmed reports at this stage. However, they serve as a stark reminder of the ever-evolving cyber threat landscape. Apple, and all tech companies for that matter, must constantly work to stay ahead of determined attackers like IntelBroker. For users, it is a reminder to be vigilant about potential phishing attempts or malware that could exploit these alleged vulnerabilities. Keeping software updated and practicing good cyber hygiene are crucial steps for protecting yourself online.

The Los Angeles County Department of Public Health (DPH) has disclosed a significant data breach impacting more than 200,000 individuals. The data breach at Los Angeles County DPH, occurring between February 19 and 20, 2024, involved the theft of sensitive personal, medical, and financial information. The data breach was initiated through a phishing attack, where an external threat actor obtained the login credentials of 53 DPH employees. “Between February 19, 2024, and February 20, 2024, DPH experienced a phishing attack,” reads the official notice.

Data Breach at Los Angeles County DPH: What Happened

The phishing email, designed to appear legitimate, tricked employees into divulging their credentials by clicking on a malicious link. This unauthorized access led to a wide-ranging compromise of data, affecting various individuals associated with DPH, including clients, employees, and others. The compromised email accounts contained a wealth of sensitive data. The potentially exposed information includes:

• First and last names
• Dates of birth
• Diagnosis and prescription details
• Medical record numbers/patient IDs
• Medicare/Med-Cal numbers
• Health insurance information
• Social Security numbers
• Other financial information

It is important to note that not all of the above data elements were present for every affected individual. Each individual may have been impacted differently based on the specific information contained in the compromised accounts. “Affected individuals may have been impacted differently and not all of the elements listed were present for each individual,” Los Angeles County DPH informed.

 Data Breach at Los Angeles County DPH Notification 

DPH is taking extensive steps to notify all potentially affected individuals. Notifications are being sent via post to those whose mailing addresses are available. For individuals without a mailing address, DPH also posts a notice on its website to provide necessary information and resources. The department has advised impacted individuals to review the content and accuracy of their medical records with their healthcare providers. However, on delay in notification, Los Angeles County DPH said, “Due to an investigation by law enforcement, we were advised to delay notification of this incident, as public notice may have hindered their investigation.” To assist in protecting against potential misuse of their information, DPH is offering one year of free identity monitoring services through Kroll, a global leader in risk mitigation and response. “To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll, a global leader in risk mitigation and response, to provide identity monitoring for one year at no cost to affected clients,” reads the notice.

Response and Preventive Measures

Upon discovering the Los Angeles County DPH data breach, DPH took immediate action to mitigate further risks. The department disabled the affected email accounts, reset and re-imaged the users’ devices, blocked the websites involved in the phishing campaign, and quarantined all suspicious incoming emails. Additionally, DPH has implemented numerous security enhancements to prevent similar incidents in the future. Awareness notifications have been distributed to all workforce members, reminding them to be vigilant when reviewing emails, especially those containing links or attachments. These measures aim to bolster the department’s defense against phishing attacks and other cyber threats. The incident was promptly reported to law enforcement authorities, who investigated the breach. The US Department of Health and Human Services’ Office for Civil Rights and other relevant agencies are also notified, as required by law and contractual obligations.

Steps for Individuals to Protect Themselves

While DPH cannot confirm whether any information has been accessed or misused, affected individuals are encouraged to take proactive steps to protect their personal information. These steps include:

• Reviewing Medical Records: Individuals should review their medical records and Explanation of Benefits statements for any discrepancies or unauthorized services. Any irregularities should be reported to their healthcare provider or health plan.
• Requesting Credit Reports: Individuals should remain vigilant against identity theft and fraud by regularly reviewing their financial statements and credit reports. Under US law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus: Equifax, Experian, and TransUnion. Free credit reports can be requested at www.annualcreditreport.com or by calling 1-877-322-8228.
• Placing Fraud Alerts: Individuals can place a fraud alert on their credit files, which notifies creditors to take additional steps to verify identity before granting credit. Fraud alerts can be set up by contacting any of the major credit bureaus.
• Security Freezes: A security freeze can also be placed on credit reports, which prevents credit bureaus from releasing any information without written authorization. This measure can help prevent unauthorized credit activity but may delay the approval of new credit requests.

The Los Angeles County Department of Public Health continues to cooperate with law enforcement and other agencies to protect the privacy and security of its clients, employees, and other stakeholders.

With companies coming forward every day announcing impacts from their third-party cloud data storage vendor, the Snowflake data breach seems to be snowballing into one of the biggest data breaches of the digital age. Here's everything to know about the Snowflake breach; we'll update this page as new information becomes available.

Why the Snowflake Breach Matters

Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others. Snowflake holds approximately a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, it an attractive target for cybercriminals. However, it is crucial to note that the breaches are not necessarily due to failures by Snowflake. The correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, along with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform.

Ongoing Investigation and Preliminary Results in Snowflake Breach

On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware.

Compromised Employee Account

Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA) but the demo accounts lacked such safeguards.

Test Environments Targeted

Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention.

Attack Path

The initial access point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, who helped Snowflake in its investigation, confirmed that the compromised credentials were from customer instances and were traced back to infostealer malware logs. Several variants of infostealer malware were used, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER.

Possible Reasons for the Breach

Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to four years were significant factors. Network allow lists were also not used to restrict access to trusted locations.

Unconfirmed Threat Actor Claims

The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of "sensitive" data used for determining the impact on demo accounts. The investigation is ongoing, but Snowflake stands by its initial findings.

Affected Customers from Snowflake Breach

The data breaches began in April 2024, and the company claimed it had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach. While some victims have been identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies know to have been impacted in the Snowflake data breach:

• Santander Group: The company confirmed a compromise without mentioning Snowflake.
• Impact: Santander Bank staff and 30 million customers’ data has allegedly been breached.

• TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
• Impact: 560 Million TicketMaster user details and card info potentially at risk.

• LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
• Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.

• Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
• Impact: Same actor as LendingTree claimed leak of 380 million customers and 358,000 former and current employees.

• Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
• Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million.

Tech Crunch discovered over 500 login credentials and web addresses for Snowflake environments on a website used by attackers to search for stolen credentials. These included corporate email addresses found in a recent data dump from various Telegram channels.

Security Measures and Customer Support

Snowflake Chief Information Security Officer Brad Jones reiterated the company's findings, asserting that the breaches were not due to any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts. The company acknowledges the friction in their MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite due to the high sensitivity of the data stored in their cloud environments.

Key Recommendations for Snowflake Customers:

1. Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
2. Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks.
3. Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
4. Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.

Snowflake has also published indicators of compromise and steps for detecting and preventing unauthorized user access here. Cloud security firm Permiso has developed an open-source tool dubbed "YetiHunter" to detect and hunt for suspicious activity in Snowflake environments based on the IoCs shared by Snowflake, Mandiant, DataDog, and its own intelligence. Editor's Note: This blog will be updated as additional breach information from Snowflake and its customers becomes available or is claimed by threat actors on underground forums for sale. Links and data to any additional IoCs related to the Snowflake breach will be published here too.

Hacktivist group 177 Members Team has claimed a cyberattack on Malaysia's leading internet service provider, Unifi TV. The Unifi TV cyberattack was posted on a dark web leak site, highlighting crucial details about the organization with links shared to confirm the intrusion. Unifi TV, a subsidiary of Telekom Malaysia Berhad, offers a range of services including internet access, VoIP, and IPTV. The threat actor claimed this attack on June 12, 2024, and took responsibility for compromising Unifi TV's systems and launching multiple Distributed Denial of Service (DDoS) attacks against the company.

177 Members Team Claims Unifi TV Cyberattack

[caption id="attachment_77209" align="alignnone" width="525"] Source: Dark Web[/caption] The cyberattack on Unifi TV was aimed at disrupting the operation of the organization and highlighted the importance of robust cybersecurity measures in safeguarding critical digital infrastructure. Despite claims by the threat actor that the Unifi TV website was down, the web pages seem to be operational at the moment and don’t show any immediate sign of the cyberattack. The impact of the cyberattack extends beyond Unifi TV, affecting not only the telecommunications industry but also posing a threat to Malaysia's digital ecosystem as a whole. With the country witnessing over 3,000 cyber attacks daily, according to Defence Minister Datuk Seri Mohamed Khaled Nordin, the cyberattacks on Malaysia highlights the growing nature of ransomware groups and hacktivist collectives targeting the nation. 

Previous Cybersecurity Incidents

While Unifi TV has yet to release an official statement regarding the cyberattack, concerns about data breaches have been previously raised. In July 2023, Telekom Malaysia issued a data breach alert to Unifi users, stating that personal information, including names, identification numbers, and contact details, may have been compromised. The company assured users that measures had been taken to contain the breach and protect customer data. In light of these incidents, cybersecurity experts emphasize the need for proactive measures to mitigate future threats. Collaborative efforts between government agencies, law enforcement, and private sector entities are crucial in addressing online threats that target Asian nations. As for the current Unifi TV cyberattack claims, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged attack or any official confirmation from the organization.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. food chain giant Panera Bread has begun notifying its employees of a significant data breach that occurred as a result of a ransomware attack in March 2024. The company, along with its franchises, operates 2,160 cafes under the names Panera Bread or Saint Louis Bread Co, spread across 48 states in the U.S. and Ontario, Canada. The Panera Bread data breach was disclosed in notification letters filed with the Office of California's Attorney General, where Panera detailed its response to what it termed a "security incident." Upon detecting the Panera Bread data breach, the company acted swiftly to contain it, enlisting external cybersecurity experts to investigate and inform law enforcement of the situation. The files involved were reviewed, and on May 16, 2024, we determined that a file contained your name and Social Security number. Other information you provided in connection with your employment could have been in the files involved. As of the date of mailing of this letter, there is no indication that the information accessed has been made publicly available," reads Panera's official notification.

Panera Bread Data Breach: Impact on Employees and Operations

The ransomware attack has had substantial repercussions on Panera's operations and its employees. Many of Panera's virtual machine systems were reportedly encrypted during the attack, leading to a significant outage that crippled internal IT systems, phones, point of sale systems, the company’s website, and mobile apps. During this outage, employees were unable to access their shift details and had to contact their managers to obtain work schedules. The stores faced further disruption as they could only process cash transactions, with electronic payment systems down. Additionally, the rewards program system was inoperable, preventing members from redeeming their points. The most concerning aspect of the breach for employees is the compromise of sensitive personal information. Panera has confirmed that files containing employee names and Social Security numbers were accessed. There is also the potential that other employment-related information was compromised. However, the company has assured employees that, as of the notification date, there is no evidence that the accessed information has been publicly disseminated. To mitigate the potential impact on affected individuals, Panera is offering a one-year membership to CyEx's Identity Defense Total, which includes credit monitoring, identity detection, and identity theft resolution services. This proactive measure aims to help employees safeguard their identities and respond swiftly to any signs of fraudulent activity.

The Bigger Picture: Unanswered Questions

Despite the detailed notifications to employees, Panera has yet to publicly disclose the total number of individuals impacted by the breach. The identity of the threat actors behind the ransomware attack also remains unknown. No ransomware group has claimed responsibility, which raises speculation that the attackers might be awaiting a ransom payment or have already received it. Moreover, Panera has not responded to requests for comment from The Cyber Express regarding the outage and the ransomware attack. This lack of communication leaves several critical questions unanswered, particularly about the measures being taken to prevent future incidents and the ongoing efforts to recover from the current breach.

Implications for Panera Bread Data Breach

The implications of this ransomware attack extend beyond the immediate disruption and data breach. Panera Bread's reputation is at stake, as customers and employees alike may question the company's ability to protect sensitive information. The operational disruptions also highlight vulnerabilities in the company’s IT infrastructure that need to be addressed to prevent similar incidents in the future. In response to the data breach, Panera has committed to enhancing its existing security measures. The company is likely to conduct a thorough review of its cybersecurity policies and practices to identify and address any gaps. Additionally, ongoing communication with employees and stakeholders will be crucial in rebuilding trust and ensuring that all affected parties are adequately supported. As the investigation continues, further details may emerge about the nature of the breach and the steps Panera is taking to strengthen its defenses.

A threat actor on a dark web forum has listed data from Truist Bank for sale following a cyberattack on the banking institution. Meanwhile, Kulicke and Soffa Industries, Inc. (K&S) is also dealing with a data breach. Reports indicate that Truist Bank client data, including sensitive information such as employee details and bank transactions, has been put up for sale on the dark web. The alleged Truist Bank data leak is attributed to a threat actor known as Sp1d3r. The data, reportedly obtained via the Snowflake breach, raises questions about the security measures in place at Truist Bank.

Truist Bank Data Breach Allegedly Goes on Sale on Dark Web

According to the threat actor’s post, the Truist Bank data breach is now selling for $1 million. The compromised data includes details of 65,000 employees, bank transactions containing names, account numbers, balances, and the source code for IVR funds transfers. [caption id="attachment_77051" align="alignnone" width="595"] Source: Dark Web[/caption] The post by the threat actor provides specific information about the data for sale and contact details for purchase. Additionally, the post includes various usernames, threads, reputation points, and contact information such as XMPP handles and email addresses associated with the threat actor. Meanwhile, Kulicke and Soffa Industries, a renowned semiconductor and electronics manufacturing company, disclosed a breach compromising millions of files. Initially detected on May 12, 2024, the breach exposed critical data, including source codes, engineering information, and personally identifiable information.

Two Cybersecurity Incidents at Once

In response to the Kulicke and Soffa data breach, K&S swiftly initiated containment measures in collaboration with cybersecurity experts and law enforcement agencies. The company's cybersecurity team worked diligently to isolate affected servers and prevent further intrusion. Despite the breach, K&S remains committed to safeguarding its systems and data integrity. In a filing with the U.S. Securities and Exchange Commission (SEC), K&S detailed its efforts to mitigate the impact of the breach. The company assured stakeholders that, as of the filing date, the incident had not materially disrupted its operations. However, investigations are ongoing to ascertain the full extent of the breach and increase the cybersecurity measures in place. The Truist Bank data breach and the Kulicke and Soffa cyber incident highlight the persistent threat of cyberattacks faced by organizations worldwide. While both entities are actively addressing the breaches, the incidents highlight a broader case of cybersecurity measures and their impact in safeguarding sensitive information and maintaining trust in the digital age. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Life360 Inc., the parent company of Tile, has recently disclosed that it was the victim of a criminal extortion attempt involving stolen customer data. The incident, the Life360 data breach, which was communicated by CEO Chris Hulls, highlights the growing threat of cyberattacks targeting companies that handle large amounts of user information. Chris Hulls, CEO of Life360 Inc., provided details about the extortion attempt in an official release: "Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt. We received emails from an unknown actor claiming to possess Tile customer information." Upon receiving these emails, Life360 swiftly initiated an investigation. The company detected unauthorized access to a Tile customer support platform, though notably, the breach did not affect the Tile service platform itself. The compromised data includes customer names, addresses, email addresses, phone numbers, and Tile device identification numbers. Crucially, it does not include sensitive information such as credit card numbers, passwords, log-in credentials, location data, or government-issued identification numbers, as these were not stored on the affected support platform. "We believe this incident was limited to the specific Tile customer support data described above and is not more widespread," Hulls assured. We take this event and the security of customer information seriously. We have taken and will continue to take steps designed to further protect our systems from bad actors, and we have reported this event and the extortion attempt to law enforcement. We remain committed to keeping families safe online and in the real world."

About Tile and Life360

Tile, much like Apple's AirTag, produces small Bluetooth-enabled devices that help users locate and track items such as keys, wallets, and bags. These devices work in conjunction with a mobile app, allowing users to find lost items using sound alerts or by viewing the last known location of the Tile tracker on a map. Tile is a subsidiary of Life360, the leading connection and safety app used by one in nine U.S. families. With over 66 million members, Life360 offers driving, location, and digital safety features that keep loved ones connected. The app's extensive user base makes the implications of any data breach potentially far-reaching.

Implications of the Life360 Data Breach

While the Life360 data breach did not include highly sensitive data, the exposure of personal information such as names, addresses, and phone numbers can still have significant implications. Such data can be used for targeted phishing attacks, identity theft, and other malicious activities. The breach highlights the importance of cybersecurity measures, particularly for companies managing large databases of personal information. Life360's swift response to the incident and its cooperation with law enforcement demonstrates the company's commitment to transparency and user security.

Moving Forward

In response to the breach, Life360 has reiterated its commitment to enhancing its security infrastructure and safeguarding user information. The company is taking proactive steps to prevent future cybersecurity incidents, including strengthening its cybersecurity protocols and continuing to monitor its systems for potential vulnerabilities. "We remain committed to keeping families safe online and in the real world," Hulls emphasized. The company’s prompt action and transparent communication are crucial in maintaining user trust and addressing concerns related to the breach.

Ascension, a leading healthcare provider, has made significant progress in its investigation and recovery efforts following a recent cyberattack. With the help of third-party cybersecurity experts, Ascension has identified the extent of the Ascension cyberattack and the steps needed to protect affected individuals. Ascension reports that attackers managed to steal files from a few servers within its network. Specifically, seven out of approximately 25,000 servers, primarily used by associates for daily tasks, were compromised. These servers might contain Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals. "We now have evidence that attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks. Though we are still investigating, we believe some of those files may contain PHI and PII for certain individuals, although the specific data may differ from individual to individual," said an Ascension spokesperson.

What Caused Ascension Cyberattack?

The cyberattack on Ascension was traced back to an innocent mistake by an employee who accidentally downloaded a malicious file, mistaking it for a legitimate one. "We have also identified how the attacker gained access to our systems. An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything but an honest mistake," informed the spokesperson. This incident highlights the importance of continuous cybersecurity training and vigilance among all employees to prevent such occurrences in the future. Ascension has assured its patients and associates that there is no evidence suggesting any data was taken from the Electronic Health Records (EHR) system or other clinical systems where comprehensive patient records are securely stored. This means the most sensitive health information remains uncompromised, providing some relief amidst the ongoing investigation.

Ongoing Review and Protective Measures

Ascension is currently conducting a detailed review and analysis of the potentially impacted files to determine precisely what data was affected and identify the individuals involved. This meticulous process is expected to take considerable time due to the volume and complexity of the data. In the meantime, Ascension is taking proactive steps to protect its patients and associates. The healthcare provider is offering free credit monitoring and identity theft protection services to all patients and associates, regardless of whether their data is eventually found to be compromised. This service is intended to provide immediate peace of mind and mitigate potential risks from the Ascension data breach. Individuals who wish to enroll in these protective services are encouraged to contact Ascension's dedicated call center at 1-888-498-8066.

Commitment to Transparency and Legal Compliance

Ascension remains committed to transparency throughout this investigation. While specific details regarding whether an individual's data was affected cannot be provided, Ascension pledges to follow all applicable laws and regulations related to data breach notifications. "We encourage all Ascension patients and staff who are concerned to take advantage of these services. We want to be clear that this offer does not mean we have determined that any specific individual patient’s data has been compromised. Rather, it illustrates our desire to do everything possible to reassure our patients and associates, regardless of any impact to specific individuals’ data," the spokesperson explained. "Once our data analysis is complete, we are committed to following all applicable laws and regulations to notify affected individuals and the appropriate regulatory bodies. To our patients, associates, and the communities we serve, we regret any disruption or concern you may have experienced as a result of this incident," the spokesperson added.

Background and Impact of Cyberattack on Ascension

On May 10, The Cyber Express reported that Ascension faced disruptions in clinical operations due to a cyberattack that prompted the organization to take some of its systems offline. Operating in 19 states and the District of Columbia, Ascension oversees 140 hospitals and 40 senior care facilities. It also boasts a significant workforce of 8,500 providers, 35,000 affiliated providers, and 134,000 associates. In 2023, Ascension’s total revenue amounted to $28.3 billion. Given its substantial revenue and widespread operations, the impact of this cyberattack was significant. The organization detected unusual activity on select technology network systems, prompting an immediate response, investigation initiation, and activation of remediation efforts. Due to the cyberattack, Ascension advised its business partners to temporarily sever connections to its systems as a precautionary measure and stated it would notify partners when it is safe to reconnect. The cyberattack on Ascension disrupted clinical operations, prompting an investigation into the extent and duration of the disruption.

A resident of Moreton Bay, Australia was shocked to discover that the private information of several resident ratepayers in the region, including their friends and neighbors, had been accidentally published on the Moreton Bay council's official website. The leaked information included names, residential addresses, email addresses, and phone numbers, as well as resident complaints to the council and details about council investigations.

Data Breach Discovered By Local Resident

City of Moreton Bay resident Piper Lalonde, who works as a data analyst, had discovered the breach along with her husband. They were shocked to learn that their personal information was freely available on the council's customer request online portal. The couple had discovered that the information included their phone numbers,  complaints, and requests that they had made for new bins, along with the GPS coordinates of where the requests had been filed. A further investigation into the breach had revealed that the personal information of some of their friends and neighbors who were fellow ratepayers were also available in the records after they conducted a search. Piper reported this information to the council, with the website being taken down the next day. However, she was still unsatisfied with the lack of notification about the incident to impacted residents. Piper stated, "I would expect they'd have to send out some formal communication letting people know their information was publicly accessible, but there was no indication they were going to do that." She expressed concern about the possibility of people stumbling upon complaints made about them by other residents. She added, "If this gets in the wrong hands — it just takes one person to see a complaint about them, and who knows what they'll do."

City of Moreton Bay Responses to Data Breach

After Piper's report, the website was said to be taken down. The site appears to be functional as of now, with some functions still limited. The website includes an official notice in response to the incident. [caption id="attachment_76878" align="alignnone" width="2204"] Source: moretonbay.qld.gov.au[/caption]

We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed.

The notice appears to indicate that the breach stemmed from a third-party provider. The Cyber Express team has reached out to the Moreton Bay Council's Privacy Officer for further information on the breach, however no response has been received as of publication time. The potential scale of the data breach, as well as its impact on residents, is currently unknown. It is also unclear on how many individuals may have accessed the available data before the website had been temporarily taken down and subsequently limited. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The MEDUSA ransomware group has reared its ugly head again and this time it has claimed to have targeted three new victims: GEMCO Constructors, Dynamo Electric and Farnell Packaging. The ransomware group’s dark web portal highlighted these additions, adding to their growing list of victims. Like many of its earlier attacks, the group has not disclosed crucial details, such as the type of compromised data. It has, however, demanded a bounty of US $900,000 from GEMCO and $100,000 each from Dynamo and Farnell Packaging to stop leaking its internal data.

MEDUSA Ransomware Attack: The Latest Victims

GEMCO Constructors is headquartered in Indianapolis, Indiana, USA. The ransomware actors have claimed to have access to 1.0 TB of the organization's data and has threatened to publish it within 6-7 days. The second company that the group has claimed to have targeted is Dynamo, which is based in Saskatchewan, Canada. Data of the company, which specializes in electrical and electronic manufacturing, has allegedly been compromised. MEDUSA has claimed to have exfiltrated 149.6 GB of the organization's data and plans to publish it within 6-7 days. Farnell Packaging, a Canadian company in the packaging and container industry, has also allegedly been attacked. The attackers claimed to have accessed 193.9 GB of the organization's data and warned the data would be published within 8–9 days. Despite the gigantic claims made by the ransomware group, the official websites of the targeted companies seem to be fully operational, with no signs of foul play. The organizations, however, have not yet responded to the alleged cyberattack, leaving the claims made by the ransomware group unverified.  The article would be updated once the respective organizations respond to the claims. The absence of confirmation raises the question of the authenticity of the ransomware claim. It remains to be seen whether it is a tactic employed by MEDUSA to garner attention or if there are ulterior motives attached to their actions. Only an official statement by the affected companies can shed light on the true nature of the situation. However, if the claims made by the MEDUSA ransomware group do turn out to be true, then the consequences could be far-reaching. The potential leak of sensitive data could pose a significant threat to the affected organizations and their employees.

Background of MEDUSA Ransomware Group

MEDUSA first burst onto the scene in June 2021 and has since targeted organizations in various countries across multiple industries, including healthcare, education, manufacturing, and retail. Most of the companies, though, have been established in the United States of America. MEDUSA functions as a Ransomware-as-a-Service (RaaS) platform. It provides would-be attackers with malicious software and infrastructure required to carry out disruptive ransomware attacks. The ransomware group also has a public Telegram channel that threat actors use to post data that might be stolen, which could be an attempt to extort organizations and demand payment.

Previous Ransomware Attacks

Less than three weeks ago, MEDUSA ransomware group claimed a cyberattack on Comwave, a Canadian communications giant renowned for providing internet, network security solutions, and customer support services.  In January 2024, a prominent non-profit organization, Water For People, was targeted by the group. The organization faced the pressure of a deadline to comply with the demands of the ransomware group. MEDUSA also targeted four organizations across different countries, including France, Italy, and Spain. The group’s modus operandi remains uniform, with announcements being made on their dark web forum accompanied by deadlines and ransom demands. As organizations deal with the fallout of cyberattacks by groups like MEDUSA, it becomes crucial to remain vigilant and implement stringent security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The United Kingdom and Canada privacy watchdogs announced a joint investigation this week to determine the security lapses in the genetic testing company 23andMe’s October data breach, which leaked ancestry data of 6.9 million individuals worldwide. The UK Information Commissioner John Edwards and Privacy Commissioner of Canada Philippe Dufresne will lead the investigation, pooling the resources and expertise of their respective offices.

Focus of 23andMe Data Breach Investigation

The joint investigation will examine three key aspects:

• Scope of Information Exposed: The breadth of data affected by the breach and the potential harm to individuals arising from it.
• Security Measures: Evaluate whether 23andMe had adequate safeguards to protect the sensitive information under its control.
• Breach Notification: Review whether the company provided timely and adequate notification to the regulators and affected individuals, as mandated by Canadian (PIPEDA) and UK (GDPR) data protection laws.

Edwards said the investigation was needed to garner the trust of people in organizations that handle sensitive personal data. He stated:

“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Dufresne on the other hand stated the risks associated with genetic information in the wrong hands. He said:

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

The data protection and privacy laws in the UK and Canada allow such joint investigations on matters that impact both jurisdictions. Each regulator will assess compliance with the relevant laws they oversee. Neither of the privacy commissioner offices however provided further details on how they would charge or penalize 23andMe, if found in violation of GDPR or PIPEDA. “No further comment will be made while the investigation is ongoing,” the UK ICO said. 23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today.

“We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023,” a 23andMe spokesperson told The Cyber Express.

Genetic Testing Company 23andMe Data Breach Timeline

23andMe first disclosed details of the October data breach in an 8-K filing with the U.S. Securities and Exchange Commission. The genetic testing company said attackers scraped profiles of 23andMe users who opted in to using the company’s DNA Relatives feature. This profiling feature connects users with genetic distant relatives - or other 23andMe users who share their bits of DNA. The attackers used credential stuffing attacks that affected 0.1% of user accounts, the company told SEC. Using these accounts as a launchpad, hackers were able to access “a significant number of files containing profile information about other users' ancestry.” Threat actors claimed on underground forums that they were able to siphon “20 million pieces of code” from 23andMe. The claimed data set included information DNA ancestry backgrounds belonging to more than 1.3 million Ashkenazi Jewish and Chinese users. By the end of October, another threat actor claimed compromise of 4 million genetic profiles, which the company also investigated. The genetic testing company 23andMe said it notified the affected 6.9 million users - 5.5 million DNA Relatives profiles and 1.4 million Family Tree profile – in December. The company told federal regulators that the data breach incident was set to incur between $1 million and $2 million in one-time expenses. The company faces at least 30 class action lawsuits in U.S.state and federal jurisdictions as well as in Canada. 23andMe blamed the customers’ poor security hygiene for the breach and has since made two-step verification a prerequisite for account logon. It also mandated customers to reset their passwords. *Update 1 (June 12 – 12:00 AM EST): Added response from the 23andMe spokesperson.

The City of Wichita has made significant progress in recovering from a cyberattack that disrupted many city services early last month. More than a month later, the City of Wichita cyberattack update has come up stating that most public-facing systems are back online, although some services are still being restored. The city reports that water metering, billing, and payment processing systems are gradually coming back online.

City of Wichita Cyberattack Update

Water Services Restored Customers can expect to receive updated statements this week. Auto-payments have resumed normal operations, and customers now have full access to their utility accounts online. Bills can be paid by credit card, cash, check, and money order at City Hall, online at City's payment portal, by calling (316) 265-1300, or through the mail. Due to the cyberattack on City of Wichita, some June bills may cover more than 60 days of service. Customers needing help with these bills are encouraged to contact a representative at (316) 265-1300 to arrange a payment plan. Library Services Update The Wichita Public Library has also seen progress, though some services remain affected. Public Wi-Fi is available at all locations, and patrons can access Libby for eBooks, audiobooks, and digital magazines. Additionally, materials can be checked in and out manually. However, hold requests and renewals, customer account information, the online catalog, the automated materials handler at the Advanced Learning Library, and online databases like Kanopy and LinkedIn Learning are still unavailable. Airport and Court Systems At the Wichita Dwight D. Eisenhower National Airport, public flight and gate display information is not yet available online but is expected to be restored soon. The Municipal Court has made strides in recovery, with most systems operational. The public search of warrants is anticipated to be online by Monday, June 10. The City’s Information Technology team is working to fix the remaining system outages. The city appreciates residents' patience as there may be occasional service interruptions during ongoing recovery efforts.

What Happened During the City of Wichita Cyberattack

The Cyber Express reported that the cyberattack occurred on May 5, leading to the shutdown of several online city services, including water bill payments, some city-building Wi-Fi, and electronic payments. LockBit, a known ransomware group, claimed responsibility for the cyberattack. This followed an earlier notification from the City of Wichita regarding a ransomware incident, although the responsible group was not initially disclosed. The ransomware attack has shown the vulnerabilities in the city's IT systems and the importance of strong cybersecurity measures. Despite the challenges, the city has worked hard to restore essential services to its residents. The City of Wichita urges residents to stay informed through official updates and to reach out to the provided contact points for help. The city remains committed to being transparent and providing the necessary support to its residents during this recovery period.

Findlay Automotive Group, a prominent dealership network with operations spanning Nevada, Utah, Arizona, Washington, and Idaho, recently identified a cybersecurity issue impacting certain areas of its IT infrastructure. Upon discovery, the company swiftly launched an investigation, joining the expertise of leading cybersecurity professionals and collaborating with law enforcement agencies to address the Findlay Automotive cybersecurity issue. While the investigation is ongoing, Findlay Automotive is actively working to mitigate the issue and restore full operational capabilities. However, no details related to the data compromised and the extent of the data breach have been provided by the Officials of Findlay Automotive Group. “Promptly after becoming aware of the issue, we launched an investigation with the assistance of leading cybersecurity experts and law enforcement. Our investigation is ongoing, and we are working diligently to resolve the matter,” reads the company’s statement on Facebook. [caption id="attachment_76709" align="aligncenter" width="760"] Source: Findlay Automotive's Facebook Post[/caption]

Operational Impact of Findlay Automotive Cybersecurity Issue

Despite the restrictions imposed by the Findlay Automotive cybersecurity issue, all dealership locations remain open. Customers with vehicles currently in service are encouraged to visit or contact their respective service departments directly for assistance from Findlay’s dedicated staff. "At Findlay Automotive, we have been serving our communities with pride and integrity since 1961," reads the company’s Facebook Post. "We take our responsibility to our customers and the community very seriously. We will continue to provide updates as the investigation continues and more information becomes available.” The urgency and gravity of the situation are highlighted by recent trends in cybersecurity, particularly the rising threat of ransomware attacks in the industrial sector.

Rising Cyber Threats in the Industrial Sector

In 2019, industrial companies faced significant financial burdens due to ransomware, collectively paying out $6.9 million, which accounted for 62% of the total $11 million spent on ransomware that year. Despite representing only 18% of ransomware cases, the manufacturing sector bore the brunt of the financial impact. By 2020, the cross-industry cost of ransomware had escalated to a staggering $20 billion. Gartner, a research firm, has projected that by 2023, the financial repercussions of cyberattacks on industrial systems, including potential fatal casualties, could exceed $50 billion. The automotive sector, in particular, has become a prime target for cybercriminals. As these threats intensify, paying ransoms become increasingly weak, emphasizing the necessity of enhanced cybersecurity measures to protect assets. The recent Volkswagen incident exemplifies the magnitude of these threats. In April 2024, Volkswagen faced a cyberattack, suspected to originate from Chinese hackers. The breach exposed sensitive data, including development plans for gasoline engines and critical information on e-mobility initiatives. Investigations by ZDF Frontal and “Der Spiegel” revealed more than 40 internal documents, highlighting the severity of the cyberattack. Similarly, in February 2024, Thyssenkrupp's automotive unit in Duisburg, Germany, experienced a cyberattack that disrupted production in its car parts division. Although no data theft or manipulation was detected, the company had to take several systems offline to prevent further unauthorized access, underlining the operational risks posed by such cyber incidents. Closer to home, Eagers Automotive Limited faced a cyber incident on December 27, 2023, leading to a temporary trading halt to address its continuous disclosure obligations. The company issued an apology to its customers for the inconvenience caused by the disruption, reflecting the broad and often immediate impact of cyberattacks on automotive businesses. Findlay Automotive’s proactive response to the current cybersecurity issue demonstrates its commitment to safeguarding its operations and customer trust. The company is maintaining open lines of communication with customers, providing regular updates as the investigation progresses and more information becomes available.

The NoName ransomware group has claimed responsibility for yet another cyberattack targeting government websites in Germany. The proclamation of the attack comes just 11 days after the group is said to have targeted German entities such as Energie Baden-Württemberg AG, Leistritz AG, and Aareal Bank AG. In this latest attack, the group allegedly targeted the Federal Office for Logistics and Mobility and the Federal Ministry of the Interior and Community. NoName allegedly carried out a DDos (Distributed Denial-of-Service) attack, preventing other users from accessing the websites. In the message posted on a dark web forum on Tuesday, NoName claimed that the attack on German websites was to condemn the visit of Ukrainian President Volodymyr Zelenskiy to the country to participate in a conference on Ukraine’s post-war recovery. “Ukrainian President Volodymyr Zelenskyy arrived in Germany late in the evening on Monday, June 10, to take part in an international conference on Ukraine's reconstruction. In his message in Telegram, Zelenskyy said that during his visit he had meetings with German Federal President Frank-Walter Steinmeier, Chancellor Olaf Scholz and Bundestag chairwoman Berbel Bas,” NoName said. “We decided to visit the conference too, and crush some websites,” it added. Despite the hack, NoName has not provided elaborate evidence or context of the cyberattack nor has it provided any details of how the German websites would be affected. While many experts had previously warned people not to underestimate thread actors who take out DDoS attacks, their effectiveness remains a big question, as most of the targets suffer only a few hours of downtime before returning to normal operations. As of the writing of this report, there has been no response from officials of the alleged target websites, leaving the claims unverified.

Previous Instances of NoName Ransomware Attacks

Since first emerging on dark web in March 2022, the pro-Russian hacker group NoName has been increasingly active, shortly after Russia’s invasion of Ukraine. The group has taken responsibility for a series of cyberattacks targeting government agencies, media outlets, and private companies across Ukraine, the United States, and Europe. Before making the claim of targeting German websites, NoName had a history of targeting prominent organizations in other countries. In April 2024, the group allegedly launched a cyberattack on Moldova, affecting key government websites such as the Presidency, Ministry of Foreign Affairs, Ministry of Internal Affairs, and the State Registry. These websites were rendered inaccessible, displaying the message, “This Site Can’t be Reached.” The attack hinted at a politically motivated agenda, though NoName did not explicitly disclose their motives. In March 2024, NoName targeted multiple websites in Denmark, including significant entities like Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports, and Danish Shipping. Similarly, in January 2024, the group attacked high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), and GVB. More recently, NoName’s cyber onslaught on Finland raised further alarms. Finnish government organizations, including Traficom, the National Cyber Security Centre Finland (NCSC-FI), The Railways, and the Agency for Regulation and Development of Transport and Communications Infrastructure, faced temporary inaccessibility due to DDoS attacks. The ongoing cyberattacks by NoName across several countries serve as a reminder of the perils of the digital landscape. The operations of NoName ransomware, combined with their alleged political motives, highlight the urgent need for enhanced cybersecurity measures and international cooperation. The cybersecurity community must remain vigilant and proactive in protecting digital infrastructure from such malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A month after a cyberattack on Ascension, one of the largest nonprofit healthcare systems in the United States, continues to work expeditiously with industry cybersecurity experts to safely restore systems across its network. Ascension Via Christi has announced an update regarding the Ascension cyberattack that it expects to improve efficiencies and reduce wait times for patients. "Please know our hospitals and facilities remain open and are providing patient care. Ascension continues to make progress in our efforts to safely restore systems across our network. Restoring our Electronic Health Record (EHR) system remains a top priority," stated an official Ascension announcement.

Ascension cyberattack: What All Have Restored?

According to the latest update on the Ascension cyberattack, officials have successfully restored EHR access in Florida, Alabama, Tennessee, Maryland, Central Texas (Ascension Seton and Dell Children's hospitals), and Oklahoma markets. Ascension Via Christi further informed that its hospitals, including St. Francis and St. Joseph hospitals, and Ascension Medical Group clinics in Wichita, have restored the primary technology used for electronic patient documentation in care settings. "This will allow most hospital departments, physician offices, and clinics to use electronic documentation and charting. Patients should see improved efficiencies and shorter wait times. Our team continues to work tirelessly to restore other ancillary technology systems," Ascension Via Christi explained on its website, providing cybersecurity updates for its Kansas facilities. [caption id="attachment_76455" align="aligncenter" width="1024"] Source: Ascension Via Christi Website[/caption] The update for Ascension Via Christi St. Francis followed a national update from Ascension, which reported continued progress in restoring systems across its network. The company aims to have systems fully restored across its ministry by Friday, June 14.

Ascension cyberattack: What Happened?

On May 10, The Cyber Express reported that Ascension faced disruptions in clinical operations due to a cyberattack that prompted the organization to take some of its systems offline. Operating in 19 states and the District of Columbia, Ascension oversees 140 hospitals and 40 senior care facilities. It also boasts a significant workforce of 8,500 providers, 35,000 affiliated providers, and 134,000 associates. In 2023, Ascension’s total revenue amounted to $28.3 billion. Given its substantial revenue and widespread operations, the impact of this cyberattack was significant. The organization detected unusual activity on select technology network systems, prompting an immediate response, investigation initiation, and activation of remediation efforts. Consequently, access to certain systems has been interrupted during the ongoing investigation process. Due to the massive cyberattack, Ascension advised its business partners to temporarily sever connections to its systems as a precautionary measure and stated it would notify partners when it is safe to reconnect. The cyberattack on Ascension disrupted clinical operations, prompting an investigation into the extent and duration of the disruption.

In a massive breakthrough, an exclusive news report published by The Cyber Express has led to the arrest of a hacker who threatened to sell sensitive data of 200,000 citizens in Telangana State in India. The Hawk Eye App Data Breach was reported by The Cyber Express on May 31, 2024, which stated how a hacker claimed to reveal personal information of users of Hawk Eye, a popular citizen-friendly app of the Telangana State police. [caption id="attachment_73712" align="alignnone" width="720"] Source: Hawk Eye App on Android[/caption] The Telangana Police further acknowledged that the news report on The Cyber Express gave them crucial leads that led to the arrest of the hacker. In the First Information Report (FIR), a written document prepared by the police in India to detail a cognizable offence, the Telangana Police revealed that it was based exclusively on this report by The Cyber Express, that they were also able to verify the data breach on the Hawk Eye app.

Background of Hawk Eye App Data Breach

The Hawk Eye App was launched by the Telangana Police in December 2014 for both Android and iPhone users as part of its initiative to become a citizen-friendly and responsive police force. Denizens were encouraged to use the app to report on a wide range of activities, including traffic violations, passing on information about criminals, violations by police, and crime against women, and also to pass on suggestions to the lawmen for improved policing and to credit the good work done by them. A key feature of the app is the SOS button for accessing help in case of emergencies. On May 29, 2024, a threat actor, who goes by the name “Adm1nFr1end”, revealed that he had breached the Hawk Eye app. He shared that the stolen database had sensitive data of over 200,000 citizens, including their Personally Identifiable Information (PII), names, email addresses, phone numbers, physical addresses, IMEI numbers, and location coordinates. The threat actor had posted samples of the data breach on hacking website BreachForums and was selling this compromised data for USD $150. [caption id="attachment_73714" align="alignnone" width="1123"] Source: X[/caption]

Arrest of Hawk Eye App Data Breach Hacker

In the aftermath of the news report published on this website, the Telangana Police registered a suo moto case on June 4. “We have registered a case and are investigating the hacking allegations and suspected data breach,” said Telangana Cyber Security Bureau (TGCSB) Director Shikha Goel. On June 9, the Telangana Police reported that its Cyber Security Bureau has apprehended a hacker involved in the Hawk Eye app data breach. “Acting swiftly, the TGCSB investigators travelled to Delhi, where they identified and arrested the hacker, who had claimed to have posted the compromised data on a public platform for a price,” the police said in a statement. Sharing details of the arrest, Director General of Police of Telangana Police, Ravi Gupta, who is the top cop of the state, said that the police had used advanced tools to successfully unveil the hacker's identity. He, however, refrained from elaborating on the techniques used to arrest the hacker to ensure secrecy. “The hacker had posted details of the breach on databreachforum.st, offering the compromised data for sale at $150 USD. He provided the Telegram IDs “Adm1nfr1end” and “Adm1nfr1ends” for interested buyers to contact him regarding the Hawk Eye data,” Ravi said. The alleged hacker was identified as Jatin Kumar, a 20-year-old student and a resident of Greater Noida, a prominent suburb in Delhi's National Capital Region. The police also shared that he was arrested earlier in a case for cybersecurity fraud. (This is Part 1 of the article. Click here to learn more about the hacker, why he was selling the data and how the police tracked him down)

A threat actor known as Desec0x has claimed to possess a database allegedly stolen from the State Grid Corporation of China (SGCC), offering it for sale on the nuovo BreachForums. In the post, Desec0x claimed a cyberattack on SGCC and stated to have gained access through a third-party network, allowing them to exfiltrate sensitive data. The threat actor claimed that multiple databases containing user account information, user details, department information, and roles were accessed. The employee information allegedly includes headers such as eID, username, phone number, email, employee number, username, and password. The database is allegedly available in SQL and XLSX formats for US$1,000.

Potential Implications of Cyberattack on SGCC

Established on December 29, 2002, SGCC is the largest utility company in the world and consistently ranks second on the Fortune Global 500 list. SGCC operates as a group with RMB 536.3 billion in registered capital and employs 1.72 million people. It provides power to over 1.1 billion people across 26 provinces, autonomous regions, and municipalities, covering 88% of China's national territory. Additionally, SGCC owns and operates overseas assets in countries such as the Philippines, Brazil, Portugal, Australia, and Italy. If the claims of the cyberattack on SGCC made by Desec0x are proven to be true, the implications could be far-reaching. The sensitive nature of the data allegedly stolen, including personal and departmental information of SGCC employees, could have serious consequences for the company and its stakeholders. However, upon accessing the official SGCC website, no signs of foul play were detected, and the website appeared to be functioning normally.

Global Context of Cyberattacks in the Energy Sector

The energy sector has been increasingly targeted by cyberattacks, often involving third-party data breaches. According to Security Intelligence, 90% of the world’s top energy companies suffered from third-party data breaches in 2023. Additionally, nearly 60% of cyberattacks in the energy sector are attributed to state-affiliated actors. In late 2023, 22 energy firms were targeted in a large-scale coordinated attack on Danish infrastructure. In April 2024, a group called Cyber Army Russia claimed responsibility for a cyberattack on Consol Energy, a prominent American energy company headquartered in Cecil Township, Pennsylvania. This cyberattack reportedly disrupted the company's website accessibility, causing issues for users outside the United States. In March 2024, a dark web actor was reportedly selling access to an Indonesian energy company, believed to be the same threat actor who targeted an American manufacturer. In 2023, a suspected cyberattack on Petro-Canada was officially confirmed. Suncor Energy, the holding company of Petro-Canada, acknowledged that an IT outage over the weekend was indeed a cyberattack. The company stated that it took immediate action upon discovering the attack, collaborating with third-party experts to investigate and address the situation. This incident caused significant disruptions to Petro-Canada's operations, affecting gas stations and preventing customers from accessing the Petro-Canada app and website. In the case of the State Grid Corporation of China, the claims made by Desec0x remain unverified until an official statement is released by SGCC. Without confirmation from the company, the alleged cyberattack on SGCC and data breach cannot be substantiated. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The popular Japanese video-sharing website Niconico has suspended its services due to a cyberattack, its operator announced. Taking to X, formerly known as Twitter, Niconico tweeted, “As of 10:45 on June 10th, various Niconico services are unavailable. We deeply apologize for the concern and inconvenience this may cause.” In a further update, Niconico informed users, “The cyberattacks are still ongoing, and it is difficult to report on future developments until safety is ensured. We will provide updates to the extent possible this evening.” Details regarding the extent of the data breach and what specific information may have been compromised are still under investigation. [caption id="attachment_76107" align="aligncenter" width="622"] Source: Niconico's X account[/caption] On June 8, the Niconico management team tweeted, “Niconico is currently undergoing a large-scale cyberattack and has temporarily suspended its services in order to minimize the impact.” Despite rapid investigation and countermeasures, they stated, “We cannot begin recovery efforts until we are confident that we have completely eliminated the effects of the cyberattack and ensured safety. There is no hope of recovery at least this weekend.” [caption id="attachment_76108" align="aligncenter" width="637"] Source: Niconico's X account[/caption] Niconico is one of Japan's largest video-sharing platforms, offering a wide variety of content from music and sports to various hobbies. It also features live streaming of programs, including press conferences by government officials. In addition to Niconico, its parent company Kadokawa's official website and its e-commerce site, Ebten, were also affected by possible unauthorized access, the publisher said on Sunday. “We are currently investigating and responding to the issue, and have confirmed that the impact has been felt on the Niconico service in general, the Kadokawa official site, and Ebten. We are also investigating whether any information was leaked,” Kadokawa stated. "We sincerely apologize for causing concern and inconvenience due to the issue affecting several websites of the Kadokawa Group since early Saturday morning," the Tokyo-based publisher added. [caption id="attachment_76111" align="aligncenter" width="699"] Source: Kadokawa's account[/caption]  

How Cyberattack on Niconico Happened

Beginning in the early hours of Saturday, June 8th, an issue arose that prevented access to multiple servers within the group. In response, Kadokawa immediately shut down the relevant servers to protect data. Based on the internal analysis and investigation conducted that same day, it was determined that there was a high possibility of a cyberattack. Kadokawa is investigating the impact of the attack, including "whether there have been leaks of information," and is cooperating with external experts and the police. Niconico, known for its diverse content and live-streaming capabilities, plays a crucial role in the digital landscape of Japan. The suspension of its services has undoubtedly caused widespread concern among its user base, which spans millions of people who rely on the platform for entertainment, information, and community engagement.

Concern Over Niconico Cyberattack

Users have taken to social media to express their support and concern. One user tweeted, “I’ll wait until it’s back. I can’t be of much help, but I’m rooting for you. Niconico saved my life. I can’t imagine life without it.” Another user wrote, “Thank you for your hard work. We will wait patiently, so please don’t push yourself too hard and be patient.” [caption id="attachment_76115" align="aligncenter" width="622"] Source: X[/caption] Some users speculated about the cyberattack on Niconico origins and motives, with one asking, “Do you know who carried out the cyber attack?😓” and another suggesting, “If the attacks are this relentless, it’s almost like they’re testing something...?” [caption id="attachment_76116" align="aligncenter" width="621"] Source: X[/caption] As the investigation of the Niconico cyberattack continues, users and stakeholders await further updates on the situation. The company’s priority remains ensuring the complete elimination of the threat and safeguarding the integrity of its data and services.

Cyber threats continue to evolve this week as attackers target huge ticketing platforms, stealing hundreds of millions of people’s information. Large social media platforms like TikTok were also vulnerable to cyber issues this week. TCE Cyberwatch continues to ensure the highlights of the cybersecurity industry are conveyed to our readers. And remember, vigilance is important. Staying informed on what could affect you as well as knowing of the measures that are being taken is essential.

TCE Cyberwatch: Weekly Round-Up

Free Office Suite Turns Malicious: Pirated Downloads Spreading Malware in South Korea

South Korean researchers have found that pirated copies of productivity software like Microsoft Office and Hangul Word Processor are being used to spread malware. This malware maintains persistence by regularly updating itself, often several times a week. Distributed through file-sharing platforms, these malicious copies appear as cracked installers. Attackers use Telegram or Mastodon channels to provide encrypted instructions leading to malicious payloads hosted on Google Drive or GitHub. The malware includes strains like OrcusRAT, XMRig Cryptominer, 3Proxy, and PureCrypter, which perform various malicious activities, including keylogging, cryptomining, and disabling security products. The malware's ability to update and re-infect systems makes it difficult to remove. Researchers urge users to download software from official sources and update antivirus programs to prevent infection. Read More

Spanish Police Bust Illegal Streaming Network Serving 14,000 Subscribers

Spanish police dismantled an illegal media distribution network that had generated over 5.3 million euros since 2015. The operation began in November 2022 after a complaint from the Alliance for Creativity and Entertainment (ACE), targeting the IPTV service ‘TVMucho’ (also known as ‘Teeveeing’). TVMucho/Teeveeing, with over 4 million visits in 2023, offered over 125 channels, including BBC and ITV. Eight individuals were arrested across various cities, and authorities seized a vehicle, and computers, and froze 80,000 euros in bank accounts. Sixteen related websites were blocked. The network, led by Dutch nationals, decrypted and distributed content from over 130 channels. The crackdown disrupted a service with 14,000 subscribers, causing significant financial damage to content creators. Read More

Millions at Risk: Ticketmaster Confirms Huge Data Breach

Live Nation, Ticketmaster's parent company, confirmed a data breach after hackers claimed to have stolen personal details of 560 million customers. The breach was disclosed in a U.S. Securities and Exchange Commission (SEC) filing. Live Nation detected unauthorized activity in a third-party cloud database on May 20, 2024, and began an investigation. The company is mitigating risks, notifying affected users and regulatory authorities, and cooperating with law enforcement. The stolen data was hosted on Snowflake, a cloud storage firm. Snowflake and cybersecurity firms CrowdStrike and Mandiant are investigating, attributing the breach to identity-based attacks exploiting compromised user credentials. Recommendations include enforcing multi-factor authentication and resetting credentials. Live Nation asserts the breach has not significantly impacted its business operations. Read More

COVID Relief Fraud Busted: $5.9 Billion Botnet Scheme Unraveled

The DOJ charged Chinese national YunHe Wang with operating the "world's largest botnet," which stole $5.9 billion in Covid relief funds. Wang allegedly used the 911 S5 botnet to hack over 19 million IP addresses in nearly 200 countries from 2014 to 2022. The botnet also engaged in other crimes like fraud and harassment. Wang, who profited at least $99 million, faces up to 65 years in prison. The DOJ, FBI, and international law enforcement dismantled the network and arrested Wang. The U.S. has been increasingly concerned about sophisticated cyber threats, particularly from China. In January, the FBI dismantled another Chinese hacking group targeting U.S. infrastructure. Wang's arrest follows Treasury Department sanctions on him and his associated companies. Read More 

Poland Boosts Cybersecurity with $760 Million Investment After Suspected Russian Attack

Poland will invest over 3 billion zlotys ($760 million) to enhance cybersecurity following a likely Russian cyberattack on state news agency PAP. With European Parliament elections imminent, Poland is vigilant against Moscow's interference, especially after a false military mobilization article appeared on PAP. Poland, a key supporter of Ukraine, frequently accuses Russia of destabilization attempts, claims Russia denies. Digitalization Minister Krzysztof Gawkowski announced the "Cyber Shield" initiative and highlighted Poland's frontline position in the cyber conflict with Russia. Recent cyberattacks on critical infrastructure were blocked, reinforcing concerns about Russia's intent to destabilize and benefit anti-EU forces. Poland has linked Russia to sabotage and espionage activities, prompting the re-establishment of a commission to investigate Russian influence. Read More

Russia Accused of Spreading Misinformation Ahead of European Parliament Elections

European governments accuse Russia of spreading misinformation ahead of the European Parliament elections from June 6-9. Alleged tactics include amplifying conspiracy theories, creating deepfake videos, and cloning legitimate websites to disseminate false information. The Czech Republic identified a pro-Russian influence operation led by Viktor Medvedchuk, while Belgium accused Russian officials of bribing EU lawmakers to promote propaganda. Russia denies these accusations, claiming the West is waging an information war against it. European leaders, like Ursula von der Leyen, stress the importance of resisting authoritarian influence. The EU's Digital Services Act mandates the removal of illegal content and transparency in content aggregation. Tech giants like Meta, Google, and TikTok are implementing measures to counter election-related disinformation. Read More

Deepfakes Target Businesses: $25 Million Scam Exposes AI's Dark Side

Deepfake scams are increasingly targeting companies worldwide, exploiting generative AI for fraud. In a major case, a Hong Kong finance worker was deceived into transferring over $25 million to fraudsters using deepfake technology to pose as colleagues. UK engineering firm Arup confirmed involvement in this case, emphasizing a rise in such sophisticated attacks. OpenAI’s ChatGPT has popularized generative AI, lowering the barrier for cybercriminals. AI services can generate realistic text, images, and videos, aiding illicit activities. Deepfake incidents have targeted financial employees, leading to substantial financial losses. Companies fear deepfakes could manipulate stock prices, defame brands, and spread misinformation. Cybersecurity experts recommend enhanced staff education, testing, and multi-layered transaction approvals to mitigate risks, stressing that cybercrime will likely escalate before effective defences are developed. Read More

Up to 7 Years Jail for Deepfake Porn in Australia: New Laws Crack Down on Online Abuse

Proposed new Australian laws will impose up to six years in jail for sharing non-consensual deepfake pornographic images, and seven years for creating them. Attorney General Mark Dreyfus will introduce the legislation to make it illegal to share these images via any platform. Dreyfus condemned the harmful nature of such material, which predominantly affects women and girls. The laws aim to update legal protections in line with technological advances. Currently, creating such images isn't illegal under federal law, but the new bill expands existing laws on using technology to commit crimes. The legislation also seeks to curb technology-facilitated abuse and will include measures addressing doxing and reviewing the Online Safety Act. These changes are part of efforts to combat violence against women. Read More

Zero-Click Hack Hits TikTok: High-Profile Accounts Hijacked

Recently, hackers exploited a zero-day vulnerability in TikTok’s direct messaging feature to take over high-profile accounts without victims needing to download anything or click links. This flaw, unknown to the software makers, allowed control of accounts belonging to CNN, Sony, and Paris Hilton. TikTok's security lead, Alex Haurek, stated that they are working to prevent future attacks and restore affected accounts. Although only a few accounts were compromised, TikTok has not specified the numbers. Read More

Wrap Up

This week has shown the multiple vulnerabilities in even the biggest and assumed to be highly protected companies. Like always, there are tensions surrounding cyber issues in the world of politics as well. We over here at TCE hope that our readers know of the measures to be taken if ever affected by these breaches or hacks, as well as knowing the signs to look out for so as to not fall victim to cyberattacks. We are happy to see nations investing in the betterment of cyber security for their people.