Today — 11 July 2024

Global Crypto Exchange BitMEX Pleads Guilty to Money Laundering Violations


Global cryptocurrency derivatives exchange BitMEX (HDR Global Trading Limited) admitted guilt on Wednesday to violating the Bank Secrecy Act by "willfully" flouting U.S. anti-money laundering (AML) regulations. The admission, which follows earlier actions against its founders, exposes significant gaps in the oversight of cryptocurrency exchanges.

The Department of Justice (DoJ) accused BitMEX of operating from 2015 to 2020 as a "vehicle for large-scale money laundering and sanctions evasion schemes." The exchange allegedly failed to implement a "Know Your Customer" (KYC) program, a cornerstone of AML compliance that verifies user identities and helps prevent illicit activities.

"By only mandating lax service access credentials, BitMEX not only failed to comply with nationally required anti-money laundering procedures designed to protect the US financial markets from illicit actors and transactions, but knowingly did so to increase the business’s revenue," said FBI Assistant Director Christie M. Curtis, highlighting a deliberate effort to circumvent regulations. This raises concerns about the potential for other cryptocurrency exchanges to exploit similar loopholes.

The DoJ charges echo a 2022 guilty plea by Gregory Dwyer, BitMEX's first employee, for violating the Bank Secrecy Act. Prosecutors previously secured convictions against the exchange's founders for similar offenses. These actions demonstrate a coordinated effort to hold BitMEX and its leadership accountable.

BitMEX Founders Also Admitted Guilt and Received Sentences

In 2022, the three founders of BitMEX pleaded guilty to the same charges as Dwyer. Judge Koeltl took into account the exchange's belated efforts to implement AML and KYC controls during sentencing.

36-year-old Florida resident Hayes, the former CEO, received a six-month home detention sentence and two years of probation. 38-year-old Delo was sentenced to 30 months of probation and allowed to return to Hong Kong. The judge found Reed slightly less culpable than the other founders and sentenced the Massachusetts resident to 18 months of probation in July.

Both Hayes and Delo agreed at the time to pay a $10 million fine. All three founders – Hayes, Delo, and Reed – still own BitMEX.

The founders also reached a settlement agreement with the Department of Treasury. The agreement did not require them to admit or deny allegations that BitMEX "processed over $200 million in suspicious transactions and failed to report nearly 600 suspicious activities," according to the DOJ.

Cryptocurrency's Regulatory Struggles

The case also underscores the ongoing struggle to regulate the cryptocurrency space. While the Commodity Futures Trading Commission (CFTC) imposed a $100 million civil penalty on BitMEX in 2021 for related violations, the lack of a centralized authority creates challenges in enforcing AML and KYC requirements across the entire cryptocurrency ecosystem.

This incident serves as a wake-up call for regulatory bodies. It necessitates a collaborative effort to establish clear and comprehensive AML/KYC frameworks for cryptocurrency exchanges. Strengthening international cooperation and information sharing is also crucial to combatting money laundering and other illicit activities within the crypto sphere.

Recently, the FBI warned of the financial risks associated with using unregistered cryptocurrency transfer services, especially considering potential law enforcement actions against these platforms. The warning focused on crypto transfer platforms that operate without proper registration as Money Services Businesses (MSB) and fail to comply with anti-money laundering regulations mandated by U.S. federal law.

The future of BitMEX remains uncertain. The exchange faces potential financial penalties and could struggle to regain user trust. The DOJ had earlier noted that "due to the lack of KYC controls, the full extent of criminal activity on BitMEX may never be known."

This case sets a significant precedent and paves the way for stricter enforcement of AML regulations within the cryptocurrency industry.

Yesterday — 10 July 2024

7.64 Million Individuals Impacted in Evolve Bank Ransomware Attack


Evolve Bank & Trust, a financial institution with both traditional banking and open banking services, disclosed a data breach impacting a staggering 7.64 million individuals.

The Arkansas-based bank initially believed a "hardware failure" caused system disruptions in late May, but an investigation revealed a cyberattack with a much longer timeline.

Evolve confirmed hackers infiltrated their network as early as February, potentially compromising sensitive customer data. While the official notification letter filed with the Maine Attorney General avoids specifics, the bank has acknowledged stolen information, including names, Social Security numbers, bank account numbers, and contact details.

Affirm and Wise Customers Hit By Attack

This breach extends beyond Evolve's core clientele, impacting customers of its open banking platform (often referred to as Banking-as-a-Service) used by several fintech firms. "Buy now, pay later" provider Affirm and money transfer service Wise are among those notifying their customers of potential data exposure due to Evolve's security lapse.

The incident adds another layer of concern for Evolve, which faced a regulatory order from the Federal Reserve Board in June. The order mandated improvements to Evolve's anti-money laundering (AML) and risk management programs, citing the need for enhanced procedures in record keeping and consumer compliance. This regulatory action raises questions about whether vulnerabilities exploited in the cyberattack might have been linked to the bank's AML/compliance shortcomings.

LockBit Claims Evolve Bank Attack

LockBit, a Russian-speaking ransomware-as-a-service (RaaS) group, claimed responsibility for the attack. Interestingly, LockBit initially attributed the stolen data to the Federal Reserve, likely due to a stolen document referencing the central bank.

“The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations. We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank,” Evolve Bank said at the time.

This error highlights the evolving tactics of RaaS groups, who often employ misinformation or disinformation campaigns alongside cyberattacks to create confusion and maximize impact.

The Evolve breach serves as a stark reminder for financial institutions of the critical need for robust cybersecurity measures. With the increasing adoption of open banking platforms and the ever-present threat of RaaS attacks, institutions must prioritize data security and implement strong access controls, encryption, and incident response protocols. Regulatory bodies are likely to intensify their scrutiny of financial institutions' cybersecurity posture in the wake of this incident.

Big Tech Retreats: Microsoft Exits OpenAI Board Amid Regulatory Pressure


In a move likely fueled by intensifying antitrust scrutiny, Microsoft is exiting OpenAI and stepping down from its non-voting observer seat on the AI company's board of directors. This comes just days after reports suggested Apple might take a similar observer role, but now the Cupertino giant has also opted out.

Microsoft's exit, communicated via a letter on Tuesday, cited "significant progress" made by OpenAI's newly formed board, according to Axios. This explanation rings somewhat hollow, considering Microsoft's role was established just last November following a period of upheaval at OpenAI that saw the ousting and reinstatement of CEO Sam Altman.

OpenAI announced a new safety and security committee at the end of May as it began training a new AI model intended to replace the GPT-4 chatbot. A month later, OpenAI postponed the rollout of its highly anticipated “Voice Mode” feature for ChatGPT to July, citing safety concerns. The company said it needed more time to ensure the model could “detect and refuse certain content.”

Microsoft Exits OpenAI, Caving to Regulatory Pressure?

The timing of these decisions coincides neatly with growing regulatory pressure on Big Tech's influence in the burgeoning field of artificial intelligence. Both the U.S. Federal Trade Commission (FTC) and the European Commission (EC) have expressed concerns that tech giants' investments in AI startups like OpenAI could stifle competition and create monopolies in key technological areas.

In June, the FTC launched an investigation into Big Tech investments in generative AI startups, including Microsoft, Amazon, and Google. The EC, meanwhile, explored the possibility of an antitrust probe into the Microsoft-OpenAI partnership after deciding against a merger control investigation.

AI Model Access Scrutinized

While both Microsoft and OpenAI maintain the company's independence despite the multi-billion dollar investment, the optics surrounding the close relationship are not lost on regulators. Microsoft's access to cutting-edge AI models through this partnership gives them a significant advantage, potentially hindering the growth of smaller competitors.

OpenAI seems to be taking a new approach to partner engagement. Moving forward, they plan to host regular meetings with key partners like Microsoft and Apple, alongside investors, to foster communication and collaboration. This strategy aims to maintain strong relationships without raising red flags for regulators.

The future trajectory of Big Tech's involvement in AI development remains to be seen. The recent retreat from board positions suggests a potential shift as companies navigate the increasingly complex regulatory landscape while striving to maintain a competitive edge in the race for AI dominance.

Before yesterday

NATO Faces Escalating Cyberthreats: From Espionage to Disinformation


As NATO leaders convene in Washington, D.C. for the organization's 75th Anniversary summit, a hidden war rages on – a relentless campaign of cyberattacks targeting the Alliance and its members.

This threat landscape is not merely a static backdrop, but a dynamic battlefield where adversaries employ a growing arsenal of tactics, from stealthy espionage to disruptive cyberattacks and disinformation campaigns, a report from Google-owned cybersecurity firm Mandiant said.

Espionage Actors Set Their Sights on Alliance Secrets

Nation-state actors like APT29 (ICECAP), attributed to Russia's SVR intelligence service, are notorious for targeting NATO members. These actors excel at compromising networks, often through social engineering or exploiting zero-day vulnerabilities, to steal sensitive political, diplomatic, and military intelligence. Their ability to operate undetected within compromised environments makes them particularly troublesome adversaries, Mandiant said.

China's cyber espionage efforts have also become more sophisticated, transitioning from loud operations to stealthier techniques. These actors exploit network edges and leverage complex infrastructure like operational relay box networks to mask their activities and hinder detection. Additionally, they increasingly rely on "living off the land" techniques, using legitimate system tools for malicious purposes, further complicating defenders' ability to identify intrusions.

Beyond Espionage: Disruptive and Destructive Attacks

Disruptive and destructive cyberattacks pose a direct threat to NATO's operational capabilities. Iranian and Russian actors have demonstrated a willingness to launch such attacks, often masking their involvement behind hacktivist groups. For instance, the destructive 2022 attack on Albania, initially attributed to "HomeLand Justice" hacktivists, was later linked to Iranian state actors. These incidents highlight the growing risk of attacks targeting critical infrastructure that could cripple essential services for NATO members.

Hacktivists and criminal actors further complicate the threat landscape. The global resurgence of hacktivism, fueled by geopolitical flashpoints like the Ukraine war, has resulted in a surge of attacks against NATO members. While these operations often lack sophistication and lasting impact, they can garner significant media attention and sow discord. Additionally, some hacktivist groups, like the pro-Russian Cyber Army Russia Reborn (CARR), are experimenting with more disruptive tactics, targeting critical infrastructure such as water supplies.

Financially motivated cybercrime, particularly ransomware attacks, poses a significant threat to critical infrastructure across NATO states. Healthcare institutions have become prime targets, with attacks disrupting patient care and highlighting the potential for widespread societal consequences. The ability of cybercriminals to operate with impunity from lax jurisdictions and the lucrative nature of ransomware attacks suggest this threat will only escalate.

Disinformation: A Weapon to Sow Discord

Information operations, encompassing social media manipulation and complex network intrusions, have become a hallmark of modern cyberwarfare. Russian and Belarusian actors have heavily targeted NATO with disinformation campaigns aimed at undermining Alliance unity and objectives. These efforts range from social media manipulation by "troll farms" to the coordinated leaking of stolen information.

In fact, on the same day Mandiant released this report, the U.S. Department of Justice disrupted a Russia-run, AI-enabled Twitter disinformation bot farm. Almost 1,000 accounts were seized. These bots masqueraded as Americans and promoted Russian government narratives.

Countering such campaigns requires collaboration between governments and the private sector, with tech giants like Google actively removing malicious content and disrupting information operations.

A Collective Defense is Paramount

A senior NATO official said on Tuesday, during the NATO Summit, that Russia can sustain its war economy for 3-4 more years. "Ultimately, we all have to be prepared to continue to support Ukraine well beyond 2025. This is certainly something that we all understand very well," the official added.

The cyber threat landscape facing NATO is vast and ever-evolving. Unlike traditional warfare, cyberattacks can persist irrespective of broader geopolitical tensions. The war in Ukraine has undoubtedly emboldened reckless cyber activity against NATO allies, highlighting the need for a collective defense strategy. To effectively counter these threats, NATO must leverage the technological expertise of the private sector and foster strong partnerships with its member states. Only through a united front can the Alliance seize the initiative in cyberspace and secure its future.

Alabama Education Department Breach Raises Concerns About Student Data Security


The Alabama State Department of Education (ALSDE) narrowly avoided a crippling ransomware attack on June 17, but not before hackers breached sensitive data, raising concerns about the security of student and employee information.

While ALSDE officials successfully prevented a complete system lockdown, they acknowledged in a statement earlier this week that the attackers gained access to some data before being stopped. The department is currently working with federal law enforcement to investigate the scope of the breach and determine what information was compromised.

Education Ransomware Attacks Soar

The incident comes amidst a wave of cyberattacks targeting educational institutions across the United States. In fact, 2023 was the worst ransomware year on record for the education sector, with a 92% spike.

Although the attacks were carried out by several ransomware gangs, LockBit and Rhysida (a rebrand of Vice Society) had the lion’s share of 2023 attacks, with half credited to them. While ransomware attacks against education are a global phenomenon, the U.S. education sector has faced 80% of known attacks.

Scope of Alabama Education Department Breach Unknown

The exact nature of the stolen data remains unclear. ALSDE has not confirmed the type of information compromised, but at a press conference, State Superintendent Eric Mackey warned that student and employee data, including "some personally identifiable information," may have been accessed. The department has set up a dedicated webpage, alabamaachieves.org/databreach, to provide updates on the investigation.

While ALSDE has taken steps to mitigate the damage, several questions remain unanswered. The investigation into the attack is ongoing, and the department has not responded to requests for further details about the compromised data. The potential impact on students, families, and school employees will depend on the nature and volume of the information accessed by the attackers.

The department reiterated its firm stance against negotiating with cybercriminals. "We have taken the position not to negotiate with foreign actors and extortionists," the department's statement said, reflecting growing law enforcement guidance against feeding the ransomware ecosystem.

Importance of Data Backups for Ransomware Protection

Despite the breach, ALSDE was able to restore its systems and data using clean backups, highlighting the importance of robust data backup and recovery strategies for organizations of all sizes.

The incident underscores the need for educational institutions to invest in cybersecurity measures to protect sensitive student and staff data, and serves as a stark reminder of the growing cybersecurity threats faced by educational institutions. As schools continue to collect and store sensitive student data, robust cybersecurity protocols and incident response plans are critical to safeguard this valuable information.

Third-Party Data Breach Exposes Video Gaming Giant Roblox Developers’ Data

American video game giant Roblox has reported a data breach stemming from a third-party service provider that helps host its annual Developer Conference. As a result, data on in-person and online attendees who registered through the third party's platform over the last two years was leaked.

Roblox Corp. is an American video game developer based in San Mateo, California. Founded in 2004 by David Baszucki and Erik Cassel, the company is the developer of Roblox, which was released in 2006. As of December 2023, the company employs over 2,400 people. The gaming company has an average monthly user base of 214 million players and makes around $7 million per day from a user base that is primarily youngsters below the age of 16. In fact, 21% of its users are aged between 9 and 12.

Roblox Developers Conference Data Leak

Roblox on Friday notified all developers who had registered through the FNTech platform about a recent data breach. FNTech is advertised on its website as a one-stop shop for everything related to in-person, virtual and hybrid events.

Roblox said an "unauthorized" actor intruded into the third party's systems and accessed a subset of user information from a Roblox Developer Conference registration list held there. Roblox said the compromised details likely included Developer Conference users' full names, email addresses and IP addresses, the last of which were possibly collected from users attending the conference via the hybrid option.

[Image: Roblox data breach notification (Source: X)]

Roblox did not confirm whether any other data or its own systems were affected in a supply chain-type attack, but said it has "made efforts to ensure this type of incident is avoided in the future." What measures were implemented remains unclear. The Roblox Developer Conference 2024 will be hosted in San Jose, California on September 6-7.

Gamers often have valuable virtual assets and in-game purchases linked to their accounts. Hackers exploit vulnerabilities in servers and platforms to steal the data, which can be sold in the underground market.

Recently, two prominent online gaming platforms in India, Teenpatti.com and Mobile Premier League (MPL.live), allegedly experienced data breaches. Similarly, Fortnite and Insomniac Games also experienced breaches at the hands of ransomware actors, which shows a steady interest by threat actors in the gaming sector, which had largely been off the radar until now.

RockYou2024: Massive 10-Billion Password Leak Raises Credential Stuffing Concerns


Security researchers are scrambling to assess the fallout from a massive leak of stolen passwords, dubbed "RockYou2024." Uploaded to a notorious cybercrime forum, the database allegedly contains nearly 10 billion unique passwords – a staggering figure that dwarfs previous records.

Unprecedented Scale of RockYou2024 Password Leak

According to Cybernews researchers, the RockYou2024 compilation appears to be the largest collection of leaked credentials ever discovered. The data, offered by a hacker using the alias "ObamaCare," reportedly consists of 9.948 billion unique passwords in plain text format. It builds upon the RockYou2021 database, which exposed 8.4 billion passwords, with an additional 1.5 billion entries added from 2021 to 2024. Researchers estimate the trove originates from at least 4,000 separate data breaches spanning two decades.

Credential Stuffing Bonanza

Security experts warn that RockYou2024 presents a significant risk for credential stuffing attacks. These automated assaults use stolen login credentials against multiple online services, often succeeding when users employ the same password across different accounts.

The researchers emphasize the danger: "revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks." Attackers could potentially gain unauthorized access to a vast array of targets, including personal accounts, internet-connected devices, and even industrial control systems. Furthermore, when combined with other leaked data like email addresses – readily available on hacker forums – RockYou2024 could fuel a wave of data breaches, financial fraud, and identity theft.
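Credential stuffing as described above leaves a recognisable trace in authentication logs: a single source cycling through many different usernames in a short window, with most attempts failing, while per-account rate limits never trigger because each account sees only one or two tries. The detector below is an added example, not code from the original article or from Cybernews; it runs over constructed sample log lines in a hypothetical "timestamp ip user result" format and reports the offending sources together with the accounts whose logins did succeed, which are the ones that need a forced password reset and MFA re-enrolment.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: timestamp ip user result).
# 203.0.113.7 tries ten different accounts in six seconds: classic stuffing.
# 198.51.100.4 is one user mistyping a password, and 192.0.2.9 a lone failure;
# neither should be flagged.
SAMPLE_LOG = """\
2024-07-08T10:00:01Z 203.0.113.7 alice FAIL
2024-07-08T10:00:02Z 203.0.113.7 bob FAIL
2024-07-08T10:00:02Z 203.0.113.7 carol FAIL
2024-07-08T10:00:03Z 203.0.113.7 dave FAIL
2024-07-08T10:00:03Z 203.0.113.7 erin OK
2024-07-08T10:00:04Z 203.0.113.7 frank FAIL
2024-07-08T10:00:05Z 203.0.113.7 grace FAIL
2024-07-08T10:00:06Z 203.0.113.7 heidi FAIL
2024-07-08T10:00:06Z 203.0.113.7 ivan FAIL
2024-07-08T10:00:07Z 203.0.113.7 judy OK
2024-07-08T10:00:10Z 198.51.100.4 alice FAIL
2024-07-08T10:00:15Z 198.51.100.4 alice FAIL
2024-07-08T10:00:20Z 198.51.100.4 alice OK
2024-07-08T10:05:00Z 192.0.2.9 mallory FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window_seconds=60,
                               min_distinct_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for sources that, inside any sliding window of
    window_seconds, attempted at least min_distinct_users different accounts
    with a failure ratio of at least min_fail_ratio.

    The key signal is distinct usernames per source, not attempts per account:
    a stuffing run spreads its guesses thinly across many accounts.
    """
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the span covers at most window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_distinct_users and fails / len(span) >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": fails,
                    # Successful logins inside a stuffing burst are the accounts
                    # whose reused password was in the leak: treat as compromised.
                    "succeeded_accounts": sorted({u for _, u, ok in span if ok}),
                }
                prev = alerts.get(ip)
                if prev is None or summary["distinct_users"] > prev["distinct_users"]:
                    alerts[ip] = summary
    return alerts


def accounts_to_reset(alerts):
    """Union of accounts that logged in successfully from a flagged source."""
    return sorted({u for a in alerts.values() for u in a["succeeded_accounts"]})


if __name__ == "__main__":
    found = detect_credential_stuffing(SAMPLE_LOG)
    for ip, info in found.items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"{info['failures']}/{info['attempts']} failed, "
              f"compromised: {info['succeeded_accounts']}")
    print("force reset + MFA re-enrol:", accounts_to_reset(found))
```

Tune the thresholds to the service's normal traffic (shared NAT egress addresses can legitimately show several users per minute), and remember that distributed stuffing spreads the same pattern across many source addresses, so the per-source view is a starting point rather than complete coverage.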

Mitigating the RockYou2024 Threat

Chris Bates, chief information security officer at SandboxAQ, said, “Companies should assume all passwords are compromised and build the correct mitigating controls. These include phishing resistant MFA, passwordless authentication, and behaviour-based detection and response programs to detect malicious use.”

Beyond this advice, there are steps users can take to mitigate the risks associated with RockYou2024. Services like the "AmIBreached" data leak checker from Cyble allow individuals to verify whether their credentials have been compromised. More importantly, adopting strong, unique passwords for every online account is crucial.

Password managers like LastPass, 1Password and Enpass can be invaluable tools for generating and storing complex passwords, ensuring each account has a unique login.

Finally, identity theft protection services can provide an extra layer of security, assisting with recovery efforts in the event of fraud or identity theft.

The Road Ahead

The RockYou2024 leak serves as a stark reminder of the ever-evolving cyber threat landscape.

Marc Manzano, general manager at SandboxAQ, said, “It's imperative for organizations to implement and enforce stringent password policies, educate users about the risks of password reuse, and put into action multi-factor authentication widespread adoption.” He added, “Enhancing overall IT systems security by deploying modern cryptography management platforms will be crucial in defending against large-scale threats leveraging stolen passwords.”

Organizations and individuals alike must prioritize robust password security practices to stay ahead of malicious actors. As investigations into the leak continue, security professionals remain vigilant, anticipating the potential consequences of this colossal data breach.

Hackers Compromise Ethereum Mailing List to Send Phishing Emails Directing Subscribers to Crypto Drainers


The Ethereum Foundation (EF) this week disclosed a phishing campaign that targeted its email subscribers. The attack, which took place on June 23, saw a malicious email sent to over 35,794 recipients from the compromised Ethereum email account "updates@blog.ethereum.org".

[Image: Phishing mail sent on 23-06-2024, 00:19 AM UTC, to 35,794 email addresses from updates@blog.ethereum.org]

The phishing email sent from this address leveraged social engineering tactics, luring users with the promise of a high annual percentage yield (APY) through a fake collaboration between Ethereum and Lido DAO. Clicking the embedded "Begin staking" button led victims to a well-disguised website designed to steal cryptocurrency from unsuspecting users' crypto wallets.

Dissecting the Ethereum Mailing List Attack

Investigators discovered the attacker used a combined email list, incorporating both their own addresses and a subset of 3,759 addresses harvested from the Ethereum blog's mailing list. Fortunately, only 81 of the obtained addresses were new to the attacker.

The phishing email advertised a lucrative 6.8% APY on staked Ethereum. Upon clicking the malicious link and attempting to connect their wallets, users would unknowingly initiate a transaction that would drain their crypto holdings straight into the attacker's wallet.

[Image: Fake website where crypto drainers were masqueraded]

Swift Response and Ongoing Measures

The Ethereum Foundation's security team swiftly responded to the incident. They identified and blocked the attacker from sending further emails, while simultaneously alerting the community via Twitter about the malicious campaign. Additionally, the team submitted the fraudulent link to various blocklists, effectively hindering its reach and protecting users of popular Web3 wallet providers and Cloudflare.

While on-chain analysis revealed no successful thefts during this specific campaign, the EF emphasizes the importance of vigilance. They have implemented additional security measures and are migrating some email services to mitigate future risks.

Similar Incidents

This incident highlights the evolving tactics of cybercriminals who exploit trust in reputable organizations to target cryptocurrency users. In February, crypto scammers devised a new tactic to deceive owners of Ethereum Name Service (ENS) domains, commonly recognized by their “.eth” extension. The ENS email phishing scam involved sending emails to ENS owners, purportedly alerting them about the expiration of their domains. But, as in the latest campaign, victims were directed to fraudulent platforms designed to siphon their funds.

Nick Bax, a prominent figure in cryptocurrency analysis, first reported the crypto scam, suggesting that attackers could be exploiting the extensive data leaked from previous data breaches. This leak potentially provides scammers with access to genuine email addresses associated with [.]eth accounts, facilitating the targeting of ENS owners.

Security professionals and crypto enthusiasts alike should remain vigilant against phishing attempts and prioritize verifying information before interacting with suspicious links or investment opportunities.

Apple Caves to Roskomnadzor Demands, Removes VPNs From Russia’s App Store


In a move that tightens Russia's grip on internet control, Apple has removed several Virtual Private Network (VPN) applications from the App Store in response to a request by Roskomnadzor, the country's federal media watchdog.

The deleted VPN apps, belonging to ProtonVPN, Red Shield VPN, NordVPN, and Le VPN, were popular tools used by Russians to bypass government-imposed internet censorship. Red Shield VPN and Le VPN confirmed the removals, sharing messages from Apple stating the apps were deleted per "demand from Roskomnadzor" for containing "content considered illegal in Russia."

VPNs create encrypted tunnels for internet traffic, allowing users to access blocked websites and applications anonymously.

Apple offered little explanation, suggesting developers contact Roskomnadzor directly. Red Shield VPN, in turn, advised users to switch their Apple ID country to access the app and updates elsewhere. But the suggestion came not before it used some stern words against the Cupertino giant. It said:

"Apple's actions, motivated by a desire to retain revenue from the Russian market, actively support an authoritarian regime. This is not just reckless but a crime against civil society. The fact that a corporation with a capitalization larger than Russia's GDP helps support authoritarianism says a lot about the moral principles of that corporation." - Red Shield VPN

Red Shield said its service aims to provide free access to information and to improve the world. But in the notification, Apple refers to Roskomnadzor's request to remove the app and claims that the app "solicits, promotes, or encourages criminal or clearly reckless behavior," which Red Shield strongly disagrees with.

A similar notice was sent to LeVPN as seen in the image below:

[Image: Apple Notice to LeVPN (Source: LeVPN)]

Banning and Removal of VPN Apps Not New

This is just the latest chapter in Russia's escalating efforts to control online information. The crackdown on VPN Apps and their services predates the Ukraine war but has intensified significantly since. Roskomnadzor executed large-scale blocks targeting VPN protocols like WireGuard, OpenVPN, and IPSec in August and September 2023.

According to Sergei Khutortsev, Director of Roskomnadzor's Public Communications Network Monitoring and Management Centre, 167 "malicious" VPN services and 84 applications have been blocked in just two years.

This aggressive censorship push extends beyond VPNs. Roskomnadzor is reportedly developing an AI-powered system to maintain a vast register of banned information, further solidifying its control over the Russian online landscape. Additionally, the agency compels telecom operators to block roughly 300,000 unregistered SIM cards weekly.

While Apple's compliance with Roskomnadzor's demands raises concerns about corporate responsibility in the face of authoritarian restrictions, it's a tactic with limited effectiveness. Tech-savvy users will undoubtedly explore alternative methods to access VPN services. The bigger worry lies with Roskomnadzor's growing arsenal of censorship tools and its potential to stifle free speech and the flow of information within Russia.

Australia Gives Online Industry Ultimatum to Protect Children from Age-Explicit Harmful Content


Australia’s eSafety Commissioner has given key online industry players six months to develop "enforceable codes" to shield children from exposure to pornography and other harmful content. The codes will aim to prevent young children from encountering explicit material that is deemed unsuitable for their age. They will also seek to empower Australian internet users with options to manage their exposure to various online materials. While the primary focus is on pornography, the codes will also cover other high-impact content, including themes of suicide, self-harm, and disordered eating.

The regulations will apply to app stores, apps, websites (including porn sites), search engines, social media, hosting services, ISPs, messaging platforms, multiplayer games, online dating services, and device providers. The European Union calls these large digital platforms “gatekeepers.”

Why 'Enforceable Codes' are Important

eSafety Commissioner Julie Inman Grant noted the pervasive and invasive nature of online pornography. She said children often encounter explicit material accidentally and at younger ages than before.
“Our own research shows that while the average age when Australian children first encounter pornography is around 13, a third of these children are actually seeing this content younger and often by accident,”  - eSafety Commissioner Julie Inman Grant
She clarified that these measures focus on preventing young children's unintentional exposure to explicit content that revolves around such a sensitive topic. Social media plays a significant role in unintentional exposure, with 60% of young people encountering pornography on platforms like TikTok, Instagram, and Snapchat, according to Inman Grant.

"The last thing anyone wants is children seeing violent or extreme pornography without guidance, context or the appropriate maturity levels because they may think that a video showing a man aggressively choking a woman during sex on a porn site is what consent, sex and healthy relationships should look like," she added.

Parents and caregivers are crucial in protecting children, but the industry must also implement effective barriers, Inman Grant stressed. These could include age verification, default safety settings, parental controls, and tools to filter or blur unwanted sexual content. Such measures should apply across all technology layers, from connected devices to app stores, messaging services, social media platforms, and search engines, providing multi-layered protection, the eSafety Commissioner said.

Draft Due Oct. 3, Final Versions by Dec. 19

Industry bodies are required to submit a preliminary draft of the codes by October 3, with final versions due at the end of the year on December 19. Public consultation while the "enforceable codes" are being defined is also a requirement from the eSafety Commissioner. eSafety has released a Position Paper to help industry develop these codes and clarify expectations.
“We want industry to succeed here and we will work with them to help them come up with codes that provide meaningful protections for children.” - eSafety Commissioner Julie Inman Grant

eSafety Commissioner Can Set Rules if Efforts Fail

If any code falls short, the eSafety Commissioner can set the rules instead, under the provisions of the Online Safety Act. eSafety has also published an Age Assurance Tech Trends Paper examining recent developments in age verification technology to provide additional context.

These new codes will complement existing protections under the Online Safety Act, including the Restricted Access System Declaration, the Basic Online Safety Expectations Determination, and the initial industry codes addressing illegal content such as online child sexual abuse material. Additionally, the codes align with broader initiatives such as the Government's Age Assurance Trial, Privacy Act reforms, the statutory review of the Online Safety Act, and efforts under the National Plan to End Violence Against Women and Children 2022-2032.

Last year, the eSafety Commissioner also issued notices to online platforms including Twitter and Meta concerning their approaches to combating online child abuse. This was followed by similar action from Inman Grant over online hate on social media platforms.

Law Enforcement and Private Sector Team Up to Disrupt Cobalt Strike Abuse


In a coordinated takedown, law enforcement and cybersecurity firms joined forces to cripple cybercriminals' misuse of a legitimate security tool, Cobalt Strike. The week-long operation, codenamed MORPHEUS and spearheaded by the UK's National Crime Agency, targeted unlicensed versions of Cobalt Strike used to infiltrate victim networks.

Europol, which helped coordinate the operation involving authorities from six other countries, said a total of 690 IP addresses linked to criminal activity were flagged. By the end of the week, over 85% (593) of these addresses associated with unlicensed Cobalt Strike instances were disabled by internet service providers (ISPs) in 27 countries.

Cobalt Strike: Double-Edged Sword

Cobalt Strike, a commercially available tool from Fortra, is used by penetration testers and red teams for adversary simulation: emulating real attackers to identify weaknesses in a network's defenses. In the hands of malicious actors, however, cracked and unlicensed versions of Cobalt Strike become a powerful weapon.

"Since the mid 2010’s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the ‘go-to’ network intrusion tool for those seeking to build a cyberattack, allowing them to deploy ransomware at speed and at scale." - UK's NCA

Cybercriminals typically deploy Cobalt Strike through spear-phishing emails, tricking victims into clicking malicious links or opening infected attachments. Once the lure succeeds, Beacon, Cobalt Strike's post-exploitation agent, is installed on the host and calls back to the attacker's team server, giving them remote control of the compromised system. From there they can harvest credentials and data, drop additional payloads such as infostealers, and move laterally to launch further attacks.

Criminals also exploit these cracked copies to establish backdoors on compromised systems, and deploy malware. Notably, investigations into ransomware strains like Ryuk, Trickbot, and Conti have linked them to the use of unlicensed Cobalt Strike, Europol said.

Paul Foster, director of threat leadership at the National Crime Agency, said, "Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes. Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise." Foster warned that such attacks could cost companies millions in losses and recovery costs.

Public-Private Partnership: A Winning Formula

The success of Operation MORPHEUS hinges on the unprecedented cooperation between law enforcement and the private sector. Key industry partners like BAE Systems Digital Intelligence, Trellix, Spamhaus, and The Shadowserver Foundation provided crucial support. Their expertise in threat intelligence, network scanning, and data analysis proved instrumental in identifying malicious activities and pinpointing cybercriminal infrastructure.

This collaboration is a direct consequence of Europol's recent regulatory amendments, empowering the agency to work more effectively with private entities. This novel approach grants Europol access to real-time threat intelligence and a broader understanding of cybercriminal tactics. This translates to a more coordinated and comprehensive response, ultimately strengthening the overall cybersecurity posture across Europe.

Europol's European Cybercrime Centre (EC3) played a pivotal role throughout the investigation, offering analytical and forensic support and facilitating information exchange between all partners, while the FBI, the Australian Federal Police, and other national agencies provided critical support.

Over the past two and a half years, law enforcement utilized the Malware Information Sharing Platform (MISP) to facilitate real-time threat intelligence sharing with the private sector. Nearly 730 intelligence reports containing almost 1.2 million indicators of compromise (IOCs) were exchanged during the investigation. Additionally, EC3 organized over 40 coordination meetings to ensure smooth collaboration between law enforcement and private partners. Europol even established a virtual command post during the takedown week to coordinate global law enforcement activities.
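The indicator exchange described above is what makes a takedown like this actionable for defenders: an ISP or SOC receiving the shared IOCs still has to match them against its own traffic. The following is an added example, not code from Europol, MISP or the operation, showing the simplest form of that matching: it loads a constructed, simplified MISP-style event export (the real format carries many more fields), keeps only attributes flagged `to_ids`, and runs them over constructed flow-log lines. The log format, the `ip-dst|port` indicator and all addresses (RFC 5737 documentation ranges) are assumptions for illustration.

```python
"""Match network flow logs against a MISP-style indicator export.

Added example; not code from Europol, MISP or The Cyber Express. The event
JSON and the log lines below are constructed; addresses come from the
RFC 5737 documentation ranges.
"""
import ipaddress
import json
import re
from typing import Dict, Iterable, List, Set

# Constructed, simplified MISP event export: only the fields this script reads.
MISP_EVENT_JSON = """
{
  "Event": {
    "info": "constructed sample: hypothetical C2 infrastructure",
    "Attribute": [
      {"type": "ip-dst",      "value": "203.0.113.10",       "to_ids": true},
      {"type": "ip-dst|port", "value": "198.51.100.25|8443", "to_ids": true},
      {"type": "domain",      "value": "updates.example.net", "to_ids": true},
      {"type": "ip-dst",      "value": "192.0.2.99",         "to_ids": false},
      {"type": "ip-dst",      "value": "not-an-ip",          "to_ids": true}
    ]
  }
}
"""

# Constructed flow-log lines in a hypothetical key=value format.
SAMPLE_LOGS = [
    "2024-07-01T10:00:01Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-07-01T10:00:02Z src=10.0.0.7 dst=198.51.100.25 dport=8443 proto=tcp",
    "2024-07-01T10:00:03Z src=10.0.0.7 dst=198.51.100.25 dport=443 proto=tcp",
    "2024-07-01T10:00:04Z src=10.0.0.9 dst=192.0.2.99 dport=80 proto=tcp",
    "2024-07-01T10:00:05Z src=10.0.0.9 dst=192.0.2.1 dport=443 proto=tcp",
]

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def load_indicators(event_json: str) -> Dict[str, Set[str]]:
    """Return {"ip": {...}, "ip_port": {...}} from attributes flagged to_ids.

    MISP's to_ids flag marks attributes meant for detection; context-only
    attributes are skipped, as are values that do not parse as an address.
    """
    event = json.loads(event_json)["Event"]
    ips: Set[str] = set()
    ip_ports: Set[str] = set()
    for attr in event["Attribute"]:
        if not attr.get("to_ids"):
            continue
        try:
            if attr["type"] == "ip-dst":
                ips.add(str(ipaddress.ip_address(attr["value"])))
            elif attr["type"] == "ip-dst|port":
                ip, port = attr["value"].split("|", 1)
                ip_ports.add(f"{ipaddress.ip_address(ip)}:{int(port)}")
        except ValueError:
            # Malformed indicator: skip rather than abort the whole feed.
            continue
    return {"ip": ips, "ip_port": ip_ports}


def match_logs(lines: Iterable[str], indicators: Dict[str, Set[str]]) -> List[dict]:
    """Return one hit per log line whose destination matches an indicator.

    An ip-dst|port indicator only fires on that exact port; a bare ip-dst
    indicator fires on any port. Unparseable lines are ignored.
    """
    hits: List[dict] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.groups()
        key = f"{dst}:{int(dport)}"
        if key in indicators["ip_port"]:
            hits.append({"src": src, "dst": dst, "dport": int(dport), "indicator": key, "line": line})
        elif dst in indicators["ip"]:
            hits.append({"src": src, "dst": dst, "dport": int(dport), "indicator": dst, "line": line})
    return hits


if __name__ == "__main__":
    found = match_logs(SAMPLE_LOGS, load_indicators(MISP_EVENT_JSON))
    for hit in found:
        print(f"HIT indicator={hit['indicator']} src={hit['src']} -> {hit['dst']}:{hit['dport']}")
```

Only two of the five constructed lines produce a hit: the first (a bare IP indicator) and the second (IP and port both matching). The third line reaches the same host on a different port and does not match the `ip-dst|port` indicator, and the fourth targets an address whose `to_ids` flag is false. Whether an `ip-dst|port` indicator should also match other ports on that host is a precision-versus-recall choice; the script keeps it strict so that shared infrastructure such as CDNs does not drown real hits.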

The Fight Continues

While Operation MORPHEUS represents a significant victory, the fight against cybercrime is far from over. Law enforcement agencies remain vigilant and are prepared to conduct similar disruptive actions as long as criminals continue to abuse legitimate security tools.

Fortra, the developer of Cobalt Strike, has also released a new version with enhanced security measures and is committed to working with law enforcement to remove older, vulnerable versions from circulation.

EU Flexes Muscles: Meta’s ‘Pay or Consent’ Model Faces DMA Challenge


The European Commission has preliminarily found that Meta's "pay or consent" advertising model breaches the Digital Markets Act (DMA). The preliminary findings highlight concerns about user choice and data control within the social media landscape. The Commission has 12 months from the opening of proceedings to conclude the investigation, after which a formal decision will be made, it said.


DMA Compliance: A New Benchmark for User Privacy

The Digital Markets Act (DMA) was signed into law by the European Parliament and the Council presidency in September 2022. It became legally effective two months later and most of its regulations took effect on May 2, 2023.

The DMA is a European law that aims to prevent large online platforms from abusing their market power and to ensure fair competition in the digital economy. The law primarily targets "gatekeepers," which are large digital platforms that provide core services like search engines, messaging services, app stores and dominant online platforms like Meta.

Meta's Model Under Fire: Limited Options, Privacy Concerns

Online platforms collect a lot of personal data to power online advertising. Their dominant position allows them to set user agreements that enable vast data collection, giving them a big advantage over competitors.

New EU regulations - DMA Article 5(2) - aim to empower users by requiring platforms to get explicit consent before combining their data across different services. Even if users refuse consent, they must still have access to a basic version of the service, even if it's less personalized. This stops platforms from forcing users to give up their data to use the service entirely.

Meta's "pay or consent" model, launched in response to the DMA, presents EU users with a binary choice, the Commission argued: subscribe for an ad-free version, or accept personalized ads in the free version. The Commission said this approach fails to comply with the DMA on two key points:

  • Lack of a "Less Personalized" Option: Users are not offered a service with reduced data collection and ad personalization, violating their right to control their data footprint.
  • Consent Coercion: The model allegedly coerces consent by making access to certain functionalities conditional on agreeing to data combination.

The Commission asserted that users who choose not to consent should still have access to an equivalent service with less data collection for advertising purposes.

Next Steps: Dialog and Potential Penalties

Meta now has the opportunity to respond to the preliminary findings and defend its practices. The Commission will conclude its investigation within a year, potentially leading to a formal decision against Meta if the concerns are confirmed.


Potential consequences for non-compliance include hefty fines – up to 20% of global turnover for repeated offenses. More drastic measures like forced business divestments are also on the table.

The Commission remains open to discussions with Meta to find a solution that complies with the DMA. This case sets a crucial precedent for how dominant platforms handle user data and privacy in the age of stricter regulations.

French Authorities Seized Nearly $6M in Child Sexual Abuse and Drug Dealing Platform Takedown


French authorities seized servers and proceeds worth millions belonging to the "Coco" chat website, a free-for-all online platform that facilitated child sexual abuse and drug dealing, among other illegal activities.

In a major international cooperative effort, the French authorities, alongside Bulgaria, Germany, Lithuania, Netherlands, and Hungary, dismantled a notorious online platform that facilitated a range of criminal activities.

Under investigation since December 2023, the website called "Coco" has facilitated child pornography, sexual exploitation, drug dealing and violent acts including homicides, said Eurojust, the European Union Agency for Criminal Justice Cooperation.

The details of the seizure were revealed on Monday, a week after the initial announcement from the Paris prosecutor's office that the website was no longer available and only displayed a seizure notice from the French national police.

Platform Served as Hub for Organized Crime

For years, the platform served as a virtual meeting ground for criminals, enabling them to communicate, plan operations, and conduct transactions, said Eurojust. Over 23,000 judicial procedures linked to this platform have been initiated since 2021, with at least 480 victims identified to date.

French authorities launched an investigation in December last year after receiving a host of allegations about abuse suffered by individuals through the platform. The investigation uncovered the platform's role in facilitating activities such as human trafficking and child exploitation for organized crime groups, after which the authorities took steps to shut it down.

Coordinated Takedown Nets Servers and Millions

A synchronized operation supported by Eurojust led to the seizure of servers located in Germany, effectively shutting down the platform and displaying a splash page. Lithuanian and Hungarian authorities swiftly executed freezing orders, securing over €5.6 million in suspected criminal funds.

Furthermore, a European Investigation Order (EIO) issued by France was successfully executed in Bulgaria. French magistrates and law enforcement officials, authorized by Bulgarian authorities, conducted bank statement reviews, searches, seizures, and witness interviews.

Coco Chat Site's Links to Violence

Coco was a chat website with a notorious lack of moderation. Rights groups in France have labeled it a "predator's den" due to its alleged links to violence. SOS Homophobie, for instance, called for its closure after a brutal attack on a gay man allegedly planned by Coco users. Child protection groups have also campaigned against Coco since 2013, citing its easy access for criminals. The website, owned by a Bulgarian company and operating outside French jurisdiction with a [.]gg domain, boasted over 850,000 users in France as of 2023. Paris prosecutors connect Coco's anonymity to its appeal for criminals, highlighting a recent murder allegedly set up on the platform.

Prudential Data Breach Grows Nearly 70-Fold: Over 2.5 Million Affected


A data breach at insurance giant Prudential has ballooned far beyond initial estimates, with regulators informed that over 2.5 million individuals may have had personal information compromised. This significant update comes after Prudential downplayed the incident in March, stating only 36,545 customers were affected. Prudential is the second largest life insurance company in the United States, with 40,000 employees worldwide and revenue of $50 billion in 2023.

Initial Claims vs. Updated Numbers

In March 2024, following a February network intrusion, Prudential reported to regulators that hackers accessed a limited dataset, including names, addresses, and driver's license/ID numbers, for 36,545 individuals. However, updated data breach filings submitted to Maine regulators on June 30th paint a much bleaker picture. The revised figures show a staggering 2,556,210 customers potentially impacted by the data leak.

A Prudential spokesperson clarified that the leaked information may vary for each affected individual. While the full scope of the breach is under investigation, the significant increase in reported victims raises concerns about the initial assessment and potential notification delays.

Prudential's Response and Next Steps

Prudential maintains that it has completed a "complex analysis" of the affected data and began a rolling notification process in March. However, the vast increase in impacted individuals raises the question of whether those notifications were comprehensive and timely. The company says it is offering all affected individuals 24 months of complimentary credit monitoring.

ALPHV Ransomware Gang Claimed Prudential Data Breach

Prudential has yet to disclose details about the attackers behind the February data breach. However, the ALPHV/BlackCat ransomware gang took responsibility for the incident on February 13. The gang is now shut down, but not before running an exit scam and getting a hefty ransom of $22 million from the Change Healthcare breach. The FBI tied ALPHV to over 60 breaches in its first four months, netting at least $300 million from more than 1,000 victims by September 2023.

Notably, this is not Prudential's first major data breach. In 2023, a separate attack involving a compromised file transfer tool exposed the Social Security numbers and other sensitive data of over 320,000 customers.

Prudential's revised data breach figures raise critical questions about incident response protocols, data forensics capabilities, and the potential impact on millions of customers. Regulators are likely to scrutinize Prudential's handling of the incident as more details emerge.

Synnovis Ransomware Attack: Slow Recovery and Potential Patient Data Breach


The ransomware attack that crippled Synnovis, a key pathology provider for southeast London's NHS Trusts, continues to disrupt critical services nearly a month after the initial attack. While some progress has been made, the slow recovery highlights the fragility of healthcare infrastructure and the potential for wider patient data breaches.

Technical Hurdles Plague Restoration Efforts

The attack that took place on June 3 knocked out most of Synnovis' IT systems, impacting everything from lab analysis equipment to results transmission. With electronic workflows crippled, the lab reverted to manual processes, significantly hindering processing capacity and turnaround times.

The daily blood sampling count in major London hospitals plunged from 10,000 to merely 400 per day after the cyberattack. The biggest challenge that Synnovis is facing is that all its automated end-to-end laboratory processes are offline, since all IT systems have been locked down in response to the ransomware attack.

The ongoing recovery prioritizes critical systems first. New middleware deployed at partner hospitals aims to streamline result reporting, but full restoration remains a distant prospect. Synnovis is collaborating with its parent company, SYNLAB, and the NHS to ensure a secure and phased recovery.

Mutual Aid Boosts Capacity, But Data Breach Looms Large

To address the backlog of critical tests, Synnovis implemented a "Mutual Aid" program across southeast London boroughs, leveraging partner labs within the NHS network. Additionally, SYNLAB is diverting resources from its wider UK and international network to bolster processing capacity.

However, a more concerning development emerged on June 20. A Russian ransomware group called Qilin claimed responsibility for the attack and leaked data online. Synnovis later confirmed the published data was stolen from its administrative drives.

"This drive held information which supported our corporate and business support activities. Synnovis personnel files and payroll information were not published, but more needs to be done to review other data that has been published relating to our employees." - Synnovis

While a full analysis is ongoing, initial findings suggest the data may contain patient information like full names, NHS numbers, and test codes.

Uncertainties for Synnovis Remain as Investigation Continues

The stolen data appears partial and in a complex format, making analysis and identification of impacted individuals challenging. Synnovis, with assistance from the NCSC and NHS cybersecurity specialists, is investigating the attack's scope and potential data breach. Law enforcement and the Information Commissioner are also kept informed.

Mark Dollar, CEO of Synnovis, acknowledged the disruption and expressed regret for the inconvenience caused.

“We are very aware of the impact and upset this incident is causing to patients, service users and frontline NHS colleagues, and for that I am truly sorry. While progress has been made, there is much yet to do, both on the forensic IT investigation and the technical recovery. We are working as fast as we can and will keep our service users, employees and partners updated.” - Mark Dollar, CEO of Synnovis

However, the timeline for full system restoration and the extent of the potential data breach remain unclear.

The Synnovis attack highlights a broader trend within healthcare IT systems and the potential consequences of third-party cyberattacks. SYNLAB, the parent company of Synnovis, has been targeted by cybercriminals multiple times in the last year. Similar attacks hit their subsidiaries in Italy in April 2024 and a year earlier in France. These incidents underline a concerning rise in third-party vulnerabilities within the healthcare industry.

As Synnovis grapples with recovery, the cybersecurity community awaits further details on the data breach and its potential impact on patients.

Chrome to ‘Distrust’ Entrust Certificates: Major Shakeup for Website Security


Google's Chrome browser is making a significant security move by distrusting certificates issued by Entrust, a prominent Certificate Authority (CA), beginning late 2024. This decision throws a wrench into the operations of numerous websites including those of major organizations like Bank of America, ESPN, and IRS.GOV, among others.

Digital certificates (SSL/TLS) play a vital role in securing connections between users and websites. A certificate issued by a trusted CA lets the browser verify that it is talking to the server that controls the domain, and the resulting TLS session encrypts traffic against eavesdropping and tampering. Because browsers trust a site only if its certificate chains to a CA in their root store, the CA's own trustworthiness underpins the whole arrangement.

However, Chrome is removing Entrust from its list of trusted CAs due to a concerning pattern of "compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress" over the past six years. Entrust's repeated shortcomings in upholding security standards have led Google to lose confidence in their ability to act as a reliable CA.

"It is our opinion that Chrome’s continued trust in Entrust is no longer justified." - Google Chrome

This move also extends to AffirmTrust, a lesser-known provider acquired by Entrust. While these certificates account for only a small fraction of the web (0.1%, compared to 49.7% for Let's Encrypt), the impact is still significant, considering that organizations like Bank of America, BookMyShow, and ESPN, and even government websites like IRS.gov, all of which carry high traffic volumes, use certificates from Entrust.

Image: Bank of America and IRS.gov certificates as displayed in Chrome's Certificate Viewer.

What This Means for Users and Website Owners

Starting November 1, 2024, Chrome users encountering websites with distrusted Entrust certificates will be met with a full-page warning proclaiming the site as "not secure."

Image: Sample of how Chrome will display a warning for websites with a certificate from Entrust or AffirmTrust (Source: Google).

This warning only applies to certificates whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024, which in practice means certificates issued after that date; existing Entrust certificates keep working until they expire. Because certificates have limited lifespans, website owners must transition to a different CA before expiration. Given its market share, Let's Encrypt, a free and trusted option, comes highly recommended.

This shift is crucial for maintaining a secure web environment. When a CA fails to meet expectations, it jeopardizes the entire internet ecosystem. Chrome's decision prioritizes user protection by eliminating trust in potentially compromised certificates.

Website owners using impacted Entrust certificates should act swiftly to switch to a different CA. The Chrome Certificate Viewer can be used to identify certificates issued by Entrust. While this may seem inconvenient, it's necessary to ensure continued user access without security warnings.
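For an operator with more than a handful of hosts, clicking through the Certificate Viewer does not scale. The script below is an added example, not code from Google or Entrust, that triages certificates the way the Chrome announcement describes: it classifies a certificate as unaffected, still in its grace period, or blocked, based on the issuer organization and the notBefore date. Two simplifications are assumptions of this example: it looks at the leaf certificate's issuer organization rather than walking the chain to the affected root, and it uses notBefore as a stand-in for the earliest SCT date, which is what Chrome actually keys on. The certificate dicts follow the layout Python's `ssl.SSLSocket.getpeercert()` returns and are constructed samples.

```python
"""Triage TLS certificates against Chrome's Entrust distrust.

Added example; not code from Google, Entrust or The Cyber Express.
Assumptions: the leaf issuer's organizationName identifies the affected CA,
and notBefore approximates the earliest SCT date Chrome really checks.
"""
import calendar
import socket
import ssl
import sys
from typing import Dict

# Organizations named in Chrome's announcement (matched as substrings,
# case-insensitively, against the issuer organizationName).
AFFECTED_ORGS = ("Entrust", "AffirmTrust")
# Certificates with an earliest SCT after this instant lose default trust.
CUTOFF = calendar.timegm((2024, 10, 31, 23, 59, 59))

# Constructed sample certificates in ssl.getpeercert() dict layout.
SAMPLE_CERTS: Dict[str, dict] = {
    "entrust-old": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Entrust, Inc."),),
                   (("commonName", "Sample Issuing CA (constructed)"),)),
        "notBefore": "Mar  1 00:00:00 2024 GMT",
        "notAfter": "Mar  1 23:59:59 2025 GMT",
    },
    "entrust-new": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Entrust, Inc."),),
                   (("commonName", "Sample Issuing CA (constructed)"),)),
        "notBefore": "Nov  5 00:00:00 2024 GMT",
        "notAfter": "Nov  5 23:59:59 2025 GMT",
    },
    "letsencrypt": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Let's Encrypt"),),
                   (("commonName", "Sample Issuing CA (constructed)"),)),
        "notBefore": "Jun 10 00:00:00 2024 GMT",
        "notAfter": "Sep  8 23:59:59 2024 GMT",
    },
}


def issuer_org(cert: dict) -> str:
    """Pull organizationName out of the issuer RDN sequence, or ''."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return ""


def assess(cert: dict) -> dict:
    """Classify a certificate as 'unaffected', 'grace' or 'blocked'.

    'grace' means Chrome keeps trusting it until notAfter, so it must be
    replaced by a different CA before then; 'blocked' means Chrome will
    show the interstitial from November 1, 2024.
    """
    org = issuer_org(cert)
    from_affected_ca = any(tag.lower() in org.lower() for tag in AFFECTED_ORGS)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not from_affected_ca:
        verdict = "unaffected"
    elif not_before > CUTOFF:
        verdict = "blocked"
    else:
        verdict = "grace"
    return {"issuer_org": org, "verdict": verdict,
            "not_before": not_before, "not_after": not_after}


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live server's leaf certificate (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # With a hostname argument, check a real site; otherwise run the samples.
    if len(sys.argv) > 1:
        targets = {sys.argv[1]: fetch_peer_cert(sys.argv[1])}
    else:
        targets = SAMPLE_CERTS
    for label, cert in targets.items():
        r = assess(cert)
        print(f"{label:14} issuer={r['issuer_org']!r:24} verdict={r['verdict']}")
```

Run without arguments it classifies the three constructed samples (grace, blocked, unaffected); with a hostname it fetches that site's leaf certificate first. A production version should walk the full chain to the root rather than trusting the leaf's issuer string, and should read the SCT list from the certificate's extension instead of using notBefore, since the two dates can differ.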

Potential Workaround Only on Internal Networks

Large organizations managing internal networks have some leeway. The distrust applies only to the Chrome Root Store: if an enterprise installs the affected Entrust root as a locally trusted CA on its own devices, Chrome continues to accept those certificates, so internal websites using them keep functioning normally.

The Entrust Controversy: A Deeper Look

Further context emerges from discussions on Mozilla's Bug Tracker (Bug 1890685). It reveals a critical issue – Entrust's failure to revoke a specific set of Extended Validation (EV) TLS certificates issued between March 18 and 21, 2024. This violated their own Certification Practice Statement (CPS).

Entrust opted against revoking the certificates, citing potential customer confusion and denying any security risks. However, this decision sparked outrage. Critics emphasized the importance of proper revocation procedures to uphold trust in the CA system. Entrust's prioritization of customer convenience over security raised concerns about their commitment to strict adherence to security best practices.

A detailed post on Google Groups by Mike Shaver sheds further light on the situation. Shaver expresses doubt in Entrust's ability to comply with WebPKI and Mozilla Root Store Program (MRSP) requirements. Despite attempts to address these concerns, Entrust's handling of certificate revocation, operational accountability, and transparency remain under scrutiny.

Shaver points out Entrust's tendency to prioritize customer convenience over strict adherence to security standards. He also criticizes the lack of detailed information regarding organizational changes and Entrust's failure to meet Mozilla's incident response requirements. Until Entrust demonstrates substantial improvements and transparency, continued trust in their certificates poses a significant risk to the overall web PKI and the security of internet users.

But this is not the end of it; in fact, it is just the tip of the iceberg. Shaver's comments in the forum respond to a series of Entrust compliance incidents between March and May. Mozilla's Ben Wilson summarized these recent incidents in a dedicated wiki page.

"In brief, these incidents arose out of certificate mis-issuance due to a misunderstanding of the EV Guidelines, followed by numerous mistakes in incident handling including a deliberate decision to continue mis-issuance," Wilson said.

This is a very serious shortcoming on Entrust's behalf considering the stringent norms and root store requirements, he added.

However, Chrome's decision to distrust Entrust certificates sends a strong message – prioritizing user safety requires holding CAs accountable for upholding the highest security standards.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Crypto Scammers Hijack Channel 7 News Australia’s YouTube Account, Use Elon Musk Deepfake to Ask for Crypto Investment


Crypto scammers hijacked Channel 7 News Australia's YouTube account to run a live stream of an Elon Musk deepfake on loop. The AI-generated version of the business tycoon was seen luring users to scan a QR code and invest in a money-doubling scheme through cryptocurrency. The news and media company is investigating claims even as traces of account takeover persist at the time this article was published.

Crypto Scammers Shift to Deepfake Deployment

Crypto scammers hijacking social media accounts of popular brands and celebrities on platforms like YouTube and X is not a novel thing. But what transpired on Thursday could very well be a snippet of things to come as we move towards the Age of AI.

The crypto scammers first took over the YouTube account of Channel 7 News and modified it to masquerade as the official Tesla channel.

Image: Screenshot of Channel 7 News' hijacked YouTube account (Source: Reddit).

After making aesthetic changes to the YouTube account, the crypto scammers replaced the videos in the channel with a deepfake live stream of Tesla chief Elon Musk. The AI-generated Musk was seen encouraging viewers to scan a QR code and invest in cryptocurrency.

Image: Musk's deepfake asking users to "scan or regret" (Source: Reddit).

As per local media, the Musk deepfake said, "All you need to do is scan the QR code on the screen, go to the website and watch your cryptocurrency double. Today's event is a chance for all crypto enthusiasts and users to double their assets."

"This is an opportunity that cannot be missed." - Elon Musk Deepfake

The deepfake video was made in a way that Musk's AI version even interacted with the audience, where he continued to say that twice as much would return to investors' wallets.

Channel 7 News has several region- and programming-specific YouTube channels, and most of them appeared to be hijacked at the time of writing, all running the same deepfake live stream on loop. The page is no longer reachable via direct links from the company website, but as a Reddit user pointed out, reaching the channel through YouTube's own search still shows the changes made by the crypto scammers, including the Tesla logo seen in the images above.

Experts, Leaders Press for Deep Fake Regulations

Owing to the menace of deepfakes, nearly 1,500 AI and tech experts in February urged global regulation of deepfakes to curb risks like fraud and political disinformation. An open letter recommends that lawmakers criminalize deepfake child pornography, penalize creators and facilitators of harmful deepfakes, and hold software developers accountable.
"The whole deepfake supply chain should be held accountable, just as they are for malware and child pornography." - The Open Letter
Legal experts and technologists have also previously urged the U.S. Congress to regulate the use of deepfake technologies and provide new protections particularly for women and minority communities against the use of digitally manipulated media. Experts warned that the deceptive content is already affecting national security, personal privacy and public trust.

More than $250M Seized in Global Online Scam Crackdown


A coordinated international police operation led by Interpol has resulted in the disruption of global online scam networks that carried out phishing, investment fraud, romance and impersonation scams and operated fake online shopping sites. The global operation, codenamed “First Light,” led to the seizure of assets amounting to $257 million and froze more than 6,700 bank accounts linked to the online scam syndicates. Under the banner of Operation First Light 2024, the police also arrested a total of 3,950 suspects and identified another 14,643 as likely members of the global online scam syndicates.
“By confiscating such large amounts of money, and disrupting the networks behind them, we not only safeguard our communities but also deal a significant blow to the transnational organized crime groups that pose such a serious threat to global security.” - Director of Interpol’s Financial Crime and Anti-Corruption Centre (IFCACC), Dr Isaac Kehinde Oginni

Global Online Scam Crackdown Impact

The impact of this police operation against global online scams is “more than just numbers – they represent lives protected, crimes prevented, and a healthier global economy worldwide,” Oginni said. Interpol’s Global Rapid Intervention of Payments (I-GRIP) mechanism traced and intercepted the illicit proceeds from online scams across borders in both fiat currency ($135 million) and cryptocurrency ($2 million). An example of this interception was a business email compromise fraud in which a Spanish citizen unwittingly transferred $331,000 to Hong Kong, China, Interpol said. In another case, Australian authorities recovered AU$5.5 million (approximately $3.7 million) for an impersonation scam victim after the scammers had fraudulently transferred the funds to bank accounts in Malaysia and Hong Kong.

The global nature of online scams was underscored by the operation’s diverse participants. From rescuing 88 young people forced to work in a Namibian scam ring to preventing a tech support scam targeting a senior citizen in Singapore, Operation First Light 2024 showcased the importance of international cooperation. First Light operations have been coordinated since 2014 and are designed to fight social engineering and telecom fraud. The operation is funded by China’s Ministry of Public Security and coordinated by Interpol.

Operation First Light conclusion meeting in Tianjin, China (Source: Interpol)

In 2022, First Light saw a coordinated effort between law enforcement agencies of 76 countries that resulted in the seizure of $50 million worth of illicit funds defrauded from more than 24,000 victims.
“The world is grappling with the severe challenges of social engineering fraud, and organized crime groups are operating from Southeast Asia to the Middle East and Africa, with victims on every continent,” Oginni said.
“No country is immune to this type of crime, and combating it requires very strong international cooperation.” - Dr Isaac Kehinde Oginni

Investment and Phishing Scams Top Threats to U.S.

According to the FBI's Internet Crime Complaint Center (IC3) report, investment scams led to the highest reported losses in the United States last year. Totaling $4.57 billion, investment scams saw a 38% increase from 2022. Crypto-investment fraud also rose 53% to $3.94 billion. Scammers mainly targeted individuals aged 30-49 in these scam types. Phishing schemes, on the other hand, were the most reported crime in 2023, with over 298,000 complaints, comprising 34% of all complaints received. In the FBI San Francisco division, there were 364 complaints with nearly $1.5 million in losses. Santa Clara County had the most complaints, while Alameda County had the highest losses at $500,000.

OpenAI’s ChatGPT ‘Voice Mode’ Doesn’t Meet Safety Standards; Rollout Pushed to July


Experts are raising eyebrows after OpenAI announced a one-month delay in the rollout of its highly anticipated “Voice Mode” feature for ChatGPT, citing safety concerns. The company said it needs more time to ensure the model can “detect and refuse certain content.”
“We’re improving the model’s ability to detect and refuse certain content. We’re also working on enhancing the user experience and scaling our infrastructure to support millions of users while maintaining real-time responses.” - OpenAI
The stalling of the rollout comes a month after OpenAI announced a new safety and security committee that would oversee issues related to the company’s future projects and operations. It is unclear if this postponement was suggested by the committee or by internal stakeholders.

Features of ChatGPT’s ‘Voice Mode’

OpenAI unveiled its GPT-4o system in May, boasting significant advancements in human-computer interaction. “GPT-4o (‘o’ for ‘omni’) is a step towards much more natural human-computer interaction,” OpenAI said at the time. The omni model can respond to audio inputs in an average of 320 milliseconds, which is similar to human response time in conversation. Other salient features of the “Voice Mode” promise real-time conversations with human-like emotional responses, but this also raises concerns about potential manipulation and the spread of misinformation. The May announcement gave a glimpse of the model’s ability to understand nuances like tone, non-verbal cues and background noise, further blurring the lines between human and machine interaction. While OpenAI plans an alpha release for a limited group of paid subscribers in July, the broader rollout remains uncertain. The company emphasizes its commitment to a “high safety and reliability” standard, but the exact timeline for wider access hinges on user feedback.

The ‘Sky’ of Controversy Surrounding ‘Voice Mode’

The rollout delay of the “Voice Mode” feature of ChatGPT follows the controversy sparked by actress Scarlett Johansson, who accused OpenAI of using her voice without permission in demonstrations of the technology. OpenAI refuted the claim, stating that the controversial voice of “Sky” – one of the five voices that Voice Mode offers for responses – belonged to a voice artist and not Johansson. The company said an internal team reviewed the voices it received from over 400 artists, from a product and research perspective, and after careful consideration zeroed in on five of them, namely Breeze, Cove, Ember, Juniper and Sky. OpenAI, however, did confirm that its top boss Sam Altman reached out to Johansson to integrate her voice.
“On September 11, 2023, Sam spoke with Ms. Johansson and her team to discuss her potential involvement as a sixth voice actor for ChatGPT, along with the other five voices, including Sky. She politely declined the opportunity one week later through her agent.” - OpenAI
Altman made a last attempt to onboard the Hollywood star this May, when he again contacted her team to inform them of the launch of GPT-4o and asked if she might reconsider joining as a future additional voice in ChatGPT. Instead, once the demo version of Sky aired, Johansson threatened to sue the company for “stealing” her voice. Under pressure from her lawyers, OpenAI removed the Sky voice sample as of May 19.
“The voice of Sky is not Scarlett Johansson's, and it was never intended to resemble hers. We cast the voice actor behind Sky’s voice before any outreach to Ms. Johansson. Out of respect for Ms. Johansson, we have paused using Sky’s voice in our products. We are sorry to Ms. Johansson that we didn’t communicate better.” – Sam Altman
Although the issue seems to have been resolved for the time being, this duel between Johansson and Altman brought to the fore the ethical considerations surrounding deepfakes and synthetic media.

Likely Delays in Apple AI and OpenAI Partnership Too

If the technical issues and the Sky voice mode controversy weren’t enough, adding another layer of complication to OpenAI’s woes is Apple’s recent brush with EU regulators, which now casts a shadow over the future of ChatGPT integration into Apple devices. Announced earlier this month, the partnership aimed to leverage OpenAI's technology in the Cupertino tech giant’s “Apple Intelligence” system. However, with Apple facing potential regulatory roadblocks under the EU’s Digital Markets Act (DMA), the integration’s fate remains unclear. This confluence of factors – safety concerns, potential for misuse, and regulatory hurdles – paints a complex picture for OpenAI's “Voice Mode.” The cybersecurity and regulatory industry will undoubtedly be watching closely as the technology evolves, with a keen eye on potential security vulnerabilities and the implications for responsible AI development.

Russian Man Indicted for Cyberattacks Targeting Ukraine with WhisperGate Malware Ahead of 2022 Invasion


A U.S. grand jury has indicted a Russian citizen, Amin Timovich Stigal, for allegedly conspiring with Russia's military intelligence agency (GRU) to launch cyberattacks crippling Ukrainian government systems and data ahead of Russia's full-scale invasion in February 2022.

The indictment, unsealed yesterday in Maryland, sheds light on a coordinated effort to disrupt critical Ukrainian infrastructure and sow panic among the population.

“As alleged, the defendant conspired with Russian military intelligence on the eve of Russia’s unjust and unprovoked invasion of Ukraine to launch cyberattacks targeting the Ukrainian government and later targeting its allies, including the United States.” - Attorney General Merrick B. Garland

Attacker Aimed for 'Complete Destruction' in Cyberattacks Targeting Ukraine

Stigal, 22, who remains at large, was charged for his alleged role in using a deceptive malware strain called "WhisperGate" to infiltrate dozens of Ukrainian government networks, including ministries, state services, and critical infrastructure entities. Disguised as ransomware, WhisperGate reportedly went beyond data encryption, aiming for complete destruction of targeted systems and data.

The attacks coincided with the defacement of Ukrainian websites displaying threatening messages designed to intimidate the public. Sensitive data, including patient health records, was exfiltrated and offered for sale online, further amplifying the chaos.

U.S. Critical Infrastructure Targeted Too

But the malicious campaign wasn't limited to cyberattacks targeting Ukraine. The indictment broadens the scope beyond Ukraine, revealing attempts to probe U.S. government networks in Maryland using similar tactics.

“These GRU actors are known to have targeted U.S. critical infrastructure. During these malicious cyber activities, GRU actors launched efforts to scan for vulnerabilities, map networks, and identify potential website vulnerabilities in U.S.-based critical infrastructure – particularly the energy, government, and aerospace sectors.” - Rewards for Justice

The scope of the malicious campaign highlights the potential wide-ranging objectives of the GRU cyber campaign and the ongoing threat posed by nation-state actors.

Reward Offered for Info Leading to Capture

The Justice Department emphasized its commitment to holding accountable those responsible for Russia's malicious cyber activity. The indictment carries a maximum sentence of five years, but international cooperation remains crucial to apprehend Stigal.

The U.S. Department of State's Rewards for Justice program is offering a significant reward – up to $10 million – for information leading to Stigal's capture or the disruption of his cyber operations. This substantial reward underscores the seriousness of the charges and the international effort to dismantle Russia's cyber warfare apparatus.

This case serves as a stark reminder of the evolving cyber threat landscape. The destructive capabilities of malware like WhisperGate, coupled with the targeting of critical infrastructure, necessitate vigilance and collaboration between governments and security professionals to defend against nation-state cyberattacks.

“Malicious cyber actors who attack our allies should know that we will pursue them to the full extent of the law,” said Erek L. Barron, U.S. Attorney for the District of Maryland. “Cyber intrusion schemes such as the one alleged threaten our national security, and we will use all the technologies and investigative measures at our disposal to disrupt and track down these cybercriminals.”

Who is Amin Stigal?

The U.S. linked 22-year-old Amin Stigal to the Russian GRU and named him for his involvement in the WhisperGate malware operations. But who is Amin Stigal and what is the extent of his involvement?

Amin Stigal (Source: Rewards for Justice)

Along with the $10 million bounty, the U.S. authorities released scarce but very important details on Stigal's cyber trail: his aliases and the threat group names with which he is affiliated. The Cyber Express did an open-source intelligence (OSINT) study on these aliases and found the following details on Amin Stigal's cyber activities:

DEV-0586/Cadet Blizzard

Microsoft first tracked this threat actor as DEV-0586 and observed its destructive malware targeting Ukrainian organizations in January 2022. The tech giant later in April 2023 shifted to a new threat actor-naming taxonomy and thus named the TA "Cadet Blizzard." Cadet Blizzard has been operational since at least 2020 and has initiated a wave of destructive wiper attacks against Ukraine in the lead up to Russia's February 2022 invasion of Ukraine. Specifically, it created and developed WhisperGate, a wiper that deletes the master boot record, Microsoft said.

EMBER BEAR

CrowdStrike tracked this threat actor as EMBER BEAR (aka Lorec Bear, Bleeding Bear, Saint Bear) and linked it to an adversary group that has operated against government and military organizations in eastern Europe since early 2021. The likely motive of this TA is to collect intelligence from target networks, the cybersecurity firm said. EMBER BEAR primarily weaponized the access and data obtained during its intrusions to support information operations (IO), according to CrowdStrike. Its aim in employing this tactic was to create public mistrust in targeted institutions and degrade the respective governments' ability to counter Russian cyber operations.

UAC-0056

The Computer Emergency Response Team of Ukraine (CERT-UA) tracked this Russia-linked threat actor as UAC-0056 and observed its phishing campaigns targeting Ukraine in July 2022. In the discovered attack, the threat actors sought to disrupt the integrity and availability of government websites by exploiting several backdoors and deploying Cobalt Strike Beacon malware. They communicated with the web shell from IP addresses that included those of devices on the networks of other compromised organizations, reached through previously abused accounts and additional VPN connections to those organizations. The hackers also applied other malware samples in this campaign, including the GOST (Go Simple Tunnel) and Ngrok utilities, to deploy the HoaxPen backdoor.

What is WhisperGate Malware?

WhisperGate is destructive malware that is designed to look like ransomware, but it is not. Unlike ransomware, which encrypts data and demands a ransom for decryption, WhisperGate aimed to completely destroy data, rendering the infected systems inoperable. It first targeted Ukrainian organizations in January 2022 and has since remained on the list of top malware variants used to target Kyiv.

Key Points on WhisperGate:

  • Multi-stage Attack: It operated in stages, with the first stage overwriting the Master Boot Record (MBR) to prevent the system from booting normally and displaying a fake ransom note.
  • Data Wiping: The MBR overwrite made data recovery nearly impossible.
  • Motive: Experts believe the goal was data destruction, not financial gain, due to the lack of a real decryption method.
  • Deployment: The malware resided in common directories like C:\PerfLogs and used a publicly available tool called Impacket to spread laterally within networks.
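The first key point above describes a stage that overwrites the MBR so the machine cannot boot and shows a fake ransom note. As an added example (not code from this article or from any vendor analysis), the following Python baseline check parses a raw 512-byte MBR sector, verifies its boot signature and partition table, compares its hash against a known-good baseline, and flags long runs of printable text where boot code belongs; the sample MBR images, the printable-run threshold and the finding codes are constructed assumptions for illustration, not real indicators.

```python
"""Baseline check for an MBR overwrite of the kind described for WhisperGate.

Added example, not code from The Cyber Express or from any vendor report. It
parses a 512-byte MBR image, checks the boot signature and partition table,
compares the sector's SHA-256 against a known-good baseline and flags long
printable text where boot code should be. The MBR images below are
constructed for illustration, not captured from an infection.
"""
import hashlib
import string
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445 hold the boot loader code
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sectors
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
TEXT_RUN_THRESHOLD = 32        # heuristic (assumption): real boot code rarely has this


def build_clean_mbr() -> bytes:
    """Constructed known-good MBR: minimal boot code, one bootable NTFS partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_SIZE - 4)
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def build_overwritten_mbr() -> bytes:
    """Constructed sector imitating a wiper that replaced the boot code with a
    note and zeroed the partition table (the note text is made up, not an IoC)."""
    note = b"Your hard drive has been corrupted. Pay to recover your files."
    body = note + b"\x00" * (MBR_SIZE - 2 - len(note))
    return body + BOOT_SIGNATURE


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition table entries as dicts."""
    parts = []
    for i in range(4):
        off = BOOT_CODE_SIZE + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba, sectors = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_SIZE])
        if ptype == 0 and lba == 0 and sectors == 0:
            continue   # all-zero entry: unused slot
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": sectors})
    return parts


def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII bytes in data."""
    printable = set(string.printable.encode())
    best = run = 0
    for b in data:
        run = run + 1 if b in printable else 0
        best = max(best, run)
    return best


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of finding codes; an empty list means the sector looks intact."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["BAD_LENGTH"]
    if mbr[-2:] != BOOT_SIGNATURE:
        findings.append("NO_BOOT_SIGNATURE")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("EMPTY_PARTITION_TABLE")
    else:
        if any(p["status"] not in (0x00, 0x80) for p in parts):
            findings.append("INVALID_STATUS_BYTE")
        if not any(p["status"] == 0x80 for p in parts):
            findings.append("NO_BOOTABLE_PARTITION")
    if longest_printable_run(mbr[:BOOT_CODE_SIZE]) >= TEXT_RUN_THRESHOLD:
        findings.append("TEXT_IN_BOOT_CODE")
    if sha256_hex(mbr) != baseline_sha256:
        findings.append("HASH_MISMATCH")
    return findings


if __name__ == "__main__":
    baseline = sha256_hex(build_clean_mbr())   # record this from a healthy host
    print("clean:", check_mbr(build_clean_mbr(), baseline))
    print("overwritten:", check_mbr(build_overwritten_mbr(), baseline))
```

In practice the baseline hash is recorded from a known-good host and the sector is read from the raw disk device by a privileged agent; a hash mismatch alone is a prompt to investigate, since legitimate bootloader updates also change it.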

California Privacy Watchdog Inks Deal with French Counterpart to Strengthen Data Privacy Protections


In a significant move to bolster data privacy protections, the California Privacy Protection Agency (CPPA) inked a new partnership with France’s Commission Nationale de l'Informatique et des Libertés (CNIL). The collaboration aims to conduct joint research on data privacy issues and share investigative findings that will enhance the capabilities of both organizations in safeguarding personal data. The partnership between CPPA and CNIL shows the growing emphasis on international collaboration in data privacy protection. Both California and France, along with the broader European Union (EU) through its General Data Protection Regulation (GDPR), recognize that effective data privacy measures require global cooperation. France’s membership in the EU brings additional regulatory weight to this partnership and highlights the necessity of cross-border collaboration to tackle the complex challenges of data protection in an interconnected world.

What the CPPA-CNIL Data Privacy Protections Deal Means

The CPPA on Tuesday outlined the goals of the partnership, stating, “This declaration establishes a general framework of cooperation to facilitate joint internal research and education related to new technologies and data protection issues, share best practices, and convene periodic meetings.” The strengthened framework is designed to enable both agencies to stay ahead of emerging threats and innovations in data privacy. Michael Macko, the deputy director of enforcement at the CPPA, said there were practical benefits of this collaboration. “Privacy rights are a commercial reality in our global economy,” Macko said. “We’re going to learn as much as we can from each other to advance our enforcement priorities.” This mutual learning approach aims to enhance the enforcement capabilities of both agencies, ensuring they can better protect consumers’ data in an ever-evolving digital landscape.

CPPA’s Collaborative Approach

The partnership with CNIL is not the CPPA’s first foray into international cooperation. The California agency also collaborates with three other major international organizations: the Asia Pacific Privacy Authorities (APPA), the Global Privacy Assembly, and the Global Privacy Enforcement Network (GPEN). These collaborations help create a robust network of privacy regulators working together to uphold high standards of data protection worldwide. The CPPA was established following the implementation of California's groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA). As the first comprehensive consumer privacy law in the United States, the CCPA set a precedent for other states and countries looking to enhance their data protection frameworks. The CPPA’s role as an independent data protection authority mirrors that of the CNIL – France’s first independent data protection agency – which highlights the pioneering efforts of both regions in the field of data privacy.

By combining their resources and expertise, the CPPA and CNIL aim to tackle a range of data privacy issues, from the implications of new technologies to the enforcement of data protection laws. This partnership is expected to lead to the development of innovative solutions and best practices that can be shared with other regulatory bodies around the world. As more organizations and governments recognize the importance of safeguarding personal data, the need for robust and cooperative frameworks becomes increasingly clear. The CPPA-CNIL partnership serves as a model for other regions looking to strengthen their data privacy measures through international collaboration.

CISA: Hackers Breached Chemical Facilities’ Data in January


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Monday that a cyberattack in January may have compromised sensitive information related to the nation's chemical facilities. Initially reported in March, the attack exploited a vulnerability in Ivanti products, leading to the temporary shutdown of two systems. In an advisory this week, CISA detailed that the Chemical Security Assessment Tool (CSAT) was specifically targeted by the cyber intrusion, which occurred between January 23 and 26. CSAT contains highly sensitive industrial data, and while all information was encrypted, CISA warned affected participants of the potential for unauthorized access.

Potential Data Compromised in Chemical Facilities' Targeting

CISA's investigation found no direct evidence of data exfiltration but indicated that the hackers might have accessed critical information such as site security plans, security vulnerability assessments (SVAs), and user accounts within CSAT. Additionally, "Top-Screen surveys," which detail the types and quantities of chemicals, their properties, and storage methods at facilities, might have been exposed. High-risk chemical facilities are mandated to submit SVAs outlining their critical assets, cyber and physical security policies, and an analysis of potential vulnerabilities. Other compromised documents could include details on cybersecurity measures, alarms and physical barriers in place at these facilities.

CISA's Response and Recommendations

CISA has informed participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the potential data exposure. Although no credentials were confirmed to be stolen, CISA advises those with CSAT accounts to reset any identical business or personal passwords. It also recommends that organizations using Ivanti products review a February advisory about recent vulnerabilities. The agency cannot directly notify individuals submitted for terrorist vetting under the CFATS Personnel Surety Program because it did not collect their contact information. However, identity protection services will be offered to those affected, specifically those vetted between December 2015 and July 2023.

Investigation Findings

The breach was detected on January 26, when CISA discovered hackers installing tools on an Ivanti device. Further investigation revealed multiple accesses to the system over two days. Various departments within CISA and the Department of Homeland Security (DHS) were involved in the investigation, which confirmed no hacker access beyond the initial Ivanti device. Despite the absence of evidence for data exfiltration, the potential risk to numerous individuals and organizations categorized this intrusion as a "major incident" under the Federal Information Security Modernization Act (FISMA). CISA is setting up a call center to assist impacted individuals, although it is not yet operational. The agency did not comment on the perpetrators of the attack, but since 2020, CISA has cautioned organizations about state-sponsored hackers, including those linked to China, exploiting vulnerabilities in Ivanti products.

Experts Say More Transparency Required

Roger Grimes, a data-driven defense evangelist at KnowBe4, lauded CISA's intent and the fact that it publicly accepted the hack but said a bit more transparency would have done no harm.

"I'm a big fan of CISA. I think they do wonderful work. Still, it would be useful to have better, full transparency," Grimes told The Cyber Express. "Was their Ivanti device exploited by an unpatched, but known vulnerability, or exploited by a 0-day? If they were exploited by a known vulnerability where a patch was available, which is more likely, why wasn't the patch installed? Was it simply due to the fact that the exploit happened faster than the patch could be applied? Was the patch missed? If the patch was missed, why? Or was it a 0-day, misconfiguration, or credential compromise?"

"This is not to embarrass CISA, but to learn why one of the best, most aggressive patch-pushing, cyber-defending organizations in the world got compromised," Grimes added. "Sharing what happened and why can help other organizations facing similar problems and challenges learn lessons.

"CISA is always pushing for other industries and vendors to be more transparent about their compromises so that we can all learn from the lessons and mistakes. I expect CISA to do the same and even lead by example when it's their infrastructure involved."

With U.S. Plea Deal, WikiLeaks Founder Assange is Free after 14-Year Legal Battle


After a 14-year legal battle, WikiLeaks founder Julian Assange walked out of the United Kingdom’s Belmarsh prison Monday morning, where he agreed to a plea deal with the United States. According to court documents, Assange agreed to plead guilty to a single charge of conspiracy to obtain and disclose national defense information, which violates espionage law in the United States. The sole charge carries a sentence of 62 months in prison, but under the plea deal the time he has already served in the UK prison — a little over 62 months — will be counted as time served. Thus, Assange will not be required to spend any more time behind bars in the U.S., the UK or anywhere else.

WikiLeaks and Human Rights Groups Celebrate Assange's Release

In a statement on platform X, WikiLeaks wrote, “Julian Assange is free.”
“He left Belmarsh maximum security prison on the morning of 24 June, after having spent 1901 days there. He was granted bail by the High Court in London and was released at Stansted airport during the afternoon, where he boarded a plane and departed the UK.” – WikiLeaks
Assange is being flown to Saipan, the capital of the Northern Mariana Islands and a U.S. commonwealth in the Western Pacific Ocean. The formal hearing and sentencing is set to take place in the U.S. District Court for the Northern Mariana Islands at 9 a.m. local time Wednesday. Assange was reluctant to fly to the mainland U.S., his prosecutors said, and thus Saipan was chosen as an alternative due to its proximity to Australia. If the guilty plea is approved by the judge – as is expected – the WikiLeaks founder will head to Australia after the sentencing. Human rights organization Amnesty International’s Secretary General, Agnès Callamard, welcomed the “positive news.”
“We firmly believe that Julian Assange should never have been imprisoned in the first place and have continuously called for charges to be dropped.” - Amnesty International’s Secretary General, Agnès Callamard 
“The years-long global spectacle of the US authorities hell-bent on violating press freedom and freedom of expression by making an example of Assange for exposing alleged war crimes committed by the USA has undoubtedly done historic damage,” Callamard said. “Amnesty International salutes the work of Julian Assange’s family, campaigners, lawyers, press freedom organizations and many within the media community and beyond who have stood by him and the fundamental principles that should govern society’s right and access to information and justice.” Mexican President Andrés Manuel sounded a similar sentiment and said:
“I celebrate the release of Julian Assange from prison. At least in this case, the Statue of Liberty did not remain an empty symbol; She is alive and happy like millions in the world.”

Brief Timeline of Julian Assange Espionage Case

Julian Assange, the founder and Editor-in-Chief of WikiLeaks, gained prominence after the site published more than 90,000 classified U.S. military documents on the Afghanistan war and about 400,000 classified U.S. documents on the Iraq war. After the release of these documents via WikiLeaks, Assange was indicted by the U.S. on 18 counts, including 17 espionage charges under the 1917 Espionage Act and one for computer misuse, where he allegedly gained unauthorized access to a government computer system of a NATO country.

In 2012, Assange communicated directly with a leader of the hacking group LulzSec (who by then was cooperating with the FBI), and provided a list of targets for LulzSec to hack, the indictment said. With respect to one target, Assange asked the LulzSec leader to look for (and provide to WikiLeaks) mail and documents, databases and PDFs. In another communication, Assange told the LulzSec leader that the most impactful release of hacked materials would be from the CIA, NSA, or the New York Times. WikiLeaks obtained and published emails from a data breach committed against an American intelligence consulting company by an “Anonymous” and LulzSec-affiliated hacker. According to that hacker, Assange indirectly asked him to spam that victim company again.

An August 2010 arrest warrant for sexual assault allegations in Sweden was initially dropped but later reopened, leading to an international arrest warrant against him. Assange then sought refuge in the Ecuadorian embassy in London. In 2019, Ecuador revoked his asylum, and he was arrested by London police and sentenced to 50 weeks in prison for breaching bail conditions. Swedish prosecutors dropped their case in 2019 because the passage of time had weakened evidence, but they said they retained confidence in the complainant.

Assange’s Freedom Starts ‘a New Chapter’

Stella Assange, the WikiLeaks founder’s wife, was elated and thanked everyone who stood by her husband. “Throughout the years of Julian’s imprisonment and persecution, an incredible movement has been formed. People from all walks of life from around the world who support not just Julian ... but what Julian stands for: truth and justice,” Stella Assange said. “What starts now with Julian’s freedom is a new chapter.” It will be interesting to see whether Assange returns to the helm of WikiLeaks and continues his fight against human rights abuses, but for now it seems he is eager to reunite with his wife Stella Assange and his children, “who have only known their father from behind bars.”

Update* (June 25 1:30 p.m. ET): Added comments from Amnesty International’s Secretary General, Agnès Callamard and President of Mexico, Andrés Manuel.

Synnovis Confirms Data Published by Qilin Ransomware Gang as Legitimate


After the Qilin ransomware gang last week published on its leak site a data subset as proof of hacking Synnovis’ systems, the London-based pathology services provider has now confirmed its legitimacy, saying the data comes from a storage drive used for administrative work and contains fragments of patient-identifiable data. The Russia-linked Qilin ransomware gang published on Friday around 400 gigabytes of sensitive patient data, which it claimed included names, dates of birth, NHS numbers and descriptions of blood tests stolen from Synnovis’ systems. Following the data leak on the dark web, Synnovis confirmed on Monday that the published data was legitimate but noted it was too early to determine the full extent of the compromised information.
“Last week a group claiming responsibility for the cyberattack published data online. We have now been able to confirm that this data was stolen from Synnovis’ systems.” - Synnovis
An initial review from Synnovis over the weekend revealed no evidence that the Laboratory Information Management Systems (LIMS) - the primary databases for patient test requests and results - were posted. However, fragments of patient-identifiable data from an administrative working drive have been published, Synnovis said. The payroll information storage area remains unaffected but further review of employee-related data that appeared in the dataset published on the dark web is underway. Synnovis emphasized the priority of understanding the compromised administrative working drive. The company is working alongside technical experts to ascertain more details and mitigate concerns among service users, employees and partners.

The Information Commissioner’s Office (ICO) is investigating the breach, acknowledging the sensitivity of the leaked data and the anxiety it may cause. “While we are continuing to make enquiries into this matter, we recognize the sensitivity of some of the information in question and the worry this may have caused,” the ICO said. The ICO advises concerned individuals to visit its website and NHS England’s site for guidance and support.

NHS England continues collaborating with Synnovis and the National Crime Agency to address the ransomware attack. NHS England acknowledged Synnovis’ initial analysis that confirmed the published data originated from their systems. The complex nature of such investigations means it could take weeks to identify all impacted individuals, it said. As the investigation proceeds, NHS England and Synnovis will provide updates and have established a helpline for those affected. Local health systems are working together to manage the impact on patients and have deployed additional resources to ensure urgent blood samples are processed. Laboratories can now also access historical patient records, which aids continuity of care, NHS England said.
The cyberattack has significantly delayed blood tests, with some media reports stating that NHS patients may wait up to six months for sample collection. Synnovis said earlier that the ransomware attack had cut the number of blood samples processed daily at major London hospitals from 10,000 to around 400. The Guardian cited a letter from an affected hospital telling one patient:
“Sadly it appears it may be three to six months before bloods can be taken again. You will be put on a waiting list and our secretaries will contact you when bloods can be taken again. If you haven’t heard anything in the next four months please feel free to contact us on the details above. I want to apologise for this inconvenience and appreciate this will be frustrating.”
The pathology service provider was processing only “clinically critical” blood samples flagged by clinicians. The delays have prompted some patients to seek faster testing at private clinics, at significantly higher cost. The impact of the Synnovis ransomware attack is also being felt by NHS Blood and Transplant (NHSBT), which appealed to the public earlier this month for urgent donations of O-positive and O-negative blood across England. The attack disrupted hospitals’ ability to match patients’ blood types, increasing demand for O-negative blood, which can be given to patients of any blood type, and O-positive blood, which can be given to the majority of patients who are Rh-positive.

CDK Global Cyberattack Ripple Effect: Several Car Dealers Report Disruptions


Last week's ransomware attack on software-as-a-service (SaaS) provider CDK Global has had a ripple effect on its customers, with several dealership groups that operate thousands of locations reporting disruptions in filings with the U.S. Securities and Exchange Commission. The CDK ransomware attack has paralyzed thousands of car dealerships across North America, disrupting operations for some of the largest automotive retailers. The attack, which began last Tuesday, has affected major players including Asbury Automotive Group, AutoNation, Group 1 Automotive, Lithia Motors, Penske and Sonic Automotive, and the list is expected to grow in the coming days.

Systems Shut Down After Attack

CDK Global, a crucial provider of SaaS platforms for dealerships, was forced last week to shut down its systems in response to the cyberattack. "With the work done so far, our core DMS and Digital Retailing solutions have been restored," a spokesperson for CDK Global told The Cyber Express at the time. "We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing." The shutdown has hindered dealerships' ability to manage customer relationships, sales, financing, service, inventory and back-office operations. CDK Global's systems are vital to over 15,000 car dealerships in North America; they support car sales, repairs and registrations, among other functions. Only a handful of dealer management system (DMS) vendors serve the market, so thousands of dealerships rely heavily on CDK’s services to line up financing and insurance, manage inventories of vehicles and parts, and complete sales and repairs.

How CDK Global Cyberattack Impacts Customers

Asbury, AutoNation, Lithia Motors, Sonic Automotive and Group 1 Automotive have activated their incident response plans and disconnected from CDK systems as a precaution, although none reported evidence of compromise within its own network. Sonic Automotive said that, as of Friday, the extent to which the attackers accessed customer data remained unknown. Lithia Motors highlighted the ongoing negative impact on its operations and said it could not yet determine whether the incident will materially affect its financial condition. Group 1 Automotive noted that CDK aims to restore the dealer management system within "several days and not weeks," but said the financial impact depends on how long the system stays down. Group 1 owns and operates 202 automotive dealerships, 264 franchises and 42 collision centers in the United States and the United Kingdom, offering 35 brands of automobiles.

CDK Customers Move to Manual Methods

Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using the manual and alternate processes designed for such incidents. Penske noted that its truck dealership business, which serves business customers, has lower unit volumes than automotive dealerships. Asbury said business operations are functioning but "slower than normal." It added that its Koons Automotive dealerships in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, its online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which include 206 franchises representing 31 domestic and foreign vehicle brands.

CDK May Pay Ransom

Late on Friday, Bloomberg reported that CDK Global is negotiating with a ransomware gang, which BleepingComputer later identified as BlackSuit, a rebrand of the Royal ransomware group known for last year's attack on the city government of Dallas. Although the ransom amount remains undisclosed, CDK Global reportedly plans to pay, Bloomberg said. CDK Global has issued prerecorded messages warning customers about hackers posing as CDK staff to gain unauthorized access. Despite making recovery progress last week, CDK suffered a second cyber incident that led to a complete shutdown of its systems. The company is working with third-party experts to assess the impact and is updating its customers regularly. The attack exposes how concentrated the automotive industry's software supply chain is and how dependent dealers are on a few centralized digital platforms.

After Banning Sales of Kaspersky Products, U.S. Sanctions its Top Executives


A day after the Biden administration announced a U.S. ban on the sale of Kaspersky Lab products, the U.S. Treasury Department on Friday sanctioned a dozen top executives and senior leaders at the Russian cybersecurity company. Kaspersky took issue with the Biden administration's moves and said, "The decision does not affect the company’s ability to sell and promote cyber threat intelligence offerings and/or trainings in the U.S." The company said the action will instead benefit cybercriminals by restricting international cooperation between cybersecurity experts. The decision to ban Kaspersky is "based on the present geopolitical climate and theoretical concerns," the company said in a scathing response to the Commerce Department's ban. The sanctions represent the latest in a series of punitive measures against the Russian antivirus company, underscoring growing concerns about cybersecurity and national security risks associated with the firm's operations.

Details of the Kaspersky Sanctions

The Treasury Department’s Office of Foreign Assets Control (OFAC) specifically targeted key individuals within Kaspersky Lab, including the chief operating officer, chief legal officer, chief of human resources, and chief business development and technology officers, among others.

(Image: the sanctioned Kaspersky executives. Source: U.S. Department of the Treasury)

The Treasury added all the above individuals to its Specially Designated Nationals (SDN) list, a list maintained by OFAC that publicly identifies persons determined by the U.S. government to be involved in activities that threaten or undermine U.S. foreign policy or national security objectives. Notably, the sanctions did not extend to Kaspersky Lab itself, its parent or subsidiary companies, or its CEO Eugene Kaspersky.

The sanctions came just a day after the U.S. Commerce Department issued a final determination to ban Kaspersky Lab from operating in the United States. The ban is rooted in longstanding concerns over national security and the potential risks to critical infrastructure. The Commerce Department also added three Kaspersky divisions to its entity list due to their cooperation with the Russian government in cyber intelligence activities.

The U.S. government has long been wary of Kaspersky Lab's ties to the Russian government, fearing that its software could be used to facilitate cyber espionage. Bloomberg in 2017 first reported it had seen emails between chief executive Eugene Kaspersky and senior Kaspersky staff outlining a secret cybersecurity project apparently requested by the Russian intelligence service FSB. Kaspersky refuted these claims, calling the allegations "false" and "inaccurate." These concerns have nonetheless driven a broader push to restrict the company's operations within the U.S. and to mitigate any potential threats to national security.

Kaspersky Lab’s Response

Kaspersky Lab has consistently denied any allegations of being influenced or controlled by any government. The company has pledged to explore all legal options in response to the Commerce Department’s ban and the recent sanctions imposed by the Treasury. In a statement, Kaspersky Lab reiterated its commitment to transparency and maintaining the trust of its users worldwide, emphasizing it has never assisted any government in cyber espionage activities. "Kaspersky does not engage in activities which threaten U.S. national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies," it said.
"Kaspersky provides industry-leading products and services to customers around the world to protect them from all types of cyber threats, and has repeatedly demonstrated its independence from any government." - Kaspersky Lab
The antivirus company claimed it has also implemented significant transparency measures that demonstrate its commitment to integrity and trustworthiness. But "the Department of Commerce’s decision unfairly ignores the evidence," Kaspersky said. The company said it also proposed a system in which the security of Kaspersky products could have been independently verified by a trusted third party.
"Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services."
However, Brian Nelson, Treasury’s Undersecretary for Terrorism and Financial Intelligence, stated, “Today’s action against the leadership of Kaspersky Lab underscores our commitment to ensure the integrity of our cyber domain and to protect our citizens against malicious cyber threats. The U.S. will take action where necessary to hold accountable those who would seek to facilitate or otherwise enable these activities.”

Implications and Future Actions

The sanctions against Kaspersky Lab’s leadership signal a broader strategy by the U.S. government to address cybersecurity threats posed by foreign entities. This approach is part of a larger effort to strengthen national security and protect critical infrastructure from potential cyberattacks.

Legal and Business Repercussions

Kaspersky Lab’s legal battles and its efforts to counteract these sanctions will be closely watched. The company's ability to operate in the international market could be significantly affected by these measures, impacting its business operations and customer trust.

Global Cybersecurity Landscape

This development also highlights the ongoing tensions in the global cybersecurity landscape, where national security concerns often intersect with business interests. The actions taken by the U.S. government may set a precedent for how other nations address similar concerns with foreign technology firms. The U.S. Treasury Department's decision to sanction senior leaders at Kaspersky Lab marks a pivotal moment in the ongoing scrutiny of the Russian cybersecurity firm. While Kaspersky Lab denies any wrongdoing and prepares to contest the sanctions legally, the actions taken by the U.S. government underscore a determined effort to mitigate potential cyber threats and protect national security. As the situation unfolds, it will have significant implications for both Kaspersky and the broader cybersecurity environment.

2022 Optus Data Breach Could Have Been Averted Four Years Prior, Says Australian Telecom Watchdog


Optus, one of Australia’s largest telecommunications companies, could have averted the massive 2022 data breach that leaked the sensitive personal information of nearly 9.5 million individuals, the Australian telecom watchdog said. The Australian Communications and Media Authority (ACMA) said in a filing with the Federal Court that the “[Optus] cyberattack was not highly sophisticated or one that required advanced skills.” Its investigation attributed the 2022 Optus data breach to an access control coding error that left an API open to abuse. ACMA’s findings come weeks after the watchdog took legal action against Optus, in the same court, for allegedly failing to protect customer data adequately.

Coding Error and API Mismanagement Led to Optus Data Breach

The ACMA claimed that Optus had access controls in place for the API but a coding error inadvertently weakened these controls allowing them to be bypassed. This error left the API vulnerable, especially since it was internet-facing and dormant for an extended period. The vulnerability was reportedly introduced through a coding error in September 2018 and was first noticed in August 2021. But this issue was only fixed for the main site – www.optus.com.au – and not the subdomain (likely api.www.optus.com.au) where the vulnerable API endpoint was hosted.
“The coding error was not identified by Optus until after the cyberattack had occurred in mid-September 2022. Optus had the opportunity to identify the coding error at several stages in the preceding four years including: when the coding change was released into a production environment in September 2018; when the Target Domain (and the Main Domain) became internet-facing through the production environment in June 2020; and when the coding error was detected for the main domain in August 2021.” – ACMA
But the company failed to do so, allegedly causing harm to more than one-third (approximately 36%) of the Australian population. The telco watchdog alleged that Optus’ failure to protect customer data constitutes a breach of its obligations under Australian law.
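As an added example (not Optus code and not the ACMA's description of its API), the Python below shows the shape of failure the ACMA describes: an ownership check that exists in the handler but is made conditional by a coding error, so an unauthenticated request is served a record it should never see, beside a deny-by-default version of the same handler. The endpoint path, the customer records and the session tokens are all constructed for illustration.

```python
# Added example (not Optus code): a customer-record API handler whose
# access control is weakened by a coding error, beside a hardened version.
# All paths, records and tokens below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    path: str                                  # e.g. "/api/customers/1001"
    headers: dict = field(default_factory=dict)


# Constructed sample data: customer records and bearer-token sessions.
CUSTOMERS = {
    "1001": {"name": "A. Example", "dob": "1990-01-01", "licence": "DL-111"},
    "1002": {"name": "B. Example", "dob": "1985-05-05", "licence": "DL-222"},
}
SESSIONS = {"tok-1001": "1001", "tok-1002": "1002"}  # token -> owning customer id


def authenticate(req: Request) -> Optional[str]:
    """Return the customer id bound to a valid bearer token, else None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def customer_id_from(req: Request) -> str:
    """Take the object identifier from the last path segment."""
    return req.path.rstrip("/").rsplit("/", 1)[-1]


def lookup_vulnerable(req: Request):
    """'Before': an ownership check is present, but a coding error makes it
    conditional on a session existing. With no session the check is skipped
    entirely, so an anonymous caller can read any customer's record."""
    requested = customer_id_from(req)
    caller = authenticate(req)
    if caller and caller != requested:     # BUG: never evaluated when caller is None
        return 403, None
    record = CUSTOMERS.get(requested)
    return (200, record) if record else (404, None)


def lookup_hardened(req: Request):
    """'After': deny by default. Authentication is required before any object
    is looked up, and the ownership comparison is unconditional."""
    caller = authenticate(req)
    if caller is None:
        return 401, None
    requested = customer_id_from(req)
    if caller != requested:
        return 403, None
    record = CUSTOMERS.get(requested)
    return (200, record) if record else (404, None)


def enumerate_records(handler, ids):
    """Simulate an unauthenticated walk over candidate ids against a handler
    and return the ids whose records were disclosed."""
    leaked = []
    for cid in ids:
        status, record = handler(Request(path=f"/api/customers/{cid}"))
        if status == 200 and record:
            leaked.append(cid)
    return leaked


if __name__ == "__main__":
    candidates = [str(i) for i in range(1000, 1005)]
    print("vulnerable leaks:", enumerate_records(lookup_vulnerable, candidates))  # ['1001', '1002']
    print("hardened leaks:  ", enumerate_records(lookup_hardened, candidates))    # []
```

The placement of the check matters as much as its logic. The ACMA's timeline says the 2021 fix reached the main domain but not the subdomain hosting the API, so the same handler stayed live elsewhere; putting authentication in one dispatch layer that every route on every host passes through, rather than in each handler, is what prevents a dormant but internet-facing endpoint from being the one that was forgotten.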

Optus’ Response to ACMA’s Allegations

Optus, in a statement to The Cyber Express, confirmed the vulnerability and provided details on the cyberattack. “The cyberattack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defenses that arose from a historical coding error,” said Interim CEO of Optus Michael Venter.
“This vulnerability was exploited by a motivated and determined criminal as they probed our defenses, and then exploited and evaded these defenses by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data. The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.” – Michael Venter, Interim CEO of Optus
Venter said that, following the 2022 Optus data breach, the company has reviewed and updated its systems and processes and has invested in heightened cyber defenses to address the increased global cyber risk environment. The company expressed regret over the incident and emphasized its commitment to protecting customer data. “Our customers expected their information would remain safe. We accept that this did not happen, and the cyber attacker gained unauthorised access to some of their information,” Venter said. The 2022 breach gave malicious actors access to the sensitive information of about 9.5 million former and current customers, including names, birth dates, phone numbers and email addresses and, for a subset of 2,470,036 customers, addresses and ID document numbers such as driver’s license or passport numbers. The hacker also released the personally identifiable information (PII) of 10,200 of those Optus customers on the dark web.
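Venter's description above, an attacker mimicking ordinary customer activity and rotating through tens of thousands of IP addresses, is exactly the pattern a per-IP rate limit cannot see. As an added example (not Optus code and not taken from the Deloitte report), the Python below runs a detection over constructed access-log lines: it first shows that the peak request count from any single IP stays tiny, then keys instead on how many distinct object identifiers are requested against one endpoint within a time window, how many of those requests carried no session, and how many identifiers are consecutive. The log format, the field names and the thresholds are assumptions for illustration.

```python
# Added example (not Optus code): detecting identifier enumeration that is
# spread across many source IPs. The log format and thresholds are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<iso-ts> <ip> <method> <path> <status> auth=<token|none>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
                     r"(?P<status>\d{3}) auth=(?P<auth>\S+)$")
ID_RE = re.compile(r"/(\d+)(?=/|$)")        # numeric path segment = object identifier
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    idm = ID_RE.search(e["path"])
    e["obj_id"] = int(idm.group(1)) if idm else None
    e["template"] = ID_RE.sub("/{id}", e["path"])   # group by endpoint, not by object
    return e


def sample_log():
    """Constructed log: 40 unauthenticated requests for consecutive ids, each
    from a different IP, interleaved with one legitimate authenticated user."""
    t0 = datetime(2022, 9, 17, 2, 0, 0)
    lines = []
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} 198.51.100.{i + 1} GET /api/customers/{1000 + i} 200 auth=none")
    for i in range(3):
        ts = (t0 + timedelta(seconds=10 * i + 5)).strftime(TS_FMT)
        lines.append(f"{ts} 203.0.113.9 GET /api/customers/1001 200 auth=tok-1001")
    return lines


def per_ip_max(events):
    """Peak request count from any single IP: all a per-IP rate limit sees."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return max(counts.values(), default=0)


def detect_enumeration(events, window=timedelta(seconds=60), min_distinct=25):
    """Per endpoint template, find the sliding window with the most distinct
    object ids; report it when that count reaches min_distinct, regardless of
    how many source IPs or sessions the requests came from."""
    by_tmpl = defaultdict(list)
    for e in events:
        if e["obj_id"] is not None:
            by_tmpl[e["template"]].append(e)
    findings = []
    for tmpl, evs in by_tmpl.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            ids = sorted({e["obj_id"] for e in win})
            if len(ids) >= min_distinct and (best is None or len(ids) > best["distinct_ids"]):
                best = {
                    "template": tmpl,
                    "distinct_ids": len(ids),
                    "source_ips": len({e["ip"] for e in win}),
                    "unauthenticated": sum(1 for e in win if e["auth"] == "none"),
                    "sequential_pairs": sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1),
                }
        if best:
            findings.append(best)
    return findings


def analyse(lines):
    """Return (peak requests from one IP, enumeration findings) for a log."""
    events = [e for e in map(parse_line, lines) if e]
    return per_ip_max(events), detect_enumeration(events)


if __name__ == "__main__":
    peak, findings = analyse(sample_log())
    print("peak requests from a single IP:", peak)   # 3: a per-IP limit never fires
    for f in findings:
        print(f)
```

In the constructed log the busiest IP makes three requests, so a per-IP threshold never fires, while the endpoint-level view shows 40 distinct identifiers from 41 addresses in one minute, all but three of them unauthenticated and 39 of them consecutive. Counting distinct identifiers per endpoint, and separately counting unauthenticated hits on an endpoint that should require a session, is the signal that survives IP rotation.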

Deloitte Report Handed to the Federal Court

After the hack, although the privacy commissioner and ACMA held detailed investigations, Optus itself commissioned an independent external review of the cyberattack. Despite Optus’ attempts to keep the document confidential, the Australian Federal Court ordered the company last month to file the report with the court, where it is expected to provide crucial insights into the breach. “Optus is working with the ACMA and separately Slater and Gordon with the intention of providing them with a confidential version of the Deloitte Report that appropriately protects our customer data and systems from cybercriminals,” Venter told The Cyber Express. The forensic report prepared by Deloitte, detailing the technical aspects of the breach, was handed to the Federal Court on Friday. Its details will also be used in a separate class action against Optus.

“Much to do to Fully Regain our Customers’ Trust”

Optus has acknowledged the breach’s impact on customer trust, with Venter expressing deep regret for the incident. Optus has reimbursed 20,071 current and former customers for the cost of replacing identity documents. The company is also covering costs incurred by government agencies related to the breach. Optus has pledged to cooperate with the ACMA’s investigation and defend its actions in court, aiming to correct any misconceptions and improve its cybersecurity measures.
“Optus recognizes that we still have much to do to fully regain our customers’ trust and we will continue to work tirelessly towards this goal,” – Michael Venter
The Optus data breach highlights the critical importance of robust access controls and diligent monitoring of cybersecurity vulnerabilities. The incident serves as a cautionary tale for organizations worldwide to ensure comprehensive protection of sensitive data and maintain customer trust through proactive and transparent security practices. As the case progresses, it will provide further insights into the complexities of cybersecurity in the telecommunications sector and the measures necessary to prevent similar breaches in the future.